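    def spawn_dcom_connection(self, *, connect_timeout=6.0):
        """Create an impacket DCOM connection to ``self.rhost_str`` and wrap it.

        Credentials and Kerberos settings are taken from the instance
        (``username``, ``password``, ``domain``, ``lmhash``, ``nthash``,
        ``aes_key``, ``do_kerberos``, ``kdc_host``).

        Args:
            connect_timeout: seconds applied to the connect timeout of the
                underlying RPC transport.

        Returns:
            A ``DcomConnection`` wrapping the new ``impkt_dcomrt.DCOMConnection``.

        Raises:
            ValueError: if ``self.rport_rpc`` is not 135 -- the only RPC port
                impacket's DCOM client handles reliably (see below).
        """
        # CAUTION: keep this one to False so to prevent impacket's
        # DCOMConnection class from launching a daemon thread (threading.Timer)
        # which will prevent interpreter from terminating
        oxid_resolver = False

        # CAUTION: changing RPC port number from default 135 is not well
        # supported by impacket. It is technically possible to specify the port
        # number as part of the *target* arg, however the information gets lost
        # on the way by impacket and it leads to either a KeyError exception, or
        # even a "Can't find a valid stringBinding to connect" error in case
        # connection must go through port mapping - e.g. typically a connection
        # test to a local VM.
        #
        # target = self.dcom_target  # <-- ideally we want this
        #
        # An ``assert`` is stripped under ``python -O``; the non-default port
        # would then be silently dropped and the connection would go to 135
        # anyway, so enforce the limitation with an explicit exception.
        if self.rport_rpc != 135:
            raise ValueError(
                "RPC port %r is not supported: impacket DCOM connections only "
                "work against port 135" % (self.rport_rpc,))
        target = self.rhost_str

        dcom_conn = impkt_dcomrt.DCOMConnection(
            target=target, username=self.username, password=self.password,
            domain=self.domain, lmhash=self.lmhash, nthash=self.nthash,
            aesKey=self.aes_key, oxidResolver=oxid_resolver,
            doKerberos=self.do_kerberos, kdcHost=self.kdc_host)

        # The timeout lives on the RPC transport, not on the DCOM object.
        dcom_conn.get_dce_rpc().get_rpc_transport().set_connect_timeout(
            connect_timeout)

        return DcomConnection(dcom_conn)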
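 def test_RemRelease(self):
     """Create an IEventSystem object over DCOM and release it again.

     The DCOM connection is always disconnected, even when
     CoCreateInstanceEx or RemRelease raises, so a failing call does not
     leave the RPC transport open for the rest of the test run.
     """
     dcom = dcomrt.DCOMConnection(self.machine, self.username,
                                  self.password, self.domain)
     try:
         iInterface = dcom.CoCreateInstanceEx(comev.CLSID_EventSystem,
                                              comev.IID_IEventSystem)
         iEventSystem = comev.IEventSystem(iInterface)
         iEventSystem.RemRelease()
     finally:
         # Tear down the connection regardless of the outcome above.
         dcom.disconnect()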
    def tes_comev(self):
        """Exercise the COM+ Event System (comev) interfaces over DCOM.

        Connects to ``self.machine`` with ``self.username``/``self.password``
        (plus optional ``lmhash:nthash`` credentials from ``self.hashes``),
        walks the IEventSystem type info, then enumerates a few event
        subscriptions and event classes before disconnecting.

        NOTE(review): the ``tes_`` prefix keeps this method out of the test
        runner's discovery -- presumably deliberate; confirm before renaming.
        NOTE(review): there is no try/finally, so any RPC failure skips
        ``dcom.disconnect()`` and leaves the connection open.
        """
        # Optional NTLM hash credentials in "LMHASH:NTHASH" form; empty
        # strings mean "use the password instead".
        if len(self.hashes) > 0:
            lmhash, nthash = self.hashes.split(':')
        else:
            lmhash = ''
            nthash = ''

        dcom = dcomrt.DCOMConnection(self.machine, self.username,
                                     self.password, self.domain, lmhash,
                                     nthash)
        iInterface = dcom.CoCreateInstanceEx(comev.CLSID_EventSystem,
                                             comev.IID_IEventSystem)

        #scm = dcomrt.IRemoteSCMActivator(dce)

        #iInterface = scm.RemoteCreateInstance(comev.CLSID_EventSystem, comev.IID_IEventSystem)
        #iInterface = scm.RemoteCreateInstance(comev.CLSID_EventSystem,oaut.IID_IDispatch)
        # NOTE(review): iDispatch is built but never used afterwards.
        iDispatch = oaut.IDispatch(iInterface)
        #scm = dcomrt.IRemoteSCMActivator(dce)
        #resp = iDispatch.GetIDsOfNames(('Navigate\x00', 'ExecWB\x00'))
        #resp.dump()
        iEventSystem = comev.IEventSystem(iInterface)
        iTypeInfo = iEventSystem.GetTypeInfo()
        resp = iTypeInfo.GetTypeAttr()
        #resp.dump()
        # Fetch descriptor, names and documentation for each function of the
        # type; the responses are only retrieved, not checked or printed.
        # NOTE(review): the range starts at 1, so function index 0 is never
        # queried -- confirm whether that is intended.
        for i in range(1, resp['ppTypeAttr']['cFuncs']):
            resp = iTypeInfo.GetFuncDesc(i)
            #resp.dump()
            resp2 = iTypeInfo.GetNames(resp['ppFuncDesc']['memid'])
            #resp2.dump()
            resp = iTypeInfo.GetDocumentation(resp['ppFuncDesc']['memid'])
            #resp.dump()
        #iEventSystem.get_EventObjectChangeEventClassID()
        # Release the remote references; the iEventSystem proxy is still
        # used for Query() below, so this relies on impacket keeping the
        # proxy usable after RemRelease -- TODO confirm.
        iEventSystem.RemRelease()
        iTypeInfo.RemRelease()

        objCollection = iEventSystem.Query(
            'EventSystem.EventSubscriptionCollection', 'ALL')

        resp = objCollection.get_Count()
        # NOTE(review): count is fetched but unused; the loop below is
        # hard-capped at 3 entries instead.
        count = resp['pCount']

        evnObj = objCollection.get_NewEnum()
        #for i in range(count-1):
        # Walk the first three subscriptions only. If the collection holds
        # fewer, Next(1)[0] presumably fails -- verify against the target.
        for i in range(3):
            iUnknown = evnObj.Next(1)[0]
            es = iUnknown.RemQueryInterface(1,
                                            (comev.IID_IEventSubscription3, ))
            es = comev.IEventSubscription3(es)

            #es.get_SubscriptionID()
            # Only the subscription name is read and printed.
            print es.get_SubscriptionName()['pbstrSubscriptionName']['asData']
            ##es.get_PublisherID()
            #es.get_EventClassID()
            #es.get_MethodName()
            ##es.get_SubscriberCLSID()
            #es.get_SubscriberInterface()
            #es.get_PerUser()
            #es.get_OwnerSID()
            #es.get_Enabled()
            ##es.get_Description()
            ##es.get_MachineName()
            ##es.GetPublisherProperty()
            #es.GetPublisherPropertyCollection()
            ##es.GetSubscriberProperty()
            #es.GetSubscriberPropertyCollection()
            #es.get_InterfaceID()
            es.RemRelease()

        objCollection = iEventSystem.Query('EventSystem.EventClassCollection',
                                           'ALL')
        resp = objCollection.get_Count()
        # NOTE(review): as above, count is unused and the loop is capped at 3.
        count = resp['pCount']

        #objCollection.get_Item('EventClassID={D5978630-5B9F-11D1-8DD2-00AA004ABD5E}')
        evnObj = objCollection.get_NewEnum()
        #for i in range(count-1):
        # Same pattern for event classes: query IEventClass2 on each of the
        # first three entries, read its class ID and release it.
        for i in range(3):

            iUnknown = evnObj.Next(1)[0]

            ev = iUnknown.RemQueryInterface(1, (comev.IID_IEventClass2, ))
            ev = comev.IEventClass2(ev)

            # Result is discarded; the call only checks the round trip works.
            ev.get_EventClassID()
            #ev.get_EventClassName()
            #ev.get_OwnerSID()
            #ev.get_FiringInterfaceID()
            #ev.get_Description()
            #try:
            #    ev.get_TypeLib()
            #except:
            #    pass

            #ev.get_PublisherID()
            #ev.get_MultiInterfacePublisherFilterCLSID()
            #ev.get_AllowInprocActivation()
            #ev.get_FireInParallel()
            ev.RemRelease()

        # Visual separator in the test output (Python 2 print statement).
        print "=" * 80

        dcom.disconnect()