我正在尝试为命令创建NTLMSSP身份验证的安全博客:
smb_com_session_setup_andx,但我无法创建它,这是我正在使用的代码。
unsigned char *parameters_ptr = _tango_smb_getParametersPointer(smb);
unsigned int parameters_offset = 0;
// AndX Command
*((unsigned char *)(parameters_ptr + parameters_offset)) = SMB_COM_NONE;
parameters_offset+=2; // 1 byte reserved
// AndX Offset
*((unsigned short *)(parameters_ptr + parameters_offset)) = 0;
parameters_offset+=2;
// MaxBufferSize
//MaxBufferSize | Win-7=0x1104 (4356) | WinXP=0xffff (65535)
//changeapply //MAX_SMB_SIZE_Windows7
*((unsigned short *)(parameters_ptr + parameters_offset)) = MAX_SMB_SIZE_Windows7;
parameters_offset+=2;
// MaxMpxCount
//MaxMpxCount | Win-7=50 | WinXP=2
//changeapply //MAX_SMB_SIZE_Windows7
*((unsigned short *)(parameters_ptr + parameters_offset)) = 50;
parameters_offset+=2;
// VcNumber
//VcNumber | Win-7= (8) | WinXP= (1300)
//changeapply
*((unsigned short *)(parameters_ptr + parameters_offset)) = 6;
parameters_offset+=2;
// SessionKey
*((unsigned int *)(parameters_ptr + parameters_offset)) = connection->session_key;
parameters_offset+=4;
// CaseInsensitivePasswordLength (used for response of challenge/response security)
// SecurityBlobLength in Windows7 (used for response of challenge/response security)
//CaseInsensitivePasswordLength | Win-7=66 | WinXP=24
//changeapply
//blob length
*((unsigned int *)(parameters_ptr + parameters_offset)) = 298;
parameters_offset+=2;
// Reserved
*((unsigned int *)(parameters_ptr + parameters_offset)) = 0;
parameters_offset+=4;
//Windows7 don't this argument
// CaseSensitivePasswordLength
// *((unsigned short *)(parameters_ptr + parameters_offset)) = 0;
// parameters_offset+=2;
// Capabilities
//For Xp Capabilites = CAP_EXTENDED_SECURITY | CAP_STATUS32 | CAP_RAW_MODE
// = 0x80000041
//For Windows 7 Capabilites = 0x8000c05c
// printf("Cababilites %0x",CAP_EXTENDED_SECURITY | CAP_STATUS32 | CAP_RAW_MODE);
//changeapply
*((unsigned int *)(parameters_ptr + parameters_offset)) = 0x8000c05c;
parameters_offset+=4;
//ByteCount | Win-7=123 | WinXP=44
//changeapply may apply
_tango_smb_setParametersSize(smb, parameters_offset);
printf("parameters_offset %d\n",parameters_offset);
// Data
unsigned char *data_ptr = _tango_smb_getDataPointer(smb);
unsigned int data_offset = 0;
// LM-Security response
//LM-Security response | Win-7=66 | WinXP=24
//security blob started from here
int temp=0;
unsigned char *protocol="NTLMSSP";
strcpy((char *)((sec_response + temp)), protocol);
temp += strlen((char *)(sec_response + temp)) + 1;
int type=0x00000003;
sec_response[temp]=type;
temp+=4;
short lm_resp_len=0x18; // LanManager response length (always 0x18)
sec_response[temp]=lm_resp_len;
temp+=2;
short lm_resp_max_len=0x18; // LanManager response max length
sec_response[temp]=lm_resp_max_len;
temp+=2;
int lm_resp_off=10; // LanManager response offset
sec_response[temp]=lm_resp_off;
temp+=4;
short nt_resp_len=0x18; // NT response length (always 0x18)
sec_response[temp]=nt_resp_len;
temp+=2;
short nt_resp_max_len=0x18; // NT response max length
sec_response[temp]=nt_resp_max_len;
temp+=2;
int nt_resp_off=11; // NT response offset
sec_response[temp]=nt_resp_off;
temp+=4;
short dom_len=10; // NT domain name length
sec_response[temp]=dom_len;
temp+=2;
short dom_max_len=20; // NT domain name max length
sec_response[temp]=dom_max_len;
temp+=2;
int dom_off=10; // NT domain name offset (always 0x0040)
sec_response[temp]=dom_off;
temp+=4;
short user_len=8; // username length
sec_response[temp]=user_len;
temp+=2;
short user_max_len=20 ; // username max length
sec_response[temp]=user_max_len;
temp+=2;
int user_off=20; // username offset
sec_response[temp]=user_off;
temp+=4;
short host_len=40; // local workstation name length
sec_response[temp]=host_len;
temp+=2;
short host_max_len=20; // local workstation name max length
sec_response[temp]=host_max_len;
temp+=2;
int host_off=1; // local workstation name offset
sec_response[temp]=host_off;
temp+=4;
short session_len=11; // session key length
sec_response[temp]=session_len;
temp+=2;
short session_max_len=14; // session key max length
sec_response[temp]=session_max_len;
temp+=2;
int session_off=9; // session key offset
sec_response[temp]=session_off;
temp+=4;
int flags=20; // 0x00008201
sec_response[temp]=flags;
temp+=4;
char *domain="example"; // NT domain name (UCS-16LE)
strcpy((char *)((sec_response + temp)), domain);
temp += strlen((char *)(sec_response + temp)) + 1;
char *user="waqar"; // username (UCS-16LE)
strcpy((char *)((sec_response + temp)), user);
temp += strlen((char *)(sec_response + temp)) + 1;
char *host="eeeddd"; // local workstation name (UCS-16LE)
strcpy((char *)((sec_response + temp)), host);
temp += strlen((char *)(sec_response + temp)) + 1;
char *lm_resp="aaa"; // LanManager response
strcpy((char *)((sec_response + temp)), lm_resp);
temp += strlen((char *)(sec_response + temp)) + 1;
char *nt_resp="aaaaa"; // NT response
strcpy((char *)((sec_response + temp)), nt_resp);
temp += strlen((char *)(sec_response + temp)) + 1;
printf("len2: %lu",strlen(sec_response));
memcpy(data_ptr + data_offset, sec_response, strlen(sec_response));
data_offset += strlen(sec_response);
// NativeOS
strcpy((char *)((data_ptr + data_offset)), "Mac OS X 10.6.8");
data_offset += strlen((char *)(data_ptr + data_offset)) + 1;
// NativeLanMan
strcpy((char *)((data_ptr + data_offset)), "SMBFS 1.6.7");
data_offset += strlen((char *)(data_ptr + data_offset)) + 1;
// data_offset += 29;
_tango_smb_setDataSize(smb, data_offset);