def test_RControlServiceCall(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'CryptSvc\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
try:
req = scmr.RControlService()
req['hService'] = serviceHandle
req['dwControl'] = scmr.SERVICE_CONTROL_STOP
dce.request(req)
except Exception as e:
if str(e).find('ERROR_DEPENDENT_SERVICES_RUNNING') < 0 and str(e).find('ERROR_SERVICE_NOT_ACTIVE') < 0:
raise
pass
scmr.hRCloseServiceHandle(dce, serviceHandle)
import time
time.sleep(1)
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
try:
resp = scmr.hRStartServiceW(dce, serviceHandle, 0, NULL )
resp.dump()
except Exception as e:
if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') < 0:
raise
return
def test_RControlServiceCall(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'CryptSvc\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
try:
req = scmr.RControlService()
req['hService'] = serviceHandle
req['dwControl'] = scmr.SERVICE_CONTROL_STOP
dce.request(req)
except Exception as e:
if str(e).find('ERROR_DEPENDENT_SERVICES_RUNNING') < 0 and str(e).find('ERROR_SERVICE_NOT_ACTIVE') < 0:
raise
pass
scmr.hRCloseServiceHandle(dce, serviceHandle)
import time
time.sleep(1)
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
try:
resp = scmr.hRStartServiceW(dce, serviceHandle, 0, NULL )
resp.dump()
except Exception as e:
if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') < 0:
raise
return
def te_RNotifyServiceStatusChange(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RNotifyServiceStatusChange()
request['hService'] =serviceHandle
request['NotifyParams']['tag'] = 1
request['NotifyParams']['pStatusChangeParam1']['dwNotifyMask'] = scmr.SERVICE_NOTIFY_RUNNING
request['pClientProcessGuid'] = '0'*16
#request.dump()
resp = dce.request(request)
resp.dump()
request = scmr.RCloseNotifyHandle()
request['phNotify'] = resp['phNotify']
resp = dce.request(request)
resp.dump()
request = scmr.RGetNotifyResults()
request['hNotify'] = resp['phNotify']
resp = dce.request(request)
resp.dump()
def open_or_create_service(self, dce, scHandle, service_name, display_name,
binary_path_name):
try:
desiredAccess = scmr.SERVICE_ALL_ACCESS
resp = scmr.hROpenServiceW(dce, scHandle, service_name,
desiredAccess)
resp.dump()
return resp['lpServiceHandle']
except scmr.DCERPCSessionError as e:
if e.get_error_code() != 0x424:
raise
dwDesiredAccess = scmr.SERVICE_ALL_ACCESS
dwServiceType = scmr.SERVICE_WIN32_OWN_PROCESS
dwStartType = scmr.SERVICE_DEMAND_START
dwErrorControl = scmr.SERVICE_ERROR_NORMAL
lpLoadOrderGroup = NULL
lpdwTagId = NULL
lpDependencies = NULL
dwDependSize = 0
lpServiceStartName = NULL
lpPassword = NULL
dwPwSize = 0
resp = scmr.hRCreateServiceW(dce, scHandle, service_name, display_name,
dwDesiredAccess, dwServiceType,
dwStartType, dwErrorControl,
binary_path_name, lpLoadOrderGroup,
lpdwTagId, lpDependencies, dwDependSize,
lpServiceStartName, lpPassword, dwPwSize)
return resp['lpServiceHandle']
def __checkServiceStatus(self):
# Open SC Manager
ans = scmr.hROpenSCManagerW(self.__scmr)
self.__scManagerHandle = ans['lpScHandle']
# Now let's open the service
ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle,
self.__serviceName)
self.__serviceHandle = ans['lpServiceHandle']
# Let's check its status
ans = scmr.hRQueryServiceStatus(self.__scmr, self.__serviceHandle)
if ans['lpServiceStatus']['dwCurrentState'] == scmr.SERVICE_STOPPED:
logging.info('Service %s is in stopped state' % self.__serviceName)
self.__shouldStop = True
self.__started = False
elif ans['lpServiceStatus']['dwCurrentState'] == scmr.SERVICE_RUNNING:
logging.debug('Service %s is already running' % self.__serviceName)
self.__shouldStop = False
self.__started = True
else:
raise Exception('Unknown service state 0x%x - Aborting' %
ans['CurrentState'])
# Let's check its configuration if service is stopped, maybe it's disabled :s
if self.__started is False:
ans = scmr.hRQueryServiceConfigW(self.__scmr, self.__serviceHandle)
if ans['lpServiceConfig']['dwStartType'] == 0x4:
logging.info('Service %s is disabled, enabling it' %
self.__serviceName)
self.__disabled = True
scmr.hRChangeServiceConfigW(self.__scmr,
self.__serviceHandle,
dwStartType=0x3)
logging.info('Starting service %s' % self.__serviceName)
scmr.hRStartServiceW(self.__scmr, self.__serviceHandle)
time.sleep(1)
def createService(self, handle, share, path):
LOG.info("Creating service %s on %s....." %
(self.__service_name, self.connection.getRemoteHost()))
# First we try to open the service in case it exists. If it does, we remove it.
try:
resp = scmr.hROpenServiceW(self.rpcsvc, handle,
self.__service_name + '\x00')
except Exception as e:
if str(e).find('ERROR_SERVICE_DOES_NOT_EXIST') >= 0:
# We're good, pass the exception
pass
else:
raise e
else:
# It exists, remove it
scmr.hRDeleteService(self.rpcsvc, resp['lpServiceHandle'])
scmr.hRCloseServiceHandle(self.rpcsvc, resp['lpServiceHandle'])
# Create the service
command = '%s\\%s' % (path, self.__binary_service_name)
try:
resp = scmr.hRCreateServiceW(self.rpcsvc,
handle,
self.__service_name + '\x00',
self.__service_name + '\x00',
lpBinaryPathName=command + '\x00',
dwStartType=scmr.SERVICE_DEMAND_START)
except:
LOG.critical(
"Error creating service %s on %s" %
(self.__service_name, self.connection.getRemoteHost()))
raise
else:
return resp['lpServiceHandle']
def service_exec(conn, cmd):
import random
import string
from impacket.dcerpc.v5 import transport, srvs, scmr
service_name = ''.join([random.choice(string.letters) for i in range(4)])
# Setup up a DCE SMBTransport with the connection already in place
rpcsvc = conn.get_dce_rpc('svcctl')
rpcsvc.connect()
rpcsvc.bind(scmr.MSRPC_UUID_SCMR)
svcHandle = None
try:
print("Opening SVCManager on %s....." % conn.get_remote_host())
resp = scmr.hROpenSCManagerW(rpcsvc)
svcHandle = resp['lpScHandle']
# First we try to open the service in case it exists. If it does, we remove it.
try:
resp = scmr.hROpenServiceW(rpcsvc, svcHandle,
service_name + '\x00')
except Exception as e:
if str(e).find('ERROR_SERVICE_DOES_NOT_EXIST') == -1:
raise e # Unexpected error
else:
# It exists, remove it
scmr.hRDeleteService(rpcsvc, resp['lpServiceHandle'])
scmr.hRCloseServiceHandle(rpcsvc, resp['lpServiceHandle'])
print('Creating service %s.....' % service_name)
resp = scmr.hRCreateServiceW(rpcsvc,
svcHandle,
service_name + '\x00',
service_name + '\x00',
lpBinaryPathName=cmd + '\x00')
serviceHandle = resp['lpServiceHandle']
if serviceHandle:
# Start service
try:
print('Starting service %s.....' % service_name)
scmr.hRStartServiceW(rpcsvc, serviceHandle)
# is it really need to stop?
# using command line always makes starting service fail because SetServiceStatus() does not get called
#print('Stoping service %s.....' % service_name)
#scmr.hRControlService(rpcsvc, serviceHandle, scmr.SERVICE_CONTROL_STOP)
except Exception as e:
print(str(e))
print('Removing service %s.....' % service_name)
scmr.hRDeleteService(rpcsvc, serviceHandle)
scmr.hRCloseServiceHandle(rpcsvc, serviceHandle)
except Exception as e:
print("ServiceExec Error on: %s" % conn.get_remote_host())
print(str(e))
finally:
if svcHandle:
scmr.hRCloseServiceHandle(rpcsvc, svcHandle)
rpcsvc.disconnect()
def test_query(self):
dce, rpctransport, scHandle = self.connect()
############################
# Query Service Status / Enum Dependent
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess)
#resp.dump()
serviceHandle = resp['lpServiceHandle']
resp = scmr.hRQueryServiceStatus(dce, serviceHandle)
cbBufSize = 0
try:
resp = scmr.hREnumDependentServicesW(dce, serviceHandle,
scmr.SERVICE_STATE_ALL,
cbBufSize)
#resp.dump()
except scmr.DCERPCSessionError, e:
if str(e).find('ERROR_MORE_DATA') <= 0:
raise
else:
resp = e.get_packet()
def test_query(self):
dce, rpctransport, scHandle = self.connect()
############################
# Query Service Status / Enum Dependent
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
scmr.hRQueryServiceStatus(dce, serviceHandle)
cbBufSize = 0
try:
resp = scmr.hREnumDependentServicesW(dce, serviceHandle, scmr.SERVICE_STATE_ALL,cbBufSize )
resp.dump()
except scmr.DCERPCSessionError as e:
if str(e).find('ERROR_MORE_DATA') <= 0:
raise
else:
resp = e.get_packet()
resp.dump()
cbBufSize = resp['pcbBytesNeeded']
resp = scmr.hREnumDependentServicesW(dce, serviceHandle, scmr.SERVICE_STATE_ALL,cbBufSize )
resp.dump()
scmr.hRCloseServiceHandle(dce, serviceHandle)
scmr.hRCloseServiceHandle(dce, scHandle)
def service_exec(conn, cmd):
import random
import string
from impacket.dcerpc.v5 import transport, srvs, scmr
service_name = ''.join([random.choice(string.letters) for i in range(4)])
print service_name
# Setup up a DCE SMBTransport with the connection already in place
rpcsvc = conn.get_dce_rpc('svcctl')
rpcsvc.connect()
rpcsvc.bind(scmr.MSRPC_UUID_SCMR)
svnHandle = None
try:
print("Opening SVCManager on %s....." % conn.get_remote_host())
resp = scmr.hROpenSCManagerW(rpcsvc)
svcHandle = resp['lpScHandle']
# First we try to open the service in case it exists. If it does, we remove it.
try:
resp = scmr.hROpenServiceW(rpcsvc, svcHandle,
service_name + '\x00')
except Exception, e:
if str(e).find('ERROR_SERVICE_DOES_NOT_EXIST') == -1:
raise e # Unexpected error
else:
def __checkServiceStatus(self):
# Open SC Manager
ans = scmr.hROpenSCManagerW(self.__scmr)
self.__scManagerHandle = ans['lpScHandle']
# Now let's open the service
ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, self.__serviceName)
self.__serviceHandle = ans['lpServiceHandle']
# Let's check its status
ans = scmr.hRQueryServiceStatus(self.__scmr, self.__serviceHandle)
if ans['lpServiceStatus']['dwCurrentState'] == scmr.SERVICE_STOPPED:
logging.info('Service %s is in stopped state'% self.__serviceName)
self.__shouldStop = True
self.__started = False
elif ans['lpServiceStatus']['dwCurrentState'] == scmr.SERVICE_RUNNING:
logging.debug('Service %s is already running'% self.__serviceName)
self.__shouldStop = False
self.__started = True
else:
raise Exception('Unknown service state 0x%x - Aborting' % ans['CurrentState'])
# Let's check its configuration if service is stopped, maybe it's disabled :s
if self.__started is False:
ans = scmr.hRQueryServiceConfigW(self.__scmr,self.__serviceHandle)
if ans['lpServiceConfig']['dwStartType'] == 0x4:
logging.info('Service %s is disabled, enabling it'% self.__serviceName)
self.__disabled = True
scmr.hRChangeServiceConfigW(self.__scmr, self.__serviceHandle, dwStartType = 0x3)
logging.info('Starting service %s' % self.__serviceName)
scmr.hRStartServiceW(self.__scmr,self.__serviceHandle)
time.sleep(1)
def clean(self):
try:
scmr.hRDeleteService(self._scmr, self._service)
scmr.hRCloseServiceHandle(self._scmr, self._service)
logging.debug("Service %s deleted" % self._serviceName)
except:
logging.warning("An error occurred while trying to delete service %s. Trying again." % self._serviceName)
try:
logging.debug("Trying to connect back to SCMR")
self._scmr = self._rpctransport.get_dce_rpc()
try:
self._scmr.connect()
except Exception as e:
raise Exception("An error occurred while connecting to SVCCTL: %s" % e)
logging.debug("Connected to SCMR")
self._scmr.bind(scmr.MSRPC_UUID_SCMR)
resp = scmr.hROpenSCManagerW(self._scmr)
_scHandle = resp['lpScHandle']
resp = scmr.hROpenServiceW(self._scmr, _scHandle, self._serviceName)
logging.debug("Found service %s" % self._serviceName)
self._service = resp['lpServiceHandle']
scmr.hRDeleteService(self._scmr, self._service)
logging.debug("Service %s deleted" % self._serviceName)
scmr.hRControlService(self._scmr, self._service, scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(self._scmr, self._service)
except scmr.DCERPCException:
logging.debug("A DCERPCException error occured while trying to delete %s" % self._serviceName, exc_info=True)
pass
except:
logging.debug("An unknown error occured while trying to delete %s" % self._serviceName, exc_info=True)
pass
def stop_service(target):
username, password, domain, nthash = target.creds
lmhash = "" if password else "aad3b435b51404eeaad3b435b51404ee"
aesKey = None
remoteName = target.target_ip
remoteHost = target.target_ip
stringbinding = r'ncacn_np:%s[\pipe\svcctl]' % remoteName
rpctransport = transport.DCERPCTransportFactory(stringbinding)
rpctransport.set_dport(target.target_port)
rpctransport.setRemoteHost(remoteHost)
if hasattr(rpctransport, 'set_credentials'):
rpctransport.set_credentials(username, password, domain, lmhash,
nthash, aesKey)
rpctransport.set_kerberos(False, None)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(scmr.MSRPC_UUID_SCMR)
rpc = dce
ans = scmr.hROpenSCManagerW(rpc)
scManagerHandle = ans['lpScHandle']
ans = scmr.hROpenServiceW(rpc, scManagerHandle, "lateral" + '\x00')
serviceHandle = ans['lpServiceHandle']
#print("[*] stopping")
#scmr.hRControlService(rpc, serviceHandle, scmr.SERVICE_CONTROL_STOP)
print("[*] deleting")
scmr.hRDeleteService(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
def te_RNotifyServiceStatusChange(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess)
#resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RNotifyServiceStatusChange()
request['hService'] = serviceHandle
request['NotifyParams']['tag'] = 1
request['NotifyParams']['pStatusChangeParam1'][
'dwNotifyMask'] = scmr.SERVICE_NOTIFY_RUNNING
request['pClientProcessGuid'] = '0' * 16
#request.dump()
resp = dce.request(request)
#resp.dump()
request = scmr.RCloseNotifyHandle()
request['phNotify'] = resp['phNotify']
resp = dce.request(request)
#resp.dump()
request = scmr.RGetNotifyResults()
request['hNotify'] = resp['phNotify']
resp = dce.request(request)
def createService(self, handle, share, path):
LOG.info("Creating service %s on %s....." % (self.__service_name, self.connection.getRemoteHost()))
# First we try to open the service in case it exists. If it does, we remove it.
try:
resp = scmr.hROpenServiceW(self.rpcsvc, handle, self.__service_name+'\x00')
except Exception as e:
if str(e).find('ERROR_SERVICE_DOES_NOT_EXIST') >= 0:
# We're good, pass the exception
pass
else:
raise e
else:
# It exists, remove it
scmr.hRDeleteService(self.rpcsvc, resp['lpServiceHandle'])
scmr.hRCloseServiceHandle(self.rpcsvc, resp['lpServiceHandle'])
# Create the service
command = '%s\\%s' % (path, self.__binary_service_name)
try:
resp = scmr.hRCreateServiceW(self.rpcsvc, handle,self.__service_name + '\x00', self.__service_name + '\x00',
lpBinaryPathName=command + '\x00', dwStartType=scmr.SERVICE_DEMAND_START)
except:
LOG.critical("Error creating service %s on %s" % (self.__service_name, self.connection.getRemoteHost()))
raise
else:
return resp['lpServiceHandle']
def service_exec(conn, cmd):
import random
import string
from impacket.dcerpc.v5 import transport, srvs, scmr
service_name = ''.join([random.choice(string.letters) for i in range(4)])
# Setup up a DCE SMBTransport with the connection already in place
rpcsvc = conn.get_dce_rpc('svcctl')
rpcsvc.connect()
rpcsvc.bind(scmr.MSRPC_UUID_SCMR)
svcHandle = None
try:
print("Opening SVCManager on %s....." % conn.get_remote_host())
resp = scmr.hROpenSCManagerW(rpcsvc)
svcHandle = resp['lpScHandle']
# First we try to open the service in case it exists. If it does, we remove it.
try:
resp = scmr.hROpenServiceW(rpcsvc, svcHandle, service_name+'\x00')
except Exception as e:
if str(e).find('ERROR_SERVICE_DOES_NOT_EXIST') == -1:
raise e # Unexpected error
else:
# It exists, remove it
scmr.hRDeleteService(rpcsvc, resp['lpServiceHandle'])
scmr.hRCloseServiceHandle(rpcsvc, resp['lpServiceHandle'])
print('Creating service %s.....' % service_name)
resp = scmr.hRCreateServiceW(rpcsvc, svcHandle, service_name + '\x00', service_name + '\x00', lpBinaryPathName=cmd + '\x00')
serviceHandle = resp['lpServiceHandle']
if serviceHandle:
# Start service
try:
print('Starting service %s.....' % service_name)
scmr.hRStartServiceW(rpcsvc, serviceHandle)
# is it really need to stop?
# using command line always makes starting service fail because SetServiceStatus() does not get called
#print('Stoping service %s.....' % service_name)
#scmr.hRControlService(rpcsvc, serviceHandle, scmr.SERVICE_CONTROL_STOP)
except Exception as e:
print(str(e))
print('Removing service %s.....' % service_name)
scmr.hRDeleteService(rpcsvc, serviceHandle)
scmr.hRCloseServiceHandle(rpcsvc, serviceHandle)
except Exception as e:
print("ServiceExec Error on: %s" % conn.get_remote_host())
print(str(e))
finally:
if svcHandle:
scmr.hRCloseServiceHandle(rpcsvc, svcHandle)
rpcsvc.disconnect()
def createService(self, handle, share, path):
LOG.info("Creating service %s on %s....." % (self.__service_name, self.connection.getRemoteHost()))
# First we try to open the service in case it exists. If it does, we remove it.
try:
resp = scmr.hROpenServiceW(self.rpcsvc, handle, self.__service_name+'\x00')
except Exception, e:
if str(e).find('ERROR_SERVICE_DOES_NOT_EXIST') >= 0:
# We're good, pass the exception
pass
else:
raise e
def createService(self, handle, share, path):
LOG.info("Creating service %s on %s....." % (self.__service_name, self.connection.getRemoteHost()))
# First we try to open the service in case it exists. If it does, we remove it.
try:
resp = scmr.hROpenServiceW(self.rpcsvc, handle, self.__service_name+'\x00')
except Exception, e:
if str(e).find('ERROR_SERVICE_DOES_NOT_EXIST') >= 0:
# We're good, pass the exception
pass
else:
raise e
def __createService(self):
self.__log__(logging.DEBUG, 'Creating service')
try:
resp = scmr.hROpenServiceW(
self.__dcerpc, self.__SVCManager,
RemoteCmd.REMCOMSVC_SERVICE_NAME + '\x00')
self.__log__(logging.WARNING,
'Service already exists, renewing it')
try:
scmr.hRControlService(self.__dcerpc, resp['lpServiceHandle'],
scmr.SERVICE_CONTROL_STOP)
time.sleep(1)
except:
pass
scmr.hRDeleteService(self.__dcerpc, resp['lpServiceHandle'])
scmr.hRCloseServiceHandle(self.__dcerpc, resp['lpServiceHandle'])
except:
pass
resp = scmr.hRCreateServiceW(
self.__dcerpc,
self.__SVCManager,
RemoteCmd.REMCOMSVC_SERVICE_NAME + '\x00',
RemoteCmd.REMCOMSVC_SERVICE_NAME + '\x00',
lpBinaryPathName=self.__getWritableUNCPath() + '\\' +
RemoteCmd.REMCOMSVC_REMOTE + '\x00',
dwStartType=scmr.SERVICE_DEMAND_START,
)
resp = scmr.hROpenServiceW(self.__dcerpc, self.__SVCManager,
RemoteCmd.REMCOMSVC_SERVICE_NAME + '\x00')
self.__service = resp['lpServiceHandle']
self.__pendingCleanupActions.append((self.__deleteService, 3))
return
def service_exec(conn, cmd):
import random
import string
from impacket.dcerpc.v5 import transport, srvs, scmr
service_name = ''.join([random.choice(string.letters) for i in range(6)])
rpcsvc = conn.get_dce_rpc('svcctl')
rpcsvc.connect()
rpcsvc.bind(scmr.MSRPC_UUID_SCMR)
svcHandle = None
try:
print(" Opening SVCManager on %s..." % conn.get_remote_host())
resp = scmr.hROpenSCManagerW(rpcsvc)
svcHandle = resp['lpScHandle']
try:
resp = scmr.hROpenServiceW(rpcsvc, svcHandle,
service_name + '\x00')
except Exception as e:
if str(e).find('ERROR_SERVICE_DOES_NOT_EXIST') == -1:
raise e
else:
scmr.hRDeleteService(rpcsvc, resp['lpServiceHandle'])
scmr.hRCloseServiceHandle(rpcsvc, resp['lpServiceHandle'])
print(" Creating Service %s..." % service_name)
resp = scmr.hRCreateServiceW(rpcsvc,
svcHandle,
service_name + '\x00',
service_name + '\x00',
lpBinaryPathName=cmd + '\x00')
serviceHandle = resp['lpServiceHandle']
if serviceHandle:
try:
print(" Starting Service %s..." % service_name)
scmr.hRStartServiceW(rpcsvc, serviceHandle)
except Exception as e:
print(str(e))
except Exception as e:
print(" ServiceExec Error on: %s" % conn.get_remote_host())
print(str(e))
finally:
if svcHandle:
scmr.hRCloseServiceHandle(rpcsvc, svcHandle)
rpcsvc.disconnect()
def getServiceAccount(self, serviceName):
try:
# Open the service
ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, serviceName)
serviceHandle = ans['lpServiceHandle']
resp = scmr.hRQueryServiceConfigW(self.__scmr, serviceHandle)
account = resp['lpServiceConfig']['lpServiceStartName'][:-1]
scmr.hRCloseServiceHandle(self.__scmr, serviceHandle)
if account.startswith('.\\'):
account = account[2:]
return account
except Exception, e:
logging.error(e)
return None
def rpc_get_services(self):
"""
Query services with stored credentials via RPC.
These credentials can be dumped with mimikatz via lsadump::secrets or via secretsdump.py
"""
binding = r'ncacn_np:%s[\PIPE\svcctl]' % self.addr
serviceusers = []
dce = self.dce_rpc_connect(binding, scmr.MSRPC_UUID_SCMR)
if dce is None:
logging.warning('Connection failed: %s', binding)
return
try:
resp = scmr.hROpenSCManagerW(dce)
scManagerHandle = resp['lpScHandle']
# TODO: Figure out if filtering out service types makes sense
resp = scmr.hREnumServicesStatusW(
dce,
scManagerHandle,
dwServiceType=scmr.SERVICE_WIN32_OWN_PROCESS,
dwServiceState=scmr.SERVICE_STATE_ALL)
# TODO: Skip well-known services to save on traffic
for i in range(len(resp)):
try:
ans = scmr.hROpenServiceW(dce, scManagerHandle,
resp[i]['lpServiceName'][:-1])
serviceHandle = ans['lpServiceHandle']
svcresp = scmr.hRQueryServiceConfigW(dce, serviceHandle)
svc_user = svcresp['lpServiceConfig'][
'lpServiceStartName'][:-1]
if '@' in svc_user:
logging.info(
"Found user service: %s running as %s on %s",
resp[i]['lpServiceName'][:-1], svc_user,
self.hostname)
serviceusers.append(svc_user)
except DCERPCException as e:
if 'rpc_s_access_denied' not in str(e):
logging.debug(
'Exception querying service %s via RPC: %s',
resp[i]['lpServiceName'][:-1], e)
except DCERPCException as e:
logging.debug('Exception connecting to RPC: %s', e)
except Exception as e:
if 'connection reset' in str(e):
logging.debug('Connection was reset: %s', e)
else:
raise e
dce.disconnect()
return serviceusers
def getServiceAccount(self, serviceName):
try:
# Open the service
ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, serviceName)
serviceHandle = ans['lpServiceHandle']
resp = scmr.hRQueryServiceConfigW(self.__scmr, serviceHandle)
account = resp['lpServiceConfig']['lpServiceStartName'][:-1]
scmr.hRCloseServiceHandle(self.__scmr, serviceHandle)
if account.startswith('.\\'):
account = account[2:]
return account
except Exception, e:
logging.error(e)
return None
def test_RStartServiceW(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
try:
resp = scmr.hRStartServiceW(dce, serviceHandle, 3, ['arg1\x00', 'arg2\x00', 'arg3\x00'] )
except Exception, e:
if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') <= 0:
raise
def finish(self):
# Just in case the service is still created
try:
self.__scmr = self.__rpc.get_dce_rpc()
self.__scmr.connect()
self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
resp = scmr.hROpenSCManagerW(self.__scmr)
self.__scHandle = resp['lpScHandle']
resp = scmr.hROpenServiceW(self.__scmr, self.__scHandle, self.__serviceName)
service = resp['lpServiceHandle']
scmr.hRDeleteService(self.__scmr, service)
scmr.hRControlService(self.__scmr, service, scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(self.__scmr, service)
except:
pass
def finish(self):
# Just in case the service is still created
try:
self.__scmr = self.__rpc.get_dce_rpc()
self.__scmr.connect()
self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
resp = scmr.hROpenSCManagerW(self.__scmr)
self.__scHandle = resp['lpScHandle']
resp = scmr.hROpenServiceW(self.__scmr, self.__scHandle, self.__serviceName)
service = resp['lpServiceHandle']
scmr.hRDeleteService(self.__scmr, service)
scmr.hRControlService(self.__scmr, service, scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(self.__scmr, service)
except:
pass
def test_RQueryServiceConfigEx(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'RemoteRegistry\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess)
#resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RQueryServiceConfigEx()
request['hService'] = serviceHandle
request['dwInfoLevel'] = 0x00000008
#request.dump()
resp = dce.request(request)
def start_rrp_service(self, dce, sc_handle):
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | \
scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, sc_handle, 'RemoteRegistry\x00',
desiredAccess)
serviceHandle = resp['lpServiceHandle']
try:
scmr.hRStartServiceW(dce, serviceHandle)
except Exception as e:
if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') >= 0:
pass
else:
raise
scmr.hRCloseServiceHandle(dce, sc_handle)
self.rrp_started = True
def test_RQueryServiceConfigEx(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'RemoteRegistry\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RQueryServiceConfigEx()
request['hService'] = serviceHandle
request['dwInfoLevel'] = 0x00000008
#request.dump()
resp = dce.request(request)
resp.dump()
def create_service(self, name, display_name, cmdline, *, start=True):
if self._svcmgr is None:
raise RuntimeError("ServiceManager must be open() first")
svc_handle = None
try:
# try to open existing service first
try:
resp = impkt_scmr.hROpenServiceW(self._rpcsvcctl, self._svcmgr,
name + "\x00")
svc_handle = resp["lpServiceHandle"]
except Exception as exc:
svc_handle = None
if str(exc).find("ERROR_SERVICE_DOES_NOT_EXIST") >= 0:
pass
else:
raise
# create service if needed
if svc_handle is None:
resp = impkt_scmr.hRCreateServiceW(
self._rpcsvcctl,
self._svcmgr,
name + "\x00",
display_name + "\x00",
lpBinaryPathName=cmdline + "\x00",
dwStartType=impkt_scmr.SERVICE_DEMAND_START)
svc_handle = resp["lpServiceHandle"]
assert svc_handle is not None
# start service
try:
impkt_scmr.hRStartServiceW(self._rpcsvcctl, svc_handle)
except Exception as exc:
if str(exc).find("ERROR_SERVICE_ALREADY_RUNNING") < 0:
raise
finally:
if svc_handle is not None:
with contextlib.suppress(Exception):
impkt_scmr.hRCloseServiceHandle(self._rpcsvcctl,
svc_handle)
svc_handle = None
def __restore(self):
# First of all stop the service if it was originally stopped
if self.__shouldStop is True:
logging.info('Stopping service %s' % self.__serviceName)
scmr.hRControlService(self.__scmr, self.__serviceHandle,
scmr.SERVICE_CONTROL_STOP)
if self.__disabled is True:
logging.info('Restoring the disabled state for service %s' %
self.__serviceName)
scmr.hRChangeServiceConfigW(self.__scmr,
self.__serviceHandle,
dwStartType=0x4)
if self.__serviceDeleted is False:
# Check again the service we created does not exist, starting a new connection
# Why?.. Hitting CTRL+C might break the whole existing DCE connection
try:
rpc = transport.DCERPCTransportFactory(
r'ncacn_np:%s[\pipe\svcctl]' %
self.__smbConnection.getRemoteHost())
if hasattr(rpc, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpc.set_credentials(*self.__smbConnection.getCredentials())
rpc.set_kerberos(self.__doKerberos)
self.__scmr = rpc.get_dce_rpc()
self.__scmr.connect()
self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
# Open SC Manager
ans = scmr.hROpenSCManagerW(self.__scmr)
self.__scManagerHandle = ans['lpScHandle']
# Now let's open the service
resp = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle,
self.__tmpServiceName)
service = resp['lpServiceHandle']
scmr.hRDeleteService(self.__scmr, service)
scmr.hRControlService(self.__scmr, service,
scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(self.__scmr, service)
scmr.hRCloseServiceHandle(self.__scmr, self.__serviceHandle)
scmr.hRCloseServiceHandle(self.__scmr, self.__scManagerHandle)
rpc.disconnect()
except Exception, e:
# If service is stopped it'll trigger an exception
# If service does not exist it'll trigger an exception
# So. we just wanna be sure we delete it, no need to
# show this exception message
pass
def uninstall(self):
fileCopied = True
serviceCreated = True
# Do the stuff here
try:
# Let's get the shares
svcManager = self.openSvcManager()
if svcManager != 0:
resp = scmr.hROpenServiceW(self.rpcsvc, svcManager,
self.__service_name + '\x00')
service = resp['lpServiceHandle']
print '[*] Stoping service %s.....' % self.__service_name
try:
scmr.hRControlService(self.rpcsvc, service,
scmr.SERVICE_CONTROL_STOP)
except:
pass
print '[*] Removing service %s.....' % self.__service_name
scmr.hRDeleteService(self.rpcsvc, service)
scmr.hRCloseServiceHandle(self.rpcsvc, service)
scmr.hRCloseServiceHandle(self.rpcsvc, svcManager)
print '[*] Removing file %s.....' % self.__binary_service_name
self.connection.deleteFile(self.share, self.__binary_service_name)
except Exception, e:
print "[!] Error performing the uninstallation, cleaning up"
try:
scmr.hRControlService(self.rpcsvc, service,
scmr.SERVICE_CONTROL_STOP)
except:
pass
if fileCopied is True:
try:
self.connection.deleteFile(self.share,
self.__binary_service_name)
except:
try:
self.connection.deleteFile(self.share,
self.__binary_service_name)
except:
pass
pass
if serviceCreated is True:
try:
scmr.hRDeleteService(self.rpcsvc, service)
except:
pass
def test_RQueryServiceStatusEx(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess)
#resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RQueryServiceStatusEx()
request['hService'] = serviceHandle
request['InfoLevel'] = scmr.SC_STATUS_PROCESS_INFO
request['cbBufSize'] = 100
resp = dce.request(request)
array = ''.join(resp['lpBuffer'])
status = scmr.SERVICE_STATUS_PROCESS(array)
def test_RQueryServiceStatusEx(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RQueryServiceStatusEx()
request['hService'] = serviceHandle
request['InfoLevel'] = scmr.SC_STATUS_PROCESS_INFO
request['cbBufSize'] = 100
resp = dce.request(request)
array = ''.join(resp['lpBuffer'])
status = scmr.SERVICE_STATUS_PROCESS(array)
def te_RControlServiceExW(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess)
#resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RControlServiceExW()
request['hService'] = serviceHandle
request['dwControl'] = scmr.SERVICE_CONTROL_STOP
request['dwInfoLevel'] = 1
# This is not working, don't know exactly why
request['pControlInParams']['dwReason'] = 0x20000000
request['pControlInParams']['pszComment'] = 'nada\x00'
request['pControlInParams'] = NULL
resp = dce.request(request)
def test_RControlServiceCall(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'CryptSvc\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
try:
req = scmr.RControlService()
req['hService'] = serviceHandle
req['dwControl'] = scmr.SERVICE_CONTROL_STOP
resp = dce.request(req)
except Exception, e:
if str(e).find('ERROR_DEPENDENT_SERVICES_RUNNING') < 0:
raise
pass
def test_RControlServiceCall(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'CryptSvc\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess)
#resp.dump()
serviceHandle = resp['lpServiceHandle']
try:
req = scmr.RControlService()
req['hService'] = serviceHandle
req['dwControl'] = scmr.SERVICE_CONTROL_STOP
resp = dce.request(req)
except Exception, e:
if str(e).find('ERROR_DEPENDENT_SERVICES_RUNNING') < 0:
raise
pass
def start_service(target):
username, password, domain, nthash = target.creds
lmhash = "" if password else "aad3b435b51404eeaad3b435b51404ee"
aesKey = None
remoteName = target.target_ip
remoteHost = target.target_ip
stringbinding = r'ncacn_np:%s[\pipe\svcctl]' % remoteName
rpctransport = transport.DCERPCTransportFactory(stringbinding)
rpctransport.set_dport(target.target_port)
rpctransport.setRemoteHost(remoteHost)
if hasattr(rpctransport, 'set_credentials'):
rpctransport.set_credentials(username, password, domain, lmhash,
nthash, aesKey)
rpctransport.set_kerberos(False, None)
dce = rpctransport.get_dce_rpc()
dce.connect()
dce.bind(scmr.MSRPC_UUID_SCMR)
rpc = dce
#print("[*] creating")
ans = scmr.hROpenSCManagerW(rpc)
scManagerHandle = ans['lpScHandle']
try:
scmr.hRCreateServiceW(rpc,
scManagerHandle,
"lateral" + '\x00',
"Lateral" + '\x00',
lpBinaryPathName='lateral.exe\x00')
except Exception as e:
print(str(e))
#print("[*] starting")
ans = scmr.hROpenServiceW(rpc, scManagerHandle, "lateral" + '\x00')
serviceHandle = ans['lpServiceHandle']
try:
scmr.hRStartServiceW(rpc, serviceHandle)
except:
pass
scmr.hRCloseServiceHandle(rpc, serviceHandle)
def uninstall(self):
fileCopied = True
serviceCreated = True
# Do the stuff here
try:
# Let's get the shares
svcManager = self.openSvcManager()
if svcManager != 0:
resp = scmr.hROpenServiceW(self.rpcsvc, svcManager, self.__service_name+'\x00')
service = resp['lpServiceHandle']
LOG.info('Stoping service %s.....' % self.__service_name)
try:
scmr.hRControlService(self.rpcsvc, service, scmr.SERVICE_CONTROL_STOP)
except:
pass
LOG.info('Removing service %s.....' % self.__service_name)
scmr.hRDeleteService(self.rpcsvc, service)
scmr.hRCloseServiceHandle(self.rpcsvc, service)
scmr.hRCloseServiceHandle(self.rpcsvc, svcManager)
LOG.info('Removing file %s.....' % self.__binary_service_name)
self.connection.deleteFile(self.share, self.__binary_service_name)
except Exception:
LOG.critical("Error performing the uninstallation, cleaning up" )
try:
scmr.hRControlService(self.rpcsvc, service, scmr.SERVICE_CONTROL_STOP)
except:
pass
if fileCopied is True:
try:
self.connection.deleteFile(self.share, self.__binary_service_name)
except:
try:
self.connection.deleteFile(self.share, self.__binary_service_name)
except:
pass
pass
if serviceCreated is True:
try:
scmr.hRDeleteService(self.rpcsvc, service)
except:
pass
def connect(self):
if self.rrpStarted is not True:
dce, rpctransport, scHandle = self.connect_scmr()
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | \
scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, 'RemoteRegistry\x00',
desiredAccess)
resp.dump()
serviceHandle = resp['lpServiceHandle']
try:
resp = scmr.hRStartServiceW(dce, serviceHandle)
except Exception as e:
if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') >= 0:
pass
else:
raise
resp = scmr.hRCloseServiceHandle(dce, scHandle)
self.rrpStarted = True
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username, self.password,
self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
#dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
dce.connect()
dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax=self.ts)
resp = rrp.hOpenLocalMachine(
dce,
MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)
return dce, rpctransport, resp['phKey']
def te_RControlServiceExW(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RControlServiceExW()
request['hService'] = serviceHandle
request['dwControl'] = scmr.SERVICE_CONTROL_STOP
request['dwInfoLevel'] = 1
# This is not working, don't know exactly why
request['pControlInParams']['dwReason'] = 0x20000000
request['pControlInParams']['pszComment'] = 'nada\x00'
request['pControlInParams'] = NULL
resp = dce.request(request)
resp.dump()
def delete_service(self, name):
if self._svcmgr is None:
raise RuntimeError("ServiceManager must be open() first")
svc_handle = None
try:
try:
resp = impkt_scmr.hROpenServiceW(self._rpcsvcctl, self._svcmgr,
name + "\x00")
svc_handle = resp["lpServiceHandle"]
except Exception as exc:
if str(exc).find("ERROR_SERVICE_DOES_NOT_EXIST") >= 0:
return
else:
raise
try:
impkt_scmr.hRControlService(self._rpcsvcctl, svc_handle,
impkt_scmr.SERVICE_CONTROL_STOP)
except Exception as exc:
if str(exc).find("ERROR_SERVICE_NOT_ACTIVE") < 0:
logger.info(
f'failed to STOP remote service "{name}": {exc}')
# time.sleep(2.0) # TODO: poll service status
try:
impkt_scmr.hRDeleteService(self._rpcsvcctl, svc_handle)
except Exception as exc:
if str(exc).find("ERROR_SERVICE_DOES_NOT_EXIST") < 0:
raise
finally:
if svc_handle is not None:
with contextlib.suppress(Exception):
impkt_scmr.hRCloseServiceHandle(self._rpcsvcctl,
svc_handle)
svc_handle = None
def __restore(self):
# First of all stop the service if it was originally stopped
if self.__shouldStop is True:
logging.info('Stopping service %s' % self.__serviceName)
scmr.hRControlService(self.__scmr, self.__serviceHandle, scmr.SERVICE_CONTROL_STOP)
if self.__disabled is True:
logging.info('Restoring the disabled state for service %s' % self.__serviceName)
scmr.hRChangeServiceConfigW(self.__scmr, self.__serviceHandle, dwStartType = 0x4)
if self.__serviceDeleted is False:
# Check again the service we created does not exist, starting a new connection
# Why?.. Hitting CTRL+C might break the whole existing DCE connection
try:
rpc = transport.DCERPCTransportFactory(r'ncacn_np:%s[\pipe\svcctl]' % self.__smbConnection.getRemoteHost())
if hasattr(rpc, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpc.set_credentials(*self.__smbConnection.getCredentials())
rpc.set_kerberos(self.__doKerberos)
self.__scmr = rpc.get_dce_rpc()
self.__scmr.connect()
self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
# Open SC Manager
ans = scmr.hROpenSCManagerW(self.__scmr)
self.__scManagerHandle = ans['lpScHandle']
# Now let's open the service
resp = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, self.__tmpServiceName)
service = resp['lpServiceHandle']
scmr.hRDeleteService(self.__scmr, service)
scmr.hRControlService(self.__scmr, service, scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(self.__scmr, service)
scmr.hRCloseServiceHandle(self.__scmr, self.__serviceHandle)
scmr.hRCloseServiceHandle(self.__scmr, self.__scManagerHandle)
rpc.disconnect()
except Exception, e:
# If service is stopped it'll trigger an exception
# If service does not exist it'll trigger an exception
# So. we just wanna be sure we delete it, no need to
# show this exception message
pass
def __init__(self, rpc, name=SERVICE_NAME):
if type(name) == unicode:
name = name.encode('latin1', errors='ignore')
self._name = name + '\x00'
self._scmr = rpc.get_dce_rpc()
self._scmr.connect()
self._scmr.bind(scmr.MSRPC_UUID_SCMR)
resp = scmr.hROpenSCManagerW(self._scmr)
self._scHandle = resp['lpScHandle']
self._serviceHandle = None
try:
resp = scmr.hROpenServiceW(self._scmr, self._scHandle, self._name)
self._serviceHandle = resp['lpServiceHandle']
except Exception, e:
if hasattr(e, 'error_code') and e.error_code == ERROR_SERVICE_DOES_NOT_EXIST:
pass
else:
raise
def connect(self):
if self.rrpStarted is not True:
dce, rpctransport, scHandle = self.connect_scmr()
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | \
scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, 'RemoteRegistry\x00', desiredAccess)
resp.dump()
serviceHandle = resp['lpServiceHandle']
try:
resp = scmr.hRStartServiceW(dce, serviceHandle )
except Exception as e:
if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') >=0:
pass
else:
raise
resp = scmr.hRCloseServiceHandle(dce, scHandle)
self.rrpStarted = True
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
#dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
dce.connect()
dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax = self.ts)
resp = rrp.hOpenLocalMachine(dce, MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)
return dce, rpctransport, resp['phKey']
def doStuff(self, rpctransport):
dce = rpctransport.get_dce_rpc()
#dce.set_credentials(self.__username, self.__password)
dce.connect()
#dce.set_max_fragment_size(1)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)
dce.bind(scmr.MSRPC_UUID_SCMR)
#rpc = svcctl.DCERPCSvcCtl(dce)
rpc = dce
ans = scmr.hROpenSCManagerW(rpc)
scManagerHandle = ans['lpScHandle']
if self.__action != 'LIST' and self.__action != 'CREATE':
ans = scmr.hROpenServiceW(rpc, scManagerHandle,
self.__options.name + '\x00')
serviceHandle = ans['lpServiceHandle']
if self.__action == 'START':
logging.info("Starting service %s" % self.__options.name)
scmr.hRStartServiceW(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'STOP':
logging.info("Stopping service %s" % self.__options.name)
scmr.hRControlService(rpc, serviceHandle,
scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'DELETE':
logging.info("Deleting service %s" % self.__options.name)
scmr.hRDeleteService(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'CONFIG':
logging.info("Querying service config for %s" %
self.__options.name)
resp = scmr.hRQueryServiceConfigW(rpc, serviceHandle)
print "TYPE : %2d - " % resp['lpServiceConfig'][
'dwServiceType'],
if resp['lpServiceConfig']['dwServiceType'] & 0x1:
print "SERVICE_KERNEL_DRIVER ",
if resp['lpServiceConfig']['dwServiceType'] & 0x2:
print "SERVICE_FILE_SYSTEM_DRIVER ",
if resp['lpServiceConfig']['dwServiceType'] & 0x10:
print "SERVICE_WIN32_OWN_PROCESS ",
if resp['lpServiceConfig']['dwServiceType'] & 0x20:
print "SERVICE_WIN32_SHARE_PROCESS ",
if resp['lpServiceConfig']['dwServiceType'] & 0x100:
print "SERVICE_INTERACTIVE_PROCESS ",
print ""
print "START_TYPE : %2d - " % resp['lpServiceConfig'][
'dwStartType'],
if resp['lpServiceConfig']['dwStartType'] == 0x0:
print "BOOT START"
elif resp['lpServiceConfig']['dwStartType'] == 0x1:
print "SYSTEM START"
elif resp['lpServiceConfig']['dwStartType'] == 0x2:
print "AUTO START"
elif resp['lpServiceConfig']['dwStartType'] == 0x3:
print "DEMAND START"
elif resp['lpServiceConfig']['dwStartType'] == 0x4:
print "DISABLED"
else:
print "UNKOWN"
print "ERROR_CONTROL : %2d - " % resp['lpServiceConfig'][
'dwErrorControl'],
if resp['lpServiceConfig']['dwErrorControl'] == 0x0:
print "IGNORE"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x1:
print "NORMAL"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x2:
print "SEVERE"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x3:
print "CRITICAL"
else:
print "UNKOWN"
print "BINARY_PATH_NAME : %s" % resp['lpServiceConfig'][
'lpBinaryPathName'][:-1]
print "LOAD_ORDER_GROUP : %s" % resp['lpServiceConfig'][
'lpLoadOrderGroup'][:-1]
print "TAG : %d" % resp['lpServiceConfig']['dwTagId']
print "DISPLAY_NAME : %s" % resp['lpServiceConfig'][
'lpDisplayName'][:-1]
print "DEPENDENCIES : %s" % resp['lpServiceConfig'][
'lpDependencies'][:-1]
print "SERVICE_START_NAME: %s" % resp['lpServiceConfig'][
'lpServiceStartName'][:-1]
elif self.__action == 'STATUS':
print "Querying status for %s" % self.__options.name
resp = scmr.hRQueryServiceStatus(rpc, serviceHandle)
print "%30s - " % (self.__options.name),
state = resp['lpServiceStatus']['dwCurrentState']
if state == scmr.SERVICE_CONTINUE_PENDING:
print "CONTINUE PENDING"
elif state == scmr.SERVICE_PAUSE_PENDING:
print "PAUSE PENDING"
elif state == scmr.SERVICE_PAUSED:
print "PAUSED"
elif state == scmr.SERVICE_RUNNING:
print "RUNNING"
elif state == scmr.SERVICE_START_PENDING:
print "START PENDING"
elif state == scmr.SERVICE_STOP_PENDING:
print "STOP PENDING"
elif state == scmr.SERVICE_STOPPED:
print "STOPPED"
else:
print "UNKOWN"
elif self.__action == 'LIST':
logging.info("Listing services available on target")
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_SHARE_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_OWN_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, serviceType = svcctl.SERVICE_FILE_SYSTEM_DRIVER, serviceState = svcctl.SERVICE_STATE_ALL )
resp = scmr.hREnumServicesStatusW(rpc, scManagerHandle)
for i in range(len(resp)):
print "%30s - %70s - " % (resp[i]['lpServiceName'][:-1],
resp[i]['lpDisplayName'][:-1]),
state = resp[i]['ServiceStatus']['dwCurrentState']
if state == scmr.SERVICE_CONTINUE_PENDING:
print "CONTINUE PENDING"
elif state == scmr.SERVICE_PAUSE_PENDING:
print "PAUSE PENDING"
elif state == scmr.SERVICE_PAUSED:
print "PAUSED"
elif state == scmr.SERVICE_RUNNING:
print "RUNNING"
elif state == scmr.SERVICE_START_PENDING:
print "START PENDING"
elif state == scmr.SERVICE_STOP_PENDING:
print "STOP PENDING"
elif state == scmr.SERVICE_STOPPED:
print "STOPPED"
else:
print "UNKOWN"
print "Total Services: %d" % len(resp)
elif self.__action == 'CREATE':
logging.info("Creating service %s" % self.__options.name)
resp = scmr.hRCreateServiceW(rpc,
scManagerHandle,
self.__options.name + '\x00',
self.__options.display + '\x00',
lpBinaryPathName=self.__options.path +
'\x00')
elif self.__action == 'CHANGE':
logging.info("Changing service config for %s" %
self.__options.name)
if self.__options.start_type is not None:
start_type = int(self.__options.start_type)
else:
start_type = scmr.SERVICE_NO_CHANGE
if self.__options.service_type is not None:
service_type = int(self.__options.service_type)
else:
service_type = scmr.SERVICE_NO_CHANGE
if self.__options.display is not None:
display = self.__options.display + '\x00'
else:
display = NULL
if self.__options.path is not None:
path = self.__options.path + '\x00'
else:
path = NULL
if self.__options.start_name is not None:
start_name = self.__options.start_name + '\x00'
else:
start_name = NULL
if self.__options.password is not None:
s = rpctransport.get_smb_connection()
key = s.getSessionKey()
password = (self.__options.password +
'\x00').encode('utf-16le')
password = encryptSecret(key, password)
else:
password = NULL
#resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle, display, path, service_type, start_type, start_name, password)
resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle,
service_type, start_type,
scmr.SERVICE_ERROR_IGNORE, path,
NULL, NULL, NULL, 0, start_name,
password, 0, display)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
else:
logging.error("Unknown action %s" % self.__action)
scmr.hRCloseServiceHandle(rpc, scManagerHandle)
dce.disconnect()
return
def doStuff(self, rpctransport):
dce = rpctransport.get_dce_rpc()
#dce.set_credentials(self.__username, self.__password)
dce.connect()
#dce.set_max_fragment_size(1)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)
dce.bind(scmr.MSRPC_UUID_SCMR)
#rpc = svcctl.DCERPCSvcCtl(dce)
rpc = dce
ans = scmr.hROpenSCManagerW(rpc)
scManagerHandle = ans['lpScHandle']
if self.__action != 'LIST' and self.__action != 'CREATE':
ans = scmr.hROpenServiceW(rpc, scManagerHandle, self.__options.name+'\x00')
serviceHandle = ans['lpServiceHandle']
if self.__action == 'START':
print "Starting service %s" % self.__options.name
scmr.hRStartServiceW(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'STOP':
print "Stopping service %s" % self.__options.name
scmr.hRControlService(rpc, serviceHandle, scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'DELETE':
print "Deleting service %s" % self.__options.name
scmr.hRDeleteService(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'CONFIG':
print "Querying service config for %s" % self.__options.name
resp = scmr.hRQueryServiceConfigW(rpc, serviceHandle)
print "TYPE : %2d - " % resp['lpServiceConfig']['dwServiceType'],
if resp['lpServiceConfig']['dwServiceType'] & 0x1:
print "SERVICE_KERNEL_DRIVER ",
if resp['lpServiceConfig']['dwServiceType'] & 0x2:
print "SERVICE_FILE_SYSTEM_DRIVER ",
if resp['lpServiceConfig']['dwServiceType'] & 0x10:
print "SERVICE_WIN32_OWN_PROCESS ",
if resp['lpServiceConfig']['dwServiceType'] & 0x20:
print "SERVICE_WIN32_SHARE_PROCESS ",
if resp['lpServiceConfig']['dwServiceType'] & 0x100:
print "SERVICE_INTERACTIVE_PROCESS ",
print ""
print "START_TYPE : %2d - " % resp['lpServiceConfig']['dwStartType'],
if resp['lpServiceConfig']['dwStartType'] == 0x0:
print "BOOT START"
elif resp['lpServiceConfig']['dwStartType'] == 0x1:
print "SYSTEM START"
elif resp['lpServiceConfig']['dwStartType'] == 0x2:
print "AUTO START"
elif resp['lpServiceConfig']['dwStartType'] == 0x3:
print "DEMAND START"
elif resp['lpServiceConfig']['dwStartType'] == 0x4:
print "DISABLED"
else:
print "UNKOWN"
print "ERROR_CONTROL : %2d - " % resp['lpServiceConfig']['dwErrorControl'],
if resp['lpServiceConfig']['dwErrorControl'] == 0x0:
print "IGNORE"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x1:
print "NORMAL"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x2:
print "SEVERE"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x3:
print "CRITICAL"
else:
print "UNKOWN"
print "BINARY_PATH_NAME : %s" % resp['lpServiceConfig']['lpBinaryPathName'][:-1]
print "LOAD_ORDER_GROUP : %s" % resp['lpServiceConfig']['lpLoadOrderGroup'][:-1]
print "TAG : %d" % resp['lpServiceConfig']['dwTagId']
print "DISPLAY_NAME : %s" % resp['lpServiceConfig']['lpDisplayName'][:-1]
print "DEPENDENCIES : %s" % resp['lpServiceConfig']['lpDependencies'][:-1]
print "SERVICE_START_NAME: %s" % resp['lpServiceConfig']['lpServiceStartName'][:-1]
elif self.__action == 'STATUS':
print "Querying status for %s" % self.__options.name
resp = scmr.hRQueryServiceStatus(rpc, serviceHandle)
print "%30s - " % (self.__options.name),
state = resp['lpServiceStatus']['dwCurrentState']
if state == scmr.SERVICE_CONTINUE_PENDING:
print "CONTINUE PENDING"
elif state == scmr.SERVICE_PAUSE_PENDING:
print "PAUSE PENDING"
elif state == scmr.SERVICE_PAUSED:
print "PAUSED"
elif state == scmr.SERVICE_RUNNING:
print "RUNNING"
elif state == scmr.SERVICE_START_PENDING:
print "START PENDING"
elif state == scmr.SERVICE_STOP_PENDING:
print "STOP PENDING"
elif state == scmr.SERVICE_STOPPED:
print "STOPPED"
else:
print "UNKOWN"
elif self.__action == 'LIST':
print "Listing services available on target"
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_SHARE_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_OWN_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, serviceType = svcctl.SERVICE_FILE_SYSTEM_DRIVER, serviceState = svcctl.SERVICE_STATE_ALL )
resp = scmr.hREnumServicesStatusW(rpc, scManagerHandle)
for i in range(len(resp)):
print "%30s - %70s - " % (resp[i]['lpServiceName'][:-1], resp[i]['lpDisplayName'][:-1]),
state = resp[i]['ServiceStatus']['dwCurrentState']
if state == scmr.SERVICE_CONTINUE_PENDING:
print "CONTINUE PENDING"
elif state == scmr.SERVICE_PAUSE_PENDING:
print "PAUSE PENDING"
elif state == scmr.SERVICE_PAUSED:
print "PAUSED"
elif state == scmr.SERVICE_RUNNING:
print "RUNNING"
elif state == scmr.SERVICE_START_PENDING:
print "START PENDING"
elif state == scmr.SERVICE_STOP_PENDING:
print "STOP PENDING"
elif state == scmr.SERVICE_STOPPED:
print "STOPPED"
else:
print "UNKOWN"
print "Total Services: %d" % len(resp)
elif self.__action == 'CREATE':
print "Creating service %s" % self.__options.name
resp = scmr.hRCreateServiceW(rpc, scManagerHandle,self.__options.name + '\x00', self.__options.display + '\x00', lpBinaryPathName=self.__options.path + '\x00')
elif self.__action == 'CHANGE':
print "Changing service config for %s" % self.__options.name
if self.__options.start_type is not None:
start_type = int(self.__options.start_type)
else:
start_type = scmr.SERVICE_NO_CHANGE
if self.__options.service_type is not None:
service_type = int(self.__options.service_type)
else:
service_type = scmr.SERVICE_NO_CHANGE
if self.__options.display is not None:
display = self.__options.display + '\x00'
else:
display = NULL
if self.__options.path is not None:
path = self.__options.path + '\x00'
else:
path = NULL
if self.__options.start_name is not None:
start_name = self.__options.start_name + '\x00'
else:
start_name = NULL
if self.__options.password is not None:
s = rpctransport.get_smb_connection()
key = s.getSessionKey()
password = (self.__options.password+'\x00').encode('utf-16le')
password = encryptSecret(key, password)
else:
password = NULL
#resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle, display, path, service_type, start_type, start_name, password)
resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle, service_type, start_type, scmr.SERVICE_ERROR_IGNORE, path, NULL, NULL, NULL, 0, start_name, password, 0, display)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
else:
print "Unknown action %s" % self.__action
scmr.hRCloseServiceHandle(rpc, scManagerHandle)
dce.disconnect()
return
def doStuff(self, rpctransport):
dce = rpctransport.get_dce_rpc()
#dce.set_credentials(self.__username, self.__password)
dce.connect()
#dce.set_max_fragment_size(1)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)
dce.bind(scmr.MSRPC_UUID_SCMR)
#rpc = svcctl.DCERPCSvcCtl(dce)
rpc = dce
ans = scmr.hROpenSCManagerW(rpc)
scManagerHandle = ans['lpScHandle']
if self.__action != 'LIST' and self.__action != 'CREATE':
ans = scmr.hROpenServiceW(rpc, scManagerHandle, self.__options.service_name+'\x00')
serviceHandle = ans['lpServiceHandle']
if self.__action == 'START':
self.__logger.success("Starting service {}".format(self.__options.service_name))
scmr.hRStartServiceW(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'STOP':
self.__logger.success("Stopping service {}".format(self.__options.service_name))
scmr.hRControlService(rpc, serviceHandle, scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'DELETE':
self.__logger.success("Deleting service {}".format(self.__options.service_name))
scmr.hRDeleteService(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'CONFIG':
self.__logger.success("Service config for {}".format(self.__options.service_name))
resp = scmr.hRQueryServiceConfigW(rpc, serviceHandle)
output = "TYPE : %2d - " % resp['lpServiceConfig']['dwServiceType']
if resp['lpServiceConfig']['dwServiceType'] & 0x1:
output += "SERVICE_KERNEL_DRIVER "
if resp['lpServiceConfig']['dwServiceType'] & 0x2:
output += "SERVICE_FILE_SYSTEM_DRIVER "
if resp['lpServiceConfig']['dwServiceType'] & 0x10:
output += "SERVICE_WIN32_OWN_PROCESS "
if resp['lpServiceConfig']['dwServiceType'] & 0x20:
output += "SERVICE_WIN32_SHARE_PROCESS "
if resp['lpServiceConfig']['dwServiceType'] & 0x100:
output += "SERVICE_INTERACTIVE_PROCESS "
self.__logger.results(output)
output = "START_TYPE : %2d - " % resp['lpServiceConfig']['dwStartType']
if resp['lpServiceConfig']['dwStartType'] == 0x0:
output += "BOOT START"
elif resp['lpServiceConfig']['dwStartType'] == 0x1:
output += "SYSTEM START"
elif resp['lpServiceConfig']['dwStartType'] == 0x2:
output += "AUTO START"
elif resp['lpServiceConfig']['dwStartType'] == 0x3:
output += "DEMAND START"
elif resp['lpServiceConfig']['dwStartType'] == 0x4:
output += "DISABLED"
else:
output += "UNKOWN"
self.logger.results(output)
output = "ERROR_CONTROL : %2d - " % resp['lpServiceConfig']['dwErrorControl']
if resp['lpServiceConfig']['dwErrorControl'] == 0x0:
output += "IGNORE"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x1:
output += "NORMAL"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x2:
output += "SEVERE"
elif resp['lpServiceConfig']['dwErrorControl'] == 0x3:
output += "CRITICAL"
else:
output += "UNKOWN"
self.__logger.results(output)
self.__logger.results("BINARY_PATH_NAME : %s" % resp['lpServiceConfig']['lpBinaryPathName'][:-1])
self.__logger.results("LOAD_ORDER_GROUP : %s" % resp['lpServiceConfig']['lpLoadOrderGroup'][:-1])
self.__logger.results("TAG : %d" % resp['lpServiceConfig']['dwTagId'])
self.__logger.results("DISPLAY_NAME : %s" % resp['lpServiceConfig']['lpDisplayName'][:-1])
self.__logger.results("DEPENDENCIES : %s" % resp['lpServiceConfig']['lpDependencies'][:-1])
self.__logger.results("SERVICE_START_NAME: %s" % resp['lpServiceConfig']['lpServiceStartName'][:-1])
elif self.__action == 'STATUS':
self.__logger.success("Service status for {}".format(self.__options.service_name))
resp = scmr.hRQueryServiceStatus(rpc, serviceHandle)
output = "%s - " % self.__options.service_name
state = resp['lpServiceStatus']['dwCurrentState']
if state == scmr.SERVICE_CONTINUE_PENDING:
output += "CONTINUE PENDING"
elif state == scmr.SERVICE_PAUSE_PENDING:
output += "PAUSE PENDING"
elif state == scmr.SERVICE_PAUSED:
output += "PAUSED"
elif state == scmr.SERVICE_RUNNING:
output += "RUNNING"
elif state == scmr.SERVICE_START_PENDING:
output += "START PENDING"
elif state == scmr.SERVICE_STOP_PENDING:
output += "STOP PENDING"
elif state == scmr.SERVICE_STOPPED:
output += "STOPPED"
else:
output += "UNKOWN"
self.__logger.results(output)
elif self.__action == 'LIST':
self.__logger.success("Enumerating services")
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_SHARE_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_OWN_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, serviceType = svcctl.SERVICE_FILE_SYSTEM_DRIVER, serviceState = svcctl.SERVICE_STATE_ALL )
resp = scmr.hREnumServicesStatusW(rpc, scManagerHandle)
for i in range(len(resp)):
output = "%30s - %70s - " % (resp[i]['lpServiceName'][:-1], resp[i]['lpDisplayName'][:-1])
state = resp[i]['ServiceStatus']['dwCurrentState']
if state == scmr.SERVICE_CONTINUE_PENDING:
output += "CONTINUE PENDING"
elif state == scmr.SERVICE_PAUSE_PENDING:
output += "PAUSE PENDING"
elif state == scmr.SERVICE_PAUSED:
output += "PAUSED"
elif state == scmr.SERVICE_RUNNING:
output += "RUNNING"
elif state == scmr.SERVICE_START_PENDING:
output += "START PENDING"
elif state == scmr.SERVICE_STOP_PENDING:
output += "STOP PENDING"
elif state == scmr.SERVICE_STOPPED:
output += "STOPPED"
else:
output += "UNKOWN"
self.__logger.results(output)
self.__logger.results("Total Services: {}".format(len(resp)))
elif self.__action == 'CREATE':
self.__logger.success("Creating service {}".format(self.__options.service_name))
scmr.hRCreateServiceW(rpc, scManagerHandle,self.__options.service_name + '\x00', self.__options.service_display_name + '\x00', lpBinaryPathName=self.__options.service_bin_path + '\x00')
elif self.__action == 'CHANGE':
self.__logger.success("Changing service config for {}".format(self.__options.service_name))
if self.__options.start_type is not None:
start_type = int(self.__options.start_type)
else:
start_type = scmr.SERVICE_NO_CHANGE
if self.__options.service_type is not None:
service_type = int(self.__options.service_type)
else:
service_type = scmr.SERVICE_NO_CHANGE
if self.__options.service_display_name is not None:
display = self.__options.service_display_name + '\x00'
else:
display = NULL
if self.__options.service_bin_path is not None:
path = self.__options.service_bin_path + '\x00'
else:
path = NULL
if self.__options.start_name is not None:
start_name = self.__options.start_name + '\x00'
else:
start_name = NULL
if self.__options.start_pass is not None:
s = rpctransport.get_smb_connection()
key = s.getSessionKey()
try:
password = (self.__options.start_pass+'\x00').encode('utf-16le')
except UnicodeDecodeError:
import sys
password = (self.__options.start_pass+'\x00').decode(sys.getfilesystemencoding()).encode('utf-16le')
password = encryptSecret(key, password)
else:
password = NULL
#resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle, display, path, service_type, start_type, start_name, password)
scmr.hRChangeServiceConfigW(rpc, serviceHandle, service_type, start_type, scmr.SERVICE_ERROR_IGNORE, path, NULL, NULL, NULL, 0, start_name, password, 0, display)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
else:
logging.error("Unknown action %s" % self.__action)
scmr.hRCloseServiceHandle(rpc, scManagerHandle)
dce.disconnect()
return
serviceHandle = resp['lpServiceHandle']
try:
req = scmr.RControlService()
req['hService'] = serviceHandle
req['dwControl'] = scmr.SERVICE_CONTROL_STOP
resp = dce.request(req)
except Exception, e:
if str(e).find('ERROR_DEPENDENT_SERVICES_RUNNING') < 0:
raise
pass
resp = scmr.hRCloseServiceHandle(dce, serviceHandle)
import time
time.sleep(1)
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
try:
resp = scmr.hRStartServiceW(dce, serviceHandle, 0, NULL )
resp.dump()
except Exception, e:
if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') < 0:
raise
return
class SMBTransport(SCMRTests):
def setUp(self):
SCMRTests.setUp(self)
