ruby_smb 2.0.2 → 2.0.3

data/examples/write_file.rb

@@ -9,18 +9,20 @@
 require 'bundler/setup'
 require 'ruby_smb'
 
-address  = ARGV[0]
-username = ARGV[1]
-password = ARGV[2]
-share    = ARGV[3]
-file     = ARGV[4]
-data     = ARGV[5]
+address      = ARGV[0]
+username     = ARGV[1]
+password     = ARGV[2]
+share        = ARGV[3]
+file         = ARGV[4]
+data         = ARGV[5]
+smb_versions = ARGV[6]&.split(',') || ['1','2','3']
+
 path     = "\\\\#{address}\\#{share}"
 
 sock = TCPSocket.new address, 445
 dispatcher = RubySMB::Dispatcher::Socket.new(sock)
 
-client = RubySMB::Client.new(dispatcher, smb1: true, smb2: true, username: username, password: password)
+client = RubySMB::Client.new(dispatcher, smb1: smb_versions.include?('1'), smb2: smb_versions.include?('2'), smb3: smb_versions.include?('3'), username: username, password: password)
 protocol = client.negotiate
 status = client.authenticate
 

data/lib/ruby_smb/client.rb

@@ -160,9 +160,16 @@ module RubySMB
 
     # The UID set in SMB1
     # @!attribute [rw] user_id
-    #   @return [String]
+    #   @return [Integer]
     attr_accessor :user_id
 
+    # The Process ID set in SMB1
+    # It is randomly generated during the client initialization, but can
+    # be modified using the accessor.
+    # @!attribute [rw] pid
+    #   @return [Integer]
+    attr_accessor :pid
+
     # The maximum size SMB message that the Client accepts (in bytes)
     # The default value is equal to {MAX_BUFFER_SIZE}.
     # @!attribute [rw] max_buffer_size
@@ -258,6 +265,14 @@ module RubySMB
     #   @return [Integer] the negotiated SMB version
     attr_accessor :negotiated_smb_version
 
+    # Whether or not the server supports multi-credit operations. It is
+    # reported by the LARGE_MTU capabiliy as part of the negotiation process
+    # (SMB 2.x and 3.x).
+    # @!attribute [rw] server_supports_multi_credit
+    #   @return [Boolean] true if the server supports multi-credit operations,
+    #   false otherwise
+    attr_accessor :server_supports_multi_credit
+
     # @param dispatcher [RubySMB::Dispatcher::Socket] the packet dispatcher to use
     # @param smb1 [Boolean] whether or not to enable SMB1 support
     # @param smb2 [Boolean] whether or not to enable SMB2 support
@@ -268,6 +283,7 @@ module RubySMB
         raise ArgumentError, 'You must enable at least one Protocol'
       end
       @dispatcher        = dispatcher
+      @pid               = rand(0xFFFF)
       @domain            = domain
       @local_workstation = local_workstation
       @password          = password.encode('utf-8') || ''.encode('utf-8')
@@ -285,6 +301,7 @@ module RubySMB
       @server_max_read_size   = RubySMB::SMB2::File::MAX_PACKET_SIZE
       @server_max_write_size  = RubySMB::SMB2::File::MAX_PACKET_SIZE
       @server_max_transact_size = RubySMB::SMB2::File::MAX_PACKET_SIZE
+      @server_supports_multi_credit = false
 
       # SMB 3.x options
       @session_encrypt_data = always_encrypt
@@ -344,7 +361,7 @@ module RubySMB
     # @param packet [RubySMB::GenericPacket] the packet to set the message id for
     # @return [RubySMB::GenericPacket] the modified packet
     def increment_smb_message_id(packet)
-      packet.smb2_header.message_id = smb2_message_id
+      packet.smb2_header.message_id = self.smb2_message_id
       self.smb2_message_id += 1
       packet
     end
@@ -427,7 +444,8 @@ module RubySMB
       version = packet.packet_smb_version
       case version
       when 'SMB1'
-        packet.smb_header.uid = user_id if user_id
+        packet.smb_header.uid = self.user_id if self.user_id
+        packet.smb_header.pid_low = self.pid if self.pid
         packet = smb1_sign(packet)
       when 'SMB2'
         packet = increment_smb_message_id(packet)
@@ -443,35 +461,32 @@ module RubySMB
         packet = packet
       end
 
+      encrypt_data = false
       if can_be_encrypted?(packet) && encryption_supported? && (@session_encrypt_data || encrypt)
-        send_encrypt(packet)
-        raw_response = recv_encrypt
-        loop do
-          break unless is_status_pending?(raw_response)
-          sleep 1
-          raw_response = recv_encrypt
-        end
-      else
-        dispatcher.send_packet(packet)
-        raw_response = dispatcher.recv_packet
-        loop do
-          break unless is_status_pending?(raw_response)
-          sleep 1
-          raw_response = dispatcher.recv_packet
-        end unless version == 'SMB1'
+        encrypt_data = true
       end
+      send_packet(packet, encrypt: encrypt_data)
+      raw_response = recv_packet(encrypt: encrypt_data)
+      smb2_header = nil
+      loop do
+        smb2_header = RubySMB::SMB2::SMB2Header.read(raw_response)
+        break unless is_status_pending?(smb2_header)
+        sleep 1
+        raw_response = recv_packet(encrypt: encrypt_data)
+      end unless version == 'SMB1'
 
       self.sequence_counter += 1 if signing_required && !session_key.empty?
+      # update the SMB2 message ID according to the received Credit Charged
+      self.smb2_message_id += smb2_header.credit_charge - 1 if smb2_header && self.dialect != '0x0202'
       raw_response
     end
 
     # Check if the response is an asynchronous operation with STATUS_PENDING
     # status code.
     #
-    # @param raw_response [String] the raw response packet
+    # @param smb2_header [String] the response packet SMB2 header
     # @return [Boolean] true if it is a status pending operation, false otherwise
-    def is_status_pending?(raw_response)
-      smb2_header = RubySMB::SMB2::SMB2Header.read(raw_response)
+    def is_status_pending?(smb2_header)
       value = smb2_header.nt_status.value
       status_code = WindowsError::NTStatus.find_by_retval(value).first
       status_code == WindowsError::NTStatus::STATUS_PENDING &&
@@ -497,37 +512,50 @@ module RubySMB
       ['0x0300', '0x0302', '0x0311'].include?(@dialect)
     end
 
-    # Encrypt and send a packet
-    def send_encrypt(packet)
-      begin
-        transform_request = smb3_encrypt(packet.to_binary_s)
-      rescue RubySMB::Error::RubySMBError => e
-        raise RubySMB::Error::EncryptionError, "Error while encrypting #{packet.class.name} packet (SMB #{@dialect}): #{e}"
+    # Encrypt (if required) and send a packet.
+    #
+    # @param encrypt [Boolean] true if the packet should be encrypted, false
+    #   otherwise
+    def send_packet(packet, encrypt: false)
+      if encrypt
+        begin
+          packet = smb3_encrypt(packet.to_binary_s)
+        rescue RubySMB::Error::RubySMBError => e
+          raise RubySMB::Error::EncryptionError, "Error while encrypting #{packet.class.name} packet (SMB #{@dialect}): #{e}"
+        end
       end
-      dispatcher.send_packet(transform_request)
+      dispatcher.send_packet(packet)
     end
 
-    # Receives the raw response through the Dispatcher and decrypt the packet.
+    # Receives the raw response through the Dispatcher and decrypt the packet (if required).
     #
+    # @param encrypt [Boolean] true if the packet is encrypted, false otherwise
     # @return [String] the raw unencrypted packet
-    def recv_encrypt
+    def recv_packet(encrypt: false)
       begin
         raw_response = dispatcher.recv_packet
       rescue RubySMB::Error::CommunicationError => e
-        raise RubySMB::Error::EncryptionError, "Communication error with the "\
-          "remote host: #{e.message}. The server supports encryption but was "\
-          "not able to handle the encrypted request."
-      end
-      begin
-        transform_response = RubySMB::SMB2::Packet::TransformHeader.read(raw_response)
-      rescue IOError
-        raise RubySMB::Error::InvalidPacket, 'Not a SMB2 TransformHeader packet'
+        if encrypt
+          raise RubySMB::Error::EncryptionError, "Communication error with the "\
+            "remote host: #{e.message}. The server supports encryption but was "\
+            "not able to handle the encrypted request."
+        else
+          raise e
+        end
       end
-      begin
-        smb3_decrypt(transform_response)
-      rescue RubySMB::Error::RubySMBError => e
-        raise RubySMB::Error::EncryptionError, "Error while decrypting #{transform_response.class.name} packet (SMB #@dialect}): #{e}"
+      if encrypt
+        begin
+          transform_response = RubySMB::SMB2::Packet::TransformHeader.read(raw_response)
+        rescue IOError
+          raise RubySMB::Error::InvalidPacket, 'Not a SMB2 TransformHeader packet'
+        end
+        begin
+          raw_response = smb3_decrypt(transform_response)
+        rescue RubySMB::Error::RubySMBError => e
+          raise RubySMB::Error::EncryptionError, "Error while decrypting #{transform_response.class.name} packet (SMB #@dialect}): #{e}"
+        end
       end
+      raw_response
     end
 
     # Connects to the supplied share
@@ -568,6 +596,7 @@ module RubySMB
       self.smb2_message_id  = 0
       self.client_encryption_key = nil
       self.server_encryption_key = nil
+      self.server_supports_multi_credit = false
     end
 
     # Requests a NetBIOS Session Service using the provided name.
@@ -605,7 +634,7 @@ module RubySMB
       session_request.session_header.session_packet_type = RubySMB::Nbss::SESSION_REQUEST
       session_request.called_name  = called_name
       session_request.calling_name = calling_name
-      session_request.session_header.packet_length =
+      session_request.session_header.stream_protocol_length =
         session_request.num_bytes - session_request.session_header.num_bytes
       session_request
     end

data/lib/ruby_smb/client/negotiation.rb

@@ -140,6 +140,7 @@ module RubySMB
           self.server_guid = packet.server_guid
           self.server_start_time = packet.server_start_time.to_time if packet.server_start_time != 0
           self.server_system_time = packet.system_time.to_time if packet.system_time != 0
+          self.server_supports_multi_credit = self.dialect != '0x0202' && packet&.capabilities&.large_mtu == 1
           case self.dialect
           when '0x02ff'
           when '0x0300', '0x0302'

data/lib/ruby_smb/dcerpc.rb

@@ -10,9 +10,11 @@ module RubySMB
     require 'ruby_smb/dcerpc/ptypes'
     require 'ruby_smb/dcerpc/p_syntax_id_t'
     require 'ruby_smb/dcerpc/rrp_unicode_string'
+    require 'ruby_smb/dcerpc/rpc_security_attributes'
     require 'ruby_smb/dcerpc/pdu_header'
     require 'ruby_smb/dcerpc/srvsvc'
     require 'ruby_smb/dcerpc/winreg'
+    require 'ruby_smb/dcerpc/svcctl'
     require 'ruby_smb/dcerpc/request'
     require 'ruby_smb/dcerpc/response'
     require 'ruby_smb/dcerpc/bind'

data/lib/ruby_smb/dcerpc/error.rb

@@ -13,6 +13,9 @@ module RubySMB
 
       # Raised when an error is returned during a Winreg operation
       class WinregError < DcerpcError; end
+
+      # Raised when an error is returned during a Svcctl operation
+      class SvcctlError < DcerpcError; end
     end
   end
 end

data/lib/ruby_smb/dcerpc/ndr.rb

@@ -7,64 +7,88 @@ module RubySMB
       VER_MAJOR = 2
       VER_MINOR = 0
 
-      # An NDR Top-level Full Pointers representation as defined in
-      # [Transfer Syntax NDR - Top-level Full Pointers](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_11_01)
-      # This class must be inherited and the subclass must have a #referent protperty
-      class NdrTopLevelFullPointer < BinData::Primitive
+
+      # An NDR Conformant and Varying String representation as defined in
+      # [Transfer Syntax NDR - Conformant and Varying Strings](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_04_02)
+      # The string elements are Stringz16 (unicode)
+      class NdrString < BinData::Primitive
         endian :little
 
-        uint32 :referent_identifier, initial_value: 0x00020000
+        uint32    :max_count
+        uint32    :offset, initial_value: 0
+        uint32    :actual_count
+        stringz16 :str, max_length: -> { actual_count * 2 }, onlyif: -> { actual_count > 0 }
 
         def get
-          is_a_null_pointer? ? 0 : self.referent
+          self.actual_count == 0 ? 0 : self.str
         end
 
         def set(v)
-          if v.is_a?(Integer) && v == 0
-            self.referent_identifier = 0
+          if v == 0
+            self.str.clear
+            self.actual_count = 0
           else
-            self.referent = v
+            v = v.str if v.is_a?(self.class)
+            unless self.str.equal?(v)
+              if v.empty?
+                self.actual_count = 0
+              else
+                self.actual_count = v.to_s.size + 1
+                self.max_count = self.actual_count
+              end
+            end
+            self.str = v.to_s
           end
         end
 
-        def is_a_null_pointer?
-          self.referent_identifier == 0
+        def clear
+          # Make sure #max_count and #offset are not cleared out
+          self.str.clear
+          self.actual_count.clear
+        end
+
+        def to_s
+          self.str.to_s
         end
       end
 
-      # An NDR Conformant and Varying String representation as defined in
-      # [Transfer Syntax NDR - Conformant and Varying Strings](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_04_02)
-      # The string elements are Stringz16 (unicode)
-      class NdrString < BinData::Primitive
+      # An NDR Uni-dimensional Conformant Array of Bytes representation as defined in
+      # [Transfer Syntax NDR - Uni-dimensional Conformant Arrays](https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_03_02)
+      class NdrLpByte < BinData::Primitive
         endian :little
 
-        uint32    :max_count
-        uint32    :offset,     initial_value: 0
-        uint32    :actual_count
-        stringz16 :str,        read_length: -> { actual_count }, onlyif: -> { actual_count > 0 }
+        uint32 :max_count, initial_value: -> { self.elements.size }
+        array  :elements, type: :uint8, read_until: -> { index == self.max_count - 1 }, onlyif: -> { self.max_count > 0 }
 
         def get
-          self.actual_count == 0 ? 0 : self.str
+          self.elements
         end
 
         def set(v)
-          if v.is_a?(Integer) && v == 0
-            self.actual_count = 0
-          else
-            self.str = v
-            self.max_count = self.actual_count = str.to_binary_s.size / 2
-          end
+          v = v.elements if v.is_a?(self.class)
+          self.elements = v.to_ary
+          self.max_count = self.elements.size unless self.elements.equal?(v)
         end
       end
 
-      # A pointer to a NdrString structure
-      class NdrLpStr < NdrTopLevelFullPointer
+      # An NDR Uni-dimensional Conformant-varying Arrays of bytes representation as defined in:
+      # [Transfer Syntax NDR - NDR Constructed Types](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_03_04)
+      class NdrByteArray < BinData::Primitive
         endian :little
 
-        ndr_string :referent, onlyif: -> { !is_a_null_pointer? }
+        uint32 :max_count, initial_value: -> { self.actual_count }
+        uint32 :offset, initial_value: 0
+        uint32 :actual_count, initial_value: -> { self.bytes.size }
+        array  :bytes, :type => :uint8, initial_length: -> { self.actual_count }
 
-        def to_s
-          is_a_null_pointer? ? "\0" : self.referent
+        def get
+          self.bytes
+        end
+
+        def set(v)
+          v = v.bytes if v.is_a?(self.class)
+          self.bytes = v.to_ary
+          self.max_count = self.bytes.size unless self.bytes.equal?(v)
         end
       end
 
@@ -72,6 +96,7 @@ module RubySMB
       # [IDL Data Type Declarations - Basic Type Declarations](http://pubs.opengroup.org/onlinepubs/9629399/apdxn.htm#tagcjh_34_01)
       class NdrContextHandle < BinData::Primitive
         endian :little
+
         uint32 :context_handle_attributes
         uuid   :context_handle_uuid
 
@@ -91,30 +116,170 @@ module RubySMB
         end
       end
 
-      # A pointer to a DWORD
-      class NdrLpDword < NdrTopLevelFullPointer
+      # An NDR Top-level Full Pointers representation as defined in
+      # [Transfer Syntax NDR - Top-level Full Pointers](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_11_01)
+      # This class must be inherited and the subclass must have a #referent property
+      class NdrPointer < BinData::Primitive
         endian :little
 
-        uint32 :referent, onlyif: -> { !is_a_null_pointer? }
+        uint32 :referent_id, initial_value: 0
+
+        def do_read(io)
+          self.referent_id.do_read(io)
+          if process_referent?
+            self.referent.do_read(io) unless self.referent_id == 0
+          end
+        end
+
+        def do_write(io)
+          self.referent_id.do_write(io)
+          if process_referent?
+            self.referent.do_write(io) unless self.referent_id == 0
+          end
+        end
+
+        def set(v)
+          if v == :null
+            self.referent.clear
+            self.referent_id = 0
+          else
+            if self.referent.respond_to?(:set)
+              self.referent.set(v)
+            else
+              self.referent = v
+            end
+            self.referent_id = rand(0xFFFFFFFF) if self.referent_id == 0
+          end
+        end
+
+        def get
+          if self.referent_id == 0
+            :null
+          else
+            self.referent
+          end
+        end
+
+        def process_referent?
+          current_parent = parent
+          loop do
+            return true unless current_parent
+            return false if current_parent.is_a?(NdrStruct)
+            current_parent = current_parent.parent
+          end
+        end
       end
 
-      # An NDR Uni-dimensional Conformant-varying Arrays representation as defined in:
-      # [Transfer Syntax NDR - NDR Constructed Types](http://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_03_04)
-      class NdrLpByte < BinData::Record
+      # A pointer to a NdrString structure
+      class NdrLpStr < NdrPointer
+        endian :little
+
+        ndr_string :referent, onlyif: -> { self.referent_id != 0 }
+      end
+
+      class NdrLpDword < NdrPointer
+        endian :little
+
+        uint32 :referent, onlyif: -> { self.referent_id != 0 }
+      end
+
+      # A pointer to an NDR Uni-dimensional Conformant-varying Arrays of bytes
+      class NdrLpByteArray < NdrPointer
         endian :little
 
-        uint32 :referent_identifier, initial_value: 0x00020000
-        uint32 :max_count,           initial_value: -> { actual_count }, onlyif: -> { referent_identifier != 0 }
-        uint32 :offset,              initial_value: 0,                   onlyif: -> { referent_identifier != 0 }
-        uint32 :actual_count,        initial_value: -> { bytes.size },   onlyif: -> { referent_identifier != 0 }
-        array  :bytes, :type => :uint8, initial_length: -> { actual_count }, onlyif: -> { referent_identifier != 0 }
+        ndr_byte_array :referent, onlyif: -> { self.referent_id != 0 }
+
+        def set(v)
+          if v != :null && v.is_a?(NdrLpByteArray)
+            super(v.referent)
+          else
+            super(v)
+          end
+        end
       end
 
       # A pointer to a Windows FILETIME structure
-      class NdrLpFileTime < NdrTopLevelFullPointer
+      class NdrLpFileTime < NdrPointer
         endian :little
 
-        file_time :referent, onlyif: -> { !is_a_null_pointer? }
+        file_time :referent, onlyif: -> { self.referent_id != 0 }
+      end
+
+      # A generic NDR structure that implements logic to #read and #write
+      # (#to_binary_s) in case the structure contains BinData::Array or
+      # NdrPointer fields. This class must be inherited.
+      class NdrStruct < BinData::Record
+
+        def do_read(io)
+          super(io)
+          each_pair do |_name, field|
+            case field
+            when BinData::Array
+              field.each do |element|
+                next unless element.is_a?(NdrPointer)
+                next if element.referent_id == 0
+                pad = (4 - io.offset % 4) % 4
+                io.seekbytes(pad) if pad > 0
+                element.referent.do_read(io)
+              end
+            when NdrPointer
+              next if field.referent_id == 0
+              pad = (4 - io.offset % 4) % 4
+              io.seekbytes(pad) if pad > 0
+              field.referent.do_read(io)
+            end
+          end
+        end
+
+        def do_write(io)
+          super(io)
+          each_pair do |_name, field|
+            case field
+            when BinData::Array
+              field.each do |element|
+                next unless element.is_a?(NdrPointer)
+                next if element.referent_id == 0
+                pad = (4 - io.offset % 4) % 4
+                io.writebytes("\x00" * pad + element.referent.to_binary_s)
+              end
+            when NdrPointer
+              next if field.referent_id == 0
+              pad = (4 - io.offset % 4) % 4
+              io.writebytes("\x00" * pad + field.referent.to_binary_s)
+            end
+          end
+        end
+      end
+
+      class NdrStringPtrsw < NdrStruct
+        endian :little
+
+        uint32 :max_count, initial_value: -> { self.elements.size }
+        array  :elements, type: :ndr_lp_str, read_until: -> { index == self.max_count - 1 }, onlyif: -> { self.max_count > 0 }
+
+        def get
+          self.elements
+        end
+
+        def set(v)
+          v = v.elements if v.is_a?(self.class)
+          self.elements = v.to_ary
+          self.max_count = self.elements.size unless self.elements.equal?(v)
+        end
+
+        def do_num_bytes
+          to_binary_s.size
+        end
+      end
+
+      class NdrLpStringPtrsw < NdrPointer
+        endian :little
+
+        ndr_string_ptrsw :referent, onlyif: -> { self.referent_id != 0 }
+
+        def set(v)
+          super(v.respond_to?(:to_ary) ? v.to_ary : v)
+        end
       end
     end
   end