Fix handlers
parent
ca7aabe9bc
commit
231a2f3110
|
@ -12,7 +12,19 @@ module Msf
|
||||||
|
|
||||||
ar = Rex::Text.to_hex(buff, '').to_s
|
ar = Rex::Text.to_hex(buff, '').to_s
|
||||||
loi = ar[156..159].unpack('n*').reverse.pack('n*').to_i(16)
|
loi = ar[156..159].unpack('n*').reverse.pack('n*').to_i(16)
|
||||||
|
=begin
|
||||||
|
# OLD DISPATCHING
|
||||||
|
case loi
|
||||||
|
when CONST::SMB_FIND_FILE_NAMES_INFO
|
||||||
|
smb_cmd_find_file_names_info(c, buff)
|
||||||
|
when CONST::SMB_FIND_FILE_BOTH_DIRECTORY_INFO
|
||||||
|
smb_cmd_find_file_both_directory_info(c, buff)
|
||||||
|
when CONST::SMB_FIND_FILE_FULL_DIRECTORY_INFO
|
||||||
|
smb_cmd_find_file_full_directory_info(c, buff)
|
||||||
|
else
|
||||||
|
smb_cmd_find_file_both_directory_info(c, buff)
|
||||||
|
end
|
||||||
|
=end
|
||||||
case loi
|
case loi
|
||||||
when CONST::SMB_FIND_FILE_NAMES_INFO
|
when CONST::SMB_FIND_FILE_NAMES_INFO
|
||||||
#dprint("\t[SMB_FIND_FILE_NAMES_INFO]")
|
#dprint("\t[SMB_FIND_FILE_NAMES_INFO]")
|
||||||
|
@ -24,10 +36,9 @@ module Msf
|
||||||
#dprint("\t[SMB_FIND_FILE_FULL_DIRECTORY_INFO]")
|
#dprint("\t[SMB_FIND_FILE_FULL_DIRECTORY_INFO]")
|
||||||
smb_cmd_find_file_full_directory_info(c, buff)
|
smb_cmd_find_file_full_directory_info(c, buff)
|
||||||
else
|
else
|
||||||
#dprint("\t[Unexpected :?]") #TODO
|
dprint("\t\tUnknown LOI [smb_cmd_trans2_find_first2] - #{loi}")
|
||||||
#smb_cmd_trans_find_first2(c, buff)
|
# SEND success with the hope of going ahead...
|
||||||
dprint("Invalid or unknown TRANS2_FIND_FIRST2 REQUEST???")
|
smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_SUCCESS)
|
||||||
fail_with(Failure::Unknown, "Invalid or unknown TRANS2_FIND_FIRST2 REQUEST???") #TODO
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
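Review bot: The new `else` branch answers an unrecognised level of interest with `CONST::SMB_STATUS_SUCCESS`, so the client is told the FIND_FIRST2 succeeded although no search data was built for it. How `smb_error` frames that reply is not visible here, but a success status without the expected parameters is likely to be mis-parsed or retried by the client. Unless a specific client depends on this, an error status is the safer default, for example the call already used elsewhere in this commit, `smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_NO_SUCH_FILE, true)`. If success is intentional, replace `# SEND success with the hope of going ahead...` with a comment naming the client behaviour that needs it. The same fallback appears as unchanged context in the query_file_information and query_path_information dispatchers.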
|
||||||
|
|
|
@ -7,6 +7,7 @@ module Msf
|
||||||
module Trans2
|
module Trans2
|
||||||
# This mixin provides methods to handle TRAN2_QUERY_FILE_INFORMATION subcommands
|
# This mixin provides methods to handle TRAN2_QUERY_FILE_INFORMATION subcommands
|
||||||
module QueryFileInformation
|
module QueryFileInformation
|
||||||
|
|
||||||
def smb_cmd_trans2_query_file_information(c, buff)
|
def smb_cmd_trans2_query_file_information(c, buff)
|
||||||
#dprint("[smb_cmd_trans2_query_file_information]")
|
#dprint("[smb_cmd_trans2_query_file_information]")
|
||||||
ar = Rex::Text.to_hex(buff, '').to_s
|
ar = Rex::Text.to_hex(buff, '').to_s
|
||||||
|
@ -27,6 +28,29 @@ module Msf
|
||||||
smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_SUCCESS)
|
smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_SUCCESS)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
|
=begin
|
||||||
|
# OLD DISPATCHING
|
||||||
|
def smb_cmd_trans2_query_file_information(c, buff)
|
||||||
|
#dprint("[smb_cmd_trans2_query_file_information]")
|
||||||
|
ar = Rex::Text.to_hex(buff, '').to_s
|
||||||
|
loi = ar[148..151].unpack('n*').reverse.pack('n*').to_i(16)
|
||||||
|
case loi
|
||||||
|
when 0x03ed
|
||||||
|
dprint("[smb_cmd_trans_query_path_info_standard]")
|
||||||
|
smb_cmd_trans_query_path_info_standard(c, buff)
|
||||||
|
when 0x03ec
|
||||||
|
dprint("[smb_cmd_trans_query_file_info_basic]")
|
||||||
|
smb_cmd_trans_query_file_info_basic(c, buff)
|
||||||
|
when 0x040a
|
||||||
|
dprint("[smb_cmd_trans_query_file_info_network]")
|
||||||
|
smb_cmd_trans_query_file_info_network(c, buff)
|
||||||
|
else
|
||||||
|
dprint("Unknown LOI [smb_cmd_trans_query_path_info_standard] - #{loi.to_s}")
|
||||||
|
smb_cmd_trans_query_file_info_standard(c, buff)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
=end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
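Review bot: The `=begin`/`=end` block labelled `# OLD DISPATCHING` keeps the whole previous `smb_cmd_trans2_query_file_information` as dead text inside the module. The same pattern is added before `case loi` in the FIND_FIRST2 dispatcher and after `smb_cmd_trans2_query_path_information`. The commit history already preserves the old code, and the block leaves magic values such as `0x03ed` and a second fixed-offset parse next to the live method, which invites confusion about which one is current. I would delete the three blocks and, if the rationale matters, leave one line such as `# Dispatch is by level of interest only; the earlier dispatcher is in the commit history.` Ruby only recognises `=begin`/`=end` at the start of a line, which this rendering cannot confirm.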
|
||||||
|
|
|
@ -7,6 +7,7 @@ module Msf
|
||||||
module Trans2
|
module Trans2
|
||||||
# This mixin provides methods to handle TRAN2_QUERY_PATH_INFORMATION subcommands
|
# This mixin provides methods to handle TRAN2_QUERY_PATH_INFORMATION subcommands
|
||||||
module QueryPathInformation
|
module QueryPathInformation
|
||||||
|
|
||||||
def smb_cmd_trans2_query_path_information(c, buff)
|
def smb_cmd_trans2_query_path_information(c, buff)
|
||||||
#dprint("[smb_cmd_trans2_query_path_information]")
|
#dprint("[smb_cmd_trans2_query_path_information]")
|
||||||
ar = Rex::Text.to_hex(buff, '').to_s
|
ar = Rex::Text.to_hex(buff, '').to_s
|
||||||
|
@ -18,17 +19,49 @@ module Msf
|
||||||
smb_cmd_trans_query_path_info_basic(c, buff)
|
smb_cmd_trans_query_path_info_basic(c, buff)
|
||||||
when CONST::SMB_QUERY_FILE_STANDARD_INFO, CONST::SMB_QUERY_FILE_STANDARD_INFO_ALIAS
|
when CONST::SMB_QUERY_FILE_STANDARD_INFO, CONST::SMB_QUERY_FILE_STANDARD_INFO_ALIAS
|
||||||
#dprint("\t\t[query_file_info_standard]")
|
#dprint("\t\t[query_file_info_standard]")
|
||||||
#smb_cmd_trans_query_file_info_standard(c, buff)
|
|
||||||
smb_cmd_trans_query_path_info_standard(c, buff)
|
smb_cmd_trans_query_path_info_standard(c, buff)
|
||||||
when CONST::SMB_QUERY_FILE_NETWORK_OPEN_INFO
|
when CONST::SMB_QUERY_FILE_NETWORK_OPEN_INFO
|
||||||
dprint("\t\t[smb_cmd_trans_query_path_info_network]")
|
dprint("\t\t[smb_cmd_trans_query_path_info_network]")
|
||||||
smb_cmd_trans_query_file_info_network(c, buff)
|
smb_cmd_trans_query_file_info_network(c, buff)
|
||||||
else
|
else
|
||||||
dprint("\t\tUnknown LOI [smb_cmd_trans_query_path_info_basic] - #{loi.to_s}")
|
dprint("\t\tUnknown LOI [smb_cmd_trans2_query_path_information] - #{loi.to_s}")
|
||||||
# SEND success with the hope of going ahead...
|
# SEND success with the hope of going ahead...
|
||||||
smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_SUCCESS)
|
smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_SUCCESS)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
=begin
|
||||||
|
# oLD DISPATCHING
|
||||||
|
def smb_cmd_trans2_query_path_information(c, buff)
|
||||||
|
#dprint("[smb_cmd_trans2_query_path_information]")
|
||||||
|
ar = Rex::Text.to_hex(buff, '').to_s
|
||||||
|
mdc = ar[86..89].unpack('n*').reverse.pack('n*').to_i(16)
|
||||||
|
loi = ar[144..147].unpack('n*').reverse.pack('n*').to_i(16)
|
||||||
|
|
||||||
|
case mdc # MAX DATA COUNT
|
||||||
|
when CONST::SMB_QUERY_BASIC_MDC
|
||||||
|
case loi
|
||||||
|
when CONST::SMB_QUERY_FILE_BASIC_INFO
|
||||||
|
dprint("[query_file_info_basic]")
|
||||||
|
smb_cmd_trans_query_file_info_basic(c, buff)
|
||||||
|
else
|
||||||
|
dprint("Unknown LOI [smb_cmd_trans_query_path_info_basic] - #{loi.to_s}")
|
||||||
|
smb_cmd_trans_query_path_info_basic(c, buff)
|
||||||
|
end
|
||||||
|
when CONST::SMB_QUERY_STANDARD_MDC1, CONST::SMB_QUERY_STANDARD_MDC2
|
||||||
|
dprint("[smb_cmd_trans_query_path_info_standard]")
|
||||||
|
smb_cmd_trans_query_path_info_standard(c, buff)
|
||||||
|
when CONST::SMB_QUERY_FILE_INTERNAL_INFO_MDC
|
||||||
|
dprint("[smb_cmd_trans_query_file_info_standard]")
|
||||||
|
smb_cmd_trans_query_file_info_standard(c, buff)
|
||||||
|
when CONST::SMB_QUERY_FILE_NETWORK_INFO_MDC
|
||||||
|
dprint("[smb_cmd_trans_query_file_info_network]")
|
||||||
|
smb_cmd_trans_query_file_info_network(c, buff)
|
||||||
|
else
|
||||||
|
dprint("Unknown MDC - Sending to [query_path_info_standard]: #{mdc.to_s}")
|
||||||
|
smb_cmd_trans_query_path_info_standard(c, buff)
|
||||||
|
end
|
||||||
|
end
|
||||||
|
=end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
@ -20,6 +20,8 @@ module Msf
|
||||||
|
|
||||||
payload = pkt['Payload'].v['SetupData'].gsub(/\x00/, '').gsub(/.*\\/, '\\').chomp.strip
|
payload = pkt['Payload'].v['SetupData'].gsub(/\x00/, '').gsub(/.*\\/, '\\').chomp.strip
|
||||||
|
|
||||||
|
puts "FILE BOTH DIRECTORY INFO PAYLOAD\n#{Rex::Text.to_hex_dump(payload)}"
|
||||||
|
|
||||||
print_status("#{Rex::Text.to_hex_dump(payload)}")
|
print_status("#{Rex::Text.to_hex_dump(payload)}")
|
||||||
|
|
||||||
pkt = CONST::SMB_TRANS_RES_PKT.make_struct
|
pkt = CONST::SMB_TRANS_RES_PKT.make_struct
|
||||||
|
@ -107,6 +109,7 @@ module Msf
|
||||||
elsif payload && payload == path_name
|
elsif payload && payload == path_name
|
||||||
data = Rex::Text.to_unicode(path_name)
|
data = Rex::Text.to_unicode(path_name)
|
||||||
else
|
else
|
||||||
|
#data = Rex::Text.to_unicode(path_name)
|
||||||
smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_NO_SUCH_FILE, true)
|
smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_NO_SUCH_FILE, true)
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
@ -135,10 +138,11 @@ module Msf
|
||||||
pkt['Payload'].v['DataCount'] = 14 + data.length
|
pkt['Payload'].v['DataCount'] = 14 + data.length
|
||||||
pkt['Payload'].v['DataOffset'] = 68
|
pkt['Payload'].v['DataOffset'] = 68
|
||||||
pkt['Payload'].v['Payload'] =
|
pkt['Payload'].v['Payload'] =
|
||||||
"\x00" + # Padding
|
"\x00" + # Padding
|
||||||
trans2_params.to_s +
|
trans2_params.to_s +
|
||||||
"\x00\x00" + # Padding
|
"\x00\x00" + # Padding
|
||||||
find_file.to_s
|
find_file.to_s +
|
||||||
|
"\x00\x00"
|
||||||
c.put(pkt.to_s)
|
c.put(pkt.to_s)
|
||||||
end
|
end
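Review bot: The added `puts "FILE BOTH DIRECTORY INFO PAYLOAD\n#{Rex::Text.to_hex_dump(payload)}"` writes straight to stdout instead of going through the module's output helpers, and it duplicates the `print_status` hex dump that follows it. It reads like leftover debugging and should be removed or turned into `dprint("FILE BOTH DIRECTORY INFO PAYLOAD\n#{Rex::Text.to_hex_dump(payload)}")`. Separately, the last hunk appends `"\x00\x00"` after `find_file.to_s` while `DataCount` stays `14 + data.length` in the visible context, so the two extra bytes are presumably not covered by the advertised data length; whether the other count fields are adjusted is outside the hunk and worth checking. The commented-out `#data = Rex::Text.to_unicode(path_name)` added in the `else` branch can go as well.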
|
||||||
|
|
||||||
|
|
|
@ -160,12 +160,14 @@ module Msf
|
||||||
c.put(pkt.to_s)
|
c.put(pkt.to_s)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
#
|
#
|
||||||
# Responds to QUERY_PATH_INFO (Standard) requests
|
# Responds to QUERY_PATH_INFO (Standard) requests
|
||||||
#
|
#
|
||||||
# At the moment we just support '\\' path always send a SUCCESS...
|
# At the moment we just support '\\' path always send a SUCCESS...
|
||||||
def smb_cmd_trans_query_path_info_standard(c, buff)
|
def smb_cmd_trans_query_path_info_standard(c, buff)
|
||||||
#dprint("[smb_cmd_trans_query_path_info_standard]")
|
#dprint("[smb_cmd_trans_query_path_info_standard]")
|
||||||
|
smb = @state[c]
|
||||||
pkt = CONST::SMB_TRANS2_PKT.make_struct
|
pkt = CONST::SMB_TRANS2_PKT.make_struct
|
||||||
pkt.from_s(buff)
|
pkt.from_s(buff)
|
||||||
|
|
||||||
|
@ -181,6 +183,9 @@ module Msf
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
|
ar = Rex::Text.to_hex(buff, '').to_s
|
||||||
|
fid = ar[144..147].unpack('n*').reverse.pack('n*')
|
||||||
|
|
||||||
#puts "SETUP_DATA\n#{Rex::Text.to_hex_dump(pkt['Payload'].v['SetupData'])}"
|
#puts "SETUP_DATA\n#{Rex::Text.to_hex_dump(pkt['Payload'].v['SetupData'])}"
|
||||||
smb_data = CONST::SMB_DATA_TRANS2.make_struct
|
smb_data = CONST::SMB_DATA_TRANS2.make_struct
|
||||||
smb_data.from_s(pkt['Payload'].v['SetupData'])
|
smb_data.from_s(pkt['Payload'].v['SetupData'])
|
||||||
|
@ -211,6 +216,8 @@ module Msf
|
||||||
attrib = 1 # File attributes => file
|
attrib = 1 # File attributes => file
|
||||||
#elsif path && path.ends_with?(file_name + '.Manifest')
|
#elsif path && path.ends_with?(file_name + '.Manifest')
|
||||||
#attrib = 0 # File attributes => file
|
#attrib = 0 # File attributes => file
|
||||||
|
elsif fid.hex.eql?(smb[:file_id].to_i)
|
||||||
|
attrib = 0
|
||||||
elsif path && path == path_name
|
elsif path && path == path_name
|
||||||
# QUERY_PATH_INFO_PARAMETERS doesn't include a file name, return a Directory answer
|
# QUERY_PATH_INFO_PARAMETERS doesn't include a file name, return a Directory answer
|
||||||
attrib = 1 # File attributes => directory
|
attrib = 1 # File attributes => directory
|
||||||
|
@ -260,7 +267,7 @@ module Msf
|
||||||
|
|
||||||
#
|
#
|
||||||
# Responds to QUERY_FILE_INFO (Network) requests
|
# Responds to QUERY_FILE_INFO (Network) requests
|
||||||
#
|
# IT IS PROLLY NOT NEEDED
|
||||||
def smb_cmd_trans_query_file_info_network(c, buff)
|
def smb_cmd_trans_query_file_info_network(c, buff)
|
||||||
pkt = CONST::SMB_TRANS2_PKT.make_struct
|
pkt = CONST::SMB_TRANS2_PKT.make_struct
|
||||||
pkt.from_s(buff)
|
pkt.from_s(buff)
|
||||||
|
@ -280,7 +287,7 @@ module Msf
|
||||||
|
|
||||||
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
|
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
|
||||||
pkt['Payload']['SMB'].v['Flags1'] = 0x88
|
pkt['Payload']['SMB'].v['Flags1'] = 0x88
|
||||||
pkt['Payload']['SMB'].v['Flags2'] = flags2
|
pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
|
||||||
pkt['Payload']['SMB'].v['WordCount'] = 10
|
pkt['Payload']['SMB'].v['WordCount'] = 10
|
||||||
pkt['Payload'].v['ParamCountTotal'] = 2
|
pkt['Payload'].v['ParamCountTotal'] = 2
|
||||||
pkt['Payload'].v['DataCountTotal'] = 56
|
pkt['Payload'].v['DataCountTotal'] = 56
|
||||||
|
@ -310,7 +317,6 @@ module Msf
|
||||||
new_length = my_pkt[2, 2].unpack("n").first
|
new_length = my_pkt[2, 2].unpack("n").first
|
||||||
c.put(pkt.to_s)
|
c.put(pkt.to_s)
|
||||||
end
|
end
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
end
|
end
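Review bot: `fid = ar[144..147].unpack('n*').reverse.pack('n*')` slices a fixed offset out of the client-supplied request with no length check: for a request shorter than 72 bytes `ar[144..147]` is `nil` and `.unpack` raises `NoMethodError`. A guard before the slice, e.g. `return smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_NO_SUCH_FILE, true) if buff.length < 74` (the field ends at byte 73), keeps a truncated packet from aborting the handler. The comparison `fid.hex.eql?(smb[:file_id].to_i)` also matches when no file id is stored and the field is zero, because `nil.to_i` is 0, and the old path dispatcher in this commit reads the same offset as the level of interest (`loi = ar[144..147]`), so it is worth confirming the field really is a FID on every route into this method. The new `attrib = 0` lacks the `# File attributes => ...` comment its neighbours carry. The method body continues outside these hunks.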
|
||||||
|
|