From d10385cfedbfe24a761acfaf195e132c2f9df27b Mon Sep 17 00:00:00 2001 From: jvazquez-r7 Date: Tue, 24 Feb 2015 19:27:25 -0600 Subject: [PATCH] Add template for SMB_TREE_CONN_ANDX_RES_PKT --- .../share/command/session_setup_andx.rb | 48 ++++++++----------- lib/rex/proto/smb/constants.rb | 16 ++++++- 2 files changed, 36 insertions(+), 28 deletions(-) diff --git a/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb b/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb index dce85e21ce..4ceaca07bb 100644 --- a/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb +++ b/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb @@ -10,6 +10,17 @@ module Msf # def smb_cmd_session_setup(c, buff) dprint("[SMB_CMD_SESSION_SETUP]") + + tree_connect_response = CONST::SMB_TREE_CONN_ANDX_RES_PKT.make_struct + tree_connect_response.v['WordCount'] = 7 + tree_connect_response.v['AndXCommand'] = 0xff + tree_connect_response.v['AndXReserved'] = 0 + tree_connect_response.v['AndXOffset'] = 0 + tree_connect_response.v['OptionalSupport'] = 1 + tree_connect_response.v['AccessRights'] = 0x1200a9 + tree_connect_response.v['GuestAccessRights'] = 0 + tree_connect_response.v['Payload'] = "A:\x00#{Rex::Text.to_unicode('NTFS')}\x00\x00" + pkt = CONST::SMB_SETUP_RES_PKT.make_struct smb_set_defaults(c, pkt) 
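Review bot: The `tree_connect_response.v['AccessRights'] = 0x1200a9` line carries a magic value whose meaning the removed pack() sequence documented as "Access Mask for just Read and Exec", and that explanation is lost in the rewrite; add `# access mask: read and execute only (FILE_READ_DATA|FILE_READ_EA|FILE_EXECUTE|FILE_READ_ATTRIBUTES|READ_CONTROL|SYNCHRONIZE)` on that line. `ByteCount` is never assigned in this block, so the wire value depends on the `create_restraints([ 'Payload', 'ByteCount', nil, true ])` entry this commit adds to constants.rb keeping it in sync with `Payload` when the struct is serialised; a comment such as `# ByteCount is derived from Payload by the template's restraint` would make that dependency visible to the next reader. The body of `smb_cmd_session_setup` continues past the end of this hunk.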
@@ -22,33 +33,16 @@ module Msf
     pkt['Payload'].v['AndXOffset'] = 96
     pkt['Payload'].v['Action'] = 0x1 # Logged in as Guest
     pkt['Payload'].v['Payload'] =
-      Rex::Text.to_unicode("Unix", 'utf-16be') + "\x00\x00" + # Native OS # Samba signature
-      Rex::Text.to_unicode("Samba 3.4.7", 'utf-16be') + "\x00\x00" + # Native LAN Manager # Samba signature
-      Rex::Text.to_unicode("WORKGROUP", 'utf-16be') + "\x00\x00\x00" + # Primary DOMAIN # Samba signature
-    tree_connect_response = ""
-    tree_connect_response << [7].pack("C") # Tree Connect Response : WordCount
-    tree_connect_response << [0xff].pack("C") # Tree Connect Response : AndXCommand
-    tree_connect_response << [0].pack("C") # Tree Connect Response : Reserved
-    tree_connect_response << [0].pack("v") # Tree Connect Response : AndXOffset
-    tree_connect_response << [0x1].pack("v") # Tree Connect Response : Optional Support
-    tree_connect_response << [0xa9].pack("C") # Access Mask for just Read and Exec
-    tree_connect_response << [0x00].pack("C")
-    tree_connect_response << [0x12].pack("C")
-    tree_connect_response << [0x00].pack("C")
-    tree_connect_response << [0].pack("v") # Tree Connect Response : Word Parameter
-    tree_connect_response << [0].pack("v") # Tree Connect Response : Word Parameter
-    tree_connect_response << [13].pack("v") # Tree Connect Response : ByteCount
-    tree_connect_response << "A:\x00" # Service
-    tree_connect_response << "#{Rex::Text.to_unicode("NTFS")}\x00\x00" # Extra byte parameters
-    # Fix the Netbios Session Service Message Length
-    # to have into account the tree_connect_response,
-    # need to do this because there isn't support for
-    # AndX still
-    my_pkt = pkt.to_s + tree_connect_response
-    original_length = my_pkt[2, 2].unpack("n").first
-    original_length = original_length + tree_connect_response.length
-    my_pkt[2, 2] = [original_length].pack("n")
-    c.put(my_pkt)
+      Rex::Text.to_unicode('Unix', 'utf-16be') + "\x00\x00" + # Native OS # Samba signature
+      Rex::Text.to_unicode('Samba 3.4.7', 'utf-16be') +
"\x00\x00" + # Native LAN Manager # Samba signature + Rex::Text.to_unicode('WORKGROUP', 'utf-16be') + "\x00\x00\x00" # Primary DOMAIN # Samba signature + + full_pkt = pkt.to_s + tree_connect_response.to_s + original_length = full_pkt[2, 2].unpack('n')[0] + original_length = original_length + tree_connect_response.to_s.length + full_pkt[2, 2] = [original_length].pack('n') + + c.put(full_pkt) end end end diff --git a/lib/rex/proto/smb/constants.rb b/lib/rex/proto/smb/constants.rb index c2f551800d..a3f97bf8f5 100644 --- a/lib/rex/proto/smb/constants.rb +++ b/lib/rex/proto/smb/constants.rb @@ -1087,7 +1087,6 @@ class Constants SMB_READ_RES_PKT = self.make_nbs(SMB_READ_RES_HDR_PKT) - # A SMB template for SMB Search requests SMB_SEARCH_HDR_PKT = Rex::Struct2::CStructTemplate.new( [ 'template', 'SMB', SMB_HDR ], @@ -1228,6 +1227,21 @@ class Constants ['uint32v', 'SearchStorageType', 0], ['string', 'FileName', nil, ''] ) + + SMB_TREE_CONN_ANDX_RES_PKT = Rex::Struct2::CStructTemplate.new( + ['uint8', 'WordCount', 0], + ['uint8', 'AndXCommand', 0], + ['uint8', 'AndXReserved', 0], + ['uint16v', 'AndXOffset', 0], + ['uint16v', 'OptionalSupport', 0], + ['uint32v', 'AccessRights', 0], + ['uint32v', 'GuestAccessRights', 0], + ['uint16v', 'ByteCount', 0], + ['string', 'Payload', nil, ''] + ).create_restraints( + [ 'Payload', 'ByteCount', nil, true ] + ) + end end end
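Review bot: The reason for the manual NetBIOS length patch at `full_pkt[2, 2] = [original_length].pack('n')` is no longer explained: the four-line comment saying the fix-up exists because the templates have no AndX chaining support was deleted and nothing replaced it, so a reader now sees a raw byte poke into a serialised packet with no rationale. Restore it as a one-line comment above `full_pkt = ...`, e.g. `# The tree connect AndX block is appended after serialisation because the templates cannot chain AndX commands, so the NBSS length field has to be patched by hand`. `tree_connect_response.to_s` is also serialised twice; bind it once with `tree_bytes = tree_connect_response.to_s` and use it for both the concatenation and the length. The `'utf-16be'` encoding applied to ASCII in the `Payload` lines appears to serve as the 2-byte alignment pad before the Unicode strings (it emits the NUL first); if that is the intent it deserves a comment, since it otherwise reads as the wrong byte order for SMB. The start of `smb_cmd_session_setup` lies outside this hunk.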
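Review bot: `SMB_TREE_CONN_ANDX_RES_PKT` is added with no comment, and unlike `SMB_SEARCH_HDR_PKT` above it carries no `['template', 'SMB', SMB_HDR]` entry, so it is not clear from the definition alone that this is only the AndX word-parameter/data block meant to be appended to an already-built SMB response. Add above it `# Template for the SMB_COM_TREE_CONNECT_ANDX response block (word parameters and data only, no NBSS/SMB header); appended to a preceding response such as the session setup reply`. The `create_restraints([ 'Payload', 'ByteCount', nil, true ])` call presumably fills `ByteCount` from `Payload` on serialisation, as the same restraint idiom appears to do elsewhere in this file (none of those neighbours are visible in this hunk); stating that in the same comment tells callers not to set `ByteCount` by hand.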