Do better handling of TRAN2_QUERY_FILE_INFORMATION requests

lib/msf/core/exploit/smb/server/share/command/trans2.rb

@@ -31,16 +31,13 @@ module Msf
 
             case sub_command
             when CONST::TRANS2_QUERY_FILE_INFO
-              smb_cmd_trans2_query_file_information(c, buff)
+              parameters = data_trans2.v['Parameters'].gsub(/^[\x00]*/, '') #delete padding
+              #smb_cmd_trans2_query_file_information(c, buff)
+              smb_cmd_trans2_query_file_information(c, parameters)
             when CONST::TRANS2_QUERY_PATH_INFO
               smb_cmd_trans2_query_path_information(c, buff)
             when CONST::TRANS2_FIND_FIRST2
-              puts "TRANS2_FIND_FIRST2"
-              puts "#{Rex::Text.to_hex_dump(pkt['Payload'].v['SetupData'])}"
-              #smb_cmd_trans2_find_first2(c, buff)
               parameters = data_trans2.v['Parameters'].gsub(/^[\x00]*/, '') #delete padding
-              puts "TRANS2_FIND_FIRST2 parameters"
-              puts "#{Rex::Text.to_hex_dump(parameters)}"
               smb_cmd_trans2_find_first2(c, parameters)
             else
               dprint("\t[Unsupported/Unknown command] SUB_COMMAND: #{sub_command}")

lib/msf/core/exploit/smb/server/share/command/trans2/query_file_information.rb

@@ -10,18 +10,25 @@ module Msf
 
             def smb_cmd_trans2_query_file_information(c, buff)
               #dprint("[smb_cmd_trans2_query_file_information]")
-              ar = Rex::Text.to_hex(buff, '').to_s
-              loi = ar[148..151].unpack('n*').reverse.pack('n*').to_i(16)
+              #ar = Rex::Text.to_hex(buff, '').to_s
+              #loi = ar[148..151].unpack('n*').reverse.pack('n*').to_i(16)
+
+              params = CONST::SMB_QUERY_FILE_TRANS2_PARAMETERS.make_struct
+              params.from_s(buff)
+
+              loi = params.v['InformationLevel']
+              fid = params.v['FID']
+
               case loi
               when CONST::SMB_QUERY_FILE_STANDARD_INFO, CONST::SMB_QUERY_FILE_STANDARD_INFO_ALIAS
                 #dprint("\t\t[smb_cmd_trans_query_file_info_standard]")
-                smb_cmd_trans_query_file_info_standard(c, buff)
+                smb_cmd_trans_query_file_info_standard(c, fid)
               when CONST::SMB_QUERY_FILE_BASIC_INFO, CONST::SMB_QUERY_FILE_BASIC_INFO_ALIAS, CONST::SMB_SET_FILE_BASIC_INFO_ALIAS
                 #dprint("\t\t[smb_cmd_trans_query_file_info_basic]")
-                smb_cmd_trans_query_file_info_basic(c, buff)
-              when CONST::SMB_QUERY_FILE_NETWORK_OPEN_INFO
-                dprint("\t\t[smb_cmd_trans_query_file_info_network]")
-                smb_cmd_trans_query_file_info_network(c, buff)
+                smb_cmd_trans_query_file_info_basic(c, fid)
+              #when CONST::SMB_QUERY_FILE_NETWORK_OPEN_INFO
+                #dprint("\t\t[smb_cmd_trans_query_file_info_network]")
+                #smb_cmd_trans_query_file_info_network(c, fid)
               else
                 dprint("\t\tUnknown LOI [smb_cmd_trans2_query_file_information] - #{loi.to_s}")
                 # SEND success with the hope of going ahead...

lib/msf/core/exploit/smb/server/share/information_level/query.rb

@@ -273,8 +273,9 @@ module Msf
             pkt.from_s(buff)
 
             payload = pkt['Payload'].v['SetupData'].gsub(/\x00/, '').gsub(/.*\\/, '').chomp.strip
-            #dprint("[smb_cmd_trans_query_file_info_network] Payload length: #{payload.length.to_s}")
-            #dprint("[smb_cmd_trans_query_file_info_network] Payload is : #{payload.to_s}")
+
+            dprint("[smb_cmd_trans_query_file_info_network] Payload length: #{payload.length.to_s}")
+            dprint("[smb_cmd_trans_query_file_info_network] Payload is : #{payload.to_s}")
 
             if payload.length.to_s.eql?('4')
               attrib = "\x10\x00\x00\x00" # File attributes => directory
@@ -296,19 +297,19 @@ module Msf
             pkt['Payload'].v['DataCount'] = 56
             pkt['Payload'].v['DataOffset'] = 60
             pkt['Payload'].v['Payload'] =
-                "\x00" + # Padding
-                # QUERY_PATH_INFO Parameters
-                "\x00\x00" + # EA Error Offset
-                "\x00\x00" + # Padding
-                # QUERY_PATH_INFO Data
-                [lo, hi].pack("VV") + # Created
-                [lo, hi].pack("VV") + # Last Access
-                [lo, hi].pack("VV") + # Last Write
-                [lo, hi].pack("VV") + # Change
-                "\x00\x00\x10\x00\x00\x00\x00\x00" + # Allocation Size = 1048576 || 1Mb
-                [exe_contents.length].pack("V") + "\x00\x00\x00\x00" + # End Of File
-                attrib +
-                "\x00\x00\x00\x00" # Unknown
+              "\x00" + # Padding
+              # QUERY_PATH_INFO Parameters
+              "\x00\x00" + # EA Error Offset
+              "\x00\x00" + # Padding
+              # QUERY_PATH_INFO Data
+              [lo, hi].pack("VV") + # Created
+              [lo, hi].pack("VV") + # Last Access
+              [lo, hi].pack("VV") + # Last Write
+              [lo, hi].pack("VV") + # Change
+              "\x00\x00\x10\x00\x00\x00\x00\x00" + # Allocation Size = 1048576 || 1Mb
+              [exe_contents.length].pack("V") + "\x00\x00\x00\x00" + # End Of File
+              attrib +
+              "\x00\x00\x00\x00" # Unknown
 
             my_pkt = pkt.to_s
             original_length = my_pkt[2, 2].unpack("n").first