Create Access rights constants

lib/msf/core/exploit/smb/server/share.rb

@@ -31,26 +31,41 @@ module Msf
 
       FLAGS = CONST::FLAGS_REQ_RES + CONST::FLAGS_CASE_SENSITIVE
 
-      FLAGS2 = CONST::FLAGS2_UNICODE_STRINGS +
-        CONST::FLAGS2_EXTENDED_SECURITY +
-        CONST::FLAGS2_32_BIT_ERROR_CODES +
+      FLAGS2 = CONST::FLAGS2_UNICODE_STRINGS |
+        CONST::FLAGS2_EXTENDED_SECURITY |
+        CONST::FLAGS2_32_BIT_ERROR_CODES |
         CONST::FLAGS2_LONG_PATH_COMPONENTS
 
-      CAPABILITIES = CONST::CAP_UNIX_EXTENSIONS +
-        CONST::CAP_LARGE_WRITEX +
-        CONST::CAP_LARGE_READX +
-        CONST::CAP_PASSTHRU +
-        CONST::CAP_DFS +
-        CONST::CAP_NT_FIND +
-        CONST::CAP_LOCK_AND_READ +
-        CONST::CAP_LEVEL_II_OPLOCKS +
-        CONST::CAP_STATUS32 +
-        CONST::CAP_RPC_REMOTE_APIS +
-        CONST::CAP_NT_SMBS +
-        CONST::CAP_LARGE_FILES +
-        CONST::CAP_UNICODE +
+      CAPABILITIES = CONST::CAP_UNIX_EXTENSIONS |
+        CONST::CAP_LARGE_WRITEX |
+        CONST::CAP_LARGE_READX |
+        CONST::CAP_PASSTHRU |
+        CONST::CAP_DFS |
+        CONST::CAP_NT_FIND |
+        CONST::CAP_LOCK_AND_READ |
+        CONST::CAP_LEVEL_II_OPLOCKS |
+        CONST::CAP_STATUS32 |
+        CONST::CAP_RPC_REMOTE_APIS |
+        CONST::CAP_NT_SMBS |
+        CONST::CAP_LARGE_FILES |
+        CONST::CAP_UNICODE |
         CONST::CAP_RAW_MODE
 
+      CREATE_MAX_ACCESS = CONST::SMB_READ_ACCESS |
+        CONST::SMB_WRITE_ACCESS |
+        CONST::SMB_APPEND_ACCESS |
+        CONST::SMB_READ_EA_ACCESS |
+        CONST::SMB_WRITE_EA_ACCESS |
+        CONST::SMB_EXECUTE_ACCESS |
+        CONST::SMB_DELETE_CHILD_ACCESS |
+        CONST::SMB_READ_ATTRIBUTES_ACCESS |
+        CONST::SMB_WRITE_ATTRIBUTES_ACCESS |
+        CONST::SMB_DELETE_ACCESS |
+        CONST::SMB_READ_CONTROL_ACCESS |
+        CONST::SMB_WRITE_DAC_ACCESS |
+        CONST::SMB_WRITE_OWNER_ACCESS |
+        CONST::SMB_SYNC_ACCESS
+
       attr_accessor :unc
       attr_accessor :share
       attr_accessor :path_name

lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb

@@ -38,7 +38,7 @@ module Msf
               pkt = CONST::SMB_CREATE_RES_PKT.make_struct
               smb_set_defaults(c, pkt)
               pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX
-              pkt['Payload']['SMB'].v['ErrorClass'] = 0xC0000034 # OBJECT_NAME_NOT_FOUND
+              pkt['Payload']['SMB'].v['ErrorClass'] = CONST::SMB_STATUS_OBJECT_NAME_NOT_FOUND
               pkt['Payload']['SMB'].v['Flags1'] = FLAGS
               pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
               c.put(pkt.to_s)
@@ -68,10 +68,10 @@ module Msf
             pkt['Payload'].v['AllocHigh'] = 0
             pkt['Payload'].v['EOFLow'] = eof
             pkt['Payload'].v['EOFHigh'] = 0
-            pkt['Payload'].v['FileType'] = 0
-            pkt['Payload'].v['IPCState'] = 0x7
+            pkt['Payload'].v['FileType'] = CONST::SMB_RESOURCE_FILE_TYPE_DISK
+            pkt['Payload'].v['IPCState'] = 0x7 # Number maxim of instance a named pipe can have
             pkt['Payload'].v['IsDirectory'] = is_dir
-            pkt['Payload'].v['MaxAccess'] = 0x1f01ff
+            pkt['Payload'].v['MaxAccess'] = CREATE_MAX_ACCESS
             c.put(pkt.to_s)
           end
         end

lib/rex/proto/smb/constants.rb

@@ -195,6 +195,21 @@ class Constants
   CREATE_ACCESS_OVEREXIST  = 0x04 # Overwrite existing file and fail if it does not exist
   CREATE_ACCESS_OVERCREATE = 0x05 # Overwrite existing file or create it if it does not exist
 
+  # Access Rights
+  SMB_READ_ACCESS = 1
+  SMB_WRITE_ACCESS = 2
+  SMB_APPEND_ACCESS = 4
+  SMB_READ_EA_ACCESS = 8
+  SMB_WRITE_EA_ACCESS = 0x10
+  SMB_EXECUTE_ACCESS = 0x20
+  SMB_DELETE_CHILD_ACCESS = 0x40
+  SMB_READ_ATTRIBUTES_ACCESS = 0x80
+  SMB_WRITE_ATTRIBUTES_ACCESS = 0x100
+  SMB_DELETE_ACCESS = 0x10000
+  SMB_READ_CONTROL_ACCESS = 0x20000
+  SMB_WRITE_DAC_ACCESS = 0x40000
+  SMB_WRITE_OWNER_ACCESS = 0x80000
+  SMB_SYNC_ACCESS = 0x100000
 
   # Wildcard NetBIOS name
   NETBIOS_REDIR = 'CACACACACACACACACACACACACACACAAA'
@@ -217,7 +232,6 @@ class Constants
     # 13 = create_directory
     # 14 = session_setup
 
-
   # SMB_COM_TRANSACTION2 SubCommands
   TRANS2_OPEN2 = 0
   TRANS2_FIND_FIRST2 = 1
@@ -370,6 +384,14 @@ class Constants
   SMB_STATUS_ACCESS_DENIED =		0xC0000022
   SMB_STATUS_LOGON_FAILURE =		0xC000006D
   SMB_STATUS_NO_SUCH_FILE = 0xC000000F
+  SMB_STATUS_OBJECT_NAME_NOT_FOUND = 0xc0000034
+
+  # SMB Resource types
+  SMB_RESOURCE_FILE_TYPE_DISK = 0x0000
+  SMB_RESOURCE_FILE_TYPE_BYTE_MODE_PIPE = 0x0001
+  SMB_RESOURCE_FILE_TYPE_MESSAGE_MODE_PIPE = 0x0002
+  SMB_RESOURCE_FILE_TYPE_PRINTER = 0x0003
+  SMB_RESOURCE_FILE_TYPE_COMM_DEVICE = 0x0004
 
   # SMB Dialect Compatibility
   DIALECT = {}