Refactor SessionSetupAndx handler

2015-02-28 12:10:48 -06:00 · 2015-02-28 12:10:48 -06:00 · 1d602d38c9
parent 544f88620d
commit 1d602d38c9
1 changed files with 35 additions and 12 deletions
--- a/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb
@ -19,6 +19,28 @@ module Msf
            tree_connect_response.v['GuestAccessRights'] = 0
            tree_connect_response.v['Payload'] = "A:\x00#{Rex::Text.to_unicode('NTFS')}\x00\x00"

+            data = Rex::Text.to_unicode('Unix', 'utf-16be') + "\x00\x00" + # Native OS # Samba signature
+              Rex::Text.to_unicode('Samba 3.4.7', 'utf-16be') + "\x00\x00" + # Native LAN Manager # Samba signature
+              Rex::Text.to_unicode('WORKGROUP', 'utf-16be') + "\x00\x00\x00" # Primary DOMAIN # Samba signature
+
+            send_session_setup_andx_res(c, {
+              action: CONST::SMB_SETUP_GUEST,
+              data: data,
+              andx: CONST::SMB_COM_TREE_CONNECT_ANDX,
+              andx_offset: 96,
+              andx_command: tree_connect_response
+            })
+          end
+
+          def send_session_setup_andx_res(c, opts = {})
+            action = opts[:action] || 0
+            andx_offset = opts[:andx_offset] || 0
+            reserved = opts[:reserved] || 0
+            andx = opts[:andx] || CONST::SMB_COM_NO_ANDX_COMMAND
+            data = opts[:data] || ''
+            andx_command = opts[:andx_command] || nil
+
+
            pkt = CONST::SMB_SETUP_RES_PKT.make_struct
            smb_set_defaults(c, pkt)

@ -26,19 +48,20 @@ module Msf
            pkt['Payload']['SMB'].v['Flags1'] = FLAGS
            pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
            pkt['Payload']['SMB'].v['WordCount'] = 3
-            pkt['Payload'].v['AndX'] = CONST::SMB_COM_TREE_CONNECT_ANDX
-            pkt['Payload'].v['Reserved1'] = 00
-            pkt['Payload'].v['AndXOffset'] = 96
-            pkt['Payload'].v['Action'] = CONST::SMB_SETUP_GUEST
-            pkt['Payload'].v['Payload'] =
-              Rex::Text.to_unicode('Unix', 'utf-16be') + "\x00\x00" + # Native OS # Samba signature
-              Rex::Text.to_unicode('Samba 3.4.7', 'utf-16be') + "\x00\x00" + # Native LAN Manager # Samba signature
-              Rex::Text.to_unicode('WORKGROUP', 'utf-16be') + "\x00\x00\x00" # Primary DOMAIN # Samba signature
+            pkt['Payload'].v['AndX'] = andx
+            pkt['Payload'].v['Reserved1'] = reserved
+            pkt['Payload'].v['AndXOffset'] = andx_offset
+            pkt['Payload'].v['Action'] = action
+            pkt['Payload'].v['Payload'] = data

-            full_pkt = pkt.to_s + tree_connect_response.to_s
+            if andx_command
+              full_pkt = pkt.to_s + andx_command.to_s
              original_length = full_pkt[2, 2].unpack('n')[0]
-            original_length = original_length +  tree_connect_response.to_s.length
+              original_length = original_length +  andx_command.to_s.length
              full_pkt[2, 2] = [original_length].pack('n')
+            else
+              full_pkt = pkt.to_s
+            end

            c.put(full_pkt)
          end