public CreateServiceW(Rpc.PolicyHandle scmanager_handle,
String service_name,
String display_name,
int access_mask,
int service_type,
int start_type,
int error_control,
String binary_path_name,
String load_order_group,
NdrLong lpdwTagId,
byte[] lpDependencies,
int dependency_size,
String lpServiceStartName,
byte[] password,
int password_size,
Rpc.PolicyHandle service_handle)
{
this.scmanager_handle = scmanager_handle;
this.service_name = service_name;
this.display_name = display_name;
this.access_mask = access_mask;
this.service_type = service_type;
this.start_type = start_type;
this.error_control = error_control;
this.binary_path_name = binary_path_name;
this.load_order_group = load_order_group;
this.lpdwTagId = lpdwTagId;
this.lpDependencies = lpDependencies;
this.dependency_size = dependency_size;
this.lpServiceStartName = lpServiceStartName;
this.password = password;
this.password_size = password_size;
this.service_handle = service_handle;
this.Ptype = 0;
}
public StartService(Rpc.PolicyHandle handle, int num_service_args, String[] service_arg_vectors)
{
this.handle = handle;
this.num_service_args = num_service_args;
this.service_arg_vectors = service_arg_vectors;
this.Ptype = 0;
}
public LsarQueryInformationPolicy(Rpc.PolicyHandle handle, short level, NdrObject
info)
{
this.Handle = handle;
this.Level = level;
this.Info = info;
}
public SamrConnect4(string systemName, int unknown, int accessMask, Rpc.PolicyHandle handle)
{
this.SystemName = systemName;
this.Unknown = unknown;
this.AccessMask = accessMask;
this.Handle = handle;
}
public SamrOpenAlias(Rpc.PolicyHandle domainHandle, int accessMask, int rid, Rpc.PolicyHandle
aliasHandle)
{
this.DomainHandle = domainHandle;
this.AccessMask = accessMask;
this.Rid = rid;
this.AliasHandle = aliasHandle;
}
public SamrOpenDomain(Rpc.PolicyHandle handle, int accessMask, Rpc.SidT sid, Rpc.PolicyHandle
domainHandle)
{
this.Handle = handle;
this.AccessMask = accessMask;
this.Sid = sid;
this.DomainHandle = domainHandle;
}
public LsarOpenPolicy2(string systemName, LsarObjectAttributes objectAttributes
, int desiredAccess, Rpc.PolicyHandle policyHandle)
{
this.SystemName = systemName;
this.ObjectAttributes = objectAttributes;
this.DesiredAccess = desiredAccess;
this.PolicyHandle = policyHandle;
}
public SamrEnumerateAliasesInDomain(Rpc.PolicyHandle domainHandle, int resumeHandle
, int acctFlags, SamrSamArray sam, int numEntries)
{
this.DomainHandle = domainHandle;
this.ResumeHandle = resumeHandle;
this.AcctFlags = acctFlags;
this.Sam = sam;
this.NumEntries = numEntries;
}
public LsarLookupSids(Rpc.PolicyHandle handle, LsarSidArray sids, LsarRefDomainList
domains, LsarTransNameArray names, short level, int count)
{
this.Handle = handle;
this.Sids = sids;
this.Domains = domains;
this.Names = names;
this.Level = level;
this.Count = count;
}
public OpenService(Rpc.PolicyHandle scmanager_handle,
String service_name,
int access_mask,
Rpc.PolicyHandle handle)
{
this.scmanager_handle = scmanager_handle;
this.service_name = service_name;
this.access_mask = access_mask;
this.handle = handle;
this.Ptype = 0;
}
public OpenSCManager(String machine_name,
String database_name,
int access_mask,
Rpc.PolicyHandle handle)
{
this.machine_name = machine_name;
this.database_name = database_name;
this.access_mask = access_mask;
this.handle = handle;
this.Ptype = 0;
}
public bool doPsexec(String binPath, NtlmPasswordAuthentication auth, String cmd)
{
Random rnd = new Random();
int randInt = rnd.Next(1, 10000000);
String host = "127.0.0.1";
DcerpcHandle handle = DcerpcHandle.GetHandle("ncacn_np:" + host + "[\\pipe\\svcctl]", auth);
// Open the SCManager on the remote machine and get a handle
// for that open instance (scManagerHandle).
Rpc.PolicyHandle scManagerHandle = new Rpc.PolicyHandle();
svcctl.OpenSCManager openSCManagerRpc = new svcctl.OpenSCManager("\\\\" + host, null,
(0x000F0000 | 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0010 | 0x0020), scManagerHandle);
handle.Sendrecv(openSCManagerRpc);
if (openSCManagerRpc.retval != 0)
{
throw new SmbException(openSCManagerRpc.retval, true);
}
Rpc.PolicyHandle svcHandle = new Rpc.PolicyHandle();
svcctl.OpenService openServiceRpc = new svcctl.OpenService(scManagerHandle,
"GetShell" + randInt, svcctl.SC_MANAGER_ALL_ACCESS, svcHandle);
handle.Sendrecv(openServiceRpc);
// If the service didn't exist, create it.
if (openServiceRpc.retval == 1060)
{
// Create a new service.
svcHandle = new Rpc.PolicyHandle();
//code 272 is for an interactive, own process service this was originally svcctl.SC_TYPE_SERVICE_WIN32_OWN_PROCESS
svcctl.CreateServiceW createServiceWRpc = new svcctl.CreateServiceW(
scManagerHandle, "GetShell" + randInt, "GetShell" + randInt,
svcctl.SC_MANAGER_ALL_ACCESS, 272,
svcctl.SC_START_TYPE_SERVICE_DEMAND_START, svcctl.SC_SERVICE_ERROR_NORMAL,
cmd,
null, null, null, 0, null, null, 0, svcHandle);
handle.Sendrecv(createServiceWRpc);
if (createServiceWRpc.retval != 0)
{
throw new SmbException(createServiceWRpc.retval, true);
}
}
svcctl.StartService startServiceRpc = new svcctl.StartService(svcHandle, 0, new String[0]);
handle.Sendrecv(startServiceRpc);
return(true);
}
public EnumServicesStatus(Rpc.PolicyHandle handle,
int type,
int state,
int buf_size,
byte[] service,
int bytes_needed,
int services_returned,
int resume_handle)
{
this.handle = handle;
this.type = type;
this.state = state;
this.buf_size = buf_size;
this.service = service;
this.bytes_needed = bytes_needed;
this.services_returned = services_returned;
this.resume_handle = resume_handle;
this.Ptype = 0;
}
public LsarLookupSids(Rpc.PolicyHandle handle, LsarSidArray sids, LsarRefDomainList
domains, LsarTransNameArray names, short level, int count)
{
this.Handle = handle;
this.Sids = sids;
this.Domains = domains;
this.Names = names;
this.Level = level;
this.Count = count;
}
public LsarOpenPolicy2(string systemName, LsarObjectAttributes objectAttributes
, int desiredAccess, Rpc.PolicyHandle policyHandle)
{
this.SystemName = systemName;
this.ObjectAttributes = objectAttributes;
this.DesiredAccess = desiredAccess;
this.PolicyHandle = policyHandle;
}
public SetServiceStatus(Rpc.PolicyHandle service_handle, service_status status)
{
this.service_handle = service_handle;
this.status = status;
this.Ptype = 0;
}
public SamrGetMembersInAlias(Rpc.PolicyHandle aliasHandle, Lsarpc.LsarSidArray
sids)
{
this.AliasHandle = aliasHandle;
this.Sids = sids;
}
public SamrEnumerateAliasesInDomain(Rpc.PolicyHandle domainHandle, int resumeHandle
, int acctFlags, SamrSamArray sam, int numEntries)
{
this.DomainHandle = domainHandle;
this.ResumeHandle = resumeHandle;
this.AcctFlags = acctFlags;
this.Sam = sam;
this.NumEntries = numEntries;
}
public SamrConnect4(string systemName, int unknown, int accessMask, Rpc.PolicyHandle
handle)
{
this.SystemName = systemName;
this.Unknown = unknown;
this.AccessMask = accessMask;
this.Handle = handle;
}
public LsarClose(Rpc.PolicyHandle handle)
{
this.Handle = handle;
}
public LsarClose(Rpc.PolicyHandle handle)
{
this.Handle = handle;
}
public LsarQueryInformationPolicy(Rpc.PolicyHandle handle, short level, NdrObject
info)
{
this.Handle = handle;
this.Level = level;
this.Info = info;
}
public SamrOpenDomain(Rpc.PolicyHandle handle, int accessMask, Rpc.SidT sid, Rpc.PolicyHandle
domainHandle)
{
this.Handle = handle;
this.AccessMask = accessMask;
this.Sid = sid;
this.DomainHandle = domainHandle;
}
public SamrGetMembersInAlias(Rpc.PolicyHandle aliasHandle, Lsarpc.LsarSidArray sids)
{
this.AliasHandle = aliasHandle;
this.Sids = sids;
}
public SamrOpenAlias(Rpc.PolicyHandle domainHandle, int accessMask, int rid, Rpc.PolicyHandle
aliasHandle)
{
this.DomainHandle = domainHandle;
this.AccessMask = accessMask;
this.Rid = rid;
this.AliasHandle = aliasHandle;
}
public SamrCloseHandle(Rpc.PolicyHandle handle)
{
this.Handle = handle;
}
public SamrCloseHandle(Rpc.PolicyHandle handle)
{
this.Handle = handle;
}
public DeleteService(Rpc.PolicyHandle service_handle)
{
this.service_handle = service_handle;
this.Ptype = 0;
}
