ruby_smb 3.3.13 → 3.3.15

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 3c74027d4436875845c9d219abd7cb3243d80acd61fbaeabb9c1256571354634
-  data.tar.gz: 8dbe5857343dbb8e1b163c29a7d3ef8d8e30aa06dc7527195772a058f4022321
+  metadata.gz: c750cc33b1b323d9f28b7ad65702e26758d1341d419ae3271c0cb900b0e254de
+  data.tar.gz: 6d62d69876566ea5fc087104da49ca598ad2705cb9bb99723ac8b22d43cb63ab
 SHA512:
-  metadata.gz: 5ed11e51a9babe4a7e478e4903dd4c201c8e714288ab49766e62ba3c01cf9b8358899276ecece683dbb586777739a016579e06a9dd9e6581e03a408a6a27cf5c
-  data.tar.gz: a7bf609a4b94040075adda0c17728ef306d780d28db06f47fa2d1c9b6729821309c3c5395c5bb8d22ad76fe693f7f7b21a2de9f9239211af64417ef35da16e37
+  metadata.gz: a52b76ed65ba8112c3a8232d8568cfda030007d56e7b982623735b57b0515b6e0a13aab897ba56213a62c83e42132ce5f7d6c2946bee06f641029257c8681cd4
+  data.tar.gz: 87d493f9c4e6380d22f39debbce248e0b7f3c9eb9d8f39a93d5bb5db620fb2b47035ad3cafad6d1ba8bd1aa1d52d88ae3195daf43e5e840c7e11f38f2581ffcc

data/cortex.yaml

@@ -10,6 +10,8 @@ info:
   x-cortex-type: service
   x-cortex-domain-parents:
   - tag: metasploit
+  x-cortex-groups:
+  - exposure:external-ship
 openapi: 3.0.1
 servers:
 - url: "/"

data/examples/epm_client.rb

@@ -0,0 +1,65 @@
+#!/usr/bin/ruby
+
+require 'bundler/setup'
+require 'ruby_smb'
+
+require 'optparse'
+require 'pp'
+
+options = {
+  major_version: 1,
+  minor_version: 0,
+  max_towers: 1,
+}
+
+parser = OptionParser.new do |opts|
+  opts.banner = "Usage: script.rb [options] TARGET PROTOCOL UUID"
+
+  opts.on("--major-version N", Integer, "Specify major version number (default: #{options[:major_version]})") do |v|
+    options[:major_version] = v
+  end
+
+  opts.on("--minor-version N", Integer, "Specify minor version number ((default: #{options[:minor_version]})") do |v|
+    options[:minor_version] = v
+  end
+
+  opts.on("--max-towers N", Integer, "Set the maximum number of towers (default: #{options[:max_towers]})") do |v|
+    options[:max_towers] = v
+  end
+
+  opts.on("-h", "--help", "Prints this help") do
+    puts opts
+    exit
+  end
+end
+
+# Parse and extract positional arguments
+begin
+  parser.order!(ARGV)
+  if ARGV.size != 3
+    raise OptionParser::MissingArgument, "TARGET, PROTOCOL, and UUID are required"
+  end
+
+  options[:target], options[:protocol], options[:uuid] = ARGV
+rescue OptionParser::ParseError => e
+  puts e.message
+  puts parser
+  exit 1
+end
+
+dcerpc_client = RubySMB::Dcerpc::Client.new(options[:target], RubySMB::Dcerpc::Epm)
+dcerpc_client.connect
+dcerpc_client.bind
+dcerpc_client.ept_map(
+  uuid: options[:uuid],
+  maj_ver: options[:major_version],
+  min_ver: options[:minor_version],
+  protocol: options[:protocol].to_sym,
+  max_towers: options[:max_towers]
+).each do |tower|
+  puts "Tower: #{tower[:endpoint]}"
+  tower.each do |key, value|
+    next if key == :endpoint
+    puts "  #{key}: #{value}"
+  end
+end

data/lib/ruby_smb/dcerpc/client.rb

@@ -11,7 +11,6 @@ module RubySMB
       require 'ruby_smb/peer_info'
 
       include Dcerpc
-      include Epm
       include PeerInfo
 
       # The default maximum size of a RPC message that the Client accepts (in bytes)
@@ -146,27 +145,31 @@ module RubySMB
       # @return [TcpSocket] The connected TCP socket
       def connect(port: nil)
         return if @tcp_socket
+
         unless port
-          @tcp_socket = TCPSocket.new(@host, ENDPOINT_MAPPER_PORT)
-          bind(endpoint: Epm)
-          begin
-            host_port = get_host_port_from_ept_mapper(
-              uuid: @endpoint::UUID,
-              maj_ver: @endpoint::VER_MAJOR,
-              min_ver: @endpoint::VER_MINOR
-            )
-          rescue RubySMB::Dcerpc::Error::DcerpcError => e
-            e.message.prepend(
-              "Cannot resolve the remote port number for endpoint #{@endpoint::UUID}. "\
-              "Set @tcp_socket parameter to specify the service port number and bypass "\
-              "EPM port resolution. Error: "
-            )
-            raise e
+          if @endpoint == Epm
+            port = ENDPOINT_MAPPER_PORT
+          else
+            epm_client = Client.new(@host, Epm, read_timeout: @read_timeout)
+            epm_client.connect
+            begin
+              epm_client.bind
+              towers = epm_client.ept_map_endpoint(@endpoint)
+            rescue RubySMB::Dcerpc::Error::DcerpcError => e
+              e.message.prepend(
+                "Cannot resolve the remote port number for endpoint #{@endpoint::UUID}. "\
+                "Set @tcp_socket parameter to specify the service port number and bypass "\
+                "EPM port resolution. Error: "
+              )
+              raise e
+            ensure
+              epm_client.close
+            end
+
+            port = towers.first[:port]
           end
-          port = host_port[:port]
-          @tcp_socket.close
-          @tcp_socket = nil
         end
+
         @tcp_socket = TCPSocket.new(@host, port)
       end
 

data/lib/ruby_smb/dcerpc/epm/epm_twrt.rb

@@ -27,39 +27,39 @@ module RubySMB
 
         uint16 :lhs_bytecount, byte_align: 1, initial_value: -> {prot_identifier.num_bytes}
         # Protocol Identifiers:
-		# 0x00: "OSI Object Identifier [OID]"
-		# 0x02: "DNA Session Control Phase 4"
-		# 0x03: "DNA Session Control V3 Phase 5"
-		# 0x04: "DNA NSP Transport"
-		# 0x05: "OSI TP4 [T-Selector]"
-		# 0x06: "OSI CLNS [NSAP]"
-		# 0x07: "DOD TCP port"
-		# 0x08: "DOD UDP port"
-		# 0x09: "DOD IP v4 big-endian"
-		# 0x0a: "RPC Connectionless v4"
-		# 0x0b: "RPC Connection-oriented v5"
-		# 0x0c: "MS Named Pipes"
-		# 0x0d: "UUID"
-		# 0x0e: "ncadg_ipx"
-		# 0x0f: "NetBIOS Named Pipes"
-		# 0x10: "MS Named Pipe Name" or "Local InterProcess Communication (LRPC)")
-		# 0x11: "MS NetBIOS"
-		# 0x12: "MS NetBEUI"
-		# 0x13: "Netware SPX"
-		# 0x14: "Netware IPX"
-		# 0x15: "NMP_TOWER_ID"
-		# 0x16: "Appletalk Stream [endpoint]"
-		# 0x17: "Appletalk Datagram [endpoint]"
-		# 0x18: "Appletalk [NBP-style Name]"
-		# 0x19: "NetBIOS [CL on all protocols]"
-		# 0x1a: "VINES SPP"
-		# 0x1b: "VINES IPC"
-		# 0x1c: "StreetTalk [name]"
-		# 0x1d: "MSMQ"
-		# 0x1f: "MS IIS (http)"
-		# 0x20: "Unix Domain socket [pathname]"
-		# 0x21: "null"
-		# 0x22: "NetBIOS name"
+        # 0x00: "OSI Object Identifier [OID]"
+        # 0x02: "DNA Session Control Phase 4"
+        # 0x03: "DNA Session Control V3 Phase 5"
+        # 0x04: "DNA NSP Transport"
+        # 0x05: "OSI TP4 [T-Selector]"
+        # 0x06: "OSI CLNS [NSAP]"
+        # 0x07: "DOD TCP port"
+        # 0x08: "DOD UDP port"
+        # 0x09: "DOD IP v4 big-endian"
+        # 0x0a: "RPC Connectionless v4"
+        # 0x0b: "RPC Connection-oriented v5"
+        # 0x0c: "MS Named Pipes"
+        # 0x0d: "UUID"
+        # 0x0e: "ncadg_ipx"
+        # 0x0f: "NetBIOS Named Pipes"
+        # 0x10: "MS Named Pipe Name" or "Local InterProcess Communication (LRPC)")
+        # 0x11: "MS NetBIOS"
+        # 0x12: "MS NetBEUI"
+        # 0x13: "Netware SPX"
+        # 0x14: "Netware IPX"
+        # 0x15: "NMP_TOWER_ID"
+        # 0x16: "Appletalk Stream [endpoint]"
+        # 0x17: "Appletalk Datagram [endpoint]"
+        # 0x18: "Appletalk [NBP-style Name]"
+        # 0x19: "NetBIOS [CL on all protocols]"
+        # 0x1a: "VINES SPP"
+        # 0x1b: "VINES IPC"
+        # 0x1c: "StreetTalk [name]"
+        # 0x1d: "MSMQ"
+        # 0x1f: "MS IIS (http)"
+        # 0x20: "Unix Domain socket [pathname]"
+        # 0x21: "null"
+        # 0x22: "NetBIOS name"
         uint8  :prot_identifier, byte_align: 1, initial_value: 0x0b
         uint16 :rhs_bytecount, byte_align: 1, initial_value: 2
         uint16 :minor_version, byte_align: 1
@@ -77,7 +77,7 @@ module RubySMB
         # default: Host name
         uint8            :identifier, byte_align: 1
         uint16           :rhs_bytecount, byte_align: 1, initial_value: -> { name.length }
-        ndr_fixed_byte_array :name, initial_length: :rhs_bytecount
+        uint8_array      :name, initial_length: :rhs_bytecount, byte_align: 1
       end
 
       class EpmFloorPipeOrPort < Ndr::NdrStruct
@@ -100,9 +100,9 @@ module RubySMB
         uint8  :identifier, byte_align: 1, initial_value: 0x07
         uint16 :rhs_bytecount, byte_align: 1, initial_value: -> { pipe_or_port.num_bytes }
         choice :pipe_or_port, selection: :identifier, byte_align: 1 do
-          ndr_fixed_byte_array 0x10, initial_length: :rhs_bytecount
-          ndr_fixed_byte_array 0x0c, initial_length: :rhs_bytecount
-          ndr_fixed_byte_array 0x0f, initial_length: :rhs_bytecount
+          uint8_array          0x10, initial_length: :rhs_bytecount, byte_align: 1
+          uint8_array          0x0c, initial_length: :rhs_bytecount, byte_align: 1
+          uint8_array          0x0f, initial_length: :rhs_bytecount, byte_align: 1
           uint16be             0x07
           uint16be             0x08
           uint16be             0x13
@@ -110,7 +110,7 @@ module RubySMB
           uint16be             0x1a
           uint16be             0x1b
           uint16be             0x1f
-          ndr_fixed_byte_array :default, initial_length: :rhs_bytecount
+          uint8_array          :default, initial_length: :rhs_bytecount, byte_align: 1
         end
       end
 
@@ -143,17 +143,17 @@ module RubySMB
         uint8  :identifier, byte_align: 1, initial_value: 0x09
         uint16 :rhs_bytecount, byte_align: 1, initial_value: -> { host_or_addr.num_bytes }
         choice :host_or_addr, selection: :identifier, byte_align: 1 do
-          ndr_fixed_byte_array 0x11, initial_length: :rhs_bytecount
-          ndr_fixed_byte_array 0x12, initial_length: :rhs_bytecount
-          ndr_fixed_byte_array 0x22, initial_length: :rhs_bytecount
+          uint8_array          0x11, initial_length: :rhs_bytecount, byte_align: 1
+          uint8_array          0x12, initial_length: :rhs_bytecount, byte_align: 1
+          uint8_array          0x22, initial_length: :rhs_bytecount, byte_align: 1
           epm_ipv4_address     0x09
           epm_ipx_spx_address  0x13
           epm_ipx_spx_address  0x14
-          choice               0x00, selection: -> {rhs_bytecount.num_bytes} do
-            ndr_fixed_byte_array 16, initial_length: 16
-            ndr_fixed_byte_array :default, initial_length: :rhs_bytecount
+          choice               0x00, selection: -> { rhs_bytecount.num_bytes } do
+            uint8_array          16, initial_length: 16, byte_align: 1
+            uint8_array          :default, initial_length: :rhs_bytecount, byte_align: 1
           end
-          ndr_fixed_byte_array :default, initial_length: :rhs_bytecount
+          uint8_array          :default, initial_length: :rhs_bytecount, byte_align: 1
         end
       end
 

data/lib/ruby_smb/dcerpc/epm.rb

@@ -9,37 +9,91 @@ module RubySMB
       # Operation numbers
       EPT_MAP = 0x0003
 
+      # MS-RPCE specific error codes
+      STATUS_NO_ELEMENTS = 0x16C9A0D6
+
       require 'ruby_smb/dcerpc/epm/epm_twrt'
       require 'ruby_smb/dcerpc/epm/epm_ept_map_request'
       require 'ruby_smb/dcerpc/epm/epm_ept_map_response'
 
-      # Retrieve the service port number given a DCERPC interface UUID
-      # See:
-      # [2.2.1.2.5 ept_map Method](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/ab744583-430e-4055-8901-3c6bc007e791)
-      # [https://pubs.opengroup.org/onlinepubs/9629399/apdxo.htm](https://pubs.opengroup.org/onlinepubs/9629399/apdxo.htm)
+      # Map a service to a connection end point.
       #
-      # @param uuid [String] The interface UUID
-      # @param maj_ver [Integer] The interface Major version
-      # @param min_ver [Integer] The interface Minor version
-      # @param max_towers [Integer] The maximum number of elements to be returned
-      # @return [Hash] A hash with the host and port
-      # @raise [RubySMB::Dcerpc::Error::InvalidPacket] if the response is not a
-      #   EpmEptMap packet
-      # @raise [RubySMB::Dcerpc::Error::EpmError] if the response error status
-      #   is not STATUS_SUCCESS
-      def get_host_port_from_ept_mapper(uuid:, maj_ver:, min_ver:, max_towers: 1)
-        decoded_tower = EpmDecodedTowerOctetString.new(
-          interface_identifier: {
-            interface: uuid,
-            major_version: maj_ver,
-            minor_version: min_ver
-          },
-          data_representation: {
-            interface: Ndr::UUID,
-            major_version: Ndr::VER_MAJOR,
-            minor_version: Ndr::VER_MINOR
-          }
-        )
+      # @param uuid [String] The object UUID of the interface.
+      # @param maj_ver [Integer] The major version number of the interface.
+      # @param min_ver [Integer] The minor version number of the interface.
+      # @param max_towers [Integer] The maximum number of results to obtain.
+      # @param protocol [Symbol] The protocol of endpoint to obtain.
+      #
+      # @return [Array<Hash<Symbol,>>] The mapped endpoints. The hash keys will
+      #   depend on the protocol that was selected but an endpoint key will
+      #   always be present.
+      # @raise [NotImplementedError] Raised if the *protocol* argument is not
+      #   supported.
+      def ept_map(uuid:, maj_ver:, min_ver: 0, max_towers: 1, protocol: :ncacn_ip_tcp)
+        interface_identifier = {
+          interface: uuid,
+          major_version: maj_ver,
+          minor_version: min_ver
+        }
+        data_representation = {
+          interface: Ndr::UUID,
+          major_version: Ndr::VER_MAJOR,
+          minor_version: Ndr::VER_MINOR
+        }
+
+        case protocol
+        when :ncacn_ip_tcp
+          decoded_tower = EpmDecodedTowerOctetString.new(
+            interface_identifier: interface_identifier,
+            data_representation: data_representation,
+            pipe_or_port: {
+              identifier: 7, # 0x07: DOD TCP port
+              pipe_or_port: 0
+            },
+            host_or_addr: {
+              identifier: 9, # 0x09: DOD IP v4 address (big-endian)
+              host_or_addr: 0
+            }
+          )
+
+          process_tower = lambda do |tower|
+            port = tower.pipe_or_port.pipe_or_port.value
+            address = IPAddr.new(tower.host_or_addr.host_or_addr.value, Socket::AF_INET)
+            {
+              port: port,
+              address: address,
+              # https://learn.microsoft.com/en-us/windows/win32/midl/ncacn-ip-tcp
+              endpoint: "ncacn_ip_tcp:#{address}[#{port}]"
+            }
+          end
+        when :ncacn_np
+          decoded_tower = EpmDecodedTowerOctetString.new(
+            interface_identifier: interface_identifier,
+            data_representation: data_representation,
+            pipe_or_port: {
+              identifier: 0x0f, # 0x0f: NetBIOS pipe name
+              pipe_or_port: [0]
+            },
+            host_or_addr: {
+              identifier: 0x11, # 0x11: MS NetBIOS host name
+              host_or_addr: [0]
+            }
+          )
+
+          process_tower = lambda do |tower|
+            pipe = tower.pipe_or_port.pipe_or_port[...-1].pack('C*')
+            host = tower.host_or_addr.host_or_addr[...-1].pack('C*')
+            {
+              pipe: pipe,
+              host: host,
+              # https://learn.microsoft.com/en-us/windows/win32/midl/ncacn-nb-nb
+              endpoint: "ncacn_np:#{host}[#{pipe}]"
+            }
+          end
+        else
+          raise NotImplementedError, "Unsupported protocol: #{protocol}"
+        end
+
         tower = EpmTwrt.new(decoded_tower)
         ept_map_request = EpmEptMapRequest.new(
           obj: Uuid.new,
@@ -53,21 +107,31 @@ module RubySMB
         rescue IOError
           raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading EptMapResponse'
         end
-        unless ept_map_response.error_status == WindowsError::NTStatus::STATUS_SUCCESS
+
+        if ept_map_response.error_status == STATUS_NO_ELEMENTS
+          raise RubySMB::Dcerpc::Error::EpmError,
+            "Error returned with ept_map: "\
+            "(0x16c9a0d6) STATUS_NO_ELEMENTS: There are no elements that satisfy the specified search criteria."
+        elsif ept_map_response.error_status != WindowsError::NTStatus::STATUS_SUCCESS
           raise RubySMB::Dcerpc::Error::EpmError,
             "Error returned with ept_map: "\
             "#{WindowsError::NTStatus.find_by_retval(ept_map_response.error_status.value).join(',')}"
         end
-        tower_binary = ept_map_response.towers[0].tower_octet_string.to_binary_s
-        begin
-          decoded_tower = EpmDecodedTowerOctetString.read(tower_binary)
-        rescue IOError
-          raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading EpmDecodedTowerOctetString'
+
+        ept_map_response.towers.map do |tower|
+          tower_binary = tower.tower_octet_string.to_binary_s
+          begin
+            decoded_tower = EpmDecodedTowerOctetString.read(tower_binary)
+          rescue IOError
+            raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading EpmDecodedTowerOctetString'
+          end
+
+          process_tower.(decoded_tower)
         end
-        {
-          port: decoded_tower.pipe_or_port.pipe_or_port.to_i,
-          host: decoded_tower.host_or_addr.host_or_addr.to_i
-        }
+      end
+
+      def ept_map_endpoint(endpoint, **kwargs)
+        ept_map(uuid: endpoint::UUID, maj_ver: endpoint::VER_MAJOR, min_ver: endpoint::VER_MINOR, **kwargs)
       end
     end
   end

data/lib/ruby_smb/dcerpc/error.rb

@@ -70,6 +70,16 @@ module RubySMB
           super(msg)
         end
       end
+
+      class GkdiError < DcerpcError
+        include RubySMB::Error::UnexpectedStatusCode::Mixin
+
+        def initialize(msg, status_code: nil)
+          self.status_code = status_code unless status_code.nil?
+
+          super(msg)
+        end
+      end
     end
   end
 end

data/lib/ruby_smb/dcerpc/gkdi/gkdi_ffc_dh_key.rb

@@ -0,0 +1,17 @@
+module RubySMB
+  module Dcerpc
+    module Gkdi
+
+      # [2.2.3.1 FFC DH Key](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/f8770f01-036d-4bf6-a4cf-1bd0e3913404)
+      class GkdiFfcDhKey < BinData::Record
+        endian :little
+
+        uint8_array :magic, initial_length: 4, initial_value: [ 0x44, 0x48, 0x50, 0x42 ]
+        uint32      :key_length
+        uint8_array :field_order, initial_length: :key_length
+        uint8_array :generator, initial_length: :key_length
+        uint8_array :public_key, initial_length: :key_length
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/gkdi/gkdi_ffc_dh_parameters.rb

@@ -0,0 +1,17 @@
+module RubySMB
+  module Dcerpc
+    module Gkdi
+
+      # [2.2.2 FFC DH Parameters](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/e15ae269-ee21-446a-a480-de3ea243db5f)
+      class GkdiFfcDhParameters < BinData::Record
+        endian :little
+
+        uint32      :parameters_length, initial_value: -> { (key_length * 2) + offset_of(generator) }
+        uint8_array :magic, initial_length: 4, initial_value: [ 0x44, 0x48, 0x50, 0x4d ]
+        uint32      :key_length
+        uint8_array :field_order, initial_length: :key_length
+        uint8_array :generator, initial_length: :key_length
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/gkdi/gkdi_get_key_request.rb

@@ -0,0 +1,26 @@
+module RubySMB
+  module Dcerpc
+    module Gkdi
+
+      # [3.1.4.1 GetKey (Opnum 0)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/4cac87a3-521e-4918-a272-240f8fabed39)
+      class GkdiGetKeyRequest < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_uint32     :cb_target_sd
+        ndr_conf_array :pb_target_sd, type: :ndr_uint8
+        uuid_ptr       :p_root_key_id
+        ndr_int32      :l0_key_id
+        ndr_int32      :l1_key_id
+        ndr_int32      :l2_key_id
+
+        def initialize_instance
+          super
+          @opnum = GKDI_GET_KEY
+        end
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/gkdi/gkdi_get_key_response.rb

@@ -0,0 +1,23 @@
+module RubySMB
+  module Dcerpc
+    module Gkdi
+
+      # [3.1.4.1 GetKey (Opnum 0)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/4cac87a3-521e-4918-a272-240f8fabed39)
+      class GkdiGetKeyResponse < BinData::Record
+        attr_reader :opnum
+
+        endian :little
+
+        ndr_uint32              :pcb_out
+        ndr_byte_conf_array_ptr :pbb_out
+        ndr_uint32              :error_status
+
+        def initialize_instance
+          super
+          @opnum = GKDI_GET_KEY
+        end
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/gkdi/gkdi_group_key_envelope.rb

@@ -0,0 +1,51 @@
+module RubySMB
+  module Dcerpc
+    module Gkdi
+
+      # [2.2.4 Group Key Envelope](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/192c061c-e740-4aa0-ab1d-6954fb3e58f7)
+      class GkdiGroupKeyEnvelope < BinData::Record
+        endian :little
+
+        uint32      :version
+        uint8_array :magic, initial_length: 4, initial_value: [ 0x4b, 0x44, 0x53, 0x5b ]
+        uint32      :dw_flags
+        uint32      :l0_index
+        uint32      :l1_index
+        uint32      :l2_index
+        uuid        :root_key_identifier
+        uint32      :cb_kdf_algorithm
+        uint32      :cb_kdf_parameters, initial_value: -> { kdf_parameters.length }
+        uint32      :cb_secret_agreement_algorithm
+        uint32      :cb_secret_agreement_parameters
+        uint32      :private_key_length
+        uint32      :public_key_length
+        uint32      :cb_l1_key
+        uint32      :cb_l2_key
+        uint32      :cb_domain_name
+        uint32      :cb_forest_name
+        stringz16   :kdf_algorithm
+        struct      :kdf_parameters, only_if: -> { cb_kdf_parameters > 0 } do
+          uint8_array :block0, initial_length: 8, initial_value: [ 0, 0, 0, 0, 1, 0, 0, 0 ]
+          uint32      :length_of_hash_name, initial_value: -> { hash_algorithm_name.length }
+          uint8_array :block1, initial_length: 4, initial_value: [ 0, 0, 0, 0 ]
+          stringz16   :hash_algorithm_name
+        end
+        stringz16   :secret_agreement_algorithm
+        uint8_array :secret_agreement_parameters, initial_length: :cb_secret_agreement_parameters
+        stringz16   :domain_name
+        stringz16   :forest_name
+        uint8_array :l1_key, initial_length: 64, only_if: -> { cb_l1_key != 0 }
+        uint8_array :l2_key, initial_length: :l2_key_length, only_if: -> { cb_l2_key != 0 }
+
+        private
+
+        def l2_key_length
+          return 0 if cb_l2_key == 0
+          return 64 if (dw_flags & (1 << 31)) == 0
+
+          public_key_length
+        end
+      end
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/gkdi.rb

@@ -0,0 +1,54 @@
+module RubySMB
+  module Dcerpc
+    module Gkdi
+
+      # [2.1 Transport](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-gkdi/2ca63ad2-2464-4a41-ba84-2e0270e95e86)
+      UUID = 'b9785960-524f-11df-8b6d-83dcded72085'
+      VER_MAJOR = 1
+      VER_MINOR = 0
+
+      # Operation numbers
+      GKDI_GET_KEY = 0x0000
+
+      require 'ruby_smb/dcerpc/gkdi/gkdi_get_key_request'
+      require 'ruby_smb/dcerpc/gkdi/gkdi_get_key_response'
+      require 'ruby_smb/dcerpc/gkdi/gkdi_ffc_dh_key'
+      require 'ruby_smb/dcerpc/gkdi/gkdi_ffc_dh_parameters'
+      require 'ruby_smb/dcerpc/gkdi/gkdi_group_key_envelope'
+
+      def gkdi_get_key(target_sd, root_key_id, l0_key_id, l1_key_id, l2_key_id)
+        target_sd = target_sd.to_binary_s if target_sd.respond_to?(:to_binary_s)
+
+        gkdi_get_key_request = GkdiGetKeyRequest.new(
+          cb_target_sd: target_sd.length,
+          pb_target_sd: target_sd.unpack('C*'),
+          p_root_key_id: root_key_id,
+          l0_key_id: l0_key_id,
+          l1_key_id: l1_key_id,
+          l2_key_id: l2_key_id
+        )
+
+        response = dcerpc_request(
+          gkdi_get_key_request,
+          auth_level: @auth_level,
+          auth_type: @auth_type
+        )
+        begin
+          gkdi_get_key_response = GkdiGetKeyResponse.read(response)
+        rescue IOError
+          raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading CertServerRequestResponse'
+        end
+        unless gkdi_get_key_response.error_status == WindowsError::NTStatus::STATUS_SUCCESS
+          status_code = WindowsError::Win32.find_by_retval(gkdi_get_key_response.error_status.value).first
+          raise RubySMB::Dcerpc::Error::GkdiError.new(
+            "Error returned with gkdi_get_key: #{status_code}",
+            status_code: status_code
+          )
+        end
+
+        GkdiGroupKeyEnvelope.read(gkdi_get_key_response.pbb_out.snapshot.pack('C*'))
+      end
+
+    end
+  end
+end

data/lib/ruby_smb/dcerpc/request.rb

@@ -124,6 +124,9 @@ module RubySMB
           lsar_close_handle_request              Lsarpc::LSAR_CLOSE_HANDLE
           lsar_lookup_sids_request               Lsarpc::LSAR_LOOKUP_SIDS
         end
+        choice 'Gkdi', selection: -> { opnum } do
+          gkdi_get_key_request Gkdi::GKDI_GET_KEY
+        end
         string :default
       end
 

data/lib/ruby_smb/dcerpc/samr.rb

@@ -522,16 +522,25 @@ module RubySMB
       # [2.2.10.1 USER_PROPERTIES](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/8263e7ab-aba9-43d2-8a36-3a9cb2dd3dad)
       class UserProperties < BinData::Record
         endian :little
+        hide   :bytes_remaining
 
         uint32 :reserved1
-        uint32 :struct_length, initial_value: -> { num_bytes - 12 }
+        # Length, in bytes, of the entire structure, starting from the :reserved4 field (offset 12):
+        uint32 :struct_length, value: -> { num_bytes - 12}
         uint16 :reserved2
         uint16 :reserved3
         string :reserved4, length: 96
         uint16 :property_signature, initial_value: 0x50
-        uint16 :property_count, initial_value: -> { user_properties.size }, onlyif: -> { struct_length > 111 }
-        array  :user_properties, type: :user_property, initial_length: :property_count, onlyif: :property_count?
+        count_bytes_remaining :bytes_remaining
+        # When there are zero `user_property` elements in the `:user_properties` field, this field MUST be omitted;
+        # the resultant `UserProperties` structure has a constant size of 0x6F bytes.
+        uint16 :property_count, value: -> { user_properties.size }, onlyif: :display_user_properties?
+        array  :user_properties, type: :user_property, read_until: -> { array.size == property_count }, onlyif: :display_user_properties?
         uint8  :reserved5
+
+        def display_user_properties?
+          (bytes_remaining > 1 && reading?) || user_properties.size > 0
+        end
       end
 
       # [2.2.10.7 KERB_KEY_DATA_NEW](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/447520a5-e1cc-48cc-8fdc-b90db57f7eac)

data/lib/ruby_smb/dcerpc.rb

@@ -28,6 +28,7 @@ module RubySMB
     DCE_C_AUTHZ_DCE  = 2
 
     require 'windows_error/win32'
+    require 'ruby_smb/dcerpc/client'
     require 'ruby_smb/dcerpc/error'
     require 'ruby_smb/dcerpc/fault'
     require 'ruby_smb/dcerpc/uuid'
@@ -50,6 +51,7 @@ module RubySMB
     require 'ruby_smb/dcerpc/icpr'
     require 'ruby_smb/dcerpc/efsrpc'
     require 'ruby_smb/dcerpc/lsarpc'
+    require 'ruby_smb/dcerpc/gkdi'
     require 'ruby_smb/dcerpc/request'
     require 'ruby_smb/dcerpc/response'
     require 'ruby_smb/dcerpc/rpc_auth3'
@@ -189,6 +191,8 @@ module RubySMB
     # @raise [ArgumentError] if `:auth_type` is unknown
     # @raise [NotImplementedError] if `:auth_type` is not implemented (yet)
     def bind(options={})
+      options = options.merge(endpoint: @endpoint) if !options[:endpoint] && defined?(:@endpoint) && @endpoint
+
       @call_id ||= 1
       bind_req = Bind.new(options)
       bind_req.pdu_header.call_id = @call_id

data/lib/ruby_smb/version.rb

@@ -1,3 +1,3 @@
 module RubySMB
-  VERSION = '3.3.13'.freeze
+  VERSION = '3.3.15'.freeze
 end

data/spec/lib/ruby_smb/dcerpc/client_spec.rb

@@ -1,8 +1,9 @@
 require 'ruby_smb/dcerpc/client'
+require 'ipaddr'
 
 RSpec.describe RubySMB::Dcerpc::Client do
-  it 'includes the RubySMB::Dcerpc::Epm class' do
-    expect(described_class < RubySMB::Dcerpc::Epm).to be true
+  it 'includes the RubySMB::PeerInfo class' do
+    expect(described_class < RubySMB::PeerInfo).to be true
   end
 
   let(:host)     { '1.2.3.4' }
@@ -75,42 +76,38 @@ RSpec.describe RubySMB::Dcerpc::Client do
       end
 
       context 'without TCP port' do
-        let(:host_port) { {host: '0.9.8.7', port: 999} }
+        let(:host_port) { {host: '192.0.2.1', port: 999} }
+        let(:epm_client) { double('EPM DCERPC Client') }
         let(:epm_tcp_socket) { double('EPM TcpSocket') }
         before :example do
-          allow(TCPSocket).to receive(:new).with(host, 135).and_return(epm_tcp_socket)
-          allow(client).to receive(:bind)
-          allow(client).to receive(:get_host_port_from_ept_mapper).and_return(host_port)
-          allow(epm_tcp_socket).to receive(:close)
-        end
-
-        it 'connects to port 135' do
-          client.connect
-          expect(TCPSocket).to have_received(:new).with(host, 135)
+          allow(described_class).to receive(:new).with(host, endpoint).and_call_original
+          allow(described_class).to receive(:new).with(host, RubySMB::Dcerpc::Epm, {:read_timeout => 30}).and_return(epm_client)
+          allow(epm_client).to receive(:connect)
+          allow(epm_client).to receive(:bind)
+          allow(epm_client).to receive(:ept_map_endpoint).with(endpoint).and_return(
+            [{address: IPAddr.new(host_port[:host], Socket::AF_INET), port: host_port[:port]}]
+          )
+          allow(epm_client).to receive(:close)
         end
 
-        it 'binds to the Endpoint Mapper endpoint' do
+        it 'creates a new client bound to the Endpoint Mapper endpoint' do
           client.connect
-          expect(client).to have_received(:bind).with(endpoint: RubySMB::Dcerpc::Epm)
+          expect(described_class).to have_received(:new).with(host, RubySMB::Dcerpc::Epm, {:read_timeout => 30})
         end
 
         it 'gets host and port information from the Endpoint Mapper' do
           client.connect
-          expect(client).to have_received(:get_host_port_from_ept_mapper).with(
-            uuid: endpoint::UUID,
-            maj_ver: endpoint::VER_MAJOR,
-            min_ver: endpoint::VER_MINOR
-          )
+          expect(epm_client).to have_received(:ept_map_endpoint).with(endpoint)
         end
 
-        it 'closes the EPM socket' do
+        it 'closes the EPM client socket' do
           client.connect
-          expect(epm_tcp_socket).to have_received(:close)
+          expect(epm_client).to have_received(:close)
         end
 
         it 'connects to the endpoint and returns the socket' do
           expect(client.connect).to eq(tcp_socket)
-          expect(TCPSocket).to have_received(:new).with(host, 999)
+          expect(TCPSocket).to have_received(:new).with(host, host_port[:port])
         end
       end
     end
@@ -330,7 +327,7 @@ RSpec.describe RubySMB::Dcerpc::Client do
 
         it 'sends an auth3 request' do
           client.bind(**kwargs)
-          expect(client).to have_received(:auth_provider_complete_handshake).with(bindack_response, auth_type: kwargs[:auth_type], auth_level: kwargs[:auth_level])
+          expect(client).to have_received(:auth_provider_complete_handshake).with(bindack_response, auth_type: kwargs[:auth_type], auth_level: kwargs[:auth_level], endpoint: endpoint)
         end
       end
     end

data/spec/lib/ruby_smb/dcerpc/samr/user_properties_spec.rb

@@ -0,0 +1,76 @@
+RSpec.describe RubySMB::Dcerpc::Samr::UserProperties do
+  describe '#read' do
+    context 'when reading a structure with no user properties' do
+      let(:binary) { [ 0, 0x63, 0, 0, 0x50, 0].pack('L<L<S<S<x96<SC') }
+      let(:subject) { described_class.read(binary) }
+
+      it 'does not include the property_count' do
+        expect(subject.property_count?).to be_falsey
+        expect(subject.snapshot).to_not include(:property_count)
+      end
+
+      it 'does not include the user_properties' do
+        expect(subject.user_properties?).to be_falsey
+        expect(subject.snapshot).to_not include(:user_properties)
+      end
+
+      it 'serializes to the value that was read' do
+        expect(subject.to_binary_s).to eq(binary)
+      end
+    end
+
+    context 'when reading a structure with two user properties' do
+      let(:user_property1) { RubySMB::Dcerpc::Samr::UserProperty.new(property_name: 'key1', property_value: 'value1') }
+      let(:user_property2) { RubySMB::Dcerpc::Samr::UserProperty.new(property_name: 'key2', property_value: 'value2') }
+      let(:user_properties) { user_property1.to_binary_s + user_property2.to_binary_s }
+      let(:binary) { [ 0, 0x63 + 2 + user_properties.length, 0, 0, 0x50, 2].pack('L<L<S<S<x96<S<S') + user_properties + "\x00".b }
+      let(:subject) { described_class.read(binary) }
+
+      it 'includes the property_count' do
+        expect(subject.property_count?).to be_truthy
+        expect(subject.property_count).to eq(2)
+        expect(subject.snapshot).to include(:property_count)
+      end
+
+      it 'includes the user_properties' do
+        expect(subject.user_properties?).to be_truthy
+        expect(subject.user_properties).to eq([user_property1, user_property2])
+        expect(subject.snapshot).to include(:user_properties)
+      end
+
+      it 'serializes to the value that was read' do
+        expect(subject.to_binary_s).to eq(binary)
+      end
+
+      context 'when #user_properties is cleared' do
+        before(:each) { subject.user_properties.clear }
+
+        it 'does not include the property_count' do
+          expect(subject.property_count?).to be_falsey
+          expect(subject.snapshot).to_not include(:property_count)
+        end
+
+        it 'does not include the user_properties' do
+          expect(subject.user_properties?).to be_falsey
+          expect(subject.snapshot).to_not include(:user_properties)
+        end
+      end
+    end
+  end
+
+  describe '#initialize' do
+    let(:subject) { described_class.new }
+
+    it 'initializes #struct_length to 0x63' do
+      expect(subject.struct_length).to eq(0x63)
+    end
+
+    it 'initializes #property_signature to 0x50' do
+      expect(subject.property_signature).to eq(0x50)
+    end
+
+    it 'does not include user_properties' do
+      expect(subject.user_properties).to be_empty
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruby_smb
 version: !ruby/object:Gem::Version
-  version: 3.3.13
+  version: 3.3.15
 platform: ruby
 authors:
 - Metasploit Hackers
@@ -10,36 +10,10 @@ authors:
 - Dev Mohanty
 - Christophe De La Fuente
 - Spencer McIntyre
-autorequire: 
+autorequire:
 bindir: bin
-cert_chain:
-- |
-  -----BEGIN CERTIFICATE-----
-  MIIERDCCAqygAwIBAgIBATANBgkqhkiG9w0BAQsFADAmMSQwIgYDVQQDDBttc2Zk
-  ZXYvREM9bWV0YXNwbG9pdC9EQz1jb20wHhcNMjMxMDMwMTYwNDI1WhcNMjUxMDI5
-  MTYwNDI1WjAmMSQwIgYDVQQDDBttc2ZkZXYvREM9bWV0YXNwbG9pdC9EQz1jb20w
-  ggGiMA0GCSqGSIb3DQEBAQUAA4IBjwAwggGKAoIBgQDZN/EKv+yVjwiKWvjAVhjF
-  aWNYI0E9bJ5d1qKd29omRYX9a+OOKBCu5+394fyF5RjwU4mYGr2iopX9ixRJrWXH
-  ojs70tEvV1CmvP9rhz7JKzQQoJOkinrz4d+StIylxVxVdgm7DeiB3ruTwvl7qKUv
-  piWzhrBFiVU6XIEAwq6wNEmnv2D+Omyf4h0Tf99hc6G0QmBnU3XydqvnZ+AzUbBV
-  24RH3+NQoigLbvK4M5aOeYhk19di58hznebOw6twHzNczshrBeMFQp985ScNgsvF
-  rL+7HNNwpcpngERwZfzDNn7iYN5X3cyvTcykShtsuPMa5zXsYo42LZrsTF87DW38
-  D8sxL6Dgdqu25Mltdw9m+iD4rHSfb1KJYEoNO+WwBJLO2Y4d6G1CR66tVeWsZspb
-  zneOVC+sDuil7hOm+6a7Y2yrrRyT6IfL/07DywjPAIRUp5+Jn8ZrkWRNo2AOwWBG
-  k5gz7SfJPHuyVnPlxoMA0MTFCUnnnbyHu882TGoJGgMCAwEAAaN9MHswCQYDVR0T
-  BAIwADALBgNVHQ8EBAMCBLAwHQYDVR0OBBYEFIQfNa4E889ZE334cwU7eNu2hScH
-  MCAGA1UdEQQZMBeBFW1zZmRldkBtZXRhc3Bsb2l0LmNvbTAgBgNVHRIEGTAXgRVt
-  c2ZkZXZAbWV0YXNwbG9pdC5jb20wDQYJKoZIhvcNAQELBQADggGBAMfzvKcV27p7
-  pctmpW2JmIXLMrjNLyGJAxELH/t9pJueXdga7uj2fJkYQDbwGw5x4MGyFqhqJLH4
-  l/qsUF3PyAXDTSWLVaqXQVWO+IIHxecG0XjPXTNudzMU0hzqbqiBKvsW7/a3V5BP
-  SWlFzrFkoXWlPouFpoakyYMJjpW4SGdPzRv7pM4OhXtkXpHiRvx5985FrHgHlI89
-  NSIuIUbp8zqk4hP1i9MV0Lc/vTf2gOmo+RHnjqG1NiYfMCYyY/Mcd4W36kGOl468
-  I8VDTwgCufkAzFu7BJ5yCOueqtDcuq+d3YhAyU7NI4+Ja8EwazOnB+07sWhKpg7z
-  yuQ1mWYPmZfVQpoSVv1CvXsoqJYXVPBBLOacKKSj8ArVG6pPn9Bej7IOQdblaFjl
-  DgscAao7wB3xW2BWEp1KnaDWkf1x9ttgoBEYyuYwU7uatB67kBQG1PKvLt79wHvz
-  Dxs+KOjGbBRfMnPgVGYkORKVrZIwlaboHbDKxcVW5xv+oZc7KYXWGg==
-  -----END CERTIFICATE-----
-date: 2024-12-06 00:00:00.000000000 Z
+cert_chain: []
+date: 2025-04-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: redcarpet
@@ -209,6 +183,7 @@ files:
 - examples/enum_domain_users.rb
 - examples/enum_registry_key.rb
 - examples/enum_registry_values.rb
+- examples/epm_client.rb
 - examples/file_server.rb
 - examples/get_computer_info.rb
 - examples/list_directory.rb
@@ -279,6 +254,12 @@ files:
 - lib/ruby_smb/dcerpc/epm/epm_twrt.rb
 - lib/ruby_smb/dcerpc/error.rb
 - lib/ruby_smb/dcerpc/fault.rb
+- lib/ruby_smb/dcerpc/gkdi.rb
+- lib/ruby_smb/dcerpc/gkdi/gkdi_ffc_dh_key.rb
+- lib/ruby_smb/dcerpc/gkdi/gkdi_ffc_dh_parameters.rb
+- lib/ruby_smb/dcerpc/gkdi/gkdi_get_key_request.rb
+- lib/ruby_smb/dcerpc/gkdi/gkdi_get_key_response.rb
+- lib/ruby_smb/dcerpc/gkdi/gkdi_group_key_envelope.rb
 - lib/ruby_smb/dcerpc/icpr.rb
 - lib/ruby_smb/dcerpc/icpr/cert_server_request_request.rb
 - lib/ruby_smb/dcerpc/icpr/cert_server_request_response.rb
@@ -746,6 +727,7 @@ files:
 - spec/lib/ruby_smb/dcerpc/samr/samr_set_information_user2_response_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr/samr_unicode_change_password_user2_request_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr/samr_unicode_change_password_user2_response_spec.rb
+- spec/lib/ruby_smb/dcerpc/samr/user_properties_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr_spec.rb
 - spec/lib/ruby_smb/dcerpc/sec_trailer_spec.rb
 - spec/lib/ruby_smb/dcerpc/srvsvc/net_share_enum_all_spec.rb
@@ -995,7 +977,7 @@ homepage: https://github.com/rapid7/ruby_smb
 licenses:
 - BSD-3-clause
 metadata: {}
-post_install_message: 
+post_install_message:
 rdoc_options: []
 require_paths:
 - lib
@@ -1010,8 +992,8 @@ required_rubygems_version: !ruby/object:Gem::Requirement
     - !ruby/object:Gem::Version
       version: '0'
 requirements: []
-rubygems_version: 3.5.22
-signing_key: 
+rubygems_version: 3.4.19
+signing_key:
 specification_version: 4
 summary: A pure Ruby implementation of the SMB Protocol Family
 test_files:
@@ -1096,6 +1078,7 @@ test_files:
 - spec/lib/ruby_smb/dcerpc/samr/samr_set_information_user2_response_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr/samr_unicode_change_password_user2_request_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr/samr_unicode_change_password_user2_response_spec.rb
+- spec/lib/ruby_smb/dcerpc/samr/user_properties_spec.rb
 - spec/lib/ruby_smb/dcerpc/samr_spec.rb
 - spec/lib/ruby_smb/dcerpc/sec_trailer_spec.rb
 - spec/lib/ruby_smb/dcerpc/srvsvc/net_share_enum_all_spec.rb