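def spawn_dcom_connection(self, *, connect_timeout=6.0):
    """Open a DCOM connection to ``self.rhost_str`` and wrap it.

    Credentials come from the instance and are passed to impacket
    unchanged: ``username``/``password``/``domain``, ``lmhash``/``nthash``
    (so hash-only authentication works without a plaintext password),
    ``aes_key`` and the Kerberos settings ``do_kerberos``/``kdc_host``.

    Args:
        connect_timeout: connect timeout, in seconds, applied to the RPC
            transport underneath the DCOM connection.

    Returns:
        A ``DcomConnection`` wrapping impacket's ``DCOMConnection``.

    Raises:
        ValueError: if ``self.rport_rpc`` is not 135 (see the caution
            below); raised before any network activity.
    """
    # CAUTION: keep this False. With oxidResolver=True impacket's
    # DCOMConnection starts a daemon thread (threading.Timer) that keeps
    # the interpreter from terminating.
    oxid_resolver = False

    # CAUTION: an RPC port other than the default 135 is not well
    # supported by impacket. It is technically possible to pass the port
    # as part of *target*, but impacket loses that information on the
    # way, which ends in either a KeyError or a "Can't find a valid
    # stringBinding to connect" error when the connection has to go
    # through port mapping - e.g. typically a connection test against a
    # local VM.
    #
    #   target = self.dcom_target   # <-- ideally we want this
    #
    # Checked explicitly rather than with ``assert``: assertions are
    # stripped under ``python -O``, and a silently ignored port would
    # send the connection to the wrong endpoint.
    if self.rport_rpc != 135:
        raise ValueError(
            "DCOM over a non-default RPC port is not supported by impacket "
            "(rport_rpc=%r, expected 135)" % (self.rport_rpc,))
    target = self.rhost_str

    dcom_conn = impkt_dcomrt.DCOMConnection(
        target=target,
        username=self.username,
        password=self.password,
        domain=self.domain,
        lmhash=self.lmhash,
        nthash=self.nthash,
        aesKey=self.aes_key,
        oxidResolver=oxid_resolver,
        doKerberos=self.do_kerberos,
        kdcHost=self.kdc_host)
    # The timeout lives on the RPC transport, not on DCOMConnection itself.
    dcom_conn.get_dce_rpc().get_rpc_transport().set_connect_timeout(
        connect_timeout)
    return DcomConnection(dcom_conn)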
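def test_RemRelease(self):
    """Activate an IEventSystem object over DCOM and release it again.

    Exercises the plain ``RemRelease`` path against the live target from
    the fixture (``self.machine``) using password credentials: connect,
    activate ``CLSID_EventSystem``, release the remote interface,
    disconnect.
    """
    dcom = dcomrt.DCOMConnection(self.machine, self.username, self.password,
                                 self.domain)
    try:
        iInterface = dcom.CoCreateInstanceEx(comev.CLSID_EventSystem,
                                             comev.IID_IEventSystem)
        iEventSystem = comev.IEventSystem(iInterface)
        iEventSystem.RemRelease()
    finally:
        # Tear the session down even when activation or the release
        # raises, so a failing test does not leave a half-open connection
        # to the target behind.
        dcom.disconnect()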
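def tes_comev(self):
    """Walk the COM+ Event System (comev) interfaces over DCOM.

    Disabled test (the ``tes_`` prefix keeps the runner from collecting
    it).  It activates ``CLSID_EventSystem`` on ``self.machine``, pulls
    the type information for the object's methods, then enumerates a few
    event subscriptions and event classes and prints the subscription
    names.  Authenticates with ``self.hashes`` (``LM:NT``) when that is
    non-empty, otherwise with ``self.password``.
    """
    if self.hashes:
        lmhash, nthash = self.hashes.split(':')
    else:
        lmhash, nthash = '', ''
    dcom = dcomrt.DCOMConnection(self.machine, self.username, self.password,
                                 self.domain, lmhash, nthash)
    try:
        iInterface = dcom.CoCreateInstanceEx(comev.CLSID_EventSystem,
                                             comev.IID_IEventSystem)
        # The IDispatch wrapper is built but not used further (left over
        # from exploring GetIDsOfNames); kept so the sequence of calls
        # against the target is unchanged.
        oaut.IDispatch(iInterface)
        iEventSystem = comev.IEventSystem(iInterface)

        # Dump names and documentation of the object's methods.
        iTypeInfo = iEventSystem.GetTypeInfo()
        attrs = iTypeInfo.GetTypeAttr()
        # NOTE(review): the range starts at 1, so FUNCDESC index 0 is
        # skipped -- kept as in the original; confirm that is intended.
        for index in range(1, attrs['ppTypeAttr']['cFuncs']):
            funcdesc = iTypeInfo.GetFuncDesc(index)
            memid = funcdesc['ppFuncDesc']['memid']
            iTypeInfo.GetNames(memid)
            iTypeInfo.GetDocumentation(memid)
        # NOTE(review): iEventSystem is released here but still queried
        # below; preserved from the original -- verify against impacket's
        # RemRelease semantics.
        iEventSystem.RemRelease()
        iTypeInfo.RemRelease()

        # Enumerate event subscriptions. Only the first three entries are
        # inspected (the full walk over ``count`` was never enabled); a
        # target with fewer subscriptions will fail on Next().
        objCollection = iEventSystem.Query(
            'EventSystem.EventSubscriptionCollection', 'ALL')
        count = objCollection.get_Count()['pCount']
        evnObj = objCollection.get_NewEnum()
        for _ in range(3):
            iUnknown = evnObj.Next(1)[0]
            es = comev.IEventSubscription3(
                iUnknown.RemQueryInterface(1, (comev.IID_IEventSubscription3,)))
            # Other IEventSubscription3 getters (PublisherID, EventClassID,
            # MethodName, SubscriberCLSID, OwnerSID, Enabled, ...) exist and
            # were tried during exploration; only the name is printed.
            print(es.get_SubscriptionName()['pbstrSubscriptionName']['asData'])
            es.RemRelease()

        # Enumerate event classes the same way, three entries only.
        objCollection = iEventSystem.Query(
            'EventSystem.EventClassCollection', 'ALL')
        count = objCollection.get_Count()['pCount']
        evnObj = objCollection.get_NewEnum()
        for _ in range(3):
            iUnknown = evnObj.Next(1)[0]
            ev = comev.IEventClass2(
                iUnknown.RemQueryInterface(1, (comev.IID_IEventClass2,)))
            # Other IEventClass2 getters (EventClassName, OwnerSID,
            # FiringInterfaceID, TypeLib, PublisherID, ...) exist; only the
            # class ID is fetched here and its value is not inspected.
            ev.get_EventClassID()
            ev.RemRelease()
        print("=" * 80)
    finally:
        # Always close the session, even if any of the remote calls above
        # raises, so a failed run does not leave the connection open.
        dcom.disconnect()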