rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Feature Request - EXTAPI "-r" Service management #6894

Open mubix opened 8 years ago

mubix commented 8 years ago

Allow for use of current user/token to control remote system's services

For example:

meterpreter > use extapi
Loading extension extapi...success.
meterpreter > service_control -r 192.168.168.10 remoteregistry start
[-] extapi_service_control: Operation failed: Access is denied.

mubix commented 8 years ago

@OJ - I don't know if I'll be able to get this one on my own as I think it will need meterpreter options. It looks like we have a hard-coded NULL in the OpenSCManager call:

OJ commented 8 years ago

@mubix I can definitely sort this whole thing out for you. It's not a lot of work at all. I can enhance the existing code to take optional cred-related stuff as parameters. The thread impersonation stuff should work when using NULL, but I guess it's not, or I'm misunderstanding.

mubix commented 8 years ago

@OJ the NULL is in the spot where the target system would be, as OpenSCManager accepts a remote host in its options, so

https://github.com/rapid7/metasploit-payloads/blob/master/c/meterpreter/source/extensions/extapi/service.c#L336

        if ((scManager = pOpenSCManagerA(NULL, SERVICES_ACTIVE_DATABASEA, SC_MANAGER_CONNECT | GENERIC_READ)) == NULL)

would be:

        if ((scManager = pOpenSCManagerA(TLV_TYPE_EXT_SERVICE_CONTROL_HOST, SERVICES_ACTIVE_DATABASEA, SC_MANAGER_CONNECT | GENERIC_READ)) == NULL)

or something like that

OJ commented 8 years ago

Ah yes, gotcha. Easy fix. Will get it sorted.
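The OpenSCManager flow discussed above (the hard-coded NULL being the lpMachineName slot, and the wish to control services on a remote host with the token the calling thread currently holds), as an added stand-alone example. This is not code from metasploit-payloads' service.c or from either participant; the svc_* helper names, the verb-to-access mapping and the command-line shape are this example's own. The Win32 calls are fenced behind _WIN32 so the argument handling builds and tests anywhere; the actual service control only runs on Windows.

```c
/*
 * Added example, not code from metasploit-payloads or service.c: drive the
 * Windows Service Control Manager on a remote host through OpenSCManager's
 * lpMachineName parameter, authenticating with whatever token the calling
 * thread holds. The helper names (svc_*) and verb/access mappings are this
 * example's own. Win32 calls are guarded with _WIN32 so the argument
 * handling builds and tests on any platform.
 */
#include <ctype.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#endif

/* Verbs accepted on the command line. The non-zero values equal the
 * SERVICE_CONTROL_STOP/PAUSE/CONTINUE codes from winsvc.h (1, 2, 3) so they
 * can be handed straight to ControlService; "start" is not a control code
 * and goes through StartService instead. */
enum svc_verb { SVC_UNKNOWN = -1, SVC_START = 0, SVC_STOP = 1, SVC_PAUSE = 2, SVC_CONTINUE = 3 };

/* Case-insensitive equality, kept local so the file builds with MSVC and gcc alike. */
static int svc_ieq(const char *a, const char *b)
{
    for (; *a && *b; a++, b++)
        if (tolower((unsigned char)*a) != tolower((unsigned char)*b)) return 0;
    return *a == '\0' && *b == '\0';
}

enum svc_verb svc_parse_verb(const char *verb)
{
    if (verb == NULL) return SVC_UNKNOWN;
    if (svc_ieq(verb, "start")) return SVC_START;
    if (svc_ieq(verb, "stop")) return SVC_STOP;
    if (svc_ieq(verb, "pause")) return SVC_PAUSE;
    if (svc_ieq(verb, "resume") || svc_ieq(verb, "continue")) return SVC_CONTINUE;
    return SVC_UNKNOWN;
}

/* Minimum service right for each verb: SERVICE_START (0x10), SERVICE_STOP
 * (0x20), SERVICE_PAUSE_CONTINUE (0x40). Asking for only this, rather than
 * GENERIC_READ or SERVICE_ALL_ACCESS, limits the access check to what the
 * verb actually needs, which matters when the token is a borrowed one. */
unsigned long svc_required_access(enum svc_verb v)
{
    switch (v) {
    case SVC_START:    return 0x10;
    case SVC_STOP:     return 0x20;
    case SVC_PAUSE:
    case SVC_CONTINUE: return 0x40;
    default:           return 0;
    }
}

/* What goes in OpenSCManager's first parameter. NULL or "" selects the local
 * SCM, which is exactly what the hard-coded NULL in the issue does; any other
 * string is the remote host (IP, NetBIOS or DNS name) and is passed verbatim. */
const char *svc_machine_name(const char *host)
{
    return (host == NULL || *host == '\0') ? NULL : host;
}

#ifdef _WIN32
/* Apply `verb` to `service` on `host` (NULL = local). Returns 0 on success,
 * otherwise the Win32 error code (5 is ERROR_ACCESS_DENIED). */
unsigned long svc_control(const char *host, const char *service, enum svc_verb verb)
{
    SC_HANDLE scm, svc;
    SERVICE_STATUS status;
    unsigned long err = 0;

    if (verb == SVC_UNKNOWN || service == NULL) return ERROR_INVALID_PARAMETER;

    /* The remote host goes in lpMachineName. The RPC connection is made with
     * the calling thread's token, so an impersonated token is what the remote
     * SCM sees. SC_MANAGER_CONNECT is all that a later OpenService needs. */
    scm = OpenSCManagerA(svc_machine_name(host), SERVICES_ACTIVE_DATABASEA, SC_MANAGER_CONNECT);
    if (scm == NULL) return GetLastError();

    svc = OpenServiceA(scm, service, (DWORD)svc_required_access(verb));
    if (svc == NULL) {
        err = GetLastError();
        CloseServiceHandle(scm);
        return err;
    }

    if (verb == SVC_START) {
        if (!StartServiceA(svc, 0, NULL)) err = GetLastError();
    } else if (!ControlService(svc, (DWORD)verb, &status)) {
        err = GetLastError();
    }

    CloseServiceHandle(svc);
    CloseServiceHandle(scm);
    return err;
}

/* Usage: svc_control.exe <host|-> <service> <start|stop|pause|resume>
 * e.g.   svc_control.exe 192.168.168.10 RemoteRegistry start */
int main(int argc, char **argv)
{
    if (argc != 4) {
        fprintf(stderr, "usage: %s <host|-> <service> <start|stop|pause|resume>\n", argv[0]);
        return 2;
    }
    const char *host = strcmp(argv[1], "-") == 0 ? NULL : argv[1];
    unsigned long err = svc_control(host, argv[2], svc_parse_verb(argv[3]));
    if (err != 0) {
        fprintf(stderr, "%s %s on %s failed: Win32 error %lu\n", argv[3], argv[2],
                host ? host : "localhost", err);
        return 1;
    }
    return 0;
}
#endif
```

Two caveats a practitioner should keep in mind when wiring the host through like this. The remote SCM sees the calling thread's token only if that token can authenticate outbound: a token obtained by impersonating a network logon (for example one lifted from a client connected over SMB) carries no credentials, so the remote connection will not authenticate as that user no matter what is passed as lpMachineName. And the target still enforces its own ACLs, so the token needs SC_MANAGER_CONNECT on the remote SCM plus the per-service right requested above, which in practice means local administrator on the target for most services.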