Class: RubySMB::SMB1::Pipe

Inherits:

File

• Object
• File
• RubySMB::SMB1::Pipe

Includes:

Dcerpc

Defined in:

lib/ruby_smb/smb1/pipe.rb

Overview

Represents a pipe on the Remote server that we can perform various I/O operations on.

Constant Summary

STATUS_DISCONNECTED =

Reference: https://msdn.microsoft.com/en-us/library/ee441883.aspx

0x0001

STATUS_LISTENING =

0x0002

STATUS_OK =

0x0003

STATUS_CLOSED =

0x0004

Constants included from Dcerpc

Dcerpc::DCE_C_AUTHZ_DCE, Dcerpc::DCE_C_AUTHZ_NAME, Dcerpc::MAX_RECV_FRAG, Dcerpc::MAX_XMIT_FRAG, Dcerpc::RPC_C_AUTHN_DEFAULT, Dcerpc::RPC_C_AUTHN_GSS_KERBEROS, Dcerpc::RPC_C_AUTHN_GSS_NEGOTIATE, Dcerpc::RPC_C_AUTHN_GSS_SCHANNEL, Dcerpc::RPC_C_AUTHN_LEVEL_CALL, Dcerpc::RPC_C_AUTHN_LEVEL_CONNECT, Dcerpc::RPC_C_AUTHN_LEVEL_DEFAULT, Dcerpc::RPC_C_AUTHN_LEVEL_NONE, Dcerpc::RPC_C_AUTHN_LEVEL_PKT, Dcerpc::RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY, Dcerpc::RPC_C_AUTHN_NETLOGON, Dcerpc::RPC_C_AUTHN_NONE, Dcerpc::RPC_C_AUTHN_WINNT

Instance Attribute Summary

Attributes inherited from File

#attributes, #fid, #last_access, #last_change, #last_write, #name, #size, #size_on_disk, #tree

Instance Method Summary

• #bind(options = {}) ⇒ Object
• #dcerpc_request(stub_packet, options = {}) ⇒ String

  Send a DCERPC request with the provided stub packet.

• #initialize(tree:, response:, name:) ⇒ Pipe constructor

  A new instance of Pipe.

• #is_connected? ⇒ Boolean

  True if pipe is connected, false otherwise.

• #peek(peek_size: 0) ⇒ RubySMB::SMB1::Packet::Trans::PeekNmpipeResponse

  Performs a peek operation on the named pipe.

• #peek_available ⇒ Integer

  The number of bytes available to be read from the pipe.

• #peek_state ⇒ Integer

  Pipe status.

Methods included from Dcerpc

#add_auth_verifier, #handle_integrity_privacy, #max_buffer_size=, #process_ntlm_type2, #recv_struct, #send_auth3, #send_packet, #set_integrity_privacy

Methods inherited from File

#append, #close, #delete, #delete_packet, #read, #read_packet, #rename, #rename_packet, #send_recv_read, #send_recv_write, #set_header_fields, #write, #write_packet

Constructor Details

#initialize(tree:, response:, name:) ⇒ Pipe

Returns a new instance of Pipe.

Raises:

• (ArgumentError)

# File 'lib/ruby_smb/smb1/pipe.rb', line 16

def initialize(tree:, response:, name:)
  raise ArgumentError, 'No Name Provided' if name.nil?
  case name
  when 'netlogon', '\\netlogon'
    extend RubySMB::Dcerpc::Netlogon
  when 'srvsvc', '\\srvsvc'
    extend RubySMB::Dcerpc::Srvsvc
  when 'svcctl', '\\svcctl'
    extend RubySMB::Dcerpc::Svcctl
  when 'winreg', '\\winreg'
    extend RubySMB::Dcerpc::Winreg
  when 'samr', '\\samr'
    extend RubySMB::Dcerpc::Samr
  when 'wkssvc', '\\wkssvc'
    extend RubySMB::Dcerpc::Wkssvc
  when 'netdfs', '\\netdfs'
    extend RubySMB::Dcerpc::Dfsnm
  when 'cert', '\\cert'
    extend RubySMB::Dcerpc::Icpr
  end
  super(tree: tree, response: response, name: name)
end

Instance Method Details

#bind(options = {}) ⇒ Object

# File 'lib/ruby_smb/smb1/pipe.rb', line 39

def bind(options={})
  @size = 1024
  @ntlm_client = @tree.client.ntlm_client
  super
end

#dcerpc_request(stub_packet, options = {}) ⇒ String

Send a DCERPC request with the provided stub packet.

Returns:

• (String) —

  the raw DCERPC response stub

Raises:

• (RubySMB::Error::InvalidPacket) —

  if the response is not valid

• (RubySMB::Error::UnexpectedStatusCode) —

  if the response status code is different than STATUS_SUCCESS or STATUS_BUFFER_OVERFLOW

# File 'lib/ruby_smb/smb1/pipe.rb', line 105

def dcerpc_request(stub_packet, options={})
  options.merge!(endpoint: stub_packet.class.name.split('::').at(-2))
  dcerpc_request = RubySMB::Dcerpc::Request.new({ opnum: stub_packet.opnum }, options)
  dcerpc_request.stub.read(stub_packet.to_binary_s)
  if options[:auth_level] &&
     [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
    set_integrity_privacy(dcerpc_request, auth_level: options[:auth_level], auth_type: options[:auth_type])
  end

  trans_nmpipe_request = RubySMB::SMB1::Packet::Trans::TransactNmpipeRequest.new(options)
  @tree.set_header_fields(trans_nmpipe_request)
  trans_nmpipe_request.set_fid(@fid)
  trans_nmpipe_request.data_block.trans_data.write_data = dcerpc_request.to_binary_s

  trans_nmpipe_raw_response = @tree.client.send_recv(trans_nmpipe_request)
  trans_nmpipe_response = RubySMB::SMB1::Packet::Trans::TransactNmpipeResponse.read(trans_nmpipe_raw_response)
  unless trans_nmpipe_response.valid?
    raise RubySMB::Error::InvalidPacket.new(
      expected_proto: RubySMB::SMB1::SMB_PROTOCOL_ID,
      expected_cmd:   RubySMB::SMB1::Packet::Trans::TransactNmpipeResponse::COMMAND,
      packet:         trans_nmpipe_response
    )
  end
  unless [WindowsError::NTStatus::STATUS_SUCCESS,
          WindowsError::NTStatus::STATUS_BUFFER_OVERFLOW].include?(trans_nmpipe_response.status_code)
    raise RubySMB::Error::UnexpectedStatusCode, trans_nmpipe_response.status_code
  end

  raw_data = trans_nmpipe_response.data_block.trans_data.read_data.to_binary_s
  if trans_nmpipe_response.status_code == WindowsError::NTStatus::STATUS_BUFFER_OVERFLOW
    raw_data << read(bytes: @tree.client.max_buffer_size - trans_nmpipe_response.parameter_block.data_count)
    dcerpc_response = dcerpc_response_from_raw_response(raw_data)
    unless dcerpc_response.pdu_header.pfc_flags.first_frag == 1
      raise RubySMB::Dcerpc::Error::InvalidPacket, "Not the first fragment"
    end
    if options[:auth_level] &&
       [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
      handle_integrity_privacy(dcerpc_response, auth_level: options[:auth_level], auth_type: options[:auth_type])
    end
    stub_data = dcerpc_response.stub.to_s

    loop do
      break if dcerpc_response.pdu_header.pfc_flags.last_frag == 1
      raw_data = read(bytes: @tree.client.max_buffer_size)
      dcerpc_response = dcerpc_response_from_raw_response(raw_data)
      if options[:auth_level] &&
         [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
        handle_integrity_privacy(dcerpc_response, auth_level: options[:auth_level], auth_type: options[:auth_type])
      end
      stub_data << dcerpc_response.stub.to_s
    end
    stub_data
  else
    dcerpc_response = dcerpc_response_from_raw_response(raw_data)
    if options[:auth_level] &&
       [RPC_C_AUTHN_LEVEL_PKT_INTEGRITY, RPC_C_AUTHN_LEVEL_PKT_PRIVACY].include?(options[:auth_level])
      handle_integrity_privacy(dcerpc_response, auth_level: options[:auth_level], auth_type: options[:auth_type])
    end
    dcerpc_response.stub.to_s
  end
end

#is_connected? ⇒ Boolean

Returns True if pipe is connected, false otherwise.

Returns:

• (Boolean) —

  True if pipe is connected, false otherwise

# File 'lib/ruby_smb/smb1/pipe.rb', line 87

def is_connected?
  begin
    state = peek_state
  rescue RubySMB::Error::UnexpectedStatusCode => e
    if e.message == 'STATUS_INVALID_HANDLE'
      return false
    end
    raise e
  end
  state == STATUS_OK
end

#peek(peek_size: 0) ⇒ RubySMB::SMB1::Packet::Trans::PeekNmpipeResponse

Performs a peek operation on the named pipe

Parameters:

• peek_size (Integer) (defaults to: 0) —

  Amount of data to peek

Returns:

• (RubySMB::SMB1::Packet::Trans::PeekNmpipeResponse)

Raises:

• (RubySMB::Error::InvalidPacket) —

  If not a valid PeekNmpipeResponse

• (RubySMB::Error::UnexpectedStatusCode) —

  If status is not STATUS_BUFFER_OVERFLOW or STATUS_SUCCESS

# File 'lib/ruby_smb/smb1/pipe.rb', line 51

def peek(peek_size: 0)
  packet = RubySMB::SMB1::Packet::Trans::PeekNmpipeRequest.new
  packet.fid = @fid
  packet.parameter_block.max_data_count = peek_size
  packet = @tree.set_header_fields(packet)
  raw_response = @tree.client.send_recv(packet)
  response = RubySMB::SMB1::Packet::Trans::PeekNmpipeResponse.read(raw_response)
  unless response.valid?
    raise RubySMB::Error::InvalidPacket.new(
      expected_proto: RubySMB::SMB1::SMB_PROTOCOL_ID,
      expected_cmd:   RubySMB::SMB1::Packet::Trans::PeekNmpipeRequest::COMMAND,
      packet:         response
    )
  end

  unless response.status_code == WindowsError::NTStatus::STATUS_BUFFER_OVERFLOW or response.status_code == WindowsError::NTStatus::STATUS_SUCCESS
    raise RubySMB::Error::UnexpectedStatusCode, response.status_code
  end

  response
end

#peek_available ⇒ Integer

Returns The number of bytes available to be read from the pipe.

Returns:

• (Integer) —

  The number of bytes available to be read from the pipe

# File 'lib/ruby_smb/smb1/pipe.rb', line 74

def peek_available
  packet = peek
  # Only 1 of these should be non-zero
  packet.data_block.trans_parameters.read_data_available or packet.data_block.trans_parameters.message_bytes_length
end

#peek_state ⇒ Integer

Returns Pipe status.

Returns:

• (Integer) —

  Pipe status

# File 'lib/ruby_smb/smb1/pipe.rb', line 81

def peek_state
  packet = peek
  packet.data_block.trans_parameters.pipe_state
end