Navigation

← Previous Changeset
Next Changeset →

Changeset 5072

Timestamp:

08/09/07 10:39:56 (1 year ago)

Author:

hdm

Message:

Resolve a bugin the ASN1 function, add new functionality to the SMB client class.

Files:

framework3/tags/framework-3.0/lib/rex/proto/smb/client.rb (modified) (4 diffs)
framework3/tags/framework-3.0/lib/rex/proto/smb/simpleclient.rb (modified) (4 diffs)
framework3/tags/framework-3.0/lib/rex/proto/smb/utils.rb (modified) (1 diff)

Legend:

: Unmodified
: Added
: Removed
: Modified
: Copied
: Moved

framework3/tags/framework-3.0/lib/rex/proto/smb/client.rb

r4891	r5072
433	433
434	434	# Negotiate a SMB dialect
435		def negotiate()
	435	def negotiate(extended=true)
436	436
437	437	dialects = ['LANMAN1.0', 'LM1.2X002' ]
…	…
448	448	pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NEGOTIATE
449	449	pkt['Payload']['SMB'].v['Flags1'] = 0x18
450		pkt['Payload']['SMB'].v['Flags2'] = 0x2801
	450
	451	if(extended)
	452	pkt['Payload']['SMB'].v['Flags2'] = 0x2801
	453	else
	454	pkt['Payload']['SMB'].v['Flags2'] = 0xc001
	455	end
	456
451	457	pkt['Payload'].v['Payload'] = data
452	458
…	…
619	625	return ack
620	626	end
	627
	628
	629	# Authenticate using NTLMv1 with a precomputed hash pair
	630	def session_setup_ntlmv1_prehash(user, domain, hash_lm, hash_nt)
	631
	632	data = ''
	633	data << hash_lm
	634	data << hash_nt
	635	data << user + "\x00"
	636	data << domain + "\x00"
	637	data << self.native_os + "\x00"
	638	data << self.native_lm + "\x00"
	639
	640	pkt = CONST::SMB_SETUP_NTLMV1_PKT.make_struct
	641	self.smb_defaults(pkt['Payload']['SMB'])
	642
	643	pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_SESSION_SETUP_ANDX
	644	pkt['Payload']['SMB'].v['Flags1'] = 0x18
	645	pkt['Payload']['SMB'].v['Flags2'] = 0x2001
	646	pkt['Payload']['SMB'].v['WordCount'] = 13
	647	pkt['Payload'].v['AndX'] = 255
	648	pkt['Payload'].v['MaxBuff'] = 0xffdf
	649	pkt['Payload'].v['MaxMPX'] = 2
	650	pkt['Payload'].v['VCNum'] = 1
	651	pkt['Payload'].v['PasswordLenLM'] = hash_lm.length
	652	pkt['Payload'].v['PasswordLenNT'] = hash_nt.length
	653	pkt['Payload'].v['Capabilities'] = 64
	654	pkt['Payload'].v['SessionKey'] = self.session_id
	655	pkt['Payload'].v['Payload'] = data
	656
	657	self.smb_send(pkt.to_s)
	658	ack = self.smb_recv_parse(CONST::SMB_COM_SESSION_SETUP_ANDX)
	659
	660	if (ack['Payload'].v['Action'] != 1 and user.length > 0)
	661	self.auth_user = user
	662	end
	663
	664	self.auth_user_id = ack['Payload']['SMB'].v['UserID']
	665
	666	info = ack['Payload'].v['Payload'].split(/\x00/)
	667
	668	self.peer_native_os = info[0]
	669	self.peer_native_lm = info[1]
	670	self.default_domain = info[2]
	671
	672	return ack
	673	end
621	674
622	675	# Authenticate using extended security negotiation (NTLMv2)
…	…
742	795
743	796	self.auth_user_id = ack['Payload']['SMB'].v['UserID']
	797
	798	if (ack['Payload'].v['Action'] != 1 and user.length > 0)
	799	self.auth_user = user
	800	end
744	801
745	802	return ack

framework3/tags/framework-3.0/lib/rex/proto/smb/simpleclient.rb

r3722	r5072
51	51	fptr = offset
52	52	ok = self.client.read(self.file_id, fptr, self.chunk_size)
53		while (ok['Payload'].v['DataLenLow'] > 0)
	53	while (ok and ok['Payload'].v['DataLenLow'] > 0)
54	54	buff = ok.to_s.slice(
55	55	ok['Payload'].v['DataOffset'] + 4,
…	…
61	61	end
62	62	fptr += ok['Payload'].v['DataLenLow']
63		ok = self.client.read(self.file_id, fptr, self.chunk_size)
	63
	64	begin
	65	ok = self.client.read(self.file_id, fptr, self.chunk_size)
	66	rescue XCEPT::ErrorCode => e
	67	case e.error_code
	68	when 0x00050001
	69	# Novell fires off an access denied error on EOF
	70	ok = nil
	71	else
	72	raise e
	73	end
	74	end
64	75	end
	76
65	77	return data
66	78	else
…	…
146	158
147	159	def write_trans(data, offset=0)
148		~~# Payload is not being filled the the response !?!!?~~
149	160	ack = self.client.trans_named_pipe(self.file_id, data)
150		@buff << ack['Payload'].v['Payload']
	161	doff = ack['Payload'].v['DataOffset']
	162	dlen = ack['Payload'].v['DataCount']
	163	@buff << ack.to_s[4+doff, dlen]
151	164	end
152	165	end
…	…
185	198	return true
186	199	end
187
	200
	201
	202	def login_split_start_ntlm1(name = '')
	203
	204	begin
	205
	206	if (self.direct != true)
	207	self.client.session_request(name)
	208	end
	209
	210	# Disable extended security
	211	self.client.negotiate(false)
	212	rescue ::Exception
	213	e = XCEPT::LoginError.new
	214	e.source = $!.to_s
	215	raise e
	216	end
	217
	218	return true
	219	end
	220
	221
	222	def login_split_next_ntlm1(user, domain, hash_lm, hash_nt)
	223	begin
	224	ok = self.client.session_setup_ntlmv1_prehash(user, domain, hash_lm, hash_nt)
	225	rescue ::Exception
	226	e = XCEPT::LoginError.new
	227	e.source = $!.to_s
	228	raise e
	229	end
	230
	231	return true
	232	end
	233
188	234	def connect(share)
189	235	ok = self.client.tree_connect(share)

framework3/tags/framework-3.0/lib/rex/proto/smb/utils.rb

r3631	r5072
95	95	end
96	96
	97	#
	98	# Prepends an ASN1 formatted length field to a piece of data
	99	#
97	100	def self.asn1encode(str = '')
98	101	res = ''
	102
	103	# If the high bit of the first byte is 1, it contains the number of
	104	# length bytes that follow
	105
99	106	case str.length
100		when 0 .. 0x80
	107	when 0 .. 0x7F
101	108	res = [str.length].pack('C') + str
102		when 0x8~~1 .. 0x100~~
	109	when 0x80 .. 0xFF
103	110	res = [0x81, str.length].pack('CC') + str
104		when 0x10~~1 .. 0x100000~~
	111	when 0x100 .. 0xFFFF
105	112	res = [0x82, str.length].pack('Cn') + str
106		when 0x100001 .. 0xffffffff
107		res = [0x83, str.length].pack('CN') + str
108		end
	113	when 0x10000 .. 0xffffff
	114	res = [0x83, str.length >> 16, str.length & 0xFFFF].pack('CCn') + str
	115	when 0x1000000 .. 0xffffffff
	116	res = [0x84, str.length].pack('CN') + str
	117	else
	118	raise "ASN1 str too long"
	119	end
109	120	return res
110	121	end

Navigation

Changeset 5072

Legend:

framework3/tags/framework-3.0/lib/rex/proto/smb/client.rb

framework3/tags/framework-3.0/lib/rex/proto/smb/simpleclient.rb

framework3/tags/framework-3.0/lib/rex/proto/smb/utils.rb

Download in other formats: