client.disconnect()
client = Client(server, username=username, password=password)
client.connect()
scmr = client._service._scmr
scmr_handle = client._service._scmr_handle
services = scmr.enum_services_status_w(scmr_handle,
ServiceType.
SERVICE_WIN32_OWN_PROCESS,
EnumServiceState.
SERVICE_STATE_ALL)
for service in services:
if service['service_name'].lower().startswith("paexec"):
paexec_services.append(service['service_name'])
smb_tree = TreeConnect(client.session,
r"\\%s\ADMIN$" % client.connection.server_name)
smb_tree.connect()
share = Open(smb_tree, "")
share.create(ImpersonationLevel.Impersonation,
DirectoryAccessMask.FILE_READ_ATTRIBUTES |
DirectoryAccessMask.SYNCHRONIZE |
DirectoryAccessMask.FILE_LIST_DIRECTORY,
FileAttributes.FILE_ATTRIBUTE_DIRECTORY,
ShareAccess.FILE_SHARE_READ |
ShareAccess.FILE_SHARE_WRITE |
ShareAccess.FILE_SHARE_DELETE,
CreateDisposition.FILE_OPEN,
CreateOptions.FILE_DIRECTORY_FILE)
try:
paexec_files = share.query_directory("PAExec-*.exe",
svc_desired_access)
except SCMRException as exc:
# check the return code wasn't service does not exist
if exc.return_code != 1060:
raise exc
else:
# delete the service as it already exists
service_status = scmr_api.query_service_status(service_handle)
if service_status.current_state != CurrentState.SERVICE_STOPPED:
scmr_api.control_service(service_handle,
ControlCode.SERVICE_CONTROL_STOP)
scmr_api.delete_service(service_handle)
scmr_api.close_service_handle_w(service_handle)
# copy the executable across and overwrite the existing file
tree_admin = TreeConnect(session, r"\\%s\ADMIN$"
% session.connection.server_name)
tree_admin.connect()
# Copy the paexec payload to the host
paexec = Open(tree_admin, exe_path)
paexec.open(ImpersonationLevel.Impersonation,
FilePipePrinterAccessMask.FILE_WRITE_DATA,
FileAttributes.FILE_ATTRIBUTE_NORMAL,
ShareAccess.FILE_SHARE_READ,
CreateDisposition.FILE_OVERWRITE_IF,
CreateOptions.FILE_NON_DIRECTORY_FILE)
try:
for (payload, offset) in exe_payload(65536):
paexec.write(payload, offset)
finally:
paexec.close(False)
def create_service(self):
    """
    Delete any existing PAExec service, then copy the PAExec executable to
    the remote host's ADMIN$ share (C:\\Windows\\) so the service can later
    be created and started from it.

    Relies on self.session, self.connection, self._service and self._exe_file
    having been set up by the caller (presumably by connect(); not visible in
    this excerpt).

    NOTE(review): this excerpt ends at the "Closing open" log line; the
    call that actually closes paexec_file (and the tree disconnect) is not
    visible here, so the handle is still open at the last line shown.
    """
    # check if the service exists and delete it
    log.debug("Ensuring service is deleted before starting")
    self._service.delete()
    # copy across the PAExec payload to C:\Windows\
    smb_tree = TreeConnect(self.session,
                           r"\\%s\ADMIN$" % self.connection.server_name)
    log.info("Connecting to SMB Tree %s" % smb_tree.share_name)
    smb_tree.connect()
    paexec_file = Open(smb_tree, self._exe_file)
    log.debug("Creating open to PAExec file")
    # FILE_OVERWRITE_IF: an executable left over from an earlier run is
    # replaced rather than causing the create to fail.
    paexec_file.create(ImpersonationLevel.Impersonation,
                       FilePipePrinterAccessMask.FILE_WRITE_DATA,
                       FileAttributes.FILE_ATTRIBUTE_NORMAL,
                       ShareAccess.FILE_SHARE_READ,
                       CreateDisposition.FILE_OVERWRITE_IF,
                       CreateOptions.FILE_NON_DIRECTORY_FILE)
    log.info("Creating PAExec executable at %s\\%s"
             % (smb_tree.share_name, self._exe_file))
    # Stream the payload in chunks no larger than the negotiated max write
    # size; paexec_out_stream yields (data, offset) pairs (defined elsewhere).
    for (data, o) in paexec_out_stream(self.connection.max_write_size):
        paexec_file.write(data, o)
    log.debug("Closing open to PAExec file")
stdout: (Bytes) The stdout.get_bytes() return result
stderr: (Bytes) The stderr.get_bytes() return result
rc: (Int) The return code of the process (The pid of the async
process when async=True)
"""
if run_elevated and run_limited:
raise PypsexecException("Both run_elevated and run_limited are "
"set, only 1 of these can be true")
if stdin is not None and (asynchronous or interactive):
raise PypsexecException("Cannot send stdin data on an interactive "
"or asynchronous process")
log.debug("Making sure PAExec service is running")
self._service.start()
smb_tree = TreeConnect(self.session,
r"\\%s\IPC$" % self.connection.server_name)
log.info("Connecting to SMB Tree %s" % smb_tree.share_name)
smb_tree.connect()
settings = PAExecSettingsBuffer()
settings['processors'] = processors if processors else []
settings['asynchronous'] = asynchronous
settings['dont_load_profile'] = not load_profile
settings['interactive_session'] = interactive_session
settings['interactive'] = interactive
settings['run_elevated'] = run_elevated
settings['run_limited'] = run_limited
settings['username'] = self._encode_string(username)
settings['password'] = self._encode_string(password)
settings['use_system_account'] = use_system_account
settings['working_dir'] = self._encode_string(working_dir)
Before calling this function, the connect() function must have already
been called.
"""
scmr = self._service._scmr
services = scmr.enum_services_status_w(
self._service._scmr_handle,
ServiceType.SERVICE_WIN32_OWN_PROCESS,
EnumServiceState.SERVICE_STATE_ALL)
for service in services:
if service['service_name'].lower().startswith("paexec"):
svc = Service(service['service_name'], self.session)
svc.open()
svc.delete()
smb_tree = TreeConnect(self.session,
r"\\%s\ADMIN$" % self.connection.server_name)
smb_tree.connect()
share = Open(smb_tree, "")
query_msgs = [
share.create(ImpersonationLevel.Impersonation,
DirectoryAccessMask.FILE_READ_ATTRIBUTES |
DirectoryAccessMask.SYNCHRONIZE |
DirectoryAccessMask.FILE_LIST_DIRECTORY,
FileAttributes.FILE_ATTRIBUTE_DIRECTORY,
ShareAccess.FILE_SHARE_READ |
ShareAccess.FILE_SHARE_WRITE |
ShareAccess.FILE_SHARE_DELETE,
CreateDisposition.FILE_OPEN,
CreateOptions.FILE_DIRECTORY_FILE,
send=False),
def __init__(self, smb_session):
    """
    Prepare an SCMR (service control) client over the given SMB session.

    Builds a tree connect to the host's IPC$ share and an Open object for
    the svcctl named pipe; neither is connected or opened here, and the
    RPC call id counter starts at 0.
    """
    server_name = smb_session.connection.server_name
    ipc_path = r"\\%s\IPC$" % server_name
    # connect to the IPC tree and open a handle at svcctl
    self.tree = TreeConnect(smb_session, ipc_path)
    self.handle = Open(self.tree, "svcctl")
    self.call_id = 0
r'"%SystemRoot%\{0}" -service'.format(exe_path),
None,
0,
None,
None,
None)[1]
# start the new service
scmr_api.start_service_w(service_handle)
finally:
scmr_api.close_service_handle_w(scm_handle)
finally:
scmr_api.close()
# connect to named pipe of the service
tree = TreeConnect(session, r"\\%s\IPC$" % session.connection.server_name)
tree.connect()
settings = PAExecSettingsBuffer()
settings['username'] = username.encode('utf-16-le')
settings['password'] = password.encode('utf-16-le')
settings['executable'] = exe.encode('utf-16-le')
settings['arguments'] = arguments.encode('utf-16-le')
input_data_struct = PAExecSettingsMsg()
input_data_struct['unique_id'] = paexec_id
input_data_struct['buffer'] = settings
input_data = input_data_struct.pack()
cleanup_pipes = []
try:
# create pipes and connect to them
if exc.return_code != 1060:
raise exc
else:
service_status = scmr_api.query_service_status(service_handle)
if service_status.current_state != CurrentState.SERVICE_STOPPED:
scmr_api.control_service(service_handle,
ControlCode.SERVICE_CONTROL_STOP)
scmr_api.delete_service(service_handle)
scmr_api.close_service_handle_w(service_handle)
finally:
scmr_api.close_service_handle_w(scm_handle)
finally:
scmr_api.close()
# Delete the executable at the end of the task
tree_admin = TreeConnect(session, r"\\%s\ADMIN$"
% session.connection.server_name)
tree_admin.connect()
paexec = Open(tree_admin, exe_path)
paexec.open(ImpersonationLevel.Impersonation,
FilePipePrinterAccessMask.FILE_READ_DATA |
FilePipePrinterAccessMask.DELETE,
0,
0,
CreateDisposition.FILE_OVERWRITE_IF,
CreateOptions.FILE_NON_DIRECTORY_FILE |
CreateOptions.FILE_DELETE_ON_CLOSE)
paexec.close(False)
tree_admin.disconnect()
finally:
connection.disconnect(True)
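def remove_service(self):
    """
    Removes the PAExec service and executable that was created as part of
    the create_service function. This does not remove any older executables
    or services from previous runs, use cleanup() instead for that purpose.

    The ADMIN$ tree connection opened here is always disconnected, even when
    deleting the executable raises; the exception still propagates, so a
    caller that sees it should assume the executable may remain on the host.
    """
    # Stops/remove the PAExec service and removes the executable
    log.debug("Deleting PAExec service at the end of the process")
    self._service.delete()

    # delete the PAExec executable
    smb_tree = TreeConnect(self.session,
                           r"\\%s\ADMIN$" % self.connection.server_name)
    log.info("Connecting to SMB Tree %s" % smb_tree.share_name)
    smb_tree.connect()

    try:
        log.info("Creating open to PAExec file with delete on close flags")
        self._delete_file(smb_tree, self._exe_file)
    finally:
        # Release the tree even if the delete failed, so a failed cleanup
        # does not leak the tree connection on the session.
        log.info("Disconnecting from SMB Tree %s" % smb_tree.share_name)
        smb_tree.disconnect()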