Moar constants
parent
ae8d08c793
commit
fd7f35d8b2
|
@ -11,12 +11,47 @@ module Exploit::Remote::DCERPC_SERVICES
|
|||
|
||||
SC_MANAGER_ALL_ACCESS = 0xF003F
|
||||
SERVICE_ALL_ACCESS = 0x0F01FF
|
||||
|
||||
ERROR_SUCCESS = 0x0
|
||||
ERROR_FILE_NOT_FOUND = 0x2
|
||||
ERROR_ACCESS_DENIED = 0x5
|
||||
ERROR_SERVICE_REQUEST_TIMEOUT = 0x41D
|
||||
ERROR_SERVICE_EXISTS = 0x431
|
||||
|
||||
CLOSE_SERVICE_HANDLE = 0x00
|
||||
CONTROL_SERVICE = 0x01
|
||||
DELETE_SERVICE = 0x02
|
||||
QUERY_SERVICE_STATUS = 0x05
|
||||
CHANGE_SERVICE_CONFIG_W = 0x0b
|
||||
CREATE_SERVICE_W = 0x0c
|
||||
OPEN_SC_MANAGER_W = 0x0f
|
||||
OPEN_SERVICE_W = 0x10
|
||||
CHANGE_SERVICE_CONFIG2_W = 0x25
|
||||
|
||||
SERVICE_WIN32_OWN_PROCESS = 0x10
|
||||
SERVICE_INTERACTIVE_PROCESS = 0x100
|
||||
|
||||
SERVICE_BOOT_START = 0x00
|
||||
SERVICE_SYSTEM_START = 0x01
|
||||
SERVICE_AUTO_START = 0x02
|
||||
SERVICE_DEMAND_START = 0x03
|
||||
SERVICE_DISABLED = 0x04
|
||||
|
||||
SERVICE_ERROR_IGNORE = 0x0
|
||||
|
||||
SERVICE_CONFIG_DESCRIPTION = 0x01
|
||||
|
||||
SERVICE_CONTROL_STOP = 0x01
|
||||
|
||||
# Returns the Windows Error Code in numeric format
|
||||
#
|
||||
# @param raw_error [String] the raw error code in binary format.
|
||||
#
|
||||
# @return [Integer] the Windows Error Code integer.
|
||||
def error_code(raw_error)
|
||||
raw_error.unpack('V').first
|
||||
end
|
||||
|
||||
# Calls OpenSCManagerW() to obtain a handle to the service control manager.
|
||||
#
|
||||
# @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
|
||||
|
@ -33,9 +68,9 @@ module Exploit::Remote::DCERPC_SERVICES
|
|||
NDR.long(0) +
|
||||
NDR.long(access)
|
||||
begin
|
||||
response = dcerpc.call(0x0f, stubdata)
|
||||
response = dcerpc.call(OPEN_SC_MANAGER_W, stubdata)
|
||||
if response
|
||||
scm_status = response[20,4].unpack('V').first
|
||||
scm_status = error_code(response[20,4])
|
||||
if scm_status == ERROR_SUCCESS
|
||||
scm_handle = response[0,20]
|
||||
end
|
||||
|
@ -74,10 +109,10 @@ module Exploit::Remote::DCERPC_SERVICES
|
|||
# error code.
|
||||
def dce_createservicew(dcerpc, scm_handle, service_name, display_name, binary_path, opts)
|
||||
default_opts = {
|
||||
:access => SERVICE_ALL_ACCESS, # Maximum access.
|
||||
:type => 0x00000110, # Interactive, own process.
|
||||
:start => 0x00000003, # Start on demand.
|
||||
:errors => 0x00000000,# Ignore errors.
|
||||
:access => SERVICE_ALL_ACCESS,
|
||||
:type => SERVICE_WIN32_OWN_PROCESS || SERVICE_INTERACTIVE_PROCESS,
|
||||
:start => SERVICE_DEMAND_START,
|
||||
:errors => SERVICE_ERROR_IGNORE,
|
||||
:load_order_group => 0,
|
||||
:dependencies => 0,
|
||||
:service_start => 0,
|
||||
|
@ -105,9 +140,9 @@ module Exploit::Remote::DCERPC_SERVICES
|
|||
NDR.long(default_opts[:password3]) +
|
||||
NDR.long(default_opts[:password4])
|
||||
begin
|
||||
response = dcerpc.call(0x0c, stubdata)
|
||||
response = dcerpc.call(CREATE_SERVICE_W, stubdata)
|
||||
if response
|
||||
svc_status = response[24,4].unpack('V').first
|
||||
svc_status = error_code(response[24,4])
|
||||
|
||||
if svc_status == ERROR_SUCCESS
|
||||
svc_handle = response[4,20]
|
||||
|
@ -131,14 +166,14 @@ module Exploit::Remote::DCERPC_SERVICES
|
|||
svc_status = nil
|
||||
stubdata =
|
||||
svc_handle +
|
||||
NDR.long(1) + # dwInfoLevel = SERVICE_CONFIG_DESCRIPTION
|
||||
NDR.long(SERVICE_CONFIG_DESCRIPTION) +
|
||||
NDR.long(1) + # lpInfo -> *SERVICE_DESCRIPTION
|
||||
NDR.long(0x0200) + # SERVICE_DESCRIPTION struct
|
||||
NDR.long(0x04000200) +
|
||||
NDR.wstring(service_description)
|
||||
begin
|
||||
response = dcerpc.call(0x25, stubdata) # ChangeServiceConfig2
|
||||
svc_status = response.unpack('V').first
|
||||
response = dcerpc.call(CHANGE_SERVICE_CONFIG2_W, stubdata) # ChangeServiceConfig2
|
||||
svc_status = error_code(response)
|
||||
rescue Rex::Proto::DCERPC::Exceptions::Fault => e
|
||||
print_error("#{peer} - Error changing service description : #{e}")
|
||||
end
|
||||
|
@ -156,9 +191,9 @@ module Exploit::Remote::DCERPC_SERVICES
|
|||
def dce_closehandle(dcerpc, handle)
|
||||
svc_status = nil
|
||||
begin
|
||||
response = dcerpc.call(0x0, handle)
|
||||
response = dcerpc.call(CLOSE_SERVICE_HANDLE, handle)
|
||||
if response
|
||||
svc_status = response[20,4].unpack('V').first
|
||||
svc_status = error_code(response[20,4])
|
||||
end
|
||||
rescue Rex::Proto::DCERPC::Exceptions::Fault => e
|
||||
print_error("#{peer} - Error closing service handle: #{e}")
|
||||
|
@ -180,9 +215,9 @@ module Exploit::Remote::DCERPC_SERVICES
|
|||
svc_status = nil
|
||||
stubdata = scm_handle + NDR.wstring(service_name) + NDR.long(access)
|
||||
begin
|
||||
response = dcerpc.call(0x10, stubdata)
|
||||
response = dcerpc.call(OPEN_SERVICE_W, stubdata)
|
||||
if response
|
||||
svc_status = response[20,4]
|
||||
svc_status = error_code(response[20,4])
|
||||
if svc_status == ERROR_SUCCESS
|
||||
svc_handle = response[0,20]
|
||||
end
|
||||
|
@ -211,7 +246,7 @@ module Exploit::Remote::DCERPC_SERVICES
|
|||
begin
|
||||
response = dcerpc.call(0x13, stubdata)
|
||||
if response
|
||||
svc_status = response[0,4].unpack('V').first
|
||||
svc_status = error_code(response)
|
||||
end
|
||||
rescue Rex::Proto::DCERPC::Exceptions::Fault => e
|
||||
print_error("#{peer} - Error starting service: #{e}")
|
||||
|
@ -228,7 +263,7 @@ module Exploit::Remote::DCERPC_SERVICES
|
|||
#
|
||||
# @return [Integer] Windows error code
|
||||
def dce_stopservice(dcerpc, svc_handle)
|
||||
return dce_controlservice(dcerpc, svc_handle, 1)
|
||||
return dce_controlservice(dcerpc, svc_handle, SERVICE_CONTROL_STOP)
|
||||
end
|
||||
|
||||
# Controls an existing service.
|
||||
|
@ -243,9 +278,9 @@ module Exploit::Remote::DCERPC_SERVICES
|
|||
def dce_controlservice(dcerpc, svc_handle, operation)
|
||||
svc_status = nil
|
||||
begin
|
||||
response = dcerpc.call(0x01, svc_handle + NDR.long(operation))
|
||||
response = dcerpc.call(CONTROL_SERVICE, svc_handle + NDR.long(operation))
|
||||
if response
|
||||
svc_status = dcerpc.last_response.stub_data[28,4].unpack('V').first
|
||||
svc_status = error_code(response[28,4])
|
||||
end
|
||||
rescue Rex::Proto::DCERPC::Exceptions::Fault => e
|
||||
print_error("#{peer} - Error controlling service: #{e}")
|
||||
|
@ -264,9 +299,9 @@ module Exploit::Remote::DCERPC_SERVICES
|
|||
def dce_deleteservice(dcerpc, svc_handle)
|
||||
svc_status = nil
|
||||
begin
|
||||
response = dcerpc.call(0x02, svc_handle)
|
||||
response = dcerpc.call(DELETE_SERVICE, svc_handle)
|
||||
if response
|
||||
svc_status = response[0,4].unpack('V').first
|
||||
svc_status = error_code(response)
|
||||
end
|
||||
rescue Rex::Proto::DCERPC::Exceptions::Fault => e
|
||||
print_error("#{peer} - Error deleting service: #{e}")
|
||||
|
@ -288,7 +323,7 @@ module Exploit::Remote::DCERPC_SERVICES
|
|||
ret = 0
|
||||
|
||||
begin
|
||||
response = dcerpc.call(0x06, svc_handle)
|
||||
response = dcerpc.call(QUERY_SERVICE_STATUS, svc_handle)
|
||||
if response[0,9] == "\x10\x00\x00\x00\x04\x00\x00\x00\x01"
|
||||
ret = 1
|
||||
elsif response[0,9] == "\x10\x00\x00\x00\x01\x00\x00\x00\x00"
|
||||
|
|
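Review bot: In the `dce_createservicew` defaults, `:type => SERVICE_WIN32_OWN_PROCESS || SERVICE_INTERACTIVE_PROCESS` uses the logical `||`, which in Ruby returns its first truthy operand, so the service type sent becomes 0x10 instead of the 0x110 that the replaced literal carried; it should read `:type => SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS,`. Separately, `QUERY_SERVICE_STATUS = 0x05` does not match the `0x06` literal it replaces in the last hunk, so that request now goes to a different opnum; RQueryServiceStatus is opnum 6 in MS-SCMR, so the constant should be `QUERY_SERVICE_STATUS = 0x06`. Both are silent behaviour changes in a commit that otherwise reads as a pure rename, so a spec pinning the opnum and stub values passed to `dcerpc.call` would catch this class of slip. The method bodies involved start and end outside the hunks shown.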