Merge more mixin refactor

Author: jvazquez-r7

lib/msf/core/exploit/smb/server/share/command/close.rb

@@ -9,6 +9,10 @@ module Close
           # Responds to a client CLOSE request
           #
           def smb_cmd_close(c, buff)
+            send_close_res(c)
+          end
+
+          def send_close_res(c)
             pkt = CONST::SMB_CLOSE_RES_PKT.make_struct
             smb_set_defaults(c, pkt)
 

lib/msf/core/exploit/smb/server/share/command/negotiate.rb

@@ -15,6 +15,32 @@ def smb_cmd_negotiate(c, buff)
             dialects = pkt['Payload'].v['Payload'].gsub(/\x00/, '').split(/\x02/).grep(/^\w+/)
             dialect = dialects.index("NT LM 0.12") || dialects.length-1
 
+            send_negotitate_res(c, {
+              dialect: dialect,
+              security_mode: CONST::NEG_SECURITY_PASSWORD,
+              max_mpx: 50,
+              max_vcs: 1,
+              max_buff: 4356,
+              max_raw: 65536,
+              server_time_zone: 0,
+              capabilities: CAPABILITIES,
+              key_length: 8,
+              key: Rex::Text.rand_text_hex(8)
+            })
+          end
+
+          def send_negotitate_res(c, opts = {})
+            dialect = opts[:dialect] || 0
+            security_mode = opts[:security_mode] || 0
+            max_mpx = opts[:max_mpx] || 0
+            max_vcs = opts[:max_vcs] || 0
+            max_buff = opts[:max_buff] || 0
+            max_raw = opts[:max_raw] || 0
+            server_time_zone = opts[:server_time_zone] || 0
+            capabilities = opts[:capabilities] || 0
+            key_length = opts[:key_length] || 0
+            key = opts[:key] || ''
+
             pkt = CONST::SMB_NEG_RES_NT_PKT.make_struct
             smb_set_defaults(c, pkt)
 
@@ -23,18 +49,18 @@ def smb_cmd_negotiate(c, buff)
             pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
             pkt['Payload']['SMB'].v['WordCount'] = 17
             pkt['Payload'].v['Dialect'] = dialect
-            pkt['Payload'].v['SecurityMode'] = CONST::NEG_SECURITY_PASSWORD
-            pkt['Payload'].v['MaxMPX'] = 50
-            pkt['Payload'].v['MaxVCS'] = 1
-            pkt['Payload'].v['MaxBuff'] = 4356
-            pkt['Payload'].v['MaxRaw'] = 65536
+            pkt['Payload'].v['SecurityMode'] = security_mode
+            pkt['Payload'].v['MaxMPX'] = max_mpx
+            pkt['Payload'].v['MaxVCS'] = max_vcs
+            pkt['Payload'].v['MaxBuff'] = max_buff
+            pkt['Payload'].v['MaxRaw'] = max_raw
             pkt['Payload'].v['SystemTimeLow'] = lo
             pkt['Payload'].v['SystemTimeHigh'] = hi
-            pkt['Payload'].v['ServerTimeZone'] = 0x0
+            pkt['Payload'].v['ServerTimeZone'] = server_time_zone
             pkt['Payload'].v['SessionKey'] = 0
-            pkt['Payload'].v['Capabilities'] = CAPABILITIES
-            pkt['Payload'].v['KeyLength'] = 8
-            pkt['Payload'].v['Payload'] = Rex::Text.rand_text_hex(8)
+            pkt['Payload'].v['Capabilities'] = capabilities
+            pkt['Payload'].v['KeyLength'] = key_length
+            pkt['Payload'].v['Payload'] = key
 
             c.put(pkt.to_s)
           end

lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb

@@ -38,6 +38,22 @@ def smb_cmd_create(c, buff)
               return
             end
 
+            send_nt_create_andx_res(c, {
+              file_id: fid,
+              attributes: attribs,
+              end_of_file_low: eof,
+              is_directory: is_dir,
+              alloc_low: 0x100000
+            })
+          end
+
+          def send_nt_create_andx_res(c, opts = {})
+            file_id = opts[:file_id] || 0
+            attributes = opts[:attributes] || 0
+            end_of_file_low = opts[:end_of_file_low] || 0
+            is_directory = opts[:is_directory] || 0
+            alloc_low = opts[:alloc_low] || 0
+
             pkt = CONST::SMB_CREATE_ANDX_RES_PKT.make_struct
             smb_set_defaults(c, pkt)
             pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX
@@ -46,7 +62,7 @@ def smb_cmd_create(c, buff)
             pkt['Payload']['SMB'].v['WordCount'] = 42
             pkt['Payload'].v['AndX'] = CONST::SMB_COM_NO_ANDX_COMMAND
             pkt['Payload'].v['OpLock'] = CONST::LEVEL_II_OPLOCK # Grant Oplock on File
-            pkt['Payload'].v['FileID'] = fid
+            pkt['Payload'].v['FileID'] = file_id
             pkt['Payload'].v['Action'] = CONST::FILE_OPEN # The file existed and was opened
             pkt['Payload'].v['CreateTimeLow'] = lo
             pkt['Payload'].v['CreateTimeHigh'] = hi
@@ -56,14 +72,14 @@ def smb_cmd_create(c, buff)
             pkt['Payload'].v['WriteTimeHigh'] = hi
             pkt['Payload'].v['ChangeTimeLow'] = lo
             pkt['Payload'].v['ChangeTimeHigh'] = hi
-            pkt['Payload'].v['Attributes'] = attribs
-            pkt['Payload'].v['AllocLow'] = 0x100000
+            pkt['Payload'].v['Attributes'] = attributes
+            pkt['Payload'].v['AllocLow'] = alloc_low
             pkt['Payload'].v['AllocHigh'] = 0
-            pkt['Payload'].v['EOFLow'] = eof
+            pkt['Payload'].v['EOFLow'] = end_of_file_low
             pkt['Payload'].v['EOFHigh'] = 0
             pkt['Payload'].v['FileType'] = CONST::SMB_RESOURCE_FILE_TYPE_DISK
             pkt['Payload'].v['IPCState'] = 0x7 # Number maxim of instance a named pipe can have
-            pkt['Payload'].v['IsDirectory'] = is_dir
+            pkt['Payload'].v['IsDirectory'] = is_directory
             pkt['Payload'].v['MaxAccess'] = CREATE_MAX_ACCESS
             c.put(pkt.to_s)
           end

lib/msf/core/exploit/smb/server/share/command/read_andx.rb

@@ -18,6 +18,18 @@ def smb_cmd_read(c, buff)
             offset = pkt['Payload'].v['Offset']
             length = pkt['Payload'].v['MaxCountLow']
 
+            send_read_andx_res(c, {
+              data_len_low: length,
+              byte_count: length,
+              data: exe_contents[offset, length]
+            })
+          end
+
+          def send_read_andx_res(c, opts = {})
+            data_len_low = opts[:data_len_low]
+            byte_count = opts[:byte_count]
+            data = opts[:data]
+
             pkt = CONST::SMB_READ_RES_PKT.make_struct
             smb_set_defaults(c, pkt)
 
@@ -27,13 +39,13 @@ def smb_cmd_read(c, buff)
             pkt['Payload']['SMB'].v['WordCount'] = 12
             pkt['Payload'].v['AndX'] = CONST::SMB_COM_NO_ANDX_COMMAND
             pkt['Payload'].v['Remaining'] = 0xffff
-            pkt['Payload'].v['DataLenLow'] = length
+            pkt['Payload'].v['DataLenLow'] = data_len_low
             pkt['Payload'].v['DataOffset'] = CONST::SMB_READ_RES_HDR_PKT_LENGTH
             pkt['Payload'].v['DataLenHigh'] = 0
             pkt['Payload'].v['Reserved3'] = 0
             pkt['Payload'].v['Reserved4'] = 0x0a
-            pkt['Payload'].v['ByteCount'] = length
-            pkt['Payload'].v['Payload'] = exe_contents[offset, length]
+            pkt['Payload'].v['ByteCount'] = byte_count
+            pkt['Payload'].v['Payload'] = data
             c.put(pkt.to_s)
           end
         end