Python impacket.dcerpc.v5.scmr.hROpenServiceW() Examples
The following are 30
code examples of impacket.dcerpc.v5.scmr.hROpenServiceW().
You can vote up the ones you like or vote down the ones you don't like,
and go to the original project or source file by following the links above each example.
You may also want to check out all available functions/classes of the module
impacket.dcerpc.v5.scmr
, or try the search function
.
.
Example #1
| Source File: test_scmr.py From PiBunny with MIT License | 6 votes |
|
def test_RControlServiceCall(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'CryptSvc\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
try:
req = scmr.RControlService()
req['hService'] = serviceHandle
req['dwControl'] = scmr.SERVICE_CONTROL_STOP
resp = dce.request(req)
except Exception, e:
if str(e).find('ERROR_DEPENDENT_SERVICES_RUNNING') < 0:
raise
pass
Example #2
| Source File: secretsdump.py From Slackor with GNU General Public License v3.0 | 6 votes |
|
def getServiceAccount(self, serviceName):
try:
# Open the service
ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, serviceName)
serviceHandle = ans['lpServiceHandle']
resp = scmr.hRQueryServiceConfigW(self.__scmr, serviceHandle)
account = resp['lpServiceConfig']['lpServiceStartName'][:-1]
scmr.hRCloseServiceHandle(self.__scmr, serviceHandle)
if account.startswith('.\\'):
account = account[2:]
return account
except Exception as e:
# Don't log if history service is not found, that should be normal
if serviceName.endswith("_history") is False:
LOG.error(e)
return None
Example #3
| Source File: test_scmr.py From Slackor with GNU General Public License v3.0 | 6 votes |
|
def test_RQueryServiceStatusEx(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RQueryServiceStatusEx()
request['hService'] = serviceHandle
request['InfoLevel'] = scmr.SC_STATUS_PROCESS_INFO
request['cbBufSize'] = 100
resp = dce.request(request)
array = b''.join(resp['lpBuffer'])
scmr.SERVICE_STATUS_PROCESS(array)
# ToDo
Example #4
| Source File: test_scmr.py From Slackor with GNU General Public License v3.0 | 6 votes |
|
def test_RQueryServiceConfigEx(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'RemoteRegistry\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RQueryServiceConfigEx()
request['hService'] = serviceHandle
request['dwInfoLevel'] = 0x00000008
#request.dump()
resp = dce.request(request)
resp.dump()
# ToDo
Example #5
| Source File: test_scmr.py From Slackor with GNU General Public License v3.0 | 6 votes |
|
def te_RControlServiceExW(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RControlServiceExW()
request['hService'] = serviceHandle
request['dwControl'] = scmr.SERVICE_CONTROL_STOP
request['dwInfoLevel'] = 1
# This is not working, don't know exactly why
request['pControlInParams']['dwReason'] = 0x20000000
request['pControlInParams']['pszComment'] = 'nada\x00'
request['pControlInParams'] = NULL
resp = dce.request(request)
resp.dump()
# ToDo
Example #6
| Source File: test_scmr.py From Slackor with GNU General Public License v3.0 | 6 votes |
|
def test_RStartServiceW(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
try:
scmr.hRStartServiceW(dce, serviceHandle, 3, ['arg1\x00', 'arg2\x00', 'arg3\x00'] )
except Exception as e:
if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') <= 0:
raise
scmr.hRCloseServiceHandle(dce, scHandle)
Example #7
| Source File: dump.py From CVE-2019-1040 with MIT License | 6 votes |
|
def getServiceAccount(self, serviceName):
try:
# Open the service
ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, serviceName)
serviceHandle = ans['lpServiceHandle']
resp = scmr.hRQueryServiceConfigW(self.__scmr, serviceHandle)
account = resp['lpServiceConfig']['lpServiceStartName'][:-1]
scmr.hRCloseServiceHandle(self.__scmr, serviceHandle)
if account.startswith('.\\'):
account = account[2:]
return account
except Exception as e:
# Don't log if history service is not found, that should be normal
if serviceName.endswith("_history") is False:
LOG.error(e)
return None
Example #8
| Source File: dump.py From Exchange2domain with MIT License | 6 votes |
|
def getServiceAccount(self, serviceName):
try:
# Open the service
ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, serviceName)
serviceHandle = ans['lpServiceHandle']
resp = scmr.hRQueryServiceConfigW(self.__scmr, serviceHandle)
account = resp['lpServiceConfig']['lpServiceStartName'][:-1]
scmr.hRCloseServiceHandle(self.__scmr, serviceHandle)
if account.startswith('.\\'):
account = account[2:]
return account
except Exception, e:
# Don't log if history service is not found, that should be normal
if serviceName.endswith("_history") is False:
LOG.error(e)
return None
Example #9
| Source File: test_scmr.py From cracke-dit with MIT License | 6 votes |
|
def test_query(self):
dce, rpctransport, scHandle = self.connect()
############################
# Query Service Status / Enum Dependent
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
resp = scmr.hRQueryServiceStatus(dce, serviceHandle)
cbBufSize = 0
try:
resp = scmr.hREnumDependentServicesW(dce, serviceHandle, scmr.SERVICE_STATE_ALL,cbBufSize )
resp.dump()
except scmr.DCERPCSessionError, e:
if str(e).find('ERROR_MORE_DATA') <= 0:
raise
else:
resp = e.get_packet()
Example #10
| Source File: test_scmr.py From cracke-dit with MIT License | 6 votes |
|
def te_RControlServiceExW(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RControlServiceExW()
request['hService'] = serviceHandle
request['dwControl'] = scmr.SERVICE_CONTROL_STOP
request['dwInfoLevel'] = 1
# This is not working, don't know exactly why
request['pControlInParams']['dwReason'] = 0x20000000
request['pControlInParams']['pszComment'] = 'nada\x00'
request['pControlInParams'] = NULL
resp = dce.request(request)
resp.dump()
# ToDo
Example #11
| Source File: test_scmr.py From cracke-dit with MIT License | 6 votes |
|
def test_RQueryServiceConfigEx(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'RemoteRegistry\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RQueryServiceConfigEx()
request['hService'] = serviceHandle
request['dwInfoLevel'] = 0x00000008
#request.dump()
resp = dce.request(request)
resp.dump()
# ToDo
Example #12
| Source File: test_scmr.py From PiBunny with MIT License | 6 votes |
|
def test_query(self):
dce, rpctransport, scHandle = self.connect()
############################
# Query Service Status / Enum Dependent
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
resp = scmr.hRQueryServiceStatus(dce, serviceHandle)
cbBufSize = 0
try:
resp = scmr.hREnumDependentServicesW(dce, serviceHandle, scmr.SERVICE_STATE_ALL,cbBufSize )
resp.dump()
except scmr.DCERPCSessionError, e:
if str(e).find('ERROR_MORE_DATA') <= 0:
raise
else:
resp = e.get_packet()
Example #13
| Source File: test_scmr.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def test_query(self):
dce, rpctransport, scHandle = self.connect()
############################
# Query Service Status / Enum Dependent
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
resp = scmr.hRQueryServiceStatus(dce, serviceHandle)
cbBufSize = 0
try:
resp = scmr.hREnumDependentServicesW(dce, serviceHandle, scmr.SERVICE_STATE_ALL,cbBufSize )
resp.dump()
except scmr.DCERPCSessionError, e:
if str(e).find('ERROR_MORE_DATA') <= 0:
raise
else:
resp = e.get_packet()
Example #14
| Source File: test_scmr.py From PiBunny with MIT License | 6 votes |
|
def te_RControlServiceExW(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RControlServiceExW()
request['hService'] = serviceHandle
request['dwControl'] = scmr.SERVICE_CONTROL_STOP
request['dwInfoLevel'] = 1
# This is not working, don't know exactly why
request['pControlInParams']['dwReason'] = 0x20000000
request['pControlInParams']['pszComment'] = 'nada\x00'
request['pControlInParams'] = NULL
resp = dce.request(request)
resp.dump()
# ToDo
Example #15
| Source File: test_scmr.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def test_RQueryServiceConfigEx(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'RemoteRegistry\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RQueryServiceConfigEx()
request['hService'] = serviceHandle
request['dwInfoLevel'] = 0x00000008
#request.dump()
resp = dce.request(request)
resp.dump()
# ToDo
Example #16
| Source File: test_scmr.py From PiBunny with MIT License | 6 votes |
|
def test_RQueryServiceStatusEx(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RQueryServiceStatusEx()
request['hService'] = serviceHandle
request['InfoLevel'] = scmr.SC_STATUS_PROCESS_INFO
request['cbBufSize'] = 100
resp = dce.request(request)
array = ''.join(resp['lpBuffer'])
status = scmr.SERVICE_STATUS_PROCESS(array)
#status.dump()
# ToDo
Example #17
| Source File: test_scmr.py From PiBunny with MIT License | 6 votes |
|
def test_RQueryServiceConfigEx(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'RemoteRegistry\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RQueryServiceConfigEx()
request['hService'] = serviceHandle
request['dwInfoLevel'] = 0x00000008
#request.dump()
resp = dce.request(request)
resp.dump()
# ToDo
Example #18
| Source File: test_scmr.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
|
def te_RControlServiceExW(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RControlServiceExW()
request['hService'] = serviceHandle
request['dwControl'] = scmr.SERVICE_CONTROL_STOP
request['dwInfoLevel'] = 1
# This is not working, don't know exactly why
request['pControlInParams']['dwReason'] = 0x20000000
request['pControlInParams']['pszComment'] = 'nada\x00'
request['pControlInParams'] = NULL
resp = dce.request(request)
resp.dump()
# ToDo
Example #19
| Source File: serviceinstall.py From Slackor with GNU General Public License v3.0 | 5 votes |
|
def uninstall(self):
fileCopied = True
serviceCreated = True
# Do the stuff here
try:
# Let's get the shares
svcManager = self.openSvcManager()
if svcManager != 0:
resp = scmr.hROpenServiceW(self.rpcsvc, svcManager, self.__service_name+'\x00')
service = resp['lpServiceHandle']
LOG.info('Stopping service %s.....' % self.__service_name)
try:
scmr.hRControlService(self.rpcsvc, service, scmr.SERVICE_CONTROL_STOP)
except:
pass
LOG.info('Removing service %s.....' % self.__service_name)
scmr.hRDeleteService(self.rpcsvc, service)
scmr.hRCloseServiceHandle(self.rpcsvc, service)
scmr.hRCloseServiceHandle(self.rpcsvc, svcManager)
LOG.info('Removing file %s.....' % self.__binary_service_name)
self.connection.deleteFile(self.share, self.__binary_service_name)
except Exception:
LOG.critical("Error performing the uninstallation, cleaning up" )
try:
scmr.hRControlService(self.rpcsvc, service, scmr.SERVICE_CONTROL_STOP)
except:
pass
if fileCopied is True:
try:
self.connection.deleteFile(self.share, self.__binary_service_name)
except:
try:
self.connection.deleteFile(self.share, self.__binary_service_name)
except:
pass
pass
if serviceCreated is True:
try:
scmr.hRDeleteService(self.rpcsvc, service)
except:
pass
Example #20
| Source File: secretsdump.py From PiBunny with MIT License | 5 votes |
|
def __restore(self):
# First of all stop the service if it was originally stopped
if self.__shouldStop is True:
LOG.info('Stopping service %s' % self.__serviceName)
scmr.hRControlService(self.__scmr, self.__serviceHandle, scmr.SERVICE_CONTROL_STOP)
if self.__disabled is True:
LOG.info('Restoring the disabled state for service %s' % self.__serviceName)
scmr.hRChangeServiceConfigW(self.__scmr, self.__serviceHandle, dwStartType = 0x4)
if self.__serviceDeleted is False:
# Check again the service we created does not exist, starting a new connection
# Why?.. Hitting CTRL+C might break the whole existing DCE connection
try:
rpc = transport.DCERPCTransportFactory(r'ncacn_np:%s[\pipe\svcctl]' % self.__smbConnection.getRemoteHost())
if hasattr(rpc, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpc.set_credentials(*self.__smbConnection.getCredentials())
rpc.set_kerberos(self.__doKerberos, self.__kdcHost)
self.__scmr = rpc.get_dce_rpc()
self.__scmr.connect()
self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
# Open SC Manager
ans = scmr.hROpenSCManagerW(self.__scmr)
self.__scManagerHandle = ans['lpScHandle']
# Now let's open the service
resp = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, self.__tmpServiceName)
service = resp['lpServiceHandle']
scmr.hRDeleteService(self.__scmr, service)
scmr.hRControlService(self.__scmr, service, scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(self.__scmr, service)
scmr.hRCloseServiceHandle(self.__scmr, self.__serviceHandle)
scmr.hRCloseServiceHandle(self.__scmr, self.__scManagerHandle)
rpc.disconnect()
except Exception, e:
# If service is stopped it'll trigger an exception
# If service does not exist it'll trigger an exception
# So. we just wanna be sure we delete it, no need to
# show this exception message
pass
Example #21
| Source File: smbexec.py From Slackor with GNU General Public License v3.0 | 5 votes |
|
def finish(self):
# Just in case the service is still created
try:
self.__scmr = self.__rpc.get_dce_rpc()
self.__scmr.connect()
self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
resp = scmr.hROpenSCManagerW(self.__scmr)
self.__scHandle = resp['lpScHandle']
resp = scmr.hROpenServiceW(self.__scmr, self.__scHandle, self.__serviceName)
service = resp['lpServiceHandle']
scmr.hRDeleteService(self.__scmr, service)
scmr.hRControlService(self.__scmr, service, scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(self.__scmr, service)
except scmr.DCERPCException:
pass
Example #22
| Source File: test_rrp.py From Slackor with GNU General Public License v3.0 | 5 votes |
|
def connect(self):
if self.rrpStarted is not True:
dce, rpctransport, scHandle = self.connect_scmr()
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | \
scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, 'RemoteRegistry\x00', desiredAccess)
resp.dump()
serviceHandle = resp['lpServiceHandle']
try:
resp = scmr.hRStartServiceW(dce, serviceHandle )
except Exception as e:
if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') >=0:
pass
else:
raise
resp = scmr.hRCloseServiceHandle(dce, scHandle)
self.rrpStarted = True
rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
if len(self.hashes) > 0:
lmhash, nthash = self.hashes.split(':')
else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
#dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
dce.connect()
dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax = self.ts)
resp = rrp.hOpenLocalMachine(dce, MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)
return dce, rpctransport, resp['phKey']
Example #23
| Source File: test_scmr.py From PiBunny with MIT License | 5 votes |
|
def te_RNotifyServiceStatusChange(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
request = scmr.RNotifyServiceStatusChange()
request['hService'] =serviceHandle
request['NotifyParams']['tag'] = 1
request['NotifyParams']['pStatusChangeParam1']['dwNotifyMask'] = scmr.SERVICE_NOTIFY_RUNNING
request['pClientProcessGuid'] = '0'*16
#request.dump()
resp = dce.request(request)
resp.dump()
request = scmr.RCloseNotifyHandle()
request['phNotify'] = resp['phNotify']
resp = dce.request(request)
resp.dump()
request = scmr.RGetNotifyResults()
request['hNotify'] = resp['phNotify']
resp = dce.request(request)
resp.dump()
Example #24
| Source File: test_scmr.py From Slackor with GNU General Public License v3.0 | 5 votes |
|
def test_query(self):
dce, rpctransport, scHandle = self.connect()
############################
# Query Service Status / Enum Dependent
lpServiceName = 'PlugPlay\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
scmr.hRQueryServiceStatus(dce, serviceHandle)
cbBufSize = 0
try:
resp = scmr.hREnumDependentServicesW(dce, serviceHandle, scmr.SERVICE_STATE_ALL,cbBufSize )
resp.dump()
except scmr.DCERPCSessionError as e:
if str(e).find('ERROR_MORE_DATA') <= 0:
raise
else:
resp = e.get_packet()
resp.dump()
cbBufSize = resp['pcbBytesNeeded']
resp = scmr.hREnumDependentServicesW(dce, serviceHandle, scmr.SERVICE_STATE_ALL,cbBufSize )
resp.dump()
scmr.hRCloseServiceHandle(dce, serviceHandle)
scmr.hRCloseServiceHandle(dce, scHandle)
Example #25
| Source File: test_scmr.py From Slackor with GNU General Public License v3.0 | 5 votes |
|
def test_RControlServiceCall(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'CryptSvc\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
try:
req = scmr.RControlService()
req['hService'] = serviceHandle
req['dwControl'] = scmr.SERVICE_CONTROL_STOP
dce.request(req)
except Exception as e:
if str(e).find('ERROR_DEPENDENT_SERVICES_RUNNING') < 0 and str(e).find('ERROR_SERVICE_NOT_ACTIVE') < 0:
raise
pass
scmr.hRCloseServiceHandle(dce, serviceHandle)
import time
time.sleep(1)
resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess )
resp.dump()
serviceHandle = resp['lpServiceHandle']
try:
resp = scmr.hRStartServiceW(dce, serviceHandle, 0, NULL )
resp.dump()
except Exception as e:
if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') < 0:
raise
return
Example #26
| Source File: dump.py From CVE-2019-1040 with MIT License | 5 votes |
|
def __checkServiceStatus(self):
# Open SC Manager
ans = scmr.hROpenSCManagerW(self.__scmr)
self.__scManagerHandle = ans['lpScHandle']
# Now let's open the service
ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, self.__serviceName)
self.__serviceHandle = ans['lpServiceHandle']
# Let's check its status
ans = scmr.hRQueryServiceStatus(self.__scmr, self.__serviceHandle)
if ans['lpServiceStatus']['dwCurrentState'] == scmr.SERVICE_STOPPED:
LOG.info('Service %s is in stopped state'% self.__serviceName)
self.__shouldStop = True
self.__started = False
elif ans['lpServiceStatus']['dwCurrentState'] == scmr.SERVICE_RUNNING:
LOG.debug('Service %s is already running'% self.__serviceName)
self.__shouldStop = False
self.__started = True
else:
raise Exception('Unknown service state 0x%x - Aborting' % ans['CurrentState'])
# Let's check its configuration if service is stopped, maybe it's disabled :s
if self.__started is False:
ans = scmr.hRQueryServiceConfigW(self.__scmr,self.__serviceHandle)
if ans['lpServiceConfig']['dwStartType'] == 0x4:
LOG.info('Service %s is disabled, enabling it'% self.__serviceName)
self.__disabled = True
scmr.hRChangeServiceConfigW(self.__scmr, self.__serviceHandle, dwStartType = 0x3)
LOG.info('Starting service %s' % self.__serviceName)
scmr.hRStartServiceW(self.__scmr,self.__serviceHandle)
time.sleep(1)
Example #27
| Source File: dump.py From CVE-2019-1040 with MIT License | 5 votes |
|
def __restore(self):
# First of all stop the service if it was originally stopped
if self.__shouldStop is True:
LOG.info('Stopping service %s' % self.__serviceName)
scmr.hRControlService(self.__scmr, self.__serviceHandle, scmr.SERVICE_CONTROL_STOP)
if self.__disabled is True:
LOG.info('Restoring the disabled state for service %s' % self.__serviceName)
scmr.hRChangeServiceConfigW(self.__scmr, self.__serviceHandle, dwStartType = 0x4)
if self.__serviceDeleted is False:
# Check again the service we created does not exist, starting a new connection
# Why?.. Hitting CTRL+C might break the whole existing DCE connection
try:
rpc = transport.DCERPCTransportFactory(r'ncacn_np:%s[\pipe\svcctl]' % self.__smbConnection.getRemoteHost())
if hasattr(rpc, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpc.set_credentials(*self.__smbConnection.getCredentials())
rpc.set_kerberos(self.__doKerberos, self.__kdcHost)
self.__scmr = rpc.get_dce_rpc()
self.__scmr.connect()
self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
# Open SC Manager
ans = scmr.hROpenSCManagerW(self.__scmr)
self.__scManagerHandle = ans['lpScHandle']
# Now let's open the service
resp = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, self.__tmpServiceName)
service = resp['lpServiceHandle']
scmr.hRDeleteService(self.__scmr, service)
scmr.hRControlService(self.__scmr, service, scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(self.__scmr, service)
scmr.hRCloseServiceHandle(self.__scmr, self.__serviceHandle)
scmr.hRCloseServiceHandle(self.__scmr, self.__scManagerHandle)
rpc.disconnect()
except Exception as e:
# If service is stopped it'll trigger an exception
# If service does not exist it'll trigger an exception
# So. we just wanna be sure we delete it, no need to
# show this exception message
pass
Example #28
| Source File: smbexec.py From ActiveReign with GNU General Public License v3.0 | 5 votes |
|
def finish(self):
# Just in case the service is still created
try:
self.__scmr = self.__rpctransport.get_dce_rpc()
self.__scmr.connect()
self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
resp = scmr.hROpenSCManagerW(self.__scmr)
self.__scHandle = resp['lpScHandle']
resp = scmr.hROpenServiceW(self.__scmr, self.__scHandle, self.__serviceName)
service = resp['lpServiceHandle']
scmr.hRDeleteService(self.__scmr, service)
scmr.hRControlService(self.__scmr, service, scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(self.__scmr, service)
except:
pass
Example #29
| Source File: remotecmd.py From certitude with GNU General Public License v2.0 | 5 votes |
|
def __createService(self):
self.__log__(logging.DEBUG, 'Creating service')
try:
resp = scmr.hROpenServiceW(self.__dcerpc, self.__SVCManager, RemoteCmd.REMCOMSVC_SERVICE_NAME + '\x00')
self.__log__(logging.WARNING, 'Service already exists, renewing it')
try:
scmr.hRControlService(self.__dcerpc, resp['lpServiceHandle'], scmr.SERVICE_CONTROL_STOP)
time.sleep(1)
except:
pass
scmr.hRDeleteService(self.__dcerpc, resp['lpServiceHandle'])
scmr.hRCloseServiceHandle(self.__dcerpc, resp['lpServiceHandle'])
except:
pass
resp = scmr.hRCreateServiceW(
self.__dcerpc,
self.__SVCManager,
RemoteCmd.REMCOMSVC_SERVICE_NAME + '\x00',
RemoteCmd.REMCOMSVC_SERVICE_NAME + '\x00',
lpBinaryPathName = self.__getWritableUNCPath() + '\\' + RemoteCmd.REMCOMSVC_REMOTE + '\x00',
dwStartType=scmr.SERVICE_DEMAND_START,
)
resp = scmr.hROpenServiceW(self.__dcerpc, self.__SVCManager, RemoteCmd.REMCOMSVC_SERVICE_NAME + '\x00')
self.__service = resp['lpServiceHandle']
self.__pendingCleanupActions.append((self.__deleteService, 3))
return
# Drops the binary file to register as a service
Example #30
| Source File: serviceinstall.py From PiBunny with MIT License | 5 votes |
|
def uninstall(self):
fileCopied = True
serviceCreated = True
# Do the stuff here
try:
# Let's get the shares
svcManager = self.openSvcManager()
if svcManager != 0:
resp = scmr.hROpenServiceW(self.rpcsvc, svcManager, self.__service_name+'\x00')
service = resp['lpServiceHandle']
LOG.info('Stoping service %s.....' % self.__service_name)
try:
scmr.hRControlService(self.rpcsvc, service, scmr.SERVICE_CONTROL_STOP)
except:
pass
LOG.info('Removing service %s.....' % self.__service_name)
scmr.hRDeleteService(self.rpcsvc, service)
scmr.hRCloseServiceHandle(self.rpcsvc, service)
scmr.hRCloseServiceHandle(self.rpcsvc, svcManager)
LOG.info('Removing file %s.....' % self.__binary_service_name)
self.connection.deleteFile(self.share, self.__binary_service_name)
except Exception:
LOG.critical("Error performing the uninstallation, cleaning up" )
try:
scmr.hRControlService(self.rpcsvc, service, scmr.SERVICE_CONTROL_STOP)
except:
pass
if fileCopied is True:
try:
self.connection.deleteFile(self.share, self.__binary_service_name)
except:
try:
self.connection.deleteFile(self.share, self.__binary_service_name)
except:
pass
pass
if serviceCreated is True:
try:
scmr.hRDeleteService(self.rpcsvc, service)
except:
pass
