From 21978a1bfe52185dca75da7c7c6751733abb9608 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Fri, 20 Feb 2015 10:40:45 -0600
Subject: [PATCH] Add template for SMB_QUERY_FILE_BASIC_INFO
---
 lib/msf/core/exploit/smb/server/share.rb | 47 +++++++++++++-----------
 lib/rex/proto/smb/constants.rb | 23 +++++++++++-
 2 files changed, 47 insertions(+), 23 deletions(-)
diff --git a/lib/msf/core/exploit/smb/server/share.rb b/lib/msf/core/exploit/smb/server/share.rb
index 7eb4b6ba16..dc6698fe24 100644
--- a/lib/msf/core/exploit/smb/server/share.rb
+++ b/lib/msf/core/exploit/smb/server/share.rb
@@ -655,19 +655,33 @@ module Msf
 # For MS13-071, payload is an empty unicode request (4 bytes)
 if payload.downcase.eql?(file.downcase) or payload.length.to_s.eql?('4')
 if payload.length.to_s.eql?('4')
- attrib = "\x10\x00\x00\x00" # File attributes => directory
+ attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY # File attributes => directory
 else
- attrib = "\x80\x00\x00\x00" # File attributes => file
+ attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL # File attributes => file
 end
 else
 if payload.downcase.include?(file.downcase)
- attrib = "\x80\x00\x00\x00" # File attributes => file
+ attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL # File attributes => file
 else
 # QUERY_PATH_INFO_PARAMETERS doesn't include a file name, return a Directory answer
- attrib = "\x10\x00\x00\x00" # File attributes => directory
+ attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY # File attributes => directory
 end
 end
 
+ trans2_params = CONST::SMB_TRANS2_QUERY_PATH_INFORMATION_RES_PARAMETERS.make_struct
+ trans2_params.v['EaErrorOffset'] = 0
+
+ query_path_info = CONST::SMB_QUERY_FILE_BASIC_INFO_HDR.make_struct
+ query_path_info.v['loCreationTime'] = lo
+ query_path_info.v['hiCreationTime'] = hi
+ query_path_info.v['loLastAccessTime'] = lo
+ query_path_info.v['hiLastAccessTime'] = hi
+ query_path_info.v['loLastWriteTime'] = lo
+ query_path_info.v['hiLastWriteTime'] = hi
+ query_path_info.v['loLastChangeTime'] = lo
+ query_path_info.v['hiLastChangeTime'] = hi
+ query_path_info.v['ExtFileAttributes'] = attrib
+
 # If payload contains our file, send the response
 if payload.downcase.eql?(file.downcase) or payload.length.to_s.eql?('4') or payload.downcase.include?(file.downcase)
 pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
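Review bot: The eight `lo`/`hi` assignments on `query_path_info` are four copies of the same pair and read better as a loop over the four stamp names, so a mistyped key or a later extra timestamp is handled in one place. `Reserved` is left at the template default of 0, which matches the four zero bytes the old hand-packed data ended with, so the wire layout looks unchanged; that is worth a one-line comment next to the `ExtFileAttributes` assignment, e.g. `# Reserved stays 0 (was "\x00\x00\x00\x00" in the hand-packed form)`. Both structs are built before the `if` that decides whether this response is sent at all, so on the not-found path the work is discarded; moving them inside that `if` keeps them next to their only use. The enclosing method starts and ends outside this hunk.
```ruby
query_path_info = CONST::SMB_QUERY_FILE_BASIC_INFO_HDR.make_struct
%w[Creation LastAccess LastWrite LastChange].each do |stamp|
  query_path_info.v["lo#{stamp}Time"] = lo
  query_path_info.v["hi#{stamp}Time"] = hi
end
query_path_info.v['ExtFileAttributes'] = attrib
```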
@@ -682,16 +696,9 @@ module Msf pkt['Payload'].v['DataOffset'] = 60 pkt['Payload'].v['Payload'] = "\x00" + # Padding - # QUERY_PATH_INFO Parameters - "\x00\x00" + # EA Error Offset + trans2_params.to_s + "\x00\x00" + # Padding - #QUERY_PATH_INFO Data - [lo, hi].pack("VV") + # Created - [lo, hi].pack("VV") + # Last Access - [lo, hi].pack("VV") + # Last Write - [lo, hi].pack("VV") + # Change - attrib + - "\x00\x00\x00\x00" # Unknown + query_path_info.to_s c.put(pkt.to_s) else # Else send not found @@ -741,7 +748,7 @@ module Msf return end - trans2_params = CONST::SMB_TRANS2_PARAMETERS.make_struct + trans2_params = CONST::SMB_TRANS2_FIND_FIRST2_RES_PARAMETERS.make_struct trans2_params.v['SID'] = 0xfffd trans2_params.v['SearchCount'] = search trans2_params.v['EndOfSearch'] = search @@ -776,10 +783,9 @@ module Msf pkt['Payload'].v['DataOffset'] = 68 pkt['Payload'].v['Payload'] = "\x00" + # Padding - trans2_params.to_s + # FIND_FIRST2 Parameters + trans2_params.to_s + "\x00\x00" + # Padding find_file.to_s - #QUERY_PATH_INFO Data c.put(pkt.to_s) end @@ -813,7 +819,7 @@ module Msf find_file.v['FileIndex'] = 0 find_file.v['FileName'] = data - trans2_params = CONST::SMB_TRANS2_PARAMETERS.make_struct + trans2_params = CONST::SMB_TRANS2_FIND_FIRST2_RES_PARAMETERS.make_struct trans2_params.v['SID'] = 0xfffd trans2_params.v['SearchCount'] = 1 trans2_params.v['EndOfSearch'] = 1 @@ -833,9 +839,8 @@ module Msf pkt['Payload'].v['DataOffset'] = 68 pkt['Payload'].v['Payload'] = "\x00" + # Padding - trans2_params.to_s + # FIND_FIRST2 Parameters + trans2_params.to_s + "\x00\x00" + # Padding - # QUERY_PATH_INFO Data find_file.to_s c.put(pkt.to_s) end 
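Review bot: With the data block now produced by `query_path_info.to_s` and the parameters by `trans2_params.to_s`, the byte counts for this response should be derived from those structs rather than stay as literals: `DataOffset` is still the literal 60 in this hunk, and the parameter/data count fields are set above the hunk where I cannot see whether they are literals too (presumably they are, since the old code was hand-packed). Something like `pkt['Payload'].v['DataCount'] = query_path_info.to_s.length` keeps the SMB length fields in step with SMB_QUERY_FILE_BASIC_INFO_HDR if the template ever grows, instead of silently desynchronising the header from the bytes sent. The later hunks in this file at -741, -776, -813 and -833 are a constant rename and comment drops only. The enclosing method starts and ends outside this hunk.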
@@ -892,7 +897,7 @@ module Msf find_file.v['ExtFileAttributes'] = attrib find_file.v['FileName'] = data - trans2_params = CONST::SMB_TRANS2_PARAMETERS.make_struct + trans2_params = CONST::SMB_TRANS2_FIND_FIRST2_RES_PARAMETERS.make_struct trans2_params.v['SID'] = 0xfffd trans2_params.v['SearchCount'] = search trans2_params.v['EndOfSearch'] = search @@ -911,7 +916,7 @@ module Msf pkt['Payload'].v['DataOffset'] = 68 pkt['Payload'].v['Payload'] = "\x00" + # Padding - trans2_params.to_s + # FIND_FIRST2 Parameters + trans2_params.to_s + "\x00\x00" + # Padding find_file.to_s diff --git a/lib/rex/proto/smb/constants.rb b/lib/rex/proto/smb/constants.rb index 29b1bdb216..e92bbca983 100644 --- a/lib/rex/proto/smb/constants.rb +++ b/lib/rex/proto/smb/constants.rb @@ -1089,8 +1089,8 @@ SMB_SEARCH_HDR_PKT = Rex::Struct2::CStructTemplate.new( ) SMB_SEARCH_PKT = self.make_nbs(SMB_SEARCH_HDR_PKT) -# A template for SMB TRANS2 parameters -SMB_TRANS2_PARAMETERS = Rex::Struct2::CStructTemplate.new( +# A template for SMB TRANS2_FIND_FIRST response parameters +SMB_TRANS2_FIND_FIRST2_RES_PARAMETERS = Rex::Struct2::CStructTemplate.new( ['uint16v', 'SID', 0], ['uint16v', 'SearchCount', 0], ['uint16v', 'EndOfSearch', 0], 
@@ -1161,6 +1161,25 @@ SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR = Rex::Struct2::CStructTemplate.new( SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR_LENGTH = 68 +# A template for SMB FIND_FIRST2 TRANS2 response parameters +SMB_TRANS2_QUERY_PATH_INFORMATION_RES_PARAMETERS = Rex::Struct2::CStructTemplate.new( + ['uint16v', 'EaErrorOffset', 0] +) + +# A template for SMB_QUERY_FILE_BASIC_INFO query path information level +SMB_QUERY_FILE_BASIC_INFO_HDR = Rex::Struct2::CStructTemplate.new( + ['uint32v', 'loCreationTime', 0], + ['uint32v', 'hiCreationTime', 0], + ['uint32v', 'loLastAccessTime', 0], + ['uint32v', 'hiLastAccessTime', 0], + ['uint32v', 'loLastWriteTime', 0], + ['uint32v', 'hiLastWriteTime', 0], + ['uint32v', 'loLastChangeTime', 0], + ['uint32v', 'hiLastChangeTime', 0], + ['uint32v', 'ExtFileAttributes', 0], + ['uint32v', 'Reserved', 0] +) + end end end
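Review bot: The comment above `SMB_TRANS2_QUERY_PATH_INFORMATION_RES_PARAMETERS` reads "SMB FIND_FIRST2 TRANS2 response parameters", which describes the renamed FIND_FIRST2 template in the earlier hunk, not this one; it should read `# A template for SMB TRANS2 QUERY_PATH_INFORMATION response parameters`. The neighbouring `SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR` carries a `_LENGTH` constant; for consistency, and so callers can fill SMB count fields without summing field widths by hand, add `SMB_QUERY_FILE_BASIC_INFO_HDR_LENGTH = 40` (ten uint32v fields) after the new template. A trailing comment on the last field, `['uint32v', 'Reserved', 0] # always 0`, would also make clear the field is not meant to be set by callers.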