Python impacket.dcerpc.v5.scmr.SERVICE_DEMAND_START Examples
The following are 9
code examples of impacket.dcerpc.v5.scmr.SERVICE_DEMAND_START().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
impacket.dcerpc.v5.scmr
, or try the search function
.
Example #1
Source File: mysmb.py From AutoBlue-MS17-010 with MIT License | 6 votes |
def execute_remote(self, data): to_batch = '{} echo {} ^> {} 2^>^&1 > {}'.format(self.__shell, data, self.__output, self.__batchFile) command = '{} & {} {}'.format(to_batch, self.__shell, self.__batchFile) if self.__mode == 'SERVER': command += ' & ' + self.__copyBack command = '{} & del {}'.format(command, self.__batchFile ) logging.debug('Executing %s' % command) resp = scmr.hRCreateServiceW(self.__scmr, self.__scHandle, self.__serviceName, self.__serviceName, lpBinaryPathName=command, dwStartType=scmr.SERVICE_DEMAND_START) service = resp['lpServiceHandle'] try: scmr.hRStartServiceW(self.__scmr, service) except: pass scmr.hRDeleteService(self.__scmr, service) scmr.hRCloseServiceHandle(self.__scmr, service) self.get_output() #print(self.__outputBuffer)
Example #2
Source File: smbexec.py From Slackor with GNU General Public License v3.0 | 6 votes |
def execute_remote(self, data): command = self.__shell + 'echo ' + data + ' ^> ' + self.__output + ' 2^>^&1 > ' + self.__batchFile + ' & ' + \ self.__shell + self.__batchFile if self.__mode == 'SERVER': command += ' & ' + self.__copyBack command += ' & ' + 'del ' + self.__batchFile logging.debug('Executing %s' % command) resp = scmr.hRCreateServiceW(self.__scmr, self.__scHandle, self.__serviceName, self.__serviceName, lpBinaryPathName=command, dwStartType=scmr.SERVICE_DEMAND_START) service = resp['lpServiceHandle'] try: scmr.hRStartServiceW(self.__scmr, service) except: pass scmr.hRDeleteService(self.__scmr, service) scmr.hRCloseServiceHandle(self.__scmr, service) self.get_output()
Example #3
Source File: test_scmr.py From CVE-2017-7494 with GNU General Public License v3.0 | 5 votes |
def test_create_change_delete(self): dce, rpctransport, scHandle = self.connect() ##################### # Create / Change / Query / Delete a service lpServiceName = 'TESTSVC\x00' lpDisplayName = 'DisplayName\x00' dwDesiredAccess = scmr.SERVICE_ALL_ACCESS dwServiceType = scmr.SERVICE_WIN32_OWN_PROCESS dwStartType = scmr.SERVICE_DEMAND_START dwErrorControl = scmr.SERVICE_ERROR_NORMAL lpBinaryPathName = 'binaryPath\x00' lpLoadOrderGroup = NULL lpdwTagId = NULL lpDependencies = NULL dwDependSize = 0 lpServiceStartName = NULL lpPassword = NULL dwPwSize = 0 resp = scmr.hRCreateServiceW(dce, scHandle, lpServiceName, lpDisplayName, dwDesiredAccess, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize) resp.dump() newHandle = resp['lpServiceHandle'] # Aca hay que chequear cada uno de los items cbBufSize = 0 try: resp = scmr.hRQueryServiceConfigW(dce, newHandle) except Exception, e: if str(e).find('ERROR_INSUFFICIENT_BUFFER') <= 0: raise else: resp = e.get_packet()
Example #4
Source File: smbexec.py From CrackMapExec with BSD 2-Clause "Simplified" License | 5 votes |
def execute_fileless(self, data): self.__output = gen_random_string(6) self.__batchFile = gen_random_string(6) + '.bat' local_ip = self.__rpctransport.get_socket().getsockname()[0] if self.__retOutput: command = self.__shell + data + ' ^> \\\\{}\\{}\\{}'.format(local_ip, self.__share_name, self.__output) else: command = self.__shell + data with open(os.path.join('/tmp', 'cme_hosted', self.__batchFile), 'w') as batch_file: batch_file.write(command) logging.debug('Hosting batch file with command: ' + command) command = self.__shell + '\\\\{}\\{}\\{}'.format(local_ip,self.__share_name, self.__batchFile) logging.debug('Command to execute: ' + command) logging.debug('Remote service {} created.'.format(self.__serviceName)) resp = scmr.hRCreateServiceW(self.__scmr, self.__scHandle, self.__serviceName, self.__serviceName, lpBinaryPathName=command, dwStartType=scmr.SERVICE_DEMAND_START) service = resp['lpServiceHandle'] try: logging.debug('Remote service {} started.'.format(self.__serviceName)) scmr.hRStartServiceW(self.__scmr, service) except: pass logging.debug('Remote service {} deleted.'.format(self.__serviceName)) scmr.hRDeleteService(self.__scmr, service) scmr.hRCloseServiceHandle(self.__scmr, service) self.get_output_fileless()
Example #5
Source File: test_scmr.py From cracke-dit with MIT License | 5 votes |
def test_create_change_delete(self): dce, rpctransport, scHandle = self.connect() ##################### # Create / Change / Query / Delete a service lpServiceName = 'TESTSVC\x00' lpDisplayName = 'DisplayName\x00' dwDesiredAccess = scmr.SERVICE_ALL_ACCESS dwServiceType = scmr.SERVICE_WIN32_OWN_PROCESS dwStartType = scmr.SERVICE_DEMAND_START dwErrorControl = scmr.SERVICE_ERROR_NORMAL lpBinaryPathName = 'binaryPath\x00' lpLoadOrderGroup = NULL lpdwTagId = NULL lpDependencies = NULL dwDependSize = 0 lpServiceStartName = NULL lpPassword = NULL dwPwSize = 0 resp = scmr.hRCreateServiceW(dce, scHandle, lpServiceName, lpDisplayName, dwDesiredAccess, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize) resp.dump() newHandle = resp['lpServiceHandle'] # Aca hay que chequear cada uno de los items cbBufSize = 0 try: resp = scmr.hRQueryServiceConfigW(dce, newHandle) except Exception, e: if str(e).find('ERROR_INSUFFICIENT_BUFFER') <= 0: raise else: resp = e.get_packet()
Example #6
Source File: serviceinstall.py From Slackor with GNU General Public License v3.0 | 5 votes |
def createService(self, handle, share, path): LOG.info("Creating service %s on %s....." % (self.__service_name, self.connection.getRemoteHost())) # First we try to open the service in case it exists. If it does, we remove it. try: resp = scmr.hROpenServiceW(self.rpcsvc, handle, self.__service_name+'\x00') except Exception as e: if str(e).find('ERROR_SERVICE_DOES_NOT_EXIST') >= 0: # We're good, pass the exception pass else: raise e else: # It exists, remove it scmr.hRDeleteService(self.rpcsvc, resp['lpServiceHandle']) scmr.hRCloseServiceHandle(self.rpcsvc, resp['lpServiceHandle']) # Create the service command = '%s\\%s' % (path, self.__binary_service_name) try: resp = scmr.hRCreateServiceW(self.rpcsvc, handle,self.__service_name + '\x00', self.__service_name + '\x00', lpBinaryPathName=command + '\x00', dwStartType=scmr.SERVICE_DEMAND_START) except: LOG.critical("Error creating service %s on %s" % (self.__service_name, self.connection.getRemoteHost())) raise else: return resp['lpServiceHandle']
Example #7
Source File: remotecmd.py From certitude with GNU General Public License v2.0 | 5 votes |
def __createService(self): self.__log__(logging.DEBUG, 'Creating service') try: resp = scmr.hROpenServiceW(self.__dcerpc, self.__SVCManager, RemoteCmd.REMCOMSVC_SERVICE_NAME + '\x00') self.__log__(logging.WARNING, 'Service already exists, renewing it') try: scmr.hRControlService(self.__dcerpc, resp['lpServiceHandle'], scmr.SERVICE_CONTROL_STOP) time.sleep(1) except: pass scmr.hRDeleteService(self.__dcerpc, resp['lpServiceHandle']) scmr.hRCloseServiceHandle(self.__dcerpc, resp['lpServiceHandle']) except: pass resp = scmr.hRCreateServiceW( self.__dcerpc, self.__SVCManager, RemoteCmd.REMCOMSVC_SERVICE_NAME + '\x00', RemoteCmd.REMCOMSVC_SERVICE_NAME + '\x00', lpBinaryPathName = self.__getWritableUNCPath() + '\\' + RemoteCmd.REMCOMSVC_REMOTE + '\x00', dwStartType=scmr.SERVICE_DEMAND_START, ) resp = scmr.hROpenServiceW(self.__dcerpc, self.__SVCManager, RemoteCmd.REMCOMSVC_SERVICE_NAME + '\x00') self.__service = resp['lpServiceHandle'] self.__pendingCleanupActions.append((self.__deleteService, 3)) return # Drops the binary file to register as a service
Example #8
Source File: test_scmr.py From PiBunny with MIT License | 5 votes |
def test_create_change_delete(self): dce, rpctransport, scHandle = self.connect() ##################### # Create / Change / Query / Delete a service lpServiceName = 'TESTSVC\x00' lpDisplayName = 'DisplayName\x00' dwDesiredAccess = scmr.SERVICE_ALL_ACCESS dwServiceType = scmr.SERVICE_WIN32_OWN_PROCESS dwStartType = scmr.SERVICE_DEMAND_START dwErrorControl = scmr.SERVICE_ERROR_NORMAL lpBinaryPathName = 'binaryPath\x00' lpLoadOrderGroup = NULL lpdwTagId = NULL lpDependencies = NULL dwDependSize = 0 lpServiceStartName = NULL lpPassword = NULL dwPwSize = 0 resp = scmr.hRCreateServiceW(dce, scHandle, lpServiceName, lpDisplayName, dwDesiredAccess, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize) resp.dump() newHandle = resp['lpServiceHandle'] # Aca hay que chequear cada uno de los items cbBufSize = 0 try: resp = scmr.hRQueryServiceConfigW(dce, newHandle) except Exception, e: if str(e).find('ERROR_INSUFFICIENT_BUFFER') <= 0: raise else: resp = e.get_packet()
Example #9
Source File: smbexec.py From ActiveReign with GNU General Public License v3.0 | 4 votes |
def execute(self, command): # Init New Command self.__outputBuffer = '' if self.noOutput: cmd = self.__shell + command else: cmd = self.__shell + command + " ^> \\\\{}\\{}{} 2>&1".format(self.ip, self.share, self.path + self.outfile) self.logger.debug("SMBexec: {}".format(cmd)) # Write cmd to Service File for exec self.logger.debug("Creating {} to execute command".format(self.batchFile)) if self.fileless_output: # Create bat service on AR3 server share with open(os.path.join('/tmp', '.ar3', self.batchFile), 'w') as batch_file: batch_file.write(cmd) else: # Create .bat service on target system in /Windows/Temp to execute command tid = self.smbcon.con.connectTree(self.share) fid = self.smbcon.con.createFile(tid, "{}{}".format(self.path.replace('\\', '/'), self.batchFile)) self.smbcon.con.writeFile(tid, fid, cmd) self.smbcon.con.closeFile(tid, fid) # Create new CMD to execute .bat service_command = self.__shell + '\\\\{}\\{}{}{}'.format(self.ip, self.share, self.path, self.batchFile) self.logger.debug('Executing: ' + service_command) # Create Service self.logger.debug('Remote service {} created.'.format(self.__serviceName)) resp = scmr.hRCreateServiceW(self.__scmr, self.__scHandle, self.__serviceName, self.__serviceName, lpBinaryPathName=service_command, dwStartType=scmr.SERVICE_DEMAND_START) service = resp['lpServiceHandle'] # Start Service try: self.logger.debug('Remote service {} started.'.format(self.__serviceName)) scmr.hRStartServiceW(self.__scmr, service) except Exception as e: pass #self._outputBuffer += str(e) # Delete Service self.logger.debug('Remote service {} deleted.'.format(self.__serviceName)) scmr.hRDeleteService(self.__scmr, service,) scmr.hRCloseServiceHandle(self.__scmr, service) # Get output if self.noOutput: self.__outputBuffer = "Command executed with no output" elif self.fileless_output: self.get_output_fileless() else: self.get_output() self.cleanup() # Cleanup and return data self.finish() return self.__outputBuffer