Remote Execution using Win32 APIs


the_ENIGMA
April 27th, 2003, 11:16 PM
hi folks,

What I am trying to achieve is executing some binary
code on a remote NT/2k machine whose valid
Admin/Passwd are with me.
What I do is

- WNetAddConnection2 to authenticate myself on remote machine
- Open the Service Control Manager : OpenSCManager
- Create a service & make it point to a
binary shared from my current machine
- Start, Stop & Delete that service.

This makes my service executable run on remote machine.
But since a service executable cannot do all the fancy Win32
stuff, it can't do all what I want.

Is this the smartest way to execute some binary on a remote
machine whose valid Admin/Passwd are with me ??? I mean, doing it this way takes me two binaries.
(psshutdown.exe from sysinternals.com does this stuff with only a single binary.. don't know how..)

Any one done this by some other means ?

~Thanx

mahanare
April 28th, 2003, 10:47 AM
Ummm.... I don't know much abt the programming part of it.
But your idea is very good. I appreciate u for bringing this idea to codeguru forums.
I Hope some Guru will tell you whether your approach is good or not.

For me it appears right only.
Regarding doing fancy stuff (Do you mean Interface or interacting with user) if the service is interactive then i think you can do what ever you want, I feel.
Hope you know this.
Is it possible for you to add a .zip of the minimal program or why don't u write an article and send to codeguru so that it will be useful to other gurus.

cheers
mahanare

the_ENIGMA
April 28th, 2003, 11:39 PM
hi,

sure... i shall post the code right away..

yeah a SERVICE_INTERACTIVE_PROCESS service
would allow me limited interaction with the current desktop...

this way of doing the task works quite fine...
but i want to know if there is some more elegant way of doing this...
basically going by the "service" way requires me to have the credentials of some account which has the "logon as service" right.. if not, u need to open the policy manager and enable the login with that right...
doing all this would leave lots of traces on a system whose network administrator has done his homework well... :)

i guess there might be someone who has done all this breaking & cracking...

Mick
April 29th, 2003, 12:03 AM
Well you had two questions...

1. Is that the best way to do it...sure why not...but you see you only ever need to install your executable once, per machine, before even doing that you should open the SC on the remote and see if your service is already installed, if so then start the service passing your args for your exe.

2. ahh PSShutdown, notice that they install a service (PsShutDownSvc) so they follow how they do it, well I've never looked in great detail, but I presume they have the psssdnsvc.exe packed into the PE image and write the file out to the remote systemroot\system32 on the first call. ...then open the SC and start their service passing args...in future calls...just a guess.


BTW: what is your purpose for doing this?
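From the defender's side, the procedure in the opening post (a service created over the SCM whose ImagePath points at a binary shared from the caller's machine) and Mick's observation about PsShutdown dropping its own service binary into system32 both leave the same footprint on the target: a new service installation, which Windows records in the System log as event 7045 ("A service was installed in the system"). The script below is an added example, not code from this thread or from the posters; it scans a constructed key=value export of such events (the field names and the baseline of known service binaries are assumptions, not a real Event Viewer format) and flags installs whose binary sits on a UNC share or is a freshly dropped file under system32.

```python
"""Flag service-install events that match the remote-service execution pattern
discussed in the thread: a new service whose binary lives on a network share, or a
newly dropped binary under system32. Added example; not code from the thread."""
import re
from dataclasses import dataclass

# Constructed sample records in a simplified key=value form (not real Event Viewer
# output). event=7045 stands for the System-log "A service was installed" event;
# the host, service and share names are made up for this example.
SAMPLE_LOG = r"""
ts=2003-04-29T02:10:11 event=7045 host=TARGET2K service=EnigmaSvc image=\\ENIGMABOX\share\tryS.exe account=LocalSystem
ts=2003-04-29T02:10:40 event=7045 host=TARGET2K service=PsShutDownSvc image=C:\WINNT\system32\psssdnsvc.exe account=LocalSystem
ts=2003-04-29T03:00:05 event=7045 host=TARGET2K service=Spooler image=C:\WINNT\system32\spoolsv.exe account=LocalSystem
ts=2003-04-29T03:05:00 event=7036 host=TARGET2K service=Spooler state=running
"""

# Constructed baseline of service binaries expected under system32 on this host.
# A real deployment would build this from a golden image or an inventory.
KNOWN_SERVICE_BINARIES = {"spoolsv.exe", "services.exe", "lsass.exe", "svchost.exe"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


@dataclass
class Finding:
    ts: str
    host: str
    service: str
    image: str
    reason: str


def parse_record(line):
    """Turn one key=value line into a dict; quoted values have their quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def is_unc_path(path):
    """True for \\server\share\... style paths, i.e. a binary served from another machine."""
    return path.startswith("\\\\")


def in_system32(path):
    return "\\system32\\" in path.lower()


def check_service_install(rec):
    """Return a Finding for a 7045 record that looks like remote service execution, else None."""
    if rec.get("event") != "7045":
        return None
    image = rec.get("image", "")
    binary = image.rsplit("\\", 1)[-1].lower()
    if is_unc_path(image):
        reason = "service binary on a network share"
    elif in_system32(image) and binary not in KNOWN_SERVICE_BINARIES:
        reason = "new service binary dropped under system32"
    else:
        return None
    return Finding(rec["ts"], rec["host"], rec["service"], image, reason)


def scan(log_text):
    """Run every record through the check and collect the findings in log order."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        finding = check_service_install(parse_record(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f.ts} {f.host} {f.service}: {f.reason} ({f.image})")
```

Both constructed installs are reported, while the baseline Spooler install and the unrelated 7036 state-change record are ignored. Because the thread's approach deletes the service again before leaving, the install event is often the only durable trace, so the detection keys on the install rather than on the service still being present.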

the_ENIGMA
April 29th, 2003, 02:12 AM
hi mahanare,

here is the code

the account you are using, should have
SeServiceLogonRight on the target machine.

if you don't have so, you can have this
right given to some account
using LSA routines (LsaOpenPolicy & Co.)

SVice.cpp - does the service creation and deletion on remote machine stuff
tryS.cpp - the actual service that would be executed on the remote machine

happy cracking...

muthuis
April 29th, 2003, 02:25 AM
Hi Enigma,
Yup! I was also adopting the same way as you are doing right now. But now I am doing it using Active directory using the classes provided by .Net.

Well, about doing the fancy job of shutting down a machine, there is a win32 API for this purpose. I am not able to recollect what it is. I'll post it once I get it.

the_ENIGMA
April 29th, 2003, 02:26 AM
hi mick,

leaving my executable and service entries
on the target machine is not the best of an idea... :)
thatz why i go for the entire cycle every time...

i am trying to know if there exists a "non-service"
way to do all this stuff.

Yeah... this could be a possibility with
PSShutdown.. it could have a separate EXE
dump packed in "psshutdown.exe"...

well.. my purpose ain't that "notorious"
as it sounds... just some R&D in this direction.. :)

the_ENIGMA
April 29th, 2003, 02:31 AM
"fancy" ain't only the shutdown thing...

does the createprocess succeed.. ??
it doesn't with me..
doesn't give any error but still no process
created...

shutdown works fine...
the routine is ExitWindowsEx...
but u will have to adjust token on your process
to give it the power to shutdown...

Mick
April 29th, 2003, 03:46 AM
Originally posted by the_ENIGMA
"fancy" ain't only the shutdown thing...

does the createprocess succeed.. ??
it doesn't with me..
doesn't give any error but still no process
created...

shutdown works fine...
the routine is ExitWindowsEx...
but u will have to adjust token on your process
to give it the power to shutdown...

1. You shouldn't have any problem calling CreateProcess()
2. Are you calling GetLastError() after the call?
3. You probably need to set SERVICE_INTERACTIVE_PROCESS to interact with the desktop, what is the process doing?

mahanare
April 29th, 2003, 03:51 AM
Originally posted by the_ENIGMA
hi mahanare,

here is the code

the account you are using, should have
SeServiceLogonRight on the target machine.

if you don't have so, you can have this
right given to some account
using LSA routines (LsaOpenPolicy & Co.)

SVice.cpp - does the service creation and deletion on remote machine stuff
tryS.cpp - the actual service that would be executed on the remote machine

happy cracking...

Hi ENIGMA
Thank you for posting the code

cheers
mahanare

the_ENIGMA
April 29th, 2003, 07:35 AM
hi mick,

yup..
getlasterror call after the createprocess doesn't
report any error code.. still createprocess API call
goes flat.. no outcome...

possible that i might be going wrong some where..

Mick
April 29th, 2003, 07:57 AM
I took a look at your .zip...just glancing over it
You need to set:

SERVICE_WIN32_OWN_PROCESS | SERVICE_INTERACTIVE_PROCESS

for the dwServiceType 5, param.

Second after you create the service, call StartService with the service handle returned.

Add code to check if the service already exists, as then you'll need a call to OpenService, then StartService...

the_ENIGMA
April 29th, 2003, 08:18 AM
i am indeed using SERVICE_INTERACTIVE_PROCESS
as 5 param...

i had sent the code while i was doing some R&D...
that's why it is commented...

i don't need to check if the service exists or not
because i will always delete it before i leave....

Mick
April 29th, 2003, 08:47 AM
Originally posted by the_ENIGMA
i had sent the code while i was doing some R&D...
that's why it is commented...


Yea..I could see that :) :) :)


i don't need to check if the service exists or not
because i will always delete it before i leave....

Don't know what to tell you, I took your code, modified it somewhat, but nothing that I think would prevent you from starting your service/createprocess, other than 'you're not starting your service' :) nor OR'ing the INTERACTIVE...but you said it was in flux...could be a domain or local policy setting.

But.... it works fine for me.

Though I would expect GetLastError() to return an error, shrug, look at the taskmanager or use tlist and see if notepad is running but can't get window'd for some reason (like not interactive ;) )

the_ENIGMA
April 29th, 2003, 08:55 AM
yeah... createprocess should work fine... but still
some freaky things on the target 2k machine,
are preventing a service to create a child process...

:) i'll get into it by morning... or send you the target machine :)