def OpenSCManager(self,host,access=0):
"""
opens a remote Service Control Manager
Returns 0 on failure
On Windows 2000 this will connect to services.exe, which will then
call OpenSCManager for you. Actually it doesn't call the routine
itself. It appears to call some other routine internally that does the
real work. So you can't breakpoint on OpenSCManager or CreateServiceW
(sorry)
If you breakpoint on OpenSCManager, and you aren't seeing it get called, then that's normal.
Try breakpointing on RPCImpersonateClient and seeing what is
going on there.
"""
self.log("Using msrpcuser: %s msrpcpassword: %s"%(self.msrpcuser,self.msrpcpassword))
connectionList = ["ncacn_np:%s[\\svcctl]"% (host)]
self.myDCE = msrpc.DCE("367abb81-9844-35f1-ad32-98f038001003", "2.0", connectionList, covertness = self.covertness, getsock=self)
self.myDCE.setUsername(self.msrpcuser)
self.myDCE.setPassword(self.msrpcpassword)
self.myDCE.setDomain(self.domain)
try:
map=self.myDCE.connect()
if not map:
self.raiseError("Could not connect to remote server - service is not running or the host is firewalled.")
except Exception, msg:
self.log(msg)
return 0
def get_shares(self, user, password):
"""
Makes the connection to the remote server and gets the
shares. This is called twice, once with the typical thing
and once with bob:None, since XP does a weird thing
with users and password.
"""
connectionList = ["ncacn_np:%s[\\browser]" % (self.target.interface)]
self.myDCE = msrpc.DCE("4b324fc8-1670-01d3-1278-5a47bf6ee188",
"3.0",
connectionList,
covertness=self.covertness,
getsock=self)
devlog('shareenum::run', "myDCE: %s" % self.myDCE)
self.myDCE.setUsername(user)
self.myDCE.setPassword(password)
try:
devlog('shareenum::run', "myDCE.connect: %s" % self.myDCE.connect)
map = self.myDCE.connect()
devlog('shareenum::run', "map: %s" % map)
if not map:
self.raiseError(
"Could not connect to remote server - service is not running or the host is firewalled."
)
except Exception, msg:
devlog(
'shareenum::run',
"Could not connect to remote server (%s): %s" %
(Exception, msg))
self.log(msg)
return 0
def ServicesConnect(self):
connectionList=['ncacn_np:%s[\\browser]'%(self.host),'ncacn_np:%s[\\svcctl]'%(self.host)]
self.myDCE=msrpc.DCE(self.UUID,self.uuidversion,connectionList,covertness=self.covertness,getsock=self, domain=self.domain)
self.myDCE.setUsername(self.user)
self.myDCE.setPassword(self.password)
self.log('Setting username and password to %s:%s'%(self.user,self.password))
try:
map=self.myDCE.connect()
if not map:
self.raiseError('Could not connect to remote server - service is not running or the host is firewalled.')
except Exception, msg:
self.log(msg)
return False
def getLoggedInUsers(self, osstr):
"""
Get the logged in users instead of all the users using wksvc
"""
userlist = []
if "Windows" in osstr:
self.log("Windows found, using wksvc to enumerate users")
#connect to named pipe
#bind to RPC server
# when you have to add a custom port: "ncacn_ip_tcp:%s[1060]"% (self.target.interface)
connectionList = [
"ncacn_np:%s[\\browser]" % (self.target.interface)
]
if self.customport:
connectionList = [
"ncacn_ip_tcp:%s[%d]" %
(self.target.interface, self.customport)
] + connectionList
self.myDCE = msrpc.DCE("6bffd098-a112-3610-9833-46c3f87e345a",
"1.0",
connectionList,
covertness=self.covertness,
getsock=self)
self.myDCE.setUsername(self.user)
self.myDCE.setPassword(self.password)
self.log("Setting username and password to %s:%s" %
(self.user, self.password))
try:
map = self.myDCE.connect()
if not map:
self.raiseError(
"Could not connect to remote server - service is not running or the host is firewalled."
)
except Exception, msg:
self.log(msg)
return 0
pkt = self.createEnumPkt()
#send to function_02
ret = 0
try:
ret = msrpc.get_all_stubs(self.myDCE.call(2, pkt, response=1))
except Exception, msg:
self.log("Could not call MSRPC Function: %s" % msg)
def connect(self):
"""
Using self.connectionList, this function tries to connect
to the remote target UUID - this way we support any kind
of connection CANVAS supports
"""
self.myDCE = msrpc.DCE(self.UUID, self.version, self.connectionList)
self.myDCE.setUsername(self.user)
self.myDCE.setPassword(self.password)
try:
map = self.myDCE.connect()
if not map:
self.raiseError(
"Could not connect to remote server - service is not running or the host is firewalled."
)
except Exception, msg:
self.log(msg)
return 0
def get_context_handle(self, default_string, default_int, opcode, uuid):
"""
Sends the request to get a context handle
"""
self.mydce = None
self.fuzzing = False #no fuzzing during this part
old_default_int = self.default_int
old_default_string = self.default_string
ret = "" #failure string
self.default_string = default_string
self.default_int = default_int
self.log(
"[*] Trying to get context handle with default string: %s:%d from opcode %d"
% (default_string, default_int, opcode.opnum))
testpack = ""
for element in opcode.elements:
try:
testpack += element.serialize()
except:
self.log("[*] Serialization bug! Look into this later")
continue
request = opcode.serialize()
mydce = msrpc.DCE(uuid.ifid, uuid.version, self.connectionList)
mydce.setUsername(self.user)
mydce.setPassword(self.password)
self.log("[*] Connecting to ifid: %s" % uuid.ifid)
try:
mydce.connect()
except msrpc.DCEException, msg:
self.log("[*] Couldn't connect to ifid %s!" % uuid.ifid)
self.log(
"[*] During context_handle finding - this should never happen")
self.log("[*] Killed service! %s with opcode %s" %
(uuid.ifid, opcode.opnum))
time.sleep(50)
return ret
def LsaConnect(self, user=None):
"""
Connect to endpoint, return true if success
"""
# when you want to add a custom port: "ncacn_ip_tcp:%s[1060]"% (self.target.interface)
# dont forget to add the custom port to the has_named_pipes call
connectionList = [
"ncacn_np:%s[\\browser]" % (self.target.interface),
"ncacn_np:%s[\\lsarpc]" % (self.target.interface),
"ncacn_np:%s[\\netlogon]" % (self.target.interface),
"ncacn_np:%s[\\lsass]" % (self.target.interface)
]
if self.customport:
connectionList = [
"ncacn_ip_tcp:%s[%d]" %
(self.target.interface, self.customport)
] + connectionList # we wanna try customport first
self.myDCE = msrpc.DCE("12345778-1234-abcd-ef00-0123456789ab",
"0.0",
connectionList,
covertness=self.covertness,
getsock=self)
if user == None:
user = self.user
self.log("Trying LsaConnect with user: %s" % user)
self.myDCE.setUsername(user)
self.myDCE.setPassword(self.password)
self.log("Setting username and password to %s:%s" %
(user, self.password))
try:
map = self.myDCE.connect()
if not map:
self.raiseError(
"Could not connect to remote server - service is not running or the host is firewalled."
)
except Exception, msg:
self.log(msg)
return False
def run_on_idl(self):
"""
Set self.idl and then call this from run()
"""
rpc = None
send = True
opnum = None #None is default
context_handle = None #None is default
DEBUG = False
idl = self.idl
host = self.host
skip_to_ifid = "" #"" is default
start_fuzznum = None #None is default
#set the NDR fuzzer object
ndr.g_fuzz_object = self
#default strings
for self.default_string in self.default_strings:
self.log("Set default string to %s" % repr(self.default_string))
#default integers
for self.default_int in self.default_ints:
self.log("Set default integer to 0x%2.2x" % self.default_int)
for uuid in idl:
self.UUID = uuid.ifid
if skip_to_ifid and not self.UUID == skip_to_ifid:
continue
if skip_to_ifid:
skip_to_ifid = ""
self.version = uuid.version
self.buildConnectionList()
self.log("Connectionlist=%s" % self.connectionList)
self.log("Connecting as %s:%s" %
(self.user, self.password))
self.done_with_ifid = False
#we'll set below variable when we find out that we both need
#a context handle, and know how to get one (using try_to_get_context_handle())
self.get_context_handle_opcode = None
# We loop through all the opcodes for each uuid the parser gave us
for opcode in uuid.opcodes:
self.log(
"Opcode: %s. Default int: %s Default String: %s" %
(str(opcode.opnum), self.default_int,
repr(self.default_string)))
self.did_connect = False
if self.done_with_ifid == True:
break
#skip some opnums if needed
if opnum != None:
if opcode.opnum != opnum:
continue
opnum = None #reset since we've skipped to it
if len(opcode.elements) == 0:
self.log("Not doing opcode %d, no elements" %
opcode.opnum)
continue
self.opcode = opcode
self.done_with_opcode = False
#fuzznum is which variable to fuzz
if start_fuzznum != None:
fuzznum = start_fuzznum
start_fuzznum = None
else:
fuzznum = 0
self.max_fuzznum = False
self.next_fuzz_element = None #set to 0 to initialize search, set to a number for the next fuzz number
while not self.max_fuzznum:
self.log("Doing fuzznum: %d" % fuzznum)
#here we skip to the next element we're fuzzing if we found one!
if self.next_fuzz_element:
self.log(
"[*] Skipping to next fuzz element: %d" %
self.next_fuzz_element)
fuzznum = self.next_fuzz_element
self.next_fuzz_element = None
#this will be true if we did not find anything to fuzz in this opcode!
if self.next_fuzz_element == 0:
self.log(
"[*] Nothing left to fuzz on this opcode!")
self.done_with_opcode = True
self.fuzznum = fuzznum
fuzznum += 1
self.done_with_element = False
self.total_elements = 0
if self.done_with_opcode:
break
#reset our fuzzer
self.reset_fuzzer()
while not self.done_with_element:
self.log("Doing element fuzz")
#first we connect
mydce = msrpc.DCE(uuid.ifid, uuid.version,
self.connectionList)
mydce.setUsername(self.user)
mydce.setPassword(self.password)
self.log("[*] Connecting to ifid: %s" %
uuid.ifid)
try:
mydce.connect()
except msrpc.DCEException, msg:
self.log(
"[*] Couldn't connect to ifid %s!" %
uuid.ifid)
self.done_with_opcode = True
self.done_with_element = True
self.done_with_ifid = True
if self.did_connect:
self.log(
"[*] Killed service! %s with opcode %s"
% (uuid.ifid, opcode.opnum))
time.sleep(50)
break
self.did_connect = True
self.log("[*] Connected")
self.log(" opcode: %x elements: [%02d]" %
(opcode.opnum, len(opcode.elements)))
testpack = ""
request = ""
if self.get_context_handle_opcode:
self.log("Getting context handle")
default_int, default_string, context_opcode = self.get_context_handle_opcode
context_handle = self.get_context_handle(
default_string, default_int,
context_opcode, uuid)
self.log("Setting context handle to %s" %
repr(context_handle))
opcode.set_context_handle(context_handle)
mydce = self.mydce #reset this to the same connection we had before when we were getting a context handle
#set our flag so we know it's there.
#if we for whatever reason don't have any string elements to fuzz
#then this will get us out of the loop
self.ran_get_fuzz_data = False
self.current_element = 0
self.second_serialize = False
# Again I have to pass twice because of union dependencies
for element in opcode.elements:
if DEBUG:
dump_ndr(element)
try:
#self.log("DEBUG: element.serialize called on %s"%str(element))
testpack += element.serialize()
except:
self.log(
"[*] Serialization bug! Look into this later"
)
self.done_with_opcode = True
self.done_with_element = True
break
#self.log("DEBUG: Done with pass 1")
if self.done_with_element:
self.log("Done with this element...")
continue
#reset current_element?
# This is all you do to serialize the data for the wire
#self.log("Serializing a second time")
self.second_serialize = True
self.current_element = 0
request += opcode.serialize()
#self.log("Done with pass 2")
if len(request) != len(testpack):
self.log(
"[*] Length of testpack %d length of request %d"
% (len(testpack), len(request)))
#self.log("Done serializing"
if not self.ran_get_fuzz_data:
#nothing to fuzz!
self.log(
"[*] Nothing to fuzz on this opcode!")
self.done_with_element = True
self.done_with_opcode = True
self.log("[*] Sending %s [opcode: %d]" %
(uuid.ifid, opcode.opnum))
self.log("[*] Length of Fuzz Request [%s]" %
len(request))
#self.log("[*] Request: %s"%print_hex(request))
try:
ret = mydce.call(opcode.opnum,
request,
response=1)
self.log("[*] Sent - got ret")
except msrpc.DCEException, msg:
self.log("[*] Sent - got exception")
if str(msg).count("1c00001a"):
self.log("[*] Need a context handle!")
#this is a tricky thing
#we essentially need to go into the uuid and find
#the routine we can use to get the context handle
#of course, this may require calling it with some sort
#of valid argument, which we can't do
#but we'll try
if self.get_context_handle_opcode == False:
self.log(
"[*] Need context handle, but can't get one"
)
self.done_with_element = True
self.done_with_opcode = True
elif self.get_context_handle_opcode != None:
#in this case, we already had a context handle,
#so we're failing even WITH a context handle, so we bail
self.log(
"[*] Failing even with context handle - bail"
)
self.done_with_element = True
self.done_with_opcode = True
else:
if self.do_context_handle_grab:
self.log(
"[*] Trying to get context handle function"
)
#we didn't have a context handle. So let's try to figure out how to get one
if not self.try_to_get_context_handle(
uuid):
self.log(
"[*] We tried, but failed to get a valid context handle!"
)
#set this so we don't try again
self.get_context_handle_opcode = False
self.done_with_element = True
self.done_with_opcode = True
continue
elif str(msg).count("6f7"):
self.log("[*] Bad marshaller?")
#not sure if I want this next line...
self.done_with_element = True
continue
elif str(msg).count("received 5"):
self.log("[*] Bad authentication")
self.done_with_element = True
self.done_with_opcode = True
continue
elif str(msg).count("Broken pipe"):
self.log("[*] Broken pipe")
continue
elif str(msg).count(
"unpack requires a string argument of length"
):
self.log("[*] SMB error: %s" % msg)
#essentially we are a size_is and we're sending huge amounts of data...no need to continue this.
self.done_with_element = True
continue
elif str(msg).count(
"A failed packet received 1c00001b"
):
self.log(
"[*] Found memory leak vulnerability!"
)
self.done_with_element = True
elif str(msg).count("1c010003"):
self.log(
"[*] No such interface, sorry")
self.done_with_ifid = True
self.done_with_element = True
self.done_with_opcode = True
continue
elif str(msg).count("1c010002") or str(
msg).count("c002002e"):
self.log(
"[*] opcode is > than implemented opcodes!"
)
self.done_with_ifid = True
self.done_with_element = True
self.done_with_opcode = True
continue
elif str(msg).count("1c000006"):
self.log("[*] nca_s_fault_invalid_tag")
#who knows?
continue
elif str(msg).count("1c000007"):
self.log("[*] Invalid bound error")
self.done_with_element = True
continue
elif str(msg).count("1c000017"):
self.log("[*] Pipe Discipline fault")
continue
elif str(msg).count("timeout"):
self.log(
"[*] Timeout on RECV - sitting in exception in debugger?"
)
continue
elif str(msg).count(
"Connection reset by peer"):
self.log(
"[*] Connection reset by peer - very strange. Did someone kill the process?"
)
continue
else:
self.log("msg: %s" % msg)
raise
recvbuffer = None
if ret:
recvbuffer = msrpc.get_all_stubs(ret)
else:
self.log("[*] No response received?")
if recvbuffer:
self.log("[*] Received [%s]" %
print_hex(recvbuffer))