diff --git a/lib/msf/core/exploit/smb/server/share/command/close.rb b/lib/msf/core/exploit/smb/server/share/command/close.rb index 9f10ed122b..a95afa0abf 100644 --- a/lib/msf/core/exploit/smb/server/share/command/close.rb +++ b/lib/msf/core/exploit/smb/server/share/command/close.rb @@ -9,10 +9,6 @@ module Msf # Responds to a client CLOSE request # def smb_cmd_close(c, buff) - dprint("[SMB_CMD_CLOSE]") - pkt = CONST::SMB_CLOSE_PKT.make_struct - pkt.from_s(buff) - pkt = CONST::SMB_CLOSE_RES_PKT.make_struct smb_set_defaults(c, pkt) diff --git a/lib/msf/core/exploit/smb/server/share/command/negotiate.rb b/lib/msf/core/exploit/smb/server/share/command/negotiate.rb index d800364903..9485b77195 100644 --- a/lib/msf/core/exploit/smb/server/share/command/negotiate.rb +++ b/lib/msf/core/exploit/smb/server/share/command/negotiate.rb @@ -9,12 +9,10 @@ module Msf # Negotiates a SHARE session with the client # def smb_cmd_negotiate(c, buff) - dprint("[SMB_CMD_NEGOTIATE]") pkt = CONST::SMB_NEG_PKT.make_struct pkt.from_s(buff) dialects = pkt['Payload'].v['Payload'].gsub(/\x00/, '').split(/\x02/).grep(/^\w+/) - dialect = dialects.index("NT LM 0.12") || dialects.length-1 pkt = CONST::SMB_NEG_RES_NT_PKT.make_struct diff --git a/lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb b/lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb index b494ac44c6..12727797c7 100644 --- a/lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb +++ b/lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb @@ -9,7 +9,6 @@ module Msf # Responds to a client NT_CREATE_ANDX request # def smb_cmd_create(c, buff) - dprint("[SMB_CMD_CREATE]") smb = @state[c] pkt = CONST::SMB_CREATE_PKT.make_struct pkt.from_s(buff) 
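Review bot: With the request parse removed from smb_cmd_close, `buff` is now an unused parameter and the FID named by the client is never read, so the handler returns the same CLOSE response for any handle. If that is intended, rename the parameter `_buff` per Ruby convention and state it in the method comment, e.g. `# Acknowledges any CLOSE; the request FID is not read or validated.`, so the next reader does not assume the handle is checked. The rest of smb_cmd_close continues outside the hunk.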
@@ -25,12 +24,12 @@ module Msf
 
 if payload.ends_with?(file_name)
 fid = smb[:file_id].to_i
- attribs = 0x80 # File Attributes
+ attribs = CONST::SMB_EXT_FILE_ATTR_NORMAL
 eof = exe_contents.length
 is_dir = 0
 elsif payload.eql?(path_name)
 fid = smb[:dir_id].to_i
- attribs = 0x10 # Ordinary Dir
+ attribs = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
 eof = 0
 is_dir = 1
 else
@@ -51,7 +50,7 @@ module Msf
 pkt['Payload']['SMB'].v['Flags1'] = FLAGS
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 42
- pkt['Payload'].v['AndX'] = 0xff # no further commands
+ pkt['Payload'].v['AndX'] = CONST::SMB_COM_NO_ANDX_COMMAND
 pkt['Payload'].v['OpLock'] = CONST::LEVEL_II_OPLOCK # Grant Oplock on File
 pkt['Payload'].v['FileID'] = fid
 pkt['Payload'].v['Action'] = CONST::FILE_OPEN # The file existed and was opened
diff --git a/lib/msf/core/exploit/smb/server/share/command/read_andx.rb b/lib/msf/core/exploit/smb/server/share/command/read_andx.rb
index ae494d2d09..81f28cfad4 100644
--- a/lib/msf/core/exploit/smb/server/share/command/read_andx.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/read_andx.rb
@@ -26,7 +26,7 @@ module Msf
 pkt['Payload']['SMB'].v['Flags1'] = FLAGS
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 12
- pkt['Payload'].v['AndX'] = 0xff # no more commands
+ pkt['Payload'].v['AndX'] = CONST::SMB_COM_NO_ANDX_COMMAND
 pkt['Payload'].v['Remaining'] = 0xffff
 pkt['Payload'].v['DataLenLow'] = length
 pkt['Payload'].v['DataOffset'] = CONST::SMB_READ_RES_HDR_PKT_LENGTH
diff --git a/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb b/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb
index 7860096afd..319030676c 100644
--- a/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb
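Review bot: `pkt['Payload'].v['Remaining'] = 0xffff`, the line right after the new CONST::SMB_COM_NO_ANDX_COMMAND assignment in read_andx.rb, is the same kind of bare protocol literal this commit replaces elsewhere; presumably it is the reserved -1 of the READ_ANDX response, so a named constant or at least `pkt['Payload'].v['Remaining'] = 0xffff # reserved, -1 in the READ_ANDX response` would keep the hunk consistent with itself. The next line, `DataLenLow = length`, also assumes `length` fits in 16 bits; where `length` is computed lies outside the hunk, so it is worth confirming the caller bounds it. The enclosing method starts and ends outside the hunk.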
@@ -13,7 +13,7 @@ module Msf
 
 tree_connect_response = CONST::SMB_TREE_CONN_ANDX_RES_PKT.make_struct
 tree_connect_response.v['WordCount'] = 7
- tree_connect_response.v['AndXCommand'] = 0xff
+ tree_connect_response.v['AndXCommand'] = CONST::SMB_COM_NO_ANDX_COMMAND
 tree_connect_response.v['AndXReserved'] = 0
 tree_connect_response.v['AndXOffset'] = 0
 tree_connect_response.v['OptionalSupport'] = 1
@@ -28,7 +28,7 @@ module Msf
 pkt['Payload']['SMB'].v['Flags1'] = FLAGS
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 3
- pkt['Payload'].v['AndX'] = 0x75
+ pkt['Payload'].v['AndX'] = CONST::SMB_COM_TREE_CONNECT_ANDX
 pkt['Payload'].v['Reserved1'] = 00
 pkt['Payload'].v['AndXOffset'] = 96
 pkt['Payload'].v['Action'] = CONST::SMB_SETUP_GUEST
diff --git a/lib/msf/core/exploit/smb/server/share/command/trans2.rb b/lib/msf/core/exploit/smb/server/share/command/trans2.rb
index 440391f804..385107c392 100644
--- a/lib/msf/core/exploit/smb/server/share/command/trans2.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/trans2.rb
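Review bot: `pkt['Payload'].v['Reserved1'] = 00`, the line after the new CONST::SMB_COM_TREE_CONNECT_ANDX assignment, is an octal literal that merely happens to be zero; write it as `0`. `AndXOffset = 96` on the following line is a hard-coded byte offset that has to agree with the size of the session-setup response that precedes the chained TREE_CONNECT_ANDX, and now that the chained command is named it is the one unexplained magic number left in the block, so a comment such as `# byte offset of the chained TREE_CONNECT_ANDX response within this packet` or a CONST length would help the next reader keep it in sync. The enclosing method starts and ends outside the hunk.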
@@ -24,25 +24,22 @@ module Msf data_trans2.from_s(pkt['Payload'].v['SetupData']) sub_command = data_trans2.v['SubCommand'] + parameters = data_trans2.v['Parameters'].gsub(/^[\x00]*/, '') #delete padding case sub_command when CONST::TRANS2_QUERY_FILE_INFO - parameters = data_trans2.v['Parameters'].gsub(/^[\x00]*/, '') #delete padding smb_cmd_trans2_query_file_information(c, parameters) when CONST::TRANS2_QUERY_PATH_INFO - parameters = data_trans2.v['Parameters'].gsub(/^[\x00]*/, '') #delete padding smb_cmd_trans2_query_path_information(c, parameters) when CONST::TRANS2_FIND_FIRST2 - parameters = data_trans2.v['Parameters'].gsub(/^[\x00]*/, '') #delete padding smb_cmd_trans2_find_first2(c, parameters) else - dprint("\t[Unsupported/Unknown command] SUB_COMMAND: #{sub_command}") pkt = CONST::SMB_TRANS_RES_PKT.make_struct smb_set_defaults(c, pkt) pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2 pkt['Payload']['SMB'].v['Flags1'] = FLAGS pkt['Payload']['SMB'].v['Flags2'] = FLAGS2 - pkt['Payload']['SMB'].v['ErrorClass'] = 0xc0000225 # NT_STATUS_NOT_FOUND + pkt['Payload']['SMB'].v['ErrorClass'] = CONST::SMB_NT_STATUS_NOT_FOUND c.put(pkt.to_s) end end diff --git a/lib/msf/core/exploit/smb/server/share/command/trans2/find_first2.rb b/lib/msf/core/exploit/smb/server/share/command/trans2/find_first2.rb index dbbdf680da..d22b1eba53 100644 --- a/lib/msf/core/exploit/smb/server/share/command/trans2/find_first2.rb +++ b/lib/msf/core/exploit/smb/server/share/command/trans2/find_first2.rb @@ -18,8 +18,8 @@ module Msf search_path.gsub!(/[\x00]*/, '') #delete padding search_path.gsub!(/\\x([0-9a-f]{2})/i, '') # delete hex chars - # Do some dummy managing for wildcards - # TODO: improve + # Do some managing for wildcards + # TODO: Make it better / complete search_path.gsub!(/<\./, '*.') # manage wildcards extension = File.extname(file_name) if search_path == "#{path_name}*#{extension}" 
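Review bot: The hoisted `parameters = data_trans2.v['Parameters'].gsub(/^[\x00]*/, '')` strips leading NULs with `^`, which in Ruby matches at the start of every line, so a 0x0A byte inside the binary parameter block would cause NULs after it to be stripped as well; `\A` anchors only the start of the string, e.g. `parameters = data_trans2.v['Parameters'].sub(/\A\x00*/, '') # strip leading padding`. With the dprint gone, the `else` branch now answers CONST::SMB_NT_STATUS_NOT_FOUND for an unknown sub-command without leaving any trace; if dprint was dropped because it is not a standard mixin helper, a `vprint_status` line in this branch (and in the unknown-LOI branches of find_first2.rb, query_file_information.rb and query_path_information.rb) would keep unsupported requests diagnosable. The enclosing method starts outside the hunk.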
@@ -34,8 +34,7 @@ module Msf when CONST::SMB_FIND_FILE_FULL_DIRECTORY_INFO smb_cmd_find_file_full_directory_info(c, search_path) else - dprint("\t\tUnknown LOI [smb_cmd_trans2_find_first2] - #{loi}") - # SEND success with the hope of going ahead... + # Send STATUS_SUCCESS with the hope of going ahead smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_SUCCESS) end end diff --git a/lib/msf/core/exploit/smb/server/share/command/trans2/query_file_information.rb b/lib/msf/core/exploit/smb/server/share/command/trans2/query_file_information.rb index fcd0890da5..da8cb7bc20 100644 --- a/lib/msf/core/exploit/smb/server/share/command/trans2/query_file_information.rb +++ b/lib/msf/core/exploit/smb/server/share/command/trans2/query_file_information.rb @@ -9,7 +9,6 @@ module Msf module QueryFileInformation def smb_cmd_trans2_query_file_information(c, buff) - params = CONST::SMB_TRANS2_QUERY_FILE_PARAMETERS.make_struct params.from_s(buff) @@ -22,8 +21,7 @@ module Msf when CONST::SMB_QUERY_FILE_BASIC_INFO, CONST::SMB_QUERY_FILE_BASIC_INFO_ALIAS, CONST::SMB_SET_FILE_BASIC_INFO_ALIAS smb_cmd_trans_query_file_info_basic(c, fid) else - dprint("\t\tUnknown LOI [smb_cmd_trans2_query_file_information] - #{loi.to_s}") - # SEND success with the hope of going ahead... + # Send STATUS_SUCCESS with the hope of going ahead smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_SUCCESS) end end diff --git a/lib/msf/core/exploit/smb/server/share/command/trans2/query_path_information.rb b/lib/msf/core/exploit/smb/server/share/command/trans2/query_path_information.rb index 5f36971ac2..6a88f77153 100644 --- a/lib/msf/core/exploit/smb/server/share/command/trans2/query_path_information.rb +++ b/lib/msf/core/exploit/smb/server/share/command/trans2/query_path_information.rb 
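Review bot: The unknown-LOI branch still replies with CONST::SMB_STATUS_SUCCESS, while the same commit makes the unknown sub-command branch in trans2.rb reply with the new CONST::SMB_NT_STATUS_NOT_FOUND; the two fallbacks are inconsistent, and a success status for an information level the server does not implement is presumably more confusing to a client than an error it can act on. If the optimistic reply is deliberate, the new comment should give the reason rather than the hope, e.g. `# Unknown information level: reply STATUS_SUCCESS so the client continues instead of aborting the transaction`. The same applies to the identical branches in query_file_information.rb and query_path_information.rb. The enclosing method starts outside the hunk.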
@@ -26,8 +26,7 @@ module Msf
 when CONST::SMB_QUERY_FILE_NETWORK_OPEN_INFO
 smb_cmd_trans_query_path_info_network(c, file_name)
 else
- dprint("\t\tUnknown LOI [smb_cmd_trans2_query_path_information] - #{loi.to_s}")
- # SEND success with the hope of going ahead...
+ # Send STATUS_SUCCESS with the hope of going ahead
 smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_SUCCESS)
 end
 end
diff --git a/lib/msf/core/exploit/smb/server/share/information_level/find.rb b/lib/msf/core/exploit/smb/server/share/information_level/find.rb
index ddc27b38e1..2671a0630f 100644
--- a/lib/msf/core/exploit/smb/server/share/information_level/find.rb
+++ b/lib/msf/core/exploit/smb/server/share/information_level/find.rb
@@ -81,10 +81,6 @@ module Msf
 # Command: Find File Names Info
 #
 def smb_cmd_find_file_names_info(c, payload)
-
- pkt = CONST::SMB_TRANS_RES_PKT.make_struct
- smb_set_defaults(c, pkt)
-
 if payload && payload.include?(file_name)
 data = Rex::Text.to_unicode(file_name)
 elsif payload && payload == path_name
@@ -94,6 +90,9 @@ module Msf
 return
 end
 
+ pkt = CONST::SMB_TRANS_RES_PKT.make_struct
+ smb_set_defaults(c, pkt)
+
 find_file = CONST::SMB_FIND_FILE_NAMES_INFO_HDR.make_struct
 find_file.v['NextEntryOffset'] = CONST::SMB_FIND_FILE_NAMES_INFO_HDR_LENGTH + data.length
 find_file.v['FileIndex'] = 0
@@ -106,8 +105,6 @@ module Msf
 trans2_params.v['EaErrorOffset'] = 0
 trans2_params.v['LastNameOffset'] = 0
 
- puts "length: #{find_file.to_s.length}"
-
 # If its asking for a file, return file
 pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
 pkt['Payload']['SMB'].v['Flags1'] = FLAGS
diff --git a/lib/msf/core/exploit/smb/server/share/information_level/query.rb b/lib/msf/core/exploit/smb/server/share/information_level/query.rb
index dfb274f651..1d5431fdcc 100644
--- a/lib/msf/core/exploit/smb/server/share/information_level/query.rb
+++ b/lib/msf/core/exploit/smb/server/share/information_level/query.rb
@@ -72,7 +72,7 @@ module Msf
 query_path_info.v['EndOfFile'] = exe_contents.length
 query_path_info.v['NumberOfLinks'] = 1
 query_path_info.v['DeletePending'] = 0
- query_path_info.v['Directory'] = 0 #isdir == false
+ query_path_info.v['Directory'] = 0
 
 pkt = CONST::SMB_TRANS_RES_PKT.make_struct
 smb_set_defaults(c, pkt)
@@ -168,15 +168,13 @@ module Msf
 if path && path.include?(file_name) #TODO: do it better
 attrib = 0 # File attributes => file
 elsif path && path == path_name
- # QUERY_PATH_INFO_PARAMETERS doesn't include a file name, return a Directory answer
 attrib = 1 # File attributes => directory
 elsif path.nil? || path.empty? || path == "\x00" # empty path
- # QUERY_PATH_INFO_PARAMETERS doesn't include a file name, return a Directory answer
 attrib = 1 # File attributes => directory
 else
 pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
 pkt['Payload']['SMB'].v['ErrorClass'] = CONST::SMB_STATUS_OBJECT_NAME_NOT_FOUND # OBJECT_NAME_NOT_FOUND
- pkt['Payload']['SMB'].v['Flags1'] = 0x88
+ pkt['Payload']['SMB'].v['Flags1'] = FLAGS
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 c.put(pkt.to_s)
 return
diff --git a/lib/rex/proto/smb/constants.rb b/lib/rex/proto/smb/constants.rb
index dcaa4b512f..113e5e77ea 100644
--- a/lib/rex/proto/smb/constants.rb
+++ b/lib/rex/proto/smb/constants.rb
@@ -403,6 +403,7 @@ class Constants
 SMB_STATUS_LOGON_FAILURE = 0xC000006D
 SMB_STATUS_NO_SUCH_FILE = 0xC000000F
 SMB_STATUS_OBJECT_NAME_NOT_FOUND = 0xc0000034
+ SMB_NT_STATUS_NOT_FOUND = 0xc0000225
 
 # SMB Resource types
 SMB_RESOURCE_FILE_TYPE_DISK = 0x0000
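Review bot: Dropping both `# QUERY_PATH_INFO_PARAMETERS doesn't include a file name, return a Directory answer` comments in query.rb removes the only explanation of why the `path.nil? || path.empty? || path == "\x00"` branch answers as a directory; the trailing `# empty path` names the condition, not the reason. Keep one why-comment on that branch, e.g. `# no file name in the request: return a directory answer`. The `Flags1 = FLAGS` change itself brings the error branch in line with the other handlers. The enclosing method starts and ends outside the hunk.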
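Review bot: `SMB_NT_STATUS_NOT_FOUND` breaks the naming of the block it is added to, where every NT status is `SMB_STATUS_*` (`SMB_STATUS_NO_SUCH_FILE`, `SMB_STATUS_OBJECT_NAME_NOT_FOUND` on the lines above); `SMB_STATUS_NOT_FOUND = 0xC0000225` would match the prefix and the uppercase hex digits most of the block uses. The only user this commit introduces is the `else` branch in trans2.rb, so the rename costs one line now and more once other handlers pick the constant up.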