ruby_smb 3.2.4 → 3.2.6

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 8f850321711ac70e25f6b483f82454520f2b567cc349ee02eb99bba5c48dfeb4
-  data.tar.gz: 22ee0ab297710e76071fa8302165b903b39d211205ca1d6b95d697bf3eecae67
+  metadata.gz: 6220ba1edc47882a9d30dd1937d877c22094ebaf9c2a72cb806489a65598e1ce
+  data.tar.gz: 1b650bfdd2b6ba8323e9d3e7f4e161c7a659dddbffc7fa21a03d4a2e538f7297
 SHA512:
-  metadata.gz: 8708897bda47dd2c07b064eaafbbfe8641af469a1b5688a98bbef9e38119675de9ce52287fdb00c75f908e29e70499d14203fc53a11c6824691c315a5ebeb746
-  data.tar.gz: aad169c776223bb67198ba223f0b53d640706540f67ec125d4527a05fa4ac8c42676588b84f5e0385c4db846631783159c2a44801964284b6ae0b78b83c0a031
+  metadata.gz: 9e49bc0af1cd4ad61cba01ec70aecead1adbe3b4d58d6127593878596bdbc7f64c8d50b9aaa396004ffc3a3b5e8cf1806053d0825d44322aa4d4584bdddeced7
+  data.tar.gz: 36ca2d7c9e6256a0faabac441e89ea86d43ccd8d2de342dba4965679d2e2c4fafa541fbc09c4457d656a2cccef1af53fe5ab487245800914ad8b9a6431679088

data/cortex.yaml

@@ -0,0 +1,15 @@
+---
+info:
+  title: Ruby Smb
+  description: A native Ruby implementation of the SMB Protocol Family
+  x-cortex-git:
+    github:
+      alias: r7org
+      repository: rapid7/ruby_smb
+  x-cortex-tag: ruby-smb
+  x-cortex-type: service
+  x-cortex-domain-parents:
+  - tag: metasploit
+openapi: 3.0.1
+servers:
+- url: "/"

data/examples/dump_secrets_from_sid.rb

@@ -60,7 +60,7 @@ dc_infos.each do |dc_info|
     puts "Decrypting hash for user: #{dn}"
 
     entinf_struct = user_record.pmsg_out.msg_getchg.p_objects.entinf
-    object_sid = rid = entinf_struct.p_name.sid[-4..-1].unpack('<L').first
+    object_sid = rid = entinf_struct.p_name.sid[-4..-1].unpack('L<').first
     lm_hash = Net::NTLM.lm_hash('')
     nt_hash = Net::NTLM.ntlm_hash('')
     disabled = nil

data/lib/ruby_smb/dcerpc/alter_context.rb

@@ -0,0 +1,30 @@
+module RubySMB
+  module Dcerpc
+    # The Alter context PDU as defined in
+    # [The alter_context PDU](https://pubs.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_06_04_01)
+    class AlterContext < BinData::Record
+      PTYPE = PTypes::ALTER_CONTEXT
+
+      endian :little
+
+      # PDU Header
+      pdu_header    :pdu_header, label: 'PDU header'
+      ndr_uint16    :max_xmit_frag, label: 'Max transmit frag size', initial_value: RubySMB::Dcerpc::MAX_XMIT_FRAG
+      ndr_uint16    :max_recv_frag, label: 'Max receive frag size', initial_value: RubySMB::Dcerpc::MAX_RECV_FRAG
+      ndr_uint32    :assoc_group_id, label: 'Incarnation of client-server assoc group'
+      p_cont_list_t :p_context_list, label: 'Presentation context list', endpoint: -> { endpoint }
+
+      # Auth Verifier
+      sec_trailer   :sec_trailer, onlyif: -> { pdu_header.auth_length > 0 }
+      string        :auth_value,
+        onlyif: -> { pdu_header.auth_length > 0 },
+        read_length: -> { pdu_header.auth_length }
+
+      def initialize_instance
+        super
+        pdu_header.ptype = PTYPE
+      end
+    end
+  end
+end
+

data/lib/ruby_smb/dcerpc/alter_context_resp.rb

@@ -0,0 +1,42 @@
+module RubySMB
+  module Dcerpc
+    # The Alter context resp PDU as defined in
+    # [The alter_context_resp PDU](https://pubs.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_06_04_02)
+
+    class AlterContextResp < BinData::Record
+      PTYPE = PTypes::ALTER_CONTEXT_RESP
+
+      # Presentation context negotiation results
+      ACCEPTANCE         = 0
+      USER_REJECTION     = 1
+      PROVIDER_REJECTION = 2
+
+      # Reasons for rejection of a context element
+      REASON_NOT_SPECIFIED                     = 0
+      ABSTRACT_SYNTAX_NOT_SUPPORTED            = 1
+      PROPOSED_TRANSFER_SYNTAXES_NOT_SUPPORTED = 2
+      LOCAL_LIMIT_EXCEEDED                     = 3
+
+      endian :little
+
+      # PDU Header
+      pdu_header      :pdu_header, label: 'PDU header'
+      ndr_uint16      :max_xmit_frag, label: 'Max transmit frag size', initial_value: RubySMB::Dcerpc::MAX_XMIT_FRAG
+      ndr_uint16      :max_recv_frag, label: 'Max receive frag size', initial_value: RubySMB::Dcerpc::MAX_RECV_FRAG
+      ndr_uint32      :assoc_group_id, label: 'Association group ID'
+      port_any_t      :sec_addr, label: 'Secondary address'
+      p_result_list_t :p_result_list, label: 'Presentation context result list'
+
+      # Auth Verifier
+      sec_trailer     :sec_trailer, onlyif: -> { pdu_header.auth_length > 0 }
+      string          :auth_value,
+        onlyif: -> { pdu_header.auth_length > 0 },
+        read_length: -> { pdu_header.auth_length }
+
+      def initialize_instance
+        super
+        pdu_header.ptype = PTYPE
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/bind.rb

@@ -2,38 +2,6 @@ module RubySMB
   module Dcerpc
     # The Bind PDU as defined in
     # [The bind PDU](http://pubs.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_06_04_03)
-    class PContElemT < Ndr::NdrStruct
-      default_parameter byte_align: 4
-      endian :little
-
-      ndr_uint16    :p_cont_id, label: 'Context ID'
-      ndr_uint8     :n_transfer_syn, label: 'Number of transfer syntaxes', initial_value: 1
-      ndr_uint8     :reserved
-      p_syntax_id_t :abstract_syntax, label: 'Abstract syntax',
-        uuid: ->      { endpoint::UUID },
-        ver_major: -> { endpoint::VER_MAJOR },
-        ver_minor: -> { endpoint::VER_MINOR }
-      array         :transfer_syntaxes, label: 'Transfer syntax', type: :p_syntax_id_t,
-        initial_length: -> { n_transfer_syn },
-        uuid: ->      { Ndr::UUID },
-        ver_major: -> { Ndr::VER_MAJOR },
-        ver_minor: -> { Ndr::VER_MINOR },
-        byte_align: 4
-    end
-
-    class PContListT < Ndr::NdrStruct
-      default_parameter byte_align: 4
-      endian :little
-
-      ndr_uint8  :n_context_elem, label: 'Number of context elements', initial_value: -> { 1 }
-      ndr_uint8  :reserved
-      ndr_uint16 :reserved2
-      array      :p_cont_elem, label: 'Presentation context elements', type: :p_cont_elem_t,
-        initial_length: -> {n_context_elem},
-        endpoint: -> {endpoint},
-        byte_align: 4
-    end
-
     class Bind < BinData::Record
       PTYPE = PTypes::BIND
 
@@ -41,9 +9,9 @@ module RubySMB
 
       # PDU Header
       pdu_header    :pdu_header, label: 'PDU header'
-      ndr_uint16    :max_xmit_frag, label: 'max transmit frag size', initial_value: RubySMB::Dcerpc::MAX_XMIT_FRAG
-      ndr_uint16    :max_recv_frag, label: 'max receive frag size', initial_value: RubySMB::Dcerpc::MAX_RECV_FRAG
-      ndr_uint32    :assoc_group_id, label: 'incarnation of client-server assoc group'
+      ndr_uint16    :max_xmit_frag, label: 'Max transmit frag size', initial_value: RubySMB::Dcerpc::MAX_XMIT_FRAG
+      ndr_uint16    :max_recv_frag, label: 'Max receive frag size', initial_value: RubySMB::Dcerpc::MAX_RECV_FRAG
+      ndr_uint32    :assoc_group_id, label: 'Incarnation of client-server assoc group'
       p_cont_list_t :p_context_list, label: 'Presentation context list', endpoint: -> { endpoint }
 
       # Auth Verifier

data/lib/ruby_smb/dcerpc/bind_ack.rb

@@ -2,37 +2,6 @@ module RubySMB
   module Dcerpc
     # The Bind ACK PDU as defined in
     # [The bind_ack PDU](http://pubs.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_06_04_04)
-
-    class PResultT < Ndr::NdrStruct
-      default_parameter byte_align: 4
-      endian :little
-
-      ndr_uint16        :result,          label: 'Presentation context negotiation results'
-      ndr_uint16        :reason,          label: 'Rejection reason'
-      p_syntax_id_t     :transfer_syntax, label: 'Presentation syntax ID',
-        uuid:      -> { Ndr::UUID },
-        ver_major: -> { Ndr::VER_MAJOR },
-        ver_minor: -> { Ndr::VER_MINOR }
-    end
-
-    class PResultListT < Ndr::NdrStruct
-      default_parameter byte_align: 4
-      endian :little
-
-      ndr_uint8  :n_results, label: 'Number of results', initial_value: -> { p_results.size }
-      ndr_uint8  :reserved
-      ndr_uint16 :reserved2
-      array      :p_results, label: 'Results', type: :p_result_t, initial_length: -> { n_results }, byte_align: 4
-    end
-
-    class PortAnyT < Ndr::NdrStruct
-      default_parameter byte_align: 2
-      endian :little
-
-      ndr_uint16  :str_length, label: 'Length', initial_value: -> { port_spec.to_binary_s.size }
-      stringz     :port_spec, label: 'Port string spec', byte_align: 2
-    end
-
     class BindAck < BinData::Record
       PTYPE = PTypes::BIND_ACK
 

data/lib/ruby_smb/dcerpc/client.rb

@@ -209,6 +209,10 @@ module RubySMB
         if auth_level &&
            [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(auth_level)
           set_integrity_privacy(dcerpc_req, auth_level: auth_level, auth_type: auth_type)
+          # Per the spec (MS_RPCE 2.2.2.11): start of the trailer should be a multiple of 16 bytes offset from the start of the stub
+          valid_offset = (((dcerpc_req.sec_trailer.abs_offset - dcerpc_req.stub.abs_offset) % 16))
+          valid_auth_pad = (dcerpc_req.sec_trailer.auth_pad_length == dcerpc_req.auth_pad.length)
+          raise Error::InvalidPacket unless valid_offset == 0 && valid_auth_pad
         end
 
         send_packet(dcerpc_req)

data/lib/ruby_smb/dcerpc/drsr.rb

@@ -613,8 +613,8 @@ module RubySMB
         drs_bind_request = DrsBindRequest.new(pext_client: drs_extensions_int)
         response = dcerpc_request(
           drs_bind_request,
-          auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
-          auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
+          auth_level: @auth_level,
+          auth_type: @auth_type
         )
         begin
           drs_bind_response = DrsBindResponse.read(response)
@@ -640,8 +640,8 @@ module RubySMB
           drs_bind_request.pext_client.assign(drs_extensions_int)
           response = dcerpc_request(
             drs_bind_request,
-            auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
-            auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
+            auth_level: @auth_level,
+            auth_type: @auth_type
           )
           begin
             drs_bind_response = DrsBindResponse.read(response)
@@ -668,8 +668,8 @@ module RubySMB
         drs_unbind_request = DrsUnbindRequest.new(ph_drs: ph_drs)
         response = dcerpc_request(
           drs_unbind_request,
-          auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
-          auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
+            auth_level: @auth_level,
+            auth_type: @auth_type
         )
         begin
           drs_unbind_response = DrsUnbindResponse.read(response)
@@ -709,8 +709,8 @@ module RubySMB
         )
         response = dcerpc_request(
           drs_domain_controller_info_request,
-          auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
-          auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
+          auth_level: @auth_level,
+          auth_type: @auth_type
         )
         begin
           drs_domain_controller_info_response = DrsDomainControllerInfoResponse.read(response)
@@ -759,8 +759,8 @@ module RubySMB
         )
         response = dcerpc_request(
           drs_crack_names_request,
-          auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
-          auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
+          auth_level: @auth_level,
+          auth_type: @auth_type
         )
         begin
           drs_crack_names_response = DrsCrackNamesResponse.read(response)
@@ -790,8 +790,8 @@ module RubySMB
         unless @session_key
           raise RubySMB::Error::EncryptionError, 'Unable to decrypt attribute value: session key is empty'
         end
-        encrypted_payload = EncryptedPayload.read(attribute)
 
+        encrypted_payload = EncryptedPayload.read(attribute)
         signature = OpenSSL::Digest::MD5.digest(@session_key + encrypted_payload.salt.to_binary_s)
         rc4 = OpenSSL::Cipher.new('rc4')
         rc4.decrypt
@@ -886,8 +886,8 @@ module RubySMB
 
         response = dcerpc_request(
           drs_get_nc_changes_request,
-          auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
-          auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
+          auth_level: @auth_level,
+          auth_type: @auth_type
         )
         begin
           drs_get_nc_changes_response = DrsGetNcChangesResponse.read(response)

data/lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_decrypt_file_srv_request.rb

@@ -0,0 +1,22 @@
+module RubySMB
+  module Dcerpc
+    module EncryptingFileSystem
+
+      # [3.1.4.2.6 Receiving an EfsRpcDecryptFileSrv Message (Opnum 5)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/043715de-caee-402a-a61b-921743337e78)
+      class EfsRpcDecryptFileSrvRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_conf_var_wide_stringz :file_name
+        ndr_uint32                :open_flag
+
+        def initialize_instance
+          super
+          @opnum = EFS_RPC_DECRYPT_FILE_SRV
+        end
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_decrypt_file_srv_response.rb

@@ -0,0 +1,21 @@
+module RubySMB
+  module Dcerpc
+    module EncryptingFileSystem
+
+      # [3.1.4.2.6 Receiving an EfsRpcDecryptFileSrv Message (Opnum 5)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/043715de-caee-402a-a61b-921743337e78)
+      class EfsRpcDecryptFileSrvResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_uint32         :error_status
+
+        def initialize_instance
+          super
+          @opnum = EFS_RPC_DECRYPT_FILE_SRV
+        end
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_recover_agents_request.rb

@@ -0,0 +1,20 @@
+module RubySMB
+  module Dcerpc
+    module EncryptingFileSystem
+
+      # [3.1.4.2.8 Receiving an EfsRpcQueryRecoveryAgents Message (Opnum 7)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/cf759c00-1b90-4c33-9ace-f51c20149cea)
+      class EfsRpcQueryRecoveryAgentsRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_conf_var_wide_stringz :file_name
+
+        def initialize_instance
+          super
+          @opnum = EFS_RPC_QUERY_RECOVERY_AGENTS
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_recover_agents_response.rb

@@ -0,0 +1,21 @@
+module RubySMB
+  module Dcerpc
+    module EncryptingFileSystem
+
+      # [3.1.4.2.8 Receiving an EfsRpcQueryRecoveryAgents Message (Opnum 7)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/cf759c00-1b90-4c33-9ace-f51c20149cea)
+      class EfsRpcQueryRecoveryAgentsResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        encryption_certificate_hash_list_ptr :recover_agents
+        ndr_uint32                           :error_status
+
+        def initialize_instance
+          super
+          @opnum = EFS_RPC_QUERY_RECOVERY_AGENTS
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_users_on_file_request.rb

@@ -0,0 +1,20 @@
+module RubySMB
+  module Dcerpc
+    module EncryptingFileSystem
+
+      # [3.1.4.2.7 Receiving an EfsRpcQueryUsersOnFile Message (Opnum 6)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/a058dc6c-bb7e-491c-9143-a5cb1f7e7cea)
+      class EfsRpcQueryUsersOnFileRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_conf_var_wide_stringz :file_name
+
+        def initialize_instance
+          super
+          @opnum = EFS_RPC_QUERY_USERS_ON_FILE
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_users_on_file_response.rb

@@ -0,0 +1,21 @@
+module RubySMB
+  module Dcerpc
+    module EncryptingFileSystem
+
+      # [3.1.4.2.7 Receiving an EfsRpcQueryUsersOnFile Message (Opnum 6)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/a058dc6c-bb7e-491c-9143-a5cb1f7e7cea)
+      class EfsRpcQueryUsersOnFileResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        encryption_certificate_hash_list_ptr :users
+        ndr_uint32                           :error_status
+
+        def initialize_instance
+          super
+          @opnum = EFS_RPC_QUERY_USERS_ON_FILE
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/encrypting_file_system.rb

@@ -35,10 +35,62 @@ module RubySMB
       OVERWRITE_HIDDEN = 0x00000004
       EFS_DROP_ALTERNATE_STREAMS = 0x00000010
 
+      # [2.2.7 EFS_HASH_BLOB](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/242d857f-ac8e-4cc8-b5e4-9314a942f45e)
+      class EfsHashBlob < Ndr::NdrStruct
+        endian :little
+        default_parameter byte_align: 4
+
+        ndr_uint32   :cb_data
+        ndr_byte_conf_array_ptr :b_data
+      end
+
+      class EfsHashBlobPtr < EfsHashBlob
+        extend Ndr::PointerClassPlugin
+      end
+
+      # [2.2.10 ENCRYPTION_CERTIFICATE_HASH](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/3a7e7151-edcb-4b32-a119-35cdce1584c0)
+      class EncryptionCertificateHash < Ndr::NdrStruct
+        endian :little
+        default_parameter byte_align: 4
+
+        ndr_uint32                :cb_total_length
+        prpc_sid                  :user_sid
+        efs_hash_blob_ptr         :certificate_hash
+        ndr_wide_stringz_ptr      :lp_display_information
+      end
+
+      class EncryptionCertificateHashPtr < EncryptionCertificateHash
+        extend Ndr::PointerClassPlugin
+      end
+
+      class EncryptionCertificateHashPtrArrayPtr < Ndr::NdrConfArray
+        default_parameter type: :encryption_certificate_hash_ptr
+        extend Ndr::PointerClassPlugin
+      end
+
+      # [2.2.11 ENCRYPTION_CERTIFICATE_HASH_LIST](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-efsr/2718804c-6ab9-45fd-98cf-541bc3b6bc75)
+      class EncryptionCertificateHashList < BinData::Record
+        endian :little
+        default_parameter byte_align: 4
+
+        uint32                                    :ncert_hash
+        encryption_certificate_hash_ptr_array_ptr :users
+      end
+
+      class EncryptionCertificateHashListPtr < EncryptionCertificateHashList
+        extend Ndr::PointerClassPlugin
+      end
+
+      require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_decrypt_file_srv_request'
+      require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_decrypt_file_srv_response'
       require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_encrypt_file_srv_request'
       require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_encrypt_file_srv_response'
       require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_open_file_raw_request'
       require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_open_file_raw_response'
+      require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_recover_agents_request'
+      require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_recover_agents_response'
+      require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_users_on_file_request'
+      require 'ruby_smb/dcerpc/encrypting_file_system/efs_rpc_query_users_on_file_response'
     end
   end
 end

data/lib/ruby_smb/dcerpc/p_cont_list_t.rb

@@ -0,0 +1,37 @@
+module RubySMB
+  module Dcerpc
+    # The presentation context list and its element as defined in
+    # [Connection-oriented PDU Data Types - Declarations](https://pubs.opengroup.org/onlinepubs/9629399/chap12.htm#tagcjh_17_06_03_01)
+    class PContElemT < Ndr::NdrStruct
+      default_parameter byte_align: 4
+      endian :little
+
+      ndr_uint16    :p_cont_id, label: 'Context ID'
+      ndr_uint8     :n_transfer_syn, label: 'Number of transfer syntaxes', initial_value: 1
+      ndr_uint8     :reserved
+      p_syntax_id_t :abstract_syntax, label: 'Abstract syntax',
+        uuid: ->      { endpoint::UUID },
+        ver_major: -> { endpoint::VER_MAJOR },
+        ver_minor: -> { endpoint::VER_MINOR }
+      array         :transfer_syntaxes, label: 'Transfer syntax', type: :p_syntax_id_t,
+        initial_length: -> { n_transfer_syn },
+        uuid: ->      { Ndr::UUID },
+        ver_major: -> { Ndr::VER_MAJOR },
+        ver_minor: -> { Ndr::VER_MINOR },
+        byte_align: 4
+    end
+
+    class PContListT < Ndr::NdrStruct
+      default_parameter byte_align: 4
+      endian :little
+
+      ndr_uint8  :n_context_elem, label: 'Number of context elements', initial_value: -> { 1 }
+      ndr_uint8  :reserved
+      ndr_uint16 :reserved2
+      array      :p_cont_elem, label: 'Presentation context elements', type: :p_cont_elem_t,
+        initial_length: -> {n_context_elem},
+        endpoint: -> {endpoint},
+        byte_align: 4
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/p_result_list_t.rb

@@ -0,0 +1,13 @@
+module RubySMB
+  module Dcerpc
+    class PResultListT < Ndr::NdrStruct
+      default_parameter byte_align: 4
+      endian :little
+
+      ndr_uint8  :n_results, label: 'Number of results', initial_value: -> { p_results.size }
+      ndr_uint8  :reserved
+      ndr_uint16 :reserved2
+      array      :p_results, label: 'Results', type: :p_result_t, initial_length: -> { n_results }, byte_align: 4
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/p_result_t.rb

@@ -0,0 +1,15 @@
+module RubySMB
+  module Dcerpc
+    class PResultT < Ndr::NdrStruct
+      default_parameter byte_align: 4
+      endian :little
+
+      ndr_uint16        :result,          label: 'Presentation context negotiation results'
+      ndr_uint16        :reason,          label: 'Rejection reason'
+      p_syntax_id_t     :transfer_syntax, label: 'Presentation syntax ID',
+        uuid:      -> { Ndr::UUID },
+        ver_major: -> { Ndr::VER_MAJOR },
+        ver_minor: -> { Ndr::VER_MINOR }
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/port_any_t.rb

@@ -0,0 +1,11 @@
+module RubySMB
+  module Dcerpc
+    class PortAnyT < Ndr::NdrStruct
+      default_parameter byte_align: 2
+      endian :little
+
+      ndr_uint16  :str_length, label: 'Length', initial_value: -> { port_spec.to_binary_s.size }
+      stringz     :port_spec, label: 'Port string spec', byte_align: 2, onlyif: -> { str_length > 0 }
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/request.rb

@@ -103,9 +103,10 @@ module RubySMB
         end
         string :default
       end
-      string      :auth_pad,
+
+      string    :auth_pad,
         onlyif: -> { has_auth_verifier? },
-        length: -> { (16 - (stub.num_bytes % 16)) % 16 }
+        length: -> { calculate_padding_size }
 
       # Auth Verifier
       sec_trailer :sec_trailer, onlyif: -> { has_auth_verifier? }
@@ -113,6 +114,11 @@ module RubySMB
         onlyif:      -> { has_auth_verifier? },
         read_length: -> { pdu_header.auth_length }
 
+      # Per the spec (MS_RPCE 2.2.2.11): start of the trailer should be a multiple of 16 bytes offset from the start of the stub
+      def calculate_padding_size
+        (16 - (stub.num_bytes % 16)) % 16
+      end
+
       def initialize_instance
         super
         pdu_header.ptype = PTYPE
@@ -125,7 +131,6 @@ module RubySMB
       def has_auth_verifier?
         self.pdu_header.auth_length > 0
       end
-
     end
   end
 end

data/lib/ruby_smb/dcerpc/response.rb

@@ -18,7 +18,7 @@ module RubySMB
       string      :stub, label: 'Stub', read_length: -> { stub_length }
       string      :auth_pad,
         onlyif: -> { has_auth_verifier? },
-        length: -> { (16 - (stub.num_bytes % 16)) % 16 }
+        length: -> { calculate_padding_size }
 
       # Auth Verifier
       sec_trailer :sec_trailer, onlyif: -> { has_auth_verifier? }
@@ -26,6 +26,11 @@ module RubySMB
         onlyif: -> { has_auth_verifier? },
         read_length: -> { pdu_header.auth_length }
 
+      # Per the spec (MS_RPCE 2.2.2.11): start of the trailer should be a multiple of 16 bytes offset from the start of the stub
+      def calculate_padding_size
+        (16 - (stub.num_bytes % 16)) % 16
+      end
+
       def initialize_instance
         super
         pdu_header.ptype = PTYPE