Inheritance: SharpCifs.Dcerpc.Ndr.NdrObject
Example #1
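        /// <summary>
        /// PsExec-style remote execution over MS-SCMR: binds to the Service Control
        /// Manager through the <c>\pipe\svcctl</c> named pipe, creates (when it does
        /// not already exist) a demand-start service whose binary path is
        /// <paramref name="cmd"/>, starts it, and deletes the service again when this
        /// call was the one that created it.
        /// </summary>
        /// <param name="binPath">Not used by this implementation; <paramref name="cmd"/>
        /// is what gets installed as the service binary path. Kept for signature
        /// compatibility with existing callers.</param>
        /// <param name="auth">NTLM credentials used to bind the DCE/RPC handle.</param>
        /// <param name="cmd">Command line installed verbatim as the service's binary path.
        /// With a null lpServiceStartName the SCM runs it under its default service
        /// account (LocalSystem), so treat this value as fully privileged input.</param>
        /// <returns>Always <c>true</c> once the StartService request has been sent.</returns>
        /// <exception cref="SmbException">Carries the Win32 error code when OpenSCManager,
        /// OpenService (for anything other than "service does not exist") or
        /// CreateServiceW fails.</exception>
        public bool doPsexec(String binPath, NtlmPasswordAuthentication auth,String cmd)
        {
            // The service name only needs to be unlikely to collide with an existing
            // service; it is not a secret, so System.Random is sufficient here.
            Random rnd = new Random();
            int randInt = rnd.Next(1,10000000);
            String serviceName = "GetShell" + randInt;

            // NOTE(review): the target is fixed to loopback, so `auth` is presented to
            // the local machine's SCM rather than to a remote host.
            String host = "127.0.0.1";
            DcerpcHandle handle = DcerpcHandle.GetHandle("ncacn_np:" + host + "[\\pipe\\svcctl]", auth);

            // Open the SCManager with a full-access mask (0x000F003F: the standard
            // rights plus the six SCM-specific rights) and keep the returned
            // handle (scManagerHandle) for the service operations below.
            Rpc.PolicyHandle scManagerHandle = new Rpc.PolicyHandle();
            svcctl.OpenSCManager openSCManagerRpc = new svcctl.OpenSCManager("\\\\" + host, null,
                    (0x000F0000 | 0x0001 | 0x0002 | 0x0004 | 0x0008 | 0x0010 | 0x0020), scManagerHandle);
            handle.Sendrecv(openSCManagerRpc);
            if (openSCManagerRpc.retval != 0)
            {
                throw new SmbException(openSCManagerRpc.retval, true);
            }

            Rpc.PolicyHandle svcHandle = new Rpc.PolicyHandle();
            svcctl.OpenService openServiceRpc = new svcctl.OpenService(scManagerHandle,
                    serviceName, svcctl.SC_MANAGER_ALL_ACCESS, svcHandle);
            handle.Sendrecv(openServiceRpc);

            // Track whether this call installed the service so that only our own
            // artefact is removed afterwards.
            bool created = false;
            if (openServiceRpc.retval == 1060)
            {
                // 1060 = ERROR_SERVICE_DOES_NOT_EXIST: install it.
                svcHandle = new Rpc.PolicyHandle();
                // Service type 272 (0x110) = SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS;
                // this was originally svcctl.SC_TYPE_SERVICE_WIN32_OWN_PROCESS.
                svcctl.CreateServiceW createServiceWRpc = new svcctl.CreateServiceW(
                        scManagerHandle, serviceName, serviceName,
                        svcctl.SC_MANAGER_ALL_ACCESS, 272,
                        svcctl.SC_START_TYPE_SERVICE_DEMAND_START, svcctl.SC_SERVICE_ERROR_NORMAL,
                        cmd,
                        null, null, null, 0, null, null, 0, svcHandle);
                handle.Sendrecv(createServiceWRpc);
                if (createServiceWRpc.retval != 0)
                {
                    throw new SmbException(createServiceWRpc.retval, true);
                }
                created = true;
            }
            else if (openServiceRpc.retval != 0)
            {
                // Any other OpenService failure (e.g. access denied) leaves svcHandle
                // invalid; previously the code went on to StartService with it.
                throw new SmbException(openServiceRpc.retval, true);
            }

            try
            {
                svcctl.StartService startServiceRpc = new svcctl.StartService(svcHandle, 0, new String[0]);
                handle.Sendrecv(startServiceRpc);
                // startServiceRpc.retval is deliberately not checked: a plain command
                // line is not a real service, so the SCM commonly answers with
                // ERROR_SERVICE_REQUEST_TIMEOUT (1053) even though the process was launched.
            }
            finally
            {
                if (created)
                {
                    // Remove the service we installed so no persistent artefact is left
                    // behind; the caller never learns the random name and therefore
                    // could not clean up itself. Best effort: the result is not checked.
                    svcctl.DeleteService deleteServiceRpc = new svcctl.DeleteService(svcHandle);
                    handle.Sendrecv(deleteServiceRpc);
                }
            }
            return true;
        }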
Example #2
 /// <summary>
 /// Builds an EnumServicesStatus request PDU (Ptype 0 = request in the DCE/RPC
 /// PDU numbering) against an open SCM handle. The constructor only stores the
 /// arguments; nothing is sent until the message is passed to a DCE/RPC handle.
 /// </summary>
 /// <param name="handle">SCM policy handle returned by OpenSCManager.</param>
 /// <param name="type">Service type filter.</param>
 /// <param name="state">Service state filter.</param>
 /// <param name="buf_size">Size of the caller-supplied result buffer.</param>
 /// <param name="service">Result buffer the enumeration is written into.</param>
 /// <param name="bytes_needed">Bytes required (filled by the response).</param>
 /// <param name="services_returned">Number of entries (filled by the response).</param>
 /// <param name="resume_handle">Continuation cookie for paged enumeration.</param>
 public EnumServicesStatus(Rpc.PolicyHandle handle,
             int type,
             int state,
             int buf_size,
             byte[] service,
             int bytes_needed,
             int services_returned,
             int resume_handle)
 {
     // Request PDU; every other field is copied as given.
     this.Ptype = 0;

     this.resume_handle = resume_handle;
     this.services_returned = services_returned;
     this.bytes_needed = bytes_needed;
     this.service = service;
     this.buf_size = buf_size;
     this.state = state;
     this.type = type;
     this.handle = handle;
 }
Example #3
 /// <summary>
 /// Builds a StartService request PDU (Ptype 0 = request) for an open service
 /// handle. Only stores the arguments; the caller sends it through a DCE/RPC handle.
 /// </summary>
 /// <param name="handle">Service policy handle from OpenService / CreateServiceW.</param>
 /// <param name="num_service_args">Number of entries in <paramref name="service_arg_vectors"/>;
 /// the two are not cross-checked here.</param>
 /// <param name="service_arg_vectors">Arguments handed to the service on start.</param>
 public StartService(Rpc.PolicyHandle handle, int num_service_args, String[] service_arg_vectors)
 {
     this.Ptype = 0;
     this.service_arg_vectors = service_arg_vectors;
     this.num_service_args = num_service_args;
     this.handle = handle;
 }
Example #4
 /// <summary>
 /// Builds an OpenService request PDU (Ptype 0 = request). The access mask is
 /// passed through unchanged; request only the rights actually needed (e.g. start
 /// or delete) rather than a full mask where possible.
 /// </summary>
 /// <param name="scmanager_handle">SCM policy handle from OpenSCManager.</param>
 /// <param name="service_name">Name of the service to open.</param>
 /// <param name="access_mask">Requested access rights for the service handle.</param>
 /// <param name="handle">Receives the opened service policy handle.</param>
 public OpenService(Rpc.PolicyHandle scmanager_handle,
             String service_name,
             int access_mask,
             Rpc.PolicyHandle handle)
 {
     this.Ptype = 0;
     this.handle = handle;
     this.access_mask = access_mask;
     this.service_name = service_name;
     this.scmanager_handle = scmanager_handle;
 }
Example #5
 /// <summary>
 /// Builds an OpenSCManager request PDU (Ptype 0 = request) that opens the
 /// Service Control Manager database on <paramref name="machine_name"/>.
 /// </summary>
 /// <param name="machine_name">Target machine (UNC form, e.g. "\\\\host").</param>
 /// <param name="database_name">SCM database name; null selects the default.</param>
 /// <param name="access_mask">Requested access rights for the SCM handle.</param>
 /// <param name="handle">Receives the opened SCM policy handle.</param>
 public OpenSCManager(String machine_name,
             String database_name,
             int access_mask,
             Rpc.PolicyHandle handle)
 {
     this.Ptype = 0;
     this.handle = handle;
     this.access_mask = access_mask;
     this.database_name = database_name;
     this.machine_name = machine_name;
 }
Example #6
 /// <summary>
 /// Builds a CreateServiceW request PDU (Ptype 0 = request). Arguments are stored
 /// as given; nothing is validated or transformed here.
 /// </summary>
 /// <param name="scmanager_handle">SCM policy handle from OpenSCManager.</param>
 /// <param name="service_name">Internal service name.</param>
 /// <param name="display_name">Display name shown by management tools.</param>
 /// <param name="access_mask">Requested access rights for the new service handle.</param>
 /// <param name="service_type">Service type flags.</param>
 /// <param name="start_type">Start type (e.g. demand start).</param>
 /// <param name="error_control">Error-control value.</param>
 /// <param name="binary_path_name">Command line the SCM executes; it runs with the
 /// service account's privileges, so it must never be built from untrusted input.</param>
 /// <param name="load_order_group">Load-order group, or null.</param>
 /// <param name="lpdwTagId">Optional tag id, or null.</param>
 /// <param name="lpDependencies">Dependency list bytes, or null.</param>
 /// <param name="dependency_size">Length of <paramref name="lpDependencies"/>.</param>
 /// <param name="lpServiceStartName">Account to run as; null means the SCM default.</param>
 /// <param name="password">Account password bytes, or null. NOTE(review): this class
 /// sends the bytes as given; whether they are protected in transit depends on the
 /// underlying SMB/DCE-RPC session — confirm before passing real credentials.</param>
 /// <param name="password_size">Length of <paramref name="password"/>.</param>
 /// <param name="service_handle">Receives the created service policy handle.</param>
 public CreateServiceW(Rpc.PolicyHandle scmanager_handle,
             String service_name,
             String display_name,
             int access_mask,
             int service_type,
             int start_type,
             int error_control,
             String binary_path_name,
             String load_order_group,
             NdrLong lpdwTagId,
             byte[] lpDependencies,
             int dependency_size,
             String lpServiceStartName,
             byte[] password,
             int password_size,
             Rpc.PolicyHandle service_handle)
 {
     this.Ptype = 0;

     // Handles.
     this.scmanager_handle = scmanager_handle;
     this.service_handle = service_handle;

     // Identity and configuration of the service.
     this.service_name = service_name;
     this.display_name = display_name;
     this.access_mask = access_mask;
     this.service_type = service_type;
     this.start_type = start_type;
     this.error_control = error_control;
     this.binary_path_name = binary_path_name;
     this.load_order_group = load_order_group;
     this.lpdwTagId = lpdwTagId;
     this.lpDependencies = lpDependencies;
     this.dependency_size = dependency_size;

     // Run-as account.
     this.lpServiceStartName = lpServiceStartName;
     this.password = password;
     this.password_size = password_size;
 }
Example #7
 /// <summary>
 /// Builds a SetServiceStatus request PDU (Ptype 0 = request) that reports
 /// <paramref name="status"/> for the service behind <paramref name="service_handle"/>.
 /// </summary>
 /// <param name="service_handle">Service policy handle.</param>
 /// <param name="status">Status structure to report to the SCM.</param>
 public SetServiceStatus(Rpc.PolicyHandle service_handle, service_status status)
 {
     this.Ptype = 0;
     this.status = status;
     this.service_handle = service_handle;
 }
Example #8
 /// <summary>
 /// Builds a DeleteService request PDU (Ptype 0 = request) for an open service
 /// handle. This is the cleanup counterpart to CreateServiceW: code that installs a
 /// service should send this afterwards so no persistent artefact is left behind.
 /// </summary>
 /// <param name="service_handle">Service policy handle opened with delete rights.</param>
 public DeleteService(Rpc.PolicyHandle service_handle)
 {
     this.Ptype = 0;
     this.service_handle = service_handle;
 }