// Compile BOF: gcc service_lookup.c -c -o service_lookup.x64.o -DCOMPILE_BOF
// Compile EXE: gcc service_lookup.c -o service_lookup.exe
#include <windows.h>
#include <stdio.h>
#ifdef COMPILE_BOF
#warning "Compiling the BOF version of the code"
#include "beacon.h"
#define printf(format, args...) { BeaconPrintf(CALLBACK_OUTPUT, format, ## args); }
DECLSPEC_IMPORT FARPROC WINAPI kernel32$GetProcAddress(HANDLE, CHAR*);
DECLSPEC_IMPORT HANDLE WINAPI kernel32$LoadLibraryA(CHAR*);
// BOF build only: resolve lib!func at runtime through LoadLibraryA/GetProcAddress
// and echo the resolved address to the beacon console.
// Returns whatever GetProcAddress returns (NULL on failure); the IMPORT_RESOLVE
// callers below assign the result directly and never check it.
// NOTE(review): the LoadLibraryA result is passed to GetProcAddress without a
// NULL check, so a missing module presumably just yields a NULL FARPROC - confirm
// that a later call through such a pointer is acceptable for this code path.
FARPROC Resolver(CHAR *lib, CHAR *func) {
FARPROC ptr = kernel32$GetProcAddress(kernel32$LoadLibraryA(lib), func);
// printf is the BeaconPrintf macro here, so this goes to the operator console.
printf("%s!%s at 0x%p\n", lib, func, ptr);
return ptr;
}
#define IMPORT_RESOLVE FARPROC snprintf = Resolver("msvcrt", "_snprintf"); \
FARPROC strcmp = Resolver("msvcrt", "strcmp"); \
FARPROC LogonUserA = Resolver("advapi32", "LogonUserA"); \
FARPROC GetLastError = Resolver("kernel32", "GetLastError"); \
FARPROC ImpersonateLoggedOnUser = Resolver("advapi32", "ImpersonateLoggedOnUser"); \
FARPROC LookupAccountNameA = Resolver("advapi32", "LookupAccountNameA"); \
FARPROC CloseHandle = Resolver("kernel32", "CloseHandle"); \
#else
#warning "Compiling the EXE version of the code"
#define IMPORT_RESOLVE ""
#endif
// this is designed to "bypass" the gcc main being renamed to __main
// Shared entry point for the EXE and BOF builds.
// argv[1]: host name, or "." for the local machine (mapped to NULL below)
// argv[2]: service short name; looked up as the account "Nt Service\<name>"
// argv[3..5]: optional domain / username / password, used only when argc == 6
// Always returns 0; success or failure is reported solely via printf output.
int real_main(int argc, char **argv) {
// BOF build: expands to FARPROC locals (snprintf, strcmp, LogonUserA, ...)
// resolved at runtime by Resolver(), so the calls below go through untyped
// function pointers and get no compile-time argument checking.
// EXE build: expands to an empty string literal, i.e. a no-op statement.
IMPORT_RESOLVE;
if(argc < 3) {
printf("Usage: %s host(. for local) servicename domain(optional) username(optional) password(optional)\n", argv[0]);
return 0;
}
BOOL bResult = FALSE;
CHAR *hostname = argv[1];
CHAR *userService = argv[2];
CHAR serviceName[256];
// NOTE(review): the size argument is 255, one short of the buffer, and
// serviceName[255] is never written. In the BOF build this resolves to msvcrt
// _snprintf, which presumably does not NUL-terminate on truncation, so a very
// long argv[2] could leave serviceName unterminated - confirm before relying on it.
snprintf(serviceName, 255, "Nt Service\\%s", argv[2]);
BYTE sid[SECURITY_MAX_SID_SIZE];
DWORD dwSid = sizeof(sid);
CHAR domainName[256];
DWORD dwDomainName = sizeof(domainName);
SID_NAME_USE snu;
// "." selects the local machine: LookupAccountNameA takes NULL as lpSystemName.
if(strcmp(hostname, ".") == 0) {
hostname = NULL;
}
// Optional alternate credentials. LOGON32_LOGON_NEW_CREDENTIALS keeps the local
// identity and applies the supplied credentials to outbound network access only,
// so they matter for the remote-host lookup below, not the local one.
if(argc == 6) {
CHAR* domain = argv[3];
CHAR* username = argv[4];
CHAR* password = argv[5];
HANDLE hToken = NULL;
printf("Username was provided attempting to call LogonUserA.\n");
bResult = LogonUserA(username, domain, password, LOGON32_LOGON_NEW_CREDENTIALS, LOGON32_PROVIDER_DEFAULT, &hToken);
if(!bResult) {
printf("LogonUserA failed %ld\n", GetLastError());
return 0;
}
// Redundant: bResult is overwritten on the next line.
bResult = FALSE;
bResult = ImpersonateLoggedOnUser(hToken);
if(!bResult) {
printf("ImpersonateLoggedOnUser failed %ld\n", GetLastError());
return 0;
}
// The logon handle is released once the thread is impersonating; the thread's
// impersonation token is separate from this handle, so closing it does not revert.
CloseHandle(hToken);
}
// NOTE(review): no RevertToSelf() appears anywhere in this file, so when the
// credential path was taken the calling thread remains impersonated after this
// function returns - confirm that is intended for both the EXE and BOF builds.
// Only the success case is reported: a failed lookup (name not mapped, access
// denied, host unreachable, ...) prints nothing and GetLastError() is not consulted.
// The SID, domain and SID_NAME_USE returned by the lookup are not used further.
if(LookupAccountNameA(hostname, serviceName, sid, &dwSid, domainName, &dwDomainName, &snu)) {
if(hostname == NULL) {
printf("%s was found on the local system.\n", userService);
} else {
printf("%s was found on the remote host (%s).\n", userService, hostname);
}
}
return 0;
}
#ifdef COMPILE_BOF
// BOF entry point (COMPILE_BOF build): unpacks five packed string arguments
// (host, service, domain, username, password) from the beacon argument buffer
// and forwards them to real_main with argc = 3 or 6. Always returns 0.
int go(char* args, int length) {
datap p;
BeaconDataParse(&p, args, length);
CHAR *argv[6];
// argv[0] stays NULL; real_main only reads it for the usage message when
// argc < 3, and this function always passes 3 or 6.
argv[0] = NULL;
DWORD i = 1;
// "for(i; ...)" leaves the init clause as a no-op expression; i is already 1.
// The extracted length is not requested (NULL), so each argv[i] is used as a
// NUL-terminated string as returned by BeaconDataExtract.
for(i; i < 6; i++) {
argv[i] = BeaconDataExtract(&p, NULL);
}
printf("Running against %s searching for %s\n", argv[1], argv[2]);
// An empty domain selects the no-credentials path and argv[4..5] are ignored;
// a non-empty domain takes the credential path even if username/password are empty.
// NOTE(review): the IMPORT_RESOLVE locals (including strcmp) are scoped to
// real_main, so this strcmp is not resolved through Resolver(); presumably the
// compiler folds strcmp(x, "") inline - confirm the object has no unresolved
// strcmp symbol.
if(strcmp(argv[3], "") == 0) {
real_main(3, argv);
} else {
real_main(6, argv);
}
return 0;
}
#else
// EXE build entry point: delegates to real_main. Its return value is discarded
// and the process always exits 0, so callers cannot distinguish outcomes by exit code.
int main(int argc, char **argv) {
real_main(argc, argv);
return 0;
}
#endif