Create template for SMB_FIND_FILE_BOTH_DIRECTORY_INFO
parent
94ad64546c
commit
571dffa317
|
@ -723,17 +723,17 @@ module Msf
|
||||||
|
|
||||||
if payload && payload.include?(file_name)
|
if payload && payload.include?(file_name)
|
||||||
data = Rex::Text.to_unicode(file_name)
|
data = Rex::Text.to_unicode(file_name)
|
||||||
length = [exe_contents.length].pack("V")
|
length = exe_contents.length
|
||||||
ea = 0
|
ea = 0
|
||||||
alloc = "\x00\x00\x10\x00\x00\x00\x00\x00" # Allocation Size = 1048576 || 1Mb
|
alloc = 1048576 # Allocation Size = 1048576 || 1Mb
|
||||||
attrib = "\x80\x00\x00\x00" # File
|
attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
|
||||||
search = 1
|
search = 1
|
||||||
elsif payload && payload == path_name
|
elsif payload && payload == path_name
|
||||||
data = Rex::Text.to_unicode(path)
|
data = Rex::Text.to_unicode(path)
|
||||||
length = "\x00\x00\x00\x00"
|
length = 0
|
||||||
ea = 0x21
|
ea = 0x21
|
||||||
alloc = "\x00\x00\x00\x00\x00\x00\x00\x00" # 0Mb
|
alloc = 0 # 0Mb
|
||||||
attrib = "\x10\x00\x00\x00" # Dir
|
attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
|
||||||
pkt['Payload'].v['SetupCount'] = 0
|
pkt['Payload'].v['SetupCount'] = 0
|
||||||
search = 0x100
|
search = 0x100
|
||||||
else
|
else
|
||||||
|
@ -741,13 +741,31 @@ module Msf
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
trans2_params = CONST::TRANS2_PARAMETERS.make_struct
|
trans2_params = CONST::SMB_TRANS2_PARAMETERS.make_struct
|
||||||
trans2_params.v['SID'] = 0xfffd
|
trans2_params.v['SID'] = 0xfffd
|
||||||
trans2_params.v['SearchCount'] = search
|
trans2_params.v['SearchCount'] = search
|
||||||
trans2_params.v['EndOfSearch'] = search
|
trans2_params.v['EndOfSearch'] = search
|
||||||
trans2_params.v['EaErrorOffset'] = ea
|
trans2_params.v['EaErrorOffset'] = ea
|
||||||
trans2_params.v['LastNameOffset'] = 0
|
trans2_params.v['LastNameOffset'] = 0
|
||||||
|
|
||||||
|
find_file = CONST::SMB_FIND_FILE_BOTH_DIRECTORY_INFO_HDR.make_struct
|
||||||
|
find_file.v['NextEntryOffset'] = 94 + data.length
|
||||||
|
find_file.v['FileIndex'] = 0
|
||||||
|
find_file.v['loCreationTime'] = lo
|
||||||
|
find_file.v['hiCreationTime'] = hi
|
||||||
|
find_file.v['loLastAccessTime'] = lo
|
||||||
|
find_file.v['hiLastAccessTime'] = hi
|
||||||
|
find_file.v['loLastWriteTime'] = lo
|
||||||
|
find_file.v['hiLastWriteTime'] = hi
|
||||||
|
find_file.v['loLastChangeTime'] = lo
|
||||||
|
find_file.v['hiLastChangeTime'] = hi
|
||||||
|
find_file.v['EndOfFile'] = length
|
||||||
|
find_file.v['AllocationSize'] = alloc
|
||||||
|
find_file.v['ExtFileAttributes'] = attrib
|
||||||
|
find_file.v['EaSize'] = 0
|
||||||
|
find_file.v['Reserved'] = 0
|
||||||
|
find_file.v['FileName'] = data
|
||||||
|
|
||||||
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
|
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
|
||||||
pkt['Payload']['SMB'].v['Flags1'] = 0x88
|
pkt['Payload']['SMB'].v['Flags1'] = 0x88
|
||||||
pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
|
pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
|
||||||
|
@ -762,22 +780,8 @@ module Msf
|
||||||
"\x00" + # Padding
|
"\x00" + # Padding
|
||||||
trans2_params.to_s + # FIND_FIRST2 Parameters
|
trans2_params.to_s + # FIND_FIRST2 Parameters
|
||||||
"\x00\x00" + # Padding
|
"\x00\x00" + # Padding
|
||||||
|
find_file.to_s
|
||||||
#QUERY_PATH_INFO Data
|
#QUERY_PATH_INFO Data
|
||||||
[94 + data.length].pack("V") + # Next Entry Offset
|
|
||||||
"\x00\x00\x00\x00" + # File Index
|
|
||||||
[lo, hi].pack("VV") + # Created
|
|
||||||
[lo, hi].pack("VV") + # Last Access
|
|
||||||
[lo, hi].pack("VV") + # Last Write
|
|
||||||
[lo, hi].pack("VV") + # Change
|
|
||||||
length + "\x00\x00\x00\x00" + # End Of File
|
|
||||||
alloc +
|
|
||||||
attrib +
|
|
||||||
[data.length].pack("V") + # File name len
|
|
||||||
"\x00\x00\x00\x00" + # EA List Length
|
|
||||||
"\x00" + # Short file length
|
|
||||||
"\x00" + # Reserved
|
|
||||||
("\x00" * 24) +
|
|
||||||
data
|
|
||||||
c.put(pkt.to_s)
|
c.put(pkt.to_s)
|
||||||
end
|
end
|
||||||
|
|
||||||
|
@ -806,7 +810,7 @@ module Msf
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
trans2_params = CONST::TRANS2_PARAMETERS.make_struct
|
trans2_params = CONST::SMB_TRANS2_PARAMETERS.make_struct
|
||||||
trans2_params.v['SID'] = 0xfffd
|
trans2_params.v['SID'] = 0xfffd
|
||||||
trans2_params.v['SearchCount'] = 1
|
trans2_params.v['SearchCount'] = 1
|
||||||
trans2_params.v['EndOfSearch'] = 1
|
trans2_params.v['EndOfSearch'] = 1
|
||||||
|
@ -873,7 +877,7 @@ module Msf
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
trans2_params = CONST::TRANS2_PARAMETERS.make_struct
|
trans2_params = CONST::SMB_TRANS2_PARAMETERS.make_struct
|
||||||
trans2_params.v['SID'] = 0xfffd
|
trans2_params.v['SID'] = 0xfffd
|
||||||
trans2_params.v['SearchCount'] = search
|
trans2_params.v['SearchCount'] = search
|
||||||
trans2_params.v['EndOfSearch'] = search
|
trans2_params.v['EndOfSearch'] = search
|
||||||
|
|
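Review bot: `find_file.v['NextEntryOffset'] = 94 + data.length` in the hunk at -741 keeps the hand-counted 94 even though this commit adds a template describing the same layout. 94 is the sum of the fixed-size fields of SMB_FIND_FILE_BOTH_DIRECTORY_INFO_HDR up to and including ShortName (40 + 16 + 12 + 2 + 24), so the offset and the template will silently drift apart if a field is ever added or resized. At minimum add a comment such as `# 94 = fixed-size part of SMB_FIND_FILE_BOTH_DIRECTORY_INFO_HDR (every field before FileName)`, or derive the value from the serialized struct once FileName is assigned. In the hunk at -762 the `#QUERY_PATH_INFO Data` comment appears to end up after `find_file.to_s`, where it labels nothing; it should move above that line and name the FIND_FIRST2 data it describes. The enclosing method starts and ends outside these hunks.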
|
@ -1089,13 +1089,38 @@ SMB_SEARCH_HDR_PKT = Rex::Struct2::CStructTemplate.new(
|
||||||
)
|
)
|
||||||
SMB_SEARCH_PKT = self.make_nbs(SMB_SEARCH_HDR_PKT)
|
SMB_SEARCH_PKT = self.make_nbs(SMB_SEARCH_HDR_PKT)
|
||||||
|
|
||||||
# A SMB template for SMB TRANS2 parameters
|
# A template for SMB TRANS2 parameters
|
||||||
TRANS2_PARAMETERS = Rex::Struct2::CStructTemplate.new(
|
SMB_TRANS2_PARAMETERS = Rex::Struct2::CStructTemplate.new(
|
||||||
[ 'uint16v', 'SID', 0 ],
|
['uint16v', 'SID', 0],
|
||||||
[ 'uint16v', 'SearchCount', 0 ],
|
['uint16v', 'SearchCount', 0],
|
||||||
[ 'uint16v', 'EndOfSearch', 0 ],
|
['uint16v', 'EndOfSearch', 0],
|
||||||
[ 'uint16v', 'EaErrorOffset', 0 ],
|
['uint16v', 'EaErrorOffset', 0],
|
||||||
[ 'uint16v', 'LastNameOffset', 0 ]
|
['uint16v', 'LastNameOffset', 0]
|
||||||
|
)
|
||||||
|
|
||||||
|
# A template for SMB_FIND_FILE_BOTH_DIRECTORY_INFO Find information level
|
||||||
|
SMB_FIND_FILE_BOTH_DIRECTORY_INFO_HDR = Rex::Struct2::CStructTemplate.new(
|
||||||
|
['uint32v', 'NextEntryOffset', 0],
|
||||||
|
['uint32v', 'FileIndex', 0],
|
||||||
|
['uint32v', 'loCreationTime', 0],
|
||||||
|
['uint32v', 'hiCreationTime', 0],
|
||||||
|
['uint32v', 'loLastAccessTime', 0],
|
||||||
|
['uint32v', 'hiLastAccessTime', 0],
|
||||||
|
['uint32v', 'loLastWriteTime', 0],
|
||||||
|
['uint32v', 'hiLastWriteTime', 0],
|
||||||
|
['uint32v', 'loLastChangeTime', 0],
|
||||||
|
['uint32v', 'hiLastChangeTime', 0],
|
||||||
|
['uint64v', 'EndOfFile', 0],
|
||||||
|
['uint64v', 'AllocationSize', 0],
|
||||||
|
['uint32v', 'ExtFileAttributes', 0],
|
||||||
|
['uint32v', 'FileNameLength', 0],
|
||||||
|
['uint32v', 'EaSize', 0],
|
||||||
|
['uint8', 'ShortNameLength', 0],
|
||||||
|
['uint8', 'Reserved', 0],
|
||||||
|
['string', 'ShortName', 24, '', "\x00"],
|
||||||
|
['string', 'FileName', nil, '' ]
|
||||||
|
).create_restraints(
|
||||||
|
['FileName', 'FileNameLength', nil, true]
|
||||||
)
|
)
|
||||||
|
|
||||||
end
|
end
|
||||||
|
|
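Review bot: Renaming `TRANS2_PARAMETERS` to `SMB_TRANS2_PARAMETERS` removes the old constant outright, so any code still referencing `CONST::TRANS2_PARAMETERS` will raise NameError when that path runs. This commit updates three call sites, and whether others exist cannot be seen from here. Consider keeping `TRANS2_PARAMETERS = SMB_TRANS2_PARAMETERS` as a deprecated alias for a release. The new SMB_FIND_FILE_BOTH_DIRECTORY_INFO_HDR template also deserves a comment that FileNameLength is never set by the caller and is presumably filled in by the `['FileName', 'FileNameLength', nil, true]` restraint. The same comment should say FileName is expected to arrive already UTF-16LE encoded (the caller passes `Rex::Text.to_unicode(...)`), so that the length on the wire is a byte count.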