📄 smb_nt.inc
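if(!ret && !ntlmv1) ret = smb_session_setup_NTLMvN(soc:soc, login:login, password:password, domain:domain, cs:smb_neg_prot_cs(prot:prot), version:1);
 return ret;
}}

#------------------------------------------------------#
# connection to a remote share                         #
#------------------------------------------------------#

#
# Connect to <share> on host <name> over the authenticated session <uid>
# (SMB command 0x75, TREE_CONNECT_ANDX).
#
# Returns the raw reply when its status byte (r[9]) is zero.  Returns FALSE
# when the reply is missing/short, when the server reports an error, or when
# the path is too long for the single-byte length fields this packet uses.
#
function smb_tconx(soc, name, uid, share)
{
  local_var high, low, len, ulen, req, r;

  high = uid / 256;
  low  = uid % 256;

  # Both lengths are emitted as ONE byte below (NetBIOS length and SMB byte
  # count), so a value above 255 would silently wrap and produce a corrupt
  # packet.  Refuse such paths instead of sending garbage.
  len  = 48 + strlen(name) + strlen(share) + 6;
  ulen = 5 + strlen(name) + strlen(share) + 6;
  if (len > 255) return(FALSE);

  req = raw_string(0x00, 0x00, 0x00, len,                # NetBIOS session message
                   0xFF, 0x53, 0x4D, 0x42, 0x75,          # "\xFFSMB", TREE_CONNECT_ANDX
                   0x00, 0x00, 0x00, 0x00, 0x18, 0x01, 0x20,
                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x28,
                   low, high,                             # UID
                   0x00, 0x00,
                   0x04, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
                   ulen, 0x00,                            # byte count
                   0x00,                                  # (empty) password
                   0x5C, 0x5C)                            # "\\" + name + "\" + share
        + name + raw_string(0x5C) + share + raw_string(0x00)
        + "?????" + raw_string(0x00);                     # service type: any

  send(socket:soc, data:req);
  r = smb_recv(socket:soc, length:1024);
  if (strlen(r) < 10) return(FALSE);

  if (ord(r[9]) == 0) return(r);
  return(FALSE);
}

#------------------------------------------------------#
# Extract the TID from the result of smb_tconx()       #
#------------------------------------------------------#

#
# <reply> is the raw buffer returned by smb_tconx().  The tree id is the
# little-endian 16-bit value at bytes 28..29; FALSE is returned when the
# buffer is too short to hold it.
#
function tconx_extract_tid(reply)
{
  local_var low, high;

  if (strlen(reply) < 30) return(FALSE);

  low  = ord(reply[28]);
  high = ord(reply[29]);
  return(high * 256 + low);
}

#--------------------------------------------------------#
# Request the creation of a pipe to name.  Name must     #
# contain '\'.                                           #
#--------------------------------------------------------#

#
# Open <name> on tree <tid> with SMB command 0xA2 (NT_CREATE_ANDX).
#
# When <always_return_blob> is set the raw reply is returned whatever the
# server answered.  Otherwise the reply is returned only when its status
# byte (r[9]) is zero, and FALSE in every other case (short reply, error
# status, or a request too long for the single-byte NetBIOS length field).
#
function smbntcreatex(soc, uid, tid, name, always_return_blob)
{
  local_var tid_high, tid_low, uid_high, uid_low, req, r;

  tid_high = tid / 256;
  tid_low  = tid % 256;
  uid_high = uid / 256;
  uid_low  = uid % 256;

  req = raw_string(0xFF, 0x53, 0x4D, 0x42, 0xA2,          # "\xFFSMB", NT_CREATE_ANDX
                   0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0x00, 0x50, 0x81,
                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                   tid_low, tid_high, 0x00, 0x28, uid_low, uid_high, g_mlo, g_mhi,
                   0x18, 0xFF, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00,
                   0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                   0x9F, 0x01, 0x02, 0x00,                # desired access mask
                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                   0x00, 0x00, 0x00, 0x00,
                   0x03, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
                   0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x00,
                   (strlen(name) + 1) % 256, 0x00)        # byte count: name + NUL
        + name + raw_string(0x00);

  # The NetBIOS length is only the low byte of the real length; a longer
  # request cannot be framed correctly, so do not send it.
  if (strlen(req) > 255) return(FALSE);
  req = raw_string(0x00, 0x00, 0x00, strlen(req) % 256) + req;

  send(socket:soc, data:req);
  r = smb_recv(socket:soc, length:4000);

  if (always_return_blob) return r;
  if (strlen(r) < 10) return(FALSE);

  if (ord(r[9]) == 0x00) return(r);
  return(FALSE);
}

#--------------------------------------------------------#
# Extract the ID of our pipe from the result             #
# of smbntcreatex()                                      #
#--------------------------------------------------------#

#
# <reply> is the raw buffer returned by smbntcreatex().  The file id is the
# little-endian 16-bit value at bytes 42..43; FALSE when the buffer is too
# short.
#
function smbntcreatex_extract_pipe(reply)
{
  local_var low, high;

  if (strlen(reply) < 44) return(FALSE);

  low  = ord(reply[42]);
  high = ord(reply[43]);
  return(high * 256 + low);
}

#---------------------------------------------------------#
# Determines whether the registry is accessible           #
#---------------------------------------------------------#

#
# Send a DCERPC bind (packet type 0x0B) over the named pipe <pipe> using
# SMB command 0x25 (TRANSACTION / TRANSACT_NMPIPE).  The interface UUID in
# the bind appears to be the winreg interface, i.e. a successful bind means
# the remote registry service accepted us.
#
# Returns the raw reply when its status byte is zero, FALSE otherwise.
#
function pipe_accessible_registry(soc, uid, tid, pipe)
{
  local_var tid_low, tid_high, uid_low, uid_high, pipe_low, pipe_high, req, r;

  tid_low   = tid % 256;
  tid_high  = tid / 256;
  uid_low   = uid % 256;
  uid_high  = uid / 256;
  pipe_low  = pipe % 256;
  pipe_high = pipe / 256;

  req = raw_string(0x00, 0x00, 0x00, 0x94,
                   0xFF, 0x53, 0x4D, 0x42, 0x25,          # "\xFFSMB", TRANSACTION
                   0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0x00, 0x1B, 0x81,
                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                   tid_low, tid_high, 0x00, 0x28, uid_low, uid_high, g_mlo, g_mhi,
                   0x10, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                   0x4C, 0x00, 0x48, 0x00, 0x4C, 0x00, 0x02, 0x00,
                   0x26, 0x00, pipe_low, pipe_high,       # TRANSACT_NMPIPE on our FID
                   0x51, 0x00,
                   0x5C, 0x50, 0x49, 0x50, 0x45, 0x5C, 0x00, 0x00, 0x00,   # "\PIPE\"
                   # DCERPC bind
                   0x05, 0x00, 0x0B, 0x00, 0x10, 0x00, 0x00, 0x00, 0x48, 0x00, 0x00, 0x00,
                   0x00, 0x00, 0x00, 0x00, 0x30, 0x16, 0x30, 0x16, 0x00, 0x00, 0x00, 0x00,
                   0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00,
                   # abstract syntax: interface UUID + version
                   0x01, 0xd0, 0x8c, 0x33, 0x44, 0x22, 0xF1, 0x31,
                   0xAA, 0xAA, 0x90, 0x00, 0x38, 0x00, 0x10, 0x03,
                   0x01, 0x00, 0x00, 0x00,
                   # transfer syntax UUID + version
                   0x04, 0x5D, 0x88, 0x8A, 0xEB, 0x1C, 0xc9, 0x11,
                   0x9F, 0xE8, 0x08, 0x00, 0x2B, 0x10, 0x48, 0x60,
                   0x02, 0x00, 0x00, 0x00);

  send(socket:soc, data:req);
  r = smb_recv(socket:soc, length:4096);
  if (strlen(r) < 10) return(FALSE);

  if (ord(r[9]) == 0) return(r);
  return(FALSE);
}

#----------------------------------------------------------#
# Shared body of RegOpenHKLM() / RegOpenHKU() / RegOpenHKCR() #
#----------------------------------------------------------#

#
# The three root-key open requests below are byte-identical except for the
# DCERPC operation number, so they share this helper.  <opnum> is the
# single byte written into the request header's opnum field.
#
# Returns the raw reply when its status byte is zero, FALSE otherwise.
#
function _registry_open_root(soc, uid, tid, pipe, opnum)
{
  local_var req, tid_low, tid_high, uid_low, uid_high, pipe_low, pipe_high, r;

  tid_low   = tid % 256;
  tid_high  = tid / 256;
  uid_low   = uid % 256;
  uid_high  = uid / 256;
  pipe_low  = pipe % 256;
  pipe_high = pipe / 256;

  req = raw_string(0x00, 0x00, 0x00, 0x78,
                   0xFF, 0x53, 0x4D, 0x42, 0x25,          # "\xFFSMB", TRANSACTION
                   0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0x80, 0x1D, 0x83,
                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                   tid_low, tid_high, 0x00, 0x28, uid_low, uid_high, g_mlo, g_mhi,
                   0x10, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                   0x54, 0x00, 0x24, 0x00, 0x54, 0x00, 0x02, 0x00,
                   0x26, 0x00, pipe_low, pipe_high,       # TRANSACT_NMPIPE on our FID
                   0x35, 0x00, 0x00,
                   0x5c, 0x00, 0x50, 0x00, 0x49, 0x00, 0x50, 0x00, 0x45, 0x00, 0x5C, 0x00,   # "\PIPE\" (UTF-16)
                   0x00, 0x00, 0x00, 0x5c,
                   # DCERPC request header, opnum selects the root key
                   0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00,
                   0x01, 0x00, 0x00, 0x00, 0x0C, 0x00, 0x00, 0x00, 0x00, 0x00, opnum, 0x00,
                   # stub data
                   0x10, 0xFF, 0x12, 0x00, 0x30, 0x39, 0x01, 0x00, 0x00, 0x00, 0x00, 0x02);

  send(socket:soc, data:req);
  r = smb_recv(socket:soc, length:4096);
  if (strlen(r) < 10) return(FALSE);

  if (ord(r[9]) == 0) return(r);
  return(FALSE);
}

#----------------------------------------------------------#
# RegOpenHKLM()                                            #
#----------------------------------------------------------#

# Open HKEY_LOCAL_MACHINE (opnum 2).  See _registry_open_root() for the
# return value.
function registry_open_hklm(soc, uid, tid, pipe)
{
  return _registry_open_root(soc:soc, uid:uid, tid:tid, pipe:pipe, opnum:0x02);
}

#----------------------------------------------------------#
# RegOpenHKU()                                             #
#----------------------------------------------------------#

# Open HKEY_USERS (opnum 4).  See _registry_open_root() for the return value.
function registry_open_hku(soc, uid, tid, pipe)
{
  return _registry_open_root(soc:soc, uid:uid, tid:tid, pipe:pipe, opnum:0x04);
}

#----------------------------------------------------------#
# RegOpenHKCR()                                            #
#----------------------------------------------------------#

# Open HKEY_CLASSES_ROOT (opnum 0).  See _registry_open_root() for the
# return value.
function registry_open_hkcr(soc, uid, tid, pipe)
{
  return _registry_open_root(soc:soc, uid:uid, tid:tid, pipe:pipe, opnum:0x00);
}

#----------------------------------------------------------#
# Shared body of RegFlush() / RegClose()                   #
#----------------------------------------------------------#

#
# Send a handle-only winreg request (<opnum>) for the 20-byte key handle
# found at bytes 84..103 of <reply>, the buffer returned by one of the
# registry_open_*() functions.
#
# Returns the last four bytes of the server's reply (the status, as the
# original callers expect).  Returns NULL when <reply> is too short to hold
# a handle or when the server's answer is shorter than four bytes — the
# original code indexed both buffers blindly in those cases.
#
function _registry_handle_op(soc, uid, tid, pipe, reply, opnum)
{
  local_var magic, req, r, tid_low, tid_high, uid_low, uid_high, pipe_low, pipe_high;

  # Handle lives at reply[84..103]; refuse to read past a short buffer.
  if (strlen(reply) < 104) return(NULL);
  magic = substr(reply, 84, 103);

  tid_low   = tid % 256;
  tid_high  = tid / 256;
  uid_low   = uid % 256;
  uid_high  = uid / 256;
  pipe_low  = pipe % 256;
  pipe_high = pipe / 256;

  req = raw_string(0x00, 0x00, 0x00, 0x78,
                   0xFF, 0x53, 0x4D, 0x42, 0x25,          # "\xFFSMB", TRANSACTION
                   0x00, 0x00, 0x00, 0x00, 0x08, 0x01, 0x40,
                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                   tid_low, tid_high, 0x00, 0x28, uid_low, uid_high, g_mlo, g_mhi,
                   0x10, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x00, 0x00, 0x08, 0x00,
                   0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                   0x4c, 0x00, 0x2c, 0x00, 0x4c, 0x00, 0x02, 0x00,
                   0x26, 0x00, pipe_low, pipe_high,       # TRANSACT_NMPIPE on our FID
                   0x35, 0x00,
                   0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c, 0x00, 0x00, 0x00,   # "\PIPE\"
                   # DCERPC request header, opnum selects flush vs close
                   0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, 0x2c, 0x00, 0x00, 0x00,
                   0xcf, 0x01, 0x00, 0x00, 0x14, 0x00, 0x00, 0x00, 0x00, 0x00, opnum, 0x00)
        + magic;                                          # the key handle

  send(socket:soc, data:req);
  r = smb_recv(socket:soc, length:65535);
  if (strlen(r) < 4) return(NULL);

  return substr(r, strlen(r) - 4, strlen(r) - 1);
}

#----------------------------------------------------------#
# RegFlush()                                               #
#----------------------------------------------------------#

# Flush the key whose open reply is <reply> (opnum 11).  See
# _registry_handle_op() for the return value.
function registry_flush(soc, uid, tid, pipe, reply)
{
  return _registry_handle_op(soc:soc, uid:uid, tid:tid, pipe:pipe, reply:reply, opnum:0x0b);
}

#----------------------------------------------------------#
# RegClose()                                               #
#----------------------------------------------------------#

# Close the key whose open reply is <reply> (opnum 5).  See
# _registry_handle_op() for the return value.
function registry_close(soc, uid, tid, pipe, reply)
{
  return _registry_handle_op(soc:soc, uid:uid, tid:tid, pipe:pipe, reply:reply, opnum:0x05);
}

#----------------------------------------------------------#
# RegDelKey()                                              #
#----------------------------------------------------------#

#
# Delete the subkey <key> (relative to the handle in <reply>, the buffer
# returned by one of the registry_open_*() functions) with winreg opnum 7.
#
# Returns the 32-bit little-endian status found in the last four bytes of
# the server's reply, 0 meaning success.  Returns 1 when <reply> is too
# short to carry a handle (bytes 16..17 and 84..103 are needed) or when the
# server's answer is too short to carry a status; the original exit()ed the
# whole script in the first case and read past the buffer in the second.
#
function registry_delete_key(soc, uid, tid, pipe, key, reply)
{
  local_var i, error, key_len, key_len_hi, key_len_lo;
  local_var tid_low, tid_high, uid_low, uid_high, pipe_low, pipe_high;
  local_var uc, len, len_hi, len_lo, z, z_lo, z_hi, y, y_lo, y_hi, x, x_lo, x_hi;
  local_var magic, magic1, req, r;

  # The handle (reply[84..103]) and the two echoed header bytes
  # (reply[16..17]) must both fit inside the open reply.
  if (strlen(reply) < 104) return(1);

  key_len    = strlen(key) + 1;
  key_len_hi = key_len / 256;
  key_len_lo = key_len % 256;

  tid_low   = tid % 256;
  tid_high  = tid / 256;
  uid_low   = uid % 256;
  uid_high  = uid / 256;
  pipe_low  = pipe % 256;
  pipe_high = pipe / 256;

  uc = unicode3(data:key);

  # Lengths that depend on the UTF-16 key: NetBIOS length, stub length,
  # SMB byte count and transaction data count (all little-endian except
  # the NetBIOS one).
  len = 148 + strlen(uc); len_hi = len / 256; len_lo = len % 256;
  z   = 40 + strlen(uc);  z_lo = z % 256;     z_hi = z / 256;
  y   = 81 + strlen(uc);  y_lo = y % 256;     y_hi = y / 256;
  x   = 64 + strlen(uc);  x_lo = x % 256;     x_hi = x / 256;

  # Two header bytes from the open reply are echoed back in the request.
  magic1 = raw_string(ord(reply[16]), ord(reply[17]));

  req = raw_string(0x00, 0x00, len_hi, len_lo,
                   0xFF, 0x53, 0x4D, 0x42, 0x25,          # "\xFFSMB", TRANSACTION
                   0x00, 0x00, 0x00, 0x00, 0x18, 0x03, 0x80)
        + magic1
        + raw_string(0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                     tid_low, tid_high, 0x00, 0x28, uid_low, uid_high, g_mlo, g_mhi,
                     0x10, 0x00, 0x00, x_lo, x_hi, 0x00, 0x00, 0x00, 0x04, 0x00,
                     0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                     0x54, 0x00, x_lo, x_hi, 0x54, 0x00, 0x02, 0x00,
                     0x26, 0x00, pipe_low, pipe_high,     # TRANSACT_NMPIPE on our FID
                     y_lo, y_hi, 0x00,
                     0x5C, 0x00, 0x50, 0x00, 0x49, 0x00, 0x50, 0x00, 0x45, 0x00, 0x5C, 0x00,   # "\PIPE\" (UTF-16)
                     0x00, 0x00, 0x00, 0xb9,
                     # DCERPC request header, opnum 7
                     0x05, 0x00, 0x00, 0x03, 0x10, 0x00, 0x00, 0x00, x_lo, x_hi, 0x00, 0x00,
                     0x02, 0x00, 0x00, 0x00, z_lo, z_hi, 0x00, 0x00, 0x00, 0x00, 0x07, 0x00);

  # 20-byte key handle from the open reply.
  magic = substr(reply, 84, 103);

  # Counted UTF-16 string: byte length (incl. NUL) twice, then the buffer.
  x    = strlen(key) + strlen(key) + 2;
  x_lo = x % 256;
  x_hi = x / 256;

  req = req + magic
        + raw_string(x_lo, x_hi, x_lo, x_hi, 0x01, 0x00, 0x00, 0x00,
                     key_len_lo, key_len_hi, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                     key_len_lo, key_len_hi, 0x00)
        + uc + raw_string(0);

  send(socket:soc, data:req);
  r = smb_recv(socket:soc, length:4096);
  if (strlen(r) < 10) return(1);

  # Status is the trailing little-endian 32-bit word.  (The original
  # multiplied error[1] by 256 but not the accumulated high bytes, so any
  # status above 0xFFFF decoded wrongly; small codes are unaffected.)
  error = substr(r, strlen(r) - 4, strlen(r) - 1);
  return ((ord(error[3]) * 256 + ord(error[2])) * 256 + ord(error[1])) * 256 + ord(error[0]);
}

#----------------------------------------------------------#
# RegDelValue()                                            #
#----------------------------------------------------------#
function registry_delete_value(soc, uid, tid, pipe, value, reply )
{
 local_var _na_start, i, error;
 key_len = strlen(value) + 1;
 key_len_hi = key_len / 256;
 key_len_lo = key_len % 256;
 tid_low = tid % 256;
 tid_high = tid / 256;
 uid_low = uid % 256;
 uid_high = uid / 256;
 pipe_low = pipe % 256;
 pipe_high = pipe / 256;
 uc = unicode3(data:value);
 len = 148 + strlen(uc);
 len_hi = len / 256;
 len_lo = len % 256;
 z = 40 + strlen(uc);
 z_lo = z % 256;
 z_hi = z / 256;
 y = 81 + strlen(uc);
 y_lo = y % 256;
 y_hi = y / 256;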