Handle existing service names
parent
fde4a3ea0a
commit
e76caccea0
|
@ -119,6 +119,33 @@ module Exploit::Remote::DCERPC_SERVICES
|
|||
return svc_handle, svc_status
|
||||
end
|
||||
|
||||
# Calls ChangeServiceConfig2() to change the service description.
|
||||
#
|
||||
# @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
|
||||
# @param svc_handle [String] the service handle to change.
|
||||
# @param service_description [String] the service description.
|
||||
#
|
||||
# @return [Integer] Windows error code
|
||||
def dce_changeservicedescription(dcerpc, svc_handle, service_description)
|
||||
svc_status = nil
|
||||
stubdata =
|
||||
svc_handle +
|
||||
NDR.long(1) + # dwInfoLevel = SERVICE_CONFIG_DESCRIPTION
|
||||
NDR.long(1) + # lpInfo -> *SERVICE_DESCRIPTION
|
||||
NDR.long(0x0200) + # SERVICE_DESCRIPTION struct
|
||||
NDR.long(0x04000200) +
|
||||
NDR.wstring(service_description)
|
||||
begin
|
||||
response = dcerpc.call(0x25, stubdata) # ChangeServiceConfig2
|
||||
svc_status = response.unpack('V').first
|
||||
rescue Rex::Proto::DCERPC::Exceptions::Fault => e
|
||||
print_error("#{peer} - Error changing service description : #{e}")
|
||||
end
|
||||
|
||||
svc_status
|
||||
end
|
||||
|
||||
|
||||
# Calls CloseHandle() to close a handle.
|
||||
#
|
||||
# @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
|
||||
|
@ -147,7 +174,7 @@ module Exploit::Remote::DCERPC_SERVICES
|
|||
# @param access [Fixnum] the level of access requested (default is maximum).
|
||||
#
|
||||
# @return [String, nil] the handle of the service opened, or nil on failure.
|
||||
def dce_openservicew(dcerpc, scm_handle, service_name, access = 0xF01FF)
|
||||
def dce_openservicew(dcerpc, scm_handle, service_name, access = SERVICE_ALL_ACCESS)
|
||||
svc_handle = nil
|
||||
svc_status = nil
|
||||
stubdata = scm_handle + NDR.wstring(service_name) + NDR.long(access)
|
||||
|
|
|
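Review bot: The `@return [Integer] Windows error code` tag on `dce_changeservicedescription` does not match the body: when `dcerpc.call` raises `Rex::Proto::DCERPC::Exceptions::Fault`, the rescue only prints and the method returns the initial `nil`, so the tag should read `# @return [Integer, nil] Windows error code, or nil if the call faulted`. The line `response.unpack('V').first` also assumes the call returned a string; whether `dcerpc.call` can return nil is not visible here, but `svc_status = response.unpack('V').first if response` would rule out a NoMethodError. The stub literals `0x0200` and `0x04000200` are explained only as "SERVICE_DESCRIPTION struct" and deserve a comment saying what each one encodes. In the second hunk, the `@param access` tag still says "default is maximum"; naming `SERVICE_ALL_ACCESS` there would keep the doc in step with the new signature.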
@ -61,25 +61,6 @@ module Exploit::Remote::SMB::Psexec
|
|||
end
|
||||
end
|
||||
|
||||
def change_service_description(svc_handle, service_description)
|
||||
svc_status = nil
|
||||
stubdata =
|
||||
svc_handle +
|
||||
NDR.long(1) + # dwInfoLevel = SERVICE_CONFIG_DESCRIPTION
|
||||
NDR.long(1) + # lpInfo -> *SERVICE_DESCRIPTION
|
||||
NDR.long(0x0200) + # SERVICE_DESCRIPTION struct
|
||||
NDR.long(0x04000200) +
|
||||
NDR.wstring(service_description)
|
||||
begin
|
||||
response = dcerpc.call(0x25, stubdata) # ChangeServiceConfig2
|
||||
svc_status = response.unpack('V').first
|
||||
rescue Rex::Proto::DCERPC::Exceptions::Fault => e
|
||||
print_error("#{peer} - Error changing service description : #{e}")
|
||||
end
|
||||
|
||||
svc_status
|
||||
end
|
||||
|
||||
# Executes a single windows command.
|
||||
#
|
||||
# If you want to retrieve the output of your command you'll have to
|
||||
|
@ -105,13 +86,12 @@ module Exploit::Remote::SMB::Psexec
|
|||
if scm_status == ERROR_ACCESS_DENIED
|
||||
print_error("#{peer} - ERROR_ACCESS_DENIED opening the Service Manager")
|
||||
end
|
||||
|
||||
return false unless scm_handle
|
||||
|
||||
vprint_status("#{peer} - Creating the service...")
|
||||
svc_handle, svc_status = dce_createservicew(dcerpc, scm_handle, service_name, display_name, command, {})
|
||||
|
||||
return false unless svc_handle && svc_status
|
||||
|
||||
case svc_status
|
||||
when ERROR_SUCCESS
|
||||
vprint_good("#{peer} - Successfully created the service")
|
||||
|
@ -131,7 +111,7 @@ module Exploit::Remote::SMB::Psexec
|
|||
|
||||
if service_description
|
||||
vprint_status("#{peer} - Changing service description...")
|
||||
change_service_description(svc_handle, service_description)
|
||||
dce_changeservicedescription(dcerpc, svc_handle, service_description)
|
||||
end
|
||||
|
||||
vprint_status("#{peer} - Starting the service...")
|
||||
|
|
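Review bot: The status returned by `dce_changeservicedescription(dcerpc, svc_handle, service_description)` in the last hunk is discarded, so a non-success Windows error code is never reported; only a DCERPC fault produces output, from inside the helper. Capturing it, e.g. `status = dce_changeservicedescription(dcerpc, svc_handle, service_description)` followed by `vprint_error("#{peer} - Changing service description failed (#{status})") unless status == ERROR_SUCCESS`, would match how `svc_status` is handled after `dce_createservicew` earlier in the same method. The old private `change_service_description` behaved the same way, so this is carried over rather than introduced. The enclosing method starts and ends outside the visible hunks.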