From ec53e27249aeae849f0006b60155fda4a5e3478a Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Tue, 24 Feb 2015 17:20:41 -0600
Subject: [PATCH] Do better handling of TRAN2_QUERY_FILE_INFORMATION requests
---
 .../smb/server/share/command/trans2.rb | 9 ++----
 .../command/trans2/query_file_information.rb | 21 ++++++++-----
 .../server/share/information_level/query.rb | 31 ++++++++++---------
 3 files changed, 33 insertions(+), 28 deletions(-)
diff --git a/lib/msf/core/exploit/smb/server/share/command/trans2.rb b/lib/msf/core/exploit/smb/server/share/command/trans2.rb
index 020a6456c6..a525d1a33d 100644
--- a/lib/msf/core/exploit/smb/server/share/command/trans2.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/trans2.rb
@@ -31,16 +31,13 @@ module Msf
 case sub_command
 when CONST::TRANS2_QUERY_FILE_INFO
- smb_cmd_trans2_query_file_information(c, buff)
+ parameters = data_trans2.v['Parameters'].gsub(/^[\x00]*/, '') #delete padding
+ #smb_cmd_trans2_query_file_information(c, buff)
+ smb_cmd_trans2_query_file_information(c, parameters)
 when CONST::TRANS2_QUERY_PATH_INFO
 smb_cmd_trans2_query_path_information(c, buff)
 when CONST::TRANS2_FIND_FIRST2
- puts "TRANS2_FIND_FIRST2"
- puts "#{Rex::Text.to_hex_dump(pkt['Payload'].v['SetupData'])}"
- #smb_cmd_trans2_find_first2(c, buff)
 parameters = data_trans2.v['Parameters'].gsub(/^[\x00]*/, '') #delete padding
- puts "TRANS2_FIND_FIRST2 parameters"
- puts "#{Rex::Text.to_hex_dump(parameters)}"
 smb_cmd_trans2_find_first2(c, parameters)
 else
 dprint("\t[Unsupported/Unknown command] SUB_COMMAND: #{sub_command}")
diff --git a/lib/msf/core/exploit/smb/server/share/command/trans2/query_file_information.rb b/lib/msf/core/exploit/smb/server/share/command/trans2/query_file_information.rb
index baa85ace06..2d1fbfe8f4 100644
--- a/lib/msf/core/exploit/smb/server/share/command/trans2/query_file_information.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/trans2/query_file_information.rb
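Review bot: The padding strip `data_trans2.v['Parameters'].gsub(/^[\x00]*/, '')` that now feeds `smb_cmd_trans2_query_file_information` anchors on `^`, which in Ruby matches after every newline byte, so any `\x0a` inside the binary parameter block (a FID of 10 is encoded `\x0a\x00`) has the NUL bytes following it deleted as well, and a genuine leading zero byte of the first field is indistinguishable from padding and is stripped too. Because the query_file_information.rb hunk parses `FID` and `InformationLevel` out of this stripped buffer, the corruption lands directly in the values the dispatcher acts on; the pre-existing `TRANS2_FIND_FIRST2` branch uses the same expression. At minimum use `parameters = data_trans2.v['Parameters'].sub(/\A\x00*/, '')`, but the robust fix is to slice the parameter block by the parameter offset and count the TRANS2 request header carries rather than guessing at padding. The commented-out `#smb_cmd_trans2_query_file_information(c, buff)` line can be dropped, since history keeps it. The enclosing `case` and its method start and end outside the hunk.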
@@ -10,18 +10,25 @@ module Msf
 def smb_cmd_trans2_query_file_information(c, buff)
 #dprint("[smb_cmd_trans2_query_file_information]")
- ar = Rex::Text.to_hex(buff, '').to_s
- loi = ar[148..151].unpack('n*').reverse.pack('n*').to_i(16)
+ #ar = Rex::Text.to_hex(buff, '').to_s
+ #loi = ar[148..151].unpack('n*').reverse.pack('n*').to_i(16)
+
+ params = CONST::SMB_QUERY_FILE_TRANS2_PARAMETERS.make_struct
+ params.from_s(buff)
+
+ loi = params.v['InformationLevel']
+ fid = params.v['FID']
+
 case loi
 when CONST::SMB_QUERY_FILE_STANDARD_INFO, CONST::SMB_QUERY_FILE_STANDARD_INFO_ALIAS
 #dprint("\t\t[smb_cmd_trans_query_file_info_standard]")
- smb_cmd_trans_query_file_info_standard(c, buff)
+ smb_cmd_trans_query_file_info_standard(c, fid)
 when CONST::SMB_QUERY_FILE_BASIC_INFO, CONST::SMB_QUERY_FILE_BASIC_INFO_ALIAS, CONST::SMB_SET_FILE_BASIC_INFO_ALIAS
 #dprint("\t\t[smb_cmd_trans_query_file_info_basic]")
- smb_cmd_trans_query_file_info_basic(c, buff)
- when CONST::SMB_QUERY_FILE_NETWORK_OPEN_INFO
- dprint("\t\t[smb_cmd_trans_query_file_info_network]")
- smb_cmd_trans_query_file_info_network(c, buff)
+ smb_cmd_trans_query_file_info_basic(c, fid)
+ #when CONST::SMB_QUERY_FILE_NETWORK_OPEN_INFO
+ #dprint("\t\t[smb_cmd_trans_query_file_info_network]")
+ #smb_cmd_trans_query_file_info_network(c, fid)
 else
 dprint("\t\tUnknown LOI [smb_cmd_trans2_query_file_information] - #{loi.to_s}")
 # SEND success with the hope of going ahead...
diff --git a/lib/msf/core/exploit/smb/server/share/information_level/query.rb b/lib/msf/core/exploit/smb/server/share/information_level/query.rb
index 91805cbeeb..e2065c1484 100644
--- a/lib/msf/core/exploit/smb/server/share/information_level/query.rb
+++ b/lib/msf/core/exploit/smb/server/share/information_level/query.rb
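Review bot: `params.from_s(buff)` is called without checking that `buff` is long enough to hold a `SMB_QUERY_FILE_TRANS2_PARAMETERS` struct, so a short or truncated parameter block from the client reaches `case loi` with whatever `from_s` leaves in `InformationLevel` and `FID` — presumably zero or nil, which then lands in the `else` "send success and hope" branch with only a debug line to show for it; a guard such as `return dprint("\t\t[smb_cmd_trans2_query_file_information] short parameter block") if buff.length < PARAMS_LEN` (PARAMS_LEN being a placeholder for the struct's encoded size) before the parse would make that explicit. Commenting out the `SMB_QUERY_FILE_NETWORK_OPEN_INFO` arm also routes that level to the same fallback, and the commented call would now pass `fid` to `smb_cmd_trans_query_file_info_network`, which the query.rb hunk in this commit shows still expects a whole packet (`pkt.from_s(buff)`), so restoring the line as written would break; if dropping the arm is deliberate, a one-line comment saying why belongs there instead of the dead `#when`/`#dprint`/`#smb_cmd…` lines. The `#ar`/`#loi` remnants are in git history and can go as well. The method's closing lines are outside the hunk.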
@@ -273,8 +273,9 @@ module Msf
 pkt.from_s(buff)
 payload = pkt['Payload'].v['SetupData'].gsub(/\x00/, '').gsub(/.*\\/, '').chomp.strip
- #dprint("[smb_cmd_trans_query_file_info_network] Payload length: #{payload.length.to_s}")
- #dprint("[smb_cmd_trans_query_file_info_network] Payload is : #{payload.to_s}")
+
+ dprint("[smb_cmd_trans_query_file_info_network] Payload length: #{payload.length.to_s}")
+ dprint("[smb_cmd_trans_query_file_info_network] Payload is : #{payload.to_s}")
 if payload.length.to_s.eql?('4')
 attrib = "\x10\x00\x00\x00" # File attributes => directory
@@ -296,19 +297,19 @@ module Msf
 pkt['Payload'].v['DataCount'] = 56
 pkt['Payload'].v['DataOffset'] = 60
 pkt['Payload'].v['Payload'] =
- "\x00" + # Padding
- # QUERY_PATH_INFO Parameters
- "\x00\x00" + # EA Error Offset
- "\x00\x00" + # Padding
- # QUERY_PATH_INFO Data
- [lo, hi].pack("VV") + # Created
- [lo, hi].pack("VV") + # Last Access
- [lo, hi].pack("VV") + # Last Write
- [lo, hi].pack("VV") + # Change
- "\x00\x00\x10\x00\x00\x00\x00\x00" + # Allocation Size = 1048576 || 1Mb
- [exe_contents.length].pack("V") + "\x00\x00\x00\x00" + # End Of File
- attrib +
- "\x00\x00\x00\x00" # Unknown
+ "\x00" + # Padding
+ # QUERY_PATH_INFO Parameters
+ "\x00\x00" + # EA Error Offset
+ "\x00\x00" + # Padding
+ # QUERY_PATH_INFO Data
+ [lo, hi].pack("VV") + # Created
+ [lo, hi].pack("VV") + # Last Access
+ [lo, hi].pack("VV") + # Last Write
+ [lo, hi].pack("VV") + # Change
+ "\x00\x00\x10\x00\x00\x00\x00\x00" + # Allocation Size = 1048576 || 1Mb
+ [exe_contents.length].pack("V") + "\x00\x00\x00\x00" + # End Of File
+ attrib +
+ "\x00\x00\x00\x00" # Unknown
 my_pkt = pkt.to_s
 original_length = my_pkt[2, 2].unpack("n").first
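Review bot: The re-enabled `dprint` lines in `smb_cmd_trans_query_file_info_network` interpolate `#{payload.length.to_s}` and `#{payload.to_s}`; interpolation already calls `to_s`, so `#{payload.length}` and `#{payload}` read cleaner. More importantly, this handler still parses a whole packet with `pkt.from_s(buff)` while the query_file_information.rb hunk in the same commit comments out its only visible caller (which would hand it `fid` rather than a packet if restored), so unless it is reached from another path these debug lines are now dead code; a short comment on the method stating its current status would spare the next reader that trace. The second hunk in this file only re-indents the payload literal. The method starts and ends outside the hunk.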