class SmbExecute():
def __init__(self, share, rpc, mode, serviceName, outputFile):
self.__share = share
self.__mode = mode
if not outputFile:
self.__output = None
else:
self.__output = 'C:\\Windows\\Temp\\' + outputFile
self.__batchFile = '%TEMP%\\execute.bat'
self.__outputBuffer = ''
self.__command = ''
self.__shell = '%COMSPEC% /Q /c '
self.__serviceName = serviceName
self.__rpc = rpc
dce = rpc.get_dce_rpc()
try:
dce.connect()
except Exception, e:
print e
sys.exit(1)
s = rpc.get_smb_connection()
# We don't wanna deal with timeouts from now on.
s.setTimeout(100000)
# open the service handler and get the handle to this created service
dce.bind(svcctl.MSRPC_UUID_SVCCTL)
self.rpcsvc = svcctl.DCERPCSvcCtl(dce)
resp = self.rpcsvc.OpenSCManagerW()
self.__scHandle = resp['ContextHandle']
self.transferClient = rpc.get_smb_connection()
class RemoteShell():
def __init__(self, share, rpc, mode, serviceName, command):
self.__share = share
self.__mode = mode
self.__output = '\\' + OUTPUT_FILENAME
self.__batchFile = '\\' + BATCH_FILENAME
self.__outputBuffer = ''
self.__command = command
self.__shell = '%COMSPEC% /Q /c '
self.__serviceName = serviceName
self.__rpc = rpc
dce = rpc.get_dce_rpc()
try:
dce.connect()
except Exception, e:
print '[!]', e
exc_type, exc_obj, exc_tb = sys.exc_info()
fname = os.path.split(exc_tb.tb_frame.f_code.co_filename)[1]
print(exc_type, fname, exc_tb.tb_lineno)
sys.exit(1)
s = rpc.get_smb_connection()
# We don't wanna deal with timeouts from now on.
s.setTimeout(100000)
dce.bind(svcctl.MSRPC_UUID_SVCCTL)
self.rpcsvc = svcctl.DCERPCSvcCtl(dce)
resp = self.rpcsvc.OpenSCManagerW()
self.__scHandle = resp['ContextHandle']
self.transferClient = rpc.get_smb_connection()
class RemoteShell(cmd.Cmd):
def __init__(self, share, rpc, mode):
cmd.Cmd.__init__(self)
self.__share = share
self.__mode = mode
self.__output = '\\Windows\\Temp\\' + OUTPUT_FILENAME
self.__batchFile = '%TEMP%\\' + BATCH_FILENAME
self.__outputBuffer = ''
self.__command = ''
self.__shell = '%COMSPEC% /Q /c '
self.__serviceName = 'BTOBTO'.encode('utf-16le')
self.intro = '[!] Launching semi-interactive shell - Careful what you execute'
dce = dcerpc.DCERPC_v5(rpc)
try:
dce.connect()
except Exception, e:
pass
s = rpc.get_smb_connection()
# We don't wanna deal with timeouts from now on.
s.setTimeout(100000)
if mode == 'SERVER':
myIPaddr = s.getSMBServer().get_socket().getsockname()[0]
self.__copyBack = 'copy %s \\\\%s\\%s' % (self.__output, myIPaddr,
DUMMY_SHARE)
dce.bind(svcctl.MSRPC_UUID_SVCCTL)
self.rpcsvc = svcctl.DCERPCSvcCtl(dce)
resp = self.rpcsvc.OpenSCManagerW()
self.__scHandle = resp['ContextHandle']
self.transferClient = rpc.get_smb_connection()
self.do_cd('')
def __init__(self, share, rpc, mode, serviceName, command):
self.__share = share
self.__mode = mode
# self.__output = '\\Windows\\Temp\\' + 'output'
# self.__batchFile = '%TEMP%\\' + 'output.bat'
# self.__outputBuffer = ''
self.__command = command
self.__shell = '%COMSPEC% /Q /c '
self.__serviceName = serviceName
self.__rpc = rpc
dce = rpc.get_dce_rpc()
try:
dce.connect()
except Exception as e:
raise e
s = rpc.get_smb_connection()
# We don't wanna deal with timeouts from now on.
s.setTimeout(100000)
try:
dce.bind(svcctl.MSRPC_UUID_SVCCTL)
self.rpcsvc = svcctl.DCERPCSvcCtl(dce)
resp = self.rpcsvc.OpenSCManagerW()
self.__scHandle = resp['ContextHandle']
self.transferClient = rpc.get_smb_connection()
except Exception as e:
print "[!] {}".format(e)
def openSvcManager(self):
print "[*] Opening SVCManager on %s....." % self.client.get_remote_host(),
# Setup up a DCE SMBTransport with the connection already in place
self._rpctransport = transport.SMBTransport('','',filename = r'\svcctl', smb_server = self.client)
self._dce = dcerpc.DCERPC_v5(self._rpctransport)
self._dce.connect()
self._dce.bind(svcctl.MSRPC_UUID_SVCCTL)
self.rpcsvc = svcctl.DCERPCSvcCtl(self._dce)
resp = self.rpcsvc.OpenSCManagerW()
if resp['ErrorCode'] == 0:
print "OK"
return resp['ContextHandle']
else:
print "ERROR"
return 0
def finish(self):
# Just in case the service is still created
try:
dce = self.__rpc.get_dce_rpc()
dce.connect()
dce.bind(svcctl.MSRPC_UUID_SVCCTL)
self.rpcsvc = svcctl.DCERPCSvcCtl(dce)
resp = self.rpcsvc.OpenSCManagerW()
self.__scHandle = resp['ContextHandle']
resp = self.rpcsvc.OpenServiceW(self.__scHandle,
self.__serviceName)
service = resp['ContextHandle']
self.rpcsvc.DeleteService(service)
self.rpcsvc.StopService(service)
self.rpcsvc.CloseServiceHandle(service)
except Exception, e:
pass
def openSvcManager(self):
#print "[*] Opening SVCManager on %s....." % self.connection.getRemoteHost()
# Setup up a DCE SMBTransport with the connection already in place
self._rpctransport = transport.SMBTransport(
'', '', filename=r'\svcctl', smb_connection=self.connection)
self._dce = dcerpc.DCERPC_v5(self._rpctransport)
self._dce.connect()
self._dce.bind(svcctl.MSRPC_UUID_SVCCTL)
self.rpcsvc = svcctl.DCERPCSvcCtl(self._dce)
try:
resp = self.rpcsvc.OpenSCManagerW()
except:
print "[!] Error opening SVCManager on %s....." % self.connection.getRemoteHost(
)
return 0
else:
return resp['ContextHandle']
def doStuff(self, rpctransport):
# UDP only works over DCE/RPC version 4.
if isinstance(rpctransport, transport.UDPTransport):
dce = dcerpc_v4.DCERPC_v4(rpctransport)
else:
dce = dcerpc.DCERPC_v5(rpctransport)
#dce.set_credentials(self.__username, self.__password)
dce.connect()
#dce.set_max_fragment_size(1)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)
dce.bind(svcctl.MSRPC_UUID_SVCCTL)
rpc = svcctl.DCERPCSvcCtl(dce)
ans = rpc.OpenSCManagerW()
scManagerHandle = ans['ContextHandle']
ans = rpc.OpenServiceW(scManagerHandle,
self.__service_name.encode('utf-16le'))
serviceHandle = ans['ContextHandle']
if self.__action.upper() == 'START':
print "Starting service %s" % self.__service_name
rpc.StartServiceW(serviceHandle)
rpc.CloseServiceHandle(serviceHandle)
elif self.__action.upper() == 'STOP':
print "Stopping service %s" % self.__service_name
rpc.StopService(serviceHandle)
rpc.CloseServiceHandle(serviceHandle)
elif self.__action.upper() == 'DELETE':
print "Deleting service %s" % self.__service_name
rpc.DeleteService(serviceHandle)
rpc.CloseServiceHandle(serviceHandle)
elif self.__action.upper() == 'CONFIG':
print "Querying service config for %s" % self.__service_name
resp = rpc.QueryServiceConfigW(serviceHandle)
print "TYPE : %2d - " % resp['QueryConfig'][
'ServiceType'],
if resp['QueryConfig']['ServiceType'] == 0x1:
print "SERVICE_KERNLE_DRIVER"
elif resp['QueryConfig']['ServiceType'] == 0x2:
print "SERVICE_FILE_SYSTEM_DRIVER"
elif resp['QueryConfig']['ServiceType'] == 0x10:
print "SERVICE_WIN32_OWN_PROCESS"
elif resp['QueryConfig']['ServiceType'] == 0x20:
print "SERVICE_WIN32_SHARE_PROCESS"
else:
print "UNKOWN"
print "START_TYPE : %2d - " % resp['QueryConfig'][
'StartType'],
if resp['QueryConfig']['StartType'] == 0x0:
print "BOOT START"
elif resp['QueryConfig']['StartType'] == 0x1:
print "SYSTEM START"
elif resp['QueryConfig']['StartType'] == 0x2:
print "AUTO START"
elif resp['QueryConfig']['StartType'] == 0x3:
print "DEMAND START"
elif resp['QueryConfig']['StartType'] == 0x4:
print "DISABLED"
else:
print "UNKOWN"
print "ERROR_CONTROL : %2d - " % resp['QueryConfig'][
'ErrorControl'],
if resp['QueryConfig']['ErrorControl'] == 0x0:
print "IGNORE"
elif resp['QueryConfig']['ErrorControl'] == 0x1:
print "NORMAL"
elif resp['QueryConfig']['ErrorControl'] == 0x2:
print "SEVERE"
elif resp['QueryConfig']['ErrorControl'] == 0x3:
print "CRITICAL"
else:
print "UNKOWN"
print "BINARY_PATH_NAME : %s" % resp['QueryConfig'][
'BinaryPathName'].decode('utf-16le')
print "LOAD_ORDER_GROUP : %s" % resp['QueryConfig'][
'LoadOrderGroup'].decode('utf-16le')
print "TAG : %d" % resp['QueryConfig']['TagID']
print "DISPLAY_NAME : %s" % resp['QueryConfig'][
'DisplayName'].decode('utf-16le')
print "DEPENDENCIES : %s" % resp['QueryConfig'][
'Dependencies'].decode('utf-16le').replace('/', ' - ')
print "SERVICE_START_NAME: %s" % resp['QueryConfig'][
'ServiceStartName'].decode('utf-16le')
elif self.__action.upper() == 'STATUS':
print "Querying status for %s" % self.__service_name
resp = rpc.QueryServiceStatus(serviceHandle)
print "%30s - " % (self.__service_name),
state = resp['CurrentState']
if state == svcctl.SERVICE_CONTINUE_PENDING:
print "CONTINUE PENDING"
elif state == svcctl.SERVICE_PAUSE_PENDING:
print "PAUSE PENDING"
elif state == svcctl.SERVICE_PAUSED:
print "PAUSED"
elif state == svcctl.SERVICE_RUNNING:
print "RUNNING"
elif state == svcctl.SERVICE_START_PENDING:
print "START PENDING"
elif state == svcctl.SERVICE_STOP_PENDING:
print "STOP PENDING"
elif state == svcctl.SERVICE_STOPPED:
print "STOPPED"
else:
print "UNKOWN"
elif self.__action.upper() == 'LIST':
print "Listing services available on target"
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_SHARE_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_OWN_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, serviceType = svcctl.SERVICE_FILE_SYSTEM_DRIVER, serviceState = svcctl.SERVICE_STATE_ALL )
resp = rpc.EnumServicesStatusW(scManagerHandle)
for i in range(len(resp)):
print "%30s - %70s - " % (resp[i]['ServiceName'].decode(
'utf-16'), resp[i]['DisplayName'].decode('utf-16')),
state = resp[i]['CurrentState']
if state == svcctl.SERVICE_CONTINUE_PENDING:
print "CONTINUE PENDING"
elif state == svcctl.SERVICE_PAUSE_PENDING:
print "PAUSE PENDING"
elif state == svcctl.SERVICE_PAUSED:
print "PAUSED"
elif state == svcctl.SERVICE_RUNNING:
print "RUNNING"
elif state == svcctl.SERVICE_START_PENDING:
print "START PENDING"
elif state == svcctl.SERVICE_STOP_PENDING:
print "STOP PENDING"
elif state == svcctl.SERVICE_STOPPED:
print "STOPPED"
else:
print "UNKOWN"
print "Total Services: %d" % len(resp)
else:
print "Unknown action %s" % self.__action
rpc.CloseServiceHandle(scManagerHandle)
dce.disconnect()
return
