smbRpc 0.0.3

data/lib/smbRpc/svcctl/deleteService.rb

@@ -0,0 +1,31 @@
+module SmbRpc
+  class Svcctl < Rpc
+
+    class DeleteServiceReq < BinData::Record
+      endian :little
+      request :request
+      string :serviceHandle, :length => 20
+
+      def initialize_instance
+        super
+        serviceHandle.value = get_parameter(:handle)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 2        #RDeleteService
+      end
+    end
+
+    class DeleteServiceRes < BinData::Record
+      endian :little
+      request :response
+      uint32 :windowsError
+    end
+
+    def deleteService()
+      deleteServiceReq = DeleteServiceReq.new(handle:@serviceHandle)
+      deleteServiceRes = @file.ioctl_send_recv(deleteServiceReq).buffer
+      deleteServiceRes.raise_not_error_success("deleteService")
+      return 0
+    end
+
+end
+end

data/lib/smbRpc/svcctl/enumServicesStatus.rb

@@ -0,0 +1,96 @@
+module SmbRpc
+  class Svcctl < Rpc
+    class EnumServicesStatusReq < BinData::Record
+      default_parameter :bytesNeeded => 0
+      endian :little
+      request :request
+      string :scHandle, :length => 20
+      uint32 :serviceType
+      uint32 :serviceState
+      uint32 :bufSize
+      uint32 :ref_id_resume, :value => 1
+      uint32 :resume_handle
+
+      def initialize_instance
+        super
+        scHandle.value = get_parameter(:handle)
+        bufSize.value = get_parameter(:bytesNeeded)
+        serviceType.value = get_parameter(:type)
+        serviceState.value = get_parameter(:state)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 14        #REnumServicesStatusW
+      end
+    end
+
+    class Service_status < BinData::Record
+      endian :little
+      uint32 :ref_id_serviceName
+      uint32 :ref_id_displayName
+      uint32 :serviceType               #SERVICE_STATUS nested struct begin
+      uint32 :currentState              #different from SmbRpc::Svcctl::SERVICE_STATE
+      uint32 :controlsAccepted
+      uint32 :win32ExitCode
+      uint32 :serviceSpecificExitCode
+      uint32 :checkPoint
+      uint32 :waitHint                  #SERVICE_STATUS nested struct ends
+      string :serviceName
+      string :displayName
+    end
+ 
+    class Enum_service_statusw < BinData::Record
+      array :service_status_array, :type => :service_status, :initial_length => :servicesReturned
+    end
+
+    class EnumServicesStatusRes < BinData::Record
+      endian :little
+      request :response
+      uint32 :buffLen
+      string :buffer, :onlyif => lambda{ buffLen > 0 }, :read_length => :buffLen
+      uint32 :bytesNeeded
+      uint32 :servicesReturned
+      uint32 :ref_id_resumeIndex
+      uint32 :resumeIndex
+      uint32 :windowsError
+
+    def getService
+        enum_service_statusw = Enum_service_statusw.new(:servicesReturned => self.servicesReturned)
+        enum_service_statusw.read(self.buffer)
+        num = self.servicesReturned * 36
+        serviceStr = self.buffer[num..-1 ].scan(/\w.+?\x00\x00\x00/)
+        len = enum_service_statusw.service_status_array.length - 1      #get service array index
+        len.downto(0).each do |idx|     #lopp backward b/c MS thaough it was cool to add a buffer in the middle of struct :(
+          enum_service_statusw.service_status_array[idx].displayName = serviceStr.pop.unpack("v*").pack("C*").chop
+          enum_service_statusw.service_status_array[idx].serviceName = serviceStr.pop.unpack("v*").pack("C*").chop
+        end
+        return enum_service_statusw.service_status_array
+      end
+    end
+
+    #[MS-SCMR] SC_MANAGER_ENUMERATE_SERVICE access right MUST have been granted to the caller when the RPC context handle 
+    #to the service record was created
+    def enumServicesStatus(type:SVCCTL_SERVICE_TYPE["ALL"], state:SVCCTL_SERVICE_STATE["SERVICE_STATE_ALL"])
+      services = []
+      response = ""
+      idx = 0
+      loop do
+        enumServicesStatusReq = EnumServicesStatusReq.new(handle:@scHandle, bytesNeeded:512, type:type, state:state)
+        enumServicesStatusReq.resume_handle = idx
+        enumServicesStatusRes = @file.ioctl_send_recv(enumServicesStatusReq).buffer
+        response = enumServicesStatusRes
+        enumServicesStatusRes = EnumServicesStatusRes.read(enumServicesStatusRes)
+        idx = enumServicesStatusRes.resumeIndex
+        enumServicesStatusRes.getService.each do |i|
+        services << { serviceType:i.serviceType, currentState:i.currentState,
+                      controlsAccepted:i.controlsAccepted, win32ExitCode:i.win32ExitCode,
+                      serviceSpecificExitCode:i.serviceSpecificExitCode, checkPoint:i.checkPoint,
+                      waitHint:i.waitHint, serviceName:i.serviceName, displayName:i.displayName
+                    }
+        end
+        break if enumServicesStatusRes.windowsError == 0 || enumServicesStatusRes.windowsError != 234
+      end
+      response.raise_not_error_success("enumServicesStatus")
+      return services
+    end
+
+end
+end

data/lib/smbRpc/svcctl/openScm.rb

@@ -0,0 +1,37 @@
+module SmbRpc
+  class Svcctl < Rpc
+
+    class OpenScmReq < BinData::Record
+      endian :little
+      request :request
+      uint32 :ref_id_machine_name, :value => 1
+      conformantandVaryingStrings :machine_name
+      uint32 :databaseName
+      uint32 :desiredAccess
+
+      def initialize_instance
+        super
+        machine_name.str = "\\\\#{get_parameter(:serverName)}\x00".bytes.pack("v*")
+        desiredAccess.value = get_parameter(:accessMask)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 15        #ROpenSCManagerW
+      end
+    end
+
+    class OpenScmRes < BinData::Record
+      endian :little
+      response :response
+      string :scHandle, :length => 20
+      uint32 :windowsError
+    end
+
+    def openScm(scAccessMask:)
+      openScmReq = OpenScmReq.new(serverName:@ip, accessMask:scAccessMask)
+      openScmRes = @file.ioctl_send_recv(openScmReq).buffer
+      openScmRes.raise_not_error_success("openScm")
+      openScmRes = OpenScmRes.read(openScmRes)
+      @scHandle = openScmRes.scHandle
+      return self
+    end
+end
+end

data/lib/smbRpc/svcctl/openService.rb

@@ -0,0 +1,36 @@
+module SmbRpc
+  class Svcctl < Rpc
+    class OpenServiceReq < BinData::Record
+      endian :little
+      request :request
+      string :scHandle, :length => 20
+      conformantandVaryingStrings :serviceName
+      uint32 :desiredAccess
+
+      def initialize_instance
+        super
+        scHandle.value = get_parameter(:handle)
+        serviceName.str = "#{get_parameter(:svcName)}\x00".bytes.pack("v*")
+        desiredAccess.value = get_parameter(:access)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 16        #ROpenServiceW
+      end
+    end
+
+    class OpenServiceRes < BinData::Record
+      endian :little
+      request :request
+      string :serviceHandle, :length => 20
+      uint32 :windowsError
+    end
+
+    def openService(serviceName:, serviceAccessMask:)
+      openServiceReq = OpenServiceReq.new(svcName:serviceName, handle:@scHandle, access:serviceAccessMask)
+      openServiceRes = @file.ioctl_send_recv(openServiceReq).buffer
+      openServiceRes.raise_not_error_success("openService")
+      openServiceRes = OpenServiceRes.read(openServiceRes)
+      @serviceHandle = openServiceRes.serviceHandle
+      return self
+    end
+end
+end

data/lib/smbRpc/svcctl/queryServiceConfig.rb

@@ -0,0 +1,67 @@
+
+module SmbRpc
+  class Svcctl < Rpc
+
+    class QueryServiceConfigReq  < BinData::Record
+      mandatory_parameter :handle
+      endian :little
+      request :request
+      string :serviceHandle, :length => 20
+      uint32 :bufSize
+
+      def initialize_instance
+        super
+        serviceHandle.value = get_parameter(:handle)
+        bufSize.value = get_parameter(:bytesNeeded)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 17        #RQueryServiceConfigW
+      end
+    end
+
+    class Query_service_configw  < BinData::Record
+      endian :little
+      uint32 :serviceType
+      uint32 :startType
+      uint32 :errorControl
+      uint32 :ref_id_binaryPathName
+      uint32 :ref_id_loadOrderGroup
+      uint32 :tagId
+      uint32 :ref_id_dependencies
+      uint32 :ref_id_serviceStartName
+      uint32 :ref_id_displayName
+      conformantandVaryingStrings :binaryPathName
+      conformantandVaryingStrings :loadOrderGroup
+      conformantandVaryingStrings :dependencies
+      conformantandVaryingStrings :serviceStartName
+      conformantandVaryingStrings :displayName
+    end
+
+    class QueryServiceConfigRes < BinData::Record
+      endian :little
+      request :response
+      query_service_configw :serviceConfig
+      uint32 :bytesNeeded       #bytes needed to return all data if function fail
+      uint32 :windowsError
+    end
+
+    def queryServiceConfig()
+      queryServiceConfigReq = QueryServiceConfigReq.new(handle:@serviceHandle, bytesNeeded:512)
+      queryServiceConfigRes = @file.ioctl_send_recv(queryServiceConfigReq).buffer
+      queryServiceConfigRes.raise_not_error_success("queryServiceConfig")
+      queryServiceConfigRes = QueryServiceConfigRes.read(queryServiceConfigRes)
+      config = queryServiceConfigRes.serviceConfig
+      return {
+        serviceType:config.serviceType,
+        startType:config.startType,
+        errorControl:config.errorControl,
+        tagId:config.tagId,
+        binaryPathName:config.binaryPathName.str.unpack("v*").pack("C*").chop,
+        loadOrderGroup:config.loadOrderGroup.str.unpack("v*").pack("C*").chop,
+        dependencies:config.dependencies.str.unpack("v*").pack("C*").chop,
+        serviceStartName:config.serviceStartName.str.unpack("v*").pack("C*").chop,
+        displayName:config.displayName.str.unpack("v*").pack("C*").chop
+      }
+    end
+
+end
+end

data/lib/smbRpc/svcctl/startService.rb

@@ -0,0 +1,35 @@
+module SmbRpc
+  class Svcctl < Rpc
+
+    class StartServiceReq  < BinData::Record
+      mandatory_parameter :handle
+      endian :little
+      request :request
+      string :serviceHandle, :length => 20
+      uint32 :argc
+      uint32 :argv
+
+      def initialize_instance
+        super
+        serviceHandle.value = get_parameter(:handle)
+        request.pduHead.frag_length = self.num_bytes
+        request.opnum.value = 19        #RStartServiceW
+      end
+    end
+
+    class StartServiceRes  < BinData::Record
+      endian :little
+      request :response
+      uint32 :windowsError
+    end
+
+    def startService()
+      startServiceReq = StartServiceReq.new(handle:@serviceHandle)
+      startServiceRes = @file.ioctl_send_recv(startServiceReq).buffer
+      startServiceRes.raise_not_error_success("startService")
+      return 0
+    end
+
+end
+end
+

data/lib/smbRpc/updateRuby_smb.rb

@@ -0,0 +1,3 @@
+require"smbRpc/updateRuby_smb/client"
+require"smbRpc/updateRuby_smb/ioctl_request"
+require"smbRpc/updateRuby_smb/dcerpc"

data/lib/smbRpc/updateRuby_smb/client.rb

@@ -0,0 +1,29 @@
+module RubySMB
+  class Client
+
+    def send_recv(packet)
+      case packet.packet_smb_version
+      when 'SMB1'
+        packet.smb_header.uid = user_id if user_id
+        packet = smb1_sign(packet)
+      when 'SMB2'
+        packet = increment_smb_message_id(packet)
+        packet.smb2_header.session_id = session_id
+        unless packet.is_a?(RubySMB::SMB2::Packet::SessionSetupRequest)
+          packet = smb2_sign(packet)
+        end
+      else
+        packet = packet
+      end
+      dispatcher.send_packet(packet)
+      raw_response = dispatcher.recv_packet
+
+      #fix ioctl_send_recv() raise error when receive STATUS_PENDING
+      #force repeat read request if server sends NtStatus STATUS_PENDING
+      raw_response = dispatcher.recv_packet if raw_response[8,4].unpack("V")[0] == WindowsError::NTStatus::STATUS_PENDING.value
+
+      self.sequence_counter += 1 if signing_required && !session_key.empty?
+      raw_response
+    end
+  end
+end

data/lib/smbRpc/updateRuby_smb/dcerpc.rb

@@ -0,0 +1,30 @@
+module RubySMB
+  module SMB2
+    module Dcerpc
+
+      def ioctl_send_recv(action, options={})
+	#update ioctl_send_recv to use the new RubySMB::SMB2::Packet::IoctlRequest2 structure and avoid `ioctl_send_recv': STATUS_BUFFER_OVERFLOW
+        request = set_header_fields(RubySMB::SMB2::Packet::IoctlRequest2.new(options))
+        request.ctl_code = 0x0011C017
+        request.flags.is_fsctl = 0x00000001
+        request.buffer = action.to_binary_s
+        ioctl_raw_response = @tree.client.send_recv(request)
+        ioctl_response = RubySMB::SMB2::Packet::IoctlResponse.read(ioctl_raw_response)
+        unless ioctl_response.valid?
+          raise RubySMB::Error::InvalidPacket.new(
+            expected_proto: RubySMB::SMB2::SMB2_PROTOCOL_ID,
+            expected_cmd:   RubySMB::SMB2::Packet::IoctlRequest::COMMAND,
+            received_proto: ioctl_response.smb2_header.protocol,
+            received_cmd:   ioctl_response.smb2_header.command
+          )
+        end
+        unless ioctl_response.status_code == WindowsError::NTStatus::STATUS_SUCCESS
+          raise RubySMB::Error::UnexpectedStatusCode, ioctl_response.status_code.name
+        end
+        ioctl_response
+      end
+
+    end
+  end
+end
+

data/lib/smbRpc/updateRuby_smb/ioctl_request.rb

@@ -0,0 +1,53 @@
+module RubySMB
+  module SMB2
+    module Packet
+      # An SMB2 Ioctl Request Packet as defined in
+      # [2.2.31 SMB2 IOCTL Request](https://msdn.microsoft.com/en-us/library/cc246545.aspx)
+      class IoctlRequest2 < RubySMB::GenericPacket
+	#copy IoctlRequest to IoctlRequest2 to change max_output_response initial_value
+        COMMAND = RubySMB::SMB2::Commands::IOCTL
+
+        endian :little
+
+        smb2_header   :smb2_header
+        uint16        :structure_size,      label: 'Structure Size',      initial_value: 57
+        uint16        :reserved1,           label: 'Reserved Space'
+        uint32        :ctl_code,            label: 'Control Code'
+        smb2_fileid   :file_id,             label: 'File Id'
+        uint32        :input_offset,        label: 'Input Offset',        initial_value: -> { calc_input_offset }
+        uint32        :input_count,         label: 'Input Count',         initial_value: -> { buffer.do_num_bytes }
+        uint32        :max_input_response,  label: 'Max Input Response'
+        uint32        :output_offset,       label: 'Output Offset',       initial_value: -> { input_offset + output_count }
+        uint32        :output_count,        label: 'Output Count'
+	#change initial_value from 2014 to 0x2000 to avoid /lib/ruby_smb/smb2/dcerpc.rb:67:in `ioctl_send_recv': STATUS_BUFFER_OVERFLOW
+        uint32        :max_output_response, label: 'Max Output response', initial_value: 0x2000
+
+        struct :flags do
+          bit7  :reserved1, label: 'Reserved Space'
+          bit1  :is_fsctl,  label: 'FSCTL not IOCTL'
+
+          bit8  :reserved2, label: 'Reserved Space'
+          bit8  :reserved3, label: 'Reserved Space'
+          bit8  :reserved4, label: 'Reserved Space'
+        end
+
+        uint32  :reserved2, label: 'Reserved Space'
+        string  :buffer,    label: 'Input Buffer', read_length: -> { input_count + output_count }
+
+        # Calculates the value for the input_offset field.
+        # If the input buffer is empty then this should be set to 0,
+        # otherwise it should return the absolute offset of the input buffer.
+        #
+        # @return [Integer] the value to store in #input_offset
+        def calc_input_offset
+          if input_count.zero?
+            0
+          else
+            buffer.abs_offset
+          end
+        end
+
+      end
+    end
+  end
+end

data/lib/smbRpc/updateString.rb

@@ -0,0 +1,3 @@
+require"smbRpc/updateString/raise_not_error_success"
+require"smbRpc/updateString/to_des_ecb_lm"
+

data/lib/smbRpc/updateString/raise_not_error_success.rb

@@ -0,0 +1,11 @@
+class String
+
+  def raise_not_error_success(funcName)
+    winError = self[-4,4].unpack("V")[0]
+    error = WindowsError::Win32.find_by_retval(winError)[0]
+    error = WindowsError::NTStatus.find_by_retval(winError)[0] if error.nil?
+    raise "%s Fail, WinError: %s 0x%08x"%[funcName, "UNKNOWN ERROR CODE", winError ] if error.nil?
+    error.value == 0? error.value : (raise "%s Fail, WinError: %s %s"%[funcName, error.name, error.description])
+  end
+
+end