ruby_smb 1.0.5 → 1.1.0

data/lib/ruby_smb/dcerpc/winreg/query_value_response.rb

@@ -0,0 +1,57 @@
+module RubySMB
+  module Dcerpc
+    module Winreg
+
+      # This class represents a BaseRegQueryValue Response Packet as defined in
+      # [3.1.5.17 BaseRegQueryValue (Opnum 17)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/8bc10aa3-2f91-44e8-aa33-b3263c49ab9d)
+      class QueryValueResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_lp_dword :lp_type
+        ndr_lp_byte  :lp_data
+        string       :pad, length: -> { pad_length }
+        ndr_lp_dword :lpcb_data
+        ndr_lp_dword :lpcb_len
+        uint32       :error_status
+
+        def initialize_instance
+          super
+          @opnum = REG_QUERY_VALUE
+        end
+
+        # Determines the correct length for the padding in front of
+        # #lpcb_data. It should always force a 4-byte alignment.
+        def pad_length
+          offset = (lp_data.abs_offset + lp_data.to_binary_s.length) % 4
+          (4 - offset) % 4
+        end
+
+        # Returns the data portion of the registry value formatted according to its type:
+        # [3.1.1.5 Values](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/3d64dbea-f016-4373-8cac-e43bf343837d)
+        def data
+          bytes = lp_data.bytes.to_a.pack('C*')
+          case lp_type
+          when 1,2
+            bytes.force_encoding('utf-16le').strip
+          when 3
+            bytes
+          when 4
+            bytes.unpack('V').first
+          when 5
+            bytes.unpack('N').first
+          when 7
+            str = bytes.force_encoding('utf-16le')
+            str.split("\0".encode('utf-16le'))
+          when 11
+            bytes.unpack('Q<').first
+          else
+            ""
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/winreg/regsam.rb

@@ -0,0 +1,40 @@
+module RubySMB
+  module Dcerpc
+    module Winreg
+
+      # This class represents a REGSAM structure as defined in
+      # [2.2.3 REGSAM](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rrp/fefbc801-b141-4bb1-9dcb-bf366da3ae7e)
+      # [2.4.3 ACCESS_MASK](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/7a53f60e-e730-4dfe-bbe9-b21b62eb790b)
+      class Regsam < BinData::Record
+        endian  :little
+        bit2    :reserved,               label: 'Reserved Space'
+        bit1    :key_create_link,        label: 'Key Create Link'
+        bit1    :key_notify,             label: 'Key Notify'
+        bit1    :key_enumerate_sub_keys, label: 'Key Enumerate Sub Keys'
+        bit1    :key_create_sub_key,     label: 'Key Create Sub Key'
+        bit1    :key_set_value,          label: 'Key Set Value'
+        bit1    :key_query_value,        label: 'Key Query Value'
+        # byte boundary
+        bit6    :reserved2,              label: 'Reserved Space'
+        bit1    :key_wow64_32key,        label: 'Key Wow64 32key'
+        bit1    :key_wow64_64key,        label: 'Key Wow64 64key'
+        # byte boundary
+        bit3    :reserved3,              label: 'Reserved Space'
+        bit1    :synchronize,            label: 'Synchronize'
+        bit1    :write_owner,            label: 'Write Owner'
+        bit1    :write_dac,              label: 'Write DAC'
+        bit1    :read_control,           label: 'Read Control'
+        bit1    :delete_access,          label: 'Delete'
+        # byte boundary
+        bit1    :generic_read,           label: 'Generic Read'
+        bit1    :generic_write,          label: 'Generic Write'
+        bit1    :generic_execute,        label: 'Generic Execute'
+        bit1    :generic_all,            label: 'Generic All'
+        bit2    :reserved4,              label: 'Reserved Space'
+        bit1    :maximum,                label: 'Maximum Allowed'
+        bit1    :system_security,        label: 'System Security'
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/smb1/file.rb

@@ -156,6 +156,8 @@ module RubySMB
       def read_packet(read_length: 0, offset: 0)
         read_request = set_header_fields(RubySMB::SMB1::Packet::ReadAndxRequest.new)
         read_request.parameter_block.max_count_of_bytes_to_return = read_length
+        read_request.parameter_block.min_count_of_bytes_to_return = read_length
+        read_request.parameter_block.remaining = read_length
         read_request.parameter_block.offset = offset
         read_request
       end

data/lib/ruby_smb/smb1/pipe.rb

@@ -3,9 +3,9 @@ module RubySMB
     # Represents a pipe on the Remote server that we can perform
     # various I/O operations on.
     class Pipe < File
-      require 'ruby_smb/smb1/dcerpc'
+      require 'ruby_smb/dcerpc'
 
-      include RubySMB::SMB1::Dcerpc
+      include RubySMB::Dcerpc
 
       # Reference: https://msdn.microsoft.com/en-us/library/ee441883.aspx
       STATUS_DISCONNECTED = 0x0001
@@ -13,6 +13,17 @@ module RubySMB
       STATUS_OK           = 0x0003
       STATUS_CLOSED       = 0x0004
 
+      def initialize(tree:, response:, name:)
+        raise ArgumentError, 'No Name Provided' if name.nil?
+        case name
+        when 'srvsvc'
+          extend RubySMB::Dcerpc::Srvsvc
+        when 'winreg'
+          extend RubySMB::Dcerpc::Winreg
+        end
+        super(tree: tree, response: response, name: name)
+      end
+
       # Performs a peek operation on the named pipe
       #
       # @param peek_size [Integer] Amount of data to peek
@@ -68,6 +79,71 @@ module RubySMB
         state == STATUS_OK
       end
 
+      # Send a DCERPC request with the provided stub packet.
+      #
+      # @params stub_packet [#opnum] the stub packet to add to the DCERPC request
+      # @return [String] the raw DCERPC response stub
+      # @raise [RubySMB::Error::InvalidPacket] if the response is not valid
+      # @raise [RubySMB::Error::UnexpectedStatusCode] if the response status code is different than STATUS_SUCCESS or STATUS_BUFFER_OVERFLOW
+      def dcerpc_request(stub_packet, options={})
+        options.merge!(endpoint: stub_packet.class.name.split('::').at(-2))
+        dcerpc_request = RubySMB::Dcerpc::Request.new({ opnum: stub_packet.opnum }, options)
+        dcerpc_request.stub.read(stub_packet.to_binary_s)
+        trans_nmpipe_request = RubySMB::SMB1::Packet::Trans::TransactNmpipeRequest.new(options)
+        @tree.set_header_fields(trans_nmpipe_request)
+        trans_nmpipe_request.set_fid(@fid)
+        trans_nmpipe_request.data_block.trans_data.write_data = dcerpc_request.to_binary_s
+
+        trans_nmpipe_raw_response = @tree.client.send_recv(trans_nmpipe_request)
+        trans_nmpipe_response = RubySMB::SMB1::Packet::Trans::TransactNmpipeResponse.read(trans_nmpipe_raw_response)
+        unless trans_nmpipe_response.valid?
+          raise RubySMB::Error::InvalidPacket.new(
+            expected_proto: RubySMB::SMB1::SMB_PROTOCOL_ID,
+            expected_cmd:   RubySMB::SMB1::Packet::Trans::TransactNmpipeResponse::COMMAND,
+            received_proto: trans_nmpipe_response.smb_header.protocol,
+            received_cmd:   trans_nmpipe_response.smb_header.command
+          )
+        end
+        unless [WindowsError::NTStatus::STATUS_SUCCESS,
+                WindowsError::NTStatus::STATUS_BUFFER_OVERFLOW].include?(trans_nmpipe_response.status_code)
+          raise RubySMB::Error::UnexpectedStatusCode, trans_nmpipe_response.status_code.name
+        end
+
+        raw_data = trans_nmpipe_response.data_block.trans_data.read_data.to_binary_s
+        if trans_nmpipe_response.status_code == WindowsError::NTStatus::STATUS_BUFFER_OVERFLOW
+          raw_data << read(bytes: @tree.client.max_buffer_size - trans_nmpipe_response.parameter_block.data_count)
+          dcerpc_response = dcerpc_response_from_raw_response(raw_data)
+          unless dcerpc_response.pdu_header.pfc_flags.first_frag == 1
+            raise RubySMB::Dcerpc::Error::InvalidPacket, "Not the first fragment"
+          end
+          stub_data = dcerpc_response.stub.to_s
+
+          loop do
+            break if dcerpc_response.pdu_header.pfc_flags.last_frag == 1
+            raw_data = read(bytes: @tree.client.max_buffer_size)
+            dcerpc_response = dcerpc_response_from_raw_response(raw_data)
+            stub_data << dcerpc_response.stub.to_s
+          end
+          stub_data
+        else
+          dcerpc_response = dcerpc_response_from_raw_response(raw_data)
+          dcerpc_response.stub.to_s
+        end
+      end
+
+
+      private
+
+      def dcerpc_response_from_raw_response(raw_data)
+        dcerpc_response = RubySMB::Dcerpc::Response.read(raw_data)
+        unless dcerpc_response.pdu_header.ptype == RubySMB::Dcerpc::PTypes::RESPONSE
+          raise RubySMB::Dcerpc::Error::InvalidPacket, "Not a Response packet"
+        end
+        dcerpc_response
+      rescue IOError
+        raise RubySMB::Dcerpc::Error::InvalidPacket, "Error reading the DCERPC response"
+      end
+
     end
   end
 end

data/lib/ruby_smb/smb2/packet/error_packet.rb

@@ -11,10 +11,8 @@ module RubySMB
         uint16       :structure_size,      label: 'Structure Size', initial_value: 9
         uint8        :error_context_count, label: 'ErrorContextCount'
         uint8        :reserved
-        uint32       :byte_count,          label: 'Byte Count of ErrorData',
-                                           initial_value: -> { error_data.num_bytes == 1 ? 0 : error_data.num_bytes }
-        string       :error_data,          label: 'Error Data', initial_value: "\x00",
-                                           read_length: -> { byte_count == 0 ? 1 : byte_count }
+        uint32       :byte_count,          label: 'Byte Count of ErrorData'
+        string       :error_data,          label: 'Error Data', read_length: -> { byte_count }
 
         def valid?
           return smb2_header.protocol == RubySMB::SMB2::SMB2_PROTOCOL_ID &&

data/lib/ruby_smb/smb2/pipe.rb

@@ -3,13 +3,24 @@ module RubySMB
     # Represents a pipe on the Remote server that we can perform
     # various I/O operations on.
     class Pipe < File
-      require 'ruby_smb/smb2/dcerpc'
+      require 'ruby_smb/dcerpc'
 
-      include RubySMB::SMB2::Dcerpc
+      include RubySMB::Dcerpc
 
       STATUS_CONNECTED = 0x00000003
       STATUS_CLOSING   = 0x00000004
 
+      def initialize(tree:, response:, name:)
+        raise ArgumentError, 'No Name Provided' if name.nil?
+        case name
+        when 'srvsvc'
+          extend RubySMB::Dcerpc::Srvsvc
+        when 'winreg'
+          extend RubySMB::Dcerpc::Winreg
+        end
+        super(tree: tree, response: response, name: name)
+      end
+
       # Performs a peek operation on the named pipe
       #
       # @param peek_size [Integer] Amount of data to peek
@@ -67,6 +78,82 @@ module RubySMB
         state == STATUS_CONNECTED
       end
 
+      def dcerpc_request(stub_packet, options={})
+        options.merge!(endpoint: stub_packet.class.name.split('::').at(-2))
+        dcerpc_request = RubySMB::Dcerpc::Request.new({ opnum: stub_packet.opnum }, options)
+        dcerpc_request.stub.read(stub_packet.to_binary_s)
+        ioctl_send_recv(dcerpc_request, options)
+      end
+
+      def ioctl_send_recv(action, options={})
+        request = set_header_fields(RubySMB::SMB2::Packet::IoctlRequest.new(options))
+        request.ctl_code = 0x0011C017
+        request.flags.is_fsctl = 0x00000001
+        request.buffer = action.to_binary_s
+
+        ioctl_raw_response = @tree.client.send_recv(request)
+        ioctl_response = RubySMB::SMB2::Packet::IoctlResponse.read(ioctl_raw_response)
+        unless ioctl_response.valid?
+          raise RubySMB::Error::InvalidPacket.new(
+            expected_proto: RubySMB::SMB2::SMB2_PROTOCOL_ID,
+            expected_cmd:   RubySMB::SMB2::Packet::IoctlRequest::COMMAND,
+            received_proto: ioctl_response.smb2_header.protocol,
+            received_cmd:   ioctl_response.smb2_header.command
+          )
+        end
+        # TODO: improve the handling of STATUS_PENDING responses
+        if ioctl_response.status_code == WindowsError::NTStatus::STATUS_PENDING
+          sleep 1
+          ioctl_raw_response = @tree.client.dispatcher.recv_packet
+          ioctl_response = RubySMB::SMB2::Packet::IoctlResponse.read(ioctl_raw_response)
+          unless ioctl_response.valid?
+            raise RubySMB::Error::InvalidPacket.new(
+              expected_proto: RubySMB::SMB2::SMB2_PROTOCOL_ID,
+              expected_cmd:   RubySMB::SMB2::Packet::IoctlRequest::COMMAND,
+              received_proto: ioctl_response.smb2_header.protocol,
+              received_cmd:   ioctl_response.smb2_header.command
+            )
+          end
+        elsif ![WindowsError::NTStatus::STATUS_SUCCESS,
+                WindowsError::NTStatus::STATUS_BUFFER_OVERFLOW].include?(ioctl_response.status_code)
+          raise RubySMB::Error::UnexpectedStatusCode, ioctl_response.status_code.name
+        end
+
+        raw_data = ioctl_response.output_data
+        if ioctl_response.status_code == WindowsError::NTStatus::STATUS_BUFFER_OVERFLOW
+          raw_data << read(bytes: @tree.client.max_buffer_size - ioctl_response.output_count)
+          dcerpc_response = dcerpc_response_from_raw_response(raw_data)
+          unless dcerpc_response.pdu_header.pfc_flags.first_frag == 1
+            raise RubySMB::Dcerpc::Error::InvalidPacket, "Not the first fragment"
+          end
+          stub_data = dcerpc_response.stub.to_s
+
+          loop do
+            break if dcerpc_response.pdu_header.pfc_flags.last_frag == 1
+            raw_data = read(bytes: @tree.client.max_buffer_size)
+            dcerpc_response = dcerpc_response_from_raw_response(raw_data)
+            stub_data << dcerpc_response.stub.to_s
+          end
+          stub_data
+        else
+          dcerpc_response = dcerpc_response_from_raw_response(raw_data)
+          dcerpc_response.stub.to_s
+        end
+      end
+
+
+      private
+
+      def dcerpc_response_from_raw_response(raw_data)
+        dcerpc_response = RubySMB::Dcerpc::Response.read(raw_data)
+        unless dcerpc_response.pdu_header.ptype == RubySMB::Dcerpc::PTypes::RESPONSE
+          raise RubySMB::Dcerpc::Error::InvalidPacket, "Not a Response packet"
+        end
+        dcerpc_response
+      rescue IOError
+        raise RubySMB::Dcerpc::Error::InvalidPacket, "Error reading the DCERPC response"
+      end
+
     end
   end
 end

data/lib/ruby_smb/version.rb

@@ -1,3 +1,3 @@
 module RubySMB
-  VERSION = '1.0.5'.freeze
+  VERSION = '1.1.0'.freeze
 end

data/ruby_smb.gemspec

@@ -6,8 +6,8 @@ require 'ruby_smb/version'
 Gem::Specification.new do |spec|
   spec.name          = 'ruby_smb'
   spec.version       = RubySMB::VERSION
-  spec.authors       = ['David Maloney', 'James Lee', 'Dev Mohanty', 'Christophe De La Fuente']
-  spec.email         = ['DMaloney@rapid7.com', 'egypt@metasploit.com', 'dev_mohanty@rapid7.com', 'paristvinternet-github@yahoo.com']
+  spec.authors       = ['Metasploit Hackers', 'David Maloney', 'James Lee', 'Dev Mohanty', 'Christophe De La Fuente']
+  spec.email         = ['msfdev@metasploit.com']
   spec.summary       = 'A pure Ruby implementation of the SMB Protocol Family'
   spec.description   = ''
   spec.homepage      = 'https://github.com/rapid7/ruby_smb'
@@ -26,7 +26,7 @@ Gem::Specification.new do |spec|
     spec.platform = Gem::Platform::RUBY
   end
 
-  spec.required_ruby_version = '>= 2.2.0'
+  spec.required_ruby_version = '>= 2.3.0'
 
   spec.add_development_dependency 'bundler'
   spec.add_development_dependency 'fivemat'

data/spec/lib/ruby_smb/client_spec.rb

@@ -1325,5 +1325,153 @@ RSpec.describe RubySMB::Client do
     end
   end
 
+  context 'Winreg' do
+    describe '#connect_to_winreg' do
+      let(:host)       { '1.2.3.4' }
+      let(:share)      { "\\\\#{host}\\IPC$" }
+      let(:ipc_tree)   { double('IPC$ tree') }
+      let(:named_pipe) { double('Named pipe') }
+      before :example do
+        allow(ipc_tree).to receive_messages(
+          :share     => share,
+          :open_file => named_pipe
+        )
+        allow(client).to receive(:tree_connect).and_return(ipc_tree)
+      end
+
+      context 'when the client is already connected to the IPC$ share' do
+        before :example do
+          client.tree_connects << ipc_tree
+          allow(ipc_tree).to receive(:share).and_return(share)
+        end
+
+        it 'does not connect to the already connected tree' do
+          client.connect_to_winreg(host)
+          expect(client).to_not have_received(:tree_connect)
+        end
+      end
+
+      it 'calls #tree_connect' do
+        client.connect_to_winreg(host)
+        expect(client).to have_received(:tree_connect).with(share)
+      end
+
+      it 'open \'winreg\' file on the IPC$ Tree' do
+        client.connect_to_winreg(host)
+        expect(ipc_tree).to have_received(:open_file).with(filename: "winreg", write: true, read: true)
+      end
+
+      it 'returns the expected opened named pipe' do
+        expect(client.connect_to_winreg(host)).to eq(named_pipe)
+      end
+
+      context 'when a block is given' do
+        before :example do
+          allow(named_pipe).to receive(:close)
+        end
+
+        it 'yields the expected named_pipe' do
+          client.connect_to_winreg(host) do |np|
+            expect(np).to eq(named_pipe)
+          end
+        end
+
+        it 'closes the named pipe' do
+          client.connect_to_winreg(host) { |np| }
+          expect(named_pipe).to have_received(:close)
+        end
+
+        it 'returns the block return value' do
+          result = double('Result')
+          expect(client.connect_to_winreg(host) { |np| result }).to eq(result)
+        end
+      end
+    end
+
+    describe '#has_registry_key?' do
+      let(:host)       { '1.2.3.4' }
+      let(:key)        { 'HKLM\\Registry\\Key' }
+      let(:named_pipe) { double('Named pipe') }
+      let(:result)     { double('Result') }
+      before :example do
+        allow(client).to receive(:connect_to_winreg).and_yield(named_pipe)
+        allow(named_pipe).to receive(:has_registry_key?).and_return(result)
+      end
+
+      it 'calls #connect_to_winreg to wrap the main logic around' do
+        client.has_registry_key?(host, key)
+        expect(client).to have_received(:connect_to_winreg).with(host)
+      end
+
+      it 'calls Pipe #has_registry_key?' do
+        client.has_registry_key?(host, key)
+        expect(named_pipe).to have_received(:has_registry_key?).with(key)
+      end
+    end
+
+    describe '#read_registry_key_value' do
+      let(:host)        { '1.2.3.4' }
+      let(:key)         { 'HKLM\\Registry\\Key' }
+      let(:value_name)  { 'Value' }
+      let(:named_pipe)  { double('Named pipe') }
+      let(:result)      { double('Result') }
+      before :example do
+        allow(client).to receive(:connect_to_winreg).and_yield(named_pipe)
+        allow(named_pipe).to receive(:read_registry_key_value).and_return(result)
+      end
+
+      it 'calls #connect_to_winreg to wrap the main logic around' do
+        client.read_registry_key_value(host, key, value_name)
+        expect(client).to have_received(:connect_to_winreg).with(host)
+      end
+
+      it 'calls Pipe #read_registry_key_value' do
+        client.read_registry_key_value(host, key, value_name)
+        expect(named_pipe).to have_received(:read_registry_key_value).with(key, value_name)
+      end
+    end
+
+    describe '#enum_registry_key' do
+      let(:host)       { '1.2.3.4' }
+      let(:key)        { 'HKLM\\Registry\\Key' }
+      let(:named_pipe) { double('Named pipe') }
+      let(:result)     { double('Result') }
+      before :example do
+        allow(client).to receive(:connect_to_winreg).and_yield(named_pipe)
+        allow(named_pipe).to receive(:enum_registry_key).and_return(result)
+      end
+
+      it 'calls #connect_to_winreg to wrap the main logic around' do
+        client.enum_registry_key(host, key)
+        expect(client).to have_received(:connect_to_winreg).with(host)
+      end
+
+      it 'calls Pipe #enum_registry_key' do
+        client.enum_registry_key(host, key)
+        expect(named_pipe).to have_received(:enum_registry_key).with(key)
+      end
+    end
+
+    describe '#enum_registry_values' do
+      let(:host)       { '1.2.3.4' }
+      let(:key)        { 'HKLM\\Registry\\Key' }
+      let(:named_pipe) { double('Named pipe') }
+      let(:result)     { double('Result') }
+      before :example do
+        allow(client).to receive(:connect_to_winreg).and_yield(named_pipe)
+        allow(named_pipe).to receive(:enum_registry_values).and_return(result)
+      end
+
+      it 'calls #connect_to_winreg to wrap the main logic around' do
+        client.enum_registry_values(host, key)
+        expect(client).to have_received(:connect_to_winreg).with(host)
+      end
+
+      it 'calls Pipe #enum_registry_values' do
+        client.enum_registry_values(host, key)
+        expect(named_pipe).to have_received(:enum_registry_values).with(key)
+      end
+    end
+  end
 end