rex 2.0.4 → 2.0.5

data/lib/rex/post/meterpreter/extensions/extapi/adsi/adsi.rb

@@ -48,14 +48,7 @@ class Adsi
 
     response = client.send_request(request)
 
-    results = []
-    response.each(TLV_TYPE_EXT_ADSI_RESULT) { |r|
-      result = []
-      r.each(TLV_TYPE_EXT_ADSI_VALUE) { |v|
-        result << v.value
-      }
-      results << result
-    }
+    results = extract_results(response)
 
     return {
       :fields  => fields,
@@ -65,6 +58,107 @@ class Adsi
 
   attr_accessor :client
 
+protected
+
+  #
+  # Retrieve the results of the query from the response
+  #   packet that was returned from Meterpreter.
+  #
+  # @param response [Packet] Reference to the received
+  #   packet that was returned from Meterpreter.
+  #
+  # @return [Array[Array[[Hash]]] Collection of results from
+  #   the ADSI query.
+  #
+  def extract_results(response)
+    results = []
+
+    response.each(TLV_TYPE_EXT_ADSI_RESULT) do |r|
+      results << extract_values(r)
+    end
+
+    results
+  end
+
+  #
+  # Extract a single row of results from a TLV group.
+  #
+  # @param tlv_container [Packet] Reference to the TLV
+  #   group to pull the values from.
+  #
+  # @return [Array[Hash]] Collection of values from
+  #   the single ADSI query result row.
+  #
+  def extract_values(tlv_container)
+    values = []
+    tlv_container.get_tlvs(TLV_TYPE_ANY).each do |v|
+      values << extract_value(v)
+    end
+    values
+  end
+
+  #
+  # Convert a single ADSI result value into a usable
+  #   value that also describes its type.
+  #
+  # @param v [TLV] The TLV item that contains the value.
+  #
+  # @return [Hash] The type/value pair from the TLV.
+  #
+  def extract_value(v)
+    value = {
+      :type => :unknown
+    }
+
+    case v.type
+    when TLV_TYPE_EXT_ADSI_STRING
+      value = {
+        :type  => :string,
+        :value => v.value
+      }
+    when TLV_TYPE_EXT_ADSI_NUMBER, TLV_TYPE_EXT_ADSI_BIGNUMBER
+      value = {
+        :type  => :number,
+        :value => v.value
+      }
+    when TLV_TYPE_EXT_ADSI_BOOL
+      value = {
+        :type  => :bool,
+        :value => v.value
+      }
+    when TLV_TYPE_EXT_ADSI_RAW
+      value = {
+        :type  => :raw,
+        :value => v.value
+      }
+    when TLV_TYPE_EXT_ADSI_ARRAY
+      value = {
+        :type  => :array,
+        :value => extract_values(v.value)
+      }
+    when TLV_TYPE_EXT_ADSI_PATH
+      value = {
+        :type     => :path,
+        :volume   => v.get_tlv_value(TLV_TYPE_EXT_ADSI_PATH_VOL),
+        :path     => v.get_tlv_value(TLV_TYPE_EXT_ADSI_PATH_PATH),
+        :vol_type => v.get_tlv_value(TLV_TYPE_EXT_ADSI_PATH_TYPE)
+      }
+    when TLV_TYPE_EXT_ADSI_DN
+      values = v.get_tlvs(TLV_TYPE_ALL)
+      value = {
+        :type   => :dn,
+        :label  => values[0].value
+      }
+
+      if values[1].type == TLV_TYPE_EXT_ADSI_STRING
+        value[:string] = value[1].value
+      else
+        value[:raw] = value[1].value
+      end
+    end
+
+    value
+  end
 end
 
 end; end; end; end; end; end

data/lib/rex/post/meterpreter/extensions/extapi/tlv.rb

@@ -54,21 +54,31 @@ TLV_TYPE_EXT_CLIPBOARD_MON_WIN_CLASS        = TLV_META_TYPE_STRING | (TLV_TYPE_E
 TLV_TYPE_EXT_CLIPBOARD_MON_DUMP             = TLV_META_TYPE_BOOL   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 52)
 TLV_TYPE_EXT_CLIPBOARD_MON_PURGE            = TLV_META_TYPE_BOOL   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 53)
 
-TLV_TYPE_EXT_ADSI_DOMAIN                    = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 55)
-TLV_TYPE_EXT_ADSI_FILTER                    = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 56)
-TLV_TYPE_EXT_ADSI_FIELD                     = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 57)
-TLV_TYPE_EXT_ADSI_VALUE                     = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 58)
-TLV_TYPE_EXT_ADSI_RESULT                    = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 59)
-TLV_TYPE_EXT_ADSI_MAXRESULTS                = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 60)
-TLV_TYPE_EXT_ADSI_PAGESIZE                  = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 61)
+TLV_TYPE_EXT_ADSI_DOMAIN                    = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 54)
+TLV_TYPE_EXT_ADSI_FILTER                    = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 55)
+TLV_TYPE_EXT_ADSI_FIELD                     = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 56)
+TLV_TYPE_EXT_ADSI_RESULT                    = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 57)
+TLV_TYPE_EXT_ADSI_MAXRESULTS                = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 58)
+TLV_TYPE_EXT_ADSI_PAGESIZE                  = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 59)
+TLV_TYPE_EXT_ADSI_ARRAY                     = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 60)
+TLV_TYPE_EXT_ADSI_STRING                    = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 61)
+TLV_TYPE_EXT_ADSI_NUMBER                    = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 62)
+TLV_TYPE_EXT_ADSI_BIGNUMBER                 = TLV_META_TYPE_QWORD  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 63)
+TLV_TYPE_EXT_ADSI_BOOL                      = TLV_META_TYPE_BOOL   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 64)
+TLV_TYPE_EXT_ADSI_RAW                       = TLV_META_TYPE_RAW    | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 65)
+TLV_TYPE_EXT_ADSI_PATH                      = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 66)
+TLV_TYPE_EXT_ADSI_PATH_VOL                  = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 67)
+TLV_TYPE_EXT_ADSI_PATH_PATH                 = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 68)
+TLV_TYPE_EXT_ADSI_PATH_TYPE                 = TLV_META_TYPE_UINT   | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 69)
+TLV_TYPE_EXT_ADSI_DN                        = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 70)
 
-TLV_TYPE_EXT_WMI_DOMAIN                     = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 65)
-TLV_TYPE_EXT_WMI_QUERY                      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 66)
-TLV_TYPE_EXT_WMI_FIELD                      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 67)
-TLV_TYPE_EXT_WMI_VALUE                      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 68)
-TLV_TYPE_EXT_WMI_FIELDS                     = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 69)
-TLV_TYPE_EXT_WMI_VALUES                     = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 70)
-TLV_TYPE_EXT_WMI_ERROR                      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 71)
+TLV_TYPE_EXT_WMI_DOMAIN                     = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 90)
+TLV_TYPE_EXT_WMI_QUERY                      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 91)
+TLV_TYPE_EXT_WMI_FIELD                      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 92)
+TLV_TYPE_EXT_WMI_VALUE                      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 93)
+TLV_TYPE_EXT_WMI_FIELDS                     = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 94)
+TLV_TYPE_EXT_WMI_VALUES                     = TLV_META_TYPE_GROUP  | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 95)
+TLV_TYPE_EXT_WMI_ERROR                      = TLV_META_TYPE_STRING | (TLV_TYPE_EXTENSION_EXTAPI + TLV_EXTENSIONS + 96)
 
 end
 end

data/lib/rex/post/meterpreter/extensions/stdapi/sys/config.rb

@@ -20,6 +20,8 @@ module Sys
 ###
 class Config
 
+  SYSTEM_SID = 'S-1-5-18'
+
   def initialize(client)
     self.client = client
   end
@@ -33,6 +35,22 @@ class Config
     client.unicode_filter_encode( response.get_tlv_value(TLV_TYPE_USER_NAME) )
   end
 
+  #
+  # Gets the SID of the current process/thread.
+  #
+  def getsid
+    request = Packet.create_request('stdapi_sys_config_getsid')
+    response = client.send_request(request)
+    response.get_tlv_value(TLV_TYPE_SID)
+  end
+
+  #
+  # Determine if the current process/thread is running as SYSTEM
+  #
+  def is_system?
+    getsid == SYSTEM_SID
+  end
+
   #
   # Returns a hash of requested environment variables, along with their values.
   # If a requested value doesn't exist in the response, then the value wasn't found.

data/lib/rex/post/meterpreter/extensions/stdapi/tlv.rb

@@ -116,6 +116,7 @@ TLV_TYPE_OS_NAME            = TLV_META_TYPE_STRING  | 1041
 TLV_TYPE_USER_NAME          = TLV_META_TYPE_STRING  | 1042
 TLV_TYPE_ARCHITECTURE       = TLV_META_TYPE_STRING  | 1043
 TLV_TYPE_LANG_SYSTEM        = TLV_META_TYPE_STRING  | 1044
+TLV_TYPE_SID                = TLV_META_TYPE_STRING  | 1045
 
 # Environment
 TLV_TYPE_ENV_VARIABLE       = TLV_META_TYPE_STRING  | 1100

data/lib/rex/post/meterpreter/packet_dispatcher.rb

@@ -96,7 +96,7 @@ module PacketDispatcher
 
     # If the first 4 bytes are "RECV", return the oldest packet from the outbound queue
     if req.body[0,4] == "RECV"
-      rpkt = send_queue.pop
+      rpkt = send_queue.shift
       resp.body = rpkt || ''
       begin
         cli.send_response(resp)

data/lib/rex/post/meterpreter/ui/console.rb

@@ -106,7 +106,7 @@ class Console
       log_error("Operation timed out.")
     rescue RequestError => info
       log_error(info.to_s)
-    rescue Rex::AddressInUse => e
+    rescue Rex::InvalidDestination => e
       log_error(e.message)
     rescue ::Errno::EPIPE, ::OpenSSL::SSL::SSLError, ::IOError
       self.client.kill

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/extapi/adsi.rb

@@ -176,7 +176,7 @@ class Console::CommandDispatcher::Extapi::Adsi
     )
 
     objects[:results].each do |c|
-      table << c
+      table << to_table_row(c)
     end
 
     print_line
@@ -189,6 +189,48 @@ class Console::CommandDispatcher::Extapi::Adsi
     return true
   end
 
+protected
+
+  #
+  # Convert an ADSI result row to a table row so that it can
+  #   be rendered to screen appropriately.
+  #
+  # @param result [Array[Hash]] Array of type/value pairs.
+  #
+  # @return [Array[String]] Renderable view of the value.
+  #
+  def to_table_row(result)
+    values = []
+
+    result.each do |v|
+      case v[:type]
+      when :string, :number, :bool
+        values << v[:value].to_s
+      when :raw
+        # for UI level stuff, rendering raw as hex is really the only option
+        values << Rex::Text.to_hex(v[:value], '')
+      when :array
+        val = "#{to_table_row(v[:value]).join(", ")}"
+
+        # we'll truncate the output of the array because it could be excessive if we
+        # don't. Users who want the detail of this stuff should probably script it.
+        if val.length > 50
+          val = "<#{val[0,50]}..."
+        end
+
+        values << val
+      when :dn
+        values << "#{value[:label]}: #{value[:string] || Rex::Text.to_hex(value[:raw], '')}"
+      when :path
+        values << "Vol: #{v[:volume]}, Path: #{v[:path]}, Type: #{v[:vol_type]}"
+      when :unknown
+        values << "(unknown)"
+      end
+    end
+
+    values
+  end
+
 end
 
 end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/incognito.rb

@@ -221,7 +221,7 @@ class Console::CommandDispatcher::Incognito
   end
 
   def system_privilege_check
-    if (client.sys.config.getuid != "NT AUTHORITY\\SYSTEM")
+    unless client.sys.config.is_system?
       print_line("[-] Warning: Not currently running as SYSTEM, not all tokens will be available")
       print_line("             Call rev2self if primary process token is SYSTEM")
     end

data/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb

@@ -88,6 +88,7 @@ class Console::CommandDispatcher::Stdapi::Sys
       "getpid"      => "Get the current process identifier",
       "getprivs"    => "Attempt to enable all privileges available to the current process",
       "getuid"      => "Get the user that the server is running as",
+      "getsid"      => "Get the SID of the user that the server is running as",
       "getenv"      => "Get one or more environment variable values",
       "kill"        => "Terminate a process",
       "ps"          => "List running processes",
@@ -107,6 +108,7 @@ class Console::CommandDispatcher::Stdapi::Sys
       "getpid"      => [ "stdapi_sys_process_getpid"  ],
       "getprivs"    => [ "stdapi_sys_config_getprivs" ],
       "getuid"      => [ "stdapi_sys_config_getuid" ],
+      "getsid"      => [ "stdapi_sys_config_getsid" ],
       "getenv"      => [ "stdapi_sys_config_getenv" ],
       "kill"        => [ "stdapi_sys_process_kill" ],
       "ps"          => [ "stdapi_sys_process_get_processes" ],
@@ -279,6 +281,13 @@ class Console::CommandDispatcher::Stdapi::Sys
     print_line("Server username: #{client.sys.config.getuid}")
   end
 
+  #
+  # Display the SID of the user that the server is running as.
+  #
+  def cmd_getsid(*args)
+    print_line("Server SID: #{client.sys.config.getsid}")
+  end
+
   #
   # Get the value of one or more environment variables from the target.
   #

data/lib/rex/proto/dcerpc/svcctl.rb

@@ -0,0 +1,2 @@
+# -*- coding: binary -*-
+require 'rex/proto/dcerpc/svcctl/packet'

data/lib/rex/proto/dcerpc/svcctl/packet.rb

@@ -0,0 +1,304 @@
+# -*- coding: binary -*-
+module Rex
+
+###
+# This module implements MSRPC functions that control creating, deleting,
+# starting, stopping, and querying system services.
+###
+module Proto::DCERPC::SVCCTL
+
+  require 'rex/constants/windows'
+  NDR = Rex::Encoder::NDR
+
+
+class Client
+
+  include Rex::Constants::Windows
+
+  attr_accessor :dcerpc_client
+
+  def initialize(dcerpc_client)
+    self.dcerpc_client = dcerpc_client
+  end
+
+  # Returns the Windows Error Code in numeric format
+  #
+  # @param raw_error [String] the raw error code in binary format.
+  #
+  # @return [Integer] the Windows Error Code integer.
+  def error_code(raw_error)
+    raw_error.unpack('V').first
+  end
+
+  # Calls OpenSCManagerW() to obtain a handle to the service control manager.
+  #
+  # @param rhost [String] the target host.
+  # @param access [Fixnum] the access flags requested.
+  #
+  # @return [Array<String,Integer>] the handle to the service control manager or nil if
+  #   the call is not successful and the Windows error code
+  def openscmanagerw(rhost, access = SC_MANAGER_ALL_ACCESS)
+    scm_handle = nil
+    scm_status = nil
+    stubdata =
+      NDR.uwstring("\\\\#{rhost}") +
+      NDR.long(0) +
+      NDR.long(access)
+    begin
+      response = dcerpc_client.call(OPEN_SC_MANAGER_W, stubdata)
+      if response
+        scm_status = error_code(response[20,4])
+        if scm_status == ERROR_SUCCESS
+          scm_handle = response[0,20]
+        end
+      end
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error("#{peer} - Error getting scm handle: #{e}")
+    end
+
+    [scm_handle, scm_status]
+  end
+
+  # Calls CreateServiceW() to create a system service.  Returns a handle to
+  # the service on success, or nil.
+  #
+  # @param scm_handle [String] the SCM handle (from {#openscmanagerw}).
+  # @param service_name [String] the service name.
+  # @param display_name [String] the display name.
+  # @param binary_path [String] the path of the binary to run.
+  # @param opts [Hash] arguments for CreateServiceW()
+  # @option opts [Fixnum] :access (SERVICE_ALL_ACCESS) the access level.
+  # @option opts [Fixnum] :type (SERVICE_WIN32_OWN_PROCESS ||
+  #   SERVICE_INTERACTIVE_PROCESS) the type of service.
+  # @option opts [Fixnum] :start (SERVICE_DEMAND_START) the start options.
+  # @option opts [Fixnum] :errors (SERVICE_ERROR_IGNORE) the error options.
+  # @option opts [Fixnum] :load_order_group (0) the load order group.
+  # @option opts [Fixnum] :dependencies (0) the dependencies of the service.
+  # @option opts [Fixnum] :service_start (0)
+  # @option opts [Fixnum] :password1 (0)
+  # @option opts [Fixnum] :password2 (0)
+  # @option opts [Fixnum] :password3 (0)
+  # @option opts [Fixnum] :password4 (0)
+  #
+  # @return [String, Integer] a handle to the created service, windows
+  #   error code.
+  def createservicew(scm_handle, service_name, display_name, binary_path, opts)
+    default_opts = {
+      :access => SERVICE_ALL_ACCESS,
+      :type => SERVICE_WIN32_OWN_PROCESS || SERVICE_INTERACTIVE_PROCESS,
+      :start => SERVICE_DEMAND_START,
+      :errors => SERVICE_ERROR_IGNORE,
+      :load_order_group => 0,
+      :dependencies => 0,
+      :service_start => 0,
+      :password1 => 0,
+      :password2 => 0,
+      :password3 => 0,
+      :password4 => 0
+    }.merge(opts)
+
+    svc_handle  = nil
+    svc_status  = nil
+    stubdata = scm_handle +
+      NDR.wstring(service_name) +
+      NDR.uwstring(display_name) +
+      NDR.long(default_opts[:access]) +
+      NDR.long(default_opts[:type]) +
+      NDR.long(default_opts[:start]) +
+      NDR.long(default_opts[:errors]) +
+      NDR.wstring(binary_path) +
+      NDR.long(default_opts[:load_order_group]) +
+      NDR.long(default_opts[:dependencies]) +
+      NDR.long(default_opts[:service_start]) +
+      NDR.long(default_opts[:password1]) +
+      NDR.long(default_opts[:password2]) +
+      NDR.long(default_opts[:password3]) +
+      NDR.long(default_opts[:password4])
+    begin
+      response = dcerpc_client.call(CREATE_SERVICE_W, stubdata)
+      if response
+        svc_status = error_code(response[24,4])
+
+        if svc_status == ERROR_SUCCESS
+          svc_handle = response[4,20]
+        end
+      end
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error("#{peer} - Error creating service: #{e}")
+    end
+
+    return svc_handle, svc_status
+  end
+
+  # Calls ChangeServiceConfig2() to change the service description.
+  #
+  # @param svc_handle [String] the service handle to change.
+  # @param service_description [String] the service description.
+  #
+  # @return [Integer] Windows error code
+  def changeservicedescription(svc_handle, service_description)
+    svc_status = nil
+    stubdata =
+      svc_handle +
+      NDR.long(SERVICE_CONFIG_DESCRIPTION) +
+      NDR.long(1) + # lpInfo -> *SERVICE_DESCRIPTION
+      NDR.long(0x0200) + # SERVICE_DESCRIPTION struct
+      NDR.long(0x04000200) +
+      NDR.wstring(service_description)
+    begin
+      response = dcerpc_client.call(CHANGE_SERVICE_CONFIG2_W, stubdata) # ChangeServiceConfig2
+      svc_status = error_code(response)
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error("#{peer} - Error changing service description : #{e}")
+    end
+
+    svc_status
+  end
+
+
+  # Calls CloseHandle() to close a handle.
+  #
+  # @param handle [String] the handle to close.
+  #
+  # @return [Integer] Windows error code
+  def closehandle(handle)
+    svc_status = nil
+    begin
+      response = dcerpc_client.call(CLOSE_SERVICE_HANDLE, handle)
+      if response
+        svc_status = error_code(response[20,4])
+      end
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error("#{peer} - Error closing service handle: #{e}")
+    end
+
+    svc_status
+  end
+
+  # Calls OpenServiceW to obtain a handle to an existing service.
+  #
+  # @param scm_handle [String] the SCM handle (from {#openscmanagerw}).
+  # @param service_name [String] the name of the service to open.
+  # @param access [Fixnum] the level of access requested (default is maximum).
+  #
+  # @return [String, nil] the handle of the service opened, or nil on failure.
+  def openservicew(scm_handle, service_name, access = SERVICE_ALL_ACCESS)
+    svc_handle = nil
+    svc_status = nil
+    stubdata = scm_handle + NDR.wstring(service_name) + NDR.long(access)
+    begin
+      response = dcerpc_client.call(OPEN_SERVICE_W, stubdata)
+      if response
+        svc_status = error_code(response[20,4])
+        if svc_status == ERROR_SUCCESS
+          svc_handle = response[0,20]
+        end
+      end
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error("#{peer} - Error opening service handle: #{e}")
+    end
+
+    svc_handle
+  end
+
+  # Calls StartService() on a handle to an existing service in order to start
+  # it.  Returns true on success, or false.
+  #
+  # @param svc_handle [String] the handle of the service (from {#openservicew}).
+  # @param magic1 [Fixnum] an unknown value.
+  # @param magic2 [Fixnum] another unknown value.
+  #
+  # @return [Integer] Windows error code
+  def startservice(svc_handle, magic1 = 0, magic2 = 0)
+    svc_status = nil
+    stubdata = svc_handle + NDR.long(magic1) + NDR.long(magic2)
+
+    begin
+      response = dcerpc_client.call(0x13, stubdata)
+      if response
+        svc_status = error_code(response)
+      end
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error("#{peer} - Error starting service: #{e}")
+    end
+
+    svc_status
+  end
+
+  # Stops a running service.
+  #
+  # @param svc_handle [String] the handle of the service (from {#openservicew}).
+  #
+  # @return [Integer] Windows error code
+  def stopservice(svc_handle)
+    dce_controlservice(svc_handle, SERVICE_CONTROL_STOP)
+  end
+
+  # Controls an existing service.
+  #
+  # @param svc_handle [String] the handle of the service (from {#openservicew}).
+  # @param operation [Fixnum] the operation number to perform (1 = stop
+  #                           service; others are unknown).
+  #
+  # @return [Integer] Windows error code
+  def controlservice(svc_handle, operation)
+    svc_status = nil
+    begin
+      response = dcerpc_client.call(CONTROL_SERVICE, svc_handle + NDR.long(operation))
+      if response
+       svc_status =  error_code(response[28,4])
+      end
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error("#{peer} - Error controlling service: #{e}")
+    end
+
+    svc_status
+  end
+
+  # Calls DeleteService() to delete a service.
+  #
+  # @param svc_handle [String] the handle of the service (from {#openservicew}).
+  #
+  # @return [Integer] Windows error code
+  def deleteservice(svc_handle)
+    svc_status = nil
+    begin
+      response = dcerpc_client.call(DELETE_SERVICE, svc_handle)
+      if response
+        svc_status = error_code(response)
+      end
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error("#{peer} - Error deleting service: #{e}")
+    end
+
+    svc_status
+  end
+
+  # Calls QueryServiceStatus() to query the status of a service.
+  #
+  # @param svc_handle [String] the handle of the service (from {#openservicew}).
+  #
+  # @return [Fixnum] Returns 0 if the query failed (i.e.: a state was returned
+  #                  that isn't implemented), 1 if the service is running, and
+  #                  2 if the service is stopped.
+  def queryservice(svc_handle)
+    ret = 0
+
+    begin
+      response = dcerpc_client.call(QUERY_SERVICE_STATUS, svc_handle)
+      if response[0,9] == "\x10\x00\x00\x00\x04\x00\x00\x00\x01"
+        ret = 1
+      elsif response[0,9] == "\x10\x00\x00\x00\x01\x00\x00\x00\x00"
+        ret = 2
+      end
+    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+      print_error("#{peer} - Error deleting service: #{e}")
+    end
+
+    ret
+  end
+
+end
+end
+end
+