archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
4 Commits
1 Branch
0 Tags
4.9 GiB
Tree: 5c6fe3db62
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '5c6fe3db62'
${ noResults }
windows-server-2003/ds/security/protocols/msv_sspi/test/injection/owfs/owfs.cxx

355 lines
9.7 KiB
Raw Normal View History

commiting as it is
4 years ago
  1. /*++
  3. Copyright (c) 2001 Microsoft Corporation
  5. Module Name:
  7. owfs.cxx
  9. Abstract:
  11. Injectee
  13. Author:
  15. Larry Zhu (LZhu) December 1, 2001 Created
  17. Environment:
  19. User Mode
  21. Revision History:
  23. --*/
  25. #include "precomp.hxx"
  26. #pragma hdrstop
  28. #include <lmcons.h>
  29. #include "owfs.hxx"
  31. EXTERN_C
  32. NTSTATUS
  33. LsaICallPackageEx(
  34. IN PUNICODE_STRING AuthenticationPackage,
  35. IN PVOID ClientBufferBase,
  36. IN PVOID ProtocolSubmitBuffer,
  37. IN ULONG SubmitBufferLength,
  38. OUT PVOID * ProtocolReturnBuffer,
  39. OUT PULONG ReturnBufferLength,
  40. OUT PNTSTATUS ProtocolStatus
  41. );
  43. PLSA_SECPKG_FUNCTION_TABLE LsaFunctions = NULL;
  44. CHAR MyPassword[PWLEN + 1] = {0};
  45. PLSA_CALL_PACKAGE SavedCallPackage = NULL;
  47. BOOL
  48. DllMain(
  49. IN HANDLE hModule,
  50. IN DWORD dwReason,
  51. IN DWORD dwReserved
  52. )
  53. {
  54. switch (dwReason)
  55. {
  56. case DLL_THREAD_ATTACH:
  57. break;
  59. case DLL_THREAD_DETACH:
  60. break;
  62. case DLL_PROCESS_DETACH:
  63. if (SavedCallPackage && LsaFunctions)
  64. {
  65. DebugPrintf(SSPI_LOG, "DllMain DLL_PROCESS_DETACH retoring CallPackage from %p to %p\n", LsaFunctions->CallPackage, SavedCallPackage);
  66. LsaFunctions->CallPackage = SavedCallPackage;
  67. }
  68. break;
  70. case DLL_PROCESS_ATTACH:
  71. break;
  73. default:
  74. break;
  75. }
  77. return DllMainDefaultHandler(hModule, dwReason, dwReserved);
  78. }
  80. int
  81. RunIt(
  82. IN ULONG cbParameters,
  83. IN VOID* pvParameters
  84. )
  85. {
  86. //
  87. // RunItDefaultHandler calls Start() and adds try except
  88. //
  90. return RunItDefaultHandler(cbParameters, pvParameters);
  91. }
  93. typedef struct _TTempResp {
  94. ENCRYPTED_CREDENTIALW returnCred;
  95. MSV1_0_SUPPLEMENTAL_CREDENTIAL suppCred;
  96. } TTempResp;
  98. extern "C"
  99. NTSTATUS
  100. CustomCallPackage(
  101. IN PUNICODE_STRING AuthenticationPackage,
  102. IN PVOID ProtocolSubmitBuffer,
  103. IN ULONG SubmitBufferLength,
  104. OUT PVOID *ProtocolReturnBuffer,
  105. OUT PULONG ReturnBufferLength,
  106. OUT PNTSTATUS ProtocolStatus
  107. )
  108. {
  109. NTSTATUS Status = STATUS_SUCCESS;
  110. __try
  111. {
  112. if (KerbQuerySupplementalCredentialsMessage != *((ULONG*)ProtocolSubmitBuffer))
  113. {
  114. DebugPrintf(SSPI_LOG, "Calling LsaICallPackageEx\n");
  116. Status = LsaICallPackageEx(
  117. AuthenticationPackage,
  118. ProtocolSubmitBuffer, // client buffer base is same as local buffer
  119. ProtocolSubmitBuffer,
  120. SubmitBufferLength,
  121. ProtocolReturnBuffer,
  122. ReturnBufferLength,
  123. ProtocolStatus
  124. );
  125. }
  126. else
  127. {
  128. KERB_QUERY_SUPPLEMENTAL_CREDS_REQUEST* pQuerySuppCred = (KERB_QUERY_SUPPLEMENTAL_CREDS_REQUEST*) ProtocolSubmitBuffer;
  129. KERB_QUERY_SUPPLEMENTAL_CREDS_RESPONSE* pQuerySuppCredResp = NULL;
  130. UNICODE_STRING KerberosPackageName = CONSTANT_UNICODE_STRING((MICROSOFT_KERBEROS_NAME_W));
  131. UNICODE_STRING MsvPackageNam = CONSTANT_UNICODE_STRING((NTLMSP_NAME));
  132. ULONG cbResponse = 0;
  133. NTSTATUS SubStatus = STATUS_UNSUCCESSFUL;
  134. PCREDENTIALW pCred = NULL;
  135. MSV1_0_SUPPLEMENTAL_CREDENTIAL* pMsvSuppCred = NULL;
  136. TTempResp* pTempResp = NULL;
  138. DebugPrintf(SSPI_LOG, "Do it myself\n");
  140. ASSERT(LsaFunctions);
  142. pTempResp = (TTempResp*) LsaFunctions->AllocatePrivateHeap(sizeof(TTempResp));
  143. pQuerySuppCredResp = (KERB_QUERY_SUPPLEMENTAL_CREDS_RESPONSE*) pTempResp;
  145. if (!pQuerySuppCredResp)
  146. {
  147. Status = STATUS_NO_MEMORY;
  148. }
  150. if (NT_SUCCESS(Status))
  151. {
  152. ANSI_STRING Ansi;
  153. UNICODE_STRING NtPass = {0};
  154. RtlInitAnsiString(&Ansi, MyPassword);
  155. RtlAnsiStringToUnicodeString(&NtPass, &Ansi, TRUE);
  157. //
  158. // make a copy of cert cred
  159. //
  161. pQuerySuppCredResp->ReturnedCreds = *(ENCRYPTED_CREDENTIALW*)pQuerySuppCred->MarshalledCreds;
  163. //
  164. // make a supplemental cred
  165. //
  167. pMsvSuppCred = &pTempResp->suppCred;
  168. pMsvSuppCred->Flags = CRED_FLAGS_PASSWORD_FOR_CERT | CRED_FLAGS_OWF_CRED_BLOB;
  169. pMsvSuppCred->Version = MSV1_0_CRED_VERSION;
  170. RtlCalculateNtOwfPassword(&NtPass, (PNT_OWF_PASSWORD) pMsvSuppCred->NtPassword);
  171. RtlCalculateLmOwfPassword(MyPassword, (PLM_OWF_PASSWORD) pMsvSuppCred->LmPassword);
  172. pMsvSuppCred->Flags = MSV1_0_CRED_NT_PRESENT | MSV1_0_CRED_LM_PRESENT;
  175. //
  176. // encrypt it
  177. //
  179. pQuerySuppCredResp->ReturnedCreds.Cred.CredentialBlob = (BYTE*) pMsvSuppCred;
  180. pQuerySuppCredResp->ReturnedCreds.Cred.CredentialBlobSize = sizeof(MSV1_0_SUPPLEMENTAL_CREDENTIAL);
  181. LsaFunctions->LsaProtectMemory(
  182. pQuerySuppCredResp->ReturnedCreds.Cred.CredentialBlob,
  183. pQuerySuppCredResp->ReturnedCreds.Cred.CredentialBlobSize
  184. );
  185. pQuerySuppCredResp->ReturnedCreds.ClearCredentialBlobSize = sizeof(MSV1_0_SUPPLEMENTAL_CREDENTIAL);
  187. //
  188. // fill in the flags and types etc
  189. //
  191. pQuerySuppCredResp->ReturnedCreds.Cred.Flags = CRED_FLAGS_OWF_CRED_BLOB;
  192. pQuerySuppCredResp->ReturnedCreds.Cred.Type = CRED_TYPE_DOMAIN_PASSWORD;
  193. pQuerySuppCredResp->ReturnedCreds.Cred.UserName = L"ntdev\\lzhu";
  195. if (0)
  196. {
  197. NTSTATUS TempStatus;
  199. TempStatus = LsaFunctions->CrediWrite(
  200. &pQuerySuppCred->LogonId,
  201. 0,
  202. &pQuerySuppCredResp->ReturnedCreds,
  203. 0
  204. );
  206. if (!NT_SUCCESS(TempStatus))
  207. {
  208. DebugPrintf(SSPI_ERROR, "CrediWrite failed with %#x\n", TempStatus);
  209. }
  210. }
  212. *ProtocolStatus = STATUS_SUCCESS;
  213. *ProtocolReturnBuffer = pQuerySuppCredResp;
  214. *ReturnBufferLength = sizeof(MSV1_0_SUPPLEMENTAL_CREDENTIAL) + sizeof(ENCRYPTED_CREDENTIALW);
  215. }
  216. }
  217. }
  218. __except (EXCEPTION_EXECUTE_HANDLER)
  219. {
  220. Status = GetExceptionCode();
  221. DebugPrintf(SSPI_ERROR, "CustomCallPackage hit exception %#x\n", Status);
  222. }
  224. return Status;
  225. }
  227. #if 0
  229. Return Values for Start():
  231. ERROR_NO_MORE_USER_HANDLES unload repeatedly
  232. ERROR_SERVER_HAS_OPEN_HANDLES no unload at all
  233. others unload once
  235. #endif 0
  237. int
  238. Start(
  239. IN ULONG cbParameters,
  240. IN VOID* pvParameters
  241. )
  242. {
  243. DWORD dwErr = ERROR_SUCCESS;
  245. DebugPrintf(SSPI_LOG, "Start: Hello world!\n");
  246. DebugPrintHex(SSPI_LOG, "Parameters", cbParameters, pvParameters);
  248. LsaFunctions = *((PLSA_SECPKG_FUNCTION_TABLE*)pvParameters);
  250. if (!LsaFunctions)
  251. {
  252. return -1;
  253. }
  255. if (cbParameters > sizeof(ULONG_PTR))
  256. {
  257. memcpy(MyPassword, ((UCHAR*)pvParameters) + sizeof(ULONG_PTR), cbParameters - sizeof(ULONG_PTR));
  259. if (strlen(MyPassword) == 1)
  260. {
  261. DebugPrintf(SSPI_WARN, "Start: trying to unload this dll repeately\n");
  262. dwErr = ERROR_NO_MORE_USER_HANDLES;
  263. goto Cleanup;
  264. }
  265. }
  267. //
  268. // Sanity Check
  269. //
  271. {
  272. VOID* pvMem = NULL;
  273. pvMem = LsaFunctions->AllocatePrivateHeap(sizeof(WCHAR));
  274. if (pvMem)
  275. {
  276. LsaFunctions->FreePrivateHeap(pvMem);
  277. }
  278. }
  280. if (!SavedCallPackage)
  281. {
  282. DebugPrintf(SSPI_LOG, "Start: saving CallPackage %p, CustomCallPackage %p\n", LsaFunctions->CallPackage, CustomCallPackage);
  283. SavedCallPackage = LsaFunctions->CallPackage;
  284. LsaFunctions->CallPackage = CustomCallPackage;
  285. }
  287. //
  288. // don't unload this dll
  289. //
  291. dwErr = ERROR_SERVER_HAS_OPEN_HANDLES;
  293. Cleanup:
  295. return dwErr;
  296. }
  298. int
  299. Init(
  300. IN ULONG argc,
  301. IN PCSTR* argv,
  302. OUT ULONG* pcbParameters,
  303. OUT VOID** ppvParameters
  304. )
  305. {
  306. DWORD dwErr = ERROR_SUCCESS;
  307. CHAR Parameters[REMOTE_PACKET_SIZE] = {0};
  308. ULONG cbBuffer = sizeof(Parameters);
  309. ULONG cbParameter = 0;
  311. DebugPrintf(SSPI_LOG, "Init: Hello world!\n");
  313. *pcbParameters = 0;
  314. *ppvParameters = NULL;
  316. ULONG_PTR LsaFunctions = 0x745b5688;
  318. DebugPrintf(SSPI_LOG, "LsaFunctions is %p\n", LsaFunctions);
  320. memcpy(Parameters, &LsaFunctions, sizeof(LsaFunctions));
  321. cbParameter = sizeof(LsaFunctions);
  323. if (argc >= 1)
  324. {
  325. memcpy(Parameters + cbParameter, argv[0], strlen(argv[0]));
  326. cbParameter += strlen(argv[0]);
  327. cbParameter++; // add a NULL
  329. dwErr = ERROR_SUCCESS;
  330. }
  331. else // return "Usage" in ppvParameters, must be a NULL terminated string
  332. {
  333. strcpy(Parameters, "<password>");
  334. cbParameter = strlen(Parameters) + 1;
  336. dwErr = ERROR_INVALID_PARAMETER;
  337. }
  339. *ppvParameters = new CHAR[cbParameter];
  340. if (*ppvParameters)
  341. {
  342. *pcbParameters = cbParameter;
  343. memcpy(*ppvParameters, Parameters, *pcbParameters);
  344. }
  345. else
  346. {
  347. dwErr = ERROR_OUTOFMEMORY;
  348. goto Cleanup;
  349. }
  351. Cleanup:
  353. return dwErr;
  354. }