ruby_smb 2.0.1 → 2.0.6

data/lib/ruby_smb/client/winreg.rb

@@ -6,7 +6,7 @@ module RubySMB
         share = "\\\\#{host}\\IPC$"
         tree = @tree_connects.find {|tree| tree.share == share}
         tree = tree_connect(share) unless tree
-        named_pipe = tree.open_file(filename: "winreg", write: true, read: true)
+        named_pipe = tree.open_pipe(filename: "winreg", write: true, read: true)
         if block_given?
           res = yield named_pipe
           named_pipe.close

data/lib/ruby_smb/dcerpc.rb

@@ -10,15 +10,19 @@ module RubySMB
     require 'ruby_smb/dcerpc/ptypes'
     require 'ruby_smb/dcerpc/p_syntax_id_t'
     require 'ruby_smb/dcerpc/rrp_unicode_string'
+    require 'ruby_smb/dcerpc/rpc_security_attributes'
     require 'ruby_smb/dcerpc/pdu_header'
     require 'ruby_smb/dcerpc/srvsvc'
+    require 'ruby_smb/dcerpc/svcctl'
     require 'ruby_smb/dcerpc/winreg'
+    require 'ruby_smb/dcerpc/netlogon'
     require 'ruby_smb/dcerpc/request'
     require 'ruby_smb/dcerpc/response'
     require 'ruby_smb/dcerpc/bind'
     require 'ruby_smb/dcerpc/bind_ack'
 
 
+
     # Bind to the remote server interface endpoint.
     #
     # @param options [Hash] the options to pass to the Bind request packet. At least, :endpoint must but provided with an existing Dcerpc class

data/lib/ruby_smb/dcerpc/error.rb

@@ -13,6 +13,9 @@ module RubySMB
 
       # Raised when an error is returned during a Winreg operation
       class WinregError < DcerpcError; end
+
+      # Raised when an error is returned during a Svcctl operation
+      class SvcctlError < DcerpcError; end
     end
   end
 end

data/lib/ruby_smb/dcerpc/ndr.rb

@@ -7,64 +7,185 @@ module RubySMB
       VER_MAJOR = 2
       VER_MINOR = 0
 
-      # An NDR Top-level Full Pointers representation as defined in
-      # [Transfer Syntax NDR - Top-level Full Pointers](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_11_01)
-      # This class must be inherited and the subclass must have a #referent protperty
-      class NdrTopLevelFullPointer < BinData::Primitive
+      # An NDR Enum type as defined in
+      # [Transfer Syntax NDR - Enumerated Types](https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_02_05_01)
+      class NdrEnum < BinData::Int16le; end
+
+      # An NDR Conformant and Varying String representation as defined in
+      # [Transfer Syntax NDR - Conformant and Varying Strings](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_04_02)
+      # The string elements are Stringz16 (unicode)
+      class NdrString < BinData::Primitive
         endian :little
 
-        uint32 :referent_identifier, initial_value: 0x00020000
+        uint32    :max_count
+        uint32    :offset, initial_value: 0
+        uint32    :actual_count
+        stringz16 :str, max_length: -> { actual_count * 2 }, onlyif: -> { actual_count > 0 }
 
         def get
-          is_a_null_pointer? ? 0 : self.referent
+          self.actual_count == 0 ? 0 : self.str
         end
 
         def set(v)
-          if v.is_a?(Integer) && v == 0
-            self.referent_identifier = 0
+          if v == 0
+            self.str.clear
+            self.actual_count = 0
           else
-            self.referent = v
+            v = v.str if v.is_a?(self.class)
+            unless self.str.equal?(v)
+              if v.empty?
+                self.actual_count = 0
+              else
+                self.actual_count = v.to_s.size + 1
+                self.max_count = self.actual_count
+              end
+            end
+            self.str = v.to_s
           end
         end
 
-        def is_a_null_pointer?
-          self.referent_identifier == 0
+        def clear
+          # Make sure #max_count and #offset are not cleared out
+          self.str.clear
+          self.actual_count.clear
+        end
+
+        def to_s
+          self.str.to_s
         end
       end
 
-      # An NDR Conformant and Varying String representation as defined in
-      # [Transfer Syntax NDR - Conformant and Varying Strings](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_04_02)
-      # The string elements are Stringz16 (unicode)
-      class NdrString < BinData::Primitive
+      # An NDR Uni-dimensional Conformant Array of Bytes representation as defined in
+      # [Transfer Syntax NDR - Uni-dimensional Conformant Arrays](https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_03_02)
+      class NdrLpByte < BinData::Primitive
         endian :little
 
-        uint32    :max_count
-        uint32    :offset,     initial_value: 0
-        uint32    :actual_count
-        stringz16 :str,        read_length: -> { actual_count }, onlyif: -> { actual_count > 0 }
+        uint32 :max_count, initial_value: -> { self.elements.size }
+        array  :elements, type: :uint8, read_until: -> { index == self.max_count - 1 }, onlyif: -> { self.max_count > 0 }
 
         def get
-          self.actual_count == 0 ? 0 : self.str
+          self.elements
         end
 
         def set(v)
-          if v.is_a?(Integer) && v == 0
-            self.actual_count = 0
-          else
-            self.str = v
-            self.max_count = self.actual_count = str.to_binary_s.size / 2
-          end
+          v = v.elements if v.is_a?(self.class)
+          self.elements = v.to_ary
+          self.max_count = self.elements.size unless self.elements.equal?(v)
         end
       end
 
-      # A pointer to a NdrString structure
-      class NdrLpStr < NdrTopLevelFullPointer
+      # An NDR Uni-dimensional Conformant-varying Arrays of bytes representation as defined in:
+      # [Transfer Syntax NDR - NDR Constructed Types](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_03_04)
+      class NdrByteArray < BinData::Primitive
         endian :little
 
-        ndr_string :referent, onlyif: -> { !is_a_null_pointer? }
+        uint32 :max_count, initial_value: -> { self.actual_count }
+        uint32 :offset, initial_value: 0
+        uint32 :actual_count, initial_value: -> { self.bytes.size }
+        array  :bytes, :type => :uint8, initial_length: -> { self.actual_count }
 
-        def to_s
-          is_a_null_pointer? ? "\0" : self.referent
+        def get
+          self.bytes
+        end
+
+        def set(v)
+          v = v.bytes if v.is_a?(self.class)
+          self.bytes = v.to_ary
+          self.max_count = self.bytes.size unless self.bytes.equal?(v)
+        end
+      end
+
+      # An NDR Uni-dimensional Fixed Array of bytes representation as defined in:
+      # [Transfer Syntax NDR - NDR Constructed Types](https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_03_01)
+      class NdrFixedByteArray < BinData::BasePrimitive
+        optional_parameters :read_length, :length, :pad_byte, :pad_front
+        default_parameters pad_byte: 0
+        mutually_exclusive_parameters :length, :value
+
+        def initialize_shared_instance
+          if (has_parameter?(:value) || has_parameter?(:asserted_value)) && !has_parameter?(:read_length)
+            extend WarnNoReadLengthPlugin
+          end
+          super
+        end
+
+        def assign(val)
+          super(fixed_byte_array(val))
+        end
+
+        def snapshot
+          clamp_to_length(super)
+        end
+
+        class << self
+          def arg_processor
+            NdrFixedByteArrayArgProcessor.new
+          end
+        end
+
+        private
+
+        def clamp_to_length(val)
+          val = fixed_byte_array(val)
+          len = eval_parameter(:length) || val.length
+          if val.length > len
+            val = val.first(len)
+          elsif val.length < len
+            pad = eval_parameter(:pad_byte)
+            if get_parameter(:pad_front)
+              val = val.insert(0, *Array.new(len - val.length, pad))
+            else
+              val = val.fill(pad, val.length...len)
+            end
+          end
+
+          val
+        end
+
+        def fixed_byte_array(val)
+          val = val.bytes if val.is_a? String
+          val.to_ary
+        end
+
+        def read_and_return_value(io)
+          len = eval_parameter(:read_length) || eval_parameter(:length) || 0
+          io.readbytes(len)
+        end
+
+        def sensible_default
+          [ ]
+        end
+
+        def value_to_binary_string(val)
+          clamp_to_length(val).pack('C*')
+        end
+
+        class NdrFixedByteArrayArgProcessor < BinData::BaseArgProcessor
+          def sanitize_parameters!(obj_class, obj_params)
+            obj_params.must_be_integer(:length, :pad_byte)
+            obj_params.sanitize(:pad_byte) { |byte| sanitized_pad_byte(byte) }
+          end
+
+          private
+
+          def sanitized_pad_byte(byte)
+            if byte.is_a?(String)
+              raise ArgumentError, ':pad_byte must not contain more than 1 byte' if byte.bytesize > 1
+
+              byte = byte.ord
+            end
+            raise ArgumentError, ':pad_byte must be within the range of 0 - 255' unless ((byte >= 0) && (byte <= 255))
+
+            byte
+          end
+        end
+
+        # Warns when reading if :value && no :read_length
+        module WarnNoReadLengthPlugin
+          def read_and_return_value(io)
+            warn "#{debug_name} does not have a :read_length parameter - returning empty array"
+            ""
+          end
         end
       end
 
@@ -72,6 +193,7 @@ module RubySMB
       # [IDL Data Type Declarations - Basic Type Declarations](http://pubs.opengroup.org/onlinepubs/9629399/apdxn.htm#tagcjh_34_01)
       class NdrContextHandle < BinData::Primitive
         endian :little
+
         uint32 :context_handle_attributes
         uuid   :context_handle_uuid
 
@@ -91,30 +213,170 @@ module RubySMB
         end
       end
 
-      # A pointer to a DWORD
-      class NdrLpDword < NdrTopLevelFullPointer
+      # An NDR Top-level Full Pointers representation as defined in
+      # [Transfer Syntax NDR - Top-level Full Pointers](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_11_01)
+      # This class must be inherited and the subclass must have a #referent property
+      class NdrPointer < BinData::Primitive
         endian :little
 
-        uint32 :referent, onlyif: -> { !is_a_null_pointer? }
+        uint32 :referent_id, initial_value: 0
+
+        def do_read(io)
+          self.referent_id.do_read(io)
+          if process_referent?
+            self.referent.do_read(io) unless self.referent_id == 0
+          end
+        end
+
+        def do_write(io)
+          self.referent_id.do_write(io)
+          if process_referent?
+            self.referent.do_write(io) unless self.referent_id == 0
+          end
+        end
+
+        def set(v)
+          if v == :null
+            self.referent.clear
+            self.referent_id = 0
+          else
+            if self.referent.respond_to?(:set)
+              self.referent.set(v)
+            else
+              self.referent = v
+            end
+            self.referent_id = rand(0xFFFFFFFF) if self.referent_id == 0
+          end
+        end
+
+        def get
+          if self.referent_id == 0
+            :null
+          else
+            self.referent
+          end
+        end
+
+        def process_referent?
+          current_parent = parent
+          loop do
+            return true unless current_parent
+            return false if current_parent.is_a?(NdrStruct)
+            current_parent = current_parent.parent
+          end
+        end
       end
 
-      # An NDR Uni-dimensional Conformant-varying Arrays representation as defined in:
-      # [Transfer Syntax NDR - NDR Constructed Types](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_03_04)
-      class NdrLpByte < BinData::Record
+      # A pointer to a NdrString structure
+      class NdrLpStr < NdrPointer
         endian :little
 
-        uint32 :referent_identifier, initial_value: 0x00020000
-        uint32 :max_count,           initial_value: -> { actual_count }, onlyif: -> { referent_identifier != 0 }
-        uint32 :offset,              initial_value: 0,                   onlyif: -> { referent_identifier != 0 }
-        uint32 :actual_count,        initial_value: -> { bytes.size },   onlyif: -> { referent_identifier != 0 }
-        array  :bytes, :type => :uint8, initial_length: -> { actual_count }, onlyif: -> { referent_identifier != 0 }
+        ndr_string :referent, onlyif: -> { self.referent_id != 0 }
+      end
+
+      class NdrLpDword < NdrPointer
+        endian :little
+
+        uint32 :referent, onlyif: -> { self.referent_id != 0 }
+      end
+
+      # A pointer to an NDR Uni-dimensional Conformant-varying Arrays of bytes
+      class NdrLpByteArray < NdrPointer
+        endian :little
+
+        ndr_byte_array :referent, onlyif: -> { self.referent_id != 0 }
+
+        def set(v)
+          if v != :null && v.is_a?(NdrLpByteArray)
+            super(v.referent)
+          else
+            super(v)
+          end
+        end
       end
 
       # A pointer to a Windows FILETIME structure
-      class NdrLpFileTime < NdrTopLevelFullPointer
+      class NdrLpFileTime < NdrPointer
+        endian :little
+
+        file_time :referent, onlyif: -> { self.referent_id != 0 }
+      end
+
+      # A generic NDR structure that implements logic to #read and #write
+      # (#to_binary_s) in case the structure contains BinData::Array or
+      # NdrPointer fields. This class must be inherited.
+      class NdrStruct < BinData::Record
+
+        def do_read(io)
+          super(io)
+          each_pair do |_name, field|
+            case field
+            when BinData::Array
+              field.each do |element|
+                next unless element.is_a?(NdrPointer)
+                next if element.referent_id == 0
+                pad = (4 - io.offset % 4) % 4
+                io.seekbytes(pad) if pad > 0
+                element.referent.do_read(io)
+              end
+            when NdrPointer
+              next if field.referent_id == 0
+              pad = (4 - io.offset % 4) % 4
+              io.seekbytes(pad) if pad > 0
+              field.referent.do_read(io)
+            end
+          end
+        end
+
+        def do_write(io)
+          super(io)
+          each_pair do |_name, field|
+            case field
+            when BinData::Array
+              field.each do |element|
+                next unless element.is_a?(NdrPointer)
+                next if element.referent_id == 0
+                pad = (4 - io.offset % 4) % 4
+                io.writebytes("\x00" * pad + element.referent.to_binary_s)
+              end
+            when NdrPointer
+              next if field.referent_id == 0
+              pad = (4 - io.offset % 4) % 4
+              io.writebytes("\x00" * pad + field.referent.to_binary_s)
+            end
+          end
+        end
+      end
+
+      class NdrStringPtrsw < NdrStruct
+        endian :little
+
+        uint32 :max_count, initial_value: -> { self.elements.size }
+        array  :elements, type: :ndr_lp_str, read_until: -> { index == self.max_count - 1 }, onlyif: -> { self.max_count > 0 }
+
+        def get
+          self.elements
+        end
+
+        def set(v)
+          v = v.elements if v.is_a?(self.class)
+          self.elements = v.to_ary
+          self.max_count = self.elements.size unless self.elements.equal?(v)
+        end
+
+        def do_num_bytes
+          to_binary_s.size
+        end
+      end
+
+      class NdrLpStringPtrsw < NdrPointer
         endian :little
 
-        file_time :referent, onlyif: -> { !is_a_null_pointer? }
+        ndr_string_ptrsw :referent, onlyif: -> { self.referent_id != 0 }
+
+        def set(v)
+          super(v.respond_to?(:to_ary) ? v.to_ary : v)
+        end
       end
     end
   end

data/lib/ruby_smb/dcerpc/netlogon.rb

@@ -0,0 +1,101 @@
+module RubySMB
+  module Dcerpc
+    module Netlogon
+
+      # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/592edbc8-f6f1-40c0-9ab3-fe6725ac6d7e
+      UUID = '12345678-1234-abcd-ef00-01234567cffb'
+      VER_MAJOR = 1
+      VER_MINOR = 0
+
+      # Operation numbers
+      NETR_SERVER_REQ_CHALLENGE = 4
+      NETR_SERVER_AUTHENTICATE3 = 26
+      NETR_SERVER_PASSWORD_SET2 = 30
+
+      # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/3b224201-b531-43e2-8c79-b61f6dea8640
+      class LogonsrvHandle < Ndr::NdrLpStr; end
+
+      # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/d55e2632-7163-4f6c-b662-4b870e8cc1cd
+      class NetlogonCredential < Ndr::NdrFixedByteArray
+        default_parameters length: 8
+      end
+
+      # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/76c93227-942a-4687-ab9d-9d972ffabdab
+      class NetlogonAuthenticator < BinData::Record
+        endian :little
+
+        netlogon_credential :credential
+        uint32              :timestamp
+      end
+
+      # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/4d1235e3-2c96-4e9f-a147-3cb338a0d09f
+      class NetlogonSecureChannelType < Ndr::NdrEnum
+        # enum example from dmendel/bindata#38 https://github.com/dmendel/bindata/issues/38#issuecomment-46397163
+        ALL = {
+          0 => :NullSecureChannel,
+          1 => :MsvApSecureChannel,
+          2 => :WorkstationSecureChannel,
+          3 => :TrustedDnsDomainSecureChannel,
+          4 => :TrustedDomainSecureChannel,
+          5 => :UasServerSecureChannel,
+          6 => :ServerSecureChannel,
+          7 => :CdcServerSecureChannel
+        }
+        ALL.each_pair { |val,sym| const_set(sym.to_s.gsub(/([a-z])([A-Z])/, '\1_\2').upcase, val) }
+        default_parameter assert: -> { ALL.keys.include? value }
+
+        def as_enum
+          ALL[value]
+        end
+
+        def assign(val)
+          if val.is_a? Symbol
+            val = ALL.key(val)
+            raise ArgumentError, 'invalid value name' if val.nil?
+          end
+
+          super
+        end
+      end
+
+      require 'ruby_smb/dcerpc/netlogon/netr_server_authenticate3_request'
+      require 'ruby_smb/dcerpc/netlogon/netr_server_authenticate3_response'
+      require 'ruby_smb/dcerpc/netlogon/netr_server_password_set2_request'
+      require 'ruby_smb/dcerpc/netlogon/netr_server_password_set2_response'
+      require 'ruby_smb/dcerpc/netlogon/netr_server_req_challenge_request'
+      require 'ruby_smb/dcerpc/netlogon/netr_server_req_challenge_response'
+
+      # Calculate the netlogon session key from the provided shared secret and
+      # challenges. The shared secret is an NTLM hash.
+      #
+      # @param shared_secret [String] the share secret between the client and the server
+      # @param client_challenge [String] the client challenge portion of the negotiation
+      # @param server_challenge [String] the server challenge portion of the negotiation
+      # @return [String] the session key for encryption
+      def self.calculate_session_key(shared_secret, client_challenge, server_challenge)
+        client_challenge = client_challenge.to_binary_s if client_challenge.is_a? NetlogonCredential
+        server_challenge = server_challenge.to_binary_s if server_challenge.is_a? NetlogonCredential
+
+        hmac = OpenSSL::HMAC.new(shared_secret, OpenSSL::Digest::SHA256.new)
+        hmac << client_challenge
+        hmac << server_challenge
+        hmac.digest.first(16)
+      end
+
+      # Encrypt the input data using the specified session key. This is used for
+      # certain Netlogon service operations including the authentication
+      # process. Per the specification, this uses AES-128-CFB8 with an all zero
+      # initialization vector.
+      #
+      # @param session_key [String] the session key to use for encryption (must be 16 bytes long)
+      # @param input_data [String] the data to encrypt
+      # @return [String] the encrypted data
+      def self.encrypt_credential(session_key, input_data)
+        cipher = OpenSSL::Cipher.new('AES-128-CFB8').encrypt
+        cipher.iv = "\x00" * 16
+        cipher.key = session_key
+        cipher.update(input_data) + cipher.final
+      end
+    end
+  end
+end