How to use the impacket.dcerpc.v5.scmr.hRCloseServiceHandle function in impacket
To help you get started, we’ve selected a few impacket examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
SecureAuthCorp / impacket / impacket / testcases / SMB-RPC / test_scmr.py View on Github 
def test_RGetServiceDisplayNameW(self):
dce, rpctransport, scHandle = self.connect()
lpServiceName = 'PlugPlay\x00'
lpcchBuffer = len(lpServiceName)+100
resp = scmr.hRGetServiceDisplayNameW(dce, scHandle, lpServiceName, lpcchBuffer)
resp = scmr.hRCloseServiceHandle(dce, scHandle)def test_enumservices(self):
dce, rpctransport, scHandle = self.connect()
#####################
# EnumServicesStatusW
dwServiceType = scmr.SERVICE_KERNEL_DRIVER | scmr.SERVICE_FILE_SYSTEM_DRIVER | scmr.SERVICE_WIN32_OWN_PROCESS | scmr.SERVICE_WIN32_SHARE_PROCESS
dwServiceState = scmr.SERVICE_STATE_ALL
cbBufSize = 0
resp = scmr.hREnumServicesStatusW(dce, scHandle, dwServiceType, dwServiceState)
resp = scmr.hRCloseServiceHandle(dce, scHandle)lpPassword = 'mypwd\x00'.encode('utf-16le')
s = rpctransport.get_smb_connection()
key = s.getSessionKey()
lpPassword = encryptSecret(key, lpPassword)
dwPwSize = len(lpPassword)
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpPassword = NULL
dwPwSize = 0
lpDisplayName = 'MANOLO\x00'
self.changeServiceAndQuery(dce, cbBufSize, newHandle, dwServiceType, dwStartType, dwErrorControl, lpBinaryPathName, lpLoadOrderGroup, lpdwTagId, lpDependencies, dwDependSize, lpServiceStartName, lpPassword, dwPwSize, lpDisplayName)
lpDisplayName = NULL
resp = scmr.hRDeleteService(dce, newHandle)
resp = scmr.hRCloseServiceHandle(dce, newHandle)
resp = scmr.hRCloseServiceHandle(dce, scHandle)rpc.set_credentials(*self.__smbConnection.getCredentials())
rpc.set_kerberos(self.__doKerberos, self.__kdcHost)
self.__scmr = rpc.get_dce_rpc()
self.__scmr.connect()
self.__scmr.bind(scmr.MSRPC_UUID_SCMR)
# Open SC Manager
ans = scmr.hROpenSCManagerW(self.__scmr)
self.__scManagerHandle = ans['lpScHandle']
# Now let's open the service
resp = scmr.hROpenServiceW(self.__scmr, self.__scManagerHandle, self.__tmpServiceName)
service = resp['lpServiceHandle']
scmr.hRDeleteService(self.__scmr, service)
scmr.hRControlService(self.__scmr, service, scmr.SERVICE_CONTROL_STOP)
scmr.hRCloseServiceHandle(self.__scmr, service)
scmr.hRCloseServiceHandle(self.__scmr, self.__serviceHandle)
scmr.hRCloseServiceHandle(self.__scmr, self.__scManagerHandle)
rpc.disconnect()
except Exception as e:
# If service is stopped it'll trigger an exception
# If service does not exist it'll trigger an exception
# So. we just wanna be sure we delete it, no need to
# show this exception message
passcommand += ' & del %s' % self.__batchFile
logger.debug('Creating service with executable path: %s' % command)
resp = scmr.hRCreateServiceW(self.__svc, self.__mgr_handle, '%s\x00' % self.__service_name, '%s\x00'
% self.__service_name, lpBinaryPathName='%s\x00' % command)
self.__service_handle = resp['lpServiceHandle']
try:
scmr.hRStartServiceW(self.__svc, self.__service_handle)
except:
pass
scmr.hRDeleteService(self.__svc, self.__service_handle)
scmr.hRCloseServiceHandle(self.__svc, self.__service_handle)
self.get_output()self.__tmpServiceName = ''.join([random.choice(string.letters) for _ in range(8)]).encode('utf-16le')
command = self.__shell + 'echo ' + data + ' ^> ' + self.__output + ' > ' + self.__batchFile + ' & ' + \
self.__shell + self.__batchFile
command += ' & ' + 'del ' + self.__batchFile
self.__serviceDeleted = False
resp = scmr.hRCreateServiceW(self.__scmr, self.__scManagerHandle, self.__tmpServiceName, self.__tmpServiceName,
lpBinaryPathName=command)
service = resp['lpServiceHandle']
try:
scmr.hRStartServiceW(self.__scmr, service)
except:
pass
scmr.hRDeleteService(self.__scmr, service)
self.__serviceDeleted = True
scmr.hRCloseServiceHandle(self.__scmr, service)to_batch = '{} echo {} ^> {} 2^>^&1 > {}'.format(self.__shell, data, self.__output, self.__batchFile)
command = '{} & {} {}'.format(to_batch, self.__shell, self.__batchFile)
if self.__mode == 'SERVER':
command += ' & ' + self.__copyBack
command = '{} & del {}'.format(command, self.__batchFile )
logging.debug('Executing %s' % command)
resp = scmr.hRCreateServiceW(self.__scmr, self.__scHandle, self.__serviceName, self.__serviceName,
lpBinaryPathName=command, dwStartType=scmr.SERVICE_DEMAND_START)
service = resp['lpServiceHandle']
try:
scmr.hRStartServiceW(self.__scmr, service)
except:
pass
scmr.hRDeleteService(self.__scmr, service)
scmr.hRCloseServiceHandle(self.__scmr, service)
self.get_output()
#print(self.__outputBuffer)resp = scmr.hROpenSCManagerW(scmr_rpc)
sc_handle = resp['lpScHandle']
# start the monkey using the SCM
resp = scmr.hRCreateServiceW(scmr_rpc, sc_handle, self._config.smb_service_name, self._config.smb_service_name,
lpBinaryPathName=cmdline)
service = resp['lpServiceHandle']
try:
scmr.hRStartServiceW(scmr_rpc, service)
status = ScanStatus.USED
except:
status = ScanStatus.SCANNED
pass
T1035Telem(status, UsageEnum.SMB).send()
scmr.hRDeleteService(scmr_rpc, service)
scmr.hRCloseServiceHandle(scmr_rpc, service)
LOG.info("Executed monkey '%s' on remote victim %r (cmdline=%r)",
remote_full_path, self.host, cmdline)
self.add_vuln_port("%s or %s" % (SmbExploiter.KNOWN_PROTOCOLS['139/SMB'][1],
SmbExploiter.KNOWN_PROTOCOLS['445/SMB'][1]))
return Trueif serviceHandle:
# Start service
try:
logger.action('STARTING SERVICE %s...' % service_name)
scmr.hRStartServiceW(rpcsvc, serviceHandle)
# is it really need to stop?
# using command line always makes starting service fail because SetServiceStatus() does not get called
#print('Stoping service %s.....' % service_name)
#scmr.hRControlService(rpcsvc, serviceHandle, scmr.SERVICE_CONTROL_STOP)
except Exception as e:
logger.error(str(e))
logger.action('REMOVING SERVICE %s...' % service_name)
scmr.hRDeleteService(rpcsvc, serviceHandle)
scmr.hRCloseServiceHandle(rpcsvc, serviceHandle)
except Exception as e:
logger.error("ServiceExec Error on: %s" % conn.get_remote_host())
logger.error(str(e))
finally:
if svcHandle:
scmr.hRCloseServiceHandle(rpcsvc, svcHandle)
rpcsvc.disconnect()impacket
Network protocols Constructors and Dissectors
Package Health Score
82 / 100Popular impacket functions
- impacket.dcerpc.v5.dcomrt.DCOMANSWER
- impacket.dcerpc.v5.dcomrt.DCOMCALL
- impacket.dcerpc.v5.dtypes.NULL
- impacket.dcerpc.v5.ndr.NDRCALL
- impacket.dcerpc.v5.ndr.NDRPOINTER
- impacket.dcerpc.v5.ndr.NDRSTRUCT
- impacket.dcerpc.v5.ndr.NDRUniConformantArray
- impacket.dcerpc.v5.scmr
- impacket.dcerpc.v5.scmr.hRCloseServiceHandle
- impacket.dcerpc.v5.transport.DCERPCTransportFactory
- impacket.LOG
- impacket.LOG.debug
- impacket.LOG.error
- impacket.LOG.info
- impacket.smb
- impacket.smb.SMB
- impacket.smb.SMBCommand
- impacket.smbconnection.SMBConnection
- impacket.structure.Structure
- impacket.uuid.uuidtup_to_bin