smb_cmd_trans_query_path_info_standard

lib/msf/core/exploit/smb/server/share/information_level/query.rb

@@ -79,22 +79,36 @@ module Msf
               return
             end
 
+            puts "SETUP_DATA\n#{Rex::Text.to_hex_dump(pkt['Payload'].v['SetupData'])}"
             smb_data = CONST::SMB_DATA_TRANS2.make_struct
             smb_data.from_s(pkt['Payload'].v['SetupData'])
 
+            puts "SMB_DATA\n#{Rex::Text.to_hex_dump(smb_data.to_s)}"
+
             params = smb_data.v['Parameters']
+
+            puts "params\n#{Rex::Text.to_hex_dump(params.to_s)}"
+
             params.gsub!(/^[\x00]*/, '') #remove padding
 
             trans_params = CONST::SMB_QUERY_PATH_TRANS2_PARAMETERS.make_struct
             trans_params.from_s(params)
 
             path = Rex::Text.to_ascii(trans_params.v['FileName'])
+            path.gsub!(/[\x00]*$/, '') #remove padding
+
+            puts "path: #{path}"
+            puts "path: #{Rex::Text.to_hex_dump(path)}"
 
             pkt = CONST::SMB_TRANS_RES_PKT.make_struct
             smb_set_defaults(c, pkt)
 
             if path && path.ends_with?(file_name) #TODO: do it better
               attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL # File attributes => file
+            elsif path && path.ends_with?(file_name + '.Local')
+              attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL # File attributes => file
+            elsif path && path.ends_with?(file_name + '.Manifest')
+              attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL # File attributes => file
             elsif path && path == path_name
               # QUERY_PATH_INFO_PARAMETERS doesn't include a file name, return a Directory answer
               attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY # File attributes => directory
@@ -152,21 +166,65 @@ module Msf
           # At the moment we just support '\\' path always send a SUCCESS...
           def smb_cmd_trans_query_path_info_standard(c, buff)
             dprint("[smb_cmd_trans_query_path_info_standard]")
-            #smb = @state[c]
-            #pkt = CONST::SMB_TRANS2_PKT.make_struct
-            #pkt.from_s(buff)
+            pkt = CONST::SMB_TRANS2_PKT.make_struct
+            pkt.from_s(buff)
 
-            #payload = pkt['Payload'].v['SetupData'].gsub(/\x00/, '').gsub(/.*\\/, '').chomp.strip
-            #ar = Rex::Text.to_hex(buff, '').to_s
-            #fid = ar[144..147].unpack('n*').reverse.pack('n*')
+            # we don't know how to parse it.... better object name not found
+            if pkt['Payload'].v['SetupCount'] != 1
+              pkt = CONST::SMB_TRANS_RES_PKT.make_struct
+              smb_set_defaults(c, pkt)
+              pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
+              pkt['Payload']['SMB'].v['ErrorClass'] = 0xC0000034 # OBJECT_NAME_NOT_FOUND
+              pkt['Payload']['SMB'].v['Flags1'] = 0x88
+              pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
+              c.put(pkt.to_s)
+              return
+            end
 
-            # If FileID matches or matches file, send file response
-            #if ( fid.hex.eql?(smb[:file_id].to_i) or payload.length.eql?(file_name.length) )
-            #attrib2 = 0 # IsFile
-            #else
-            # Otherwise return a Directory answer
-            attrib2 = 1 # IsDir
-            #end
+            puts "SETUP_DATA\n#{Rex::Text.to_hex_dump(pkt['Payload'].v['SetupData'])}"
+            smb_data = CONST::SMB_DATA_TRANS2.make_struct
+            smb_data.from_s(pkt['Payload'].v['SetupData'])
+
+            puts "SMB_DATA\n#{Rex::Text.to_hex_dump(smb_data.to_s)}"
+
+            params = smb_data.v['Parameters']
+
+            puts "params\n#{Rex::Text.to_hex_dump(params.to_s)}"
+
+            params.gsub!(/^[\x00]*/, '') #remove padding
+
+            trans_params = CONST::SMB_QUERY_PATH_TRANS2_PARAMETERS.make_struct
+            trans_params.from_s(params)
+
+            path = Rex::Text.to_ascii(trans_params.v['FileName'])
+            path.gsub!(/[\x00]*$/, '') #remove padding
+
+            puts "path: #{path}"
+            puts "path: #{Rex::Text.to_hex_dump(path)}"
+
+            pkt = CONST::SMB_TRANS_RES_PKT.make_struct
+            smb_set_defaults(c, pkt)
+
+            if path && path.ends_with?(file_name) #TODO: do it better
+              attrib = 0 # File attributes => file
+            elsif path && path.ends_with?(file_name + '.Local')
+              attrib = 0 # File attributes => file
+            elsif path && path.ends_with?(file_name + '.Manifest')
+              attrib = 0 # File attributes => file
+            elsif path && path == path_name
+              # QUERY_PATH_INFO_PARAMETERS doesn't include a file name, return a Directory answer
+              attrib = 1 # File attributes => directory
+            elsif path.nil? || path.empty? || path == "\x00" # empty path
+              # QUERY_PATH_INFO_PARAMETERS doesn't include a file name, return a Directory answer
+              attrib = 1 # File attributes => directory
+            else
+              pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
+              pkt['Payload']['SMB'].v['ErrorClass'] = 0xC0000034 # OBJECT_NAME_NOT_FOUND
+              pkt['Payload']['SMB'].v['Flags1'] = 0x88
+              pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
+              c.put(pkt.to_s)
+              return
+            end
 
             trans2_params = CONST::SMB_TRANS2_QUERY_PATH_INFORMATION_RES_PARAMETERS.make_struct
             trans2_params.v['EaErrorOffset'] = 0
@@ -176,7 +234,7 @@ module Msf
             query_path_info.v['EndOfFile'] = exe_contents.length
             query_path_info.v['NumberOfLinks'] = 1
             query_path_info.v['DeletePending'] = 0
-            query_path_info.v['Directory'] = attrib2
+            query_path_info.v['Directory'] = attrib
 
             pkt = CONST::SMB_TRANS_RES_PKT.make_struct
             smb_set_defaults(c, pkt)