ruby_smb 3.2.3 → 3.2.4

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA256:
-  metadata.gz: f79e8799ee1ce9b9e57a49e662df1db3afff956330d5a2649033fae5073e6716
-  data.tar.gz: 316e8f6d266e3f909e00a5083ce06411a33e9c2185e437d4dac553742035d1cd
+  metadata.gz: 8f850321711ac70e25f6b483f82454520f2b567cc349ee02eb99bba5c48dfeb4
+  data.tar.gz: 22ee0ab297710e76071fa8302165b903b39d211205ca1d6b95d697bf3eecae67
 SHA512:
-  metadata.gz: 85f66e2314297543555b22e9ada529342caef50d6361e31afa1ba2d777c6b752b51260f6c0161b2788fe1816f04dcd330af61b2074908a08caa462f0e72b5754
-  data.tar.gz: 76417e3878c285b0f67808027b6fde0f8d0e5a6c1849db49bdcec4d2b6a86eb3f95607b8cacf76cfbfc1b8f9d49624c278aa30cfe9eb4bb7d12dd6b5abc947a5
+  metadata.gz: 8708897bda47dd2c07b064eaafbbfe8641af469a1b5688a98bbef9e38119675de9ce52287fdb00c75f908e29e70499d14203fc53a11c6824691c315a5ebeb746
+  data.tar.gz: aad169c776223bb67198ba223f0b53d640706540f67ec125d4527a05fa4ac8c42676588b84f5e0385c4db846631783159c2a44801964284b6ae0b78b83c0a031

data/examples/dump_secrets_from_sid.rb

@@ -26,6 +26,7 @@ client = RubySMB::Dcerpc::Client.new(
 client.connect
 puts('Binding to DRSR...')
 client.bind(
+  endpoint: RubySMB::Dcerpc::Drsr,
   auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
   auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
 )

data/lib/ruby_smb/dcerpc/ndr.rb

@@ -1315,5 +1315,123 @@ module RubySMB::Dcerpc::Ndr
     end
   end
 
+  # (IDL/NDR) Pickles as defined in
+  # [(IDL/NDR) # Pickles](https://pubs.opengroup.org/onlinepubs/9668899/chap2.htm#tagcjh_05_01_07)
+  # and
+  # [2.2.6 Type Serialization Version # 1](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/9a1d0f97-eac0-49ab-a197-f1a581c2d6a0)
+
+  # [2.2.6.1 Common Type Header for the Serialization Stream](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/6d75d40e-e2d2-4420-b9e9-8508a726a9ae)
+  class TypeSerialization1CommonTypeHeader < BinData::Record
+    default_parameter byte_align: 8
+    endian :little
+
+    uint8  :version, initial_value: 1
+    uint8  :endianness, initial_value: 0x10
+    uint16 :common_header_length, initial_value: 8
+    uint32 :filler, initial_value: 0xCCCCCCCC
+  end
+
+  # [2.2.6.2 Private Header for Constructed Type](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/63949ba8-bc88-4c0c-9377-23f14b197827)
+  class TypeSerialization1PrivateHeader < BinData::Record
+    default_parameter byte_align: 8
+    endian :little
+
+    uint32 :object_buffer_length, initial_value: -> { buffer_length(@obj) }
+    uint32 :filler, initial_value: 0x00000000
+
+    def buffer_length(obj)
+      parent.respond_to?(:field_length) ? parent.field_length(obj.parent) : 0
+    end
+  end
+
+  # [2.2.6 Type Serialization Version 1](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/9a1d0f97-eac0-49ab-a197-f1a581c2d6a0)
+  #
+  # This structure is not meant to be instantiated directly. Instead, the
+  # structure with the fields to be serialized needs to inherit from
+  # TypeSerialization1. This class will take care of adding the
+  # TypeSerialization1PrivateHeader fields in front of any NDR constructed type
+  # structures and setting the buffer length field (:object_buffer_length) to
+  # the correct value.
+  #
+  # Example:
+  #
+  # class TestStruct < RubySMB::Dcerpc::Ndr::NdrStruct
+  #   default_parameters byte_align: 8
+  #   endian :little
+
+  #   rpc_unicode_string :full_name
+  #   ndr_uint32 :user_id
+  # end
+
+  # class TestTypeSerialization1 < RubySMB::Dcerpc::Ndr::TypeSerialization1
+  #   default_parameter byte_align: 8
+  #   endian :little
+  #
+  #   test_struct :data1
+  #   uint32 :value1, initial_value: 5
+  #   uint32 :value2, initial_value: 6
+  #   test_struct :data2
+  #   uint32 :value3, initial_value: 7
+  #   test_struct :data3
+  # end
+  #
+  # This will result in the following structure:
+  # {
+  #   :common_header => {:version=>1, :endianness=>16, :common_header_length=>8, :filler=>3435973836},
+  #   :private_header1 => {:object_buffer_length=>12, :filler=>0},
+  #   :data1 => {:full_name=>{:buffer_length=>0, :maximum_length=>0, :buffer=>:null}, :user_id=>0},
+  #   :value1 => 5,
+  #   :value2 => 6,
+  #   :private_header2 => {:object_buffer_length=>12, :filler=>0},
+  #   :data2 => {:full_name=>{:buffer_length=>0, :maximum_length=>0, :buffer=>:null}, :user_id=>0},
+  #   :value3 => 7,
+  #   :private_header3 => {:object_buffer_length=>12, :filler=>0},
+  #   :data3 => {:full_name=>{:buffer_length=>0, :maximum_length=>0, :buffer=>:null}, :user_id=>0}
+  # }
+  #
+  class TypeSerialization1 < BinData::Record
+    PRIVATE_HEADER_BASE_NAME = 'private_header'.freeze
+
+    default_parameter byte_align: 8
+    endian :little
+    search_prefix :type_serialization1
+
+    common_type_header :common_header
+
+    def field_length(obj)
+      length = 0
+      index = find_index_of(obj)
+      if index
+        each_pair {|n, o| length = o.num_bytes if n == field_names[index + 1]}
+      end
+      length
+    end
+
+    def self.method_missing(symbol, *args, &block)
+      return super if dsl_parser.respond_to?(symbol)
+
+      klass = BinData::RegisteredClasses.lookup(symbol, {endian: dsl_parser.endian, search_prefix: dsl_parser.search_prefix})
+      if klass.new.is_a?(ConstructedTypePlugin)
+        # We cannot have two fields with the same name. So, here we look for
+        # existing TypeSerialization1PrivateHeader fields and just increment
+        # the ending number of the last TypeSerialization1PrivateHeader field
+        # to make the new name unique.
+        names = dsl_parser.fields.find_all do |field|
+          field.prototype.instance_variable_get(:@obj_class) == TypeSerialization1PrivateHeader
+        end.map(&:name).sort
+        if names.empty?
+          new_name = "#{PRIVATE_HEADER_BASE_NAME}1"
+        else
+          num = names.last.match(/#{PRIVATE_HEADER_BASE_NAME}(\d)$/)[1].to_i
+          new_name = "#{PRIVATE_HEADER_BASE_NAME}#{num + 1}"
+        end
+
+        super(:private_header, new_name.to_sym)
+      end
+
+      super
+    end
+  end
+
 end
 

data/lib/ruby_smb/dcerpc/samr.rb

@@ -259,6 +259,8 @@ module RubySMB
         3          => 'des-cbc-md5',
         17         => 'aes128-cts-hmac-sha1-96',
         18         => 'aes256-cts-hmac-sha1-96',
+        # Windows Server 2008 and later DC includes a KeyType of -140. Not present when the domain functional level is raised to DS_BEHAVIOR_WIN2008 or greater
+        # [Appendix_A_24](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-samr/fa61e5fc-f8fb-4d5b-9695-c724af0c3829#Appendix_A_24)
         0xffffff74 => 'rc4_hmac'
       }
 

data/lib/ruby_smb/version.rb

@@ -1,3 +1,3 @@
 module RubySMB
-  VERSION = '3.2.3'.freeze
+  VERSION = '3.2.4'.freeze
 end

data/spec/lib/ruby_smb/dcerpc/ndr_spec.rb

@@ -4146,3 +4146,201 @@ RSpec.describe 'Alignment' do
     end
   end
 end
+
+RSpec.describe RubySMB::Dcerpc::Ndr::TypeSerialization1CommonTypeHeader do
+  it 'is a BinData::Record class' do
+    expect(described_class).to be < BinData::Record
+  end
+  it 'has :byte_align parameter set to the expected value' do
+    expect(described_class.default_parameters[:byte_align]).to eq(8)
+  end
+
+  subject { described_class.new }
+
+  it { is_expected.to respond_to :version }
+  it { is_expected.to respond_to :endianness }
+  it { is_expected.to respond_to :common_header_length }
+  it { is_expected.to respond_to :filler }
+
+  context 'with #version' do
+    it 'is a BinData::Uint8' do
+      expect(subject.version).to be_a BinData::Uint8
+    end
+    it 'returns 1 by default' do
+      expect(subject.version).to eq(1)
+    end
+  end
+
+  context 'with #endianness' do
+    it 'is a BinData::Uint8' do
+      expect(subject.endianness).to be_a BinData::Uint8
+    end
+    it 'returns 0x10 by default' do
+      expect(subject.endianness).to eq(0x10)
+    end
+  end
+
+  context 'with #common_header_length' do
+    it 'is a BinData::Uint16le' do
+      expect(subject.common_header_length).to be_a BinData::Uint16le
+    end
+    it 'returns 8 by default' do
+      expect(subject.common_header_length).to eq(8)
+    end
+  end
+
+  context 'with #filler' do
+    it 'is a BinData::Uint32le' do
+      expect(subject.filler).to be_a BinData::Uint32le
+    end
+    it 'returns 0xCCCCCCCC by default' do
+      expect(subject.filler).to eq(0xCCCCCCCC)
+    end
+  end
+
+  it 'reads itself' do
+    values = {version: 4, endianness: 0x33, common_header_length: 44, filler: 0xFFFFFFFF}
+    struct_instance = described_class.new(values)
+    expect(described_class.read(struct_instance.to_binary_s)).to eq(values)
+  end
+end
+
+RSpec.describe RubySMB::Dcerpc::Ndr::TypeSerialization1PrivateHeader do
+  it 'is a BinData::Record class' do
+    expect(described_class).to be < BinData::Record
+  end
+  it 'has :byte_align parameter set to the expected value' do
+    expect(described_class.default_parameters[:byte_align]).to eq(8)
+  end
+
+  subject { described_class.new }
+
+  it { is_expected.to respond_to :object_buffer_length }
+  it { is_expected.to respond_to :filler }
+
+  context 'with #object_buffer_length' do
+    it 'is a BinData::Uint32le' do
+      expect(subject.object_buffer_length).to be_a BinData::Uint32le
+    end
+    it 'calls its parent\'s #field_length method to set its default value' do
+      test_struct = Class.new(BinData::Record) do
+        endian :little
+        type_serialization1_private_header :header
+
+        def field_length(obj);end
+      end.new
+      expect(test_struct).to receive(:field_length).and_return(4)
+      expect(test_struct.header.object_buffer_length).to eq(4)
+    end
+    it 'sets the default value to 0 when its parent doesn\'t implemet #field_length' do
+      expect(subject.object_buffer_length).to eq(0)
+    end
+  end
+
+  context 'with #filler' do
+    it 'is a BinData::Uint32le' do
+      expect(subject.filler).to be_a BinData::Uint32le
+    end
+    it 'returns 0x00000000 by default' do
+      expect(subject.filler).to eq(0x00000000)
+    end
+  end
+
+  it 'reads itself' do
+    values = {object_buffer_length: 4, filler: 0xFFFFFFFF}
+    struct_instance = described_class.new(values)
+    expect(described_class.read(struct_instance.to_binary_s)).to eq(values)
+  end
+end
+
+RSpec.describe RubySMB::Dcerpc::Ndr::TypeSerialization1 do
+  it 'is a BinData::Record class' do
+    expect(described_class).to be < BinData::Record
+  end
+  it 'has :byte_align parameter set to the expected value' do
+    expect(described_class.default_parameters[:byte_align]).to eq(8)
+  end
+
+  subject { described_class.new }
+
+  it { is_expected.to respond_to :common_header }
+
+  context 'with #common_header' do
+    it 'is a TypeSerialization1CommonTypeHeader structure' do
+      expect(subject.common_header).to be_a RubySMB::Dcerpc::Ndr::TypeSerialization1CommonTypeHeader
+    end
+  end
+
+  it 'reads itself' do
+    values = {
+      common_header: {version: 4, endianness: 0x33, common_header_length: 44, filler: 0xFFFFFFFF}
+    }
+    struct_instance = described_class.new(values)
+    expect(described_class.read(struct_instance.to_binary_s)).to eq(values)
+  end
+
+  context 'when inherited' do
+    let(:test_struct) do
+      Class.new(RubySMB::Dcerpc::Ndr::NdrStruct) do
+        default_parameters byte_align: 8
+        endian :little
+
+        rpc_unicode_string :full_name
+        ndr_uint32 :user_id
+      end
+    end
+    before :example do
+      BinData::RegisteredClasses.register('test_struct', test_struct)
+    end
+    after :example do
+      BinData::RegisteredClasses.unregister('test_struct')
+    end
+
+    subject do
+      Class.new(described_class) do
+        default_parameter byte_align: 8
+        endian :little
+
+        test_struct :data1
+        uint32 :value1, initial_value: 5
+        uint32 :value2, initial_value: 6
+        test_struct :data2
+        uint32 :value3, initial_value: 7
+        test_struct :data3
+      end.new
+    end
+
+    it { is_expected.to respond_to :common_header }
+    it { is_expected.to respond_to :private_header1 }
+    it { is_expected.to respond_to :data1 }
+    it { is_expected.to respond_to :value1 }
+    it { is_expected.to respond_to :value2 }
+    it { is_expected.to respond_to :private_header2 }
+    it { is_expected.to respond_to :data2 }
+    it { is_expected.to respond_to :value3 }
+    it { is_expected.to respond_to :private_header3 }
+    it { is_expected.to respond_to :data3 }
+
+    it 'sets the expected default values' do
+      data_obj = test_struct.new
+      expect(subject.data1).to eq(data_obj)
+      expect(subject.value1).to eq(5)
+      expect(subject.value2).to eq(6)
+      expect(subject.data2).to eq(data_obj)
+      expect(subject.value3).to eq(7)
+      expect(subject.data3).to eq(data_obj)
+    end
+
+    it 'sets the correct private header\'s object_buffer_length field value' do
+      data1 = test_struct.new(full_name: 'test string')
+      subject.data1 = data1
+      expect(subject.private_header1.object_buffer_length).to eq(data1.num_bytes)
+      data2 = test_struct.new(full_name: 'another test string')
+      subject.data2 = data2
+      expect(subject.private_header2.object_buffer_length).to eq(data2.num_bytes)
+      data3 = test_struct.new(full_name: 'more string!!!')
+      subject.data3 = data3
+      expect(subject.private_header3.object_buffer_length).to eq(data3.num_bytes)
+    end
+  end
+end

metadata

@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: ruby_smb
 version: !ruby/object:Gem::Version
-  version: 3.2.3
+  version: 3.2.4
 platform: ruby
 authors:
 - Metasploit Hackers
@@ -97,7 +97,7 @@ cert_chain:
   EknWpNgVhohbot1lfVAMmIhdtOVaRVcQQixWPwprDj/ydB8ryDMDosIMcw+fkoXU
   9GJsSaSRRYQ9UUkVL27b64okU8D48m8=
   -----END CERTIFICATE-----
-date: 2023-01-26 00:00:00.000000000 Z
+date: 2023-01-30 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: redcarpet