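# The lines below are the tail of the function that precedes this chunk
# (its header is outside this page); they are unchanged, only re-wrapped.
  ret[1] = get_dword (blob:rep, pos:4);  # current state
  ret[2] = get_dword (blob:rep, pos:8);  # controls accepted
  ret[3] = get_dword (blob:rep, pos:12); # exit code
  ret[4] = get_dword (blob:rep, pos:16); # service specific exit code
  ret[5] = get_dword (blob:rep, pos:20); # check point
  ret[6] = get_dword (blob:rep, pos:24); # wait hint

  return ret;
}


#---------------------------------------------------------#
# Function    : CreateService                             #
# Description : Add a new service                         #
# Arguments   : handle - SCM handle array: [0] = context  #
#               handle blob, [1] = pipe fid, [2] = flag   #
#               telling CloseServiceHandle whether the    #
#               pipe is closed with the handle (1 = yes)  #
#               the remaining arguments are marshalled    #
#               into the request in the order given       #
# Return      : service handle array (same layout, with   #
#               [2] = 0 so closing it leaves the pipe     #
#               open) on success, NULL on any failure     #
#---------------------------------------------------------#
function CreateService (handle, service_name, display_name, desired_access, service_type, start_service, error_control, path, load_order_group, service_start_name, password)
{
  local_var data, resp, rep, ret, opnum;

  if (session_is_unicode() == 1)
    opnum = OPNUM_CREATESERVICEW;
  else
    opnum = OPNUM_CREATESERVICEA;

  # NOTE(review): the password is marshalled as a plain RPC string here;
  # whether dce_rpc_pipe_request applies RPC privacy (encryption) is not
  # visible in this file - confirm before passing real credentials.
  data = handle[0]                            + # Handle
         class_name (name:service_name)       + # Service Name
         raw_dword (d:0x00020000)             + # Ref ID
         class_name (name:display_name)       + # Display Name
         raw_dword (d:desired_access)         + # Desired Access
         raw_dword (d:service_type)           + # Service Type
         raw_dword (d:start_service)          + # StartService
         raw_dword (d:error_control)          + # ErrorControl
         class_name (name:path)               + # Path
         class_name (name:load_order_group)   + # LoadOrderGroup
         raw_dword (d:0)                      + # pointer to tagid
         raw_dword (d:0)                      + # array of string
         class_name (name:service_start_name) + # Service Start Name
         class_name (name:password)           + # Password (depends on Service Start Name)
         raw_dword (d:0)                      + # unknown
         raw_dword (d:0) ;                      # unknown

  data = dce_rpc_pipe_request (fid:handle[1], code:opnum, data:data);
  if (!data)
    return NULL;

  rep = dce_rpc_parse_response (fid:handle[1], data:data);
  # reply layout used below: dword at 0 (ignored), 20-byte handle at
  # 4..23, status dword last -> at least 28 bytes
  if (!rep || (strlen (rep) < 28))
    return NULL;

  resp = get_dword (blob:rep, pos:strlen(rep)-4);
  if (resp != STATUS_SUCCESS)
    return NULL;

  ret = NULL;
  ret[0] = substr (rep, 4, 23);  # 20-byte context handle
  ret[1] = handle[1];            # pipe fid, shared with the SCM handle
  ret[2] = 0;                    # closing this handle must not close the pipe

  return ret;
}


#---------------------------------------------------------#
# Function    : StartService                              #
# Description : Start a service                           #
# Arguments   : handle - service handle array (see        #
#               CreateService for the layout)             #
# Return      : 1 on success, NULL on failure             #
#---------------------------------------------------------#
function StartService (handle)
{
  local_var data, resp, rep, opnum;

  if (session_is_unicode() == 1)
    opnum = OPNUM_STARTSERVICEW;
  else
    opnum = OPNUM_STARTSERVICEA;

  data = handle[0]       + # handle
         raw_dword (d:0) + # NULL pointer
         raw_dword (d:0) ; # NULL pointer

  data = dce_rpc_pipe_request (fid:handle[1], code:opnum, data:data);
  if (!data)
    return NULL;

  rep = dce_rpc_parse_response (fid:handle[1], data:data);
  # the reply is the status dword alone
  if (!rep || (strlen (rep) != 4))
    return NULL;

  resp = get_dword (blob:rep, pos:0);
  if (resp != STATUS_SUCCESS)
    return NULL;

  return 1;
}


#---------------------------------------------------------#
# Function    : DeleteService                             #
# Description : Delete a service                          #
# Arguments   : handle - service handle array             #
# Return      : 1 on success, NULL on failure             #
#---------------------------------------------------------#
function DeleteService (handle)
{
  local_var data, resp, rep;

  data = handle[0] ; # Handle

  data = dce_rpc_pipe_request (fid:handle[1], code:OPNUM_DELETESERVICE, data:data);
  if (!data)
    return NULL;

  rep = dce_rpc_parse_response (fid:handle[1], data:data);
  if (!rep || (strlen (rep) < 4))
    return NULL;

  resp = get_dword (blob:rep, pos:0);
  if (resp != STATUS_SUCCESS)
    return NULL;

  # FIX: the original returned an unassigned local (NULL) here, so a
  # successful delete was indistinguishable from a failure.
  return 1;
}


#---------------------------------------------------------#
# Function    : CloseServiceHandle                        #
# Description : Close service handle                      #
# Arguments   : handle - SCM or service handle array;     #
#               the pipe (handle[1]) is closed too when   #
#               handle[2] == 1                            #
# Return      : 1 on success                              #
#---------------------------------------------------------#
function CloseServiceHandle (handle)
{
  local_var data, rep, code, ret;

  code = NULL;
  # FIX: ret was left unset when the pipe is not ours to close, so the
  # final "ret != 1" test failed even after a successful RPC close.
  ret = 1;

  data = dce_rpc_pipe_request (fid:handle[1], code:OPNUM_CLOSESERVICE, data:handle[0]);
  if (data)
  {
    rep = dce_rpc_parse_response (fid:handle[1], data:data);
    # reply: NULL handle (20 bytes, useless) + return code
    if (rep && (strlen (rep) == 24))
      code = get_dword (blob:rep, pos:20);
  }

  # only the owner of the pipe closes it
  if (handle[2] == 1)
    ret = smb_close (fid:handle[1]);

  if (isnull (code) || (code != STATUS_SUCCESS) || (ret != 1))
    return NULL;

  return 1;
}


#---------------------------------------------------------#
# Function    : QueryServiceStatus                        #
# Description : Query service status                      #
# Arguments   : handle - service handle array             #
# Return      : array of 7 dwords (type, current state,   #
#               controls accepted, exit code, service     #
#               specific exit code, check point, wait     #
#               hint) on success, NULL on failure         #
#---------------------------------------------------------#
function QueryServiceStatus (handle)
{
  local_var data, resp, rep, ret;

  data = handle[0] ; # Handle

  data = dce_rpc_pipe_request (fid:handle[1], code:OPNUM_QUERYSERVICE, data:data);
  if (!data)
    return NULL;

  rep = dce_rpc_parse_response (fid:handle[1], data:data);
  # FIX: 7 status dwords (28 bytes) plus the trailing status dword are
  # read below, so anything shorter than 32 bytes is truncated (the
  # original only required 10 bytes).
  if (!rep || (strlen (rep) < 32))
    return NULL;

  resp = get_dword (blob:rep, pos:strlen(rep)-4);
  if (resp != STATUS_SUCCESS)
    return NULL;

  ret = NULL;
  ret[0] = get_dword (blob:rep, pos:0);  # service type
  ret[1] = get_dword (blob:rep, pos:4);  # current state
  ret[2] = get_dword (blob:rep, pos:8);  # controls accepted
  ret[3] = get_dword (blob:rep, pos:12); # exit code
  ret[4] = get_dword (blob:rep, pos:16); # service specific exit code
  ret[5] = get_dword (blob:rep, pos:20); # check point
  ret[6] = get_dword (blob:rep, pos:24); # wait hint

  return ret;
}


#---------------------------------------------------------#
# Function    : GetServiceDisplayName                     #
# Description : Get Service Display Name                  #
# Arguments   : handle  - SCM handle array                #
#               service - service name to look up         #
# Return      : display name string on success, NULL on   #
#               failure                                   #
#---------------------------------------------------------#
function GetServiceDisplayName (handle, service)
{
  # FIX: opcode was not declared local and leaked into global scope
  local_var data, resp, rep, len, max_count, offset, actual_count, opcode;

  if (session_is_unicode ())
    opcode = OPNUM_SERVICEDISPLAYNAMEW;
  else
    opcode = OPNUM_SERVICEDISPLAYNAMEA;

  data = handle[0]                + # Handle
         class_name (name:service) +
         raw_dword (d:0xFFFF);       # buffer size hint for the name (presumably in characters - confirm)

  data = dce_rpc_pipe_request (fid:handle[1], code:opcode, data:data);
  if (!data)
    return NULL;

  rep = dce_rpc_parse_response (fid:handle[1], data:data);
  # FIX: three array-header dwords plus the trailing status dword are read,
  # so the minimum reply is 16 bytes (the original accepted 10).
  if (!rep || (strlen (rep) < 16))
    return NULL;

  resp = get_dword (blob:rep, pos:strlen(rep)-4);
  if (resp != STATUS_SUCCESS)
    return NULL;

  # name array header
  max_count    = get_dword (blob:rep, pos:0);
  offset       = get_dword (blob:rep, pos:4);
  actual_count = get_dword (blob:rep, pos:8);

  if (session_is_unicode ())
    len = actual_count * 2;
  else
    len = actual_count;

  # the string bytes must fit between the header and the status dword;
  # actual_count comes from the peer, so it is bounds-checked here
  if (strlen(rep) < 12 + len + 4)
    return NULL;

  return get_string2 (blob:rep, pos:12, len:len);
}


#---------------------------------------------------------#
# Function    : QueryServiceObjectSecurity                #
# Description : Query service security                    #
# Arguments   : handle  - service handle array            #
#               secinfo - security information level      #
#                         (DACL|SACL)                     #
# Return      : result of parse_security_descriptor on    #
#               success, NULL on failure                  #
#---------------------------------------------------------#
function QueryServiceObjectSecurity (handle, secinfo)
{
  local_var data, resp, rep, size, buffer_size;

  # first call with an empty buffer: the server is expected to answer
  # ERROR_INSUFFICIENT_BUFFER (0x7A) and report the size it needs
  data = handle[0]             + # Handle
         raw_dword (d:secinfo) + # level (DACL|SACL)
         raw_dword (d:0);        # buffer size

  data = dce_rpc_pipe_request (fid:handle[1], code:OPNUM_QUERYSERVICESECURITY, data:data);
  if (!data)
    return NULL;

  rep = dce_rpc_parse_response (fid:handle[1], data:data);
  if (!rep || (strlen (rep) < 12))
    return NULL;

  # buffer too small
  resp = get_dword (blob:rep, pos:strlen(rep)-4);
  if (resp != 0x7A)
    return NULL;

  buffer_size = get_dword (blob:rep, pos:4);

  # second call with the size the server asked for
  data = handle[0]                 + # Handle
         raw_dword (d:secinfo)     + # level (DACL|SACL)
         raw_dword (d:buffer_size);  # buffer size

  data = dce_rpc_pipe_request (fid:handle[1], code:OPNUM_QUERYSERVICESECURITY, data:data);
  if (!data)
    return NULL;

  rep = dce_rpc_parse_response (fid:handle[1], data:data);
  if (!rep || (strlen (rep) < 12))
    return NULL;

  resp = get_dword (blob:rep, pos:strlen(rep)-4);
  if (resp != STATUS_SUCCESS)
    return NULL;

  # size is peer-supplied; reject replies that cannot hold it
  size = get_dword (blob:rep, pos:0);
  if (strlen(rep) < (size+8))
    return NULL;

  # NOTE(review): everything between the leading size dword and the trailing
  # status dword is handed to the parser, so any bytes that follow the
  # descriptor itself are included too - confirm against the wire layout.
  return parse_security_descriptor (blob:substr(rep, 4, strlen(rep)-5));
}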