From cf63e09188ba1e8a870be08dc6f464483406e0b5 Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Fri, 20 Feb 2015 09:17:51 -0600 Subject: [PATCH] Add templates for SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR and SMB_FIND_FILE_NAMES_INFO_HDR --- lib/msf/core/exploit/smb/server/share.rb | 54 +++++++++++++----------- lib/rex/proto/smb/constants.rb | 36 ++++++++++++++++ 2 files changed, 66 insertions(+), 24 deletions(-) diff --git a/lib/msf/core/exploit/smb/server/share.rb b/lib/msf/core/exploit/smb/server/share.rb index 2896132ab3..7eb4b6ba16 100644 --- a/lib/msf/core/exploit/smb/server/share.rb +++ b/lib/msf/core/exploit/smb/server/share.rb @@ -808,6 +808,11 @@ module Msf return end + find_file = CONST::SMB_FIND_FILE_NAMES_INFO_HDR.make_struct + find_file.v['NextEntryOffset'] = CONST::SMB_FIND_FILE_NAMES_INFO_HDR_LENGTH + data.length + find_file.v['FileIndex'] = 0 + find_file.v['FileName'] = data + trans2_params = CONST::SMB_TRANS2_PARAMETERS.make_struct trans2_params.v['SID'] = 0xfffd trans2_params.v['SearchCount'] = 1 @@ -831,11 +836,7 @@ module Msf trans2_params.to_s + # FIND_FIRST2 Parameters "\x00\x00" + # Padding # QUERY_PATH_INFO Data - [14 + data.length].pack("V") + # Next Entry Offset - "\x00\x00\x00\x00" + # File Index - [data.length].pack("V") + # File Name Len - data + - "\x00\x00" # Padding + find_file.to_s c.put(pkt.to_s) end 
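Review bot: The context comment `# QUERY_PATH_INFO Data` that survives directly above the new `find_file.to_s` in the second hunk now mislabels the data it introduces — this is the SMB_FIND_FILE_NAMES_INFO entry of a FIND_FIRST2/FIND_NEXT2 response, and the same comment is deleted by the later hunk for the FULL_DIRECTORY_INFO path — so it should become `# FIND_FIRST2 Data (SMB_FIND_FILE_NAMES_INFO entry)` or be dropped for consistency. Note also that the rewrite changes the bytes on the wire, not just the style: the old payload advertised a NextEntryOffset of `14 + data.length` and ended with two bytes of padding, while the new struct advertises `12 + data.length` and emits no trailing pad; if that is intended it deserves a one-line comment, and if any DataCount/ByteCount is computed from the old fixed size outside these hunks it would now disagree. The enclosing method starts before the first visible line, so I cannot confirm how the data length is propagated.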
@@ -857,17 +858,17 @@ module Msf if payload && payload.include?(file_name) data = Rex::Text.to_unicode(file_name) - length = [exe_contents.length].pack("V") + length = exe_contents.length ea = 0 - alloc = "\x00\x00\x10\x00\x00\x00\x00\x00" # Allocation Size = 1048576 || 1Mb - attrib = "\x80\x00\x00\x00" # File + alloc = 1048576 # Allocation Size = 1048576 || 1Mb + attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL # File search = 0x100 elsif payload && payload == path_name data = path - length = "\x00\x00\x00\x00" + length = 0 ea = 0x21 - alloc = "\x00\x00\x00\x00\x00\x00\x00\x00" # 0Mb - attrib = "\x10\x00\x00\x00" # Dir + alloc = 0 # 0Mb + attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY # Dir pkt['Payload'].v['SetupCount'] = 0 search = 1 else @@ -875,6 +876,22 @@ module Msf return end + find_file = CONST::SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR.make_struct + find_file.v['NextEntryOffset'] = CONST::SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR_LENGTH + data.length + find_file.v['FileIndex'] = 0 + find_file.v['loCreationTime'] = lo + find_file.v['hiCreationTime'] = hi + find_file.v['loLastAccessTime'] = lo + find_file.v['hiLastAccessTime'] = hi + find_file.v['loLastWriteTime'] = lo + find_file.v['hiLastWriteTime'] = hi + find_file.v['loLastChangeTime'] = lo + find_file.v['hiLastChangeTime'] = hi + find_file.v['EndOfFile'] = length + find_file.v['AllocationSize'] = alloc + find_file.v['ExtFileAttributes'] = attrib + find_file.v['FileName'] = data + trans2_params = CONST::SMB_TRANS2_PARAMETERS.make_struct trans2_params.v['SID'] = 0xfffd trans2_params.v['SearchCount'] = search 
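Review bot: `ea` is still assigned (0 for the file branch, 0x21 for the directory branch) but the new `find_file` block never writes it — there is no `find_file.v['EaSize'] = ea` — so EaSize stays at the template default of 0, exactly as the removed hardcoded `"\x00\x00\x00\x00"` did, and the 0x21 never reaches the wire. Either add `find_file.v['EaSize'] = ea` if that was the intent, or delete the dead `ea` assignments so a reader does not assume they matter; I cannot see the lines between `trans2_params.v['SearchCount'] = search` and the packet build, so disregard this if `ea` is consumed there. The switch to `CONST::SMB_EXT_FILE_ATTR_NORMAL` / `SMB_EXT_FILE_ATTR_DIRECTORY` presumably matches the old literal bytes `\x80\x00\x00\x00` and `\x10\x00\x00\x00`, but those constants are not defined in this diff, so that is worth confirming. `lo`, `hi`, `exe_contents`, `path` and `file_name` all come from outside the hunk, and the enclosing method begins before the first visible line.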
@@ -896,19 +913,8 @@ module Msf "\x00" + # Padding trans2_params.to_s + # FIND_FIRST2 Parameters "\x00\x00" + # Padding - # QUERY_PATH_INFO Data - [68 + data.length].pack("V") + # Next Entry Offset - "\x00\x00\x00\x00" + # File Index - [lo, hi].pack("VV") + # Created - [lo, hi].pack("VV") + # Last Access - [lo, hi].pack("VV") + # Last Write - [lo, hi].pack("VV") + # Change - length + "\x00\x00\x00\x00" + # End Of File - alloc + - attrib + - [data.length].pack("V") + # File name len - "\x00\x00\x00\x00" + # EA List Length - data + find_file.to_s + c.put(pkt.to_s) end end diff --git a/lib/rex/proto/smb/constants.rb b/lib/rex/proto/smb/constants.rb index 9cf9938425..29b1bdb216 100644 --- a/lib/rex/proto/smb/constants.rb +++ b/lib/rex/proto/smb/constants.rb 
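Review bot: The entry serialized by `find_file.to_s` is the only one in the response (the directory branch sets `search = 1`), yet its NextEntryOffset is set to the entry's own size; as I read MS-CIFS, the last entry in a FIND response carries a NextEntryOffset of 0, so `find_file.v['NextEntryOffset'] = 0` would be the conformant value unless the non-zero offset is deliberately kept because real clients accept it, in which case a short comment saying so would help the next reader. The same consideration applies to the SMB_FIND_FILE_NAMES_INFO path in the earlier hunk. The method whose packet assembly ends here starts well before the hunk, so the `search` and `SetupCount` handling for the file branch is outside my view.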
@@ -1125,6 +1125,42 @@ SMB_FIND_FILE_BOTH_DIRECTORY_INFO_HDR = Rex::Struct2::CStructTemplate.new( SMB_FIND_FILE_BOTH_DIRECTORY_INFO_HDR_LENGTH = 94 +# A template for SMB_FIND_FILE_BOTH_DIRECTORY_INFO Find information level +SMB_FIND_FILE_NAMES_INFO_HDR = Rex::Struct2::CStructTemplate.new( + ['uint32v', 'NextEntryOffset', 0], + ['uint32v', 'FileIndex', 0], + ['uint32v', 'FileNameLength', 0], + ['string', 'FileName', nil, '' ] +).create_restraints( + ['FileName', 'FileNameLength', nil, true] +) + +SMB_FIND_FILE_NAMES_INFO_HDR_LENGTH = 12 + +# A template for SMB_FIND_FILE_FULL_DIRECTORY_INFO Find information level +SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR = Rex::Struct2::CStructTemplate.new( + ['uint32v', 'NextEntryOffset', 0], + ['uint32v', 'FileIndex', 0], + ['uint32v', 'loCreationTime', 0], + ['uint32v', 'hiCreationTime', 0], + ['uint32v', 'loLastAccessTime', 0], + ['uint32v', 'hiLastAccessTime', 0], + ['uint32v', 'loLastWriteTime', 0], + ['uint32v', 'hiLastWriteTime', 0], + ['uint32v', 'loLastChangeTime', 0], + ['uint32v', 'hiLastChangeTime', 0], + ['uint64v', 'EndOfFile', 0], + ['uint64v', 'AllocationSize', 0], + ['uint32v', 'ExtFileAttributes', 0], + ['uint32v', 'FileNameLength', 0], + ['uint32v', 'EaSize', 0], + ['string', 'FileName', nil, '' ] +).create_restraints( + ['FileName', 'FileNameLength', nil, true] +) + +SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR_LENGTH = 68 + end end end
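Review bot: The header comment on the first new template is copy-pasted and wrong — it reads `# A template for SMB_FIND_FILE_BOTH_DIRECTORY_INFO Find information level` but the template is `SMB_FIND_FILE_NAMES_INFO_HDR`; it should say `# A template for SMB_FIND_FILE_NAMES_INFO Find information level`. The two `*_HDR_LENGTH` constants (12 and 68) are hand-counted fixed-prefix sizes that exclude the variable `FileName`, which the `create_restraints` entry sizes on `to_s`; a comment such as `# fixed-size portion of the entry, excluding FileName` on each would make the `HDR_LENGTH + data.length` arithmetic in share.rb self-explanatory and make it obvious that the constant must be updated if a field is ever added. Hedged, since the template helpers are not in this diff: the restraint tuple is presumably `[field, length_field, mod, update_on_to_s]`, so FileNameLength is filled in automatically — if that is right it is worth a one-line note so callers know not to set it themselves.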