diff --git a/lib/msf/core/exploit/smb/server/share.rb b/lib/msf/core/exploit/smb/server/share.rb 
index 45962a9dd5..5fb7aeb73b 100644 
--- a/lib/msf/core/exploit/smb/server/share.rb 
+++ b/lib/msf/core/exploit/smb/server/share.rb 
@@ -724,23 +724,30 @@ module Msf
 if payload && payload.include?(file_name)
 data = Rex::Text.to_unicode(file_name)
 length = [exe_contents.length].pack("V") 
- ea = "\x00\x00" 
+ ea = 0
 alloc = "\x00\x00\x10\x00\x00\x00\x00\x00" # Allocation Size = 1048576 || 1Mb
 attrib = "\x80\x00\x00\x00" # File 
- search = "\x01\x00" 
+ search = 1
 elsif payload && payload == path_name
 data = Rex::Text.to_unicode(path)
 length = "\x00\x00\x00\x00" 
- ea = "\x21\x00" 
+ ea = 0x21
 alloc = "\x00\x00\x00\x00\x00\x00\x00\x00" # 0Mb
 attrib = "\x10\x00\x00\x00" # Dir
 pkt['Payload'].v['SetupCount'] = 0 
- search = "\x00\x01" 
+ search = 0x100
 else
 smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_NO_SUCH_FILE, true)
 return
 end 
+ trans2_params = CONST::TRANS2_PARAMETERS.make_struct 
+ trans2_params.v['SID'] = 0xfffd 
+ trans2_params.v['SearchCount'] = search 
+ trans2_params.v['EndOfSearch'] = search 
+ trans2_params.v['EaErrorOffset'] = ea 
+ trans2_params.v['LastNameOffset'] = 0 
+
 pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
 pkt['Payload']['SMB'].v['Flags1'] = 0x88
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2 
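Review bot: In the directory branch of this hunk (@@ -724), `search = 0x100` now feeds both `SearchCount` and `EndOfSearch` of the FIND_FIRST2 response, so the server reports 256 entries for a listing that carries a single directory record. That faithfully reproduces the old `"\x00\x01"` bytes (0x0100 as a little-endian `uint16v`), but now that the value is a named integer the magic number should either be explained or corrected; the file branch a few lines above uses `search = 1` for one entry. If 256 is deliberate, add `# SearchCount/EndOfSearch: 0x100 kept from the original byte string -- TODO confirm clients depend on it`; otherwise `search = 1` matches the file branch. The enclosing handler starts before this hunk, so `pkt`, `payload` and `path_name` are not visible here.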
@@ -752,29 +759,24 @@ module Msf
 pkt['Payload'].v['DataCount'] = 14 + data.length
 pkt['Payload'].v['DataOffset'] = 68
 pkt['Payload'].v['Payload'] = 
- "\x00" + # Padding 
- # FIND_FIRST2 Parameters 
- "\xfd\xff" + # Search ID 
- search + # Search count 
- search + # End Of Search 
- ea + # EA Error Offset 
- "\x00\x00" + # Last Name Offset 
- "\x00\x00" + # Padding 
- #QUERY_PATH_INFO Data 
- [94 + data.length].pack("V") + # Next Entry Offset 
- "\x00\x00\x00\x00" + # File Index 
- [lo, hi].pack("VV") + # Created 
- [lo, hi].pack("VV") + # Last Access 
- [lo, hi].pack("VV") + # Last Write 
- [lo, hi].pack("VV") + # Change 
- length + "\x00\x00\x00\x00" + # End Of File 
- alloc + 
- attrib + 
- [data.length].pack("V") + # File name len 
- "\x00\x00\x00\x00" + # EA List Length 
- "\x00" + # Short file length 
- "\x00" + # Reserved 
- ("\x00" * 24) + 
+ "\x00" + # Padding 
+ trans2_params.to_s + # FIND_FIRST2 Parameters 
+ "\x00\x00" + # Padding 
+ #QUERY_PATH_INFO Data 
+ [94 + data.length].pack("V") + # Next Entry Offset 
+ "\x00\x00\x00\x00" + # File Index 
+ [lo, hi].pack("VV") + # Created 
+ [lo, hi].pack("VV") + # Last Access 
+ [lo, hi].pack("VV") + # Last Write 
+ [lo, hi].pack("VV") + # Change 
+ length + "\x00\x00\x00\x00" + # End Of File 
+ alloc + 
+ attrib + 
+ [data.length].pack("V") + # File name len 
+ "\x00\x00\x00\x00" + # EA List Length 
+ "\x00" + # Short file length 
+ "\x00" + # Reserved 
+ ("\x00" * 24) +
 data
 c.put(pkt.to_s)
 end 
@@ -804,6 +806,13 @@ module Msf
 return
 end 
+ trans2_params = CONST::TRANS2_PARAMETERS.make_struct 
+ trans2_params.v['SID'] = 0xfffd 
+ trans2_params.v['SearchCount'] = 1 
+ trans2_params.v['EndOfSearch'] = 1 
+ trans2_params.v['EaErrorOffset'] = 0 
+ trans2_params.v['LastNameOffset'] = 0 
+
 # If its asking for a file, return file
 pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
 pkt['Payload']['SMB'].v['Flags1'] = 0x88 
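Review bot: The five-assignment block added in the hunk at @@ -804 (`SID = 0xfffd`, `LastNameOffset = 0`, and `SearchCount` paired with `EndOfSearch`) is now written out by hand in three places in this file with only the two middle values varying, which is the same duplication that let the byte strings it replaces drift apart. A small private helper that builds the struct would keep the fixed search ID and the SearchCount/EndOfSearch pairing in one spot, and each call site would shrink to `trans2_params = find_first2_params(1, 0)`. The hunk sits inside a handler whose start is outside the hunk, so the helper would live beside it in the same module.
```ruby
# Build the TRANS2_FIND_FIRST2 response parameter block. The search ID is the
# fixed value the existing handlers already send; SearchCount and EndOfSearch
# are always emitted with the same value, as in the hand-built byte strings.
def find_first2_params(search_count, ea_error_offset)
  params = CONST::TRANS2_PARAMETERS.make_struct
  params.v['SID'] = 0xfffd
  params.v['SearchCount'] = search_count
  params.v['EndOfSearch'] = search_count
  params.v['EaErrorOffset'] = ea_error_offset
  params.v['LastNameOffset'] = 0
  params
end
```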
@@ -817,12 +826,7 @@ module Msf
 pkt['Payload'].v['DataOffset'] = 68
 pkt['Payload'].v['Payload'] =
 "\x00" + # Padding 
- # FIND_FIRST2 Parameters 
- "\xfd\xff" + # Search ID 
- "\x01\x00" + # Search count 
- "\x01\x00" + # End Of Search 
- "\x00\x00" + # EA Error Offset 
- "\x00\x00" + # Last Name Offset 
+ trans2_params.to_s + # FIND_FIRST2 Parameters
 "\x00\x00" + # Padding
 # QUERY_PATH_INFO Data
 [14 + data.length].pack("V") + # Next Entry Offset 
@@ -852,23 +856,30 @@ module Msf
 if payload && payload.include?(file_name)
 data = Rex::Text.to_unicode(file_name)
 length = [exe_contents.length].pack("V") 
- ea = "\x00\x00" 
+ ea = 0
 alloc = "\x00\x00\x10\x00\x00\x00\x00\x00" # Allocation Size = 1048576 || 1Mb
 attrib = "\x80\x00\x00\x00" # File 
- search = "\x01\x00" 
+ search = 0x100
 elsif payload && payload == path_name
 data = path
 length = "\x00\x00\x00\x00" 
- ea = "\x21\x00" 
+ ea = 0x21
 alloc = "\x00\x00\x00\x00\x00\x00\x00\x00" # 0Mb
 attrib = "\x10\x00\x00\x00" # Dir
 pkt['Payload'].v['SetupCount'] = 0 
- search = "\x00\x01" 
+ search = 1
 else
 smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_NO_SUCH_FILE, true)
 return
 end 
+ trans2_params = CONST::TRANS2_PARAMETERS.make_struct 
+ trans2_params.v['SID'] = 0xfffd 
+ trans2_params.v['SearchCount'] = search 
+ trans2_params.v['EndOfSearch'] = search 
+ trans2_params.v['EaErrorOffset'] = ea 
+ trans2_params.v['LastNameOffset'] = 0 
+
 pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
 pkt['Payload']['SMB'].v['Flags1'] = 0x88
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2 
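Review bot: The integer replacements in the hunk at @@ -852 are the mirror image of those in the hunk at @@ -724 for the same original bytes: here the file branch turns `"\x01\x00"` into `search = 0x100` and the directory branch turns `"\x00\x01"` into `search = 1`, whereas the earlier hunk maps `"\x01\x00"` to `1` and `"\x00\x01"` to `0x100`. Because `uint16v` packs little-endian, `"\x01\x00"` is 1 and `"\x00\x01"` is 0x100, so this hunk changes the SearchCount/EndOfSearch values put on the wire for both branches while the earlier hunk preserves them, and the two FIND_FIRST2 responses now disagree with each other as well as with history. If the intent is a pure refactor the file branch should read `search = 1` and the directory branch `search = 0x100`; if 0x100 was a long-standing byte-order slip, say so in a comment and use 1 in both hunks. The enclosing method starts outside this hunk.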
@@ -880,27 +891,22 @@ module Msf
 pkt['Payload'].v['DataCount'] = 68 + data.length
 pkt['Payload'].v['DataOffset'] = 68
 pkt['Payload'].v['Payload'] = 
- "\x00" + # Padding 
- # FIND_FIRST2 Parameters 
- "\xfd\xff" + # Search ID 
- search + # Search count 
- search + # End Of Search 
- ea + # EA Error Offset 
- "\x00\x00" + # Last Name Offset 
- "\x00\x00" + # Padding 
- # QUERY_PATH_INFO Data 
- [68 + data.length].pack("V") + # Next Entry Offset 
- "\x00\x00\x00\x00" + # File Index 
- [lo, hi].pack("VV") + # Created 
- [lo, hi].pack("VV") + # Last Access 
- [lo, hi].pack("VV") + # Last Write 
- [lo, hi].pack("VV") + # Change 
- length + "\x00\x00\x00\x00" + # End Of File 
- alloc + 
- attrib + 
- [data.length].pack("V") + # File name len 
- "\x00\x00\x00\x00" + # EA List Length 
- data 
+ "\x00" + # Padding 
+ trans2_params.to_s + # FIND_FIRST2 Parameters 
+ "\x00\x00" + # Padding 
+ # QUERY_PATH_INFO Data 
+ [68 + data.length].pack("V") + # Next Entry Offset 
+ "\x00\x00\x00\x00" + # File Index 
+ [lo, hi].pack("VV") + # Created 
+ [lo, hi].pack("VV") + # Last Access 
+ [lo, hi].pack("VV") + # Last Write 
+ [lo, hi].pack("VV") + # Change 
+ length + "\x00\x00\x00\x00" + # End Of File 
+ alloc + 
+ attrib + 
+ [data.length].pack("V") + # File name len 
+ "\x00\x00\x00\x00" + # EA List Length 
+ data
 c.put(pkt.to_s)
 end
 end 
diff --git a/lib/rex/proto/smb/constants.rb b/lib/rex/proto/smb/constants.rb 
index 9aecd7eafe..39040d25e8 100644 
--- a/lib/rex/proto/smb/constants.rb 
+++ b/lib/rex/proto/smb/constants.rb 
@@ -1089,6 +1089,14 @@ SMB_SEARCH_HDR_PKT = Rex::Struct2::CStructTemplate.new(
 )
 SMB_SEARCH_PKT = self.make_nbs(SMB_SEARCH_HDR_PKT) 
+# A SMB template for SMB TRANS2 parameters 
+TRANS2_PARAMETERS = Rex::Struct2::CStructTemplate.new( 
+ [ 'uint16v', 'SID', 0 ], 
+ [ 'uint16v', 'SearchCount', 0 ], 
+ [ 'uint16v', 'EndOfSearch', 0 ], 
+ [ 'uint16v', 'EaErrorOffset', 0 ], 
+ [ 'uint16v', 'LastNameOffset', 0 ] 
+)
 end
 end
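Review bot: The comment `# A SMB template for SMB TRANS2 parameters` in the constants.rb hunk describes the new `TRANS2_PARAMETERS` template more broadly than its fields warrant: SID, SearchCount, EndOfSearch, EaErrorOffset and LastNameOffset are the parameter block of a TRANS2_FIND_FIRST2 response, and other TRANS2 subcommands carry different parameter layouts (FIND_NEXT2, for one, has no SID field), so a generic name invites reuse where the layout does not fit. A comment that pins the layout would prevent that: `# TRANS2_FIND_FIRST2 response parameter block (all fields little-endian); other TRANS2 subcommands use different layouts`. Renaming the constant to `TRANS2_FIND_FIRST2_PARAMETERS` would be clearer still, but it is already referenced from share.rb in this same commit, so the comment is the minimal change.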