ruby_smb 1.1.0 → 2.0.4

data/lib/ruby_smb/client/signing.rb

@@ -40,6 +40,25 @@ module RubySMB
         end
         packet
       end
+
+      def smb3_sign(packet)
+        if !session_key.empty? && (signing_required || packet.is_a?(RubySMB::SMB2::Packet::TreeConnectRequest))
+          case @dialect
+          when '0x0300', '0x0302'
+            signing_key = RubySMB::Crypto::KDF.counter_mode(@session_key, "SMB2AESCMAC\x00", "SmbSign\x00")
+          when '0x0311'
+            signing_key = RubySMB::Crypto::KDF.counter_mode(@session_key, "SMBSigningKey\x00", @preauth_integrity_hash_value)
+          else
+            raise RubySMB::Error::SigningError.new('Dialect is incompatible with SMBv3 signing')
+          end
+
+          packet.smb2_header.flags.signed = 1
+          packet.smb2_header.signature = "\x00" * 16
+          hmac = OpenSSL::CMAC.digest('AES', signing_key, packet.to_binary_s)
+          packet.smb2_header.signature = hmac[0, 16]
+        end
+        packet
+      end
     end
   end
 end

data/lib/ruby_smb/client/tree_connect.rb

@@ -33,12 +33,11 @@ module RubySMB
           raise RubySMB::Error::InvalidPacket.new(
             expected_proto: RubySMB::SMB1::SMB_PROTOCOL_ID,
             expected_cmd:   RubySMB::SMB1::Packet::TreeConnectResponse::COMMAND,
-            received_proto: response.smb_header.protocol,
-            received_cmd:   response.smb_header.command
+            packet:         response
           )
         end
         unless response.status_code == WindowsError::NTStatus::STATUS_SUCCESS
-          raise RubySMB::Error::UnexpectedStatusCode, response.status_code.name
+          raise RubySMB::Error::UnexpectedStatusCode, response.status_code
         end
         RubySMB::SMB1::Tree.new(client: self, share: share, response: response)
       end
@@ -55,7 +54,7 @@ module RubySMB
       def smb2_tree_connect(share)
         request = RubySMB::SMB2::Packet::TreeConnectRequest.new
         request.smb2_header.tree_id = 65_535
-        request.encode_path(share)
+        request.path = share
         raw_response = send_recv(request)
         response = RubySMB::SMB2::Packet::TreeConnectResponse.read(raw_response)
         smb2_tree_from_response(share, response)
@@ -73,14 +72,13 @@ module RubySMB
           raise RubySMB::Error::InvalidPacket.new(
             expected_proto: RubySMB::SMB2::SMB2_PROTOCOL_ID,
             expected_cmd:   RubySMB::SMB2::Packet::TreeConnectResponse::COMMAND,
-            received_proto: response.smb2_header.protocol,
-            received_cmd:   response.smb2_header.command
+            packet:         response
           )
         end
         unless response.status_code == WindowsError::NTStatus::STATUS_SUCCESS
-          raise RubySMB::Error::UnexpectedStatusCode, response.status_code.name
+          raise RubySMB::Error::UnexpectedStatusCode, response.status_code
         end
-        RubySMB::SMB2::Tree.new(client: self, share: share, response: response)
+        RubySMB::SMB2::Tree.new(client: self, share: share, response: response, encrypt: response.share_flags.encrypt == 1)
       end
     end
   end

data/lib/ruby_smb/client/utils.rb

@@ -24,43 +24,50 @@ module RubySMB
         last_tree.id
       end
 
-      def open(path, disposition=RubySMB::Dispositions::FILE_OPEN, write: false, read: true)
-         file = last_tree.open_file(filename: path.sub(/^\\/, ''), write: write, read: read, disposition: disposition)
-         @last_file_id = if file.respond_to?(:guid)
-           file.guid.to_binary_s
-         elsif file.respond_to?(:fid)
-           file.fid.to_binary_s
-         end
-         @open_files[@last_file_id] = file
-         @last_file_id
+      def open(path, disposition=RubySMB::Dispositions::FILE_OPEN, write: false, read: true, pipe: false)
+        if pipe
+         file = last_tree.open_pipe(filename: path, write: write, read: read, disposition: disposition)
+        else
+         file = last_tree.open_file(filename: path, write: write, read: read, disposition: disposition)
+        end
+        @last_file_id = if file.respond_to?(:guid)
+          # SMB2 uses guid
+          file.guid.to_binary_s
+        elsif file.respond_to?(:fid)
+          # SMB1 uses fid
+          file.fid.to_binary_s
+        end
+        @open_files[@last_file_id] = file
+        @last_file_id
       end
 
       def create_pipe(path, disposition=RubySMB::Dispositions::FILE_OPEN_IF)
-        open(path.gsub(/\\/, ''), disposition, write: true, read: true)
+        open(path, disposition, write: true, read: true, pipe: true)
       end
 
       #Writes data to an open file handle
-      def write(file_id, offset = 0, data = '', do_recv = true)
+      def write(file_id = last_file_id, offset = 0, data = '', do_recv = true)
         @open_files[file_id].send_recv_write(data: data, offset: offset)
       end
 
-      def read(file_id, offset = 0, length = last_file.size)
+      def read(file_id = last_file_id, offset = 0, length = last_file.size, do_recv = true)
         data = @open_files[file_id].send_recv_read(read_length: length, offset: offset)
         data.bytes
       end
 
-      def delete(path)
-        file = last_tree.open_file(filename: path.sub(/^\\/, ''), delete: true)
+      def delete(path, tree_id = last_tree_id, do_recv = true)
+        tree = @tree_connects.detect{ |tree| tree.id == tree_id }
+        file = tree.open_file(filename: path.sub(/^\\/, ''), delete: true)
         file.delete
         file.close
       end
 
-      def close(file_id, tree_id)
+      def close(file_id = last_file_id, tree_id = last_tree_id, do_recv = true)
        @open_files[file_id].close
       end
 
-      def tree_disconnect(share)
-       @tree_connects.detect{|tree| tree.id == share }.disconnect!
+      def tree_disconnect(tree_id = last_tree_id, do_recv = true)
+       @tree_connects.detect{|tree| tree.id == tree_id }.disconnect!
       end
 
       def native_os

data/lib/ruby_smb/client/winreg.rb

@@ -6,7 +6,7 @@ module RubySMB
         share = "\\\\#{host}\\IPC$"
         tree = @tree_connects.find {|tree| tree.share == share}
         tree = tree_connect(share) unless tree
-        named_pipe = tree.open_file(filename: "winreg", write: true, read: true)
+        named_pipe = tree.open_pipe(filename: "winreg", write: true, read: true)
         if block_given?
           res = yield named_pipe
           named_pipe.close

data/lib/ruby_smb/crypto.rb

@@ -0,0 +1,30 @@
+module RubySMB
+  module Crypto
+    module KDF
+      def self.counter_mode(ki, label, context, length: 128)
+        digest = OpenSSL::Digest.new('SHA256')
+        r = 32
+
+        n = length / 256
+        n = 1 if n == 0
+
+        raise ArgumentError if n > 2**r - 1
+        result = ""
+
+        n.times do |i|
+          input = [i + 1].pack('L>')
+          input << label
+          input << "\x00"
+          input << context
+          input << [length].pack('L>')
+          k = OpenSSL::HMAC.digest(digest, ki, input)
+          result << k
+        end
+
+        return result[0...(length / 8)]
+      rescue OpenSSL::OpenSSLError => e
+        raise RubySMB::Error::EncryptionError, "Crypto::KDF.counter_mode OpenSSL error: #{e.message}"
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc.rb

@@ -10,9 +10,11 @@ module RubySMB
     require 'ruby_smb/dcerpc/ptypes'
     require 'ruby_smb/dcerpc/p_syntax_id_t'
     require 'ruby_smb/dcerpc/rrp_unicode_string'
+    require 'ruby_smb/dcerpc/rpc_security_attributes'
     require 'ruby_smb/dcerpc/pdu_header'
     require 'ruby_smb/dcerpc/srvsvc'
     require 'ruby_smb/dcerpc/winreg'
+    require 'ruby_smb/dcerpc/svcctl'
     require 'ruby_smb/dcerpc/request'
     require 'ruby_smb/dcerpc/response'
     require 'ruby_smb/dcerpc/bind'

data/lib/ruby_smb/dcerpc/error.rb

@@ -13,6 +13,9 @@ module RubySMB
 
       # Raised when an error is returned during a Winreg operation
       class WinregError < DcerpcError; end
+
+      # Raised when an error is returned during a Svcctl operation
+      class SvcctlError < DcerpcError; end
     end
   end
 end

data/lib/ruby_smb/dcerpc/ndr.rb

@@ -7,64 +7,88 @@ module RubySMB
       VER_MAJOR = 2
       VER_MINOR = 0
 
-      # An NDR Top-level Full Pointers representation as defined in
-      # [Transfer Syntax NDR - Top-level Full Pointers](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_11_01)
-      # This class must be inherited and the subclass must have a #referent protperty
-      class NdrTopLevelFullPointer < BinData::Primitive
+
+      # An NDR Conformant and Varying String representation as defined in
+      # [Transfer Syntax NDR - Conformant and Varying Strings](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_04_02)
+      # The string elements are Stringz16 (unicode)
+      class NdrString < BinData::Primitive
         endian :little
 
-        uint32 :referent_identifier, initial_value: 0x00020000
+        uint32    :max_count
+        uint32    :offset, initial_value: 0
+        uint32    :actual_count
+        stringz16 :str, max_length: -> { actual_count * 2 }, onlyif: -> { actual_count > 0 }
 
         def get
-          is_a_null_pointer? ? 0 : self.referent
+          self.actual_count == 0 ? 0 : self.str
         end
 
         def set(v)
-          if v.is_a?(Integer) && v == 0
-            self.referent_identifier = 0
+          if v == 0
+            self.str.clear
+            self.actual_count = 0
           else
-            self.referent = v
+            v = v.str if v.is_a?(self.class)
+            unless self.str.equal?(v)
+              if v.empty?
+                self.actual_count = 0
+              else
+                self.actual_count = v.to_s.size + 1
+                self.max_count = self.actual_count
+              end
+            end
+            self.str = v.to_s
           end
         end
 
-        def is_a_null_pointer?
-          self.referent_identifier == 0
+        def clear
+          # Make sure #max_count and #offset are not cleared out
+          self.str.clear
+          self.actual_count.clear
+        end
+
+        def to_s
+          self.str.to_s
         end
       end
 
-      # An NDR Conformant and Varying String representation as defined in
-      # [Transfer Syntax NDR - Conformant and Varying Strings](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_04_02)
-      # The string elements are Stringz16 (unicode)
-      class NdrString < BinData::Primitive
+      # An NDR Uni-dimensional Conformant Array of Bytes representation as defined in
+      # [Transfer Syntax NDR - Uni-dimensional Conformant Arrays](https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_03_02)
+      class NdrLpByte < BinData::Primitive
         endian :little
 
-        uint32    :max_count
-        uint32    :offset,     initial_value: 0
-        uint32    :actual_count
-        stringz16 :str,        read_length: -> { actual_count }, onlyif: -> { actual_count > 0 }
+        uint32 :max_count, initial_value: -> { self.elements.size }
+        array  :elements, type: :uint8, read_until: -> { index == self.max_count - 1 }, onlyif: -> { self.max_count > 0 }
 
         def get
-          self.actual_count == 0 ? 0 : self.str
+          self.elements
         end
 
         def set(v)
-          if v.is_a?(Integer) && v == 0
-            self.actual_count = 0
-          else
-            self.str = v
-            self.max_count = self.actual_count = str.to_binary_s.size / 2
-          end
+          v = v.elements if v.is_a?(self.class)
+          self.elements = v.to_ary
+          self.max_count = self.elements.size unless self.elements.equal?(v)
         end
       end
 
-      # A pointer to a NdrString structure
-      class NdrLpStr < NdrTopLevelFullPointer
+      # An NDR Uni-dimensional Conformant-varying Arrays of bytes representation as defined in:
+      # [Transfer Syntax NDR - NDR Constructed Types](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_03_04)
+      class NdrByteArray < BinData::Primitive
         endian :little
 
-        ndr_string :referent, onlyif: -> { !is_a_null_pointer? }
+        uint32 :max_count, initial_value: -> { self.actual_count }
+        uint32 :offset, initial_value: 0
+        uint32 :actual_count, initial_value: -> { self.bytes.size }
+        array  :bytes, :type => :uint8, initial_length: -> { self.actual_count }
 
-        def to_s
-          is_a_null_pointer? ? "\0" : self.referent
+        def get
+          self.bytes
+        end
+
+        def set(v)
+          v = v.bytes if v.is_a?(self.class)
+          self.bytes = v.to_ary
+          self.max_count = self.bytes.size unless self.bytes.equal?(v)
         end
       end
 
@@ -72,6 +96,7 @@ module RubySMB
       # [IDL Data Type Declarations - Basic Type Declarations](http://pubs.opengroup.org/onlinepubs/9629399/apdxn.htm#tagcjh_34_01)
       class NdrContextHandle < BinData::Primitive
         endian :little
+
         uint32 :context_handle_attributes
         uuid   :context_handle_uuid
 
@@ -91,30 +116,170 @@ module RubySMB
         end
       end
 
-      # A pointer to a DWORD
-      class NdrLpDword < NdrTopLevelFullPointer
+      # An NDR Top-level Full Pointers representation as defined in
+      # [Transfer Syntax NDR - Top-level Full Pointers](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_11_01)
+      # This class must be inherited and the subclass must have a #referent property
+      class NdrPointer < BinData::Primitive
         endian :little
 
-        uint32 :referent, onlyif: -> { !is_a_null_pointer? }
+        uint32 :referent_id, initial_value: 0
+
+        def do_read(io)
+          self.referent_id.do_read(io)
+          if process_referent?
+            self.referent.do_read(io) unless self.referent_id == 0
+          end
+        end
+
+        def do_write(io)
+          self.referent_id.do_write(io)
+          if process_referent?
+            self.referent.do_write(io) unless self.referent_id == 0
+          end
+        end
+
+        def set(v)
+          if v == :null
+            self.referent.clear
+            self.referent_id = 0
+          else
+            if self.referent.respond_to?(:set)
+              self.referent.set(v)
+            else
+              self.referent = v
+            end
+            self.referent_id = rand(0xFFFFFFFF) if self.referent_id == 0
+          end
+        end
+
+        def get
+          if self.referent_id == 0
+            :null
+          else
+            self.referent
+          end
+        end
+
+        def process_referent?
+          current_parent = parent
+          loop do
+            return true unless current_parent
+            return false if current_parent.is_a?(NdrStruct)
+            current_parent = current_parent.parent
+          end
+        end
       end
 
-      # An NDR Uni-dimensional Conformant-varying Arrays representation as defined in:
-      # [Transfer Syntax NDR - NDR Constructed Types](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_03_04)
-      class NdrLpByte < BinData::Record
+      # A pointer to a NdrString structure
+      class NdrLpStr < NdrPointer
+        endian :little
+
+        ndr_string :referent, onlyif: -> { self.referent_id != 0 }
+      end
+
+      class NdrLpDword < NdrPointer
+        endian :little
+
+        uint32 :referent, onlyif: -> { self.referent_id != 0 }
+      end
+
+      # A pointer to an NDR Uni-dimensional Conformant-varying Arrays of bytes
+      class NdrLpByteArray < NdrPointer
         endian :little
 
-        uint32 :referent_identifier, initial_value: 0x00020000
-        uint32 :max_count,           initial_value: -> { actual_count }, onlyif: -> { referent_identifier != 0 }
-        uint32 :offset,              initial_value: 0,                   onlyif: -> { referent_identifier != 0 }
-        uint32 :actual_count,        initial_value: -> { bytes.size },   onlyif: -> { referent_identifier != 0 }
-        array  :bytes, :type => :uint8, initial_length: -> { actual_count }, onlyif: -> { referent_identifier != 0 }
+        ndr_byte_array :referent, onlyif: -> { self.referent_id != 0 }
+
+        def set(v)
+          if v != :null && v.is_a?(NdrLpByteArray)
+            super(v.referent)
+          else
+            super(v)
+          end
+        end
       end
 
       # A pointer to a Windows FILETIME structure
-      class NdrLpFileTime < NdrTopLevelFullPointer
+      class NdrLpFileTime < NdrPointer
         endian :little
 
-        file_time :referent, onlyif: -> { !is_a_null_pointer? }
+        file_time :referent, onlyif: -> { self.referent_id != 0 }
+      end
+
+      # A generic NDR structure that implements logic to #read and #write
+      # (#to_binary_s) in case the structure contains BinData::Array or
+      # NdrPointer fields. This class must be inherited.
+      class NdrStruct < BinData::Record
+
+        def do_read(io)
+          super(io)
+          each_pair do |_name, field|
+            case field
+            when BinData::Array
+              field.each do |element|
+                next unless element.is_a?(NdrPointer)
+                next if element.referent_id == 0
+                pad = (4 - io.offset % 4) % 4
+                io.seekbytes(pad) if pad > 0
+                element.referent.do_read(io)
+              end
+            when NdrPointer
+              next if field.referent_id == 0
+              pad = (4 - io.offset % 4) % 4
+              io.seekbytes(pad) if pad > 0
+              field.referent.do_read(io)
+            end
+          end
+        end
+
+        def do_write(io)
+          super(io)
+          each_pair do |_name, field|
+            case field
+            when BinData::Array
+              field.each do |element|
+                next unless element.is_a?(NdrPointer)
+                next if element.referent_id == 0
+                pad = (4 - io.offset % 4) % 4
+                io.writebytes("\x00" * pad + element.referent.to_binary_s)
+              end
+            when NdrPointer
+              next if field.referent_id == 0
+              pad = (4 - io.offset % 4) % 4
+              io.writebytes("\x00" * pad + field.referent.to_binary_s)
+            end
+          end
+        end
+      end
+
+      class NdrStringPtrsw < NdrStruct
+        endian :little
+
+        uint32 :max_count, initial_value: -> { self.elements.size }
+        array  :elements, type: :ndr_lp_str, read_until: -> { index == self.max_count - 1 }, onlyif: -> { self.max_count > 0 }
+
+        def get
+          self.elements
+        end
+
+        def set(v)
+          v = v.elements if v.is_a?(self.class)
+          self.elements = v.to_ary
+          self.max_count = self.elements.size unless self.elements.equal?(v)
+        end
+
+        def do_num_bytes
+          to_binary_s.size
+        end
+      end
+
+      class NdrLpStringPtrsw < NdrPointer
+        endian :little
+
+        ndr_string_ptrsw :referent, onlyif: -> { self.referent_id != 0 }
+
+        def set(v)
+          super(v.respond_to?(:to_ary) ? v.to_ary : v)
+        end
       end
     end
   end