module Rex
module Proto
module SMB
class Client
require 'rex/text'
require 'rex/struct2'
require 'rex/proto/smb/constants'
require 'rex/proto/smb/exceptions'
require 'rex/proto/smb/evasions'
require 'rex/proto/smb/crypt'
require 'rex/proto/smb/utils'
# Some short-hand class aliases
CONST = Rex::Proto::SMB::Constants   # packet templates (SMB_*_PKT) and SMB_COM_* command codes
CRYPT = Rex::Proto::SMB::Crypt       # LM/NTLM response builders (lanman_des, ntlm_md4) and md5_hash
UTILS = Rex::Proto::SMB::Utils       # NetBIOS name encoding, NTLMSSP/SPNEGO blob builders, servertime
XCEPT = Rex::Proto::SMB::Exceptions  # exception classes raised by this client
EVADE = Rex::Proto::SMB::Evasions    # evasion levels and named-pipe path mangling
def initialize (socket)
  self.socket = socket

  # Strings advertised to the server as NativeOS / NativeLanMan in every
  # SESSION_SETUP_ANDX request this client sends.
  self.native_os = 'Windows 2000 2195'
  self.native_lm = 'Windows 2000 5.0'

  # encrypt_passwords == 1 makes negotiate() offer the NT dialects
  # (challenge/response). Extended security stays off until negotiate()
  # sees the server advertise it.
  self.encrypt_passwords = 1
  self.extended_security = 0

  # Per-connection header values stamped onto each request by smb_defaults.
  self.multiplex_id = rand(0xffff)
  self.process_id   = rand(0xffff)

  # Seconds smb_recv waits for a reply (and for each continuation read).
  self.read_timeout = 10

  self.evasion_level = EVADE::EVASION_NONE
end
# Read a SMB packet from the socket
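def smb_recv
  data = socket.get_once(-1, self.read_timeout)

  # Need at least the 4-byte session header to know how much follows.
  if (data.nil? or data.length < 4)
    raise XCEPT::NoReply
  end

  # Session header: TYPE(1) FLAGS(1) LENGTH(2). In the NBSS framing (port 139)
  # the low bit of FLAGS is the length-extension bit, i.e. bit 16 of the
  # length; in direct-hosted SMB (port 445) the same byte is the high byte of
  # a 24-bit length. Taking that one bit into account keeps both framings
  # consistent for messages up to 128KiB. Ignoring it would truncate any
  # payload of 64KiB or more and leave its tail in the socket, where the next
  # smb_recv would mis-read it as the start of a new packet.
  flags    = data[1,1].unpack('C')[0]
  recv_len = ((flags & 0x01) << 16) | data[2,2].unpack('n')[0]

  # Zero-length messages (e.g. session keep-alives) carry nothing further.
  if (recv_len == 0)
    return data
  end

  # Total bytes expected on the wire: header plus announced payload.
  recv_len += 4

  # Keep reading until the whole message has arrived.
  while (data.length < recv_len)
    buff = ''
    begin
      buff << self.socket.timed_read(recv_len - data.length, self.read_timeout)
    rescue Timeout::Error
      # Fall through: the empty buff below is reported as a short read.
    rescue
      raise XCEPT::ReadPacket
    end

    if (buff.nil? or buff.length == 0)
      raise XCEPT::ReadPacket
    end

    data << buff
  end

  # More bytes than the header announced means the stream is out of step with
  # the packet framing; refuse to hand back a mis-framed message rather than
  # let the caller parse it (the original negative-length read failed here too).
  if (data.length != recv_len)
    raise XCEPT::ReadPacket
  end

  return data
end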
# Send a SMB packet down the socket
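def smb_send (data, evasion = self.evasion_level)
  # Socket-level evasion (chunked writes with pauses between them) is being
  # moved into Rex::Socket. The evasion level is still accepted so callers
  # keep working, but the chunking parameters are pinned off here:
  #   size = EVADE.send_block_size(evasion)
  #   wait = EVADE.send_wait_time(evasion)
  size = 0
  wait = 0

  begin
    # Fast path: no chunking requested, or the packet fits in one chunk.
    if (size == 0 or size >= data.length)
      return self.socket.put(data)
    end

    # Chunked path: write `size` bytes at a time, pausing `wait` seconds
    # between writes. Slice a copy so the caller's packet buffer is not
    # consumed as a side effect of sending it.
    ret  = 0
    rest = data.dup
    while ((chunk = rest.slice!(0, size)).length > 0)
      ret = self.socket.put(chunk)
      sleep(wait) if (wait > 0)
    end

    return ret
  rescue
    # Any socket failure is surfaced uniformly as a write error.
    raise XCEPT::WritePacket
  end
end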
# Set the SMB parameters to some reasonable defaults
def smb_defaults(packet)
  # Stamp the per-connection and per-session header fields onto a request.
  # TreeID / UserID come from the most recent tree_connect / session_setup
  # (0 via to_i when none has happened yet).
  header = packet
  header.v['MultiplexID'] = self.multiplex_id.to_i
  header.v['TreeID']      = self.last_tree_id.to_i
  header.v['UserID']      = self.auth_user_id.to_i
  header.v['ProcessID']   = self.process_id.to_i
end
# The main dispatcher for all incoming SMB packets
def smb_recv_parse(expected_type, ignore_errors = false)
  # smb_recv raises NoReply / ReadPacket itself if a whole packet cannot be read.
  data = self.smb_recv

  # Parse the generic header first; the command code tells us which
  # response layout to re-parse the same bytes with.
  pkt = CONST::SMB_BASE_PKT.make_struct
  pkt.from_s(data)
  res = pkt

  smb = pkt['Payload']['SMB']

  parsers = {
    CONST::SMB_COM_NEGOTIATE          => :smb_parse_negotiate,
    CONST::SMB_COM_SESSION_SETUP_ANDX => :smb_parse_session_setup,
    CONST::SMB_COM_TREE_CONNECT_ANDX  => :smb_parse_tree_connect,
    CONST::SMB_COM_TREE_DISCONNECT    => :smb_parse_tree_disconnect,
    CONST::SMB_COM_CREATE_ANDX        => :smb_parse_create,
    CONST::SMB_COM_TRANSACTION        => :smb_parse_trans,
    CONST::SMB_COM_TRANSACTION2       => :smb_parse_trans,
    CONST::SMB_COM_NT_TRANSACT        => :smb_parse_nttrans,
    CONST::SMB_COM_OPEN_ANDX          => :smb_parse_open,
    CONST::SMB_COM_WRITE_ANDX         => :smb_parse_write,
    CONST::SMB_COM_READ_ANDX          => :smb_parse_read,
    CONST::SMB_COM_CLOSE              => :smb_parse_close,
    CONST::SMB_COM_DELETE             => :smb_parse_delete,
  }

  begin
    parser = parsers[smb.v['Command']]
    if parser.nil?
      raise XCEPT::InvalidCommand
    end
    res = self.send(parser, pkt, data)

    # The reply must answer the command we just sent. Only the command code
    # is checked; the MultiplexID is not matched back to the request.
    if (smb.v['Command'] != expected_type)
      raise XCEPT::InvalidType
    end

    # ErrorClass is treated as the 32-bit status word (session_setup_ntlmv2
    # compares it with 0xc0000016). Non-zero is an error unless the caller
    # asked to inspect it itself.
    if (ignore_errors == false and smb.v['ErrorClass'] != 0)
      raise XCEPT::ErrorCode
    end
  rescue XCEPT::InvalidWordCount, XCEPT::InvalidCommand, XCEPT::InvalidType, XCEPT::ErrorCode => e
    # Decorate protocol exceptions with the header fields that triggered them.
    e.word_count = smb.v['WordCount']
    e.command    = smb.v['Command']
    e.error_code = smb.v['ErrorClass']
    raise e
  end

  return res
end
# Process incoming SMB_COM_NEGOTIATE packets
def smb_parse_negotiate (pkt, data)
  # The WordCount of a NEGOTIATE response identifies which dialect family the
  # server answered with, and therefore which layout to parse it with.
  layout = case pkt['Payload']['SMB'].v['WordCount']
    when 17 then CONST::SMB_NEG_RES_NT_PKT    # NT-style (NT LM 0.12) response
    when 13 then CONST::SMB_NEG_RES_LM_PKT    # LANMAN-style response
    when  1 then CONST::SMB_NEG_RES_ERR_PKT   # negotiate failure
    when  0 then nil                           # header-only SMB error
    else raise XCEPT::InvalidWordCount
  end

  # Header-only errors are returned as the already-parsed base packet.
  return pkt if layout.nil?

  res = layout.make_struct
  res.from_s(data)
  return res
end
# Process incoming SMB_COM_SESSION_SETUP_ANDX packets
def smb_parse_session_setup(pkt, data)
  # WordCount 4 is the extended-security form carrying a security blob,
  # WordCount 3 covers the NTLMv1 and LANMAN forms, 0 is a header-only error.
  layout = case pkt['Payload']['SMB'].v['WordCount']
    when 4 then CONST::SMB_SETUP_NTLMV2_RES_PKT
    when 3 then CONST::SMB_SETUP_RES_PKT
    when 0 then nil
    else raise XCEPT::InvalidWordCount
  end

  return pkt if layout.nil?

  res = layout.make_struct
  res.from_s(data)
  return res
end
# Process incoming SMB_COM_TREE_CONNECT_ANDX packets
def smb_parse_tree_connect(pkt, data)
  # WordCount 3 is a TREE_CONNECT_ANDX response; 0 is a header-only error.
  layout = case pkt['Payload']['SMB'].v['WordCount']
    when 3 then CONST::SMB_TREE_CONN_RES_PKT
    when 0 then nil
    else raise XCEPT::InvalidWordCount
  end

  return pkt if layout.nil?

  res = layout.make_struct
  res.from_s(data)
  return res
end
# Process incoming SMB_COM_TREE_DISCONNECT packets
def smb_parse_tree_disconnect(pkt, data)
  # A TREE_DISCONNECT response carries no parameter words; anything else is
  # malformed.
  unless pkt['Payload']['SMB'].v['WordCount'] == 0
    raise XCEPT::InvalidWordCount
  end

  res = CONST::SMB_TREE_DISCONN_RES_PKT.make_struct
  res.from_s(data)
  return res
end
# Process incoming SMB_COM_CREATE_ANDX packets
def smb_parse_create(pkt, data)
  # Windows answers NT_CREATE_ANDX with WordCount 42, Samba with 34; the
  # structure is the same, so both are parsed with one layout. 0 is a
  # header-only error.
  layout = case pkt['Payload']['SMB'].v['WordCount']
    when 42, 34 then CONST::SMB_CREATE_RES_PKT
    when 0      then nil
    else raise XCEPT::InvalidWordCount
  end

  return pkt if layout.nil?

  res = layout.make_struct
  res.from_s(data)
  return res
end
# Process incoming SMB_COM_TRANSACTION and SMB_COM_TRANSACTION2 packets
def smb_parse_trans(pkt, data)
  # Shared by TRANSACTION and TRANSACTION2 (smb_recv_parse routes both here).
  # WordCount 10 is a transaction response; 0 is a header-only error.
  layout = case pkt['Payload']['SMB'].v['WordCount']
    when 10 then CONST::SMB_TRANS_RES_PKT
    when 0  then nil
    else raise XCEPT::InvalidWordCount
  end

  return pkt if layout.nil?

  res = layout.make_struct
  res.from_s(data)
  return res
end
# Process incoming SMB_COM_NT_TRANSACT packets
def smb_parse_nttrans(pkt, data)
  # Only the header-only form (WordCount 0, an error reply) is handled. No
  # NT_TRANSACT response layout is parsed here, so any reply that does carry
  # parameter words is rejected as InvalidWordCount.
  return pkt if pkt['Payload']['SMB'].v['WordCount'] == 0

  raise XCEPT::InvalidWordCount
end
# Process incoming SMB_COM_OPEN_ANDX packets
def smb_parse_open(pkt, data)
  # WordCount 15 is an OPEN_ANDX response; 0 is a header-only error.
  layout = case pkt['Payload']['SMB'].v['WordCount']
    when 15 then CONST::SMB_OPEN_RES_PKT
    when 0  then nil
    else raise XCEPT::InvalidWordCount
  end

  return pkt if layout.nil?

  res = layout.make_struct
  res.from_s(data)
  return res
end
# Process incoming SMB_COM_WRITE_ANDX packets
def smb_parse_write(pkt, data)
  # WordCount 6 is a WRITE_ANDX response; 0 is a header-only error.
  layout = case pkt['Payload']['SMB'].v['WordCount']
    when 6 then CONST::SMB_WRITE_RES_PKT
    when 0 then nil
    else raise XCEPT::InvalidWordCount
  end

  return pkt if layout.nil?

  res = layout.make_struct
  res.from_s(data)
  return res
end
# Process incoming SMB_COM_READ_ANDX packets
def smb_parse_read(pkt, data)
  # WordCount 12 is a READ_ANDX response; 0 is a header-only error.
  layout = case pkt['Payload']['SMB'].v['WordCount']
    when 12 then CONST::SMB_READ_RES_PKT
    when 0  then nil
    else raise XCEPT::InvalidWordCount
  end

  return pkt if layout.nil?

  res = layout.make_struct
  res.from_s(data)
  return res
end
# Process incoming SMB_COM_CLOSE packets
def smb_parse_close(pkt, data)
  # A CLOSE response is header-only (WordCount 0) and is handed back as the
  # already-parsed base packet; anything else is malformed.
  return pkt if pkt['Payload']['SMB'].v['WordCount'] == 0

  raise XCEPT::InvalidWordCount
end
# Process incoming SMB_COM_DELETE packets
def smb_parse_delete(pkt, data)
  # A DELETE response carries no parameter words (WordCount 0); it is parsed
  # with the dedicated response layout rather than returned as the base packet.
  unless pkt['Payload']['SMB'].v['WordCount'] == 0
    raise XCEPT::InvalidWordCount
  end

  res = CONST::SMB_DELETE_RES_PKT.make_struct
  res.from_s(data)
  return res
end
# Request a SMB session over NetBIOS
def session_request (name = '*SMBSERVER')
  # NBSS SESSION REQUEST (type 0x81): the called name followed by the calling
  # name. Each is a first-level encoded NetBIOS name prefixed with its encoded
  # length byte (0x20) and terminated with a NUL.
  called  = "\x20" + UTILS.nbname_encode(name) + "\x00"
  calling = "\x20" + CONST::NETBIOS_REDIR + "\x00"

  pkt = CONST::NBRAW_PKT.make_struct
  pkt.v['Type'] = 0x81
  pkt['Payload'].v['Payload'] = called + calling

  # Most SMB implementations can't handle this request being fragmented, so
  # it is always sent with evasion disabled regardless of evasion_level.
  self.smb_send(pkt.to_s, EVADE::EVASION_NONE)
  res = self.smb_recv

  ack = CONST::NBRAW_PKT.make_struct
  ack.from_s(res)

  # 0x82 (130) is POSITIVE SESSION RESPONSE; anything else means the server
  # did not accept the session.
  if (ack.v['Type'] != 0x82)
    raise XCEPT::NetbiosSessionFailed
  end

  return ack
end
# Negotiate a SMB dialect
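def negotiate ()
  # Dialects are offered weakest first; the server answers with the index of
  # the one it picked. The two LANMAN dialects are always included, so a
  # server that declines the NT dialects steers session_setup() to
  # session_setup_clear, which sends the password in plaintext. That is a
  # deliberate choice for a pentest client, not an accident.
  dialects = []
  dialects << 'LANMAN1.0'
  dialects << 'LM1.2X002'

  if (self.encrypt_passwords == 1)
    dialects << 'NT LANMAN 1.0'
    dialects << 'NT LM 0.12'
  end

  # Each dialect is a BufferFormat 0x02 string, NUL terminated.
  data = ''
  dialects.each { |dialect| data << "\x02" + dialect + "\x00" }

  pkt = CONST::SMB_NEG_PKT.make_struct
  self.smb_defaults(pkt['Payload']['SMB'])

  pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NEGOTIATE
  pkt['Payload']['SMB'].v['Flags1']  = 0x18
  # 0x2801 differs from the 0x2001 used by the non-extended-security requests
  # in this file by the 0x0800 bit, which asks for extended security.
  pkt['Payload']['SMB'].v['Flags2']  = 0x2801
  pkt['Payload'].v['Payload'] = data

  self.smb_send(pkt.to_s)
  ack = self.smb_recv_parse(CONST::SMB_COM_NEGOTIATE)

  # Index of the dialect the server selected; out of range (0xFFFF means
  # none accepted) is reported as nil rather than raised.
  idx = ack['Payload'].v['Dialect']
  if (idx < 0 or idx >= dialects.length)
    return nil
  end

  self.dialect = dialects[idx]

  # Does the server support extended security negotiation (bit 31 of
  # Capabilities)? Integer#& yields 0 when the bit is clear, and 0 is truthy
  # in Ruby, so the masked value must be compared with zero explicitly;
  # testing the bare bitwise result enabled extended security against every
  # server that returned a Capabilities field at all. A response layout
  # without Capabilities (nil) leaves extended security off.
  caps = ack['Payload'].v['Capabilities']
  if (caps and (caps & 0x80000000) != 0)
    self.extended_security = 1
  end

  self.security_mode = ack['Payload'].v['SecurityMode']

  # Server challenge used by the LM/NTLMv1 responses when extended security
  # is not in play.
  if (ack['Payload'].v['EncryptionKey'] != nil)
    self.challenge_key = ack['Payload'].v['EncryptionKey']
  end

  # Session key echoed back in the SESSION_SETUP_ANDX requests.
  if (ack['Payload'].v['SessionKey'] != nil)
    self.session_id = ack['Payload'].v['SessionKey']
  end

  if (ack['Payload'].v['GUID'] != nil)
    self.server_guid = ack['Payload'].v['GUID']
  end

  return ack
end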
# Authenticate and establish a session
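def session_setup (*args)
  # Choose the authentication scheme from the negotiated dialect. The dialect
  # names are compared as exact strings: a regex would need the '.' escaped
  # (it is a wildcard) and \A/\z anchors rather than ^/$ (which only anchor a
  # line), so a pattern match accepted strings that were not real dialects.
  case self.dialect
  when 'NT LANMAN 1.0', 'NT LM 0.12'
    # NT dialects: challenge/response, via NTLMSSP when negotiate() saw the
    # server advertise extended security.
    if (self.extended_security == 1)
      return self.session_setup_ntlmv2(*args)
    else
      return self.session_setup_ntlmv1(*args)
    end
  when 'LANMAN1.0', 'LM1.2X002'
    # LANMAN dialects: the password goes over the wire in plaintext.
    return self.session_setup_clear(*args)
  end

  raise XCEPT::UnknownDialect
end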
# Authenticate using clear-text passwords
def session_setup_clear(user = '', pass = '', domain = '')
  # LANMAN-style setup. The password is transmitted in the clear, followed by
  # the user, domain and our advertised OS / LanMan strings, each NUL
  # terminated. Anyone on the path can read the credential.
  data = ''
  [pass, user, domain, self.native_os, self.native_lm].each do |field|
    data << field + "\x00"
  end

  pkt = CONST::SMB_SETUP_LANMAN_PKT.make_struct
  self.smb_defaults(pkt['Payload']['SMB'])

  smb  = pkt['Payload']['SMB']
  body = pkt['Payload']

  smb.v['Command']   = CONST::SMB_COM_SESSION_SETUP_ANDX
  smb.v['Flags1']    = 0x18
  smb.v['Flags2']    = 0x2001
  smb.v['WordCount'] = 10

  body.v['AndX']         = 255               # no chained command
  body.v['MaxBuff']      = 0xffdf
  body.v['MaxMPX']       = 2
  body.v['VCNum']        = 1
  body.v['PasswordLen']  = pass.length + 1   # counts the NUL terminator
  body.v['Capabilities'] = 64
  body.v['SessionKey']   = self.session_id
  body.v['Payload']      = data

  self.smb_send(pkt.to_s)
  ack = self.smb_recv_parse(CONST::SMB_COM_SESSION_SETUP_ANDX)

  # Action == 1 indicates a guest logon; only record the account name when
  # a real user was supplied and accepted as such.
  if (ack['Payload'].v['Action'] != 1 and user.length > 0)
    self.auth_user = user
  end

  self.auth_user_id = ack['Payload']['SMB'].v['UserID']

  # Response payload: NativeOS, NativeLanMan, PrimaryDomain.
  info = ack['Payload'].v['Payload'].split(/\x00/)
  self.peer_native_os = info[0]
  self.peer_native_lm = info[1]
  self.default_domain = info[2]

  return ack
end
# Authenticate using NTLMv1
def session_setup_ntlmv1(user = '', pass = '', domain = '')
  # Challenge/response against the 8-byte challenge_key saved by negotiate().
  # Both the LM and the NT responses are sent; an empty password sends empty
  # responses (anonymous / null session).
  # NOTE(review): sending the LM response alongside the NT one exposes the
  # weaker LM construction to an on-path observer — acceptable for a pentest
  # client, but worth knowing.
  hash_lm = ''
  hash_nt = ''
  if pass.length > 0
    hash_lm = CRYPT.lanman_des(pass, self.challenge_key)
    hash_nt = CRYPT.ntlm_md4(pass, self.challenge_key)
  end

  # Payload: LM response, NT response, then the NUL-terminated strings.
  data = hash_lm + hash_nt
  [user, domain, self.native_os, self.native_lm].each do |field|
    data << field + "\x00"
  end

  pkt = CONST::SMB_SETUP_NTLMV1_PKT.make_struct
  self.smb_defaults(pkt['Payload']['SMB'])

  smb  = pkt['Payload']['SMB']
  body = pkt['Payload']

  smb.v['Command']   = CONST::SMB_COM_SESSION_SETUP_ANDX
  smb.v['Flags1']    = 0x18
  smb.v['Flags2']    = 0x2001
  smb.v['WordCount'] = 13

  body.v['AndX']          = 255        # no chained command
  body.v['MaxBuff']       = 0xffdf
  body.v['MaxMPX']        = 2
  body.v['VCNum']         = 1
  body.v['PasswordLenLM'] = hash_lm.length
  body.v['PasswordLenNT'] = hash_nt.length
  body.v['Capabilities']  = 64
  body.v['SessionKey']    = self.session_id
  body.v['Payload']       = data

  self.smb_send(pkt.to_s)
  ack = self.smb_recv_parse(CONST::SMB_COM_SESSION_SETUP_ANDX)

  # Action == 1 indicates a guest logon; only record the account name when
  # a real user was supplied and accepted as such.
  if (ack['Payload'].v['Action'] != 1 and user.length > 0)
    self.auth_user = user
  end

  self.auth_user_id = ack['Payload']['SMB'].v['UserID']

  # Response payload: NativeOS, NativeLanMan, PrimaryDomain.
  info = ack['Payload'].v['Payload'].split(/\x00/)
  self.peer_native_os = info[0]
  self.peer_native_lm = info[1]
  self.default_domain = info[2]

  return ack
end
# Authenticate using extended security negotiation (NTLMSSP over SPNEGO; despite the name this is the NTLM2 session response, not NTLMv2)
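def session_setup_ntlmv2(user = '', pass = '', domain = '', name = nil)
  # Workstation name placed in the NTLMSSP messages; random if not supplied.
  if (name == nil)
    name = Rex::Text.rand_text_alphanumeric(16)
  end

  # NOTE: despite the method name this is the NTLM2 session-response scheme
  # (NTLMv1 with extended session security), not NTLMv2. The NT response is
  # ntlm_md4(pass, MD5(server_challenge + client_challenge)[0,8]) and the LM
  # field is the client challenge zero-padded to 24 bytes — see below.

  # Round 1: NTLMSSP NEGOTIATE wrapped in a SPNEGO blob.
  blob = UTILS.make_ntlmv2_secblob_init(domain, name)

  native_data = ''
  native_data << self.native_os + "\x00"
  native_data << self.native_lm + "\x00"

  pkt = CONST::SMB_SETUP_NTLMV2_PKT.make_struct
  self.smb_defaults(pkt['Payload']['SMB'])

  pkt['Payload']['SMB'].v['Command']   = CONST::SMB_COM_SESSION_SETUP_ANDX
  pkt['Payload']['SMB'].v['Flags1']    = 0x18
  pkt['Payload']['SMB'].v['Flags2']    = 0x2801   # 0x0800 = extended security
  pkt['Payload']['SMB'].v['WordCount'] = 12
  pkt['Payload'].v['AndX']            = 255
  pkt['Payload'].v['MaxBuff']         = 0xffdf
  pkt['Payload'].v['MaxMPX']          = 2
  pkt['Payload'].v['VCNum']           = 1
  pkt['Payload'].v['SecurityBlobLen'] = blob.length
  pkt['Payload'].v['Capabilities']    = 0x8000d05c
  pkt['Payload'].v['SessionKey']      = self.session_id
  pkt['Payload'].v['Payload']         = blob + native_data

  self.smb_send(pkt.to_s)
  # Errors are inspected here instead of raised: the expected status is
  # STATUS_MORE_PROCESSING_REQUIRED (0xc0000016), which carries the challenge.
  ack = self.smb_recv_parse(CONST::SMB_COM_SESSION_SETUP_ANDX, true)

  if (ack['Payload']['SMB'].v['ErrorClass'] != 0xc0000016)
    failure = XCEPT::ErrorCode.new
    failure.word_count = ack['Payload']['SMB'].v['WordCount']
    failure.command    = ack['Payload']['SMB'].v['Command']
    failure.error_code = ack['Payload']['SMB'].v['ErrorClass']
    raise failure
  end

  # Split the response payload into the security blob and the native strings.
  data = ack['Payload'].v['Payload']
  blob = data.slice!(0, ack['Payload'].v['SecurityBlobLen'])

  info = data.split(/\x00/)
  self.peer_native_os = info[0]
  self.peer_native_lm = info[1]

  # The server hands out a provisional UserID that must be echoed in round 2.
  temp_user_id = ack['Payload']['SMB'].v['UserID']

  # Locate the NTLMSSP CHALLENGE_MESSAGE (MessageType 2) inside the SPNEGO
  # blob by its signature instead of parsing the ASN.1 wrapper. String#index
  # returns nil — not -1 — when the needle is absent, so the old `== -1` test
  # never fired and a blob without a challenge crashed on `nil + 24`. The
  # 8-byte ServerChallenge sits at offset 24 of the message; a blob too short
  # to hold it is rejected the same way.
  cidx = blob.index("NTLMSSP\x00\x02\x00\x00\x00")
  challenge = cidx.nil? ? nil : blob[cidx + 24, 8]
  if (challenge.nil? or challenge.length != 8)
    puts "No challenge found"
    return nil
  end

  self.challenge_key = challenge

  # Client nonce mixed with the server challenge (NTLM2 session security).
  client_challenge = Rex::Text.rand_text(8)
  nonce = CRYPT.md5_hash(self.challenge_key + client_challenge)

  # NT response: the NTLMv1 construction keyed by the first 8 nonce bytes.
  resp_ntlm = CRYPT.ntlm_md4(pass, nonce[0, 8])

  # LM field: the client challenge padded with zeros to 24 bytes.
  resp_lmv2 = client_challenge + ("\x00" * 16)

  # Round 2: NTLMSSP AUTHENTICATE wrapped in a SPNEGO blob.
  blob = UTILS.make_ntlmv2_secblob_auth(domain, name, user, resp_lmv2, resp_ntlm)

  pkt = CONST::SMB_SETUP_NTLMV2_PKT.make_struct
  self.smb_defaults(pkt['Payload']['SMB'])

  pkt['Payload']['SMB'].v['Command']   = CONST::SMB_COM_SESSION_SETUP_ANDX
  pkt['Payload']['SMB'].v['Flags1']    = 0x18
  pkt['Payload']['SMB'].v['Flags2']    = 0x2801
  pkt['Payload']['SMB'].v['WordCount'] = 12
  pkt['Payload']['SMB'].v['UserID']    = temp_user_id
  pkt['Payload'].v['AndX']            = 255
  pkt['Payload'].v['MaxBuff']         = 0xffdf
  pkt['Payload'].v['MaxMPX']          = 2
  pkt['Payload'].v['VCNum']           = 1
  pkt['Payload'].v['SecurityBlobLen'] = blob.length
  pkt['Payload'].v['Capabilities']    = 0x8000d05c
  pkt['Payload'].v['SessionKey']      = self.session_id
  pkt['Payload'].v['Payload']         = blob + native_data

  self.smb_send(pkt.to_s)
  ack = self.smb_recv_parse(CONST::SMB_COM_SESSION_SETUP_ANDX, true)

  # Make sure that authentication succeeded.
  if (ack['Payload']['SMB'].v['ErrorClass'] != 0)
    # An anonymous attempt (empty user) is retried with the NTLMv1 setup
    # before giving up.
    if (user.length == 0)
      return self.session_setup_ntlmv1(user, pass, domain)
    end

    failure = XCEPT::ErrorCode.new
    failure.word_count = ack['Payload']['SMB'].v['WordCount']
    failure.command    = ack['Payload']['SMB'].v['Command']
    failure.error_code = ack['Payload']['SMB'].v['ErrorClass']
    raise failure
  end

  # Unlike the clear/NTLMv1 paths, auth_user and default_domain are not
  # recorded here — only the UserID for subsequent requests.
  self.auth_user_id = ack['Payload']['SMB'].v['UserID']

  return ack
end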
# An exploit helper function for sending arbitrary SPNEGO blobs
def session_setup_ntlmv2_blob(blob = '')
  # Sends a caller-supplied security blob verbatim in an extended-security
  # SESSION_SETUP_ANDX. Intended for exploits that need to deliver a crafted
  # SPNEGO/NTLMSSP payload; no validation of the blob is done here.
  native_data = ''
  native_data << self.native_os + "\x00"
  native_data << self.native_lm + "\x00"

  pkt = CONST::SMB_SETUP_NTLMV2_PKT.make_struct
  self.smb_defaults(pkt['Payload']['SMB'])

  smb  = pkt['Payload']['SMB']
  body = pkt['Payload']

  smb.v['Command']   = CONST::SMB_COM_SESSION_SETUP_ANDX
  smb.v['Flags1']    = 0x18
  smb.v['Flags2']    = 0x2801
  smb.v['WordCount'] = 12
  # Force a fresh (UID 0) setup rather than the UserID smb_defaults stamped.
  smb.v['UserID']    = 0

  body.v['AndX']            = 255
  body.v['MaxBuff']         = 0xffdf
  body.v['MaxMPX']          = 2
  body.v['VCNum']           = 1
  body.v['SecurityBlobLen'] = blob.length
  body.v['Capabilities']    = 0x8000d05c
  body.v['SessionKey']      = self.session_id
  body.v['Payload']         = blob + native_data

  self.smb_send(pkt.to_s)

  # Errors are raised (ignore_errors = false); the parsed reply is returned.
  self.smb_recv_parse(CONST::SMB_COM_SESSION_SETUP_ANDX, false)
end
# Connect to a specified share with an optional password
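def tree_connect(share = 'IPC$', pass = '')
  # TREE_CONNECT_ANDX payload: the share-level password (sent in plaintext),
  # the share path, and a service type of '?????' (any). All NUL terminated.
  data = ''
  data << pass + "\x00"
  data << share + "\x00"
  data << '?????' + "\x00"

  pkt = CONST::SMB_TREE_CONN_PKT.make_struct
  self.smb_defaults(pkt['Payload']['SMB'])

  pkt['Payload']['SMB'].v['Command']   = CONST::SMB_COM_TREE_CONNECT_ANDX
  pkt['Payload']['SMB'].v['Flags1']    = 0x18
  pkt['Payload']['SMB'].v['Flags2']    = 0x2001
  pkt['Payload']['SMB'].v['WordCount'] = 4
  pkt['Payload'].v['AndX']         = 255              # no chained command
  pkt['Payload'].v['PasswordLen']  = pass.length + 1  # counts the NUL
  pkt['Payload'].v['Capabilities'] = 64
  pkt['Payload'].v['Payload']      = data

  self.smb_send(pkt.to_s)
  ack = self.smb_recv_parse(CONST::SMB_COM_TREE_CONNECT_ANDX)

  # Remember the TreeID so later requests (via smb_defaults) target this share.
  self.last_tree_id = ack['Payload']['SMB'].v['TreeID']

  # The response payload (service / filesystem strings) is not used by this
  # client, so it is left unparsed instead of being split into a dead local.
  return ack
end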
# Disconnect from the current tree
def tree_disconnect(tree_id = self.last_tree_id)
  pkt = CONST::SMB_TREE_DISCONN_PKT.make_struct
  self.smb_defaults(pkt['Payload']['SMB'])

  smb = pkt['Payload']['SMB']
  smb.v['Command']   = CONST::SMB_COM_TREE_DISCONNECT
  smb.v['Flags1']    = 0x18
  smb.v['Flags2']    = 0x2001
  smb.v['WordCount'] = 0
  # Override the TreeID stamped by smb_defaults so a tree other than the
  # most recently connected one can be dropped.
  smb.v['TreeID']    = tree_id

  self.smb_send(pkt.to_s)
  ack = self.smb_recv_parse(CONST::SMB_COM_TREE_DISCONNECT)

  # Forget the cached tree only if it is the one that was just disconnected.
  self.last_tree_id = 0 if tree_id == self.last_tree_id

  return ack
end
# Returns a SMB_CREATE_RES response for a given named pipe
def open_named_pipe(pipe_name)
  # The evasion layer decides how the pipe path is spelled for the current
  # evasion level; the result is opened through the generic create().
  path = EVADE.make_named_pipe_path(self.evasion_level, pipe_name)
  self.create(path)
end
# Creates a file or opens an existing pipe
def create(filename, disposition = 1, impersonation = 2)
  pkt = CONST::SMB_CREATE_PKT.make_struct
  self.smb_defaults(pkt['Payload']['SMB'])

  smb  = pkt['Payload']['SMB']
  body = pkt['Payload']

  smb.v['Command']   = CONST::SMB_COM_CREATE_ANDX
  smb.v['Flags1']    = 0x18
  smb.v['Flags2']    = 0x2001
  smb.v['WordCount'] = 24

  body.v['AndX']          = 255
  body.v['FileNameLen']   = filename.length   # excludes the NUL appended below
  body.v['CreateFlags']   = 0x16
  # 0x02000000 = MAXIMUM_ALLOWED: ask the server for whatever this user may
  # have rather than a specific access mask. Broad by design for a pentest
  # client; a least-privilege caller would pass a narrower mask.
  body.v['AccessMask']    = 0x02000000
  body.v['ShareAccess']   = 7                 # share read/write/delete
  body.v['CreateOptions'] = 0
  body.v['Impersonation'] = impersonation     # default 2 (presumably SecurityImpersonation)
  body.v['Disposition']   = disposition       # default 1 (presumably FILE_OPEN)
  body.v['Payload']       = filename + "\x00"

  self.smb_send(pkt.to_s)
  ack = self.smb_recv_parse(CONST::SMB_COM_CREATE_ANDX)

  # Remember the FID for close() and subsequent I/O on this handle.
  fid = ack['Payload'].v['FileID']
  if (fid > 0)
    self.last_file_id = fid
  end

  return ack
end
# Deletes a file from a share
def delete(filename, tree_id = self.last_tree_id)
  pkt = CONST::SMB_DELETE_PKT.make_struct
  self.smb_defaults(pkt['Payload']['SMB'])

  smb  = pkt['Payload']['SMB']
  body = pkt['Payload']

  smb.v['Command']   = CONST::SMB_COM_DELETE
  smb.v['Flags1']    = 0x18
  smb.v['Flags2']    = 0x2001
  # Override the TreeID stamped by smb_defaults when deleting on another tree.
  smb.v['TreeID']    = tree_id
  smb.v['WordCount'] = 1

  body.v['SearchAttributes'] = 0x06   # presumably hidden + system, so those match too
  body.v['BufferFormat']     = 4      # ASCII string follows
  body.v['Payload']          = filename + "\x00"

  self.smb_send(pkt.to_s)
  ack = self.smb_recv_parse(CONST::SMB_COM_DELETE)

  return ack
end
# Opens an existing file or creates a new one
def open(filename, mode = 0x12, access = 0x42)
  # Send SMB_COM_OPEN_ANDX for +filename+ using +mode+ as the OpenFunction word
  # and +access+ as the Access word, remember a non-zero FileID from the reply
  # in last_file_id, and return the parsed reply.
  #
  # NOTE(review): the defaults 0x12 / 0x42 are carried over unchanged from the
  # original; their bit meanings are not verified here.
  pkt = CONST::SMB_OPEN_PKT.make_struct
  hdr = pkt['Payload']['SMB']
  req = pkt['Payload']

  self.smb_defaults(hdr)

  hdr.v['Command']   = CONST::SMB_COM_OPEN_ANDX
  hdr.v['Flags1']    = 0x18
  hdr.v['Flags2']    = 0x2001
  hdr.v['WordCount'] = 15

  # 255 is conventionally "no further AndX command chained"
  req.v['AndX']             = 255
  req.v['Access']           = access
  req.v['SearchAttributes'] = 0x06
  req.v['OpenFunction']     = mode
  req.v['Payload']          = filename + "\x00"

  self.smb_send(pkt.to_s)

  ack = self.smb_recv_parse(CONST::SMB_COM_OPEN_ANDX)

  # A zero FileID is not a usable handle, so last_file_id is left untouched
  fid = ack['Payload'].v['FileID']
  self.last_file_id = fid if (fid > 0)

  ack
end
# Closes an open file handle
def close(file_id = self.last_file_id, tree_id = self.last_tree_id)
  # Send SMB_COM_CLOSE for the handle +file_id+ (defaults to the last opened
  # file) on tree +tree_id+ and return the parsed reply.
  #
  # last_file_id is NOT cleared here, so a later call relying on the default
  # argument would reuse the already-closed id.
  pkt = CONST::SMB_CLOSE_PKT.make_struct
  hdr = pkt['Payload']['SMB']
  req = pkt['Payload']

  self.smb_defaults(hdr)

  hdr.v['Command']   = CONST::SMB_COM_CLOSE
  hdr.v['Flags1']    = 0x18
  hdr.v['Flags2']    = 0x2001
  hdr.v['TreeID']    = tree_id
  hdr.v['WordCount'] = 3

  req.v['FileID']    = file_id
  # -1 (all bits set) -- presumably "do not update the last-write time"
  req.v['LastWrite'] = -1

  self.smb_send(pkt.to_s)

  self.smb_recv_parse(CONST::SMB_COM_CLOSE)
end
# Writes data to an open file handle
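def write(file_id = self.last_file_id, offset = 0, data = '')
  # Send SMB_COM_WRITE_ANDX writing +data+ at byte +offset+ into the open
  # handle +file_id+ (defaults to the last opened file) and return the parsed
  # reply.
  #
  # Only the 16-bit DataLenLow field is populated (DataLenHigh is never set),
  # so a single request cannot describe more than 0xffff bytes. Previously a
  # larger +data+ had its length silently wrapped modulo 65536 while Remaining
  # still carried the full length, producing a malformed request; such a chunk
  # is now rejected up front.
  #
  # Raises ArgumentError when data.length > 0xffff -- callers must split larger
  # writes into smaller chunks.
  if (data.length > 0xffff)
    raise ArgumentError, "write: #{data.length} bytes exceeds the 0xffff byte limit of a single WRITE_ANDX"
  end

  pkt = CONST::SMB_WRITE_PKT.make_struct
  hdr = pkt['Payload']['SMB']
  req = pkt['Payload']

  self.smb_defaults(hdr)

  # Offset of the data area measured from the start of the SMB header; the
  # 4-byte NetBIOS session header is not counted.
  data_offset = pkt.to_s.length - 4

  # Pad the request out towards 4096 bytes as the evasion level dictates. The
  # budget is clamped at zero so a large +data+ never asks the filler helper
  # for a negative length.
  pad_len = 4096 - data.length - data_offset
  pad_len = 0 if (pad_len < 0)
  filler = EVADE.make_offset_filler(self.evasion_level, pad_len)

  hdr.v['Command']   = CONST::SMB_COM_WRITE_ANDX
  hdr.v['Flags1']    = 0x18
  hdr.v['Flags2']    = 0x2001
  hdr.v['WordCount'] = 14

  req.v['AndX']       = 255
  req.v['FileID']     = file_id
  req.v['Offset']     = offset
  req.v['Reserved2']  = -1
  req.v['WriteMode']  = 8
  req.v['Remaining']  = data.length
  # data.length is <= 0xffff here, so the low word carries the whole length
  req.v['DataLenLow'] = data.length
  # The filler is placed before the data, so the advertised offset skips it
  req.v['DataOffset'] = data_offset + filler.length
  req.v['Payload']    = filler + data

  self.smb_send(pkt.to_s)

  self.smb_recv_parse(CONST::SMB_COM_WRITE_ANDX)
end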
# Reads data from an open file handle
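def read(file_id = self.last_file_id, offset = 0, data_length = 64000)
  # Send SMB_COM_READ_ANDX asking for +data_length+ bytes at byte +offset+ of
  # the open handle +file_id+ (defaults to the last opened file) and return
  # the parsed reply.
  #
  # Only the 16-bit MaxCountLow field is populated (MaxCountHigh is never set),
  # so a single request cannot ask for more than 0xffff bytes. Previously a
  # larger +data_length+ was silently wrapped modulo 65536 while MinCount still
  # carried the full value; such a request is now rejected up front.
  #
  # Raises ArgumentError when data_length > 0xffff, and XCEPT::ErrorCode when
  # the reply carries an ErrorClass other than 0 or SMB_ERROR_BUFFER_OVERFLOW
  # (the latter is treated as non-fatal).
  if (data_length > 0xffff)
    raise ArgumentError, "read: #{data_length} bytes exceeds the 0xffff byte limit of a single READ_ANDX"
  end

  pkt = CONST::SMB_READ_PKT.make_struct
  hdr = pkt['Payload']['SMB']
  req = pkt['Payload']

  self.smb_defaults(hdr)

  hdr.v['Command']   = CONST::SMB_COM_READ_ANDX
  hdr.v['Flags1']    = 0x18
  hdr.v['Flags2']    = 0x2001
  hdr.v['WordCount'] = 10

  req.v['AndX']        = 255
  req.v['FileID']      = file_id
  req.v['Offset']      = offset
  # data_length is <= 0xffff here, so the low word carries the whole count
  req.v['MaxCountLow'] = data_length
  req.v['MinCount']    = data_length

  self.smb_send(pkt.to_s)

  # The second argument is passed as in the original; presumably it stops
  # smb_recv_parse from raising on error replies so they can be filtered here.
  ack = self.smb_recv_parse(CONST::SMB_COM_READ_ANDX, true)

  err = ack['Payload']['SMB'].v['ErrorClass']

  # Buffer-overflow is non-fatal; every other error class becomes an exception
  if (err != 0 && err != CONST::SMB_ERROR_BUFFER_OVERFLOW)
    failure = XCEPT::ErrorCode.new
    failure.word_count = ack['Payload']['SMB'].v['WordCount']
    failure.command    = ack['Payload']['SMB'].v['Command']
    failure.error_code = err
    raise failure
  end

  ack
end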
# Perform a transaction against a named pipe
def trans_named_pipe (file_id, data = '')
  # Run a named-pipe transaction (setup word 0x26 -- presumably TransactNmPipe)
  # against the open pipe handle +file_id+, sending +data+ as the transaction
  # body, and return whatever #trans returns.
  #
  # The pipe name put on the wire comes from the evasion helper and may be
  # obfuscated depending on evasion_level.
  setup = [0x26, file_id].pack('vv')
  pipe  = EVADE.make_trans_named_pipe_name(self.evasion_level)
  return self.trans(pipe, '', data, 2, setup)
end
# Perform a transaction against a given pipe name
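def trans (pipe, param = '', body = '', setup_count = 0, setup_data = '')
  # Send SMB_COM_TRANSACTION against +pipe+ with the parameter bytes +param+,
  # the data bytes +body+ and +setup_count+ packed setup words (+setup_data+),
  # and return the parsed reply.
  #
  # Fix: the pipe name is NUL-terminated on a private copy. The original
  # appended to the caller's string in place and tested `pipe[-1] != 0`, which
  # only works where String#[] yields an Integer (Ruby 1.8); on 1.9+ it yields
  # a one-character String, so the test was always true and a NUL was appended
  # on every call. The substring comparison below behaves the same on both.
  name = pipe.dup
  name << "\x00" if (name[-1, 1] != "\x00")

  pkt = CONST::SMB_TRANS_PKT.make_struct
  hdr = pkt['Payload']['SMB']
  req = pkt['Payload']

  self.smb_defaults(hdr)

  # Requests larger than this make XP SP2 drop the connection
  mlen = 4200

  # Bytes already consumed by the caller-supplied pieces
  xlen = name.length + param.length + body.length

  # Spread any remaining room across two filler runs, per the evasion level
  filler1 = ''
  filler2 = ''
  if (xlen < mlen)
    half = (mlen - xlen) / 2
    filler1 = EVADE.make_offset_filler(self.evasion_level, half)
    filler2 = EVADE.make_offset_filler(self.evasion_level, half)
  end

  # Wire layout of the byte area: pipe name, filler, params, filler, data
  data = name + filler1 + param + filler2 + body

  # NOTE: when data.length > mlen the request is still sent and will very
  # likely fail or get the connection dropped; no warning is emitted.

  # Offsets are measured from the SMB header (the 4-byte NetBIOS session
  # header is excluded); the setup words sit before the byte area.
  base_offset  = pkt.to_s.length + (setup_count * 2) - 4
  param_offset = base_offset + name.length + filler1.length
  data_offset  = param_offset + param.length + filler2.length

  hdr.v['Command']   = CONST::SMB_COM_TRANSACTION
  hdr.v['Flags1']    = 0x18
  hdr.v['Flags2']    = 0x2001
  hdr.v['WordCount'] = 14 + setup_count

  req.v['ParamCountTotal'] = param.length
  req.v['DataCountTotal']  = body.length
  req.v['ParamCountMax']   = 1024
  req.v['DataCountMax']    = 65504
  req.v['ParamCount']      = param.length
  req.v['ParamOffset']     = param_offset
  req.v['DataCount']       = body.length
  req.v['DataOffset']      = data_offset
  req.v['SetupCount']      = setup_count
  req.v['SetupData']       = setup_data
  req.v['Payload']         = data

  self.smb_send(pkt.to_s)

  self.smb_recv_parse(CONST::SMB_COM_TRANSACTION)
end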
# Perform a transaction2 request using the specified subcommand, parameters, and data
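def trans2 (subcommand, param = '', body = '', setup_count = 0, setup_data = '')
  # Send SMB_COM_TRANSACTION2 with +subcommand+, the parameter bytes +param+,
  # the data bytes +body+ and +setup_count+ packed setup words (+setup_data+),
  # and return the parsed reply.
  #
  # Fix: the parameter offset used to be computed as `base_offset + pipe.length`,
  # but no +pipe+ variable exists in this method (only #trans has one), so every
  # call raised NameError before anything was sent. A TRANSACTION2 byte area
  # carries no pipe name, so the parameter bytes start at the base offset.
  #
  # NOTE(review): SetupCount and WordCount are carried over unchanged; whether
  # the separately emitted Subcommand word should be counted in them depends on
  # the SMB_TRANS2_PKT template -- verify before relying on a non-zero
  # +setup_count+.
  data = param + body

  pkt = CONST::SMB_TRANS2_PKT.make_struct
  hdr = pkt['Payload']['SMB']
  req = pkt['Payload']

  self.smb_defaults(hdr)

  # Offsets are measured from the SMB header (the 4-byte NetBIOS session
  # header is excluded); the setup words sit before the byte area.
  base_offset  = pkt.to_s.length + (setup_count * 2) - 4
  param_offset = base_offset
  data_offset  = param_offset + param.length

  hdr.v['Command']   = CONST::SMB_COM_TRANSACTION2
  hdr.v['Flags1']    = 0x18
  hdr.v['Flags2']    = 0x2001
  hdr.v['WordCount'] = 15 + setup_count

  req.v['ParamCountTotal'] = param.length
  req.v['DataCountTotal']  = body.length
  req.v['ParamCountMax']   = 1024
  req.v['DataCountMax']    = 65504
  req.v['ParamCount']      = param.length
  req.v['ParamOffset']     = param_offset
  req.v['DataCount']       = body.length
  req.v['DataOffset']      = data_offset
  req.v['SetupCount']      = setup_count
  req.v['SetupData']       = setup_data
  req.v['Subcommand']      = subcommand
  req.v['Payload']         = data

  self.smb_send(pkt.to_s)

  self.smb_recv_parse(CONST::SMB_COM_TRANSACTION2)
end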
# Perform a nttransaction request using the specified subcommand, parameters, and data
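def nttrans (subcommand, param = '', body = '', setup_count = 0, setup_data = '')
  # Send SMB_COM_NT_TRANSACT with the function code +subcommand+, the parameter
  # bytes +param+, the data bytes +body+ and +setup_count+ packed setup words
  # (+setup_data+), and return the parsed reply.
  #
  # Fix: the parameter offset used to be computed as `base_offset + pipe.length`,
  # but no +pipe+ variable exists in this method (only #trans has one), so every
  # call raised NameError before anything was sent. An NT_TRANSACT byte area
  # carries no pipe name, so the parameter bytes start at the base offset.
  data = param + body

  pkt = CONST::SMB_NTTRANS_PKT.make_struct
  hdr = pkt['Payload']['SMB']
  req = pkt['Payload']

  self.smb_defaults(hdr)

  # Offsets are measured from the SMB header (the 4-byte NetBIOS session
  # header is excluded); the setup words sit before the byte area.
  base_offset  = pkt.to_s.length + (setup_count * 2) - 4
  param_offset = base_offset
  data_offset  = param_offset + param.length

  hdr.v['Command']   = CONST::SMB_COM_NT_TRANSACT
  hdr.v['Flags1']    = 0x18
  hdr.v['Flags2']    = 0x2001
  hdr.v['WordCount'] = 19 + setup_count

  req.v['ParamCountTotal'] = param.length
  req.v['DataCountTotal']  = body.length
  req.v['ParamCountMax']   = 1024
  req.v['DataCountMax']    = 65504
  req.v['ParamCount']      = param.length
  req.v['ParamOffset']     = param_offset
  req.v['DataCount']       = body.length
  req.v['DataOffset']      = data_offset
  req.v['SetupCount']      = setup_count
  req.v['SetupData']       = setup_data
  req.v['Subcommand']      = subcommand
  req.v['Payload']         = data

  self.smb_send(pkt.to_s)

  self.smb_recv_parse(CONST::SMB_COM_NT_TRANSACT)
end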
# Public attribute accessors: tunables a caller may set, plus read-only views of
# the negotiated/session state (the matching writers are protected below)
# Tunables a caller may set before or while talking to the server
attr_accessor :native_os
attr_accessor :native_lm
attr_accessor :encrypt_passwords
attr_accessor :extended_security
attr_accessor :read_timeout
attr_accessor :evasion_level

# Negotiated and session state: readable by callers, written only by the
# client itself (the writers are declared protected further down).
# NOTE(review): session_id and challenge_key are authentication material --
# keep them out of logs and error messages.
attr_reader :dialect, :session_id, :challenge_key
attr_reader :peer_native_lm, :peer_native_os
attr_reader :default_domain, :default_name
attr_reader :auth_user, :auth_user_id
attr_reader :multiplex_id, :process_id
attr_reader :last_tree_id, :last_file_id
attr_reader :security_mode, :server_guid
# Protected writers for the state exposed read-only above (only the client
# updates them), and the transport socket
protected

# Writers for the negotiated/session state that is read-only to callers
attr_writer :dialect, :session_id, :challenge_key
attr_writer :peer_native_lm, :peer_native_os
attr_writer :default_domain, :default_name
attr_writer :auth_user, :auth_user_id
attr_writer :multiplex_id, :process_id
attr_writer :last_tree_id, :last_file_id
attr_writer :security_mode, :server_guid

# The transport is protected in both directions: only the client touches it
attr_accessor :socket
end
end
end
end