metasploit-framework/lib/rex/proto/smb/utils.rb

162 lines
3.1 KiB
Ruby
Raw Normal View History

module Rex
module Proto
module SMB
class Utils
require 'rex/text'
# Convert a standard ASCII string to 16-bit Unicode
def self.unicode (str)
str.unpack('C*').pack('v*')
end
# Convert a name to its NetBIOS equivalent
def self.nbname_encode (str)
encoded = ''
for x in (0..15)
if (x >= str.length)
encoded << 'CA'
else
c = str[x, 1].upcase[0]
encoded << [ (c / 16) + 0x41, (c % 16) + 0x41 ].pack('CC')
end
end
return encoded
end
# Convert a name from its NetBIOS equivalent
def self.nbname_decode (str)
decoded = ''
str << 'A' if str.length % 2 != 0
while (str.length > 0)
two = str.slice!(0, 2)
if (two.length == 2)
decoded << [ ((two[0] - 0x41) * 16) + two[1] - 0x41 ].pack('C')
end
end
return decoded
end
def self.asn1encode (str = '')
res = ''
case str.length
when 0 .. 0x80
res = [str.length].pack('C') + str
when 0x81 .. 0x100
res = [0x81, str.length].pack('CC') + str
when 0x101 .. 0x100000
res = [0x82, str.length].pack('Cn') + str
when 0x100001 .. 0xffffffff
res = [0x83, str.length].pack('CN') + str
end
return res
end
def self.make_ntlmv2_secblob_init (domain = 'WORKGROUP', name = 'WORKSTATION')
blob =
"\x60" + self.asn1encode(
"\x06" + self.asn1encode(
"\x2b\x06\x01\x05\x05\x02"
) +
"\xa0" + self.asn1encode(
"\x30" + self.asn1encode(
"\xa0" + self.asn1encode(
"\x30" + self.asn1encode(
"\x06" + self.asn1encode(
"\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
)
)
) +
"\xa2" + self.asn1encode(
"\x04" + self.asn1encode(
"NTLMSSP\x00" +
[1, 0x80201].pack('VV') +
[
domain.length, #length
domain.length, #max length
32
].pack('vvV') +
[
name.length, #length
name.length, #max length
domain.length + 32
].pack('vvV') +
domain + name
)
)
)
)
)
return blob
end
def self.make_ntlmv2_secblob_auth (domain = '', name = '', user = '', lmv2 = '', ntlm = '')
domain_uni = self.unicode(domain)
user_uni = self.unicode(user)
name_uni = self.unicode(name)
ptr = 0
blob =
"\xa1" + self.asn1encode(
"\x30" + self.asn1encode(
"\xa2" + self.asn1encode(
"\x04" + self.asn1encode(
"NTLMSSP\x00" +
[ 3 ].pack('V') +
[ # Lan Manager Response
lmv2.length,
lmv2.length,
(ptr += 64)
].pack('vvV') +
[ # NTLM Manager Response
ntlm.length,
ntlm.length,
(ptr += lmv2.length)
].pack('vvV') +
[ # Domain Name
domain_uni.length,
domain_uni.length,
(ptr += ntlm.length)
].pack('vvV') +
[ # Username
user_uni.length,
user_uni.length,
(ptr += domain_uni.length)
].pack('vvV') +
[ # Hostname
name_uni.length,
name_uni.length,
(ptr += user_uni.length)
].pack('vvV') +
[ # Session Key (none)
0, 0, 0
].pack('vvV') +
[ 0x80201 ].pack('V') +
lmv2 +
ntlm +
domain_uni +
user_uni +
name_uni
))))
return blob
end
end
end
end
end