Reuse mimikatz RPRN definitions

2024-11-20 14:39:22 +01:00 · 2022-01-14 15:19:20 -05:00 · 2022-01-14 15:19:20 -05:00 · 174ae1ab09
commit 174ae1ab09
parent 3b0862b182
7 changed files with 22 additions and 8076 deletions
--- a/c/meterpreter/source/extensions/priv/ms-rprn_32.c
+++ b/c/meterpreter/source/extensions/priv/ms-rprn_32.c
--- a/c/meterpreter/source/extensions/priv/ms-rprn_64.c
+++ b/c/meterpreter/source/extensions/priv/ms-rprn_64.c
--- a/c/meterpreter/source/extensions/priv/ms-rprn_h.h
+++ b/c/meterpreter/source/extensions/priv/ms-rprn_h.h
@ -1,317 +0,0 @@
-
-
-/* this ALWAYS GENERATED file contains the definitions for the interfaces */
-
-
- /* File created by MIDL compiler version 8.01.0622 */
-/* at Tue Jan 19 14:14:07 2038
- */
-/* Compiler settings for ms-rprn.idl:
-    Oicf, W1, Zp8, env=Win64 (32b run), target_arch=AMD64 8.01.0622 
-    protocol : all , ms_ext, c_ext, robust
-    error checks: allocation ref bounds_check enum stub_data 
-    VC __declspec() decoration level: 
-         __declspec(uuid()), __declspec(selectany), __declspec(novtable)
-         DECLSPEC_UUID(), MIDL_INTERFACE()
-*/
-/* @@MIDL_FILE_HEADING(  ) */
-
-
-
-/* verify that the <rpcndr.h> version is high enough to compile this file*/
-#ifndef __REQUIRED_RPCNDR_H_VERSION__
-#define __REQUIRED_RPCNDR_H_VERSION__ 500
-#endif
-
-#include "rpc.h"
-#include "rpcndr.h"
-
-#ifndef __RPCNDR_H_VERSION__
-#error this stub requires an updated version of <rpcndr.h>
-#endif /* __RPCNDR_H_VERSION__ */
-
-
-#ifndef __ms2Drprn_h_h__
-#define __ms2Drprn_h_h__
-
-#if defined(_MSC_VER) && (_MSC_VER >= 1020)
-#pragma once
-#endif
-
-/* Forward Declarations */ 
-
-/* header files for imported files */
-#include "oaidl.h"
-
-#ifdef __cplusplus
-extern "C"{
-#endif 
-
-
-#ifndef __winspool_INTERFACE_DEFINED__
-#define __winspool_INTERFACE_DEFINED__
-
-/* interface winspool */
-/* [unique][endpoint][ms_union][version][uuid] */ 
-
-typedef struct _DEVMODE_CONTAINER
-    {
-    DWORD cbBuf;
-    /* [unique][size_is] */ BYTE *pDevMode;
-    } 	DEVMODE_CONTAINER;
-
-typedef struct _RPC_V2_NOTIFY_OPTIONS_TYPE
-    {
-    unsigned short Type;
-    unsigned short Reserved0;
-    DWORD Reserved1;
-    DWORD Reserved2;
-    DWORD Count;
-    /* [unique][size_is] */ unsigned short *pFields;
-    } 	RPC_V2_NOTIFY_OPTIONS_TYPE;
-
-typedef struct _RPC_V2_NOTIFY_OPTIONS
-    {
-    DWORD Version;
-    DWORD Reserved;
-    DWORD Count;
-    /* [unique][size_is] */ RPC_V2_NOTIFY_OPTIONS_TYPE *pTypes;
-    } 	RPC_V2_NOTIFY_OPTIONS;
-
-typedef unsigned short LANGID;
-
-typedef /* [context_handle] */ void *GDI_HANDLE;
-
-typedef /* [context_handle] */ void *PRINTER_HANDLE;
-
-typedef /* [handle] */ wchar_t *STRING_HANDLE;
-
-DWORD RpcEnumPrinters( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcOpenPrinter( 
-    /* [unique][string][in] */ STRING_HANDLE pPrinterName,
-    /* [out] */ PRINTER_HANDLE *pHandle,
-    /* [unique][string][in] */ wchar_t *pDatatype,
-    /* [in] */ DEVMODE_CONTAINER *pDevModeContainer,
-    /* [in] */ DWORD AccessRequired);
-
-DWORD RpcSetJob( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcGetJob( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcEnumJobs( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcAddPrinter( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcDeletePrinter( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcSetPrinter( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcGetPrinter( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcAddPrinterDriver( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcEnumPrinterDrivers( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcGetPrinterDriver( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcGetPrinterDriverDirectory( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcDeletePrinterDriver( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcAddPrintProcessor( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcEnumPrintProcessors( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcGetPrintProcessorDirectory( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcStartDocPrinter( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcStartPagePrinter( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcWritePrinter( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcEndPagePrinter( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcAbortPrinter( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcReadPrinter( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcEndDocPrinter( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcAddJob( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcScheduleJob( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcGetPrinterData( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcSetPrinterData( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcWaitForPrinterChange( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcClosePrinter( 
-    /* [out][in] */ PRINTER_HANDLE *phPrinter);
-
-DWORD RpcAddForm( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcDeleteForm( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcGetForm( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcSetForm( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcEnumForms( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcEnumPorts( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcEnumMonitors( 
-    /* [in] */ handle_t IDL_handle);
-
-void Opnum37NotUsedOnWire( 
-    /* [in] */ handle_t IDL_handle);
-
-void Opnum38NotUsedOnWire( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcDeletePort( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcCreatePrinterIC( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcPlayGdiScriptOnPrinterIC( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcDeletePrinterIC( 
-    /* [in] */ handle_t IDL_handle);
-
-void Opnum43NotUsedOnWire( 
-    /* [in] */ handle_t IDL_handle);
-
-void Opnum44NotUsedOnWire( 
-    /* [in] */ handle_t IDL_handle);
-
-void Opnum45NotUsedOnWire( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcAddMonitor( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcDeleteMonitor( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcDeletePrintProcessor( 
-    /* [in] */ handle_t IDL_handle);
-
-void Opnum49NotUsedOnWire( 
-    /* [in] */ handle_t IDL_handle);
-
-void Opnum50NotUsedOnWire( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcEnumPrintProcessorDatatypes( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcResetPrinter( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcGetPrinterDriver2( 
-    /* [in] */ handle_t IDL_handle);
-
-void Opnum54NotUsedOnWire( 
-    /* [in] */ handle_t IDL_handle);
-
-void Opnum55NotUsedOnWire( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcFindClosePrinterChangeNotification( 
-    /* [in] */ handle_t IDL_handle);
-
-void Opnum57NotUsedOnWire( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcReplyOpenPrinter( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcRouterReplyPrinter( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcReplyClosePrinter( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcAddPortEx( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcRemoteFindFirstPrinterChangeNotification( 
-    /* [in] */ handle_t IDL_handle);
-
-void Opnum63NotUsedOnWire( 
-    /* [in] */ handle_t IDL_handle);
-
-void Opnum64NotUsedOnWire( 
-    /* [in] */ handle_t IDL_handle);
-
-DWORD RpcRemoteFindFirstPrinterChangeNotificationEx( 
-    /* [in] */ PRINTER_HANDLE hPrinter,
-    /* [in] */ DWORD fdwFlags,
-    /* [in] */ DWORD fdwOptions,
-    /* [unique][string][in] */ wchar_t *pszLocalMachine,
-    /* [in] */ DWORD dwPrinterLocal,
-    /* [unique][in] */ RPC_V2_NOTIFY_OPTIONS *pOptions);
-
-
-
-extern RPC_IF_HANDLE winspool_v1_0_c_ifspec;
-extern RPC_IF_HANDLE winspool_v1_0_s_ifspec;
-#endif /* __winspool_INTERFACE_DEFINED__ */
-
-/* Additional Prototypes for ALL interfaces */
-
-handle_t __RPC_USER STRING_HANDLE_bind ( STRING_HANDLE );
-void     __RPC_USER STRING_HANDLE_unbind( STRING_HANDLE,  handle_t );
-
-void __RPC_USER PRINTER_HANDLE_rundown( PRINTER_HANDLE );
-
-/* end of Additional Prototypes */
-
-#ifdef __cplusplus
-}
-#endif
-
-#endif
-
-
--- a/c/meterpreter/source/extensions/priv/namedpipe_printspooler.c
+++ b/c/meterpreter/source/extensions/priv/namedpipe_printspooler.c
@ -1,13 +1,23 @@
 #include "precomp.h"
 #include "common_metapi.h"
 #include "namedpipe.h"
-#include "ms-rprn_h.h"
+
+typedef void* PRINTER_HANDLE;
+typedef wchar_t* STRING_HANDLE;
+
+typedef struct _DEVMODE_CONTAINER {
+	DWORD cbBuf;
+	BYTE* pDevMode;
+} DEVMODE_CONTAINER;
+
+DWORD RpcOpenPrinter(STRING_HANDLE pPrinterName, PRINTER_HANDLE* pHandle, wchar_t* pDatatype, DEVMODE_CONTAINER* pDevModeContainer, DWORD AccessRequired);
+DWORD RpcClosePrinter(PRINTER_HANDLE* phPrinter);
+DWORD RpcRemoteFindFirstPrinterChangeNotification(PRINTER_HANDLE hPrinter, DWORD fdwFlags, DWORD fdwOptions, wchar_t* pszLocalMachine, DWORD dwPrinterLocal, DWORD cbBuffer, BYTE* pBuffer);

 typedef NTSTATUS(WINAPI* PRtlGetVersion)(LPOSVERSIONINFOEXW);

 DWORD WINAPI trigger_printer_connection(LPWSTR pPipeName);

-
 DWORD elevate_via_namedpipe_printspooler(Remote* remote, Packet* packet)
 {
 	DWORD dwResult = ERROR_SUCCESS;
@ -148,7 +158,7 @@ DWORD WINAPI trigger_printer_connection(LPWSTR pPipeName)
 		{
 			if (RpcOpenPrinter(pPrinterName, &hPrinter, NULL, &devModeContainer, 0) == RPC_S_OK)
 			{
-				RpcRemoteFindFirstPrinterChangeNotificationEx(hPrinter, PRINTER_CHANGE_ADD_JOB, 0, pCaptureServer, 0, NULL);
+				RpcRemoteFindFirstPrinterChangeNotification(hPrinter, PRINTER_CHANGE_ADD_JOB, 0, pCaptureServer, 0, 0, NULL);
 				RpcClosePrinter(&hPrinter);
 			}
 		}
--- a/c/meterpreter/source/extensions/priv/namedpipe_rpcss.c
+++ b/c/meterpreter/source/extensions/priv/namedpipe_rpcss.c
--- a/c/meterpreter/source/extensions/priv/namedpipe_rpcss.h
+++ b/c/meterpreter/source/extensions/priv/namedpipe_rpcss.h
--- a/c/meterpreter/workspace/ext_server_priv/ext_server_priv.vcxproj
+++ b/c/meterpreter/workspace/ext_server_priv/ext_server_priv.vcxproj
@ -128,7 +128,7 @@
    <ClCompile>
      <Optimization>MinSpace</Optimization>
      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
-      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\source\extensions\kiwi\mimikatz\modules\rpc;..\..\source\extensions\kiwi\mimikatz\inc;..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <StringPooling>true</StringPooling>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -194,7 +194,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
    <ClCompile>
      <Optimization>MinSpace</Optimization>
      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
-      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\source\extensions\kiwi\mimikatz\modules\rpc;..\..\source\extensions\kiwi\mimikatz\inc;..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>DEBUGTRACE;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <StringPooling>true</StringPooling>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -260,7 +260,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
    <ClCompile>
      <Optimization>MinSpace</Optimization>
      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
-      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\source\extensions\kiwi\mimikatz\modules\rpc;..\..\source\extensions\kiwi\mimikatz\inc;..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <StringPooling>true</StringPooling>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -326,7 +326,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
    <ClCompile>
      <Optimization>MaxSpeed</Optimization>
      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
-      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\source\extensions\kiwi\mimikatz\modules\rpc;..\..\source\extensions\kiwi\mimikatz\inc;..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <StringPooling>true</StringPooling>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -392,7 +392,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
    <ClCompile>
      <Optimization>MaxSpeed</Optimization>
      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
-      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\source\extensions\kiwi\mimikatz\modules\rpc;..\..\source\extensions\kiwi\mimikatz\inc;..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;..\..\source\extensions\kiwi\mimikatz\inc;..\..\source\extensions\kiwi\mimikatz\modules\rpc;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>DEBUGTRACE;WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <StringPooling>true</StringPooling>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -458,7 +458,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
    <ClCompile>
      <Optimization>MaxSpeed</Optimization>
      <InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
-      <AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
+      <AdditionalIncludeDirectories>..\..\source\extensions\kiwi\mimikatz\modules\rpc;..\..\source\extensions\kiwi\mimikatz\inc;..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\priv\server;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
      <PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;EXT_SERVER_PRIV_EXPORTS;_CRT_SECURE_NO_WARNINGS;%(PreprocessorDefinitions)</PreprocessorDefinitions>
      <StringPooling>true</StringPooling>
      <RuntimeLibrary>MultiThreaded</RuntimeLibrary>
@ -521,10 +521,10 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
    </ProjectReference>
  </ItemGroup>
  <ItemGroup>
+    <ClInclude Include="..\..\source\extensions\kiwi\mimikatz\modules\rpc\kull_m_rpc_ms-rprn.h" />
    <ClInclude Include="..\..\source\extensions\priv\defs.h" />
    <ClInclude Include="..\..\source\extensions\priv\elevate.h" />
    <ClInclude Include="..\..\source\extensions\priv\fs.h" />
-    <ClInclude Include="..\..\source\extensions\priv\ms-rprn_h.h" />
    <ClInclude Include="..\..\source\extensions\priv\namedpipe.h" />
    <ClInclude Include="..\..\source\extensions\priv\namedpipe_printspooler.h" />
    <ClInclude Include="..\..\source\extensions\priv\namedpipe_rpcss.h" />
@ -535,10 +535,9 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
    <ClInclude Include="..\..\source\extensions\priv\tokendup.h" />
  </ItemGroup>
  <ItemGroup>
+    <ClCompile Include="..\..\source\extensions\kiwi\mimikatz\modules\rpc\kull_m_rpc_ms-rprn.c" />
    <ClCompile Include="..\..\source\extensions\priv\elevate.c" />
    <ClCompile Include="..\..\source\extensions\priv\fs.c" />
-    <ClCompile Include="..\..\source\extensions\priv\ms-rprn_32.c" />
-    <ClCompile Include="..\..\source\extensions\priv\ms-rprn_64.c" />
    <ClCompile Include="..\..\source\extensions\priv\namedpipe.c" />
    <ClCompile Include="..\..\source\extensions\priv\namedpipe_printspooler.c" />
    <ClCompile Include="..\..\source\extensions\priv\namedpipe_rpcss.c" />