Merge find information level refactoring

Author: jvazquez-r7

lib/msf/core/exploit/smb/server.rb

@@ -133,7 +133,7 @@ def smb_error(cmd, c, errorclass, esn = false)
         pkt = CONST::SMB_BASE_PKT.make_struct
         smb_set_defaults(c, pkt)
         pkt['Payload']['SMB'].v['Command'] = cmd
-        pkt['Payload']['SMB'].v['Flags1']  = 0x88
+        pkt['Payload']['SMB'].v['Flags1']  = CONST::FLAGS_REQ_RES | CONST::FLAGS_CASE_SENSITIVE
         if esn
           pkt['Payload']['SMB'].v['Flags2']  =
             CONST::FLAGS2_UNICODE_STRINGS +

lib/msf/core/exploit/smb/server/share.rb

@@ -66,8 +66,6 @@ module Share
         CONST::SMB_WRITE_OWNER_ACCESS |
         CONST::SMB_SYNC_ACCESS
 
-      UNICODE_NULL_LENGTH = 2
-
       attr_accessor :unc
       attr_accessor :share
       attr_accessor :path_name
@@ -87,14 +85,6 @@ def initialize(info = {})
           ], Msf::Exploit::Remote::SMB::Server::Share)
       end
 
-      #
-      # Debugging
-      #
-      def dprint(msg)
-        $stdout.puts "#{msg}"
-        #dlog("#{msg}", 'rex', LEV_3)
-      end
-
       def setup
         super
 
@@ -140,7 +130,6 @@ def smb_conn(c)
       #
       def smb_cmd_dispatch(cmd, c, buff)
         smb = @state[c]
-        #dprint("Received command #{cmd.to_s(16)} from #{smb[:name]}")
 
         pkt = CONST::SMB_BASE_PKT.make_struct
         pkt.from_s(buff)
@@ -154,11 +143,11 @@ def smb_cmd_dispatch(cmd, c, buff)
           when CONST::SMB_COM_NEGOTIATE
             smb_cmd_negotiate(c, buff)
           when CONST::SMB_COM_SESSION_SETUP_ANDX
-            wordcount = pkt['Payload']['SMB'].v['WordCount']
-            if wordcount == 0x0D # Share Security Mode sessions
+            word_count = pkt['Payload']['SMB'].v['WordCount']
+            if word_count == 0x0D # Share Security Mode sessions
               smb_cmd_session_setup(c, buff)
             else
-              dprint("SMB Share - #{smb[:ip]} Unknown SMB_COM_SESSION_SETUP_ANDX request type , ignoring... ")
+              print_status("SMB Share - #{smb[:ip]} Unknown SMB_COM_SESSION_SETUP_ANDX request type , ignoring... ")
               smb_error(cmd, c, CONST::SMB_STATUS_SUCCESS)
             end
           when CONST::SMB_COM_TRANSACTION2

lib/msf/core/exploit/smb/server/share/command/close.rb

@@ -9,10 +9,6 @@ module Close
           # Responds to a client CLOSE request
           #
           def smb_cmd_close(c, buff)
-            dprint("[SMB_CMD_CLOSE]")
-            pkt = CONST::SMB_CLOSE_PKT.make_struct
-            pkt.from_s(buff)
-
             pkt = CONST::SMB_CLOSE_RES_PKT.make_struct
             smb_set_defaults(c, pkt)
 

lib/msf/core/exploit/smb/server/share/command/negotiate.rb

@@ -9,12 +9,10 @@ module Negotiate
           # Negotiates a SHARE session with the client
           #
           def smb_cmd_negotiate(c, buff)
-            dprint("[SMB_CMD_NEGOTIATE]")
             pkt = CONST::SMB_NEG_PKT.make_struct
             pkt.from_s(buff)
 
             dialects = pkt['Payload'].v['Payload'].gsub(/\x00/, '').split(/\x02/).grep(/^\w+/)
-
             dialect = dialects.index("NT LM 0.12") || dialects.length-1
 
             pkt = CONST::SMB_NEG_RES_NT_PKT.make_struct

lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb

@@ -9,7 +9,6 @@ module NtCreateAndx
           # Responds to a client NT_CREATE_ANDX request
           #
           def smb_cmd_create(c, buff)
-            dprint("[SMB_CMD_CREATE]")
             smb = @state[c]
             pkt = CONST::SMB_CREATE_PKT.make_struct
             pkt.from_s(buff)
@@ -25,23 +24,17 @@ def smb_cmd_create(c, buff)
 
             if payload.ends_with?(file_name)
               fid = smb[:file_id].to_i
-              attribs = 0x80 # File Attributes
+              attribs = CONST::SMB_EXT_FILE_ATTR_NORMAL
               eof = exe_contents.length
               is_dir = 0
             elsif payload.eql?(path_name)
               fid = smb[:dir_id].to_i
-              attribs = 0x10 # Ordinary Dir
+              attribs = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
               eof = 0
               is_dir = 1
             else
               # Otherwise send not found
-              pkt = CONST::SMB_CREATE_RES_PKT.make_struct
-              smb_set_defaults(c, pkt)
-              pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NT_CREATE_ANDX
-              pkt['Payload']['SMB'].v['ErrorClass'] = CONST::SMB_STATUS_OBJECT_NAME_NOT_FOUND
-              pkt['Payload']['SMB'].v['Flags1'] = FLAGS
-              pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
-              c.put(pkt.to_s)
+              smb_error(CONST::SMB_COM_NT_CREATE_ANDX, c, CONST::SMB_STATUS_OBJECT_NAME_NOT_FOUND, true)
               return
             end
 
@@ -51,7 +44,7 @@ def smb_cmd_create(c, buff)
             pkt['Payload']['SMB'].v['Flags1'] = FLAGS
             pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
             pkt['Payload']['SMB'].v['WordCount'] = 42
-            pkt['Payload'].v['AndX'] = 0xff # no further commands
+            pkt['Payload'].v['AndX'] = CONST::SMB_COM_NO_ANDX_COMMAND
             pkt['Payload'].v['OpLock'] = CONST::LEVEL_II_OPLOCK # Grant Oplock on File
             pkt['Payload'].v['FileID'] = fid
             pkt['Payload'].v['Action'] = CONST::FILE_OPEN # The file existed and was opened

lib/msf/core/exploit/smb/server/share/command/read_andx.rb

@@ -12,7 +12,6 @@ module ReadAndx
           # and sending the appropriate chunk of the payload
           #
           def smb_cmd_read(c, buff)
-            dprint("[SMB_CMD_READ]")
             pkt = CONST::SMB_READ_PKT.make_struct
             pkt.from_s(buff)
 
@@ -26,7 +25,7 @@ def smb_cmd_read(c, buff)
             pkt['Payload']['SMB'].v['Flags1'] = FLAGS
             pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
             pkt['Payload']['SMB'].v['WordCount'] = 12
-            pkt['Payload'].v['AndX'] = 0xff # no more commands
+            pkt['Payload'].v['AndX'] = CONST::SMB_COM_NO_ANDX_COMMAND
             pkt['Payload'].v['Remaining'] = 0xffff
             pkt['Payload'].v['DataLenLow'] = length
             pkt['Payload'].v['DataOffset'] = CONST::SMB_READ_RES_HDR_PKT_LENGTH

lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb

@@ -9,11 +9,9 @@ module SessionSetupAndx
           # Sets up an SMB session in response to a SESSION_SETUP_ANDX request
           #
           def smb_cmd_session_setup(c, buff)
-            dprint("[SMB_CMD_SESSION_SETUP]")
-
             tree_connect_response = CONST::SMB_TREE_CONN_ANDX_RES_PKT.make_struct
             tree_connect_response.v['WordCount'] = 7
-            tree_connect_response.v['AndXCommand'] = 0xff
+            tree_connect_response.v['AndXCommand'] = CONST::SMB_COM_NO_ANDX_COMMAND
             tree_connect_response.v['AndXReserved'] = 0
             tree_connect_response.v['AndXOffset'] = 0
             tree_connect_response.v['OptionalSupport'] = 1
@@ -28,7 +26,7 @@ def smb_cmd_session_setup(c, buff)
             pkt['Payload']['SMB'].v['Flags1'] = FLAGS
             pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
             pkt['Payload']['SMB'].v['WordCount'] = 3
-            pkt['Payload'].v['AndX'] = 0x75
+            pkt['Payload'].v['AndX'] = CONST::SMB_COM_TREE_CONNECT_ANDX
             pkt['Payload'].v['Reserved1'] = 00
             pkt['Payload'].v['AndXOffset'] = 96
             pkt['Payload'].v['Action'] = CONST::SMB_SETUP_GUEST

lib/msf/core/exploit/smb/server/share/command/trans2.rb

@@ -24,29 +24,40 @@ def smb_cmd_trans(c, buff)
             data_trans2.from_s(pkt['Payload'].v['SetupData'])
 
             sub_command = data_trans2.v['SubCommand']
+            parameters = data_trans2.v['Parameters'].gsub(/^[\x00]*/, '') #delete padding
 
             case sub_command
             when CONST::TRANS2_QUERY_FILE_INFO
-              parameters = data_trans2.v['Parameters'].gsub(/^[\x00]*/, '') #delete padding
               smb_cmd_trans2_query_file_information(c, parameters)
             when CONST::TRANS2_QUERY_PATH_INFO
-              parameters = data_trans2.v['Parameters'].gsub(/^[\x00]*/, '') #delete padding
               smb_cmd_trans2_query_path_information(c, parameters)
             when CONST::TRANS2_FIND_FIRST2
-              parameters = data_trans2.v['Parameters'].gsub(/^[\x00]*/, '') #delete padding
               smb_cmd_trans2_find_first2(c, parameters)
             else
-              dprint("\t[Unsupported/Unknown command] SUB_COMMAND: #{sub_command}")
-              pkt = CONST::SMB_TRANS_RES_PKT.make_struct
-              smb_set_defaults(c, pkt)
-              pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
-              pkt['Payload']['SMB'].v['Flags1'] = FLAGS
-              pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
-              pkt['Payload']['SMB'].v['ErrorClass'] = 0xc0000225 # NT_STATUS_NOT_FOUND
-              c.put(pkt.to_s)
+              smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_NT_STATUS_NOT_FOUND, true)
             end
           end
 
+          def send_trans2_res(c, parameters, data)
+            pkt = CONST::SMB_TRANS_RES_PKT.make_struct
+            smb_set_defaults(c, pkt)
+
+            pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TRANSACTION2
+            pkt['Payload']['SMB'].v['Flags1'] = FLAGS
+            pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
+            pkt['Payload']['SMB'].v['WordCount'] = 10
+            pkt['Payload'].v['ParamCountTotal'] = parameters.to_s.length
+            pkt['Payload'].v['DataCountTotal'] = data.to_s.length
+            pkt['Payload'].v['ParamCount'] = parameters.to_s.length
+            pkt['Payload'].v['ParamOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH
+            pkt['Payload'].v['DataCount'] = data.to_s.length
+            pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + parameters.to_s.length
+            pkt['Payload'].v['Payload'] =
+              parameters.to_s +
+              data.to_s
+
+            c.put(pkt.to_s)
+          end
         end
       end
     end

lib/msf/core/exploit/smb/server/share/command/trans2/find_first2.rb

@@ -18,8 +18,8 @@ def smb_cmd_trans2_find_first2(c, buff)
               search_path.gsub!(/[\x00]*/, '') #delete padding
               search_path.gsub!(/\\x([0-9a-f]{2})/i, '') # delete hex chars
 
-              # Do some dummy managing for wildcards
-              # TODO: improve
+              # Do some managing for wildcards
+              # TODO: Make it better / complete
               search_path.gsub!(/<\./, '*.') # manage wildcards
               extension = File.extname(file_name)
               if search_path == "#{path_name}*#{extension}"
@@ -34,8 +34,7 @@ def smb_cmd_trans2_find_first2(c, buff)
               when CONST::SMB_FIND_FILE_FULL_DIRECTORY_INFO
                 smb_cmd_find_file_full_directory_info(c, search_path)
               else
-                dprint("\t\tUnknown LOI [smb_cmd_trans2_find_first2] - #{loi}")
-                # SEND success with the hope of going ahead...
+                # Send STATUS_SUCCESS with the hope of going ahead
                 smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_SUCCESS)
               end
             end

lib/msf/core/exploit/smb/server/share/command/trans2/query_file_information.rb

@@ -9,7 +9,6 @@ module Trans2
           module QueryFileInformation
 
             def smb_cmd_trans2_query_file_information(c, buff)
-
               params = CONST::SMB_TRANS2_QUERY_FILE_PARAMETERS.make_struct
               params.from_s(buff)
 
@@ -22,8 +21,7 @@ def smb_cmd_trans2_query_file_information(c, buff)
               when CONST::SMB_QUERY_FILE_BASIC_INFO, CONST::SMB_QUERY_FILE_BASIC_INFO_ALIAS, CONST::SMB_SET_FILE_BASIC_INFO_ALIAS
                 smb_cmd_trans_query_file_info_basic(c, fid)
               else
-                dprint("\t\tUnknown LOI [smb_cmd_trans2_query_file_information] - #{loi.to_s}")
-                # SEND success with the hope of going ahead...
+                # Send STATUS_SUCCESS with the hope of going ahead
                 smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_SUCCESS)
               end
             end