def __checkServiceStatus(self):
# Open SC Manager
ans = scmr.hROpenSCManagerW(self.__scmr)
self.__scManagerHandle = ans['lpScHandle']
# Now let's open the service
ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, self.__serviceName)
self.__serviceHandle = ans['lpServiceHandle']
# Let's check its status
ans = scmr.hRQueryServiceStatus(self.__scmr, self.__serviceHandle)
if ans['lpServiceStatus']['dwCurrentState'] == scmr.SERVICE_STOPPED:
logging.info('Service %s is in stopped state'% self.__serviceName)
self.__shouldStop = True
self.__started = False
elif ans['lpServiceStatus']['dwCurrentState'] == scmr.SERVICE_RUNNING:
logging.debug('Service %s is already running'% self.__serviceName)
self.__shouldStop = False
self.__started = True
else:
raise Exception('Unknown service state 0x%x - Aborting' % ans['CurrentState'])
# Let's check its configuration if service is stopped, maybe it's disabled :s
if self.__started is False:
ans = scmr.hRQueryServiceConfigW(self.__scmr,self.__serviceHandle)
if ans['lpServiceConfig']['dwStartType'] == 0x4:
logging.info('Service %s is disabled, enabling it'% self.__serviceName)
self.__disabled = True
scmr.hRChangeServiceConfigW(self.__scmr, self.__serviceHandle, dwStartType = 0x3)
logging.info('Starting service %s' % self.__serviceName)
scmr.hRStartServiceW(self.__scmr,self.__serviceHandle)
time.sleep(1)
def test_create_change_delete(self):
dce, rpctransport, scHandle = self.connect()
#####################
# Create / Change / Query / Delete a service
lpServiceName = 'TESTSVC\x00'
lpDisplayName = 'DisplayName\x00'
dwDesiredAccess = scmr.SERVICE_ALL_ACCESS
dwServiceType = scmr.SERVICE_WIN32_OWN_PROCESS
dwStartType = scmr.SERVICE_DEMAND_START
dwErrorControl = scmr.SERVICE_ERROR_NORMAL
lpBinaryPathName = 'binaryPath\x00'
lpLoadOrderGroup = NULL
lpdwTagId = NULL
lpDependencies = NULL
dwDependSize = 0
lpServiceStartName = NULL
lpPassword = NULL
dwPwSize = 0
resp = scmr.hRCreateServiceW(dce, scHandle, lpServiceName, lpDisplayName, dwDesiredAccess, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize)
resp.dump()
newHandle = resp['lpServiceHandle']
# Aca hay que chequear cada uno de los items
cbBufSize = 0
try:
resp = scmr.hRQueryServiceConfigW(dce, newHandle)
except Exception, e:
if str(e).find('ERROR_INSUFFICIENT_BUFFER') <= 0:
raise
else:
resp = e.get_packet()
def __checkServiceStatus(self):
# Open SC Manager
ans = scmr.hROpenSCManagerW(self.__scmr)
self.__scManagerHandle = ans['lpScHandle']
# Now let's open the service
ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle,
self.__serviceName)
self.__serviceHandle = ans['lpServiceHandle']
# Let's check its status
ans = scmr.hRQueryServiceStatus(self.__scmr, self.__serviceHandle)
if ans['lpServiceStatus']['dwCurrentState'] == scmr.SERVICE_STOPPED:
logging.info('Service %s is in stopped state' % self.__serviceName)
self.__shouldStop = True
self.__started = False
elif ans['lpServiceStatus']['dwCurrentState'] == scmr.SERVICE_RUNNING:
logging.debug('Service %s is already running' % self.__serviceName)
self.__shouldStop = False
self.__started = True
else:
raise Exception('Unknown service state 0x%x - Aborting' %
ans['CurrentState'])
# Let's check its configuration if service is stopped, maybe it's disabled :s
if self.__started is False:
ans = scmr.hRQueryServiceConfigW(self.__scmr, self.__serviceHandle)
if ans['lpServiceConfig']['dwStartType'] == 0x4:
logging.info('Service %s is disabled, enabling it' %
self.__serviceName)
self.__disabled = True
scmr.hRChangeServiceConfigW(self.__scmr,
self.__serviceHandle,
dwStartType=0x3)
logging.info('Starting service %s' % self.__serviceName)
scmr.hRStartServiceW(self.__scmr, self.__serviceHandle)
time.sleep(1)
def changeServiceAndQuery(self, dce, cbBufSize, hService, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName):
try:
resp = scmr.hRChangeServiceConfigW( dce, hService, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
resp = scmr.hRQueryServiceConfigW(dce, hService)
resp.dump()
# Now let's compare all the results
if dwServiceType != scmr.SERVICE_NO_CHANGE:
self.assertTrue( resp['lpServiceConfig']['dwServiceType'] == dwServiceType )
if dwStartType != scmr.SERVICE_NO_CHANGE:
self.assertTrue( resp['lpServiceConfig']['dwStartType'] == dwStartType )
if dwErrorControl != scmr.SERVICE_NO_CHANGE:
self.assertTrue( resp['lpServiceConfig']['dwErrorControl'] == dwErrorControl )
if lpBinaryPathName != NULL:
self.assertTrue( resp['lpServiceConfig']['lpBinaryPathName'] == lpBinaryPathName )
if lpBinaryPathName != NULL:
self.assertTrue( resp['lpServiceConfig']['lpBinaryPathName'] == lpBinaryPathName )
if lpLoadOrderGroup != NULL:
self.assertTrue( resp['lpServiceConfig']['lpLoadOrderGroup'] == lpLoadOrderGroup )
#if lpDependencies != '':
# self.assertTrue( resp['lpServiceConfig']['lpDependencies'] == lpDependencies[:-4]+'/\x00\x00\x00')
if lpServiceStartName != NULL:
self.assertTrue( resp['lpServiceConfig']['lpServiceStartName'] == lpServiceStartName )
if lpDisplayName != NULL:
self.assertTrue( resp['lpServiceConfig']['lpDisplayName'] == lpDisplayName )
#if lpdwTagId != scmr.SERVICE_NO_CHANGE:
# if resp['lpServiceConfig']['dwTagId']['Data'] != lpdwTagId:
# print "ERROR %s" % 'lpdwTagId'
except:
resp = scmr.hRDeleteService(dce, hService)
raise
def rpc_get_services(self):
"""
Query services with stored credentials via RPC.
These credentials can be dumped with mimikatz via lsadump::secrets or via secretsdump.py
"""
binding = r'ncacn_np:%s[\PIPE\svcctl]' % self.addr
serviceusers = []
dce = self.dce_rpc_connect(binding, scmr.MSRPC_UUID_SCMR)
if dce is None:
logging.warning('Connection failed: %s', binding)
return
try:
resp = scmr.hROpenSCManagerW(dce)
scManagerHandle = resp['lpScHandle']
# TODO: Figure out if filtering out service types makes sense
resp = scmr.hREnumServicesStatusW(
dce,
scManagerHandle,
dwServiceType=scmr.SERVICE_WIN32_OWN_PROCESS,
dwServiceState=scmr.SERVICE_STATE_ALL)
# TODO: Skip well-known services to save on traffic
for i in range(len(resp)):
try:
ans = scmr.hROpenServiceW(dce, scManagerHandle,
resp[i]['lpServiceName'][:-1])
serviceHandle = ans['lpServiceHandle']
svcresp = scmr.hRQueryServiceConfigW(dce, serviceHandle)
svc_user = svcresp['lpServiceConfig'][
'lpServiceStartName'][:-1]
if '@' in svc_user:
logging.info(
"Found user service: %s running as %s on %s",
resp[i]['lpServiceName'][:-1], svc_user,
self.hostname)
serviceusers.append(svc_user)
except DCERPCException as e:
if 'rpc_s_access_denied' not in str(e):
logging.debug(
'Exception querying service %s via RPC: %s',
resp[i]['lpServiceName'][:-1], e)
except DCERPCException as e:
logging.debug('Exception connecting to RPC: %s', e)
except Exception as e:
if 'connection reset' in str(e):
logging.debug('Connection was reset: %s', e)
else:
raise e
dce.disconnect()
return serviceusers
def getServiceAccount(self, serviceName):
try:
# Open the service
ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, serviceName)
serviceHandle = ans['lpServiceHandle']
resp = scmr.hRQueryServiceConfigW(self.__scmr, serviceHandle)
account = resp['lpServiceConfig']['lpServiceStartName'][:-1]
scmr.hRCloseServiceHandle(self.__scmr, serviceHandle)
if account.startswith('.\\'):
account = account[2:]
return account
except Exception, e:
logging.error(e)
return None
def __scmr_config(self, srvname, return_answer=False):
'''
Display a service configuration
'''
logger.info('Querying the service configuration of service %s' %
srvname)
resp = scmr.hRQueryServiceConfigW(self.__rpc, self.__service_handle)
if return_answer:
return resp
print('Service %s information:' % srvname)
self.__scmr_parse_config(resp)
def getServiceAccount(self, serviceName):
try:
# Open the service
ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, serviceName)
serviceHandle = ans['lpServiceHandle']
resp = scmr.hRQueryServiceConfigW(self.__scmr, serviceHandle)
account = resp['lpServiceConfig']['lpServiceStartName'][:-1]
scmr.hRCloseServiceHandle(self.__scmr, serviceHandle)
if account.startswith('.\\'):
account = account[2:]
return account
except Exception, e:
logging.error(e)
return None
def undeploy(self, srvname):
self.oldpwd = self.pwd
self.pwd = '\\'
self.__scmr_connect()
self.__scmr_srv_manager(srvname)
resp = scmr.hRQueryServiceConfigW(self.__rpc, self.__service_handle)
remote_file = resp['lpServiceConfig']['lpBinaryPathName'][:-1]
remote_file = str(os.path.basename(remote_file.replace('\\', '/')))
if self.__scmr_state(srvname, return_state=True) == 'RUNNING':
self.__scmr_stop(srvname)
self.__scmr_delete(srvname)
self.__scmr_disconnect(srvname)
self.__scmr_bin_remove(remote_file)
self.pwd = self.oldpwd
def exec(self, command):
if not super().exec(command):
return False
try:
stringbinding = r'ncacn_np:%s[\pipe\svcctl]' % self.session.address
logging.debug('StringBinding %s' % stringbinding)
self._rpctransport = transport.DCERPCTransportFactory(stringbinding)
self._rpctransport.set_dport(445)
self._rpctransport.setRemoteHost(self.session.address)
if hasattr(self._rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
self._rpctransport.set_credentials(self.session.username, self.session.password, self.session.domain,
self.session.lmhash, self.session.nthash, self.session.aesKey)
self._rpctransport.set_kerberos(self.session.kerberos, self.session.dc_ip)
self._scmr = self._rpctransport.get_dce_rpc()
try:
self._scmr.connect()
except Exception as e:
raise Exception("An error occurred while connecting to SVCCTL: %s" % e)
s = self._rpctransport.get_smb_connection()
s.setTimeout(100000)
self._scmr.bind(scmr.MSRPC_UUID_SCMR)
resp = scmr.hROpenSCManagerW(self._scmr)
_scHandle = resp['lpScHandle']
resp = scmr.hROpenServiceW(self._scmr, _scHandle, self._serviceName)
self._service = resp['lpServiceHandle']
resp = scmr.hRQueryServiceConfigW(self._scmr, self._service)
self._binaryPath = resp['lpServiceConfig']['lpBinaryPathName']
self._startType = resp['lpServiceConfig']['dwStartType']
self._errorControl = resp['lpServiceConfig']['dwErrorControl']
logging.info('({}) Current service binary path {}'.format(self._serviceName, self._binaryPath))
scmr.hRChangeServiceConfigW(
self._scmr,
self._service,
scmr.SERVICE_NO_CHANGE,
scmr.SERVICE_DEMAND_START,
scmr.SERVICE_ERROR_IGNORE,
command,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
)
try:
scmr.hRStartServiceW(self._scmr, self._service)
logging.debug("Service %s restarted for command execution" % self._serviceName)
except:
pass
try:
scmr.hRChangeServiceConfigW(
self._scmr,
self._service,
scmr.SERVICE_NO_CHANGE,
self._startType,
self._errorControl,
self._binaryPath,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
)
logging.info('({}) Service binary path has been restored'.format(self._serviceName))
self._startType = ""
self._errorControl = ""
self._binaryPath = ""
except Exception as e:
self.clean()
raise Exception(e)
self.clean()
except KeyboardInterrupt as e:
logging.debug("Keyboard interrupt: Trying to restore %s if it exists" % self._serviceName)
self.clean()
raise KeyboardInterrupt(e)
except Exception as e:
self.clean()
raise Exception(e)
return True
def doStuff(self, rpctransport):
dce = rpctransport.get_dce_rpc()
#dce.set_credentials(self.__username, self.__password)
dce.connect()
#dce.set_max_fragment_size(1)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)
dce.bind(scmr.MSRPC_UUID_SCMR)
#rpc = svcctl.DCERPCSvcCtl(dce)
rpc = dce
ans = scmr.hROpenSCManagerW(rpc)
scManagerHandle = ans['lpScHandle']
if self.__action != 'LIST' and self.__action != 'CREATE':
ans = scmr.hROpenServiceW(rpc, scManagerHandle, self.__options.service_name+'\x00')
serviceHandle = ans['lpServiceHandle']
if self.__action == 'START':
self.__logger.success("Starting service {}".format(self.__options.service_name))
scmr.hRStartServiceW(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'STOP':
self.__logger.success("Stopping service {}".format(self.__options.service_name))
scmr.hRControlService(rpc, serviceHandle, scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'DELETE':
self.__logger.success("Deleting service {}".format(self.__options.service_name))
scmr.hRDeleteService(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'CONFIG':
self.__logger.success("Service config for {}".format(self.__options.service_name))
resp = scmr.hRQueryServiceConfigW(rpc, serviceHandle)
output = "TYPE : %2d - " % resp['lpServiceConfig']['dwServiceType']
if resp['lpServiceConfig']['dwServiceType'] & 0x1:
output += "SERVICE_KERNEL_DRIVER "
if resp['lpServiceConfig']['dwServiceType'] & 0x2:
output += "SERVICE_FILE_SYSTEM_DRIVER "
if resp['lpServiceConfig']['dwServiceType'] & 0x10:
output += "SERVICE_WIN32_OWN_PROCESS "
if resp['lpServiceConfig']['dwServiceType'] & 0x20:
output += "SERVICE_WIN32_SHARE_PROCESS "
if resp['lpServiceConfig']['dwServiceType'] & 0x100:
output += "SERVICE_INTERACTIVE_PROCESS "
self.__logger.results(output)
output = "START_TYPE : %2d - " % resp['lpServiceConfig']['dwStartType']
if resp['lpServiceConfig']['dwStartType'] == 0x0:
output += "BOOT START"
elif resp['lpServiceConfig']['dwStartType'] == 0x1:
output += "SYSTEM START"
elif resp['lpServiceConfig']['dwStartType'] == 0x2:
output += "AUTO START"
elif resp['lpServiceConfig']['dwStartType'] == 0x3:
output += "DEMAND START"
elif resp['lpServiceConfig']['dwStartType'] == 0x4:
output += "DISABLED"
else:
output += "UNKOWN"
self.logger.results(output)
output = "ERROR_CONTROL : %2d - " % resp['lpServiceConfig']['dwErrorControl']
if resp['lpServiceConfig']['dwErrorControl'] == 0x0:
output += "IGNORE"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x1:
output += "NORMAL"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x2:
output += "SEVERE"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x3:
output += "CRITICAL"
else:
output += "UNKOWN"
self.__logger.results(output)
self.__logger.results("BINARY_PATH_NAME : %s" % resp['lpServiceConfig']['lpBinaryPathName'][:-1])
self.__logger.results("LOAD_ORDER_GROUP : %s" % resp['lpServiceConfig']['lpLoadOrderGroup'][:-1])
self.__logger.results("TAG : %d" % resp['lpServiceConfig']['dwTagId'])
self.__logger.results("DISPLAY_NAME : %s" % resp['lpServiceConfig']['lpDisplayName'][:-1])
self.__logger.results("DEPENDENCIES : %s" % resp['lpServiceConfig']['lpDependencies'][:-1])
self.__logger.results("SERVICE_START_NAME: %s" % resp['lpServiceConfig']['lpServiceStartName'][:-1])
elif self.__action == 'STATUS':
self.__logger.success("Service status for {}".format(self.__options.service_name))
resp = scmr.hRQueryServiceStatus(rpc, serviceHandle)
output = "%s - " % self.__options.service_name
state = resp['lpServiceStatus']['dwCurrentState']
if state == scmr.SERVICE_CONTINUE_PENDING:
output += "CONTINUE PENDING"
elif state == scmr.SERVICE_PAUSE_PENDING:
output += "PAUSE PENDING"
elif state == scmr.SERVICE_PAUSED:
output += "PAUSED"
elif state == scmr.SERVICE_RUNNING:
output += "RUNNING"
elif state == scmr.SERVICE_START_PENDING:
output += "START PENDING"
elif state == scmr.SERVICE_STOP_PENDING:
output += "STOP PENDING"
elif state == scmr.SERVICE_STOPPED:
output += "STOPPED"
else:
output += "UNKOWN"
self.__logger.results(output)
elif self.__action == 'LIST':
self.__logger.success("Enumerating services")
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_SHARE_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_OWN_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, serviceType = svcctl.SERVICE_FILE_SYSTEM_DRIVER, serviceState = svcctl.SERVICE_STATE_ALL )
resp = scmr.hREnumServicesStatusW(rpc, scManagerHandle)
for i in range(len(resp)):
output = "%30s - %70s - " % (resp[i]['lpServiceName'][:-1], resp[i]['lpDisplayName'][:-1])
state = resp[i]['ServiceStatus']['dwCurrentState']
if state == scmr.SERVICE_CONTINUE_PENDING:
output += "CONTINUE PENDING"
elif state == scmr.SERVICE_PAUSE_PENDING:
output += "PAUSE PENDING"
elif state == scmr.SERVICE_PAUSED:
output += "PAUSED"
elif state == scmr.SERVICE_RUNNING:
output += "RUNNING"
elif state == scmr.SERVICE_START_PENDING:
output += "START PENDING"
elif state == scmr.SERVICE_STOP_PENDING:
output += "STOP PENDING"
elif state == scmr.SERVICE_STOPPED:
output += "STOPPED"
else:
output += "UNKOWN"
self.__logger.results(output)
self.__logger.results("Total Services: {}".format(len(resp)))
elif self.__action == 'CREATE':
self.__logger.success("Creating service {}".format(self.__options.service_name))
scmr.hRCreateServiceW(rpc, scManagerHandle,self.__options.service_name + '\x00', self.__options.service_display_name + '\x00', lpBinaryPathName=self.__options.service_bin_path + '\x00')
elif self.__action == 'CHANGE':
self.__logger.success("Changing service config for {}".format(self.__options.service_name))
if self.__options.start_type is not None:
start_type = int(self.__options.start_type)
else:
start_type = scmr.SERVICE_NO_CHANGE
if self.__options.service_type is not None:
service_type = int(self.__options.service_type)
else:
service_type = scmr.SERVICE_NO_CHANGE
if self.__options.service_display_name is not None:
display = self.__options.service_display_name + '\x00'
else:
display = NULL
if self.__options.service_bin_path is not None:
path = self.__options.service_bin_path + '\x00'
else:
path = NULL
if self.__options.start_name is not None:
start_name = self.__options.start_name + '\x00'
else:
start_name = NULL
if self.__options.start_pass is not None:
s = rpctransport.get_smb_connection()
key = s.getSessionKey()
try:
password = (self.__options.start_pass+'\x00').encode('utf-16le')
except UnicodeDecodeError:
import sys
password = (self.__options.start_pass+'\x00').decode(sys.getfilesystemencoding()).encode('utf-16le')
password = encryptSecret(key, password)
else:
password = NULL
#resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle, display, path, service_type, start_type, start_name, password)
scmr.hRChangeServiceConfigW(rpc, serviceHandle, service_type, start_type, scmr.SERVICE_ERROR_IGNORE, path, NULL, NULL, NULL, 0, start_name, password, 0, display)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
else:
logging.error("Unknown action %s" % self.__action)
scmr.hRCloseServiceHandle(rpc, scManagerHandle)
dce.disconnect()
return
def run(
self,
remoteName,
remoteHost,
serviceName,
noCmd,
):
exitCli = False
stringBinding = epm.hept_map(remoteName,
scmr.MSRPC_UUID_SCMR,
protocol='ncacn_ip_tcp')
rpctransport = transport.DCERPCTransportFactory(stringBinding)
logging.debug('binding to %s' % stringBinding)
rpctransport.set_credentials(
self.__username,
self.__password,
self.__domain,
self.__lmhash,
self.__nthash,
self.__aesKey,
)
rpctransport.set_kerberos(self.__doKerberos, self.__kdcHost)
self.__scmr = rpctransport.get_dce_rpc()
self.__scmr.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
try:
self.__scmr.connect()
except Exception as e:
logging.critical(str(e))
sys.exit(1)
self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
resp = scmr.hROpenSCManagerW(self.__scmr)
scHandle = resp['lpScHandle']
logging.debug('Opening service %s' % serviceName)
resp = scmr.hROpenServiceW(self.__scmr, scHandle, serviceName)
serviceHandle = resp['lpServiceHandle']
resp = scmr.hRQueryServiceConfigW(self.__scmr, serviceHandle)
binaryPath = resp['lpServiceConfig']['lpBinaryPathName']
startType = resp['lpServiceConfig']['dwStartType']
errorControl = resp['lpServiceConfig']['dwErrorControl']
logging.debug('(%s) Current service binary path %s' %
(serviceName, binaryPath))
logging.info('Command need to use FULL path. No command output.')
while not exitCli:
userCommand = capture_input('SCShell>')
if not userCommand == 'exit':
if not noCmd:
userCommand = 'C:\windows\system32\cmd.exe /c %s' % userCommand
logging.debug('(%s) Updating service binary path to %s' %
(serviceName, userCommand))
resp = scmr.hRChangeServiceConfigW(
self.__scmr,
serviceHandle,
scmr.SERVICE_NO_CHANGE,
scmr.SERVICE_DEMAND_START,
scmr.SERVICE_ERROR_IGNORE,
userCommand,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
)
logging.debug('Starting service %s' % serviceName)
try:
scmr.hRStartServiceW(self.__scmr, serviceHandle)
except Exception as e:
error = str(e)
# ignoring error 1053 ERROR_SERVICE_REQUEST_TIMEOUT since it will happen if the target binary is not a service
if error.find('ERROR_SERVICE_REQUEST_TIMEOUT') == -1:
logging.critical(error)
time.sleep(5)
logging.debug('(%s) Reverting binary path to %s' %
(serviceName, binaryPath))
resp = scmr.hRChangeServiceConfigW(
self.__scmr,
serviceHandle,
scmr.SERVICE_NO_CHANGE,
startType,
errorControl,
binaryPath,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
NULL,
)
logging.info('Command Executed')
else:
exitCli = True
scmr.hRCloseServiceHandle(self.__scmr, serviceHandle)
scmr.hRCloseServiceHandle(self.__scmr, scHandle)
self.__scmr.disconnect()
def test_create_change_delete(self):
dce, rpctransport, scHandle = self.connect()
#####################
# Create / Change / Query / Delete a service
lpServiceName = 'TESTSVC\x00'
lpDisplayName = 'DisplayName\x00'
dwDesiredAccess = scmr.SERVICE_ALL_ACCESS
dwServiceType = scmr.SERVICE_WIN32_OWN_PROCESS
dwStartType = scmr.SERVICE_DEMAND_START
dwErrorControl = scmr.SERVICE_ERROR_NORMAL
lpBinaryPathName = 'binaryPath\x00'
lpLoadOrderGroup = NULL
lpdwTagId = NULL
lpDependencies = NULL
dwDependSize = 0
lpServiceStartName = NULL
lpPassword = NULL
dwPwSize = 0
resp = scmr.hRCreateServiceW(dce, scHandle, lpServiceName, lpDisplayName, dwDesiredAccess, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize)
resp.dump()
newHandle = resp['lpServiceHandle']
# Aca hay que chequear cada uno de los items
cbBufSize = 0
try:
resp = scmr.hRQueryServiceConfigW(dce, newHandle)
except Exception as e:
if str(e).find('ERROR_INSUFFICIENT_BUFFER') <= 0:
raise
else:
resp = e.get_packet()
resp.dump()
cbBufSize = resp['pcbBytesNeeded']+100
# Now that we have cbBufSize, let's start changing everything on the service
dwServiceType = scmr.SERVICE_WIN32_SHARE_PROCESS
dwStartType = scmr.SERVICE_NO_CHANGE
dwErrorControl = scmr.SERVICE_NO_CHANGE
lpBinaryPathName = NULL
lpLoadOrderGroup = NULL
lpDependencies = NULL
dwDependSize = 0
lpServiceStartName = NULL
lpPassword = NULL
dwPwSize = 0
lpDisplayName = NULL
lpdwTagId = NULL
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
dwServiceType = scmr.SERVICE_NO_CHANGE
dwStartType = scmr.SERVICE_DISABLED
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
dwStartType = scmr.SERVICE_NO_CHANGE
dwErrorControl = scmr.SERVICE_ERROR_SEVERE
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
dwErrorControl = scmr.SERVICE_NO_CHANGE
lpBinaryPathName = 'BETOBETO\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpBinaryPathName = NULL
lpLoadOrderGroup = 'KKKK\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpLoadOrderGroup = NULL
#lpdwTagId = [0]
#self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
#lpdwTagId = ''
lpDependencies = 'RemoteRegistry\x00\x00'.encode('utf-16le')
dwDependSize = len(lpDependencies)
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpDependencies = NULL
dwDependSize = 0
lpServiceStartName = '.\\Administrator\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpServiceStartName = NULL
if self.__class__.__name__ == 'SMBTransport':
lpPassword = '******'.encode('utf-16le')
s = rpctransport.get_smb_connection()
key = s.getSessionKey()
lpPassword = encryptSecret(key, lpPassword)
dwPwSize = len(lpPassword)
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpPassword = NULL
dwPwSize = 0
lpDisplayName = 'MANOLO\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
scmr.hRDeleteService(dce, newHandle)
scmr.hRCloseServiceHandle(dce, newHandle)
scmr.hRCloseServiceHandle(dce, scHandle)
def doStuff(self, rpctransport):
dce = rpctransport.get_dce_rpc()
#dce.set_credentials(self.__username, self.__password)
dce.connect()
#dce.set_max_fragment_size(1)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)
dce.bind(scmr.MSRPC_UUID_SCMR)
#rpc = svcctl.DCERPCSvcCtl(dce)
rpc = dce
ans = scmr.hROpenSCManagerW(rpc)
scManagerHandle = ans['lpScHandle']
if self.__action != 'LIST' and self.__action != 'CREATE':
ans = scmr.hROpenServiceW(rpc, scManagerHandle,
self.__options.service_name + '\x00')
serviceHandle = ans['lpServiceHandle']
if self.__action == 'START':
self.__logger.success(u"Starting service {}".format(
unicode(self.__options.service_name, 'utf-8')))
scmr.hRStartServiceW(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'STOP':
self.__logger.success(u"Stopping service {}".format(
unicode(self.__options.service_name, 'utf-8')))
scmr.hRControlService(rpc, serviceHandle,
scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'DELETE':
self.__logger.success(u"Deleting service {}".format(
unicode(self.__options.service_name, 'utf-8')))
scmr.hRDeleteService(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'CONFIG':
self.__logger.success(u"Service config for {}".format(
unicode(self.__options.service_name, 'utf-8')))
resp = scmr.hRQueryServiceConfigW(rpc, serviceHandle)
output = "TYPE : %2d - " % resp['lpServiceConfig'][
'dwServiceType']
if resp['lpServiceConfig']['dwServiceType'] & 0x1:
output += "SERVICE_KERNEL_DRIVER "
if resp['lpServiceConfig']['dwServiceType'] & 0x2:
output += "SERVICE_FILE_SYSTEM_DRIVER "
if resp['lpServiceConfig']['dwServiceType'] & 0x10:
output += "SERVICE_WIN32_OWN_PROCESS "
if resp['lpServiceConfig']['dwServiceType'] & 0x20:
output += "SERVICE_WIN32_SHARE_PROCESS "
if resp['lpServiceConfig']['dwServiceType'] & 0x100:
output += "SERVICE_INTERACTIVE_PROCESS "
self.__logger.results(output)
output = "START_TYPE : %2d - " % resp['lpServiceConfig'][
'dwStartType']
if resp['lpServiceConfig']['dwStartType'] == 0x0:
output += "BOOT START"
elif resp['lpServiceConfig']['dwStartType'] == 0x1:
output += "SYSTEM START"
elif resp['lpServiceConfig']['dwStartType'] == 0x2:
output += "AUTO START"
elif resp['lpServiceConfig']['dwStartType'] == 0x3:
output += "DEMAND START"
elif resp['lpServiceConfig']['dwStartType'] == 0x4:
output += "DISABLED"
else:
output += "UNKOWN"
self.__logger.results(output)
output = "ERROR_CONTROL : %2d - " % resp['lpServiceConfig'][
'dwErrorControl']
if resp['lpServiceConfig']['dwErrorControl'] == 0x0:
output += "IGNORE"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x1:
output += "NORMAL"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x2:
output += "SEVERE"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x3:
output += "CRITICAL"
else:
output += "UNKOWN"
self.__logger.results(output)
self.__logger.results(
"BINARY_PATH_NAME : %s" %
resp['lpServiceConfig']['lpBinaryPathName'][:-1])
self.__logger.results(
"LOAD_ORDER_GROUP : %s" %
resp['lpServiceConfig']['lpLoadOrderGroup'][:-1])
self.__logger.results("TAG : %d" %
resp['lpServiceConfig']['dwTagId'])
self.__logger.results(
"DISPLAY_NAME : %s" %
resp['lpServiceConfig']['lpDisplayName'][:-1])
self.__logger.results(
"DEPENDENCIES : %s" %
resp['lpServiceConfig']['lpDependencies'][:-1])
self.__logger.results(
"SERVICE_START_NAME: %s" %
resp['lpServiceConfig']['lpServiceStartName'][:-1])
elif self.__action == 'STATUS':
self.__logger.success(u"Service status for {}".format(
unicode(self.__options.service_name, 'utf-8')))
resp = scmr.hRQueryServiceStatus(rpc, serviceHandle)
output = u"%s - " % format(
unicode(self.__options.service_name, 'utf-8'))
state = resp['lpServiceStatus']['dwCurrentState']
if state == scmr.SERVICE_CONTINUE_PENDING:
output += "CONTINUE PENDING"
elif state == scmr.SERVICE_PAUSE_PENDING:
output += "PAUSE PENDING"
elif state == scmr.SERVICE_PAUSED:
output += "PAUSED"
elif state == scmr.SERVICE_RUNNING:
output += "RUNNING"
elif state == scmr.SERVICE_START_PENDING:
output += "START PENDING"
elif state == scmr.SERVICE_STOP_PENDING:
output += "STOP PENDING"
elif state == scmr.SERVICE_STOPPED:
output += "STOPPED"
else:
output += "UNKOWN"
self.__logger.results(output)
elif self.__action == 'LIST':
self.__logger.success("Enumerating services")
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_SHARE_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_OWN_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, serviceType = svcctl.SERVICE_FILE_SYSTEM_DRIVER, serviceState = svcctl.SERVICE_STATE_ALL )
resp = scmr.hREnumServicesStatusW(rpc, scManagerHandle)
for i in range(len(resp)):
output = "%30s - %70s - " % (resp[i]['lpServiceName'][:-1],
resp[i]['lpDisplayName'][:-1])
state = resp[i]['ServiceStatus']['dwCurrentState']
if state == scmr.SERVICE_CONTINUE_PENDING:
output += "CONTINUE PENDING"
elif state == scmr.SERVICE_PAUSE_PENDING:
output += "PAUSE PENDING"
elif state == scmr.SERVICE_PAUSED:
output += "PAUSED"
elif state == scmr.SERVICE_RUNNING:
output += "RUNNING"
elif state == scmr.SERVICE_START_PENDING:
output += "START PENDING"
elif state == scmr.SERVICE_STOP_PENDING:
output += "STOP PENDING"
elif state == scmr.SERVICE_STOPPED:
output += "STOPPED"
else:
output += "UNKOWN"
self.__logger.results(output)
self.__logger.results("Total Services: {}".format(len(resp)))
elif self.__action == 'CREATE':
self.__logger.success(u"Creating service {}".format(
unicode(self.__options.service_name, 'utf-8')))
scmr.hRCreateServiceW(
rpc,
scManagerHandle,
self.__options.service_name + '\x00',
self.__options.service_display_name + '\x00',
lpBinaryPathName=self.__options.service_bin_path + '\x00')
elif self.__action == 'CHANGE':
self.__logger.success(u"Changing service config for {}".format(
unicode(self.__options.service_name, 'utf-8')))
if self.__options.start_type is not None:
start_type = int(self.__options.start_type)
else:
start_type = scmr.SERVICE_NO_CHANGE
if self.__options.service_type is not None:
service_type = int(self.__options.service_type)
else:
service_type = scmr.SERVICE_NO_CHANGE
if self.__options.service_display_name is not None:
display = self.__options.service_display_name + '\x00'
else:
display = NULL
if self.__options.service_bin_path is not None:
path = self.__options.service_bin_path + '\x00'
else:
path = NULL
if self.__options.start_name is not None:
start_name = self.__options.start_name + '\x00'
else:
start_name = NULL
if self.__options.start_pass is not None:
s = rpctransport.get_smb_connection()
key = s.getSessionKey()
try:
password = (self.__options.start_pass +
'\x00').encode('utf-16le')
except UnicodeDecodeError:
import sys
password = (self.__options.start_pass + '\x00').decode(
sys.getfilesystemencoding()).encode('utf-16le')
password = encryptSecret(key, password)
else:
password = NULL
#resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle, display, path, service_type, start_type, start_name, password)
scmr.hRChangeServiceConfigW(rpc, serviceHandle, service_type,
start_type, scmr.SERVICE_ERROR_IGNORE,
path, NULL, NULL, NULL, 0, start_name,
password, 0, display)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
else:
logging.error("Unknown action %s" % self.__action)
scmr.hRCloseServiceHandle(rpc, scManagerHandle)
dce.disconnect()
return
def doStuff(self, rpctransport):
dce = rpctransport.get_dce_rpc()
#dce.set_credentials(self.__username, self.__password)
dce.connect()
#dce.set_max_fragment_size(1)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)
dce.bind(scmr.MSRPC_UUID_SCMR)
#rpc = svcctl.DCERPCSvcCtl(dce)
rpc = dce
ans = scmr.hROpenSCManagerW(rpc)
scManagerHandle = ans['lpScHandle']
if self.__action != 'LIST' and self.__action != 'CREATE':
ans = scmr.hROpenServiceW(rpc, scManagerHandle, self.__options.name+'\x00')
serviceHandle = ans['lpServiceHandle']
if self.__action == 'START':
print "Starting service %s" % self.__options.name
scmr.hRStartServiceW(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'STOP':
print "Stopping service %s" % self.__options.name
scmr.hRControlService(rpc, serviceHandle, scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'DELETE':
print "Deleting service %s" % self.__options.name
scmr.hRDeleteService(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'CONFIG':
print "Querying service config for %s" % self.__options.name
resp = scmr.hRQueryServiceConfigW(rpc, serviceHandle)
print "TYPE : %2d - " % resp['lpServiceConfig']['dwServiceType'],
if resp['lpServiceConfig']['dwServiceType'] & 0x1:
print "SERVICE_KERNEL_DRIVER ",
if resp['lpServiceConfig']['dwServiceType'] & 0x2:
print "SERVICE_FILE_SYSTEM_DRIVER ",
if resp['lpServiceConfig']['dwServiceType'] & 0x10:
print "SERVICE_WIN32_OWN_PROCESS ",
if resp['lpServiceConfig']['dwServiceType'] & 0x20:
print "SERVICE_WIN32_SHARE_PROCESS ",
if resp['lpServiceConfig']['dwServiceType'] & 0x100:
print "SERVICE_INTERACTIVE_PROCESS ",
print ""
print "START_TYPE : %2d - " % resp['lpServiceConfig']['dwStartType'],
if resp['lpServiceConfig']['dwStartType'] == 0x0:
print "BOOT START"
elif resp['lpServiceConfig']['dwStartType'] == 0x1:
print "SYSTEM START"
elif resp['lpServiceConfig']['dwStartType'] == 0x2:
print "AUTO START"
elif resp['lpServiceConfig']['dwStartType'] == 0x3:
print "DEMAND START"
elif resp['lpServiceConfig']['dwStartType'] == 0x4:
print "DISABLED"
else:
print "UNKOWN"
print "ERROR_CONTROL : %2d - " % resp['lpServiceConfig']['dwErrorControl'],
if resp['lpServiceConfig']['dwErrorControl'] == 0x0:
print "IGNORE"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x1:
print "NORMAL"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x2:
print "SEVERE"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x3:
print "CRITICAL"
else:
print "UNKOWN"
print "BINARY_PATH_NAME : %s" % resp['lpServiceConfig']['lpBinaryPathName'][:-1]
print "LOAD_ORDER_GROUP : %s" % resp['lpServiceConfig']['lpLoadOrderGroup'][:-1]
print "TAG : %d" % resp['lpServiceConfig']['dwTagId']
print "DISPLAY_NAME : %s" % resp['lpServiceConfig']['lpDisplayName'][:-1]
print "DEPENDENCIES : %s" % resp['lpServiceConfig']['lpDependencies'][:-1]
print "SERVICE_START_NAME: %s" % resp['lpServiceConfig']['lpServiceStartName'][:-1]
elif self.__action == 'STATUS':
print "Querying status for %s" % self.__options.name
resp = scmr.hRQueryServiceStatus(rpc, serviceHandle)
print "%30s - " % (self.__options.name),
state = resp['lpServiceStatus']['dwCurrentState']
if state == scmr.SERVICE_CONTINUE_PENDING:
print "CONTINUE PENDING"
elif state == scmr.SERVICE_PAUSE_PENDING:
print "PAUSE PENDING"
elif state == scmr.SERVICE_PAUSED:
print "PAUSED"
elif state == scmr.SERVICE_RUNNING:
print "RUNNING"
elif state == scmr.SERVICE_START_PENDING:
print "START PENDING"
elif state == scmr.SERVICE_STOP_PENDING:
print "STOP PENDING"
elif state == scmr.SERVICE_STOPPED:
print "STOPPED"
else:
print "UNKOWN"
elif self.__action == 'LIST':
print "Listing services available on target"
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_SHARE_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_OWN_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, serviceType = svcctl.SERVICE_FILE_SYSTEM_DRIVER, serviceState = svcctl.SERVICE_STATE_ALL )
resp = scmr.hREnumServicesStatusW(rpc, scManagerHandle)
for i in range(len(resp)):
print "%30s - %70s - " % (resp[i]['lpServiceName'][:-1], resp[i]['lpDisplayName'][:-1]),
state = resp[i]['ServiceStatus']['dwCurrentState']
if state == scmr.SERVICE_CONTINUE_PENDING:
print "CONTINUE PENDING"
elif state == scmr.SERVICE_PAUSE_PENDING:
print "PAUSE PENDING"
elif state == scmr.SERVICE_PAUSED:
print "PAUSED"
elif state == scmr.SERVICE_RUNNING:
print "RUNNING"
elif state == scmr.SERVICE_START_PENDING:
print "START PENDING"
elif state == scmr.SERVICE_STOP_PENDING:
print "STOP PENDING"
elif state == scmr.SERVICE_STOPPED:
print "STOPPED"
else:
print "UNKOWN"
print "Total Services: %d" % len(resp)
elif self.__action == 'CREATE':
print "Creating service %s" % self.__options.name
resp = scmr.hRCreateServiceW(rpc, scManagerHandle,self.__options.name + '\x00', self.__options.display + '\x00', lpBinaryPathName=self.__options.path + '\x00')
elif self.__action == 'CHANGE':
print "Changing service config for %s" % self.__options.name
if self.__options.start_type is not None:
start_type = int(self.__options.start_type)
else:
start_type = scmr.SERVICE_NO_CHANGE
if self.__options.service_type is not None:
service_type = int(self.__options.service_type)
else:
service_type = scmr.SERVICE_NO_CHANGE
if self.__options.display is not None:
display = self.__options.display + '\x00'
else:
display = NULL
if self.__options.path is not None:
path = self.__options.path + '\x00'
else:
path = NULL
if self.__options.start_name is not None:
start_name = self.__options.start_name + '\x00'
else:
start_name = NULL
if self.__options.password is not None:
s = rpctransport.get_smb_connection()
key = s.getSessionKey()
password = (self.__options.password+'\x00').encode('utf-16le')
password = encryptSecret(key, password)
else:
password = NULL
#resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle, display, path, service_type, start_type, start_name, password)
resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle, service_type, start_type, scmr.SERVICE_ERROR_IGNORE, path, NULL, NULL, NULL, 0, start_name, password, 0, display)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
else:
print "Unknown action %s" % self.__action
scmr.hRCloseServiceHandle(rpc, scManagerHandle)
dce.disconnect()
return
def doStuff(self, rpctransport):
dce = rpctransport.get_dce_rpc()
#dce.set_credentials(self.__username, self.__password)
dce.connect()
#dce.set_max_fragment_size(1)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)
dce.bind(scmr.MSRPC_UUID_SCMR)
#rpc = svcctl.DCERPCSvcCtl(dce)
rpc = dce
ans = scmr.hROpenSCManagerW(rpc)
scManagerHandle = ans['lpScHandle']
if self.__action != 'LIST' and self.__action != 'CREATE':
ans = scmr.hROpenServiceW(rpc, scManagerHandle,
self.__options.name + '\x00')
serviceHandle = ans['lpServiceHandle']
if self.__action == 'START':
logging.info("Starting service %s" % self.__options.name)
scmr.hRStartServiceW(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'STOP':
logging.info("Stopping service %s" % self.__options.name)
scmr.hRControlService(rpc, serviceHandle,
scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'DELETE':
logging.info("Deleting service %s" % self.__options.name)
scmr.hRDeleteService(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'CONFIG':
logging.info("Querying service config for %s" %
self.__options.name)
resp = scmr.hRQueryServiceConfigW(rpc, serviceHandle)
print "TYPE : %2d - " % resp['lpServiceConfig'][
'dwServiceType'],
if resp['lpServiceConfig']['dwServiceType'] & 0x1:
print "SERVICE_KERNEL_DRIVER ",
if resp['lpServiceConfig']['dwServiceType'] & 0x2:
print "SERVICE_FILE_SYSTEM_DRIVER ",
if resp['lpServiceConfig']['dwServiceType'] & 0x10:
print "SERVICE_WIN32_OWN_PROCESS ",
if resp['lpServiceConfig']['dwServiceType'] & 0x20:
print "SERVICE_WIN32_SHARE_PROCESS ",
if resp['lpServiceConfig']['dwServiceType'] & 0x100:
print "SERVICE_INTERACTIVE_PROCESS ",
print ""
print "START_TYPE : %2d - " % resp['lpServiceConfig'][
'dwStartType'],
if resp['lpServiceConfig']['dwStartType'] == 0x0:
print "BOOT START"
elif resp['lpServiceConfig']['dwStartType'] == 0x1:
print "SYSTEM START"
elif resp['lpServiceConfig']['dwStartType'] == 0x2:
print "AUTO START"
elif resp['lpServiceConfig']['dwStartType'] == 0x3:
print "DEMAND START"
elif resp['lpServiceConfig']['dwStartType'] == 0x4:
print "DISABLED"
else:
print "UNKOWN"
print "ERROR_CONTROL : %2d - " % resp['lpServiceConfig'][
'dwErrorControl'],
if resp['lpServiceConfig']['dwErrorControl'] == 0x0:
print "IGNORE"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x1:
print "NORMAL"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x2:
print "SEVERE"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x3:
print "CRITICAL"
else:
print "UNKOWN"
print "BINARY_PATH_NAME : %s" % resp['lpServiceConfig'][
'lpBinaryPathName'][:-1]
print "LOAD_ORDER_GROUP : %s" % resp['lpServiceConfig'][
'lpLoadOrderGroup'][:-1]
print "TAG : %d" % resp['lpServiceConfig']['dwTagId']
print "DISPLAY_NAME : %s" % resp['lpServiceConfig'][
'lpDisplayName'][:-1]
print "DEPENDENCIES : %s" % resp['lpServiceConfig'][
'lpDependencies'][:-1]
print "SERVICE_START_NAME: %s" % resp['lpServiceConfig'][
'lpServiceStartName'][:-1]
elif self.__action == 'STATUS':
print "Querying status for %s" % self.__options.name
resp = scmr.hRQueryServiceStatus(rpc, serviceHandle)
print "%30s - " % (self.__options.name),
state = resp['lpServiceStatus']['dwCurrentState']
if state == scmr.SERVICE_CONTINUE_PENDING:
print "CONTINUE PENDING"
elif state == scmr.SERVICE_PAUSE_PENDING:
print "PAUSE PENDING"
elif state == scmr.SERVICE_PAUSED:
print "PAUSED"
elif state == scmr.SERVICE_RUNNING:
print "RUNNING"
elif state == scmr.SERVICE_START_PENDING:
print "START PENDING"
elif state == scmr.SERVICE_STOP_PENDING:
print "STOP PENDING"
elif state == scmr.SERVICE_STOPPED:
print "STOPPED"
else:
print "UNKOWN"
elif self.__action == 'LIST':
logging.info("Listing services available on target")
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_SHARE_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_OWN_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, serviceType = svcctl.SERVICE_FILE_SYSTEM_DRIVER, serviceState = svcctl.SERVICE_STATE_ALL )
resp = scmr.hREnumServicesStatusW(rpc, scManagerHandle)
for i in range(len(resp)):
print "%30s - %70s - " % (resp[i]['lpServiceName'][:-1],
resp[i]['lpDisplayName'][:-1]),
state = resp[i]['ServiceStatus']['dwCurrentState']
if state == scmr.SERVICE_CONTINUE_PENDING:
print "CONTINUE PENDING"
elif state == scmr.SERVICE_PAUSE_PENDING:
print "PAUSE PENDING"
elif state == scmr.SERVICE_PAUSED:
print "PAUSED"
elif state == scmr.SERVICE_RUNNING:
print "RUNNING"
elif state == scmr.SERVICE_START_PENDING:
print "START PENDING"
elif state == scmr.SERVICE_STOP_PENDING:
print "STOP PENDING"
elif state == scmr.SERVICE_STOPPED:
print "STOPPED"
else:
print "UNKOWN"
print "Total Services: %d" % len(resp)
elif self.__action == 'CREATE':
logging.info("Creating service %s" % self.__options.name)
resp = scmr.hRCreateServiceW(rpc,
scManagerHandle,
self.__options.name + '\x00',
self.__options.display + '\x00',
lpBinaryPathName=self.__options.path +
'\x00')
elif self.__action == 'CHANGE':
logging.info("Changing service config for %s" %
self.__options.name)
if self.__options.start_type is not None:
start_type = int(self.__options.start_type)
else:
start_type = scmr.SERVICE_NO_CHANGE
if self.__options.service_type is not None:
service_type = int(self.__options.service_type)
else:
service_type = scmr.SERVICE_NO_CHANGE
if self.__options.display is not None:
display = self.__options.display + '\x00'
else:
display = NULL
if self.__options.path is not None:
path = self.__options.path + '\x00'
else:
path = NULL
if self.__options.start_name is not None:
start_name = self.__options.start_name + '\x00'
else:
start_name = NULL
if self.__options.password is not None:
s = rpctransport.get_smb_connection()
key = s.getSessionKey()
password = (self.__options.password +
'\x00').encode('utf-16le')
password = encryptSecret(key, password)
else:
password = NULL
#resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle, display, path, service_type, start_type, start_name, password)
resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle,
service_type, start_type,
scmr.SERVICE_ERROR_IGNORE, path,
NULL, NULL, NULL, 0, start_name,
password, 0, display)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
else:
logging.error("Unknown action %s" % self.__action)
scmr.hRCloseServiceHandle(rpc, scManagerHandle)
dce.disconnect()
return
def test_create_change_delete(self):
dce, rpctransport, scHandle = self.connect()
#####################
# Create / Change / Query / Delete a service
lpServiceName = 'TESTSVC\x00'
lpDisplayName = 'DisplayName\x00'
dwDesiredAccess = scmr.SERVICE_ALL_ACCESS
dwServiceType = scmr.SERVICE_WIN32_OWN_PROCESS
dwStartType = scmr.SERVICE_DEMAND_START
dwErrorControl = scmr.SERVICE_ERROR_NORMAL
lpBinaryPathName = 'binaryPath\x00'
lpLoadOrderGroup = NULL
lpdwTagId = NULL
lpDependencies = NULL
dwDependSize = 0
lpServiceStartName = NULL
lpPassword = NULL
dwPwSize = 0
resp = scmr.hRCreateServiceW(dce, scHandle, lpServiceName, lpDisplayName, dwDesiredAccess, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize)
resp.dump()
newHandle = resp['lpServiceHandle']
# Aca hay que chequear cada uno de los items
cbBufSize = 0
try:
resp = scmr.hRQueryServiceConfigW(dce, newHandle)
except Exception as e:
if str(e).find('ERROR_INSUFFICIENT_BUFFER') <= 0:
raise
else:
resp = e.get_packet()
resp.dump()
cbBufSize = resp['pcbBytesNeeded']+100
# Now that we have cbBufSize, let's start changing everything on the service
dwServiceType = scmr.SERVICE_WIN32_SHARE_PROCESS
dwStartType = scmr.SERVICE_NO_CHANGE
dwErrorControl = scmr.SERVICE_NO_CHANGE
lpBinaryPathName = NULL
lpLoadOrderGroup = NULL
lpDependencies = NULL
dwDependSize = 0
lpServiceStartName = NULL
lpPassword = NULL
dwPwSize = 0
lpDisplayName = NULL
lpdwTagId = NULL
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
dwServiceType = scmr.SERVICE_NO_CHANGE
dwStartType = scmr.SERVICE_DISABLED
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
dwStartType = scmr.SERVICE_NO_CHANGE
dwErrorControl = scmr.SERVICE_ERROR_SEVERE
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
dwErrorControl = scmr.SERVICE_NO_CHANGE
lpBinaryPathName = 'BETOBETO\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpBinaryPathName = NULL
lpLoadOrderGroup = 'KKKK\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpLoadOrderGroup = NULL
#lpdwTagId = [0]
#self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
#lpdwTagId = ''
lpDependencies = 'RemoteRegistry\x00\x00'.encode('utf-16le')
dwDependSize = len(lpDependencies)
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpDependencies = NULL
dwDependSize = 0
lpServiceStartName = '.\\Administrator\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpServiceStartName = NULL
if self.__class__.__name__ == 'SMBTransport':
lpPassword = '******'.encode('utf-16le')
s = rpctransport.get_smb_connection()
key = s.getSessionKey()
lpPassword = encryptSecret(key, lpPassword)
dwPwSize = len(lpPassword)
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpPassword = NULL
dwPwSize = 0
lpDisplayName = 'MANOLO\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
scmr.hRDeleteService(dce, newHandle)
scmr.hRCloseServiceHandle(dce, newHandle)
scmr.hRCloseServiceHandle(dce, scHandle)
