Create TRANS2_PARAMETERS template
parent
b24b94ddd3
commit
94ad64546c
|
@ -724,23 +724,30 @@ module Msf
|
||||||
if payload && payload.include?(file_name)
|
if payload && payload.include?(file_name)
|
||||||
data = Rex::Text.to_unicode(file_name)
|
data = Rex::Text.to_unicode(file_name)
|
||||||
length = [exe_contents.length].pack("V")
|
length = [exe_contents.length].pack("V")
|
||||||
ea = "\x00\x00"
|
ea = 0
|
||||||
alloc = "\x00\x00\x10\x00\x00\x00\x00\x00" # Allocation Size = 1048576 || 1Mb
|
alloc = "\x00\x00\x10\x00\x00\x00\x00\x00" # Allocation Size = 1048576 || 1Mb
|
||||||
attrib = "\x80\x00\x00\x00" # File
|
attrib = "\x80\x00\x00\x00" # File
|
||||||
search = "\x01\x00"
|
search = 1
|
||||||
elsif payload && payload == path_name
|
elsif payload && payload == path_name
|
||||||
data = Rex::Text.to_unicode(path)
|
data = Rex::Text.to_unicode(path)
|
||||||
length = "\x00\x00\x00\x00"
|
length = "\x00\x00\x00\x00"
|
||||||
ea = "\x21\x00"
|
ea = 0x21
|
||||||
alloc = "\x00\x00\x00\x00\x00\x00\x00\x00" # 0Mb
|
alloc = "\x00\x00\x00\x00\x00\x00\x00\x00" # 0Mb
|
||||||
attrib = "\x10\x00\x00\x00" # Dir
|
attrib = "\x10\x00\x00\x00" # Dir
|
||||||
pkt['Payload'].v['SetupCount'] = 0
|
pkt['Payload'].v['SetupCount'] = 0
|
||||||
search = "\x00\x01"
|
search = 0x100
|
||||||
else
|
else
|
||||||
smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_NO_SUCH_FILE, true)
|
smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_NO_SUCH_FILE, true)
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
|
trans2_params = CONST::TRANS2_PARAMETERS.make_struct
|
||||||
|
trans2_params.v['SID'] = 0xfffd
|
||||||
|
trans2_params.v['SearchCount'] = search
|
||||||
|
trans2_params.v['EndOfSearch'] = search
|
||||||
|
trans2_params.v['EaErrorOffset'] = ea
|
||||||
|
trans2_params.v['LastNameOffset'] = 0
|
||||||
|
|
||||||
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
|
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
|
||||||
pkt['Payload']['SMB'].v['Flags1'] = 0x88
|
pkt['Payload']['SMB'].v['Flags1'] = 0x88
|
||||||
pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
|
pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
|
||||||
|
@ -752,29 +759,24 @@ module Msf
|
||||||
pkt['Payload'].v['DataCount'] = 14 + data.length
|
pkt['Payload'].v['DataCount'] = 14 + data.length
|
||||||
pkt['Payload'].v['DataOffset'] = 68
|
pkt['Payload'].v['DataOffset'] = 68
|
||||||
pkt['Payload'].v['Payload'] =
|
pkt['Payload'].v['Payload'] =
|
||||||
"\x00" + # Padding
|
"\x00" + # Padding
|
||||||
# FIND_FIRST2 Parameters
|
trans2_params.to_s + # FIND_FIRST2 Parameters
|
||||||
"\xfd\xff" + # Search ID
|
"\x00\x00" + # Padding
|
||||||
search + # Search count
|
#QUERY_PATH_INFO Data
|
||||||
search + # End Of Search
|
[94 + data.length].pack("V") + # Next Entry Offset
|
||||||
ea + # EA Error Offset
|
"\x00\x00\x00\x00" + # File Index
|
||||||
"\x00\x00" + # Last Name Offset
|
[lo, hi].pack("VV") + # Created
|
||||||
"\x00\x00" + # Padding
|
[lo, hi].pack("VV") + # Last Access
|
||||||
#QUERY_PATH_INFO Data
|
[lo, hi].pack("VV") + # Last Write
|
||||||
[94 + data.length].pack("V") + # Next Entry Offset
|
[lo, hi].pack("VV") + # Change
|
||||||
"\x00\x00\x00\x00" + # File Index
|
length + "\x00\x00\x00\x00" + # End Of File
|
||||||
[lo, hi].pack("VV") + # Created
|
alloc +
|
||||||
[lo, hi].pack("VV") + # Last Access
|
attrib +
|
||||||
[lo, hi].pack("VV") + # Last Write
|
[data.length].pack("V") + # File name len
|
||||||
[lo, hi].pack("VV") + # Change
|
"\x00\x00\x00\x00" + # EA List Length
|
||||||
length + "\x00\x00\x00\x00" + # End Of File
|
"\x00" + # Short file length
|
||||||
alloc +
|
"\x00" + # Reserved
|
||||||
attrib +
|
("\x00" * 24) +
|
||||||
[data.length].pack("V") + # File name len
|
|
||||||
"\x00\x00\x00\x00" + # EA List Length
|
|
||||||
"\x00" + # Short file length
|
|
||||||
"\x00" + # Reserved
|
|
||||||
("\x00" * 24) +
|
|
||||||
data
|
data
|
||||||
c.put(pkt.to_s)
|
c.put(pkt.to_s)
|
||||||
end
|
end
|
||||||
|
@ -804,6 +806,13 @@ module Msf
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
|
trans2_params = CONST::TRANS2_PARAMETERS.make_struct
|
||||||
|
trans2_params.v['SID'] = 0xfffd
|
||||||
|
trans2_params.v['SearchCount'] = 1
|
||||||
|
trans2_params.v['EndOfSearch'] = 1
|
||||||
|
trans2_params.v['EaErrorOffset'] = 0
|
||||||
|
trans2_params.v['LastNameOffset'] = 0
|
||||||
|
|
||||||
# If its asking for a file, return file
|
# If its asking for a file, return file
|
||||||
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
|
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
|
||||||
pkt['Payload']['SMB'].v['Flags1'] = 0x88
|
pkt['Payload']['SMB'].v['Flags1'] = 0x88
|
||||||
|
@ -817,12 +826,7 @@ module Msf
|
||||||
pkt['Payload'].v['DataOffset'] = 68
|
pkt['Payload'].v['DataOffset'] = 68
|
||||||
pkt['Payload'].v['Payload'] =
|
pkt['Payload'].v['Payload'] =
|
||||||
"\x00" + # Padding
|
"\x00" + # Padding
|
||||||
# FIND_FIRST2 Parameters
|
trans2_params.to_s + # FIND_FIRST2 Parameters
|
||||||
"\xfd\xff" + # Search ID
|
|
||||||
"\x01\x00" + # Search count
|
|
||||||
"\x01\x00" + # End Of Search
|
|
||||||
"\x00\x00" + # EA Error Offset
|
|
||||||
"\x00\x00" + # Last Name Offset
|
|
||||||
"\x00\x00" + # Padding
|
"\x00\x00" + # Padding
|
||||||
# QUERY_PATH_INFO Data
|
# QUERY_PATH_INFO Data
|
||||||
[14 + data.length].pack("V") + # Next Entry Offset
|
[14 + data.length].pack("V") + # Next Entry Offset
|
||||||
|
@ -852,23 +856,30 @@ module Msf
|
||||||
if payload && payload.include?(file_name)
|
if payload && payload.include?(file_name)
|
||||||
data = Rex::Text.to_unicode(file_name)
|
data = Rex::Text.to_unicode(file_name)
|
||||||
length = [exe_contents.length].pack("V")
|
length = [exe_contents.length].pack("V")
|
||||||
ea = "\x00\x00"
|
ea = 0
|
||||||
alloc = "\x00\x00\x10\x00\x00\x00\x00\x00" # Allocation Size = 1048576 || 1Mb
|
alloc = "\x00\x00\x10\x00\x00\x00\x00\x00" # Allocation Size = 1048576 || 1Mb
|
||||||
attrib = "\x80\x00\x00\x00" # File
|
attrib = "\x80\x00\x00\x00" # File
|
||||||
search = "\x01\x00"
|
search = 0x100
|
||||||
elsif payload && payload == path_name
|
elsif payload && payload == path_name
|
||||||
data = path
|
data = path
|
||||||
length = "\x00\x00\x00\x00"
|
length = "\x00\x00\x00\x00"
|
||||||
ea = "\x21\x00"
|
ea = 0x21
|
||||||
alloc = "\x00\x00\x00\x00\x00\x00\x00\x00" # 0Mb
|
alloc = "\x00\x00\x00\x00\x00\x00\x00\x00" # 0Mb
|
||||||
attrib = "\x10\x00\x00\x00" # Dir
|
attrib = "\x10\x00\x00\x00" # Dir
|
||||||
pkt['Payload'].v['SetupCount'] = 0
|
pkt['Payload'].v['SetupCount'] = 0
|
||||||
search = "\x00\x01"
|
search = 1
|
||||||
else
|
else
|
||||||
smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_NO_SUCH_FILE, true)
|
smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_NO_SUCH_FILE, true)
|
||||||
return
|
return
|
||||||
end
|
end
|
||||||
|
|
||||||
|
trans2_params = CONST::TRANS2_PARAMETERS.make_struct
|
||||||
|
trans2_params.v['SID'] = 0xfffd
|
||||||
|
trans2_params.v['SearchCount'] = search
|
||||||
|
trans2_params.v['EndOfSearch'] = search
|
||||||
|
trans2_params.v['EaErrorOffset'] = ea
|
||||||
|
trans2_params.v['LastNameOffset'] = 0
|
||||||
|
|
||||||
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
|
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
|
||||||
pkt['Payload']['SMB'].v['Flags1'] = 0x88
|
pkt['Payload']['SMB'].v['Flags1'] = 0x88
|
||||||
pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
|
pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
|
||||||
|
@ -880,27 +891,22 @@ module Msf
|
||||||
pkt['Payload'].v['DataCount'] = 68 + data.length
|
pkt['Payload'].v['DataCount'] = 68 + data.length
|
||||||
pkt['Payload'].v['DataOffset'] = 68
|
pkt['Payload'].v['DataOffset'] = 68
|
||||||
pkt['Payload'].v['Payload'] =
|
pkt['Payload'].v['Payload'] =
|
||||||
"\x00" + # Padding
|
"\x00" + # Padding
|
||||||
# FIND_FIRST2 Parameters
|
trans2_params.to_s + # FIND_FIRST2 Parameters
|
||||||
"\xfd\xff" + # Search ID
|
"\x00\x00" + # Padding
|
||||||
search + # Search count
|
# QUERY_PATH_INFO Data
|
||||||
search + # End Of Search
|
[68 + data.length].pack("V") + # Next Entry Offset
|
||||||
ea + # EA Error Offset
|
"\x00\x00\x00\x00" + # File Index
|
||||||
"\x00\x00" + # Last Name Offset
|
[lo, hi].pack("VV") + # Created
|
||||||
"\x00\x00" + # Padding
|
[lo, hi].pack("VV") + # Last Access
|
||||||
# QUERY_PATH_INFO Data
|
[lo, hi].pack("VV") + # Last Write
|
||||||
[68 + data.length].pack("V") + # Next Entry Offset
|
[lo, hi].pack("VV") + # Change
|
||||||
"\x00\x00\x00\x00" + # File Index
|
length + "\x00\x00\x00\x00" + # End Of File
|
||||||
[lo, hi].pack("VV") + # Created
|
alloc +
|
||||||
[lo, hi].pack("VV") + # Last Access
|
attrib +
|
||||||
[lo, hi].pack("VV") + # Last Write
|
[data.length].pack("V") + # File name len
|
||||||
[lo, hi].pack("VV") + # Change
|
"\x00\x00\x00\x00" + # EA List Length
|
||||||
length + "\x00\x00\x00\x00" + # End Of File
|
data
|
||||||
alloc +
|
|
||||||
attrib +
|
|
||||||
[data.length].pack("V") + # File name len
|
|
||||||
"\x00\x00\x00\x00" + # EA List Length
|
|
||||||
data
|
|
||||||
c.put(pkt.to_s)
|
c.put(pkt.to_s)
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
|
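Review bot: In the hunk at `@ -852,23 +856,30` the two `search` assignments are inverted relative to the byte strings they replace: the file branch turns `"\x01\x00"` (little-endian 1) into `search = 0x100`, and the directory branch turns `"\x00\x01"` (little-endian 256) into `search = 1`, so once packed through the `uint16v` SearchCount/EndOfSearch fields of TRANS2_PARAMETERS the bytes on the wire swap between the two branches. The first hunk (`@ -724,23 +724,30`) converts the same literals the other way (`search = 1` for the file, `search = 0x100` for the directory) and does preserve the old bytes, so if that mapping is the intended one the later hunk should read `search = 1` in the file branch and `search = 0x100` in the `elsif` branch. Separately, `0x100` as a SearchCount/EndOfSearch value for the directory response is carried over from the old literal and looks like a byte-order artefact rather than a deliberate count; a one-line comment saying why it differs from the file branch, or one `search` value for both branches, would make the intent checkable. The enclosing methods begin before these hunks.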
@ -1089,6 +1089,14 @@ SMB_SEARCH_HDR_PKT = Rex::Struct2::CStructTemplate.new(
|
||||||
)
|
)
|
||||||
SMB_SEARCH_PKT = self.make_nbs(SMB_SEARCH_HDR_PKT)
|
SMB_SEARCH_PKT = self.make_nbs(SMB_SEARCH_HDR_PKT)
|
||||||
|
|
||||||
|
# A SMB template for SMB TRANS2 parameters
|
||||||
|
TRANS2_PARAMETERS = Rex::Struct2::CStructTemplate.new(
|
||||||
|
[ 'uint16v', 'SID', 0 ],
|
||||||
|
[ 'uint16v', 'SearchCount', 0 ],
|
||||||
|
[ 'uint16v', 'EndOfSearch', 0 ],
|
||||||
|
[ 'uint16v', 'EaErrorOffset', 0 ],
|
||||||
|
[ 'uint16v', 'LastNameOffset', 0 ]
|
||||||
|
)
|
||||||
|
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
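Review bot: The comment on the new template, `# A SMB template for SMB TRANS2 parameters`, is broader than what the fields describe: SID, SearchCount, EndOfSearch, EaErrorOffset and LastNameOffset are the parameter block of a TRANS2_FIND_FIRST2 response, and other TRANS2 subcommands carry different parameter layouts. The only users added in this commit label it `# FIND_FIRST2 Parameters` too, so the definition should say the same, e.g. `# Parameter block of a TRANS2_FIND_FIRST2 response (SID, counts, EA error and last-name offsets)`. If the layout is meant to be reused for other subcommands later, that intent belongs in the comment as well, since a reader will otherwise assume the field order is subcommand-specific.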