ruby_smb 3.1.7 → 3.2.1

data/lib/ruby_smb/smb1/pipe.rb

@@ -30,10 +30,18 @@ module RubySMB
           extend RubySMB::Dcerpc::Wkssvc
         when 'netdfs', '\\netdfs'
           extend RubySMB::Dcerpc::Dfsnm
+        when 'cert', '\\cert'
+          extend RubySMB::Dcerpc::Icpr
         end
         super(tree: tree, response: response, name: name)
       end
 
+      def bind(options={})
+        @size = 1024
+        @ntlm_client = @tree.client.ntlm_client
+        super
+      end
+
       # Performs a peek operation on the named pipe
       #
       # @param peek_size [Integer] Amount of data to peek
@@ -98,6 +106,11 @@ module RubySMB
         options.merge!(endpoint: stub_packet.class.name.split('::').at(-2))
         dcerpc_request = RubySMB::Dcerpc::Request.new({ opnum: stub_packet.opnum }, options)
         dcerpc_request.stub.read(stub_packet.to_binary_s)
+        if options[:auth_level] &&
+           [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+          set_integrity_privacy(dcerpc_request, auth_level: options[:auth_level], auth_type: options[:auth_type])
+        end
+
         trans_nmpipe_request = RubySMB::SMB1::Packet::Trans::TransactNmpipeRequest.new(options)
         @tree.set_header_fields(trans_nmpipe_request)
         trans_nmpipe_request.set_fid(@fid)
@@ -124,22 +137,33 @@ module RubySMB
           unless dcerpc_response.pdu_header.pfc_flags.first_frag == 1
             raise RubySMB::Dcerpc::Error::InvalidPacket, "Not the first fragment"
           end
+          if options[:auth_level] &&
+             [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+            handle_integrity_privacy(dcerpc_response, auth_level: options[:auth_level], auth_type: options[:auth_type])
+          end
           stub_data = dcerpc_response.stub.to_s
 
           loop do
             break if dcerpc_response.pdu_header.pfc_flags.last_frag == 1
             raw_data = read(bytes: @tree.client.max_buffer_size)
             dcerpc_response = dcerpc_response_from_raw_response(raw_data)
+            if options[:auth_level] &&
+               [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+              handle_integrity_privacy(dcerpc_response, auth_level: options[:auth_level], auth_type: options[:auth_type])
+            end
             stub_data << dcerpc_response.stub.to_s
           end
           stub_data
         else
           dcerpc_response = dcerpc_response_from_raw_response(raw_data)
+          if options[:auth_level] &&
+             [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+            handle_integrity_privacy(dcerpc_response, auth_level: options[:auth_level], auth_type: options[:auth_type])
+          end
           dcerpc_response.stub.to_s
         end
       end
 
-
       private
 
       def dcerpc_response_from_raw_response(raw_data)

data/lib/ruby_smb/smb2/packet/tree_connect_response.rb

@@ -21,7 +21,11 @@ module RubySMB
         uint8                 :reserved,       label: 'Reserved Space', initial_value: 0x00
         share_flags           :share_flags
         share_capabilities    :capabilities
-        file_access_mask      :maximal_access, label: 'Maximal Access'
+        choice                :maximal_access, label: 'Maximal Access', selection: -> { share_type } do
+          file_access_mask      SMB2_SHARE_TYPE_PIPE
+          file_access_mask      SMB2_SHARE_TYPE_PRINT
+          directory_access_mask SMB2_SHARE_TYPE_DISK
+        end
 
         def initialize_instance
           super

data/lib/ruby_smb/smb2/pipe.rb

@@ -27,10 +27,18 @@ module RubySMB
           extend RubySMB::Dcerpc::Wkssvc
         when 'netdfs', '\\netdfs'
           extend RubySMB::Dcerpc::Dfsnm
+        when 'cert', '\\cert'
+          extend RubySMB::Dcerpc::Icpr
         end
         super(tree: tree, response: response, name: name)
       end
 
+      def bind(options={})
+        @size = 1024
+        @ntlm_client = @tree.client.ntlm_client
+        super
+      end
+
       # Performs a peek operation on the named pipe
       #
       # @param peek_size [Integer] Amount of data to peek
@@ -91,6 +99,11 @@ module RubySMB
         options.merge!(endpoint: stub_packet.class.name.split('::').at(-2))
         dcerpc_request = RubySMB::Dcerpc::Request.new({ opnum: stub_packet.opnum }, options)
         dcerpc_request.stub.read(stub_packet.to_binary_s)
+        if options[:auth_level] &&
+           [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+          set_integrity_privacy(dcerpc_request, auth_level: options[:auth_level], auth_type: options[:auth_type])
+        end
+
         ioctl_send_recv(dcerpc_request, options)
       end
 
@@ -122,17 +135,29 @@ module RubySMB
           unless dcerpc_response.pdu_header.pfc_flags.first_frag == 1
             raise RubySMB::Dcerpc::Error::InvalidPacket, "Not the first fragment"
           end
+          if options[:auth_level] &&
+             [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+            handle_integrity_privacy(dcerpc_response, auth_level: options[:auth_level], auth_type: options[:auth_type])
+          end
           stub_data = dcerpc_response.stub.to_s
 
           loop do
             break if dcerpc_response.pdu_header.pfc_flags.last_frag == 1
             raw_data = read(bytes: @tree.client.max_buffer_size)
             dcerpc_response = dcerpc_response_from_raw_response(raw_data)
+            if options[:auth_level] &&
+               [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+              handle_integrity_privacy(dcerpc_response, auth_level: options[:auth_level], auth_type: options[:auth_type])
+            end
             stub_data << dcerpc_response.stub.to_s
           end
           stub_data
         else
           dcerpc_response = dcerpc_response_from_raw_response(raw_data)
+          if options[:auth_level] &&
+             [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+            handle_integrity_privacy(dcerpc_response, auth_level: options[:auth_level], auth_type: options[:auth_type])
+          end
           dcerpc_response.stub.to_s
         end
       end

data/lib/ruby_smb/utils.rb

@@ -0,0 +1,15 @@
+module RubySMB
+  module Utils
+
+    def self.safe_encode(str, encoding)
+      str.encode(encoding)
+    rescue EncodingError
+      if str.encoding == ::Encoding::ASCII_8BIT
+        str.dup.force_encoding(encoding)
+      else
+        raise
+      end
+    end
+
+  end
+end

data/lib/ruby_smb/version.rb

@@ -1,3 +1,3 @@
 module RubySMB
-  VERSION = '3.1.7'.freeze
+  VERSION = '3.2.1'.freeze
 end

data/lib/ruby_smb.rb

@@ -6,11 +6,13 @@ require 'openssl/ccm'
 require 'openssl/cmac'
 require 'windows_error'
 require 'windows_error/nt_status'
+require 'ruby_smb/ntlm/custom/ntlm'
 # A packet parsing and manipulation library for the SMB1 and SMB2 protocols
 #
 # [[MS-SMB] Server Message Block (SMB) Protocol Version 1](https://msdn.microsoft.com/en-us/library/cc246482.aspx)
 # [[MS-SMB2] Server Message Block (SMB) Protocol Versions 2 and 3](https://msdn.microsoft.com/en-us/library/cc246482.aspx)
 module RubySMB
+  require 'ruby_smb/utils'
   require 'ruby_smb/error'
   require 'ruby_smb/create_actions'
   require 'ruby_smb/dispositions'

data/spec/lib/ruby_smb/dcerpc/icpr/cert_server_request_request_spec.rb

@@ -0,0 +1,64 @@
+RSpec.describe RubySMB::Dcerpc::Icpr::CertServerRequestRequest do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :dw_flags }
+  it { is_expected.to respond_to :pwsz_authority }
+  it { is_expected.to respond_to :pdw_request_id }
+  it { is_expected.to respond_to :pctb_attribs }
+  it { is_expected.to respond_to :pctb_request }
+  it { is_expected.to respond_to :opnum }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#dw_flags' do
+    it 'is a NdrUint32 structure' do
+      expect(packet.dw_flags).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#pwsz_authority' do
+    it 'is a NdrWideStringzPtr structure' do
+      expect(packet.pwsz_authority).to be_a RubySMB::Dcerpc::Ndr::NdrWideStringzPtr
+    end
+  end
+  describe '#pdw_request_id' do
+    it 'is a NdrUint32 structure' do
+      expect(packet.pdw_request_id).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#pctb_attribs' do
+    it 'is a CertTransBlob structure' do
+      expect(packet.pctb_attribs).to be_a RubySMB::Dcerpc::Icpr::CertTransBlob
+    end
+  end
+  describe '#pctb_request' do
+    it 'is a CertTransBlob structure' do
+      expect(packet.pctb_request).to be_a RubySMB::Dcerpc::Icpr::CertTransBlob
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to CERT_SERVER_REQUEST constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Icpr::CERT_SERVER_REQUEST)
+    end
+  end
+  it 'reads itself' do
+    new_packet = described_class.new({
+      dw_flags: 0,
+      pwsz_authority: 'DC-CA',
+      pdw_request_id: 1,
+      pctb_attribs: { pb: 'ATTRIBUTES'.bytes },
+      pctb_request: { pb: 'REQUEST'.bytes }
+    })
+    expected_output = {
+      dw_flags: 0,
+      pwsz_authority: 'DC-CA'.encode('utf-16le'),
+      pdw_request_id: 1,
+      pctb_attribs: { cb: 10, pb: 'ATTRIBUTES'.bytes },
+      pctb_request: { cb: 7, pb: 'REQUEST'.bytes }
+    }
+    expect(packet.read(new_packet.to_binary_s)).to eq(expected_output)
+  end
+end

data/spec/lib/ruby_smb/dcerpc/icpr/cert_server_request_response_spec.rb

@@ -0,0 +1,71 @@
+RSpec.describe RubySMB::Dcerpc::Icpr::CertServerRequestResponse do
+  subject(:packet) { described_class.new }
+
+  it { is_expected.to respond_to :pdw_request_id }
+  it { is_expected.to respond_to :pdw_disposition }
+  it { is_expected.to respond_to :pctb_cert }
+  it { is_expected.to respond_to :pctb_encoded_cert }
+  it { is_expected.to respond_to :pctb_disposition_message }
+  it { is_expected.to respond_to :error_status }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(packet).to be_a(BinData::Record)
+  end
+  describe '#pdw_request_id' do
+    it 'is a NdrUint32 structure' do
+      expect(packet.pdw_request_id).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#pdw_disposition' do
+    it 'is a NdrUint32 structure' do
+      expect(packet.pdw_disposition).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#pctb_cert' do
+    it 'is a CertTransBlob structure' do
+      expect(packet.pctb_cert).to be_a RubySMB::Dcerpc::Icpr::CertTransBlob
+    end
+  end
+  describe '#pctb_encoded_cert' do
+    it 'is a CertTransBlob structure' do
+      expect(packet.pctb_encoded_cert).to be_a RubySMB::Dcerpc::Icpr::CertTransBlob
+    end
+  end
+  describe '#pctb_disposition_message' do
+    it 'is a CertTransBlob structure' do
+      expect(packet.pctb_disposition_message).to be_a RubySMB::Dcerpc::Icpr::CertTransBlob
+    end
+  end
+  describe '#error_status' do
+    it 'is a NdrUint32 structure' do
+      expect(packet.error_status).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#initialize_instance' do
+    it 'sets #opnum to CERT_SERVER_REQUEST constant' do
+      expect(packet.opnum).to eq(RubySMB::Dcerpc::Icpr::CERT_SERVER_REQUEST)
+    end
+  end
+  it 'reads itself' do
+    new_packet = described_class.new({
+      pdw_request_id: 1,
+      pdw_disposition: 0,
+      pctb_cert: { pb: 'CERT'.bytes },
+      pctb_encoded_cert: { pb: 'ENCODED_CERT'.bytes },
+      pctb_disposition_message: { pb: 'DISPOSITION_MESSAGE'.bytes },
+      error_status: 0
+    })
+    expected_output = {
+      pdw_request_id: 1,
+      pdw_disposition: 0,
+      pctb_cert: { cb: 4, pb: 'CERT'.bytes },
+      pctb_encoded_cert: { cb: 12, pb: 'ENCODED_CERT'.bytes },
+      pctb_disposition_message: { cb: 19, pb: 'DISPOSITION_MESSAGE'.bytes },
+      error_status: 0
+    }
+    expect(packet.read(new_packet.to_binary_s)).to eq(expected_output)
+  end
+end

data/spec/lib/ruby_smb/dcerpc/icpr/cert_trans_blob_spec.rb

@@ -0,0 +1,33 @@
+RSpec.describe RubySMB::Dcerpc::Icpr::CertTransBlob do
+  subject(:struct) { described_class.new }
+
+  it { is_expected.to respond_to :cb }
+  it { is_expected.to respond_to :pb }
+
+  it 'is little endian' do
+    expect(described_class.fields.instance_variable_get(:@hints)[:endian]).to eq :little
+  end
+  it 'is a BinData::Record' do
+    expect(struct).to be_a(BinData::Record)
+  end
+  describe '#cb' do
+    it 'is a NdrUint32 structure' do
+      expect(struct.cb).to be_a RubySMB::Dcerpc::Ndr::NdrUint32
+    end
+  end
+  describe '#pb' do
+    it 'is a NdrByteConfArrayPtr structure' do
+      expect(struct.pb).to be_a RubySMB::Dcerpc::Ndr::NdrByteConfArrayPtr
+    end
+  end
+  describe '#buffer' do
+    it 'returns a string' do
+      expect(struct.buffer).to be_a String
+    end
+  end
+  it 'reads itself' do
+    new_struct = described_class.new({ pb: 'BUFFER' })
+    expected_output = { cb: 6, pb: 'BUFFER'.bytes }
+    expect(struct.read(new_struct.to_binary_s)).to eq(expected_output)
+  end
+end

data/spec/lib/ruby_smb/dcerpc_spec.rb

@@ -23,6 +23,7 @@ RSpec.describe RubySMB::Dcerpc do
       allow(RubySMB::Dcerpc::BindAck).to receive(:read).and_return(bind_ack_packet)
       allow(tree).to receive(:client).and_return(client)
       allow(client).to receive(:max_buffer_size=)
+      allow(client).to receive(:ntlm_client)
     end
 
     it 'creates a Bind packet' do
@@ -49,7 +50,7 @@ RSpec.describe RubySMB::Dcerpc do
 
     it 'raises the expected exception when an invalid packet is received' do
       allow(RubySMB::Dcerpc::BindAck).to receive(:read).and_raise(IOError)
-      expect { pipe.bind(options) }.to raise_error(RubySMB::Dcerpc::Error::InvalidPacket)
+      expect { pipe.bind(options) }.to raise_error(RubySMB::Dcerpc::Error::BindError)
     end
 
     it 'raises the expected exception when it is not a BindAck packet' do

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruby_smb
 version: !ruby/object:Gem::Version
-  version: 3.1.7
+  version: 3.2.1
 platform: ruby
 authors:
 - Metasploit Hackers
@@ -97,7 +97,7 @@ cert_chain:
   EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
   9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
   -----END CERTIFICATE-----
-date: 2022-08-03 00:00:00.000000000 Z
+date: 2022-11-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: redcarpet
@@ -326,6 +326,9 @@ files:
 - lib/ruby_smb/dcerpc/epm/epm_twrt.rb
 - lib/ruby_smb/dcerpc/error.rb
 - lib/ruby_smb/dcerpc/fault.rb
+- lib/ruby_smb/dcerpc/icpr.rb
+- lib/ruby_smb/dcerpc/icpr/cert_server_request_request.rb
+- lib/ruby_smb/dcerpc/icpr/cert_server_request_response.rb
 - lib/ruby_smb/dcerpc/ndr.rb
 - lib/ruby_smb/dcerpc/netlogon.rb
 - lib/ruby_smb/dcerpc/netlogon/netr_server_authenticate3_request.rb
@@ -490,6 +493,8 @@ files:
 - lib/ruby_smb/nbss/session_request.rb
 - lib/ruby_smb/ntlm.rb
 - lib/ruby_smb/ntlm/client.rb
+- lib/ruby_smb/ntlm/custom/ntlm.rb
+- lib/ruby_smb/peer_info.rb
 - lib/ruby_smb/server.rb
 - lib/ruby_smb/server/cli.rb
 - lib/ruby_smb/server/server_client.rb
@@ -669,6 +674,7 @@ files:
 - lib/ruby_smb/smb2/smb2_header.rb
 - lib/ruby_smb/smb2/tree.rb
 - lib/ruby_smb/smb_error.rb
+- lib/ruby_smb/utils.rb
 - lib/ruby_smb/version.rb
 - ruby_smb.gemspec
 - spec/lib/ruby_smb/client_spec.rb
@@ -686,6 +692,9 @@ files:
 - spec/lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_encrypt_file_srv_response_spec.rb
 - spec/lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_open_file_raw_request_spec.rb
 - spec/lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_open_file_raw_response_spec.rb
+- spec/lib/ruby_smb/dcerpc/icpr/cert_server_request_request_spec.rb
+- spec/lib/ruby_smb/dcerpc/icpr/cert_server_request_response_spec.rb
+- spec/lib/ruby_smb/dcerpc/icpr/cert_trans_blob_spec.rb
 - spec/lib/ruby_smb/dcerpc/ndr_spec.rb
 - spec/lib/ruby_smb/dcerpc/netlogon/netr_server_authenticate3_request_spec.rb
 - spec/lib/ruby_smb/dcerpc/netlogon/netr_server_authenticate3_response_spec.rb
@@ -1013,6 +1022,9 @@ test_files:
 - spec/lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_encrypt_file_srv_response_spec.rb
 - spec/lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_open_file_raw_request_spec.rb
 - spec/lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_open_file_raw_response_spec.rb
+- spec/lib/ruby_smb/dcerpc/icpr/cert_server_request_request_spec.rb
+- spec/lib/ruby_smb/dcerpc/icpr/cert_server_request_response_spec.rb
+- spec/lib/ruby_smb/dcerpc/icpr/cert_trans_blob_spec.rb
 - spec/lib/ruby_smb/dcerpc/ndr_spec.rb
 - spec/lib/ruby_smb/dcerpc/netlogon/netr_server_authenticate3_request_spec.rb
 - spec/lib/ruby_smb/dcerpc/netlogon/netr_server_authenticate3_response_spec.rb