impacket icon indicating copy to clipboard operation
impacket copied to clipboard

Published 20 hours ago verified publisher icon fortra

Exception when running tstool.py with verb qwinsta

Open d0gkiller87 opened this issue 2 years ago • 1 comments

Configuration

impacket version: v0.10.1.dev1 (commit 3c6713e) Python version: 3.8.10 (x64) Target OS: Windows 10 21H2 (Build 19044.1826)

Debug Output With Command String

python3 tstool.py [email protected] -hashes :aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa qwinsta

Impacket v0.10.1.dev1 - Copyright 2022 SecureAuth Corporation

Traceback (most recent call last):
  File "C:\python38\current\Scripts\tstool.py", line 612, in <module>
    tsHandler.run(remoteName, options.target_ip)
  File "C:\python38\current\Scripts\tstool.py", line 82, in run
    getattr(self,'do_'+self.__action)()
  File "C:\python38\current\Scripts\tstool.py", line 159, in do_qwinsta
    self.enumerate_sessions_info()
  File "C:\python38\current\Scripts\tstool.py", line 143, in enumerate_sessions_info
    self.sessions[SessionId]['ConnectTime'] = sessdata['LSMSessionInfoExPtr']['LSM_SessionInfo_Level1']['ConnectTime']
  File "C:\python38\current\lib\site-packages\impacket\dcerpc\v5\ndr.py", line 140, in __getitem__
    return self.fields[key]['Data']
  File "C:\python38\current\lib\site-packages\impacket\dcerpc\v5\tsts.py", line 181, in __getitem__
    return datetime.fromtimestamp(getUnixTime(int(str(self.fields[key]))))
OSError: [Errno 22] Invalid argument
[-] [Errno 22] Invalid argument

Additional context

For some reason, running tstool.py with verb qwinsta will cause an exception. This is what I've known so far: In file impacket\dcerpc\v5\tsts.py line 181, self.fields['Data'] holds the value 0. which was passed to getUnixTime() and it returns a negative number. That negative number was passed to datetime.fromtimestamp() which eventually caused an OSError.

I'm afraid that I can't to dig deeper right away. The fix I found is to simply return 0 in getUnixTime() when the numbers passed in are lower than 116444736000000000 and everything seems to be working now.

d0gkiller87 avatar Jul 26 '22 08:07 d0gkiller87

@nopernik I think your help may be needed.

mohemiv avatar Aug 30 '22 07:08 mohemiv

Sorry for late answer. Looks like this issue exists only in Windows OS. Windows:

>>> datetime.fromtimestamp(-1)
Traceback (most recent call last):
  File "<stdin>", line 1, in <module>
OSError: [Errno 22] Invalid argument

Linux:

>>> datetime.fromtimestamp(-1)
datetime.datetime(1970, 1, 1, 1, 59, 59)

Seems implemented in commit #1375

nopernik avatar Jun 16 '23 09:06 nopernik