#define WINVER 0x500
#define _WIN32_WINNT 0x0500
#include <windows.h>
#include <stdio.h>

#include <ras.h>
#include <raserror.h>
#include <Ntsecapi.h>
#include <Userenv.h>
#include <Sddl.h>

#pragma comment(lib,"Rasapi32.lib")
#pragma comment(lib,"advapi32.lib")
#pragma comment(lib,"UserEnv.lib")

// Narrowed copy of the current user's "RasDialParams!<SID>#0" LSA secret,
// filled by main() through WideCharToMultiByte and scanned by get_real_pass().
// Nothing in this file guarantees that the contents are NUL-terminated.
unsigned char            private_data[0x500];
// Number of bytes main() wrote into private_data (the WideCharToMultiByte
// return value); get_real_pass() uses it as its scan limit.
int                        data_len;

/*
 * Locate the stored password for one phone-book entry inside the narrowed
 * LSA secret held in private_data.
 *
 * The blob is treated as a run of NUL-terminated strings: the scan first
 * finds an offset whose string equals the decimal DialParamsUID, then, from
 * that offset on, an offset whose string equals the user name.  The password
 * is taken to be the string that starts right after the user name's
 * terminator.
 *
 * user            NUL-terminated user name of the entry.
 * dwDialParamsUID DialParamsUID of the entry, as read from rasphone.pbk.
 *
 * Returns a pointer into private_data just past the user name, or NULL when
 * either the UID or the user name is not found within data_len bytes.  Only
 * the starting offsets are bounded by data_len; each strcmp()/strlen() runs
 * to the next NUL byte, which may lie beyond data_len if the blob is not
 * NUL-terminated.
 */
unsigned char * get_real_pass(unsigned char *user, DWORD dwDialParamsUID)
{
    unsigned char uid_text[52];
    unsigned char *cursor = private_data;
    unsigned char *end = private_data + data_len;

    /* The UID is stored in the secret as its decimal text. */
    _snprintf(uid_text, sizeof(uid_text), "%d", dwDialParamsUID);

    /* First offset whose string is exactly the UID text. */
    while (cursor < end && strcmp(cursor, uid_text) != 0) {
        cursor++;
    }
    if (cursor >= end) {
        return NULL;
    }

    /* From the UID onwards, first offset whose string is exactly the user. */
    while (cursor < end && strcmp(cursor, user) != 0) {
        cursor++;
    }
    if (cursor >= end) {
        return NULL;
    }

    /* Password follows the user name's NUL terminator. */
    return cursor + strlen(user) + 1;
}

/*
 * Entry point: enumerates the RAS phone-book entries visible to the current
 * user and, for each one, prints the entry name, the stored user name and the
 * password that get_real_pass() locates in the narrowed LSA secret.
 *
 * Flow as written below:
 *   1. resolve the current user's SID and render it as a string;
 *   2. open the LSA policy and read the private-data secret named
 *      "RasDialParams!<string SID>#0";
 *   3. narrow the UTF-16 secret into the global private_data;
 *   4. build the two rasphone.pbk paths (all-users and per-user profile);
 *   5. enumerate entries, read each entry's DialParamsUID from the .pbk and
 *      print the matching credential.
 *
 * Every early return leaves the allocations made so far (pSid, sid,
 * plsa_private_data and its buffer, lsa_keyname.Buffer, lpRasEntryName)
 * unreleased, and none of them is freed on the success path either.  The
 * void return type is not a conforming signature for main().
 *
 * NOTE(review): every string literal in this listing ends in a bare "n" and
 * the phone-book path uses single backslashes; the "\n" and "\\" escapes look
 * to have been stripped when the code was posted.  The literals are kept as
 * found.
 */
void main()
{
    LPRASENTRYNAME lpRasEntryName;
    LPRASDIALPARAMS lpRasDialParams;
    DWORD            cb, nRet, i, cEntries;
    BOOL            b;
    char            szPhoneBook1[512], szPhoneBook2[512], 
                    szUserName[128], szDomainName[128];
    DWORD            dwSize, dwDialParamsUID, dwTmp;
    PSID            pSid = NULL;
    SID_NAME_USE    peUse;

    LSA_OBJECT_ATTRIBUTES    lsa_object_attr;
    LSA_HANDLE                lsa_handle;
    PLSA_UNICODE_STRING        plsa_private_data;
    LSA_UNICODE_STRING        lsa_keyname;
    NTSTATUS                status;
    int                        ret;
    unsigned char            *pass;
    WCHAR                    *sid;

    printf("dialup password recover tool for win 2k/xp/2003n"
            "code by eyas at xfocus.orgn"
            "http://www.xfocus.netn"
            "2004-10-01nn");

    //get current user's string sid
    // The first LookupAccountName call passes a NULL SID buffer so that
    // dwSize comes back holding the required size.  Only dwSize is tested;
    // the return values of GetUserName, of both lookups and of
    // ConvertSidToStringSidW are not.
    dwSize = sizeof(szUserName);
    GetUserName(szUserName, &dwSize);
    dwSize = 0;
    dwTmp = sizeof(szDomainName);
    LookupAccountName(NULL, szUserName, pSid, &dwSize, szDomainName, 
                    &dwTmp, &peUse);
    if(!dwSize)
    {
        printf("[-] LookupAccountName failed.n");
        return;
    }
    pSid = (PSID)malloc(dwSize);   // unchecked, never freed
    LookupAccountName(NULL, szUserName, pSid, &dwSize, szDomainName,
                     &dwTmp, &peUse);
    // sid is a buffer the API allocates for the caller (to be released with
    // LocalFree); it is never released here.
    ConvertSidToStringSidW(pSid, &sid);

    // Desired access 0x800 on the local policy; this is the value of
    // POLICY_GET_PRIVATE_INFORMATION in ntsecapi.h (confirm), the right that
    // LsaRetrievePrivateData needs.  The status is not checked, so a failure
    // leaves lsa_handle uninitialised for the calls that follow.
    memset(&lsa_object_attr, 0, sizeof(lsa_object_attr));
    lsa_object_attr.Length = sizeof(LSA_OBJECT_ATTRIBUTES);
    LsaOpenPolicy(0, &lsa_object_attr, 0x800, &lsa_handle);

    // LsaRetrievePrivateData takes a PLSA_UNICODE_STRING* and returns a string
    // it allocates itself (freed with LsaFreeMemory), so this hand-built
    // descriptor and its 0x500-byte buffer appear to be overwritten by the
    // call below and leaked -- confirm against the API contract.
    plsa_private_data = (PLSA_UNICODE_STRING)malloc(sizeof(LSA_UNICODE_STRING));
    plsa_private_data->Length = 0x500;
    plsa_private_data->MaximumLength = 0x500;
    plsa_private_data->Buffer = (PWSTR)malloc(0x500);

    // Secret name is "RasDialParams!" + string SID + "#0", assembled with
    // unbounded wcscpy/wcscat into a 0x200-byte buffer (the malloc result is
    // unchecked).  LSA_UNICODE_STRING.Length is a byte count, hence the * 2.
    lsa_keyname.MaximumLength = 0x200;
    lsa_keyname.Buffer = (PWSTR)malloc(0x200);
    wcscpy(lsa_keyname.Buffer,L"RasDialParams!");
    wcscat(lsa_keyname.Buffer, sid);
    wcscat(lsa_keyname.Buffer, L"#0");
    lsa_keyname.Length = wcslen(lsa_keyname.Buffer) * 2;

    //get current user's dialup info
    // The policy handle is closed before the status is examined, so the
    // failure path below does not leak it.
    status = LsaRetrievePrivateData(lsa_handle, 
        &lsa_keyname,
        &plsa_private_data);
    LsaClose(lsa_handle);
    if(status != 0)
    {
        printf("[-] LsaRetrievePrivateData failed: %dn",
                     LsaNtStatusToWinError(status));
        return;
    }
    // Narrow the UTF-16 secret into the global scanned by get_real_pass().
    // NOTE(review): Length is a byte count while WideCharToMultiByte expects
    // a WCHAR count, so this appears to offer the API twice as many
    // characters as the secret holds; the output is capped at
    // sizeof(private_data) and is not NUL-terminated by this call -- confirm.
    ret = WideCharToMultiByte(0, 0, plsa_private_data->Buffer,
                             plsa_private_data->Length, 
        private_data, sizeof(private_data), 0, 0);
    if(ret == 0)
    {
        printf("[-] WideCharToMultiByte failed:%dn", GetLastError());
        return;
    }
    data_len = ret;   // bytes written; scan limit for get_real_pass()

    //get phone book name
    // The -200 reserves room in each 512-byte buffer for the fixed suffix
    // strcat appends below.  Return values are not checked: if a variable is
    // unset the buffer presumably stays uninitialised and strcat appends to
    // whatever is there -- confirm the API's behaviour on failure.
    GetEnvironmentVariable("ALLUSERSPROFILE", szPhoneBook1,
                             sizeof(szPhoneBook1)-200);
    GetEnvironmentVariable("USERPROFILE", szPhoneBook2,
                             sizeof(szPhoneBook2)-200);
    strcat(szPhoneBook1, 
        "\Application Data\Microsoft\Network"
        "\Connections\pbk\rasphone.pbk");
    strcat(szPhoneBook2, 
        "\Application Data\Microsoft\Network"
        "\Connections\pbk\rasphone.pbk");

    // Two-phase enumeration: a one-entry buffer first, then a buffer of the
    // size RasEnumEntries reports in cb.  The first GlobalAlloc block is not
    // freed on the ERROR_BUFFER_TOO_SMALL path, neither block is NULL-checked,
    // and any other error from the first call is simply retried below.
    lpRasEntryName = (LPRASENTRYNAME)GlobalAlloc(GPTR, sizeof(RASENTRYNAME));
    lpRasEntryName->dwSize = sizeof(RASENTRYNAME);
    cb = sizeof(RASENTRYNAME);
    if ((nRet = RasEnumEntries(NULL, NULL, lpRasEntryName, &cb, &cEntries)) 
        == ERROR_BUFFER_TOO_SMALL)
    {
        lpRasEntryName = (LPRASENTRYNAME)GlobalAlloc(GPTR, cb);
        lpRasEntryName->dwSize = sizeof(RASENTRYNAME);
    }

    // Calling RasEnumEntries to enumerate the phone-book entries    
    nRet = RasEnumEntries(NULL, NULL, lpRasEntryName, &cb, &cEntries);

    if (nRet != ERROR_SUCCESS)
    {
        printf("[-] RasEnumEntries failed: Error %dn", nRet);
        return;
    }

    // One RASDIALPARAMS per entry.  lpRasEntryName is advanced in place at
    // the bottom of the loop, so the base of the GlobalAlloc block is lost.
    for(i=0;i < cEntries;i++)
    {
        lpRasDialParams = malloc(sizeof(RASDIALPARAMS));   // unchecked
        // Both szEntryName fields are fixed-size RAS arrays; strcpy is
        // bounded only by their (presumably equal) declared sizes.
        strcpy(lpRasDialParams->szEntryName, lpRasEntryName->szEntryName);
        lpRasDialParams->dwSize = sizeof(RASDIALPARAMS);

        // Fills in the entry's dial parameters (szUserName is what is used
        // below); the return code and the BOOL "password retrieved" flag
        // written to b are ignored.
        RasGetEntryDialParams(0, lpRasDialParams, &b);

        // DialParamsUID is read from the all-users phone book first, then
        // from the per-user one; a missing key yields the 0 default and a
        // 0 from both files ends the whole run rather than this entry only.
        dwDialParamsUID = GetPrivateProfileInt(lpRasEntryName->szEntryName, 
            "DialParamsUID", 0, szPhoneBook1);
        if(dwDialParamsUID == 0)
        {
            dwDialParamsUID = GetPrivateProfileInt(lpRasEntryName->szEntryName, 
                                "DialParamsUID", 0, szPhoneBook2);
            if(dwDialParamsUID == 0)
            {
                printf("[-] Can't get DialParamsUID from PhoneBook.n");
                return;
            }
        }

        // May be NULL when the UID/user pair is not found in the secret; the
        // "%s" below then receives a null pointer (undefined in standard C;
        // MSVC's CRT typically prints "(null)").
        pass = get_real_pass(lpRasDialParams->szUserName, dwDialParamsUID);

        printf(
            "-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=n"
            "EntryName : %sn"
            "UserName  : %sn"
            "PassWord  : %snn",
            lpRasEntryName->szEntryName,
            lpRasDialParams->szUserName, 
            pass);

        free(lpRasDialParams);
        lpRasEntryName++;
    }
}

          