Exemplo n.º 1
0
    def doSAMRAdd(self, rpctransport):
        dce = rpctransport.get_dce_rpc()
        servHandle = None
        domainHandle = None
        userHandle = None
        try:
            dce.connect()
            dce.bind(samr.MSRPC_UUID_SAMR)

            samrConnectResponse = samr.hSamrConnect5(
                dce, '\\\\%s\x00' % self.__target,
                samr.SAM_SERVER_ENUMERATE_DOMAINS
                | samr.SAM_SERVER_LOOKUP_DOMAIN)
            servHandle = samrConnectResponse['ServerHandle']

            samrEnumResponse = samr.hSamrEnumerateDomainsInSamServer(
                dce, servHandle)
            domains = samrEnumResponse['Buffer']['Buffer']
            domainsWithoutBuiltin = list(
                filter(lambda x: x['Name'].lower() != 'builtin', domains))

            if len(domainsWithoutBuiltin) > 1:
                domain = list(
                    filter(lambda x: x['Name'].lower() == self.__domainNetbios,
                           domains))
                if len(domain) != 1:
                    logging.critical(
                        "This server provides multiple domains and '%s' isn't one of them.",
                        self.__domainNetbios)
                    logging.critical("Available domain(s):")
                    for domain in domains:
                        logging.error(" * %s" % domain['Name'])
                    logging.critical(
                        "Consider using -domain-netbios argument to specify which one you meant."
                    )
                    raise Exception()
                else:
                    selectedDomain = domain[0]['Name']
            else:
                selectedDomain = domainsWithoutBuiltin[0]['Name']

            samrLookupDomainResponse = samr.hSamrLookupDomainInSamServer(
                dce, servHandle, selectedDomain)
            domainSID = samrLookupDomainResponse['DomainId']

            if logging.getLogger().level == logging.DEBUG:
                logging.info("Opening domain %s..." % selectedDomain)
            samrOpenDomainResponse = samr.hSamrOpenDomain(
                dce, servHandle, samr.DOMAIN_LOOKUP | samr.DOMAIN_CREATE_USER,
                domainSID)
            domainHandle = samrOpenDomainResponse['DomainHandle']

            if self.__noAdd or self.__delete:
                try:
                    checkForUser = samr.hSamrLookupNamesInDomain(
                        dce, domainHandle, [self.__computerName])
                except samr.DCERPCSessionError as e:
                    if e.error_code == 0xc0000073:
                        raise Exception("Account %s not found in domain %s!" %
                                        (self.__computerName, selectedDomain))
                    else:
                        raise

                userRID = checkForUser['RelativeIds']['Element'][0]
                if self.__delete:
                    access = samr.DELETE
                    message = "delete"
                else:
                    access = samr.USER_FORCE_PASSWORD_CHANGE
                    message = "set password for"
                try:
                    openUser = samr.hSamrOpenUser(dce, domainHandle, access,
                                                  userRID)
                    userHandle = openUser['UserHandle']
                except samr.DCERPCSessionError as e:
                    if e.error_code == 0xc0000022:
                        raise Exception(
                            "User %s doesn't have right to %s %s!" %
                            (self.__username, message, self.__computerName))
                    else:
                        raise
            else:
                if self.__computerName is not None:
                    try:
                        checkForUser = samr.hSamrLookupNamesInDomain(
                            dce, domainHandle, [self.__computerName])
                        raise Exception(
                            "Account %s already exists! If you just want to set a password, use -no-add."
                            % self.__computerName)
                    except samr.DCERPCSessionError as e:
                        if e.error_code != 0xc0000073:
                            raise
                else:
                    foundUnused = False
                    while not foundUnused:
                        self.__computerName = self.generateComputerName()
                        try:
                            checkForUser = samr.hSamrLookupNamesInDomain(
                                dce, domainHandle, [self.__computerName])
                        except samr.DCERPCSessionError as e:
                            if e.error_code == 0xc0000073:
                                foundUnused = True
                            else:
                                raise

                try:
                    createUser = samr.hSamrCreateUser2InDomain(
                        dce,
                        domainHandle,
                        self.__computerName,
                        samr.USER_WORKSTATION_TRUST_ACCOUNT,
                        samr.USER_FORCE_PASSWORD_CHANGE,
                    )
                except samr.DCERPCSessionError as e:
                    if e.error_code == 0xc0000022:
                        raise Exception(
                            "User %s doesn't have right to create a machine account!"
                            % self.__username)
                    elif e.error_code == 0xc00002e7:
                        raise Exception("User %s machine quota exceeded!" %
                                        self.__username)
                    else:
                        raise

                userHandle = createUser['UserHandle']

            if self.__delete:
                samr.hSamrDeleteUser(dce, userHandle)
                logging.info("Successfully deleted %s." % self.__computerName)
                userHandle = None
            else:
                samr.hSamrSetPasswordInternal4New(dce, userHandle,
                                                  self.__computerPassword)
                if self.__noAdd:
                    logging.info(
                        "Successfully set password of %s to %s." %
                        (self.__computerName, self.__computerPassword))
                else:
                    logging.info(
                        "Successfully added machine account %s with password %s."
                        % (self.__computerName, self.__computerPassword))

        except Exception as e:
            if logging.getLogger().level == logging.DEBUG:
                import traceback
                traceback.print_exc()

            logging.critical(str(e))
        finally:
            if userHandle is not None:
                samr.hSamrCloseHandle(dce, userHandle)
            if domainHandle is not None:
                samr.hSamrCloseHandle(dce, domainHandle)
            if servHandle is not None:
                samr.hSamrCloseHandle(dce, servHandle)
            dce.disconnect()
Exemplo n.º 2
0
 def delete(dce, domain_handle, uniq_id):
     entity_handel = samr.hSamrOpenUser(dce, domain_handle,
                                        userId=uniq_id)['UserHandle']
     samr.hSamrDeleteUser(dce, entity_handel)