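        /// <summary>
        /// Issues the SVCCTL StartServiceW call over the established SMB2 session.
        /// The service context handle is read from the last response buffer
        /// (<c>recieve</c>, bytes 112..131); the call stub is wrapped in a DCE/RPC
        /// request and an SMB2 WRITE (command 0x09) against <c>guidFileHandle</c>,
        /// signed when <c>signing</c> is enabled, and handed to <c>Send</c>.
        /// </summary>
        /// <returns>
        /// The result of <c>Send</c>, or <c>false</c> when the receive buffer does not
        /// contain a full 20-byte context handle at the expected offset.
        /// </returns>
        internal Boolean StartServiceW()
        {
            Console.WriteLine("[+] Starting Service");

            // NOTE(review): fixed offset into the previous response; assumes the last
            // exchange returned the service handle — confirm against the caller.
            serviceHandle = recieve.Skip(112).Take(20).ToArray();

            // A truncated buffer yields a short handle and therefore a malformed stub;
            // fail early instead of sending it.
            if (serviceHandle.Length != 20)
            {
                return false;
            }

            SMB2Header header = new SMB2Header();

            header.SetCommand(new Byte[] { 0x09, 0x00 });
            header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
            header.SetMessageID(++messageId);
            header.SetProcessID(processId);
            header.SetTreeId(treeId);
            header.SetSessionID(sessionId);

            // RPC stub: StartServiceW on the handle recovered above.
            SVCCTLSCMStartServiceW startServiceW = new SVCCTLSCMStartServiceW();

            startServiceW.SetContextHandle(serviceHandle);
            Byte[] bStartService = startServiceW.GetRequest();

            // DCE/RPC envelope; frag length covers the stub only.
            DCERPCRequest rpcRequest = new DCERPCRequest();

            rpcRequest.SetPacketFlags(new Byte[] { 0x03 });
            rpcRequest.SetFragLength(bStartService.Length, 0, 0);
            rpcRequest.SetCallID(new Byte[] { 0x01, 0x00, 0x00, 0x00 });
            rpcRequest.SetContextID(new Byte[] { 0x00, 0x00 });
            rpcRequest.SetOpnum(new Byte[] { 0x13, 0x00 });
            Byte[] bRPCRequest = rpcRequest.GetRequest();

            // SMB2 WRITE carrying envelope + stub to the pipe handle.
            SMB2WriteRequest writeRequest = new SMB2WriteRequest();

            writeRequest.SetGuidHandleFile(guidFileHandle);
            writeRequest.SetLength(bRPCRequest.Length + bStartService.Length);
            Byte[] bWriteRequest = writeRequest.GetRequest();

            Combine combine = new Combine();

            combine.Extend(bWriteRequest);
            combine.Extend(bRPCRequest);
            combine.Extend(bStartService);
            Byte[] bData = combine.Retrieve();

            if (signing)
            {
                // SMB2 signed flag; the signature is computed over the assembled body.
                header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
                header.SetSignature(sessionKey, ref bData);
            }
            Byte[] bHeader = header.GetHeader();

            return Send(bHeader, bData);
        }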
        /// <summary>
        /// Sends an SVCCTL CloseServiceHandle request for the handle stored in
        /// <c>serviceContectHandle</c>: the stub is placed in a DCE/RPC request inside
        /// an SMB2 WRITE (command 0x09) to <c>guidFileHandle</c>, signed if
        /// <c>signing</c> is set, and passed to <c>Send</c>.
        /// </summary>
        /// <returns>Whatever <c>Send</c> reports for the exchange.</returns>
        internal Boolean CloseServiceHandle()
        {
            var smbHeader = new SMB2Header();
            smbHeader.SetCommand(new Byte[] { 0x09, 0x00 });
            smbHeader.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
            smbHeader.SetMessageID(++messageId);
            smbHeader.SetProcessID(processId);
            smbHeader.SetTreeId(treeId);
            smbHeader.SetSessionID(sessionId);

            // RPC stub: the context handle to close.
            var closeRequest = new SVCCTLSCMCloseServiceHandle();
            closeRequest.SetContextHandle(serviceContectHandle);
            var stub = closeRequest.GetRequest();

            // DCE/RPC envelope around the stub.
            var rpc = new DCERPCRequest();
            rpc.SetPacketFlags(new Byte[] { 0x03 });
            rpc.SetFragLength(stub.Length, 0, 0);
            rpc.SetCallID(new Byte[] { 0x01, 0x00, 0x00, 0x00 });
            rpc.SetContextID(new Byte[] { 0x00, 0x00 });
            rpc.SetOpnum(new Byte[] { 0x00, 0x00 });
            var rpcBytes = rpc.GetRequest();

            // SMB2 WRITE whose length covers envelope + stub.
            var write = new SMB2WriteRequest();
            write.SetGuidHandleFile(guidFileHandle);
            write.SetLength(rpcBytes.Length + stub.Length);

            var payload = new Combine();
            payload.Extend(write.GetRequest());
            payload.Extend(rpcBytes);
            payload.Extend(stub);
            var body = payload.Retrieve();

            if (signing)
            {
                // SMB2 signed flag; signature computed over the assembled body.
                smbHeader.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
                smbHeader.SetSignature(sessionKey, ref body);
            }

            return Send(smbHeader.GetHeader(), body);
        }
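        /// <summary>
        /// Issues the SVCCTL OpenSCManagerW call: builds the stub, DCE/RPC envelope and
        /// SMB2 WRITE (command 0x09) to <c>guidFileHandle</c>, signs the body when
        /// <c>signing</c> is enabled, frames it with a NetBIOS session service header,
        /// writes it to <c>streamSocket</c> and reads the reply into <c>recieve</c>.
        /// Unlike the other SVCCTL helpers this method does its own send/receive rather
        /// than calling <c>Send</c>.
        /// </summary>
        /// <returns>
        /// <c>GetStatus</c> evaluated on the reply's status field (bytes 12..15), or
        /// <c>false</c> when fewer than 16 bytes were received.
        /// </returns>
        internal Boolean OpenSCManagerW()
        {
            SMB2Header header = new SMB2Header();

            header.SetCommand(new Byte[] { 0x09, 0x00 });
            header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
            header.SetMessageID(++messageId);
            header.SetProcessID(processId);
            header.SetTreeId(treeId);
            header.SetSessionID(sessionId);

            // RPC stub for OpenSCManagerW (no context handle needed yet).
            SVCCTLSCMOpenSCManagerW openSCManagerW = new SVCCTLSCMOpenSCManagerW();

            Byte[] bSCManager = openSCManagerW.GetRequest();

            // DCE/RPC envelope; frag length covers the stub only.
            DCERPCRequest rpcRequest = new DCERPCRequest();

            rpcRequest.SetPacketFlags(new Byte[] { 0x03 });
            rpcRequest.SetFragLength(bSCManager.Length, 0, 0);
            rpcRequest.SetCallID(new Byte[] { 0x01, 0x00, 0x00, 0x00 });
            rpcRequest.SetContextID(new Byte[] { 0x00, 0x00 });
            rpcRequest.SetOpnum(new Byte[] { 0x0f, 0x00 });
            Byte[] bRPCRequest = rpcRequest.GetRequest();

            // SMB2 WRITE carrying envelope + stub to the pipe handle.
            SMB2WriteRequest writeRequest = new SMB2WriteRequest();

            writeRequest.SetGuidHandleFile(guidFileHandle);
            writeRequest.SetLength(bRPCRequest.Length + bSCManager.Length);
            Byte[] bWriteRequest = writeRequest.GetRequest();

            Combine combine = new Combine();

            combine.Extend(bWriteRequest);
            combine.Extend(bRPCRequest);
            combine.Extend(bSCManager);
            Byte[] bData = combine.Retrieve();

            if (signing)
            {
                // SMB2 signed flag; the signature is computed over the assembled body.
                header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });
                header.SetSignature(sessionKey, ref bData);
            }
            Byte[] bHeader = header.GetHeader();

            // NetBIOS session service framing for header + body.
            NetBIOSSessionService sessionService = new NetBIOSSessionService();

            sessionService.SetHeaderLength(bHeader.Length);
            sessionService.SetDataLength(bData.Length);
            Byte[] bSessionService = sessionService.GetNetBIOSSessionService();

            Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData);
            streamSocket.Write(bSend, 0, bSend.Length);
            streamSocket.Flush();

            // Stream.Read may return fewer bytes than requested (or 0 on a closed peer);
            // the previous code ignored the count and evaluated whatever was left in the
            // buffer from an earlier reply. The status field is read at bytes 12..15, so
            // anything shorter than 16 bytes cannot be evaluated.
            // NOTE(review): a single Read is still assumed to deliver the whole reply;
            // a loop keyed on the NetBIOS length field would be more robust.
            int bytesRead = streamSocket.Read(recieve, 0, recieve.Length);
            if (bytesRead < 16)
            {
                return false;
            }

            return GetStatus(recieve.Skip(12).Take(4).ToArray());
        }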