Add template for SMB_QUERY_FILE_STANDARD_INFO
parent
21978a1bfe
commit
a91d19e0e7
|
@ -493,8 +493,9 @@ module Msf
|
|||
#
|
||||
def smb_cmd_trans_query_file_info_standard(c, buff)
|
||||
dprint("[smb_cmd_trans_query_file_info_standard]")
|
||||
pkt = CONST::SMB_TRANS2_PKT.make_struct
|
||||
pkt.from_s(buff)
|
||||
|
||||
trans2_params = CONST::SMB_TRANS2_QUERY_PATH_INFORMATION_RES_PARAMETERS.make_struct
|
||||
trans2_params.v['EaErrorOffset'] = 0
|
||||
|
||||
pkt = CONST::SMB_TRANS_RES_PKT.make_struct
|
||||
smb_set_defaults(c, pkt)
|
||||
|
@ -512,7 +513,7 @@ module Msf
|
|||
pkt['Payload'].v['Payload'] =
|
||||
"\x00" + # Padding
|
||||
# QUERY_FILE Parameters
|
||||
"\x00\x00" + # EA Error Offset
|
||||
trans2_params.to_s +
|
||||
"\x00\x00" + # Padding
|
||||
# QUERY_FILE_INFO Data
|
||||
"\x95\x1c\x02\x00\x00\x00\x00\x00"
|
||||
|
@ -534,12 +535,22 @@ module Msf
|
|||
|
||||
# If FileID matches or matches file, send file response
|
||||
if ( fid.hex.eql?(smb[:file_id].to_i) or payload.length.eql?(file_name.length) )
|
||||
attrib2 = "\x00" # IsFile
|
||||
attrib2 = 0 # IsFile
|
||||
else
|
||||
# Otherwise return a Directory answer
|
||||
attrib2 = "\x01" # IsDir
|
||||
attrib2 = 1 # IsDir
|
||||
end
|
||||
|
||||
trans2_params = CONST::SMB_TRANS2_QUERY_PATH_INFORMATION_RES_PARAMETERS.make_struct
|
||||
trans2_params.v['EaErrorOffset'] = 0
|
||||
|
||||
query_path_info = CONST::SMB_QUERY_FILE_STANDARD_INFO_HDR.make_struct
|
||||
query_path_info.v['AllocationSize'] = 1048576
|
||||
query_path_info.v['EndOfFile'] = exe_contents.length
|
||||
query_path_info.v['NumberOfLinks'] = 1
|
||||
query_path_info.v['DeletePending'] = 0
|
||||
query_path_info.v['Directory'] = attrib2
|
||||
|
||||
pkt = CONST::SMB_TRANS_RES_PKT.make_struct
|
||||
smb_set_defaults(c, pkt)
|
||||
|
||||
|
@ -555,15 +566,9 @@ module Msf
|
|||
pkt['Payload'].v['DataOffset'] = 60
|
||||
pkt['Payload'].v['Payload'] =
|
||||
"\x00" + # Padding
|
||||
# QUERY_PATH_INFO Parameters
|
||||
"\x00\x00" + # EA Error Offset
|
||||
trans2_params.to_s +
|
||||
"\x00\x00" + # Padding
|
||||
# QUERY_PATH_INFO Data
|
||||
"\x00\x00\x10\x00\x00\x00\x00\x00" + # Allocation Size = 1048576 || 1Mb
|
||||
[exe_contents.length].pack("V") + "\x00\x00\x00\x00" + # End Of File
|
||||
"\x01\x00\x00\x00" + # Link Count
|
||||
"\x00" + # Delete Pending
|
||||
attrib2 +
|
||||
query_path_info.to_s +
|
||||
"\x00\x00" # Unknown
|
||||
c.put(pkt.to_s)
|
||||
end
|
||||
|
@ -597,14 +602,29 @@ module Msf
|
|||
|
||||
# If payload contains our file extension, send file response
|
||||
if payext and payext.downcase.eql?(fileext.downcase)
|
||||
attrib = "\x80\x00\x00\x00" # File attributes => file
|
||||
attrib = SMB_EXT_FILE_ATTR_NORMAL # File attributes => file
|
||||
elsif payload.length.to_s.eql?('1') or payload.eql?(path)
|
||||
# if QUERY_PATH_INFO_PARAMETERS doesn't include a file name,
|
||||
# return a Directory answer
|
||||
attrib = "\x10\x00\x00\x00" # File attributes => directory
|
||||
attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY # File attributes => directory
|
||||
end
|
||||
|
||||
if (payext and payext.downcase.eql?(fileext.downcase)) or payload.length.to_s.eql?('1') or payload.length.to_s.eql?('4') or payload.eql?(path)
|
||||
|
||||
trans2_params = CONST::SMB_TRANS2_QUERY_PATH_INFORMATION_RES_PARAMETERS.make_struct
|
||||
trans2_params.v['EaErrorOffset'] = 0
|
||||
|
||||
query_path_info = CONST::SMB_QUERY_FILE_BASIC_INFO_HDR.make_struct
|
||||
query_path_info.v['loCreationTime'] = lo
|
||||
query_path_info.v['hiCreationTime'] = hi
|
||||
query_path_info.v['loLastAccessTime'] = lo
|
||||
query_path_info.v['hiLastAccessTime'] = hi
|
||||
query_path_info.v['loLastWriteTime'] = lo
|
||||
query_path_info.v['hiLastWriteTime'] = hi
|
||||
query_path_info.v['loLastChangeTime'] = lo
|
||||
query_path_info.v['hiLastChangeTime'] = hi
|
||||
query_path_info.v['ExtFileAttributes'] = attrib
|
||||
|
||||
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
|
||||
pkt['Payload']['SMB'].v['Flags1'] = 0x88
|
||||
pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
|
||||
|
@ -617,16 +637,9 @@ module Msf
|
|||
pkt['Payload'].v['DataOffset'] = 60
|
||||
pkt['Payload'].v['Payload'] =
|
||||
"\x00" + # Padding
|
||||
# QUERY_PATH_INFO Parameters
|
||||
"\x00\x00" + # EA Error Offset
|
||||
trans2_params.to_s +
|
||||
"\x00\x00" + # Padding
|
||||
#QUERY_PATH_INFO Data
|
||||
[lo, hi].pack("VV") + # Created
|
||||
[lo, hi].pack("VV") + # Last Access
|
||||
[lo, hi].pack("VV") + # Last Write
|
||||
[lo, hi].pack("VV") + # Change
|
||||
attrib +
|
||||
"\x00\x00\x00\x00" # Unknown
|
||||
query_path_info.to_s
|
||||
c.put(pkt.to_s)
|
||||
else
|
||||
pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
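Review bot: In the extension-match branch of the last changed hunk, `attrib = SMB_EXT_FILE_ATTR_NORMAL` lacks the `CONST::` prefix that the directory branch just below it uses (`CONST::SMB_EXT_FILE_ATTR_DIRECTORY`). Unless the bare name resolves in this module's scope, that branch raises NameError on the first matching request. Assuming the constant is defined alongside the directory one, the line should read `attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL`. Separately, the outer condition also admits `payload.length.to_s.eql?('4')`, which neither the `if` nor the `elsif` covers, so `attrib` looks to be nil when it is assigned to `ExtFileAttributes`, unless it is set above the hunk; an explicit `else` with a default would remove the doubt. The enclosing method starts and ends outside the visible hunks.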
|
||||
|
|
|
@ -1180,6 +1180,15 @@ SMB_QUERY_FILE_BASIC_INFO_HDR = Rex::Struct2::CStructTemplate.new(
|
|||
['uint32v', 'Reserved', 0]
|
||||
)
|
||||
|
||||
# A template for SMB_QUERY_FILE_STANDARD_INFO query path information level
|
||||
SMB_QUERY_FILE_STANDARD_INFO_HDR = Rex::Struct2::CStructTemplate.new(
|
||||
['uint64v', 'AllocationSize', 0],
|
||||
['uint64v', 'EndOfFile', 0],
|
||||
['uint32v', 'NumberOfLinks', 0],
|
||||
['uint8', 'DeletePending', 0],
|
||||
['uint8', 'Directory', 0]
|
||||
)
|
||||
|
||||
end
|
||||
end
|
||||
end
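Review bot: The comment above `SMB_QUERY_FILE_STANDARD_INFO_HDR` does not say how the template maps to the bytes on the wire, and the response builder that uses it still appends `"\x00\x00" # Unknown` after `query_path_info.to_s`. I would extend the comment to something like `# Fixed 22-byte body of the SMB_QUERY_FILE_STANDARD_INFO level; callers append trailing padding themselves`. That makes it easier to check any hard-coded counts in the caller, which are outside the visible hunks, if a field is later added or resized.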
|
||||
|
|