Pull in @jtesta's DCERPC Services work

Meatballs1 · Meatballs1 · commit f55d78cbe833 · 2014-04-02T21:21:45.000+01:00
diff --git a/lib/msf/core/exploit/dcerpc.rb b/lib/msf/core/exploit/dcerpc.rb
@@ -4,6 +4,7 @@
 require 'msf/core/exploit/dcerpc_epm'
 require 'msf/core/exploit/dcerpc_mgmt'
 require 'msf/core/exploit/dcerpc_lsa'
+require 'msf/core/exploit/dcerpc_services'
 
 module Msf
 
@@ -32,6 +33,7 @@ module Exploit::Remote::DCERPC
   include Exploit::Remote::DCERPC_EPM
   include Exploit::Remote::DCERPC_MGMT
   include Exploit::Remote::DCERPC_LSA
+  include Exploit::Remote::DCERPC_SERVICES
 
   def initialize(info = {})
     super
diff --git a/lib/msf/core/exploit/dcerpc_services.rb b/lib/msf/core/exploit/dcerpc_services.rb
@@ -0,0 +1,245 @@
+# -*- coding: binary -*-
+module Msf
+
+###
+# This module implements MSRPC functions that control creating, deleting,
+# starting, stopping, and querying system services.
+###
+module Exploit::Remote::DCERPC_SERVICES
+
+  NDR = Rex::Encoder::NDR
+
+
+  # Calls OpenSCManagerW() to obtain a handle to the service control manager.
+  #
+  # @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
+  # @param rhost [String] the target host.
+  # @param access [Fixnum] the access flags requested.
+  #
+  # @return [String] the handle to the service control manager.
+  def dce_openscmanagerw(dcerpc, rhost, access = 0xF003F)
+    scm_handle = nil
+    scm_status = nil
+    stubdata =
+      NDR.uwstring("\\\\#{rhost}") +
+      NDR.long(0) +
+      NDR.long(access)
+    response = dcerpc.call(0x0f, stubdata)
+    if dcerpc.last_response and dcerpc.last_response.stub_data
+      scm_handle = dcerpc.last_response.stub_data[0,20]
+      scm_status = dcerpc.last_response.stub_data[20,4]
+    end
+
+    if scm_status.to_i != 0
+      scm_handle = nil
+    end
+    return scm_handle
+  end
+
+
+  # Calls CreateServiceW() to create a system service.  Returns a handle to
+  # the service on success, or nil.
+  #
+  # @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
+  # @param scm_handle [String] the SCM handle (from dce_openscmanagerw()).
+  # @param service_name [String] the service name.
+  # @param display_name [String] the display name.
+  # @param binary_path [String] the path of the binary to run.
+  # @param opts [Hash] a hash containing the following keys and values:
+  #                 access [Fixnum] the access level (default is maximum).
+  #                 type [Fixnum] the type of service (default is interactive,
+  #                               own process).
+  #                 start [Fixnum] the start options (default is on demand).
+  #                 errors [Fixnum] the error options (default is ignore).
+  #                 load_order_group [Fixnum] the load order group.
+  #                 dependencies [Fixnum] the dependencies of the service.
+  #                 service_start [Fixnum]
+  #                 password1 [Fixnum]
+  #                 password2 [Fixnum]
+  #                 password3 [Fixnum]
+  #                 password4 [Fixnum]
+  #
+  # @return [String] a handle to the created service.
+  def dce_createservicew(dcerpc, scm_handle, service_name, display_name, binary_path, opts)
+    default_opts = {
+      :access => 0x0F01FF,  # Maximum access.
+      :type => 0x00000110,  # Interactive, own process.
+      :start => 0x00000003, # Start on demand.
+      :errors => 0x00000000,# Ignore errors.
+      :load_order_group => 0,
+      :dependencies => 0,
+      :service_start => 0,
+      :password1 => 0,
+      :password2 => 0,
+      :password3 => 0,
+      :password4 => 0
+    }.merge(opts)
+
+    svc_handle  = nil
+    svc_status  = nil
+    stubdata = scm_handle +
+      NDR.wstring(service_name) +
+      NDR.uwstring(display_name) +
+      NDR.long(default_opts[:access]) +
+      NDR.long(default_opts[:type]) +
+      NDR.long(default_opts[:start]) +
+      NDR.long(default_opts[:errors]) +
+      NDR.wstring(binary_path) +
+      NDR.long(default_opts[:load_order_group]) +
+      NDR.long(default_opts[:dependencies]) +
+      NDR.long(default_opts[:service_start]) +
+      NDR.long(default_opts[:password1]) +
+      NDR.long(default_opts[:password2]) +
+      NDR.long(default_opts[:password3]) +
+      NDR.long(default_opts[:password4])
+    response = dcerpc.call(0x0c, stubdata)
+    if dcerpc.last_response and dcerpc.last_response.stub_data
+      svc_handle = dcerpc.last_response.stub_data[4,20]
+      svc_status = dcerpc.last_response.stub_data[20,4]
+    end
+
+    if svc_status.to_i != 0
+      svc_handle = nil
+    end
+    return svc_handle
+  end
+
+  # Calls CloseHandle() to close a handle.  Returns true on success, or false.
+  #
+  # @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
+  # @param handle [String] the handle to close.
+  #
+  # @return [Boolean] true if the handle was successfully closed, or false if
+  #                        not.
+  def dce_closehandle(dcerpc, handle)
+    ret = false
+    response = dcerpc.call(0x0, handle)
+    if dcerpc.last_response and dcerpc.last_response.stub_data
+      if dcerpc.last_response.stub_data[20,4].to_i == 0
+        ret = true
+      end
+    end
+    return ret
+  end
+
+  # Calls OpenServiceW to obtain a handle to an existing service.
+  #
+  # @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
+  # @param scm_handle [String] the SCM handle (from dce_openscmanagerw()).
+  # @param service_name [String] the name of the service to open.
+  # @param access [Fixnum] the level of access requested (default is maximum).
+  #
+  # @return [String, nil] the handle of the service opened, or nil on failure.
+  def dce_openservicew(dcerpc, scm_handle, service_name, access = 0xF01FF)
+    svc_handle = nil
+    svc_status = nil
+    stubdata = scm_handle + NDR.wstring(service_name) + NDR.long(access)
+    response = dcerpc.call(0x10, stubdata)
+    if dcerpc.last_response and dcerpc.last_response.stub_data
+      svc_handle = dcerpc.last_response.stub_data[0,20]
+      svc_status = dcerpc.last_response.stub_data[20,4]
+    end
+
+    if svc_status.to_i != 0
+      svc_handle = nil
+    end
+    return svc_handle
+  end
+
+  # Calls StartService() on a handle to an existing service in order to start
+  # it.  Returns true on success, or false.
+  #
+  # @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
+  # @param svc_handle [String] the handle of the service to start (from
+  #                            dce_openservicew()).
+  # @param magic1 [Fixnum] an unknown value.
+  # @param magic2 [Fixnum] another unknown value.
+  #
+  # @return [Boolean] true if the service was successfully started, false if
+  #                        it was not.
+  def dce_startservice(dcerpc, svc_handle, magic1 = 0, magic2 = 0)
+    ret = false
+    stubdata = svc_handle + NDR.long(magic1) + NDR.long(magic2)
+    response = dcerpc.call(0x13, stubdata)
+    if dcerpc.last_response and dcerpc.last_response.stub_data
+      if dcerpc.last_response.stub_data[0,4].to_i == 0
+        ret = true
+      end
+    end
+    return ret
+  end
+
+  # Stops a running service.
+  #
+  # @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
+  # @param svc_handle [String] the handle of the service to stop (from
+  #                            dce_openservicew()).
+  #
+  # @return [Boolean] true if the service was successfully stopped, false if
+  #                   it was not.
+  def dce_stopservice(dcerpc, svc_handle)
+    return dce_controlservice(dcerpc, svc_handle, 1)
+  end
+
+  # Controls an existing service.
+  #
+  # @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
+  # @param svc_handle [String] the handle of the service to control
+  #                            (from dce_openservicew()).
+  # @param operation [Fixnum] the operation number to perform (1 = stop
+  #                           service; others are unknown).
+  #
+  # @return [Boolean] true if the operation was successful, false if it was
+  #                   not.
+  def dce_controlservice(dcerpc, svc_handle, operation)
+    ret = false
+    response = dcerpc.call(0x01, svc_handle + NDR.long(operation))
+    if dcerpc.last_response and dcerpc.last_response.stub_data
+      if dcerpc.last_response.stub_data[28,4].to_i == 0
+        ret = true
+      end
+    end
+    return ret
+  end
+
+  # Calls DeleteService() to delete a service.
+  #
+  # @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
+  # @param svc_handle [String] the handle of the service to delete (from
+  #                            dce_openservicew()).
+  #
+  # @return [Boolean] true if the service was successfully deleted, false if
+  #                        it was not.
+  def dce_deleteservice(dcerpc, svc_handle)
+    ret = false
+    response = dcerpc.call(0x02, svc_handle)
+    if dcerpc.last_response and dcerpc.last_response.stub_data
+      if dcerpc.last_response.stub_data[0,4].to_i == 0
+        ret = true
+      end
+    end
+    return ret
+  end
+
+  # Calls QueryServiceStatus() to query the status of a service.
+  #
+  # @param dcerpc [Rex::Proto::DCERPC::Client] the DCERPC client to use.
+  # @param svc_handle [String] the handle of the service to query (from
+  #                            dce_openservicew()).
+  #
+  # @return [Fixnum] Returns 0 if the query failed (i.e.: a state was returned
+  #                  that isn't implemented), 1 if the service is running, and
+  #                  2 if the service is stopped.
+  def dce_queryservice(dcerpc, svc_handle)
+    ret = 0
+    response = dcerpc.call(0x06, svc_handle)
+    if response[0,9] == "\x10\x00\x00\x00\x04\x00\x00\x00\x01"
+      ret = 1
+    elsif response[0,9] == "\x10\x00\x00\x00\x01\x00\x00\x00\x00"
+      ret = 2
+    end
+    return ret
+  end
+
+end
+end
