def _get_paexec_files_and_services(self, client):
server = os.environ['PYPSEXEC_SERVER']
username = os.environ['PYPSEXEC_USERNAME']
password = os.environ['PYPSEXEC_PASSWORD']
paexec_services = []
# need to close and reopen the connection to ensure deletes are
# processed
client.disconnect()
client = Client(server, username=username, password=password)
client.connect()
scmr = client._service._scmr
scmr_handle = client._service._scmr_handle
services = scmr.enum_services_status_w(scmr_handle,
ServiceType.
SERVICE_WIN32_OWN_PROCESS,
EnumServiceState.
SERVICE_STATE_ALL)
for service in services:
if service['service_name'].lower().startswith("paexec"):
paexec_services.append(service['service_name'])
smb_tree = TreeConnect(client.session,
r"\\%s\ADMIN$" % client.connection.server_name)
smb_tree.connect()
share = Open(smb_tree, "")
share.create(ImpersonationLevel.Impersonation,
DirectoryAccessMask.FILE_READ_ATTRIBUTES |
DirectoryAccessMask.SYNCHRONIZE |
DirectoryAccessMask.FILE_LIST_DIRECTORY,
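def test_enumerate_services_small_buffer(self, session):
    """Enumerate SERVICE_INTERACTIVE_PROCESS services and check the result shape.

    Integration test: opens the SCMR endpoint over ``session``, obtains a
    service-control-manager handle and asserts that at least one entry is
    returned with string names and a ``ServiceStatus`` payload.
    """
    scmr = SCMRApi(session)
    scmr.open()
    # Bind the name before the try block: if open_sc_manager_w() raises, the
    # finally clause must not fail on an unbound local and hide the real
    # error (which would also skip scmr.close()).
    scmr_handle = None
    try:
        # NOTE(review): only enumeration happens below, so
        # SC_MANAGER_CREATE_SERVICE looks broader than this test needs -
        # confirm before trimming the mask.
        scmr_handle = scmr.open_sc_manager_w(
            session.connection.server_name,
            None,
            DesiredAccess.SC_MANAGER_CONNECT |
            DesiredAccess.SC_MANAGER_CREATE_SERVICE |
            DesiredAccess.SC_MANAGER_ENUMERATE_SERVICE)
        actual = scmr.enum_services_status_w(
            scmr_handle,
            ServiceType.SERVICE_INTERACTIVE_PROCESS,
            EnumServiceState.SERVICE_STATE_ALL)
        assert len(actual) > 0
        assert isinstance(actual[0]['display_name'], string_types)
        assert isinstance(actual[0]['service_name'], string_types)
        assert isinstance(actual[0]['service_status'], ServiceStatus)
    finally:
        # Close the remote handle first, but always release the SCMR
        # connection even if closing the handle itself fails.
        try:
            if scmr_handle:
                scmr.close_service_handle_w(scmr_handle)
        finally:
            scmr.close()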
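def test_enumerate_services(self, session):
    """Enumerate services of every listed type and check the result shape.

    Integration test: opens the SCMR endpoint over ``session``, obtains a
    service-control-manager handle and asserts that at least one entry is
    returned with string names and a ``ServiceStatus`` payload.
    """
    scmr = SCMRApi(session)
    scmr.open()
    # Bind the name before the try block: if open_sc_manager_w() raises, the
    # finally clause must not fail on an unbound local and hide the real
    # error (which would also skip scmr.close()).
    scmr_handle = None
    try:
        # NOTE(review): only enumeration happens below, so
        # SC_MANAGER_CREATE_SERVICE looks broader than this test needs -
        # confirm before trimming the mask.
        scmr_handle = scmr.open_sc_manager_w(
            session.connection.server_name,
            None,
            DesiredAccess.SC_MANAGER_CONNECT |
            DesiredAccess.SC_MANAGER_CREATE_SERVICE |
            DesiredAccess.SC_MANAGER_ENUMERATE_SERVICE)
        # Union of the driver and Win32 service types to enumerate.
        types = ServiceType.SERVICE_INTERACTIVE_PROCESS | \
            ServiceType.SERVICE_KERNEL_DRIVER | \
            ServiceType.SERVICE_WIN32_SHARE_PROCESS | \
            ServiceType.SERVICE_WIN32_OWN_PROCESS | \
            ServiceType.SERVICE_FILE_SYSTEM_DRIVER
        actual = scmr.enum_services_status_w(
            scmr_handle,
            types,
            EnumServiceState.SERVICE_STATE_ALL)
        assert len(actual) > 0
        assert isinstance(actual[0]['display_name'], string_types)
        assert isinstance(actual[0]['service_name'], string_types)
        assert isinstance(actual[0]['service_status'], ServiceStatus)
    finally:
        # Close the remote handle first, but always release the SCMR
        # connection even if closing the handle itself fails.
        try:
            if scmr_handle:
                scmr.close_service_handle_w(scmr_handle)
        finally:
            scmr.close()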
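def test_enumerate_services(self, session):
    """Enumerate services of every listed type and check the result shape.

    Integration test: opens the SCMR endpoint over ``session``, obtains a
    service-control-manager handle and asserts that at least one entry is
    returned with string names and a ``ServiceStatus`` payload.
    """
    scmr = SCMRApi(session)
    scmr.open()
    # Bind the name before the try block: if open_sc_manager_w() raises, the
    # finally clause must not fail on an unbound local and hide the real
    # error (which would also skip scmr.close()).
    scmr_handle = None
    try:
        # NOTE(review): only enumeration happens below, so
        # SC_MANAGER_CREATE_SERVICE looks broader than this test needs -
        # confirm before trimming the mask.
        scmr_handle = scmr.open_sc_manager_w(
            session.connection.server_name,
            None,
            DesiredAccess.SC_MANAGER_CONNECT |
            DesiredAccess.SC_MANAGER_CREATE_SERVICE |
            DesiredAccess.SC_MANAGER_ENUMERATE_SERVICE)
        # Union of the driver and Win32 service types to enumerate.
        types = ServiceType.SERVICE_INTERACTIVE_PROCESS | \
            ServiceType.SERVICE_KERNEL_DRIVER | \
            ServiceType.SERVICE_WIN32_SHARE_PROCESS | \
            ServiceType.SERVICE_WIN32_OWN_PROCESS | \
            ServiceType.SERVICE_FILE_SYSTEM_DRIVER
        actual = scmr.enum_services_status_w(
            scmr_handle,
            types,
            EnumServiceState.SERVICE_STATE_ALL)
        assert len(actual) > 0
        assert isinstance(actual[0]['display_name'], string_types)
        assert isinstance(actual[0]['service_name'], string_types)
        assert isinstance(actual[0]['service_status'], ServiceStatus)
    finally:
        # Close the remote handle first, but always release the SCMR
        # connection even if closing the handle itself fails.
        try:
            if scmr_handle:
                scmr.close_service_handle_w(scmr_handle)
        finally:
            scmr.close()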
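def test_enumerate_services(self, session):
    """Enumerate services of every listed type and check the result shape.

    Integration test: opens the SCMR endpoint over ``session``, obtains a
    service-control-manager handle and asserts that at least one entry is
    returned with string names and a ``ServiceStatus`` payload.
    """
    scmr = SCMRApi(session)
    scmr.open()
    # Bind the name before the try block: if open_sc_manager_w() raises, the
    # finally clause must not fail on an unbound local and hide the real
    # error (which would also skip scmr.close()).
    scmr_handle = None
    try:
        # NOTE(review): only enumeration happens below, so
        # SC_MANAGER_CREATE_SERVICE looks broader than this test needs -
        # confirm before trimming the mask.
        scmr_handle = scmr.open_sc_manager_w(
            session.connection.server_name,
            None,
            DesiredAccess.SC_MANAGER_CONNECT |
            DesiredAccess.SC_MANAGER_CREATE_SERVICE |
            DesiredAccess.SC_MANAGER_ENUMERATE_SERVICE)
        # Union of the driver and Win32 service types to enumerate.
        types = ServiceType.SERVICE_INTERACTIVE_PROCESS | \
            ServiceType.SERVICE_KERNEL_DRIVER | \
            ServiceType.SERVICE_WIN32_SHARE_PROCESS | \
            ServiceType.SERVICE_WIN32_OWN_PROCESS | \
            ServiceType.SERVICE_FILE_SYSTEM_DRIVER
        actual = scmr.enum_services_status_w(
            scmr_handle,
            types,
            EnumServiceState.SERVICE_STATE_ALL)
        assert len(actual) > 0
        assert isinstance(actual[0]['display_name'], string_types)
        assert isinstance(actual[0]['service_name'], string_types)
        assert isinstance(actual[0]['service_status'], ServiceStatus)
    finally:
        # Close the remote handle first, but always release the SCMR
        # connection even if closing the handle itself fails.
        try:
            if scmr_handle:
                scmr.close_service_handle_w(scmr_handle)
        finally:
            scmr.close()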
def test_unpack_status(self):
    """Unpack a 28-byte status blob and verify every decoded field."""
    status = ServiceStatus()
    # Seven 4-byte little-endian values, listed in the order they are
    # asserted below.
    wire = b"".join([
        b"\x10\x00\x00\x00",  # service_type
        b"\x04\x00\x00\x00",  # current_state
        b"\x01\x00\x00\x00",  # controls_accepted
        b"\x00\x00\x00\x00",  # win32_exit_code
        b"\x01\x00\x00\x00",  # service_specified_exit_code
        b"\x02\x00\x00\x00",  # check_point
        b"\x03\x00\x00\x00",  # wait_hint
    ])
    leftover = status.unpack(wire)

    # The structure must consume the whole buffer and nothing more.
    assert len(status) == 28
    assert leftover == b""

    service_type = status['service_type'].get_value()
    assert service_type == ServiceType.SERVICE_WIN32_OWN_PROCESS

    current_state = status['current_state'].get_value()
    assert current_state == CurrentState.SERVICE_RUNNING

    controls = status['controls_accepted'].get_value()
    assert controls == ControlsAccepted.SERVICE_ACCEPT_STOP

    # Plain integer fields, checked in wire order.
    plain_fields = (
        ('win32_exit_code', 0),
        ('service_specified_exit_code', 1),
        ('check_point', 2),
        ('wait_hint', 3),
    )
    for field_name, expected in plain_fields:
        assert status[field_name].get_value() == expected
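def test_enumerate_services(self, session):
    """Enumerate services of every listed type and check the result shape.

    Integration test: opens the SCMR endpoint over ``session``, obtains a
    service-control-manager handle and asserts that at least one entry is
    returned with string names and a ``ServiceStatus`` payload.
    """
    scmr = SCMRApi(session)
    scmr.open()
    # Bind the name before the try block: if open_sc_manager_w() raises, the
    # finally clause must not fail on an unbound local and hide the real
    # error (which would also skip scmr.close()).
    scmr_handle = None
    try:
        # NOTE(review): only enumeration happens below, so
        # SC_MANAGER_CREATE_SERVICE looks broader than this test needs -
        # confirm before trimming the mask.
        scmr_handle = scmr.open_sc_manager_w(
            session.connection.server_name,
            None,
            DesiredAccess.SC_MANAGER_CONNECT |
            DesiredAccess.SC_MANAGER_CREATE_SERVICE |
            DesiredAccess.SC_MANAGER_ENUMERATE_SERVICE)
        # Union of the driver and Win32 service types to enumerate.
        types = ServiceType.SERVICE_INTERACTIVE_PROCESS | \
            ServiceType.SERVICE_KERNEL_DRIVER | \
            ServiceType.SERVICE_WIN32_SHARE_PROCESS | \
            ServiceType.SERVICE_WIN32_OWN_PROCESS | \
            ServiceType.SERVICE_FILE_SYSTEM_DRIVER
        actual = scmr.enum_services_status_w(
            scmr_handle,
            types,
            EnumServiceState.SERVICE_STATE_ALL)
        assert len(actual) > 0
        assert isinstance(actual[0]['display_name'], string_types)
        assert isinstance(actual[0]['service_name'], string_types)
        assert isinstance(actual[0]['service_status'], ServiceStatus)
    finally:
        # Close the remote handle first, but always release the SCMR
        # connection even if closing the handle itself fails.
        try:
            if scmr_handle:
                scmr.close_service_handle_w(scmr_handle)
        finally:
            scmr.close()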
def __init__(self):
    """Declare the field layout: seven 4-byte fields, 28 bytes in total."""
    # NOTE(review): no base-class initialiser is called within this excerpt -
    # confirm against the full class definition.
    layout = OrderedDict()

    # Flag fields are declared non-strict; presumably this tolerates bits
    # that are not defined in the flag type - confirm against FlagField.
    layout['service_type'] = FlagField(
        size=4,
        flag_type=ServiceType,
        flag_strict=False
    )
    layout['current_state'] = EnumField(
        size=4,
        enum_type=CurrentState
    )
    layout['controls_accepted'] = FlagField(
        size=4,
        flag_type=ControlsAccepted,
        flag_strict=False
    )

    # The remaining members are plain 4-byte integers.
    layout['win32_exit_code'] = IntField(size=4)
    layout['service_specified_exit_code'] = IntField(size=4)
    layout['check_point'] = IntField(size=4)
    layout['wait_hint'] = IntField(size=4)

    self.fields = layout
def create(self, path):
    """Create the service on the remote host unless a handle already exists.

    :param path: value passed as the service's binary path. It is forwarded
        unchanged, so quoting a path that contains spaces is left to the
        caller.
    """
    self._open_service()
    if self._handle:
        # A handle is already held (presumably set by _open_service() when
        # the service exists), so there is nothing to create.
        return

    # Rights requested on the new service handle: query, start, stop, delete.
    service_access = (
        DesiredAccess.SERVICE_QUERY_STATUS | DesiredAccess.SERVICE_START |
        DesiredAccess.SERVICE_STOP | DesiredAccess.DELETE
    )

    # NOTE(review): the argument order presumably mirrors the Win32
    # CreateServiceW call; under that contract a None start name means the
    # service runs as LocalSystem - confirm against create_service_w.
    response = self._scmr.create_service_w(
        self._scmr_handle,
        self.name,  # service name
        self.name,  # second name argument, same value
        service_access,
        ServiceType.SERVICE_WIN32_OWN_PROCESS,
        StartType.SERVICE_DEMAND_START,
        ErrorControl.SERVICE_ERROR_NORMAL,
        path,
        None,
        0,
        None,
        None,
        None
    )
    # Element 1 of the response is kept as the service handle.
    self._handle = response[1]
def cleanup(self):
"""
Cleans up any old services or payloads that may have been left behind
on a previous failure. This will search C:\\Windows for any files
starting with PAExec-*.exe and delete them. It will also stop and
remove any services that start with PAExec-* if they exist.
Before calling this function, the connect() function must have already
been called.
"""
scmr = self._service._scmr
services = scmr.enum_services_status_w(
self._service._scmr_handle,
ServiceType.SERVICE_WIN32_OWN_PROCESS,
EnumServiceState.SERVICE_STATE_ALL)
for service in services:
if service['service_name'].lower().startswith("paexec"):
svc = Service(service['service_name'], self.session)
svc.open()
svc.delete()
smb_tree = TreeConnect(self.session,
r"\\%s\ADMIN$" % self.connection.server_name)
smb_tree.connect()
share = Open(smb_tree, "")
query_msgs = [
share.create(ImpersonationLevel.Impersonation,
DirectoryAccessMask.FILE_READ_ATTRIBUTES |
DirectoryAccessMask.SYNCHRONIZE |