/// <summary>
/// Issues the SVCCTL RStartServiceW call (opnum 0x13) for the service handle taken
/// from the previous reply. The call is encoded as a DCE/RPC request and carried in
/// an SMB2 WRITE to the pipe handle held in <c>guidFileHandle</c>, then handed to
/// <c>Send</c>. Starting a service through the SCM interface is observable on the
/// target in the System event log and on the wire as SVCCTL traffic over SMB.
/// </summary>
/// <returns>Whatever <c>Send</c> returns for the assembled header and payload.</returns>
internal Boolean StartServiceW()
{
    Console.WriteLine("[+] Starting Service");

    // The 20-byte RPC context handle is lifted from a fixed offset of the last
    // response buffer; nothing here verifies that the preceding call succeeded.
    // NOTE(review): offset 112 is assumed to be the handle from the prior open — confirm.
    serviceHandle = recieve.Skip(112).Take(20).ToArray();

    var smbHeader = new SMB2Header();
    smbHeader.SetCommand(new Byte[] { 0x09, 0x00 });              // SMB2 WRITE
    smbHeader.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
    smbHeader.SetMessageID(++messageId);
    smbHeader.SetProcessID(processId);
    smbHeader.SetTreeId(treeId);
    smbHeader.SetSessionID(sessionId);

    var scmCall = new SVCCTLSCMStartServiceW();
    scmCall.SetContextHandle(serviceHandle);
    var stubData = scmCall.GetRequest();

    var rpcPdu = new DCERPCRequest();
    rpcPdu.SetPacketFlags(new Byte[] { 0x03 });                   // first + last fragment
    rpcPdu.SetFragLength(stubData.Length, 0, 0);
    rpcPdu.SetCallID(new Byte[] { 0x01, 0x00, 0x00, 0x00 });
    rpcPdu.SetContextID(new Byte[] { 0x00, 0x00 });
    rpcPdu.SetOpnum(new Byte[] { 0x13, 0x00 });                   // RStartServiceW
    var rpcBytes = rpcPdu.GetRequest();

    var smbWrite = new SMB2WriteRequest();
    smbWrite.SetGuidHandleFile(guidFileHandle);
    smbWrite.SetLength(rpcBytes.Length + stubData.Length);
    var writeBytes = smbWrite.GetRequest();

    // Payload order inside the WRITE: SMB2 write header, RPC PDU header, RPC stub.
    var payload = new Combine();
    payload.Extend(writeBytes);
    payload.Extend(rpcBytes);
    payload.Extend(stubData);
    var body = payload.Retrieve();

    if (signing)
    {
        smbHeader.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 }); // SMB2_FLAGS_SIGNED
        smbHeader.SetSignature(sessionKey, ref body);
    }

    var headerBytes = smbHeader.GetHeader();
    return Send(headerBytes, body);
}
/// <summary>
/// Issues the SVCCTL RCloseServiceHandle call (opnum 0x00) for the handle stored in
/// <c>serviceContectHandle</c>. The call is encoded as a DCE/RPC request and carried in
/// an SMB2 WRITE to the pipe handle held in <c>guidFileHandle</c>, then handed to
/// <c>Send</c>.
/// </summary>
/// <returns>Whatever <c>Send</c> returns for the assembled header and payload.</returns>
internal Boolean CloseServiceHandle()
{
    var smbHeader = new SMB2Header();
    smbHeader.SetCommand(new Byte[] { 0x09, 0x00 });              // SMB2 WRITE
    smbHeader.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
    smbHeader.SetMessageID(++messageId);
    smbHeader.SetProcessID(processId);
    smbHeader.SetTreeId(treeId);
    smbHeader.SetSessionID(sessionId);

    // Field name keeps the project's existing spelling; it holds the handle being closed.
    var scmCall = new SVCCTLSCMCloseServiceHandle();
    scmCall.SetContextHandle(serviceContectHandle);
    var stubData = scmCall.GetRequest();

    var rpcPdu = new DCERPCRequest();
    rpcPdu.SetPacketFlags(new Byte[] { 0x03 });                   // first + last fragment
    rpcPdu.SetFragLength(stubData.Length, 0, 0);
    rpcPdu.SetCallID(new Byte[] { 0x01, 0x00, 0x00, 0x00 });
    rpcPdu.SetContextID(new Byte[] { 0x00, 0x00 });
    rpcPdu.SetOpnum(new Byte[] { 0x00, 0x00 });                   // RCloseServiceHandle
    var rpcBytes = rpcPdu.GetRequest();

    var smbWrite = new SMB2WriteRequest();
    smbWrite.SetGuidHandleFile(guidFileHandle);
    smbWrite.SetLength(rpcBytes.Length + stubData.Length);
    var writeBytes = smbWrite.GetRequest();

    // Payload order inside the WRITE: SMB2 write header, RPC PDU header, RPC stub.
    var payload = new Combine();
    payload.Extend(writeBytes);
    payload.Extend(rpcBytes);
    payload.Extend(stubData);
    var body = payload.Retrieve();

    if (signing)
    {
        smbHeader.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 }); // SMB2_FLAGS_SIGNED
        smbHeader.SetSignature(sessionKey, ref body);
    }

    var headerBytes = smbHeader.GetHeader();
    return Send(headerBytes, body);
}
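/// <summary>
/// Issues the SVCCTL ROpenSCManagerW call (opnum 0x0f) as a DCE/RPC request carried in
/// an SMB2 WRITE to the pipe handle held in <c>guidFileHandle</c>, then reads the reply
/// into <c>recieve</c>. Unlike the sibling calls, this method frames and writes the
/// message on <c>streamSocket</c> itself instead of going through <c>Send</c>.
/// </summary>
/// <returns>
/// <c>true</c> when <c>GetStatus</c> accepts the NTSTATUS of the reply; <c>false</c> when
/// the connection closes before a complete status field arrives or the status is a failure.
/// </returns>
internal Boolean OpenSCManagerW()
{
    SMB2Header header = new SMB2Header();
    header.SetCommand(new Byte[] { 0x09, 0x00 });                 // SMB2 WRITE
    header.SetCreditsRequested(new Byte[] { 0x01, 0x00 });
    header.SetMessageID(++messageId);
    header.SetProcessID(processId);
    header.SetTreeId(treeId);
    header.SetSessionID(sessionId);

    SVCCTLSCMOpenSCManagerW openSCManagerW = new SVCCTLSCMOpenSCManagerW();
    Byte[] bSCManager = openSCManagerW.GetRequest();

    DCERPCRequest rpcRequest = new DCERPCRequest();
    rpcRequest.SetPacketFlags(new Byte[] { 0x03 });               // first + last fragment
    rpcRequest.SetFragLength(bSCManager.Length, 0, 0);
    rpcRequest.SetCallID(new Byte[] { 0x01, 0x00, 0x00, 0x00 });
    rpcRequest.SetContextID(new Byte[] { 0x00, 0x00 });
    rpcRequest.SetOpnum(new Byte[] { 0x0f, 0x00 });               // ROpenSCManagerW
    Byte[] bRPCRequest = rpcRequest.GetRequest();

    SMB2WriteRequest writeRequest = new SMB2WriteRequest();
    writeRequest.SetGuidHandleFile(guidFileHandle);
    writeRequest.SetLength(bRPCRequest.Length + bSCManager.Length);
    Byte[] bWriteRequest = writeRequest.GetRequest();

    // Payload order inside the WRITE: SMB2 write header, RPC PDU header, RPC stub.
    Combine combine = new Combine();
    combine.Extend(bWriteRequest);
    combine.Extend(bRPCRequest);
    combine.Extend(bSCManager);
    Byte[] bData = combine.Retrieve();

    if (signing)
    {
        header.SetFlags(new Byte[] { 0x08, 0x00, 0x00, 0x00 });    // SMB2_FLAGS_SIGNED
        header.SetSignature(sessionKey, ref bData);
    }
    Byte[] bHeader = header.GetHeader();

    // NetBIOS session service framing carries the total length of header + data.
    NetBIOSSessionService sessionService = new NetBIOSSessionService();
    sessionService.SetHeaderLength(bHeader.Length);
    sessionService.SetDataLength(bData.Length);
    Byte[] bSessionService = sessionService.GetNetBIOSSessionService();

    Byte[] bSend = Combine.combine(Combine.combine(bSessionService, bHeader), bData);
    streamSocket.Write(bSend, 0, bSend.Length);
    streamSocket.Flush();

    // 4-byte NetBIOS session header plus the SMB2 header up to and including the
    // 4-byte NTSTATUS at header offset 8: GetStatus below reads recieve[12..15],
    // so a reply shorter than this cannot be interpreted.
    const Int32 minimumReplyLength = 16;

    // Drop whatever the previous reply left behind so that a short read is never
    // completed by stale bytes from an earlier response.
    Array.Clear(recieve, 0, recieve.Length);

    // Stream.Read may return fewer bytes than requested; keep reading until the
    // status field is present. A zero-length read means the peer closed the connection.
    Int32 received = 0;
    while (received < minimumReplyLength)
    {
        Int32 chunk = streamSocket.Read(recieve, received, recieve.Length - received);
        if (chunk <= 0)
        {
            return false;
        }
        received += chunk;
    }

    return GetStatus(recieve.Skip(12).Take(4).ToArray());
}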