Move to using constant values.

This commit adds several constants for TRANS2, QUERY_PATH_INFO, MAX_DATA_COUNT,
and NT2 FLAG2 Bits to smb/constants.rb, which have then been utilised in smb/server.rb
to reduce the use of magic values.

Author: Matthew Hall

lib/rex/proto/smb/constants.rb

@@ -113,6 +113,19 @@ class Constants
 NT_TRANSACT_GET_USER_QUOTA           = 7 # Get quota
 NT_TRANSACT_SET_USER_QUOTA           = 8 # Set quota
 
+# NT Flags2 bits - cifs6.txt section 3.1.2
+FLAGS2_LONG_PATH_COMPONENTS             = 0x0001
+FLAGS2_EXTENDED_ATTRIBUTES              = 0x0002
+FLAGS2_SMB_SECURITY_SIGNATURES          = 0x0004
+FLAGS2_SMB_SECURITY_SIGNATURES_REQUIRED = 0x0010
+FLAGS2_IS_LONG_NAME                     = 0x0040
+FLAGS2_EXTENDED_SECURITY                = 0x0800
+FLAGS2_DFS_PATHNAMES                    = 0x1000
+FLAGS2_READ_PERMIT_EXECUTE              = 0x2000
+FLAGS2_32_BIT_ERROR_CODES               = 0x4000
+FLAGS2_UNICODE_STRINGS                  = 0x8000
+FLAGS2_WIN2K_SIGNATURE                  = 0xC852 
+
 # Open Modes
 OPEN_MODE_CREAT = 0x10   # Create the file if file does not exists. Otherwise, operation fails.
 OPEN_MODE_EXCL  = 0x00   # When used with SMB_O_CREAT, operation fails if file exists. Cannot be used with SMB_O_OPEN.
@@ -169,9 +182,11 @@ class Constants
 TRANS2_FIND_FIRST2 = 1
 TRANS2_FIND_NEXT2 = 2
 TRANS2_QUERY_FS_INFO = 3
+TRANS2_QUERY_PATH_INFO = 5
 TRANS2_SET_PATH_INFO = 6
-
+TRANS2_QUERY_FILE_INFO_STANDARD = 7
 TRANS2_CREATE_DIRECTORY = 13
+TRANS2_QUERY_FILE_INFO_BASIC = 24
 
 # SMB_COM_TRANSACTION2 QUERY_FS_INFO information levels
 SMB_INFO_ALLOCATION = 1
@@ -197,8 +212,23 @@ class Constants
 SMB_QUERY_FILE_COMPRESSION_INFO = 0x10B
 SMB_QUERY_FILE_UNIX_BASIC = 0x200
 SMB_QUERY_FILE_UNIX_LINK = 0x201
+SMB_QUERY_PATH_STANDARD_INFO = 0x03ed
 SMB_INFO_PASSTHROUGH = 0x1000
 
+# SMB_COM_TRANSACTION2 MAX DATA COUNT information levels
+SMB_QUERY_BASIC_MDC = 0x0028
+SMB_QUERY_STANDARD_MDC1 = 0x0018
+SMB_QUERY_STANDARD_MDC2 = 0x0102
+SMB_QUERY_FILE_INTERNAL_INFO_MDC = 0x0008
+SMB_QUERY_FILE_NETWORK_INFO_MDC = 0x0038
+
+# SMB_COM_TRANS2 FIND_FIRST information levels
+SMB_FIND_FILE_DIRECTORY_INFO = 0x101
+SMB_FIND_FILE_FULL_DIRECTORY_INFO = 0x102
+SMB_FIND_FILE_NAMES_INFO = 0x103
+SMB_FIND_FILE_BOTH_DIRECTORY_INFO = 0x104
+SMB_FIND_ID_FULL_DIRECTORY_INFO = 0x105
+SMB_FIND_ID_BOTH_DIRECTORY_INFO = 0x106
 
 # Device Types
 FILE_DEVICE_BEEP = 0x00000001
@@ -261,6 +291,23 @@ class Constants
 FILE_VOLUME_QUOTAS = 0x00000010
 FILE_VOLUME_IS_COMPRESSED = 0x00008000
 
+# SMB_EXT_FILE_ATTR
+# http://msdn.microsoft.com/en-us/library/ee878573(prot.20).aspx
+SMB_EXT_FILE_ATTR_READONLY = 0x00000001
+SMB_EXT_FILE_ATTR_HIDDEN = 0x00000002
+SMB_EXT_FILE_ATTR_SYSTEM = 0x00000004
+SMB_EXT_FILE_ATTR_DIRECTORY = 0x00000010
+SMB_EXT_FILE_ATTR_ARCHIVE = 0x00000020
+SMB_EXT_FILE_ATTR_NORMAL = 0x00000080
+SMB_EXT_FILE_ATTR_TEMPORARY = 0x00000100
+SMB_EXT_FILE_ATTR_COMPRESSED = 0x00000800
+SMB_EXT_FILE_POSIX_SEMANTICS = 0x01000000
+SMB_EXT_FILE_BACKUP_SEMANTICS = 0x02000000
+SMB_EXT_FILE_DELETE_ON_CLOSE = 0x04000000
+SMB_EXT_FILE_SEQUENTIAL_SCAN = 0x08000000
+SMB_EXT_FILE_RANDOM_ACCESS = 0x10000000
+SMB_EXT_FILE_NO_BUFFERING = 0x20000000
+SMB_EXT_FILE_WRITE_THROUGH = 0x80000000
 
 # SMB Error Codes
 SMB_STATUS_SUCCESS =			0x00000000

lib/rex/proto/smb/server.rb

@@ -140,7 +140,10 @@ def register(unc, contents, file_name, hi, lo)
       @hi = hi
       @lo = lo
       @exe = contents
-      @flags2 = 0xc807 # e807 or c807 or c001
+      @flags2 = CONST::FLAGS2_UNICODE_STRINGS + 
+              CONST::FLAGS2_EXTENDED_SECURITY + 
+              CONST::FLAGS2_32_BIT_ERROR_CODES + 
+              CONST::FLAGS2_LONG_PATH_COMPONENTS
   end
 
 protected
@@ -266,9 +269,11 @@ def smb_error(cmd, c, errorclass, esn = false)
     pkt['Payload']['SMB'].v['Command'] = cmd
     pkt['Payload']['SMB'].v['Flags1']  = 0x88
     if esn
-      pkt['Payload']['SMB'].v['Flags2']  = 0xc801
+      pkt['Payload']['SMB'].v['Flags2']  = @flags2 
     else
-      pkt['Payload']['SMB'].v['Flags2']  = 0xc001
+      pkt['Payload']['SMB'].v['Flags2']  = CONST::FLAGS2_UNICODE_STRINGS + 
+                                        CONST::FLAGS2_32_BIT_ERROR_CODES + 
+                                        CONST::FLAGS2_LONG_PATH_COMPONENTS
     end
     pkt['Payload']['SMB'].v['ErrorClass'] = errorclass
     c.put(pkt.to_s)
@@ -354,66 +359,60 @@ def smb_cmd_trans(c, buff)
     sub_command = pkt['Payload'].v['SetupData'].unpack("v").first
     dprint("Command is: #{sub_command.to_s}")
     ar = Rex::Text.to_hex(buff, '').to_s
-    mdc = ar[86..89]
+    mdc = ar[86..89].unpack('n*').reverse.pack('n*').to_i(16)
 
     case sub_command
-      when 0x24 # QUERY_FILE_INFO
-        dprint("[query_file_info_24]")
-        # path info works here
+      when CONST::TRANS2_QUERY_FILE_INFO_BASIC
+        dprint("[query_file_info_basic]")
         smb_cmd_trans_query_path_info_standard(c, buff)
-      when 0x7 # QUERY_FILE_INFO
-        dprint("[query_file_info_7]")
-        loi = ar[148..151]
+      when CONST::TRANS2_QUERY_FILE_INFO_STANDARD
+        dprint("[query_file_info_standard]")
+        loi = ar[148..151].unpack('n*').reverse.pack('n*').to_i(16)
         dprint("LOI is: #{loi}")
         case loi
-         when 'ed03' # Query Path Standard Info
+         when CONST::SMB_QUERY_PATH_STANDARD_INFO 
           smb_cmd_trans_query_path_info_standard(c, buff)
          else
           smb_cmd_trans_query_file_info_standard(c, buff)
          end
-      when 0x5 # QUERY_PATH_INFO
+      when CONST::TRANS2_QUERY_PATH_INFO
        dprint("[query_path_info]")
        dprint("MDC is: #{mdc}")
-       loi = ar[144..147]
+       loi = ar[144..147].unpack('n*').reverse.pack('n*').to_i(16)
        dprint("LOI is: #{loi}")
        case mdc # MAX DATA COUNT
-        when '2800'
-          # Basic is MDC = 40 / 2800 hex
+        when CONST::SMB_QUERY_BASIC_MDC
           case loi
-           when '0101' # Query File Basic Info
+           when CONST::SMB_QUERY_FILE_BASIC_INFO
             dprint("[query_file_info_basic]")
             smb_cmd_trans_query_file_info_basic(c, buff)
            else
             dprint("[query_path_info_basic]")
             smb_cmd_trans_query_path_info_basic(c, buff)
            end
-        when '1800', '0201'
-          # Standard is MDC = 24 / 1800 hex or 258 / 0201 hex
+        when CONST::SMB_QUERY_STANDARD_MDC1, CONST::SMB_QUERY_STANDARD_MDC2 
           dprint("[query_path_info_standard]")
           smb_cmd_trans_query_path_info_standard(c, buff)
-        when '0800'
-          # Internal File info is MDC = 8 / 0800 hex
+        when CONST::SMB_QUERY_FILE_INTERNAL_INFO_MDC 
           dprint("[query_file_info_basic]")
           smb_cmd_trans_query_file_info_standard(c, buff)
-        when '3800'
-          # Query file network open info
+        when CONST::SMB_QUERY_FILE_NETWORK_INFO_MDC 
           dprint("[query_file_info_network]")
           smb_cmd_trans_query_file_info_network(c, buff)
         else
           dprint("Unknown MDC - Sending to [query_path_info_standard]: #{mdc.to_s}")
           smb_cmd_trans_query_path_info_standard(c, buff)
         end
-      when 0x1 # FIND_FIRST2
+      when CONST::TRANS2_FIND_FIRST2
         dprint("find_first2")
-        loi = ar[156..159]
-        dprint("MDC is: #{mdc}")
+        loi = ar[156..159].unpack('n*').reverse.pack('n*').to_i(16)
         dprint("LOI is: #{loi}")
         case loi
-          when '0301' # Find File Names Info # 259
+          when CONST::SMB_FIND_FILE_NAMES_INFO
             smb_cmd_trans_find_first2_file(c, buff)
-          when '0401' # Find File Both Directory Info # 260
+          when CONST::SMB_FIND_FILE_BOTH_DIRECTORY_INFO
             smb_cmd_trans_find_first2(c, buff)
-          when '0201' # Find File Full Directory Info # 258
+          when CONST::SMB_FIND_FILE_FULL_DIRECTORY_INFO
             smb_cmd_trans_find_first2_full(c, buff)
           else
             smb_cmd_trans_find_first2(c, buff)
@@ -799,7 +798,7 @@ def smb_cmd_trans_query_path_info_standard(c, buff)
 
     payload = pkt['Payload'].v['SetupData'].gsub(/\x00/, '').gsub(/.*\\/, '').chomp.strip
     ar = Rex::Text.to_hex(buff, '').to_s
-    fid = ar[146..147] + ar[144..145]
+    fid = ar[144..147].unpack('n*').reverse.pack('n*')
     dprint("[smb_cmd_trans_query_path_info_standard] fid is : #{fid.hex}, file_id is : " + self.file_id.to_s)
     dprint("[smb_cmd_trans_query_path_info_standard] Payload length: #{payload.length.to_s}")
 
@@ -857,7 +856,7 @@ def smb_cmd_trans_query_file_info_basic(c, buff)
 
     ar = Rex::Text.to_hex(buff, '').to_s
     dprint("[smb_cmd_trans_query_file_info_basic] ar is : #{ar}")
-    fid = ar[146..147] + ar[144..145]
+    fid = ar[144..147].unpack('n*').reverse.pack('n*')
     dprint("[smb_cmd_trans_query_file_info_basic] fid is : #{fid.hex}, file_id is : " + self.file_id.to_s)
     if ( fid.hex.eql?(self.file_id.to_i) )
       dprint("File match")
@@ -1037,7 +1036,7 @@ def smb_cmd_trans_find_first2(c, buff)
 
     ar = Rex::Text.to_hex(buff, '').to_s
     dprint("[smb_cmd_trans_find_first2] ar is : #{ar}")
-    fid = ar[146..147] + ar[144..145]
+    fid = ar[144..147].unpack('n*').reverse.pack('n*')
     dprint("[smb_cmd_trans_find_first2] fid is : #{fid.hex}, file_id is : " + self.file_id.to_s)
     if ( fid.hex.eql?(self.file_id.to_i) )
       dprint("File match")
@@ -1144,7 +1143,7 @@ def smb_cmd_trans_find_first2_file(c, buff)
 
     ar = Rex::Text.to_hex(buff, '').to_s
     dprint("[smb_cmd_trans_find_first2_file] ar is : #{ar}")
-    fid = ar[146..147] + ar[144..145]
+    fid = ar[144..147].unpack('n*').reverse.pack('n*')
     dprint("[smb_cmd_trans_find_first2_file] fid is : #{fid.hex}, file_id is : " + self.file_id.to_s)
     if ( fid.hex.eql?(self.file_id.to_i) )
       dprint("File match")
@@ -1232,7 +1231,7 @@ def smb_cmd_trans_find_first2_full(c, buff)
 
     ar = Rex::Text.to_hex(buff, '').to_s
     dprint("[smb_cmd_trans_find_first2_full] ar is : #{ar}")
-    fid = ar[146..147] + ar[144..145]
+    fid = ar[144..147].unpack('n*').reverse.pack('n*')
     dprint("[smb_cmd_trans_find_first2_full] fid is : #{fid.hex}, file_id is : " + self.file_id.to_s)
     if ( fid.hex.eql?(self.file_id.to_i) )
       dprint("File match")