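code = get_header_dos_error_code (header:header);
  if (code != NO_ERROR)
    return FALSE;
 }

 return TRUE;
}

#-----------------------------------------------------------------#
# Encode name and service to the netbios network format           #
#-----------------------------------------------------------------#
#
# RFC 1001 "first level" encoding: the name is space-padded to 15
# bytes, a 16th byte carries the NetBIOS suffix (service), and every
# byte is split into two nibbles, each emitted as 'A' + nibble.
# The 32-byte label is returned prefixed by its length byte.
#
# Fix: a name longer than 15 characters used to push the service
# byte out of the 16-byte window, so the suffix actually sent was
# the 16th character of the name.  Names are now truncated to 15
# bytes before the suffix is appended, which is what the wire
# format requires anyway.
#
function netbios_encode(data, service)
{
  local_var name, encoded, idx, byte;

  name = data;
  if (strlen(name) > 15)
    name = substr(name, 0, 14);
  while (strlen(name) < 15)
    name += " ";
  name += raw_string(service);

  encoded = "";
  for (idx = 0; idx < 16; idx++)
  {
    byte = ord(name[idx]);
    # high nibble first, then low nibble, both offset by 'A'
    encoded += raw_string(ord("A") + byte / 16, ord("A") + byte % 16);
  }

  return raw_byte(b:strlen(encoded)) + encoded;
}

#-----------------------------------------------------------------#
# Convert a netbios name to the netbios network format            #
#-----------------------------------------------------------------#
#
# Suffix 0x20 is the "File Server Service" name that an SMB/CIFS
# server registers and listens on.
#
function netbios_name(orig)
{
  return netbios_encode(data:orig, service:0x20);
}

#-----------------------------------------------------------------#
# Send one NetBIOS session packet and read back one full reply    #
#-----------------------------------------------------------------#
#
# type : NetBIOS session packet type (e.g. 0x81 session request)
# data : payload following the 4-byte session header
#
# Returns the 4-byte reply header plus its payload, or NULL when the
# socket is missing or the reply is short/missing.
#
# Fix: the reply length was computed as 65535 * header[1] + ...,
# i.e. off by one for every message above 64 KiB, and the reserved
# bits of that byte were not masked.  RFC 1002 defines the length
# as 17 bits: the low bit of byte 1 followed by bytes 2 and 3.
#
function netbios_sendrecv(type, data)
{
  local_var packet, sock, timeout, hdr, len, body;

  sock = session_get_socket();
  if (!sock)
    return NULL;
  timeout = session_get_timeout();

  packet = netbios_header(type:type, length:strlen(data)) + data;
  send(socket:sock, data:packet);

  hdr = recv(socket:sock, length:4, min:4, timeout:timeout);
  if (strlen(hdr) < 4)
    return NULL;

  # 17-bit length: flag byte (only bit 0 is significant), then 16 bits.
  len = 65536 * (ord(hdr[1]) & 1) + 256 * ord(hdr[2]) + ord(hdr[3]);
  # Sanity cap so a hostile length cannot make us wait for ~128 KiB
  # that never arrives; the reply is then reported as short (NULL).
  if (len > 100000)
    len = 100000;

  body = recv(socket:sock, length:len, min:len, timeout:timeout);
  if (strlen(body) < len)
    return NULL;

  # NOTE(review): the reply type byte (hdr[0]) is not inspected here;
  # callers such as netbios_session_request check it themselves.
  return hdr + body;
}

#==================================================================#
# Section 4. Netbios Functions                                     #
#==================================================================#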
# Netbios Functions                                                #
#==================================================================#

#---------------------------------------------------------#
# Function    : netbios_session_request                   #
# Description : Open a NetBIOS session (RFC 1002, type    #
#               0x81) on the SMB transport when it is not #
#               direct-hosted TCP/445.                    #
#                                                         #
# Returns TRUE  : session accepted, or not needed (445)   #
#         FALSE : a reply arrived but was not a POSITIVE  #
#                 SESSION RESPONSE (0x82); e.g. 0x83 is   #
#                 a negative response carrying an error   #
#                 byte that is not decoded here           #
#         NULL  : no/short reply from netbios_sendrecv    #
#---------------------------------------------------------#
function netbios_session_request()
{
  local_var port, kb_name, called, calling, payload, reply;

  # Direct-hosted SMB over TCP/445 has no NetBIOS session layer.
  port = kb_smb_transport();
  if (port == 445)
    return TRUE;

  # Called name: the host's NetBIOS name when the KB says one is
  # known, otherwise the "*SMBSERVER" wildcard most servers accept.
  kb_name = get_kb_item("SMB/netbios_name");
  if (kb_name == TRUE)
    called = netbios_name(orig:session_get_hostname());
  else
    called = netbios_name(orig:"*SMBSERVER");

  # Calling name: an all-blank name (NULL is padded with spaces).
  calling = netbios_name(orig:NULL);

  payload = called + raw_byte(b:0) + calling + raw_byte(b:0);
  reply = netbios_sendrecv(type:0x81, data:payload);
  if (!reply)
    return NULL;

  # 0x82 = POSITIVE SESSION RESPONSE; anything else is a failure.
  if (ord(reply[0]) != 0x82)
    return FALSE;

  return TRUE;
}

#==================================================================#
# Section 4a. CIFS Functions                                       #
#==================================================================#

#---------------------------------------------------------#
# Function    : smb_negotiate_protocol                    #
# Description : Negotiate the SMB protocol to use         #
#---------------------------------------------------------#
#
# SMB header :
#  Command   : SMB_COM_NEGOTIATE
#  Status    = STATUS_SUCCESS
#  Flags2    : SMB_FLAGS2_EXTENDED_SECURITY is added when
#              the 'extended' argument is NULL or TRUE;
#              otherwise smb_header()'s defaults apply
#              (the old text listed UNICODE | KNOWS_LONG_NAMES,
#              which is not what this code passes explicitly)
#  PidHigh   = 0
#  Signature = NULL (0,0..)
#  Tid       = 0
#  Uid       = 0
#  Mid       = 2
#
# SMB parameters :
#  BYTE WordCount;         # 0
#
# SMB data :
#  WORD ByteCount;         # Number of bytes
#  {
#   BYTE BufferFormat;     # 0x02 (Dialect)
#   BYTE Name[];           # NUL-terminated dialect name
#  }
#  {
#   ...
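#                  PC NETWORK PROGRAM 1.0
#                  MICROSOFT NETWORKS 1.03
#                  MICROSOFT NETWORKS 3.0
#                  LANMAN1.0
#                  LM1.2X002
#                  Samba
#                  NT LANMAN 1.0
#  }               NT LM 0.12
#
# Every dialect in protocol[] is offered, oldest first.  An on-path
# attacker can therefore steer the server to a legacy dialect
# (no signing, LM-only auth); the dialect index the server picks
# is in the reply and should be checked by the caller.
#---------------------------------------------------------#
function smb_negotiate_protocol(extended)
{
  local_var hdr, params, dialects, pkt, idx;

  # Extended security (SPNEGO) is requested unless the caller passes
  # extended:FALSE explicitly; a NULL argument means "extended".
  if (isnull(extended) || (extended == TRUE))
    hdr = smb_header(Command:SMB_COM_NEGOTIATE,
                     Status:nt_status(Status:STATUS_SUCCESS),
                     Flags2:SMB_FLAGS2_EXTENDED_SECURITY);
  else
    hdr = smb_header(Command:SMB_COM_NEGOTIATE,
                     Status:nt_status(Status:STATUS_SUCCESS));

  params = smb_parameters(data:NULL);   # WordCount = 0

  # One 0x02-prefixed, NUL-terminated string per dialect.
  dialects = NULL;
  for (idx = 0; idx < supported_protocol; idx++)
    dialects += raw_byte(b:0x02) + ascii(string:protocol[idx]);

  pkt = netbios_packet(header:hdr, parameters:params,
                       data:smb_data(data:dialects));
  return smb_sendrecv(data:pkt);
}

#---------------------------------------------------------#
# Function    : smb_session_setup_andx_lanman_core        #
# Description : Create SMB packet for LANMAN2.1 setupandx #
#---------------------------------------------------------#
#
# SMB parameters :
#  BYTE  WordCount;
#  BYTE  Command;
#  BYTE  Reserved;
#  WORD  Offset;
#  WORD  MaxBufferSize;
#  WORD  MaxMpxCount;
#  WORD  VcNumber;
#  DWORD SessionKey;
#  WORD  PasswordLength;
#  DWORD Reserved;
#
# SMB data :
#  WORD ByteCount;
#  BYTE Password[];
#  BYTE AccountName[];
#  BYTE PrimaryDomain[];
#  BYTE NativeOS[];
#  BYTE NativeLanMan[];
#
# Side effects on success: session UID, guest flag and (when the
# server signs) the MAC key / sequence numbers are stored in the
# session state.  Returns the request packet that was sent, or NULL
# on any failure.
#
# Fix: the MAC-key guard read 'if (!session_get_mackey());' - the
# stray ';' made the 'if' an empty statement, so an already
# established MAC key was unconditionally overwritten whenever the
# server signed this reply.  The guard now actually guards, matching
# smb_session_setup_andx_ntlm_core.
#---------------------------------------------------------#
function smb_session_setup_andx_lanman_core(session_key, login, domain, password, hash, mode, challenge)
{
  local_var name, dom, pass, header, parameters, data, packet;
  local_var response, skey, guest, ret, uid, sig;

  header = smb_header(Command:SMB_COM_SESSION_SETUP_ANDX,
                      Status:nt_status(Status:STATUS_SUCCESS));

  # LANMAN2.1 strings are uppercase ASCII.
  name = toupper(login);
  dom  = toupper(domain);
  pass = toupper(password);

  # Challenge/response: the 24-byte LM response replaces the password.
  # Without CHALLENGE_RESPONSE the (uppercased) password is sent in
  # clear text, as the server requested, and no MAC key can be derived
  # (skey stays NULL).
  if (pass && (mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE))
  {
    response = LM_Response(password:cstring(string:pass),
                           challenge:challenge, hash:hash);
    pass = response[0];
    skey = response[1] + response[0];
  }

  parameters = raw_byte(b:255) +                        # AndXCommand: none
               raw_byte(b:0) +                          # AndXReserved
               raw_word(w:0) +                          # AndXOffset
               raw_word(w:session_get_buffersize()) +   # MaxBufferSize
               raw_word(w:1) +                          # MaxMpxCount
               raw_word(w:0) +                          # VcNumber
               raw_dword(d:session_key) +               # SessionKey
               raw_word(w:strlen(pass)) +               # PasswordLength
               raw_dword(d:0);                          # Reserved
  parameters = smb_parameters(data:parameters);

  data = pass +
         cstring(string:name) +
         cstring(string:dom) +
         cstring(string:nes_native_os) +
         cstring(string:nes_native_lanman);
  data = smb_data(data:data);

  packet = netbios_packet(header:header, parameters:parameters, data:data);
  ret = smb_sendrecv(data:packet);
  if (!ret)
    return NULL;
  if (smb_check_success(data:ret) == FALSE)
    return NULL;

  header = get_smb_header(smbblob:ret);
  if (!header)
    return NULL;

  # A non-zero signature field means the server signs messages.
  # Adopt our session key as MAC key only if none is set yet, and
  # account for the two exchanges (negotiate + this one) as signed.
  sig = hexstr(get_header_signature(header:header));
  if ("0000000000000000" >!< sig)
  {
    if (!session_get_mackey())
      session_set_mackey(key:skey);
    session_increase_sequencenumber();
    session_increase_sequencenumber();
  }

  uid = get_header_uid(header:header);
  session_set_uid(uid:uid);

  parameters = get_smb_parameters(smbblob:ret);
  if (!parameters || (strlen(parameters) < 6))
    return NULL;
  # Action word at offset 4: bit 0 set means the logon fell back to guest.
  guest = get_word(blob:parameters, pos:4);
  session_set_guest(guest:guest);

  return packet;
}

#---------------------------------------------------------#
# Function    : smb_session_setup_andx_ntlm_core          #
# Description : Create SMB packet for NTLM setupandx      #
#---------------------------------------------------------#
#
# SMB parameters :
#  BYTE  WordCount;
#  BYTE  Command;
#  BYTE  Reserved;
#  WORD  Offset;
#  WORD  MaxBufferSize;
#  WORD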
MaxMpxCount; ## WORD VcNumber; ## DWORD SessionKey; ## WORD CaseInsensitivePasswordLength; ## WORD CaseSensitivePasswordLength; ## DWORD Reserved; ## DWORD Capabilities; ## ## SMB data : ## WORD ByteCount; ## BYTE CaseInsensitivePassword[]; ## BYTE CaseSensitivePassword[]; ## BYTE Pad; # present with unicode only # # BYTE AccountName[]; ## BYTE PrimaryDomain[]; ## BYTE NativeOS[]; ## BYTE NativeLanMan[]; ## BYTE Pad2[]; # seems to be optionnal ## ##---------------------------------------------------------#function smb_session_setup_andx_ntlm_core (session_key,login,domain,password,lm_hash,ntlm_hash,mode,challenge,version){ local_var name,dom,pass,spass,ipass,header,parameters,data,packet,response,code,flags2,skey,guest; local_var domain_info, os_info, lan_info, mult, ret, uid, hinfo; header = smb_header (Command: SMB_COM_SESSION_SETUP_ANDX, Status: nt_status (Status: STATUS_SUCCESS)); if (!(mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE)) { # SAMBA servers support plain text password in NTLM. # Implementing CIFS don't know exactly how to do with password. # Need to look at SAMBA code return NULL; } ipass = spass = NULL; # NTLM use only unicode password if (session_is_unicode() == 0) { session_set_unicode (unicode:1); pass = cstring (string:password, _null:1); name = cstring (string:login, _null:1); dom = cstring (string:domain, _null:1); session_set_unicode (unicode:0); } else { pass = cstring (string:password, _null:1); name = cstring (string:login, _null:1); dom = cstring (string:domain, _null:1); } # If challenge/response mode we generate the response, else we keep plain text password if ((pass || lm_hash || ntlm_hash) && (mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE)) { # NOT WORKING ! 
#response= NTLMv2_Response (password:pass, login:name, domain:dom, challenge:challenge); #spass = response[0]; if (version == 2) { response = LMv2_Response (password:pass, login:name, hash:ntlm_hash, domain:dom, challenge:challenge); ipass = response[0]; # Windows allways use unicode password for mac key # like it is null (NTLMv2 to fix) we use a null byte [16] array skey = response[1]; } else { if (pass || ntlm_hash) { response = NTLM_Response (password:pass, hash:ntlm_hash, challenge:challenge); spass = response[0]; } else { response = LM_Response (password:pass, hash:lm_hash, challenge:challenge); ipass = response[0]; } skey = response[1] + response[0]; } # Security signatures are enabled only if server support them if (!session_get_mackey() && ((mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) || (mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED))) session_set_mackey (key:skey); } parameters = raw_byte (b:255) + # no further command raw_byte (b:0) + raw_word (w:0) + raw_word (w:session_get_buffersize()) + raw_word (w:1) + raw_word (w:0) +