winexe
http://eol.ovh.org/winexe/
Example: winexe --user=
Requirements
- Linux/Unix side:
  - Working network
  - Samba is NOT necessary
- Windows side:
  - Working network
  - Standard Windows installation with remote sharing and administration enabled (Windows XP Home does not support remote administration). What this means exactly:
    - Enabled services: Workstation, Server
    - "Windows Network" is running and "Printer and File Sharing" is activated
    - "Remote IPC" and "Remote Admin" shares are enabled. To verify, run "net share" in a cmd box and check that the ADMIN$ and IPC$ shares are listed. In Windows XP, enable them by turning off "Simple sharing" in "Control Panel\Folder Options\View\Use simple file sharing".
  - Account with administrative privileges and a non-empty password
  - Firewall rules allowing traffic between both machines
Usage
winexe started without arguments shows the list of options; "--help" shows their descriptions. Most tasks can be done using the syntax:
  winexe -U [Domain/]User%Password //host command
where 'host' can be given as an IP address or DNS hostname and 'command' is the command which will be run on the remote system.
Examples:
  # winexe -U HOME/Administrator%Pass123 //192.168.0.10 "ipconfig /all"
  # winexe -U HOME/Administrator%Pass123 //host 'cmd /C dir C:\'
  # winexe -U HOME/Administrator%Pass123 //host.com 'cmd /C net stop wuauserv && net start wuauserv && echo AutoUpdates service restarted'
  # cat | winexe -U HOME/Administrator%Pass123 //host cmd <<EOF
  > net stop wuauserv
  > net start wuauserv
  > echo AutoUpdates service restarted
  > exit
  > EOF
Many options of winexe are the same as for the Samba tools, and you can find their descriptions in the Samba documentation. The most important options are described below:
winexe specific | |
host | Windows hostname provided as an IP address or DNS name. Using NETBIOS names should also be possible after playing with Samba specific options. |
command | Command which will be run on the remote system. If the command contains spaces and/or parameters, use quotes and/or double quotes, ex. '"long name.exe" -option -"option with spaces"'. If you would like to run an internal cmd interpreter command, use the "cmd /C" syntax, ex. "cmd /C ver". If the command interacts with the desktop GUI, check the option --interactive. |
--uninstall | Uninstall winexesvc service after remote execution |
--reinstall | Reinstall winexesvc service before remote execution |
--system | Run command using SYSTEM account |
--runas=[DOMAIN/]USERNAME%PASSWORD | Run command as user (BEWARE: password is sent in cleartext over net) |
--interactive=0|1 | Desktop interaction: 0 - disallow, 1 - allow. If you allow it, also use the --system switch (Win requirement). Windows Vista does not support this option. |
--ostype=0|1|2 | OS type: 0 - 32bit, 1 - 64bit, 2 - winexe will decide. Determines which version (32bit/64bit) of service will be installed. |
General | |
-U [DOMAIN/]USERNAME[%PASSWORD] | User with admin privileges for Windows authentication. If not overridden by other options, 'command' will be run on this account. If you omit the password you will be prompted. |
-d DEBUGLEVEL | Set debug level, 0 - no debug (default), 11 - highest level (it is safe to use bigger numbers) |
How does it work
- winexe connects to the IPC$ share of the host.
- Next it tries to open the winexesvc control named pipe (to make things easier the pipe is called "ahexe" :)).
- If there is no such pipe, winexe copies winexesvc.exe to the ADMIN$ share, creates the winexesvc service, starts it and tries to connect to the control pipe again.
- After a successful connection it passes optional parameters (ex. --runas, --system) and the command itself to the winexesvc process via the pipe.
- winexesvc creates two pipes, ahexec_stdio%08X and ahexec_stderr%08X (where %08X is replaced by a unique number), and runs the command with I/O redirected to those pipes.
- winexe redirects those pipes to the Linux console.
- After the command exits, winexe returns its exit code to the system.
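A defender's view of the steps above, as an added example that is not part of the original page or of the winexe project: it matches the service, binary and pipe names listed in the steps against event records and separates first use on a host (service install) from later sessions. The records are simplified, constructed input with hypothetical field names (host, kind, name, path), not a real Windows log schema.

```python
import re

# Artifact names come from the "How does it work" steps on this page.
SERVICE_NAME = "winexesvc"
SERVICE_BINARY = "\\winexesvc.exe"
# Control pipe: "ahexe" per the page; the optional "c" also accepts "ahexec".
CONTROL_PIPE = re.compile(r"^ahexec?$", re.IGNORECASE)
# I/O pipes: ahexec_stdio%08X / ahexec_stderr%08X, i.e. exactly 8 hex digits.
IO_PIPE = re.compile(r"^ahexec_(?:stdio|stderr)([0-9A-F]{8})$", re.IGNORECASE)

def classify(event):
    """Return a finding label for one event record, or None if unrelated."""
    if event["kind"] == "service_install":
        path = event.get("path", "").lower()
        if event["name"].lower() == SERVICE_NAME or path.endswith(SERVICE_BINARY):
            return "service-install"
    elif event["kind"] == "pipe_create":
        pipe = event["name"].lstrip("\\")
        if CONTROL_PIPE.match(pipe):
            return "control-pipe"
        match = IO_PIPE.match(pipe)
        if match:
            return "session:" + match.group(1).upper()

def correlate(events):
    """Map each host to the set of winexe artifact labels seen on it."""
    report = {}
    for event in events:
        label = classify(event)
        if label:
            report.setdefault(event["host"], set()).add(label)
    return report

def first_use_hosts(report):
    """Hosts where the service was installed, i.e. the copy-and-create step ran."""
    return sorted(h for h, labels in report.items() if "service-install" in labels)

# Constructed sample records (simplified fields, not a real log schema).
SAMPLE_EVENTS = [
    {"host": "WS01", "kind": "service_install", "name": "winexesvc",
     "path": "C:\\Windows\\winexesvc.exe"},
    {"host": "WS01", "kind": "pipe_create", "name": "\\ahexec"},
    {"host": "WS01", "kind": "pipe_create", "name": "\\ahexec_stdio0000113C"},
    {"host": "WS01", "kind": "pipe_create", "name": "\\ahexec_stderr0000113C"},
    {"host": "WS02", "kind": "pipe_create", "name": "\\ahexec_stdio113C"},
    {"host": "WS03", "kind": "pipe_create", "name": "\\ahexec_stdio00000a20"},
]
```

The WS02 record is ignored because its suffix is not eight hex digits, and WS03 shows a session on a host where the service was already present.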
How to get it
- Precompiled version (linked statically)
  - Download winexe-static-081123.bz2
  - Unpack: bunzip2 winexe-static-081123.bz2
  - Change permissions if necessary: chmod a+x winexe
  - Use it
  - FYI: During static linking I received the following warnings:
    bin/static/libldb.a(ldb_modules.o): In function `ldb_try_load_dso':
    ldb_modules.c:(.text+0x4c5): warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
    bin/static/libauth.a(auth_unix.o): In function `talloc_getpwnam':
    auth_unix.c:(.text+0x3f6): warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
    bin/static/libheimdal_krb5.a(get_default_principal.o): In function `_krb5_get_default_principal_local':
    get_default_principal.c:(.text+0x132): warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
    bin/static/libheimdal_krb5.a(addr_families.o): In function `krb5_parse_address':
    addr_families.c:(.text+0x1780): warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
    bin/static/libsamba-socket.a(socket_ipv6.o): In function `ipv6_tcp_get_peer_name':
    socket_ipv6.c:(.text+0xa12): warning: Using 'gethostbyaddr' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
    bin/static/libsamba-util.a(system.o): In function `sys_gethostbyname':
    system.c:(.text+0x19): warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
    bin/static/libsamba-socket.a(socket_ipv6.o): In function `interpret_addr6':
    socket_ipv6.c:(.text+0x76): warning: Using 'gethostbyname2' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
    bin/static/libheimdal_krb5.a(get_port.o): In function `krb5_getportbyname':
    get_port.c:(.text+0x20): warning: Using 'getservbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
  - GLIBC version used for linking: 2.9
  - WARNING: Users report that the static version often crashes on systems with a different GLIBC version. You can check the GLIBC version using the command: ldd --version
- Compile from sources
  - Install necessary packages (gcc, svn, *-devel....)
  - Get sources from winexe-source-081123.tar.bz2.
  - Compile samba according to README file:
    - cd to unpacked tar.bz2 sources
    - ./autogen.sh
    - ./configure
    - make proto bin/winexe
  - Compiled file will be located in wmi/Samba/source/bin/winexe
  - Install winexe:
    install -s wmi/Samba/source/bin/winexe /usr/local/bin/winexe
Remarks
- winexe is very quiet. If you want some (not too much) debug info, run it with the -d 1 parameter.
- wmi/Samba/source/winexe/winexesvc can be compiled by a crosscompiler or in Windows using Cygwin or Mingw32. If you compile the service under Windows, after a successful make copy winexesvc_exe.c into the wmi/Samba/source/winexe/winexesvc/ directory. You can also use the 'precompiled' version of winexesvc_exe.c, which is included in svn; you can 'touch' it to fool the compiler if necessary.
Changelog
0.90 - 22/11/08 Added 64bit version of winexesvc, and option --ostype=0|1|2, where os type can be (0 - 32bit, 1 - 64bit, 2 - winexe will decide).
0.80 - 26/10/07 Added --interactive option. winexesvc is replaced only if version differs on more than last digit.
0.77 - 11/10/07 Fixed bug causing winexe crash during service uninstallation.
0.76 - 10/10/07 Service status is checked during service (un)installation. Corrected service installation code (case of deleted winexesvc.exe file).
0.75 - 09/07/07 Added workaround for delayed pipe handle destruction (error 0x000000E7). Removed token handle leaks in case of error condition.
0.74 - 04/07/07 Added version checking and automatic service reinstallation. Pipe names now depend on ProcessID (should solve issue with unterminated winexe processes).
0.73 - 29/06/07 Corrected bug in signal handling.
0.72 - 26/06/07 Added winexe INT/TERM signal handling.
0.71 - 22/05/07 Workarounds for win2003sp2 service (re)installation issues. Removed token handle leaks in winexesvc.
0.7 - 25/07/06 Making code more pretty. By default commands run on user's account. Added --system - commands run on system account. Added --runas - any user can be impersonated (BEWARE: passwords are sent in clear text). Many changes in winexesvc.
0.61 - 07/07/06 Fixed bug in svcctl.idl. Changed types of 'dependencies' and 'password' params in CreateServiceW.
0.6 - 07/07/06 svcctl.idl cosmetics. Linux code style applied, semi automatic. Removed // style comments. Changed includesto
0.5 - 06/07/06 Cleaned up winexe/service code. Changed deps in winexe/config.mk. Renamed directory service to winexesvc. STDIN read corrected. async_write serialized - now server should receive input in correct order.
0.4 - 02/07/06 Added dependencies in winexe/config.mk to auto rebuild service. Turned off timeouts - process does not disconnect after 60sec. Added some debug messages. Removed small leaks in winexesvc.
0.3 - 02/07/06 winexe is fully integrated with smb_build system. Now there is no need to separately compile winexe/service. I have also removed symlink to winexesvc_exe.c, should be cleaner.
0.2 - 02/07/06 Now it works with NT - all pipes are created with security descriptor allowing admins to open it. Added options --reinstall/--uninstall. Added error messages, cleaned debug messages (-d 1). Some code cleaning. Added 'precompiled' winexe/service/winexesvc_exe.c, for users without crosscompiler or windows compile environment.
0.1 - 01/07/06 In winexe dir added link to winexe/service/winexesvc_exe.c, I am not sure if patch utility supports it.
0.0 - 30/06/06 Initial release
Donations
You can support development of winexe by making donations via PayPal or Moneybookers.
My e-mail: andrzej.hajda at wp.pl
9 Comments:
Any support for Windows 7?
I want to execute one exe file which is in Win7 64bit OS.
Hi,
Hope you can help
What ports does it use?
"Firewall rules allowing traffic between both machines" doesn't fly with requests to network firewall teams.
Thanks,
C
Look below Document for WinExe example
WinExe example