Improve nt_create_andx path parsing

jvazquez-r7 · jvazquez-r7 · commit 0ca0d3d045c4 · 2015-05-04T15:20:51.000-05:00
diff --git a/lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb b/lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb
@@ -17,10 +17,17 @@ def smb_cmd_nt_create_andx(c, buff)
             pkt = CONST::SMB_CREATE_PKT.make_struct
             pkt.from_s(buff)
 
-            payload = (pkt['Payload'].v['Payload']).downcase
-            payload.gsub!(/^[\x00]*/, '') # delete padding
-            payload = Rex::Text.ascii_safe_hex(payload)
-            payload.gsub!(/\\x([0-9a-f]{2})/i, '') # delete hex chars
+            payload = pkt['Payload'].v['Payload'].downcase
+
+            if pkt['Payload']['SMB'].v['Flags2'] & CONST::FLAGS2_UNICODE_STRINGS == CONST::FLAGS2_UNICODE_STRINGS
+              # If path length is odd first character is alignment
+              if payload.length.odd?
+                payload = payload[1..-1]
+              end
+              payload = Rex::Text.to_ascii(payload)
+            end
+
+            payload.gsub!(/[\x00]*/, '') # delete nulls
 
             if payload.nil? || payload.empty?
               payload = file_name
diff --git a/lib/msf/core/exploit/smb/server/share/information_level/find.rb b/lib/msf/core/exploit/smb/server/share/information_level/find.rb
@@ -58,7 +58,7 @@ def smb_cmd_find_file_both_directory_info(c, path)
           # @param path [String] The path which the client is requesting info from.
           # @return [Fixnum] The number of bytes returned to the client as response.
           def smb_cmd_find_file_names_info(c, path)
-            if path && path.include?(file_name.downcase)
+            if path && path.ends_with?(file_name.downcase)
               data = Rex::Text.to_unicode(file_name)
             elsif path && folder_name && path.ends_with?(folder_name.downcase)
               data = Rex::Text.to_unicode(path)
