[jcifs] Re: Remote Execution and SVCCTL

Michael B Allen mba2000 at ioplex.com
Wed Sep 15 23:00:09 GMT 2004


Michael Melhem said:
> Hi Mike, et al.
>
> I have converted the required methods from svcctl.idl into MIDL format
> and have run the idlc compiler to generate svcctl.java. The converted IDL
> is attached to this email. I also wrote a test program (extending from
> svcctl.java) which does essentially the following:
>
> policy_handle handle = new policy_handle();
> handle.uuid = new uuid_t();

There are a few pitfalls that are going to need some explaining. I think
it would be better if I put that effort into some real documentation but I
can give you some clues now.

DCE/RPC was designed with the C language in mind. This creates some minor
problems that need to be considered. Consider the following IDL:

        typedef struct {
            uint32_t time_low;
            uint16_t time_mid;
            uint16_t time_hi_and_version;
            uint8_t clock_seq_hi_and_reserved;
            uint8_t clock_seq_low;
            uint8_t node[6];
        } uuid_t;

In C the node member is part of the uuid_t type. But in Java you have to
explicitly allocate arrays. I think it might be necessary to do:

rpc.uuid_t uuid = new rpc.uuid_t();
uuid.node = new byte[6];
...

Some wrapper classes will be in order for more common structures such as
UUID.java, SID.java, etc. that handle these little issues automatically.


> OpenSCManagerW scmanager = new OpenSCManagerW("\\\\" + servername, null,
> 0x02000000, handle);
> call(0, scmanager);
>
> System.out.println( scmanager.retval + ": rtme_low" + handle.uuid.time_low
> );
>
> The above seems to work fine because I get a value from
> handle.uuid.time_low

I just picked that field at random though. For all I know a 0 value is
valid as well. It's a crude test.

>, plus the return val is zero. Ethereal looks good
> too. The problem arises when I try and call openServiceW(). Note, for the
> scmanager argument, I use handle from above (which I now presume is a
> handle to the remote scmanager). I'm guessing the SERVICE_ACCESS argument
> (at the moment I have it set to zero, need to find out the real values
> for these constants from the windows header files?)

Check to see if there's an equivalent Win32 function by searching MSDN:

http://msdn.microsoft.com/library/default.asp?url=/library/en-us/dllproc/base/openservice.asp

> Here I try to open the remote Windows Telnet service...
>
>
> OpenServiceW service = new OpenServiceW(handle, "Telent", 0);
> call(0, service);
>
> The above causes an unknown Fault Exception returned from remote system.
> So I'm not sure what is happening. When I try call(1, service) it seems to
> get further but still bombs out.
>
> I'm not so privy to the internal workings of Jarapac, so I'm not sure what
> the first argument of the call() method refers to. Usually it is just
> set to 0.

That's the "semantics" flag. It looks like it controls DCE operation
attributes like "idempotent", "maybe", etc. You would have to look at the
DCE specification and Jarapac to see how it really alters the behavior of
a call. I recommend just leaving it 0.

> Another thing, the midl interface for OpenServiceW() is as follows:
>
> /*****************/
>  /* Function 0x10 */
>  [op(0x10)]
>  int OpenServiceW([in] policy_handle *scmanager_handle,
>              [in,string,unique] wchar_t *ServiceName,
>              [in] uint32_t access_mask);
>
>
> Note that all the arguments are all [in] arguments, so how am I meant to
> get a handle to the service from this method???

Hmm, that's a good question. The Samba4 IDL should really only be used as
a guide. The MSDN documentation for equivalent Win32 functions is just as
important and if you understand MIDL well it is not uncommon to be able to
derive the IDL entirely from the Win32 API documentation. The MSDN
prototype is:

SC_HANDLE OpenService(
  SC_HANDLE hSCManager,
  LPCTSTR lpServiceName,
  DWORD dwDesiredAccess
);

So perhaps it's:

  [op(0x10)]
  policy_handle *OpenServiceW([in] policy_handle *scmanager_handle,
              [in,string,unique] wchar_t *ServiceName,
              [in] uint32_t access_mask);

Another problem might be that the version of IDLC isn't quite right. I
think it should handle the above just fine but I have a new version that
you should really be using instead. It's not quite through the entire test
suite so I have a little more work to do. I could release it tonight.

Mike
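An added illustration of the array-allocation pitfall described in this thread; this is not jcifs or Jarapac code. The class and field names mirror the uuid_t IDL quoted above, the policy_handle layout (a uint32_t handle_type followed by the uuid_t, 20 bytes on the wire) is assumed, and the marshalling is little-endian NDR:

```java
import java.nio.ByteBuffer;
import java.nio.ByteOrder;

// Hand-written stand-ins for the idlc-generated classes (not jcifs/Jarapac code).
public class PolicyHandleDemo {

    // Mirrors the uuid_t IDL quoted in the reply; NDR marshals it little-endian.
    static final class uuid_t {
        int time_low;                       // uint32_t
        short time_mid;                     // uint16_t
        short time_hi_and_version;          // uint16_t
        byte clock_seq_hi_and_reserved;     // uint8_t
        byte clock_seq_low;                 // uint8_t
        byte[] node;                        // uint8_t node[6]; null until allocated in Java

        void encode(ByteBuffer buf) {
            // The C struct embeds the 6 bytes; the Java field is a reference, so check it.
            if (node == null || node.length != 6)
                throw new IllegalStateException("uuid_t.node must be a 6-byte array");
            buf.putInt(time_low).putShort(time_mid).putShort(time_hi_and_version)
               .put(clock_seq_hi_and_reserved).put(clock_seq_low).put(node);
        }

        void decode(ByteBuffer buf) {
            time_low = buf.getInt(); time_mid = buf.getShort(); time_hi_and_version = buf.getShort();
            clock_seq_hi_and_reserved = buf.get(); clock_seq_low = buf.get();
            if (node == null) node = new byte[6];   // allocate before filling from the wire
            buf.get(node);
        }
    }

    // Assumed layout: uint32_t handle_type followed by the uuid_t (20 bytes on the wire).
    static final class policy_handle {
        int handle_type;
        uuid_t uuid = new uuid_t();
        void encode(ByteBuffer buf) { buf.putInt(handle_type); uuid.encode(buf); }
        void decode(ByteBuffer buf) { handle_type = buf.getInt(); uuid.decode(buf); }
    }

    public static void main(String[] args) {
        policy_handle h = new policy_handle();
        h.uuid.node = new byte[6];          // the explicit allocation the reply recommends
        h.uuid.time_low = 0x01234567;       // constructed sample value
        ByteBuffer wire = ByteBuffer.allocate(20).order(ByteOrder.LITTLE_ENDIAN);
        h.encode(wire);
        wire.flip();
        policy_handle back = new policy_handle();   // node left null: decode allocates it
        back.decode(wire);
        System.out.println(Integer.toHexString(back.uuid.time_low) + " node=" + back.uuid.node.length);
    }
}
```

Without the `h.uuid.node = new byte[6]` line the encode step fails before anything reaches the wire, which is the kind of client-side failure worth ruling out before suspecting the remote fault.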

