ruby_smb 3.1.7 → 3.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 2709740a324a2a43861b70704a20c07ad3302390e40ad2cb2b19aa4574e1718c
-  data.tar.gz: 9a4e4d4e59ae52a67b02f098c4610137182e5ff2cb4106a5d710c5b9e5d0de44
+  metadata.gz: 7b1e12b49f282f15459e21c5f16c6a6fc0f1074b107b97d85395d75a8531df1c
+  data.tar.gz: bccbfe2ef2823c390974786165e822eaa2fb7d1e1a96e8171daabbe871c6b324
 SHA512:
-  metadata.gz: 00004e2a2b38ebdf190ec39bdf6abc27607ac227d705b4e5f7943737a3119ad13102ddf3884bfb697b3f7bca9ec29b45db2a0554811fd41f8e67a9bd96463244
-  data.tar.gz: 677c779a105a0a8c478923e784500c0b9ec1710d9d332a87e4967a372987c3abb86a054254b0ec4ed2e7b4ad11527fa4c3fcc9fb233df92108f8700d3bb21d93
+  metadata.gz: fc4ba500076138ce97e1dc369733675600c4892669d9b5db815b4d09c1dc1b47efd0068da6cb7530fafdcdfc326d00b42b91937e44ed5fe2fdb9b4e5b37ffd9a
+  data.tar.gz: b851e6cc8f2846b7b6f7c36b01b14adb089c5d75257315940a282793bb62cce5bdf1f944c7ca3c95f75464914e26753f4ce1577ac446deea2c42c5a84986f82e

data/.github/workflows/verify.yml

@@ -33,17 +33,15 @@ jobs:
       fail-fast: true
       matrix:
         ruby:
-          - 2.6
           - 2.7
           - 3.0
           - 3.1
         os:
-          - ubuntu-18.04
-          - ubuntu-22.04
+          - ubuntu-20.04
+          - ubuntu-latest
         exclude:
-          - { os: ubuntu-22.04, ruby: 2.6 }
-          - { os: ubuntu-22.04, ruby: 2.7 }
-          - { os: ubuntu-22.04, ruby: 3.0 }
+          - { os: ubuntu-latest, ruby: 2.7 }
+          - { os: ubuntu-latest, ruby: 3.0 }
         test_cmd:
           - bundle exec rspec
 

data/README.md

@@ -186,7 +186,7 @@ Example:
 ```
 ### Using the Client
 
-Sitting on top of the packet layer in RubySMB is the RubySMB::Client class. This is the abstraction that most users of RubySMB will interact with. It provides simple conveience methods for performing SMB actions. It handles the creation, sending and receiving of packets for the user, providing reasonable defaults in many cases.
+Sitting on top of the packet layer in RubySMB is the RubySMB::Client class. This is the abstraction that most users of RubySMB will interact with. It provides simple convenience methods for performing SMB actions. It handles the creation, sending and receiving of packets for the user, providing reasonable defaults in many cases.
 
 #### Negotiation
 

data/lib/ruby_smb/client/authentication.rb

@@ -1,7 +1,11 @@
+require 'ruby_smb/peer_info'
+
 module RubySMB
   class Client
     # This module holds all the backend client methods for authentication.
     module Authentication
+      include RubySMB::PeerInfo
+
       # Responsible for handling Authentication and Session Setup for
       # the SMB Client. It returns the final Status code from the authentication
       # exchange.
@@ -356,36 +360,6 @@ module RubySMB
         packet.security_mode.signing_enabled = 1
         packet
       end
-
-      # Extract and store useful information about the peer/server from the
-      # NTLM Type 2 (challenge) TargetInfo fields.
-      #
-      # @param target_info_str [String] the Target Info string
-      def store_target_info(target_info_str)
-        target_info = Net::NTLM::TargetInfo.new(target_info_str)
-        {
-          Net::NTLM::TargetInfo::MSV_AV_NB_COMPUTER_NAME  => :@default_name,
-          Net::NTLM::TargetInfo::MSV_AV_NB_DOMAIN_NAME    => :@default_domain,
-          Net::NTLM::TargetInfo::MSV_AV_DNS_COMPUTER_NAME => :@dns_host_name,
-          Net::NTLM::TargetInfo::MSV_AV_DNS_DOMAIN_NAME   => :@dns_domain_name,
-          Net::NTLM::TargetInfo::MSV_AV_DNS_TREE_NAME     => :@dns_tree_name
-        }.each do |constant, attribute|
-          if target_info.av_pairs[constant]
-            value = target_info.av_pairs[constant].dup
-            value.force_encoding('UTF-16LE')
-            instance_variable_set(attribute, value.encode('UTF-8'))
-          end
-        end
-      end
-
-      # Extract the peer/server version number from the NTLM Type 2 (challenge)
-      # Version field.
-      #
-      # @param version [String] the version number as a binary string
-      # @return [String] the formated version number (<major>.<minor>.<build>)
-      def extract_os_version(version)
-        version.unpack('CCS').join('.')
-      end
     end
   end
 end

data/lib/ruby_smb/client.rb

@@ -4,6 +4,7 @@ module RubySMB
   class Client
     require 'ruby_smb/ntlm'
     require 'ruby_smb/signing'
+    require 'ruby_smb/utils'
     require 'ruby_smb/client/negotiation'
     require 'ruby_smb/client/authentication'
     require 'ruby_smb/client/tree_connect'
@@ -13,6 +14,7 @@ module RubySMB
     require 'ruby_smb/client/encryption'
 
     include RubySMB::Signing
+    include RubySMB::NTLM
     include RubySMB::Client::Negotiation
     include RubySMB::Client::Authentication
     include RubySMB::Client::TreeConnect
@@ -322,7 +324,7 @@ module RubySMB
       @pid               = rand(0xFFFF)
       @domain            = domain
       @local_workstation = local_workstation
-      @password          = password.encode('utf-8') || ''.encode('utf-8')
+      @password          = RubySMB::Utils.safe_encode((password||''), 'utf-8')
       @sequence_counter  = 0
       @session_id        = 0x00
       @session_key       = ''
@@ -332,7 +334,7 @@ module RubySMB
       @smb1              = smb1
       @smb2              = smb2
       @smb3              = smb3
-      @username          = username.encode('utf-8') || ''.encode('utf-8')
+      @username          = RubySMB::Utils.safe_encode((username||''), 'utf-8')
       @max_buffer_size   = MAX_BUFFER_SIZE
       # These sizes will be modified during negotiation
       @server_max_buffer_size = SERVER_MAX_BUFFER_SIZE
@@ -415,8 +417,8 @@ module RubySMB
                       local_workstation: self.local_workstation, ntlm_flags: NTLM::DEFAULT_CLIENT_FLAGS)
       @domain            = domain
       @local_workstation = local_workstation
-      @password          = pass.encode('utf-8') || ''.encode('utf-8')
-      @username          = user.encode('utf-8') || ''.encode('utf-8')
+      @password          = RubySMB::Utils.safe_encode((pass||''), 'utf-8')
+      @username          = RubySMB::Utils.safe_encode((user||''), 'utf-8')
 
       @ntlm_client = RubySMB::NTLM::Client.new(
           @username,

data/lib/ruby_smb/dcerpc/client.rb

@@ -5,11 +5,16 @@ module RubySMB
     class Client
       require 'bindata'
       require 'windows_error'
-      require 'net/ntlm'
+      require 'ruby_smb/ntlm'
       require 'ruby_smb/dcerpc'
       require 'ruby_smb/gss'
+      require 'ruby_smb/peer_info'
+      require 'ruby_smb/utils'
 
+      include Dcerpc
       include Epm
+      include PeerInfo
+      include Utils
 
       # The default maximum size of a RPC message that the Client accepts (in bytes)
       MAX_BUFFER_SIZE = 64512
@@ -115,15 +120,15 @@ module RubySMB
         @read_timeout      = read_timeout
         @domain            = domain
         @local_workstation = local_workstation
-        @username          = username.encode('utf-8')
-        @password          = password.encode('utf-8')
+        @username          = RubySMB::Utils.safe_encode(username, 'utf-8')
+        @password          = RubySMB::Utils.safe_encode(password, 'utf-8')
         @max_buffer_size   = MAX_BUFFER_SIZE
         @call_id           = 1
         @ctx_id            = 0
         @auth_ctx_id_base  = rand(0xFFFFFFFF)
 
         unless username.empty? && password.empty?
-          @ntlm_client = Net::NTLM::Client.new(
+          @ntlm_client = RubySMB::NTLM::Client.new(
             @username,
             @password,
             workstation: @local_workstation,
@@ -134,11 +139,11 @@ module RubySMB
       end
 
       # Connect to the RPC endpoint. If a TCP socket was not provided, it takes
-      # care of asking the Enpoint Mapper Interface the port used by the given
+      # care of asking the Endpoint Mapper Interface the port used by the given
       # endpoint provided in #initialize and connect a TCP socket
       #
       # @param port [Integer] An optional port number to connect to. If
-      #   provided, it will not ask the Enpoint Mapper Interface for a port
+      #   provided, it will not ask the Endpoint Mapper Interface for a port
       #   number.
       # @return [TcpSocket] The connected TCP socket
       def connect(port: nil)
@@ -172,218 +177,14 @@ module RubySMB
         @tcp_socket.close if @tcp_socket && !@tcp_socket.closed?
       end
 
-      # Add the authentication verifier to the packet. This includes a sec
-      # trailer and the actual authentication data.
-      #
-      # @param req [BinData::Record] the request to be updated
-      # @param auth [String] the authentication data
-      # @param auth_type [Integer] the authentication type
-      # @param auth_level [Integer] the authentication level
-      def add_auth_verifier(req, auth, auth_type, auth_level)
-        req.sec_trailer = {
-          auth_type: auth_type,
-          auth_level: auth_level,
-          auth_context_id: @ctx_id + @auth_ctx_id_base
-        }
-        req.auth_value = auth
-        req.pdu_header.auth_length = auth.length
-
-        nil
-      end
-
       def process_ntlm_type2(type2_message)
-        ntlmssp_offset = type2_message.index('NTLMSSP')
-        type2_blob = type2_message.slice(ntlmssp_offset..-1)
-        type2_b64_message = [type2_blob].pack('m')
-        type3_message = @ntlm_client.init_context(type2_b64_message)
-        auth3 = type3_message.serialize
-
-        @session_key = @ntlm_client.session_key
+        auth3 = super
         challenge_message = @ntlm_client.session.challenge_message
         store_target_info(challenge_message.target_info) if challenge_message.has_flag?(:TARGET_INFO)
         @os_version = extract_os_version(challenge_message.os_version.to_s) unless challenge_message.os_version.empty?
         auth3
       end
 
-      # Send a rpc_auth3 PDU that ends the authentication handshake.
-      #
-      # @param response [BindAck] the BindAck response packet
-      # @param auth_type [Integer] the authentication type
-      # @param auth_level [Integer] the authentication level
-      # @raise [ArgumentError] if `:auth_type` is unknown
-      # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
-      def send_auth3(response, auth_type, auth_level)
-        case auth_type
-        when RPC_C_AUTHN_NONE
-        when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
-          auth3 = process_ntlm_type2(response.auth_value)
-        when RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL, RPC_C_AUTHN_GSS_KERBEROS
-          # TODO
-          raise NotImplementedError
-        else
-          raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
-        end
-
-        rpc_auth3 = RpcAuth3.new
-        add_auth_verifier(rpc_auth3, auth3, auth_type, auth_level)
-        rpc_auth3.pdu_header.call_id = @call_id
-
-        # The server should not respond
-        send_packet(rpc_auth3)
-        @call_id += 1
-
-        nil
-      end
-
-      # Bind to the remote server interface endpoint. It takes care of adding
-      # the necessary authentication verifier if `:auth_level` is set to
-      # anything different than RPC_C_AUTHN_LEVEL_NONE
-      #
-      # @param endpoint [Module] the endpoint to bind to. This must be a Dcerpc
-      #   class with UUID, VER_MAJOR and VER_MINOR constants defined.
-      # @param auth_level [Integer] the authentication level
-      # @param auth_type [Integer] the authentication type
-      # @return [BindAck] the BindAck response packet
-      # @raise [Error::InvalidPacket] if an invalid packet is received
-      # @raise [Error::BindError] if the response is not a BindAck packet or if the Bind result code is not ACCEPTANCE
-      # @raise [ArgumentError] if `:auth_type` is unknown
-      # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
-      def bind(endpoint: @endpoint, auth_level: RPC_C_AUTHN_LEVEL_NONE, auth_type: nil)
-        bind_req = Bind.new(endpoint: endpoint)
-        bind_req.pdu_header.call_id = @call_id
-        # TODO: evasion: generate random UUIDs for bogus binds
-
-        if auth_level && auth_level != RPC_C_AUTHN_LEVEL_NONE
-          case auth_type
-          when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
-            raise ArgumentError, "NTLM Client not initialized. Username and password must be provided" unless @ntlm_client
-            type1_message = @ntlm_client.init_context
-            auth = type1_message.serialize
-          when RPC_C_AUTHN_GSS_KERBEROS, RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE
-          when RPC_C_AUTHN_GSS_KERBEROS, RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL
-            # TODO
-            raise NotImplementedError
-          else
-            raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
-          end
-          add_auth_verifier(bind_req, auth, auth_type, auth_level)
-        end
-
-        send_packet(bind_req)
-        bindack_response = recv_struct(BindAck)
-        # TODO: see if BindNack response should be handled too
-
-        res_list = bindack_response.p_result_list
-        if res_list.n_results == 0 ||
-           res_list.p_results[0].result != BindAck::ACCEPTANCE
-          raise Error::BindError,
-            "Bind Failed (Result: #{res_list.p_results[0].result}, Reason: #{res_list.p_results[0].reason})"
-        end
-
-        @max_buffer_size = bindack_response.max_xmit_frag
-        @call_id = bindack_response.pdu_header.call_id
-
-        if auth_level && auth_level != RPC_C_AUTHN_LEVEL_NONE
-           # The number of legs needed to build the security context is defined
-           # by the security provider
-           # (see [2.2.1.1.7 Security Providers](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/d4097450-c62f-484b-872f-ddf59a7a0d36))
-          case auth_type
-          when RPC_C_AUTHN_WINNT
-            send_auth3(bindack_response, auth_type, auth_level)
-          when RPC_C_AUTHN_GSS_KERBEROS, RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE
-            # TODO
-            raise NotImplementedError
-          end
-        end
-
-        nil
-      end
-
-      # Extract and store useful information about the peer/server from the
-      # NTLM Type 2 (challenge) TargetInfo fields.
-      #
-      # @param target_info_str [String] the Target Info string
-      def store_target_info(target_info_str)
-        target_info = Net::NTLM::TargetInfo.new(target_info_str)
-        {
-          Net::NTLM::TargetInfo::MSV_AV_NB_COMPUTER_NAME  => :@default_name,
-          Net::NTLM::TargetInfo::MSV_AV_NB_DOMAIN_NAME    => :@default_domain,
-          Net::NTLM::TargetInfo::MSV_AV_DNS_COMPUTER_NAME => :@dns_host_name,
-          Net::NTLM::TargetInfo::MSV_AV_DNS_DOMAIN_NAME   => :@dns_domain_name,
-          Net::NTLM::TargetInfo::MSV_AV_DNS_TREE_NAME     => :@dns_tree_name
-        }.each do |constant, attribute|
-          if target_info.av_pairs[constant]
-            value = target_info.av_pairs[constant].dup
-            value.force_encoding('UTF-16LE')
-            instance_variable_set(attribute, value.encode('UTF-8'))
-          end
-        end
-      end
-
-      # Extract the peer/server version number from the NTLM Type 2 (challenge)
-      # Version field.
-      #
-      # @param version [String] the version number as a binary string
-      # @return [String] the formated version number (<major>.<minor>.<build>)
-      def extract_os_version(version)
-        #version.unpack('CCS').join('.')
-        begin
-          os_version = NTLM::OSVersion.read(version)
-        rescue IOError
-          return ''
-        end
-        return "#{os_version.major}.#{os_version.minor}.#{os_version.build}"
-      end
-
-      # Add the authentication verifier to a Request packet. This includes a
-      # sec trailer and the signature of the packet. This also encrypts the
-      # Request stub if privacy is required (`:auth_level` option is
-      # RPC_C_AUTHN_LEVEL_PKT_PRIVACY).
-      #
-      # @param dcerpc_req [Request] the Request packet to be updated
-      # @param opts [Hash] the authenticaiton options: `:auth_type` and `:auth_level`
-      # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
-      # @raise [ArgumentError] if `:auth_type` is unknown
-      def set_integrity_privacy(dcerpc_req, auth_level:, auth_type:)
-        dcerpc_req.sec_trailer = {
-          auth_type: auth_type,
-          auth_level: auth_level,
-          auth_context_id: @ctx_id + @auth_ctx_id_base
-        }
-        dcerpc_req.auth_value = ' ' * 16
-        dcerpc_req.pdu_header.auth_length = 16
-
-        data_to_sign = plain_stub = dcerpc_req.stub.to_binary_s + dcerpc_req.auth_pad.to_binary_s
-        if @ntlm_client.flags & NTLM::NEGOTIATE_FLAGS[:EXTENDED_SECURITY] != 0
-          data_to_sign = dcerpc_req.to_binary_s[0..-(dcerpc_req.pdu_header.auth_length + 1)]
-        end
-
-        encrypted_stub = ''
-        if auth_level == RPC_C_AUTHN_LEVEL_PKT_PRIVACY
-          case auth_type
-          when RPC_C_AUTHN_NONE
-          when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
-            encrypted_stub = @ntlm_client.session.seal_message(plain_stub)
-          when RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL, RPC_C_AUTHN_GSS_KERBEROS
-            # TODO
-            raise NotImplementedError
-          else
-            raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
-          end
-        end
-
-        signature = @ntlm_client.session.sign_message(data_to_sign)
-
-        unless encrypted_stub.empty?
-          pad_length = dcerpc_req.sec_trailer.auth_pad_length.to_i
-          dcerpc_req.enable_encrypted_stub
-          dcerpc_req.stub = encrypted_stub[0..-(pad_length + 1)]
-          dcerpc_req.auth_pad = encrypted_stub[-(pad_length)..-1]
-        end
-        dcerpc_req.auth_value = signature
-        dcerpc_req.pdu_header.auth_length = signature.size
-      end
-
       # Send a DCERPC request with the provided stub packet.
       #
       # @param stub_packet [BinData::Record] the stub packet to be sent as
@@ -482,60 +283,6 @@ module RubySMB
         raise Error::CommunicationError, "An error occurred reading from the Socket: #{e.message}"
       end
 
-      # Process the security context received in a response. It decrypts the
-      # encrypted stub if `:auth_level` is set to anything different than
-      # RPC_C_AUTHN_LEVEL_PKT_PRIVACY. It also checks the packet signature and
-      # raises an InvalidPacket error if it fails. Note that the exception is
-      # disabled by default and can be enabled with the
-      # `:raise_signature_error` option
-      #
-      # @param dcerpc_response [Response] the Response packet
-      #   containing the security context to process
-      # @param opts [Hash] the authenticaiton options: `:auth_type` and
-      #   `:auth_level`. To enable errors when signature check fails, set the
-      #   `:raise_signature_error` option to true
-      # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
-      # @raise [Error::CommunicationError] if socket-related error occurs
-      def handle_integrity_privacy(dcerpc_response, auth_level:, auth_type:, raise_signature_error: false)
-        decrypted_stub = ''
-        if auth_level == RPC_C_AUTHN_LEVEL_PKT_PRIVACY
-          encrypted_stub = dcerpc_response.stub.to_binary_s + dcerpc_response.auth_pad.to_binary_s
-          case auth_type
-          when RPC_C_AUTHN_NONE
-          when RPC_C_AUTHN_WINNT, RPC_C_AUTHN_DEFAULT
-            decrypted_stub = @ntlm_client.session.unseal_message(encrypted_stub)
-          when RPC_C_AUTHN_NETLOGON, RPC_C_AUTHN_GSS_NEGOTIATE, RPC_C_AUTHN_GSS_SCHANNEL, RPC_C_AUTHN_GSS_KERBEROS
-            # TODO
-            raise NotImplementedError
-          else
-            raise ArgumentError, "Unsupported Auth Type: #{auth_type}"
-          end
-        end
-
-        unless decrypted_stub.empty?
-          pad_length = dcerpc_response.sec_trailer.auth_pad_length.to_i
-          dcerpc_response.stub = decrypted_stub[0..-(pad_length + 1)]
-          dcerpc_response.auth_pad = decrypted_stub[-(pad_length)..-1]
-        end
-
-        signature = dcerpc_response.auth_value
-        data_to_check = dcerpc_response.stub.to_binary_s
-        if @ntlm_client.flags & NTLM::NEGOTIATE_FLAGS[:EXTENDED_SECURITY] != 0
-          data_to_check = dcerpc_response.to_binary_s[0..-(dcerpc_response.pdu_header.auth_length + 1)]
-        end
-        unless @ntlm_client.session.verify_signature(signature, data_to_check)
-          if raise_signature_error
-            raise Error::InvalidPacket.new(
-              "Wrong packet signature received (set `raise_signature_error` to false to ignore)"
-            )
-          end
-        end
-
-        @call_id += 1
-
-        nil
-      end
-
     end
   end
 end

data/lib/ruby_smb/dcerpc/error.rb

@@ -57,6 +57,16 @@ module RubySMB
           super(msg)
         end
       end
+
+      class IcprError < DcerpcError
+        include RubySMB::Error::UnexpectedStatusCode::Mixin
+
+        def initialize(msg, status_code: nil)
+          self.status_code = status_code unless status_code.nil?
+
+          super(msg)
+        end
+      end
     end
   end
 end

data/lib/ruby_smb/dcerpc/icpr/cert_server_request_request.rb

@@ -0,0 +1,27 @@
+require 'ruby_smb/dcerpc/ndr'
+
+module RubySMB
+  module Dcerpc
+    module Icpr
+
+      # [3.2.4.1.1 CertServerRequest (Opnum 0)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-icpr/0c6f150e-3ead-4006-b37f-ebbf9e2cf2e7)
+      class CertServerRequestRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_uint32           :dw_flags
+        ndr_wide_stringz_ptr :pwsz_authority
+        ndr_uint32           :pdw_request_id
+        cert_trans_blob      :pctb_attribs
+        cert_trans_blob      :pctb_request
+
+        def initialize_instance
+          super
+          @opnum = CERT_SERVER_REQUEST
+        end
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/icpr/cert_server_request_response.rb

@@ -0,0 +1,28 @@
+require 'ruby_smb/dcerpc/ndr'
+
+module RubySMB
+  module Dcerpc
+    module Icpr
+
+      # [3.2.4.1.1 CertServerRequest (Opnum 0)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-icpr/0c6f150e-3ead-4006-b37f-ebbf9e2cf2e7)
+      class CertServerRequestResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_uint32      :pdw_request_id
+        ndr_uint32      :pdw_disposition
+        cert_trans_blob :pctb_cert
+        cert_trans_blob :pctb_encoded_cert
+        cert_trans_blob :pctb_disposition_message
+        ndr_uint32      :error_status
+
+        def initialize_instance
+          super
+          @opnum = CERT_SERVER_REQUEST
+        end
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/icpr.rb

@@ -0,0 +1,84 @@
+module RubySMB
+  module Dcerpc
+    module Icpr
+
+      # [3.2.4.1 ICertPassage Interface](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-icpr/d98e6cfb-87ba-4915-b3ec-a1b7c6129a53)
+      UUID = '91ae6020-9e3c-11cf-8d7c-00aa00c091be'
+      VER_MAJOR = 0
+      VER_MINOR = 0
+
+      # Operation numbers
+      CERT_SERVER_REQUEST = 0x0000
+
+      # Disposition constants, see
+      # [3.2.1.4.2.1 ICertRequestD::Request (Opnum 3)](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/dbb2e78f-7630-4615-92c4-6734fccfc5a6)
+      CR_DISP_ISSUED           = 0x0003
+      CR_DISP_UNDER_SUBMISSION = 0x0005
+
+      # [2.2.2.2 CERTTRANSBLOB](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-wcce/d6bee093-d862-4122-8f2b-7b49102097dc)
+      # (actually defined in MS-WCCE)
+      class CertTransBlob < Ndr::NdrStruct
+        endian :little
+        default_parameter  byte_align: 4
+
+        ndr_uint32              :cb, initial_value: -> { pb.length }
+        ndr_byte_conf_array_ptr :pb
+
+        def buffer
+          pb.to_ary.pack('C*')
+        end
+      end
+
+      require 'ruby_smb/dcerpc/icpr/cert_server_request_request'
+      require 'ruby_smb/dcerpc/icpr/cert_server_request_response'
+
+      def cert_server_request(attributes:, authority:, csr:)
+        cert_server_request_request = CertServerRequestRequest.new(
+          pwsz_authority: authority,
+          pctb_attribs: { pb: (RubySMB::Utils.safe_encode(attributes.map { |k,v| "#{k}:#{v}" }.join("\n"), 'UTF-16le').force_encoding('ASCII-8bit') + "\x00\x00".b) },
+          pctb_request: { pb: csr.to_der }
+        )
+
+        response = dcerpc_request(
+          cert_server_request_request,
+          auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
+          auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
+        )
+        begin
+          cert_server_request_response = CertServerRequestResponse.read(response)
+        rescue IOError
+          raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading CertServerRequestResponse'
+        end
+
+        ret = {
+          disposition: cert_server_request_response.pdw_disposition.value,
+          disposition_message: cert_server_request_response.pctb_disposition_message.buffer.chomp("\x00\x00").force_encoding('utf-16le').encode,
+          status: {
+            CR_DISP_ISSUED => :issued,
+            CR_DISP_UNDER_SUBMISSION => :submitted,
+          }.fetch(cert_server_request_response.pdw_disposition.value, :error)
+        }
+
+        # note: error_status == RPC_S_BINDING_HAS_NO_AUTH when not properly bound
+        if ret[:status] == :error
+          unless cert_server_request_response.error_status == WindowsError::NTStatus::STATUS_SUCCESS
+            error_status = cert_server_request_response.error_status.value
+            status_code = WindowsError::Win32.find_by_retval(error_status).first
+            if status_code.nil? && (fault_name = RubySMB::Dcerpc::Fault::Status.name(error_status))
+              status_code = WindowsError::ErrorCode.new(fault_name.to_s, error_status, 'DCERPC fault')
+            end
+            raise RubySMB::Dcerpc::Error::IcprError.new(
+              "Error returned with cert_server_request: #{status_code || "0x#{error_status.to_s(16).rjust(8, '0')}"}",
+              status_code: status_code
+            )
+          end
+        else
+          ret[:certificate] = OpenSSL::X509::Certificate.new(cert_server_request_response.pctb_encoded_cert.buffer)
+        end
+
+        ret
+      end
+
+    end
+  end
+end