Refactor nt_create_andx requests

2015-02-26 23:31:09 -06:00 · 2015-02-26 23:31:09 -06:00 · 5b770f9f7a
parent 70033576fe
commit 5b770f9f7a
1 changed files with 21 additions and 5 deletions
--- a/lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb
@ -38,6 +38,22 @@ module Msf
              return
            end

+            send_nt_create_andx_res(c, {
+              file_id: fid,
+              attributes: attribs,
+              end_of_file_low: eof,
+              is_directory: is_dir,
+              alloc_low: 0x100000
+            })
+          end
+
+          def send_nt_create_andx_res(c, opts)
+            file_id = opts[:file_id] || 0
+            attributes = opts[:attributes] || 0
+            end_of_file_low = opts[:end_of_file_low] || 0
+            is_directory = opts[:is_directory] || 0
+            alloc_low = opts[:alloc_low] || 0
+
            pkt = CONST::SMB_CREATE_ANDX_RES_PKT.make_struct
            smb_set_defaults(c, pkt)
            pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX
@ -46,7 +62,7 @@ module Msf
            pkt['Payload']['SMB'].v['WordCount'] = 42
            pkt['Payload'].v['AndX'] = CONST::SMB_COM_NO_ANDX_COMMAND
            pkt['Payload'].v['OpLock'] = CONST::LEVEL_II_OPLOCK # Grant Oplock on File
-            pkt['Payload'].v['FileID'] = fid
+            pkt['Payload'].v['FileID'] = file_id
            pkt['Payload'].v['Action'] = CONST::FILE_OPEN # The file existed and was opened
            pkt['Payload'].v['CreateTimeLow'] = lo
            pkt['Payload'].v['CreateTimeHigh'] = hi
@ -56,14 +72,14 @@ module Msf
            pkt['Payload'].v['WriteTimeHigh'] = hi
            pkt['Payload'].v['ChangeTimeLow'] = lo
            pkt['Payload'].v['ChangeTimeHigh'] = hi
-            pkt['Payload'].v['Attributes'] = attribs
-            pkt['Payload'].v['AllocLow'] = 0x100000
+            pkt['Payload'].v['Attributes'] = attributes
+            pkt['Payload'].v['AllocLow'] = alloc_low
            pkt['Payload'].v['AllocHigh'] = 0
-            pkt['Payload'].v['EOFLow'] = eof
+            pkt['Payload'].v['EOFLow'] = end_of_file_low
            pkt['Payload'].v['EOFHigh'] = 0
            pkt['Payload'].v['FileType'] = CONST::SMB_RESOURCE_FILE_TYPE_DISK
            pkt['Payload'].v['IPCState'] = 0x7 # Number maxim of instance a named pipe can have
-            pkt['Payload'].v['IsDirectory'] = is_dir
+            pkt['Payload'].v['IsDirectory'] = is_directory
            pkt['Payload'].v['MaxAccess'] = CREATE_MAX_ACCESS
            c.put(pkt.to_s)
          end