Handle existing service names

bug/bundler_fix
Meatballs 2014-04-02 23:16:58 +01:00
parent fde4a3ea0a
commit e76caccea0
2 changed files with 30 additions and 23 deletions


@ -119,6 +119,33 @@ module Exploit::Remote::DCERPC_SERVICES
return svc_handle, svc_status
end
# Calls ChangeServiceConfig2() to change the service description.
#
# @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
# @param svc_handle [String] the service handle to change.
# @param service_description [String] the service description.
#
# @return [Integer] Windows error code
def dce_changeservicedescription(dcerpc, svc_handle, service_description)
svc_status = nil
stubdata =
svc_handle +
NDR.long(1) + # dwInfoLevel = SERVICE_CONFIG_DESCRIPTION
NDR.long(1) + # lpInfo -> *SERVICE_DESCRIPTION
NDR.long(0x0200) + # SERVICE_DESCRIPTION struct
NDR.long(0x04000200) +
NDR.wstring(service_description)
begin
response = dcerpc.call(0x25, stubdata) # ChangeServiceConfig2
svc_status = response.unpack('V').first
rescue Rex::Proto::DCERPC::Exceptions::Fault => e
print_error("#{peer} - Error changing service description : #{e}")
end
svc_status
end
# Calls CloseHandle() to close a handle.
#
# @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
@ -147,7 +174,7 @@ module Exploit::Remote::DCERPC_SERVICES
# @param access [Fixnum] the level of access requested (default is maximum).
#
# @return [String, nil] the handle of the service opened, or nil on failure.
def dce_openservicew(dcerpc, scm_handle, service_name, access = 0xF01FF)
def dce_openservicew(dcerpc, scm_handle, service_name, access = SERVICE_ALL_ACCESS)
svc_handle = nil
svc_status = nil
stubdata = scm_handle + NDR.wstring(service_name) + NDR.long(access)
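Review bot: The `@return [Integer]` tag on dce_changeservicedescription is not accurate: the `rescue Rex::Proto::DCERPC::Exceptions::Fault` branch prints the error and falls through to return a nil svc_status, and a response shorter than four bytes also leaves `response.unpack('V').first` nil. Changing it to `# @return [Integer, nil] Windows error code, or nil if the ChangeServiceConfig2 call faulted.` keeps it consistent with the `[String, nil]` documentation on dce_openservicew in the second hunk. It is also worth stating in the docstring that a non-zero status word is returned to the caller rather than printed, since the rescue only covers DCERPC faults. In the second hunk the new default `access = SERVICE_ALL_ACCESS` depends on that constant being visible to the mixin; it is not defined here, so presumably it comes from a shared constants module — worth confirming. dce_openservicew's body continues past the end of the hunk.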


@ -61,25 +61,6 @@ module Exploit::Remote::SMB::Psexec
end
end
def change_service_description(svc_handle, service_description)
svc_status = nil
stubdata =
svc_handle +
NDR.long(1) + # dwInfoLevel = SERVICE_CONFIG_DESCRIPTION
NDR.long(1) + # lpInfo -> *SERVICE_DESCRIPTION
NDR.long(0x0200) + # SERVICE_DESCRIPTION struct
NDR.long(0x04000200) +
NDR.wstring(service_description)
begin
response = dcerpc.call(0x25, stubdata) # ChangeServiceConfig2
svc_status = response.unpack('V').first
rescue Rex::Proto::DCERPC::Exceptions::Fault => e
print_error("#{peer} - Error changing service description : #{e}")
end
svc_status
end
# Executes a single windows command.
#
# If you want to retrieve the output of your command you'll have to
@ -105,13 +86,12 @@ module Exploit::Remote::SMB::Psexec
if scm_status == ERROR_ACCESS_DENIED
print_error("#{peer} - ERROR_ACCESS_DENIED opening the Service Manager")
end
return false unless scm_handle
vprint_status("#{peer} - Creating the service...")
svc_handle, svc_status = dce_createservicew(dcerpc, scm_handle, service_name, display_name, command, {})
return false unless svc_handle && svc_status
case svc_status
when ERROR_SUCCESS
vprint_good("#{peer} - Successfully created the service")
@ -131,7 +111,7 @@ module Exploit::Remote::SMB::Psexec
if service_description
vprint_status("#{peer} - Changing service description...")
change_service_description(svc_handle, service_description)
dce_changeservicedescription(dcerpc, svc_handle, service_description)
end
vprint_status("#{peer} - Starting the service...")
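Review bot: The status returned by `dce_changeservicedescription(dcerpc, svc_handle, service_description)` in the last hunk is discarded, so a non-zero ChangeServiceConfig2 result is never reported here — the helper only prints on a DCERPC fault — and the flow proceeds straight to starting the service. If a failed description change is meant to be non-fatal, make that visible: `status = dce_changeservicedescription(dcerpc, svc_handle, service_description)` followed by `print_error("#{peer} - ChangeServiceConfig2 returned status #{status}") if status && status != ERROR_SUCCESS`. The nil guard avoids a second message when the helper has already reported a fault. The enclosing method begins before the hunk and continues after it.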