ruby_smb 3.1.2 → 3.1.5

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 498d32e1eeed4cb410f03dfdc5ea1b23dd5506d89e387a3533494b9f73294ffa
-  data.tar.gz: 838a864709be049725a3978de10d71a0cf9eb75e91d00468cdee07fc5e614250
+  metadata.gz: 4749ae5185070d44e447593cd863ee5ac17a87468b16b14a251f68e0166b7663
+  data.tar.gz: b63378e4367136e0c6dffc35aa02b5c5ce1df450d5b64300eaee060e7938e9ec
 SHA512:
-  metadata.gz: e60651395300c2f7bc88049e7572a2b5376646615da08a1978d8e71afe694ca2f32396e124cbda71cc203811ff8df0241aa072f58aeffa8265498789cab7696f
-  data.tar.gz: e9d3bd5ffb781a01e4382d8f0f2327cd384d4be520a394fbf00336fbc23b9913fae58b380c05c1782c320364edd8ac5e729639091c0f54b32208469972810705
+  metadata.gz: f09557d4ba6148796bb6adf2c1169ebad237f021527975fabb179e1eb2099cfb2c17e45d3b57629c7fc61106092317076e41c77d39f8cb3d4335d280a75e144c
+  data.tar.gz: e969cc9f474e64e4cf7ba9bcf39e1dfc30b9e365bf6c758abd1e7ff905a6e9a3a8f3c3b33fc88f3104b7998201406d8b78bca34e746c58cfa4c03353bd94f789

data/examples/file_server.rb

@@ -3,81 +3,19 @@
 require 'bundler/setup'
 require 'optparse'
 require 'ruby_smb'
-require 'ruby_smb/gss/provider/ntlm'
 
 # we just need *a* default encoding to handle the strings from the NTLM messages
 Encoding.default_internal = 'UTF-8' if Encoding.default_internal.nil?
 
-options = {
-  allow_anonymous: true,
-  allow_guests: false,
-  domain: nil,
-  username: 'RubySMB',
-  password: 'password',
-  share_name: 'home',
-  share_path: '.',
-  smbv1: true,
-  smbv2: true,
-  smbv3: true
-}
-OptionParser.new do |opts|
-  opts.banner = "Usage: #{File.basename(__FILE__)} [options]"
-  opts.on("--path PATH", "The path to share (default: #{options[:share_path]})") do |path|
+options = RubySMB::Server::Cli.parse(defaults: { share_path: '.' }) do |options, parser|
+  parser.banner = "Usage: #{File.basename(__FILE__)} [options]"
+
+  parser.on("--share-path SHARE_PATH", "The path to share (default: #{options[:share_path]})") do |path|
     options[:share_path] = path
   end
-  opts.on("--share SHARE", "The share name (default: #{options[:share_name]})") do |share|
-    options[:share_name] = share
-  end
-  opts.on("--[no-]anonymous", "Allow anonymous access (default: #{options[:allow_anonymous]})") do |allow_anonymous|
-    options[:allow_anonymous] = allow_anonymous
-  end
-  opts.on("--[no-]smbv1", "Enable or disable SMBv1 (default: #{options[:smbv1] ? 'Enabled' : 'Disabled'})") do |smbv1|
-    options[:smbv1] = smbv1
-  end
-  opts.on("--[no-]smbv2", "Enable or disable SMBv2 (default: #{options[:smbv2] ? 'Enabled' : 'Disabled'})") do |smbv2|
-    options[:smbv2] = smbv2
-  end
-  opts.on("--[no-]smbv3", "Enable or disable SMBv3 (default: #{options[:smbv3] ? 'Enabled' : 'Disabled'})") do |smbv3|
-    options[:smbv3] = smbv3
-  end
-  opts.on("--[no-]guests", "Allow guest accounts (default: #{options[:allow_guests]})") do |allow_guests|
-    options[:allow_guests] = allow_guests
-  end
-  opts.on("--username USERNAME", "The account's username (default: #{options[:username]})") do |username|
-    if username.include?('\\')
-      options[:domain], options[:username] = username.split('\\', 2)
-    else
-      options[:username] = username
-    end
-  end
-  opts.on("--password PASSWORD", "The account's password (default: #{options[:password]})") do |password|
-    options[:password] = password
-  end
-end.parse!
-
-ntlm_provider = RubySMB::Gss::Provider::NTLM.new(
-  allow_anonymous: options[:allow_anonymous],
-  allow_guests: options[:allow_guests]
-)
-ntlm_provider.put_account(options[:username], options[:password], domain: options[:domain])  # password can also be an NTLM hash
-
-server = RubySMB::Server.new(
-  gss_provider: ntlm_provider,
-  logger: :stdout
-)
-server.dialects.select! { |dialect| RubySMB::Dialect[dialect].family != RubySMB::Dialect::FAMILY_SMB1 } unless options[:smbv1]
-server.dialects.select! { |dialect| RubySMB::Dialect[dialect].family != RubySMB::Dialect::FAMILY_SMB2 } unless options[:smbv2]
-server.dialects.select! { |dialect| RubySMB::Dialect[dialect].family != RubySMB::Dialect::FAMILY_SMB3 } unless options[:smbv3]
-
-if server.dialects.empty?
-  puts "at least one version must be enabled"
-  exit false
 end
 
+server = RubySMB::Server::Cli.build(options)
 server.add_share(RubySMB::Server::Share::Provider::Disk.new(options[:share_name], options[:share_path]))
-puts "server is running"
-server.run do
-  puts "received connection"
-  true
-end
 
+RubySMB::Server::Cli.run(server)

data/examples/virtual_file_server.rb

@@ -3,7 +3,6 @@
 require 'bundler/setup'
 require 'optparse'
 require 'ruby_smb'
-require 'ruby_smb/gss/provider/ntlm'
 
 # we just need *a* default encoding to handle the strings from the NTLM messages
 Encoding.default_internal = 'UTF-8' if Encoding.default_internal.nil?
@@ -32,70 +31,23 @@ MAGIC_8_BALL_ANSWERS = [
   'Very doubtful'
 ]
 
-options = {
-  allow_anonymous: true,
-  domain: nil,
-  username: 'RubySMB',
-  password: 'password',
-  share_name: 'home',
-  smbv1: true,
-  smbv2: true,
-  smbv3: true
-}
-OptionParser.new do |opts|
-  opts.banner = "Usage: #{File.basename(__FILE__)} [options]"
-  opts.on("--share SHARE", "The share name (default: #{options[:share_name]})") do |share|
-    options[:share_name] = share
-  end
-  opts.on("--[no-]anonymous", "Allow anonymous access (default: #{options[:allow_anonymous]})") do |allow_anonymous|
-    options[:allow_anonymous] = allow_anonymous
-  end
-  opts.on("--[no-]smbv1", "Enable or disable SMBv1 (default: #{options[:smbv1] ? 'Enabled' : 'Disabled'})") do |smbv1|
-    options[:smbv1] = smbv1
-  end
-  opts.on("--[no-]smbv2", "Enable or disable SMBv2 (default: #{options[:smbv2] ? 'Enabled' : 'Disabled'})") do |smbv2|
-    options[:smbv2] = smbv2
-  end
-  opts.on("--[no-]smbv3", "Enable or disable SMBv3 (default: #{options[:smbv3] ? 'Enabled' : 'Disabled'})") do |smbv3|
-    options[:smbv3] = smbv3
-  end
-  opts.on("--username USERNAME", "The account's username (default: #{options[:username]})") do |username|
-    if username.include?('\\')
-      options[:domain], options[:username] = username.split('\\', 2)
-    else
-      options[:username] = username
-    end
-  end
-  opts.on("--password PASSWORD", "The account's password (default: #{options[:password]})") do |password|
-    options[:password] = password
-  end
-  opts.on("--virtual-content CONTENT", "The virtual share contents") do |virtual_content|
+options = RubySMB::Server::Cli.parse do |options, parser|
+  parser.banner = "Usage: #{File.basename(__FILE__)} [options]"
+
+  parser.on("--virtual-content CONTENT", "The virtual share contents") do |virtual_content|
     options[:virtual_content] = virtual_content
   end
-  opts.on("--virtual-name NAME", "The virtual share file name") do |virtual_name|
+
+  parser.on("--virtual-name NAME", "The virtual share file name") do |virtual_name|
     options[:virtual_name] = virtual_name
   end
-  opts.on("--virtual-type TYPE", "The virtual share type") do |virtual_type|
+
+  parser.on("--virtual-type TYPE", "The virtual share type") do |virtual_type|
     options[:virtual_type] = virtual_type
   end
-end.parse!
-
-ntlm_provider = RubySMB::Gss::Provider::NTLM.new(allow_anonymous: options[:allow_anonymous])
-ntlm_provider.put_account(options[:username], options[:password], domain: options[:domain])  # password can also be an NTLM hash
-
-server = RubySMB::Server.new(
-  gss_provider: ntlm_provider,
-  logger: :stdout
-)
-server.dialects.select! { |dialect| RubySMB::Dialect[dialect].family != RubySMB::Dialect::FAMILY_SMB1 } unless options[:smbv1]
-server.dialects.select! { |dialect| RubySMB::Dialect[dialect].family != RubySMB::Dialect::FAMILY_SMB2 } unless options[:smbv2]
-server.dialects.select! { |dialect| RubySMB::Dialect[dialect].family != RubySMB::Dialect::FAMILY_SMB3 } unless options[:smbv3]
-
-if server.dialects.empty?
-  puts "at least one version must be enabled"
-  exit false
 end
 
+server = RubySMB::Server::Cli.build(options)
 virtual_disk = RubySMB::Server::Share::Provider::VirtualDisk.new(options[:share_name])
 
 # greeting is a static text file
@@ -135,9 +87,5 @@ elsif options[:virtual_content] || options[:virtual_name] || options[:virtual_ty
 end
 
 server.add_share(virtual_disk)
-puts "server is running"
-server.run do |server_client|
-  puts "received connection"
-  true
-end
 
+RubySMB::Server::Cli.run(server)

data/lib/ruby_smb/client/authentication.rb

@@ -80,7 +80,7 @@ module RubySMB
         type2_b64_message = smb1_type2_message(challenge_packet)
         type3_message = @ntlm_client.init_context(type2_b64_message)
 
-        @session_key = @ntlm_client.session_key
+        @application_key = @session_key = @ntlm_client.session_key
         challenge_message = @ntlm_client.session.challenge_message
         store_target_info(challenge_message.target_info) if challenge_message.has_flag?(:TARGET_INFO)
         @os_version = extract_os_version(challenge_message.os_version.to_s) unless challenge_message.os_version.empty?
@@ -146,7 +146,7 @@ module RubySMB
       end
 
       # Takes the raw binary string and returns a {RubySMB::SMB1::Packet::SessionSetupResponse}
-      def smb1_ntlmssp_final_packet(raw_response)
+      def smb1_session_setup_response(raw_response)
         packet = RubySMB::SMB1::Packet::SessionSetupResponse.read(raw_response)
 
         unless packet.valid?
@@ -159,6 +159,11 @@ module RubySMB
         packet
       end
 
+      # Takes the raw binary string and returns a {RubySMB::SMB1::Packet::SessionSetupResponse}
+      def smb1_ntlmssp_final_packet(raw_response)
+        smb1_session_setup_response(raw_response)
+      end
+
       # Takes the raw binary string and returns a {RubySMB::SMB1::Packet::SessionSetupResponse}
       def smb1_ntlmssp_challenge_packet(raw_response)
         packet = RubySMB::SMB1::Packet::SessionSetupResponse.read(raw_response)
@@ -205,7 +210,7 @@ module RubySMB
         type2_b64_message = smb2_type2_message(challenge_packet)
         type3_message = @ntlm_client.init_context(type2_b64_message)
 
-        @session_key = @ntlm_client.session_key
+        @application_key = @session_key = @ntlm_client.session_key
         challenge_message = ntlm_client.session.challenge_message
         store_target_info(challenge_message.target_info) if challenge_message.has_flag?(:TARGET_INFO)
         @os_version = extract_os_version(challenge_message.os_version.to_s) unless challenge_message.os_version.empty?
@@ -222,6 +227,21 @@ module RubySMB
             # disable encryption when necessary
             @session_encrypt_data = false
           end
+
+          # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/7fd079ca-17e6-4f02-8449-46b606ea289c
+          if @dialect == '0x0300' || @dialect == '0x0302'
+            @application_key = RubySMB::Crypto::KDF.counter_mode(
+              @session_key,
+              "SMB2APP\x00",
+              "SmbRpc\x00"
+            )
+          else
+            @application_key = RubySMB::Crypto::KDF.counter_mode(
+              @session_key,
+              "SMBAppKey\x00",
+              @preauth_integrity_hash_value
+            )
+          end
           # otherwise, leave encryption to the default value that it was initialized to
         end
         ######
@@ -235,7 +255,7 @@ module RubySMB
       end
 
       # Takes the raw binary string and returns a {RubySMB::SMB2::Packet::SessionSetupResponse}
-      def smb2_ntlmssp_final_packet(raw_response)
+      def smb2_session_setup_response(raw_response)
         packet = RubySMB::SMB2::Packet::SessionSetupResponse.read(raw_response)
         unless packet.valid?
           raise RubySMB::Error::InvalidPacket.new(
@@ -248,6 +268,11 @@ module RubySMB
         packet
       end
 
+      # Takes the raw binary string and returns a {RubySMB::SMB2::Packet::SessionSetupResponse}
+      def smb2_ntlmssp_final_packet(raw_response)
+        smb2_session_setup_response(raw_response)
+      end
+
       # Takes the raw binary string and returns a {RubySMB::SMB2::Packet::SessionSetupResponse}
       def smb2_ntlmssp_challenge_packet(raw_response)
         packet = RubySMB::SMB2::Packet::SessionSetupResponse.read(raw_response)

data/lib/ruby_smb/client/negotiation.rb

@@ -118,6 +118,7 @@ module RubySMB
           self.server_max_buffer_size = packet.parameter_block.max_buffer_size - 260
           self.negotiated_smb_version = 1
           self.session_encrypt_data = false
+          self.negotiation_security_buffer = packet.data_block.security_blob
           'SMB1'
         when RubySMB::SMB2::Packet::NegotiateResponse
           self.smb1 = false
@@ -137,6 +138,7 @@ module RubySMB
           self.server_start_time = packet.server_start_time.to_time if packet.server_start_time != 0
           self.server_system_time = packet.system_time.to_time if packet.system_time != 0
           self.server_supports_multi_credit = self.dialect != '0x0202' && packet&.capabilities&.large_mtu == 1
+          self.negotiation_security_buffer = packet.security_buffer
           case self.dialect
           when '0x02ff'
           when '0x0300', '0x0302'

data/lib/ruby_smb/client.rb

@@ -54,6 +54,13 @@ module RubySMB
     # The default maximum size of a SMB message that the Server accepts (in bytes)
     SERVER_MAX_BUFFER_SIZE = 4356
 
+    # The application key. After authenticating to the remote server, this value is the session key for dialects less
+    # than version 3 and a unique value for v3 dialects. See:
+    # https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-smb2/901ae284-31d3-4ea1-ae8a-766fc8bfe00e
+    # @!attribute [rw] application_key
+    #   @return [String]
+    attr_accessor :application_key
+
     # The dispatcher responsible for sending packets
     # @!attribute [rw] dispatcher
     #   @return [RubySMB::Dispatcher::Socket]
@@ -288,13 +295,19 @@ module RubySMB
     attr_accessor :negotiated_smb_version
 
     # Whether or not the server supports multi-credit operations. It is
-    # reported by the LARGE_MTU capabiliy as part of the negotiation process
+    # reported by the LARGE_MTU capability as part of the negotiation process
     # (SMB 2.x and 3.x).
     # @!attribute [rw] server_supports_multi_credit
     #   @return [Boolean] true if the server supports multi-credit operations,
     #   false otherwise
     attr_accessor :server_supports_multi_credit
 
+    # The negotiated security buffer. This is nil until the negotiation process
+    # has finished.
+    # @!attribute [rw] negotiation_security_buffer
+    #   @return [String] The raw security buffer bytes
+    attr_accessor :negotiation_security_buffer
+
     # @param dispatcher [RubySMB::Dispatcher::Socket] the packet dispatcher to use
     # @param smb1 [Boolean] whether or not to enable SMB1 support
     # @param smb2 [Boolean] whether or not to enable SMB2 support
@@ -313,6 +326,7 @@ module RubySMB
       @sequence_counter  = 0
       @session_id        = 0x00
       @session_key       = ''
+      @application_key   = ''
       @session_is_guest  = false
       @signing_required  = false
       @smb1              = smb1
@@ -332,7 +346,7 @@ module RubySMB
       # session setup response is received
       @session_encrypt_data = always_encrypt
 
-      @ntlm_client = Net::NTLM::Client.new(
+      @ntlm_client = RubySMB::NTLM::Client.new(
         @username,
         @password,
         workstation: @local_workstation,
@@ -404,7 +418,7 @@ module RubySMB
       @password          = pass.encode('utf-8') || ''.encode('utf-8')
       @username          = user.encode('utf-8') || ''.encode('utf-8')
 
-      @ntlm_client = Net::NTLM::Client.new(
+      @ntlm_client = RubySMB::NTLM::Client.new(
           @username,
           @password,
           workstation: @local_workstation,
@@ -617,6 +631,7 @@ module RubySMB
     def wipe_state!
       self.session_id       = 0x00
       self.user_id          = 0x00
+      self.application_key  = ''
       self.session_key      = ''
       self.session_is_guest = false
       self.sequence_counter = 0

data/lib/ruby_smb/dcerpc/error.rb

@@ -13,6 +13,19 @@ module RubySMB
       # Raised when an invalid packet is received
       class InvalidPacket < DcerpcError; end
 
+      # Raised when a fault response is received
+      class FaultError < InvalidPacket
+        attr_reader :status_code
+        def initialize(message=nil, status:)
+          @status_code = status
+          super(message)
+        end
+
+        def status_name
+          RubySMB::Dcerpc::Fault::Status.name(@status_code)
+        end
+      end
+
       # Raised when an error is returned during a Winreg operation
       class WinregError < DcerpcError; end
 

data/lib/ruby_smb/dcerpc/fault.rb

@@ -0,0 +1,83 @@
+module RubySMB::Dcerpc::Fault
+  module Status
+    # DCERPC
+    NCA_S_FAULT_OTHER              = 0x00000001
+    NCA_S_FAULT_ACCESS_DENIED      = 0x00000005
+    NCA_S_FAULT_NDR                = 0x000006F7
+    NCA_S_FAULT_CANT_PERFORM       = 0x000006D8
+    NCA_S_FAULT_INT_DIV_BY_ZERO    = 0x1C000001
+    NCA_S_FAULT_ADDR_ERROR         = 0x1C000002
+    NCA_S_FAULT_FP_DIV_ZERO        = 0x1C000003
+    NCA_S_FAULT_FP_UNDERFLOW       = 0x1C000004
+    NCA_S_FAULT_FP_OVERFLOW        = 0x1C000005
+    NCA_S_FAULT_INVALID_TAG        = 0x1C000006
+    NCA_S_FAULT_INVALID_BOUND      = 0x1C000007
+    NCA_RPC_VERSION_MISMATCH       = 0x1C000008
+    NCA_UNSPEC_REJECT              = 0x1C000009
+    NCA_S_BAD_ACTID                = 0x1C00000A
+    NCA_WHO_ARE_YOU_FAILED         = 0x1C00000B
+    NCA_MANAGER_NOT_ENTERED        = 0x1C00000C
+    NCA_S_FAULT_CANCEL             = 0x1C00000D
+    NCA_S_FAULT_ILL_INST           = 0x1C00000E
+    NCA_S_FAULT_FP_ERROR           = 0x1C00000F
+    NCA_S_FAULT_INT_OVERFLOW       = 0x1C000010
+    NCA_S_FAULT_PIPE_EMPTY         = 0x1C000014
+    NCA_S_FAULT_PIPE_CLOSED        = 0x1C000015
+    NCA_S_FAULT_PIPE_ORDER         = 0x1C000016
+    NCA_S_FAULT_PIPE_DISCIPLINE    = 0x1C000017
+    NCA_S_FAULT_PIPE_COMM_ERROR    = 0x1C000018
+    NCA_S_FAULT_PIPE_MEMORY        = 0x1C000019
+    NCA_S_FAULT_CONTEXT_MISMATCH   = 0x1C00001A
+    NCA_S_FAULT_REMOTE_NO_MEMORY   = 0x1C00001B
+    NCA_INVALID_PRES_CONTEXT_ID    = 0x1C00001C
+    NCA_UNSUPPORTED_AUTHN_LEVEL    = 0x1C00001D
+    NCA_INVALID_CHECKSUM           = 0x1C00001F
+    NCA_INVALID_CRC                = 0x1C000020
+    NCS_S_FAULT_USER_DEFINED       = 0x1C000021
+    NCA_S_FAULT_TX_OPEN_FAILED     = 0x1C000022
+    NCA_S_FAULT_CODESET_CONV_ERROR = 0x1C000023
+    NCA_S_FAULT_OBJECT_NOT_FOUND   = 0x1C000024
+    NCA_S_FAULT_NO_CLIENT_STUB     = 0x1C000025
+    NCA_OP_RNG_ERROR               = 0x1C010002
+    NCA_UNK_IF                     = 0x1C010003
+    NCA_WRONG_BOOT_TIME            = 0x1C010006
+    NCA_S_YOU_CRASHED              = 0x1C010009
+    NCA_PROTO_ERROR                = 0x1C01000B
+    NCA_OUT_ARGS_TOO_BIG           = 0x1C010013
+    NCA_SERVER_TOO_BUSY            = 0x1C010014
+    NCA_UNSUPPORTED_TYPE           = 0x1C010017
+    # Microsoft specific codes
+    E_NOTIMPL                      = 0x80004001
+    E_POINTER                      = 0x80004003
+    E_AOBRT                        = 0x80004004
+    E_UNEXPECTED                   = 0x8000FFFF
+    RPC_E_SERVERFAULT              = 0x80010105
+    RPC_E_DISCONNECTED             = 0x80010108
+    RPC_E_INVALID_IPID             = 0x80010113
+    RPC_E_TIMEOUT                  = 0x8001011F
+    DISP_E_MEMBERNOTFOUND          = 0x80020003
+    DISP_E_UNKNOWNNAME             = 0x80020006
+    DISP_E_BADPARAMCOUNT           = 0x8002000E
+    CBA_E_MALFORMED                = 0x8004CB00
+    CBA_E_UNKNOWNOBJECT            = 0x8004CB01
+    CBA_E_INVALIDID                = 0x8004CB05
+    CBA_E_INVALIDCOOKIE            = 0x8004CB09
+    CBA_E_QOSTYPEUNSUPPORTED       = 0x8004CB0B
+    CBA_E_QOSVALUEUNSUPPORTED      = 0x8004CB0C
+    CBA_E_NOTAPPLICABLE            = 0x8004CB0F
+    CBA_E_LIMITVIOLATION           = 0x8004CB12
+    CBA_E_QOSTYPENOTAPPLICABLE     = 0x8004CB13
+    CBA_E_OUTOFPARTNERACCOS        = 0x8004CB18
+    CBA_E_FLAGUNSUPPORTED          = 0x8004CB1C
+    CBA_E_FRAMECOUNTUNSUPPORTED    = 0x8004CB23
+    CBA_E_MODECHANGE               = 0x8004CB25
+    E_OUTOFMEMORY                  = 0x8007000E
+    E_INVALIDARG                   = 0x80070057
+    RPC_S_PROCNUM_OUT_OF_RANGE     = 0x800706D1
+    OR_INVALID_OXID                = 0x80070776
+
+    def self.name(value)
+      constants.select { |c| c.upcase == c }.find { |c| const_get(c) == value }
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/ndr.rb

@@ -312,29 +312,31 @@ module RubySMB::Dcerpc::Ndr
     def initialize_instance
       @read_until_index = 0
       @max_count = 0
+      @max_count_set = false
       super
     end
 
     def insert(index, *objs)
       obj = super
-      @max_count = length
+      @max_count = length unless @max_count_set
       obj
     end
 
     def slice_index(index)
       obj = super
-      @max_count = length
+      @max_count = length unless @max_count_set
       obj
     end
 
     def []=(index, value)
       obj = super
-      @max_count = length
+      @max_count = length unless @max_count_set
       obj
     end
 
     def set_max_count(val)
       @max_count = @read_until_index = val
+      @max_count_set = true
     end
   end
 
@@ -650,7 +652,7 @@ module RubySMB::Dcerpc::Ndr
     include ConstructedTypePlugin
 
     def should_process_max_count?
-      # According to the NDR defintion for Structures Containing a Conformant
+      # According to the NDR definition for Structures Containing a Conformant
       # Array:
       #
       # "In the NDR representation of a structure that contains a
@@ -761,13 +763,13 @@ module RubySMB::Dcerpc::Ndr
         return (4 - (rel_offset % 4)) % 4
       end
       if obj.is_a?(ConfPlugin)
-        # `max_count` should have been handled at the begining of the structure
+        # `max_count` should have been handled at the beginning of the structure
         # already. We need to fix `rel_offset` since it includes the
         # `max_count` 4 bytes, plus the possible padding bytes needed to align
         # the structure. This is required because BinData Struct is not
-        # aware of `max_count` and considere the first field to be the begining
+        # aware of `max_count` and consider the first field to be the beginning
         # of the structure instead. We have to make sure the alignment is
-        # calculated from the begining of the structure.
+        # calculated from the beginning of the structure.
         align = eval_parameter(:byte_align)
         pad_length = (align - (4 % align)) % align
         rel_offset += (4 + pad_length)
@@ -776,7 +778,7 @@ module RubySMB::Dcerpc::Ndr
         # (not Varying). The size information (max_count) has been place in
         # from of the structure and no other size information is present before
         # the actual elements of the array. Therefore, the alignment must be
-        # done accroding to th rules of the elements. Since a NdrArray has its
+        # done according to the rules of the elements. Since a NdrArray has its
         # default :byte_align value set to 4 (:max_count size), we have to make
         # sure the element size is used instead.
         unless obj.is_a?(VarPlugin)
@@ -838,6 +840,10 @@ module RubySMB::Dcerpc::Ndr
     end
   end
 
+  #
+  # [Unions](https://pubs.opengroup.org/onlinepubs/9629399/chap14.htm#tagcjh_19_03_08)
+  #
+
   # TODO: Unions
   # TODO: Pipes
 
@@ -1207,6 +1213,11 @@ module RubySMB::Dcerpc::Ndr
     extend PointerClassPlugin
   end
 
+  class NdrUint16ArrayPtr < NdrConfVarArray
+    default_parameters type: :ndr_uint16
+    extend PointerClassPlugin
+  end
+
   class NdrFileTimePtr < NdrFileTime
     extend PointerClassPlugin
   end

data/lib/ruby_smb/dcerpc/request.rb

@@ -60,16 +60,21 @@ module RubySMB
           string                          :default
         end
         choice 'Samr', selection: -> { opnum } do
-          samr_connect_request                     Samr::SAMR_CONNECT
-          samr_lookup_domain_in_sam_server_request Samr::SAMR_LOOKUP_DOMAIN_IN_SAM_SERVER
-          samr_open_domain_request                 Samr::SAMR_OPEN_DOMAIN
-          samr_enumerate_users_in_domain_request   Samr::SAMR_ENUMERATE_USERS_IN_DOMAIN
-          samr_rid_to_sid_request                  Samr::SAMR_RID_TO_SID
-          samr_close_handle_request                Samr::SAMR_CLOSE_HANDLE
-          samr_get_alias_membership_request        Samr::SAMR_GET_ALIAS_MEMBERSHIP
-          samr_open_user_request                   Samr::SAMR_OPEN_USER
-          samr_get_groups_for_user_request         Samr::SAMR_GET_GROUPS_FOR_USER
-          string                                   :default
+          samr_connect_request                         Samr::SAMR_CONNECT
+          samr_lookup_domain_in_sam_server_request     Samr::SAMR_LOOKUP_DOMAIN_IN_SAM_SERVER
+          samr_open_domain_request                     Samr::SAMR_OPEN_DOMAIN
+          samr_enumerate_users_in_domain_request       Samr::SAMR_ENUMERATE_USERS_IN_DOMAIN
+          samr_rid_to_sid_request                      Samr::SAMR_RID_TO_SID
+          samr_close_handle_request                    Samr::SAMR_CLOSE_HANDLE
+          samr_get_alias_membership_request            Samr::SAMR_GET_ALIAS_MEMBERSHIP
+          samr_open_user_request                       Samr::SAMR_OPEN_USER
+          samr_get_groups_for_user_request             Samr::SAMR_GET_GROUPS_FOR_USER
+          samr_enumerate_domains_in_sam_server_request Samr::SAMR_ENUMERATE_DOMAINS_IN_SAM_SERVER
+          samr_lookup_names_in_domain_request          Samr::SAMR_LOOKUP_NAMES_IN_DOMAIN
+          samr_create_user2_in_domain_request          Samr::SAMR_CREATE_USER2_IN_DOMAIN
+          samr_set_information_user2_request           Samr::SAMR_SET_INFORMATION_USER2
+          samr_delete_user_request                     Samr::SAMR_DELETE_USER
+          string                                       :default
         end
         choice 'Wkssvc', selection: -> { opnum } do
           netr_wksta_get_info_request Wkssvc::NETR_WKSTA_GET_INFO

data/lib/ruby_smb/dcerpc/rrp_rpc_unicode_string.rb

@@ -109,6 +109,11 @@ module RubySMB
       end
     end
 
+    class RpcUnicodeStringConfVarArray < Ndr::NdrConfVarArray
+      extend Ndr::ArrayClassPlugin
+      default_parameters type: :rpc_unicode_string
+    end
+
     # A pointer to a RPC_UNICODE_STRING structure
     class PrpcUnicodeString < RpcUnicodeString
       extend Ndr::PointerClassPlugin

data/lib/ruby_smb/dcerpc/samr/samr_create_user2_in_domain_request.rb

@@ -0,0 +1,24 @@
+module RubySMB
+  module Dcerpc
+    module Samr
+
+      # [3.1.5.4.4 SamrCreateUser2InDomain (Opnum 50)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/a98d7fbb-1735-4fbf-b41a-ef363c899002)
+      class SamrCreateUser2InDomainRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        sampr_handle         :domain_handle
+        rpc_unicode_string   :name
+        ndr_uint32           :account_type
+        ndr_uint32           :desired_access
+
+        def initialize_instance
+          super
+          @opnum = SAMR_CREATE_USER2_IN_DOMAIN
+        end
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/samr/samr_create_user2_in_domain_response.rb

@@ -0,0 +1,24 @@
+module RubySMB
+  module Dcerpc
+    module Samr
+
+      # [3.1.5.4.4 SamrCreateUser2InDomain (Opnum 50)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/a98d7fbb-1735-4fbf-b41a-ef363c899002)
+      class SamrCreateUser2InDomainResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        sampr_handle         :user_handle
+        ndr_uint32           :granted_access
+        ndr_uint32           :relative_id
+        ndr_uint32           :error_status
+
+        def initialize_instance
+          super
+          @opnum = SAMR_CREATE_USER2_IN_DOMAIN
+        end
+      end
+
+    end
+  end
+end