def test_query(self): dce, rpctransport, scHandle = self.connect() ############################ # Query Service Status / Enum Dependent lpServiceName = 'PlugPlay\x00' desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess ) resp.dump() serviceHandle = resp['lpServiceHandle'] scmr.hRQueryServiceStatus(dce, serviceHandle) cbBufSize = 0 try: resp = scmr.hREnumDependentServicesW(dce, serviceHandle, scmr.SERVICE_STATE_ALL,cbBufSize ) resp.dump() except scmr.DCERPCSessionError as e: if str(e).find('ERROR_MORE_DATA') <= 0: raise else: resp = e.get_packet() resp.dump() cbBufSize = resp['pcbBytesNeeded'] resp = scmr.hREnumDependentServicesW(dce, serviceHandle, scmr.SERVICE_STATE_ALL,cbBufSize ) resp.dump() scmr.hRCloseServiceHandle(dce, serviceHandle) scmr.hRCloseServiceHandle(dce, scHandle)
def __checkServiceStatus(self): # Open SC Manager ans = scmr.hROpenSCManagerW(self.__scmr) self.__scManagerHandle = ans['lpScHandle'] # Now let's open the service ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, self.__serviceName) self.__serviceHandle = ans['lpServiceHandle'] # Let's check its status ans = scmr.hRQueryServiceStatus(self.__scmr, self.__serviceHandle) if ans['lpServiceStatus']['dwCurrentState'] == scmr.SERVICE_STOPPED: logging.info('Service %s is in stopped state'% self.__serviceName) self.__shouldStop = True self.__started = False elif ans['lpServiceStatus']['dwCurrentState'] == scmr.SERVICE_RUNNING: logging.debug('Service %s is already running'% self.__serviceName) self.__shouldStop = False self.__started = True else: raise Exception('Unknown service state 0x%x - Aborting' % ans['CurrentState']) # Let's check its configuration if service is stopped, maybe it's disabled :s if self.__started is False: ans = scmr.hRQueryServiceConfigW(self.__scmr,self.__serviceHandle) if ans['lpServiceConfig']['dwStartType'] == 0x4: logging.info('Service %s is disabled, enabling it'% self.__serviceName) self.__disabled = True scmr.hRChangeServiceConfigW(self.__scmr, self.__serviceHandle, dwStartType = 0x3) logging.info('Starting service %s' % self.__serviceName) scmr.hRStartServiceW(self.__scmr,self.__serviceHandle) time.sleep(1)
def __checkServiceStatus(self): # Open SC Manager ans = scmr.hROpenSCManagerW(self.__scmr) self.__scManagerHandle = ans['lpScHandle'] # Now let's open the service ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, self.__serviceName) self.__serviceHandle = ans['lpServiceHandle'] # Let's check its status ans = scmr.hRQueryServiceStatus(self.__scmr, self.__serviceHandle) if ans['lpServiceStatus']['dwCurrentState'] == scmr.SERVICE_STOPPED: logging.info('Service %s is in stopped state' % self.__serviceName) self.__shouldStop = True self.__started = False elif ans['lpServiceStatus']['dwCurrentState'] == scmr.SERVICE_RUNNING: logging.debug('Service %s is already running' % self.__serviceName) self.__shouldStop = False self.__started = True else: raise Exception('Unknown service state 0x%x - Aborting' % ans['CurrentState']) # Let's check its configuration if service is stopped, maybe it's disabled :s if self.__started is False: ans = scmr.hRQueryServiceConfigW(self.__scmr, self.__serviceHandle) if ans['lpServiceConfig']['dwStartType'] == 0x4: logging.info('Service %s is disabled, enabling it' % self.__serviceName) self.__disabled = True scmr.hRChangeServiceConfigW(self.__scmr, self.__serviceHandle, dwStartType=0x3) logging.info('Starting service %s' % self.__serviceName) scmr.hRStartServiceW(self.__scmr, self.__serviceHandle) time.sleep(1)
def __scmr_state(self, srvname, return_state=False): ''' Display state of a service ''' logger.info('Querying the state of service %s' % srvname) resp = scmr.hRQueryServiceStatus(self.__rpc, self.__service_handle) state = resp['lpServiceStatus']['dwCurrentState'] if return_state: return self.__scmr_parse_state(state) else: print('Service %s state is: %s' % (srvname, self.__scmr_parse_state(state)))
def doStuff(self, rpctransport): dce = rpctransport.get_dce_rpc() #dce.set_credentials(self.__username, self.__password) dce.connect() #dce.set_max_fragment_size(1) #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY) #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY) dce.bind(scmr.MSRPC_UUID_SCMR) #rpc = svcctl.DCERPCSvcCtl(dce) rpc = dce ans = scmr.hROpenSCManagerW(rpc) scManagerHandle = ans['lpScHandle'] if self.__action != 'LIST' and self.__action != 'CREATE': ans = scmr.hROpenServiceW(rpc, scManagerHandle, self.__options.name + '\x00') serviceHandle = ans['lpServiceHandle'] if self.__action == 'START': logging.info("Starting service %s" % self.__options.name) scmr.hRStartServiceW(rpc, serviceHandle) scmr.hRCloseServiceHandle(rpc, serviceHandle) elif self.__action == 'STOP': logging.info("Stopping service %s" % self.__options.name) scmr.hRControlService(rpc, serviceHandle, scmr.SERVICE_CONTROL_STOP) scmr.hRCloseServiceHandle(rpc, serviceHandle) elif self.__action == 'DELETE': logging.info("Deleting service %s" % self.__options.name) scmr.hRDeleteService(rpc, serviceHandle) scmr.hRCloseServiceHandle(rpc, serviceHandle) elif self.__action == 'CONFIG': logging.info("Querying service config for %s" % self.__options.name) resp = scmr.hRQueryServiceConfigW(rpc, serviceHandle) print "TYPE : %2d - " % resp['lpServiceConfig'][ 'dwServiceType'], if resp['lpServiceConfig']['dwServiceType'] & 0x1: print "SERVICE_KERNEL_DRIVER ", if resp['lpServiceConfig']['dwServiceType'] & 0x2: print "SERVICE_FILE_SYSTEM_DRIVER ", if resp['lpServiceConfig']['dwServiceType'] & 0x10: print "SERVICE_WIN32_OWN_PROCESS ", if resp['lpServiceConfig']['dwServiceType'] & 0x20: print "SERVICE_WIN32_SHARE_PROCESS ", if resp['lpServiceConfig']['dwServiceType'] & 0x100: print "SERVICE_INTERACTIVE_PROCESS ", print "" print "START_TYPE : %2d - " % resp['lpServiceConfig'][ 'dwStartType'], if resp['lpServiceConfig']['dwStartType'] == 0x0: print "BOOT START" elif resp['lpServiceConfig']['dwStartType'] == 0x1: print "SYSTEM START" elif resp['lpServiceConfig']['dwStartType'] == 0x2: print "AUTO START" elif resp['lpServiceConfig']['dwStartType'] == 0x3: print "DEMAND START" elif resp['lpServiceConfig']['dwStartType'] == 0x4: print "DISABLED" else: print "UNKOWN" print "ERROR_CONTROL : %2d - " % resp['lpServiceConfig'][ 'dwErrorControl'], if resp['lpServiceConfig']['dwErrorControl'] == 0x0: print "IGNORE" elif resp['lpServiceConfig']['dwErrorControl'] == 0x1: print "NORMAL" elif resp['lpServiceConfig']['dwErrorControl'] == 0x2: print "SEVERE" elif resp['lpServiceConfig']['dwErrorControl'] == 0x3: print "CRITICAL" else: print "UNKOWN" print "BINARY_PATH_NAME : %s" % resp['lpServiceConfig'][ 'lpBinaryPathName'][:-1] print "LOAD_ORDER_GROUP : %s" % resp['lpServiceConfig'][ 'lpLoadOrderGroup'][:-1] print "TAG : %d" % resp['lpServiceConfig']['dwTagId'] print "DISPLAY_NAME : %s" % resp['lpServiceConfig'][ 'lpDisplayName'][:-1] print "DEPENDENCIES : %s" % resp['lpServiceConfig'][ 'lpDependencies'][:-1] print "SERVICE_START_NAME: %s" % resp['lpServiceConfig'][ 'lpServiceStartName'][:-1] elif self.__action == 'STATUS': print "Querying status for %s" % self.__options.name resp = scmr.hRQueryServiceStatus(rpc, serviceHandle) print "%30s - " % (self.__options.name), state = resp['lpServiceStatus']['dwCurrentState'] if state == scmr.SERVICE_CONTINUE_PENDING: print "CONTINUE PENDING" elif state == scmr.SERVICE_PAUSE_PENDING: print "PAUSE PENDING" elif state == scmr.SERVICE_PAUSED: print "PAUSED" elif state == scmr.SERVICE_RUNNING: print "RUNNING" elif state == scmr.SERVICE_START_PENDING: print "START PENDING" elif state == scmr.SERVICE_STOP_PENDING: print "STOP PENDING" elif state == scmr.SERVICE_STOPPED: print "STOPPED" else: print "UNKOWN" elif self.__action == 'LIST': logging.info("Listing services available on target") #resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_SHARE_PROCESS ) #resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_OWN_PROCESS ) #resp = rpc.EnumServicesStatusW(scManagerHandle, serviceType = svcctl.SERVICE_FILE_SYSTEM_DRIVER, serviceState = svcctl.SERVICE_STATE_ALL ) resp = scmr.hREnumServicesStatusW(rpc, scManagerHandle) for i in range(len(resp)): print "%30s - %70s - " % (resp[i]['lpServiceName'][:-1], resp[i]['lpDisplayName'][:-1]), state = resp[i]['ServiceStatus']['dwCurrentState'] if state == scmr.SERVICE_CONTINUE_PENDING: print "CONTINUE PENDING" elif state == scmr.SERVICE_PAUSE_PENDING: print "PAUSE PENDING" elif state == scmr.SERVICE_PAUSED: print "PAUSED" elif state == scmr.SERVICE_RUNNING: print "RUNNING" elif state == scmr.SERVICE_START_PENDING: print "START PENDING" elif state == scmr.SERVICE_STOP_PENDING: print "STOP PENDING" elif state == scmr.SERVICE_STOPPED: print "STOPPED" else: print "UNKOWN" print "Total Services: %d" % len(resp) elif self.__action == 'CREATE': logging.info("Creating service %s" % self.__options.name) resp = scmr.hRCreateServiceW(rpc, scManagerHandle, self.__options.name + '\x00', self.__options.display + '\x00', lpBinaryPathName=self.__options.path + '\x00') elif self.__action == 'CHANGE': logging.info("Changing service config for %s" % self.__options.name) if self.__options.start_type is not None: start_type = int(self.__options.start_type) else: start_type = scmr.SERVICE_NO_CHANGE if self.__options.service_type is not None: service_type = int(self.__options.service_type) else: service_type = scmr.SERVICE_NO_CHANGE if self.__options.display is not None: display = self.__options.display + '\x00' else: display = NULL if self.__options.path is not None: path = self.__options.path + '\x00' else: path = NULL if self.__options.start_name is not None: start_name = self.__options.start_name + '\x00' else: start_name = NULL if self.__options.password is not None: s = rpctransport.get_smb_connection() key = s.getSessionKey() password = (self.__options.password + '\x00').encode('utf-16le') password = encryptSecret(key, password) else: password = NULL #resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle, display, path, service_type, start_type, start_name, password) resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle, service_type, start_type, scmr.SERVICE_ERROR_IGNORE, path, NULL, NULL, NULL, 0, start_name, password, 0, display) scmr.hRCloseServiceHandle(rpc, serviceHandle) else: logging.error("Unknown action %s" % self.__action) scmr.hRCloseServiceHandle(rpc, scManagerHandle) dce.disconnect() return
def doStuff(self, rpctransport): dce = rpctransport.get_dce_rpc() #dce.set_credentials(self.__username, self.__password) dce.connect() #dce.set_max_fragment_size(1) #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY) #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY) dce.bind(scmr.MSRPC_UUID_SCMR) #rpc = svcctl.DCERPCSvcCtl(dce) rpc = dce ans = scmr.hROpenSCManagerW(rpc) scManagerHandle = ans['lpScHandle'] if self.__action != 'LIST' and self.__action != 'CREATE': ans = scmr.hROpenServiceW(rpc, scManagerHandle, self.__options.name+'\x00') serviceHandle = ans['lpServiceHandle'] if self.__action == 'START': print "Starting service %s" % self.__options.name scmr.hRStartServiceW(rpc, serviceHandle) scmr.hRCloseServiceHandle(rpc, serviceHandle) elif self.__action == 'STOP': print "Stopping service %s" % self.__options.name scmr.hRControlService(rpc, serviceHandle, scmr.SERVICE_CONTROL_STOP) scmr.hRCloseServiceHandle(rpc, serviceHandle) elif self.__action == 'DELETE': print "Deleting service %s" % self.__options.name scmr.hRDeleteService(rpc, serviceHandle) scmr.hRCloseServiceHandle(rpc, serviceHandle) elif self.__action == 'CONFIG': print "Querying service config for %s" % self.__options.name resp = scmr.hRQueryServiceConfigW(rpc, serviceHandle) print "TYPE : %2d - " % resp['lpServiceConfig']['dwServiceType'], if resp['lpServiceConfig']['dwServiceType'] & 0x1: print "SERVICE_KERNEL_DRIVER ", if resp['lpServiceConfig']['dwServiceType'] & 0x2: print "SERVICE_FILE_SYSTEM_DRIVER ", if resp['lpServiceConfig']['dwServiceType'] & 0x10: print "SERVICE_WIN32_OWN_PROCESS ", if resp['lpServiceConfig']['dwServiceType'] & 0x20: print "SERVICE_WIN32_SHARE_PROCESS ", if resp['lpServiceConfig']['dwServiceType'] & 0x100: print "SERVICE_INTERACTIVE_PROCESS ", print "" print "START_TYPE : %2d - " % resp['lpServiceConfig']['dwStartType'], if resp['lpServiceConfig']['dwStartType'] == 0x0: print "BOOT START" elif resp['lpServiceConfig']['dwStartType'] == 0x1: print "SYSTEM START" elif resp['lpServiceConfig']['dwStartType'] == 0x2: print "AUTO START" elif resp['lpServiceConfig']['dwStartType'] == 0x3: print "DEMAND START" elif resp['lpServiceConfig']['dwStartType'] == 0x4: print "DISABLED" else: print "UNKOWN" print "ERROR_CONTROL : %2d - " % resp['lpServiceConfig']['dwErrorControl'], if resp['lpServiceConfig']['dwErrorControl'] == 0x0: print "IGNORE" elif resp['lpServiceConfig']['dwErrorControl'] == 0x1: print "NORMAL" elif resp['lpServiceConfig']['dwErrorControl'] == 0x2: print "SEVERE" elif resp['lpServiceConfig']['dwErrorControl'] == 0x3: print "CRITICAL" else: print "UNKOWN" print "BINARY_PATH_NAME : %s" % resp['lpServiceConfig']['lpBinaryPathName'][:-1] print "LOAD_ORDER_GROUP : %s" % resp['lpServiceConfig']['lpLoadOrderGroup'][:-1] print "TAG : %d" % resp['lpServiceConfig']['dwTagId'] print "DISPLAY_NAME : %s" % resp['lpServiceConfig']['lpDisplayName'][:-1] print "DEPENDENCIES : %s" % resp['lpServiceConfig']['lpDependencies'][:-1] print "SERVICE_START_NAME: %s" % resp['lpServiceConfig']['lpServiceStartName'][:-1] elif self.__action == 'STATUS': print "Querying status for %s" % self.__options.name resp = scmr.hRQueryServiceStatus(rpc, serviceHandle) print "%30s - " % (self.__options.name), state = resp['lpServiceStatus']['dwCurrentState'] if state == scmr.SERVICE_CONTINUE_PENDING: print "CONTINUE PENDING" elif state == scmr.SERVICE_PAUSE_PENDING: print "PAUSE PENDING" elif state == scmr.SERVICE_PAUSED: print "PAUSED" elif state == scmr.SERVICE_RUNNING: print "RUNNING" elif state == scmr.SERVICE_START_PENDING: print "START PENDING" elif state == scmr.SERVICE_STOP_PENDING: print "STOP PENDING" elif state == scmr.SERVICE_STOPPED: print "STOPPED" else: print "UNKOWN" elif self.__action == 'LIST': print "Listing services available on target" #resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_SHARE_PROCESS ) #resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_OWN_PROCESS ) #resp = rpc.EnumServicesStatusW(scManagerHandle, serviceType = svcctl.SERVICE_FILE_SYSTEM_DRIVER, serviceState = svcctl.SERVICE_STATE_ALL ) resp = scmr.hREnumServicesStatusW(rpc, scManagerHandle) for i in range(len(resp)): print "%30s - %70s - " % (resp[i]['lpServiceName'][:-1], resp[i]['lpDisplayName'][:-1]), state = resp[i]['ServiceStatus']['dwCurrentState'] if state == scmr.SERVICE_CONTINUE_PENDING: print "CONTINUE PENDING" elif state == scmr.SERVICE_PAUSE_PENDING: print "PAUSE PENDING" elif state == scmr.SERVICE_PAUSED: print "PAUSED" elif state == scmr.SERVICE_RUNNING: print "RUNNING" elif state == scmr.SERVICE_START_PENDING: print "START PENDING" elif state == scmr.SERVICE_STOP_PENDING: print "STOP PENDING" elif state == scmr.SERVICE_STOPPED: print "STOPPED" else: print "UNKOWN" print "Total Services: %d" % len(resp) elif self.__action == 'CREATE': print "Creating service %s" % self.__options.name resp = scmr.hRCreateServiceW(rpc, scManagerHandle,self.__options.name + '\x00', self.__options.display + '\x00', lpBinaryPathName=self.__options.path + '\x00') elif self.__action == 'CHANGE': print "Changing service config for %s" % self.__options.name if self.__options.start_type is not None: start_type = int(self.__options.start_type) else: start_type = scmr.SERVICE_NO_CHANGE if self.__options.service_type is not None: service_type = int(self.__options.service_type) else: service_type = scmr.SERVICE_NO_CHANGE if self.__options.display is not None: display = self.__options.display + '\x00' else: display = NULL if self.__options.path is not None: path = self.__options.path + '\x00' else: path = NULL if self.__options.start_name is not None: start_name = self.__options.start_name + '\x00' else: start_name = NULL if self.__options.password is not None: s = rpctransport.get_smb_connection() key = s.getSessionKey() password = (self.__options.password+'\x00').encode('utf-16le') password = encryptSecret(key, password) else: password = NULL #resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle, display, path, service_type, start_type, start_name, password) resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle, service_type, start_type, scmr.SERVICE_ERROR_IGNORE, path, NULL, NULL, NULL, 0, start_name, password, 0, display) scmr.hRCloseServiceHandle(rpc, serviceHandle) else: print "Unknown action %s" % self.__action scmr.hRCloseServiceHandle(rpc, scManagerHandle) dce.disconnect() return
def doStuff(self, rpctransport): dce = rpctransport.get_dce_rpc() #dce.set_credentials(self.__username, self.__password) dce.connect() #dce.set_max_fragment_size(1) #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY) #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY) dce.bind(scmr.MSRPC_UUID_SCMR) #rpc = svcctl.DCERPCSvcCtl(dce) rpc = dce ans = scmr.hROpenSCManagerW(rpc) scManagerHandle = ans['lpScHandle'] if self.__action != 'LIST' and self.__action != 'CREATE': ans = scmr.hROpenServiceW(rpc, scManagerHandle, self.__options.service_name+'\x00') serviceHandle = ans['lpServiceHandle'] if self.__action == 'START': self.__logger.success("Starting service {}".format(self.__options.service_name)) scmr.hRStartServiceW(rpc, serviceHandle) scmr.hRCloseServiceHandle(rpc, serviceHandle) elif self.__action == 'STOP': self.__logger.success("Stopping service {}".format(self.__options.service_name)) scmr.hRControlService(rpc, serviceHandle, scmr.SERVICE_CONTROL_STOP) scmr.hRCloseServiceHandle(rpc, serviceHandle) elif self.__action == 'DELETE': self.__logger.success("Deleting service {}".format(self.__options.service_name)) scmr.hRDeleteService(rpc, serviceHandle) scmr.hRCloseServiceHandle(rpc, serviceHandle) elif self.__action == 'CONFIG': self.__logger.success("Service config for {}".format(self.__options.service_name)) resp = scmr.hRQueryServiceConfigW(rpc, serviceHandle) output = "TYPE : %2d - " % resp['lpServiceConfig']['dwServiceType'] if resp['lpServiceConfig']['dwServiceType'] & 0x1: output += "SERVICE_KERNEL_DRIVER " if resp['lpServiceConfig']['dwServiceType'] & 0x2: output += "SERVICE_FILE_SYSTEM_DRIVER " if resp['lpServiceConfig']['dwServiceType'] & 0x10: output += "SERVICE_WIN32_OWN_PROCESS " if resp['lpServiceConfig']['dwServiceType'] & 0x20: output += "SERVICE_WIN32_SHARE_PROCESS " if resp['lpServiceConfig']['dwServiceType'] & 0x100: output += "SERVICE_INTERACTIVE_PROCESS " self.__logger.results(output) output = "START_TYPE : %2d - " % resp['lpServiceConfig']['dwStartType'] if resp['lpServiceConfig']['dwStartType'] == 0x0: output += "BOOT START" elif resp['lpServiceConfig']['dwStartType'] == 0x1: output += "SYSTEM START" elif resp['lpServiceConfig']['dwStartType'] == 0x2: output += "AUTO START" elif resp['lpServiceConfig']['dwStartType'] == 0x3: output += "DEMAND START" elif resp['lpServiceConfig']['dwStartType'] == 0x4: output += "DISABLED" else: output += "UNKOWN" self.logger.results(output) output = "ERROR_CONTROL : %2d - " % resp['lpServiceConfig']['dwErrorControl'] if resp['lpServiceConfig']['dwErrorControl'] == 0x0: output += "IGNORE" elif resp['lpServiceConfig']['dwErrorControl'] == 0x1: output += "NORMAL" elif resp['lpServiceConfig']['dwErrorControl'] == 0x2: output += "SEVERE" elif resp['lpServiceConfig']['dwErrorControl'] == 0x3: output += "CRITICAL" else: output += "UNKOWN" self.__logger.results(output) self.__logger.results("BINARY_PATH_NAME : %s" % resp['lpServiceConfig']['lpBinaryPathName'][:-1]) self.__logger.results("LOAD_ORDER_GROUP : %s" % resp['lpServiceConfig']['lpLoadOrderGroup'][:-1]) self.__logger.results("TAG : %d" % resp['lpServiceConfig']['dwTagId']) self.__logger.results("DISPLAY_NAME : %s" % resp['lpServiceConfig']['lpDisplayName'][:-1]) self.__logger.results("DEPENDENCIES : %s" % resp['lpServiceConfig']['lpDependencies'][:-1]) self.__logger.results("SERVICE_START_NAME: %s" % resp['lpServiceConfig']['lpServiceStartName'][:-1]) elif self.__action == 'STATUS': self.__logger.success("Service status for {}".format(self.__options.service_name)) resp = scmr.hRQueryServiceStatus(rpc, serviceHandle) output = "%s - " % self.__options.service_name state = resp['lpServiceStatus']['dwCurrentState'] if state == scmr.SERVICE_CONTINUE_PENDING: output += "CONTINUE PENDING" elif state == scmr.SERVICE_PAUSE_PENDING: output += "PAUSE PENDING" elif state == scmr.SERVICE_PAUSED: output += "PAUSED" elif state == scmr.SERVICE_RUNNING: output += "RUNNING" elif state == scmr.SERVICE_START_PENDING: output += "START PENDING" elif state == scmr.SERVICE_STOP_PENDING: output += "STOP PENDING" elif state == scmr.SERVICE_STOPPED: output += "STOPPED" else: output += "UNKOWN" self.__logger.results(output) elif self.__action == 'LIST': self.__logger.success("Enumerating services") #resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_SHARE_PROCESS ) #resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_OWN_PROCESS ) #resp = rpc.EnumServicesStatusW(scManagerHandle, serviceType = svcctl.SERVICE_FILE_SYSTEM_DRIVER, serviceState = svcctl.SERVICE_STATE_ALL ) resp = scmr.hREnumServicesStatusW(rpc, scManagerHandle) for i in range(len(resp)): output = "%30s - %70s - " % (resp[i]['lpServiceName'][:-1], resp[i]['lpDisplayName'][:-1]) state = resp[i]['ServiceStatus']['dwCurrentState'] if state == scmr.SERVICE_CONTINUE_PENDING: output += "CONTINUE PENDING" elif state == scmr.SERVICE_PAUSE_PENDING: output += "PAUSE PENDING" elif state == scmr.SERVICE_PAUSED: output += "PAUSED" elif state == scmr.SERVICE_RUNNING: output += "RUNNING" elif state == scmr.SERVICE_START_PENDING: output += "START PENDING" elif state == scmr.SERVICE_STOP_PENDING: output += "STOP PENDING" elif state == scmr.SERVICE_STOPPED: output += "STOPPED" else: output += "UNKOWN" self.__logger.results(output) self.__logger.results("Total Services: {}".format(len(resp))) elif self.__action == 'CREATE': self.__logger.success("Creating service {}".format(self.__options.service_name)) scmr.hRCreateServiceW(rpc, scManagerHandle,self.__options.service_name + '\x00', self.__options.service_display_name + '\x00', lpBinaryPathName=self.__options.service_bin_path + '\x00') elif self.__action == 'CHANGE': self.__logger.success("Changing service config for {}".format(self.__options.service_name)) if self.__options.start_type is not None: start_type = int(self.__options.start_type) else: start_type = scmr.SERVICE_NO_CHANGE if self.__options.service_type is not None: service_type = int(self.__options.service_type) else: service_type = scmr.SERVICE_NO_CHANGE if self.__options.service_display_name is not None: display = self.__options.service_display_name + '\x00' else: display = NULL if self.__options.service_bin_path is not None: path = self.__options.service_bin_path + '\x00' else: path = NULL if self.__options.start_name is not None: start_name = self.__options.start_name + '\x00' else: start_name = NULL if self.__options.start_pass is not None: s = rpctransport.get_smb_connection() key = s.getSessionKey() try: password = (self.__options.start_pass+'\x00').encode('utf-16le') except UnicodeDecodeError: import sys password = (self.__options.start_pass+'\x00').decode(sys.getfilesystemencoding()).encode('utf-16le') password = encryptSecret(key, password) else: password = NULL #resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle, display, path, service_type, start_type, start_name, password) scmr.hRChangeServiceConfigW(rpc, serviceHandle, service_type, start_type, scmr.SERVICE_ERROR_IGNORE, path, NULL, NULL, NULL, 0, start_name, password, 0, display) scmr.hRCloseServiceHandle(rpc, serviceHandle) else: logging.error("Unknown action %s" % self.__action) scmr.hRCloseServiceHandle(rpc, scManagerHandle) dce.disconnect() return
def status(self): if not self._serviceHandle: raise ShellServiceIsNotExists() resp = scmr.hRQueryServiceStatus(self._scmr, self._serviceHandle) return resp['lpServiceStatus']['dwCurrentState']
def doStuff(self, rpctransport): dce = rpctransport.get_dce_rpc() #dce.set_credentials(self.__username, self.__password) dce.connect() #dce.set_max_fragment_size(1) #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY) #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY) dce.bind(scmr.MSRPC_UUID_SCMR) #rpc = svcctl.DCERPCSvcCtl(dce) rpc = dce ans = scmr.hROpenSCManagerW(rpc) scManagerHandle = ans['lpScHandle'] if self.__action != 'LIST' and self.__action != 'CREATE': ans = scmr.hROpenServiceW(rpc, scManagerHandle, self.__options.service_name + '\x00') serviceHandle = ans['lpServiceHandle'] if self.__action == 'START': self.__logger.success(u"Starting service {}".format( unicode(self.__options.service_name, 'utf-8'))) scmr.hRStartServiceW(rpc, serviceHandle) scmr.hRCloseServiceHandle(rpc, serviceHandle) elif self.__action == 'STOP': self.__logger.success(u"Stopping service {}".format( unicode(self.__options.service_name, 'utf-8'))) scmr.hRControlService(rpc, serviceHandle, scmr.SERVICE_CONTROL_STOP) scmr.hRCloseServiceHandle(rpc, serviceHandle) elif self.__action == 'DELETE': self.__logger.success(u"Deleting service {}".format( unicode(self.__options.service_name, 'utf-8'))) scmr.hRDeleteService(rpc, serviceHandle) scmr.hRCloseServiceHandle(rpc, serviceHandle) elif self.__action == 'CONFIG': self.__logger.success(u"Service config for {}".format( unicode(self.__options.service_name, 'utf-8'))) resp = scmr.hRQueryServiceConfigW(rpc, serviceHandle) output = "TYPE : %2d - " % resp['lpServiceConfig'][ 'dwServiceType'] if resp['lpServiceConfig']['dwServiceType'] & 0x1: output += "SERVICE_KERNEL_DRIVER " if resp['lpServiceConfig']['dwServiceType'] & 0x2: output += "SERVICE_FILE_SYSTEM_DRIVER " if resp['lpServiceConfig']['dwServiceType'] & 0x10: output += "SERVICE_WIN32_OWN_PROCESS " if resp['lpServiceConfig']['dwServiceType'] & 0x20: output += "SERVICE_WIN32_SHARE_PROCESS " if resp['lpServiceConfig']['dwServiceType'] & 0x100: output += "SERVICE_INTERACTIVE_PROCESS " self.__logger.results(output) output = "START_TYPE : %2d - " % resp['lpServiceConfig'][ 'dwStartType'] if resp['lpServiceConfig']['dwStartType'] == 0x0: output += "BOOT START" elif resp['lpServiceConfig']['dwStartType'] == 0x1: output += "SYSTEM START" elif resp['lpServiceConfig']['dwStartType'] == 0x2: output += "AUTO START" elif resp['lpServiceConfig']['dwStartType'] == 0x3: output += "DEMAND START" elif resp['lpServiceConfig']['dwStartType'] == 0x4: output += "DISABLED" else: output += "UNKOWN" self.__logger.results(output) output = "ERROR_CONTROL : %2d - " % resp['lpServiceConfig'][ 'dwErrorControl'] if resp['lpServiceConfig']['dwErrorControl'] == 0x0: output += "IGNORE" elif resp['lpServiceConfig']['dwErrorControl'] == 0x1: output += "NORMAL" elif resp['lpServiceConfig']['dwErrorControl'] == 0x2: output += "SEVERE" elif resp['lpServiceConfig']['dwErrorControl'] == 0x3: output += "CRITICAL" else: output += "UNKOWN" self.__logger.results(output) self.__logger.results( "BINARY_PATH_NAME : %s" % resp['lpServiceConfig']['lpBinaryPathName'][:-1]) self.__logger.results( "LOAD_ORDER_GROUP : %s" % resp['lpServiceConfig']['lpLoadOrderGroup'][:-1]) self.__logger.results("TAG : %d" % resp['lpServiceConfig']['dwTagId']) self.__logger.results( "DISPLAY_NAME : %s" % resp['lpServiceConfig']['lpDisplayName'][:-1]) self.__logger.results( "DEPENDENCIES : %s" % resp['lpServiceConfig']['lpDependencies'][:-1]) self.__logger.results( "SERVICE_START_NAME: %s" % resp['lpServiceConfig']['lpServiceStartName'][:-1]) elif self.__action == 'STATUS': self.__logger.success(u"Service status for {}".format( unicode(self.__options.service_name, 'utf-8'))) resp = scmr.hRQueryServiceStatus(rpc, serviceHandle) output = u"%s - " % format( unicode(self.__options.service_name, 'utf-8')) state = resp['lpServiceStatus']['dwCurrentState'] if state == scmr.SERVICE_CONTINUE_PENDING: output += "CONTINUE PENDING" elif state == scmr.SERVICE_PAUSE_PENDING: output += "PAUSE PENDING" elif state == scmr.SERVICE_PAUSED: output += "PAUSED" elif state == scmr.SERVICE_RUNNING: output += "RUNNING" elif state == scmr.SERVICE_START_PENDING: output += "START PENDING" elif state == scmr.SERVICE_STOP_PENDING: output += "STOP PENDING" elif state == scmr.SERVICE_STOPPED: output += "STOPPED" else: output += "UNKOWN" self.__logger.results(output) elif self.__action == 'LIST': self.__logger.success("Enumerating services") #resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_SHARE_PROCESS ) #resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_OWN_PROCESS ) #resp = rpc.EnumServicesStatusW(scManagerHandle, serviceType = svcctl.SERVICE_FILE_SYSTEM_DRIVER, serviceState = svcctl.SERVICE_STATE_ALL ) resp = scmr.hREnumServicesStatusW(rpc, scManagerHandle) for i in range(len(resp)): output = "%30s - %70s - " % (resp[i]['lpServiceName'][:-1], resp[i]['lpDisplayName'][:-1]) state = resp[i]['ServiceStatus']['dwCurrentState'] if state == scmr.SERVICE_CONTINUE_PENDING: output += "CONTINUE PENDING" elif state == scmr.SERVICE_PAUSE_PENDING: output += "PAUSE PENDING" elif state == scmr.SERVICE_PAUSED: output += "PAUSED" elif state == scmr.SERVICE_RUNNING: output += "RUNNING" elif state == scmr.SERVICE_START_PENDING: output += "START PENDING" elif state == scmr.SERVICE_STOP_PENDING: output += "STOP PENDING" elif state == scmr.SERVICE_STOPPED: output += "STOPPED" else: output += "UNKOWN" self.__logger.results(output) self.__logger.results("Total Services: {}".format(len(resp))) elif self.__action == 'CREATE': self.__logger.success(u"Creating service {}".format( unicode(self.__options.service_name, 'utf-8'))) scmr.hRCreateServiceW( rpc, scManagerHandle, self.__options.service_name + '\x00', self.__options.service_display_name + '\x00', lpBinaryPathName=self.__options.service_bin_path + '\x00') elif self.__action == 'CHANGE': self.__logger.success(u"Changing service config for {}".format( unicode(self.__options.service_name, 'utf-8'))) if self.__options.start_type is not None: start_type = int(self.__options.start_type) else: start_type = scmr.SERVICE_NO_CHANGE if self.__options.service_type is not None: service_type = int(self.__options.service_type) else: service_type = scmr.SERVICE_NO_CHANGE if self.__options.service_display_name is not None: display = self.__options.service_display_name + '\x00' else: display = NULL if self.__options.service_bin_path is not None: path = self.__options.service_bin_path + '\x00' else: path = NULL if self.__options.start_name is not None: start_name = self.__options.start_name + '\x00' else: start_name = NULL if self.__options.start_pass is not None: s = rpctransport.get_smb_connection() key = s.getSessionKey() try: password = (self.__options.start_pass + '\x00').encode('utf-16le') except UnicodeDecodeError: import sys password = (self.__options.start_pass + '\x00').decode( sys.getfilesystemencoding()).encode('utf-16le') password = encryptSecret(key, password) else: password = NULL #resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle, display, path, service_type, start_type, start_name, password) scmr.hRChangeServiceConfigW(rpc, serviceHandle, service_type, start_type, scmr.SERVICE_ERROR_IGNORE, path, NULL, NULL, NULL, 0, start_name, password, 0, display) scmr.hRCloseServiceHandle(rpc, serviceHandle) else: logging.error("Unknown action %s" % self.__action) scmr.hRCloseServiceHandle(rpc, scManagerHandle) dce.disconnect() return