sempervictus
diff --git a/‎lib/msf/core/exploit/dcerpc_services.rb
Lines changed: 87 additions & 61 deletions b/‎lib/msf/core/exploit/dcerpc_services.rb
Lines changed: 87 additions & 61 deletions
@@ -9,6 +9,9 @@ module Exploit::Remote::DCERPC_SERVICES
 
   NDR = Rex::Encoder::NDR
 
+  SERVICE_ALL_ACCESS = 0x0F01FF
+  ERROR_SUCCESS = 0x0
+  ERROR_SERVICE_EXISTS = 0x431
 
   # Calls OpenSCManagerW() to obtain a handle to the service control manager.
   #
@@ -18,7 +21,7 @@ module Exploit::Remote::DCERPC_SERVICES
   #
   # @return [String] the handle to the service control manager or nil if
   #   the call is not successful.
-  def dce_openscmanagerw(dcerpc, rhost, access = 0xF003F)
+  def dce_openscmanagerw(dcerpc, rhost, access = SERVICE_ALL_ACCESS)
     scm_handle = nil
     scm_status = nil
     stubdata =
@@ -29,7 +32,7 @@ def dce_openscmanagerw(dcerpc, rhost, access = 0xF003F)
       response = dcerpc.call(0x0f, stubdata)
       if response
         scm_status = response[20,4].unpack('V').first
-        if scm_status == 0
+        if scm_status == ERROR_SUCCESS
           scm_handle = response[0,20]
         end
       end
@@ -63,10 +66,11 @@ def dce_openscmanagerw(dcerpc, rhost, access = 0xF003F)
   #                 password3 [Fixnum]
   #                 password4 [Fixnum]
   #
-  # @return [String] a handle to the created service.
+  # @return [String, Integer] a handle to the created service, windows
+  #   error code.
   def dce_createservicew(dcerpc, scm_handle, service_name, display_name, binary_path, opts)
     default_opts = {
-      :access => 0x0F01FF,  # Maximum access.
+      :access => SERVICE_ALL_ACCESS,  # Maximum access.
       :type => 0x00000110,  # Interactive, own process.
       :start => 0x00000003, # Start on demand.
       :errors => 0x00000000,# Ignore errors.
@@ -96,34 +100,40 @@ def dce_createservicew(dcerpc, scm_handle, service_name, display_name, binary_pa
       NDR.long(default_opts[:password2]) +
       NDR.long(default_opts[:password3]) +
       NDR.long(default_opts[:password4])
-    response = dcerpc.call(0x0c, stubdata)
-    if dcerpc.last_response and dcerpc.last_response.stub_data
-      svc_handle = dcerpc.last_response.stub_data[4,20]
-      svc_status = dcerpc.last_response.stub_data[20,4]
-    end
+    begin
+      response = dcerpc.call(0x0c, stubdata)
+      if response
+        svc_status = response[20,4].unpack('V').first
 
-    if svc_status.to_i != 0
-      svc_handle = nil
+        if svc_status == ERROR_SUCCESS
+          svc_handle = response[4,20]
+        end
+      end
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error("#{peer} - Error creating service: #{e}")
     end
-    return svc_handle
+
+    return svc_handle, svc_status
   end
 
-  # Calls CloseHandle() to close a handle.  Returns true on success, or false.
+  # Calls CloseHandle() to close a handle.
   #
   # @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
   # @param handle [String] the handle to close.
   #
-  # @return [Boolean] true if the handle was successfully closed, or false if
-  #                        not.
+  # @return [Integer] Windows error code
   def dce_closehandle(dcerpc, handle)
-    ret = false
-    response = dcerpc.call(0x0, handle)
-    if dcerpc.last_response and dcerpc.last_response.stub_data
-      if dcerpc.last_response.stub_data[20,4].to_i == 0
-        ret = true
+    svc_status = nil
+    begin
+      response = dcerpc.call(0x0, handle)
+      if response
+        svc_status = response[20,4].unpack('V').first
       end
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error("#{peer} - Error closing service handle: #{e}")
     end
-    return ret
+
+    svc_status
   end
 
   # Calls OpenServiceW to obtain a handle to an existing service.
@@ -138,16 +148,19 @@ def dce_openservicew(dcerpc, scm_handle, service_name, access = 0xF01FF)
     svc_handle = nil
     svc_status = nil
     stubdata = scm_handle + NDR.wstring(service_name) + NDR.long(access)
-    response = dcerpc.call(0x10, stubdata)
-    if dcerpc.last_response and dcerpc.last_response.stub_data
-      svc_handle = dcerpc.last_response.stub_data[0,20]
-      svc_status = dcerpc.last_response.stub_data[20,4]
+    begin
+      response = dcerpc.call(0x10, stubdata)
+      if response
+        svc_status = response[20,4]
+        if svc_status == ERROR_SUCCESS
+          svc_handle = response[0,20]
+        end
+      end
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error("#{peer} - Error opening service handle: #{e}")
     end
 
-    if svc_status.to_i != 0
-      svc_handle = nil
-    end
-    return svc_handle
+    svc_handle
   end
 
   # Calls StartService() on a handle to an existing service in order to start
@@ -159,18 +172,21 @@ def dce_openservicew(dcerpc, scm_handle, service_name, access = 0xF01FF)
   # @param magic1 [Fixnum] an unknown value.
   # @param magic2 [Fixnum] another unknown value.
   #
-  # @return [Boolean] true if the service was successfully started, false if
-  #                        it was not.
+  # @return [Integer] Windows error code
   def dce_startservice(dcerpc, svc_handle, magic1 = 0, magic2 = 0)
-    ret = false
+    svc_status = nil
     stubdata = svc_handle + NDR.long(magic1) + NDR.long(magic2)
-    response = dcerpc.call(0x13, stubdata)
-    if dcerpc.last_response and dcerpc.last_response.stub_data
-      if dcerpc.last_response.stub_data[0,4].to_i == 0
-        ret = true
+
+    begin
+      response = dcerpc.call(0x13, stubdata)
+      if response
+        svc_status = response[0,4].unpack('V').first
       end
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error("#{peer} - Error starting service: #{e}")
     end
-    return ret
+
+    svc_status
   end
 
   # Stops a running service.
@@ -179,8 +195,7 @@ def dce_startservice(dcerpc, svc_handle, magic1 = 0, magic2 = 0)
   # @param svc_handle [String] the handle of the service to stop (from
   #                            dce_openservicew()).
   #
-  # @return [Boolean] true if the service was successfully stopped, false if
-  #                   it was not.
+  # @return [Integer] Windows error code
   def dce_stopservice(dcerpc, svc_handle)
     return dce_controlservice(dcerpc, svc_handle, 1)
   end
@@ -193,17 +208,19 @@ def dce_stopservice(dcerpc, svc_handle)
   # @param operation [Fixnum] the operation number to perform (1 = stop
   #                           service; others are unknown).
   #
-  # @return [Boolean] true if the operation was successful, false if it was
-  #                   not.
+  # @return [Integer] Windows error code
   def dce_controlservice(dcerpc, svc_handle, operation)
-    ret = false
-    response = dcerpc.call(0x01, svc_handle + NDR.long(operation))
-    if dcerpc.last_response and dcerpc.last_response.stub_data
-      if dcerpc.last_response.stub_data[28,4].to_i == 0
-        ret = true
+    svc_status = nil
+    begin
+      response = dcerpc.call(0x01, svc_handle + NDR.long(operation))
+      if response
+       svc_status =  dcerpc.last_response.stub_data[28,4].unpack('V').first
       end
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error("#{peer} - Error controlling service: #{e}")
     end
-    return ret
+
+    svc_status
   end
 
   # Calls DeleteService() to delete a service.
@@ -212,17 +229,19 @@ def dce_controlservice(dcerpc, svc_handle, operation)
   # @param svc_handle [String] the handle of the service to delete (from
   #                            dce_openservicew()).
   #
-  # @return [Boolean] true if the service was successfully deleted, false if
-  #                        it was not.
+  # @return [Integer] Windows error code
   def dce_deleteservice(dcerpc, svc_handle)
-    ret = false
-    response = dcerpc.call(0x02, svc_handle)
-    if dcerpc.last_response and dcerpc.last_response.stub_data
-      if dcerpc.last_response.stub_data[0,4].to_i == 0
-        ret = true
+    svc_status = nil
+    begin
+      response = dcerpc.call(0x02, svc_handle)
+      if response
+        svc_status = response[0,4].unpack('V').first
       end
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error("#{peer} - Error deleting service: #{e}")
     end
-    return ret
+
+    svc_status
   end
 
   # Calls QueryServiceStatus() to query the status of a service.
@@ -236,14 +255,21 @@ def dce_deleteservice(dcerpc, svc_handle)
   #                  2 if the service is stopped.
   def dce_queryservice(dcerpc, svc_handle)
     ret = 0
-    response = dcerpc.call(0x06, svc_handle)
-    if response[0,9] == "\x10\x00\x00\x00\x04\x00\x00\x00\x01"
-      ret = 1
-    elsif response[0,9] == "\x10\x00\x00\x00\x01\x00\x00\x00\x00"
-      ret = 2
+
+    begin
+      response = dcerpc.call(0x06, svc_handle)
+      if response[0,9] == "\x10\x00\x00\x00\x04\x00\x00\x00\x01"
+        ret = 1
+      elsif response[0,9] == "\x10\x00\x00\x00\x01\x00\x00\x00\x00"
+        ret = 2
+      end
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error("#{peer} - Error deleting service: #{e}")
     end
-    return ret
+
+    ret
   end
 
 end
 end
+