metasploit-framework/lib/rex/proto/drda/packet.rb

# -*- coding: binary -*-
require 'rex/proto/drda'

module Rex
module Proto
module DRDA

class Error < StandardError; end
class RespError < Error; end

# See:
# http://publib.boulder.ibm.com/infocenter/dzichelp/v2r2/index.jsp?topic=/com.ibm.db29.doc.drda/db2z_excsat.htm
class MGRLVLLS_PARAM < Struct.new(:length, :codepoint, :payload)
  def initialize(args={})
    self[:codepoint] = Constants::MGRLVLLS
    self[:payload] = "\x14\x03\x00\x0a\x24\x07\x00\x0a" +
      "\x14\x74\x00\x05\x24\x0f\x00\x08" +
      "\x14\x40\x00\x09\x1c\x08\x04\xb8"
    self[:length] = self[:payload].to_s.size+4
  end
  def to_s
    self.to_a.pack("nna*")
  end
end

# Currently, only takes a MGRLVLLS param. Extend the struct
# when more parameters are defined.
class EXCSAT_DDM < Struct.new(:length, :magic, :format, :correlid, :length2,
   :codepoint, :mgrlvlls)

  def initialize(args={})
    self[:magic] = 0xd0
    self[:format] = 0x41
    self[:correlid] = 1
    self[:codepoint] = Constants::EXCSAT
    self[:mgrlvlls] = args[:mgrlvlls] || MGRLVLLS_PARAM.new.to_s
    self[:length] = (10 + self[:mgrlvlls].to_s.size)
    self[:length2] = self[:length]-6
  end

  def to_s
    packstr = "nCCnnn"
    packstr += "a*"  # Pack smarter as more params are added.
    self.to_a.pack(packstr)
  end
end

# See http://publib.boulder.ibm.com/infocenter/dzichelp/v2r2/index.jsp?topic=/com.ibm.db29.doc.drda/db2z_accsec.htm
# for all sorts of info about SECMEC.
class SECMEC_PARAM < Struct.new(:length, :codepoint, :payload)
  def initialize(args={})
    self[:length] = 6
    self[:codepoint] = Constants::SECMEC
    self[:payload] = 3 # Plaintext username and password.
  end
  def to_s
    self.to_a.pack("nnn")
  end
end

# Relational Database name parameter.
class RDBNAM_PARAM < Struct.new(:length, :codepoint, :payload)
  def initialize(args={})
    self[:length] = 22 # Since the database name is padded out.
    self[:codepoint] = Constants::RDBNAM
    self[:payload] = encode(args[:payload].to_s)
  end

  def encode(str)
    Rex::Text.to_ebcdic([str].pack("A18"))
  end

  def payload=(str)
    self[:payload] = encode(str.to_s)
  end

  def to_s
    self.to_a.pack("nna18")
  end

end

# The ACCSEC DDM is responsible for picking the security mechanism (SECMEC)
# which, in our case, will always be plain text username and password. It
# also sets the relational database name (RDBNAM), if specified. You need
# one to login, but not to probe.
class ACCSEC_DDM < Struct.new(:length, :magic, :format, :correlid, :length2,
   :codepoint, :secmec, :rdbnam)
  def initialize(args={})
    self[:magic] = 0xd0
    self[:format] = args[:format] || 0x01
    self[:correlid] = 2
    self[:codepoint] = Constants::ACCSEC
    self[:secmec] = SECMEC_PARAM.new.to_s
    if args[:dbname] # Include a database name if we're given one.
      self[:rdbnam] = RDBNAM_PARAM.new(:payload => args[:dbname]).to_s
    end
    self[:length] =  10 + self[:secmec].to_s.size + self[:rdbnam].to_s.size
    self[:length2] = self[:length]-6
  end
  def dbname=(str)
    self[:rdbnam] = RDBNAM_PARAM.new(:payload => args[:dbname]).to_s
  end
  def to_s
    packstr = "nCCnnna6"
    packstr += "a22" if self[:rdbnam]
    self.to_a.pack(packstr)
  end
end

class DDM_PARAM < Struct.new(:length, :codepoint, :payload)

  def read(str="")
    raise DRDA::Error, "Input isn't a String." if !str.kind_of? String
    raise DRDA::RespError, "DDM_PARAM is too short" if str.size < 4
    (self[:length], self[:codepoint]) =
      str.unpack("nn")
    raise DRDA::RespError, "DDM_PARAM Length is too short" if self[:length] < 4
    rest = str[4,self[:length]-4] # If it's negative or whatever, it'll end up as "".
    self[:payload] = rest.to_s[0,self[:length]-4]
    return self
  end

  def to_s
    self.to_a.pack("nna*")
  end

end

class BASIC_DDM < Struct.new(:length, :magic, :format, :correlid,
  :length2, :codepoint, :payload)
  def initialize
    self[:payload] = []
  end

  def read(str="")
    self[:payload].clear
    raise DRDA::Error, "Input isn't a String." if !str.kind_of? String
    raise DRDA::RespError, "Response is too short." if str.size < 10
    (self[:length],self[:magic],self[:format],
     self[:correlid],self[:length2],self[:codepoint]) =
     str.unpack("nCCnnn")
    sanity_check
    rest = str[10,self[:length2]-4]
    i = 0
    while (i < rest.size)
      if self[:codepoint] == Constants::SQLCARD # These aren't DDM's.
        this_param = rest[i,self[:length]-10]
      else
        this_param = DDM_PARAM.new.read(rest[i,rest.size])
      end
      self[:payload] << this_param
      i += this_param.to_s.size
    end
    return self
  end

  # Just a quick test.
  def sanity_check
    if self[:length] < 10
      raise DRDA::RespError, "DDM Length is too short."
    elsif self[:length2] < 4
      raise DRDA::RespError, "DDM Length2 is too short."
    elsif self[:length]-6 != self[:length2]
      raise DRDA::RespError, "Codepoint: 0x#{self[:codepoint].to_s(16)} DDM Length2 (0x#{self[:length2].to_s(16)}) isn't six less than Length (0x#{self[:length].to_s(16)})"
    end
  end

  def to_s
    self.to_a.pack("nCCnnn") + self[:payload].map {|x| x.to_s}.join
  end

end

class SERVER_PACKET < Array

  def read(str="")
    raise DRDA::Error, "Input isn't a String." if !str.kind_of? String
    self.clear
    i = 0
    while(i < str.size)
      this_ddm = BASIC_DDM.new.read(str[i,str.size])
      self << this_ddm
      i += this_ddm.to_s.size
    end
    return self
  end

  def to_s; self.join; end
  def sz; self.to_s.size; end

end

class PASSWORD_PARAM < Struct.new(:length, :codepoint, :payload)
  def initialize(args={})
    self[:codepoint] = Constants::PASSWORD
    self[:payload] = Rex::Text.to_ebcdic(args[:payload].to_s)
    self[:length] = self[:payload].size + 4
  end
  def encode(str)
    Rex::Text.to_ebcdic(str)
  end
  def to_s
    self.to_a.pack("nna*")
  end
end

class USERID_PARAM < Struct.new(:length, :codepoint, :payload)
  def initialize(args={})
    self[:codepoint] = Constants::USERID
    self[:payload] = Rex::Text.to_ebcdic(args[:payload].to_s)
    self[:length] = self[:payload].size + 4
  end
  def encode(str)
    Rex::Text.to_ebcdic(str)
  end
  def to_s
    self.to_a.pack("nna*")
  end
end

class SECCHK_DDM < Struct.new(:length, :magic, :format, :correlid, :length2,
  :codepoint, :secmec, :rdbnam, :password, :userid)
  def initialize(args={}) # Takes :dbname, :dbpass, :dbuser
    self[:magic] = 0xd0
    self[:format] = 0x01
    self[:correlid] = 2
    self[:codepoint] = Constants::SECCHK
    self[:secmec] = SECMEC_PARAM.new.to_s
    if args[:dbname] # Include a database name if we're given one.
      self[:rdbnam] = RDBNAM_PARAM.new(:payload => args[:dbname]).to_s
    end
    self[:password] = PASSWORD_PARAM.new(:payload => args[:dbpass]).to_s
    self[:userid] = USERID_PARAM.new(:payload => args[:dbuser]).to_s
    self[:length] = ( 10 + self[:secmec].to_s.size + self[:rdbnam].to_s.size +
           self[:password].to_s.size + self[:userid].to_s.size )
    self[:length2] = self[:length]-6
  end
  def dbname=(str)
    self[:rdbnam] = RDBNAM_PARAM.new(:payload => args[:dbname]).to_s
  end
  def to_s
    packstr = "nCCnnna6"
    packstr += "a22" if self[:rdbnam]
    packstr += "a*a*" # username and password
    self.to_a.pack(packstr)
  end
end

end
end
end
Mark all libraries as defaulting to 8-bit strings 2012-06-29 05:18:28 +00:00			`# -- coding: binary --`
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00			`require 'rex/proto/drda'`

			`module Rex`
			`module Proto`
			`module DRDA`

			`class Error < StandardError; end`
			`class RespError < Error; end`

			`# See:`
Whitespace cleanup 2012-05-24 23:10:26 +00:00			`# http://publib.boulder.ibm.com/infocenter/dzichelp/v2r2/index.jsp?topic=/com.ibm.db29.doc.drda/db2z_excsat.htm`
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00			`class MGRLVLLS_PARAM < Struct.new(:length, :codepoint, :payload)`
Retab lib 2013-08-30 21:28:33 +00:00			`def initialize(args={})`
			`self[:codepoint] = Constants::MGRLVLLS`
			`self[:payload] = "\x14\x03\x00\x0a\x24\x07\x00\x0a" +`
			`"\x14\x74\x00\x05\x24\x0f\x00\x08" +`
			`"\x14\x40\x00\x09\x1c\x08\x04\xb8"`
			`self[:length] = self[:payload].to_s.size+4`
			`end`
			`def to_s`
			`self.to_a.pack("nna*")`
			`end`
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00			`end`

Whitespace cleanup 2012-05-24 23:10:26 +00:00			`# Currently, only takes a MGRLVLLS param. Extend the struct`
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00			`# when more parameters are defined.`
			`class EXCSAT_DDM < Struct.new(:length, :magic, :format, :correlid, :length2,`
Retab lib 2013-08-30 21:28:33 +00:00			`:codepoint, :mgrlvlls)`

			`def initialize(args={})`
			`self[:magic] = 0xd0`
			`self[:format] = 0x41`
			`self[:correlid] = 1`
			`self[:codepoint] = Constants::EXCSAT`
			`self[:mgrlvlls] = args[:mgrlvlls] \|\| MGRLVLLS_PARAM.new.to_s`
			`self[:length] = (10 + self[:mgrlvlls].to_s.size)`
			`self[:length2] = self[:length]-6`
			`end`

			`def to_s`
			`packstr = "nCCnnn"`
			`packstr += "a*" # Pack smarter as more params are added.`
			`self.to_a.pack(packstr)`
			`end`
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00			`end`

			`# See http://publib.boulder.ibm.com/infocenter/dzichelp/v2r2/index.jsp?topic=/com.ibm.db29.doc.drda/db2z_accsec.htm`
			`# for all sorts of info about SECMEC.`
			`class SECMEC_PARAM < Struct.new(:length, :codepoint, :payload)`
Retab lib 2013-08-30 21:28:33 +00:00			`def initialize(args={})`
			`self[:length] = 6`
			`self[:codepoint] = Constants::SECMEC`
			`self[:payload] = 3 # Plaintext username and password.`
			`end`
			`def to_s`
			`self.to_a.pack("nnn")`
			`end`
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00			`end`

Whitespace cleanup 2012-05-24 23:10:26 +00:00			`# Relational Database name parameter.`
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00			`class RDBNAM_PARAM < Struct.new(:length, :codepoint, :payload)`
Retab lib 2013-08-30 21:28:33 +00:00			`def initialize(args={})`
			`self[:length] = 22 # Since the database name is padded out.`
			`self[:codepoint] = Constants::RDBNAM`
			`self[:payload] = encode(args[:payload].to_s)`
			`end`
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00
Retab lib 2013-08-30 21:28:33 +00:00			`def encode(str)`
			`Rex::Text.to_ebcdic([str].pack("A18"))`
			`end`
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00
Retab lib 2013-08-30 21:28:33 +00:00			`def payload=(str)`
			`self[:payload] = encode(str.to_s)`
			`end`
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00
Retab lib 2013-08-30 21:28:33 +00:00			`def to_s`
			`self.to_a.pack("nna18")`
			`end`
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00
			`end`

			`# The ACCSEC DDM is responsible for picking the security mechanism (SECMEC)`
			`# which, in our case, will always be plain text username and password. It`
			`# also sets the relational database name (RDBNAM), if specified. You need`
			`# one to login, but not to probe.`
			`class ACCSEC_DDM < Struct.new(:length, :magic, :format, :correlid, :length2,`
Retab lib 2013-08-30 21:28:33 +00:00			`:codepoint, :secmec, :rdbnam)`
			`def initialize(args={})`
			`self[:magic] = 0xd0`
			`self[:format] = args[:format] \|\| 0x01`
			`self[:correlid] = 2`
			`self[:codepoint] = Constants::ACCSEC`
			`self[:secmec] = SECMEC_PARAM.new.to_s`
			`if args[:dbname] # Include a database name if we're given one.`
			`self[:rdbnam] = RDBNAM_PARAM.new(:payload => args[:dbname]).to_s`
			`end`
			`self[:length] = 10 + self[:secmec].to_s.size + self[:rdbnam].to_s.size`
			`self[:length2] = self[:length]-6`
			`end`
			`def dbname=(str)`
			`self[:rdbnam] = RDBNAM_PARAM.new(:payload => args[:dbname]).to_s`
			`end`
			`def to_s`
			`packstr = "nCCnnna6"`
			`packstr += "a22" if self[:rdbnam]`
			`self.to_a.pack(packstr)`
			`end`
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00			`end`

			`class DDM_PARAM < Struct.new(:length, :codepoint, :payload)`

Retab lib 2013-08-30 21:28:33 +00:00			`def read(str="")`
			`raise DRDA::Error, "Input isn't a String." if !str.kind_of? String`
			`raise DRDA::RespError, "DDM_PARAM is too short" if str.size < 4`
			`(self[:length], self[:codepoint]) =`
			`str.unpack("nn")`
			`raise DRDA::RespError, "DDM_PARAM Length is too short" if self[:length] < 4`
			`rest = str[4,self[:length]-4] # If it's negative or whatever, it'll end up as "".`
			`self[:payload] = rest.to_s[0,self[:length]-4]`
			`return self`
			`end`

			`def to_s`
			`self.to_a.pack("nna*")`
			`end`
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00
			`end`

			`class BASIC_DDM < Struct.new(:length, :magic, :format, :correlid,`
Retab lib 2013-08-30 21:28:33 +00:00			`:length2, :codepoint, :payload)`
			`def initialize`
			`self[:payload] = []`
			`end`

			`def read(str="")`
			`self[:payload].clear`
			`raise DRDA::Error, "Input isn't a String." if !str.kind_of? String`
			`raise DRDA::RespError, "Response is too short." if str.size < 10`
			`(self[:length],self[:magic],self[:format],`
			`self[:correlid],self[:length2],self[:codepoint]) =`
			`str.unpack("nCCnnn")`
			`sanity_check`
			`rest = str[10,self[:length2]-4]`
			`i = 0`
			`while (i < rest.size)`
			`if self[:codepoint] == Constants::SQLCARD # These aren't DDM's.`
			`this_param = rest[i,self[:length]-10]`
			`else`
			`this_param = DDM_PARAM.new.read(rest[i,rest.size])`
			`end`
			`self[:payload] << this_param`
			`i += this_param.to_s.size`
			`end`
			`return self`
			`end`

			`# Just a quick test.`
			`def sanity_check`
			`if self[:length] < 10`
			`raise DRDA::RespError, "DDM Length is too short."`
			`elsif self[:length2] < 4`
			`raise DRDA::RespError, "DDM Length2 is too short."`
			`elsif self[:length]-6 != self[:length2]`
			`raise DRDA::RespError, "Codepoint: 0x#{self[:codepoint].to_s(16)} DDM Length2 (0x#{self[:length2].to_s(16)}) isn't six less than Length (0x#{self[:length].to_s(16)})"`
			`end`
			`end`

			`def to_s`
			`self.to_a.pack("nCCnnn") + self[:payload].map {\|x\| x.to_s}.join`
			`end`
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00
			`end`

			`class SERVER_PACKET < Array`

Retab lib 2013-08-30 21:28:33 +00:00			`def read(str="")`
			`raise DRDA::Error, "Input isn't a String." if !str.kind_of? String`
			`self.clear`
			`i = 0`
			`while(i < str.size)`
			`this_ddm = BASIC_DDM.new.read(str[i,str.size])`
			`self << this_ddm`
			`i += this_ddm.to_s.size`
			`end`
			`return self`
			`end`

			`def to_s; self.join; end`
			`def sz; self.to_s.size; end`
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00
			`end`

			`class PASSWORD_PARAM < Struct.new(:length, :codepoint, :payload)`
Retab lib 2013-08-30 21:28:33 +00:00			`def initialize(args={})`
			`self[:codepoint] = Constants::PASSWORD`
			`self[:payload] = Rex::Text.to_ebcdic(args[:payload].to_s)`
			`self[:length] = self[:payload].size + 4`
			`end`
			`def encode(str)`
			`Rex::Text.to_ebcdic(str)`
			`end`
			`def to_s`
			`self.to_a.pack("nna*")`
			`end`
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00			`end`

			`class USERID_PARAM < Struct.new(:length, :codepoint, :payload)`
Retab lib 2013-08-30 21:28:33 +00:00			`def initialize(args={})`
			`self[:codepoint] = Constants::USERID`
			`self[:payload] = Rex::Text.to_ebcdic(args[:payload].to_s)`
			`self[:length] = self[:payload].size + 4`
			`end`
			`def encode(str)`
			`Rex::Text.to_ebcdic(str)`
			`end`
			`def to_s`
			`self.to_a.pack("nna*")`
			`end`
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00			`end`

			`class SECCHK_DDM < Struct.new(:length, :magic, :format, :correlid, :length2,`
Retab lib 2013-08-30 21:28:33 +00:00			`:codepoint, :secmec, :rdbnam, :password, :userid)`
			`def initialize(args={}) # Takes :dbname, :dbpass, :dbuser`
			`self[:magic] = 0xd0`
			`self[:format] = 0x01`
			`self[:correlid] = 2`
			`self[:codepoint] = Constants::SECCHK`
			`self[:secmec] = SECMEC_PARAM.new.to_s`
			`if args[:dbname] # Include a database name if we're given one.`
			`self[:rdbnam] = RDBNAM_PARAM.new(:payload => args[:dbname]).to_s`
			`end`
			`self[:password] = PASSWORD_PARAM.new(:payload => args[:dbpass]).to_s`
			`self[:userid] = USERID_PARAM.new(:payload => args[:dbuser]).to_s`
			`self[:length] = ( 10 + self[:secmec].to_s.size + self[:rdbnam].to_s.size +`
			`self[:password].to_s.size + self[:userid].to_s.size )`
			`self[:length2] = self[:length]-6`
			`end`
			`def dbname=(str)`
			`self[:rdbnam] = RDBNAM_PARAM.new(:payload => args[:dbname]).to_s`
			`end`
			`def to_s`
			`packstr = "nCCnnna6"`
			`packstr += "a22" if self[:rdbnam]`
			`packstr += "aa" # username and password`
			`self.to_a.pack(packstr)`
			`end`
See #726. Adds a DB2 scanner and brute forcer. git-svn-id: file:///home/svn/framework3/trunk@8223 4d416f70-5f16-0410-b530-b9f4589650da 2010-01-25 15:58:24 +00:00			`end`

			`end`
			`end`
			`end`