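def doStuff(self, rpctransport):
    """Add one demo At job on the target and print its scheduled task names.

    Flow: bind to the AT service over ``rpctransport``, add a single job
    whose command is ``calc.exe`` (this method does NOT delete it -- it
    stays on the target until removed), dump the raw ``NetrJobEnum``
    response, then switch the same connection to the Task Scheduler
    context and print the name of every task found under ``'\\'``.

    Args:
        rpctransport: connected impacket RPC transport; supplies the
            credentials (``get_credentials``) and the target address
            (``get_dip``).

    Raises:
        Whatever the DCE/RPC bind or AT/TSS calls raise. Unlike the
        original, the connection is always disconnected on the way out.
    """
    dce = dcerpc.DCERPC_v5(rpctransport)
    user, pwd, domain, _, _ = rpctransport.get_credentials()
    dce.set_credentials(user, pwd, domain)
    dce.connect()
    # Auth level and fragment size stay at the transport defaults; the
    # packet-privacy call is deliberately left commented out by the author.
    #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
    #dce.set_max_fragment_size(16)
    try:
        dce.bind(atsvc.MSRPC_UUID_ATSVC)
        at = atsvc.DCERPCAtSvc(dce)

        # Check [MS-TSCH] Section 2.3.4
        # JobTime/DaysOfMonth/DaysOfWeek/Flags are all zero; only Command is set.
        atInfo = atsvc.AT_INFO()
        atInfo['JobTime'] = 0
        atInfo['DaysOfMonth'] = 0
        atInfo['DaysOfWeek'] = 0
        atInfo['Flags'] = 0
        atInfo['Command'] = ndrutils.NDRUniqueStringW()
        # NUL-terminated UTF-16LE, as the AT_INFO command string expects.
        atInfo['Command']['Data'] = ('calc.exe\x00').encode('utf-16le')

        # Remember to remove it on the target server ;)
        # (the NetrJobAdd response was never used, so it is not kept)
        at.NetrJobAdd('\\\\%s' % rpctransport.get_dip(), atInfo)

        resp = at.NetrJobEnum(rpctransport.get_dip())
        # ToDo: Parse this struct, should be easy
        resp.dump()

        # Switching context to TSS. ``dce`` is rebound on purpose so the
        # finally-clause disconnects the current context, as the original did.
        dce = dce.alter_ctx(atsvc.MSRPC_UUID_TSS)
        # Now atsvc should use that new context
        at = atsvc.DCERPCAtSvc(dce)
        #path = '\\Microsoft\\Windows\\Media Center'
        path = '\\'

        resp = at.SchRpcEnumTasks(path)
        if resp['Count'] == 1:
            print(resp['TaskName']['Data'])
            # S_FALSE after a hit is treated as "more items follow".
            if resp['ErrorCode'] == atsvc.S_FALSE:
                i = 1
                while True:
                    # More items
                    try:
                        resp = at.SchRpcEnumTasks(path, startIndex=i)
                    except Exception:
                        # Narrowed from a bare ``except:`` so KeyboardInterrupt
                        # and SystemExit still propagate.
                        break
                    if resp['Count'] == 1:
                        print(resp['TaskName']['Data'])
                        i += 1
                    else:
                        # Either the end of the list (ErrorCode != S_FALSE) or
                        # no item returned while S_FALSE is still set. The
                        # original only stopped in the first case and spun
                        # forever re-requesting the same index in the second;
                        # with no progress possible, stop in both.
                        break
    finally:
        dce.disconnect()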
def doStuff(self, rpctransport):
    """Run ``self.__command`` on the target via an At job and print its output.

    Sequence as written below: bind to the AT service and add one job whose
    command line is ``%COMSPEC% /C <command> > %SYSTEMROOT%\\Temp\\<random>.tmp``;
    switch the RPC context to the Task Scheduler interface and start the job
    by name (``\\At<jobId>``); wait a fixed 3 s; delete the At job on the
    original context; then read the output file back over the ``ADMIN$``
    share and print it.

    Args:
        rpctransport: connected impacket transport providing the DCE/RPC
            handle (``get_dce_rpc``), credentials (``get_credentials``), the
            target address (``get_dip``) and the SMB connection used for the
            read-back (``get_smb_connection``).

    Raises:
        Any exception from the RPC calls propagates. During the read-back,
        only errors whose text contains ``'SHARING'`` are retried; any other
        exception is re-raised.

    What the code visibly does and does not clean up: the At job is created
    and deleted here, but nothing in this method removes the ``.tmp`` output
    file from the target, and ``dce`` is never disconnected.
    """
    def output_callback(data):
        # getFile hands the file contents to this callback; printed as-is.
        print data

    dce = rpctransport.get_dce_rpc()
    dce.set_credentials(*rpctransport.get_credentials())
    dce.connect()
    # Auth level and fragment size stay at the transport defaults; the
    # packet-privacy call is left commented out, so confidentiality of the
    # RPC payload depends on the underlying transport -- confirm per setup.
    #dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
    #dce.set_max_fragment_size(16)
    dce.bind(atsvc.MSRPC_UUID_ATSVC)
    at = atsvc.DCERPCAtSvc(dce)
    # 8 random letters + '.tmp'. NOTE(review): ``random`` (not ``secrets``)
    # and ``string.letters`` (Python 2 only, locale-dependent). This name is
    # what shows up under %SYSTEMROOT%\Temp on the target.
    tmpFileName = ''.join([random.choice(string.letters) for i in range(8)]) + '.tmp'
    # Check [MS-TSCH] Section 2.3.4
    # JobTime/DaysOfMonth/DaysOfWeek/Flags are all zero; the job is kicked off
    # explicitly with SchRpcRun below rather than by schedule (assumed from
    # the zeroed fields -- confirm against [MS-TSCH]).
    atInfo = atsvc.AT_INFO()
    atInfo['JobTime'] = 0
    atInfo['DaysOfMonth'] = 0
    atInfo['DaysOfWeek'] = 0
    atInfo['Flags'] = 0
    atInfo['Command'] = ndrutils.NDRUniqueStringW()
    # self.__command is interpolated verbatim into a cmd.exe command line with
    # stdout redirected to the temp file; NUL-terminated UTF-16LE as AT_INFO
    # expects. The doubled %% are plain % after formatting.
    atInfo['Command']['Data'] = ('%%COMSPEC%% /C %s > %%SYSTEMROOT%%\\Temp\\%s\x00' % (self.__command, tmpFileName)).encode('utf-16le')

    resp = at.NetrJobAdd(('\\\\%s'% rpctransport.get_dip()),atInfo)
    # Job number assigned by the server; reused below as '\AtN' and for NetrJobDel.
    jobId = resp['JobID']
    #resp = at.NetrJobEnum(rpctransport.get_dip())

    # Switching context to TSS. ``dce`` itself is kept so the At job can be
    # deleted on the original context afterwards.
    dce2 = dce.alter_ctx(atsvc.MSRPC_UUID_TSS)
    # Now atsvc should use that new context
    at = atsvc.DCERPCAtSvc(dce2)
    # Leaving this code to show how to enumerate jobs
    #path = '\\'
    #resp = at.SchRpcEnumTasks(path)
    #if resp['Count'] == 1:
    #    print resp['TaskName']['Data']
    #    if resp['ErrorCode'] == atsvc.S_FALSE:
    #        i = 1
    #        done = False
    #        while done is not True:
    #            # More items
    #            try:
    #                resp = at.SchRpcEnumTasks(path,startIndex=i)
    #            except:
    #                break
    #            if resp['Count'] == 1:
    #                print resp['TaskName']['Data']
    #                i += 1
    #            elif resp['ErrorCode'] != atsvc.S_FALSE:
    #                done = True
    # Start the job now; the response is not inspected.
    resp = at.SchRpcRun('\\At%d' % jobId)
    # On the first run, it takes a while the remote target to start executing the job
    # so I'm setting this sleep.. I don't like sleeps.. but this is just an example
    # Best way would be to check the task status before attempting to read the file
    time.sleep(3)
    # Switching back to the old ctx_id
    at = atsvc.DCERPCAtSvc(dce)
    # Remove the At job; jobId is passed twice, presumably as the min/max of
    # an id range -- confirm against [MS-TSCH]. Response not inspected.
    resp = at.NetrJobDel('\\\\%s'% rpctransport.get_dip(), jobId, jobId)
    smbConnection = rpctransport.get_smb_connection()
    # Read the output back over ADMIN$. Errors whose text contains 'SHARING'
    # (presumably the file is still being written) are retried every 3 s with
    # no upper bound; anything else propagates. Note ``find(...) > 0`` misses
    # a match at offset 0. The file is left on the target afterwards.
    while True:
        try:
            smbConnection.getFile('ADMIN$', 'Temp\\%s' % tmpFileName, output_callback)
            break
        except Exception, e:
            if str(e).find('SHARING') > 0:
                time.sleep(3)
            else:
                raise