winexe homepage :)

winexe

Donate:

winexe remotely executes commands on WindowsNT/2000/XP/2003 systems from GNU/Linux (probably also other Unices capable to compile Samba4).

Requirements
Usage
How does it work
How to get it
Remarks
Changelog
Donations

Requirements

Linux/Unix side:
- Working network
- Samba is NOT neccessary
Windows side:
- Working network
- Standard Windows installation with enabled remote sharing and administration (Windows XP Home do not support remote administration). What does it mean exactly:
  - Enabled services: Workstation, Server
  - "Windows Network" is running and "Printer and File Sharing" are activated
  - Enabled "Remote IPC" and "Remote Admin" shares. To verify it, in cmd box run command "net share", and check if there are ADMIN$ and IPC$ shares. In Windows XP to enable it you should turn off "Simple sharing" in "Control Panel\Folder Options\View\Use simple file sharing".
  - Account with administrative privileges and not empty password
  - Firewall rules allowing traffic between both machines

Usage

winexe started without arguments shows list of options, using "--help" will show their descriptions. Most of the tasks can be done using syntax:

winexe -U [Domain/]User%Password //host command

Where 'host' can be given as ip number or DNS hostname and 'command' is a command which will be run on remote system.

Examples:

# winexe -U HOME/Administrator%Pass123 //192.168.0.10 "ipconfig /all"

# winexe -U HOME/Administrator%Pass123 //host 'cmd /C dir C:\'

# winexe -U HOME/Administrator%Pass123 //host.com 'cmd /C net stop wuauserv && net start wuauserv && echo AutoUpdates service restarted'

# cat | winexe -U HOME/Administrator%Pass123 //host cmd <<EOF
>net stop wuauserv
>net start wuauserv
>echo AutoUpdates service restarted
>exit
>EOF

Many options of winexe are the same as for Samba tools and you can check for their description in Samba documentation. Below description of most important options:

winexe specific
host	Windows hostname provided as ip address or DNS name. Using NETBIOS names should be also possible after playing with Samba specific options.
command	Command which will be run on remote system. If command contains spaces and/or parameters use quotes and/or double quotes, ex. '"long name.exe" -option -"option with spaces"', if you like to run internal cmd interpreter command use "cmd /C" syntax, ex. "cmd /C ver". If command interact with desktop GUI check option --interactive.
--uninstall	Uninstall winexesvc service after remote execution
--reinstall	Reinstall winexesvc service before remote execution
--system	Run command using SYSTEM account
--runas=[DOMAIN/]USERNAME%PASSWORD	Run command as user (BEWARE: password is sent in cleartext over net)
--interactive=0\|1	Desktop interaction: 0 - disallow, 1 - allow. If you allow use also --system switch (Win requirement). Windows Vista do not support this option.
General
-U [DOMAIN/]USERNAME[%PASSWORD]	User with admin privileges for Windows authentication. If not overrided by other options 'command' will be run on this account. If you omit password you will be prompted.
-d DEBUGLEVEL	Set debug level, 0 - no debug (default), 11 - highest level (it is safe to use bigger numbers)

Exit code: winexe returns exit code of remote process.

How does it work

winexe connects to IPC$ share of host.
Next it tries to open winexesvc control named pipe (to make things easier pipe is called "ahexe" :)).
If there is not such pipe, winexe copies winexesvc.exe to ADMIN$ share, creates winexesvc service, starts it and tries to connect to control pipe again.
After succesfull connection it passess optional parameters (ex. --runas, --system) and the command itself to winexesvc process via the pipe.
winexesvc creates two pipes: ahexec_stdio%08X, and ahexec_stderr%08X(where %08X is replaced by unique number) and runs command with I/O redirected to those pipes.
winexe redirects those pipes to Linux console.
After command exit winexe return its exit code to system.

How to get it

winexe sources are hosted on Zenoss together with DCOM/WMI client for Linux.
You can get also 'release' sources from here: winexe-source-071026.tar.bz2

How to get it:

Precompiled version (linked statically)

Download winexe-static-071026.bz2
Unpack: bunzip2 winexe-static-071026.bz2
Change permissions if necessary: chmod a+x winexe
Use it

FYI: During static linking I have recieved following warnings:

/usr/lib/gcc/i686-pld-linux/4.1.1/../../../libpam.a(pam_handlers.o)(.text+0xefa): In function `_pam_add_handler':
pam_handlers.c: warning: Using 'dlopen' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
bin/static/libauth.a(auth_unix.o)(.text+0x444): In function `talloc_getpwnam':
auth/auth_unix.c:109: warning: Using 'getpwnam' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
bin/static/libheimdal_krb5.a(get_default_principal.o)(.text+0x132): In function `_krb5_get_default_principal_local':
heimdal/lib/krb5/get_default_principal.c:79: warning: Using 'getpwuid' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
bin/static/libheimdal_krb5.a(addr_families.o)(.text+0x1773): In function `krb5_parse_address':
heimdal/lib/krb5/addr_families.c:952: warning: Using 'getaddrinfo' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
bin/static/libsamba-socket.a(socket_ipv6.o)(.text+0xad4): In function `ipv6_tcp_get_peer_name':
lib/socket/socket_ipv6.c:285: warning: Using 'gethostbyaddr' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
bin/static/libsamba-util.a(system.o)(.text+0x19): In function `sys_gethostbyname':
lib/util/system.c:79: warning: Using 'gethostbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
bin/static/libsamba-socket.a(socket_ipv6.o)(.text+0x76): In function `interpret_addr6':
lib/socket/socket_ipv6.c:37: warning: Using 'gethostbyname2' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking
bin/static/libheimdal_krb5.a(get_port.o)(.text+0x20): In function `krb5_getportbyname':
heimdal/lib/krb5/get_port.c:46: warning: Using 'getservbyname' in statically linked applications requires at runtime the shared libraries from the glibc version used for linking

GLIBC version used for linking: 2.3.6
WARNING:Users reports that static version often crashes on systems with different GLIBC version
You can check GLIBC version using command: ldd --version

Compile from sources
- Install necessary packages (gcc, svn, *-devel....)
- Get sources from SVN repository:
```
svn co http://dev.zenoss.org/svn/trunk/wmi wmi
```
  or from winexe-source-071026.tar.bz2.
- Compile samba according to README file:
  - cd wmi/Samba/source or to unpacked tar.bz2 sources
  - ./autogen.sh
  - ./configure
  - make proto bin/winexe
- Compiled file will be located in wmi/Samba/source/bin/winexe
- Install winexe:
```
install -s wmi/Samba/source/bin/winexe /usr/local/bin/winexe
```

I have not tested those instructions step by step, but I hope idea is clear.

Remarks

winexe is very quiet, if you want to have some (not too much) debug info run with -d 1 parameter.
wmi/Samba/source/winexe/winexesvc can be compiled by crosscompiler or in Windows using Cygwin or Mingw32. If you compile service under win after succesfull make, copy winexesvc_exe.c into wmi/Samba/source/winexe/winexesvc/ directory. You can also use 'precompiled' version of winexesvc_exe.c, which is included in svn, you can 'touch' it to fool compiler if neccessary.

Changelog

Development changelog is located at Zenoss trac.
Release changelog:

0.80 - 26/10/07 Added --interactive option.
winexesvc is replaced only if version differs on more than last digit.
0.77 - 11/10/07 Fixed bug causing winexe crash during service uninstallation.
0.76 - 10/10/07 Service status is checked during service (un)installation.
Corrected service installation code(case of deleted winexesvc.exe file).
0.75 - 09/07/07 Added workaround for delayed pipe handle destruction(error 0x000000E7).
Removed token handle leaks in case of error condition.
0.74 - 04/07/07 Added version checking and automatic service reinstallation
Pipe names now depends on ProcessID(should solve issue with unterminated winexe processes)
0.73 - 29/06/07 Corrected bug in signal handling
0.72 - 26/06/07 Added winexe INT/TERM signal handling
0.71 - 22/05/07 Workarounds for win2003sp2 service (re)installation issues
Removed token handle leaks in winexesvc
0.7 - 25/07/06 Making code more pretty.
By default commands run on user's account.
Added --system - commands run on system account.
Added --runas - any user can be impersonated(BEWARE: passwords are sent in clear text).
Many changes in winexesvc.
0.61 - 07/07/06 Fixed bug in svcctl.idl
Changed types of 'dependencies' and 'password' params in CreateServiceW.
0.6 - 07/07/06 svcctl.idl cosmetics
Linux code style applied, semi automatic.
Removed // style comments.
Changed includes to
0.5 - 06/07/06 Cleaned up winexe/service code.
Changed deps in winexe/config.mk.
Renamed directory service to winexesvc.
STDIN read corrected.
async_write serialized - now server should receive input in correct order.
0.4 - 02/07/06 Added dependencies in winexe/config.mk to auto rebuild service.
Turned off timeouts - proces do not disconnect after 60sec.
Added some debug messages.
Removed small leaks in winexesvc.
0.3 - 02/07/06 winexe is fully integrated with smb_build system. Now there is
no need to separately compile winexe/service. I have also removed symlink
to winexesvc_exe.c, should be cleaner.
0.2 - 02/07/06 Now it works with NT - all pipes are created with security
descriptor allowing admins to open it.
Added options --reinstall/--uninstall.
Added error messages, cleaned debug messages(-d 1).
Some code cleaning.
Added 'precompiled' winexe/service/winexesvc_exe.c, for users without
crosscompiler or windows compile enironment.
0.1 - 01/07/06 In winexe dir added link to winexe/service/winexesvc_exe.c,
I am not sure if patch utility supports it.
0.0 - 30/06/06 Initial release

Donations

You can support developement of winexe by making donations via PayPal or Moneybookers:

Donate:

My e-mail: andrzej.hajda at wp.pl