Parse SMB_CMD_CREATE requests

bug/bundler_fix
jvazquez-r7 2015-02-25 11:09:14 -06:00
parent d10385cfed
commit 50f8731980
1 changed files with 41 additions and 43 deletions


@ -14,25 +14,35 @@ module Msf
pkt = CONST::SMB_CREATE_PKT.make_struct pkt = CONST::SMB_CREATE_PKT.make_struct
pkt.from_s(buff) pkt.from_s(buff)
# Tries to do CREATE and X payload = (pkt['Payload'].v['Payload'])
payload = pkt['Payload'].v['Payload'].gsub(/\x00/, '').gsub(/.*\\/, '\\').chomp.strip.split('\\').last payload.gsub!(/^[\x00]*/, '') # delete padding
file = file_name payload = Rex::Text.to_ascii(payload)
path = path_name payload.gsub!(/[\x00]*$/, '') # delete padding
if payload.nil? if payload.nil? || payload.empty?
payload = file payload = file_name
end end
if payload.length.to_s.eql?('1') or payload.eql?(path) if payload.ends_with?(file_name)
fid = smb[:dir_id].to_i
attribs = 0x10 # Ordinary Dir
eof = 0
isdir = 1
else
fid = smb[:file_id].to_i fid = smb[:file_id].to_i
attribs = 0x80 # File Attributes attribs = 0x80 # File Attributes
eof = exe_contents.length eof = exe_contents.length
isdir = 0 is_dir = 0
elsif payload == path_name
fid = smb[:dir_id].to_i
attribs = 0x10 # Ordinary Dir
eof = 0
is_dir = 1
else
# Otherwise send not found
pkt = CONST::SMB_CREATE_RES_PKT.make_struct
smb_set_defaults(c, pkt)
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX
pkt['Payload']['SMB'].v['ErrorClass'] = 0xC0000034 # OBJECT_NAME_NOT_FOUND
pkt['Payload']['SMB'].v['Flags1'] = 0x88
pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
c.put(pkt.to_s)
return
end end
pkt = CONST::SMB_CREATE_RES_PKT.make_struct pkt = CONST::SMB_CREATE_RES_PKT.make_struct
@ -60,38 +70,26 @@ module Msf
pkt['Payload'].v['EOFHigh'] = 0 pkt['Payload'].v['EOFHigh'] = 0
pkt['Payload'].v['FileType'] = 0 pkt['Payload'].v['FileType'] = 0
pkt['Payload'].v['IPCState'] = 0x7 pkt['Payload'].v['IPCState'] = 0x7
pkt['Payload'].v['IsDirectory'] = isdir pkt['Payload'].v['IsDirectory'] = is_dir
# As above, if payload is a file or "\" send found response connect_response = ""
if (payload.downcase.eql?(file.downcase)) or payload.length.to_s.eql?('1') or payload.eql?(path) # GUID
connect_response = "" connect_response << ([0].pack("C") * 16)
# GUID # File ID
connect_response << ([0].pack("C") * 16) connect_response << ([0].pack("C") * 6)
# File ID # Access Rights
connect_response << ([0].pack("C") * 6) connect_response << [0xff].pack("C")
# Access Rights connect_response << [0x01].pack("C")
connect_response << [0xff].pack("C") connect_response << [0x1f].pack("C")
connect_response << [0x01].pack("C") connect_response << [0].pack("C")
connect_response << [0x1f].pack("C") connect_response << ([0].pack("C") * 4) # Guest access
connect_response << [0].pack("C") connect_response << ([0].pack("C") * 2) # Byte Count
connect_response << ([0].pack("C") * 4) # Guest access
connect_response << ([0].pack("C") * 2) # Byte Count
my_pkt = pkt.to_s + connect_response my_pkt = pkt.to_s + connect_response
original_length = my_pkt[2, 2].unpack("n").first original_length = my_pkt[2, 2].unpack("n").first
original_length = original_length + connect_response.length original_length = original_length + connect_response.length
my_pkt[2, 2] = [original_length].pack("n") my_pkt[2, 2] = [original_length].pack("n")
c.put(my_pkt) c.put(my_pkt)
else
# Otherwise send not found
pkt = CONST::SMB_CREATE_RES_PKT.make_struct
smb_set_defaults(c, pkt)
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX
pkt['Payload']['SMB'].v['ErrorClass'] = 0xC0000034 # OBJECT_NAME_NOT_FOUND
pkt['Payload']['SMB'].v['Flags1'] = 0x88
pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
c.put(pkt.to_s)
end
end end
end end
end end
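Review bot: The new `if payload.ends_with?(file_name)` branch in the first hunk drops the case-insensitive comparison the old code performed (`payload.downcase.eql?(file.downcase)` on the removed side of the second hunk), so a client requesting the file with different letter case now falls through to the OBJECT_NAME_NOT_FOUND response, which is a regression for SMB clients that do not preserve case. A suffix match is also looser than the old exact-name match, since any name ending in the file name satisfies it; combining the two, `if payload.downcase.end_with?(file_name.downcase)` keeps the intended match while restoring case-insensitivity. Note that `ends_with?` is an ActiveSupport extension rather than core Ruby's `end_with?`, so it only works where ActiveSupport's String extensions are loaded. The enclosing method starts before the first hunk.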