Python impacket.dcerpc.v5.scmr.hROpenServiceW() Examples
The following are 30
code examples of impacket.dcerpc.v5.scmr.hROpenServiceW().
Example #1
Source File: test_scmr.py From PiBunny with MIT License | 6 votes |
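def test_RControlServiceCall(self):
    """Open CryptSvc and send it SERVICE_CONTROL_STOP via a raw RControlService request.

    An error whose text contains ERROR_DEPENDENT_SERVICES_RUNNING is
    tolerated; every other error is re-raised.
    """
    dce, rpctransport, scHandle = self.connect()
    lpServiceName = 'CryptSvc\x00'
    desiredAccess = (
        scmr.SERVICE_START
        | scmr.SERVICE_STOP
        | scmr.SERVICE_CHANGE_CONFIG
        | scmr.SERVICE_QUERY_CONFIG
        | scmr.SERVICE_QUERY_STATUS
        | scmr.SERVICE_ENUMERATE_DEPENDENTS
    )
    resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess)
    resp.dump()
    serviceHandle = resp['lpServiceHandle']

    try:
        req = scmr.RControlService()
        req['hService'] = serviceHandle
        req['dwControl'] = scmr.SERVICE_CONTROL_STOP
        resp = dce.request(req)
    except Exception as e:
        # "except X as e" parses on Python 2.6+ and Python 3; the old
        # "except X, e" form is a syntax error on Python 3.
        if 'ERROR_DEPENDENT_SERVICES_RUNNING' not in str(e):
            raise
    # NOTE(review): this stops a real service on the host under test and the
    # visible code neither starts it again nor closes serviceHandle - run it
    # only against a disposable lab machine.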
Example #2
Source File: secretsdump.py From Slackor with GNU General Public License v3.0 | 6 votes |
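def getServiceAccount(self, serviceName):
    """Return the logon account configured for ``serviceName``, or None on failure.

    The service is opened through the existing SCMR session, its
    configuration is queried and ``lpServiceStartName`` is returned with the
    trailing NUL removed and a leading dot-backslash prefix stripped.
    Failures are logged unless the name ends in ``_history``.
    """
    try:
        # Open the service
        ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, serviceName)
        serviceHandle = ans['lpServiceHandle']
        try:
            resp = scmr.hRQueryServiceConfigW(self.__scmr, serviceHandle)
            # [:-1] drops the terminating NUL of the returned string.
            account = resp['lpServiceConfig']['lpServiceStartName'][:-1]
        finally:
            # Release the handle even when the query or parsing fails;
            # the original leaked it on that path.
            scmr.hRCloseServiceHandle(self.__scmr, serviceHandle)
        if account.startswith('.\\'):
            account = account[2:]
        return account
    except Exception as e:
        # Don't log if history service is not found, that should be normal
        if not serviceName.endswith("_history"):
            LOG.error(e)
        return None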
Example #3
Source File: test_scmr.py From Slackor with GNU General Public License v3.0 | 6 votes |
def test_RQueryServiceStatusEx(self):
    """Query PlugPlay with RQueryServiceStatusEx and parse the returned buffer."""
    dce, rpctransport, scHandle = self.connect()
    # NOTE(review): the mask also asks for start/stop/change-config rights
    # although only a status query follows; a narrower mask would presumably
    # be enough - confirm against the server's access checks.
    access_mask = (
        scmr.SERVICE_START
        | scmr.SERVICE_STOP
        | scmr.SERVICE_CHANGE_CONFIG
        | scmr.SERVICE_QUERY_CONFIG
        | scmr.SERVICE_QUERY_STATUS
        | scmr.SERVICE_ENUMERATE_DEPENDENTS
    )
    opened = scmr.hROpenServiceW(dce, scHandle, 'PlugPlay\x00', access_mask)
    opened.dump()

    query = scmr.RQueryServiceStatusEx()
    query['hService'] = opened['lpServiceHandle']
    query['InfoLevel'] = scmr.SC_STATUS_PROCESS_INFO
    query['cbBufSize'] = 100
    reply = dce.request(query)
    # lpBuffer is joined into one bytes object before being parsed.
    raw = b''.join(reply['lpBuffer'])
    scmr.SERVICE_STATUS_PROCESS(raw)

# ToDo
Example #4
Source File: test_scmr.py From Slackor with GNU General Public License v3.0 | 6 votes |
def test_RQueryServiceConfigEx(self):
    """Send RQueryServiceConfigEx (info level 8) for RemoteRegistry and dump the reply."""
    dce, rpctransport, scHandle = self.connect()
    # NOTE(review): only a configuration query follows, yet the mask also
    # requests start/stop/change-config rights - presumably broader than
    # needed; confirm before narrowing.
    access_mask = (
        scmr.SERVICE_START
        | scmr.SERVICE_STOP
        | scmr.SERVICE_CHANGE_CONFIG
        | scmr.SERVICE_QUERY_CONFIG
        | scmr.SERVICE_QUERY_STATUS
        | scmr.SERVICE_ENUMERATE_DEPENDENTS
    )
    opened = scmr.hROpenServiceW(dce, scHandle, 'RemoteRegistry\x00', access_mask)
    opened.dump()

    query = scmr.RQueryServiceConfigEx()
    query['hService'] = opened['lpServiceHandle']
    query['dwInfoLevel'] = 0x00000008
    # query.dump()  (left disabled in the original)
    reply = dce.request(query)
    reply.dump()

# ToDo
Example #5
Source File: test_scmr.py From Slackor with GNU General Public License v3.0 | 6 votes |
def te_RControlServiceExW(self):
    """Build an RControlServiceExW stop request for PlugPlay and send it.

    The ``te_`` prefix presumably keeps test collection from running this;
    the original comment states the call is not working.
    """
    dce, rpctransport, scHandle = self.connect()
    access_mask = (
        scmr.SERVICE_START
        | scmr.SERVICE_STOP
        | scmr.SERVICE_CHANGE_CONFIG
        | scmr.SERVICE_QUERY_CONFIG
        | scmr.SERVICE_QUERY_STATUS
        | scmr.SERVICE_ENUMERATE_DEPENDENTS
    )
    opened = scmr.hROpenServiceW(dce, scHandle, 'PlugPlay\x00', access_mask)
    opened.dump()

    stop_req = scmr.RControlServiceExW()
    stop_req['hService'] = opened['lpServiceHandle']
    stop_req['dwControl'] = scmr.SERVICE_CONTROL_STOP
    stop_req['dwInfoLevel'] = 1
    # This is not working, don't know exactly why
    stop_req['pControlInParams']['dwReason'] = 0x20000000
    stop_req['pControlInParams']['pszComment'] = 'nada\x00'
    # The two fields set just above are discarded here: the whole parameter
    # block is replaced by NULL before the request is sent.
    stop_req['pControlInParams'] = NULL
    reply = dce.request(stop_req)
    reply.dump()

# ToDo
Example #6
Source File: test_scmr.py From Slackor with GNU General Public License v3.0 | 6 votes |
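def test_RStartServiceW(self):
    """Start PlugPlay with three arguments; an already-running service is accepted."""
    dce, rpctransport, scHandle = self.connect()
    lpServiceName = 'PlugPlay\x00'
    desiredAccess = (
        scmr.SERVICE_START
        | scmr.SERVICE_STOP
        | scmr.SERVICE_CHANGE_CONFIG
        | scmr.SERVICE_QUERY_CONFIG
        | scmr.SERVICE_QUERY_STATUS
        | scmr.SERVICE_ENUMERATE_DEPENDENTS
    )
    resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess)
    resp.dump()
    serviceHandle = resp['lpServiceHandle']

    try:
        scmr.hRStartServiceW(dce, serviceHandle, 3, ['arg1\x00', 'arg2\x00', 'arg3\x00'])
    except Exception as e:
        # The original tested find(...) <= 0, which also treats a match at
        # offset 0 as "not found"; a membership test says what is meant.
        if 'ERROR_SERVICE_ALREADY_RUNNING' not in str(e):
            raise
    finally:
        # The original closed only the manager handle and leaked this one.
        scmr.hRCloseServiceHandle(dce, serviceHandle)
    scmr.hRCloseServiceHandle(dce, scHandle)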
Example #7
Source File: dump.py From CVE-2019-1040 with MIT License | 6 votes |
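def getServiceAccount(self, serviceName):
    """Look up the account a service runs as; return None when that fails.

    Reads ``lpServiceStartName`` from the service configuration, removes the
    trailing NUL and a leading dot-backslash prefix. Errors are logged
    unless ``serviceName`` ends in ``_history``.
    """
    try:
        # Open the service
        ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, serviceName)
        serviceHandle = ans['lpServiceHandle']
        try:
            resp = scmr.hRQueryServiceConfigW(self.__scmr, serviceHandle)
            # [:-1] drops the terminating NUL of the returned string.
            account = resp['lpServiceConfig']['lpServiceStartName'][:-1]
        finally:
            # Close the handle on the failure path too; the original only
            # closed it when the query succeeded.
            scmr.hRCloseServiceHandle(self.__scmr, serviceHandle)
        if account.startswith('.\\'):
            account = account[2:]
        return account
    except Exception as e:
        # Don't log if history service is not found, that should be normal
        if not serviceName.endswith("_history"):
            LOG.error(e)
        return None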
Example #8
Source File: dump.py From Exchange2domain with MIT License | 6 votes |
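def getServiceAccount(self, serviceName):
    """Return the account name stored in the service's configuration, or None.

    The value of ``lpServiceStartName`` is returned without its trailing NUL
    and without a leading dot-backslash prefix. Errors are logged unless
    ``serviceName`` ends in ``_history``.
    """
    try:
        # Open the service
        ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, serviceName)
        serviceHandle = ans['lpServiceHandle']
        try:
            resp = scmr.hRQueryServiceConfigW(self.__scmr, serviceHandle)
            account = resp['lpServiceConfig']['lpServiceStartName'][:-1]
        finally:
            # Always give the handle back, including when the query fails.
            scmr.hRCloseServiceHandle(self.__scmr, serviceHandle)
        if account.startswith('.\\'):
            account = account[2:]
        return account
    except Exception as e:
        # "as e" replaces the Python 2-only "except Exception, e" spelling,
        # which does not parse on Python 3.
        # Don't log if history service is not found, that should be normal
        if not serviceName.endswith("_history"):
            LOG.error(e)
        return None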
Example #9
Source File: test_scmr.py From cracke-dit with MIT License | 6 votes |
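def test_query(self):
    """Query PlugPlay's status, then probe its dependent services with an empty buffer.

    The zero-sized first call is expected to fail with ERROR_MORE_DATA; the
    reply packet attached to that error is kept in ``resp``.
    """
    dce, rpctransport, scHandle = self.connect()

    ############################
    # Query Service Status / Enum Dependent
    lpServiceName = 'PlugPlay\x00'
    desiredAccess = (
        scmr.SERVICE_START
        | scmr.SERVICE_STOP
        | scmr.SERVICE_CHANGE_CONFIG
        | scmr.SERVICE_QUERY_CONFIG
        | scmr.SERVICE_QUERY_STATUS
        | scmr.SERVICE_ENUMERATE_DEPENDENTS
    )
    resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess)
    resp.dump()
    serviceHandle = resp['lpServiceHandle']

    resp = scmr.hRQueryServiceStatus(dce, serviceHandle)
    cbBufSize = 0
    try:
        resp = scmr.hREnumDependentServicesW(dce, serviceHandle, scmr.SERVICE_STATE_ALL, cbBufSize)
        resp.dump()
    except scmr.DCERPCSessionError as e:
        # "as e" parses on Python 2.6+ and 3. The membership test replaces
        # find(...) <= 0, which also treated a match at offset 0 as a miss.
        if 'ERROR_MORE_DATA' not in str(e):
            raise
        resp = e.get_packet()
    # NOTE(review): the listing stops here; serviceHandle and scHandle are
    # still open at this point.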
Example #10
Source File: test_scmr.py From cracke-dit with MIT License | 6 votes |
def te_RControlServiceExW(self):
    """Assemble and send an RControlServiceExW stop request for PlugPlay.

    Named ``te_`` rather than ``test_``, presumably so it is not collected;
    the original author marks the call as not working.
    """
    dce, rpctransport, scHandle = self.connect()
    rights = (
        scmr.SERVICE_START
        | scmr.SERVICE_STOP
        | scmr.SERVICE_CHANGE_CONFIG
        | scmr.SERVICE_QUERY_CONFIG
        | scmr.SERVICE_QUERY_STATUS
        | scmr.SERVICE_ENUMERATE_DEPENDENTS
    )
    open_reply = scmr.hROpenServiceW(dce, scHandle, 'PlugPlay\x00', rights)
    open_reply.dump()

    control = scmr.RControlServiceExW()
    control['hService'] = open_reply['lpServiceHandle']
    control['dwControl'] = scmr.SERVICE_CONTROL_STOP
    control['dwInfoLevel'] = 1
    # This is not working, don't know exactly why
    control['pControlInParams']['dwReason'] = 0x20000000
    control['pControlInParams']['pszComment'] = 'nada\x00'
    # Overwrites the parameter block filled in above with NULL, so the
    # reason and comment never reach the wire.
    control['pControlInParams'] = NULL
    control_reply = dce.request(control)
    control_reply.dump()

# ToDo
Example #11
Source File: test_scmr.py From cracke-dit with MIT License | 6 votes |
def test_RQueryServiceConfigEx(self):
    """Request extended configuration (dwInfoLevel 8) for RemoteRegistry and dump it."""
    dce, rpctransport, scHandle = self.connect()
    rights = (
        scmr.SERVICE_START
        | scmr.SERVICE_STOP
        | scmr.SERVICE_CHANGE_CONFIG
        | scmr.SERVICE_QUERY_CONFIG
        | scmr.SERVICE_QUERY_STATUS
        | scmr.SERVICE_ENUMERATE_DEPENDENTS
    )
    open_reply = scmr.hROpenServiceW(dce, scHandle, 'RemoteRegistry\x00', rights)
    open_reply.dump()

    config_req = scmr.RQueryServiceConfigEx()
    config_req['hService'] = open_reply['lpServiceHandle']
    config_req['dwInfoLevel'] = 0x00000008
    # config_req.dump()  (disabled in the original)
    config_reply = dce.request(config_req)
    config_reply.dump()
    # NOTE(review): neither the service handle nor scHandle is closed here.

# ToDo
Example #12
Source File: test_scmr.py From PiBunny with MIT License | 6 votes |
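def test_query(self):
    """Query PlugPlay's status and enumerate its dependents with a zero-sized buffer.

    ERROR_MORE_DATA from the enumeration is the expected outcome; the packet
    carried by that error becomes ``resp``. Other errors propagate.
    """
    dce, rpctransport, scHandle = self.connect()

    ############################
    # Query Service Status / Enum Dependent
    lpServiceName = 'PlugPlay\x00'
    desiredAccess = (
        scmr.SERVICE_START
        | scmr.SERVICE_STOP
        | scmr.SERVICE_CHANGE_CONFIG
        | scmr.SERVICE_QUERY_CONFIG
        | scmr.SERVICE_QUERY_STATUS
        | scmr.SERVICE_ENUMERATE_DEPENDENTS
    )
    resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess)
    resp.dump()
    serviceHandle = resp['lpServiceHandle']

    resp = scmr.hRQueryServiceStatus(dce, serviceHandle)
    cbBufSize = 0
    try:
        resp = scmr.hREnumDependentServicesW(dce, serviceHandle, scmr.SERVICE_STATE_ALL, cbBufSize)
        resp.dump()
    except scmr.DCERPCSessionError as e:
        # Python 3-compatible except clause; "in" avoids the original
        # find(...) <= 0 test, which misread a match at offset 0.
        if 'ERROR_MORE_DATA' not in str(e):
            raise
        resp = e.get_packet()
    # NOTE(review): both handles remain open when the visible code ends.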
Example #13
Source File: test_scmr.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
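def test_query(self):
    """Read PlugPlay's status, then call hREnumDependentServicesW with cbBufSize 0.

    The undersized call is expected to raise ERROR_MORE_DATA, in which case
    the reply packet is taken from the exception. Anything else is re-raised.
    """
    dce, rpctransport, scHandle = self.connect()

    ############################
    # Query Service Status / Enum Dependent
    lpServiceName = 'PlugPlay\x00'
    desiredAccess = (
        scmr.SERVICE_START
        | scmr.SERVICE_STOP
        | scmr.SERVICE_CHANGE_CONFIG
        | scmr.SERVICE_QUERY_CONFIG
        | scmr.SERVICE_QUERY_STATUS
        | scmr.SERVICE_ENUMERATE_DEPENDENTS
    )
    resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess)
    resp.dump()
    serviceHandle = resp['lpServiceHandle']

    resp = scmr.hRQueryServiceStatus(dce, serviceHandle)
    cbBufSize = 0
    try:
        resp = scmr.hREnumDependentServicesW(dce, serviceHandle, scmr.SERVICE_STATE_ALL, cbBufSize)
        resp.dump()
    except scmr.DCERPCSessionError as e:
        # Rewritten from "except ..., e" (Python 2 only) and from
        # find(...) <= 0, which wrongly rejected a match at offset 0.
        if 'ERROR_MORE_DATA' not in str(e):
            raise
        resp = e.get_packet()
    # NOTE(review): serviceHandle and scHandle are not closed in the part of
    # the test shown here.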
Example #14
Source File: test_scmr.py From PiBunny with MIT License | 6 votes |
def te_RControlServiceExW(self):
    """Send an RControlServiceExW stop request (info level 1) to PlugPlay.

    The original comment says the call does not work; the ``te_`` name
    presumably keeps it out of normal test runs.
    """
    dce, rpctransport, scHandle = self.connect()
    wanted = (
        scmr.SERVICE_START
        | scmr.SERVICE_STOP
        | scmr.SERVICE_CHANGE_CONFIG
        | scmr.SERVICE_QUERY_CONFIG
        | scmr.SERVICE_QUERY_STATUS
        | scmr.SERVICE_ENUMERATE_DEPENDENTS
    )
    svc = scmr.hROpenServiceW(dce, scHandle, 'PlugPlay\x00', wanted)
    svc.dump()

    ctl = scmr.RControlServiceExW()
    ctl['hService'] = svc['lpServiceHandle']
    ctl['dwControl'] = scmr.SERVICE_CONTROL_STOP
    ctl['dwInfoLevel'] = 1
    # This is not working, don't know exactly why
    ctl['pControlInParams']['dwReason'] = 0x20000000
    ctl['pControlInParams']['pszComment'] = 'nada\x00'
    # Replacing the block with NULL throws away the two fields set above.
    ctl['pControlInParams'] = NULL
    answer = dce.request(ctl)
    answer.dump()

# ToDo
Example #15
Source File: test_scmr.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def test_RQueryServiceConfigEx(self):
    """Query RemoteRegistry with RQueryServiceConfigEx at info level 8 and dump the answer."""
    dce, rpctransport, scHandle = self.connect()
    wanted = (
        scmr.SERVICE_START
        | scmr.SERVICE_STOP
        | scmr.SERVICE_CHANGE_CONFIG
        | scmr.SERVICE_QUERY_CONFIG
        | scmr.SERVICE_QUERY_STATUS
        | scmr.SERVICE_ENUMERATE_DEPENDENTS
    )
    svc = scmr.hROpenServiceW(dce, scHandle, 'RemoteRegistry\x00', wanted)
    svc.dump()

    cfg = scmr.RQueryServiceConfigEx()
    cfg['hService'] = svc['lpServiceHandle']
    cfg['dwInfoLevel'] = 0x00000008
    # cfg.dump()  (kept disabled, as in the original)
    answer = dce.request(cfg)
    answer.dump()
    # NOTE(review): the handles opened above are left for connection
    # teardown to release; nothing here closes them.

# ToDo
Example #16
Source File: test_scmr.py From PiBunny with MIT License | 6 votes |
def test_RQueryServiceStatusEx(self):
    """Query PlugPlay with RQueryServiceStatusEx and build a SERVICE_STATUS_PROCESS from it."""
    dce, rpctransport, scHandle = self.connect()
    wanted = (
        scmr.SERVICE_START
        | scmr.SERVICE_STOP
        | scmr.SERVICE_CHANGE_CONFIG
        | scmr.SERVICE_QUERY_CONFIG
        | scmr.SERVICE_QUERY_STATUS
        | scmr.SERVICE_ENUMERATE_DEPENDENTS
    )
    svc = scmr.hROpenServiceW(dce, scHandle, 'PlugPlay\x00', wanted)
    svc.dump()

    query = scmr.RQueryServiceStatusEx()
    query['hService'] = svc['lpServiceHandle']
    query['InfoLevel'] = scmr.SC_STATUS_PROCESS_INFO
    query['cbBufSize'] = 100
    answer = dce.request(query)
    # Joined with a text-string separator, so this presumably targets
    # Python 2 byte strings - confirm before running on Python 3.
    raw = ''.join(answer['lpBuffer'])
    status = scmr.SERVICE_STATUS_PROCESS(raw)
    # status.dump()  (disabled in the original)

# ToDo
Example #17
Source File: test_scmr.py From PiBunny with MIT License | 6 votes |
def test_RQueryServiceConfigEx(self):
    """Ask the service manager for RemoteRegistry's level-8 configuration and dump it."""
    dce, rpctransport, scHandle = self.connect()
    mask = (
        scmr.SERVICE_START
        | scmr.SERVICE_STOP
        | scmr.SERVICE_CHANGE_CONFIG
        | scmr.SERVICE_QUERY_CONFIG
        | scmr.SERVICE_QUERY_STATUS
        | scmr.SERVICE_ENUMERATE_DEPENDENTS
    )
    handle_reply = scmr.hROpenServiceW(dce, scHandle, 'RemoteRegistry\x00', mask)
    handle_reply.dump()

    ex_query = scmr.RQueryServiceConfigEx()
    ex_query['hService'] = handle_reply['lpServiceHandle']
    ex_query['dwInfoLevel'] = 0x00000008
    # ex_query.dump()  (disabled in the original)
    ex_reply = dce.request(ex_query)
    ex_reply.dump()
    # NOTE(review): the mask is wider than a read-only query appears to
    # need - TODO confirm the minimum right the server accepts.

# ToDo
Example #18
Source File: test_scmr.py From CVE-2017-7494 with GNU General Public License v3.0 | 6 votes |
def te_RControlServiceExW(self):
    """Try to stop PlugPlay through RControlServiceExW.

    Marked by the original author as not working; the ``te_`` prefix
    presumably disables it.
    """
    dce, rpctransport, scHandle = self.connect()
    mask = (
        scmr.SERVICE_START
        | scmr.SERVICE_STOP
        | scmr.SERVICE_CHANGE_CONFIG
        | scmr.SERVICE_QUERY_CONFIG
        | scmr.SERVICE_QUERY_STATUS
        | scmr.SERVICE_ENUMERATE_DEPENDENTS
    )
    handle_reply = scmr.hROpenServiceW(dce, scHandle, 'PlugPlay\x00', mask)
    handle_reply.dump()

    ex_control = scmr.RControlServiceExW()
    ex_control['hService'] = handle_reply['lpServiceHandle']
    ex_control['dwControl'] = scmr.SERVICE_CONTROL_STOP
    ex_control['dwInfoLevel'] = 1
    # This is not working, don't know exactly why
    ex_control['pControlInParams']['dwReason'] = 0x20000000
    ex_control['pControlInParams']['pszComment'] = 'nada\x00'
    # The NULL assignment below supersedes both fields written above.
    ex_control['pControlInParams'] = NULL
    ex_reply = dce.request(ex_control)
    ex_reply.dump()

# ToDo
Example #19
Source File: serviceinstall.py From Slackor with GNU General Public License v3.0 | 5 votes |
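def uninstall(self):
    """Stop and delete the service, then delete its binary from the share.

    Best effort: when the main sequence fails, each cleanup step is
    attempted again on its own and individual failures are ignored.
    """
    fileCopied = True
    serviceCreated = True
    # Bound up front: the original error path could reference ``service``
    # before assignment and relied on a bare except to hide the NameError.
    service = None
    # Do the stuff here
    try:
        # Let's get the shares
        svcManager = self.openSvcManager()
        if svcManager != 0:
            resp = scmr.hROpenServiceW(self.rpcsvc, svcManager, self.__service_name+'\x00')
            service = resp['lpServiceHandle']
            LOG.info('Stopping service %s.....' % self.__service_name)
            try:
                scmr.hRControlService(self.rpcsvc, service, scmr.SERVICE_CONTROL_STOP)
            except Exception:
                # Stop failures are tolerated. "except Exception" no longer
                # swallows KeyboardInterrupt/SystemExit as the bare form did.
                pass
            LOG.info('Removing service %s.....' % self.__service_name)
            scmr.hRDeleteService(self.rpcsvc, service)
            scmr.hRCloseServiceHandle(self.rpcsvc, service)
            scmr.hRCloseServiceHandle(self.rpcsvc, svcManager)
        LOG.info('Removing file %s.....' % self.__binary_service_name)
        self.connection.deleteFile(self.share, self.__binary_service_name)
    except Exception:
        LOG.critical("Error performing the uninstallation, cleaning up" )
        if service is not None:
            try:
                scmr.hRControlService(self.rpcsvc, service, scmr.SERVICE_CONTROL_STOP)
            except Exception:
                pass
        if fileCopied is True:
            try:
                self.connection.deleteFile(self.share, self.__binary_service_name)
            except Exception:
                # One immediate retry, as in the original.
                try:
                    self.connection.deleteFile(self.share, self.__binary_service_name)
                except Exception:
                    pass
        if serviceCreated is True and service is not None:
            try:
                scmr.hRDeleteService(self.rpcsvc, service)
            except Exception:
                pass
        # NOTE(review): a failed cleanup leaves a service entry and a binary
        # behind on the remote host without saying which step failed;
        # consider logging each swallowed error so leftovers can be removed.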
Example #20
Source File: secretsdump.py From PiBunny with MIT License | 5 votes |
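def __restore(self):
    """Put the remote service back the way it was found and drop the temporary service.

    Stops the service if it was stopped originally, restores start type 0x4
    if it had been disabled, and - unless the temporary service is already
    flagged as deleted - reconnects to the service manager to delete it.
    Errors during that last phase are deliberately ignored.
    """
    # First of all stop the service if it was originally stopped
    if self.__shouldStop is True:
        LOG.info('Stopping service %s' % self.__serviceName)
        scmr.hRControlService(self.__scmr, self.__serviceHandle, scmr.SERVICE_CONTROL_STOP)
    if self.__disabled is True:
        LOG.info('Restoring the disabled state for service %s' % self.__serviceName)
        scmr.hRChangeServiceConfigW(self.__scmr, self.__serviceHandle, dwStartType = 0x4)
    if self.__serviceDeleted is False:
        # Check again the service we created does not exist, starting a new connection
        # Why?.. Hitting CTRL+C might break the whole existing DCE connection
        try:
            rpc = transport.DCERPCTransportFactory(r'ncacn_np:%s[\pipe\svcctl]' % self.__smbConnection.getRemoteHost())
            if hasattr(rpc, 'set_credentials'):
                # This method exists only for selected protocol sequences.
                rpc.set_credentials(*self.__smbConnection.getCredentials())
                rpc.set_kerberos(self.__doKerberos, self.__kdcHost)
            self.__scmr = rpc.get_dce_rpc()
            self.__scmr.connect()
            self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
            # Open SC Manager
            ans = scmr.hROpenSCManagerW(self.__scmr)
            self.__scManagerHandle = ans['lpScHandle']
            # Now let's open the service
            resp = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, self.__tmpServiceName)
            service = resp['lpServiceHandle']
            scmr.hRDeleteService(self.__scmr, service)
            scmr.hRControlService(self.__scmr, service, scmr.SERVICE_CONTROL_STOP)
            scmr.hRCloseServiceHandle(self.__scmr, service)
            # NOTE(review): __serviceHandle looks like it was issued on the
            # previous connection; if closing it here fails, the manager
            # handle and the transport below are never released - confirm.
            scmr.hRCloseServiceHandle(self.__scmr, self.__serviceHandle)
            scmr.hRCloseServiceHandle(self.__scmr, self.__scManagerHandle)
            rpc.disconnect()
        except Exception:
            # Was "except Exception, e" (Python 2 only, and e was unused).
            # If service is stopped it'll trigger an exception
            # If service does not exist it'll trigger an exception
            # So. we just wanna be sure we delete it, no need to
            # show this exception message
            pass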
Example #21
Source File: smbexec.py From Slackor with GNU General Public License v3.0 | 5 votes |
def finish(self):
    """Best-effort removal of the service in case it still exists.

    Re-binds to the service manager, opens the service by name, deletes it,
    sends a stop control and closes the service handle. Any
    scmr.DCERPCException along the way is ignored.
    """
    # Just in case the service is still created
    try:
        self.__scmr = self.__rpc.get_dce_rpc()
        self.__scmr.connect()
        self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
        manager = scmr.hROpenSCManagerW(self.__scmr)
        self.__scHandle = manager['lpScHandle']
        opened = scmr.hROpenServiceW(self.__scmr, self.__scHandle, self.__serviceName)
        leftover = opened['lpServiceHandle']
        scmr.hRDeleteService(self.__scmr, leftover)
        scmr.hRControlService(self.__scmr, leftover, scmr.SERVICE_CONTROL_STOP)
        scmr.hRCloseServiceHandle(self.__scmr, leftover)
        # NOTE(review): the manager handle stored in __scHandle is not
        # closed here.
    except scmr.DCERPCException:
        pass
Example #22
Source File: test_rrp.py From Slackor with GNU General Public License v3.0 | 5 votes |
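def connect(self):
    """Make sure RemoteRegistry is running, then bind to the registry interface.

    On the first call the service is started through SCMR (an
    already-running service is accepted). Every call then opens a fresh
    transport, binds to MSRPC_UUID_RRP and opens the local-machine hive.

    Returns:
        (dce, rpctransport, hive_handle) for the registry connection.
    """
    if self.rrpStarted is not True:
        dce, rpctransport, scHandle = self.connect_scmr()

        desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | \
                        scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS

        resp = scmr.hROpenServiceW(dce, scHandle, 'RemoteRegistry\x00', desiredAccess)
        resp.dump()
        serviceHandle = resp['lpServiceHandle']

        try:
            resp = scmr.hRStartServiceW(dce, serviceHandle)
        except Exception as e:
            if 'ERROR_SERVICE_ALREADY_RUNNING' not in str(e):
                raise
        # The original closed only the manager handle; release the service
        # handle as well.
        scmr.hRCloseServiceHandle(dce, serviceHandle)
        resp = scmr.hRCloseServiceHandle(dce, scHandle)
        self.rrpStarted = True

    rpctransport = transport.DCERPCTransportFactory(self.stringBinding)
    if len(self.hashes) > 0:
        lmhash, nthash = self.hashes.split(':')
    else:
        lmhash = ''
        nthash = ''
    if hasattr(rpctransport, 'set_credentials'):
        # This method exists only for selected protocol sequences.
        rpctransport.set_credentials(self.username, self.password, self.domain, lmhash, nthash)
    dce = rpctransport.get_dce_rpc()
    # NOTE(review): packet-integrity protection is left switched off below,
    # so the bind uses whatever authentication level the transport defaults
    # to - confirm that is intended for this test.
    #dce.set_auth_level(RPC_C_AUTHN_LEVEL_PKT_INTEGRITY)
    dce.connect()
    dce.bind(rrp.MSRPC_UUID_RRP, transfer_syntax = self.ts)
    resp = rrp.hOpenLocalMachine(dce, MAXIMUM_ALLOWED | rrp.KEY_WOW64_32KEY | rrp.KEY_ENUMERATE_SUB_KEYS)

    return dce, rpctransport, resp['phKey']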
Example #23
Source File: test_scmr.py From PiBunny with MIT License | 5 votes |
def te_RNotifyServiceStatusChange(self):
    """Register a status-change notification on PlugPlay, close it, then ask for results.

    Three raw requests are sent in order: RNotifyServiceStatusChange,
    RCloseNotifyHandle and RGetNotifyResults. The ``te_`` prefix presumably
    keeps the test from being collected.
    """
    dce, rpctransport, scHandle = self.connect()
    access_mask = (
        scmr.SERVICE_START
        | scmr.SERVICE_STOP
        | scmr.SERVICE_CHANGE_CONFIG
        | scmr.SERVICE_QUERY_CONFIG
        | scmr.SERVICE_QUERY_STATUS
        | scmr.SERVICE_ENUMERATE_DEPENDENTS
    )
    opened = scmr.hROpenServiceW(dce, scHandle, 'PlugPlay\x00', access_mask)
    opened.dump()

    notify_req = scmr.RNotifyServiceStatusChange()
    notify_req['hService'] = opened['lpServiceHandle']
    notify_req['NotifyParams']['tag'] = 1
    notify_req['NotifyParams']['pStatusChangeParam1']['dwNotifyMask'] = scmr.SERVICE_NOTIFY_RUNNING
    notify_req['pClientProcessGuid'] = '0'*16
    # notify_req.dump()  (disabled in the original)
    notify_reply = dce.request(notify_req)
    notify_reply.dump()

    close_req = scmr.RCloseNotifyHandle()
    close_req['phNotify'] = notify_reply['phNotify']
    close_reply = dce.request(close_req)
    close_reply.dump()

    # The handle used here is the one returned by the close call, exactly
    # as in the original. NOTE(review): querying results on a handle that
    # was just closed looks unintended - confirm.
    results_req = scmr.RGetNotifyResults()
    results_req['hNotify'] = close_reply['phNotify']
    results_reply = dce.request(results_req)
    results_reply.dump()
Example #24
Source File: test_scmr.py From Slackor with GNU General Public License v3.0 | 5 votes |
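def test_query(self):
    """Query PlugPlay's status and enumerate its dependent services.

    The first enumeration uses a zero-sized buffer and is expected to fail
    with ERROR_MORE_DATA; the size reported in that reply is used for the
    second call. Both handles are closed at the end.
    """
    dce, rpctransport, scHandle = self.connect()

    ############################
    # Query Service Status / Enum Dependent
    lpServiceName = 'PlugPlay\x00'
    desiredAccess = (
        scmr.SERVICE_START
        | scmr.SERVICE_STOP
        | scmr.SERVICE_CHANGE_CONFIG
        | scmr.SERVICE_QUERY_CONFIG
        | scmr.SERVICE_QUERY_STATUS
        | scmr.SERVICE_ENUMERATE_DEPENDENTS
    )
    resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess)
    resp.dump()
    serviceHandle = resp['lpServiceHandle']

    scmr.hRQueryServiceStatus(dce, serviceHandle)
    cbBufSize = 0
    try:
        resp = scmr.hREnumDependentServicesW(dce, serviceHandle, scmr.SERVICE_STATE_ALL, cbBufSize)
        resp.dump()
    except scmr.DCERPCSessionError as e:
        # Membership test instead of find(...) <= 0, which also treated a
        # match at offset 0 as "not found".
        if 'ERROR_MORE_DATA' not in str(e):
            raise
        resp = e.get_packet()

    resp.dump()
    # Retry with the buffer size the server asked for.
    cbBufSize = resp['pcbBytesNeeded']
    resp = scmr.hREnumDependentServicesW(dce, serviceHandle, scmr.SERVICE_STATE_ALL, cbBufSize)
    resp.dump()
    scmr.hRCloseServiceHandle(dce, serviceHandle)
    scmr.hRCloseServiceHandle(dce, scHandle)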
Example #25
Source File: test_scmr.py From Slackor with GNU General Public License v3.0 | 5 votes |
def test_RControlServiceCall(self):
    """Stop CryptSvc with a raw RControlService request, then start it again.

    Tolerated errors: ERROR_DEPENDENT_SERVICES_RUNNING and
    ERROR_SERVICE_NOT_ACTIVE on stop, ERROR_SERVICE_ALREADY_RUNNING on start.
    """
    dce, rpctransport, scHandle = self.connect()
    svc_name = 'CryptSvc\x00'
    access_mask = (
        scmr.SERVICE_START
        | scmr.SERVICE_STOP
        | scmr.SERVICE_CHANGE_CONFIG
        | scmr.SERVICE_QUERY_CONFIG
        | scmr.SERVICE_QUERY_STATUS
        | scmr.SERVICE_ENUMERATE_DEPENDENTS
    )
    opened = scmr.hROpenServiceW(dce, scHandle, svc_name, access_mask)
    opened.dump()
    handle = opened['lpServiceHandle']

    try:
        stop_req = scmr.RControlService()
        stop_req['hService'] = handle
        stop_req['dwControl'] = scmr.SERVICE_CONTROL_STOP
        dce.request(stop_req)
    except Exception as e:
        if 'ERROR_DEPENDENT_SERVICES_RUNNING' not in str(e) and 'ERROR_SERVICE_NOT_ACTIVE' not in str(e):
            raise
    scmr.hRCloseServiceHandle(dce, handle)

    import time
    time.sleep(1)

    reopened = scmr.hROpenServiceW(dce, scHandle, svc_name, access_mask)
    reopened.dump()
    handle = reopened['lpServiceHandle']
    try:
        started = scmr.hRStartServiceW(dce, handle, 0, NULL)
        started.dump()
    except Exception as e:
        if 'ERROR_SERVICE_ALREADY_RUNNING' not in str(e):
            raise
    # NOTE(review): if the start call fails, CryptSvc stays stopped on the
    # host under test; the second service handle and scHandle are also left
    # open here.
Example #26
Source File: dump.py From CVE-2019-1040 with MIT License | 5 votes |
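def __checkServiceStatus(self):
    """Open the target service, record its original state and make sure it is running.

    Stores the manager and service handles on the instance, sets
    ``__shouldStop``/``__started`` from the current state and, when the
    service is stopped, enables it if its start type is 0x4 (recording that
    in ``__disabled``) and starts it.

    Raises:
        Exception: if the service is neither stopped nor running.
    """
    # Open SC Manager
    ans = scmr.hROpenSCManagerW(self.__scmr)
    self.__scManagerHandle = ans['lpScHandle']
    # Now let's open the service
    ans = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, self.__serviceName)
    self.__serviceHandle = ans['lpServiceHandle']
    # Let's check its status
    ans = scmr.hRQueryServiceStatus(self.__scmr, self.__serviceHandle)
    currentState = ans['lpServiceStatus']['dwCurrentState']
    if currentState == scmr.SERVICE_STOPPED:
        LOG.info('Service %s is in stopped state'% self.__serviceName)
        self.__shouldStop = True
        self.__started = False
    elif currentState == scmr.SERVICE_RUNNING:
        LOG.debug('Service %s is already running'% self.__serviceName)
        self.__shouldStop = False
        self.__started = True
    else:
        # The original formatted ans['CurrentState'], a key the branches
        # above never use; the state is read from lpServiceStatus, so the
        # lookup would fail before this message could be raised.
        raise Exception('Unknown service state 0x%x - Aborting' % currentState)
    # Let's check its configuration if service is stopped, maybe it's disabled :s
    if self.__started is False:
        ans = scmr.hRQueryServiceConfigW(self.__scmr,self.__serviceHandle)
        if ans['lpServiceConfig']['dwStartType'] == 0x4:
            LOG.info('Service %s is disabled, enabling it'% self.__serviceName)
            # Remembered so the disabled state can be put back afterwards.
            self.__disabled = True
            scmr.hRChangeServiceConfigW(self.__scmr, self.__serviceHandle, dwStartType = 0x3)
        LOG.info('Starting service %s' % self.__serviceName)
        scmr.hRStartServiceW(self.__scmr,self.__serviceHandle)
        time.sleep(1)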
Example #27
Source File: dump.py From CVE-2019-1040 with MIT License | 5 votes |
def __restore(self):
    """Undo the service changes made earlier and delete the temporary service.

    Order: stop the service if it was originally stopped, set start type
    0x4 again if it had been disabled, then - unless the temporary service
    is already flagged as deleted - reconnect and delete it. Failures in
    that last phase are swallowed on purpose.
    """
    # First of all stop the service if it was originally stopped
    if self.__shouldStop is True:
        LOG.info('Stopping service %s' % self.__serviceName)
        scmr.hRControlService(self.__scmr, self.__serviceHandle, scmr.SERVICE_CONTROL_STOP)
    if self.__disabled is True:
        LOG.info('Restoring the disabled state for service %s' % self.__serviceName)
        scmr.hRChangeServiceConfigW(self.__scmr, self.__serviceHandle, dwStartType = 0x4)
    if self.__serviceDeleted is False:
        # Check again the service we created does not exist, starting a new connection
        # Why?.. Hitting CTRL+C might break the whole existing DCE connection
        try:
            binding = r'ncacn_np:%s[\pipe\svcctl]' % self.__smbConnection.getRemoteHost()
            rpc = transport.DCERPCTransportFactory(binding)
            if hasattr(rpc, 'set_credentials'):
                # This method exists only for selected protocol sequences.
                rpc.set_credentials(*self.__smbConnection.getCredentials())
                rpc.set_kerberos(self.__doKerberos, self.__kdcHost)
            self.__scmr = rpc.get_dce_rpc()
            self.__scmr.connect()
            self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
            # Open SC Manager
            manager = scmr.hROpenSCManagerW(self.__scmr)
            self.__scManagerHandle = manager['lpScHandle']
            # Now let's open the service
            opened = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, self.__tmpServiceName)
            tmpService = opened['lpServiceHandle']
            scmr.hRDeleteService(self.__scmr, tmpService)
            scmr.hRControlService(self.__scmr, tmpService, scmr.SERVICE_CONTROL_STOP)
            scmr.hRCloseServiceHandle(self.__scmr, tmpService)
            # NOTE(review): __serviceHandle appears to come from the earlier
            # connection; if this close raises, the two lines after it are
            # skipped and the new transport stays connected - confirm.
            scmr.hRCloseServiceHandle(self.__scmr, self.__serviceHandle)
            scmr.hRCloseServiceHandle(self.__scmr, self.__scManagerHandle)
            rpc.disconnect()
        except Exception:
            # If service is stopped it'll trigger an exception
            # If service does not exist it'll trigger an exception
            # So. we just wanna be sure we delete it, no need to
            # show this exception message
            pass
Example #28
Source File: smbexec.py From ActiveReign with GNU General Public License v3.0 | 5 votes |
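def finish(self):
    """Best-effort removal of the service in case it still exists.

    Re-binds to the service manager, opens the service by name, deletes it,
    sends a stop control and closes the service handle. Errors are ignored.
    """
    # Just in case the service is still created
    try:
        self.__scmr = self.__rpctransport.get_dce_rpc()
        self.__scmr.connect()
        self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
        resp = scmr.hROpenSCManagerW(self.__scmr)
        self.__scHandle = resp['lpScHandle']
        resp = scmr.hROpenServiceW(self.__scmr, self.__scHandle, self.__serviceName)
        service = resp['lpServiceHandle']
        scmr.hRDeleteService(self.__scmr, service)
        scmr.hRControlService(self.__scmr, service, scmr.SERVICE_CONTROL_STOP)
        scmr.hRCloseServiceHandle(self.__scmr, service)
    except Exception:
        # Was a bare "except:", which also swallowed KeyboardInterrupt and
        # SystemExit. Ordinary errors are still ignored.
        # NOTE(review): a silent failure here means the service may still be
        # registered on the remote host; consider logging the error.
        pass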
Example #29
Source File: remotecmd.py From certitude with GNU General Public License v2.0 | 5 votes |
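def __createService(self):
    """Register the remote-command service, replacing an existing one of the same name.

    An existing service is stopped, deleted and its handle closed first
    (errors ignored). The service is then created as demand-start with a
    binary path on a writable UNC share, reopened, and its handle stored in
    ``__service``; a deferred delete action is queued for cleanup.
    """
    self.__log__(logging.DEBUG, 'Creating service')

    try:
        resp = scmr.hROpenServiceW(self.__dcerpc, self.__SVCManager, RemoteCmd.REMCOMSVC_SERVICE_NAME + '\x00')
        self.__log__(logging.WARNING, 'Service already exists, renewing it')

        try:
            scmr.hRControlService(self.__dcerpc, resp['lpServiceHandle'], scmr.SERVICE_CONTROL_STOP)
            time.sleep(1)
        except Exception:
            # Stop failures are tolerated; "except Exception" no longer
            # hides KeyboardInterrupt/SystemExit the way a bare except did.
            pass

        scmr.hRDeleteService(self.__dcerpc, resp['lpServiceHandle'])
        scmr.hRCloseServiceHandle(self.__dcerpc, resp['lpServiceHandle'])

    except Exception:
        # Reached when the open fails (presumably because the service does
        # not exist yet) or when deleting a stale one fails.
        pass

    # NOTE(review): the service binary is loaded from a share this code can
    # write to. Anyone else able to write there could swap the file that the
    # service manager will execute - confirm the share's ACL is restricted.
    # Service installation is also recorded by the host (System log, event
    # 7045), which is expected noise for this tool and worth allow-listing.
    resp = scmr.hRCreateServiceW(
        self.__dcerpc,
        self.__SVCManager,
        RemoteCmd.REMCOMSVC_SERVICE_NAME + '\x00',
        RemoteCmd.REMCOMSVC_SERVICE_NAME + '\x00',
        lpBinaryPathName = self.__getWritableUNCPath() + '\\' + RemoteCmd.REMCOMSVC_REMOTE + '\x00',
        dwStartType=scmr.SERVICE_DEMAND_START,
    )

    # NOTE(review): the create response above is discarded and the service
    # is opened again; any handle returned by the create call appears to be
    # left open - confirm.
    resp = scmr.hROpenServiceW(self.__dcerpc, self.__SVCManager, RemoteCmd.REMCOMSVC_SERVICE_NAME + '\x00')
    self.__service = resp['lpServiceHandle']
    self.__pendingCleanupActions.append((self.__deleteService, 3))
    return

# Drops the binary file to register as a service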
Example #30
Source File: serviceinstall.py From PiBunny with MIT License | 5 votes |
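def uninstall(self):
    """Remove the service and its binary from the remote host.

    Main path: open the service, stop it (failure tolerated), delete it,
    close both handles, delete the binary from the share. If that raises,
    stop, file deletion and service deletion are each retried best-effort.
    """
    fileCopied = True
    serviceCreated = True
    # Assigned before the try so the error path can tell whether the
    # service was ever opened; the original could hit an unbound name there
    # and relied on a bare except to hide it.
    service = None
    # Do the stuff here
    try:
        # Let's get the shares
        svcManager = self.openSvcManager()
        if svcManager != 0:
            resp = scmr.hROpenServiceW(self.rpcsvc, svcManager, self.__service_name+'\x00')
            service = resp['lpServiceHandle']
            LOG.info('Stoping service %s.....' % self.__service_name)
            try:
                scmr.hRControlService(self.rpcsvc, service, scmr.SERVICE_CONTROL_STOP)
            except Exception:
                # Narrowed from a bare except so KeyboardInterrupt and
                # SystemExit are no longer swallowed.
                pass
            LOG.info('Removing service %s.....' % self.__service_name)
            scmr.hRDeleteService(self.rpcsvc, service)
            scmr.hRCloseServiceHandle(self.rpcsvc, service)
            scmr.hRCloseServiceHandle(self.rpcsvc, svcManager)
        LOG.info('Removing file %s.....' % self.__binary_service_name)
        self.connection.deleteFile(self.share, self.__binary_service_name)
    except Exception:
        LOG.critical("Error performing the uninstallation, cleaning up" )
        if service is not None:
            try:
                scmr.hRControlService(self.rpcsvc, service, scmr.SERVICE_CONTROL_STOP)
            except Exception:
                pass
        if fileCopied is True:
            try:
                self.connection.deleteFile(self.share, self.__binary_service_name)
            except Exception:
                # Second and last attempt, as in the original.
                try:
                    self.connection.deleteFile(self.share, self.__binary_service_name)
                except Exception:
                    pass
        if serviceCreated is True and service is not None:
            try:
                scmr.hRDeleteService(self.rpcsvc, service)
            except Exception:
                pass
        # NOTE(review): nothing reports which cleanup step failed, so a
        # service entry or binary can remain on the host unnoticed; consider
        # logging the swallowed errors.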