/// <exception cref="System.IO.IOException"></exception>
internal static void ResolveSids0(string authorityServerName, NtlmPasswordAuthentication
auth, Sid[] sids)
{
DcerpcHandle handle = null;
LsaPolicyHandle policyHandle = null;
lock (SidCache)
{
try
{
handle = DcerpcHandle.GetHandle("ncacn_np:" + authorityServerName + "[\\PIPE\\lsarpc]"
, auth);
string server = authorityServerName;
int dot = server.IndexOf('.');
if (dot > 0 && char.IsDigit(server[0]) == false)
{
server = Runtime.Substring(server, 0, dot);
}
policyHandle = new LsaPolicyHandle(handle, "\\\\" + server, unchecked (0x00000800));
ResolveSids(handle, policyHandle, sids);
}
finally
{
if (handle != null)
{
if (policyHandle != null)
{
policyHandle.Close();
}
handle.Close();
}
}
}
}
/// <exception cref="System.IO.IOException"></exception>
public SamrAliasHandle(DcerpcHandle handle, SamrDomainHandle domainHandle, int access
, int rid)
{
MsrpcSamrOpenAlias rpc = new MsrpcSamrOpenAlias(domainHandle, access, rid, this);
handle.Sendrecv(rpc);
if (rpc.Retval != 0)
{
throw new SmbException(rpc.Retval, false);
}
}
/// <exception cref="System.IO.IOException"></exception>
public SamrAliasHandle(DcerpcHandle handle, SamrDomainHandle domainHandle, int access
, int rid)
{
MsrpcSamrOpenAlias rpc = new MsrpcSamrOpenAlias(domainHandle, access, rid, this);
handle.Sendrecv(rpc);
if (rpc.Retval != 0)
{
throw new SmbException(rpc.Retval, false);
}
}
/// <exception cref="System.IO.IOException"></exception>
public SamrDomainHandle(DcerpcHandle handle, SamrPolicyHandle policyHandle, int access
, Rpc.SidT sid)
{
MsrpcSamrOpenDomain rpc = new MsrpcSamrOpenDomain(policyHandle, access, sid, this
);
handle.Sendrecv(rpc);
if (rpc.Retval != 0)
{
throw new SmbException(rpc.Retval, false);
}
}
/// <exception cref="System.IO.IOException"></exception>
public SamrDomainHandle(DcerpcHandle handle, SamrPolicyHandle policyHandle, int access
, Rpc.SidT sid)
{
MsrpcSamrOpenDomain rpc = new MsrpcSamrOpenDomain(policyHandle, access, sid, this
);
handle.Sendrecv(rpc);
if (rpc.Retval != 0)
{
throw new SmbException(rpc.Retval, false);
}
}
/// <exception cref="System.IO.IOException"></exception>
public LsaPolicyHandle(DcerpcHandle handle, string server, int access)
{
if (server == null)
{
server = "\\\\";
}
MsrpcLsarOpenPolicy2 rpc = new MsrpcLsarOpenPolicy2(server, access, this);
handle.Sendrecv(rpc);
if (rpc.Retval != 0)
{
throw new SmbException(rpc.Retval, false);
}
}
/// <exception cref="System.IO.IOException"></exception>
public LsaPolicyHandle(DcerpcHandle handle, string server, int access)
{
if (server == null)
{
server = "\\\\";
}
MsrpcLsarOpenPolicy2 rpc = new MsrpcLsarOpenPolicy2(server, access, this);
handle.Sendrecv(rpc);
if (rpc.Retval != 0)
{
throw new SmbException(rpc.Retval, false);
}
}
/// <exception cref="System.IO.IOException"></exception>
public virtual Sid[] GetGroupMemberSids(string authorityServerName,
NtlmPasswordAuthentication auth,
int flags)
{
if (Type != SidTypeDomGrp && Type != SidTypeAlias)
{
return(new Sid[0]);
}
DcerpcHandle handle = null;
SamrPolicyHandle policyHandle = null;
SamrDomainHandle domainHandle = null;
Sid domsid = GetDomainSid();
lock (SidCache)
{
try
{
handle = DcerpcHandle.GetHandle("ncacn_np:" + authorityServerName
+ "[\\PIPE\\samr]", auth);
policyHandle = new SamrPolicyHandle(handle,
authorityServerName,
unchecked (0x00000030));
domainHandle = new SamrDomainHandle(handle,
policyHandle,
unchecked (0x00000200),
domsid);
return(GetGroupMemberSids0(handle,
domainHandle,
domsid,
GetRid(),
flags));
}
finally
{
if (handle != null)
{
if (policyHandle != null)
{
if (domainHandle != null)
{
domainHandle.Close();
}
policyHandle.Close();
}
handle.Close();
}
}
}
}
public bool doPsexec(String binPath, NtlmPasswordAuthentication auth, String cmd)
{
Random rnd = new Random();
int randInt = rnd.Next(1, 10000000);
String host = "127.0.0.1";
DcerpcHandle handle = DcerpcHandle.GetHandle("ncacn_np:" + host + "[\\pipe\\svcctl]", auth);
// Open the SCManager on the remote machine and get a handle
// for that open instance (scManagerHandle).
Rpc.PolicyHandle scManagerHandle = new Rpc.PolicyHandle();
svcctl.OpenSCManager openSCManagerRpc = new svcctl.OpenSCManager("\\\\" + host, null,
(0x000F0000 | 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0010 | 0x0020), scManagerHandle);
handle.Sendrecv(openSCManagerRpc);
if (openSCManagerRpc.retval != 0)
{
throw new SmbException(openSCManagerRpc.retval, true);
}
Rpc.PolicyHandle svcHandle = new Rpc.PolicyHandle();
svcctl.OpenService openServiceRpc = new svcctl.OpenService(scManagerHandle,
"GetShell" + randInt, svcctl.SC_MANAGER_ALL_ACCESS, svcHandle);
handle.Sendrecv(openServiceRpc);
// If the service didn't exist, create it.
if (openServiceRpc.retval == 1060)
{
// Create a new service.
svcHandle = new Rpc.PolicyHandle();
//code 272 is for an interactive, own process service this was originally svcctl.SC_TYPE_SERVICE_WIN32_OWN_PROCESS
svcctl.CreateServiceW createServiceWRpc = new svcctl.CreateServiceW(
scManagerHandle, "GetShell" + randInt, "GetShell" + randInt,
svcctl.SC_MANAGER_ALL_ACCESS, 272,
svcctl.SC_START_TYPE_SERVICE_DEMAND_START, svcctl.SC_SERVICE_ERROR_NORMAL,
cmd,
null, null, null, 0, null, null, 0, svcHandle);
handle.Sendrecv(createServiceWRpc);
if (createServiceWRpc.retval != 0)
{
throw new SmbException(createServiceWRpc.retval, true);
}
}
svcctl.StartService startServiceRpc = new svcctl.StartService(svcHandle, 0, new String[0]);
handle.Sendrecv(startServiceRpc);
return(true);
}
/// <exception cref="System.IO.IOException"></exception>
internal static void ResolveSids(DcerpcHandle handle, LsaPolicyHandle policyHandle
, Sid[] sids)
{
MsrpcLookupSids rpc = new MsrpcLookupSids(policyHandle, sids);
handle.Sendrecv(rpc);
switch (rpc.Retval)
{
case 0:
case NtStatus.NtStatusNoneMapped:
case unchecked (0x00000107):
{
// NT_STATUS_SOME_NOT_MAPPED
break;
}
default:
{
throw new SmbException(rpc.Retval, false);
}
}
for (int si = 0; si < sids.Length; si++)
{
sids[si].Type = rpc.Names.Names[si].SidType;
sids[si].DomainName = null;
switch (sids[si].Type)
{
case SidTypeUser:
case SidTypeDomGrp:
case SidTypeDomain:
case SidTypeAlias:
case SidTypeWknGrp:
{
int sidIndex = rpc.Names.Names[si].SidIndex;
Rpc.Unicode_string ustr = rpc.Domains.Domains[sidIndex].Name;
sids[si].DomainName = (new UnicodeString(ustr, false)).ToString();
break;
}
}
sids[si].AcctName = (new UnicodeString(rpc.Names.Names[si].Name, false)).ToString
();
sids[si].OriginServer = null;
sids[si].OriginAuth = null;
}
}
/// <exception cref="System.IO.IOException"></exception>
internal static Sid[] GetGroupMemberSids0(DcerpcHandle handle,
SamrDomainHandle domainHandle,
Sid domsid,
int rid,
int flags)
{
SamrAliasHandle aliasHandle = null;
Lsarpc.LsarSidArray sidarray = new Lsarpc.LsarSidArray();
MsrpcGetMembersInAlias rpc = null;
try
{
aliasHandle = new SamrAliasHandle(handle, domainHandle, unchecked (0x0002000c), rid);
rpc = new MsrpcGetMembersInAlias(aliasHandle, sidarray);
handle.Sendrecv(rpc);
if (rpc.Retval != 0)
{
throw new SmbException(rpc.Retval, false);
}
Sid[] sids = new Sid[rpc.Sids.NumSids];
string originServer = handle.GetServer();
NtlmPasswordAuthentication originAuth
= (NtlmPasswordAuthentication)handle.GetPrincipal();
for (int i = 0; i < sids.Length; i++)
{
sids[i] = new Sid(rpc.Sids.Sids[i].Sid, 0, null, null, false);
sids[i].OriginServer = originServer;
sids[i].OriginAuth = originAuth;
}
if (sids.Length > 0 && (flags & SidFlagResolveSids) != 0)
{
ResolveSids(originServer, originAuth, sids);
}
return(sids);
}
finally
{
if (aliasHandle != null)
{
aliasHandle.Close();
}
}
}
/// <exception cref="System.IO.IOException"></exception>
public static Sid GetServerSid(string server,
NtlmPasswordAuthentication auth)
{
DcerpcHandle handle = null;
LsaPolicyHandle policyHandle = null;
Lsarpc.LsarDomainInfo info = new Lsarpc.LsarDomainInfo();
MsrpcQueryInformationPolicy rpc;
lock (SidCache)
{
try
{
handle = DcerpcHandle.GetHandle("ncacn_np:" + server + "[\\PIPE\\lsarpc]", auth);
// NetApp doesn't like the 'generic' access mask values
policyHandle = new LsaPolicyHandle(handle, null, unchecked (0x00000001));
rpc = new MsrpcQueryInformationPolicy(policyHandle,
Lsarpc.PolicyInfoAccountDomain,
info);
handle.Sendrecv(rpc);
if (rpc.Retval != 0)
{
throw new SmbException(rpc.Retval, false);
}
return(new Sid(info.Sid,
SidTypeDomain,
(new UnicodeString(info.Name, false)).ToString(),
null,
false));
}
finally
{
if (handle != null)
{
if (policyHandle != null)
{
policyHandle.Close();
}
handle.Close();
}
}
}
}
/// <exception cref="System.IO.IOException"></exception>
public SamrPolicyHandle(DcerpcHandle handle, string server, int access)
{
if (server == null)
{
server = "\\\\";
}
MsrpcSamrConnect4 rpc = new MsrpcSamrConnect4(server, access, this);
try
{
handle.Sendrecv(rpc);
}
catch (DcerpcException de)
{
if (de.GetErrorCode() != DcerpcError.DcerpcFaultOpRngError)
{
throw;
}
MsrpcSamrConnect2 rpc2 = new MsrpcSamrConnect2(server, access, this);
handle.Sendrecv(rpc2);
}
}
/// <exception cref="System.IO.IOException"></exception>
public SamrPolicyHandle(DcerpcHandle handle, string server, int access)
{
if (server == null)
{
server = "\\\\";
}
MsrpcSamrConnect4 rpc = new MsrpcSamrConnect4(server, access, this);
try
{
handle.Sendrecv(rpc);
}
catch (DcerpcException de)
{
if (de.GetErrorCode() != DcerpcError.DcerpcFaultOpRngError)
{
throw;
}
MsrpcSamrConnect2 rpc2 = new MsrpcSamrConnect2(server, access, this);
handle.Sendrecv(rpc2);
}
}
/// <summary>
/// This specialized method returns a Map of users and local groups for the
/// target server where keys are SIDs representing an account and each value
/// is an List<object> of SIDs represents the local groups that the account is
/// a member of.
/// </summary>
/// <remarks>
/// This specialized method returns a Map of users and local groups for the
/// target server where keys are SIDs representing an account and each value
/// is an List<object> of SIDs represents the local groups that the account is
/// a member of.
/// <p/>
/// This method is designed to assist with computing access control for a
/// given user when the target object's ACL has local groups. Local groups
/// are not listed in a user's group membership (e.g. as represented by the
/// tokenGroups constructed attribute retrived via LDAP).
/// <p/>
/// Domain groups nested inside a local group are currently not expanded. In
/// this case the key (SID) type will be SID_TYPE_DOM_GRP rather than
/// SID_TYPE_USER.
/// </remarks>
/// <param name="authorityServerName">The server from which the local groups will be queried.
/// </param>
/// <param name="auth">The credentials required to query groups and group members.</param>
/// <param name="flags">
/// Flags that control the behavior of the operation. When all
/// name associated with SIDs will be required, the SID_FLAG_RESOLVE_SIDS
/// flag should be used which causes all group member SIDs to be resolved
/// together in a single more efficient operation.
/// </param>
/// <exception cref="System.IO.IOException"></exception>
internal static Hashtable GetLocalGroupsMap(string authorityServerName, NtlmPasswordAuthentication
auth, int flags)
{
Sid domsid = GetServerSid(authorityServerName, auth);
DcerpcHandle handle = null;
SamrPolicyHandle policyHandle = null;
SamrDomainHandle domainHandle = null;
Samr.SamrSamArray sam = new Samr.SamrSamArray();
MsrpcEnumerateAliasesInDomain rpc;
lock (SidCache)
{
try
{
handle = DcerpcHandle.GetHandle("ncacn_np:" + authorityServerName + "[\\PIPE\\samr]"
, auth);
policyHandle = new SamrPolicyHandle(handle, authorityServerName, unchecked (0x02000000));
domainHandle = new SamrDomainHandle(handle, policyHandle, unchecked (0x02000000), domsid);
rpc = new MsrpcEnumerateAliasesInDomain(domainHandle, unchecked (0xFFFF), sam
);
handle.Sendrecv(rpc);
if (rpc.Retval != 0)
{
throw new SmbException(rpc.Retval, false);
}
Hashtable map = new Hashtable();
for (int ei = 0; ei < rpc.Sam.Count; ei++)
{
Samr.SamrSamEntry entry = rpc.Sam.Entries[ei];
Sid[] mems = GetGroupMemberSids0(handle, domainHandle, domsid
, entry.Idx, flags);
Sid groupSid = new Sid(domsid, entry.Idx);
groupSid.Type = SidTypeAlias;
groupSid.DomainName = domsid.GetDomainName();
groupSid.AcctName = (new UnicodeString(entry.Name, false)).ToString();
for (int mi = 0; mi < mems.Length; mi++)
{
List <object> groups = (List <object>)map.Get(mems[mi]);
if (groups == null)
{
groups = new List <object>();
map.Put(mems[mi], groups);
}
if (!groups.Contains(groupSid))
{
groups.Add(groupSid);
}
}
}
return(map);
}
finally
{
if (handle != null)
{
if (policyHandle != null)
{
if (domainHandle != null)
{
domainHandle.Close();
}
policyHandle.Close();
}
handle.Close();
}
}
}
}
