ruby_smb 2.0.7 → 2.0.11

data/lib/ruby_smb/server.rb

@@ -0,0 +1,54 @@
+require 'socket'
+
+module RubySMB
+  # This class provides the SMB server core. Settings that are relevant server wide are managed by this object.
+  # Currently, the server only supports negotiating and authenticating requests. No other server functionality is
+  # available at this time. The negotiating and authentication is supported for SMB versions 1 through 3.1.1.
+  class Server
+    require 'ruby_smb/server/server_client'
+    require 'ruby_smb/gss/provider/ntlm'
+
+    Connection = Struct.new(:client, :thread)
+
+    # @param server_sock the socket on which the server should listen
+    # @param [Gss::Provider] the authentication provider
+    def initialize(server_sock: nil, gss_provider: nil)
+      server_sock = ::TCPServer.new(445) if server_sock.nil?
+
+      @guid = Random.new.bytes(16)
+      @socket = server_sock
+      @connections = []
+      @gss_provider = gss_provider || Gss::Provider::NTLM.new
+      # reject the wildcard dialect because it's not a real dialect we can use for this purpose
+      @dialects = RubySMB::Dialect::ALL.keys.reject { |dialect| dialect == "0x%04x" % RubySMB::SMB2::SMB2_WILDCARD_REVISION }.reverse
+    end
+
+    # Run the server and accept any connections. For each connection, the block will be executed if specified. When the
+    # block returns false, the loop will exit and the server will no long accept new connections.
+    def run(&block)
+      loop do
+        sock = @socket.accept
+        server_client = ServerClient.new(self, RubySMB::Dispatcher::Socket.new(sock))
+        @connections << Connection.new(server_client, Thread.new { server_client.run })
+
+        break unless block.nil? || block.call(server_client)
+      end
+    end
+
+    # The dialects that this server will negotiate with clients, in ascending order of preference.
+    # @!attribute [r] dialects
+    #   @return [Array<String>]
+    attr_accessor :dialects
+
+    # The GSS Provider instance that this server will use to authenticate
+    # incoming client connections.
+    # @!attribute [r] gss_provider
+    #   @return [RubySMB::Gss::Provider::Base]
+    attr_reader :gss_provider
+
+    # The 16 byte GUID that uniquely identifies this server instance.
+    # @!attribute [r] guid
+    attr_reader :guid
+  end
+end
+

data/lib/ruby_smb/signing.rb

@@ -0,0 +1,59 @@
+module RubySMB
+  # Contains the methods for handling packet signing
+  module Signing
+    # The NTLM Session Key used for signing
+    # @!attribute [rw] session_key
+    #   @return [String]
+    attr_accessor :session_key
+
+    # Take an SMB1 packet and sign it.
+    #
+    # @param packet [RubySMB::GenericPacket] the packet to sign
+    # @return [RubySMB::GenericPacket] the signed packet
+    def smb1_sign(packet)
+      # Pack the Sequence counter into a int64le
+      packed_sequence_counter = [sequence_counter].pack('Q<')
+      packet.smb_header.security_features = packed_sequence_counter
+      signature = OpenSSL::Digest::MD5.digest(session_key + packet.to_binary_s)[0, 8]
+      packet.smb_header.security_features = signature
+      @sequence_counter += 1
+
+      packet
+    end
+
+    # Take an SMB2 packet and sign it.
+    #
+    # @param packet [RubySMB::GenericPacket] the packet to sign
+    # @return [RubySMB::GenericPacket] the signed packet
+    def smb2_sign(packet)
+      packet.smb2_header.flags.signed = 1
+      packet.smb2_header.signature = "\x00" * 16
+      hmac = OpenSSL::HMAC.digest(OpenSSL::Digest.new('SHA256'), session_key, packet.to_binary_s)
+      packet.smb2_header.signature = hmac[0, 16]
+
+      packet
+    end
+
+    # Take an SMB3 packet and sign it.
+    #
+    # @param packet [RubySMB::GenericPacket] the packet to sign
+    # @return [RubySMB::GenericPacket] the signed packet
+    def smb3_sign(packet)
+      case @dialect
+      when '0x0300', '0x0302'
+        signing_key = Crypto::KDF.counter_mode(@session_key, "SMB2AESCMAC\x00", "SmbSign\x00")
+      when '0x0311'
+        signing_key = Crypto::KDF.counter_mode(@session_key, "SMBSigningKey\x00", @preauth_integrity_hash_value)
+      else
+        raise Error::SigningError.new("Dialect #{@dialect.inspect} is incompatible with SMBv3 signing")
+      end
+
+      packet.smb2_header.flags.signed = 1
+      packet.smb2_header.signature = "\x00" * 16
+      hmac = OpenSSL::CMAC.digest('AES', signing_key, packet.to_binary_s)
+      packet.smb2_header.signature = hmac[0, 16]
+
+      packet
+    end
+  end
+end

data/lib/ruby_smb/smb1/packet/negotiate_response.rb

@@ -8,17 +8,17 @@ module RubySMB
 
         # An SMB_Parameters Block as defined by the {NegotiateResponse}.
         class ParameterBlock < RubySMB::SMB1::ParameterBlock
-          uint16          :dialect_index, label: 'Dialect Index'
-          security_mode   :security_mode
-          uint16          :max_mpx_count,     label: 'Max Multiplex Count'
-          uint16          :max_number_vcs,    label: 'Max Virtual Circuits'
-          uint32          :max_buffer_size,   label: 'Max Buffer Size'
-          uint32          :max_raw_size,      label: 'Max Raw Size'
-          uint32          :session_key,       label: 'Session Key'
-          capabilities    :capabilities
-          file_time       :system_time,       label: 'Server System Time'
-          int16           :server_time_zone,  label: 'Server TimeZone'
-          uint8           :challenge_length,  label: 'Challenge Length', initial_value: 0x08
+          uint16          :dialect_index,     label: 'Dialect Index'
+          security_mode   :security_mode,     onlyif: -> { dialect_index != 0xffff }
+          uint16          :max_mpx_count,     label: 'Max Multiplex Count', onlyif: -> { dialect_index != 0xffff }
+          uint16          :max_number_vcs,    label: 'Max Virtual Circuits', onlyif: -> { dialect_index != 0xffff }
+          uint32          :max_buffer_size,   label: 'Max Buffer Size', onlyif: -> { dialect_index != 0xffff }
+          uint32          :max_raw_size,      label: 'Max Raw Size', onlyif: -> { dialect_index != 0xffff }
+          uint32          :session_key,       label: 'Session Key', onlyif: -> { dialect_index != 0xffff }
+          capabilities    :capabilities,      onlyif: -> { dialect_index != 0xffff }
+          file_time       :system_time,       label: 'Server System Time', onlyif: -> { dialect_index != 0xffff }
+          int16           :server_time_zone,  label: 'Server TimeZone', onlyif: -> { dialect_index != 0xffff }
+          uint8           :challenge_length,  label: 'Challenge Length', initial_value: 0x08, onlyif: -> { dialect_index != 0xffff }
         end
 
         # An SMB_Data Block as defined by the {NegotiateResponse}

data/lib/ruby_smb/smb1/packet/negotiate_response_extended.rb

@@ -8,7 +8,7 @@ module RubySMB
 
         # An SMB_Parameters Block as defined by the {NegotiateResponseExtended}.
         class ParameterBlock < RubySMB::SMB1::ParameterBlock
-          uint16          :dialect_index, label: 'Dialect Index'
+          uint16          :dialect_index,     label: 'Dialect Index'
           security_mode   :security_mode
           uint16          :max_mpx_count,     label: 'Max Multiplex Count'
           uint16          :max_number_vcs,    label: 'Max Virtual Circuits'

data/lib/ruby_smb/smb1/packet/session_setup_request.rb

@@ -47,7 +47,7 @@ module RubySMB
 
         # Takes an NTLM Type 3 Message and creates the GSS Security Blob
         # for it and sets it in the {RubySMB::SMB1::Packet::SessionSetupRequest::DataBlock#security_blob}
-        # field. It also automaticaly sets the length in
+        # field. It also automatically sets the length in
         # {RubySMB::SMB1::Packet::SessionSetupRequest::ParameterBlock#security_blob_length}
         #
         # @param type3_message [String] the serialized Type 3 NTLM message

data/lib/ruby_smb/smb1/tree.rb

@@ -60,7 +60,7 @@ module RubySMB
         opts = opts.dup
         opts[:filename] = opts[:filename].dup
         opts[:filename].prepend('\\') unless opts[:filename].start_with?('\\')
-        open_file(opts)
+        open_file(**opts)
       end
 
       # Open a file on the remote share.

data/lib/ruby_smb/smb2/negotiate_context.rb

@@ -69,9 +69,22 @@ module RubySMB
     class NetnameNegotiateContextId < BinData::Record
       endian  :little
 
-      stringz16 :net_name, label: 'Net Name'
+      count_bytes_remaining :bytes_remaining
+      default_parameter data_length: nil
+      hide :bytes_remaining
+
+      string16 :net_name, label: 'Net Name', read_length: -> { data_length.nil? ? bytes_remaining : data_length }
     end
 
+    # An SMB2 TRANSPORT_CAPABILITIES context struct as defined in
+    # [2.2.3.1.5 SMB2_TRANSPORT_CAPABILITIES](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/450a1888-a645-4988-8638-5a11f4617545)
+    class TransportCapabilities < BinData::Record
+      SMB2_ACCEPT_TRANSPORT_LEVEL_SECURITY = 1 # Transport security is offered to skip SMB2 encryption on this connection.
+
+      endian :little
+
+      uint32 :flags, label: 'Flags'
+    end
 
     # An SMB2 NEGOTIATE_CONTEXT struct as defined in
     # [2.2.3.1 SMB2 NEGOTIATE_CONTEXT Request Values](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/15332256-522e-4a53-8cd7-0bd17678a2f7)
@@ -84,6 +97,8 @@ module RubySMB
       SMB2_COMPRESSION_CAPABILITIES        = 0x0003
       # The NegotiateContext Data field contains the server name to which the client connects.
       SMB2_NETNAME_NEGOTIATE_CONTEXT_ID    = 0x0005
+      # The NegotiateContext Data field contains the transport capabilities, as specified in section 2.2.3.1.5.
+      SMB2_TRANSPORT_CAPABILITIES          = 0x0006
 
       endian  :little
 
@@ -95,7 +110,8 @@ module RubySMB
         preauth_integrity_capabilities SMB2_PREAUTH_INTEGRITY_CAPABILITIES, label: 'Preauthentication Integrity Capabilities'
         encryption_capabilities        SMB2_ENCRYPTION_CAPABILITIES,        label: 'Encryption Capabilities'
         compression_capabilities       SMB2_COMPRESSION_CAPABILITIES,       label: 'Compression Capabilities'
-        netname_negotiate_context_id   SMB2_NETNAME_NEGOTIATE_CONTEXT_ID,   label: 'Netname Negotiate Context ID'
+        netname_negotiate_context_id   SMB2_NETNAME_NEGOTIATE_CONTEXT_ID,   label: 'Netname Negotiate Context ID', data_length: :data_length
+        transport_capabilities         SMB2_TRANSPORT_CAPABILITIES,         label: 'Transport Capabilities'
       end
 
       def pad_length

data/lib/ruby_smb/smb2/packet/compression_transform_header.rb

@@ -3,6 +3,9 @@ module RubySMB
     module Packet
       # An SMB2 COMPRESSION_TRANSFORM_HEADER Packet as defined in
       # [2.2.42 SMB2 COMPRESSION_TRANSFORM_HEADER](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/1d435f21-9a21-4f4c-828e-624a176cf2a0)
+      # NOTE: On 2021-04-06 the official documentation split the definition of COMPRESSION_TRANSFORM_HEADER into the following two variants:
+      #   * SMB2_COMPRESSION_TRANSFORM_HEADER_CHAINED
+      #   * SMB2_COMPRESSION_TRANSFORM_HEADER_UNCHAINED
       class CompressionTransformHeader < BinData::Record
         endian :little
 
@@ -11,6 +14,7 @@ module RubySMB
         uint16           :compression_algorithm,            label: 'Compression Algorithm'
         uint16           :flags,                            label: 'Flags'
         uint32           :offset,                           label: 'Offset / Length'
+        array            :compressed_data,                  label: 'Compressed Data', type: :uint8, read_until: :eof
       end
 
       # An SMB2 SMB2_COMPRESSION_TRANSFORM_HEADER_PAYLOAD Packet as defined in

data/lib/ruby_smb/smb2/packet/negotiate_request.rb

@@ -64,6 +64,15 @@ module RubySMB
           self.negotiate_context_list
         end
 
+        # Find the first Negotiate Context structure that matches the given
+        # context type
+        #
+        # @param [Integer] the Negotiate Context structure you wish to add
+        # @return [NegotiateContext] the Negotiate Context structure or nil if
+        # not found
+        def find_negotiate_context(type)
+          negotiate_context_list.find { |nc| nc.context_type == type }
+        end
 
         private
 

data/lib/ruby_smb/smb2/packet/negotiate_response.rb

@@ -59,7 +59,6 @@ module RubySMB
           self.negotiate_context_list
         end
 
-
         private
 
         # Determines the correct length for the padding, so that the next

data/lib/ruby_smb/smb2/packet/session_setup_response.rb

@@ -11,8 +11,8 @@ module RubySMB
         uint16              :structure_size, label: 'Structure Size', initial_value: 9
         session_flags       :session_flags
         uint16              :security_buffer_offset,  label: 'Security Buffer Offset', initial_value: 0x48
-        uint16              :security_buffer_length,  label: 'Security Buffer Length'
-        string              :buffer,                  label: 'Security Buffer', length: -> { security_buffer_length }
+        uint16              :security_buffer_length,  label: 'Security Buffer Length', initial_value: -> { buffer.length }
+        string              :buffer,                  label: 'Security Buffer', read_length: -> { security_buffer_length }
 
         def initialize_instance
           super

data/lib/ruby_smb/smb2/packet/tree_connect_request.rb

@@ -101,7 +101,7 @@ module RubySMB
             path.to_binary_s.length
           end
         end
-        string16     :path,           label: 'Path Buffer',    onlyif: -> { flags != SMB2_TREE_CONNECT_FLAG_EXTENSION_PRESENT }
+        string16     :path,           label: 'Path Buffer',    onlyif: -> { flags != SMB2_TREE_CONNECT_FLAG_EXTENSION_PRESENT }, read_length: -> { path_length }
         tree_connect_request_extension :tree_connect_request_extension, label: 'Tree Connect Request Extension', onlyif: -> { flags == SMB2_TREE_CONNECT_FLAG_EXTENSION_PRESENT }
       end
     end

data/lib/ruby_smb/smb2/tree.rb

@@ -61,7 +61,7 @@ module RubySMB
         opts = opts.dup
         opts[:filename] = opts[:filename].dup
         opts[:filename] = opts[:filename][1..-1] if opts[:filename].start_with? '\\'
-        open_file(opts)
+        open_file(**opts)
       end
 
       def open_file(filename:, attributes: nil, options: nil, disposition: RubySMB::Dispositions::FILE_OPEN,

data/lib/ruby_smb/smb2.rb

@@ -1,10 +1,12 @@
 module RubySMB
   # A packet parsing and manipulation library for the SMB2 protocol
   #
-  # [[MS-SMB2] Server Mesage Block (SMB) Protocol Versions 2 and 3](https://msdn.microsoft.com/en-us/library/cc246482.aspx)
+  # [[MS-SMB2] Server Message Block (SMB) Protocol Versions 2 and 3](https://msdn.microsoft.com/en-us/library/cc246482.aspx)
   module SMB2
     # Protocol ID value. Translates to \xFESMB
     SMB2_PROTOCOL_ID = 0xFE534D42
+    # Wildcard revision, see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/63abf97c-0d09-47e2-88d6-6bfa552949a5
+    SMB2_WILDCARD_REVISION = 0x02ff
 
     require 'ruby_smb/smb2/info_type'
     require 'ruby_smb/smb2/commands'

data/lib/ruby_smb/version.rb

@@ -1,3 +1,3 @@
 module RubySMB
-  VERSION = '2.0.7'.freeze
+  VERSION = '2.0.11'.freeze
 end

data/lib/ruby_smb.rb

@@ -8,8 +8,8 @@ require 'windows_error'
 require 'windows_error/nt_status'
 # A packet parsing and manipulation library for the SMB1 and SMB2 protocols
 #
-# [[MS-SMB] Server Mesage Block (SMB) Protocol Version 1](https://msdn.microsoft.com/en-us/library/cc246482.aspx)
-# [[MS-SMB2] Server Mesage Block (SMB) Protocol Versions 2 and 3](https://msdn.microsoft.com/en-us/library/cc246482.aspx)
+# [[MS-SMB] Server Message Block (SMB) Protocol Version 1](https://msdn.microsoft.com/en-us/library/cc246482.aspx)
+# [[MS-SMB2] Server Message Block (SMB) Protocol Versions 2 and 3](https://msdn.microsoft.com/en-us/library/cc246482.aspx)
 module RubySMB
   require 'ruby_smb/error'
   require 'ruby_smb/dispositions'
@@ -21,9 +21,11 @@ module RubySMB
   require 'ruby_smb/generic_packet'
   require 'ruby_smb/dispatcher'
   require 'ruby_smb/version'
-  require 'ruby_smb/version'
   require 'ruby_smb/smb2'
   require 'ruby_smb/smb1'
   require 'ruby_smb/client'
   require 'ruby_smb/crypto'
+  require 'ruby_smb/compression'
+  require 'ruby_smb/server'
+  require 'ruby_smb/dialect'
 end

data/spec/lib/ruby_smb/client_spec.rb

@@ -209,6 +209,8 @@ RSpec.describe RubySMB::Client do
 
     context 'when signing' do
       it 'calls #smb1_sign if it is an SMB1 packet' do
+        allow(client).to receive(:signing_required).and_return(true)
+        allow(client).to receive(:session_key).and_return(Random.new.bytes(16))
         expect(client).to receive(:smb1_sign).with(smb1_request).and_call_original
         client.send_recv(smb1_request)
       end
@@ -223,15 +225,11 @@ RSpec.describe RubySMB::Client do
 
         it 'calls #smb2_sign if it is an SMB2 client' do
           allow(smb2_client).to receive(:is_status_pending?).and_return(false)
+          allow(smb2_client).to receive(:signing_required).and_return(true)
+          allow(smb2_client).to receive(:session_key).and_return(Random.new.bytes(16))
           expect(smb2_client).to receive(:smb2_sign).with(smb2_request).and_call_original
           smb2_client.send_recv(smb2_request)
         end
-
-        it 'calls #smb3_sign if it is an SMB3 client' do
-          allow(smb3_client).to receive(:is_status_pending?).and_return(false)
-          expect(smb3_client).to receive(:smb3_sign).with(smb2_request).and_call_original
-          smb3_client.send_recv(smb2_request)
-        end
       end
     end
 
@@ -809,6 +807,18 @@ RSpec.describe RubySMB::Client do
       smb1_extended_response.to_binary_s
     }
 
+    let(:smb1_response) {
+      packet = RubySMB::SMB1::Packet::NegotiateResponse.new
+      smb1_capabilities_dup = smb1_capabilities.dup
+      smb1_capabilities_dup[:extended_security] = 0
+
+      packet.parameter_block.capabilities = smb1_capabilities_dup
+      packet
+    }
+    let(:smb1_response_raw) {
+      smb1_response.to_binary_s
+    }
+
     let(:smb2_response) { RubySMB::SMB2::Packet::NegotiateResponse.new(dialect_revision: 0x200) }
     let(:smb3_response) { RubySMB::SMB2::Packet::NegotiateResponse.new(dialect_revision: 0x300) }
 
@@ -997,10 +1007,14 @@ RSpec.describe RubySMB::Client do
 
     describe '#negotiate_response' do
       context 'with only SMB1' do
-        it 'returns a properly formed packet' do
+        it 'returns a properly formed NegotiateResponseExtended packet if extended_security is set as 1' do
           expect(smb1_client.negotiate_response(smb1_extended_response_raw)).to eq smb1_extended_response
         end
 
+        it 'returns a properly formed NegotiateResponse packet if extended_security is set as 0' do
+          expect(smb1_client.negotiate_response(smb1_response_raw)).to eq smb1_response
+        end
+
         it 'raises an exception if the response is not a SMB packet' do
           expect { smb1_client.negotiate_response(random_junk) }.to raise_error(RubySMB::Error::InvalidPacket)
         end
@@ -1015,12 +1029,6 @@ RSpec.describe RubySMB::Client do
           bogus_response.smb_header.command = 0xff
           expect { smb1_client.negotiate_response(bogus_response.to_binary_s) }.to raise_error(RubySMB::Error::InvalidPacket)
         end
-
-        it 'considers the response invalid if Extended Security is not enabled' do
-          bogus_response = smb1_extended_response
-          bogus_response.parameter_block.capabilities.extended_security = 0
-          expect { smb1_client.negotiate_response(bogus_response.to_binary_s) }.to raise_error(RubySMB::Error::InvalidPacket)
-        end
       end
 
       context 'with only SMB2' do
@@ -2077,7 +2085,7 @@ RSpec.describe RubySMB::Client do
         it 'generates the HMAC based on the packet and the NTLM session key and signs the packet with it' do
           smb2_client.session_key = 'foo'
           smb2_client.signing_required = true
-          expect(OpenSSL::HMAC).to receive(:digest).with(instance_of(OpenSSL::Digest::SHA256), smb2_client.session_key, request1.to_binary_s).and_return(fake_hmac)
+          expect(OpenSSL::HMAC).to receive(:digest).with(instance_of(OpenSSL::Digest), smb2_client.session_key, request1.to_binary_s).and_return(fake_hmac)
           expect(smb2_client.smb2_sign(request1).smb2_header.signature).to eq fake_hmac
         end
       end
@@ -2177,7 +2185,7 @@ RSpec.describe RubySMB::Client do
             smb3_client.dialect = '0x0202'
             expect { smb3_client.smb3_sign(request) }.to raise_error(
               RubySMB::Error::SigningError,
-              'Dialect is incompatible with SMBv3 signing'
+              'Dialect "0x0202" is incompatible with SMBv3 signing'
             )
           end
         end
@@ -2227,7 +2235,7 @@ RSpec.describe RubySMB::Client do
             smb3_client.dialect = '0x0202'
             expect { smb3_client.smb3_sign(request) }.to raise_error(
               RubySMB::Error::SigningError,
-              'Dialect is incompatible with SMBv3 signing'
+              'Dialect "0x0202" is incompatible with SMBv3 signing'
             )
           end
         end

data/spec/lib/ruby_smb/compression/lznt1_spec.rb

@@ -0,0 +1,32 @@
+require 'spec_helper'
+
+RSpec.describe RubySMB::Compression::LZNT1 do
+  describe '.compress' do
+    it 'generates an empty blob when provided an empty blob' do
+      expected = "".b
+      expect(described_class.compress('')).to eq(expected)
+    end
+
+    it 'generates a compressed blob when provided a string with non-reoccurring characters' do
+      expect(described_class.compress('RubySMB')).to eq("\x060RubySMB".b)
+    end
+
+    it 'generates a compressed blob when provided a string of reoccurring characters' do
+      expect(described_class.compress("\x01" * 0x200)).to eq("\x03\xB0\x02\x01\xFC\x01".b)
+    end
+  end
+
+  describe '.decompress' do
+    it 'generates a decompressed blob for a string with non-reoccurring characters' do
+      expect(described_class.decompress("\x060RubySMB".b)).to eq('RubySMB')
+    end
+
+    it 'generates a decompressed blob for a string of reoccurring characters' do
+      expect(described_class.decompress("\x03\xB0\x02\x01\xFC\x01".b)).to eq("\x01" * 0x200)
+    end
+
+    it 'raises an EncodingError when the length is invalid' do
+      expect { described_class.decompress("\x010".b) }.to raise_error(EncodingError)
+    end
+  end
+end