ruby_smb 1.0.5 → 2.0.3

data/lib/ruby_smb/dcerpc.rb

@@ -1,15 +1,55 @@
 module RubySMB
   module Dcerpc
+    MAX_XMIT_FRAG = 4280
+    MAX_RECV_FRAG = 4280
+
+    require 'windows_error/win32'
     require 'ruby_smb/dcerpc/error'
     require 'ruby_smb/dcerpc/uuid'
     require 'ruby_smb/dcerpc/ndr'
     require 'ruby_smb/dcerpc/ptypes'
     require 'ruby_smb/dcerpc/p_syntax_id_t'
+    require 'ruby_smb/dcerpc/rrp_unicode_string'
+    require 'ruby_smb/dcerpc/rpc_security_attributes'
     require 'ruby_smb/dcerpc/pdu_header'
     require 'ruby_smb/dcerpc/srvsvc'
+    require 'ruby_smb/dcerpc/winreg'
+    require 'ruby_smb/dcerpc/svcctl'
     require 'ruby_smb/dcerpc/request'
     require 'ruby_smb/dcerpc/response'
     require 'ruby_smb/dcerpc/bind'
     require 'ruby_smb/dcerpc/bind_ack'
+
+
+    # Bind to the remote server interface endpoint.
+    #
+    # @param options [Hash] the options to pass to the Bind request packet. At least, :endpoint must but provided with an existing Dcerpc class
+    # @return [RubySMB::Dcerpc::BindAck] the BindAck response packet
+    # @raise [RubySMB::Dcerpc::Error::InvalidPacket] if an invalid packet is received
+    # @raise [RubySMB::Dcerpc::Error::BindError] if the response is not a BindAck packet or if the Bind result code is not ACCEPTANCE
+    def bind(options={})
+      bind_req = RubySMB::Dcerpc::Bind.new(options)
+      write(data: bind_req.to_binary_s)
+      @size = 1024
+      dcerpc_raw_response = read()
+      begin
+        dcerpc_response = RubySMB::Dcerpc::BindAck.read(dcerpc_raw_response)
+      rescue IOError
+        raise RubySMB::Dcerpc::Error::InvalidPacket, "Error reading the DCERPC response"
+      end
+      unless dcerpc_response.pdu_header.ptype == RubySMB::Dcerpc::PTypes::BIND_ACK
+        raise RubySMB::Dcerpc::Error::BindError, "Not a BindAck packet"
+      end
+
+      res_list = dcerpc_response.p_result_list
+      if res_list.n_results == 0 ||
+         res_list.p_results[0].result != RubySMB::Dcerpc::BindAck::ACCEPTANCE
+        raise RubySMB::Dcerpc::Error::BindError,
+          "Bind Failed (Result: #{res_list.p_results[0].result}, Reason: #{res_list.p_results[0].reason})"
+      end
+      @tree.client.max_buffer_size = dcerpc_response.max_xmit_frag
+      dcerpc_response
+    end
+
   end
 end

data/lib/ruby_smb/dcerpc/bind.rb

@@ -35,8 +35,8 @@ module RubySMB
 
       pdu_header :pdu_header,        label: 'PDU header'
 
-      uint16 :max_xmit_frag,         label: 'max transmit frag size',    initial_value: 0xFFFF
-      uint16 :max_recv_frag,         label: 'max receive  frag size',    initial_value: 0xFFFF
+      uint16 :max_xmit_frag,         label: 'max transmit frag size',    initial_value: RubySMB::Dcerpc::MAX_XMIT_FRAG
+      uint16 :max_recv_frag,         label: 'max receive  frag size',    initial_value: RubySMB::Dcerpc::MAX_RECV_FRAG
       uint32 :assoc_group_id,        label: 'ncarnation of client-server assoc group'
 
       p_cont_list_t :p_context_list, label: 'Presentation context list', endpoint: -> { endpoint }

data/lib/ruby_smb/dcerpc/bind_ack.rb

@@ -46,8 +46,8 @@ module RubySMB
 
       pdu_header :pdu_header,         label: 'PDU header'
 
-      uint16     :max_xmit_frag,      label: 'Max transmit frag size',  initial_value: 0xFFFF
-      uint16     :max_recv_frag,      label: 'Max receive frag size',   initial_value: 0xFFFF
+      uint16     :max_xmit_frag,      label: 'Max transmit frag size',  initial_value: RubySMB::Dcerpc::MAX_XMIT_FRAG
+      uint16     :max_recv_frag,      label: 'Max receive frag size',   initial_value: RubySMB::Dcerpc::MAX_RECV_FRAG
       uint32     :assoc_group_id,     label: 'Association group ID'
       port_any_t :sec_addr,           label: 'Secondary address'
       string     :pad,                length: -> { pad_length }

data/lib/ruby_smb/dcerpc/error.rb

@@ -10,6 +10,12 @@ module RubySMB
 
       # Raised when an invalid packet is received
       class InvalidPacket < DcerpcError; end
+
+      # Raised when an error is returned during a Winreg operation
+      class WinregError < DcerpcError; end
+
+      # Raised when an error is returned during a Svcctl operation
+      class SvcctlError < DcerpcError; end
     end
   end
 end

data/lib/ruby_smb/dcerpc/ndr.rb

@@ -7,36 +7,280 @@ module RubySMB
       VER_MAJOR = 2
       VER_MINOR = 0
 
-      class NdrString < BinData::Record
+
+      # An NDR Conformant and Varying String representation as defined in
+      # [Transfer Syntax NDR - Conformant and Varying Strings](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_04_02)
+      # The string elements are Stringz16 (unicode)
+      class NdrString < BinData::Primitive
         endian :little
 
-        uint32    :max_count, initial_value: -> { str.length }
+        uint32    :max_count
         uint32    :offset, initial_value: 0
-        uint32    :actual_count, initial_value: -> { str.length }
-        stringz16 :str, read_length: -> { actual_count }
+        uint32    :actual_count
+        stringz16 :str, max_length: -> { actual_count * 2 }, onlyif: -> { actual_count > 0 }
+
+        def get
+          self.actual_count == 0 ? 0 : self.str
+        end
+
+        def set(v)
+          if v == 0
+            self.str.clear
+            self.actual_count = 0
+          else
+            v = v.str if v.is_a?(self.class)
+            unless self.str.equal?(v)
+              if v.empty?
+                self.actual_count = 0
+              else
+                self.actual_count = v.to_s.size + 1
+                self.max_count = self.actual_count
+              end
+            end
+            self.str = v.to_s
+          end
+        end
 
-        def assign(v)
-          self.max_count = v.size
-          self.actual_count = v.size
-          self.str = v
+        def clear
+          # Make sure #max_count and #offset are not cleared out
+          self.str.clear
+          self.actual_count.clear
+        end
+
+        def to_s
+          self.str.to_s
         end
       end
 
-      class NdrLpStr < BinData::Record
+      # An NDR Uni-dimensional Conformant Array of Bytes representation as defined in
+      # [Transfer Syntax NDR - Uni-dimensional Conformant Arrays](https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_03_02)
+      class NdrLpByte < BinData::Primitive
         endian :little
 
-        uint32     :referent_identifier
-        ndr_string :ndr_str
+        uint32 :max_count, initial_value: -> { self.elements.size }
+        array  :elements, type: :uint8, read_until: -> { index == self.max_count - 1 }, onlyif: -> { self.max_count > 0 }
 
-        def assign(v)
-          self.ndr_str = v
+        def get
+          self.elements
         end
 
-        def to_s
-          self.ndr_str.str
+        def set(v)
+          v = v.elements if v.is_a?(self.class)
+          self.elements = v.to_ary
+          self.max_count = self.elements.size unless self.elements.equal?(v)
+        end
+      end
+
+      # An NDR Uni-dimensional Conformant-varying Arrays of bytes representation as defined in:
+      # [Transfer Syntax NDR - NDR Constructed Types](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_03_04)
+      class NdrByteArray < BinData::Primitive
+        endian :little
+
+        uint32 :max_count, initial_value: -> { self.actual_count }
+        uint32 :offset, initial_value: 0
+        uint32 :actual_count, initial_value: -> { self.bytes.size }
+        array  :bytes, :type => :uint8, initial_length: -> { self.actual_count }
+
+        def get
+          self.bytes
+        end
+
+        def set(v)
+          v = v.bytes if v.is_a?(self.class)
+          self.bytes = v.to_ary
+          self.max_count = self.bytes.size unless self.bytes.equal?(v)
+        end
+      end
+
+      # An NDR Context Handle representation as defined in
+      # [IDL Data Type Declarations - Basic Type Declarations](http://pubs.opengroup.org/onlinepubs/9629399/apdxn.htm#tagcjh_34_01)
+      class NdrContextHandle < BinData::Primitive
+        endian :little
+
+        uint32 :context_handle_attributes
+        uuid   :context_handle_uuid
+
+        def get
+          {:context_handle_attributes => context_handle_attributes, :context_handle_uuid => context_handle_uuid}
+        end
+
+        def set(handle)
+          if handle.is_a?(Hash)
+            self.context_handle_attributes = handle[:context_handle_attributes]
+            self.context_handle_uuid = handle[:context_handle_uuid]
+          elsif handle.is_a?(NdrContextHandle)
+            read(handle.to_binary_s)
+          else
+            read(handle.to_s)
+          end
+        end
+      end
+
+      # An NDR Top-level Full Pointers representation as defined in
+      # [Transfer Syntax NDR - Top-level Full Pointers](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_11_01)
+      # This class must be inherited and the subclass must have a #referent property
+      class NdrPointer < BinData::Primitive
+        endian :little
+
+        uint32 :referent_id, initial_value: 0
+
+        def do_read(io)
+          self.referent_id.do_read(io)
+          if process_referent?
+            self.referent.do_read(io) unless self.referent_id == 0
+          end
+        end
+
+        def do_write(io)
+          self.referent_id.do_write(io)
+          if process_referent?
+            self.referent.do_write(io) unless self.referent_id == 0
+          end
+        end
+
+        def set(v)
+          if v == :null
+            self.referent.clear
+            self.referent_id = 0
+          else
+            if self.referent.respond_to?(:set)
+              self.referent.set(v)
+            else
+              self.referent = v
+            end
+            self.referent_id = rand(0xFFFFFFFF) if self.referent_id == 0
+          end
+        end
+
+        def get
+          if self.referent_id == 0
+            :null
+          else
+            self.referent
+          end
+        end
+
+        def process_referent?
+          current_parent = parent
+          loop do
+            return true unless current_parent
+            return false if current_parent.is_a?(NdrStruct)
+            current_parent = current_parent.parent
+          end
+        end
+      end
+
+      # A pointer to a NdrString structure
+      class NdrLpStr < NdrPointer
+        endian :little
+
+        ndr_string :referent, onlyif: -> { self.referent_id != 0 }
+      end
+
+      class NdrLpDword < NdrPointer
+        endian :little
+
+        uint32 :referent, onlyif: -> { self.referent_id != 0 }
+      end
+
+      # A pointer to an NDR Uni-dimensional Conformant-varying Arrays of bytes
+      class NdrLpByteArray < NdrPointer
+        endian :little
+
+        ndr_byte_array :referent, onlyif: -> { self.referent_id != 0 }
+
+        def set(v)
+          if v != :null && v.is_a?(NdrLpByteArray)
+            super(v.referent)
+          else
+            super(v)
+          end
+        end
+      end
+
+      # A pointer to a Windows FILETIME structure
+      class NdrLpFileTime < NdrPointer
+        endian :little
+
+        file_time :referent, onlyif: -> { self.referent_id != 0 }
+      end
+
+      # A generic NDR structure that implements logic to #read and #write
+      # (#to_binary_s) in case the structure contains BinData::Array or
+      # NdrPointer fields. This class must be inherited.
+      class NdrStruct < BinData::Record
+
+        def do_read(io)
+          super(io)
+          each_pair do |_name, field|
+            case field
+            when BinData::Array
+              field.each do |element|
+                next unless element.is_a?(NdrPointer)
+                next if element.referent_id == 0
+                pad = (4 - io.offset % 4) % 4
+                io.seekbytes(pad) if pad > 0
+                element.referent.do_read(io)
+              end
+            when NdrPointer
+              next if field.referent_id == 0
+              pad = (4 - io.offset % 4) % 4
+              io.seekbytes(pad) if pad > 0
+              field.referent.do_read(io)
+            end
+          end
+        end
+
+        def do_write(io)
+          super(io)
+          each_pair do |_name, field|
+            case field
+            when BinData::Array
+              field.each do |element|
+                next unless element.is_a?(NdrPointer)
+                next if element.referent_id == 0
+                pad = (4 - io.offset % 4) % 4
+                io.writebytes("\x00" * pad + element.referent.to_binary_s)
+              end
+            when NdrPointer
+              next if field.referent_id == 0
+              pad = (4 - io.offset % 4) % 4
+              io.writebytes("\x00" * pad + field.referent.to_binary_s)
+            end
+          end
+        end
+      end
+
+      class NdrStringPtrsw < NdrStruct
+        endian :little
+
+        uint32 :max_count, initial_value: -> { self.elements.size }
+        array  :elements, type: :ndr_lp_str, read_until: -> { index == self.max_count - 1 }, onlyif: -> { self.max_count > 0 }
+
+        def get
+          self.elements
+        end
+
+        def set(v)
+          v = v.elements if v.is_a?(self.class)
+          self.elements = v.to_ary
+          self.max_count = self.elements.size unless self.elements.equal?(v)
+        end
+
+        def do_num_bytes
+          to_binary_s.size
+        end
+      end
+
+      class NdrLpStringPtrsw < NdrPointer
+        endian :little
+
+        ndr_string_ptrsw :referent, onlyif: -> { self.referent_id != 0 }
+
+        def set(v)
+          super(v.respond_to?(:to_ary) ? v.to_ary : v)
         end
       end
     end
   end
-
 end

data/lib/ruby_smb/dcerpc/pdu_header.rb

@@ -21,7 +21,7 @@ module RubySMB
       end
 
       uint32 :packed_drep, label: 'NDR data representation format label', initial_value: 0x10
-      uint16 :frag_length, label: 'Total length of fragment',             initial_value: -> { parent.do_num_bytes }
+      uint16 :frag_length, label: 'Total length of fragment',             initial_value: -> { parent.num_bytes }
       uint16 :auth_length, label: 'Length of auth_value'
       uint32 :call_id,     label: 'Call identifier',                      initial_value: 1
     end

data/lib/ruby_smb/dcerpc/request.rb

@@ -6,19 +6,51 @@ module RubySMB
       endian :little
 
       pdu_header :pdu_header, label: 'PDU header'
+      uint32     :alloc_hint, label: 'Allocation hint', initial_value: -> { stub.num_bytes }
+      uint16     :p_cont_id,  label: 'Presentation context identification'
+      uint16     :opnum,      label: 'Operation Number'
+      uuid       :object,     label: 'Object UID', onlyif: -> { pdu_header.pfc_flags.object_uuid == 1 }
 
-      uint32 :alloc_hint,     label: 'Allocation hint',  initial_value: -> { stub.do_num_bytes }
-      uint16 :p_cont_id,      label: 'Presentation context identification'
-      uint16 :opnum,          label: 'Operation Number'
-
-      uuid   :object,         label: 'Object UID',      onlyif: -> { pdu_header.pfc_flags.object_uuid == 1 }
-
-      choice :stub, label: 'Stub', selection: -> { opnum } do
-        net_share_enum_all RubySMB::Dcerpc::Srvsvc::NET_SHARE_ENUM_ALL, host: -> { host }
+      choice :stub, label: 'Stub', selection: -> { @obj.parent.get_parameter(:endpoint) || '' } do
+        choice 'Winreg', selection: -> { opnum } do
+          open_root_key_request  RubySMB::Dcerpc::Winreg::OPEN_HKCR, opnum: RubySMB::Dcerpc::Winreg::OPEN_HKCR
+          open_root_key_request  RubySMB::Dcerpc::Winreg::OPEN_HKCU, opnum: RubySMB::Dcerpc::Winreg::OPEN_HKCU
+          open_root_key_request  RubySMB::Dcerpc::Winreg::OPEN_HKLM, opnum: RubySMB::Dcerpc::Winreg::OPEN_HKLM
+          open_root_key_request  RubySMB::Dcerpc::Winreg::OPEN_HKPD, opnum: RubySMB::Dcerpc::Winreg::OPEN_HKPD
+          open_root_key_request  RubySMB::Dcerpc::Winreg::OPEN_HKU,  opnum: RubySMB::Dcerpc::Winreg::OPEN_HKU
+          open_root_key_request  RubySMB::Dcerpc::Winreg::OPEN_HKCC, opnum: RubySMB::Dcerpc::Winreg::OPEN_HKCC
+          open_root_key_request  RubySMB::Dcerpc::Winreg::OPEN_HKPT, opnum: RubySMB::Dcerpc::Winreg::OPEN_HKPT
+          open_root_key_request  RubySMB::Dcerpc::Winreg::OPEN_HKPN, opnum: RubySMB::Dcerpc::Winreg::OPEN_HKPN
+          close_key_request      RubySMB::Dcerpc::Winreg::REG_CLOSE_KEY
+          enum_key_request       RubySMB::Dcerpc::Winreg::REG_ENUM_KEY
+          enum_value_request     RubySMB::Dcerpc::Winreg::REG_ENUM_VALUE
+          open_key_request       RubySMB::Dcerpc::Winreg::REG_OPEN_KEY
+          query_info_key_request RubySMB::Dcerpc::Winreg::REG_QUERY_INFO_KEY
+          query_value_request    RubySMB::Dcerpc::Winreg::REG_QUERY_VALUE
+          create_key_request     RubySMB::Dcerpc::Winreg::REG_CREATE_KEY
+          save_key_request       RubySMB::Dcerpc::Winreg::REG_SAVE_KEY
+          string                 :default
+        end
+        choice 'Srvsvc', selection: -> { opnum } do
+          net_share_enum_all RubySMB::Dcerpc::Srvsvc::NET_SHARE_ENUM_ALL, host: -> { host rescue '' }
+          string             :default
+        end
+        choice 'Svcctl', selection: -> { opnum } do
+          open_sc_manager_w_request       RubySMB::Dcerpc::Svcctl::OPEN_SC_MANAGER_W
+          open_service_w_request          RubySMB::Dcerpc::Svcctl::OPEN_SERVICE_W
+          query_service_status_request    RubySMB::Dcerpc::Svcctl::QUERY_SERVICE_STATUS
+          query_service_config_w_request  RubySMB::Dcerpc::Svcctl::QUERY_SERVICE_CONFIG_W
+          change_service_config_w_request RubySMB::Dcerpc::Svcctl::CHANGE_SERVICE_CONFIG_W
+          start_service_w_request         RubySMB::Dcerpc::Svcctl::START_SERVICE_W
+          control_service_request         RubySMB::Dcerpc::Svcctl::CONTROL_SERVICE
+          close_service_handle_request    RubySMB::Dcerpc::Svcctl::CLOSE_SERVICE_HANDLE
+          string                          :default
+        end
+        string :default
       end
 
       string :auth_verifier, label: 'Authentication verifier',
-        onlyif: -> { pdu_header.auth_length > 0 },
+        onlyif:      -> { pdu_header.auth_length > 0 },
         read_length: -> { pdu_header.auth_length }
 
       def initialize_instance