Refactor service_create
parent
5adc9e93f4
commit
9028060f7d
|
@ -276,28 +276,41 @@ module Services
|
|||
# Create a service that runs +executable_on_host+ on the session host
|
||||
#
|
||||
# @param name [String] Name of the service to be used as the key
|
||||
# @param display_name [String] Name of the service as displayed by mmc
|
||||
# @param executable_on_host [String] EXE on the remote filesystem to
|
||||
# be used as the service executable
|
||||
# @param startup [Fixnum] Constant used by CreateServiceA for startup
|
||||
# type: 2 for Auto, 3 for Manual, 4 for Disable. Default is Auto
|
||||
# @param opts [Hash] Settings to be modified
|
||||
# @param server [String,nil] A hostname or IP address. Default is the
|
||||
# remote localhost
|
||||
#
|
||||
# @return [true,false] True if there were no errors, false otherwise
|
||||
# @return [GetLastError] 0 if the function succeeds
|
||||
#
|
||||
def service_create(name, display_name, executable_on_host, startup=2, server=nil)
|
||||
def service_create(name, opts, server=nil)
|
||||
access = "SC_MANAGER_CONNECT | SC_MANAGER_CREATE_SERVICE | SC_MANAGER_QUERY_LOCK_STATUS"
|
||||
open_sc_manager(:host=>server, :access=>access) do |manager|
|
||||
|
||||
opts[:display] ||= Rex::Text.rand_text_alpha(8)
|
||||
opts[:desired_access] ||= "SERVICE_START"
|
||||
opts[:service_type] ||= "SERVICE_WIN32_OWN_PROCESS"
|
||||
opts[:starttype] ||= START_TYPE_AUTO
|
||||
opts[:error_control] ||= "SERVICE_ERROR_IGNORE"
|
||||
opts[:path] ||= nil
|
||||
opts[:logroup] ||= nil
|
||||
opts[:tag_id] ||= nil
|
||||
opts[:dependencies] ||= nil
|
||||
opts[:startname] ||= nil
|
||||
opts[:password] ||= nil
|
||||
|
||||
newservice = advapi32.CreateServiceA(manager,
|
||||
name,
|
||||
display_name,
|
||||
"SERVICE_START",
|
||||
"SERVICE_WIN32_OWN_PROCESS",
|
||||
startup,
|
||||
0,
|
||||
executable_on_host,
|
||||
nil, nil, nil, nil, nil
|
||||
opts[:display],
|
||||
opts[:desired_access],
|
||||
opts[:service_type],
|
||||
opts[:starttype],
|
||||
opts[:error_control],
|
||||
opts[:path],
|
||||
opts[:logroup],
|
||||
opts[:tag_id], # out
|
||||
opts[:dependencies],
|
||||
opts[:startname],
|
||||
opts[:password]
|
||||
)
|
||||
|
||||
if newservice
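Review bot: The return contract of `service_create` is unclear after this change: the doc block shows both `@return [true,false]` and `@return [GetLastError] 0 if the function succeeds` (the rendered page has lost its +/- markers, so one of them is presumably the removed line), and the callers touched by this commit disagree about it. The `if service_create(service_name, {:path => path, :display=>""})` caller treats the result as a boolean, which is always truthy in Ruby if an Integer error code comes back, while `install_driver` indexes `rc['GetLastError']` and `rc['return']` as if it were the railgun result hash. The method body continues past `if newservice`, outside this hunk, so the value actually returned is not visible here. I would settle on one shape, document it with a single tag such as `# @return [Integer] Windows error code, Windows::Error::SUCCESS on success`, and have the boolean-style caller compare against that constant.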
|
||||
|
|
|
@ -107,7 +107,13 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
print_status("#{server.ljust(16)} Creating service #{name}")
|
||||
|
||||
# 3 is Manual startup. Should probably have constants for this junk
|
||||
service_create(name, display_name, service_executable, 3, server)
|
||||
service_create(name,
|
||||
{
|
||||
:display => display_name,
|
||||
:path => service_executable,
|
||||
:starttype=> "START_TYPE_MANUAL"
|
||||
},
|
||||
server)
|
||||
|
||||
# If everything went well, this will create a session. If not, it
|
||||
# might be permissions issues or possibly we failed to create the
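Review bot: `:starttype=> "START_TYPE_MANUAL"` passes a quoted string, whereas the new default inside `service_create` is the bare constant `START_TYPE_AUTO` and the call this replaces passed the integer 3. Unless railgun resolves that string as a constant name (not visible here), the start type reaching CreateServiceA is no longer the Manual value; `:starttype => START_TYPE_MANUAL` would match the default, assuming that constant is defined next to `START_TYPE_AUTO`. Going by the hunk counts, the comment `# 3 is Manual startup. Should probably have constants for this junk` appears to survive as context and is stale now that no literal 3 is passed. The enclosing method starts and ends outside this hunk.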
|
||||
|
|
|
@ -56,7 +56,7 @@ class Metasploit3 < Msf::Exploit::Local
|
|||
|
||||
print_status("Trying to add a new service...")
|
||||
service_name = Rex::Text.rand_text_alpha((rand(8)+6))
|
||||
if service_create(service_name,"",path,startup=2)
|
||||
if service_create(service_name, {:path => path, :display=>""})
|
||||
print_status("Created service... #{service_name}")
|
||||
write_exe(path, service_name)
|
||||
if service_start(service_name) == ERROR::SUCCESS
|
||||
|
|
|
@ -77,7 +77,7 @@ class Metasploit3 < Msf::Post
|
|||
return
|
||||
end
|
||||
|
||||
inst = install_driver(driver: driver, start: start, name: name, error: error, service: service)
|
||||
inst = install_driver(path: driver, starttype: start, name: name, error_control: error, service_type: service)
|
||||
|
||||
if inst
|
||||
ss = service_start(name)
|
||||
|
@ -95,18 +95,7 @@ class Metasploit3 < Msf::Post
|
|||
end
|
||||
|
||||
def install_driver(opts={})
|
||||
service_all_access = 0xF01FF
|
||||
service_type = SERVICE_TYPE[opts[:service]]
|
||||
service_error_type = ERROR_TYPE[opts[:error]]
|
||||
service_start_type = START_TYPE[opts[:start]]
|
||||
advapi32 = client.railgun.advapi32
|
||||
name = opts[:name]
|
||||
# Default access: sc_manager_all_access (0xF003F)
|
||||
ro = open_sc_manager()
|
||||
|
||||
rc = advapi32.CreateServiceA(ro, name, name, service_all_access, service_type, service_start_type, service_error_type, opts[:driver], nil, nil, nil, nil, nil)
|
||||
close_sc_manager(ro)
|
||||
|
||||
rc = service_create(opts[:name], opts)
|
||||
if rc['GetLastError'] == Windows::Error::SUCCESS
|
||||
print_status("Service object \"#{name}\" added to the Service Control Manager database.")
|
||||
close_sc_manager(rc['return'])
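Review bot: `print_status("Service object \"#{name}\" added to the Service Control Manager database.")` still interpolates `name`, but going by the hunk counts (18 old lines, 7 new) the assignment `name = opts[:name]` is among the removed lines, so this would raise NameError unless a `name` method happens to be in scope; `#{opts[:name]}` avoids that. The removed body also translated `opts[:service]`, `opts[:error]` and `opts[:start]` through `SERVICE_TYPE`, `ERROR_TYPE` and `START_TYPE` and requested access 0xF01FF, while the new `service_create(opts[:name], opts)` call hands over the raw values and inherits the `"SERVICE_START"` default. If callers still pass lookup keys, that mapping has to happen somewhere before CreateServiceA, and it is worth confirming that the narrower access right is enough for what follows. The rest of `install_driver` lies outside the hunk.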
|
||||
|
|
|
@ -338,9 +338,10 @@ class Metasploit3 < Msf::Post
|
|||
def install_as_service(script_on_target)
|
||||
if is_system? or is_admin?
|
||||
print_status("Installing as service..")
|
||||
nam = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
print_status("Creating service #{nam}")
|
||||
datastore['ACTION'] == 'REXE' ? service_create(nam, nam, "cmd /c \"#{script_on_target}\"") : service_create(nam, nam, "cscript \"#{script_on_target}\"")
|
||||
datastore['ACTION'] == 'REXE' ? path = "cmd /c \"#{script_on_target}\"" : path = "cscript \"#{script_on_target}\""
|
||||
name = Rex::Text.rand_text_alpha(rand(8)+8)
|
||||
print_status("Creating service #{name}")
|
||||
service_create(name, {:path => path})
|
||||
|
||||
@clean_up_rc << "execute -H -f sc -a \"delete #{nam}\"\n"
|
||||
else
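Review bot: `@clean_up_rc << "execute -H -f sc -a \"delete #{nam}\"\n"` still references `nam`, which the hunk counts (9 old lines, 10 new) indicate was renamed to `name` in the lines above it. As written this would raise NameError after the service has already been created, and the delete command never reaches the cleanup script, so the service stays installed on the host. Change the line to `@clean_up_rc << "execute -H -f sc -a \"delete #{name}\"\n"`. The `else` branch and the end of `install_as_service` are outside the hunk.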
|
||||
|
|