From 1d602d38c9e99236e63806b4371bc60e0e2f4c16 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Sat, 28 Feb 2015 12:10:48 -0600
Subject: [PATCH 1/2] Refactor SessionSetupAndx handler
---
 .../share/command/session_setup_andx.rb | 47 ++++++++++++++-----
 1 file changed, 35 insertions(+), 12 deletions(-)
diff --git a/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb b/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb
index f278729749f4..f7f43f8e9228 100644
--- a/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb
@@ -19,6 +19,28 @@ def smb_cmd_session_setup(c, buff)
 tree_connect_response.v['GuestAccessRights'] = 0
 tree_connect_response.v['Payload'] = "A:\x00#{Rex::Text.to_unicode('NTFS')}\x00\x00"
 
+ data = Rex::Text.to_unicode('Unix', 'utf-16be') + "\x00\x00" + # Native OS # Samba signature
+ Rex::Text.to_unicode('Samba 3.4.7', 'utf-16be') + "\x00\x00" + # Native LAN Manager # Samba signature
+ Rex::Text.to_unicode('WORKGROUP', 'utf-16be') + "\x00\x00\x00" # Primary DOMAIN # Samba signature
+
+ send_session_setup_andx_res(c, {
+ action: CONST::SMB_SETUP_GUEST,
+ data: data,
+ andx: CONST::SMB_COM_TREE_CONNECT_ANDX,
+ andx_offset: 96,
+ andx_command: tree_connect_response
+ })
+ end
+
+ def send_session_setup_andx_res(c, opts = {})
+ action = opts[:action] || 0
+ andx_offset = opts[:andx_offset] || 0
+ reserved = opts[:reserved] || 0
+ andx = opts[:andx] || CONST::SMB_COM_NO_ANDX_COMMAND
+ data = opts[:data] || ''
+ andx_command = opts[:andx_command] || nil
+
+
 pkt = CONST::SMB_SETUP_RES_PKT.make_struct
 smb_set_defaults(c, pkt)
 
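Review bot: `send_session_setup_andx_res` is added without the comment block that every handler in this module carries (the `# Sets up an SMB session in response to a SESSION_SETUP_ANDX request` header visible later on this page), so the accepted `opts` keys can only be learned by reading the defaults. I would put a short header above the `def` listing `:action`, `:andx`, `:andx_offset`, `:reserved`, `:data` and `:andx_command`, and stating that `:andx_offset` defaults to `0` and is never recomputed from `:data`, so a caller passing `:andx_command` must supply the offset itself (presumably the serialized size of the session-setup response, which is why the caller above hard-codes `96`). `andx_command = opts[:andx_command] || nil` can simply be `andx_command = opts[:andx_command]`, since `opts[...]` already yields `nil` for a missing key. Both methods in this hunk are cut by its edges: `smb_cmd_session_setup` begins before it and `send_session_setup_andx_res` continues in the next hunk.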
@@ -26,19 +48,20 @@ def smb_cmd_session_setup(c, buff)
 pkt['Payload']['SMB'].v['Flags1'] = FLAGS
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 3
- pkt['Payload'].v['AndX'] = CONST::SMB_COM_TREE_CONNECT_ANDX
- pkt['Payload'].v['Reserved1'] = 00
- pkt['Payload'].v['AndXOffset'] = 96
- pkt['Payload'].v['Action'] = CONST::SMB_SETUP_GUEST
- pkt['Payload'].v['Payload'] =
- Rex::Text.to_unicode('Unix', 'utf-16be') + "\x00\x00" + # Native OS # Samba signature
- Rex::Text.to_unicode('Samba 3.4.7', 'utf-16be') + "\x00\x00" + # Native LAN Manager # Samba signature
- Rex::Text.to_unicode('WORKGROUP', 'utf-16be') + "\x00\x00\x00" # Primary DOMAIN # Samba signature
+ pkt['Payload'].v['AndX'] = andx
+ pkt['Payload'].v['Reserved1'] = reserved
+ pkt['Payload'].v['AndXOffset'] = andx_offset
+ pkt['Payload'].v['Action'] = action
+ pkt['Payload'].v['Payload'] = data
 
- full_pkt = pkt.to_s + tree_connect_response.to_s
- original_length = full_pkt[2, 2].unpack('n')[0]
- original_length = original_length + tree_connect_response.to_s.length
- full_pkt[2, 2] = [original_length].pack('n')
+ if andx_command
+ full_pkt = pkt.to_s + andx_command.to_s
+ original_length = full_pkt[2, 2].unpack('n')[0]
+ original_length = original_length + andx_command.to_s.length
+ full_pkt[2, 2] = [original_length].pack('n')
+ else
+ full_pkt = pkt.to_s
+ end
 
 c.put(full_pkt)
 end
From eb7ac02d1aa050df1cf7ab012dae6eb512410338 Mon Sep 17 00:00:00 2001
From: jvazquez-r7
Date: Sat, 28 Feb 2015 12:14:58 -0600
Subject: [PATCH 2/2] Normalize handlers names
---
 lib/msf/core/exploit/smb/server/share.rb | 8 ++++----
 .../exploit/smb/server/share/command/nt_create_andx.rb | 2 +-
 .../core/exploit/smb/server/share/command/read_andx.rb | 2 +-
 .../smb/server/share/command/session_setup_andx.rb | 2 +-
 lib/msf/core/exploit/smb/server/share/command/trans2.rb | 2 +-
 5 files changed, 8 insertions(+), 8 deletions(-)
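Review bot: The `if andx_command` branch serializes `andx_command` twice and repeats the `pkt.to_s` call in both branches; building `full_pkt` once and appending the chained command only when one is present produces the same bytes with less duplication. The value patched at `full_pkt[2, 2]` is a 16-bit big-endian length at offset 2 of the serialized packet — presumably the NetBIOS session-service length — and deserves a one-line comment, since nothing in the method says why it must be bumped after the concatenation. `pack('n')` also silently keeps only the low 16 bits, which was harmless while the appended data was the fixed TREE_CONNECT_ANDX response but is worth a note now that the helper accepts arbitrary `:data` and `:andx_command`. `send_session_setup_andx_res` begins before this hunk.
```ruby
# … unchanged: AndX / Reserved1 / AndXOffset / Action / Payload field assignments …
full_pkt = pkt.to_s
if andx_command
  andx_bytes = andx_command.to_s
  full_pkt += andx_bytes
  # the length pkt.to_s wrote does not cover the appended AndX block; extend the
  # 16-bit big-endian length at offset 2 (presumably the NBSS length) by its size
  full_pkt[2, 2] = [full_pkt[2, 2].unpack('n')[0] + andx_bytes.length].pack('n')
end
c.put(full_pkt)
```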
diff --git a/lib/msf/core/exploit/smb/server/share.rb b/lib/msf/core/exploit/smb/server/share.rb
index 103eb6595f71..412616d20bc4 100644
--- a/lib/msf/core/exploit/smb/server/share.rb
+++ b/lib/msf/core/exploit/smb/server/share.rb
@@ -145,17 +145,17 @@ def smb_cmd_dispatch(cmd, c, buff)
 when CONST::SMB_COM_SESSION_SETUP_ANDX
 word_count = pkt['Payload']['SMB'].v['WordCount']
 if word_count == 0x0D # Share Security Mode sessions
- smb_cmd_session_setup(c, buff)
+ smb_cmd_session_setup_andx(c, buff)
 else
 print_status("SMB Share - #{smb[:ip]} Unknown SMB_COM_SESSION_SETUP_ANDX request type , ignoring... ")
 smb_error(cmd, c, CONST::SMB_STATUS_SUCCESS)
 end
 when CONST::SMB_COM_TRANSACTION2
- smb_cmd_trans(c, buff)
+ smb_cmd_trans2(c, buff)
 when CONST::SMB_COM_NT_CREATE_ANDX
- smb_cmd_create(c, buff)
+ smb_cmd_nt_create_andx(c, buff)
 when CONST::SMB_COM_READ_ANDX
- smb_cmd_read(c, buff)
+ smb_cmd_read_andx(c, buff)
 when CONST::SMB_COM_CLOSE
 smb_cmd_close(c, buff)
 else
diff --git a/lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb b/lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb
index db09f1e68073..1093456aae63 100644
--- a/lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb
@@ -8,7 +8,7 @@ module NtCreateAndx
 #
 # Responds to a client NT_CREATE_ANDX request
 #
- def smb_cmd_create(c, buff)
+ def smb_cmd_nt_create_andx(c, buff)
 smb = @state[c]
 pkt = CONST::SMB_CREATE_PKT.make_struct
 pkt.from_s(buff)
diff --git a/lib/msf/core/exploit/smb/server/share/command/read_andx.rb b/lib/msf/core/exploit/smb/server/share/command/read_andx.rb
index 6f5b6e43378c..821b6e8bcb94 100644
--- a/lib/msf/core/exploit/smb/server/share/command/read_andx.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/read_andx.rb
@@ -11,7 +11,7 @@ module ReadAndx
 # by reading the offset and length requested by the client
 # and sending the appropriate chunk of the payload
 #
- def smb_cmd_read(c, buff)
+ def smb_cmd_read_andx(c, buff)
 pkt = CONST::SMB_READ_PKT.make_struct
 pkt.from_s(buff)
diff --git a/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb b/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb
index f7f43f8e9228..d51b689ff9a0 100644
--- a/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb
@@ -8,7 +8,7 @@ module SessionSetupAndx
 #
 # Sets up an SMB session in response to a SESSION_SETUP_ANDX request
 #
- def smb_cmd_session_setup(c, buff)
+ def smb_cmd_session_setup_andx(c, buff)
 tree_connect_response = CONST::SMB_TREE_CONN_ANDX_RES_PKT.make_struct
 tree_connect_response.v['WordCount'] = 7
 tree_connect_response.v['AndXCommand'] = CONST::SMB_COM_NO_ANDX_COMMAND
diff --git a/lib/msf/core/exploit/smb/server/share/command/trans2.rb b/lib/msf/core/exploit/smb/server/share/command/trans2.rb
index ce8424a76f40..c016ab3d8a22 100644
--- a/lib/msf/core/exploit/smb/server/share/command/trans2.rb
+++ b/lib/msf/core/exploit/smb/server/share/command/trans2.rb
@@ -16,7 +16,7 @@ module Trans2
 # QUERY_FILE_INFO (Basic, Standard and Internal)
 # QUERY_PATH_INFO (Basic and Standard)
 #
- def smb_cmd_trans(c, buff)
+ def smb_cmd_trans2(c, buff)
 pkt = CONST::SMB_TRANS2_PKT.make_struct
 pkt.from_s(buff)