130 lines
2.8 KiB
Ruby
130 lines
2.8 KiB
Ruby
#!/usr/bin/ruby
|
|
|
|
$:.unshift(File.join(File.dirname(__FILE__), '..', '..', '..'))
|
|
|
|
require 'rex/test'
|
|
require 'rex/proto/smb'
|
|
require 'rex/proto/dcerpc'
|
|
require 'rex/socket'
|
|
|
|
class Rex::Proto::SMB::SimpleClient::UnitTest < Test::Unit::TestCase
|
|
|
|
Klass = Rex::Proto::SMB::SimpleClient
|
|
|
|
# Alias over the Rex DCERPC protocol modules
|
|
DCERPCPacket = Rex::Proto::DCERPC::Packet
|
|
DCERPCClient = Rex::Proto::DCERPC::Client
|
|
DCERPCResponse = Rex::Proto::DCERPC::Response
|
|
DCERPCUUID = Rex::Proto::DCERPC::UUID
|
|
XCEPT = Rex::Proto::SMB::Exceptions
|
|
|
|
FILE_CREATE = 0x10
|
|
FILE_TRUNC = 0x02
|
|
FILE_OPEN = 0x01
|
|
|
|
|
|
def test_smb_open_share
|
|
user = 'SMBTest'
|
|
pass = 'SMBTest'
|
|
share = 'C$'
|
|
|
|
write_data = ('A' * (1024 * 8))
|
|
filename = 'smb_tester.txt'
|
|
begin
|
|
timeout($_REX_TEST_TIMEOUT) {
|
|
s = Rex::Socket.create_tcp(
|
|
'PeerHost' => $_REX_TEST_SMB_HOST,
|
|
'PeerPort' => 445
|
|
)
|
|
|
|
c = Klass.new(s, true)
|
|
c.client.evasion_level = 0
|
|
|
|
begin
|
|
c.login('*SMBSERVER', user, pass)
|
|
rescue XCEPT::LoginError
|
|
flunk('login failure')
|
|
end
|
|
|
|
c.connect(share)
|
|
|
|
f = c.open(filename, 'rwct')
|
|
f << write_data
|
|
f.close
|
|
|
|
f = c.open(filename, 'ro')
|
|
d = f.read()
|
|
f.close
|
|
|
|
c.delete(filename)
|
|
c.disconnect(share)
|
|
|
|
s.close
|
|
}
|
|
rescue Timeout::Error
|
|
flunk('timeout')
|
|
end
|
|
end
|
|
|
|
def test_smb_dcerpc
|
|
begin
|
|
timeout($_REX_TEST_TIMEOUT) {
|
|
s = Rex::Socket.create_tcp(
|
|
'PeerHost' => $_REX_TEST_SMB_HOST,
|
|
'PeerPort' => 445
|
|
)
|
|
|
|
c = Klass.new(s, true)
|
|
c.client.evasion_level = 0
|
|
|
|
user = ''
|
|
pass = ''
|
|
|
|
begin
|
|
c.login('*SMBSERVER', user, pass)
|
|
rescue XCEPT::LoginError
|
|
flunk('login failure')
|
|
end
|
|
|
|
c.connect('IPC$')
|
|
f = c.create_pipe('\BROWSER')
|
|
|
|
bind, ctx = DCERPCPacket.make_bind_fake_multi(
|
|
'4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0',
|
|
10,
|
|
4
|
|
)
|
|
|
|
# Evasion techniques:
|
|
# 1) Write the bind out a few bytes at a time with a random offset
|
|
# 2) Read the response back a few bytes at a time with a random offset
|
|
|
|
# Write the bind request out in random chunk sizes
|
|
while (bind.length > 0)
|
|
f.write( bind.slice!(0, (rand(20)+5)), rand(1024)+1 )
|
|
end
|
|
|
|
d = ''
|
|
# Read the response back a few bytes a time
|
|
begin
|
|
while(true)
|
|
t = (f.read((rand(20)+5), rand(1024)+1))
|
|
last if ! t.length
|
|
d << t
|
|
end
|
|
rescue XCEPT::NoReply
|
|
end
|
|
|
|
r = DCERPCResponse.new(d)
|
|
assert_equal(r.type, 12)
|
|
assert_equal(r.ack_result[ctx-0], 0)
|
|
assert_equal(r.ack_result[ctx-1], 2)
|
|
|
|
s.close
|
|
}
|
|
rescue Timeout::Error
|
|
flunk('timeout')
|
|
end
|
|
end
|
|
end
|