Add constants for Negotiation Capabilities

2015-02-25 12:50:33 -06:00 · 2015-02-25 12:50:33 -06:00 · 1caffbea2d
parent 50d50d5353
commit 1caffbea2d
3 changed files with 48 additions and 2 deletions
--- a/lib/msf/core/exploit/smb/server/share.rb
+++ b/lib/msf/core/exploit/smb/server/share.rb
@ -36,6 +36,21 @@ module Msf
        CONST::FLAGS2_32_BIT_ERROR_CODES +
        CONST::FLAGS2_LONG_PATH_COMPONENTS

+      CAPABILITIES = CONST::CAP_UNIX_EXTENSIONS +
+        CONST::CAP_LARGE_WRITEX +
+        CONST::CAP_LARGE_READX +
+        CONST::CAP_PASSTHRU +
+        CONST::CAP_DFS +
+        CONST::CAP_NT_FIND +
+        CONST::CAP_LOCK_AND_READ +
+        CONST::CAP_LEVEL_II_OPLOCKS +
+        CONST::CAP_STATUS32 +
+        CONST::CAP_RPC_REMOTE_APIS +
+        CONST::CAP_NT_SMBS +
+        CONST::CAP_LARGE_FILES +
+        CONST::CAP_UNICODE +
+        CONST::CAP_RAW_MODE
+
      attr_accessor :unc
      attr_accessor :share
      attr_accessor :path_name
--- a/lib/msf/core/exploit/smb/server/share/command/negotiate.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/negotiate.rb
@ -25,7 +25,7 @@ module Msf
            pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
            pkt['Payload']['SMB'].v['WordCount'] = 17
            pkt['Payload'].v['Dialect'] = dialect
-            pkt['Payload'].v['SecurityMode'] = 2 # SHARE Security Mode
+            pkt['Payload'].v['SecurityMode'] = CONST::NEG_SECURITY_PASSWORD
            pkt['Payload'].v['MaxMPX'] = 50
            pkt['Payload'].v['MaxVCS'] = 1
            pkt['Payload'].v['MaxBuff'] = 4356
@ -34,7 +34,7 @@ module Msf
            pkt['Payload'].v['SystemTimeHigh'] = hi
            pkt['Payload'].v['ServerTimeZone'] = 0x0
            pkt['Payload'].v['SessionKey'] = 0
-            pkt['Payload'].v['Capabilities'] = 0x0080f3fd
+            pkt['Payload'].v['Capabilities'] = CAPABILITIES
            pkt['Payload'].v['KeyLength'] = 8
            pkt['Payload'].v['Payload'] = Rex::Text.rand_text_hex(8)

--- a/lib/rex/proto/smb/constants.rb
+++ b/lib/rex/proto/smb/constants.rb
@ -136,6 +136,37 @@ class Constants
  FLAGS2_UNICODE_STRINGS                  = 0x8000
  FLAGS2_WIN2K_SIGNATURE                  = 0xC852

+  # SMB Negotiate Security Modes
+  NEG_SECURITY_SHARE = 1
+  NEG_SECURITY_PASSWORD = 2
+
+  # SMB Negotiate Capabilities
+  # The server supports SMB_COM_READ_RAW and SMB_COM_WRITE_RAW
+  CAP_RAW_MODE         = 0x0001
+  # The server supports SMB_COM_READ_MPX and SMB_COM_WRITE_MPX
+  CAP_MPX_MODE         = 0x0002
+  # The server supports Unicode strings
+  CAP_UNICODE          = 0x0004
+  # The server supports large files with 64 bit offsets
+  CAP_LARGE_FILES      = 0x0008
+  # The server supports the SMBs particular to the NT LM 0.12 dialect
+  CAP_NT_SMBS          = 0x0010
+  # The sever supports remote API requests via RPC
+  CAP_RPC_REMOTE_APIS  = 0x0020
+  # The server can respond with 32 bit status codes in Status.Status
+  CAP_STATUS32         = 0x0040
+  # The server supports level 2 oplocks
+  CAP_LEVEL_II_OPLOCKS = 0x0080
+  # The server supports the SMB_COM_LOCK_AND_READ SMB
+  CAP_LOCK_AND_READ    = 0x0100
+  CAP_NT_FIND          = 0x0200
+  # This server is DFS aware
+  CAP_DFS              = 0x1000
+  CAP_PASSTHRU         = 0x2000
+  CAP_LARGE_READX      = 0x4000
+  CAP_LARGE_WRITEX     = 0x8000
+  CAP_UNIX_EXTENSIONS  = 0x800000
+
  # Open Modes
  OPEN_MODE_CREAT = 0x10   # Create the file if file does not exists. Otherwise, operation fails.
  OPEN_MODE_EXCL  = 0x00   # When used with SMB_O_CREAT, operation fails if file exists. Cannot be used with SMB_O_OPEN.