From 2004aea7b7b5d9d7f3dad10ccf8a9d8d7b9e740e Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Mon, 2 Mar 2015 14:15:25 -0600
Subject: [PATCH] Add helpers for path handling on TRANS2 requests
---
 .../smb/server/share/command/trans2.rb | 28 +++++++++++++++++++
 .../share/command/trans2/find_first2.rb | 13 ++-------
 .../command/trans2/query_path_information.rb | 4 +--
 3 files changed, 31 insertions(+), 14 deletions(-)
diff --git a/lib/msf/core/exploit/smb/server/share/command/trans2.rb b/lib/msf/core/exploit/smb/server/share/command/trans2.rb
index 54f72ccd10..813afa9b65 100644
--- a/lib/msf/core/exploit/smb/server/share/command/trans2.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/trans2.rb
@@ -63,6 +63,34 @@ module Msf
 c.put(pkt.to_s)
 end
+
+ # Converts the path to ascii from unicode and normalizes.
+ #
+ # @param path [String] The path to normalize.
+ # @return [String] The normalized path.
+ def normalize_path(path)
+ normalized = Rex::Text.to_ascii(path).downcase
+ normalized.gsub!(/[\x00]*/, '') #delete padding
+ normalized.gsub!(/\\x([0-9a-f]{2})/i, '') # delete hex chars
+
+ normalized
+ end
+
+ # Expands a path with wildcards, and returns the set of matching files.
+ #
+ # @param path [String] the path to expand
+ # @return [String] The matching file.
+ # @todo It's a shortcut atm, make complete wildcard handling.
+ # @todo return an Array of matching files.
+ def smb_expand(path)
+ search_path = path.gsub(/<\./, '*.') # manage wildcards
+ extension = File.extname(file_name)
+ if search_path == "#{path_name}*#{extension}"
+ search_path = "#{path_name}#{file_name}"
+ end
+
+ search_path
+ end
 end
 end
 end
diff --git a/lib/msf/core/exploit/smb/server/share/command/trans2/find_first2.rb b/lib/msf/core/exploit/smb/server/share/command/trans2/find_first2.rb
index a5d5a9c3f1..43d628122c 100644
--- a/lib/msf/core/exploit/smb/server/share/command/trans2/find_first2.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/trans2/find_first2.rb
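Review bot: `smb_expand` calls `file_name` and `path_name` without receiving or defining them, so its result depends on state supplied by whatever module includes this one, and the YARD block above `def smb_expand(path)` does not say so; add `# Relies on #file_name and #path_name from the including share mixin.` under the `@param` line (presumably those are the share's accessors, not visible in this hunk). The summary line says the method "returns the set of matching files" while the `@return` tag and the code return a single String; align the summary with the code until the `@todo` is done. In `normalize_path`, `normalized.gsub!(/[\x00]*/, '')` matches the empty string at every offset and only ever removes NUL bytes, so `normalized.delete!("\x00")` does the same more directly, and the unused capture group in `/\\x([0-9a-f]{2})/i` can be dropped. Both helpers sit inside a module whose opening is outside the hunk.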
@@ -19,17 +19,8 @@ module Msf
 params.from_s(buff)
 loi = params.v['InformationLevel']
- search_path = Rex::Text.to_ascii(params.v['FileName']).downcase
- search_path.gsub!(/[\x00]*/, '') #delete padding
- search_path.gsub!(/\\x([0-9a-f]{2})/i, '') # delete hex chars
-
- # Do some managing for wildcards
- # TODO: Make it better / complete
- search_path.gsub!(/<\./, '*.') # manage wildcards
- extension = File.extname(file_name)
- if search_path == "#{path_name}*#{extension}"
- search_path = "#{path_name}#{file_name}"
- end
+ normalized_path = normalize_path(params.v['FileName'])
+ search_path = smb_expand(normalized_path)
 case loi
 when CONST::SMB_FIND_FILE_NAMES_INFO
diff --git a/lib/msf/core/exploit/smb/server/share/command/trans2/query_path_information.rb b/lib/msf/core/exploit/smb/server/share/command/trans2/query_path_information.rb
index abad97425d..9dfda6685e 100644
--- a/lib/msf/core/exploit/smb/server/share/command/trans2/query_path_information.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/trans2/query_path_information.rb
@@ -19,9 +19,7 @@ module Msf
 params.from_s(buff)
 loi = params.v['InformationLevel']
- file_name = Rex::Text.to_ascii(params.v['FileName']).downcase
- file_name.gsub!(/[\x00]*/, '') #delete padding
- file_name.gsub!(/\\x([0-9a-f]{2})/i, '') # delete hex chars
+ file_name = normalize_path(params.v['FileName'])
 case loi
 when CONST::SMB_QUERY_FILE_STANDARD_INFO, CONST::SMB_QUERY_FILE_STANDARD_INFO_ALIAS, CONST::SMB_QUERY_FILE_INTERNAL_INFO_ALIAS
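Review bot: `normalized_path` in find_first2.rb exists only to be handed to `smb_expand` on the very next line; `search_path = smb_expand(normalize_path(params.v['FileName']))` says the same thing in one line, unless the intermediate name is meant to document the two stages, in which case a short comment would make that intent explicit. The enclosing method starts and ends outside the hunk, so the later consumers of `search_path` are not visible here.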
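Review bot: The new `file_name = normalize_path(params.v['FileName'])` in query_path_information.rb keeps a local named `file_name`, which inside this method shadows the `file_name` method that the new `smb_expand` helper in trans2.rb reads via `File.extname(file_name)`; the client-supplied request path and the share's own filename accessor now carry the same name in neighbouring code. The shadowing predates this commit, but with the helper in place it is easy to misread which one a given line means, so renaming the local, e.g. `requested_path = normalize_path(params.v['FileName'])` with its later uses updated, would remove the ambiguity. The enclosing method and the `case loi` branches that presumably use the local continue outside the hunk.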