Evasion code is more sane, mostly working

git-svn-id: file:///home/svn/incoming/trunk@2870 4d416f70-5f16-0410-b530-b9f4589650da

lib/rex/proto/smb/client.rb

@@ -854,6 +854,8 @@ EVADE = Rex::Proto::SMB::Evasions
 		
 		data_offset = pkt.to_s.length - 4
 		
+		filler = EVADE.make_offset_filler(self.evasion_level, 4096 - data.length - data_offset)
+		
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_WRITE_ANDX
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18
 		pkt['Payload']['SMB'].v['Flags2'] = 0x2001
@@ -867,8 +869,8 @@ EVADE = Rex::Proto::SMB::Evasions
 		pkt['Payload'].v['Remaining'] = data.length
 		# pkt['Payload'].v['DataLenHigh'] = (data.length / 65536).to_i
 		pkt['Payload'].v['DataLenLow'] = (data.length % 65536).to_i
-		pkt['Payload'].v['DataOffset'] = data_offset
+		pkt['Payload'].v['DataOffset'] = data_offset + filler.length
-		pkt['Payload'].v['Payload'] = data
+		pkt['Payload'].v['Payload'] = filler + data
 		
 		self.smb_send(pkt.to_s)
 		
@@ -912,19 +914,41 @@ EVADE = Rex::Proto::SMB::Evasions
 	# Perform a transaction against a given pipe name
 	def trans (pipe, param = '', body = '', setup_count = 0, setup_data = '')
 
-		# null-terminate the pipe parameter if needed
+		# Null-terminate the pipe parameter if needed
 		if (pipe[-1] != 0)
 			pipe << "\x00"
 		end
 		
-		data = pipe + param + body
-
 		pkt = CONST::SMB_TRANS_PKT.make_struct
 		self.smb_defaults(pkt['Payload']['SMB'])
+
+		# Packets larger than mlen will cause XP SP2 to disconnect us ;-(		
+		mlen = 4200
 		
+		# Figure out how much space is taken up by our current arguments
+		xlen =  pipe.length + param.length + body.length
+
+		filler1 = ''
+		filler2 = ''
+
+		# Fill any available space depending on the evasion settings
+		if (xlen < mlen)
+			filler1 = EVADE.make_offset_filler(self.evasion_level, (mlen-xlen)/2)
+			filler2 = EVADE.make_offset_filler(self.evasion_level, (mlen-xlen)/2)
+		end
+
+		# Squish the whole thing together
+		data = pipe + filler1 + param + filler2 + body
+		
+		# Throw some form of a warning out?
+		if (data.length > mlen)
+			# This call will more than likely fail :-(
+		end
+		
+		# Calculate all of the offsets
 		base_offset = pkt.to_s.length + (setup_count * 2) - 4
-		param_offset = base_offset + pipe.length
+		param_offset = base_offset + pipe.length + filler1.length
-		data_offset = param_offset + param.length
+		data_offset = param_offset + filler2.length + param.length
 		
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18

lib/rex/proto/smb/client.rb.ut.rb

@@ -22,7 +22,7 @@ class Rex::Proto::SMB::Client::UnitTest < Test::Unit::TestCase
 		
 	@@host = '192.168.0.219'
 	@@port = 139
-
+	@@evasion = 2
 
 	def test_smb_open_share
 		
@@ -30,7 +30,7 @@ class Rex::Proto::SMB::Client::UnitTest < Test::Unit::TestCase
 		pass = 'SMBTest'
 		share = 'C$'
 		
-		write_data = ('A' * 65000)
+		write_data = ('A' * 256)
 		filename = 'smb_test.txt'
 		
 		s = Rex::Socket.create_tcp(
@@ -39,7 +39,7 @@ class Rex::Proto::SMB::Client::UnitTest < Test::Unit::TestCase
 		)
 
 		c = Klass.new(s)
-		c.evasion_level = 0
+		c.evasion_level = @@evasion
 		
 		# Request a SMB session over NetBIOS
 		puts "[*] Requesting a SMB session over NetBIOS..."
@@ -98,7 +98,7 @@ class Rex::Proto::SMB::Client::UnitTest < Test::Unit::TestCase
 		ok = c.close(c.last_file_id)
 		assert_kind_of(Rex::Struct2::CStruct, ok)
 		
-		puts "[*] Diconnecting from the tree..."	
+		puts "[*] Disconnecting from the tree..."	
 		ok = c.tree_disconnect
 		assert_kind_of(Rex::Struct2::CStruct, ok)
 		
@@ -112,7 +112,7 @@ class Rex::Proto::SMB::Client::UnitTest < Test::Unit::TestCase
 		)
 
 		c = Klass.new(s)
-		c.evasion_level = 0
+		c.evasion_level = @@evasion
 		
 		# Request a SMB session over NetBIOS
 		puts "[*] Requesting a SMB session over NetBIOS..."
@@ -156,7 +156,7 @@ class Rex::Proto::SMB::Client::UnitTest < Test::Unit::TestCase
 		)
 
 		c = Klass.new(s)
-		c.evasion_level = 0
+		c.evasion_level = @@evasion
 		
 		# Request a SMB session over NetBIOS
 		puts "[*] Requesting a SMB session over NetBIOS..."

lib/rex/proto/smb/evasions.rb

@@ -16,7 +16,7 @@ EVASION_MAX   = 3
 			when EVASION_NONE
 				return 0
 			when EVASION_LOW
-				return 125
+				return 61
 			when EVASION_HIGH
 				return 29
 			when EVASION_MAX
@@ -30,14 +30,37 @@ EVASION_MAX   = 3
 			when EVASION_NONE
 				return 0
 			when EVASION_LOW
-				return 0.25
+				return 0.01
 			when EVASION_HIGH
-				return 0.25
+				return 0.10
 			when EVASION_MAX
-				return 0.25
+				return 0.20
 		end
 	end
 
+	# Add bogus filler at the end of the SMB packet and before the data
+	def self.make_offset_filler(level, max_size = 60000, min_size = 512)	
+
+		if (max_size < 0)
+			max_size = 4096
+		end
+		
+		if (min_size < max_size)
+			min_size = max_size - 1
+		end
+		
+		case level
+			when EVASION_NONE
+				return ''
+			when EVASION_LOW
+				return Rex::Text.rand_text(32)
+			when EVASION_HIGH
+				return Rex::Text.rand_text( rand(max_size - min_size) + min_size )
+			when EVASION_MAX
+				Rex::Text.rand_text( rand(max_size) )
+		end
+	end
+	
 	# Obscures a named pipe pathname via leading and trailing slashes
 	def self.make_named_pipe_path(level, pipe)
 		case level
@@ -56,11 +79,11 @@ EVASION_MAX   = 3
 			when EVASION_NONE
 				return '\\PIPE\\'
 			when EVASION_LOW
-				return ('\\' * (1024 + rand(512))) + 'PIPE\\'
+				return ('\\' * (256 - rand(64)) + 'PIPE\\')
 			when EVASION_HIGH
-				return ('\\' * (1024 + rand(512))) + 'PIPE' + ('\\' * (1024 + rand(512)))
+				return Rex::Text.rand_text(512 - rand(128))
 			when EVASION_MAX
-				return Rex::Text.rand_text(4096 - rand(1024))
+				return Rex::Text.rand_text(1024 - rand(256))
 		end
 	end