Module: Msf::Exploit::Remote::SMB::Server::Share::Command::SessionSetupAndx
- Included in:
- Msf::Exploit::Remote::SMB::Server::Share
- Defined in:
- lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb
Instance Method Summary
- #send_session_setup_andx_res(c, opts = {}) ⇒ Integer
  Builds and sends an SMB_COM_SESSION_SETUP_ANDX response.
- #smb_cmd_session_setup_andx(c, buff) ⇒ Integer
  Handles an SMB_COM_SESSION_SETUP_ANDX command, used by the client to configure an SMB Session.
Instance Method Details
#send_session_setup_andx_res(c, opts = {}) ⇒ Integer
Builds and sends an SMB_COM_SESSION_SETUP_ANDX response.
```ruby
# File 'lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb', line 51
def send_session_setup_andx_res(c, opts = {})
  action = opts[:action] || 0
  andx_offset = opts[:andx_offset] || 0
  reserved = opts[:reserved] || 0
  andx = opts[:andx] || CONST::SMB_COM_NO_ANDX_COMMAND
  data = opts[:data] || ''
  andx_command = opts[:andx_command] || nil

  pkt = CONST::SMB_SETUP_RES_PKT.make_struct
  smb_set_defaults(c, pkt)

  pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_SESSION_SETUP_ANDX
  pkt['Payload']['SMB'].v['Flags1'] = FLAGS
  pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
  pkt['Payload']['SMB'].v['WordCount'] = CONST::SMB_SESSION_SETUP_ANDX_RES_WORD_COUNT
  pkt['Payload'].v['AndX'] = andx
  pkt['Payload'].v['Reserved1'] = reserved
  pkt['Payload'].v['AndXOffset'] = andx_offset
  pkt['Payload'].v['Action'] = action
  pkt['Payload'].v['Payload'] = data

  if andx_command
    # Append the chained AndX response, then patch the 16-bit length at
    # bytes 2..3 of the packet so it also covers the appended bytes.
    full_pkt = pkt.to_s + andx_command.to_s
    original_length = full_pkt[2, 2].unpack('n')[0]
    original_length = original_length + andx_command.to_s.length
    full_pkt[2, 2] = [original_length].pack('n')
  else
    full_pkt = pkt.to_s
  end

  c.put(full_pkt)
end
```
#smb_cmd_session_setup_andx(c, buff) ⇒ Integer
Handles an SMB_COM_SESSION_SETUP_ANDX command, used by the client to configure an SMB Session.
```ruby
# File 'lib/msf/core/exploit/smb/server/share/command/session_setup_andx.rb', line 15
def smb_cmd_session_setup_andx(c, buff)
  # Pre-build the Tree Connect AndX response that is chained onto the
  # Session Setup AndX response below.
  tree_connect_response = CONST::SMB_TREE_CONN_ANDX_RES_PKT.make_struct
  tree_connect_response.v['WordCount'] = CONST::SMB_TREE_CONN_ANDX_WORD_COUNT
  tree_connect_response.v['AndXCommand'] = CONST::SMB_COM_NO_ANDX_COMMAND
  tree_connect_response.v['AndXReserved'] = 0
  tree_connect_response.v['AndXOffset'] = 0
  tree_connect_response.v['OptionalSupport'] = 1
  tree_connect_response.v['AccessRights'] = TREE_CONNECT_MAX_ACCESS
  tree_connect_response.v['GuestAccessRights'] = 0
  tree_connect_response.v['Payload'] = "A:\x00#{Rex::Text.to_unicode('NTFS')}\x00\x00"

  data = Rex::Text.to_unicode('Unix', 'utf-16be') + "\x00\x00" + # Native OS # Samba signature
    Rex::Text.to_unicode('Samba 3.4.7', 'utf-16be') + "\x00\x00" + # Native LAN Manager # Samba signature
    Rex::Text.to_unicode('WORKGROUP', 'utf-16be') + "\x00\x00\x00" # Primary DOMAIN # Samba signature

  # The contents of buff are not inspected: every client gets the same
  # guest-logon reply with the tree connect response chained on.
  send_session_setup_andx_res(c, {
    action: CONST::SMB_SETUP_GUEST,
    data: data,
    andx: CONST::SMB_COM_TREE_CONNECT_ANDX,
    andx_offset: 96,
    andx_command: tree_connect_response
  })
end
```
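Because the handler above answers every client with the same guest flag, identity strings and chained Tree Connect, its reply is recognizable on the wire. The following is an added example, not Metasploit code: it parses a Session Setup AndX response and checks for those fixed values. The helper names, numeric constants and sample packet are assumptions constructed here, and a word count of 3 is inferred from the page's `andx_offset: 96` (41 fixed bytes plus 55 bytes of strings).

```ruby
# Added example: helper names and the sample packet are constructed here.
SMB_COM_SESSION_SETUP_ANDX = 0x73
SMB_COM_TREE_CONNECT_ANDX  = 0x75
SMB_SETUP_GUEST            = 0x0001
# Identity strings hardcoded in smb_cmd_session_setup_andx on this page.
STATIC_STRINGS = ['Unix', 'Samba 3.4.7', 'WORKGROUP'].freeze
FIXED_LEN = 41 # 32-byte SMB header + WordCount + 3 words + ByteCount

# Parse an SMB1 Session Setup AndX response (SMB message without the
# 4-byte NetBIOS session header). Returns nil for anything else.
def parse_session_setup_res(smb)
  smb = smb.b
  return nil unless smb.bytesize >= FIXED_LEN && smb[0, 4] == "\xFFSMB".b
  return nil unless smb.getbyte(4) == SMB_COM_SESSION_SETUP_ANDX
  word_count, andx, _rsvd, andx_offset, action, byte_count =
    smb[32, 9].unpack('CCCvvv')
  return nil unless word_count == 3
  data = smb[FIXED_LEN, byte_count].to_s
  # The strings start at an odd offset, so one pad byte precedes them;
  # after it they are NUL-terminated UTF-16LE.
  units = data[1..-1].to_s.unpack('v*')
  strings = units.slice_when { |a, _b| a.zero? }
                 .map { |s| (s - [0]).pack('U*') }
  { andx: andx, andx_offset: andx_offset, strings: strings,
    guest: (action & SMB_SETUP_GUEST) != 0,
    offset_ok: andx_offset == FIXED_LEN + byte_count }
end

# True when a response shows guest logon, a chained Tree Connect AndX and
# exactly the static strings, i.e. it matches this handler's fixed reply.
def canned_share_reply?(fields)
  !fields.nil? && fields[:guest] &&
    fields[:andx] == SMB_COM_TREE_CONNECT_ANDX &&
    fields[:strings] == STATIC_STRINGS
end

# Constructed sample laid out like the page's code: UTF-16BE text plus NULs,
# which reads on the wire as a pad byte followed by UTF-16LE strings.
def constructed_sample(strings = STATIC_STRINGS)
  data = strings.map { |s| s.encode('UTF-16BE').b + "\x00\x00".b }.join + "\x00".b
  header = "\xFFSMB".b + [SMB_COM_SESSION_SETUP_ANDX].pack('C') + ("\x00" * 27).b
  words = [3, SMB_COM_TREE_CONNECT_ANDX, 0, FIXED_LEN + data.bytesize,
           SMB_SETUP_GUEST, data.bytesize].pack('CCCvvv')
  header + words + data
end

fields = parse_session_setup_res(constructed_sample)
puts fields.inspect
puts "matches fixed reply: #{canned_share_reply?(fields)}"
```

A match on these fields alone is a weak signal, since a real Samba 3.4.7 host in WORKGROUP can send the same strings; the unconditional guest logon combined with the chained Tree Connect narrows it.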