Merge session_setup refactoring

Author: jvazquez-r7

lib/msf/core/exploit/smb/server/share.rb

@@ -145,17 +145,17 @@ def smb_cmd_dispatch(cmd, c, buff)
           when CONST::SMB_COM_SESSION_SETUP_ANDX
             word_count = pkt['Payload']['SMB'].v['WordCount']
             if word_count == 0x0D # Share Security Mode sessions
-              smb_cmd_session_setup(c, buff)
+              smb_cmd_session_setup_andx(c, buff)
             else
               print_status("SMB Share - #{smb[:ip]} Unknown SMB_COM_SESSION_SETUP_ANDX request type , ignoring... ")
               smb_error(cmd, c, CONST::SMB_STATUS_SUCCESS)
             end
           when CONST::SMB_COM_TRANSACTION2
-            smb_cmd_trans(c, buff)
+            smb_cmd_trans2(c, buff)
           when CONST::SMB_COM_NT_CREATE_ANDX
-            smb_cmd_create(c, buff)
+            smb_cmd_nt_create_andx(c, buff)
           when CONST::SMB_COM_READ_ANDX
-            smb_cmd_read(c, buff)
+            smb_cmd_read_andx(c, buff)
           when CONST::SMB_COM_CLOSE
             smb_cmd_close(c, buff)
           else

lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb

@@ -8,7 +8,7 @@ module NtCreateAndx
           #
           # Responds to a client NT_CREATE_ANDX request
           #
-          def smb_cmd_create(c, buff)
+          def smb_cmd_nt_create_andx(c, buff)
             smb = @state[c]
             pkt = CONST::SMB_CREATE_PKT.make_struct
             pkt.from_s(buff)

lib/msf/core/exploit/smb/server/share/command/read_andx.rb

@@ -11,7 +11,7 @@ module ReadAndx
           # by reading the offset and length requested by the client
           # and sending the appropriate chunk of the payload
           #
-          def smb_cmd_read(c, buff)
+          def smb_cmd_read_andx(c, buff)
             pkt = CONST::SMB_READ_PKT.make_struct
             pkt.from_s(buff)
 

lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb

@@ -8,7 +8,7 @@ module SessionSetupAndx
           #
           # Sets up an SMB session in response to a SESSION_SETUP_ANDX request
           #
-          def smb_cmd_session_setup(c, buff)
+          def smb_cmd_session_setup_andx(c, buff)
             tree_connect_response = CONST::SMB_TREE_CONN_ANDX_RES_PKT.make_struct
             tree_connect_response.v['WordCount'] = 7
             tree_connect_response.v['AndXCommand'] = CONST::SMB_COM_NO_ANDX_COMMAND
@@ -19,26 +19,49 @@ def smb_cmd_session_setup(c, buff)
             tree_connect_response.v['GuestAccessRights'] = 0
             tree_connect_response.v['Payload'] = "A:\x00#{Rex::Text.to_unicode('NTFS')}\x00\x00"
 
+            data = Rex::Text.to_unicode('Unix', 'utf-16be') + "\x00\x00" + # Native OS # Samba signature
+              Rex::Text.to_unicode('Samba 3.4.7', 'utf-16be') + "\x00\x00" + # Native LAN Manager # Samba signature
+              Rex::Text.to_unicode('WORKGROUP', 'utf-16be') + "\x00\x00\x00" # Primary DOMAIN # Samba signature
+
+            send_session_setup_andx_res(c, {
+              action: CONST::SMB_SETUP_GUEST,
+              data: data,
+              andx: CONST::SMB_COM_TREE_CONNECT_ANDX,
+              andx_offset: 96,
+              andx_command: tree_connect_response
+            })
+          end
+
+          def send_session_setup_andx_res(c, opts = {})
+            action = opts[:action] || 0
+            andx_offset = opts[:andx_offset] || 0
+            reserved = opts[:reserved] || 0
+            andx = opts[:andx] || CONST::SMB_COM_NO_ANDX_COMMAND
+            data = opts[:data] || ''
+            andx_command = opts[:andx_command] || nil
+
+
             pkt = CONST::SMB_SETUP_RES_PKT.make_struct
             smb_set_defaults(c, pkt)
 
             pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_SESSION_SETUP_ANDX
             pkt['Payload']['SMB'].v['Flags1'] = FLAGS
             pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
             pkt['Payload']['SMB'].v['WordCount'] = 3
-            pkt['Payload'].v['AndX'] = CONST::SMB_COM_TREE_CONNECT_ANDX
-            pkt['Payload'].v['Reserved1'] = 00
-            pkt['Payload'].v['AndXOffset'] = 96
-            pkt['Payload'].v['Action'] = CONST::SMB_SETUP_GUEST
-            pkt['Payload'].v['Payload'] =
-              Rex::Text.to_unicode('Unix', 'utf-16be') + "\x00\x00" + # Native OS # Samba signature
-              Rex::Text.to_unicode('Samba 3.4.7', 'utf-16be') + "\x00\x00" + # Native LAN Manager # Samba signature
-              Rex::Text.to_unicode('WORKGROUP', 'utf-16be') + "\x00\x00\x00" # Primary DOMAIN # Samba signature
+            pkt['Payload'].v['AndX'] = andx
+            pkt['Payload'].v['Reserved1'] = reserved
+            pkt['Payload'].v['AndXOffset'] = andx_offset
+            pkt['Payload'].v['Action'] = action
+            pkt['Payload'].v['Payload'] = data
 
-            full_pkt = pkt.to_s + tree_connect_response.to_s
-            original_length = full_pkt[2, 2].unpack('n')[0]
-            original_length = original_length +  tree_connect_response.to_s.length
-            full_pkt[2, 2] = [original_length].pack('n')
+            if andx_command
+              full_pkt = pkt.to_s + andx_command.to_s
+              original_length = full_pkt[2, 2].unpack('n')[0]
+              original_length = original_length +  andx_command.to_s.length
+              full_pkt[2, 2] = [original_length].pack('n')
+            else
+              full_pkt = pkt.to_s
+            end
 
             c.put(full_pkt)
           end

lib/msf/core/exploit/smb/server/share/command/trans2.rb

@@ -16,7 +16,7 @@ module Trans2
           #  QUERY_FILE_INFO (Basic, Standard and Internal)
           #  QUERY_PATH_INFO (Basic and Standard)
           #
-          def smb_cmd_trans(c, buff)
+          def smb_cmd_trans2(c, buff)
             pkt = CONST::SMB_TRANS2_PKT.make_struct
             pkt.from_s(buff)