ruby_smb 2.0.7 → 2.0.11

data/lib/ruby_smb/gss.rb

@@ -2,6 +2,27 @@ module RubySMB
   # module containing methods required for using the [GSS-API](http://www.rfc-editor.org/rfc/rfc2743.txt)
   # for Secure Protected Negotiation(SPNEGO) in SMB Authentication.
   module Gss
+    require 'ruby_smb/gss/provider'
+
+    OID_SPNEGO = OpenSSL::ASN1::ObjectId.new('1.3.6.1.5.5.2')
+    OID_NEGOEX = OpenSSL::ASN1::ObjectId.new('1.3.6.1.4.1.311.2.2.30')
+    OID_NTLMSSP = OpenSSL::ASN1::ObjectId.new('1.3.6.1.4.1.311.2.2.10')
+
+    # Allow safe navigation of a decoded ASN.1 data structure. Similar to Ruby's
+    # builtin Hash#dig method but using the #value attribute of each ASN object.
+    #
+    # @param asn The ASN object to apply the traversal path on.
+    # @param [Array] path The path to traverse, each element is passed to the
+    #   ASN object's #value's #[] operator.
+    def self.asn1dig(asn, *path)
+      path.each do |part|
+        return nil unless asn&.value
+        asn = asn.value[part]
+      end
+
+      asn
+    end
+
     # Cargo culted from Rex. Hacked Together ASN1 encoding that works for our GSS purposes
     # @todo Document these magic numbers
     def self.asn1encode(str = '')
@@ -25,78 +46,50 @@ module RubySMB
     end
 
     # Create a GSS Security Blob of an NTLM Type 1 Message.
-    # This code has been cargo culted and needs to be researched
-    # and refactored into something better later.
-    # @todo Refactor this into non-magical code
     def self.gss_type1(type1)
-      "\x60".force_encoding('binary') + asn1encode(
-        "\x06".force_encoding('binary') + asn1encode(
-          "\x2b\x06\x01\x05\x05\x02".force_encoding('binary')
-        ) +
-          "\xa0".force_encoding('binary') + asn1encode(
-            "\x30".force_encoding('binary') + asn1encode(
-              "\xa0".force_encoding('binary') + asn1encode(
-                "\x30".force_encoding('binary') + asn1encode(
-                  "\x06".force_encoding('binary') + asn1encode(
-                    "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a".force_encoding('binary')
-                  )
-                )
-              ) +
-                "\xa2".force_encoding('binary') + asn1encode(
-                  "\x04".force_encoding('binary') + asn1encode(
-                    type1
-                  )
-                )
-            )
-          )
-      )
+      OpenSSL::ASN1::ASN1Data.new([
+        OID_SPNEGO,
+        OpenSSL::ASN1::ASN1Data.new([
+          OpenSSL::ASN1::Sequence.new([
+            OpenSSL::ASN1::ASN1Data.new([
+              OpenSSL::ASN1::Sequence.new([
+                OID_NTLMSSP
+              ])
+            ], 0, :CONTEXT_SPECIFIC),
+            OpenSSL::ASN1::ASN1Data.new([
+              OpenSSL::ASN1::OctetString.new(type1)
+            ], 2, :CONTEXT_SPECIFIC)
+          ])
+        ], 0, :CONTEXT_SPECIFIC)
+      ], 0, :APPLICATION).to_der
     end
 
     # Create a GSS Security Blob of an NTLM Type 2 Message.
-    # This code has been cargo culted and needs to be researched
-    # and refactored into something better later.
     def self.gss_type2(type2)
-      blob =
-        "\xa1" + asn1encode(
-          "\x30" + asn1encode(
-            "\xa0" + asn1encode(
-              "\x0a" + asn1encode(
-                "\x01"
-              )
-            ) +
-              "\xa1" + asn1encode(
-                "\x06" + asn1encode(
-                  "\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a"
-                )
-              ) +
-              "\xa2" + asn1encode(
-                "\x04" + asn1encode(
-                  type2
-                )
-              )
-          )
-        )
-
-      blob
+      OpenSSL::ASN1::ASN1Data.new([
+       OpenSSL::ASN1::Sequence.new([
+         OpenSSL::ASN1::ASN1Data.new([
+           OpenSSL::ASN1::Enumerated.new(OpenSSL::BN.new(1))
+         ], 0, :CONTEXT_SPECIFIC),
+         OpenSSL::ASN1::ASN1Data.new([
+           OID_NTLMSSP
+         ], 1, :CONTEXT_SPECIFIC),
+         OpenSSL::ASN1::ASN1Data.new([
+           OpenSSL::ASN1::OctetString.new(type2)
+         ], 2, :CONTEXT_SPECIFIC)
+       ])
+      ], 1, :CONTEXT_SPECIFIC).to_der
     end
 
     # Create a GSS Security Blob of an NTLM Type 3 Message.
-    # This code has been cargo culted and needs to be researched
-    # and refactored into something better later.
-    # @todo Refactor this into non-magical code
     def self.gss_type3(type3)
-      gss =
-        "\xa1".force_encoding('binary') + asn1encode(
-          "\x30".force_encoding('binary') + asn1encode(
-            "\xa2".force_encoding('binary') + asn1encode(
-              "\x04".force_encoding('binary') + asn1encode(
-                type3
-              )
-            )
-          )
-        )
-
-      gss
+      OpenSSL::ASN1::ASN1Data.new([
+        OpenSSL::ASN1::Sequence.new([
+          OpenSSL::ASN1::ASN1Data.new([
+            OpenSSL::ASN1::OctetString.new(type3)
+          ], 2, :CONTEXT_SPECIFIC)
+        ])
+      ], 1, :CONTEXT_SPECIFIC).to_der
     end
   end
 end

data/lib/ruby_smb/ntlm.rb

@@ -0,0 +1,45 @@
+module RubySMB
+  module NTLM
+    # [[MS-NLMP] 2.2.2.5](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832)
+    NEGOTIATE_FLAGS = {
+      :UNICODE                  => 1 << 0,
+      :OEM                      => 1 << 1,
+      :REQUEST_TARGET           => 1 << 2,
+      :SIGN                     => 1 << 4,
+      :SEAL                     => 1 << 5,
+      :DATAGRAM                 => 1 << 6,
+      :LAN_MANAGER_KEY          => 1 << 7,
+      :NTLM                     => 1 << 9,
+      :NT_ONLY                  => 1 << 10,
+      :ANONYMOUS                => 1 << 11,
+      :OEM_DOMAIN_SUPPLIED      => 1 << 12,
+      :OEM_WORKSTATION_SUPPLIED => 1 << 13,
+      :ALWAYS_SIGN              => 1 << 15,
+      :TARGET_TYPE_DOMAIN       => 1 << 16,
+      :TARGET_TYPE_SERVER       => 1 << 17,
+      :TARGET_TYPE_SHARE        => 1 << 18,
+      :EXTENDED_SECURITY        => 1 << 19,
+      :IDENTIFY                 => 1 << 20,
+      :NON_NT_SESSION           => 1 << 22,
+      :TARGET_INFO              => 1 << 23,
+      :VERSION_INFO             => 1 << 25,
+      :KEY128                   => 1 << 29,
+      :KEY_EXCHANGE             => 1 << 30,
+      :KEY56                    => 1 << 31
+    }.freeze
+
+    class OSVersion < BinData::Record
+      endian :big
+
+      uint8  :major
+      uint8  :minor
+      uint16 :build
+      uint32 :ntlm_revision, initial_value: 15
+
+      def to_s
+        "Version #{major}.#{minor} (Build #{build}); NTLM Current Revision #{ntlm_revision}"
+      end
+    end
+  end
+end
+

data/lib/ruby_smb/server/server_client/negotiation.rb

@@ -0,0 +1,155 @@
+require 'securerandom'
+
+module RubySMB
+  class Server
+    class ServerClient
+      module Negotiation
+        #
+        # Handle an SMB negotiation request. Once negotiation is complete, the state will be updated to :session_setup.
+        # At this point the @dialect will have been set along with other dialect-specific values.
+        #
+        # @param [String] raw_request the negotiation request to process
+        def handle_negotiate(raw_request)
+          response = nil
+          case raw_request[0...4].unpack1('L>')
+          when RubySMB::SMB1::SMB_PROTOCOL_ID
+            request = SMB1::Packet::NegotiateRequest.read(raw_request)
+            response = do_negotiate_smb1(request) if request.is_a?(SMB1::Packet::NegotiateRequest)
+          when RubySMB::SMB2::SMB2_PROTOCOL_ID
+            request = SMB2::Packet::NegotiateRequest.read(raw_request)
+            response = do_negotiate_smb2(request) if request.is_a?(SMB2::Packet::NegotiateRequest)
+          end
+
+          if response.nil?
+            disconnect!
+          else
+            send_packet(response)
+          end
+
+          nil
+        end
+
+        def do_negotiate_smb1(request)
+          client_dialects = request.dialects.map(&:dialect_string).map(&:value)
+
+          if client_dialects.include?(Client::SMB1_DIALECT_SMB2_WILDCARD) && \
+              @server.dialects.any? { |dialect| Dialect[dialect].order == Dialect::ORDER_SMB2 }
+            response = SMB2::Packet::NegotiateResponse.new
+            response.smb2_header.credits = 1
+            response.security_mode.signing_enabled = 1
+            response.dialect_revision = SMB2::SMB2_WILDCARD_REVISION
+            response.server_guid = @server.guid
+
+            response.max_transact_size = 0x800000
+            response.max_read_size = 0x800000
+            response.max_write_size = 0x800000
+            response.system_time.set(Time.now)
+            response.security_buffer_offset = response.security_buffer.abs_offset
+            response.security_buffer = process_gss.buffer
+            return response
+          end
+
+          server_dialects = @server.dialects.select { |dialect| Dialect[dialect].order == Dialect::ORDER_SMB1 }
+          dialect = (server_dialects & client_dialects).first
+          if dialect.nil?
+            # 'NT LM 0.12' is currently the only supported dialect
+            # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/80850595-e301-4464-9745-58e4945eb99b
+            response = SMB1::Packet::NegotiateResponse.new
+            response.parameter_block.word_count = 1
+            response.parameter_block.dialect_index = 0xffff
+            response.data_block.byte_count = 0
+            return response
+          end
+
+          response = SMB1::Packet::NegotiateResponseExtended.new
+          response.parameter_block.dialect_index = client_dialects.index(dialect)
+          response.parameter_block.max_mpx_count = 50
+          response.parameter_block.max_number_vcs = 1
+          response.parameter_block.max_buffer_size = 16644
+          response.parameter_block.max_raw_size = 65536
+          server_time = Time.now
+          response.parameter_block.system_time.set(server_time)
+          response.parameter_block.server_time_zone = server_time.utc_offset
+          response.data_block.server_guid = @server.guid
+          response.data_block.security_blob = process_gss.buffer
+
+          @state = :session_setup
+          @dialect = dialect
+          response
+        end
+
+        def do_negotiate_smb2(request)
+          client_dialects = request.dialects.map { |d| "0x%04x" % d }
+          server_dialects = @server.dialects.select { |dialect| Dialect[dialect].order == Dialect::ORDER_SMB2 }
+          dialect = (server_dialects & client_dialects).first
+
+          response = SMB2::Packet::NegotiateResponse.new
+          response.smb2_header.credits = 1
+          response.security_mode.signing_enabled = 1
+          response.server_guid = @server.guid
+          response.max_transact_size = 0x800000
+          response.max_read_size = 0x800000
+          response.max_write_size = 0x800000
+          response.system_time.set(Time.now)
+          if dialect.nil?
+            # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/b39f253e-4963-40df-8dff-2f9040ebbeb1
+            # > If a common dialect is not found, the server MUST fail the request with STATUS_NOT_SUPPORTED.
+            response.smb2_header.nt_status = WindowsError::NTStatus::STATUS_NOT_SUPPORTED.value
+            return response
+          end
+
+          contexts = []
+          hash_algorithm = hash_value = nil
+          if dialect == '0x0311'
+            # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/b39f253e-4963-40df-8dff-2f9040ebbeb1
+            nc = request.find_negotiate_context(SMB2::NegotiateContext::SMB2_PREAUTH_INTEGRITY_CAPABILITIES)
+            hash_algorithm = SMB2::PreauthIntegrityCapabilities::HASH_ALGORITM_MAP[nc&.data&.hash_algorithms&.first]
+            hash_value = "\x00" * 64
+            unless hash_algorithm
+              response.smb2_header.nt_status = WindowsError::NTStatus::STATUS_INVALID_PARAMETER.value
+              return response
+            end
+
+            contexts << SMB2::NegotiateContext.new(
+              context_type: SMB2::NegotiateContext::SMB2_PREAUTH_INTEGRITY_CAPABILITIES,
+              data: {
+                hash_algorithms: [ SMB2::PreauthIntegrityCapabilities::SHA_512 ],
+                salt: SecureRandom.random_bytes(32)
+              }
+            )
+
+            nc = request.find_negotiate_context(SMB2::NegotiateContext::SMB2_ENCRYPTION_CAPABILITIES)
+            cipher = nc&.data&.ciphers&.first
+            cipher = 0 unless SMB2::EncryptionCapabilities::ENCRYPTION_ALGORITHM_MAP.include? cipher
+            contexts << SMB2::NegotiateContext.new(
+              context_type: SMB2::NegotiateContext::SMB2_ENCRYPTION_CAPABILITIES,
+              data: {
+                ciphers: [ cipher ]
+              }
+            )
+          end
+
+          # the order in which the response is built is important to ensure it is valid
+          response.dialect_revision = dialect.to_i(16)
+          response.security_buffer_offset = response.security_buffer.abs_offset
+          response.security_buffer = process_gss.buffer
+          if dialect == '0x0311'
+            response.negotiate_context_offset = response.negotiate_context_list.abs_offset
+            contexts.each { |nc| response.add_negotiate_context(nc) }
+          end
+          @preauth_integrity_hash_algorithm = hash_algorithm
+          @preauth_integrity_hash_value = hash_value
+
+          if dialect == '0x0311'
+            update_preauth_hash(request)
+            update_preauth_hash(response)
+          end
+
+          @state = :session_setup
+          @dialect = dialect
+          response
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/server/server_client/session_setup.rb

@@ -0,0 +1,82 @@
+module RubySMB
+  class Server
+    class ServerClient
+      module SessionSetup
+        #
+        # Setup a new session based on the negotiated dialect. Once session setup is complete, the state will be updated
+        # to :authenticated.
+        #
+        # @param [String] raw_request the session setup request to process
+        def handle_session_setup(raw_request)
+          response = nil
+
+          case metadialect.order
+          when Dialect::ORDER_SMB1
+            request = SMB1::Packet::SessionSetupRequest.read(raw_request)
+            response = do_session_setup_smb1(request)
+          when Dialect::ORDER_SMB2
+            request = SMB2::Packet::SessionSetupRequest.read(raw_request)
+            response = do_session_setup_smb2(request)
+          end
+
+          if response.nil?
+            disconnect!
+          else
+            send_packet(response)
+          end
+
+          nil
+        end
+
+        def do_session_setup_smb1(request)
+          gss_result = process_gss(request.data_block.security_blob)
+          return if gss_result.nil?
+
+          response = SMB1::Packet::SessionSetupResponse.new
+          response.smb_header.pid_low = request.smb_header.pid_low
+          response.smb_header.uid = rand(0x10000)
+          response.smb_header.mid = request.smb_header.mid
+          response.smb_header.nt_status = gss_result.nt_status.value
+          response.smb_header.flags.reply = true
+          response.smb_header.flags2.unicode = true
+          response.smb_header.flags2.extended_security = true
+          unless gss_result.buffer.nil?
+            response.parameter_block.security_blob_length = gss_result.buffer.length
+            response.data_block.security_blob = gss_result.buffer
+          end
+
+          if gss_result.nt_status == WindowsError::NTStatus::STATUS_SUCCESS
+            @state = :authenticated
+            @identity = gss_result.identity
+          end
+
+          response
+        end
+
+        def do_session_setup_smb2(request)
+          gss_result = process_gss(request.buffer)
+          return if gss_result.nil?
+
+          response = SMB2::Packet::SessionSetupResponse.new
+          response.smb2_header.nt_status = gss_result.nt_status.value
+          response.smb2_header.credits = 1
+          response.smb2_header.message_id = @message_id += 1
+          response.smb2_header.session_id = @session_id = @session_id || SecureRandom.random_bytes(4).unpack1('V')
+          response.buffer = gss_result.buffer
+
+          update_preauth_hash(request) if @dialect == '0x0311'
+          if gss_result.nt_status == WindowsError::NTStatus::STATUS_SUCCESS
+            @state = :authenticated
+            @identity = gss_result.identity
+            @session_key = @gss_authenticator.session_key
+          elsif gss_result.nt_status == WindowsError::NTStatus::STATUS_MORE_PROCESSING_REQUIRED && @dialect == '0x0311'
+            update_preauth_hash(response)
+          end
+
+          response
+        end
+      end
+    end
+  end
+end
+

data/lib/ruby_smb/server/server_client.rb

@@ -0,0 +1,163 @@
+module RubySMB
+  class Server
+    # This class represents a single connected client to the server. It stores and processes connection specific related
+    # information.
+    class ServerClient
+
+      require 'ruby_smb/dialect'
+      require 'ruby_smb/signing'
+      require 'ruby_smb/server/server_client/negotiation'
+      require 'ruby_smb/server/server_client/session_setup'
+
+      include RubySMB::Signing
+      include RubySMB::Server::ServerClient::Negotiation
+      include RubySMB::Server::ServerClient::SessionSetup
+
+      attr_reader :dialect, :identity, :state, :session_key
+
+      # @param [Server] server the server that accepted this connection
+      # @param [Dispatcher::Socket] dispatcher the connection's socket dispatcher
+      def initialize(server, dispatcher)
+        @server = server
+        @dispatcher = dispatcher
+        @state = :negotiate
+        @dialect = nil
+        @message_id = 0
+        @session_id = nil
+        @session_key = nil
+        @gss_authenticator = server.gss_provider.new_authenticator(self)
+        @identity = nil
+        @tree_connections = {}
+        @preauth_integrity_hash_algorithm = nil
+        @preauth_integrity_hash_value = nil
+      end
+
+      #
+      # The dialects metadata definition.
+      #
+      # @return [Dialect::Definition]
+      def metadialect
+        Dialect::ALL[@dialect]
+      end
+
+      #
+      # The peername of the connected socket. This is a combination of the IPv4 or IPv6 address and port number.
+      #
+      # @example Parse the value into an IP address
+      #   ::Socket::unpack_sockaddr_in(server_client.getpeername)
+      #
+      # @return [String]
+      def getpeername
+        @dispatcher.tcp_socket.getpeername
+      end
+
+      #
+      # Handle an authenticated request. This is the main handler for all requests after the connection has been
+      # authenticated.
+      #
+      # @param [String] raw_request the request that should be handled
+      def handle_authenticated(raw_request)
+        response = nil
+
+        case raw_request[0...4].unpack1('L>')
+        when RubySMB::SMB1::SMB_PROTOCOL_ID
+          raise NotImplementedError
+        when RubySMB::SMB2::SMB2_PROTOCOL_ID
+          raise NotImplementedError
+        end
+
+        if response.nil?
+          disconnect!
+          return
+        end
+
+        send_packet(response)
+      end
+
+      #
+      # Process a GSS authentication buffer. If no buffer is specified, the request is assumed to be the first in the
+      # negotiation sequence.
+      #
+      # @param [String, nil] buffer the request GSS request buffer that should be processed
+      # @return [Gss::Provider::Result] the result of the processed GSS request
+      def process_gss(buffer=nil)
+        @gss_authenticator.process(buffer)
+      end
+
+      #
+      # Run the processing loop to receive and handle requests. This loop runs until an exception occurs or the
+      # dispatcher socket is closed.
+      #
+      def run
+        loop do
+          begin
+            raw_request = recv_packet
+          rescue RubySMB::Error::CommunicationError
+            break
+          end
+
+          case @state
+          when :negotiate
+            handle_negotiate(raw_request)
+          when :session_setup
+            handle_session_setup(raw_request)
+          when :authenticated
+            handle_authenticated(raw_request)
+          end
+
+          break if @dispatcher.tcp_socket.closed?
+        end
+      end
+
+      #
+      # Disconnect the remote client.
+      #
+      def disconnect!
+        @state = nil
+        @dispatcher.tcp_socket.close
+      end
+
+      #
+      # Receive a single SMB packet from the dispatcher.
+      #
+      # @return [String] the raw packet
+      def recv_packet
+        @dispatcher.recv_packet
+      end
+
+      #
+      # Send a single SMB packet using the dispatcher. If necessary, the packet will be signed.
+      #
+      # @param [GenericPacket] packet the packet to send
+      def send_packet(packet)
+        if @state == :authenticated && @identity != Gss::Provider::IDENTITY_ANONYMOUS && !@session_key.nil?
+          case metadialect.family
+          when Dialect::FAMILY_SMB2
+            packet = smb2_sign(packet)
+          when Dialect::FAMILY_SMB3
+            packet = smb3_sign(packet)
+          end
+        end
+
+        @dispatcher.send_packet(packet)
+      end
+
+      #
+      # Update the preauth integrity hash as used by dialect 3.1.1 for various cryptographic operations. The algorithm
+      # and hash values must have been initialized prior to calling this.
+      #
+      # @param [String] data the data with which to update the preauth integrity hash
+      def update_preauth_hash(data)
+        unless @preauth_integrity_hash_algorithm
+          raise RubySMB::Error::EncryptionError.new(
+            'Cannot compute the Preauth Integrity Hash value: Preauth Integrity Hash Algorithm is nil'
+          )
+        end
+        @preauth_integrity_hash_value = OpenSSL::Digest.digest(
+          @preauth_integrity_hash_algorithm,
+          @preauth_integrity_hash_value + data.to_binary_s
+        )
+      end
+    end
+  end
+end