From e76caccea02794a9f1a656c560fa40e8bf80a948 Mon Sep 17 00:00:00 2001
From: Meatballs
Date: Wed, 2 Apr 2014 23:16:58 +0100
Subject: [PATCH] Handle existing service names
---
 lib/msf/core/exploit/dcerpc_services.rb | 29 ++++++++++++++++++++++++-
 lib/msf/core/exploit/smb/psexec.rb | 24 ++------------------
 2 files changed, 30 insertions(+), 23 deletions(-)
diff --git a/lib/msf/core/exploit/dcerpc_services.rb b/lib/msf/core/exploit/dcerpc_services.rb
index ba88bc51a7..a6713c8752 100644
--- a/lib/msf/core/exploit/dcerpc_services.rb
+++ b/lib/msf/core/exploit/dcerpc_services.rb
@@ -119,6 +119,33 @@ module Exploit::Remote::DCERPC_SERVICES
 return svc_handle, svc_status
 end
+ # Calls ChangeServiceConfig2() to change the service description.
+ #
+ # @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
+ # @param svc_handle [String] the service handle to change.
+ # @param service_description [String] the service description.
+ #
+ # @return [Integer] Windows error code
+ def dce_changeservicedescription(dcerpc, svc_handle, service_description)
+ svc_status = nil
+ stubdata =
+ svc_handle +
+ NDR.long(1) + # dwInfoLevel = SERVICE_CONFIG_DESCRIPTION
+ NDR.long(1) + # lpInfo -> *SERVICE_DESCRIPTION
+ NDR.long(0x0200) + # SERVICE_DESCRIPTION struct
+ NDR.long(0x04000200) +
+ NDR.wstring(service_description)
+ begin
+ response = dcerpc.call(0x25, stubdata) # ChangeServiceConfig2
+ svc_status = response.unpack('V').first
+ rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+ print_error("#{peer} - Error changing service description : #{e}")
+ end
+
+ svc_status
+ end
+
+
+
 # Calls CloseHandle() to close a handle.
 #
 # @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
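Review bot: The `# @return [Integer] Windows error code` tag on dce_changeservicedescription does not match the body: svc_status starts as nil and is only assigned when dcerpc.call succeeds, so the rescue path returns nil, and `response.unpack('V').first` is nil as well if the reply is shorter than four bytes. Suggest `# @return [Integer, nil] Windows error code, or nil if the call faulted or the reply was too short`. The `NDR.long(0x04000200) +` field is the only stub word without a trailing comment; a note saying what it encodes would help the next reader, as it cannot be inferred from the hunk. The psexec caller in this same patch discards the return value, so the nil is harmless today but should be documented before anyone starts checking it.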
@@ -147,7 +174,7 @@ module Exploit::Remote::DCERPC_SERVICES
 # @param access [Fixnum] the level of access requested (default is maximum).
 #
 # @return [String, nil] the handle of the service opened, or nil on failure.
- def dce_openservicew(dcerpc, scm_handle, service_name, access = 0xF01FF)
+ def dce_openservicew(dcerpc, scm_handle, service_name, access = SERVICE_ALL_ACCESS)
 svc_handle = nil
 svc_status = nil
 stubdata = scm_handle + NDR.wstring(service_name) + NDR.long(access)
diff --git a/lib/msf/core/exploit/smb/psexec.rb b/lib/msf/core/exploit/smb/psexec.rb
index 01593ee423..3ce2159bfa 100644
--- a/lib/msf/core/exploit/smb/psexec.rb
+++ b/lib/msf/core/exploit/smb/psexec.rb
@@ -61,25 +61,6 @@ module Exploit::Remote::SMB::Psexec
 end
 end
- def change_service_description(svc_handle, service_description)
- svc_status = nil
- stubdata =
- svc_handle +
- NDR.long(1) + # dwInfoLevel = SERVICE_CONFIG_DESCRIPTION
- NDR.long(1) + # lpInfo -> *SERVICE_DESCRIPTION
- NDR.long(0x0200) + # SERVICE_DESCRIPTION struct
- NDR.long(0x04000200) +
- NDR.wstring(service_description)
- begin
- response = dcerpc.call(0x25, stubdata) # ChangeServiceConfig2
- svc_status = response.unpack('V').first
- rescue Rex::Proto::DCERPC::Exceptions::Fault => e
- print_error("#{peer} - Error changing service description : #{e}")
- end
-
- svc_status
- end
-
 # Executes a single windows command.
 #
 # If you want to retrieve the output of your command you'll have to
@@ -105,13 +86,12 @@ module Exploit::Remote::SMB::Psexec
 if scm_status == ERROR_ACCESS_DENIED
 print_error("#{peer} - ERROR_ACCESS_DENIED opening the Service Manager")
 end
+ return false unless scm_handle
 vprint_status("#{peer} - Creating the service...")
 svc_handle, svc_status = dce_createservicew(dcerpc, scm_handle, service_name, display_name, command, {})
- return false unless svc_handle && svc_status
-
 case svc_status
 when ERROR_SUCCESS
 vprint_good("#{peer} - Successfully created the service")
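Review bot: SERVICE_ALL_ACCESS replaces the literal 0xF01FF as the default for dce_openservicew's access argument, but the constant is not defined anywhere in this patch; if it is not already in scope in Exploit::Remote::DCERPC_SERVICES, the default is evaluated on every call that omits access and raises NameError. Worth confirming that it resolves to the same value as the old literal so callers see no change in the rights requested. The `# @param access [Fixnum] ... (default is maximum)` line above still matches; the method body continues past the hunk.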
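Review bot: Dropping `return false unless svc_handle && svc_status` means a failed dce_createservicew (nil svc_handle) now reaches `case svc_status` and, unless every non-ERROR_SUCCESS branch returns, continues into the later change-description and start-service calls with a nil handle; the case statement and the rest of the method run past the hunk, so I cannot confirm every branch exits. A nil svc_status, which dce_createservicew can presumably yield on a fault, matches no `when` and falls through silently; an `else` branch, or a guard after the case such as `return false unless svc_handle`, would close both gaps. The new `return false unless scm_handle` is an improvement, but when scm_status is anything other than ERROR_ACCESS_DENIED the method now returns false without reporting why; consider `print_error("#{peer} - Error #{scm_status} opening the Service Manager")` on that path. The enclosing method starts before the hunk.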
@@ -131,7 +111,7 @@ module Exploit::Remote::SMB::Psexec
 if service_description
 vprint_status("#{peer} - Changing service description...")
- change_service_description(svc_handle, service_description)
+ dce_changeservicedescription(dcerpc, svc_handle, service_description)
 end
 vprint_status("#{peer} - Starting the service...")