
📄 smb_cifs.inc

📁 漏洞扫描源码,可以扫描linux,windows,交换机路由器
💻 INC
              raw_dword (d:session_key) +
              raw_word (w:strlen(ipass)) +
              raw_word (w:strlen(spass)) +
              raw_dword (d:0) +
              raw_dword (d: CAP_UNICODE * session_is_unicode() | CAP_LARGE_FILES | CAP_NT_SMBS | CAP_STATUS32 | CAP_LEVEL_II_OPLOCKS | CAP_NT_FIND );

 parameters = smb_parameters (data:parameters);

 # If Unicode we must add 1 byte pad
 if (session_is_unicode() == 1)
   spass += raw_string(0x00);

 data = ipass + spass +
        cstring (string:login) +
        cstring (string:domain) +
        cstring (string:nes_native_os) +
        cstring (string:nes_native_lanman);

 data = smb_data (data:data);
 packet = netbios_packet (header:header, parameters:parameters, data:data);
 ret = smb_sendrecv (data:packet);
 if (!ret)
   return NULL;
 data = get_smb_data (smbblob:ret);
 if (strlen(data)%2)
   data = substr(data,1,strlen(data)-1);
 os_info = get_string (blob:data, pos:0);
 if (session_is_unicode ())
   mult = 2;
 else
   mult = 1;
 lan_info = get_string (blob:data, pos: (strlen(os_info)+1)*mult);
 domain_info = get_string (blob:data, pos: (strlen(os_info)+strlen(lan_info)+2)*mult);
 session_set_host_info (domain:domain_info, os:os_info, lan:lan_info);
 if (smb_check_success (data:ret) == FALSE)
   return NULL;
 # Some checks in the header first
 header = get_smb_header (smbblob:ret);
 if (!header)
   return NULL;
 uid = get_header_uid (header:header);
 session_set_uid (uid:uid);
 # We now parse/take information in SMB parameters
 parameters = get_smb_parameters (smbblob:ret);
 if (!parameters || (strlen(parameters) < 6))
   return NULL;

 guest = get_word (blob:parameters, pos:4);
 session_set_guest (guest:guest);
 return packet;
}

#---------------------------------------------------------#
# Function    : smb_session_setup_andx_kerberos_core      #
# Description : Create SMB packet for Kerberos setupandx  #
#---------------------------------------------------------#
#
# Builds a SESSION_SETUP_ANDX request carrying a Kerberos security blob
# (extended security), sends it, and records the resulting session state.
#
# Arguments:
#   session_key       - dword copied into the request parameters
#   login, password,
#   realm, host       - forwarded to kerberos_securityblob()
#   mode              - negotiate flags; only the SECURITY_SIGNATURES bits
#                       are consulted here, to decide whether a MAC key is set
#
# Side effects on success: session_set_uid(), session_set_guest(), and
# (when signing is enabled by mode and a login was supplied) session_set_mackey()
# plus two sequence-number increments.
#
# Returns the request packet that was sent (non-NULL means the server accepted
# the setup), or NULL on any send failure, error status, truncated response
# or failed Kerberos response check.

function smb_session_setup_andx_kerberos_core (session_key,login,password,realm,host,mode)
{
 local_var name,dom,pass,spass,ipass,header,parameters,data,packet,response;
 local_var uid, bloblength, securityblob, guest, key, kerb_data, flags2, code, ret;

 header = smb_header (Command: SMB_COM_SESSION_SETUP_ANDX,
                      Status: nt_status (Status: STATUS_SUCCESS));

 # kerb_data[0] is the key later used to verify the server's reply,
 # kerb_data[1] is the blob placed in the request.
 kerb_data = kerberos_securityblob (login:login,password:password,realm:realm,host:host);
 if (isnull(kerb_data))
   return NULL;

 securityblob = kerb_data[1];

 # The blob length word is taken BEFORE the alignment pad below is appended,
 # so the pad byte is not counted in SecurityBlobLength.
 parameters = raw_byte (b:255) + # no further command
              raw_byte (b:0) +
              raw_word (w:0) +
              raw_word (w:session_get_buffersize()) +
              raw_word (w:1) +
              raw_word (w:0) +
              raw_dword (d:session_key) +
              raw_word (w:strlen(securityblob)) +
              raw_dword (d:0) +
              raw_dword (d: CAP_UNICODE * session_is_unicode() | CAP_LARGE_FILES | CAP_NT_SMBS | CAP_STATUS32 | CAP_LEVEL_II_OPLOCKS | CAP_NT_FIND | CAP_EXTENDED_SECURITY);

 parameters = smb_parameters (data:parameters);

 # Alignment pad for the strings that follow the blob: one pad byte is added
 # when strlen(securityblob) is EVEN (the condition below checks == 0; an
 # earlier comment said "odd", which did not match the code).
 if ((strlen (securityblob) % 2) == 0)
   securityblob += raw_string(0x00);

 data = securityblob +
        cstring (string:nes_native_os) +
        cstring (string:nes_native_lanman);

 data = smb_data (data:data);
 packet = netbios_packet (header:header, parameters:parameters, data:data);
 ret = smb_sendrecv (data:packet);
 if (!ret)
   return NULL;

 # Some checks in the header first
 header = get_smb_header (smbblob:ret);
 if (!header)
   return NULL;
 # The status field is interpreted as an NT status or a DOS error code
 # depending on the FLAGS2 32-bit-status bit; either way anything but
 # success aborts the setup.
 flags2 = get_header_flags2 (header:header);
 if (flags2 & SMB_FLAGS2_32BIT_STATUS)
 {
   code = get_header_nt_error_code (header:header);
   if (code != STATUS_SUCCESS)
     return NULL;
 }
 else
 {
   code = get_header_dos_error_code (header:header);
   if (code != NO_ERROR)
     return NULL;
 }
 uid = get_header_uid (header:header);
 session_set_uid (uid:uid);

 # We now parse/take information in SMB parameters.
 # At least 8 bytes are needed: the guest word is read at offset 4 and the
 # blob length word at offset 6.
 parameters = get_smb_parameters (smbblob:ret);
 if (!parameters || (strlen(parameters) < 8))
   return NULL;

 guest = get_word (blob:parameters, pos:4);
 session_set_guest (guest:guest);
 bloblength = get_word (blob:parameters, pos:6);

 # We now parse/take information in SMB data.
 # bloblength comes from the server; it is bounded against the actual data
 # length before being used to slice the blob.
 data = get_smb_data (smbblob:ret);
 if (!data)
   return NULL;

 if (strlen(data) < bloblength)
   return NULL;

 securityblob = substr (data, 0, bloblength - 1);
 if (!securityblob)
   return NULL;
 # Verify the server's Kerberos reply against the key from kerb_data[0].
 # check_kerberos_response() returns NULL on failure; on success key[0]
 # selects which key becomes the signing key (see below).
 key = check_kerberos_response (data:securityblob, key:kerb_data[0]);
 if (isnull(key))
   return NULL;
 # Signing is only enabled if no MAC key is set yet, the negotiated mode
 # requires or enables signatures, and a real (non-NULL) login was used.
 # When key[0] == 0 the original kerb_data[0] key is used, otherwise key[1].
 # Two sequence-number increments follow, presumably accounting for the
 # request/response pair just exchanged -- TODO confirm against the signing code.
 if (!session_get_mackey() && ((mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) || (mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)) && (login))
 {
  if (key[0] == 0)
    session_set_mackey (key:kerb_data[0]);
  else
    session_set_mackey (key:key[1]);

  session_increase_sequencenumber();
  session_increase_sequencenumber();
 }
 return packet;
}

#---------------------------------------------------------#
# Function    : smb_session_setup_andx_ntlmssp_core       #
# Description : Create SMB packet for ntlmssp setupandx   #
#---------------------------------------------------------#
#
# Performs the two-step NTLMSSP session setup (extended security):
#   1. send a NEGOTIATE blob and expect STATUS_MORE_PROCESSING_REQUIRED,
#      parse the CHALLENGE blob (challenge, target name, address list);
#   2. send an AUTHENTICATE blob built from the challenge and expect
#      STATUS_SUCCESS with an "accept completed" response blob.
#
# Arguments:
#   session_key       - dword copied into both request parameter blocks
#   login, password,
#   hash, domain      - credentials forwarded to ntlmssp_auth_securityblob();
#                       when login is NULL, a null session (NULL name/pass/dom)
#                       is attempted
#   mode              - negotiate flags; only the SECURITY_SIGNATURES bits
#                       are consulted here
#
# Side effects on success: session_set_uid(), session_set_guest(),
# session_set_addrlist(), session_set_host_info(), and (when signing is
# enabled by mode and a login was supplied) session_set_mackey().
# session_set_unicode() is toggled temporarily while encoding the
# credentials when the session is not already Unicode.
#
# Returns the second (AUTHENTICATE) request packet that was sent, or NULL
# on any failure along the way.

function smb_session_setup_andx_ntlmssp_core (session_key,login,password,hash,domain,mode)
{
 local_var name,dom,pass,header,parameters,data,packet,response,uid,guest, bloblength, ret, code;
 local_var challenge, securityblob,securityblob_length,d_name,h_info,os_info,lan_info,mult,hinfo;

 header = smb_header (Command: SMB_COM_SESSION_SETUP_ANDX,
                      Status: nt_status (Status: STATUS_SUCCESS));

 # Step 1: NTLMSSP NEGOTIATE
 securityblob = ntlmssp_negotiate_securityblob ();

 # Blob length word is taken before the alignment pad is appended.
 parameters = raw_byte (b:255) + # no further command
              raw_byte (b:0) +
              raw_word (w:0) +
              raw_word (w:session_get_buffersize()) +
              raw_word (w:1) +
              raw_word (w:1) +
              raw_dword (d:session_key) +
              raw_word (w:strlen(securityblob)) +
              raw_dword (d:0) +
              raw_dword (d: CAP_UNICODE * session_is_unicode() | CAP_LARGE_FILES | CAP_NT_SMBS | CAP_STATUS32 | CAP_LEVEL_II_OPLOCKS | CAP_NT_FIND | CAP_EXTENDED_SECURITY);

 parameters = smb_parameters (data:parameters);

 # Alignment pad: one pad byte is added when strlen(securityblob) is EVEN
 # (the condition checks == 0; an earlier comment said "odd").
 if ((strlen (securityblob) % 2) == 0)
   securityblob += raw_string(0x00);

 data = securityblob +
        cstring (string:nes_native_os) +
        cstring (string:nes_native_lanman) +
        cstring (string:domain);

 data = smb_data (data:data);
 packet = netbios_packet (header:header, parameters:parameters, data:data);
 ret = smb_sendrecv (data:packet);

 if (!ret)
   return NULL;
 # Some checks in the header first
 header = get_smb_header (smbblob:ret);
 if (!header)
   return NULL;

 # For the NEGOTIATE step the only acceptable status is
 # STATUS_MORE_PROCESSING_REQUIRED (the server is returning a CHALLENGE).
 code = get_header_nt_error_code (header:header);
 if (code != STATUS_MORE_PROCESSING_REQUIRED)
   return NULL;
 uid = get_header_uid (header:header);
 session_set_uid (uid:uid);

 # We now parse/take information in SMB parameters
 # NOTE(review): unlike the other call sites in this file, no
 # strlen(parameters) < 8 check precedes the get_word() at offset 6 here;
 # a truncated response relies on get_word() tolerating a short blob -- confirm.
 parameters = get_smb_parameters (smbblob:ret);
 if (!parameters)
   return NULL;

 bloblength = get_word (blob:parameters, pos:6);

 # We now parse/take information in SMB data.
 # bloblength is server-supplied and bounded against the real data length
 # before the blob is sliced out.
 data = get_smb_data (smbblob:ret);
 if (!data)
   return NULL;

 if (strlen(data) < bloblength)
   return NULL;

 securityblob = substr (data, 0, bloblength - 1);
 # ntlmssp_parse_challenge() returns an array: [0] the challenge itself,
 # [1] the target (domain) name blob, [2] the address list.
 challenge = ntlmssp_parse_challenge (data:securityblob);
 if (isnull(challenge))
   return NULL;

 session_set_addrlist(addrlist:challenge[2]);
 d_name = get_string2 (blob:challenge[1], pos:0, len:strlen(challenge[1]));
 challenge = challenge[0];
 # Host info strings follow the blob; a leading NUL is an alignment pad
 # byte and is skipped before reading the native OS / LANMAN strings.
 hinfo = substr(data,bloblength,strlen(data)-1);
 if ((strlen(hinfo) > 1) && hinfo[0] == '\0')
   hinfo = substr(hinfo, 1, strlen(hinfo)-1);
 os_info = get_string (blob:hinfo, pos:0);
 # String offsets are in bytes: 2 per character when the session is Unicode.
 if (session_is_unicode ())
   mult = 2;
 else
   mult = 1;
 lan_info = get_string (blob:hinfo, pos: (strlen(os_info)+1)*mult);
 session_set_host_info (domain:d_name, os:os_info, lan:lan_info);
 # Step 2: build the AUTHENTICATE credentials. A NULL login yields a null
 # session (all three fields NULL).
 if (login)
 {
  # NTLM use only unicode password
  # The session is switched to Unicode just long enough to encode the
  # three strings, then restored.
  if (session_is_unicode() == 0)
  {
   session_set_unicode (unicode:1);
   if (password)
     pass = cstring (string:password, _null:1);
   else
     pass = NULL;
   name = cstring (string:login, _null:1);
   dom = cstring (string:domain, _null:1);
   session_set_unicode (unicode:0);
  }
  else
  {
   pass = cstring (string:password, _null:1);
   name = cstring (string:login, _null:1);
   dom = cstring (string:domain, _null:1);
  }
 }
 else
 {
  name = NULL;
  pass = NULL;
  dom = NULL;
 }
 # ntlmssp_auth_securityblob() returns [0] the session/MAC key and
 # [1] the AUTHENTICATE blob.
 securityblob = ntlmssp_auth_securityblob (password:pass,login:name,hash:hash,domain:dom,challenge:challenge);
 if (isnull(securityblob))
   return NULL;
 # Security signatures are enabled only if server support them (per mode),
 # no MAC key is set yet, and a real login was used. The signing key is the
 # first element returned by ntlmssp_auth_securityblob(); the commented-out
 # line below is the earlier all-zero key ("null session_key, LMv2 only")
 # approach, kept for reference.
 if (!session_get_mackey() && ((mode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) || (mode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED)) && (login))
  # session_set_mackey (key:crap(data:raw_string(0),length:16));
   session_set_mackey (key:securityblob[0]);
 securityblob = securityblob[1];
 header = smb_header (Command: SMB_COM_SESSION_SETUP_ANDX,
                      Status: nt_status (Status: STATUS_SUCCESS));
 parameters = raw_byte (b:255) + # no further command
              raw_byte (b:0) +
              raw_word (w:0) +
              raw_word (w:session_get_buffersize()) +
              raw_word (w:1) +
              raw_word (w:0) +
              raw_dword (d:session_key) +
              raw_word (w:strlen(securityblob)) +
              raw_dword (d:0) +
              raw_dword (d: CAP_UNICODE * session_is_unicode() | CAP_LARGE_FILES | CAP_NT_SMBS | CAP_STATUS32 | CAP_LEVEL_II_OPLOCKS | CAP_NT_FIND | CAP_EXTENDED_SECURITY);

 parameters = smb_parameters (data:parameters);

 # Alignment pad, same rule as above: pad when the blob length is EVEN.
 if ((strlen (securityblob) % 2) == 0)
   securityblob += raw_string(0x00);

 data = securityblob +
        cstring (string:nes_native_os) +
        cstring (string:nes_native_lanman) +
        cstring (string:domain);

 data = smb_data (data:data);
 packet = netbios_packet (header:header, parameters:parameters, data:data);

 ret = smb_sendrecv (data:packet);

 if (!ret)
   return NULL;
 # Some checks in the header first
 header = get_smb_header (smbblob:ret);
 if (!header)
   return NULL;

 # For the AUTHENTICATE step only STATUS_SUCCESS is accepted.
 code = get_header_nt_error_code (header:header);
 if (code != STATUS_SUCCESS)
   return NULL;
 uid = get_header_uid (header:header);
 session_set_uid (uid:uid);

 # We now parse/take information in SMB parameters
 # (guest word at offset 4, blob length word at offset 6; hence the 8-byte minimum)
 parameters = get_smb_parameters (smbblob:ret);
 if (!parameters || (strlen(parameters) < 8))
   return NULL;
 guest = get_word (blob:parameters, pos:4);
 session_set_guest (guest:guest);
 bloblength = get_word (blob:parameters, pos:6);
 # We now parse/take information in SMB data
 data = get_smb_data (smbblob:ret);
 if (!data)
   return NULL;

 if (strlen(data) < bloblength)
   return NULL;

 securityblob = substr (data, 0, bloblength - 1);
 # ntlmssp_parse_response() returns 0 for "accept completed"; anything
 # else (or a parse failure) means the authentication was not accepted.
 challenge = ntlmssp_parse_response (data:securityblob);
 if (isnull(challenge) || (challenge != 0)) # Accept Completed
   return NULL;
 return packet;
}

#---------------------------------------------------------#
# Function    : smb_session_setup_andx                    #
# Description : Authenticate to the remote host           #
#---------------------------------------------------------#

function smb_session_setup_andx (session_key, dialect, challenge, mode, extended, login, password, lm_hash, ntlm_hash, domain, host, realm)
{
 local_var packet, ct, onlyv2;

 # If cleartext is prohibited we return NULL
 ct = get_kb_item("SMB/dont_send_in_cleartext");
 if ((ct == "yes") && (!(mode & NEGOTIATE_SECURITY_CHALLENGE_RESPONSE)))
 return NULL;

 onlyv2 = get_kb_item ("SMB/dont_send_ntlmv1");

 # If LANMAN2.1 protocol
 if (protocol[dialect] == "LANMAN2.1")
 {
  if (onlyv2) return NULL;
  packet = smb_session_setup_andx_lanman_core (session_key:session_key,
                                               login:login,
                                               domain:domain,
                                               password:password,
                                               hash:lm_hash,
                                               mode:mode,
                                               challenge:challenge);
  return packet;
 }

 # If NT LM 0.12 protocol
