From ee18cf592bbb61894b8566f845f940685f2b4617 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Wed, 25 Feb 2015 16:00:26 -0600
Subject: [PATCH] Calculate ParamCount and DataCount

---
 .../server/share/information_level/find.rb | 24 +++++++++----------
 .../server/share/information_level/query.rb | 24 +++++++++----------
 2 files changed, 24 insertions(+), 24 deletions(-)

diff --git a/lib/msf/core/exploit/smb/server/share/information_level/find.rb b/lib/msf/core/exploit/smb/server/share/information_level/find.rb
index fe47bb481f..a129b635f0 100644
--- a/lib/msf/core/exploit/smb/server/share/information_level/find.rb
+++ b/lib/msf/core/exploit/smb/server/share/information_level/find.rb
@@ -62,11 +62,11 @@ module Msf
 pkt['Payload']['SMB'].v['Flags1'] = FLAGS
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 10
- pkt['Payload'].v['ParamCountTotal'] = 10
- pkt['Payload'].v['DataCountTotal'] = CONST::SMB_FIND_FILE_BOTH_DIRECTORY_INFO_HDR_LENGTH + data.length
- pkt['Payload'].v['ParamCount'] = 10
+ pkt['Payload'].v['ParamCountTotal'] = trans2_params.to_s.length
+ pkt['Payload'].v['DataCountTotal'] = find_file.to_s.length
+ pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
 pkt['Payload'].v['ParamOffset'] = 56
- pkt['Payload'].v['DataCount'] = CONST::SMB_FIND_FILE_BOTH_DIRECTORY_INFO_HDR_LENGTH + data.length
+ pkt['Payload'].v['DataCount'] = find_file.to_s.length
 pkt['Payload'].v['DataOffset'] = 68
 pkt['Payload'].v['Payload'] = "\x00" + # Padding
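Review bot: The new count lines use `String#length`, which counts characters, while `ParamCount`/`DataCount` are byte counts on the wire; if `trans2_params.to_s` or `find_file.to_s` ever yields a string tagged with a multi-byte encoding (a Unicode file name is the obvious candidate) the counts fall short, so `trans2_params.to_s.bytesize` / `find_file.to_s.bytesize` is the safer form — the same applies to the `@@ -113` and `@@ -183` hunks below and to all three query.rb hunks. `ParamOffset = 56` and `DataOffset = 68` stay hard-coded, so the data offset is only correct while the parameter block serialises to 10 bytes (56 + 10 + what is presumably 2 bytes of alignment padding); now that `ParamCount` is computed, deriving the offset from it, e.g. `pkt['Payload'].v['DataOffset'] = 56 + param_len + 2`, keeps the header self-consistent (query.rb's `60` carries the same hidden assumption about a 2-byte parameter block). Each struct is also serialised three times per packet; computing `param_len = trans2_params.to_s.bytesize` and `data_len = find_file.to_s.bytesize` once and assigning the four count fields from them avoids that and makes the relationship between the fields visible. The enclosing method begins before the hunk and continues after it, so whether `find_file` is fully populated at this point cannot be confirmed from the diff.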
@@ -113,11 +113,11 @@ module Msf
 pkt['Payload']['SMB'].v['Flags1'] = FLAGS
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 10
- pkt['Payload'].v['ParamCountTotal'] = 10
- pkt['Payload'].v['DataCountTotal'] = CONST::SMB_FIND_FILE_NAMES_INFO_HDR_LENGTH + data.length + UNICODE_NULL_LENGTH
- pkt['Payload'].v['ParamCount'] = 10
+ pkt['Payload'].v['ParamCountTotal'] = trans2_params.to_s.length
+ pkt['Payload'].v['DataCountTotal'] = find_file.to_s.length + UNICODE_NULL_LENGTH
+ pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
 pkt['Payload'].v['ParamOffset'] = 56
- pkt['Payload'].v['DataCount'] = CONST::SMB_FIND_FILE_NAMES_INFO_HDR_LENGTH + data.length + UNICODE_NULL_LENGTH
+ pkt['Payload'].v['DataCount'] = find_file.to_s.length + UNICODE_NULL_LENGTH
 pkt['Payload'].v['DataOffset'] = 68
 pkt['Payload'].v['Payload'] = "\x00" + # Padding
@@ -183,11 +183,11 @@ module Msf
 pkt['Payload']['SMB'].v['Flags1'] = FLAGS
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 10
- pkt['Payload'].v['ParamCountTotal'] = 10
- pkt['Payload'].v['DataCountTotal'] = CONST::SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR_LENGTH + data.length
- pkt['Payload'].v['ParamCount'] = 10
+ pkt['Payload'].v['ParamCountTotal'] = trans2_params.to_s.length
+ pkt['Payload'].v['DataCountTotal'] = find_file.to_s.length
+ pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
 pkt['Payload'].v['ParamOffset'] = 56
- pkt['Payload'].v['DataCount'] = CONST::SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR_LENGTH + data.length
+ pkt['Payload'].v['DataCount'] = find_file.to_s.length
 pkt['Payload'].v['DataOffset'] = CONST::SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR_LENGTH
 pkt['Payload'].v['Payload'] = "\x00" + # Padding
diff --git a/lib/msf/core/exploit/smb/server/share/information_level/query.rb b/lib/msf/core/exploit/smb/server/share/information_level/query.rb
index dc5f46a737..a983ee49ed 100644
--- a/lib/msf/core/exploit/smb/server/share/information_level/query.rb
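Review bot: In the `@@ -183` hunk the recomputed `DataCount` now sits directly above `DataOffset = CONST::SMB_FIND_FILE_FULL_DIRECTORY_INFO_HDR_LENGTH`, which assigns a structure header length to a packet offset field; the other two find responses use the literal `68`, so this appears to work only because the constant happens to coincide with that value. The commit leaves that line untouched, but since it already derives the neighbouring counts from the serialised structs, setting the offset the same way as the other responses (`56` plus the parameter block length plus the padding, or the literal `68` they use) would remove the coincidence, with a comment such as `# data follows the 56-byte header+parameter area plus 2 bytes of alignment padding` if a literal is kept. The `@@ -113` hunk on this line shares the count concern: `ParamCount`/`DataCount` are byte counts, so `.to_s.bytesize` is the safer call than `.to_s.length` for `trans2_params` and `find_file`. Both enclosing methods start and end outside their hunks.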
+++ b/lib/msf/core/exploit/smb/server/share/information_level/query.rb
@@ -38,11 +38,11 @@ module Msf
 pkt['Payload']['SMB'].v['Flags1'] = FLAGS
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 10
- pkt['Payload'].v['ParamCountTotal'] = 2
- pkt['Payload'].v['DataCountTotal'] = CONST::SMB_QUERY_FILE_STANDARD_INFO_HDR_LENGTH + UNICODE_NULL_LENGTH
- pkt['Payload'].v['ParamCount'] = 2
+ pkt['Payload'].v['ParamCountTotal'] = trans2_params.to_s.length
+ pkt['Payload'].v['DataCountTotal'] = query_path_info.to_s.length + UNICODE_NULL_LENGTH
+ pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
 pkt['Payload'].v['ParamOffset'] = 56
- pkt['Payload'].v['DataCount'] = CONST::SMB_QUERY_FILE_STANDARD_INFO_HDR_LENGTH + UNICODE_NULL_LENGTH
+ pkt['Payload'].v['DataCount'] = query_path_info.to_s.length + UNICODE_NULL_LENGTH
 pkt['Payload'].v['DataOffset'] = 60
 pkt['Payload'].v['Payload'] = "\x00" + # Padding
@@ -98,11 +98,11 @@ module Msf
 pkt['Payload']['SMB'].v['Flags1'] = FLAGS
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 10
- pkt['Payload'].v['ParamCountTotal'] = 2
- pkt['Payload'].v['DataCountTotal'] = CONST::SMB_QUERY_FILE_BASIC_INFO_HDR_LENGTH
- pkt['Payload'].v['ParamCount'] = 2
+ pkt['Payload'].v['ParamCountTotal'] = trans2_params.to_s.length
+ pkt['Payload'].v['DataCountTotal'] = query_path_info.to_s.length
+ pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
 pkt['Payload'].v['ParamOffset'] = 56
- pkt['Payload'].v['DataCount'] = CONST::SMB_QUERY_FILE_BASIC_INFO_HDR_LENGTH
+ pkt['Payload'].v['DataCount'] = query_path_info.to_s.length
 pkt['Payload'].v['DataOffset'] = 60
 pkt['Payload'].v['Payload'] = "\x00" + # Padding
@@ -159,11 +159,11 @@ module Msf
 pkt['Payload']['SMB'].v['Flags1'] = FLAGS
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 10
- pkt['Payload'].v['ParamCountTotal'] = 2
- pkt['Payload'].v['DataCountTotal'] = CONST::SMB_QUERY_FILE_STANDARD_INFO_HDR_LENGTH + UNICODE_NULL_LENGTH
- pkt['Payload'].v['ParamCount'] = 2
+ pkt['Payload'].v['ParamCountTotal'] = trans2_params.to_s.length
+ pkt['Payload'].v['DataCountTotal'] = query_path_info.to_s.length + UNICODE_NULL_LENGTH
+ pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
 pkt['Payload'].v['ParamOffset'] = 56
- pkt['Payload'].v['DataCount'] = CONST::SMB_QUERY_FILE_STANDARD_INFO_HDR_LENGTH + UNICODE_NULL_LENGTH
+ pkt['Payload'].v['DataCount'] = query_path_info.to_s.length + UNICODE_NULL_LENGTH
 pkt['Payload'].v['DataOffset'] = 60
 pkt['Payload'].v['Payload'] = "\x00" + # Padding