Add template for SMB_TREE_CONN_ANDX_RES_PKT

2015-02-24 19:27:25 -06:00 · 2015-02-24 19:27:25 -06:00 · d10385cfed
parent 1f1d95bb37
commit d10385cfed
2 changed files with 36 additions and 28 deletions
--- a/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb
@ -10,6 +10,17 @@ module Msf
          #
          def smb_cmd_session_setup(c, buff)
            dprint("[SMB_CMD_SESSION_SETUP]")
+
+            tree_connect_response = CONST::SMB_TREE_CONN_ANDX_RES_PKT.make_struct
+            tree_connect_response.v['WordCount'] = 7
+            tree_connect_response.v['AndXCommand'] = 0xff
+            tree_connect_response.v['AndXReserved'] = 0
+            tree_connect_response.v['AndXOffset'] = 0
+            tree_connect_response.v['OptionalSupport'] = 1
+            tree_connect_response.v['AccessRights'] = 0x1200a9
+            tree_connect_response.v['GuestAccessRights'] = 0
+            tree_connect_response.v['Payload'] = "A:\x00#{Rex::Text.to_unicode('NTFS')}\x00\x00"
+
            pkt = CONST::SMB_SETUP_RES_PKT.make_struct
            smb_set_defaults(c, pkt)

@ -22,33 +33,16 @@ module Msf
            pkt['Payload'].v['AndXOffset'] = 96
            pkt['Payload'].v['Action'] = 0x1 # Logged in as Guest
            pkt['Payload'].v['Payload'] =
-                Rex::Text.to_unicode("Unix", 'utf-16be') + "\x00\x00" + # Native OS # Samba signature
-                    Rex::Text.to_unicode("Samba 3.4.7", 'utf-16be') + "\x00\x00" + # Native LAN Manager # Samba signature
-                    Rex::Text.to_unicode("WORKGROUP", 'utf-16be') + "\x00\x00\x00" + # Primary DOMAIN # Samba signature
-                    tree_connect_response = ""
-            tree_connect_response << [7].pack("C")  # Tree Connect Response : WordCount
-            tree_connect_response << [0xff].pack("C") # Tree Connect Response : AndXCommand
-            tree_connect_response << [0].pack("C") # Tree Connect Response : Reserved
-            tree_connect_response << [0].pack("v")  # Tree Connect Response : AndXOffset
-            tree_connect_response << [0x1].pack("v")  # Tree Connect Response : Optional Support
-            tree_connect_response << [0xa9].pack("C") # Access Mask for just Read and Exec
-            tree_connect_response << [0x00].pack("C")
-            tree_connect_response << [0x12].pack("C")
-            tree_connect_response << [0x00].pack("C")
-            tree_connect_response << [0].pack("v") # Tree Connect Response : Word Parameter
-            tree_connect_response << [0].pack("v") # Tree Connect Response : Word Parameter
-            tree_connect_response << [13].pack("v") # Tree Connect Response : ByteCount
-            tree_connect_response << "A:\x00" # Service
-            tree_connect_response << "#{Rex::Text.to_unicode("NTFS")}\x00\x00" # Extra byte parameters
-            # Fix the Netbios Session Service Message Length
-            # to have into account the tree_connect_response,
-            # need to do this because there isn't support for
-            # AndX still
-            my_pkt = pkt.to_s + tree_connect_response
-            original_length = my_pkt[2, 2].unpack("n").first
-            original_length = original_length +  tree_connect_response.length
-            my_pkt[2, 2] = [original_length].pack("n")
-            c.put(my_pkt)
+              Rex::Text.to_unicode('Unix', 'utf-16be') + "\x00\x00" + # Native OS # Samba signature
+              Rex::Text.to_unicode('Samba 3.4.7', 'utf-16be') + "\x00\x00" + # Native LAN Manager # Samba signature
+              Rex::Text.to_unicode('WORKGROUP', 'utf-16be') + "\x00\x00\x00" # Primary DOMAIN # Samba signature
+
+            full_pkt = pkt.to_s + tree_connect_response.to_s
+            original_length = full_pkt[2, 2].unpack('n')[0]
+            original_length = original_length +  tree_connect_response.to_s.length
+            full_pkt[2, 2] = [original_length].pack('n')
+
+            c.put(full_pkt)
          end
        end
      end
--- a/lib/rex/proto/smb/constants.rb
+++ b/lib/rex/proto/smb/constants.rb
@ -1087,7 +1087,6 @@ class Constants
  SMB_READ_RES_PKT = self.make_nbs(SMB_READ_RES_HDR_PKT)


-
  # A SMB template for SMB Search requests
  SMB_SEARCH_HDR_PKT = Rex::Struct2::CStructTemplate.new(
    [ 'template', 'SMB',                 SMB_HDR ],
@ -1228,6 +1227,21 @@ class Constants
    ['uint32v', 'SearchStorageType', 0],
    ['string',  'FileName', nil,   '']
  )
+
+  SMB_TREE_CONN_ANDX_RES_PKT = Rex::Struct2::CStructTemplate.new(
+    ['uint8',   'WordCount',         0],
+    ['uint8',   'AndXCommand',       0],
+    ['uint8',   'AndXReserved',      0],
+    ['uint16v', 'AndXOffset',        0],
+    ['uint16v', 'OptionalSupport',   0],
+    ['uint32v', 'AccessRights',      0],
+    ['uint32v', 'GuestAccessRights', 0],
+    ['uint16v', 'ByteCount',         0],
+    ['string',  'Payload', nil,     '']
+  ).create_restraints(
+    [ 'Payload', 'ByteCount',  nil, true ]
+  )
+
 end
 end
 end