From df50aa0f062e91793cf82e42cbd027305e300a79 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Wed, 25 Feb 2015 14:11:38 -0600
Subject: [PATCH] Use constants for DataCount and DataCountTotal
---
 lib/msf/core/exploit/smb/server/share.rb | 2 ++
 .../smb/server/share/information_level/find.rb | 14 ++++++++------
 .../smb/server/share/information_level/query.rb | 12 ++++++------
 lib/rex/proto/smb/constants.rb | 4 ++++
 4 files changed, 20 insertions(+), 12 deletions(-)
diff --git a/lib/msf/core/exploit/smb/server/share.rb b/lib/msf/core/exploit/smb/server/share.rb
index 90b1847a1d..2973d867ae 100644
--- a/lib/msf/core/exploit/smb/server/share.rb
+++ b/lib/msf/core/exploit/smb/server/share.rb
@@ -66,6 +66,8 @@ module Msf
 CONST::SMB_WRITE_OWNER_ACCESS |
 CONST::SMB_SYNC_ACCESS
+ UNICODE_NULL_LENGTH = 2
+
 attr_accessor :unc
 attr_accessor :share
 attr_accessor :path_name
diff --git a/lib/msf/core/exploit/smb/server/share/information_level/find.rb b/lib/msf/core/exploit/smb/server/share/information_level/find.rb
index 45f3846ced..fe47bb481f 100644
--- a/lib/msf/core/exploit/smb/server/share/information_level/find.rb
+++ b/lib/msf/core/exploit/smb/server/share/information_level/find.rb
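Review bot: `UNICODE_NULL_LENGTH = 2` is introduced without a comment saying what it measures, and it is placed in the Msf share mixin while the companion `*_HDR_LENGTH` constants this same commit adds go into `Rex::Proto::SMB::Constants` (reached as `CONST::` in find.rb/query.rb), so the new length arithmetic mixes two namespaces for one concept. I would document it, e.g. `# Size in bytes of one UTF-16LE NUL (presumably the terminator appended to unicode strings)`, and consider defining it alongside the header-length constants in Rex so every term of those sums is a `CONST::` name. The enclosing module starts and ends outside this hunk.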
@@ -106,16 +106,18 @@ module Msf
 trans2_params.v['EaErrorOffset'] = 0
 trans2_params.v['LastNameOffset'] = 0
+ puts "length: #{find_file.to_s.length}"
+
 # If its asking for a file, return file
 pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
 pkt['Payload']['SMB'].v['Flags1'] = FLAGS
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 10
 pkt['Payload'].v['ParamCountTotal'] = 10
- pkt['Payload'].v['DataCountTotal'] = 14 + data.length
+ pkt['Payload'].v['DataCountTotal'] = CONST::SMB_FIND_FILE_NAMES_INFO_HDR_LENGTH + data.length + UNICODE_NULL_LENGTH
 pkt['Payload'].v['ParamCount'] = 10
 pkt['Payload'].v['ParamOffset'] = 56
- pkt['Payload'].v['DataCount'] = 14 + data.length
+ pkt['Payload'].v['DataCount'] = CONST::SMB_FIND_FILE_NAMES_INFO_HDR_LENGTH + data.length + UNICODE_NULL_LENGTH
 pkt['Payload'].v['DataOffset'] = 68
 pkt['Payload'].v['Payload'] = "\x00" + # Padding
@@ -178,15 +180,15 @@ module Msf
 trans2_params.v['LastNameOffset'] = 0
 pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
- pkt['Payload']['SMB'].v['Flags1'] = 0x88
+ pkt['Payload']['SMB'].v['Flags1'] = FLAGS
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 10
 pkt['Payload'].v['ParamCountTotal'] = 10
- pkt['Payload'].v['DataCountTotal'] = 68 + data.length
+ pkt['Payload'].v['DataCountTotal'] = CONST::SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR_LENGTH + data.length
 pkt['Payload'].v['ParamCount'] = 10
 pkt['Payload'].v['ParamOffset'] = 56
- pkt['Payload'].v['DataCount'] = 68 + data.length
- pkt['Payload'].v['DataOffset'] = 68
+ pkt['Payload'].v['DataCount'] = CONST::SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR_LENGTH + data.length
+ pkt['Payload'].v['DataOffset'] = CONST::SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR_LENGTH
 pkt['Payload'].v['Payload'] = "\x00" + # Padding
 trans2_params.to_s +
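Review bot: `puts "length: #{find_file.to_s.length}"` is a debugging print left in library code at the top of the first hunk; it writes to the process stdout on every response built by this method, bypasses the framework's logging, and nothing else in the hunk uses the value. It should be dropped, or if the length is worth keeping, routed through whatever logging helper this mixin already uses (`dlog`/`vprint_status`, if available here) rather than `puts`. Note also that this hunk keeps `pkt['Payload'].v['DataOffset'] = 68` as a literal while the second hunk of the same file rewrites the same field with a structure-length constant, so the two response builders now disagree about what that field means. The enclosing method starts before and ends after this hunk.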
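Review bot: `pkt['Payload'].v['DataOffset'] = CONST::SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR_LENGTH` substitutes a structure size for an offset that merely happens to also be 68. DataOffset locates the data block inside the response; in every other hunk it stays a literal that appears to track ParamOffset + ParamCount plus alignment (56 + 10 → 68 here, 56 + 2 → 60 in query.rb), and the first hunk of this file still uses `68` for it, so if the FULL_DIRECTORY_INFO length constant is ever corrected this line will silently mis-point the data block. I would restore `pkt['Payload'].v['DataOffset'] = 68` (or derive it from ParamOffset/ParamCount) with a comment such as `# offset of the data block, not the structure size`. The enclosing method starts before and ends after this hunk.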
diff --git a/lib/msf/core/exploit/smb/server/share/information_level/query.rb b/lib/msf/core/exploit/smb/server/share/information_level/query.rb
index 8c135cb643..dc5f46a737 100644
--- a/lib/msf/core/exploit/smb/server/share/information_level/query.rb
+++ b/lib/msf/core/exploit/smb/server/share/information_level/query.rb
@@ -39,10 +39,10 @@ module Msf
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 10
 pkt['Payload'].v['ParamCountTotal'] = 2
- pkt['Payload'].v['DataCountTotal'] = 24
+ pkt['Payload'].v['DataCountTotal'] = CONST::SMB_QUERY_FILE_STANDARD_INFO_HDR_LENGTH + UNICODE_NULL_LENGTH
 pkt['Payload'].v['ParamCount'] = 2
 pkt['Payload'].v['ParamOffset'] = 56
- pkt['Payload'].v['DataCount'] = 24
+ pkt['Payload'].v['DataCount'] = CONST::SMB_QUERY_FILE_STANDARD_INFO_HDR_LENGTH + UNICODE_NULL_LENGTH
 pkt['Payload'].v['DataOffset'] = 60
 pkt['Payload'].v['Payload'] = "\x00" + # Padding
@@ -99,10 +99,10 @@ module Msf
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 10
 pkt['Payload'].v['ParamCountTotal'] = 2
- pkt['Payload'].v['DataCountTotal'] = 40
+ pkt['Payload'].v['DataCountTotal'] = CONST::SMB_QUERY_FILE_BASIC_INFO_HDR_LENGTH
 pkt['Payload'].v['ParamCount'] = 2
 pkt['Payload'].v['ParamOffset'] = 56
- pkt['Payload'].v['DataCount'] = 40
+ pkt['Payload'].v['DataCount'] = CONST::SMB_QUERY_FILE_BASIC_INFO_HDR_LENGTH
 pkt['Payload'].v['DataOffset'] = 60
 pkt['Payload'].v['Payload'] = "\x00" + # Padding
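Review bot: `CONST::SMB_QUERY_FILE_STANDARD_INFO_HDR_LENGTH + UNICODE_NULL_LENGTH` reproduces the old literal 24, but it labels the two extra bytes as a "unicode null" on a fixed-layout structure that carries no string (the template added in constants.rb ends with `['uint8', 'Directory', 0]`), so the name now misdescribes what is being counted. If the data block really is the 22-byte structure followed by two bytes of padding or reserved data, a comment should say so, e.g. `# 22-byte structure plus 2 trailing bytes; see the payload assembly below`; if it is not, DataCount should be the structure length alone. The same expression is also assigned to both DataCountTotal and DataCount, so computing it once into a local (`data_count = ...`) would keep the two fields from drifting. I cannot see the payload assembly below the hunk, so which reading is correct needs confirming against it; the enclosing method starts before and ends after this hunk.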
@@ -160,10 +160,10 @@ module Msf
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 10
 pkt['Payload'].v['ParamCountTotal'] = 2
- pkt['Payload'].v['DataCountTotal'] = 24
+ pkt['Payload'].v['DataCountTotal'] = CONST::SMB_QUERY_FILE_STANDARD_INFO_HDR_LENGTH + UNICODE_NULL_LENGTH
 pkt['Payload'].v['ParamCount'] = 2
 pkt['Payload'].v['ParamOffset'] = 56
- pkt['Payload'].v['DataCount'] = 24
+ pkt['Payload'].v['DataCount'] = CONST::SMB_QUERY_FILE_STANDARD_INFO_HDR_LENGTH + UNICODE_NULL_LENGTH
 pkt['Payload'].v['DataOffset'] = 60
 pkt['Payload'].v['Payload'] = "\x00" + # Padding
diff --git a/lib/rex/proto/smb/constants.rb b/lib/rex/proto/smb/constants.rb
index e1147b27e8..8912142b94 100644
--- a/lib/rex/proto/smb/constants.rb
+++ b/lib/rex/proto/smb/constants.rb
@@ -1292,6 +1292,8 @@ class Constants
 ['uint32v', 'Reserved', 0]
 )
+ SMB_QUERY_FILE_BASIC_INFO_HDR_LENGTH = 40
+
 # A template for SMB_QUERY_FILE_STANDARD_INFO query path information level
 SMB_QUERY_FILE_STANDARD_INFO_HDR = Rex::Struct2::CStructTemplate.new(
 ['uint64v', 'AllocationSize', 0],
@@ -1301,6 +1303,8 @@ class Constants
 ['uint8', 'Directory', 0]
 )
+ SMB_QUERY_FILE_STANDARD_INFO_HDR_LENGTH = 22
+
 # A template for SMB_Data blocks of the SMB_COM_TRANSACTION2 requests
 SMB_DATA_TRANS2 = Rex::Struct2::CStructTemplate.new(
 ['uint16v', 'SubCommand', 0],
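Review bot: `SMB_QUERY_FILE_STANDARD_INFO_HDR_LENGTH = 22` is a hand-maintained number placed right after the `SMB_QUERY_FILE_STANDARD_INFO_HDR` template that already encodes the same byte size, so the two can silently drift (the same applies to `SMB_QUERY_FILE_BASIC_INFO_HDR_LENGTH = 40` in the hunk above). Either derive it from the template — `SMB_QUERY_FILE_STANDARD_INFO_HDR.make_struct.to_s.length`, if CStruct#to_s serializes the default field values in this codebase — or pin the intent with a comment such as `# Serialized size in bytes of SMB_QUERY_FILE_STANDARD_INFO_HDR above; keep in sync with the template`. A spec asserting the constant equals the template's serialized length would catch a later edit to either side. The enclosing Constants class starts and ends outside this hunk.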