kavika13 / remcom

Remote Command Executor: An OSS replacement for PsExec and RunAs - or Telnet without having to install a server. Take your pick :)

Home Page: http://talhatariq.wordpress.com/2006/04/14/the-open-source-psexec/

C 4.06% C++ 95.94%

remcom's Introduction

#RemCom

This is a fork of the RemCom project, since that project seems dead, and there are patches to be made.

For the most "official" documentation of this branch, see the wiki. The rest of this description is a placeholder for now.

Changes since fork:

From their site:


RemCom - The open source psexec

Terminal Services are expensive in terms of bandwidth. Utilities like GotoMyPC and remote control programs like PC Anywhere let you execute programs on remote systems, but they take time to set up and require that you install client software on the remote systems that you wish to access, and are extremely costly when it comes to running just some administrative commands over a group of systems.

What is RemCom : RemCom is a small (10KB upx packed) remote shell / telnet replacement that lets you execute processes on remote Windows systems, copy files on remote systems, process their output and stream it back. It allows execution of remote shell commands directly with full interactive console without having to install any client software. On local machines it is also able to impersonate, so it can be used as a silent replacement for the Runas command.

Platform and Language : RemCom is written in C++ and works on NT 4.0, Win2K, Windows XP and Server 2003 including x64 versions of Windows.

Project Inspiration : Mark Russinovich [sysinternals] Psexec.

Background: I started this project to make my own RAT [Remote Administration Tool]. Before this, for numerous tasks I used the sysinternals pstools, but my ability to use / extend it was always limited by its licensing and usage terms. That is why I started off writing my own version of something similar to psexec, and RemCom was the result.

Some Features :

  • RemCom is open source :) (source available here).
  • You can run as many remote commands on the machine as you want
  • You can execute internal commands (net, netsh, ipconfig) directly : RemCom \foo-bar-system net start snmp
  • You can start a light "telnet" connection with a remote machine without any telnet server : RemCom.exe \foo-bar-system cmd
  • You can also copy any file on the remote machine and receive its output.
  • RemCom creates a small ( < 1 KB) service on the remote machine (which it extracts from itself at runtime).
  • All communication is done via named pipes & RPC .
  • The application removes its traces of the connection and the service on successful disconnect (neat huh?). RemCom is also used in OCS Inventory NG. See this post.

Future Roadmap :

  • A Pretty UserInterface.
  • Multi Consoles in a single session.
  • A builtin option for fetching files.

Any comments, bugs, wishlists: email to: talha [dot] tariq [at] gmail [dot] com

Source & Download : The most recent version of RemCom is available here.


remcom's Issues

Command line syntax needs improvement

We should both be more flexible, and allow less inconsistent/poor choices for parameter names.

E.g. pwd should be password, or pass, or p. It should also support a hyphen instead of just a slash (not sure if it does now or not).

Todo: Get some repro steps, and plan out the specific changes.

Compilation error

Hello,

I would like to compile your project in Visual Studio Professional 2013.
When I build the project, I get the following errors:

Error   30  error MSB6006: "CL.exe" exited with code -1073741515.   C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\Platforms\Win32\Microsoft.Cpp.Win32.targets   57  5   ProcComs
Error   31  error MSB6006: "CL.exe" exited with code -1073741515.   C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\Platforms\Win32\Microsoft.Cpp.Win32.targets   147 5   RemComSvc
Error   34  error MSB6006: "CL.exe" exited with code -1073741515.   C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\Platforms\Win32\Microsoft.Cpp.Win32.targets   147 5   RemCom

Here are Warnings:

Message 28  Could not find schema information for the attribute 'Condition'.    C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\Platforms\Win32\Microsoft.Cpp.Win32.targets   262 32  Miscellaneous Files
Message 29  Could not find schema information for the attribute 'Condition'.    C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\Platforms\Win32\Microsoft.Cpp.Win32.targets   386 32  Miscellaneous Files

Here is log output:

------ Build started: Project: ProcComs, Configuration: Debug Win32 ------
Build started 05/05/2015 14:53:33.
Building with tools version "12.0".

[...]

Target "ComputeMIDLGeneratedCompileInputs" skipped. Previously built successfully.
Target "ComputeCLInputPDBName" in file "C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\Microsoft.CppBuild.targets" from project "C:\Users\bob\Tools\RemCom-master\RemCom-master\RemCom.vcxproj" (target "_ClCompile" depends on it):
Done building target "ComputeCLInputPDBName" in project "RemCom.vcxproj".
Target "ResolveReferences" skipped. Previously built successfully.
Target "ComputeReferenceCLInput" in file "C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\Microsoft.CppBuild.targets" from project "C:\Users\bob\Tools\RemCom-master\RemCom-master\RemCom.vcxproj" (target "_ClCompile" depends on it):
Task "WriteLinesToFile"
Done executing task "WriteLinesToFile".
Task "Message" skipped, due to false condition; ('$(_REFERENCE_DEBUG)'=='true' and '%(ClCompile.CompileAsManaged)' != 'false' and '%(ClCompile.CompileAsManaged)' != '') was evaluated as (''=='true' and '' != 'false' and '' != '').
Done building target "ComputeReferenceCLInput" in project "RemCom.vcxproj".
Target "MakeDirsForCl" in file "C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\Microsoft.CppBuild.targets" from project "C:\Users\bob\Tools\RemCom-master\RemCom-master\RemCom.vcxproj" (target "_ClCompile" depends on it):
Task "MakeDir"
Done executing task "MakeDir".
Done building target "MakeDirsForCl" in project "RemCom.vcxproj".
Target "PrepareForBuild" skipped. Previously built successfully.
Target "SetBuildDefaultEnvironmentVariables" skipped. Previously built successfully.
Target "SetUserMacroEnvironmentVariables" skipped, due to false condition; ('@(BuildMacro)' != '') was evaluated as ('' != '').
Target "_SelectedFiles" in file "C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\Microsoft.CppBuild.targets" from project "C:\Users\bob\Tools\RemCom-master\RemCom-master\RemCom.vcxproj" (target "SelectClCompile" depends on it):
Done building target "_SelectedFiles" in project "RemCom.vcxproj".
Target "ComputeMIDLGeneratedCompileInputs" skipped. Previously built successfully.
Target "ComputeCLInputPDBName" skipped. Previously built successfully.
Target "ComputeReferenceCLInput" skipped. Previously built successfully.
Target "_SelectedFiles" skipped. Previously built successfully.
Target "SelectCustomBuild" in file "C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\Microsoft.CppBuild.targets" from project "C:\Users\bob\Tools\RemCom-master\RemCom-master\RemCom.vcxproj" (target "SelectClCompile" depends on it):
Done building target "SelectCustomBuild" in project "RemCom.vcxproj".
Target "SelectClCompile" in file "C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\Microsoft.CppBuild.targets" from project "C:\Users\bob\Tools\RemCom-master\RemCom-master\RemCom.vcxproj" (target "ClCompile" depends on it):
Done building target "SelectClCompile" in project "RemCom.vcxproj".
Target "GenerateTargetFrameworkMonikerAttribute" skipped, due to false condition; ('$(GenerateTargetFrameworkAttribute)' == 'true') was evaluated as ('false' == 'true').
Target "ClCompile" in file "C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\Platforms\Win32\Microsoft.Cpp.Win32.targets" from project "C:\Users\bob\Tools\RemCom-master\RemCom-master\RemCom.vcxproj" (target "_ClCompile" depends on it):
Task "Delete"
Done executing task "Delete".
Task "CL" skipped, due to false condition; ('%(ClCompile.PrecompiledHeader)' == 'Create' and '%(ClCompile.ExcludedFromBuild)'!='true') was evaluated as ('NotUsing' == 'Create' and ''!='true').
Using "CL" task from assembly "Microsoft.Build.CppTasks.Win32, Version=4.0.0.0, Culture=neutral, PublicKeyToken=b03f5f7f11d50a3a".
Task "CL"
  Forcing recompile of all source files due to missing PDB ".\Debug/vc100.pdb".
  Environment Variables passed to tool:
    VS_UNICODE_OUTPUT=720
  C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\CL.exe /c /ZI /nologo /W4 /WX- /Od /Oy- /D _DEBUG /D WIN32 /D _WINDOWS /D _MBCS /Gm- /EHsc /RTC1 /MDd /GS /fp:precise /Zc:wchar_t /Zc:forScope /Fo".\Debug/" /Fd".\Debug/vc100.pdb" /FR"Debug\\" /Gd /TP /analyze- /errorReport:prompt RemCom.cpp
  Tracking command:
  C:\Program Files (x86)\Microsoft SDKs\Windows\v8.0A\bin\NETFX 4.0 Tools\Tracker.exe /d C:\Windows\Microsoft.NET\Framework\v4.0.30319\FileTracker.dll /i C:\Users\bob\Tools\RemCom-master\RemCom-master\Debug /r C:\USERS\BOB\TOOLS\REMCOM-MASTER\REMCOM-MASTER\REMCOM.CPP /b MSBuildConsole_CancelEvent0d8935eeddae4c0aa7120cbdbc89ce2e  /c "C:\Program Files (x86)\Microsoft Visual Studio 10.0\VC\bin\CL.exe"  /c /ZI /nologo /W4 /WX- /Od /Oy- /D _DEBUG /D WIN32 /D _WINDOWS /D _MBCS /Gm- /EHsc /RTC1 /MDd /GS /fp:precise /Zc:wchar_t /Zc:forScope /Fo".\Debug/" /Fd".\Debug/vc100.pdb" /FR"Debug\\" /Gd /TP /analyze- /errorReport:prompt RemCom.cpp
C:\Program Files (x86)\MSBuild\Microsoft.Cpp\v4.0\Platforms\Win32\Microsoft.Cpp.Win32.targets(147,5): error MSB6006: "CL.exe" exited with code -1073741515.
Done executing task "CL" -- FAILED.
Done building target "ClCompile" in project "RemCom.vcxproj" -- FAILED.

Build FAILED.

Time Elapsed 00:00:00.07
========== Build: 0 succeeded, 3 failed, 0 up-to-date, 0 skipped ==========

I don't know how to fix this bug.

Can you help me please?

Thank you in advance.

Doesn't work on Windows 7?

Needs investigation.

I can't seem to get it to work against a Windows 7 machine.

I have made sure the Admin share is accessible, so I don't think that's the problem. (It stopped giving me error messages about that).

Will get more details (including error message, repro steps, what I did to get past the admin share error, etc) later.

remcom test mode

There should be a way to just check the remcom errors without executing any command on the remote machine, so that all prerequisites like remote IP, user ID, password and admin shares are tested.

Additional space on command line gets inserted if the argument list is empty

The space should not be inserted if szArguments is empty, in remcom.cpp.

    if ( !IsCmdLineParameter(_T("c")) )
        _stprintf( pMsg->szCommand, _T("\"%s\" %s"), lpszCommandExe, szArguments );
    else
    {
        TCHAR drive[_MAX_DRIVE];
        TCHAR dir[_MAX_DIR];
        TCHAR fname[_MAX_FNAME];
        TCHAR ext[_MAX_EXT];

        _tsplitpath( lpszCommandExe, drive, dir, fname, ext );

        _stprintf( pMsg->szCommand, _T("%s%s %s"), fname, ext, szArguments );
    }

Usage dialog runs over right edge of screen

We need to fix the formatting of the usage dialog.

I know that PsExec probably had cutesy robocopy-like usage instructions, but I'd like to get it more nailed down and clean looking, like Unix tools or built-in DOS utilities.

The text should at least fit on the page.

stprintf is overflowing the buffer at many places

We should replace its usage with some safe function like stprintf_s or the string buffer io stream class.

This is causing the buffer overflow if the command line is bigger than some number of characters - just imagine machine name, command path, some parameters .... and then pipe output to another command
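A bounded way to build the command string that addresses both the trailing-space report and the overflow report above, as an added example that is not RemCom's own code. It assumes a hypothetical `DemoMessage` struct and `BuildCommand` function, uses narrow `char` with standard `snprintf` as a portable stand-in for the TCHAR-based routines, and takes the 0x100 buffer size from the "Remote command parameters are limited in length" issue further down.

```cpp
#include <cstdio>
#include <cstring>
#include <string>

// Buffer size reported on this page for the command field (0x100 characters).
constexpr size_t kCommandChars = 0x100;

// Hypothetical stand-in for the message the client fills in; only the
// command field is modelled here.
struct DemoMessage {
    char szCommand[kCommandChars];
};

enum class BuildResult { Ok, TooLong, BadInput };

// Formats "\"exe\" args", or just "\"exe\"" when args is empty, into
// msg.szCommand. It never writes past the buffer, and it refuses a command
// that does not fit instead of sending a silently truncated one.
BuildResult BuildCommand(DemoMessage& msg, const char* exe, const char* args)
{
    if (exe == nullptr || *exe == '\0')
        return BuildResult::BadInput;
    const bool hasArgs = (args != nullptr && *args != '\0');

    // snprintf writes at most sizeof(szCommand) bytes including the NUL and
    // returns the length the complete string would have needed.
    const int needed = hasArgs
        ? std::snprintf(msg.szCommand, sizeof msg.szCommand, "\"%s\" %s", exe, args)
        : std::snprintf(msg.szCommand, sizeof msg.szCommand, "\"%s\"", exe);

    if (needed < 0 || static_cast<size_t>(needed) >= sizeof msg.szCommand) {
        msg.szCommand[0] = '\0';  // a cut-off command line is a different command
        return BuildResult::TooLong;
    }
    return BuildResult::Ok;
}

int main()
{
    DemoMessage msg;

    // Empty argument list: no trailing space after the quoted executable.
    if (BuildCommand(msg, "C:\\Windows\\System32\\cmd.exe", "") == BuildResult::Ok)
        std::printf("[%s]\n", msg.szCommand);

    // Constructed oversized argument string: rejected, buffer left empty.
    const std::string longArgs(300, 'A');
    if (BuildCommand(msg, "cmd.exe", longArgs.c_str()) == BuildResult::TooLong)
        std::printf("command line too long for %zu-character buffer\n", sizeof msg.szCommand);
    return 0;
}
```

Rejecting an oversized command matters as much as not overflowing: a command line cut at the buffer boundary can lose a closing quote or a trailing argument and run something other than what was requested.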

Update Readme file with better links (at the least)

Some of the links in the readme file should point to the original site, but if we're properly forking it, we should redirect some of the links to our own site (e.g. latest binaries).

This is an extremely easy fix, so let's get it in for the first milestone.

Stretch goal: Get some additional verbiage in there saying that the information is old and not necessarily accurate anymore, and mention how we aim to improve on the existing project.

Need to ensure that the program isn't completely broken

The program seems to run something locally, though I haven't verified that it actually runs under different credentials.

For the first milestone I must at least get it running a minimal BVT.

This minimal BVT must involve running a process on a remote server. We could also have tests that run locally (for RunAs functionality), but it must be cross-server to validate that the thing does the job it was made for.

Remcom services left behind

Currently, there is a problem with remcom service. If you run the service and then something happens where you are unable to remove the service, for example: a reboot, the service is leaked and tends to clutter up the service console and registry. Since certain tools like impacket python module will spawn lots of remcom services all with a randomly generated name for each service this tends to be a problem. It sounds like it would be a good idea to have just one service which can spawn multiple processes and letting this service start with the machine, but I am not sure how feasible this idea is.

Remote command output stream redirection

We should have a way to capture stderr, stdout and stdin channels and redirect to file.

Also remcom should have silent mode so that above channels are not clobbered with remcom generated characters.

static linking

Project should use /GT rather than /GD so that static libraries are linked. In some cases remote machine may not have the vc runtime installed.

CreateNamedPipes in RemComSvc.cpp leaks non-paged memory

For the un-modified RemCom, this is not an issue, as the RemComSvc service stops and uninstalls itself when the last client disconnects. However, if someone were to modify the source so that the stop and uninstall didn't happen (i.e. the service was left running), then if many commands were executed, eventually the non-paged pool would be exhausted causing the server to become unstable.

This is because for each command that is executed, 3 named pipes are created (for stdin, stdout and stderr) and they are never closed.

The fix would be to add lines to close the pipes (free the handles) to the Execute method, following the WaitForSingleObject(hProcess...). Like so:

    if ( !pMsg->bNoWait )
    {
        WaitForSingleObject( hProcess, INFINITE );
        GetExitCodeProcess( hProcess, pReturnCode );
        //
        CloseHandle( si.hStdOutput );
        CloseHandle( si.hStdError );
        CloseHandle( si.hStdInput );
        //
    }

Hopefully I'll get round to creating the fixed version soon, but I wanted to publicise this in case anyone chooses to modify the source for their own purposes.
Jim

Error when opening "C:\Program Files (x86)\Vim\Vim72\vim.exe" - The system cannot find the file specified.

I can open C:\windows\system32\notepad.exe on \\localhost, but I cannot open C:\Program Files (x86)\Vim\Vim72\vim.exe, even though the file exists.

I believe this is because it can't handle spaces in the filename.

Repro:

  1. Copy an executable file (notepad.exe) to C:\test dir with space\
  2. Launch RemCom.exe \\localhost /user:*username* /pwd:*password* "C:\test dir with space\notepad.exe"

Expected:
The program launches correctly

Actual:
An error message is displayed -

Localhost entered for Target Machine .. Going to RunAs Command

Launching Local Process ...
ERROR: API        = CreateProcessWithLogonW.
       error code = 2.
       message    = The system cannot find the file specified.

remcom doesn't use buffered output

On Windows, because Python always assumes that you are using a buffered command window, it will not start in interactive mode and rely on the cmd window to flush the output to the user. When you are running from a windowless application that spawns a process with the CREATE_NO_WINDOW, there is no cmd window to flush the output for you. In Python you can start the interpreter in interactive mode by using the -i parameter.

Example:

impacket-0.9.10\examples>C:\Python27\python.exe psexec.py myhost/Administrator:mypassword@myhost C:\Windows\System32\cmd.exe /c python -i

will flush its output the way it is supposed to.

<<RemComSvc.cpp>>

    if ( CreateProcess(
            NULL,
            szCommand,
            NULL,
            NULL,
            TRUE,
            pMsg->dwPriority | CREATE_NO_WINDOW,
            NULL,
            pMsg->szWorkingDir[0] != _T('\0') ? pMsg->szWorkingDir : NULL,
            &si,
            &pi ) )

I wonder if there is a fix that we can implement in remcom that would tell the pipes to continuously flush themselves at regular intervals like a normal command window will do.

Consider the following:

    psi->hStdInput = CreateNamedPipe(
            szStdInPipe,
            PIPE_ACCESS_INBOUND,
            PIPE_TYPE_MESSAGE | PIPE_WAIT,
            PIPE_UNLIMITED_INSTANCES,
            0,
            0,
            (DWORD)-1,
            &SecAttrib);

http://msdn.microsoft.com/en-us/library/windows/desktop/aa365150%28v=vs.85%29.aspx

What if remcom used _PIPE_READMODE_BYTE or _PIPE_READMODE_MESSAGE?
Can someone ratify and confirm the issue for me?

silent mode for remcom

A flag like /quiet or /S /Q should be there to make remcom silent, so that remote command output can be received correctly.

Support for 64 bits targets

When the target is a 64 bits system there are some problems when sending and executing a file. For instance with a command like this: remcom \192.168.1.200 /user:midomain\miuser /pwd:mipwd /c miprogram.exe
The result is that the file is copied but it cannot be found when executed.

But as far as I have tested, if you only execute a remote command (not transfer it) it works fine.

The problem is that remcom first copies the exe to c:\windows\system32 and then executes it from the service, which is a 32 bits program.

But 32 bits programs when run in a 64 bits system by default CANNOT see c:\windows\system32. That is meant to be like that by Windows design, see references:
http://support.microsoft.com/kb/942589
http://social.msdn.microsoft.com/Forums/sl-SI/netfx64bit/thread/cfdf4474-266b-4ef5-8992-7fbdc3147521

In short in 64 bits systems there are 2 system32 folders one for 64bits programs and another for 32 bits and remcom is storing the exe in the 64bits system32 and tries to execute it on the 32bits system32 folder.

So... I can think of 2 solutions:

  1. Keep remcom service as 32 bits and keep storing the exe file in the regular (64bits) system32 folder and execute it forcing the use of the 64bits folder. That is as easy as making the service detect that it is running in a 64bits system and execute the file under the c:\windows\sysnative folder, which is how 32bits software sees the 64bits system32 folder.

  2. Compile remcom service as 64 bits too and distribute it in two flavours 32/64 bits. Then the client can choose what service to install, for instance by parsing a command line parameter...

This issue may be related (or not) with issue #10
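The path rewrite behind solution 1 above, as an added example that is not RemCom's own code. `PathAsSeenByService` and its parameters are hypothetical names; on a real system the `callerIsWow64` flag would come from the Win32 `IsWow64Process` call, and here it is passed in so the mapping logic can be run anywhere.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Case-insensitive prefix test; Windows paths are not case-sensitive.
static bool StartsWithNoCase(const std::string& s, const std::string& prefix)
{
    if (s.size() < prefix.size())
        return false;
    for (size_t i = 0; i < prefix.size(); ++i) {
        if (std::tolower(static_cast<unsigned char>(s[i])) !=
            std::tolower(static_cast<unsigned char>(prefix[i])))
            return false;
    }
    return true;
}

// Returns the path a 32-bit service has to use to reach a file that a 64-bit
// writer stored under <windowsDir>\System32. Hypothetical helper:
//   path          - where the file was copied, e.g. C:\Windows\System32\x.exe
//   windowsDir    - the Windows directory, e.g. C:\Windows
//   callerIsWow64 - true when the caller is a 32-bit process on 64-bit Windows
std::string PathAsSeenByService(const std::string& path,
                                std::string windowsDir,
                                bool callerIsWow64)
{
    // A native process sees System32 unredirected, and the Sysnative alias
    // only exists for 32-bit processes, so leave the path alone.
    if (!callerIsWow64)
        return path;

    while (!windowsDir.empty() && windowsDir.back() == '\\')
        windowsDir.pop_back();
    const std::string redirected = windowsDir + "\\System32";

    if (!StartsWithNoCase(path, redirected))
        return path;
    // Require a component boundary so "System32Backup" is not rewritten.
    if (path.size() > redirected.size() && path[redirected.size()] != '\\')
        return path;

    return windowsDir + "\\Sysnative" + path.substr(redirected.size());
}

int main()
{
    // Constructed paths; "miprogram.exe" is the file name used in the issue.
    const char* samples[] = {
        "c:\\windows\\system32\\miprogram.exe",
        "C:\\Windows\\System32Backup\\miprogram.exe",
        "C:\\Temp\\miprogram.exe",
    };
    for (const char* p : samples)
        std::printf("%s -> %s\n", p, PathAsSeenByService(p, "C:\\Windows", true).c_str());
    return 0;
}
```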

I get error message: The stub received bad data

When I just try to run cmd.exe like this:
RemCom.exe \localhost /user:xxx\yyy /pwd:zzz cmd.exe

I get the error: Remote Command Executor
Copyright 2006 The WiseGuyz [ http://talhatariq.wordpress.com ]
Author: Talha Tariq [[email protected]]

Local Admin

Localhost entered for Target Machine .. Going to RunAs Command

Launching Local Process ...
ERROR: API = CreateProcessWithLogonW.
error code = 1783.
message = The stub received bad data.

Any ideas?
I am running windows 8.1 enterprise 64 bit

Remote command parameters are limited in length

If you need to pass a lengthy parameter line to the remote command it is truncated.

The command buffer is 0x100 long only.

I am sending a patch enlarging it to 0x500, long enough for most commands

Remote command stdout and stderr can't be properly processed

Remcom client writes its own output mainly to stdout and remote command stdout and stderr is written too to remcom client stdout.

The result is that remote command stdout and stderr can't be properly processed.

Also remcom client return code is hidden by remote application return code so you can't process the client error codes.

I propose the following changes:

The client return code is now the real return code, and it's even more detailed than before with the following error codes:

//Return Codes:

// (-1) Incorrect parameters
// (-2) Malformed credentials
// (-3) Invalid target name
// (-4) Bad credentials
// (-5) Could not connect to target
// (-6) Error copying executable
// (-7) Error copying service
// (-8) Error executing service
// (-9) Error connecting to remote service

Remote command return code is shown at the stdout with the text: "Remote command returned XXX"

Now most of remcom client output goes to stderr.

Remote command stdout and stderr go to the client stdout, but stderr is enclosed by the texts: "Remote program Stderr start:\n" and "Remote program Stderr end."
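A consumer-side parser for the output format proposed above, as an added example that is not part of the proposal or of RemCom. The marker texts are the ones quoted in the issue; `SplitClientStdout` and `RemoteOutput` are hypothetical names, and the code assumes a line break follows the end marker and that the client prints the return line last.

```cpp
#include <cstdio>
#include <cstdlib>
#include <string>

// Marker texts exactly as quoted in the proposal.
static const std::string kErrStart = "Remote program Stderr start:\n";
static const std::string kErrEnd   = "Remote program Stderr end.";
static const std::string kReturned = "Remote command returned ";

struct RemoteOutput {
    std::string out;             // remote stdout
    std::string err;             // remote stderr, all framed blocks concatenated
    bool haveExitCode = false;
    long exitCode = 0;
    bool unterminated = false;   // start marker seen without its end marker
};

// Skips one line break ("\r\n" or "\n") at pos, if present.
static size_t SkipEol(const std::string& s, size_t pos)
{
    if (pos < s.size() && s[pos] == '\r') ++pos;
    if (pos < s.size() && s[pos] == '\n') ++pos;
    return pos;
}

RemoteOutput SplitClientStdout(const std::string& captured)
{
    RemoteOutput r;
    size_t pos = 0;
    while (pos < captured.size()) {
        const size_t start = captured.find(kErrStart, pos);
        if (start == std::string::npos) {            // no more stderr blocks
            r.out.append(captured, pos, std::string::npos);
            break;
        }
        r.out.append(captured, pos, start - pos);
        const size_t body = start + kErrStart.size();
        const size_t end = captured.find(kErrEnd, body);
        if (end == std::string::npos) {              // stream cut off mid-block
            r.err.append(captured, body, std::string::npos);
            r.unterminated = true;
            break;
        }
        r.err.append(captured, body, end - body);
        // Assumption: the end marker is followed by a line break.
        pos = SkipEol(captured, end + kErrEnd.size());
    }

    // Assumption: the client prints the return line last, so use the last match.
    const size_t at = r.out.rfind(kReturned);
    if (at != std::string::npos) {
        const char* digits = r.out.c_str() + at + kReturned.size();
        char* stop = nullptr;
        const long value = std::strtol(digits, &stop, 10);
        if (stop != digits) {
            r.haveExitCode = true;
            r.exitCode = value;
            const size_t used = static_cast<size_t>(stop - digits);
            const size_t lineEnd = SkipEol(r.out, at + kReturned.size() + used);
            r.out.erase(at, lineEnd - at);           // drop the status line from stdout
        }
    }
    return r;
}

int main()
{
    // Constructed capture, not output from a real RemCom run.
    const std::string sample =
        "Microsoft Windows\n"
        "Remote program Stderr start:\nAccess is denied.\nRemote program Stderr end.\n"
        "Remote command returned 5\n";
    const RemoteOutput r = SplitClientStdout(sample);
    std::printf("out=[%s] err=[%s] code=%ld\n", r.out.c_str(), r.err.c_str(), r.exitCode);
    return 0;
}
```

The framing is in-band, so a remote program that prints one of the marker texts itself cannot be told apart from the client's own framing. Scripts that act on the parsed exit code or stderr should treat the split as best effort.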

Remcom service permissions

I noticed that while running remcom, the service is installed as it should be, but it is installed with service permissions, which prevents many things because of the "Restrictive" permissions that Windows puts on services. Some examples are: running installers, installing other services, and changing user permissions. This can be fixed by changing the permissions before remcom starts running or using the win32 api calls to include a security authentication token for the CreateProcess command; modifying create process is probably the best option. Otherwise, the process will be started as the $System user, which is only bound to create headaches.

Need a test suite

There is currently no test suite, so I have no idea if my builds even work or not :)

Plan of action:

  • Get the program running
  • Get a single BVT working
  • Identify specific areas of testing and open additional issues for those

Document the high level code architecture

We need to understand and document how the code is structured.

Why are there three projects that feed into one library? What do they all accomplish?

This documentation should go up on the wiki, like the rest of our documentation (currently).

remcom file copy mode

Can we have just file copy mode for remcom ? without executing the same file.

This version can copy a file and execute the same.

Usage dialog spams screen when you enter a command incorrectly

When providing bad arguments it would be more helpful to get a short error message rather than spamming the entire screen with the usage help message. Especially something telling the user what they got wrong.

Repro:

  1. Run RemCom.exe /user:someusername

Expected:
A short message is displayed saying that you've gotten some parameters wrong, or even better, that some specific parameters are missing

Actual:
No error message is displayed - just the usage dialog
