Parse SMB_CMD_CREATE requests
parent
d10385cfed
commit
50f8731980
@ -14,25 +14,35 @@ module Msf
pkt = CONST::SMB_CREATE_PKT.make_struct
pkt.from_s(buff)
# Tries to do CREATE and X
payload = pkt['Payload'].v['Payload'].gsub(/\x00/, '').gsub(/.*\\/, '\\').chomp.strip.split('\\').last
file = file_name
path = path_name
payload = (pkt['Payload'].v['Payload'])
payload.gsub!(/^[\x00]*/, '') # delete padding
payload = Rex::Text.to_ascii(payload)
payload.gsub!(/[\x00]*$/, '') # delete padding
if payload.nil?
payload = file
if payload.nil? || payload.empty?
payload = file_name
end
if payload.length.to_s.eql?('1') or payload.eql?(path)
fid = smb[:dir_id].to_i
attribs = 0x10 # Ordinary Dir
eof = 0
isdir = 1
else
if payload.ends_with?(file_name)
fid = smb[:file_id].to_i
attribs = 0x80 # File Attributes
eof = exe_contents.length
isdir = 0
is_dir = 0
elsif payload == path_name
fid = smb[:dir_id].to_i
attribs = 0x10 # Ordinary Dir
eof = 0
is_dir = 1
else
# Otherwise send not found
pkt = CONST::SMB_CREATE_RES_PKT.make_struct
smb_set_defaults(c, pkt)
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX
pkt['Payload']['SMB'].v['ErrorClass'] = 0xC0000034 # OBJECT_NAME_NOT_FOUND
pkt['Payload']['SMB'].v['Flags1'] = 0x88
pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
c.put(pkt.to_s)
return
end
pkt = CONST::SMB_CREATE_RES_PKT.make_struct
@ -60,38 +70,26 @@ module Msf
pkt['Payload'].v['EOFHigh'] = 0
pkt['Payload'].v['FileType'] = 0
pkt['Payload'].v['IPCState'] = 0x7
pkt['Payload'].v['IsDirectory'] = isdir
pkt['Payload'].v['IsDirectory'] = is_dir
# As above, if payload is a file or "\" send found response
if (payload.downcase.eql?(file.downcase)) or payload.length.to_s.eql?('1') or payload.eql?(path)
connect_response = ""
# GUID
connect_response << ([0].pack("C") * 16)
# File ID
connect_response << ([0].pack("C") * 6)
# Access Rights
connect_response << [0xff].pack("C")
connect_response << [0x01].pack("C")
connect_response << [0x1f].pack("C")
connect_response << [0].pack("C")
connect_response << ([0].pack("C") * 4) # Guest access
connect_response << ([0].pack("C") * 2) # Byte Count
connect_response = ""
# GUID
connect_response << ([0].pack("C") * 16)
# File ID
connect_response << ([0].pack("C") * 6)
# Access Rights
connect_response << [0xff].pack("C")
connect_response << [0x01].pack("C")
connect_response << [0x1f].pack("C")
connect_response << [0].pack("C")
connect_response << ([0].pack("C") * 4) # Guest access
connect_response << ([0].pack("C") * 2) # Byte Count
my_pkt = pkt.to_s + connect_response
original_length = my_pkt[2, 2].unpack("n").first
original_length = original_length + connect_response.length
my_pkt[2, 2] = [original_length].pack("n")
c.put(my_pkt)
else
# Otherwise send not found
pkt = CONST::SMB_CREATE_RES_PKT.make_struct
smb_set_defaults(c, pkt)
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX
pkt['Payload']['SMB'].v['ErrorClass'] = 0xC0000034 # OBJECT_NAME_NOT_FOUND
pkt['Payload']['SMB'].v['Flags1'] = 0x88
pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
c.put(pkt.to_s)
end
my_pkt = pkt.to_s + connect_response
original_length = my_pkt[2, 2].unpack("n").first
original_length = original_length + connect_response.length
my_pkt[2, 2] = [original_length].pack("n")
c.put(my_pkt)
end
end
end
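Review bot: The name dispatch in the first hunk (`if payload.ends_with?(file_name)` / `elsif payload == path_name`) compares case-sensitively, while SMB path names are case-insensitive and a client need not preserve the case the server advertised, so a CREATE for the same file in different case falls through to the OBJECT_NAME_NOT_FOUND branch; the `payload.downcase.eql?(file.downcase)` test dropped in the second hunk did not have that gap. Since `gsub(/.*\\/, '\\')` followed by `split('\\').last` already reduces `payload` to its final path component, a suffix match buys nothing here, and `if payload.casecmp(file_name) == 0` with `elsif payload.casecmp(path_name) == 0` would be both exact and case-insensitive. This assumes the `ends_with?`/`elsif` chain is the new side, which is inferred because the page renders no +/- markers. Deleting every NUL with `gsub(/\x00/, '')` to flatten the Unicode name only round-trips ASCII, so a non-ASCII file name can never match; that limitation deserves a one-line comment on that line, e.g. `# NUL-stripping only preserves ASCII names`. The enclosing method starts before the first hunk and is not visible here.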