return result
-
def string_to_sid(string):
"""Convert a string SID to a Python dictionary SID. Throws a
ValueError if the SID string was badly formed."""
return sid
-
def call_fn(fn, pipe, args):
"""Wrap up a RPC call and throw an exception is an error was returned."""
result = fn(pipe, args);
- if result & 0xc0000000:
+
+ if result & 0xc0000000L:
raise dcerpc.NTSTATUS(result, dcerpc.nt_errstr(result));
return result;
-
-
+
class SamrHandle:
def __init__(self, pipe, handle):
r.data_in.sdbuf = sdbuf
call_fn(dcerpc.dcerpc_samr_SetSecurity, self.pipe, r)
-
class ConnectHandle(SamrHandle):
r = dcerpc.samr_EnumDomains()
r.data_in.connect_handle = self.handle
- r.data_in.resume_handle = 1
+ r.data_in.resume_handle = 0
r.data_in.buf_size = -1
domains = []
r = dcerpc.samr_LookupDomain()
r.data_in.connect_handle = self.handle
- r.data_in.domain = dcerpc.samr_String()
- r.data_in.domain.string = domain_name
+ r.data_in.domain_name = dcerpc.samr_String()
+ r.data_in.domain_name.string = domain_name
call_fn(dcerpc.dcerpc_samr_LookupDomain, self.pipe, r)
call_fn(dcerpc.dcerpc_samr_Shutdown, self.pipe, r)
+ def GetDomPwInfo(self, domain_name):
+
+ r = dcerpc.samr_GetDomPwInfo()
+ r.data_in.domain_name = dcerpc.samr_String()
+ r.data_in.domain_name.string = domain_name
+
+ call_fn(dcerpc.dcerpc_samr_GetDomPwInfo, self.pipe, r)
+
+ return r.data_out.info
+
+
+ def SetBootKeyInformation(self, unknown1, unknown2, unknown3):
+
+ r = dcerpc.samr_GetBootKeyInformation()
+ r.data_in.connect_handle = self.handle
+ r.data_in.unknown1 = unknown1
+ r.data_in.unknown2 = unknown2
+ r.data_in.unknown3 = unknown3
+
+ call_fn(dcerpc.dcerpc_samr_SetBootKeyInformation, self.pipe, r)
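Review bot: ConnectHandle.SetBootKeyInformation builds the wrong request object: L52 instantiates `dcerpc.samr_GetBootKeyInformation()` while L58 dispatches `dcerpc_samr_SetBootKeyInformation`, so the three `unknown` fields are written into a structure the Set call does not read; the first line should be `r = dcerpc.samr_SetBootKeyInformation()`. The DomainHandle copy at L241-246 has the same copy-paste origin and goes further: it takes no arguments, constructs and calls the Get variant, and discards the result, so `DomainHandle.SetBootKeyInformation()` is a read that silently sets nothing. Since the name suggests this call changes the key the server boots with, a wrapper that claims to set it but does not should be fixed before anything relies on it, and a docstring should state that the `unknown1..3` field names are unverified.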
class DomainHandle(SamrHandle):
return getattr(r.data_out.info, 'info%d' % level)
+ def SetDomainInfo(self, level, info):
+
+ r = dcerpc.samr_SetDomainInfo()
+ r.data_in.domain_handle = self.handle
+ r.data_in.level = level
+ r.data_in.info = dcerpc.samr_DomainInfo()
+ setattr(r.data_in.info, 'info%d' % level, info)
+
+ call_fn(dcerpc.dcerpc_samr_SetDomainInfo, self.pipe, r)
+
def EnumDomainGroups(self):
r = dcerpc.samr_EnumDomainGroups()
return (r.data_out.user_handle,
dcerpc.uint32_array_getitem(r.data_out.rid, 0))
-
+
+ def CreateUser2(self, account_name, acct_flags = 0x00000010,
+ access_mask = 0x02000000):
+
+ r = dcerpc.samr_CreateUser2()
+ r.data_in.domain_handle = self.handle
+ r.data_in.account_name = dcerpc.samr_String()
+ r.data_in.account_name.string = account_name
+ r.data_in.acct_flags = acct_flags
+ r.data_in.access_mask = access_mask
+
+ call_fn(dcerpc.dcerpc_samr_CreateUser2, self.pipe, r)
+
+ return (r.data_out.user_handle,
+ dcerpc.uint32_array_getitem(r.data_out.access_granted, 0),
+ dcerpc.uint32_array_getitem(r.data_out.rid, 0))
+
def OpenUser(self, rid, access_mask = 0x02000000):
r = dcerpc.samr_OpenUser()
call_fn(dcerpc.dcerpc_samr_OpenUser, self.pipe, r)
- return UserHandle(pipe, r.data_out.user_handle)
+ return UserHandle(self.pipe, r.data_out.user_handle)
def OpenGroup(self, rid, access_mask = 0x02000000):
call_fn(dcerpc.dcerpc_samr_OpenGroup, self.pipe, r)
- return GroupHandle(pipe, r.data_out.group_handle)
+ return GroupHandle(self.pipe, r.data_out.group_handle)
def OpenAlias(self, rid, access_mask = 0x02000000):
call_fn(dcerpc.dcerpc_samr_OpenAlias, self.pipe, r)
- return AliasHandle(pipe, r.data_out.group_handle)
+ return AliasHandle(self.pipe, r.data_out.alias_handle)
+
+ def CreateDomAlias(self, alias_name, access_mask = 0x02000000):
+
+ r = dcerpc.samr_CreateDomAlias()
+ r.data_in.domain_handle = self.handle
+ r.data_in.alias_name = dcerpc.samr_String()
+ r.data_in.alias_name.string = alias_name
+ r.data_in.access_mask = access_mask
+
+ call_fn(dcerpc.dcerpc_samr_CreateDomAlias, self.pipe, r)
+
+ return (AliasHandle(self.pipe, r.data_out.alias_handle),
+ r.data_out.rid)
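Review bot: CreateDomAlias returns `r.data_out.rid` as-is at L118, whereas CreateUser2 at L91 reads its `rid` out-parameter through `dcerpc.uint32_array_getitem(r.data_out.rid, 0)`; if the SWIG wrapping is the same for both calls, one of the two hands the caller a pointer wrapper instead of an int. Propose `dcerpc.uint32_array_getitem(r.data_out.rid, 0))` here to match CreateUser2, unless the binding for this call is known to differ.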
def RidToSid(self, rid):
r = dcerpc.samr_RidToSid()
r.data_in.domain_handle = self.handle
+ r.data_in.rid = rid
call_fn(dcerpc.dcerpc_samr_RidToSid, self.pipe, r)
return sid_to_string(r.data_out.sid)
+ def RemoveMemberFromForeignDomain(self, sid):
-class UserHandle(SamrHandle):
- pass
+ r = dcerpc.samr_RemoveMemberFromForeignDomain()
+ r.data_in.domain_handle = self.handle
+ r.data_in.sid = sid
+
+ call_fn(dcerpc.dcerpc_samr_RemoveMemberFromForeignDomain, self.pipe, r)
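Review bot: RemoveMemberFromForeignDomain assigns the caller's `sid` directly at L130, while the other SID-taking wrappers in this commit (AddAliasMember L382, GetAliasMembership L173) convert with `string_to_sid`; a caller passing the string form used elsewhere in the module will hand the marshaller a plain string. Either convert here, `r.data_in.sid = string_to_sid(sid)`, or add a docstring stating that this method alone expects an already-converted SID structure (the form `string_to_sid` returns). The `class UserHandle: pass` stub removed in this hunk reappears at L255, so that deletion is a move rather than a loss.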
+
+ def LookupNames(self, names):
+
+ r = dcerpc.samr_LookupNames()
+ r.data_in.domain_handle = self.handle
+ r.data_in.num_names = len(names)
+ r.data_in.names = dcerpc.new_samr_String_array(len(names))
+
+ for i in range(len(names)):
+ s = dcerpc.samr_String()
+ s.string = names[i]
+ dcerpc.samr_String_array_setitem(r.data_in.names, i, s)
+
+ call_fn(dcerpc.dcerpc_samr_LookupNames, self.pipe, r)
+
+ return ([dcerpc.uint32_array_getitem(r.data_out.rids.ids, i)
+ for i in range(r.data_out.rids.count)],
+ [dcerpc.uint32_array_getitem(r.data_out.types.ids, i)
+ for i in range(r.data_out.types.count)])
+
+ def CreateDomainGroup(self, domain_name, access_mask = 0x02000000):
+
+ r = dcerpc.samr_CreateDomainGroup()
+ r.data_in.domain_handle = self.handle
+ r.data_in.name = dcerpc.samr_String()
+ r.data_in.name.string = domain_name
+ r.data_in.access_mask = access_mask
+
+ call_fn(dcerpc.dcerpc_samr_CreateDomainGroup, self.pipe, r)
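Review bot: CreateDomainGroup drops the server's result: unlike CreateDomAlias (L117) and CreateUser2 (L89) it returns nothing after the call at L161, so the caller gets neither a handle to the group it just created nor a rid to look it up with. Propose `return (GroupHandle(self.pipe, r.data_out.group_handle), r.data_out.rid)`, assuming the out fields follow OpenGroup's `r.data_out.group_handle` naming at L101 — verify against the IDL. The parameter is also misnamed: `domain_name` is stored into `r.data_in.name` at L158 and is the group's name, so `group_name` would avoid confusion with the genuinely domain-named parameter of LookupDomain at L36 (safe if no caller passes it by keyword).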
+
+ def GetAliasMembership(self, sids):
+
+ r = dcerpc.samr_GetAliasMembership()
+ r.data_in.domain_handle = self.handle
+ r.data_in.sids = dcerpc.lsa_SidArray()
+ r.data_in.sids.num_sids = len(sids)
+ r.data_in.sids.sids = dcerpc.new_lsa_SidPtr_array(len(sids))
+
+ for i in range(len(sids)):
+ s = dcerpc.lsa_SidPtr()
+ s.sid = string_to_sid(sids[i])
+ dcerpc.lsa_SidPtr_array_setitem(r.data_in.sids.sids, i, s)
+
+ call_fn(dcerpc.dcerpc_samr_GetAliasMembership, self.pipe, r)
+
+ return [r.ids[x] for x in range(r.count)]
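Review bot: GetAliasMembership reads `r.ids` and `r.count` from the request object at L178, but every other wrapper in this file takes results from `r.data_out` (for example L148-151), so this line most likely raises AttributeError on the request wrapper. If the out-parameter is a samr_Ids like the `rids` LookupNames reads, the return should be `return [dcerpc.uint32_array_getitem(r.data_out.rids.ids, x) for x in range(r.data_out.rids.count)]`; confirm the field name against the IDL. The SID-array construction at L167-174 is repeated verbatim in AddMultipleMembersToAlias at L390-397 and could share a private helper that builds the `lsa_SidArray` from a list of SID strings.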
+
+ def QueryDisplayInfo(self, level):
+
+ # TODO: Handle more data returns
+
+ r = dcerpc.samr_QueryDisplayInfo()
+ r.data_in.domain_handle = self.handle
+ r.data_in.level = level
+ r.data_in.start_idx = 0
+ r.data_in.max_entries = 1000
+ r.data_in.buf_size = -1
+
+ call_fn(dcerpc.dcerpc_samr_QueryDisplayInfo, self.pipe, r)
+
+ # TODO: Return a mapping of the various samr_DispInfo
+ # structures here.
+
+ return getattr(r.data_out.info, 'info%d' % level)
+ def QueryDisplayInfo2(self, level):
+
+ # TODO: Handle more data returns
+
+ r = dcerpc.samr_QueryDisplayInfo2()
+ r.data_in.domain_handle = self.handle
+ r.data_in.level = level
+ r.data_in.start_idx = 0
+ r.data_in.max_entries = 1000
+ r.data_in.buf_size = -1
+
+ call_fn(dcerpc.dcerpc_samr_QueryDisplayInfo2, self.pipe, r)
+
+ # TODO: Return a mapping of the various samr_DispInfo
+ # structures here.
+
+ return getattr(r.data_out.info, 'info%d' % level)
+
+ def QueryDisplayInfo3(self, level):
+
+ # TODO: Handle more data returns
+
+ r = dcerpc.samr_QueryDisplayInfo3()
+ r.data_in.domain_handle = self.handle
+ r.data_in.level = level
+ r.data_in.start_idx = 0
+ r.data_in.max_entries = 1000
+ r.data_in.buf_size = -1
+
+ call_fn(dcerpc.dcerpc_samr_QueryDisplayInfo3, self.pipe, r)
+
+ # TODO: Return a mapping of the various samr_DispInfo
+ # structures here.
+ return getattr(r.data_out.info, 'info%d' % level)
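Review bot: QueryDisplayInfo, QueryDisplayInfo2 and QueryDisplayInfo3 (L180-230) are three copies of one body differing only in the request class and function; a private helper taking those two plus `level` would make each public method a one-liner and keep the TODOs in one place. More importantly, `max_entries = 1000` at L188, L205 and L223 caps the result while nothing inspects the returned count or status: a STATUS_MORE_ENTRIES return (0x00000105, the status used to signal remaining entries) passes the severity mask in call_fn at L13, so a domain with more than 1000 entries yields a silently truncated listing that is indistinguishable from a complete one. Until paging is implemented, each method's docstring should say so, e.g. `"""Return the level-N display info for at most the first 1000 entries; paging is not implemented."""`.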
+
+ def GetBootKeyInformation(self):
+
+ r = dcerpc.samr_GetBootKeyInformation()
+ r.data_in.domain_handle = self.handle
+
+ call_fn(dcerpc.dcerpc_samr_GetBootKeyInformation, self.pipe, r)
+
+ return r.data_out.unknown
+
+ def SetBootKeyInformation(self):
+
+ r = dcerpc.samr_GetBootKeyInformation()
+ r.data_in.domain_handle = self.handle
+
+ call_fn(dcerpc.dcerpc_samr_GetBootKeyInformation, self.pipe, r)
+
+ def TestPrivateFunctionsDomain(self):
+
+ r = dcerpc.samr_TestPrivateFunctionsDomain()
+ r.data_in.domain_handle = self.handle
+
+ call_fn(dcerpc.dcerpc_samr_TestPrivateFunctionsDomain, self.pipe, r)
+
+class UserHandle(SamrHandle):
+
+ def DeleteUser(self):
+
+ r = dcerpc.samr_DeleteUser()
+ r.data_in.user_handle = self.handle
+
+ call_fn(dcerpc.dcerpc_samr_DeleteUser, self.pipe, r)
+
+ self.handle = None
+
+ def GetUserPwInfo(self):
+
+ r = dcerpc.samr_GetUserPwInfo()
+ r.data_in.user_handle = self.handle
+
+ call_fn(dcerpc.dcerpc_samr_GetUserPwInfo, self.pipe, r)
+
+ return r.data_out.info
+
+ def QueryUserInfo(self, level):
+
+ r = dcerpc.samr_QueryUserInfo()
+ r.data_in.user_handle = self.handle
+ r.data_in.level = level
+
+ call_fn(dcerpc.dcerpc_samr_QueryUserInfo, self.pipe, r)
+
+ return r.data_out.info
+
+ def QueryUserInfo2(self, level):
+
+ r = dcerpc.samr_QueryUserInfo2()
+ r.data_in.user_handle = self.handle
+ r.data_in.level = level
+
+ call_fn(dcerpc.dcerpc_samr_QueryUserInfo2, self.pipe, r)
+
+ return r.data_out.info
+
+ def GetGroupsForUser(self):
+
+ r = dcerpc.samr_GetGroupsForUser()
+ r.data_in.user_handle = self.handle
+
+ call_fn(dcerpc.dcerpc_samr_GetGroupsForUser, self.pipe, r)
+
+ rid_types = [dcerpc.samr_RidType_array_getitem(r.data_out.rids.rid, x)
+ for x in range(r.data_out.rids.count)]
+
+ return [(x.rid, x.type) for x in rid_types]
+
+ def TestPrivateFunctionsUser(self):
+
+ r = dcerpc.samr_TestPrivateFunctionsUser()
+ r.data_in.user_handle = self.handle
+
+ call_fn(dcerpc.dcerpc_samr_TestPrivateFunctionsUser, self.pipe, r)
+
class GroupHandle(SamrHandle):
- pass
-
-class AliasHandle(SamrHandle):
- pass
+ def QueryGroupInfo(self, level):
+
+ r = dcerpc.samr_QueryGroupInfo()
+ r.data_in.group_handle = self.handle
+ r.data_in.level = level
+
+ call_fn(dcerpc.dcerpc_samr_QueryGroupInfo, self.pipe, r)
+
+ return r.data_out.info
+
+ def SetGroupInfo(self, level, info):
+
+ r = dcerpc.samr_SetGroupInfo()
+ r.data_in.group_handle = self.handle
+ r.data_in.level = level
+ r.data_in.info = info
+
+ call_fn(dcerpc.dcerpc_samr_SetGroupInfo, self.pipe, r)
+
+ def QueryGroupMember(self):
+
+ r = dcerpc.samr_QueryGroupMember()
+ r.data_in.group_handle = self.handle
+
+ call_fn(dcerpc.dcerpc_samr_QueryGroupMember, self.pipe, r)
+
+ return [(dcerpc.uint32_array_getitem(r.data_out.rids.rids, x),
+ dcerpc.uint32_array_getitem(r.data_out.rids.unknown, x))
+ for x in range(r.data_out.rids.count)]
+class AliasHandle(SamrHandle):
+
+ def DeleteDomAlias(self):
+
+ r = dcerpc.samr_DeleteDomAlias()
+ r.data_in.alias_handle = self.handle
+
+ call_fn(dcerpc.dcerpc_samr_DeleteDomAlias, self.pipe, r)
+
+ self.handle = None
+
+ def QueryAliasInfo(self, level = 1):
+
+ r = dcerpc.samr_QueryAliasInfo()
+ r.data_in.alias_handle = self.handle
+ r.data_in.level = level
+
+ call_fn(dcerpc.dcerpc_samr_QueryAliasInfo, self.pipe, r)
+
+ return r.data_out.info
+
+ def SetAliasInfo(self, level, info):
+
+ r = dcerpc.samr_SetAliasInfo()
+ r.data_in.alias_handle = self.handle
+ r.data_in.level = level
+ r.data_in.info = info
+
+ call_fn(dcerpc.dcerpc_samr_SetAliasInfo, self.pipe, r)
+
+ def AddAliasMember(self, sid):
+
+ r = dcerpc.samr_AddAliasMember()
+ r.data_in.alias_handle = self.handle
+ r.data_in.sid = string_to_sid(sid)
+
+ call_fn(dcerpc.dcerpc_samr_AddAliasMember, self.pipe, r)
+
+ def AddMultipleMembersToAlias(self, sids):
+
+ r = dcerpc.samr_AddMultipleMembersToAlias()
+ r.data_in.alias_handle = self.handle
+ r.data_in.sids = dcerpc.lsa_SidArray()
+ r.data_in.sids.num_sids = len(sids)
+ r.data_in.sids.sids = dcerpc.new_lsa_SidPtr_array(len(sids))
+
+ for i in range(len(sids)):
+ s = dcerpc.lsa_SidPtr()
+ s.sid = string_to_sid(sids[i])
+ dcerpc.lsa_SidPtr_array_setitem(r.data_in.sids.sids, i, s)
+
+ call_fn(dcerpc.dcerpc_samr_AddMultipleMembersToAlias, self.pipe, r)
+
+ def GetMembersInAlias(self):
+
+ r = dcerpc.samr_GetMembersInAlias()
+ r.data_in.alias_handle = self.handle
+
+ call_fn(dcerpc.dcerpc_samr_GetMembersInAlias, self.pipe, r)
+
+ return [
+ sid_to_string(
+ dcerpc.lsa_SidPtr_array_getitem(r.data_out.sids.sids, x).sid)
+ for x in range(r.data_out.sids.num_sids)]
def Connect(pipe, access_mask = 0x02000000):
return ConnectHandle(pipe, r.data_out.connect_handle)
+
def Connect4(pipe, system_name = '', access_mask = 0x02000000):
r = dcerpc.samr_Connect4()
return ConnectHandle(pipe, r.data_out.connect_handle)
-
-# CreateDomainGroup
-# CreateDomAlias
-# GetAliasMembership
-# LookupNames
-# QueryGroupInfo
-# SetGroupInfo
# AddGroupMember
# DeleteDomainGroup
# DeleteGroupMember
-# QueryGroupMember
# SetMemberAttributesofGroup
-# QueryAliasInfo
-# SetAliasInfo
-# DeleteDomAlias
# AddAliasMember
# DeleteAliasMember
# GetMembersinAlias
-# DeleteUser
-# QueryUserInfo
# SetUserInfo
# ChangePasswordUser
-# GetGroupsForUser
-# QueryDisplayInfo
# GetDisplayEnumerationIndex
-# TestPrivateFunctionsDomain
-# TestPrivateFunctionsUser
-# GetUserPwInfo
# RemoveMemberFromForeignDomain
-# QueryDomainInfo2
-# QueryUserInfo2
-# QueryDisplayInfo2
# GetDisplayEnumerationIndex2
-# CreateUser2
-# QueryDisplayInfo3
-# AddMultipleMembersToAlias
# RemoveMultipleMembersFromAlias
# OemChangePasswordUser2
# ChangePasswordUser2
-# GetDomPwInfo
# SetUserInfo2
-# SetBootKeyInformation
-# GetBootKeyInformation
# ChangePasswordUser3
# SetDsrmPassword
# ValidatePassword
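Review bot: The trailing list of unwrapped calls is now inconsistent with the code: `# AddAliasMember` (L433), `# GetMembersinAlias` (L435) and `# RemoveMemberFromForeignDomain` (L446) are still listed although this commit implements all three (L378, L401, L125), while entries for the other newly wrapped calls were removed. Dropping those three lines keeps the list usable as a TODO; a heading such as `# Calls not yet wrapped:` above it would also tell a reader what the list means.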