How to use the smbprotocol.open.CreateDisposition function in smbprotocol

To help you get started, we’ve selected a few smbprotocol examples, based on popular ways it is used in public projects.

Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.

github jborean93 / pypsexec / tests / test_scmr.py View on Github external
connection = Connection(uuid.uuid4(), server, 445)
            session = Session(connection, username, password)
            tree = TreeConnect(session, r"\\%s\ADMIN$" % server)
            paexec_file = Open(tree, "PAExec.exe")

            connection.connect()
            try:

                session.connect()
                tree.connect()

                paexec_file.create(ImpersonationLevel.Impersonation,
                                   FilePipePrinterAccessMask.FILE_WRITE_DATA,
                                   FileAttributes.FILE_ATTRIBUTE_NORMAL,
                                   ShareAccess.FILE_SHARE_READ,
                                   CreateDisposition.FILE_OVERWRITE_IF,
                                   CreateOptions.FILE_NON_DIRECTORY_FILE)
                paexec_file.write(pkgutil.get_data('pypsexec', 'paexec.exe'), 0)
                paexec_file.close(get_attributes=False)

                yield session
            finally:
                paexec_file.create(ImpersonationLevel.Impersonation,
                                   FilePipePrinterAccessMask.DELETE,
                                   FileAttributes.FILE_ATTRIBUTE_NORMAL,
                                   ShareAccess.FILE_SHARE_DELETE,
                                   CreateDisposition.FILE_OVERWRITE_IF,
                                   CreateOptions.FILE_DELETE_ON_CLOSE)
                paexec_file.close(get_attributes=False)
                connection.disconnect(True)

        else:
github jborean93 / pypsexec / tests / test_client.py View on Github external
paexec_services.append(service['service_name'])

        smb_tree = TreeConnect(client.session,
                               r"\\%s\ADMIN$" % client.connection.server_name)
        smb_tree.connect()

        share = Open(smb_tree, "")
        share.create(ImpersonationLevel.Impersonation,
                     DirectoryAccessMask.FILE_READ_ATTRIBUTES |
                     DirectoryAccessMask.SYNCHRONIZE |
                     DirectoryAccessMask.FILE_LIST_DIRECTORY,
                     FileAttributes.FILE_ATTRIBUTE_DIRECTORY,
                     ShareAccess.FILE_SHARE_READ |
                     ShareAccess.FILE_SHARE_WRITE |
                     ShareAccess.FILE_SHARE_DELETE,
                     CreateDisposition.FILE_OPEN,
                     CreateOptions.FILE_DIRECTORY_FILE)
        try:
            paexec_files = share.query_directory("PAExec-*.exe",
                                                 FileInformationClass.
                                                 FILE_NAMES_INFORMATION)
        except SMBResponseException as exc:
            if exc.status != NtStatus.STATUS_NO_SUCH_FILE:
                raise exc
            paexec_files = []

        return client, paexec_services, paexec_files
github jborean93 / pypsexec / tests / test_scmr.py View on Github external
paexec_file.create(ImpersonationLevel.Impersonation,
                                   FilePipePrinterAccessMask.FILE_WRITE_DATA,
                                   FileAttributes.FILE_ATTRIBUTE_NORMAL,
                                   ShareAccess.FILE_SHARE_READ,
                                   CreateDisposition.FILE_OVERWRITE_IF,
                                   CreateOptions.FILE_NON_DIRECTORY_FILE)
                paexec_file.write(pkgutil.get_data('pypsexec', 'paexec.exe'), 0)
                paexec_file.close(get_attributes=False)

                yield session
            finally:
                paexec_file.create(ImpersonationLevel.Impersonation,
                                   FilePipePrinterAccessMask.DELETE,
                                   FileAttributes.FILE_ATTRIBUTE_NORMAL,
                                   ShareAccess.FILE_SHARE_DELETE,
                                   CreateDisposition.FILE_OVERWRITE_IF,
                                   CreateOptions.FILE_DELETE_ON_CLOSE)
                paexec_file.close(get_attributes=False)
                connection.disconnect(True)

        else:
            pytest.skip("PYPSEXEC_SERVER, PYPSEXEC_USERNAME, PYPSEXEC_PASSWORD"
                        " environment variables were not set. Integration "
github jborean93 / pypsexec / pypsexec / client.py View on Github external
# check if the service exists and delete it
        log.debug("Ensuring service is deleted before starting")
        self._service.delete()

        # copy across the PAExec payload to C:\Windows\
        smb_tree = TreeConnect(self.session,
                               r"\\%s\ADMIN$" % self.connection.server_name)
        log.info("Connecting to SMB Tree %s" % smb_tree.share_name)
        smb_tree.connect()
        paexec_file = Open(smb_tree, self._exe_file)
        log.debug("Creating open to PAExec file")
        paexec_file.create(ImpersonationLevel.Impersonation,
                           FilePipePrinterAccessMask.FILE_WRITE_DATA,
                           FileAttributes.FILE_ATTRIBUTE_NORMAL,
                           ShareAccess.FILE_SHARE_READ,
                           CreateDisposition.FILE_OVERWRITE_IF,
                           CreateOptions.FILE_NON_DIRECTORY_FILE)
        log.info("Creating PAExec executable at %s\\%s"
                 % (smb_tree.share_name, self._exe_file))
        for (data, o) in paexec_out_stream(self.connection.max_write_size):
            paexec_file.write(data, o)
        log.debug("Closing open to PAExec file")
        paexec_file.close(False)
        log.info("Disconnecting from SMB Tree %s" % smb_tree.share_name)
        smb_tree.disconnect()

        # create the PAExec service
        service_path = r'"%SystemRoot%\{0}" -service'.format(self._exe_file)
        log.info("Creating PAExec service %s" % self.service_name)
        self._service.create(service_path)
github jborean93 / pypsexec / pypsexec / scmr.py View on Github external
def open(self):
        log.debug("Connecting to SMB Tree %s for SCMR" % self.tree.share_name)
        self.tree.connect()

        log.debug("Opening handle to svcctl pipe")
        self.handle.create(ImpersonationLevel.Impersonation,
                           FilePipePrinterAccessMask.GENERIC_READ |
                           FilePipePrinterAccessMask.GENERIC_WRITE,
                           0,
                           ShareAccess.FILE_SHARE_READ |
                           ShareAccess.FILE_SHARE_WRITE |
                           ShareAccess.FILE_SHARE_DELETE,
                           CreateDisposition.FILE_OPEN,
                           CreateOptions.FILE_NON_DIRECTORY_FILE)

        # we need to bind svcctl to SCManagerW over DCE/RPC
        bind = BindPDU()
        bind['pfx_flags'].set_flag(PFlags.PFC_FIRST_FRAG)
        bind['pfx_flags'].set_flag(PFlags.PFC_LAST_FRAG)
        bind['packed_drep'] = DataRepresentationFormat()
        bind['call_id'] = self.call_id
        self.call_id += 1

        context_ndr = ContextElement()
        context_ndr['context_id'] = 0
        context_ndr['abstract_syntax'] = SyntaxIdElement()
        context_ndr['abstract_syntax']['uuid'] = \
            uuid.UUID("367ABB81-9844-35F1-AD32-98F038001003")
        context_ndr['abstract_syntax']['version'] = 2
github jborean93 / pypsexec / pypsexec / exec.py View on Github external
ControlCode.SERVICE_CONTROL_STOP)
                scmr_api.delete_service(service_handle)
                scmr_api.close_service_handle_w(service_handle)

            # copy the executable across and overwrite the existing file
            tree_admin = TreeConnect(session, r"\\%s\ADMIN$"
                                     % session.connection.server_name)
            tree_admin.connect()

            # Copy the paexec payload to the host
            paexec = Open(tree_admin, exe_path)
            paexec.open(ImpersonationLevel.Impersonation,
                        FilePipePrinterAccessMask.FILE_WRITE_DATA,
                        FileAttributes.FILE_ATTRIBUTE_NORMAL,
                        ShareAccess.FILE_SHARE_READ,
                        CreateDisposition.FILE_OVERWRITE_IF,
                        CreateOptions.FILE_NON_DIRECTORY_FILE)
            try:
                for (payload, offset) in exe_payload(65536):
                    paexec.write(payload, offset)
            finally:
                paexec.close(False)

            # now create a branch new service here
            service_handle = scmr_api.create_service_wow64_w(
                scm_handle,
                svc_name,
                svc_name,
                svc_desired_access,
                ServiceType.SERVICE_WIN32_OWN_PROCESS,
                StartType.SERVICE_DEMAND_START,
                ErrorControl.SERVICE_ERROR_NORMAL,
github jborean93 / pypsexec / pypsexec / client.py View on Github external
smb_tree = TreeConnect(self.session,
                               r"\\%s\ADMIN$" % self.connection.server_name)
        smb_tree.connect()

        share = Open(smb_tree, "")
        query_msgs = [
            share.create(ImpersonationLevel.Impersonation,
                         DirectoryAccessMask.FILE_READ_ATTRIBUTES |
                         DirectoryAccessMask.SYNCHRONIZE |
                         DirectoryAccessMask.FILE_LIST_DIRECTORY,
                         FileAttributes.FILE_ATTRIBUTE_DIRECTORY,
                         ShareAccess.FILE_SHARE_READ |
                         ShareAccess.FILE_SHARE_WRITE |
                         ShareAccess.FILE_SHARE_DELETE,
                         CreateDisposition.FILE_OPEN,
                         CreateOptions.FILE_DIRECTORY_FILE,
                         send=False),
            share.query_directory("PAExec-*.exe",
                                  FileInformationClass.FILE_NAMES_INFORMATION,
                                  send=False),
            share.close(False, send=False)
        ]
        query_reqs = self.connection.send_compound([x[0] for x in query_msgs],
                                                   self.session.session_id,
                                                   smb_tree.tree_connect_id,
                                                   related=True)
        # receive response for open and close
        query_msgs[0][1](query_reqs[0])
        query_msgs[2][1](query_reqs[2])
        try:
            # receive the response for query_directory
github jborean93 / pypsexec / pypsexec / client.py View on Github external
def _delete_file(self, tree, name):
        file_open = Open(tree, name)
        msgs = [
            file_open.create(ImpersonationLevel.Impersonation,
                             FilePipePrinterAccessMask.DELETE,
                             FileAttributes.FILE_ATTRIBUTE_NORMAL,
                             0,
                             CreateDisposition.FILE_OPEN_IF,
                             CreateOptions.FILE_NON_DIRECTORY_FILE |
                             CreateOptions.FILE_DELETE_ON_CLOSE,
                             send=False),
            file_open.close(get_attributes=False, send=False)
        ]
        reqs = self.connection.send_compound([x[0] for x in msgs],
                                             sid=self.session.session_id,
                                             tid=tree.tree_connect_id,
                                             related=True)
        # remove the responses from the SMB outstanding requests
        msgs[0][1](reqs[0])
        msgs[1][1](reqs[1])
github jborean93 / pypsexec / pypsexec / exec.py View on Github external
def create_pipe(tree, name, access_mask):
    pipe = Open(tree, name)
    pipe.open(ImpersonationLevel.Impersonation,
              access_mask,
              FileAttributes.FILE_ATTRIBUTE_NORMAL,
              ShareAccess.FILE_SHARE_READ |
              ShareAccess.FILE_SHARE_WRITE |
              ShareAccess.FILE_SHARE_DELETE,
              CreateDisposition.FILE_OPEN,
              CreateOptions.FILE_NON_DIRECTORY_FILE |
              CreateOptions.FILE_SYNCHRONOUS_IO_NONALERT)
    return pipe
github jborean93 / pypsexec / pypsexec / pipe.py View on Github external
log.debug(str(fsctl_data))
        request = tree.session.connection.send(
            wait_pipe,
            sid=tree.session.session_id,
            tid=tree.tree_connect_id
        )

        log.info("Receiving FSCTL_PIPE_WAIT response for pipe: %s"
                 % name)
        tree.session.connection.receive(request)

    pipe.create(ImpersonationLevel.Impersonation,
                access_mask,
                FileAttributes.FILE_ATTRIBUTE_NORMAL,
                0,
                CreateDisposition.FILE_OPEN,
                CreateOptions.FILE_NON_DIRECTORY_FILE |
                CreateOptions.FILE_SYNCHRONOUS_IO_NONALERT)

    return pipe