Add helpers for path handling on TRANS2 requests

2015-03-02 14:15:25 -06:00 · 2015-03-02 14:15:25 -06:00 · 2004aea7b7
parent 8acde11aaf
commit 2004aea7b7
3 changed files with 31 additions and 14 deletions
--- a/lib/msf/core/exploit/smb/server/share/command/trans2.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/trans2.rb
@ -63,6 +63,34 @@ module Msf

            c.put(pkt.to_s)
          end
+
+          # Converts the path to ascii from unicode and normalizes.
+          #
+          # @param path [String] The path to normalize.
+          # @return [String] The normalized path.
+          def normalize_path(path)
+            normalized = Rex::Text.to_ascii(path).downcase
+            normalized.gsub!(/[\x00]*/, '') #delete padding
+            normalized.gsub!(/\\x([0-9a-f]{2})/i, '') # delete hex chars
+
+            normalized
+          end
+
+          # Expands a path with wildcards, and returns the set of matching files.
+          #
+          # @param path [String] the path to expand
+          # @return [String] The matching file.
+          # @todo It's a shortcut atm, make complete wildcard handling.
+          # @todo return an Array of matching files.
+          def smb_expand(path)
+            search_path = path.gsub(/<\./, '*.') # manage wildcards
+            extension = File.extname(file_name)
+            if search_path == "#{path_name}*#{extension}"
+              search_path = "#{path_name}#{file_name}"
+            end
+
+            search_path
+          end
        end
      end
    end
--- a/lib/msf/core/exploit/smb/server/share/command/trans2/find_first2.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/trans2/find_first2.rb
@ -19,17 +19,8 @@ module Msf
              params.from_s(buff)

              loi = params.v['InformationLevel']
-              search_path = Rex::Text.to_ascii(params.v['FileName']).downcase
-              search_path.gsub!(/[\x00]*/, '') #delete padding
-              search_path.gsub!(/\\x([0-9a-f]{2})/i, '') # delete hex chars
-
-              # Do some managing for wildcards
-              # TODO: Make it better / complete
-              search_path.gsub!(/<\./, '*.') # manage wildcards
-              extension = File.extname(file_name)
-              if search_path == "#{path_name}*#{extension}"
-                search_path = "#{path_name}#{file_name}"
-              end
+              normalized_path = normalize_path(params.v['FileName'])
+              search_path = smb_expand(normalized_path)

              case loi
              when CONST::SMB_FIND_FILE_NAMES_INFO
--- a/lib/msf/core/exploit/smb/server/share/command/trans2/query_path_information.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/trans2/query_path_information.rb
@ -19,9 +19,7 @@ module Msf
              params.from_s(buff)

              loi = params.v['InformationLevel']
-              file_name = Rex::Text.to_ascii(params.v['FileName']).downcase 
-              file_name.gsub!(/[\x00]*/, '') #delete padding
-              file_name.gsub!(/\\x([0-9a-f]{2})/i, '') # delete hex chars
+              file_name = normalize_path(params.v['FileName'])

              case loi
              when CONST::SMB_QUERY_FILE_STANDARD_INFO, CONST::SMB_QUERY_FILE_STANDARD_INFO_ALIAS, CONST::SMB_QUERY_FILE_INTERNAL_INFO_ALIAS