smbRpc 0.0.3

data/lib/smbRpc/lsarpc/querySecurityObject.rb

@@ -0,0 +1,75 @@
+module SmbRpc
+  class Lsarpc < Rpc
+
+    class LsarQuerySecurityObjectReq < BinData::Record
+      endian :little
+      request :request
+      string :objectHandle, :length => 20
+      uint32 :securityInformation, :initial_value => 4	#1#7 #owner, group and DACL
+
+      def initialize_instance
+        super
+        objectHandle.value = get_parameter(:handle)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 3        			#LsarQuerySecurityObject
+      end
+    end
+
+
+    #[MS-DTYPE] 2.4.4.1 ACE_HEADER
+    class Ace < BinData::Record
+      endian :little
+      uint8 :aceType
+      uint8 :aceFlags
+      uint16 :aceSize
+      string :content, :length => lambda { aceSize - 4 }
+     end
+
+    #[MS-DTYPE] 2.4.5 ACL
+    class Acl < BinData::Record
+      endian :little
+      uint8 :aclRevision
+      uint8 :sbz1					#alignment
+      uint16 :aclSize
+      uint16 :aceCount
+      uint16 :sbz2
+      array :aces, :type => :ace, :initial_length => :aceCount
+    end
+
+    class Lsapr_security_descriptor < BinData::Record
+      endian :little
+      uint8 :revision
+      uint8 :sbz1
+      uint16 :control
+      uint32 :ref_id_owner
+      uint32 :ref_id_group
+      uint32 :ref_id_sacl
+      uint32 :ref_id_dacl
+      acl :dacl
+    end
+
+    class Plsapr_sr_security_descriptor < BinData::Record
+      endian :little
+      uint32 :len
+      uint32 :ref_id_security
+      uint32 :secLen
+      lsapr_security_descriptor :securityDescriptor
+    end
+
+    class LsarQuerySecurityObjectRes < BinData::Record
+      endian :little
+      response :response
+      uint32 :ref_id_SecurityDescriptor
+      plsapr_sr_security_descriptor :securityDescriptor
+      uint32 :windowsError
+    end
+
+    def querySecurityObject(objectHandle:)
+      lsarQuerySecurityObjectReq = LsarQuerySecurityObjectReq.new(handle:objectHandle)
+      lsarQuerySecurityObjectRes = @file.ioctl_send_recv(lsarQuerySecurityObjectReq).buffer
+      lsarQuerySecurityObjectRes.raise_not_error_success("querySecurityObject")
+      lsarQuerySecurityObjectRes = LsarQuerySecurityObjectRes.read(lsarQuerySecurityObjectRes)
+    end
+
+end
+end

data/lib/smbRpc/rpc.rb

@@ -0,0 +1,5 @@
+require"smbRpc/rpc/pdu"
+require"smbRpc/rpc/connection"
+require"smbRpc/rpc/constants"  
+require"smbRpc/rpc/endpoints"
+require"smbRpc/rpc/ndrep"

data/lib/smbRpc/rpc/connection.rb

@@ -0,0 +1,34 @@
+
+module SmbRpc
+  class Rpc
+
+  attr_reader :smb
+
+    def initialize(ip:, port:445, user:"", pass:"")
+      @ip = ip
+      @port = port
+      @user = user
+      @pass = pass
+    end
+
+    def connect
+      sock = TCPSocket.open(@ip, @port)
+      dispatcher = RubySMB::Dispatcher::Socket.new(sock)
+      @smb = RubySMB::Client.new(dispatcher, smb1: true, smb2: true, username: @user, password: @pass)
+      result = @smb.login.value 
+      error = WindowsError::NTStatus.find_by_retval(result.to_i)[0]
+      result == 0? result : (raise "Connect Fail, WinError: %s %s"%[error.name, error.description])
+    end
+
+    def bind(pipe:)
+      @ipc = @smb.tree_connect("\\\\#{@ip}\\IPC$")
+      @file = @ipc.open_file(filename: pipe, read: true, write: true)
+      @file.bind(endpoint: ENDPOINT[pipe])	#ruby_smb bind uses modules as endpoints, so setup and give it one
+    end
+
+    def close
+      @file.close if @file != nil
+      @smb.disconnect!
+    end
+  end
+end

data/lib/smbRpc/rpc/constants.rb

@@ -0,0 +1,64 @@
+
+PFC_FIRST_FRAG = 0x01
+PFC_LAST_FRAG = 0x02
+PFC_PENDING_CANCEL = 0x04
+PFC_RESERVED_1 = 0x08
+PFC_CONC_MPX = 0x10
+PFC_DID_NOT_EXECUTE = 0x20
+PFC_MAYBE = 0x40
+PFC_OBJECT_UUID = 0x80
+
+P_CONT_DEF_RESULT_T = {
+  "ACCEPTANCE" => 0,
+  "USER_REJECTION" => 1,
+  "PROVIDER_REJECTION" => 2
+}
+P_PROVIDER_REASON_T = {
+  "REASON_NOT_SPECIFIED" => 0, 
+  "ABSTRACT_SYNTAX_NOT_SUPPORTED" => 1, 
+  "PROPOSED_TRANSFER_SYNTAXES_NOT_SUPPORTED" => 2, 
+  "LOCAL_LIMIT_EXCEEDED" => 3
+}
+
+PDU_TYPE = {
+  "REQUEST" => 0,
+  "PING" => 1,
+  "RESPONSE" => 2,
+  "FAULT" => 3,
+  "WORKING" => 4,
+  "NOCALL" => 5,
+  "REJECT" => 6,
+  "ACK" => 7,
+  "CL_CANCEL" => 8,
+  "FACK" => 9,
+  "CANCEL_ACK" => 10,
+  "BIND" => 11,
+  "BIND_ACK" => 12,
+  "BIND_NAK" => 13,
+  "ALTER_CONTEXT" => 14,
+  "ALTER_CONTEXT_RESP" => 15,
+  "SHUTDOWN" => 17,
+  "CO_CANCEL" => 18,
+  "ORPHANED" => 19
+}
+
+#PDU Type	Protocol	Type Value
+#request		CO/CL		0
+#ping		CL		1
+#response	CO/CL		2
+#fault		CO/CL		3
+#working		CL		4
+#nocall		CL		5
+#reject		CL		6
+#ack		CL		7
+#cl_cancel	CL		8
+#fack		CL		9
+#cancel_ack	CL		10
+#bind		CO		11
+#bind_ack	CO		12
+#bind_nak	CO		13
+#alter_context	CO		14
+#alter_context_resp	CO	15
+#shutdown	CO		17
+#co_cancel	CO		18
+#orphaned	CO		19

data/lib/smbRpc/rpc/endpoints.rb

@@ -0,0 +1,38 @@
+module SmbRpc
+  module Endpoint
+    module Srvsvc
+      UUID = '4B324FC8-1670-01D3-1278-5A47BF6EE188'
+      VER_MAJOR = 3
+      VER_MINOR = 0
+    end
+    module Svcctl
+      UUID = '367ABB81-9844-35F1-AD32-98F038001003'
+      VER_MAJOR = 2
+      VER_MINOR = 0
+    end
+    module Lsarpc
+      UUID = '12345778-1234-ABCD-EF00-0123456789AB'
+      VER_MAJOR = 0
+      VER_MINOR = 0
+    end
+    module Epmapper
+      UUID = 'e1af8308-5d1f-11c9-91a4-08002b14a0fa'
+      VER_MAJOR = 3
+      VER_MINOR = 0
+    end
+    module Samr
+      UUID = '12345778-1234-ABCD-EF00-0123456789AC'
+      VER_MAJOR = 1
+      VER_MINOR = 0
+    end
+  end
+end
+
+ENDPOINT = {
+  "srvsvc" => SmbRpc::Endpoint::Srvsvc,
+  "svcctl" => SmbRpc::Endpoint::Svcctl,
+  "lsarpc" => SmbRpc::Endpoint::Lsarpc,
+  "epmapper" => SmbRpc::Endpoint::Epmapper,
+  "samr" => SmbRpc::Endpoint::Samr
+}
+

data/lib/smbRpc/rpc/ndrep.rb

@@ -0,0 +1,24 @@
+
+module SmbRpc
+  class Rpc
+
+    class ConformantandVaryingStrings < BinData::Record
+      endian :little
+      uint32 :max_count, :initial_value => :actual_count
+      uint32 :offset
+      uint32 :actual_count, :value => lambda{ str.num_bytes / 2}
+      string :str, :read_length => lambda { actual_count.nonzero?? actual_count.value * 2 : 0 } 
+      string :pad, :onlyif => lambda{ (str.num_bytes % 4) > 0 }, :length => lambda { (4 - (str.num_bytes % 4)) % 4 }
+    end
+
+    class ConformantandVaryingStringsAscii < BinData::Record
+      endian :little
+      uint32 :max_count, :initial_value => :actual_count
+      uint32 :offset
+      uint32 :actual_count, :value => lambda{ str.num_bytes }
+      string :str, :read_length => :actual_count 
+      string :pad, :onlyif => lambda{ (str.num_bytes % 4) > 0}, :length => lambda { (4 - (str.num_bytes % 4)) % 4 }
+    end
+
+  end
+end

data/lib/smbRpc/rpc/pdu.rb

@@ -0,0 +1,40 @@
+
+module SmbRpc
+  class Rpc
+    class PduHead < BinData::Record
+      endian :little
+      uint8  :rpc_vers, :initial_value => 5
+      uint8  :rpc_vers_minor
+      uint8  :ptype					#packet type
+      uint8  :pfc_flags, :initial_value => lambda{ PFC_FIRST_FRAG | PFC_LAST_FRAG }			#flags (see PFC_... )
+      uint32 :drep, :initial_value => 0x10		#NDR data representation format label
+      uint16 :frag_length				#total length of the PDU
+      uint16 :auth_length				#length of auth_value
+      uint32 :call_id, :initial_value => 1		#call identifier for matching rewponse like smb msg ID
+    end
+
+    class Request < BinData::Record
+      endian :little
+      pduHead :pduHead
+      uint32 :alloc_hint
+      uint16 :p_cont_id
+      uint16 :opnum
+      string :auth_verifier, :onlyif => lambda { pduHead.auth_length > 0 }, :length => lambda { pduHead.auth_length }
+      
+      def initialize_instance
+        super
+        pduHead.ptype = PDU_TYPE["REQUEST"]
+      end
+    end
+
+    class Response < BinData::Record
+      endian :little
+      pduHead :pduHead
+      uint32 :alloc_hint
+      uint16 :p_cont_id
+      uint8 :cancel_count
+      uint8 :reserved
+      string :auth_verifier, :onlyif => lambda { pduHead.auth_length > 0 }, :length => lambda { pduHead.auth_length }
+    end
+  end
+end

data/lib/smbRpc/samr.rb

@@ -0,0 +1,40 @@
+require"smbRpc/samr/connect"
+require"smbRpc/samr/constants"
+require"smbRpc/samr/openDomain"
+require"smbRpc/samr/enumerateUsersInDomain"
+require"smbRpc/samr/enumerateDomainsInSamServer"
+require"smbRpc/samr/lookupDomainInSamServer"
+require"smbRpc/samr/closeHandle"
+require"smbRpc/samr/openUser"
+require"smbRpc/samr/queryInformationUser"
+require"smbRpc/samr/enumerateGroupsInDomain"
+require"smbRpc/samr/enumerateAliasesInDomain"
+require"smbRpc/samr/openAlias"
+require"smbRpc/samr/getMembersInAlias"
+require"smbRpc/samr/lookupNamesInDomain"
+require"smbRpc/samr/lookupIdsInDomain"
+require"smbRpc/samr/createUserInDomain"
+require"smbRpc/samr/setInformationUser"
+require"smbRpc/samr/deleteUser"
+require"smbRpc/samr/changePasswordUser"
+require"smbRpc/samr/createGroupInDomain"
+require"smbRpc/samr/createAliasInDomain"
+require"smbRpc/samr/deleteAlias"
+require"smbRpc/samr/addMemberToAlias"
+require"smbRpc/samr/getMembersInAlias"
+require"smbRpc/samr/removeMemberFromAlias"
+require"smbRpc/samr/openGroup"
+require"smbRpc/samr/deleteGroup"
+require"smbRpc/samr/addMemberToGroup"
+require"smbRpc/samr/getMembersInGroup"
+require"smbRpc/samr/removeMemberFromGroup"
+
+module SmbRpc
+  class Samr < Rpc
+    def initialize(**argv)
+      super(argv)
+      self.connect
+      self.bind(pipe:"samr")
+    end
+end
+end

data/lib/smbRpc/samr/addMemberToAlias.rb

@@ -0,0 +1,43 @@
+module SmbRpc
+  class Samr < Rpc
+
+    class SamrAddMemberToAliasReq < BinData::Record
+      endian :little
+      request :request
+      string :aliasHandle, :length => 20
+      sid_element :memberId
+
+      def initialize_instance
+        super
+        aliasHandle.value = get_parameter(:handle)
+        sid = get_parameter(:sid)
+        sidArray = sid.split("-")
+        subAuthorityCount = sidArray.size - 3
+        memberId.sub_auth.value = subAuthorityCount
+        memberId.sid.revision.value = sidArray[1].to_i
+        memberId.sid.subAuthorityCount.value = subAuthorityCount
+        memberId.sid.identifierAuthority.value = [sidArray[2].to_i].pack("N").rjust(6, "\x00")
+        subAuthorityCount.times do |i|
+          memberId.sid.subAuthority[i] = sidArray[i + 3].to_i
+        end
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 31        #SamrAddMemberToAlias
+      end
+    end
+
+    class SamrAddMemberToAliasRes < BinData::Record
+      endian :little
+      response :response
+      uint32 :windowsError
+    end
+
+    def addMemberToAlias(memberId:)
+      samrAddMemberToAliasReq = SamrAddMemberToAliasReq.new(handle:@aliasHandle, sid:memberId)
+      samrAddMemberToAliasRes = @file.ioctl_send_recv(samrAddMemberToAliasReq).buffer
+      samrAddMemberToAliasRes.raise_not_error_success("addMemberToAlias")
+      return self
+    end
+
+end
+end
+

data/lib/smbRpc/samr/addMemberToGroup.rb

@@ -0,0 +1,36 @@
+module SmbRpc
+  class Samr < Rpc
+
+    class SamrAddMemberToGroupReq < BinData::Record
+      endian :little
+      request :request
+      string :groupHandle, :length => 20
+      uint32 :memberId			#addMemberToAlias use SID, why not here MS?
+      uint32 :attributes
+
+      def initialize_instance
+        super
+        groupHandle.value = get_parameter(:handle)
+        memberId.value = get_parameter(:rid)
+        attributes.value = get_parameter(:attr)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 22        #SamrAddMemberToGroup
+      end
+    end
+
+    class SamrAddMemberToGroupRes < BinData::Record
+      endian :little
+      response :response
+      uint32 :windowsError
+    end
+
+    def addMemberToGroup(memberId:, attributes:SAMR_SE_GROUP_ATTRIBUTES["SE_GROUP_ENABLED_BY_DEFAULT"])
+      samrAddMemberToGroupReq = SamrAddMemberToGroupReq.new(handle:@groupHandle, rid:memberId, attr:attributes)
+      samrAddMemberToGroupRes = @file.ioctl_send_recv(samrAddMemberToGroupReq).buffer
+      samrAddMemberToGroupRes.raise_not_error_success("addMemberToGroup")
+      return self
+    end
+
+end
+end
+

data/lib/smbRpc/samr/changePasswordUser.rb

@@ -0,0 +1,64 @@
+
+module SmbRpc
+  class Samr < Rpc
+
+    class SamrChangePasswordUserReq < BinData::Record
+      endian :little
+      request :request
+      string :userHandle, :length => 20
+
+      uint32 :lmPresent, :value => 1				
+      uint32 :ref_id_oldLmEncryptedWithNewLm, :value => 1
+      string :oldLmEncryptedWithNewLm, :length => 16
+      uint32 :ref_id_newLmEncryptedWithOldLm, :value => 1
+      string :newLmEncryptedWithOldLm, :length => 16
+
+      uint32 :ntPresent, :value => 1
+      uint32 :ref_id_oldNtEncryptedWithNewNt, :value => 1
+      string :oldNtEncryptedWithNewNt, :length => 16
+      uint32 :ref_id_newNtEncryptedWithOldNt, :value => 1
+      string :newNtEncryptedWithOldNt, :length => 16
+
+      uint32 :ntCrossEncryptionPresent, :value => 1
+      uint32 :ref_id_newNtEncryptedWithNewLm, :value => 1
+      string :newNtEncryptedWithNewLm, :length => 16
+
+      uint32 :lmCrossEncryptionPresent, :value => 1
+      uint32 :ref_id_newLmEncryptedWithNewNt, :value => 1
+      string :newLmEncryptedWithNewNt, :length => 16
+
+      def initialize_instance
+        super
+        userHandle.value = get_parameter(:handle)
+        oldPass = get_parameter(:oldPass)
+        newPass = get_parameter(:newPass)
+        oldLm = [Smbhash.lm_hash(oldPass)].pack("H*")
+        oldNt = [Smbhash.ntlm_hash(oldPass)].pack("H*")
+        newLm = [Smbhash.lm_hash(newPass)].pack("H*")
+        newNt = [Smbhash.ntlm_hash(newPass)].pack("H*")
+        oldLmEncryptedWithNewLm.value = oldLm.to_des_ecb_lm(newLm)
+        newLmEncryptedWithOldLm.value = newLm.to_des_ecb_lm(oldLm)
+        oldNtEncryptedWithNewNt.value = oldNt.to_des_ecb_lm(newNt)
+        newNtEncryptedWithOldNt.value = newNt.to_des_ecb_lm(oldNt)
+        newNtEncryptedWithNewLm.value = newNt.to_des_ecb_lm(newLm)
+        newLmEncryptedWithNewNt.value = newLm.to_des_ecb_lm(newNt)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 38        #SamrChangePasswordUser
+      end
+    end
+
+    class SamrChangePasswordUserRes < BinData::Record
+      endian :little
+      request :request
+      uint32 :windowsError
+    end
+
+    def changePasswordUser(oldPass:, newPass:)
+      samrChangePasswordUserReq = SamrChangePasswordUserReq.new(handle:@userHandle, oldPass:oldPass, newPass:newPass)
+      samrChangePasswordUserRes = @file.ioctl_send_recv(samrChangePasswordUserReq).buffer
+      samrChangePasswordUserRes.raise_not_error_success("changePasswordUser")
+      return self
+    end
+
+end
+end