mirror of
https://github.com/samba-team/samba.git
synced 2025-01-19 10:03:58 +03:00
166 lines
3.7 KiB
Python
Executable File
166 lines
3.7 KiB
Python
Executable File
#!/usr/bin/python
|
|
|
|
import sys, dcerpc
|
|
|
|
def test_OpenHKLM(pipe):
|
|
|
|
r = {}
|
|
r['unknown'] = {}
|
|
r['unknown']['unknown0'] = 0x9038
|
|
r['unknown']['unknown1'] = 0x0000
|
|
r['access_required'] = 0x02000000
|
|
|
|
result = dcerpc.winreg_OpenHKLM(pipe, r)
|
|
|
|
return result['handle']
|
|
|
|
def test_QueryInfoKey(pipe, handle):
|
|
|
|
r = {}
|
|
r['handle'] = handle
|
|
r['class'] = {}
|
|
r['class']['name'] = None
|
|
|
|
return dcerpc.winreg_QueryInfoKey(pipe, r)
|
|
|
|
def test_CloseKey(pipe, handle):
|
|
|
|
r = {}
|
|
r['handle'] = handle
|
|
|
|
dcerpc.winreg_CloseKey(pipe, r)
|
|
|
|
def test_FlushKey(pipe, handle):
|
|
|
|
r = {}
|
|
r['handle'] = handle
|
|
|
|
dcerpc.winreg_FlushKey(pipe, r)
|
|
|
|
def test_GetVersion(pipe, handle):
|
|
|
|
r = {}
|
|
r['handle'] = handle
|
|
|
|
dcerpc.winreg_GetVersion(pipe, r)
|
|
|
|
def test_GetKeySecurity(pipe, handle):
|
|
|
|
r = {}
|
|
r['handle'] = handle
|
|
r['unknown'] = 4
|
|
r['size'] = None
|
|
r['data'] = {}
|
|
r['data']['max_len'] = 0
|
|
r['data']['data'] = ''
|
|
|
|
result = dcerpc.winreg_GetKeySecurity(pipe, r)
|
|
|
|
print result
|
|
|
|
if result['result'] == dcerpc.WERR_INSUFFICIENT_BUFFER:
|
|
r['size'] = {}
|
|
r['size']['max_len'] = result['data']['max_len']
|
|
r['size']['offset'] = 0
|
|
r['size']['len'] = result['data']['max_len']
|
|
|
|
result = dcerpc.winreg_GetKeySecurity(pipe, r)
|
|
|
|
print result
|
|
|
|
sys.exit(1)
|
|
|
|
def test_Key(pipe, handle, name, depth = 0):
|
|
|
|
# Don't descend too far. Registries can be very deep.
|
|
|
|
if depth > 2:
|
|
return
|
|
|
|
try:
|
|
keyinfo = test_QueryInfoKey(pipe, handle)
|
|
except dcerpc.WERROR, arg:
|
|
if arg[0] == dcerpc.WERR_ACCESS_DENIED:
|
|
return
|
|
|
|
test_GetVersion(pipe, handle)
|
|
|
|
test_FlushKey(pipe, handle)
|
|
|
|
test_GetKeySecurity(pipe, handle)
|
|
|
|
# Enumerate values in this key
|
|
|
|
r = {}
|
|
r['handle'] = handle
|
|
r['name_in'] = {}
|
|
r['name_in']['len'] = 0
|
|
r['name_in']['max_len'] = (keyinfo['max_valnamelen'] + 1) * 2
|
|
r['name_in']['buffer'] = {}
|
|
r['name_in']['buffer']['max_len'] = keyinfo['max_valnamelen'] + 1
|
|
r['name_in']['buffer']['offset'] = 0
|
|
r['name_in']['buffer']['len'] = 0
|
|
r['type'] = 0
|
|
r['value_in'] = {}
|
|
r['value_in']['max_len'] = keyinfo['max_valbufsize']
|
|
r['value_in']['offset'] = 0
|
|
r['value_in']['len'] = 0
|
|
r['value_len1'] = keyinfo['max_valbufsize']
|
|
r['value_len2'] = 0
|
|
|
|
for i in range(0, keyinfo['num_values']):
|
|
|
|
r['enum_index'] = i
|
|
|
|
dcerpc.winreg_EnumValue(pipe, r)
|
|
|
|
# Recursively test subkeys of this key
|
|
|
|
r = {}
|
|
r['handle'] = handle
|
|
r['key_name_len'] = 0
|
|
r['unknown'] = 0x0414
|
|
r['in_name'] = {}
|
|
r['in_name']['unknown'] = 0x20a
|
|
r['in_name']['key_name'] = {}
|
|
r['in_name']['key_name']['name'] = None
|
|
r['class'] = {}
|
|
r['class']['name'] = None
|
|
r['last_changed_time'] = {}
|
|
r['last_changed_time']['low'] = 0
|
|
r['last_changed_time']['high'] = 0
|
|
|
|
for i in range(0, keyinfo['num_subkeys']):
|
|
|
|
r['enum_index'] = i
|
|
|
|
subkey = dcerpc.winreg_EnumKey(pipe, r)
|
|
|
|
s = {}
|
|
s['handle'] = handle
|
|
s['keyname'] = {}
|
|
s['keyname']['name'] = subkey['out_name']['name']
|
|
s['unknown'] = 0
|
|
s['access_mask'] = 0x02000000
|
|
|
|
result = dcerpc.winreg_OpenKey(pipe, s)
|
|
|
|
test_Key(pipe, result['handle'], name + '/' + s['keyname']['name'],
|
|
depth + 1)
|
|
|
|
test_CloseKey(pipe, result['handle'])
|
|
|
|
# Enumerate values
|
|
|
|
def runtests(binding, domain, username, password):
|
|
|
|
print 'Testing WINREG pipe'
|
|
|
|
pipe = dcerpc.pipe_connect(binding,
|
|
dcerpc.DCERPC_WINREG_UUID, dcerpc.DCERPC_WINREG_VERSION,
|
|
domain, username, password)
|
|
|
|
handle = test_OpenHKLM(pipe)
|
|
|
|
test_Key(pipe, handle, 'HKLM')
|