adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Delete unnecessary paddings due to miscalculations

Browse Source
This commit is contained in:
jvazquez-r7
2015-02-26 15:54:00 -06:00
parent 387c966550
commit 89a033c194
4 changed files with 18 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files
lib/msf/core/exploit/smb/server/share.rb
-2
View File
@@ -66,8 +66,6 @@ module Msf
CONST::SMB_WRITE_OWNER_ACCESS |
CONST::SMB_SYNC_ACCESS
UNICODE_NULL_LENGTH = 2
attr_accessor :unc
attr_accessor :share
attr_accessor :path_name
lib/msf/core/exploit/smb/server/share/information_level/find.rb
+6 -13
View File
@@ -67,11 +67,9 @@ module Msf
pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
pkt['Payload'].v['ParamOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH
pkt['Payload'].v['DataCount'] = find_file.to_s.length
pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length + UNICODE_NULL_LENGTH
pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length
pkt['Payload'].v['Payload'] =
"\x00" + # Padding
trans2_params.to_s +
"\x00\x00" + # Padding
find_file.to_s
c.put(pkt.to_s)
@@ -112,17 +110,14 @@ module Msf
pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
pkt['Payload']['SMB'].v['WordCount'] = 10
pkt['Payload'].v['ParamCountTotal'] = trans2_params.to_s.length
pkt['Payload'].v['DataCountTotal'] = find_file.to_s.length + UNICODE_NULL_LENGTH
pkt['Payload'].v['DataCountTotal'] = find_file.to_s.length
pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
pkt['Payload'].v['ParamOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH
pkt['Payload'].v['DataCount'] = find_file.to_s.length + UNICODE_NULL_LENGTH
pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length + UNICODE_NULL_LENGTH
pkt['Payload'].v['DataCount'] = find_file.to_s.length
pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length
pkt['Payload'].v['Payload'] =
"\x00" + # Padding
trans2_params.to_s +
"\x00\x00" + # Padding
find_file.to_s +
"\x00\x00"
find_file.to_s
c.put(pkt.to_s)
end
@@ -186,11 +181,9 @@ module Msf
pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
pkt['Payload'].v['ParamOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH
pkt['Payload'].v['DataCount'] = find_file.to_s.length
pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length + UNICODE_NULL_LENGTH
pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length
pkt['Payload'].v['Payload'] =
"\x00" + # Padding
trans2_params.to_s +
"\x00\x00" + # Padding
find_file.to_s
c.put(pkt.to_s)
lib/msf/core/exploit/smb/server/share/information_level/query.rb
+11 -25
View File
@@ -49,11 +49,9 @@ module Msf
pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
pkt['Payload'].v['ParamOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH
pkt['Payload'].v['DataCount'] = query_path_info.to_s.length
pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length + UNICODE_NULL_LENGTH
pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length
pkt['Payload'].v['Payload'] =
"\x00" + # Padding
trans2_params.to_s +
"\x00\x00" + # Padding
query_path_info.to_s
c.put(pkt.to_s)
@@ -79,17 +77,14 @@ module Msf
pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
pkt['Payload']['SMB'].v['WordCount'] = 10
pkt['Payload'].v['ParamCountTotal'] = trans2_params.to_s.length
pkt['Payload'].v['DataCountTotal'] = query_path_info.to_s.length + UNICODE_NULL_LENGTH
pkt['Payload'].v['DataCountTotal'] = query_path_info.to_s.length
pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
pkt['Payload'].v['ParamOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH
pkt['Payload'].v['DataCount'] = query_path_info.to_s.length + UNICODE_NULL_LENGTH
pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length + UNICODE_NULL_LENGTH
pkt['Payload'].v['DataCount'] = query_path_info.to_s.length
pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length
pkt['Payload'].v['Payload'] =
"\x00" + # Padding
trans2_params.to_s +
"\x00\x00" + # Padding
query_path_info.to_s +
"\x00\x00" # Unknown
query_path_info.to_s
c.put(pkt.to_s)
end
@@ -137,11 +132,9 @@ module Msf
pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
pkt['Payload'].v['ParamOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH
pkt['Payload'].v['DataCount'] = query_path_info.to_s.length
pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length + UNICODE_NULL_LENGTH
pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length
pkt['Payload'].v['Payload'] =
"\x00" + # Padding
trans2_params.to_s +
"\x00\x00" + # Padding
query_path_info.to_s
c.put(pkt.to_s)
@@ -187,19 +180,14 @@ module Msf
pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
pkt['Payload']['SMB'].v['WordCount'] = 10
pkt['Payload'].v['ParamCountTotal'] = trans2_params.to_s.length
#pkt['Payload'].v['DataCountTotal'] = query_path_info.to_s.length + UNICODE_NULL_LENGTH
pkt['Payload'].v['DataCountTotal'] = query_path_info.to_s.length
pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
pkt['Payload'].v['ParamOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH
#pkt['Payload'].v['DataCount'] = query_path_info.to_s.length + UNICODE_NULL_LENGTH
pkt['Payload'].v['DataCount'] = query_path_info.to_s.length
pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length + UNICODE_NULL_LENGTH
pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length
pkt['Payload'].v['Payload'] =
"\x00" + # Padding
trans2_params.to_s +
"\x00\x00" + # Padding
query_path_info.to_s #+
#"\x00\x00" # Unknown
query_path_info.to_s
c.put(pkt.to_s)
end
@@ -250,15 +238,13 @@ module Msf
pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
pkt['Payload']['SMB'].v['WordCount'] = 10
pkt['Payload'].v['ParamCountTotal'] = trans2_params.to_s.length
pkt['Payload'].v['DataCountTotal'] = query_path_info.to_s.length + UNICODE_NULL_LENGTH
pkt['Payload'].v['DataCountTotal'] = query_path_info.to_s.length
pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
pkt['Payload'].v['ParamOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH
pkt['Payload'].v['DataCount'] = query_path_info.to_s.length + UNICODE_NULL_LENGTH
pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length + UNICODE_NULL_LENGTH
pkt['Payload'].v['DataCount'] = query_path_info.to_s.length
pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length
pkt['Payload'].v['Payload'] =
"\x00" + # Padding
trans2_params.to_s +
"\x00\x00" + # Padding
query_path_info.to_s
c.put(pkt.to_s)
lib/rex/proto/smb/constants.rb
+1 -1
View File
@@ -836,7 +836,7 @@ class Constants
)
SMB_TRANS_RES_PKT = self.make_nbs(SMB_TRANS_RES_HDR_PKT)
SMB_TRANS_RES_PKT_LENGTH = SMB_HDR_LENGTH + 23
SMB_TRANS_RES_PKT_LENGTH = SMB_HDR_LENGTH + 22
# A SMB template for SMB Transaction2 requests
SMB_TRANS2_HDR_PKT = Rex::Struct2::CStructTemplate.new(