 item_len_lo = item_len % 256; item_len_hi = item_len / 256;  uc2 = unicode2(data:item); len = 188 + strlen(uc2); len_lo = len % 256; len_hi = len / 256;  tid_low = tid % 256; tid_high = tid / 256; uid_low = uid % 256; uid_high = uid / 256; pipe_low = pipe % 256; pipe_high = pipe / 256;  bcc = 121 + strlen(uc2); bcc_lo = bcc % 256; bcc_hi = bcc / 256;  y = 80 + strlen(uc2); y_lo = y % 256; y_hi = y / 256;  z = 104 + strlen(uc2); z_lo = z % 256; z_hi = z / 256; req = raw_string(0x00, 0x00, 		  len_hi, len_lo, 0xFF, 0x53, 0x4D, 0x42, 0x25, 0x00,		  0x00, 0x00, 0x00, 0x18, 0x03, 0x80, 0x1D, 0x83,		  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,		  0x00, 0x00, tid_low, tid_high, 0x00, 0x28, uid_low, uid_high,		  g_mlo, g_mhi, 0x10, 0x00, 0x00, z_lo, z_hi, 0x00,		  0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00,		  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x54,		  0x00, z_lo, z_hi, 0x54, 0x00, 0x02, 0x00, 0x26,		  0x00, pipe_low, pipe_high, bcc_lo, bcc_hi, 0x00, 0x5C, 0x00,		  0x50, 0x00, 0x49, 0x00, 0x50, 0x00, 0x45, 0x00,		  0x5C, 0x00, 0x00, 0x00, 0x00, 0x5C, 0x05, 0x00,		  0x00, 0x03, 0x10, 0x00, 0x00, 0x00, z_lo, z_hi,		  0x00, 0x00, 0x03, 0x00, 0x00, 0x00, y_lo, y_hi,		  0x00, 0x00, 0x00, 0x00, 0x11, 0x00);		   magic = raw_string(ord(reply[84])); for(i=1;i<20;i=i+1) {   magic = magic + raw_string(ord(reply[84+i])); } x = 2 + strlen(item) + strlen(item); x_lo = x % 256; x_hi = x / 256;   y = y + 3; y_lo = y % 256; y_hi = y / 256;   req = req + magic + raw_string(x_lo, x_hi, 0x0A, 0x02, 0x00, 0xEC,  		0xFD, 0x7F, 0x05, 0x01, 0x00, 0x00, 0x00, 0x00,		0x00, 0x00, item_len_lo, item_len_hi, 0x00)				+ uc2	+ 		raw_string(0x00, 0x34, 0xFF,		0x12, 0x00, 0xEF, 0x10, 0x40, 0x00, 0x18, 0x1E,		0x7c, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00,		0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3C, 0xFF,		0x12, 0x00, 0x00, 0x04, 0x00, 0x00, 0x30, 0xFF,		0x12, 0x00, 0x00, 0x00, 0x00, 0x00);		 send(socket:soc, data:req); req = smb_recv(socket:soc, length:4000);		 return(req);}		  
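#------------------------------------------------------#
# Decode the reply from the registry                   #
#------------------------------------------------------#
#
# Extracts the DWORD carried in a registry query reply.
#
# data   : raw SMB reply, NetBIOS session header included
# return : the integer value, or NULL when the reply is too short to
#          hold one (every offset is now bounds-checked against
#          strlen(data); the original read past the end of short
#          replies and never initialised the accumulator 't').
#
function registry_decode_dword(data)
{
 local_var len, data_offset, data_len, index, i, t;

 # Bytes 2..3 are the big-endian NetBIOS session length.
 if(strlen(data) < 4) return(NULL);
 len = ord(data[2]) * 256 + ord(data[3]);
 if(len < 126) return(NULL);

 # Data offset: little-endian word at 51..52, plus the 4-byte NetBIOS
 # header (presumably the SMB transaction DataOffset field).
 if(strlen(data) < 53) return(NULL);
 data_offset = ord(data[52]) * 256 + ord(data[51]) + 4;

 # Length of the returned value as encoded in the RPC reply.
 if(strlen(data) < data_offset + 45) return(NULL);
 data_len = ord(data[data_offset + 43]) * 256 + ord(data[data_offset + 44]);
 index = data_offset + 48;
 if(strlen(data) < index + data_len) return(NULL);

 # Value bytes are little-endian: fold from the last (most significant)
 # byte down to the first.
 t = 0;
 for(i = data_len; i > 0; i = i - 1)
 {
  t = t * 256;
  t = t + ord(data[index + i - 1]);
 }
 return(t);
}


#---------------------------------------------------------------------#
# registry_get_dword()                                                #
#---------------------------------------------------------------------#
#
# Reads a DWORD value from HKLM over the \winreg named pipe.
#
# key    : registry key path under HKLM
# item   : value name inside that key
# return : the decoded integer, NULL when a step of the SMB/RPC exchange
#          fails, FALSE when the SMB port is closed.  Calls exit(0)
#          against Samba or when the SMB KB entries are missing, as the
#          original did.
#
function registry_get_dword(key, item)
{
 local_var name, port, login, pass, soc, dom, r, r2, r3, prot, value;
 local_var uid, tid, pipe;

 if ( get_kb_item("SMB/samba") ) exit(0);

 port = kb_smb_transport();
 if(!port) exit(0);
 name = kb_smb_name();
 if(!name) exit(0);
 if(!get_port_state(port)) return(FALSE);

 login = kb_smb_login();
 pass  = kb_smb_password();
 if(!login) login = "";
 if(!pass)  pass = "";
 dom = kb_smb_domain();

 soc = open_sock_tcp(port);
 if(!soc) exit(0);

 # Request the session
 r = smb_session_request(soc:soc, remote:name);
 if(!r) { close(soc); return NULL; }

 # Negotiate the protocol
 prot = smb_neg_prot(soc:soc);
 if(!prot) { close(soc); return NULL; }

 # Set up our session and extract our uid
 r = smb_session_setup(soc:soc, login:login, password:pass, domain:dom, prot:prot);
 if(!r) { close(soc); return NULL; }
 uid = session_extract_uid(reply:r);

 # Connect to IPC$ and extract the tree id we are attributed.
 # The original never checked this step; registry_get_binary() and
 # registry_get_sz() do, so do the same here rather than sending
 # requests with an empty tid.
 r = smb_tconx(soc:soc, name:name, uid:uid, share:"IPC$");
 tid = tconx_extract_tid(reply:r);
 if(!tid) { close(soc); return NULL; }

 # Create a pipe to \winreg and extract its ID
 r = smbntcreatex(soc:soc, uid:uid, tid:tid, name:"\winreg");
 if(!r) { close(soc); return(NULL); }
 pipe = smbntcreatex_extract_pipe(reply:r);

 # Set up the pipe (helper defined elsewhere in this file)
 r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, pipe:pipe);
 if(!r) { close(soc); return(NULL); }

 r  = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe);
 r2 = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe, key:key, reply:r);
 if(r2)
 {
  r3 = registry_get_item_dword(soc:soc, uid:uid, tid:tid, pipe:pipe, item:item, reply:r2);
  # Close the key handle, then the HKLM handle, before decoding.
  registry_close(soc:soc, uid:uid, tid:tid, pipe:pipe, reply:r2);
  registry_close(soc:soc, uid:uid, tid:tid, pipe:pipe, reply:r);
  value = registry_decode_dword(data:r3);
  close(soc);
  return(value);
 }
 close(soc);
 return NULL;
}


#---------------------------------------------------------------------#
# registry_get_binary()                                               #
#---------------------------------------------------------------------#
#
# Reads a binary value from HKLM over the \winreg named pipe.
#
# key    : registry key path under HKLM
# item   : value name inside that key
# return : the value as decoded by registry_decode_binary(), FALSE when
#          the port is closed or any step of the exchange fails.  Calls
#          exit(0) against Samba or when the SMB KB entries are missing.
#
function registry_get_binary(key, item)
{
 local_var name, _smb_port, login, pass, domain, soc, uid, tid, r, r2, r3, prot, pipe, value;

 if ( get_kb_item("SMB/samba") ) exit(0);

 name = kb_smb_name();
 if(!name) exit(0);
 _smb_port = kb_smb_transport();
 if(!_smb_port) exit(0);
 if(!get_port_state(_smb_port)) return(FALSE);

 login  = kb_smb_login();
 pass   = kb_smb_password();
 domain = kb_smb_domain();
 if(!login) login = "";
 if(!pass)  pass = "";

 soc = open_sock_tcp(_smb_port);
 if(!soc) return(FALSE);

 # Request the session
 r = smb_session_request(soc:soc, remote:name);
 if(!r) { close(soc); return(FALSE); }

 # Negotiate the protocol
 prot = smb_neg_prot(soc:soc);
 if(!prot) { close(soc); return(FALSE); }

 # Set up our session and extract our uid
 r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot);
 if(!r) { close(soc); return(FALSE); }
 uid = session_extract_uid(reply:r);

 # Connect to IPC$ and extract the tree id we are attributed
 r = smb_tconx(soc:soc, name:name, uid:uid, share:"IPC$");
 tid = tconx_extract_tid(reply:r);
 if(!tid) { close(soc); return(FALSE); }

 # Create a pipe to \winreg and extract its ID
 r = smbntcreatex(soc:soc, uid:uid, tid:tid, name:"\winreg");
 if(!r) { close(soc); return(FALSE); }
 pipe = smbntcreatex_extract_pipe(reply:r);

 # Set up the pipe (helper defined elsewhere in this file)
 r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, pipe:pipe);
 if(!r) { close(soc); return(FALSE); }

 r  = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe);
 r2 = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe, key:key, reply:r);
 if(r2)
 {
  # NOTE(review): the original fetches the item with the _sz query and
  # only the decoder differs — kept as-is, the wire request is
  # presumably the same for both types.
  r3 = registry_get_item_sz(soc:soc, uid:uid, tid:tid, pipe:pipe, item:item, reply:r2);
  registry_close(soc:soc, uid:uid, tid:tid, pipe:pipe, reply:r2);
  registry_close(soc:soc, uid:uid, tid:tid, pipe:pipe, reply:r);
  value = registry_decode_binary(data:r3);
  close(soc);
  return(value);
 }
 close(soc);
 return(FALSE);
}


#---------------------------------------------------------------------#
# registry_get_sz()                                                   #
#---------------------------------------------------------------------#
#
# Reads a string value from HKLM over the \winreg named pipe.
#
# key    : registry key path under HKLM
# item   : value name inside that key
# return : the value as decoded by registry_decode_sz(), FALSE when the
#          port is closed or any step of the exchange fails.  Calls
#          exit(0) against Samba or when the SMB KB entries are missing.
#
function registry_get_sz(key, item)
{
 local_var name, _smb_port, login, pass, domain, soc, uid, tid, r, r2, r3, prot, pipe, value;

 if ( get_kb_item("SMB/samba") ) exit(0);

 name = kb_smb_name();
 if(!name) exit(0);
 _smb_port = kb_smb_transport();
 if(!_smb_port) exit(0);
 if(!get_port_state(_smb_port)) return(FALSE);

 login  = kb_smb_login();
 pass   = kb_smb_password();
 domain = kb_smb_domain();
 if(!login) login = "";
 if(!pass)  pass = "";

 soc = open_sock_tcp(_smb_port);
 if(!soc) return(FALSE);

 # Request the session
 r = smb_session_request(soc:soc, remote:name);
 if(!r) { close(soc); return(FALSE); }

 # Negotiate the protocol
 prot = smb_neg_prot(soc:soc);
 if(!prot) { close(soc); return(FALSE); }

 # Set up our session and extract our uid
 r = smb_session_setup(soc:soc, login:login, password:pass, domain:domain, prot:prot);
 if(!r) { close(soc); return(FALSE); }
 uid = session_extract_uid(reply:r);

 # Connect to IPC$ and extract the tree id we are attributed
 r = smb_tconx(soc:soc, name:name, uid:uid, share:"IPC$");
 tid = tconx_extract_tid(reply:r);
 if(!tid) { close(soc); return(FALSE); }

 # Create a pipe to \winreg and extract its ID
 r = smbntcreatex(soc:soc, uid:uid, tid:tid, name:"\winreg");
 if(!r) { close(soc); return(FALSE); }
 pipe = smbntcreatex_extract_pipe(reply:r);

 # Set up the pipe (helper defined elsewhere in this file)
 r = pipe_accessible_registry(soc:soc, uid:uid, tid:tid, pipe:pipe);
 if(!r) { close(soc); return(FALSE); }

 r  = registry_open_hklm(soc:soc, uid:uid, tid:tid, pipe:pipe);
 r2 = registry_get_key(soc:soc, uid:uid, tid:tid, pipe:pipe, key:key, reply:r);
 if(r2)
 {
  r3 = registry_get_item_sz(soc:soc, uid:uid, tid:tid, pipe:pipe, item:item, reply:r2);
  registry_close(soc:soc, uid:uid, tid:tid, pipe:pipe, reply:r2);
  registry_close(soc:soc, uid:uid, tid:tid, pipe:pipe, reply:r);
  value = registry_decode_sz(data:r3);
  close(soc);
  return(value);
 }
 close(soc);
 return(FALSE);
}


#---------------------------------------------------------------------------#
# SAM related functions                                                     #
#---------------------------------------------------------------------------#

#------------------------------------------------------#
# Open a pipe to \samr                                 #
#------------------------------------------------------#
#
# Sends an SMB NT_CREATE_ANDX (command 0xA2) for the UTF-16 path
# "\samr" and returns the file id of the opened pipe.
#
# soc, uid, tid : open socket, session uid and IPC$ tree id
# return        : the pipe id (little-endian word at reply offset
#                 42..43), or FALSE when the reply is too short.  The
#                 original only required 42 bytes and then read r[43];
#                 the check now covers both bytes.
#
# g_mlo / g_mhi sit in the multiplex-id slot of the SMB header and are
# file-level variables set elsewhere.
#
function OpenPipeToSamr(soc, uid, tid)
{
 local_var tid_hi, tid_lo, uid_hi, uid_lo, req, r, low, hi, ret;

 tid_hi = tid / 256; tid_lo = tid % 256;
 uid_hi = uid / 256; uid_lo = uid % 256;

 req = raw_string(0x00, 0x00,
		  0x00, 0x60, 0xFF, 0x53, 0x4D, 0x42, 0xA2, 0x00,
		  0x00, 0x00, 0x00, 0x18, 0x07, 0xC8, 0x00, 0x00,
		  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		  0x00, 0x00, tid_lo, tid_hi, 0x00, 0x28, uid_lo, uid_hi,
		  g_mlo, g_mhi, 0x18, 0xFF, 0x00, 0xDE, 0xDE, 0x00,
		  0x0A, 0x00, 0x16, 0x00, 0x00, 0x00, 0x00, 0x00,
		  0x00, 0x00, 0x9F, 0x01, 0x02, 0x00, 0x00, 0x00,
		  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		  0x00, 0x00, 0x03, 0x00, 0x00, 0x00, 0x01, 0x00,
		  0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x02, 0x00,
		  0x00, 0x00, 0x03, 0x0D, 0x00, 0x00, 0x5C, 0x00,
		  0x73, 0x00, 0x61, 0x00, 0x6D, 0x00, 0x72, 0x00,
		  0x00, 0x00);

 send(socket:soc, data:req);
 r = smb_recv(socket:soc, length:4096);

 # Both FID bytes must be present before they are read.
 if(strlen(r) < 44) return(FALSE);

 low = ord(r[42]);
 hi  = ord(r[43]);
 ret = hi * 256 + low;
 return(ret);
}


#
# Writes a DCE/RPC bind request to the \samr pipe over SMB
# WRITE_ANDX (command 0x2F).  The payload binds the SAMR interface
# UUID 12345778-1234-abcd-ef00-0123456789ac with the NDR transfer
# syntax.
#
# soc, tid, uid, pipe : open socket, tree id, session uid, pipe id
# return              : the raw reply (the original discarded it;
#                       returning it is harmless to existing callers)
#
function samr_smbwritex(soc, tid, uid, pipe)
{
 local_var tid_hi, tid_lo, uid_hi, uid_lo, pipe_hi, pipe_lo, req, r;

 tid_hi  = tid / 256;  tid_lo  = tid % 256;
 uid_hi  = uid / 256;  uid_lo  = uid % 256;
 pipe_hi = pipe / 256; pipe_lo = pipe % 256;

 req = raw_string(0x00, 0x00,
		  0x00, 0x88, 0xFF, 0x53, 0x4D, 0x42, 0x2F, 0x00,
		  0x00, 0x00, 0x00, 0x18, 0x07, 0xC8, 0x00, 0x00,
		  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		  0x00, 0x00, tid_lo, tid_hi, 0x00, 0x28, uid_lo, uid_hi,
		  g_mlo, g_mhi, 0x0E, 0xFF, 0x00, 0xDE, 0xDE, pipe_lo,
		  pipe_hi, 0x00, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0xFF,
		  0xFF, 0x08, 0x00, 0x48, 0x00, 0x00, 0x00, 0x48,
		  0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x49,
		  0x00, 0xEE, 0x05, 0x00, 0x0B, 0x03, 0x10, 0x00,
		  0x00, 0x00, 0x48, 0x00, 0x00, 0x00, 0x01, 0x00,
		  0x00, 0x00, 0xB8, 0x10, 0xB8, 0x10, 0x00, 0x00,
		  0x00, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00,
		  0x01, 0x00, 0x78, 0x57, 0x34, 0x12, 0x34, 0x12,
		  0xCD, 0xAB, 0xEF, 0x00, 0x01, 0x23, 0x45, 0x67,
		  0x89, 0xAC, 0x01, 0x00, 0x00, 0x00, 0x04, 0x5D,
		  0x88, 0x8A, 0xEB, 0x1C, 0xC9, 0x11, 0x9F, 0xE8,
		  0x08, 0x00, 0x2B, 0x10, 0x48, 0x60, 0x02, 0x00,
		  0x00, 0x00);

 send(socket:soc, data:req);
 r = smb_recv(socket:soc, length:4096);
 return(r);
}


#
# Reads the pending reply from the \samr pipe with SMB READ_ANDX
# (command 0x2E).
#
# soc, tid, uid, pipe : open socket, tree id, session uid, pipe id
# return              : the raw reply (the original discarded it;
#                       returning it is harmless to existing callers)
#
function samr_smbreadx(soc, tid, uid, pipe)
{
 local_var tid_hi, tid_lo, uid_hi, uid_lo, pipe_hi, pipe_lo, req, r;

 tid_hi  = tid / 256;  tid_lo  = tid % 256;
 uid_hi  = uid / 256;  uid_lo  = uid % 256;
 pipe_hi = pipe / 256; pipe_lo = pipe % 256;

 req = raw_string(0x00, 0x00,
		  0x00, 0x3B, 0xFF, 0x53, 0x4D, 0x42, 0x2E, 0x00,
		  0x00, 0x00, 0x00, 0x18, 0x07, 0xC8, 0x00, 0x00,
		  0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
		  0x00, 0x00, tid_lo, tid_hi, 0x00, 0x28, uid_lo, uid_hi,
		  g_mlo, g_mhi, 0x0C, 0xFF, 0x00, 0xDE, 0xDE, pipe_lo,
		  pipe_hi, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00,
		  0x04, 0xFF, 0xFF, 0xFF, 0xFF, 0x00, 0x04, 0x00,
		  0x00, 0x00, 0x00, 0x00, 0x00);

 send(socket:soc, data:req);
 r = smb_recv(socket:soc, length:4096);
 return(r);
}


#------------------------------------------------------#
# Returns the unicode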
