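# SECUREAUTH LABS. Copyright 2018 SecureAuth Corporation. All rights reserved.
#
# This software is provided under under a slightly modified version
# of the Apache Software License. See the accompanying LICENSE file
# for more information.
#
# Author: Alberto Solino (@agsolino)
#
# Description:
#   [MS-TSCH] ITaskSchedulerService Interface implementation
#
#   Best way to learn how to use these calls is to grab the protocol standard
#   so you understand what the call does, and then read the test case located
#   at https://github.com/SecureAuthCorp/impacket/tree/master/tests/SMB_RPC
#
#   Some calls have helper functions, which makes it even easier to use.
#   They are located at the end of this file.
#   Helper functions start with "h".
#   There are test cases for them too.
#
from impacket.dcerpc.v5.ndr import NDRCALL, NDRSTRUCT, NDRPOINTER, NDRUniConformantArray
from impacket.dcerpc.v5.dtypes import DWORD, LPWSTR, ULONG, WSTR, NULL, GUID, PSYSTEMTIME, SYSTEMTIME
from impacket.structure import Structure
from impacket import hresult_errors, system_errors
from impacket.uuid import uuidtup_to_bin
from impacket.dcerpc.v5.rpcrt import DCERPCException

# Interface identifier (UUID, version) of ITaskSchedulerService. The calls
# listed further down (SchRpcRegisterTask, SchRpcRun, ...) all belong to this
# interface, so this UUID is the value to key on when writing RPC filters or
# network detections for remote task-scheduler activity.
MSRPC_UUID_TSCHS = uuidtup_to_bin(('86D35949-83C9-4044-B424-DB363231FD0C','1.0'))


class DCERPCSessionError(DCERPCException):
    """Error raised for a failed TSCH call.

    ``str()`` renders ``error_code`` using impacket's HRESULT table first and,
    if the code is not listed there, the system-error table indexed by the low
    16 bits of the code.
    """

    def __init__(self, error_string=None, error_code=None, packet=None):
        DCERPCException.__init__(self, error_string, error_code, packet)

    def __str__(self):
        key = self.error_code
        if key is None:
            # error_code defaults to None in __init__; the lookups below would
            # raise TypeError on `None & 0xffff` and hide the original error.
            return 'TSCH SessionError: unknown error code: %s' % key

        # Full HRESULT first, then the Win32 code carried in its low word.
        for table, lookup in ((hresult_errors.ERROR_MESSAGES, key),
                              (system_errors.ERROR_MESSAGES, key & 0xffff)):
            if lookup in table:
                error_msg_short = table[lookup][0]
                error_msg_verbose = table[lookup][1]
                return 'TSCH SessionError: code: 0x%x - %s - %s' % (key, error_msg_short, error_msg_verbose)
        return 'TSCH SessionError: unknown error code: 0x%x' % key


################################################################################
# CONSTANTS
################################################################################
# 2.3.1 Constant Values
CNLEN = 15
DNLEN = CNLEN
UNLEN = 256
MAX_BUFFER_SIZE = (DNLEN + UNLEN + 1 + 1)

# 2.3.7 Flags
TASK_FLAG_INTERACTIVE = 0x1
TASK_FLAG_DELETE_WHEN_DONE = 0x2
TASK_FLAG_DISABLED = 0x4
TASK_FLAG_START_ONLY_IF_IDLE = 0x10
TASK_FLAG_KILL_ON_IDLE_END = 0x20
TASK_FLAG_DONT_START_IF_ON_BATTERIES = 0x40
TASK_FLAG_KILL_IF_GOING_ON_BATTERIES = 0x80
TASK_FLAG_RUN_ONLY_IF_DOCKED = 0x100
TASK_FLAG_HIDDEN = 0x200
TASK_FLAG_RUN_IF_CONNECTED_TO_INTERNET = 0x400
TASK_FLAG_RESTART_ON_IDLE_RESUME = 0x800
TASK_FLAG_SYSTEM_REQUIRED = 0x1000
TASK_FLAG_RUN_ONLY_IF_LOGGED_ON = 0x2000

# 2.3.9 TASK_LOGON_TYPE
TASK_LOGON_NONE = 0
TASK_LOGON_PASSWORD = 1
TASK_LOGON_S4U = 2
TASK_LOGON_INTERACTIVE_TOKEN = 3
TASK_LOGON_GROUP = 4
TASK_LOGON_SERVICE_ACCOUNT = 5
TASK_LOGON_INTERACTIVE_TOKEN_OR_PASSWORD = 6

# 2.3.13 TASK_STATE
TASK_STATE_UNKNOWN = 0
TASK_STATE_DISABLED = 1
TASK_STATE_QUEUED = 2
TASK_STATE_READY = 3
TASK_STATE_RUNNING = 4

# 2.4.1 FIXDLEN_DATA
SCHED_S_TASK_READY = 0x00041300
SCHED_S_TASK_RUNNING = 0x00041301
# Was 0x00041301, i.e. identical to SCHED_S_TASK_RUNNING, so the two statuses
# could not be told apart. 0x00041305 is the value Windows defines for
# SCHED_S_TASK_NOT_SCHEDULED.
SCHED_S_TASK_NOT_SCHEDULED = 0x00041305

# 2.4.2.11 Triggers
# NOTE(review): all three flags are 0, so OR-ing them into a trigger's flags
# field changes nothing. The Windows SDK (mstask.h) defines them as 0x1, 0x2
# and 0x4 -- confirm against [MS-TSCH] 2.4.2.11 before relying on them.
TASK_TRIGGER_FLAG_HAS_END_DATE = 0
TASK_TRIGGER_FLAG_KILL_AT_DURATION_END = 0
TASK_TRIGGER_FLAG_DISABLED = 0

# ToDo: Change this to enums
ONCE = 0
DAILY = 1
WEEKLY = 2
MONTHLYDATE = 3
MONTHLYDOW = 4
EVENT_ON_IDLE = 5
EVENT_AT_SYSTEMSTART = 6
EVENT_AT_LOGON = 7

SUNDAY = 0
MONDAY = 1
TUESDAY = 2
WEDNESDAY = 3
THURSDAY = 4
FRIDAY = 5
SATURDAY = 6

JANUARY = 1
FEBRUARY = 2
MARCH = 3
APRIL = 4
MAY = 5
JUNE = 6
JULY = 7
AUGUST = 8
SEPTEMBER = 9
OCTOBER = 10
NOVEMBER = 11
DECEMBER = 12

# 2.4.2.11.8 MONTHLYDOW Trigger
FIRST_WEEK = 1
SECOND_WEEK = 2
THIRD_WEEK = 3
FOURTH_WEEK = 4
LAST_WEEK = 5

# 2.3.12 TASK_NAMES
TASK_NAMES = LPWSTR

# 3.2.5.4.2 SchRpcRegisterTask (Opnum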
# 1)   <- tail of the "3.2.5.4.2 SchRpcRegisterTask (Opnum 1)" heading begun on the previous line
# Flag bits are written as 1 << (31 - n); the resulting mask is shown
# alongside each one.
TASK_VALIDATE_ONLY = 1 << (31 - 31)                 # 0x1
TASK_CREATE = 1 << (31 - 30)                        # 0x2
TASK_UPDATE = 1 << (31 - 29)                        # 0x4
TASK_DISABLE = 1 << (31 - 28)                       # 0x8
# Misspelled name ("DON"); TASK_DONT_ADD_PRINCIPAL_ACE below carries the same
# value under the intended spelling.
TASK_DON_ADD_PRINCIPAL_ACE = 1 << (31 - 27)         # 0x10
TASK_IGNORE_REGISTRATION_TRIGGERS = 1 << (31 - 26)  # 0x20

# 3.2.5.4.5 SchRpcSetSecurity (Opnum 4)
TASK_DONT_ADD_PRINCIPAL_ACE = 1 << (31 - 27)        # 0x10
SCH_FLAG_FOLDER = 1 << (31 - 2)                     # 0x20000000
SCH_FLAG_TASK = 1 << (31 - 1)                       # 0x40000000

# 3.2.5.4.7 SchRpcEnumFolders (Opnum 6)
TASK_ENUM_HIDDEN = 1

# 3.2.5.4.13 SchRpcRun (Opnum 12)
TASK_RUN_AS_SELF = 1 << (31 - 31)                   # 0x1
TASK_RUN_IGNORE_CONSTRAINTS = 1 << (31 - 30)        # 0x2
TASK_RUN_USE_SESSION_ID = 1 << (31 - 29)            # 0x4
TASK_RUN_USER_SID = 1 << (31 - 28)                  # 0x8

# 3.2.5.4.18 SchRpcGetTaskInfo (Opnum 17)
SCH_FLAG_STATE = 1 << (31 - 3)                      # 0x10000000

################################################################################
# STRUCTURES
################################################################################
# Each type below is declared as a conformant array of one item type, followed
# by an NDR pointer whose single referent field, 'Data', is that array.

# 2.3.12 TASK_NAMES
class TASK_NAMES_ARRAY(NDRUniConformantArray):
    item = TASK_NAMES


class PTASK_NAMES_ARRAY(NDRPOINTER):
    referent = (
        ('Data', TASK_NAMES_ARRAY),
    )


class WSTR_ARRAY(NDRUniConformantArray):
    item = WSTR


class PWSTR_ARRAY(NDRPOINTER):
    referent = (
        ('Data', WSTR_ARRAY),
    )


class GUID_ARRAY(NDRUniConformantArray):
    item = GUID


class PGUID_ARRAY(NDRPOINTER):
    referent = (
        ('Data', GUID_ARRAY),
    )


# 3.2.5.4.13 SchRpcRun (Opnum 12)
class SYSTEMTIME_ARRAY(NDRUniConformantArray):
    item = SYSTEMTIME


class PSYSTEMTIME_ARRAY(NDRPOINTER):
    referent = (
        ('Data', SYSTEMTIME_ARRAY),
    )


# 2.3.8 TASK_USER_CRED
# NOTE(review): 'password' is marshalled as a plain LPWSTR, so its
# confidentiality on the wire rests on the DCE/RPC authentication level the
# caller negotiates (packet privacy) -- confirm callers set it before any
# credential is sent in this structure.
class TASK_USER_CRED(NDRSTRUCT):
    structure = (
        ('userId', LPWSTR),
        ('password', LPWSTR),
        ('flags', DWORD),
    )


class TASK_USER_CRED_ARRAY(NDRUniConformantArray):
    item = TASK_USER_CRED


class LPTASK_USER_CRED_ARRAY(NDRPOINTER):
    referent = (
        ('Data', TASK_USER_CRED_ARRAY),
    )


# 2.3.10 TASK_XML_ERROR_INFO
# Position (line, column) plus the node and value strings of a task-XML error.
class TASK_XML_ERROR_INFO(NDRSTRUCT):
    structure = (
        ('line', DWORD),
        ('column', DWORD),
        ('node', LPWSTR),
        ('value', LPWSTR),
    )


class PTASK_XML_ERROR_INFO(NDRPOINTER):
    referent = (
        ('Data', TASK_XML_ERROR_INFO),
    )


# 2.4.1 FIXDLEN_DATA
class FIXDLEN_DATA(Structure): structure = ( ('Product 
Version','