RubyGems - ruby_smb - Versions diffs - 2.0.1 → 2.0.6 - Mend

ruby_smb 2.0.1 → 2.0.6

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (143) hide show

data/lib/ruby_smb/client/winreg.rb CHANGED

@@ -6,7 +6,7 @@ module RubySMB
         share = "\\\\#{host}\\IPC$"
         tree = @tree_connects.find {|tree| tree.share == share}
         tree = tree_connect(share) unless tree
-        named_pipe = tree.open_file(filename: "winreg", write: true, read: true)
+        named_pipe = tree.open_pipe(filename: "winreg", write: true, read: true)
         if block_given?
           res = yield named_pipe
           named_pipe.close

data/lib/ruby_smb/dcerpc.rb CHANGED

@@ -10,15 +10,19 @@ module RubySMB
     require 'ruby_smb/dcerpc/ptypes'
     require 'ruby_smb/dcerpc/p_syntax_id_t'
     require 'ruby_smb/dcerpc/rrp_unicode_string'
+    require 'ruby_smb/dcerpc/rpc_security_attributes'
     require 'ruby_smb/dcerpc/pdu_header'
     require 'ruby_smb/dcerpc/srvsvc'
+    require 'ruby_smb/dcerpc/svcctl'
     require 'ruby_smb/dcerpc/winreg'
+    require 'ruby_smb/dcerpc/netlogon'
     require 'ruby_smb/dcerpc/request'
     require 'ruby_smb/dcerpc/response'
     require 'ruby_smb/dcerpc/bind'
     require 'ruby_smb/dcerpc/bind_ack'
     # Bind to the remote server interface endpoint.
     #
     # @param options [Hash] the options to pass to the Bind request packet. At least, :endpoint must but provided with an existing Dcerpc class

data/lib/ruby_smb/dcerpc/error.rb CHANGED

@@ -13,6 +13,9 @@ module RubySMB
       # Raised when an error is returned during a Winreg operation
       class WinregError < DcerpcError; end
+      # Raised when an error is returned during a Svcctl operation
+      class SvcctlError < DcerpcError; end
     end
   end
 end

data/lib/ruby_smb/dcerpc/ndr.rb CHANGED

@@ -7,64 +7,185 @@ module RubySMB
       VER_MAJOR = 2
       VER_MINOR = 0
-      # An NDR Top-level Full Pointers representation as defined in
-      # [Transfer Syntax NDR - Top-level Full Pointers](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_11_01)
-      # This class must be inherited and the subclass must have a #referent protperty
-      class NdrTopLevelFullPointer < BinData::Primitive
+      # An NDR Enum type as defined in
+      # [Transfer Syntax NDR - Enumerated Types](https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_02_05_01)
+      class NdrEnum < BinData::Int16le; end
+      # An NDR Conformant and Varying String representation as defined in
+      # [Transfer Syntax NDR - Conformant and Varying Strings](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_04_02)
+      # The string elements are Stringz16 (unicode)
+      class NdrString < BinData::Primitive
         endian :little
-        uint32 :referent_identifier, initial_value: 0x00020000
+        uint32    :max_count
+        uint32    :offset, initial_value: 0
+        uint32    :actual_count
+        stringz16 :str, max_length: -> { actual_count * 2 }, onlyif: -> { actual_count > 0 }
         def get
-          is_a_null_pointer? ? 0 : self.referent
+          self.actual_count == 0 ? 0 : self.str
         end
         def set(v)
-          if v.is_a?(Integer) && v == 0
-            self.referent_identifier = 0
+          if v == 0
+            self.str.clear
+            self.actual_count = 0
           else
-            self.referent = v
+            v = v.str if v.is_a?(self.class)
+            unless self.str.equal?(v)
+              if v.empty?
+                self.actual_count = 0
+              else
+                self.actual_count = v.to_s.size + 1
+                self.max_count = self.actual_count
+              end
+            end
+            self.str = v.to_s
           end
         end
-        def is_a_null_pointer?
-          self.referent_identifier == 0
+        def clear
+          # Make sure #max_count and #offset are not cleared out
+          self.str.clear
+          self.actual_count.clear
+        end
+        def to_s
+          self.str.to_s
         end
       end
-      # An NDR Conformant and Varying String representation as defined in
-      # [Transfer Syntax NDR - Conformant and Varying Strings](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_04_02)
-      # The string elements are Stringz16 (unicode)
-      class NdrString < BinData::Primitive
+      # An NDR Uni-dimensional Conformant Array of Bytes representation as defined in
+      # [Transfer Syntax NDR - Uni-dimensional Conformant Arrays](https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_03_02)
+      class NdrLpByte < BinData::Primitive
         endian :little
-        uint32    :max_count
-        uint32    :offset,     initial_value: 0
-        uint32    :actual_count
-        stringz16 :str,        read_length: -> { actual_count }, onlyif: -> { actual_count > 0 }
+        uint32 :max_count, initial_value: -> { self.elements.size }
+        array  :elements, type: :uint8, read_until: -> { index == self.max_count - 1 }, onlyif: -> { self.max_count > 0 }
         def get
-          self.actual_count == 0 ? 0 : self.str
+          self.elements
         end
         def set(v)
-          if v.is_a?(Integer) && v == 0
-            self.actual_count = 0
-          else
-            self.str = v
-            self.max_count = self.actual_count = str.to_binary_s.size / 2
-          end
+          v = v.elements if v.is_a?(self.class)
+          self.elements = v.to_ary
+          self.max_count = self.elements.size unless self.elements.equal?(v)
         end
       end
-      # A pointer to a NdrString structure
-      class NdrLpStr < NdrTopLevelFullPointer
+      # An NDR Uni-dimensional Conformant-varying Arrays of bytes representation as defined in:
+      # [Transfer Syntax NDR - NDR Constructed Types](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_03_04)
+      class NdrByteArray < BinData::Primitive
         endian :little
-        ndr_string :referent, onlyif: -> { !is_a_null_pointer? }
+        uint32 :max_count, initial_value: -> { self.actual_count }
+        uint32 :offset, initial_value: 0
+        uint32 :actual_count, initial_value: -> { self.bytes.size }
+        array  :bytes, :type => :uint8, initial_length: -> { self.actual_count }
-        def to_s
-          is_a_null_pointer? ? "\0" : self.referent
+        def get
+          self.bytes
+        end
+        def set(v)
+          v = v.bytes if v.is_a?(self.class)
+          self.bytes = v.to_ary
+          self.max_count = self.bytes.size unless self.bytes.equal?(v)
+        end
+      end
+      # An NDR Uni-dimensional Fixed Array of bytes representation as defined in:
+      # [Transfer Syntax NDR - NDR Constructed Types](https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_03_01)
+      class NdrFixedByteArray < BinData::BasePrimitive
+        optional_parameters :read_length, :length, :pad_byte, :pad_front
+        default_parameters pad_byte: 0
+        mutually_exclusive_parameters :length, :value
+        def initialize_shared_instance
+          if (has_parameter?(:value) || has_parameter?(:asserted_value)) && !has_parameter?(:read_length)
+            extend WarnNoReadLengthPlugin
+          end
+          super
+        end
+        def assign(val)
+          super(fixed_byte_array(val))
+        end
+        def snapshot
+          clamp_to_length(super)
+        end
+        class << self
+          def arg_processor
+            NdrFixedByteArrayArgProcessor.new
+          end
+        end
+        private
+        def clamp_to_length(val)
+          val = fixed_byte_array(val)
+          len = eval_parameter(:length) || val.length
+          if val.length > len
+            val = val.first(len)
+          elsif val.length < len
+            pad = eval_parameter(:pad_byte)
+            if get_parameter(:pad_front)
+              val = val.insert(0, *Array.new(len - val.length, pad))
+            else
+              val = val.fill(pad, val.length...len)
+            end
+          end
+          val
+        end
+        def fixed_byte_array(val)
+          val = val.bytes if val.is_a? String
+          val.to_ary
+        end
+        def read_and_return_value(io)
+          len = eval_parameter(:read_length) || eval_parameter(:length) || 0
+          io.readbytes(len)
+        end
+        def sensible_default
+          [ ]
+        end
+        def value_to_binary_string(val)
+          clamp_to_length(val).pack('C*')
+        end
+        class NdrFixedByteArrayArgProcessor < BinData::BaseArgProcessor
+          def sanitize_parameters!(obj_class, obj_params)
+            obj_params.must_be_integer(:length, :pad_byte)
+            obj_params.sanitize(:pad_byte) { |byte| sanitized_pad_byte(byte) }
+          end
+          private
+          def sanitized_pad_byte(byte)
+            if byte.is_a?(String)
+              raise ArgumentError, ':pad_byte must not contain more than 1 byte' if byte.bytesize > 1
+              byte = byte.ord
+            end
+            raise ArgumentError, ':pad_byte must be within the range of 0 - 255' unless ((byte >= 0) && (byte <= 255))
+            byte
+          end
+        end
+        # Warns when reading if :value && no :read_length
+        module WarnNoReadLengthPlugin
+          def read_and_return_value(io)
+            warn "#{debug_name} does not have a :read_length parameter - returning empty array"
+            ""
+          end
         end
       end
@@ -72,6 +193,7 @@ module RubySMB
       # [IDL Data Type Declarations - Basic Type Declarations](http://pubs.opengroup.org/onlinepubs/9629399/apdxn.htm#tagcjh_34_01)
       class NdrContextHandle < BinData::Primitive
         endian :little
         uint32 :context_handle_attributes
         uuid   :context_handle_uuid
@@ -91,30 +213,170 @@ module RubySMB
         end
       end
-      # A pointer to a DWORD
-      class NdrLpDword < NdrTopLevelFullPointer
+      # An NDR Top-level Full Pointers representation as defined in
+      # [Transfer Syntax NDR - Top-level Full Pointers](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_11_01)
+      # This class must be inherited and the subclass must have a #referent property
+      class NdrPointer < BinData::Primitive
         endian :little
-        uint32 :referent, onlyif: -> { !is_a_null_pointer? }
+        uint32 :referent_id, initial_value: 0
+        def do_read(io)
+          self.referent_id.do_read(io)
+          if process_referent?
+            self.referent.do_read(io) unless self.referent_id == 0
+          end
+        end
+        def do_write(io)
+          self.referent_id.do_write(io)
+          if process_referent?
+            self.referent.do_write(io) unless self.referent_id == 0
+          end
+        end
+        def set(v)
+          if v == :null
+            self.referent.clear
+            self.referent_id = 0
+          else
+            if self.referent.respond_to?(:set)
+              self.referent.set(v)
+            else
+              self.referent = v
+            end
+            self.referent_id = rand(0xFFFFFFFF) if self.referent_id == 0
+          end
+        end
+        def get
+          if self.referent_id == 0
+            :null
+          else
+            self.referent
+          end
+        end
+        def process_referent?
+          current_parent = parent
+          loop do
+            return true unless current_parent
+            return false if current_parent.is_a?(NdrStruct)
+            current_parent = current_parent.parent
+          end
+        end
       end
-      # An NDR Uni-dimensional Conformant-varying Arrays representation as defined in:
-      # [Transfer Syntax NDR - NDR Constructed Types](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_03_04)
-      class NdrLpByte < BinData::Record
+      # A pointer to a NdrString structure
+      class NdrLpStr < NdrPointer
         endian :little
-        uint32 :referent_identifier, initial_value: 0x00020000
-        uint32 :max_count,           initial_value: -> { actual_count }, onlyif: -> { referent_identifier != 0 }
-        uint32 :offset,              initial_value: 0,                   onlyif: -> { referent_identifier != 0 }
-        uint32 :actual_count,        initial_value: -> { bytes.size },   onlyif: -> { referent_identifier != 0 }
-        array  :bytes, :type => :uint8, initial_length: -> { actual_count }, onlyif: -> { referent_identifier != 0 }
+        ndr_string :referent, onlyif: -> { self.referent_id != 0 }
+      end
+      class NdrLpDword < NdrPointer
+        endian :little
+        uint32 :referent, onlyif: -> { self.referent_id != 0 }
+      end
+      # A pointer to an NDR Uni-dimensional Conformant-varying Arrays of bytes
+      class NdrLpByteArray < NdrPointer
+        endian :little
+        ndr_byte_array :referent, onlyif: -> { self.referent_id != 0 }
+        def set(v)
+          if v != :null && v.is_a?(NdrLpByteArray)
+            super(v.referent)
+          else
+            super(v)
+          end
+        end
       end
       # A pointer to a Windows FILETIME structure
-      class NdrLpFileTime < NdrTopLevelFullPointer
+      class NdrLpFileTime < NdrPointer
+        endian :little
+        file_time :referent, onlyif: -> { self.referent_id != 0 }
+      end
+      # A generic NDR structure that implements logic to #read and #write
+      # (#to_binary_s) in case the structure contains BinData::Array or
+      # NdrPointer fields. This class must be inherited.
+      class NdrStruct < BinData::Record
+        def do_read(io)
+          super(io)
+          each_pair do |_name, field|
+            case field
+            when BinData::Array
+              field.each do |element|
+                next unless element.is_a?(NdrPointer)
+                next if element.referent_id == 0
+                pad = (4 - io.offset % 4) % 4
+                io.seekbytes(pad) if pad > 0
+                element.referent.do_read(io)
+              end
+            when NdrPointer
+              next if field.referent_id == 0
+              pad = (4 - io.offset % 4) % 4
+              io.seekbytes(pad) if pad > 0
+              field.referent.do_read(io)
+            end
+          end
+        end
+        def do_write(io)
+          super(io)
+          each_pair do |_name, field|
+            case field
+            when BinData::Array
+              field.each do |element|
+                next unless element.is_a?(NdrPointer)
+                next if element.referent_id == 0
+                pad = (4 - io.offset % 4) % 4
+                io.writebytes("\x00" * pad + element.referent.to_binary_s)
+              end
+            when NdrPointer
+              next if field.referent_id == 0
+              pad = (4 - io.offset % 4) % 4
+              io.writebytes("\x00" * pad + field.referent.to_binary_s)
+            end
+          end
+        end
+      end
+      class NdrStringPtrsw < NdrStruct
+        endian :little
+        uint32 :max_count, initial_value: -> { self.elements.size }
+        array  :elements, type: :ndr_lp_str, read_until: -> { index == self.max_count - 1 }, onlyif: -> { self.max_count > 0 }
+        def get
+          self.elements
+        end
+        def set(v)
+          v = v.elements if v.is_a?(self.class)
+          self.elements = v.to_ary
+          self.max_count = self.elements.size unless self.elements.equal?(v)
+        end
+        def do_num_bytes
+          to_binary_s.size
+        end
+      end
+      class NdrLpStringPtrsw < NdrPointer
         endian :little
-        file_time :referent, onlyif: -> { !is_a_null_pointer? }
+        ndr_string_ptrsw :referent, onlyif: -> { self.referent_id != 0 }
+        def set(v)
+          super(v.respond_to?(:to_ary) ? v.to_ary : v)
+        end
       end
     end
   end

data/lib/ruby_smb/dcerpc/netlogon.rb ADDED

@@ -0,0 +1,101 @@
+module RubySMB
+  module Dcerpc
+    module Netlogon
+      # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/592edbc8-f6f1-40c0-9ab3-fe6725ac6d7e
+      UUID = '12345678-1234-abcd-ef00-01234567cffb'
+      VER_MAJOR = 1
+      VER_MINOR = 0
+      # Operation numbers
+      NETR_SERVER_REQ_CHALLENGE = 4
+      NETR_SERVER_AUTHENTICATE3 = 26
+      NETR_SERVER_PASSWORD_SET2 = 30
+      # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/3b224201-b531-43e2-8c79-b61f6dea8640
+      class LogonsrvHandle < Ndr::NdrLpStr; end
+      # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/d55e2632-7163-4f6c-b662-4b870e8cc1cd
+      class NetlogonCredential < Ndr::NdrFixedByteArray
+        default_parameters length: 8
+      end
+      # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/76c93227-942a-4687-ab9d-9d972ffabdab
+      class NetlogonAuthenticator < BinData::Record
+        endian :little
+        netlogon_credential :credential
+        uint32              :timestamp
+      end
+      # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f
+      class NetlogonSecureChannelType < Ndr::NdrEnum
+        # enum example from dmendel/bindata#38 https://github.com/dmendel/bindata/issues/38#issuecomment-46397163
+        ALL = {
+          0 => :NullSecureChannel,
+          1 => :MsvApSecureChannel,
+          2 => :WorkstationSecureChannel,
+          3 => :TrustedDnsDomainSecureChannel,
+          4 => :TrustedDomainSecureChannel,
+          5 => :UasServerSecureChannel,
+          6 => :ServerSecureChannel,
+          7 => :CdcServerSecureChannel
+        }
+        ALL.each_pair { |val,sym| const_set(sym.to_s.gsub(/([a-z])([A-Z])/, '\1_\2').upcase, val) }
+        default_parameter assert: -> { ALL.keys.include? value }
+        def as_enum
+          ALL[value]
+        end
+        def assign(val)
+          if val.is_a? Symbol
+            val = ALL.key(val)
+            raise ArgumentError, 'invalid value name' if val.nil?
+          end
+          super
+        end
+      end
+      require 'ruby_smb/dcerpc/netlogon/netr_server_authenticate3_request'
+      require 'ruby_smb/dcerpc/netlogon/netr_server_authenticate3_response'
+      require 'ruby_smb/dcerpc/netlogon/netr_server_password_set2_request'
+      require 'ruby_smb/dcerpc/netlogon/netr_server_password_set2_response'
+      require 'ruby_smb/dcerpc/netlogon/netr_server_req_challenge_request'
+      require 'ruby_smb/dcerpc/netlogon/netr_server_req_challenge_response'
+      # Calculate the netlogon session key from the provided shared secret and
+      # challenges. The shared secret is an NTLM hash.
+      #
+      # @param shared_secret [String] the share secret between the client and the server
+      # @param client_challenge [String] the client challenge portion of the negotiation
+      # @param server_challenge [String] the server challenge portion of the negotiation
+      # @return [String] the session key for encryption
+      def self.calculate_session_key(shared_secret, client_challenge, server_challenge)
+        client_challenge = client_challenge.to_binary_s if client_challenge.is_a? NetlogonCredential
+        server_challenge = server_challenge.to_binary_s if server_challenge.is_a? NetlogonCredential
+        hmac = OpenSSL::HMAC.new(shared_secret, OpenSSL::Digest::SHA256.new)
+        hmac << client_challenge
+        hmac << server_challenge
+        hmac.digest.first(16)
+      end
+      # Encrypt the input data using the specified session key. This is used for
+      # certain Netlogon service operations including the authentication
+      # process. Per the specification, this uses AES-128-CFB8 with an all zero
+      # initialization vector.
+      #
+      # @param session_key [String] the session key to use for encryption (must be 16 bytes long)
+      # @param input_data [String] the data to encrypt
+      # @return [String] the encrypted data
+      def self.encrypt_credential(session_key, input_data)
+        cipher = OpenSSL::Cipher.new('AES-128-CFB8').encrypt
+        cipher.iv = "\x00" * 16
+        cipher.key = session_key
+        cipher.update(input_data) + cipher.final
+      end
+    end
+  end
+end