ruby_smb 3.3.5 → 3.3.7

data/lib/ruby_smb/dcerpc/winreg.rb

@@ -16,10 +16,12 @@ module RubySMB
       REG_CREATE_KEY        = 0x06
       REG_ENUM_KEY          = 0x09
       REG_ENUM_VALUE        = 0x0a
+      REG_GET_KEY_SECURITY  = 0x0c
       REG_OPEN_KEY          = 0x0f
       REG_QUERY_INFO_KEY    = 0x10
       REG_QUERY_VALUE       = 0x11
       REG_SAVE_KEY          = 0x14
+      REG_SET_KEY_SECURITY  = 0x15
       OPEN_HKCC             = 0x1b
       OPEN_HKPT             = 0x20
       OPEN_HKPN             = 0x21
@@ -43,6 +45,10 @@ module RubySMB
       require 'ruby_smb/dcerpc/winreg/create_key_response'
       require 'ruby_smb/dcerpc/winreg/save_key_request'
       require 'ruby_smb/dcerpc/winreg/save_key_response'
+      require 'ruby_smb/dcerpc/winreg/get_key_security_request'
+      require 'ruby_smb/dcerpc/winreg/get_key_security_response'
+      require 'ruby_smb/dcerpc/winreg/set_key_security_request'
+      require 'ruby_smb/dcerpc/winreg/set_key_security_response'
 
       ROOT_KEY_MAP = {
         "HKEY_CLASSES_ROOT"         => OPEN_HKCR,
@@ -65,6 +71,8 @@ module RubySMB
 
       BUFFER_SIZE = 1024
 
+      RegValue = Struct.new(:type, :data)
+
       # Open the registry root key and return a handle for it. The key can be
       # either a long format (e.g. HKEY_LOCAL_MACHINE) or a short format
       # (e.g. HKLM)
@@ -105,10 +113,7 @@ module RubySMB
       # @raise [RubySMB::Dcerpc::Error::WinregError] if the response error status is not ERROR_SUCCESS
       def open_key(handle, sub_key)
         openkey_request_packet = RubySMB::Dcerpc::Winreg::OpenKeyRequest.new(hkey: handle, lp_sub_key: sub_key)
-        openkey_request_packet.sam_desired.read_control = 1
-        openkey_request_packet.sam_desired.key_query_value = 1
-        openkey_request_packet.sam_desired.key_enumerate_sub_keys = 1
-        openkey_request_packet.sam_desired.key_notify = 1
+        openkey_request_packet.sam_desired.maximum_allowed = 1
         response = dcerpc_request(openkey_request_packet)
         begin
           open_key_response = RubySMB::Dcerpc::Winreg::OpenKeyResponse.read(response)
@@ -124,11 +129,12 @@ module RubySMB
       end
 
       # Retrieve the data associated with the named value of a specified
-      # registry open key.
+      # registry open key. This will also return the type if required.
       #
       # @param handle [Ndr::NdrContextHandle] the handle for the key
       # @param value_name [String] the name of the value
-      # @return [String] the data of the value entry
+      # @param value_name [Boolean] also return the data type if set to true
+      # @return [RegValue] a RegValue struct containing the data type and the actual data of the value entry
       # @raise [RubySMB::Dcerpc::Error::InvalidPacket] if the response is not a QueryValueResponse packet
       # @raise [RubySMB::Dcerpc::Error::WinregError] if the response error status is not ERROR_SUCCESS
       def query_value(handle, value_name)
@@ -161,7 +167,7 @@ module RubySMB
             "#{WindowsError::Win32.find_by_retval(query_value_response.error_status.value).join(',')}"
         end
 
-        query_value_response.data
+        RegValue.new(query_value_response.lp_type, query_value_response.data)
       end
 
       # Close the handle to the registry key.
@@ -323,6 +329,7 @@ module RubySMB
       # exists, false otherwise.
       #
       # @param key [String] the registry key to check
+      # @param bind [Boolean] Bind to the winreg endpoint if true (default)
       # @return [Boolean]
       def has_registry_key?(key, bind: true)
         bind(endpoint: RubySMB::Dcerpc::Winreg) if bind
@@ -345,6 +352,7 @@ module RubySMB
       #
       # @param key [String] the registry key
       # @param value_name [String] the name of the value to read
+      # @param bind [Boolean] Bind to the winreg endpoint if true (default)
       # @return [String] the data of the value entry
       def read_registry_key_value(key, value_name, bind: true)
         bind(endpoint: RubySMB::Dcerpc::Winreg) if bind
@@ -352,8 +360,8 @@ module RubySMB
         root_key, sub_key = key.gsub(/\//, '\\').split('\\', 2)
         root_key_handle = open_root_key(root_key)
         subkey_handle = open_key(root_key_handle, sub_key)
-        value = query_value(subkey_handle, value_name)
-        value
+        reg_value = query_value(subkey_handle, value_name)
+        reg_value.data
       ensure
         close_key(subkey_handle) if subkey_handle
         close_key(root_key_handle) if root_key_handle
@@ -363,6 +371,7 @@ module RubySMB
       # is provided, it enumerates its subkeys.
       #
       # @param key [String] the registry key
+      # @param bind [Boolean] Bind to the winreg endpoint if true (default)
       # @return [Array<String>] the subkeys
       def enum_registry_key(key, bind: true)
         bind(endpoint: RubySMB::Dcerpc::Winreg) if bind
@@ -389,6 +398,7 @@ module RubySMB
       # Enumerate the values for the specified registry key.
       #
       # @param key [String] the registry key
+      # @param bind [Boolean] Bind to the winreg endpoint if true (default)
       # @return [Array<String>] the values
       def enum_registry_values(key, bind: true)
         bind(endpoint: RubySMB::Dcerpc::Winreg) if bind
@@ -412,6 +422,108 @@ module RubySMB
         close_key(root_key_handle) if root_key_handle && root_key_handle != subkey_handle
       end
 
+
+      # Retrieve the security descriptor for the given registry key handle.
+      #
+      # @param handle [String] the handle to the registry key
+      # @param security_information [] the security information to query (see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/23e75ca3-98fd-4396-84e5-86cd9d40d343). These constants are defined in the `RubySMB::Field::SecurityDescriptor` class
+      # @return [String] The security descriptor as a byte stream
+      # @raise [RubySMB::Dcerpc::Error::InvalidPacket] if the response is not a GetKeySecurityResponse packet
+      # @raise [RubySMB::Dcerpc::Error::WinregError] if the response error status is not ERROR_SUCCESS
+      def get_key_security(handle, security_information = RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION)
+        get_key_security_request = RubySMB::Dcerpc::Winreg::GetKeySecurityRequest.new(
+          hkey: handle,
+          security_information: security_information,
+          prpc_security_descriptor_in: { cb_in_security_descriptor: 4096 }
+        )
+        response = dcerpc_request(get_key_security_request)
+        begin
+          get_key_security_response = RubySMB::Dcerpc::Winreg::GetKeySecurityResponse.read(response)
+        rescue IOError
+          raise RubySMB::Dcerpc::Error::InvalidPacket, "Error reading the GetKeySecurity response"
+        end
+        unless get_key_security_response.error_status == WindowsError::Win32::ERROR_SUCCESS
+          raise RubySMB::Dcerpc::Error::WinregError, "Error returned when querying information: "\
+            "#{WindowsError::Win32.find_by_retval(get_key_security_response.error_status.value).join(',')}"
+        end
+
+        get_key_security_response.prpc_security_descriptor_out.lp_security_descriptor.to_a.pack('C*')
+      end
+
+      # Retrieve the security descriptor for the given key.
+      #
+      # @param key [String] the registry key
+      # @param security_information [] the security information to query (see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/23e75ca3-98fd-4396-84e5-86cd9d40d343). These constants are defined in the `RubySMB::Field::SecurityDescriptor` class
+      # @param bind [Boolean] Bind to the winreg endpoint if true (default)
+      # @return [String] The security descriptor as a byte stream
+      # @raise [RubySMB::Dcerpc::Error::InvalidPacket] if the response is not a GetKeySecurityResponse packet
+      # @raise [RubySMB::Dcerpc::Error::WinregError] if the response error status is not ERROR_SUCCESS
+      def get_key_security_descriptor(key, security_information = RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION, bind: true)
+        bind(endpoint: RubySMB::Dcerpc::Winreg) if bind
+
+        root_key, sub_key = key.gsub(/\//, '\\').split('\\', 2)
+        root_key_handle = open_root_key(root_key)
+        subkey_handle = open_key(root_key_handle, sub_key)
+        get_key_security(subkey_handle, security_information)
+      ensure
+        close_key(subkey_handle) if subkey_handle
+        close_key(root_key_handle) if root_key_handle
+      end
+
+      # Set the security descriptor for the given registry key handle.
+      #
+      # @param handle [String] the handle to the registry key
+      # @param security_descriptor [String] the new security descriptor to set as a byte stream
+      # @param security_information [] the security information to query (see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/23e75ca3-98fd-4396-84e5-86cd9d40d343). These constants are defined in the `RubySMB::Field::SecurityDescriptor` class
+      # @param bind [Boolean] Bind to the winreg endpoint if true (default)
+      # @return [Integer] The error status returned by the DCERPC call
+      # @raise [RubySMB::Dcerpc::Error::InvalidPacket] if the response is not a SetKeySecurityResponse packet
+      # @raise [RubySMB::Dcerpc::Error::WinregError] if the response error status is not ERROR_SUCCESS
+      def set_key_security(handle, security_descriptor, security_information = RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION)
+        set_key_security_request = RubySMB::Dcerpc::Winreg::SetKeySecurityRequest.new(
+          hkey: handle,
+          security_information: security_information,
+          prpc_security_descriptor: {
+            lp_security_descriptor: security_descriptor.bytes,
+            cb_in_security_descriptor: security_descriptor.b.size,
+            cb_out_security_descriptor: security_descriptor.b.size
+          }
+        )
+        response = dcerpc_request(set_key_security_request)
+        begin
+          set_key_security_response = RubySMB::Dcerpc::Winreg::SetKeySecurityResponse.read(response)
+        rescue IOError
+          raise RubySMB::Dcerpc::Error::InvalidPacket, "Error reading the SetKeySecurity response"
+        end
+        unless set_key_security_response.error_status == WindowsError::Win32::ERROR_SUCCESS
+          raise RubySMB::Dcerpc::Error::WinregError, "Error returned when setting the registry key: "\
+            "#{WindowsError::Win32.find_by_retval(set_key_security_response.error_status.value).join(',')}"
+        end
+
+        set_key_security_response.error_status
+      end
+
+      # Set the security descriptor for the given key.
+      #
+      # @param key [String] the registry key
+      # @param security_descriptor [String] the new security descriptor to set as a byte stream
+      # @param security_information [] the security information to query (see https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/23e75ca3-98fd-4396-84e5-86cd9d40d343). These constants are defined in the `RubySMB::Field::SecurityDescriptor` class
+      # @param bind [Boolean] Bind to the winreg endpoint if true (default)
+      # @return [Integer] The error status returned by the DCERPC call
+      # @raise [RubySMB::Dcerpc::Error::InvalidPacket] if the response is not a SetKeySecurityResponse packet
+      # @raise [RubySMB::Dcerpc::Error::WinregError] if the response error status is not ERROR_SUCCESS
+      def set_key_security_descriptor(key, security_descriptor, security_information = RubySMB::Field::SecurityDescriptor::OWNER_SECURITY_INFORMATION, bind: true)
+        bind(endpoint: RubySMB::Dcerpc::Winreg) if bind
+
+        root_key, sub_key = key.gsub(/\//, '\\').split('\\', 2)
+        root_key_handle = open_root_key(root_key)
+        subkey_handle = open_key(root_key_handle, sub_key)
+        set_key_security(subkey_handle, security_descriptor, security_information)
+      ensure
+        close_key(subkey_handle) if subkey_handle
+        close_key(root_key_handle) if root_key_handle
+      end
+
     end
   end
 end

data/lib/ruby_smb/field/security_descriptor.rb

@@ -3,6 +3,23 @@ module RubySMB
     # Class representing a SECURITY_DESCRIPTOR as defined in
     # [2.4.6 SECURITY_DESCRIPTOR](https://msdn.microsoft.com/en-us/library/cc230366.aspx)
     class SecurityDescriptor < BinData::Record
+
+      # Security Information as defined in
+      # [2.4.7 SECURITY_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dtyp/23e75ca3-98fd-4396-84e5-86cd9d40d343)
+      OWNER_SECURITY_INFORMATION               = 0x00000001
+      GROUP_SECURITY_INFORMATION               = 0x00000002
+      DACL_SECURITY_INFORMATION                = 0x00000004
+      SACL_SECURITY_INFORMATION                = 0x00000008
+      LABEL_SECURITY_INFORMATION               = 0x00000010
+      UNPROTECTED_SACL_SECURITY_INFORMATION    = 0x10000000
+      UNPROTECTED_DACL_SECURITY_INFORMATION    = 0x20000000
+      PROTECTED_SACL_SECURITY_INFORMATION      = 0x40000000
+      PROTECTED_DACL_SECURITY_INFORMATION      = 0x80000000
+      ATTRIBUTE_SECURITY_INFORMATION           = 0x00000020
+      SCOPE_SECURITY_INFORMATION               = 0x00000040
+      PROCESS_TRUST_LABEL_SECURITY_INFORMATION = 0x00000080
+      BACKUP_SECURITY_INFORMATION              = 0x00010000
+
       endian  :little
       uint8   :revision,  label: 'Revision', initial_value: 0x01
       uint8   :sbz1,      label: 'Resource Manager Control Bits'

data/lib/ruby_smb/version.rb

@@ -1,3 +1,3 @@
 module RubySMB
-  VERSION = '3.3.5'.freeze
+  VERSION = '3.3.7'.freeze
 end

data/spec/lib/ruby_smb/dcerpc/ndr_spec.rb

@@ -1352,6 +1352,15 @@ RSpec.describe RubySMB::Dcerpc::Ndr::NdrVarString do
     }
     let(:value) { 'ABCD' }
   end
+  context 'with an empty string' do
+    it_behaves_like 'a NDR String', conformant: false, char_size: 1, null_terminated: false do
+      let(:binary_stream) {
+        "\x00\x00\x00\x00"\
+        "\x00\x00\x00\x00".b
+      }
+      let(:value) { '' }
+    end
+  end
 end
 
 RSpec.describe RubySMB::Dcerpc::Ndr::NdrVarStringz do
@@ -1368,6 +1377,16 @@ RSpec.describe RubySMB::Dcerpc::Ndr::NdrVarStringz do
     }
     let(:value) { 'ABCD' }
   end
+  context 'with an empty string' do
+    it_behaves_like 'a NDR String', conformant: false, char_size: 1, null_terminated: true do
+      let(:binary_stream) {
+        "\x00\x00\x00\x00"\
+        "\x01\x00\x00\x00"\
+        "\x00".b
+      }
+      let(:value) { '' }
+    end
+  end
 end
 
 RSpec.describe RubySMB::Dcerpc::Ndr::NdrVarWideString do
@@ -1383,6 +1402,15 @@ RSpec.describe RubySMB::Dcerpc::Ndr::NdrVarWideString do
     }
     let(:value) { 'ABCD'.encode('utf-16le') }
   end
+  context 'with an empty string' do
+    it_behaves_like 'a NDR String', conformant: false, char_size: 2, null_terminated: false do
+      let(:binary_stream) {
+        "\x00\x00\x00\x00"\
+        "\x00\x00\x00\x00".b
+      }
+      let(:value) { '' }
+    end
+  end
 end
 
 RSpec.describe RubySMB::Dcerpc::Ndr::NdrVarWideStringz do
@@ -1398,6 +1426,16 @@ RSpec.describe RubySMB::Dcerpc::Ndr::NdrVarWideStringz do
     }
     let(:value) { 'ABCD'.encode('utf-16le') }
   end
+  context 'with an empty string' do
+    it_behaves_like 'a NDR String', conformant: false, char_size: 2, null_terminated: true do
+      let(:binary_stream) {
+        "\x00\x00\x00\x00"\
+        "\x01\x00\x00\x00"\
+        "\x00\x00".b
+      }
+      let(:value) { '' }
+    end
+  end
 end
 
 RSpec.describe RubySMB::Dcerpc::Ndr::NdrConfVarString do
@@ -1415,6 +1453,16 @@ RSpec.describe RubySMB::Dcerpc::Ndr::NdrConfVarString do
     }
     let(:value) { 'ABCD' }
   end
+  context 'with an empty string' do
+    it_behaves_like 'a NDR String', conformant: true, char_size: 1, null_terminated: false do
+      let(:binary_stream) {
+        "\x00\x00\x00\x00"\
+        "\x00\x00\x00\x00"\
+        "\x00\x00\x00\x00".b
+      }
+      let(:value) { '' }
+    end
+  end
 end
 
 RSpec.describe RubySMB::Dcerpc::Ndr::NdrConfVarStringz do
@@ -1432,6 +1480,17 @@ RSpec.describe RubySMB::Dcerpc::Ndr::NdrConfVarStringz do
     }
     let(:value) { 'ABCD' }
   end
+  context 'with an empty string' do
+    it_behaves_like 'a NDR String', conformant: true, char_size: 1, null_terminated: true do
+      let(:binary_stream) {
+        "\x01\x00\x00\x00"\
+        "\x00\x00\x00\x00"\
+        "\x01\x00\x00\x00"\
+        "\x00".b
+      }
+      let(:value) { '' }
+    end
+  end
 end
 
 RSpec.describe RubySMB::Dcerpc::Ndr::NdrConfVarWideString do
@@ -1448,6 +1507,16 @@ RSpec.describe RubySMB::Dcerpc::Ndr::NdrConfVarWideString do
     }
     let(:value) { 'ABCD'.encode('utf-16le') }
   end
+  context 'with an empty string' do
+    it_behaves_like 'a NDR String', conformant: true, char_size: 2, null_terminated: false do
+      let(:binary_stream) {
+        "\x00\x00\x00\x00"\
+        "\x00\x00\x00\x00"\
+        "\x00\x00\x00\x00".b
+      }
+      let(:value) { '' }
+    end
+  end
 end
 
 RSpec.describe RubySMB::Dcerpc::Ndr::NdrConfVarWideStringz do
@@ -1464,6 +1533,17 @@ RSpec.describe RubySMB::Dcerpc::Ndr::NdrConfVarWideStringz do
     }
     let(:value) { 'ABCD'.encode('utf-16le') }
   end
+  context 'with an empty string' do
+    it_behaves_like 'a NDR String', conformant: true, char_size: 1, null_terminated: true do
+      let(:binary_stream) {
+        "\x01\x00\x00\x00"\
+        "\x00\x00\x00\x00"\
+        "\x01\x00\x00\x00"\
+        "\x00\x00".b
+      }
+      let(:value) { '' }
+    end
+  end
 end