ruby_smb 3.2.0 → 3.2.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: 9ce8d4ea99335efaf6bbc1ef003231ffa8a809382760e54dc26be04b76e53529
-  data.tar.gz: f284dabf7fe032ae02933a517abb2371f7c7c37eb641876f1cbf2b8cc0e4c2ac
+  metadata.gz: 7b1e12b49f282f15459e21c5f16c6a6fc0f1074b107b97d85395d75a8531df1c
+  data.tar.gz: bccbfe2ef2823c390974786165e822eaa2fb7d1e1a96e8171daabbe871c6b324
 SHA512:
-  metadata.gz: 5cf115ffd4c634f593bceef2bb503d2c0a2b19c5cfa73391887d35ce2691472fabda03e47462b716f8c870d7dedbc5dc815f644887b259d1268658752396ea17
-  data.tar.gz: 46ba6053ca246692ef29c545c8a9682b6675c4bf50d10d3611107bf537470226986aeece854516d59d99afa1642ee2d72fed99f39c1731112292fcbb6d8138d2
+  metadata.gz: fc4ba500076138ce97e1dc369733675600c4892669d9b5db815b4d09c1dc1b47efd0068da6cb7530fafdcdfc326d00b42b91937e44ed5fe2fdb9b4e5b37ffd9a
+  data.tar.gz: b851e6cc8f2846b7b6f7c36b01b14adb089c5d75257315940a282793bb62cce5bdf1f944c7ca3c95f75464914e26753f4ce1577ac446deea2c42c5a84986f82e

data/.github/workflows/verify.yml

@@ -33,17 +33,15 @@ jobs:
       fail-fast: true
       matrix:
         ruby:
-          - 2.6
           - 2.7
           - 3.0
           - 3.1
         os:
-          - ubuntu-18.04
-          - ubuntu-22.04
+          - ubuntu-20.04
+          - ubuntu-latest
         exclude:
-          - { os: ubuntu-22.04, ruby: 2.6 }
-          - { os: ubuntu-22.04, ruby: 2.7 }
-          - { os: ubuntu-22.04, ruby: 3.0 }
+          - { os: ubuntu-latest, ruby: 2.7 }
+          - { os: ubuntu-latest, ruby: 3.0 }
         test_cmd:
           - bundle exec rspec
 

data/lib/ruby_smb/client.rb

@@ -4,6 +4,7 @@ module RubySMB
   class Client
     require 'ruby_smb/ntlm'
     require 'ruby_smb/signing'
+    require 'ruby_smb/utils'
     require 'ruby_smb/client/negotiation'
     require 'ruby_smb/client/authentication'
     require 'ruby_smb/client/tree_connect'
@@ -13,6 +14,7 @@ module RubySMB
     require 'ruby_smb/client/encryption'
 
     include RubySMB::Signing
+    include RubySMB::NTLM
     include RubySMB::Client::Negotiation
     include RubySMB::Client::Authentication
     include RubySMB::Client::TreeConnect
@@ -322,7 +324,7 @@ module RubySMB
       @pid               = rand(0xFFFF)
       @domain            = domain
       @local_workstation = local_workstation
-      @password          = password.encode('utf-8') || ''.encode('utf-8')
+      @password          = RubySMB::Utils.safe_encode((password||''), 'utf-8')
       @sequence_counter  = 0
       @session_id        = 0x00
       @session_key       = ''
@@ -332,7 +334,7 @@ module RubySMB
       @smb1              = smb1
       @smb2              = smb2
       @smb3              = smb3
-      @username          = username.encode('utf-8') || ''.encode('utf-8')
+      @username          = RubySMB::Utils.safe_encode((username||''), 'utf-8')
       @max_buffer_size   = MAX_BUFFER_SIZE
       # These sizes will be modified during negotiation
       @server_max_buffer_size = SERVER_MAX_BUFFER_SIZE
@@ -415,8 +417,8 @@ module RubySMB
                       local_workstation: self.local_workstation, ntlm_flags: NTLM::DEFAULT_CLIENT_FLAGS)
       @domain            = domain
       @local_workstation = local_workstation
-      @password          = pass.encode('utf-8') || ''.encode('utf-8')
-      @username          = user.encode('utf-8') || ''.encode('utf-8')
+      @password          = RubySMB::Utils.safe_encode((pass||''), 'utf-8')
+      @username          = RubySMB::Utils.safe_encode((user||''), 'utf-8')
 
       @ntlm_client = RubySMB::NTLM::Client.new(
           @username,

data/lib/ruby_smb/dcerpc/client.rb

@@ -5,14 +5,16 @@ module RubySMB
     class Client
       require 'bindata'
       require 'windows_error'
-      require 'net/ntlm'
+      require 'ruby_smb/ntlm'
       require 'ruby_smb/dcerpc'
       require 'ruby_smb/gss'
       require 'ruby_smb/peer_info'
+      require 'ruby_smb/utils'
 
       include Dcerpc
       include Epm
       include PeerInfo
+      include Utils
 
       # The default maximum size of a RPC message that the Client accepts (in bytes)
       MAX_BUFFER_SIZE = 64512
@@ -118,15 +120,15 @@ module RubySMB
         @read_timeout      = read_timeout
         @domain            = domain
         @local_workstation = local_workstation
-        @username          = username.encode('utf-8')
-        @password          = password.encode('utf-8')
+        @username          = RubySMB::Utils.safe_encode(username, 'utf-8')
+        @password          = RubySMB::Utils.safe_encode(password, 'utf-8')
         @max_buffer_size   = MAX_BUFFER_SIZE
         @call_id           = 1
         @ctx_id            = 0
         @auth_ctx_id_base  = rand(0xFFFFFFFF)
 
         unless username.empty? && password.empty?
-          @ntlm_client = Net::NTLM::Client.new(
+          @ntlm_client = RubySMB::NTLM::Client.new(
             @username,
             @password,
             workstation: @local_workstation,

data/lib/ruby_smb/dcerpc/icpr.rb

@@ -35,7 +35,7 @@ module RubySMB
       def cert_server_request(attributes:, authority:, csr:)
         cert_server_request_request = CertServerRequestRequest.new(
           pwsz_authority: authority,
-          pctb_attribs: { pb: (attributes.map { |k,v| "#{k}:#{v}" }.join("\n").encode('UTF-16le').force_encoding('ASCII-8bit') + "\x00\x00".b) },
+          pctb_attribs: { pb: (RubySMB::Utils.safe_encode(attributes.map { |k,v| "#{k}:#{v}" }.join("\n"), 'UTF-16le').force_encoding('ASCII-8bit') + "\x00\x00".b) },
           pctb_request: { pb: csr.to_der }
         )
 

data/lib/ruby_smb/dcerpc/ndr.rb

@@ -247,12 +247,22 @@ module RubySMB::Dcerpc::Ndr
 
     def do_read(io)
       if is_a?(ConfPlugin) && should_process_max_count?
-        set_max_count(io.readbytes(4).unpack('L<').first)
+        max_count = io.readbytes(4).unpack1('L<')
+        BinData.trace_message do |tracer|
+          tracer.trace_obj("#{debug_name}.max_count", max_count.to_s)
+        end
+        set_max_count(max_count)
       end
 
       if is_a?(VarPlugin)
         @offset = io.readbytes(4).unpack('L<').first
+        BinData.trace_message do |tracer|
+          tracer.trace_obj("#{debug_name}.offset", @offset.to_s)
+        end
         @actual_count = @read_until_index = io.readbytes(4).unpack('L<').first
+        BinData.trace_message do |tracer|
+          tracer.trace_obj("#{debug_name}.actual_count", @actual_count.to_s)
+        end
       end
 
       if has_elements_to_read?
@@ -523,7 +533,11 @@ module RubySMB::Dcerpc::Ndr
 
     def do_read(io)
       if should_process_max_count?
-        set_max_count(io.readbytes(4).unpack('L<').first)
+        max_count = io.readbytes(4).unpack1('L<')
+        BinData.trace_message do |tracer|
+          tracer.trace_obj("#{debug_name}.max_count", max_count.to_s)
+        end
+        set_max_count(max_count)
       end
       super
     end
@@ -582,7 +596,13 @@ module RubySMB::Dcerpc::Ndr
 
     def do_read(io)
       @offset = io.readbytes(4).unpack('L<').first
+       BinData.trace_message do |tracer|
+        tracer.trace_obj("#{debug_name}.offset", @offset.to_s)
+      end
       @actual_count = io.readbytes(4).unpack('L<').first
+      BinData.trace_message do |tracer|
+        tracer.trace_obj("#{debug_name}.actual_count", @actual_count.to_s)
+      end
       super if @actual_count > 0
     end
 
@@ -702,7 +722,11 @@ module RubySMB::Dcerpc::Ndr
 
     def do_read(io)
       if should_process_max_count?
-        set_max_count(io.readbytes(4).unpack('L<').first)
+        max_count = io.readbytes(4).unpack1('L<')
+        BinData.trace_message do |tracer|
+          tracer.trace_obj("#{debug_name}.max_count", max_count.to_s)
+        end
+        set_max_count(max_count)
 
         # Align the structure according to the alignment rules for the structure
         if respond_to?(:referent_bytes_align)
@@ -1034,6 +1058,9 @@ module RubySMB::Dcerpc::Ndr
         end
       else
         @ref_id = io.readbytes(4).unpack('L<').first
+        BinData.trace_message do |tracer|
+          tracer.trace_obj("#{debug_name}.ref_id", @ref_id.to_s)
+        end
         parent_obj = nil
         if parent&.is_a?(ConstructedTypePlugin)
           parent_obj = parent.get_top_level_constructed_type

data/lib/ruby_smb/dcerpc/samr.rb

@@ -320,7 +320,7 @@ module RubySMB
 
         def self.encrypt_password(password, key)
           # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/5fe3c4c4-e71b-440d-b2fd-8448bfaf6e04
-          password = password.encode('UTF-16LE').force_encoding('ASCII-8bit')
+          password = RubySMB::Utils.safe_encode(password, 'UTF-16LE').force_encoding('ASCII-8bit')
           buffer = password.rjust(512, "\x00") + [ password.length ].pack('V')
           salt = SecureRandom.random_bytes(16)
           key = OpenSSL::Digest::MD5.new(salt + key).digest

data/lib/ruby_smb/gss/provider/ntlm.rb

@@ -18,6 +18,7 @@ module RubySMB
         end
 
         class Authenticator < Authenticator::Base
+
           def reset!
             super
             @server_challenge = nil
@@ -141,7 +142,10 @@ module RubySMB
             case type3_msg.ntlm_version
             when :ntlmv1
               my_ntlm_response = Net::NTLM::ntlm_response(
-                ntlm_hash: Net::NTLM::ntlm_hash(account.password.encode('UTF-16LE'), unicode: true),
+                ntlm_hash: Net::NTLM::ntlm_hash(
+                  RubySMB::Utils.safe_encode(account.password, 'UTF-16LE'),
+                  unicode: true
+                ),
                 challenge: @server_challenge
               )
               matches = my_ntlm_response == type3_msg.ntlm_response
@@ -151,9 +155,9 @@ module RubySMB
               their_blob = type3_msg.ntlm_response[digest.digest_length..-1]
 
               ntlmv2_hash = Net::NTLM.ntlmv2_hash(
-                account.username.encode('UTF-16LE'),
-                account.password.encode('UTF-16LE'),
-                type3_msg.domain.encode('UTF-16LE'),  # don't use the account domain because of the special '.' value
+                RubySMB::Utils.safe_encode(account.username, 'UTF-16LE'),
+                RubySMB::Utils.safe_encode(account.password, 'UTF-16LE'),
+                RubySMB::Utils.safe_encode(type3_msg.domain, 'UTF-16LE'),  # don't use the account domain because of the special '.' value
                 {client_challenge: their_blob[16...24], unicode: true}
               )
 
@@ -305,7 +309,10 @@ module RubySMB
           username = username.downcase
           domain = @default_domain if domain.nil? || domain == '.'.encode(domain.encoding)
           domain = domain.downcase
-          @accounts.find { |account| account.username.encode(username.encoding).downcase == username && account.domain.encode(domain.encoding).downcase == domain }
+          @accounts.find do |account|
+            RubySMB::Utils.safe_encode(account.username, username.encoding).downcase == username &&
+              RubySMB::Utils.safe_encode(account.domain, domain.encoding).downcase == domain
+          end
         end
 
         #

data/lib/ruby_smb/ntlm/client.rb

@@ -51,6 +51,10 @@ module RubySMB::NTLM
         !challenge_message.has_flag?(:UNICODE) && challenge_message.has_flag?(:OEM)
       end
 
+      def ntlmv2_hash
+        @ntlmv2_hash ||= RubySMB::NTLM.ntlmv2_hash(username, password, domain, {:client_challenge => client_challenge, :unicode => !use_oem_strings?})
+      end
+
       def calculate_user_session_key!
         if is_anonymous?
           # see MS-NLMP section 3.4

data/lib/ruby_smb/ntlm/custom/ntlm.rb

@@ -0,0 +1,19 @@
+require 'net/ntlm'
+
+module Custom
+  module NTLM
+
+    def self.prepended(base)
+      base.singleton_class.send(:prepend, ClassMethods)
+    end
+
+    module ClassMethods
+      def encode_utf16le(str)
+        str.dup.force_encoding('UTF-8').encode(Encoding::UTF_16LE, Encoding::UTF_8).force_encoding('ASCII-8BIT')
+      end
+    end
+
+  end
+end
+
+Net::NTLM::EncodeUtil.send(:prepend, Custom::NTLM)

data/lib/ruby_smb/ntlm.rb

@@ -1,3 +1,5 @@
+require 'ruby_smb/ntlm/custom/ntlm'
+
 module RubySMB
   module NTLM
     # [[MS-NLMP] 2.2.2.5](https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nlmp/99d90ff4-957f-4c8a-80e4-5bfe5a9a9832)
@@ -56,6 +58,41 @@ module RubySMB
         "Version #{major}.#{minor} (Build #{build}); NTLM Current Revision #{ntlm_revision}"
       end
     end
+
+    class << self
+
+      # Generate a NTLMv2 Hash
+      # @param [String] user The username
+      # @param [String] password The password
+      # @param [String] target The domain or workstation to authenticate to
+      # @option opt :unicode (false) Unicode encode the domain
+      def ntlmv2_hash(user, password, target, opt={})
+        if Net::NTLM.is_ntlm_hash? password
+          decoded_password = Net::NTLM::EncodeUtil.decode_utf16le(password)
+          ntlmhash = [decoded_password.upcase[33,65]].pack('H32')
+        else
+          ntlmhash = Net::NTLM.ntlm_hash(password, opt)
+        end
+
+        if opt[:unicode]
+          # Uppercase operation on username containing non-ASCII characters
+          # after being unicode encoded with `EncodeUtil.encode_utf16le`
+          # doesn't play well. Upcase should be done before encoding.
+          user_upcase = Net::NTLM::EncodeUtil.decode_utf16le(user).upcase
+          user_upcase = Net::NTLM::EncodeUtil.encode_utf16le(user_upcase)
+        else
+          user_upcase = user.upcase
+        end
+        userdomain = user_upcase + target
+
+        unless opt[:unicode]
+          userdomain = Net::NTLM::EncodeUtil.encode_utf16le(userdomain)
+        end
+        OpenSSL::HMAC.digest(OpenSSL::Digest::MD5.new, ntlmhash, userdomain)
+      end
+
+    end
+
   end
 end
 

data/lib/ruby_smb/server/server_client/tree_connect.rb

@@ -7,7 +7,7 @@ module RubySMB
           # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-cifs/b062f3e3-1b65-4a9a-854a-0ee432499d8f
           response = RubySMB::SMB1::Packet::TreeConnectResponse.new
 
-          share_name = request.data_block.path.encode('UTF-8').split('\\', 4).last
+          share_name = RubySMB::Utils.safe_encode(request.data_block.path, 'UTF-8').split('\\', 4).last
           share_provider = @server.shares.transform_keys(&:downcase)[share_name.downcase]
           if share_provider.nil?
             logger.warn("Received TREE_CONNECT request for non-existent share: #{share_name}")
@@ -49,7 +49,7 @@ module RubySMB
             return response
           end
 
-          share_name = request.path.encode('UTF-8').split('\\', 4).last
+          share_name = RubySMB::Utils.safe_encode(request.path, 'UTF-8').split('\\', 4).last
           share_provider = @server.shares.transform_keys(&:downcase)[share_name.downcase]
 
           if share_provider.nil?

data/lib/ruby_smb/smb1/pipe.rb

@@ -147,6 +147,10 @@ module RubySMB
             break if dcerpc_response.pdu_header.pfc_flags.last_frag == 1
             raw_data = read(bytes: @tree.client.max_buffer_size)
             dcerpc_response = dcerpc_response_from_raw_response(raw_data)
+            if options[:auth_level] &&
+               [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+              handle_integrity_privacy(dcerpc_response, auth_level: options[:auth_level], auth_type: options[:auth_type])
+            end
             stub_data << dcerpc_response.stub.to_s
           end
           stub_data

data/lib/ruby_smb/smb2/pipe.rb

@@ -145,6 +145,10 @@ module RubySMB
             break if dcerpc_response.pdu_header.pfc_flags.last_frag == 1
             raw_data = read(bytes: @tree.client.max_buffer_size)
             dcerpc_response = dcerpc_response_from_raw_response(raw_data)
+            if options[:auth_level] &&
+               [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
+              handle_integrity_privacy(dcerpc_response, auth_level: options[:auth_level], auth_type: options[:auth_type])
+            end
             stub_data << dcerpc_response.stub.to_s
           end
           stub_data

data/lib/ruby_smb/utils.rb

@@ -0,0 +1,15 @@
+module RubySMB
+  module Utils
+
+    def self.safe_encode(str, encoding)
+      str.encode(encoding)
+    rescue EncodingError
+      if str.encoding == ::Encoding::ASCII_8BIT
+        str.dup.force_encoding(encoding)
+      else
+        raise
+      end
+    end
+
+  end
+end

data/lib/ruby_smb/version.rb

@@ -1,3 +1,3 @@
 module RubySMB
-  VERSION = '3.2.0'.freeze
+  VERSION = '3.2.1'.freeze
 end

data/lib/ruby_smb.rb

@@ -6,11 +6,13 @@ require 'openssl/ccm'
 require 'openssl/cmac'
 require 'windows_error'
 require 'windows_error/nt_status'
+require 'ruby_smb/ntlm/custom/ntlm'
 # A packet parsing and manipulation library for the SMB1 and SMB2 protocols
 #
 # [[MS-SMB] Server Message Block (SMB) Protocol Version 1](https://msdn.microsoft.com/en-us/library/cc246482.aspx)
 # [[MS-SMB2] Server Message Block (SMB) Protocol Versions 2 and 3](https://msdn.microsoft.com/en-us/library/cc246482.aspx)
 module RubySMB
+  require 'ruby_smb/utils'
   require 'ruby_smb/error'
   require 'ruby_smb/create_actions'
   require 'ruby_smb/dispositions'

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruby_smb
 version: !ruby/object:Gem::Version
-  version: 3.2.0
+  version: 3.2.1
 platform: ruby
 authors:
 - Metasploit Hackers
@@ -97,7 +97,7 @@ cert_chain:
   EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
   9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
   -----END CERTIFICATE-----
-date: 2022-08-30 00:00:00.000000000 Z
+date: 2022-11-17 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: redcarpet
@@ -493,6 +493,7 @@ files:
 - lib/ruby_smb/nbss/session_request.rb
 - lib/ruby_smb/ntlm.rb
 - lib/ruby_smb/ntlm/client.rb
+- lib/ruby_smb/ntlm/custom/ntlm.rb
 - lib/ruby_smb/peer_info.rb
 - lib/ruby_smb/server.rb
 - lib/ruby_smb/server/cli.rb
@@ -673,6 +674,7 @@ files:
 - lib/ruby_smb/smb2/smb2_header.rb
 - lib/ruby_smb/smb2/tree.rb
 - lib/ruby_smb/smb_error.rb
+- lib/ruby_smb/utils.rb
 - lib/ruby_smb/version.rb
 - ruby_smb.gemspec
 - spec/lib/ruby_smb/client_spec.rb