Monday, January 25, 2010

winexe

http://eol.ovh.org/winexe/

Example: winexe --user= --password= // 'cmd /C set'

winexe remotely executes commands on Windows NT/2000/XP/2003 systems from GNU/Linux (and probably also from other Unices capable of compiling Samba4).
  1. Requirements
  2. Usage
  3. How does it work
  4. How to get it
  5. Remarks
  6. Changelog

Requirements

  • Linux/Unix side:
    • Working network
    • Samba is NOT necessary
  • Windows side:
    • Working network
    • Standard Windows installation with remote sharing and administration enabled (Windows XP Home does not support remote administration). What this means exactly:
      • Enabled services: Workstation, Server
      • "Windows Network" is running and "Printer and File Sharing" are activated
      • Enabled "Remote IPC" and "Remote Admin" shares. To verify, run "net share" in a cmd window and check that the ADMIN$ and IPC$ shares are listed. On Windows XP, enable them by turning off "Simple sharing" in "Control Panel\Folder Options\View\Use simple file sharing".
      • Account with administrative privileges and a non-empty password
      • Firewall rules allowing traffic between both machines

Usage

winexe started without arguments shows a list of options; using "--help" will show their descriptions. Most tasks can be done using the syntax:
winexe -U [Domain/]User%Password //host command
where 'host' can be given as an IP address or DNS hostname and 'command' is the command to run on the remote system.
Examples:

# winexe -U HOME/Administrator%Pass123 //192.168.0.10 "ipconfig /all"

# winexe -U HOME/Administrator%Pass123 //host 'cmd /C dir C:\'

# winexe -U HOME/Administrator%Pass123 //host.com 'cmd /C net stop wuauserv && net start wuauserv && echo AutoUpdates service restarted'

# winexe -U HOME/Administrator%Pass123 //host cmd <<EOF
>net stop wuauserv
>net start wuauserv
>echo AutoUpdates service restarted
>exit
>EOF

Many winexe options are the same as for the Samba tools; see the Samba documentation for their descriptions. Below is a description of the most important options:

winexe specific
  • host: Windows hostname given as an IP address or DNS name. Using NetBIOS names should also be possible after playing with Samba-specific options.
  • command: Command to run on the remote system. If the command contains spaces and/or parameters, use quotes and/or double quotes, e.g. '"long name.exe" -option -"option with spaces"'. To run an internal cmd interpreter command, use the "cmd /C" syntax, e.g. "cmd /C ver". If the command interacts with the desktop GUI, see the --interactive option.
  • --uninstall: Uninstall the winexesvc service after remote execution.
  • --reinstall: Reinstall the winexesvc service before remote execution.
  • --system: Run the command using the SYSTEM account.
  • --runas=[DOMAIN/]USERNAME%PASSWORD: Run the command as the given user (BEWARE: password is sent in cleartext over net).
  • --interactive=0|1: Desktop interaction: 0 - disallow, 1 - allow. If you allow it, also use the --system switch (Windows requirement). Windows Vista does not support this option.
  • --ostype=0|1|2: OS type: 0 - 32bit, 1 - 64bit, 2 - winexe will decide. Determines which version (32bit/64bit) of the service will be installed.

General
  • -U [DOMAIN/]USERNAME[%PASSWORD]: User with admin privileges for Windows authentication. Unless overridden by other options, 'command' will be run under this account. If you omit the password you will be prompted.
  • -d DEBUGLEVEL: Set debug level, 0 - no debug (default), 11 - highest level (it is safe to use bigger numbers).

Exit code: winexe returns the exit code of the remote process.

How does it work

  1. winexe connects to the IPC$ share of the host.
  2. Next it tries to open the winexesvc control named pipe (to make things easier, the pipe is called "ahexec" :)).
  3. If there is no such pipe, winexe copies winexesvc.exe to the ADMIN$ share, creates the winexesvc service, starts it and tries to connect to the control pipe again.
  4. After a successful connection it passes the optional parameters (e.g. --runas, --system) and the command itself to the winexesvc process via the pipe.
  5. winexesvc creates two pipes, ahexec_stdio%08X and ahexec_stderr%08X (where %08X is replaced by a unique number), and runs the command with I/O redirected to those pipes.
  6. winexe redirects those pipes to the Linux console.
  7. After the command exits, winexe returns its exit code to the system.
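
The artifacts named in the steps above (the winexesvc service, winexesvc.exe copied to ADMIN$, and the ahexec pipes) are what a defender can correlate to spot winexe use on a Windows host. The following is an added example, not code from winexe or from the original page; the event schema (host/kind/name), the verdict labels and the sample events are constructed assumptions.

```python
import re

# Artifact names from the "How does it work" steps; %08X is 8 hex digits.
CONTROL_PIPE = re.compile(r"ahexec", re.I)
IO_PIPE = re.compile(r"ahexec_(stdio|stderr)[0-9a-f]{8}", re.I)
INSTALL_STEPS = {"binary_copied", "service_created"}

def classify(event):
    """Return the winexe step a normalised event evidences, or None."""
    kind, name = event["kind"], event["name"].lstrip("\\")
    if kind == "file_write" and name.lower().endswith("\\winexesvc.exe"):
        return "binary_copied"      # step 3: copy to ADMIN$
    if kind == "service_install" and name.lower() == "winexesvc":
        return "service_created"    # step 3: service creation
    if kind == "pipe" and CONTROL_PIPE.fullmatch(name):
        return "control_pipe"       # steps 2 and 4
    if kind == "pipe" and IO_PIPE.fullmatch(name):
        return "io_pipe"            # step 5
    return None

def summarise(events):
    """Correlate evidence per host into a verdict string."""
    seen = {}
    for ev in events:
        if (step := classify(ev)):
            seen.setdefault(ev["host"], set()).add(step)
    verdicts = {}
    for host, steps in seen.items():
        installed = bool(steps & INSTALL_STEPS)
        if {"control_pipe", "io_pipe"} <= steps:
            # Pipes without install evidence: service was left from an earlier run.
            verdicts[host] = "execution+install" if installed else "execution"
        else:
            verdicts[host] = "install-only" if installed else "partial"
    return verdicts

# Constructed sample events in a hypothetical normalised schema (not real logs).
SAMPLE = [
    {"host": "ws01", "kind": "file_write", "name": r"C:\Windows\winexesvc.exe"},
    {"host": "ws01", "kind": "service_install", "name": "winexesvc"},
    {"host": "ws01", "kind": "pipe", "name": r"\ahexec"},
    {"host": "ws01", "kind": "pipe", "name": r"\ahexec_stdio00000A3C"},
    {"host": "ws02", "kind": "pipe", "name": r"\ahexec"},
    {"host": "ws02", "kind": "pipe", "name": r"\ahexec_stderr00001F40"},
    {"host": "ws03", "kind": "service_install", "name": "winexesvc"},
    {"host": "ws04", "kind": "pipe", "name": r"\spoolss"},
]

if __name__ == "__main__": print(summarise(SAMPLE))
```

Pipe-only activity (ws02 in the sample) matters because step 3 is skipped whenever the control pipe already exists, so a host where the service was not removed with --uninstall shows no new service or file event on later runs.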

How to get it

winexe sources are hosted on Zenoss together with the DCOM/WMI client for Linux. You can get the sources from here: winexe-source-081123.tar.bz2
How to get it:
  • Precompiled version (linked statically)
    • Download winexe-static-081123.bz2
    • Unpack: bunzip2 winexe-static-081123.bz2
    • Change permissions if necessary: chmod a+x winexe
    • Use it
    • FYI: During static linking I have received the following warnings:
      bin/static/libldb.a(ldb_modules.o): In function `ldb_try_load_dso':
      ldb_modules.c:(.text+0x4c5): warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
      bin/static/libauth.a(auth_unix.o): In function `talloc_getpwnam':
      auth_unix.c:(.text+0x3f6): warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
      bin/static/libheimdal_krb5.a(get_default_principal.o): In function `_krb5_get_default_principal_local':
      get_default_principal.c:(.text+0x132): warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
      bin/static/libheimdal_krb5.a(addr_families.o): In function `krb5_parse_address':
      addr_families.c:(.text+0x1780): warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
      bin/static/libsamba-socket.a(socket_ipv6.o): In function `ipv6_tcp_get_peer_name':
      socket_ipv6.c:(.text+0xa12): warning: Using 'gethostbyaddr' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
      bin/static/libsamba-util.a(system.o): In function `sys_gethostbyname':
      system.c:(.text+0x19): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
      bin/static/libsamba-socket.a(socket_ipv6.o): In function `interpret_addr6':
      socket_ipv6.c:(.text+0x76): warning: Using 'gethostbyname2' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
      bin/static/libheimdal_krb5.a(get_port.o): In function `krb5_getportbyname':
      get_port.c:(.text+0x20): warning: Using 'getservbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
      
      GLIBC version used for linking: 2.9
      WARNING: Users report that the static version often crashes on systems with a different GLIBC version.
      You can check the GLIBC version using the command: ldd --version
  • Compile from sources
    • Install necessary packages (gcc, svn, *-devel....)
    • Get sources from winexe-source-081123.tar.bz2.
    • Compile samba according to README file:
      • cd to unpacked tar.bz2 sources
      • ./autogen.sh
      • ./configure
      • make proto bin/winexe
    • Compiled file will be located in wmi/Samba/source/bin/winexe
    • Install winexe:
      install -s wmi/Samba/source/bin/winexe /usr/local/bin/winexe
I have not tested these instructions step by step, but I hope the idea is clear.

Remarks

  • winexe is very quiet; if you want some (not too much) debug info, run it with the -d 1 parameter.
  • wmi/Samba/source/winexe/winexesvc can be compiled with a cross-compiler, or on Windows using Cygwin or Mingw32. If you compile the service under Windows, after a successful make copy winexesvc_exe.c into the wmi/Samba/source/winexe/winexesvc/ directory. You can also use the 'precompiled' version of winexesvc_exe.c, which is included in svn; you can 'touch' it to fool the compiler if necessary.

Changelog

0.90 - 22/11/08 Added 64bit version of winexesvc, and option --ostype=0|1|2.
   Where os type can be (0 - 32bit, 1 - 64bit, 2 - winexe will decide).
0.80 - 26/10/07 Added --interactive option.
   winexesvc is replaced only if version differs on more than last digit.
0.77 - 11/10/07 Fixed bug causing winexe crash during service uninstallation.
0.76 - 10/10/07 Service status is checked during service (un)installation.
   Corrected service installation code(case of deleted winexesvc.exe file).
0.75 - 09/07/07 Added workaround for delayed pipe handle destruction(error 0x000000E7).
   Removed token handle leaks in case of error condition.
0.74 - 04/07/07 Added version checking and automatic service reinstallation
   Pipe names now depend on ProcessID (should solve issue with unterminated winexe processes)
0.73 - 29/06/07 Corrected bug in signal handling
0.72 - 26/06/07 Added winexe INT/TERM signal handling
0.71 - 22/05/07 Workarounds for win2003sp2 service (re)installation issues
   Removed token handle leaks in winexesvc
0.7 - 25/07/06 Making code more pretty.
   By default commands run on user's account.
   Added --system - commands run on system account.
   Added --runas - any user can be impersonated(BEWARE: passwords are sent in clear text).
   Many changes in winexesvc.
0.61 - 07/07/06 Fixed bug in svcctl.idl
   Changed types of 'dependencies' and 'password' params in CreateServiceW.
0.6 - 07/07/06 svcctl.idl cosmetics
   Linux code style applied, semi automatic.
   Removed // style comments.
   Changed includes  to 

0.5 - 06/07/06 Cleaned up winexe/service code.
   Changed deps in winexe/config.mk.
   Renamed directory service to winexesvc.
   STDIN read corrected.
   async_write serialized - now server should receive input in correct order.
0.4 - 02/07/06 Added dependencies in winexe/config.mk to auto rebuild service.
   Turned off timeouts - process does not disconnect after 60sec.
   Added some debug messages.
   Removed small leaks in winexesvc.
0.3 - 02/07/06 winexe is fully integrated with smb_build system. Now there is
   no need to separately compile winexe/service. I have also removed symlink
   to winexesvc_exe.c, should be cleaner.
0.2 - 02/07/06 Now it works with NT - all pipes are created with security
   descriptor allowing admins to open it.
   Added options --reinstall/--uninstall.
   Added error messages, cleaned debug messages(-d 1).
   Some code cleaning.
   Added 'precompiled' winexe/service/winexesvc_exe.c, for users without
   crosscompiler or windows compile environment.
0.1 - 01/07/06 In winexe dir added link to winexe/service/winexesvc_exe.c,
   I am not sure if patch utility supports it.
0.0 - 30/06/06 Initial release

Donations

You can support development of winexe by making donations via PayPal or Moneybookers.

My e-mail: andrzej.hajda at wp.pl