github.com/n00py/Slackor@v0.0.0-20200610224921-d007fcea1740/impacket/tests/SMB_RPC/test_scmr.py (about) 1 ############################################################################### 2 # Tested so far: 3 # hRCloseServiceHandleCall 4 # RControlService 5 # RDeleteService 6 # RLockServiceDatabase 7 # RQueryServiceObjectSecurity 8 # RQueryServiceStatus 9 # RUnlockServiceDatabase 10 # RNotifyBootConfigStatus 11 # RChangeServiceConfigW 12 # RCreateServiceW 13 # REnumDependentServicesW 14 # REnumServicesStatusW 15 # ROpenSCManager 16 # ROpenServiceW 17 # RQueryServiceConfigW 18 # RQueryServiceLockStatusW 19 # RStartServiceW 20 # CRGetServiceDisplayNameW 21 # RGetServiceKeyNameW 22 # REnumServiceGroupW 23 # RChangeServiceConfig2W 24 # RQueryServiceConfig2W 25 # RQueryServiceStatusEx 26 # REnumServicesStatusExW 27 # RNotifyServiceStatusChange 28 # RGetNotifyResults 29 # RCloseNotifyHandle 30 # RControlServiceExW 31 # RQueryServiceConfigEx 32 # 33 # Not yet: 34 # 35 # RSetServiceObjectSecurity 36 # RSetServiceStatus 37 # RCreateServiceWOW64W 38 # 39 # Shouldn't dump errors against a win7 40 # 41 ################################################################################ 42 43 try: 44 import ConfigParser 45 except ImportError: 46 import configparser as ConfigParser 47 import unittest 48 from struct import unpack 49 50 from impacket.dcerpc.v5 import transport 51 from impacket.dcerpc.v5 import scmr, epm 52 from impacket.dcerpc.v5.ndr import NULL 53 from impacket.crypto import encryptSecret 54 from impacket.uuid import string_to_bin 55 from impacket import ntlm 56 57 58 class SCMRTests(unittest.TestCase): 59 def changeServiceAndQuery(self, dce, cbBufSize, hService, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName): 60 61 try: 62 resp = scmr.hRChangeServiceConfigW( dce, hService, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName) 63 64 resp = scmr.hRQueryServiceConfigW(dce, hService) 65 resp.dump() 66 # Now let's compare all the results 67 if dwServiceType != scmr.SERVICE_NO_CHANGE: 68 self.assertTrue( resp['lpServiceConfig']['dwServiceType'] == dwServiceType ) 69 if dwStartType != scmr.SERVICE_NO_CHANGE: 70 self.assertTrue( resp['lpServiceConfig']['dwStartType'] == dwStartType ) 71 if dwErrorControl != scmr.SERVICE_NO_CHANGE: 72 self.assertTrue( resp['lpServiceConfig']['dwErrorControl'] == dwErrorControl ) 73 if lpBinaryPathName != NULL: 74 self.assertTrue( resp['lpServiceConfig']['lpBinaryPathName'] == lpBinaryPathName ) 75 if lpBinaryPathName != NULL: 76 self.assertTrue( resp['lpServiceConfig']['lpBinaryPathName'] == lpBinaryPathName ) 77 if lpLoadOrderGroup != NULL: 78 self.assertTrue( resp['lpServiceConfig']['lpLoadOrderGroup'] == lpLoadOrderGroup ) 79 #if lpDependencies != '': 80 # self.assertTrue( resp['lpServiceConfig']['lpDependencies'] == lpDependencies[:-4]+'/\x00\x00\x00') 81 if lpServiceStartName != NULL: 82 self.assertTrue( resp['lpServiceConfig']['lpServiceStartName'] == lpServiceStartName ) 83 if lpDisplayName != NULL: 84 self.assertTrue( resp['lpServiceConfig']['lpDisplayName'] == lpDisplayName ) 85 #if lpdwTagId != scmr.SERVICE_NO_CHANGE: 86 # if resp['lpServiceConfig']['dwTagId']['Data'] != lpdwTagId: 87 # print "ERROR %s" % 'lpdwTagId' 88 except: 89 resp = scmr.hRDeleteService(dce, hService) 90 raise 91 92 def changeServiceAndQuery2(self, dce, info, changeDone): 93 serviceHandle = info['hService'] 94 dwInfoLevel = info['Info']['Union']['tag'] 95 cbBuffSize = 0 96 request = scmr.RQueryServiceConfig2W() 97 request['hService'] = serviceHandle 98 request['dwInfoLevel'] = dwInfoLevel 99 request['cbBufSize'] = cbBuffSize 100 try: 101 resp = dce.request(request) 102 except Exception as e: 103 if str(e).find('ERROR_INSUFFICIENT_BUFFER') <= 0: 104 raise 105 else: 106 resp = e.get_packet() 107 108 request['cbBufSize'] = resp['pcbBytesNeeded'] 109 resp = dce.request(request) 110 arrayData = b''.join(resp['lpBuffer']) 111 if dwInfoLevel == 1: 112 self.assertTrue(arrayData[4:].decode('utf-16le') == changeDone) 113 elif dwInfoLevel == 2: 114 offset = unpack('<L', arrayData[4:][:4])[0] 115 self.assertTrue(arrayData[offset:][:len(changeDone)*2].decode('utf-16le') == changeDone) 116 elif dwInfoLevel == 3: 117 self.assertTrue( unpack('<L', arrayData)[0] == changeDone) 118 elif dwInfoLevel == 4: 119 self.assertTrue( unpack('<L', arrayData)[0] == changeDone) 120 elif dwInfoLevel == 5: 121 self.assertTrue( unpack('<L', arrayData)[0] == changeDone) 122 elif dwInfoLevel == 6: 123 from builtins import bytes 124 changeDone = bytes(changeDone).decode('utf-16le') 125 self.assertTrue(arrayData[4:].decode('utf-16le') == changeDone) 126 elif dwInfoLevel == 7: 127 self.assertTrue( unpack('<L', arrayData)[0] == changeDone) 128 129 def connect(self): 130 rpctransport = transport.DCERPCTransportFactory(self.stringBinding) 131 if len(self.hashes) > 0: 132 lmhash, nthash = self.hashes.split(':') 133 else: 134 lmhash = '' 135 nthash = '' 136 if hasattr(rpctransport, 'set_credentials'): 137 # This method exists only for selected protocol sequences. 138 rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash) 139 dce = rpctransport.get_dce_rpc() 140 #dce.set_max_fragment_size(32) 141 dce.connect() 142 if self.__class__.__name__ == 'TCPTransport': 143 dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY) 144 dce.bind(scmr.MSRPC_UUID_SCMR) 145 #rpc = scmr.DCERPCSvcCtl(dce) 146 lpMachineName = 'DUMMY\x00' 147 lpDatabaseName = 'ServicesActive\x00' 148 desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS | scmr.SC_MANAGER_ENUMERATE_SERVICE 149 150 resp = scmr.hROpenSCManagerW(dce,lpMachineName, lpDatabaseName, desiredAccess) 151 scHandle = resp['lpScHandle'] 152 153 return dce, rpctransport, scHandle 154 155 def test_RChangeServiceConfig2W(self): 156 dce, rpctransport, scHandle = self.connect() 157 lpServiceName = 'TESTSVC\x00' 158 lpDisplayName = 'DisplayName\x00' 159 dwDesiredAccess = scmr.SERVICE_ALL_ACCESS 160 dwServiceType = scmr.SERVICE_WIN32_OWN_PROCESS 161 dwStartType = scmr.SERVICE_DEMAND_START 162 dwErrorControl = scmr.SERVICE_ERROR_NORMAL 163 lpBinaryPathName = 'binaryPath\x00' 164 lpLoadOrderGroup = NULL 165 lpdwTagId = NULL 166 lpDependencies = NULL 167 dwDependSize = 0 168 lpServiceStartName = NULL 169 lpPassword = NULL 170 dwPwSize = 0 171 resp = scmr.hRCreateServiceW(dce, scHandle, lpServiceName, lpDisplayName, dwDesiredAccess, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize) 172 resp.dump() 173 newHandle = resp['lpServiceHandle'] 174 error = False 175 try: 176 request = scmr.RChangeServiceConfig2W() 177 request['hService'] = newHandle 178 request['Info']['dwInfoLevel'] = 1 179 request['Info']['Union']['tag'] = 1 180 request['Info']['Union']['psd']['lpDescription'] = 'betobeto\x00' 181 resp = dce.request(request) 182 resp.dump() 183 self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psd']['lpDescription']) 184 request['Info']['dwInfoLevel'] = 2 185 request['Info']['Union']['tag'] = 2 186 request['Info']['Union']['psfa']['lpRebootMsg'] = 'rebootMsg\00' 187 request['Info']['Union']['psfa']['lpCommand'] = 'lpCommand\00' 188 resp = dce.request(request) 189 resp.dump() 190 self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psfa']['lpRebootMsg']) 191 request['Info']['dwInfoLevel'] = 3 192 request['Info']['Union']['tag'] = 3 193 request['Info']['Union']['psda']['fDelayedAutostart'] = 1 194 dce.request(request) 195 self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psda']['fDelayedAutostart']) 196 request['Info']['dwInfoLevel'] = 4 197 request['Info']['Union']['tag'] = 4 198 request['Info']['Union']['psfaf']['fFailureActionsOnNonCrashFailures'] = 1 199 dce.request(request) 200 self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psfaf']['fFailureActionsOnNonCrashFailures']) 201 request['Info']['dwInfoLevel'] = 5 202 request['Info']['Union']['tag'] = 5 203 request['Info']['Union']['pssid']['dwServiceSidType'] = 1 204 dce.request(request) 205 self.changeServiceAndQuery2(dce, request, request['Info']['Union']['pssid']['dwServiceSidType']) 206 request['Info']['dwInfoLevel'] = 6 207 request['Info']['Union']['tag'] = 6 208 request['Info']['Union']['psrp']['pRequiredPrivileges'] = list('SeAssignPrimaryTokenPrivilege\x00\x00'.encode('utf-16le')) 209 dce.request(request) 210 self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psrp']['pRequiredPrivileges']) 211 request['Info']['dwInfoLevel'] = 7 212 request['Info']['Union']['tag'] = 7 213 request['Info']['Union']['psps']['dwPreshutdownTimeout'] = 22 214 dce.request(request) 215 self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psps']['dwPreshutdownTimeout']) 216 request['Info']['dwInfoLevel'] = 8 217 request['Info']['Union']['tag'] = 8 218 #request.dump() 219 trigger = scmr.SERVICE_TRIGGER() 220 trigger['dwTriggerType'] = scmr.SERVICE_TRIGGER_TYPE_DOMAIN_JOIN 221 trigger['dwAction'] = scmr.SERVICE_TRIGGER_ACTION_SERVICE_START 222 trigger['pTriggerSubtype'] = string_to_bin(scmr.DOMAIN_JOIN_GUID) 223 item = scmr.SERVICE_TRIGGER_SPECIFIC_DATA_ITEM() 224 item['dwDataType'] = scmr.SERVICE_TRIGGER_DATA_TYPE_STRING 225 item['pData'] = list('FREEFLY\x00'.encode('utf-16le')) 226 #trigger['pDataItems'].append(item) 227 trigger['pDataItems'] = NULL 228 request['Info']['Union']['psti']['pTriggers'].append(trigger) 229 dce.request(request) 230 #self.changeServiceAndQuery2(dce, request, '\x00') 231 request['Info']['dwInfoLevel'] = 9 232 request['Info']['Union']['tag'] = 9 233 request['Info']['Union']['pspn']['usPreferredNode'] = 22 234 # This one doesn't work 235 #resp = dce.request(request) 236 #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['pspn']['usPreferredNode']) 237 request['Info']['dwInfoLevel'] = 10 238 request['Info']['Union']['tag'] = 10 239 request['Info']['Union']['psri']['eLowestRunLevel'] = 1 240 # This one doesn't work 241 #resp = dce.request(request) 242 #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psri']['eLowestRunLevel']) 243 request['Info']['dwInfoLevel'] = 11 244 request['Info']['Union']['tag'] = 11 245 request['Info']['Union']['psma']['fIsManagedAccount'] = 1 246 # This one doesn't work 247 #resp = dce.request(request) 248 #self.changeServiceAndQuery2(dce, request, request['Info']['Union']['psma']['fIsManagedAccount']) 249 250 except Exception as e: 251 import traceback 252 traceback.print_exc() 253 print(e) 254 error = True 255 pass 256 257 scmr.hRDeleteService(dce, newHandle) 258 scmr.hRCloseServiceHandle(dce, newHandle) 259 scmr.hRCloseServiceHandle(dce, scHandle) 260 if error: 261 self.assertTrue( 1 == 0 ) 262 263 def test_REnumServicesStatusExW(self): 264 dce, rpctransport, scHandle = self.connect() 265 266 request = scmr.REnumServicesStatusExW() 267 request['hSCManager'] = scHandle 268 request['InfoLevel'] = scmr.SC_STATUS_PROCESS_INFO 269 request['dwServiceType'] = scmr.SERVICE_WIN32_OWN_PROCESS 270 request['dwServiceState'] = scmr.SERVICE_STATE_ALL 271 request['lpResumeIndex'] = NULL 272 request['pszGroupName'] = NULL 273 request['cbBufSize'] = 0 274 #request.dump() 275 #print "\n" 276 277 # Request again with the right bufSize 278 try: 279 resp = dce.request(request) 280 except Exception as e: 281 if str(e).find('ERROR_MORE_DATA') <= 0: 282 raise 283 else: 284 resp = e.get_packet() 285 resp.dump() 286 request['cbBufSize'] = resp['pcbBytesNeeded'] 287 resp = dce.request(request) 288 resp.dump() 289 290 def test_RQueryServiceStatusEx(self): 291 dce, rpctransport, scHandle = self.connect() 292 lpServiceName = 'PlugPlay\x00' 293 desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS 294 295 resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess ) 296 resp.dump() 297 298 serviceHandle = resp['lpServiceHandle'] 299 300 request = scmr.RQueryServiceStatusEx() 301 request['hService'] = serviceHandle 302 request['InfoLevel'] = scmr.SC_STATUS_PROCESS_INFO 303 request['cbBufSize'] = 100 304 305 resp = dce.request(request) 306 array = b''.join(resp['lpBuffer']) 307 scmr.SERVICE_STATUS_PROCESS(array) 308 309 # ToDo 310 def te_REnumServiceGroupW(self): 311 dce, rpctransport, scHandle = self.connect() 312 313 314 dwServiceType = scmr.SERVICE_WIN32_OWN_PROCESS 315 dwServiceState = scmr.SERVICE_STATE_ALL 316 cbBufSize = 10 317 lpResumeIndex = 0 318 pszGroupName = 'RemoteRegistry\x00' 319 320 try: 321 resp = scmr.hREnumServiceGroupW(dce, scHandle, dwServiceType, dwServiceState, cbBufSize, lpResumeIndex, pszGroupName ) 322 resp.dump() 323 except Exception as e: 324 if str(e).find('ERROR_SERVICE_DOES_NOT_EXISTS') <= 0: 325 raise 326 327 scmr.hRCloseServiceHandle(dce, scHandle) 328 329 def test_RQueryServiceConfigEx(self): 330 dce, rpctransport, scHandle = self.connect() 331 lpServiceName = 'RemoteRegistry\x00' 332 desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS 333 334 resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess ) 335 resp.dump() 336 serviceHandle = resp['lpServiceHandle'] 337 338 request = scmr.RQueryServiceConfigEx() 339 request['hService'] = serviceHandle 340 request['dwInfoLevel'] = 0x00000008 341 #request.dump() 342 343 resp = dce.request(request) 344 resp.dump() 345 346 # ToDo 347 def te_RControlServiceExW(self): 348 dce, rpctransport, scHandle = self.connect() 349 lpServiceName = 'PlugPlay\x00' 350 desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS 351 352 resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess ) 353 resp.dump() 354 serviceHandle = resp['lpServiceHandle'] 355 356 request = scmr.RControlServiceExW() 357 request['hService'] = serviceHandle 358 request['dwControl'] = scmr.SERVICE_CONTROL_STOP 359 request['dwInfoLevel'] = 1 360 # This is not working, don't know exactly why 361 request['pControlInParams']['dwReason'] = 0x20000000 362 request['pControlInParams']['pszComment'] = 'nada\x00' 363 request['pControlInParams'] = NULL 364 365 resp = dce.request(request) 366 367 resp.dump() 368 369 # ToDo 370 def te_RNotifyServiceStatusChange(self): 371 dce, rpctransport, scHandle = self.connect() 372 lpServiceName = 'PlugPlay\x00' 373 desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS 374 375 resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess ) 376 resp.dump() 377 serviceHandle = resp['lpServiceHandle'] 378 379 request = scmr.RNotifyServiceStatusChange() 380 request['hService'] =serviceHandle 381 request['NotifyParams']['tag'] = 1 382 request['NotifyParams']['pStatusChangeParam1']['dwNotifyMask'] = scmr.SERVICE_NOTIFY_RUNNING 383 request['pClientProcessGuid'] = '0'*16 384 #request.dump() 385 resp = dce.request(request) 386 resp.dump() 387 388 request = scmr.RCloseNotifyHandle() 389 request['phNotify'] = resp['phNotify'] 390 391 resp = dce.request(request) 392 resp.dump() 393 394 request = scmr.RGetNotifyResults() 395 request['hNotify'] = resp['phNotify'] 396 397 resp = dce.request(request) 398 resp.dump() 399 400 def test_RGetServiceDisplayNameW(self): 401 dce, rpctransport, scHandle = self.connect() 402 403 lpServiceName = 'PlugPlay\x00' 404 lpcchBuffer = len(lpServiceName)+100 405 406 scmr.hRGetServiceDisplayNameW(dce, scHandle, lpServiceName, lpcchBuffer) 407 408 scmr.hRCloseServiceHandle(dce, scHandle) 409 410 def test_RGetServiceKeyNameW(self): 411 dce, rpctransport, scHandle = self.connect() 412 413 lpDisplayName = 'Plug and Play\x00' 414 lpcchBuffer = len(lpDisplayName)+100 415 416 scmr.hRGetServiceKeyNameW(dce, scHandle, lpDisplayName, lpcchBuffer) 417 418 scmr.hRCloseServiceHandle(dce, scHandle) 419 420 def test_RStartServiceW(self): 421 dce, rpctransport, scHandle = self.connect() 422 423 lpServiceName = 'PlugPlay\x00' 424 desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS 425 426 resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess ) 427 resp.dump() 428 serviceHandle = resp['lpServiceHandle'] 429 430 try: 431 scmr.hRStartServiceW(dce, serviceHandle, 3, ['arg1\x00', 'arg2\x00', 'arg3\x00'] ) 432 except Exception as e: 433 if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') <= 0: 434 raise 435 scmr.hRCloseServiceHandle(dce, scHandle) 436 437 def test_RQueryServiceLockStatusW(self): 438 dce, rpctransport, scHandle = self.connect() 439 440 pcbBytesNeeded = 1000 441 scmr.hRQueryServiceLockStatusW(dce, scHandle, pcbBytesNeeded) 442 443 scmr.hRCloseServiceHandle(dce, scHandle) 444 445 def test_enumservices(self): 446 dce, rpctransport, scHandle = self.connect() 447 448 ##################### 449 # EnumServicesStatusW 450 dwServiceType = scmr.SERVICE_KERNEL_DRIVER | scmr.SERVICE_FILE_SYSTEM_DRIVER | scmr.SERVICE_WIN32_OWN_PROCESS | scmr.SERVICE_WIN32_SHARE_PROCESS 451 dwServiceState = scmr.SERVICE_STATE_ALL 452 scmr.hREnumServicesStatusW(dce, scHandle, dwServiceType, dwServiceState) 453 454 scmr.hRCloseServiceHandle(dce, scHandle) 455 456 def test_create_change_delete(self): 457 dce, rpctransport, scHandle = self.connect() 458 459 ##################### 460 # Create / Change / Query / Delete a service 461 lpServiceName = 'TESTSVC\x00' 462 lpDisplayName = 'DisplayName\x00' 463 dwDesiredAccess = scmr.SERVICE_ALL_ACCESS 464 dwServiceType = scmr.SERVICE_WIN32_OWN_PROCESS 465 dwStartType = scmr.SERVICE_DEMAND_START 466 dwErrorControl = scmr.SERVICE_ERROR_NORMAL 467 lpBinaryPathName = 'binaryPath\x00' 468 lpLoadOrderGroup = NULL 469 lpdwTagId = NULL 470 lpDependencies = NULL 471 dwDependSize = 0 472 lpServiceStartName = NULL 473 lpPassword = NULL 474 dwPwSize = 0 475 resp = scmr.hRCreateServiceW(dce, scHandle, lpServiceName, lpDisplayName, dwDesiredAccess, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize) 476 resp.dump() 477 newHandle = resp['lpServiceHandle'] 478 479 # Aca hay que chequear cada uno de los items 480 cbBufSize = 0 481 try: 482 resp = scmr.hRQueryServiceConfigW(dce, newHandle) 483 except Exception as e: 484 if str(e).find('ERROR_INSUFFICIENT_BUFFER') <= 0: 485 raise 486 else: 487 resp = e.get_packet() 488 489 resp.dump() 490 cbBufSize = resp['pcbBytesNeeded']+100 491 492 # Now that we have cbBufSize, let's start changing everything on the service 493 dwServiceType = scmr.SERVICE_WIN32_SHARE_PROCESS 494 dwStartType = scmr.SERVICE_NO_CHANGE 495 dwErrorControl = scmr.SERVICE_NO_CHANGE 496 lpBinaryPathName = NULL 497 lpLoadOrderGroup = NULL 498 lpDependencies = NULL 499 dwDependSize = 0 500 lpServiceStartName = NULL 501 lpPassword = NULL 502 dwPwSize = 0 503 lpDisplayName = NULL 504 lpdwTagId = NULL 505 506 self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName) 507 dwServiceType = scmr.SERVICE_NO_CHANGE 508 509 dwStartType = scmr.SERVICE_DISABLED 510 self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName) 511 dwStartType = scmr.SERVICE_NO_CHANGE 512 513 dwErrorControl = scmr.SERVICE_ERROR_SEVERE 514 self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName) 515 dwErrorControl = scmr.SERVICE_NO_CHANGE 516 517 lpBinaryPathName = 'BETOBETO\x00' 518 self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName) 519 lpBinaryPathName = NULL 520 521 lpLoadOrderGroup = 'KKKK\x00' 522 self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName) 523 lpLoadOrderGroup = NULL 524 525 #lpdwTagId = [0] 526 #self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName) 527 #lpdwTagId = '' 528 529 lpDependencies = 'RemoteRegistry\x00\x00'.encode('utf-16le') 530 dwDependSize = len(lpDependencies) 531 self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName) 532 lpDependencies = NULL 533 dwDependSize = 0 534 535 lpServiceStartName = '.\\Administrator\x00' 536 self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName) 537 lpServiceStartName = NULL 538 539 if self.__class__.__name__ == 'SMBTransport': 540 lpPassword = 'mypwd\x00'.encode('utf-16le') 541 s = rpctransport.get_smb_connection() 542 key = s.getSessionKey() 543 lpPassword = encryptSecret(key, lpPassword) 544 dwPwSize = len(lpPassword) 545 self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName) 546 lpPassword = NULL 547 dwPwSize = 0 548 549 lpDisplayName = 'MANOLO\x00' 550 self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName) 551 552 scmr.hRDeleteService(dce, newHandle) 553 scmr.hRCloseServiceHandle(dce, newHandle) 554 scmr.hRCloseServiceHandle(dce, scHandle) 555 556 def test_query(self): 557 dce, rpctransport, scHandle = self.connect() 558 559 ############################ 560 # Query Service Status / Enum Dependent 561 lpServiceName = 'PlugPlay\x00' 562 desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS 563 564 resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess ) 565 resp.dump() 566 567 serviceHandle = resp['lpServiceHandle'] 568 569 scmr.hRQueryServiceStatus(dce, serviceHandle) 570 571 cbBufSize = 0 572 try: 573 resp = scmr.hREnumDependentServicesW(dce, serviceHandle, scmr.SERVICE_STATE_ALL,cbBufSize ) 574 resp.dump() 575 except scmr.DCERPCSessionError as e: 576 if str(e).find('ERROR_MORE_DATA') <= 0: 577 raise 578 else: 579 resp = e.get_packet() 580 581 resp.dump() 582 cbBufSize = resp['pcbBytesNeeded'] 583 resp = scmr.hREnumDependentServicesW(dce, serviceHandle, scmr.SERVICE_STATE_ALL,cbBufSize ) 584 resp.dump() 585 scmr.hRCloseServiceHandle(dce, serviceHandle) 586 scmr.hRCloseServiceHandle(dce, scHandle) 587 588 def test_lock_unlock(self): 589 dce, rpctransport, scHandle = self.connect() 590 591 resp = scmr.hRLockServiceDatabase(dce, scHandle) 592 lockHandle = resp['lpLock'] 593 scmr.hRUnlockServiceDatabase(dce, lockHandle) 594 595 scmr.hRCloseServiceHandle(dce, scHandle) 596 597 def test_query_set_object_security(self): 598 dce, rpctransport, scHandle = self.connect() 599 600 try: 601 resp = scmr.hRQueryServiceObjectSecurity(dce, scHandle, scmr.DACL_SECURITY_INFORMATION, 0) 602 resp.dump() 603 except Exception as e: 604 if str(e).find('rpc_s_access_denied') <= 0: 605 raise 606 607 scmr.hRCloseServiceHandle(dce, scHandle) 608 609 def atest_notify_config(self): 610 dce, rpctransport, scHandle = self.connect() 611 lpMachineName = 'DUMMY\x00' 612 613 try: 614 resp = scmr.hRNotifyBootConfigStatus(dce, lpMachineName, 0x0) 615 resp.dump() 616 except scmr.DCERPCSessionError as e: 617 if str(e).find('ERROR_BOOT_ALREADY_ACCEPTED') <= 0: 618 raise 619 620 scmr.hRCloseServiceHandle(dce, scHandle) 621 622 def test_RControlServiceCall(self): 623 dce, rpctransport, scHandle = self.connect() 624 lpServiceName = 'CryptSvc\x00' 625 desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS 626 627 resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess ) 628 resp.dump() 629 630 serviceHandle = resp['lpServiceHandle'] 631 632 try: 633 req = scmr.RControlService() 634 req['hService'] = serviceHandle 635 req['dwControl'] = scmr.SERVICE_CONTROL_STOP 636 dce.request(req) 637 except Exception as e: 638 if str(e).find('ERROR_DEPENDENT_SERVICES_RUNNING') < 0 and str(e).find('ERROR_SERVICE_NOT_ACTIVE') < 0: 639 raise 640 pass 641 642 scmr.hRCloseServiceHandle(dce, serviceHandle) 643 import time 644 time.sleep(1) 645 resp = scmr.hROpenServiceW(dce, scHandle, lpServiceName, desiredAccess ) 646 resp.dump() 647 648 serviceHandle = resp['lpServiceHandle'] 649 650 try: 651 resp = scmr.hRStartServiceW(dce, serviceHandle, 0, NULL ) 652 resp.dump() 653 except Exception as e: 654 if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') < 0: 655 raise 656 return 657 658 class SMBTransport(SCMRTests): 659 def setUp(self): 660 SCMRTests.setUp(self) 661 configFile = ConfigParser.ConfigParser() 662 configFile.read('dcetests.cfg') 663 self.username = configFile.get('SMBTransport', 'username') 664 self.domain = configFile.get('SMBTransport', 'domain') 665 self.serverName = configFile.get('SMBTransport', 'servername') 666 self.password = configFile.get('SMBTransport', 'password') 667 self.machine = configFile.get('SMBTransport', 'machine') 668 self.hashes = configFile.get('SMBTransport', 'hashes') 669 self.stringBinding = r'ncacn_np:%s[\pipe\svcctl]' % self.machine 670 671 class TCPTransport(SCMRTests): 672 def setUp(self): 673 SCMRTests.setUp(self) 674 configFile = ConfigParser.ConfigParser() 675 configFile.read('dcetests.cfg') 676 self.username = configFile.get('TCPTransport', 'username') 677 self.domain = configFile.get('TCPTransport', 'domain') 678 self.serverName = configFile.get('TCPTransport', 'servername') 679 self.password = configFile.get('TCPTransport', 'password') 680 self.machine = configFile.get('TCPTransport', 'machine') 681 self.hashes = configFile.get('TCPTransport', 'hashes') 682 #print epm.hept_map(self.machine, samr.MSRPC_UUID_SAMR, protocol = 'ncacn_ip_tcp') 683 self.stringBinding = epm.hept_map(self.machine, scmr.MSRPC_UUID_SCMR, protocol = 'ncacn_ip_tcp') 684 685 # Process command-line arguments. 686 if __name__ == '__main__': 687 import sys 688 if len(sys.argv) > 1: 689 testcase = sys.argv[1] 690 suite = unittest.TestLoader().loadTestsFromTestCase(globals()[testcase]) 691 else: 692 suite = unittest.TestLoader().loadTestsFromTestCase(SMBTransport) 693 #suite = unittest.TestLoader().loadTestsFromTestCase(TCPTransport) 694 suite.addTests(unittest.TestLoader().loadTestsFromTestCase(TCPTransport)) 695 unittest.TextTestRunner(verbosity=1).run(suite)