def __scmr_change(self,
display=None,
path=None,
service_type=None,
start_type=None,
start_name=None,
password=None):
'''
Change the configuration of a service
'''
if start_type is not None:
start_type = int(start_type)
else:
start_type = scmr.SERVICE_NO_CHANGE
if service_type is not None:
service_type = int(service_type)
else:
service_type = scmr.SERVICE_NO_CHANGE
if display is not None:
display = '%s\x00' % display
else:
display = NULL
if path is not None:
path = '%s\x00' % path
else:
path = NULL
if start_name is not None:
start_name = '%s\x00' % start_name
else:
start_name = NULL
if password is not None:
s = self.trans.get_smb_connection()
key = s.getSessionKey()
password = ('%s\x00' % password).encode('utf-16le')
password = encryptSecret(key, password)
else:
password = NULL
scmr.hRChangeServiceConfigW(self.__rpc, self.__service_handle,
service_type, start_type,
scmr.SERVICE_ERROR_IGNORE, path, NULL,
NULL, NULL, 0, start_name, password, 0,
display)
dwDependSize = 0
lpServiceStartName = '.\\Administrator\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType,
dwStartType, dwErrorControl,
lpBinaryPathName, lpLoadOrderGroup,
lpdwTagId, lpDependencies, dwDependSize,
lpServiceStartName, lpPassword, dwPwSize,
lpDisplayName)
lpServiceStartName = NULL
if self.__class__.__name__ == 'SMBTransport':
lpPassword = '******'.encode('utf-16le')
s = rpctransport.get_smb_connection()
key = s.getSessionKey()
lpPassword = encryptSecret(key, lpPassword)
dwPwSize = len(lpPassword)
self.changeServiceAndQuery(
dce, cbBufSize, newHandle, dwServiceType, dwStartType,
dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId,
lpDependencies, dwDependSize, lpServiceStartName, lpPassword,
dwPwSize, lpDisplayName)
lpPassword = NULL
dwPwSize = 0
lpDisplayName = 'MANOLO\x00'
self.changeServiceAndQuery(
dce, cbBufSize, newHandle, dwServiceType, dwStartType,
dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId,
lpDependencies, dwDependSize, lpServiceStartName, lpPassword,
dwPwSize, lpDisplayName)
def doStuff(self, rpctransport):
dce = rpctransport.get_dce_rpc()
#dce.set_credentials(self.__username, self.__password)
dce.connect()
#dce.set_max_fragment_size(1)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)
dce.bind(scmr.MSRPC_UUID_SCMR)
#rpc = svcctl.DCERPCSvcCtl(dce)
rpc = dce
ans = scmr.hROpenSCManagerW(rpc)
scManagerHandle = ans['lpScHandle']
if self.__action != 'LIST' and self.__action != 'CREATE':
ans = scmr.hROpenServiceW(rpc, scManagerHandle,
self.__options.name + '\x00')
serviceHandle = ans['lpServiceHandle']
if self.__action == 'START':
logging.info("Starting service %s" % self.__options.name)
scmr.hRStartServiceW(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'STOP':
logging.info("Stopping service %s" % self.__options.name)
scmr.hRControlService(rpc, serviceHandle,
scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'DELETE':
logging.info("Deleting service %s" % self.__options.name)
scmr.hRDeleteService(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'CONFIG':
logging.info("Querying service config for %s" %
self.__options.name)
resp = scmr.hRQueryServiceConfigW(rpc, serviceHandle)
print("TYPE : %2d - " %
resp['lpServiceConfig']['dwServiceType'],
end=' ')
if resp['lpServiceConfig']['dwServiceType'] & 0x1:
print("SERVICE_KERNEL_DRIVER ", end=' ')
if resp['lpServiceConfig']['dwServiceType'] & 0x2:
print("SERVICE_FILE_SYSTEM_DRIVER ", end=' ')
if resp['lpServiceConfig']['dwServiceType'] & 0x10:
print("SERVICE_WIN32_OWN_PROCESS ", end=' ')
if resp['lpServiceConfig']['dwServiceType'] & 0x20:
print("SERVICE_WIN32_SHARE_PROCESS ", end=' ')
if resp['lpServiceConfig']['dwServiceType'] & 0x100:
print("SERVICE_INTERACTIVE_PROCESS ", end=' ')
print("")
print("START_TYPE : %2d - " %
resp['lpServiceConfig']['dwStartType'],
end=' ')
if resp['lpServiceConfig']['dwStartType'] == 0x0:
print("BOOT START")
elif resp['lpServiceConfig']['dwStartType'] == 0x1:
print("SYSTEM START")
elif resp['lpServiceConfig']['dwStartType'] == 0x2:
print("AUTO START")
elif resp['lpServiceConfig']['dwStartType'] == 0x3:
print("DEMAND START")
elif resp['lpServiceConfig']['dwStartType'] == 0x4:
print("DISABLED")
else:
print("UNKNOWN")
print("ERROR_CONTROL : %2d - " %
resp['lpServiceConfig']['dwErrorControl'],
end=' ')
if resp['lpServiceConfig']['dwErrorControl'] == 0x0:
print("IGNORE")
elif resp['lpServiceConfig']['dwErrorControl'] == 0x1:
print("NORMAL")
elif resp['lpServiceConfig']['dwErrorControl'] == 0x2:
print("SEVERE")
elif resp['lpServiceConfig']['dwErrorControl'] == 0x3:
print("CRITICAL")
else:
print("UNKNOWN")
print("BINARY_PATH_NAME : %s" %
resp['lpServiceConfig']['lpBinaryPathName'][:-1])
print("LOAD_ORDER_GROUP : %s" %
resp['lpServiceConfig']['lpLoadOrderGroup'][:-1])
print("TAG : %d" %
resp['lpServiceConfig']['dwTagId'])
print("DISPLAY_NAME : %s" %
resp['lpServiceConfig']['lpDisplayName'][:-1])
print("DEPENDENCIES : %s" %
resp['lpServiceConfig']['lpDependencies'][:-1])
print("SERVICE_START_NAME: %s" %
resp['lpServiceConfig']['lpServiceStartName'][:-1])
elif self.__action == 'STATUS':
print("Querying status for %s" % self.__options.name)
resp = scmr.hRQueryServiceStatus(rpc, serviceHandle)
print("%30s - " % self.__options.name, end=' ')
state = resp['lpServiceStatus']['dwCurrentState']
if state == scmr.SERVICE_CONTINUE_PENDING:
print("CONTINUE PENDING")
elif state == scmr.SERVICE_PAUSE_PENDING:
print("PAUSE PENDING")
elif state == scmr.SERVICE_PAUSED:
print("PAUSED")
elif state == scmr.SERVICE_RUNNING:
print("RUNNING")
elif state == scmr.SERVICE_START_PENDING:
print("START PENDING")
elif state == scmr.SERVICE_STOP_PENDING:
print("STOP PENDING")
elif state == scmr.SERVICE_STOPPED:
print("STOPPED")
else:
print("UNKNOWN")
elif self.__action == 'LIST':
logging.info("Listing services available on target")
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_SHARE_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_OWN_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, serviceType = svcctl.SERVICE_FILE_SYSTEM_DRIVER, serviceState = svcctl.SERVICE_STATE_ALL )
resp = scmr.hREnumServicesStatusW(rpc, scManagerHandle)
for i in range(len(resp)):
print("%30s - %70s - " % (resp[i]['lpServiceName'][:-1],
resp[i]['lpDisplayName'][:-1]),
end=' ')
state = resp[i]['ServiceStatus']['dwCurrentState']
if state == scmr.SERVICE_CONTINUE_PENDING:
print("CONTINUE PENDING")
elif state == scmr.SERVICE_PAUSE_PENDING:
print("PAUSE PENDING")
elif state == scmr.SERVICE_PAUSED:
print("PAUSED")
elif state == scmr.SERVICE_RUNNING:
print("RUNNING")
elif state == scmr.SERVICE_START_PENDING:
print("START PENDING")
elif state == scmr.SERVICE_STOP_PENDING:
print("STOP PENDING")
elif state == scmr.SERVICE_STOPPED:
print("STOPPED")
else:
print("UNKNOWN")
print("Total Services: %d" % len(resp))
elif self.__action == 'CREATE':
logging.info("Creating service %s" % self.__options.name)
scmr.hRCreateServiceW(rpc,
scManagerHandle,
self.__options.name + '\x00',
self.__options.display + '\x00',
lpBinaryPathName=self.__options.path +
'\x00')
elif self.__action == 'CHANGE':
logging.info("Changing service config for %s" %
self.__options.name)
if self.__options.start_type is not None:
start_type = int(self.__options.start_type)
else:
start_type = scmr.SERVICE_NO_CHANGE
if self.__options.service_type is not None:
service_type = int(self.__options.service_type)
else:
service_type = scmr.SERVICE_NO_CHANGE
if self.__options.display is not None:
display = self.__options.display + '\x00'
else:
display = NULL
if self.__options.path is not None:
path = self.__options.path + '\x00'
else:
path = NULL
if self.__options.start_name is not None:
start_name = self.__options.start_name + '\x00'
else:
start_name = NULL
if self.__options.password is not None:
s = rpctransport.get_smb_connection()
key = s.getSessionKey()
try:
password = (self.__options.password +
'\x00').encode('utf-16le')
except UnicodeDecodeError:
import sys
password = (self.__options.password + '\x00').decode(
sys.getfilesystemencoding()).encode('utf-16le')
password = encryptSecret(key, password)
else:
password = NULL
#resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle, display, path, service_type, start_type, start_name, password)
scmr.hRChangeServiceConfigW(rpc, serviceHandle, service_type,
start_type, scmr.SERVICE_ERROR_IGNORE,
path, NULL, NULL, NULL, 0, start_name,
password, 0, display)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
else:
logging.error("Unknown action %s" % self.__action)
scmr.hRCloseServiceHandle(rpc, scManagerHandle)
dce.disconnect()
return
lpDependencies = 'RemoteRegistry\x00\x00'.encode('utf-16le')
dwDependSize = len(lpDependencies)
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpDependencies = NULL
dwDependSize = 0
lpServiceStartName = '.\\Administrator\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpServiceStartName = NULL
if self.__class__.__name__ == 'SMBTransport':
lpPassword = '******'.encode('utf-16le')
s = rpctransport.get_smb_connection()
key = s.getSessionKey()
lpPassword = encryptSecret(key, lpPassword)
dwPwSize = len(lpPassword)
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpPassword = NULL
dwPwSize = 0
lpDisplayName = 'MANOLO\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpDisplayName = NULL
resp = scmr.hRDeleteService(dce, newHandle)
resp = scmr.hRCloseServiceHandle(dce, newHandle)
resp = scmr.hRCloseServiceHandle(dce, scHandle)
def test_query(self):
dce, rpctransport, scHandle = self.connect()
def test_create_change_delete(self):
dce, rpctransport, scHandle = self.connect()
#####################
# Create / Change / Query / Delete a service
lpServiceName = 'TESTSVC\x00'
lpDisplayName = 'DisplayName\x00'
dwDesiredAccess = scmr.SERVICE_ALL_ACCESS
dwServiceType = scmr.SERVICE_WIN32_OWN_PROCESS
dwStartType = scmr.SERVICE_DEMAND_START
dwErrorControl = scmr.SERVICE_ERROR_NORMAL
lpBinaryPathName = 'binaryPath\x00'
lpLoadOrderGroup = NULL
lpdwTagId = NULL
lpDependencies = NULL
dwDependSize = 0
lpServiceStartName = NULL
lpPassword = NULL
dwPwSize = 0
resp = scmr.hRCreateServiceW(dce, scHandle, lpServiceName, lpDisplayName, dwDesiredAccess, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize)
resp.dump()
newHandle = resp['lpServiceHandle']
# Aca hay que chequear cada uno de los items
cbBufSize = 0
try:
resp = scmr.hRQueryServiceConfigW(dce, newHandle)
except Exception as e:
if str(e).find('ERROR_INSUFFICIENT_BUFFER') <= 0:
raise
else:
resp = e.get_packet()
resp.dump()
cbBufSize = resp['pcbBytesNeeded']+100
# Now that we have cbBufSize, let's start changing everything on the service
dwServiceType = scmr.SERVICE_WIN32_SHARE_PROCESS
dwStartType = scmr.SERVICE_NO_CHANGE
dwErrorControl = scmr.SERVICE_NO_CHANGE
lpBinaryPathName = NULL
lpLoadOrderGroup = NULL
lpDependencies = NULL
dwDependSize = 0
lpServiceStartName = NULL
lpPassword = NULL
dwPwSize = 0
lpDisplayName = NULL
lpdwTagId = NULL
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
dwServiceType = scmr.SERVICE_NO_CHANGE
dwStartType = scmr.SERVICE_DISABLED
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
dwStartType = scmr.SERVICE_NO_CHANGE
dwErrorControl = scmr.SERVICE_ERROR_SEVERE
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
dwErrorControl = scmr.SERVICE_NO_CHANGE
lpBinaryPathName = 'BETOBETO\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpBinaryPathName = NULL
lpLoadOrderGroup = 'KKKK\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpLoadOrderGroup = NULL
#lpdwTagId = [0]
#self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
#lpdwTagId = ''
lpDependencies = 'RemoteRegistry\x00\x00'.encode('utf-16le')
dwDependSize = len(lpDependencies)
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpDependencies = NULL
dwDependSize = 0
lpServiceStartName = '.\\Administrator\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpServiceStartName = NULL
if self.__class__.__name__ == 'SMBTransport':
lpPassword = '******'.encode('utf-16le')
s = rpctransport.get_smb_connection()
key = s.getSessionKey()
lpPassword = encryptSecret(key, lpPassword)
dwPwSize = len(lpPassword)
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpPassword = NULL
dwPwSize = 0
lpDisplayName = 'MANOLO\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
scmr.hRDeleteService(dce, newHandle)
scmr.hRCloseServiceHandle(dce, newHandle)
scmr.hRCloseServiceHandle(dce, scHandle)
def doStuff(self, rpctransport):
dce = rpctransport.get_dce_rpc()
#dce.set_credentials(self.__username, self.__password)
dce.connect()
#dce.set_max_fragment_size(1)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
#dce.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)
dce.bind(scmr.MSRPC_UUID_SCMR)
#rpc = svcctl.DCERPCSvcCtl(dce)
rpc = dce
ans = scmr.hROpenSCManagerW(rpc)
scManagerHandle = ans['lpScHandle']
if self.__action != 'LIST' and self.__action != 'CREATE':
ans = scmr.hROpenServiceW(rpc, scManagerHandle, self.__options.name+'\x00')
serviceHandle = ans['lpServiceHandle']
if self.__action == 'START':
logging.info("Starting service %s" % self.__options.name)
scmr.hRStartServiceW(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'STOP':
logging.info("Stopping service %s" % self.__options.name)
scmr.hRControlService(rpc, serviceHandle, scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'DELETE':
logging.info("Deleting service %s" % self.__options.name)
scmr.hRDeleteService(rpc, serviceHandle)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
elif self.__action == 'CONFIG':
logging.info("Querying service config for %s" % self.__options.name)
resp = scmr.hRQueryServiceConfigW(rpc, serviceHandle)
print("TYPE : %2d - " % resp['lpServiceConfig']['dwServiceType'], end=' ')
if resp['lpServiceConfig']['dwServiceType'] & 0x1:
print("SERVICE_KERNEL_DRIVER ", end=' ')
if resp['lpServiceConfig']['dwServiceType'] & 0x2:
print("SERVICE_FILE_SYSTEM_DRIVER ", end=' ')
if resp['lpServiceConfig']['dwServiceType'] & 0x10:
print("SERVICE_WIN32_OWN_PROCESS ", end=' ')
if resp['lpServiceConfig']['dwServiceType'] & 0x20:
print("SERVICE_WIN32_SHARE_PROCESS ", end=' ')
if resp['lpServiceConfig']['dwServiceType'] & 0x100:
print("SERVICE_INTERACTIVE_PROCESS ", end=' ')
print("")
print("START_TYPE : %2d - " % resp['lpServiceConfig']['dwStartType'], end=' ')
if resp['lpServiceConfig']['dwStartType'] == 0x0:
print("BOOT START")
elif resp['lpServiceConfig']['dwStartType'] == 0x1:
print("SYSTEM START")
elif resp['lpServiceConfig']['dwStartType'] == 0x2:
print("AUTO START")
elif resp['lpServiceConfig']['dwStartType'] == 0x3:
print("DEMAND START")
elif resp['lpServiceConfig']['dwStartType'] == 0x4:
print("DISABLED")
else:
print("UNKNOWN")
print("ERROR_CONTROL : %2d - " % resp['lpServiceConfig']['dwErrorControl'], end=' ')
if resp['lpServiceConfig']['dwErrorControl'] == 0x0:
print("IGNORE")
elif resp['lpServiceConfig']['dwErrorControl'] == 0x1:
print("NORMAL")
elif resp['lpServiceConfig']['dwErrorControl'] == 0x2:
print("SEVERE")
elif resp['lpServiceConfig']['dwErrorControl'] == 0x3:
print("CRITICAL")
else:
print("UNKNOWN")
print("BINARY_PATH_NAME : %s" % resp['lpServiceConfig']['lpBinaryPathName'][:-1])
print("LOAD_ORDER_GROUP : %s" % resp['lpServiceConfig']['lpLoadOrderGroup'][:-1])
print("TAG : %d" % resp['lpServiceConfig']['dwTagId'])
print("DISPLAY_NAME : %s" % resp['lpServiceConfig']['lpDisplayName'][:-1])
print("DEPENDENCIES : %s" % resp['lpServiceConfig']['lpDependencies'][:-1])
print("SERVICE_START_NAME: %s" % resp['lpServiceConfig']['lpServiceStartName'][:-1])
elif self.__action == 'STATUS':
print("Querying status for %s" % self.__options.name)
resp = scmr.hRQueryServiceStatus(rpc, serviceHandle)
print("%30s - " % self.__options.name, end=' ')
state = resp['lpServiceStatus']['dwCurrentState']
if state == scmr.SERVICE_CONTINUE_PENDING:
print("CONTINUE PENDING")
elif state == scmr.SERVICE_PAUSE_PENDING:
print("PAUSE PENDING")
elif state == scmr.SERVICE_PAUSED:
print("PAUSED")
elif state == scmr.SERVICE_RUNNING:
print("RUNNING")
elif state == scmr.SERVICE_START_PENDING:
print("START PENDING")
elif state == scmr.SERVICE_STOP_PENDING:
print("STOP PENDING")
elif state == scmr.SERVICE_STOPPED:
print("STOPPED")
else:
print("UNKNOWN")
elif self.__action == 'LIST':
logging.info("Listing services available on target")
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_SHARE_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, svcctl.SERVICE_WIN32_OWN_PROCESS )
#resp = rpc.EnumServicesStatusW(scManagerHandle, serviceType = svcctl.SERVICE_FILE_SYSTEM_DRIVER, serviceState = svcctl.SERVICE_STATE_ALL )
resp = scmr.hREnumServicesStatusW(rpc, scManagerHandle)
for i in range(len(resp)):
print("%30s - %70s - " % (resp[i]['lpServiceName'][:-1], resp[i]['lpDisplayName'][:-1]), end=' ')
state = resp[i]['ServiceStatus']['dwCurrentState']
if state == scmr.SERVICE_CONTINUE_PENDING:
print("CONTINUE PENDING")
elif state == scmr.SERVICE_PAUSE_PENDING:
print("PAUSE PENDING")
elif state == scmr.SERVICE_PAUSED:
print("PAUSED")
elif state == scmr.SERVICE_RUNNING:
print("RUNNING")
elif state == scmr.SERVICE_START_PENDING:
print("START PENDING")
elif state == scmr.SERVICE_STOP_PENDING:
print("STOP PENDING")
elif state == scmr.SERVICE_STOPPED:
print("STOPPED")
else:
print("UNKNOWN")
print("Total Services: %d" % len(resp))
elif self.__action == 'CREATE':
logging.info("Creating service %s" % self.__options.name)
scmr.hRCreateServiceW(rpc, scManagerHandle, self.__options.name + '\x00', self.__options.display + '\x00',
lpBinaryPathName=self.__options.path + '\x00')
elif self.__action == 'CHANGE':
logging.info("Changing service config for %s" % self.__options.name)
if self.__options.start_type is not None:
start_type = int(self.__options.start_type)
else:
start_type = scmr.SERVICE_NO_CHANGE
if self.__options.service_type is not None:
service_type = int(self.__options.service_type)
else:
service_type = scmr.SERVICE_NO_CHANGE
if self.__options.display is not None:
display = self.__options.display + '\x00'
else:
display = NULL
if self.__options.path is not None:
path = self.__options.path + '\x00'
else:
path = NULL
if self.__options.start_name is not None:
start_name = self.__options.start_name + '\x00'
else:
start_name = NULL
if self.__options.password is not None:
s = rpctransport.get_smb_connection()
key = s.getSessionKey()
try:
password = (self.__options.password+'\x00').encode('utf-16le')
except UnicodeDecodeError:
import sys
password = (self.__options.password+'\x00').decode(sys.getfilesystemencoding()).encode('utf-16le')
password = encryptSecret(key, password)
else:
password = NULL
#resp = scmr.hRChangeServiceConfigW(rpc, serviceHandle, display, path, service_type, start_type, start_name, password)
scmr.hRChangeServiceConfigW(rpc, serviceHandle, service_type, start_type, scmr.SERVICE_ERROR_IGNORE, path,
NULL, NULL, NULL, 0, start_name, password, 0, display)
scmr.hRCloseServiceHandle(rpc, serviceHandle)
else:
logging.error("Unknown action %s" % self.__action)
scmr.hRCloseServiceHandle(rpc, scManagerHandle)
dce.disconnect()
return
def test_create_change_delete(self):
dce, rpctransport, scHandle = self.connect()
#####################
# Create / Change / Query / Delete a service
lpServiceName = 'TESTSVC\x00'
lpDisplayName = 'DisplayName\x00'
dwDesiredAccess = scmr.SERVICE_ALL_ACCESS
dwServiceType = scmr.SERVICE_WIN32_OWN_PROCESS
dwStartType = scmr.SERVICE_DEMAND_START
dwErrorControl = scmr.SERVICE_ERROR_NORMAL
lpBinaryPathName = 'binaryPath\x00'
lpLoadOrderGroup = NULL
lpdwTagId = NULL
lpDependencies = NULL
dwDependSize = 0
lpServiceStartName = NULL
lpPassword = NULL
dwPwSize = 0
resp = scmr.hRCreateServiceW(dce, scHandle, lpServiceName, lpDisplayName, dwDesiredAccess, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize)
resp.dump()
newHandle = resp['lpServiceHandle']
# Aca hay que chequear cada uno de los items
cbBufSize = 0
try:
resp = scmr.hRQueryServiceConfigW(dce, newHandle)
except Exception as e:
if str(e).find('ERROR_INSUFFICIENT_BUFFER') <= 0:
raise
else:
resp = e.get_packet()
resp.dump()
cbBufSize = resp['pcbBytesNeeded']+100
# Now that we have cbBufSize, let's start changing everything on the service
dwServiceType = scmr.SERVICE_WIN32_SHARE_PROCESS
dwStartType = scmr.SERVICE_NO_CHANGE
dwErrorControl = scmr.SERVICE_NO_CHANGE
lpBinaryPathName = NULL
lpLoadOrderGroup = NULL
lpDependencies = NULL
dwDependSize = 0
lpServiceStartName = NULL
lpPassword = NULL
dwPwSize = 0
lpDisplayName = NULL
lpdwTagId = NULL
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
dwServiceType = scmr.SERVICE_NO_CHANGE
dwStartType = scmr.SERVICE_DISABLED
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
dwStartType = scmr.SERVICE_NO_CHANGE
dwErrorControl = scmr.SERVICE_ERROR_SEVERE
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
dwErrorControl = scmr.SERVICE_NO_CHANGE
lpBinaryPathName = 'BETOBETO\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpBinaryPathName = NULL
lpLoadOrderGroup = 'KKKK\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpLoadOrderGroup = NULL
#lpdwTagId = [0]
#self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
#lpdwTagId = ''
lpDependencies = 'RemoteRegistry\x00\x00'.encode('utf-16le')
dwDependSize = len(lpDependencies)
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpDependencies = NULL
dwDependSize = 0
lpServiceStartName = '.\\Administrator\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpServiceStartName = NULL
if self.__class__.__name__ == 'SMBTransport':
lpPassword = '******'.encode('utf-16le')
s = rpctransport.get_smb_connection()
key = s.getSessionKey()
lpPassword = encryptSecret(key, lpPassword)
dwPwSize = len(lpPassword)
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpPassword = NULL
dwPwSize = 0
lpDisplayName = 'MANOLO\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
scmr.hRDeleteService(dce, newHandle)
scmr.hRCloseServiceHandle(dce, newHandle)
scmr.hRCloseServiceHandle(dce, scHandle)
def crypt(string,password):
try:
return crypto.encryptSecret(password,string)
except Exception as e:
print e