dstruct 0.0.1

data/lib/rex/proto/smb/simpleclient.rb

@@ -0,0 +1,173 @@
+# -*- coding: binary -*-
+module Rex
+module Proto
+module SMB
+class SimpleClient
+
+require 'rex/text'
+require 'rex/struct2'
+require 'rex/proto/smb/constants'
+require 'rex/proto/smb/exceptions'
+require 'rex/proto/smb/evasions'
+require 'rex/proto/smb/crypt'
+require 'rex/proto/smb/utils'
+require 'rex/proto/smb/client'
+require 'rex/proto/smb/simpleclient/open_file'
+require 'rex/proto/smb/simpleclient/open_pipe'
+
+# Some short-hand class aliases
+CONST = Rex::Proto::SMB::Constants
+CRYPT = Rex::Proto::SMB::Crypt
+UTILS = Rex::Proto::SMB::Utils
+XCEPT = Rex::Proto::SMB::Exceptions
+EVADE = Rex::Proto::SMB::Evasions
+
+# Public accessors
+attr_accessor :last_error
+
+# Private accessors
+attr_accessor :socket, :client, :direct, :shares, :last_share
+
+  # Pass the socket object and a boolean indicating whether the socket is netbios or cifs
+  def initialize(socket, direct = false)
+    self.socket = socket
+    self.direct = direct
+    self.client = Rex::Proto::SMB::Client.new(socket)
+    self.shares = { }
+  end
+
+  def login(name = '', user = '', pass = '', domain = '',
+      verify_signature = false, usentlmv2 = false, usentlm2_session = true,
+      send_lm = true, use_lanman_key = false, send_ntlm = true,
+      native_os = 'Windows 2000 2195', native_lm = 'Windows 2000 5.0', spnopt = {})
+
+    begin
+
+      if (self.direct != true)
+        self.client.session_request(name)
+      end
+      self.client.native_os = native_os
+      self.client.native_lm = native_lm
+      self.client.verify_signature = verify_signature
+      self.client.use_ntlmv2 = usentlmv2
+      self.client.usentlm2_session = usentlm2_session
+      self.client.send_lm = send_lm
+      self.client.use_lanman_key =  use_lanman_key
+      self.client.send_ntlm = send_ntlm
+
+      self.client.negotiate
+
+      # Disable NTLMv2 Session for Windows 2000 (breaks authentication on some systems)
+      # XXX: This in turn breaks SMB auth for Windows 2000 configured to enforce NTLMv2
+      # XXX: Tracked by ticket #4785#4785
+      if self.client.native_lm =~ /Windows 2000 5\.0/ and usentlm2_session
+      #	self.client.usentlm2_session = false
+      end
+
+      self.client.spnopt = spnopt
+
+      ok = self.client.session_setup(user, pass, domain)
+    rescue ::Interrupt
+      raise $!
+    rescue ::Exception => e
+      n = XCEPT::LoginError.new
+      n.source = e
+      if(e.respond_to?('error_code'))
+        n.error_code   = e.error_code
+        n.error_reason = e.get_error(e.error_code)
+      end
+      raise n
+    end
+
+    return true
+  end
+
+
+  def login_split_start_ntlm1(name = '')
+
+    begin
+
+      if (self.direct != true)
+        self.client.session_request(name)
+      end
+
+      # Disable extended security
+      self.client.negotiate(false)
+    rescue ::Interrupt
+      raise $!
+    rescue ::Exception => e
+      n = XCEPT::LoginError.new
+      n.source = e
+      if(e.respond_to?('error_code'))
+        n.error_code   = e.error_code
+        n.error_reason = e.get_error(e.error_code)
+      end
+      raise n
+    end
+
+    return true
+  end
+
+
+  def login_split_next_ntlm1(user, domain, hash_lm, hash_nt)
+    begin
+      ok = self.client.session_setup_no_ntlmssp_prehash(user, domain, hash_lm, hash_nt)
+    rescue ::Interrupt
+      raise $!
+    rescue ::Exception => e
+      n = XCEPT::LoginError.new
+      n.source = e
+      if(e.respond_to?('error_code'))
+        n.error_code   = e.error_code
+        n.error_reason = e.get_error(e.error_code)
+      end
+      raise n
+    end
+
+    return true
+  end
+
+  def connect(share)
+    ok = self.client.tree_connect(share)
+    tree_id = ok['Payload']['SMB'].v['TreeID']
+    self.shares[share] = tree_id
+    self.last_share = share
+  end
+
+  def disconnect(share)
+    ok = self.client.tree_disconnect(self.shares[share])
+    self.shares.delete(share)
+  end
+
+
+  def open(path, perm, chunk_size = 48000)
+    mode   = UTILS.open_mode_to_mode(perm)
+    access = UTILS.open_mode_to_access(perm)
+
+    ok = self.client.open(path, mode, access)
+    file_id = ok['Payload'].v['FileID']
+    fh = OpenFile.new(self.client, path, self.client.last_tree_id, file_id)
+    fh.chunk_size = chunk_size
+    fh
+  end
+
+  def delete(*args)
+    self.client.delete(*args)
+  end
+
+  def create_pipe(path, perm = 'c')
+    disposition = UTILS.create_mode_to_disposition(perm)
+    ok = self.client.create_pipe(path, disposition)
+    file_id = ok['Payload'].v['FileID']
+    fh = OpenPipe.new(self.client, path, self.client.last_tree_id, file_id)
+  end
+
+  def trans_pipe(fid, data, no_response = nil)
+    client.trans_named_pipe(fid, data, no_response)
+  end
+
+end
+end
+end
+end
+

data/lib/rex/proto/smb/simpleclient/open_file.rb

@@ -0,0 +1,106 @@
+# -*- coding: binary -*-
+module Rex
+module Proto
+module SMB
+class SimpleClient
+
+class OpenFile
+  attr_accessor	:name, :tree_id, :file_id, :mode, :client, :chunk_size
+
+  def initialize(client, name, tree_id, file_id)
+    self.client = client
+    self.name = name
+    self.tree_id = tree_id
+    self.file_id = file_id
+    self.chunk_size = 48000
+  end
+
+  def delete
+    begin
+      self.close
+    rescue
+    end
+    self.client.delete(self.name, self.tree_id)
+  end
+
+  # Close this open file
+  def close
+    self.client.close(self.file_id, self.tree_id)
+  end
+
+  # Read data from the file
+  def read(length = nil, offset = 0)
+    if (length == nil)
+      data = ''
+      fptr = offset
+      ok = self.client.read(self.file_id, fptr, self.chunk_size)
+      while (ok and ok['Payload'].v['DataLenLow'] > 0)
+        buff = ok.to_s.slice(
+          ok['Payload'].v['DataOffset'] + 4,
+          ok['Payload'].v['DataLenLow']
+        )
+        data << buff
+        if ok['Payload'].v['Remaining'] == 0
+          break
+        end
+        fptr += ok['Payload'].v['DataLenLow']
+
+        begin
+          ok = self.client.read(self.file_id, fptr, self.chunk_size)
+        rescue XCEPT::ErrorCode => e
+          case e.error_code
+          when 0x00050001
+            # Novell fires off an access denied error on EOF
+            ok = nil
+          else
+            raise e
+          end
+        end
+      end
+
+      return data
+    else
+      ok = self.client.read(self.file_id, offset, length)
+      data = ok.to_s.slice(
+        ok['Payload'].v['DataOffset'] + 4,
+        ok['Payload'].v['DataLenLow']
+      )
+      return data
+    end
+  end
+
+  def << (data)
+    self.write(data)
+  end
+
+  # Write data to the file
+  def write(data, offset = 0)
+    # Track our offset into the remote file
+    fptr = offset
+
+    # Duplicate the data so we can use slice!
+    data = data.dup
+
+    # Take our first chunk of bytes
+    chunk = data.slice!(0, self.chunk_size)
+
+    # Keep writing data until we run out
+    while (chunk.length > 0)
+      ok = self.client.write(self.file_id, fptr, chunk)
+      cl = ok['Payload'].v['CountLow']
+
+      # Partial write, push the failed data back into the queue
+      if (cl != chunk.length)
+        data = chunk.slice(cl - 1, chunk.length - cl) + data
+      end
+
+      # Increment our painter and grab the next chunk
+      fptr += cl
+      chunk = data.slice!(0, self.chunk_size)
+    end
+  end
+end
+end
+end
+end
+end

data/lib/rex/proto/smb/simpleclient/open_pipe.rb

@@ -0,0 +1,57 @@
+# -*- coding: binary -*-
+
+module Rex
+module Proto
+module SMB
+class SimpleClient
+
+class OpenPipe < OpenFile
+
+  # Valid modes are: 'trans' and 'rw'
+  attr_accessor :mode
+
+  def initialize(*args)
+    super(*args)
+    self.mode = 'rw'
+    @buff = ''
+  end
+
+  def read_buffer(length, offset=0)
+    length ||= @buff.length
+    @buff.slice!(0, length)
+  end
+
+  def read(length = nil, offset = 0)
+    case self.mode
+    when 'trans'
+      read_buffer(length, offset)
+    when 'rw'
+      super(length, offset)
+    else
+      raise ArgumentError
+    end
+  end
+
+  def write(data, offset = 0)
+    case self.mode
+
+    when 'trans'
+      write_trans(data, offset)
+    when 'rw'
+      super(data, offset)
+    else
+      raise ArgumentError
+    end
+  end
+
+  def write_trans(data, offset=0)
+    ack = self.client.trans_named_pipe(self.file_id, data)
+    doff = ack['Payload'].v['DataOffset']
+    dlen = ack['Payload'].v['DataCount']
+    @buff << ack.to_s[4+doff, dlen]
+  end
+end
+end
+end
+end
+end

data/lib/rex/proto/smb/utils.rb

@@ -0,0 +1,104 @@
+# -*- coding: binary -*-
+require 'rex/text'
+require 'rex/proto/smb/constants'
+
+module Rex
+module Proto
+module SMB
+class Utils
+
+CONST = Rex::Proto::SMB::Constants
+
+  # Creates an access mask for use with the CLIENT.open() call based on a string
+  def self.open_mode_to_access(str)
+    access = CONST::OPEN_ACCESS_READ | CONST::OPEN_SHARE_DENY_NONE
+    str.each_byte { |c|
+      case [c].pack('C').downcase
+        when 'w'
+          access |= CONST::OPEN_ACCESS_READWRITE
+      end
+    }
+    return access
+  end
+
+  # Creates a mode mask for use with the CLIENT.open() call based on a string
+  def self.open_mode_to_mode(str)
+    mode = 0
+
+    str.each_byte { |c|
+      case [c].pack('C').downcase
+        when 'x' # Fail if the file already exists
+          mode |= CONST::OPEN_MODE_EXCL
+        when 't' # Truncate the file if it already exists
+          mode |= CONST::OPEN_MODE_TRUNC
+        when 'c' # Create the file if it does not exist
+          mode |= CONST::OPEN_MODE_CREAT
+        when 'o' # Just open the file, clashes with x
+          mode |= CONST::OPEN_MODE_OPEN
+      end
+    }
+
+    return mode
+  end
+
+  # Returns a disposition value for smb.create based on permission string
+  def self.create_mode_to_disposition(str)
+    str.each_byte { |c|
+      case [c].pack('C').downcase
+        when 'c' # Create the file if it does not exist
+          return CONST::CREATE_ACCESS_OPENCREATE
+        when 'o' # Just open the file and fail if it does not exist
+          return CONST::CREATE_ACCESS_EXIST
+      end
+    }
+
+    return CONST::CREATE_ACCESS_OPENCREATE
+  end
+
+  # NOTE: the difference below came from: Time.utc("1970-1-1") - Time.utc("1601-1-1")
+
+  # Convert a 64-bit signed SMB time to a unix timestamp
+  def self.time_smb_to_unix(thi, tlo)
+    (((thi << 32) + tlo) / 10000000) - 11644473600
+  end
+
+  # Convert a unix timestamp to a 64-bit signed server time
+  def self.time_unix_to_smb(unix_time)
+    t64 = (unix_time + 11644473600) * 10000000
+    thi = (t64 & 0xffffffff00000000) >> 32
+    tlo = (t64 & 0x00000000ffffffff)
+    return [thi, tlo]
+  end
+
+  # Convert a name to its NetBIOS equivalent
+  def self.nbname_encode(str)
+    encoded = ''
+    for x in (0..15)
+      if (x >= str.length)
+        encoded << 'CA'
+      else
+        c = str[x, 1].upcase[0,1].unpack('C*')[0]
+        encoded << [ (c / 16) + 0x41, (c % 16) + 0x41 ].pack('CC')
+      end
+    end
+    return encoded
+  end
+
+  # Convert a name from its NetBIOS equivalent
+  def self.nbname_decode(str)
+    decoded = ''
+    str << 'A' if str.length % 2 != 0
+    while (str.length > 0)
+      two = str.slice!(0, 2).unpack('C*')
+      if (two.length == 2)
+        decoded << [ ((two[0] - 0x41) * 16) + two[1] - 0x41 ].pack('C')
+      end
+    end
+    return decoded
+  end
+
+
+end
+end
+end
+end

data/lib/rex/proto/sunrpc.rb

@@ -0,0 +1,2 @@
+# -*- coding: binary -*-
+require 'rex/proto/sunrpc/client'

data/lib/rex/proto/sunrpc/client.rb

@@ -0,0 +1,196 @@
+# -*- coding: binary -*-
+require 'rex/socket'
+require 'rex/encoder/xdr'
+
+module Rex
+module Proto
+module SunRPC
+
+class RPCTimeout < ::Interrupt
+   def initialize(msg = 'Operation timed out.')
+      @msg = msg
+   end
+
+  def to_s
+    @msg
+  end
+end
+
+# XXX: CPORT!
+class Client
+  AUTH_NULL = 0
+  AUTH_UNIX = 1
+
+  PMAP_PROG = 100000
+  PMAP_VERS = 2
+  PMAP_GETPORT = 3
+
+  CALL = 0
+
+  attr_accessor :rhost, :rport, :proto, :program, :version
+  attr_accessor :pport, :call_sock, :timeout, :context
+
+  attr_accessor :should_fragment
+
+  def initialize(opts)
+    self.rhost   = opts[:rhost]
+    self.rport   = opts[:rport]
+    self.program = opts[:program]
+    self.version = opts[:version]
+    self.timeout = opts[:timeout] || 20
+    self.context = opts[:context] || {}
+    self.proto   = opts[:proto]
+
+    if self.proto.downcase !~ /^(tcp|udp)$/
+      raise ::Rex::ArgumentError, 'Protocol is not "tcp" or "udp"'
+    end
+
+    @pport = nil
+
+    @auth_type = AUTH_NULL
+    @auth_data = ''
+
+    @call_sock = nil
+  end
+
+# XXX: Add optional parameter to have proto be something else
+  def create()
+    proto_num = 0
+    if @proto.eql?('tcp')
+      proto_num = 6
+    elsif @proto.eql?('udp')
+      proto_num = 17
+    end
+
+    buf =
+      Rex::Encoder::XDR.encode(CALL, 2, PMAP_PROG, PMAP_VERS, PMAP_GETPORT,
+        @auth_type, [@auth_data, 400], AUTH_NULL, '',
+        @program, @version, proto_num, 0)
+
+    sock = make_rpc(@proto, @rhost, @rport)
+    send_rpc(sock, buf)
+    ret = recv_rpc(sock)
+    close_rpc(sock)
+
+    return ret
+  end
+
+  def call(procedure, buffer, maxwait = self.timeout)
+    buf =
+      Rex::Encoder::XDR.encode(CALL, 2, @program, @version, procedure,
+        @auth_type, [@auth_data, 400], AUTH_NULL, '')+
+      buffer
+
+    if ! @call_sock
+      @call_sock = make_rpc(@proto, @rhost, @pport)
+    end
+
+    send_rpc(@call_sock, buf)
+    recv_rpc(@call_sock, maxwait)
+  end
+
+  def destroy
+    close_rpc(@call_sock) if @call_sock
+    @call_sock = nil
+  end
+
+  def authnull_create
+    @auth_type = AUTH_NULL
+    @auth_data = ''
+  end
+
+  def authunix_create(host, uid, gid, groupz)
+    raise ::Rex::ArgumentError, 'Hostname length is too long' if host.length > 255
+# 10?
+    raise ::Rex::ArgumentError, 'Too many groups' if groupz.length > 10
+
+    @auth_type = AUTH_UNIX
+    @auth_data =
+      Rex::Encoder::XDR.encode(0, host, uid, gid, groupz) # XXX: TIME! GROUPZ?!
+  end
+
+# XXX: Dirty, integrate some sort of request system into create/call?
+  def portmap_req(host, port, rpc_vers, procedure, buffer)
+    buf = Rex::Encoder::XDR.encode(CALL, 2, PMAP_PROG, rpc_vers, procedure,
+      AUTH_NULL, '', AUTH_NULL, '') + buffer
+
+    sock = make_rpc('tcp', host, port)
+    send_rpc(sock, buf)
+    ret = recv_rpc(sock)
+    close_rpc(sock)
+
+    return ret
+  end
+
+  private
+  def make_rpc(proto, host, port)
+    Rex::Socket.create(
+      'PeerHost'	=> host,
+      'PeerPort'	=> port,
+      'Proto'		=> proto,
+      'Timeout'   => self.timeout,
+      'Context'   => self.context
+    )
+  end
+
+  def build_tcp(buf)
+    if !self.should_fragment
+      return Rex::Encoder::XDR.encode(0x80000000 | buf.length) + buf
+    end
+
+    str = buf.dup
+
+    fragmented = ''
+
+    while (str.size > 0)
+      frag = str.slice!(0, rand(3) + 1)
+      len = frag.size
+      if str.size == 0
+        len |= 0x80000000
+      end
+
+      fragmented += Rex::Encoder::XDR.encode(len) + frag
+    end
+
+    return fragmented
+  end
+
+  def send_rpc(sock, buf)
+    buf = gen_xid() + buf
+    if sock.type?.eql?('tcp')
+      buf = build_tcp(buf)
+    end
+    sock.put(buf)
+  end
+
+  def recv_rpc(sock, maxwait=self.timeout)
+
+    buf = nil
+    begin
+      Timeout.timeout(maxwait) { buf = sock.get }
+    rescue ::Timeout
+    end
+
+    return nil if not buf
+
+    buf.slice!(0..3)
+    if sock.type?.eql?('tcp')
+      buf.slice!(0..3)
+    end
+    return buf if buf.length > 1
+    return nil
+  end
+
+  def close_rpc(sock)
+    sock.close
+  end
+
+  def gen_xid
+    return Rex::Encoder::XDR.encode(rand(0xffffffff) + 1)
+  end
+end
+
+end
+end
+end
+