Add templates for SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR and SMB_FIND_FILE_NAMES_INFO_HDR

2015-02-20 09:17:51 -06:00 · 2015-02-20 09:17:51 -06:00 · cf63e09188
parent f2405a5dc0
commit cf63e09188
2 changed files with 66 additions and 24 deletions
--- a/lib/msf/core/exploit/smb/server/share.rb
+++ b/lib/msf/core/exploit/smb/server/share.rb
@ -808,6 +808,11 @@ module Msf
          return
        end

+        find_file = CONST::SMB_FIND_FILE_NAMES_INFO_HDR.make_struct
+        find_file.v['NextEntryOffset'] = CONST::SMB_FIND_FILE_NAMES_INFO_HDR_LENGTH + data.length
+        find_file.v['FileIndex'] = 0
+        find_file.v['FileName'] = data
+
        trans2_params = CONST::SMB_TRANS2_PARAMETERS.make_struct
        trans2_params.v['SID'] = 0xfffd
        trans2_params.v['SearchCount'] = 1
@ -831,11 +836,7 @@ module Msf
          trans2_params.to_s + # FIND_FIRST2 Parameters
          "\x00\x00" + # Padding
          # QUERY_PATH_INFO Data
-          [14 + data.length].pack("V") + # Next Entry Offset
-          "\x00\x00\x00\x00" + # File Index
-          [data.length].pack("V") + # File Name Len
-          data +
-          "\x00\x00" # Padding
+          find_file.to_s
        c.put(pkt.to_s)
      end

@ -857,17 +858,17 @@ module Msf

        if payload && payload.include?(file_name)
          data = Rex::Text.to_unicode(file_name)
-          length = [exe_contents.length].pack("V")
+          length = exe_contents.length
          ea = 0
-          alloc = "\x00\x00\x10\x00\x00\x00\x00\x00" # Allocation Size = 1048576 || 1Mb
-          attrib = "\x80\x00\x00\x00" # File
+          alloc = 1048576 # Allocation Size = 1048576 || 1Mb
+          attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL # File
          search = 0x100
        elsif payload && payload == path_name
          data = path
-          length = "\x00\x00\x00\x00"
+          length = 0
          ea = 0x21
-          alloc = "\x00\x00\x00\x00\x00\x00\x00\x00" # 0Mb
-          attrib = "\x10\x00\x00\x00" # Dir
+          alloc = 0 # 0Mb
+          attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY # Dir
          pkt['Payload'].v['SetupCount'] = 0
          search = 1
        else
@ -875,6 +876,22 @@ module Msf
          return
        end

+        find_file = CONST::SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR.make_struct
+        find_file.v['NextEntryOffset'] = CONST::SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR_LENGTH + data.length
+        find_file.v['FileIndex'] = 0
+        find_file.v['loCreationTime'] = lo
+        find_file.v['hiCreationTime'] = hi
+        find_file.v['loLastAccessTime'] = lo
+        find_file.v['hiLastAccessTime'] = hi
+        find_file.v['loLastWriteTime'] = lo
+        find_file.v['hiLastWriteTime'] = hi
+        find_file.v['loLastChangeTime'] = lo
+        find_file.v['hiLastChangeTime'] = hi
+        find_file.v['EndOfFile'] = length
+        find_file.v['AllocationSize'] = alloc
+        find_file.v['ExtFileAttributes'] = attrib
+        find_file.v['FileName'] = data
+
        trans2_params = CONST::SMB_TRANS2_PARAMETERS.make_struct
        trans2_params.v['SID'] = 0xfffd
        trans2_params.v['SearchCount'] = search
@ -896,19 +913,8 @@ module Msf
          "\x00" + # Padding
          trans2_params.to_s + # FIND_FIRST2 Parameters
          "\x00\x00" + # Padding
-          # QUERY_PATH_INFO Data
-          [68 + data.length].pack("V") + # Next Entry Offset
-          "\x00\x00\x00\x00" + # File Index
-          [lo, hi].pack("VV") + # Created
-          [lo, hi].pack("VV") + # Last Access
-          [lo, hi].pack("VV") + # Last Write
-          [lo, hi].pack("VV") + # Change
-          length + "\x00\x00\x00\x00" + # End Of File
-          alloc +
-          attrib +
-          [data.length].pack("V") + # File name len
-          "\x00\x00\x00\x00" + # EA List Length
-          data
+          find_file.to_s
+
        c.put(pkt.to_s)
      end
    end
--- a/lib/rex/proto/smb/constants.rb
+++ b/lib/rex/proto/smb/constants.rb
@ -1125,6 +1125,42 @@ SMB_FIND_FILE_BOTH_DIRECTORY_INFO_HDR = Rex::Struct2::CStructTemplate.new(

 SMB_FIND_FILE_BOTH_DIRECTORY_INFO_HDR_LENGTH = 94

+# A template for SMB_FIND_FILE_BOTH_DIRECTORY_INFO Find information level
+SMB_FIND_FILE_NAMES_INFO_HDR = Rex::Struct2::CStructTemplate.new(
+  ['uint32v', 'NextEntryOffset',   0],
+  ['uint32v', 'FileIndex',         0],
+  ['uint32v', 'FileNameLength',    0],
+  ['string',  'FileName', nil, '' ]
+).create_restraints(
+  ['FileName', 'FileNameLength',  nil, true]
+)
+
+SMB_FIND_FILE_NAMES_INFO_HDR_LENGTH = 12
+
+# A template for SMB_FIND_FILE_FULL_DIRECTORY_INFO Find information level
+SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR = Rex::Struct2::CStructTemplate.new(
+  ['uint32v', 'NextEntryOffset',   0],
+  ['uint32v', 'FileIndex',         0],
+  ['uint32v', 'loCreationTime',    0],
+  ['uint32v', 'hiCreationTime',    0],
+  ['uint32v', 'loLastAccessTime',  0],
+  ['uint32v', 'hiLastAccessTime',  0],
+  ['uint32v', 'loLastWriteTime',   0],
+  ['uint32v', 'hiLastWriteTime',   0],
+  ['uint32v', 'loLastChangeTime',  0],
+  ['uint32v', 'hiLastChangeTime',  0],
+  ['uint64v', 'EndOfFile',         0],
+  ['uint64v', 'AllocationSize',    0],
+  ['uint32v', 'ExtFileAttributes', 0],
+  ['uint32v', 'FileNameLength',    0],
+  ['uint32v', 'EaSize',            0],
+  ['string',  'FileName', nil, '' ]
+).create_restraints(
+  ['FileName', 'FileNameLength',  nil, true]
+)
+
+SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR_LENGTH = 68
+
 end
 end
 end