How to use the smbprotocol.open.FilePipePrinterAccessMask function in smbprotocol
To help you get started, we’ve selected a few smbprotocol examples, based on popular ways it is used in public projects.
Secure your code as it's written. Use Snyk Code to scan source code in minutes - no build needed - and fix issues immediately.
jborean93 / pypsexec / tests / test_scmr.py View on Github 
password = os.environ.get('PYPSEXEC_PASSWORD', None)
if server and username and password:
connection = Connection(uuid.uuid4(), server, 445)
session = Session(connection, username, password)
tree = TreeConnect(session, r"\\%s\ADMIN$" % server)
paexec_file = Open(tree, "PAExec.exe")
connection.connect()
try:
session.connect()
tree.connect()
paexec_file.create(ImpersonationLevel.Impersonation,
FilePipePrinterAccessMask.FILE_WRITE_DATA,
FileAttributes.FILE_ATTRIBUTE_NORMAL,
ShareAccess.FILE_SHARE_READ,
CreateDisposition.FILE_OVERWRITE_IF,
CreateOptions.FILE_NON_DIRECTORY_FILE)
paexec_file.write(pkgutil.get_data('pypsexec', 'paexec.exe'), 0)
paexec_file.close(get_attributes=False)
yield session
finally:
paexec_file.create(ImpersonationLevel.Impersonation,
FilePipePrinterAccessMask.DELETE,
FileAttributes.FILE_ATTRIBUTE_NORMAL,
ShareAccess.FILE_SHARE_DELETE,
CreateDisposition.FILE_OVERWRITE_IF,
CreateOptions.FILE_DELETE_ON_CLOSE)
paexec_file.close(get_attributes=False)"""
Thin wrapper around an input Named Pipe. This isn't run in a thread
and any data sent to write is written to the Named Pipe.
:param tree: The SMB tree connected to IPC$
:param name: The name of the input Named Pipe
"""
log.info("Initialising Input Named Pipe with the name: %s" % name)
self.name = name
self.connection = tree.session.connection
self.sid = tree.session.session_id
self.tid = tree.tree_connect_id
self.pipe = open_pipe(tree, name,
FilePipePrinterAccessMask.FILE_WRITE_DATA |
FilePipePrinterAccessMask.FILE_APPEND_DATA |
FilePipePrinterAccessMask.FILE_WRITE_EA |
FilePipePrinterAccessMask.FILE_WRITE_ATTRIBUTES |
FilePipePrinterAccessMask.FILE_READ_ATTRIBUTES |
FilePipePrinterAccessMask.READ_CONTROL |
FilePipePrinterAccessMask.SYNCHRONIZE,
fsctl_wait=True)Pipe in a separate thread and sends that data to the handle_output
method defined by the implementation class. This should not be used
directly, i.e. use OutputPipeBytes instead which returns the Named
Pipe output as a byte string.
:param tree: The SMB tree connected to IPC$
:param name: The name of the output Named Pipe
"""
super(OutputPipe, self).__init__()
log.info("Initialising Output Named Pipe with the name: %s" % name)
self.name = name
self.connection = tree.session.connection
self.sid = tree.session.session_id
self.tid = tree.tree_connect_id
self.pipe = open_pipe(tree, name,
FilePipePrinterAccessMask.FILE_READ_DATA |
FilePipePrinterAccessMask.FILE_READ_ATTRIBUTES |
FilePipePrinterAccessMask.FILE_READ_EA |
FilePipePrinterAccessMask.READ_CONTROL |
FilePipePrinterAccessMask.SYNCHRONIZE,
fsctl_wait=True)
self.sent_first = False
method defined by the implementation class. This should not be used
directly, i.e. use OutputPipeBytes instead which returns the Named
Pipe output as a byte string.
:param tree: The SMB tree connected to IPC$
:param name: The name of the output Named Pipe
"""
super(OutputPipe, self).__init__()
log.info("Initialising Output Named Pipe with the name: %s" % name)
self.name = name
self.connection = tree.session.connection
self.sid = tree.session.session_id
self.tid = tree.tree_connect_id
self.pipe = open_pipe(tree, name,
FilePipePrinterAccessMask.FILE_READ_DATA |
FilePipePrinterAccessMask.FILE_READ_ATTRIBUTES |
FilePipePrinterAccessMask.FILE_READ_EA |
FilePipePrinterAccessMask.READ_CONTROL |
FilePipePrinterAccessMask.SYNCHRONIZE,
fsctl_wait=True)
self.sent_first = False
def open(self):
log.debug("Connecting to SMB Tree %s for SCMR" % self.tree.share_name)
self.tree.connect()
log.debug("Opening handle to svcctl pipe")
self.handle.create(ImpersonationLevel.Impersonation,
FilePipePrinterAccessMask.GENERIC_READ |
FilePipePrinterAccessMask.GENERIC_WRITE,
0,
ShareAccess.FILE_SHARE_READ |
ShareAccess.FILE_SHARE_WRITE |
ShareAccess.FILE_SHARE_DELETE,
CreateDisposition.FILE_OPEN,
CreateOptions.FILE_NON_DIRECTORY_FILE)
# we need to bind svcctl to SCManagerW over DCE/RPC
bind = BindPDU()
bind['pfx_flags'].set_flag(PFlags.PFC_FIRST_FRAG)
bind['pfx_flags'].set_flag(PFlags.PFC_LAST_FRAG)
bind['packed_drep'] = DataRepresentationFormat()
bind['call_id'] = self.call_id
self.call_id += 1
context_ndr = ContextElement()main_pipe.write(start_msg_b, 0)
out_access_mask = FilePipePrinterAccessMask.FILE_READ_DATA | \
FilePipePrinterAccessMask.FILE_READ_ATTRIBUTES | \
FilePipePrinterAccessMask.FILE_READ_EA | \
FilePipePrinterAccessMask.READ_CONTROL | \
FilePipePrinterAccessMask.SYNCHRONIZE
ioctl_pipe(tree, stdout_name)
stdout_pipe = create_pipe(tree, stdout_name, out_access_mask)
ioctl_pipe(tree, stderr_name)
stderr_pipe = create_pipe(tree, stderr_name, out_access_mask)
in_access_mask = FilePipePrinterAccessMask.FILE_WRITE_DATA | \
FilePipePrinterAccessMask.FILE_APPEND_DATA | \
FilePipePrinterAccessMask.FILE_WRITE_EA | \
FilePipePrinterAccessMask.FILE_WRITE_ATTRIBUTES | \
FilePipePrinterAccessMask.FILE_READ_ATTRIBUTES | \
FilePipePrinterAccessMask.READ_CONTROL | \
FilePipePrinterAccessMask.SYNCHRONIZE
ioctl_pipe(tree, stdin_name)
stdin_pipe = create_pipe(tree, stdin_name, in_access_mask)
stdout = b""
stderr = b""
stdout_queue = Queue()
stderr_queue = Queue()
stdout_proc = Process(target=read_pipe, args=(stdout_pipe,stdout_queue,))
stderr_proc = Process(target=read_pipe, args=(stderr_pipe,stderr_queue,))
stdout_proc.start()
stderr_proc.start():param tree: The SMB tree connected to IPC$
:param name: The name of the output Named Pipe
"""
super(OutputPipe, self).__init__()
log.info("Initialising Output Named Pipe with the name: %s" % name)
self.name = name
self.connection = tree.session.connection
self.sid = tree.session.session_id
self.tid = tree.tree_connect_id
self.pipe = open_pipe(tree, name,
FilePipePrinterAccessMask.FILE_READ_DATA |
FilePipePrinterAccessMask.FILE_READ_ATTRIBUTES |
FilePipePrinterAccessMask.FILE_READ_EA |
FilePipePrinterAccessMask.READ_CONTROL |
FilePipePrinterAccessMask.SYNCHRONIZE,
fsctl_wait=True)
self.sent_first = False
Pipe output as a byte string.
:param tree: The SMB tree connected to IPC$
:param name: The name of the output Named Pipe
"""
super(OutputPipe, self).__init__()
log.info("Initialising Output Named Pipe with the name: %s" % name)
self.name = name
self.connection = tree.session.connection
self.sid = tree.session.session_id
self.tid = tree.tree_connect_id
self.pipe = open_pipe(tree, name,
FilePipePrinterAccessMask.FILE_READ_DATA |
FilePipePrinterAccessMask.FILE_READ_ATTRIBUTES |
FilePipePrinterAccessMask.FILE_READ_EA |
FilePipePrinterAccessMask.READ_CONTROL |
FilePipePrinterAccessMask.SYNCHRONIZE,
fsctl_wait=True)
self.sent_first = False
def _delete_file(self, tree, name):
file_open = Open(tree, name)
msgs = [
file_open.create(ImpersonationLevel.Impersonation,
FilePipePrinterAccessMask.DELETE,
FileAttributes.FILE_ATTRIBUTE_NORMAL,
0,
CreateDisposition.FILE_OPEN_IF,
CreateOptions.FILE_NON_DIRECTORY_FILE |
CreateOptions.FILE_DELETE_ON_CLOSE,
send=False),
file_open.close(get_attributes=False, send=False)
]
reqs = self.connection.send_compound([x[0] for x in msgs],
sid=self.session.session_id,
tid=tree.tree_connect_id,
related=True)
# remove the responses from the SMB outstanding requests
msgs[0][1](reqs[0])
msgs[1][1](reqs[1])service_status = scmr_api.query_service_status(service_handle)
if service_status.current_state != CurrentState.SERVICE_STOPPED:
scmr_api.control_service(service_handle,
ControlCode.SERVICE_CONTROL_STOP)
scmr_api.delete_service(service_handle)
scmr_api.close_service_handle_w(service_handle)
# copy the executable across and overwrite the existing file
tree_admin = TreeConnect(session, r"\\%s\ADMIN$"
% session.connection.server_name)
tree_admin.connect()
# Copy the paexec payload to the host
paexec = Open(tree_admin, exe_path)
paexec.open(ImpersonationLevel.Impersonation,
FilePipePrinterAccessMask.FILE_WRITE_DATA,
FileAttributes.FILE_ATTRIBUTE_NORMAL,
ShareAccess.FILE_SHARE_READ,
CreateDisposition.FILE_OVERWRITE_IF,
CreateOptions.FILE_NON_DIRECTORY_FILE)
try:
for (payload, offset) in exe_payload(65536):
paexec.write(payload, offset)
finally:
paexec.close(False)
# now create a branch new service here
service_handle = scmr_api.create_service_wow64_w(
scm_handle,
svc_name,
svc_name,
svc_desired_access,smbprotocol
Interact with a server using the SMB 2/3 Protocol
Package Health Score
82 / 100Popular smbprotocol functions
- smbprotocol.connection.Connection
- smbprotocol.connection.NtStatus
- smbprotocol.exceptions.SMBResponseException
- smbprotocol.ioctl.SMB2IOCTLRequest
- smbprotocol.open.CreateDisposition
- smbprotocol.open.CreateOptions
- smbprotocol.open.CreateOptions.FILE_NON_DIRECTORY_FILE
- smbprotocol.open.FileAttributes
- smbprotocol.open.FileAttributes.FILE_ATTRIBUTE_NORMAL
- smbprotocol.open.FilePipePrinterAccessMask
- smbprotocol.open.ImpersonationLevel
- smbprotocol.open.ImpersonationLevel.Impersonation
- smbprotocol.open.Open
- smbprotocol.open.ShareAccess
- smbprotocol.open.ShareAccess.FILE_SHARE_READ
- smbprotocol.session.Session
- smbprotocol.structure.EnumField
- smbprotocol.structure.IntField
- smbprotocol.structure.Structure
- smbprotocol.tree.TreeConnect