diff --git a/lib/msf/core/exploit/smb/server/share.rb b/lib/msf/core/exploit/smb/server/share.rb
index 55682e31bf..103eb6595f 100644
--- a/lib/msf/core/exploit/smb/server/share.rb
+++ b/lib/msf/core/exploit/smb/server/share.rb
@@ -66,8 +66,6 @@ module Msf
 CONST::SMB_WRITE_OWNER_ACCESS |
 CONST::SMB_SYNC_ACCESS
- UNICODE_NULL_LENGTH = 2
-
 attr_accessor :unc
 attr_accessor :share
 attr_accessor :path_name
diff --git a/lib/msf/core/exploit/smb/server/share/information_level/find.rb b/lib/msf/core/exploit/smb/server/share/information_level/find.rb
index 6e70f91651..50bcf26d0e 100644
--- a/lib/msf/core/exploit/smb/server/share/information_level/find.rb
+++ b/lib/msf/core/exploit/smb/server/share/information_level/find.rb
@@ -67,11 +67,9 @@ module Msf
 pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
 pkt['Payload'].v['ParamOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH
 pkt['Payload'].v['DataCount'] = find_file.to_s.length
- pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length + UNICODE_NULL_LENGTH
+ pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length
 pkt['Payload'].v['Payload'] =
- "\x00" + # Padding
 trans2_params.to_s +
- "\x00\x00" + # Padding
 find_file.to_s
 c.put(pkt.to_s)
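Review bot: The offset arithmetic in this hunk — ParamOffset set to CONST::SMB_TRANS_RES_PKT_LENGTH, DataOffset to that plus the parameter length, and Payload as the bare concatenation of trans2_params and find_file — is written out by hand here and again in the find.rb hunks at -112 and -186 and the query.rb hunks at -49, -79, -137, -187 and -250, and every copy had to change in lock-step with the one-byte edit to the constant in lib/rex/proto/smb/constants.rb. A small helper that takes the two structs and sets the counts, offsets and Payload together would leave a single place where the header length, the padding policy and the offsets must agree, so the next protocol tweak cannot leave one response out of step. Dropping the Pad1/Pad2 bytes also means the data block is no longer aligned to a 2- or 4-byte boundary; the Trans2 response carries explicit offsets so this is permitted, but a capture against the clients this share server is meant to serve would confirm they accept an unpadded response. The enclosing method begins before the hunk.
```ruby
# Fills the Trans2 response counts, offsets and Payload from the two
# structs so that ParamOffset/DataOffset always match the bytes emitted
# (no Pad1/Pad2 bytes are written).
def fill_trans2_response(pkt, params, data)
  param_bytes = params.to_s
  data_bytes = data.to_s
  pkt['Payload'].v['ParamCountTotal'] = param_bytes.length
  pkt['Payload'].v['DataCountTotal'] = data_bytes.length
  pkt['Payload'].v['ParamCount'] = param_bytes.length
  pkt['Payload'].v['ParamOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH
  pkt['Payload'].v['DataCount'] = data_bytes.length
  pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + param_bytes.length
  pkt['Payload'].v['Payload'] = param_bytes + data_bytes
end
# … unchanged: per-information-level header setup, then fill_trans2_response(pkt, trans2_params, find_file) and c.put(pkt.to_s) …
```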
@@ -112,17 +110,14 @@ module Msf
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 10
 pkt['Payload'].v['ParamCountTotal'] = trans2_params.to_s.length
- pkt['Payload'].v['DataCountTotal'] = find_file.to_s.length + UNICODE_NULL_LENGTH
+ pkt['Payload'].v['DataCountTotal'] = find_file.to_s.length
 pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
 pkt['Payload'].v['ParamOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH
- pkt['Payload'].v['DataCount'] = find_file.to_s.length + UNICODE_NULL_LENGTH
- pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length + UNICODE_NULL_LENGTH
+ pkt['Payload'].v['DataCount'] = find_file.to_s.length
+ pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length
 pkt['Payload'].v['Payload'] =
- "\x00" + # Padding
 trans2_params.to_s +
- "\x00\x00" + # Padding
- find_file.to_s +
- "\x00\x00"
+ find_file.to_s
 c.put(pkt.to_s)
 end
@@ -186,11 +181,9 @@ module Msf
 pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
 pkt['Payload'].v['ParamOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH
 pkt['Payload'].v['DataCount'] = find_file.to_s.length
- pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length + UNICODE_NULL_LENGTH
+ pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length
 pkt['Payload'].v['Payload'] =
- "\x00" + # Padding
 trans2_params.to_s +
- "\x00\x00" + # Padding
 find_file.to_s
 c.put(pkt.to_s)
diff --git a/lib/msf/core/exploit/smb/server/share/information_level/query.rb b/lib/msf/core/exploit/smb/server/share/information_level/query.rb
index 14a275ec2e..db78dc6033 100644
--- a/lib/msf/core/exploit/smb/server/share/information_level/query.rb
+++ b/lib/msf/core/exploit/smb/server/share/information_level/query.rb
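Review bot: The two trailing NUL bytes removed from the end of Payload in the -112 hunk were previously counted in DataCount and DataCountTotal, and both counts now drop UNICODE_NULL_LENGTH to match, so the advertised data length stays consistent with the bytes sent; what the hunk cannot show is whether find_file.to_s already ends with the FileName terminator those two bytes used to supply, and if the struct does not emit one the data block is now two bytes shorter than the old response. The same question applies to the query.rb hunk at -79, which drops a `"\x00\x00" # Unknown` tail in the same way (the -187 hunk only deletes commented-out remnants of that pattern). A short comment on the `+ find_file.to_s` line, such as `# find_file already carries the FileName terminator; nothing is appended after it`, would record the assumption for the next reader once it has been checked against the struct definition. The enclosing method begins before the hunk.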
@@ -49,11 +49,9 @@ module Msf
 pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
 pkt['Payload'].v['ParamOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH
 pkt['Payload'].v['DataCount'] = query_path_info.to_s.length
- pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length + UNICODE_NULL_LENGTH
+ pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length
 pkt['Payload'].v['Payload'] =
- "\x00" + # Padding
 trans2_params.to_s +
- "\x00\x00" + # Padding
 query_path_info.to_s
 c.put(pkt.to_s)
@@ -79,17 +77,14 @@ module Msf
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 10
 pkt['Payload'].v['ParamCountTotal'] = trans2_params.to_s.length
- pkt['Payload'].v['DataCountTotal'] = query_path_info.to_s.length + UNICODE_NULL_LENGTH
+ pkt['Payload'].v['DataCountTotal'] = query_path_info.to_s.length
 pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
 pkt['Payload'].v['ParamOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH
- pkt['Payload'].v['DataCount'] = query_path_info.to_s.length + UNICODE_NULL_LENGTH
- pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length + UNICODE_NULL_LENGTH
+ pkt['Payload'].v['DataCount'] = query_path_info.to_s.length
+ pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length
 pkt['Payload'].v['Payload'] =
- "\x00" + # Padding
 trans2_params.to_s +
- "\x00\x00" + # Padding
- query_path_info.to_s +
- "\x00\x00" # Unknown
+ query_path_info.to_s
 c.put(pkt.to_s)
 end
@@ -137,11 +132,9 @@ module Msf
 pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
 pkt['Payload'].v['ParamOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH
 pkt['Payload'].v['DataCount'] = query_path_info.to_s.length
- pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length + UNICODE_NULL_LENGTH
+ pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length
 pkt['Payload'].v['Payload'] =
- "\x00" + # Padding
 trans2_params.to_s +
- "\x00\x00" + # Padding
 query_path_info.to_s
 c.put(pkt.to_s)
@@ -187,19 +180,14 @@ module Msf
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 10
 pkt['Payload'].v['ParamCountTotal'] = trans2_params.to_s.length
- #pkt['Payload'].v['DataCountTotal'] = query_path_info.to_s.length + UNICODE_NULL_LENGTH
 pkt['Payload'].v['DataCountTotal'] = query_path_info.to_s.length
 pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
 pkt['Payload'].v['ParamOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH
- #pkt['Payload'].v['DataCount'] = query_path_info.to_s.length + UNICODE_NULL_LENGTH
 pkt['Payload'].v['DataCount'] = query_path_info.to_s.length
- pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length + UNICODE_NULL_LENGTH
+ pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length
 pkt['Payload'].v['Payload'] =
- "\x00" + # Padding
 trans2_params.to_s +
- "\x00\x00" + # Padding
- query_path_info.to_s #+
- #"\x00\x00" # Unknown
+ query_path_info.to_s
 c.put(pkt.to_s)
 end
@@ -250,15 +238,13 @@ module Msf
 pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
 pkt['Payload']['SMB'].v['WordCount'] = 10
 pkt['Payload'].v['ParamCountTotal'] = trans2_params.to_s.length
- pkt['Payload'].v['DataCountTotal'] = query_path_info.to_s.length + UNICODE_NULL_LENGTH
+ pkt['Payload'].v['DataCountTotal'] = query_path_info.to_s.length
 pkt['Payload'].v['ParamCount'] = trans2_params.to_s.length
 pkt['Payload'].v['ParamOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH
- pkt['Payload'].v['DataCount'] = query_path_info.to_s.length + UNICODE_NULL_LENGTH
- pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length + UNICODE_NULL_LENGTH
+ pkt['Payload'].v['DataCount'] = query_path_info.to_s.length
+ pkt['Payload'].v['DataOffset'] = CONST::SMB_TRANS_RES_PKT_LENGTH + trans2_params.to_s.length
 pkt['Payload'].v['Payload'] =
- "\x00" + # Padding
 trans2_params.to_s +
- "\x00\x00" + # Padding
 query_path_info.to_s
 c.put(pkt.to_s)
diff --git a/lib/rex/proto/smb/constants.rb b/lib/rex/proto/smb/constants.rb
index 113e5e77ea..7713f8fdf1 100644
--- a/lib/rex/proto/smb/constants.rb
+++ b/lib/rex/proto/smb/constants.rb
@@ -836,7 +836,7 @@ class Constants
 )
 SMB_TRANS_RES_PKT = self.make_nbs(SMB_TRANS_RES_HDR_PKT)
- SMB_TRANS_RES_PKT_LENGTH = SMB_HDR_LENGTH + 23
+ SMB_TRANS_RES_PKT_LENGTH = SMB_HDR_LENGTH + 22
 # A SMB template for SMB Transaction2 requests
 SMB_TRANS2_HDR_PKT = Rex::Struct2::CStructTemplate.new(
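Review bot: SMB_TRANS_RES_PKT_LENGTH is a Rex-level constant and the constants.rb hunk changes its value for every consumer, while the rest of the diff only updates the share-server modules under lib/msf/core/exploit/smb/server/share; any other code that pairs this constant with its own leading pad byte, as those modules did before this change, is now off by one, so a grep for other users of the constant is worth doing before merging. The new value also has no visible derivation: with WordCount set to 10 in the callers, a header of WordCount plus ten words plus ByteCount is 23 bytes, which suggests 22 is that length minus the Pad1 byte the share responses no longer emit, so the name now describes an offset rather than the template length. I would either compute it from SMB_TRANS_RES_HDR_PKT or attach a comment on the `+` line such as `# Offset of the first parameter byte from the SMB header; share-server Trans2 responses emit no Pad1 byte, so this is one less than the template length`, corrected to whatever the real derivation is. Since the share modules dropped the pad byte at the same time, the two edits cancel for them, but a capture confirming that ParamOffset now lands on the first byte of trans2_params rather than the byte before it would settle whether the old value, the new value, or both were correct.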