line |
stmt |
bran |
cond |
sub |
pod |
time |
code |
1
|
|
|
|
|
|
|
# SMB-Perl library, Copyright (C) 2014-2018 Mikhael Goikhman, migo@cpan.org |
2
|
|
|
|
|
|
|
# |
3
|
|
|
|
|
|
|
# This program is free software: you can redistribute it and/or modify |
4
|
|
|
|
|
|
|
# it under the terms of the GNU General Public License as published by |
5
|
|
|
|
|
|
|
# the Free Software Foundation, either version 3 of the License, or |
6
|
|
|
|
|
|
|
# (at your option) any later version. |
7
|
|
|
|
|
|
|
# |
8
|
|
|
|
|
|
|
# This program is distributed in the hope that it will be useful, |
9
|
|
|
|
|
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of |
10
|
|
|
|
|
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the |
11
|
|
|
|
|
|
|
# GNU General Public License for more details. |
12
|
|
|
|
|
|
|
# |
13
|
|
|
|
|
|
|
# You should have received a copy of the GNU General Public License |
14
|
|
|
|
|
|
|
# along with this program. If not, see . |
15
|
|
|
|
|
|
|
|
16
|
|
|
|
|
|
|
package SMB::DCERPC; |
17
|
|
|
|
|
|
|
|
18
|
2
|
|
|
2
|
|
3825
|
use strict; |
|
2
|
|
|
|
|
5
|
|
|
2
|
|
|
|
|
59
|
|
19
|
2
|
|
|
2
|
|
12
|
use warnings; |
|
2
|
|
|
|
|
4
|
|
|
2
|
|
|
|
|
60
|
|
20
|
|
|
|
|
|
|
|
21
|
2
|
|
|
2
|
|
343
|
use parent 'SMB'; |
|
2
|
|
|
|
|
237
|
|
|
2
|
|
|
|
|
11
|
|
22
|
|
|
|
|
|
|
|
23
|
2
|
|
|
2
|
|
576
|
use bytes; |
|
2
|
|
|
|
|
14
|
|
|
2
|
|
|
|
|
23
|
|
24
|
|
|
|
|
|
|
|
25
|
2
|
|
|
2
|
|
380
|
use SMB::Parser; |
|
2
|
|
|
|
|
4
|
|
|
2
|
|
|
|
|
54
|
|
26
|
2
|
|
|
2
|
|
327
|
use SMB::Packer; |
|
2
|
|
|
|
|
5
|
|
|
2
|
|
|
|
|
180
|
|
27
|
|
|
|
|
|
|
|
28
|
|
|
|
|
|
|
# DCERPC 5.0 protocol |
29
|
|
|
|
|
|
|
|
30
|
|
|
|
|
|
|
use constant { |
31
|
|
|
|
|
|
|
# for bind contexts |
32
|
2
|
|
|
|
|
6936
|
UUID_AS_SRVSVC => "\xc8\x4f\x32\x4b\x70\x16\xd3\x01\x12\x78\x5a\x47\xbf\x6e\xe1\x88", |
33
|
|
|
|
|
|
|
UUID_TS_32BIT_NDR => "\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60", |
34
|
|
|
|
|
|
|
UUID_TS_64BIT_NDR => "\x33\x05\x71\x71\xba\xbe\x37\x49\x83\x19\xb5\xdb\xef\x9c\xcc\x36", |
35
|
|
|
|
|
|
|
UUID_TS_BIND_TIME => "\x2c\x1c\xb7\x6c\x12\x98\x40\x45\x03\x00\x00\x00\x00\x00\x00\x00", |
36
|
|
|
|
|
|
|
UUID_TS_NULL => "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00", |
37
|
|
|
|
|
|
|
|
38
|
|
|
|
|
|
|
PACKET_TYPE_REQUEST => 0, |
39
|
|
|
|
|
|
|
PACKET_TYPE_RESPONSE => 2, |
40
|
|
|
|
|
|
|
PACKET_TYPE_BIND => 11, |
41
|
|
|
|
|
|
|
PACKET_TYPE_BIND_ACK => 12, |
42
|
|
|
|
|
|
|
|
43
|
|
|
|
|
|
|
STATE_INITIAL => 0, |
44
|
|
|
|
|
|
|
STATE_BIND => 1, |
45
|
|
|
|
|
|
|
STATE_BIND_ACK => 2, |
46
|
|
|
|
|
|
|
STATE_REQUEST => 3, |
47
|
|
|
|
|
|
|
STATE_RESPONSE => 4, |
48
|
2
|
|
|
2
|
|
15
|
}; |
|
2
|
|
|
|
|
4
|
|
49
|
|
|
|
|
|
|
|
50
|
|
|
|
|
|
|
our %operation_codes = ( |
51
|
|
|
|
|
|
|
16 => 'NetShareGetInfo', |
52
|
|
|
|
|
|
|
); |
53
|
|
|
|
|
|
|
|
54
|
|
|
|
|
|
|
our %operations = reverse %operation_codes; |
55
|
|
|
|
|
|
|
|
56
|
|
|
|
|
|
|
sub new ($%) { |
57
|
2
|
|
|
2
|
1
|
441
|
my $class = shift; |
58
|
2
|
|
|
|
|
6
|
my %options = @_; |
59
|
|
|
|
|
|
|
|
60
|
|
|
|
|
|
|
die "No name (service name) in constructor" |
61
|
2
|
50
|
|
|
|
8
|
unless defined $options{name}; |
62
|
|
|
|
|
|
|
|
63
|
2
|
|
|
|
|
11
|
return $class->SUPER::new( |
64
|
|
|
|
|
|
|
state => STATE_INITIAL, |
65
|
|
|
|
|
|
|
current_packet_type => undef, |
66
|
|
|
|
|
|
|
current_context_id => undef, |
67
|
|
|
|
|
|
|
current_call_id => 1, |
68
|
|
|
|
|
|
|
requested_opnum => undef, |
69
|
|
|
|
|
|
|
requested_opinfo => {}, |
70
|
|
|
|
|
|
|
contexts => [], |
71
|
|
|
|
|
|
|
parser => SMB::Parser->new, |
72
|
|
|
|
|
|
|
packer => SMB::Packer->new, |
73
|
|
|
|
|
|
|
%options, |
74
|
|
|
|
|
|
|
); |
75
|
|
|
|
|
|
|
} |
76
|
|
|
|
|
|
|
|
77
|
|
|
|
|
|
|
sub parse_common ($$$) { |
78
|
6
|
|
|
6
|
0
|
13
|
my $self = shift; |
79
|
6
|
|
|
|
|
10
|
my $payload = shift; |
80
|
6
|
|
|
|
|
8
|
my $packet_type = shift; |
81
|
|
|
|
|
|
|
|
82
|
6
|
|
|
|
|
24
|
my $parser = $self->parser; |
83
|
6
|
|
|
|
|
24
|
$parser->set($payload); |
84
|
|
|
|
|
|
|
|
85
|
6
|
|
50
|
|
|
16
|
my $version_major = $parser->uint8 // '-'; |
86
|
6
|
|
50
|
|
|
12
|
my $version_minor = $parser->uint8 // '-'; |
87
|
6
|
50
|
33
|
|
|
22
|
return $self->err("Got unsupported DCERPC version ($version_major.$version_minor)") |
88
|
|
|
|
|
|
|
unless $version_major eq 5 && $version_minor eq 0; |
89
|
|
|
|
|
|
|
|
90
|
6
|
|
50
|
|
|
10
|
my $given_packet_type = $parser->uint8 // '-'; |
91
|
6
|
50
|
|
|
|
12
|
return $self->err("Got DCERPC packet_type $given_packet_type (expected $packet_type)") |
92
|
|
|
|
|
|
|
unless $packet_type eq $given_packet_type; |
93
|
6
|
|
|
|
|
14
|
$self->current_packet_type($packet_type); |
94
|
|
|
|
|
|
|
|
95
|
6
|
|
50
|
|
|
10
|
my $packet_flags = $parser->uint8 // '-'; |
96
|
6
|
50
|
|
|
|
13
|
return $self->err("Got unsupported DCERPC packet_flags ($packet_flags)") |
97
|
|
|
|
|
|
|
unless $packet_flags eq 3; |
98
|
|
|
|
|
|
|
|
99
|
6
|
|
50
|
|
|
14
|
my $data_representation = $parser->uint32 // '-'; |
100
|
6
|
50
|
|
|
|
14
|
return $self->err("Got unsupported DCERPC data_representation ($data_representation)") |
101
|
|
|
|
|
|
|
unless $data_representation eq 0x10; |
102
|
|
|
|
|
|
|
|
103
|
6
|
|
|
|
|
13
|
my $len = $parser->uint16; |
104
|
6
|
|
50
|
|
|
11
|
my $auth_len = $parser->uint16 // '-'; |
105
|
6
|
50
|
|
|
|
12
|
return $self->err("Got unsupported DCERPC auth_len ($auth_len)") |
106
|
|
|
|
|
|
|
unless $auth_len eq 0; |
107
|
|
|
|
|
|
|
|
108
|
6
|
|
50
|
|
|
7
|
my $call_id = $parser->uint32 // '-'; |
109
|
6
|
|
|
|
|
15
|
$self->current_call_id($call_id); |
110
|
|
|
|
|
|
|
|
111
|
6
|
100
|
100
|
|
|
24
|
if ($packet_type == PACKET_TYPE_BIND || $packet_type == PACKET_TYPE_BIND_ACK) { |
112
|
2
|
|
|
|
|
8
|
$parser->uint16; # max_xmit_frag |
113
|
2
|
|
|
|
|
4
|
$parser->uint16; # max_recv_frag |
114
|
2
|
|
|
|
|
3
|
$parser->uint32; # assoc_group |
115
|
2
|
|
|
|
|
9
|
$self->current_context_id(undef); |
116
|
2
|
|
|
|
|
6
|
$self->requested_opnum(undef); |
117
|
|
|
|
|
|
|
} else { |
118
|
4
|
|
|
|
|
8
|
$parser->uint32; # alloc hint |
119
|
4
|
|
|
|
|
8
|
$self->current_context_id($parser->uint16); |
120
|
4
|
|
|
|
|
6
|
$self->requested_opnum($parser->uint16); |
121
|
|
|
|
|
|
|
} |
122
|
|
|
|
|
|
|
|
123
|
6
|
|
|
|
|
17
|
return 1; |
124
|
|
|
|
|
|
|
} |
125
|
|
|
|
|
|
|
|
126
|
|
|
|
|
|
|
sub pack_common ($$) { |
127
|
6
|
|
|
6
|
0
|
8
|
my $self = shift; |
128
|
6
|
|
|
|
|
9
|
my $packet_type = shift; |
129
|
|
|
|
|
|
|
|
130
|
6
|
|
|
|
|
26
|
my $packer = $self->packer; |
131
|
6
|
|
|
|
|
20
|
$packer->reset; |
132
|
|
|
|
|
|
|
|
133
|
6
|
|
|
|
|
15
|
$packer |
134
|
|
|
|
|
|
|
->mark('dcerpc-start') |
135
|
|
|
|
|
|
|
->uint8(5) # version_major |
136
|
|
|
|
|
|
|
->uint8(0) # version_minor |
137
|
|
|
|
|
|
|
->uint8($packet_type) |
138
|
|
|
|
|
|
|
->uint8(3) # packet_flags |
139
|
|
|
|
|
|
|
->uint32(0x10) # data_representation |
140
|
|
|
|
|
|
|
->stub('frag-length', 'uint16') |
141
|
|
|
|
|
|
|
->uint16(0) # auth_len |
142
|
|
|
|
|
|
|
->uint32($self->current_call_id) |
143
|
|
|
|
|
|
|
; |
144
|
|
|
|
|
|
|
|
145
|
6
|
100
|
100
|
|
|
27
|
if ($packet_type == PACKET_TYPE_BIND || $packet_type == PACKET_TYPE_BIND_ACK) { |
146
|
2
|
|
|
|
|
5
|
$packer->uint16(4280); # max_xmit_frag |
147
|
2
|
|
|
|
|
33
|
$packer->uint16(4280); # max_recv_frag |
148
|
2
|
|
|
|
|
4
|
$packer->uint32(0x5011); # assoc_group |
149
|
|
|
|
|
|
|
} else { |
150
|
4
|
|
|
|
|
8
|
$packer->uint32(100); # alloc hint |
151
|
4
|
|
|
|
|
9
|
$packer->uint16($self->current_context_id); |
152
|
4
|
|
|
|
|
8
|
$packer->uint16($self->requested_opnum); |
153
|
|
|
|
|
|
|
} |
154
|
|
|
|
|
|
|
|
155
|
6
|
|
|
|
|
21
|
$self->current_packet_type($packet_type); |
156
|
|
|
|
|
|
|
|
157
|
6
|
|
|
|
|
7
|
return 1; |
158
|
|
|
|
|
|
|
} |
159
|
|
|
|
|
|
|
|
160
|
|
|
|
|
|
|
sub finalize_pack_common ($) { |
161
|
6
|
|
|
6
|
0
|
7
|
my $self = shift; |
162
|
6
|
|
|
|
|
6
|
my $packet_type = shift; |
163
|
|
|
|
|
|
|
|
164
|
6
|
|
|
|
|
10
|
my $packer = $self->packer; |
165
|
|
|
|
|
|
|
|
166
|
6
|
|
|
|
|
11
|
$packer->fill('frag-length', $packer->diff('dcerpc-start')); |
167
|
|
|
|
|
|
|
|
168
|
6
|
|
|
|
|
12
|
return ($packer->data, SMB::STATUS_SUCCESS); |
169
|
|
|
|
|
|
|
} |
170
|
|
|
|
|
|
|
|
171
|
|
|
|
|
|
|
sub error ($$$) { |
172
|
0
|
|
|
0
|
0
|
0
|
my $self = shift; |
173
|
0
|
|
|
|
|
0
|
my $status = shift; |
174
|
0
|
|
|
|
|
0
|
my $message = shift; |
175
|
|
|
|
|
|
|
|
176
|
0
|
|
|
|
|
0
|
$self->err($message); |
177
|
|
|
|
|
|
|
|
178
|
0
|
0
|
|
|
|
0
|
return (undef, $status) |
179
|
|
|
|
|
|
|
if (caller(1))[3] =~ /::generate_/; |
180
|
0
|
|
|
|
|
0
|
return $status; |
181
|
|
|
|
|
|
|
} |
182
|
|
|
|
|
|
|
|
183
|
|
|
|
|
|
|
sub process_bind_request ($$) { |
184
|
1
|
|
|
1
|
1
|
1032
|
my $self = shift; |
185
|
1
|
|
50
|
|
|
4
|
my $payload = shift // ''; |
186
|
|
|
|
|
|
|
|
187
|
1
|
50
|
|
|
|
4
|
return $self->error(SMB::STATUS_INVALID_SMB, "No STATE_INITIAL on bind_request") |
188
|
|
|
|
|
|
|
unless $self->state == STATE_INITIAL; |
189
|
|
|
|
|
|
|
|
190
|
1
|
50
|
|
|
|
4
|
return $self->error(SMB::STATUS_INVALID_PARAMETER, "Skipping wrong bind_request packet") |
191
|
|
|
|
|
|
|
unless $self->parse_common($payload, PACKET_TYPE_BIND); |
192
|
|
|
|
|
|
|
|
193
|
1
|
|
|
|
|
2
|
my $parser = $self->parser; |
194
|
|
|
|
|
|
|
|
195
|
1
|
|
|
|
|
5
|
$self->contexts([]); |
196
|
1
|
|
|
|
|
2
|
my $num_contexts = $parser->uint32; |
197
|
|
|
|
|
|
|
|
198
|
1
|
|
|
|
|
3
|
for (0 .. $num_contexts - 1) { |
199
|
3
|
|
|
|
|
4
|
my $context_id = $parser->uint16; |
200
|
3
|
50
|
|
|
|
6
|
return $self->error(SMB::STATUS_INVALID_PARAMETER, "Got context id $context_id, expected $_") |
201
|
|
|
|
|
|
|
unless $context_id eq $_; |
202
|
3
|
|
|
|
|
4
|
my $num = $parser->uint16; |
203
|
3
|
50
|
|
|
|
6
|
return $self->error(SMB::STATUS_INVALID_PARAMETER, "Got unexpected num_trans_items ($num)") |
204
|
|
|
|
|
|
|
unless $num eq 1; |
205
|
|
|
|
|
|
|
|
206
|
3
|
|
|
|
|
4
|
my $as_uuid = $parser->bytes(16); |
207
|
3
|
|
|
|
|
13
|
my $as_version = $parser->uint32; |
208
|
|
|
|
|
|
|
|
209
|
3
|
|
|
|
|
4
|
my $ts_uuid = $parser->bytes(16); |
210
|
3
|
|
|
|
|
4
|
my $ts_version = $parser->uint32; |
211
|
|
|
|
|
|
|
|
212
|
3
|
|
|
|
|
2
|
$self->contexts([@{$self->contexts}, $ts_uuid]); |
|
3
|
|
|
|
|
6
|
|
213
|
|
|
|
|
|
|
} |
214
|
|
|
|
|
|
|
|
215
|
1
|
|
|
|
|
2
|
$self->state(STATE_BIND); |
216
|
|
|
|
|
|
|
|
217
|
1
|
|
|
|
|
7
|
return SMB::STATUS_SUCCESS; |
218
|
|
|
|
|
|
|
} |
219
|
|
|
|
|
|
|
|
220
|
|
|
|
|
|
|
sub generate_bind_request ($) { |
221
|
1
|
|
|
1
|
1
|
9
|
my $self = shift; |
222
|
|
|
|
|
|
|
|
223
|
1
|
50
|
|
|
|
11
|
return $self->error(SMB::STATUS_INVALID_SMB, "No STATE_INITIAL on bind_response") |
224
|
|
|
|
|
|
|
unless $self->state == STATE_INITIAL; |
225
|
|
|
|
|
|
|
|
226
|
1
|
|
|
|
|
3
|
$self->pack_common(PACKET_TYPE_BIND); |
227
|
|
|
|
|
|
|
|
228
|
1
|
|
|
|
|
2
|
my $packer = $self->packer; |
229
|
|
|
|
|
|
|
|
230
|
1
|
|
|
|
|
2
|
$packer->uint32(3); # num_contexts |
231
|
|
|
|
|
|
|
|
232
|
1
|
|
|
|
|
3
|
for (0 .. 2) { |
233
|
3
|
100
|
|
|
|
12
|
$packer |
|
|
100
|
|
|
|
|
|
|
|
100
|
|
|
|
|
|
234
|
|
|
|
|
|
|
->uint16($_) # context id |
235
|
|
|
|
|
|
|
->uint16(1) # num_trans_items |
236
|
|
|
|
|
|
|
->bytes(UUID_AS_SRVSVC) |
237
|
|
|
|
|
|
|
->uint32(3) # as_version |
238
|
|
|
|
|
|
|
->bytes($_ == 0 ? UUID_TS_32BIT_NDR : $_ == 1 ? UUID_TS_64BIT_NDR : UUID_TS_BIND_TIME) |
239
|
|
|
|
|
|
|
->uint32($_ == 0 ? 2 : 1) # ts_version |
240
|
|
|
|
|
|
|
; |
241
|
|
|
|
|
|
|
} |
242
|
|
|
|
|
|
|
|
243
|
1
|
|
|
|
|
3
|
$self->state(STATE_BIND); |
244
|
|
|
|
|
|
|
|
245
|
1
|
|
|
|
|
2
|
return $self->finalize_pack_common; |
246
|
|
|
|
|
|
|
} |
247
|
|
|
|
|
|
|
|
248
|
|
|
|
|
|
|
sub process_bind_ack_response ($$) { |
249
|
1
|
|
|
1
|
1
|
1010
|
my $self = shift; |
250
|
1
|
|
50
|
|
|
5
|
my $payload = shift // ''; |
251
|
|
|
|
|
|
|
|
252
|
1
|
50
|
|
|
|
5
|
return $self->error(SMB::STATUS_INVALID_SMB, "No STATE_BIND on bind_ack_request") |
253
|
|
|
|
|
|
|
unless $self->state == STATE_BIND; |
254
|
|
|
|
|
|
|
|
255
|
1
|
50
|
|
|
|
4
|
return $self->error(SMB::STATUS_INVALID_PARAMETER, "Skipping wrong bind_request packet") |
256
|
|
|
|
|
|
|
unless $self->parse_common($payload, PACKET_TYPE_BIND_ACK); |
257
|
|
|
|
|
|
|
|
258
|
1
|
|
|
|
|
3
|
my $parser = $self->parser; |
259
|
|
|
|
|
|
|
|
260
|
1
|
|
|
|
|
2
|
my $scndry_addr_len = $parser->uint16; |
261
|
1
|
|
|
|
|
2
|
my $scndry_addr = $parser->bytes($scndry_addr_len); |
262
|
1
|
|
|
|
|
3
|
$parser->skip(1); |
263
|
|
|
|
|
|
|
|
264
|
1
|
|
|
|
|
2
|
$self->contexts([]); |
265
|
1
|
|
|
|
|
1
|
my $num_results = $parser->uint32; |
266
|
|
|
|
|
|
|
|
267
|
1
|
|
|
|
|
3
|
for (0 .. $num_results - 1) { |
268
|
3
|
|
|
|
|
5
|
my $ack_result = $parser->uint16; |
269
|
3
|
|
|
|
|
5
|
my $ack_reason = $parser->uint16; |
270
|
|
|
|
|
|
|
|
271
|
3
|
|
|
|
|
5
|
my $ts_uuid = $parser->bytes(16); |
272
|
3
|
|
|
|
|
4
|
my $ts_version = $parser->uint32; |
273
|
|
|
|
|
|
|
|
274
|
3
|
|
|
|
|
3
|
$self->contexts([@{$self->contexts}, $ts_uuid]); |
|
3
|
|
|
|
|
5
|
|
275
|
|
|
|
|
|
|
} |
276
|
|
|
|
|
|
|
|
277
|
1
|
|
|
|
|
2
|
$self->state(STATE_BIND_ACK); |
278
|
|
|
|
|
|
|
|
279
|
1
|
|
|
|
|
3
|
return SMB::STATUS_SUCCESS; |
280
|
|
|
|
|
|
|
} |
281
|
|
|
|
|
|
|
|
282
|
|
|
|
|
|
|
sub generate_bind_ack_response ($$) { |
283
|
1
|
|
|
1
|
1
|
496
|
my $self = shift; |
284
|
|
|
|
|
|
|
|
285
|
1
|
50
|
|
|
|
4
|
return $self->error(SMB::STATUS_INVALID_SMB, "No STATE_BIND on bind_ack_response") |
286
|
|
|
|
|
|
|
unless $self->state == STATE_BIND; |
287
|
|
|
|
|
|
|
|
288
|
1
|
|
|
|
|
4
|
$self->pack_common(PACKET_TYPE_BIND_ACK); |
289
|
|
|
|
|
|
|
|
290
|
1
|
|
|
|
|
2
|
my $packer = $self->packer; |
291
|
|
|
|
|
|
|
|
292
|
1
|
|
|
|
|
8
|
my $scndry_addr = sprintf "\\PIPE\\%s\0", $self->name; |
293
|
1
|
|
|
|
|
3
|
$packer->uint16(length($scndry_addr)); |
294
|
1
|
|
|
|
|
3
|
$packer->bytes($scndry_addr); |
295
|
1
|
|
|
|
|
2
|
$packer->uint8(0); |
296
|
|
|
|
|
|
|
|
297
|
1
|
|
|
|
|
1
|
my $num_results = @{$self->contexts}; |
|
1
|
|
|
|
|
2
|
|
298
|
1
|
|
|
|
|
2
|
$packer->uint32($num_results); |
299
|
|
|
|
|
|
|
|
300
|
1
|
|
|
|
|
2
|
for (0 .. $num_results - 1) { |
301
|
3
|
100
|
|
|
|
5
|
my ($ack_result, $ack_reason, $ts_uuid, $ts_version) = |
|
|
100
|
|
|
|
|
|
302
|
|
|
|
|
|
|
$self->contexts->[$_] eq UUID_TS_64BIT_NDR |
303
|
|
|
|
|
|
|
? (0, 0, UUID_TS_64BIT_NDR, 1) : |
304
|
|
|
|
|
|
|
$self->contexts->[$_] eq UUID_TS_BIND_TIME |
305
|
|
|
|
|
|
|
? (3, 3, UUID_TS_NULL, 0) |
306
|
|
|
|
|
|
|
: (2, 2, UUID_TS_NULL, 0); |
307
|
|
|
|
|
|
|
|
308
|
3
|
|
|
|
|
6
|
$packer |
309
|
|
|
|
|
|
|
->uint16($ack_result) |
310
|
|
|
|
|
|
|
->uint16($ack_reason) |
311
|
|
|
|
|
|
|
->bytes($ts_uuid) |
312
|
|
|
|
|
|
|
->uint32($ts_version) |
313
|
|
|
|
|
|
|
; |
314
|
|
|
|
|
|
|
} |
315
|
|
|
|
|
|
|
|
316
|
1
|
|
|
|
|
2
|
$self->state(STATE_BIND_ACK); |
317
|
|
|
|
|
|
|
|
318
|
1
|
|
|
|
|
3
|
return $self->finalize_pack_common; |
319
|
|
|
|
|
|
|
} |
320
|
|
|
|
|
|
|
|
321
|
|
|
|
|
|
|
sub process_rpc_request ($$) { |
322
|
2
|
|
|
2
|
1
|
1327
|
my $self = shift; |
323
|
2
|
|
50
|
|
|
8
|
my $payload = shift // ''; |
324
|
|
|
|
|
|
|
|
325
|
2
|
50
|
66
|
|
|
6
|
return $self->error(SMB::STATUS_INVALID_SMB, "No STATE_BIND_ACK or STATE_RESPONSE on rpc_request") |
326
|
|
|
|
|
|
|
unless $self->state == STATE_BIND_ACK || $self->state == STATE_RESPONSE; |
327
|
|
|
|
|
|
|
|
328
|
2
|
50
|
|
|
|
7
|
return $self->error(SMB::STATUS_INVALID_PARAMETER, "Skipping wrong rpc_request packet") |
329
|
|
|
|
|
|
|
unless $self->parse_common($payload, PACKET_TYPE_REQUEST); |
330
|
|
|
|
|
|
|
|
331
|
2
|
|
|
|
|
5
|
my $parser = $self->parser; |
332
|
|
|
|
|
|
|
|
333
|
2
|
|
50
|
|
|
6
|
my $opnum = $self->requested_opnum // '-'; |
334
|
2
|
50
|
|
|
|
6
|
if ($opnum == $operations{NetShareGetInfo}) { |
335
|
2
|
|
|
|
|
5
|
my $referent_id = $parser->uint64; |
336
|
2
|
|
|
|
|
5
|
my $max_count = $parser->uint64; |
337
|
2
|
|
|
|
|
6
|
my $offset = $parser->uint64; |
338
|
2
|
|
|
|
|
4
|
my $count = $parser->uint64; |
339
|
2
|
|
|
|
|
6
|
my $server_unc = $parser->skip($offset)->str($count * 2); chop($server_unc); |
|
2
|
|
|
|
|
108
|
|
340
|
2
|
|
|
|
|
7
|
$parser->align(0, 8); |
341
|
2
|
|
|
|
|
4
|
$max_count = $parser->uint64; |
342
|
2
|
|
|
|
|
5
|
$offset = $parser->uint64; |
343
|
2
|
|
|
|
|
5
|
$count = $parser->uint64; |
344
|
2
|
|
|
|
|
6
|
my $share_name = $parser->skip($offset)->str($count * 2); chop($share_name); |
|
2
|
|
|
|
|
90
|
|
345
|
2
|
|
|
|
|
8
|
$parser->align(0, 4); |
346
|
2
|
|
|
|
|
7
|
my $level = $parser->uint32; |
347
|
2
|
50
|
|
|
|
7
|
return $self->error(SMB::STATUS_NOT_IMPLEMENTED, "Unsupported NetShareGetInfo level $level") |
348
|
|
|
|
|
|
|
unless $level == 1; |
349
|
2
|
|
|
|
|
11
|
$self->requested_opinfo({ |
350
|
|
|
|
|
|
|
referent_id => $referent_id, |
351
|
|
|
|
|
|
|
share_name => $share_name, |
352
|
|
|
|
|
|
|
}); |
353
|
|
|
|
|
|
|
} |
354
|
|
|
|
|
|
|
else { |
355
|
0
|
|
|
|
|
0
|
return $self->error(SMB::STATUS_NOT_IMPLEMENTED, "Unsupported rpc operation $opnum"); |
356
|
|
|
|
|
|
|
} |
357
|
|
|
|
|
|
|
|
358
|
2
|
|
|
|
|
6
|
$self->state(STATE_REQUEST); |
359
|
|
|
|
|
|
|
|
360
|
2
|
|
|
|
|
9
|
return SMB::STATUS_SUCCESS; |
361
|
|
|
|
|
|
|
} |
362
|
|
|
|
|
|
|
|
363
|
|
|
|
|
|
|
sub generate_rpc_request ($$%) { |
364
|
2
|
|
|
2
|
1
|
503
|
my $self = shift; |
365
|
2
|
|
50
|
|
|
8
|
my $opname = shift // die "No operation name"; |
366
|
2
|
|
|
|
|
8
|
my %params = @_; |
367
|
|
|
|
|
|
|
|
368
|
2
|
50
|
66
|
|
|
7
|
return $self->error(SMB::STATUS_INVALID_SMB, "No STATE_BIND_ACK or STATE_RESPONSE on rpc_request") |
369
|
|
|
|
|
|
|
unless $self->state == STATE_BIND_ACK || $self->state == STATE_RESPONSE; |
370
|
|
|
|
|
|
|
|
371
|
2
|
|
|
|
|
5
|
my $opnum = $operations{$opname}; |
372
|
2
|
50
|
|
|
|
11
|
return $self->error(SMB::STATUS_NOT_IMPLEMENTED, "Unsupported operation $opname on rpc_request") |
373
|
|
|
|
|
|
|
unless defined $opnum; |
374
|
2
|
|
|
|
|
6
|
$self->requested_opnum($opnum); |
375
|
2
|
|
50
|
|
|
11
|
$self->current_context_id($params{context_id} // 0); |
376
|
|
|
|
|
|
|
|
377
|
2
|
|
|
|
|
6
|
$self->pack_common(PACKET_TYPE_REQUEST); |
378
|
|
|
|
|
|
|
|
379
|
2
|
|
|
|
|
4
|
my $packer = $self->packer; |
380
|
|
|
|
|
|
|
|
381
|
2
|
50
|
|
|
|
5
|
if ($opnum == $operations{NetShareGetInfo}) { |
382
|
2
|
|
50
|
|
|
6
|
my $referent_id = $params{referent_id} // 0; |
383
|
2
|
|
50
|
|
|
7
|
my $server_unc = ($params{server_unc} // '127.0.0.1') . "\0"; |
384
|
2
|
|
50
|
|
|
5
|
my $share_name = ($params{share_name} // '') . "\0"; |
385
|
2
|
|
|
|
|
2
|
my $len1 = length($server_unc); |
386
|
2
|
|
|
|
|
2
|
my $len2 = length($share_name); |
387
|
2
|
|
|
|
|
4
|
$packer |
388
|
|
|
|
|
|
|
->uint64($referent_id) |
389
|
|
|
|
|
|
|
->uint64($len1) # max_count |
390
|
|
|
|
|
|
|
->uint64(0) # offset |
391
|
|
|
|
|
|
|
->uint64($len1) # count |
392
|
|
|
|
|
|
|
->str($server_unc) |
393
|
|
|
|
|
|
|
->align(0, 8) |
394
|
|
|
|
|
|
|
->uint64($len2) # max_count |
395
|
|
|
|
|
|
|
->uint64(0) # offset |
396
|
|
|
|
|
|
|
->uint64($len2) # count |
397
|
|
|
|
|
|
|
->str($share_name) |
398
|
|
|
|
|
|
|
->align(0, 4) |
399
|
|
|
|
|
|
|
->uint32(1) # level |
400
|
|
|
|
|
|
|
; |
401
|
2
|
|
|
|
|
23
|
$self->requested_opinfo({ |
402
|
|
|
|
|
|
|
referent_id => $referent_id, |
403
|
|
|
|
|
|
|
share_name => $share_name, |
404
|
|
|
|
|
|
|
}); |
405
|
|
|
|
|
|
|
} |
406
|
|
|
|
|
|
|
else { |
407
|
0
|
|
|
|
|
0
|
return $self->error(SMB::STATUS_NOT_IMPLEMENTED, "Unsupported rpc operation $opnum"); |
408
|
|
|
|
|
|
|
} |
409
|
|
|
|
|
|
|
|
410
|
2
|
|
|
|
|
6
|
$self->state(STATE_REQUEST); |
411
|
|
|
|
|
|
|
|
412
|
2
|
|
|
|
|
3
|
return $self->finalize_pack_common; |
413
|
|
|
|
|
|
|
} |
414
|
|
|
|
|
|
|
|
415
|
|
|
|
|
|
|
sub process_rpc_response ($$$) { |
416
|
2
|
|
|
2
|
1
|
1024
|
my $self = shift; |
417
|
2
|
|
50
|
|
|
7
|
my $payload = shift // ''; |
418
|
2
|
|
50
|
|
|
8
|
my $retinfo = shift // die; |
419
|
|
|
|
|
|
|
|
420
|
2
|
50
|
|
|
|
19
|
return $self->error(SMB::STATUS_INVALID_SMB, "No STATE_REQUEST on rpc_response") |
421
|
|
|
|
|
|
|
unless $self->state == STATE_REQUEST; |
422
|
|
|
|
|
|
|
|
423
|
2
|
50
|
|
|
|
8
|
return $self->error(SMB::STATUS_INVALID_PARAMETER, "Skipping wrong rpc_response packet") |
424
|
|
|
|
|
|
|
unless $self->parse_common($payload, PACKET_TYPE_RESPONSE); |
425
|
|
|
|
|
|
|
|
426
|
2
|
|
|
|
|
5
|
my $parser = $self->parser; |
427
|
|
|
|
|
|
|
|
428
|
2
|
|
50
|
|
|
3
|
my $opnum = $self->requested_opnum // '-'; |
429
|
2
|
50
|
|
|
|
6
|
if ($opnum == $operations{NetShareGetInfo}) { |
430
|
2
|
|
|
|
|
4
|
my $level = $parser->uint32(); |
431
|
2
|
50
|
|
|
|
5
|
return $self->error(SMB::STATUS_NOT_IMPLEMENTED, "Unsupported NetShareGetInfo level $level") |
432
|
|
|
|
|
|
|
unless $level == 1; |
433
|
2
|
|
|
|
|
3
|
$parser->skip(4); |
434
|
2
|
|
|
|
|
3
|
my $referent_id = $parser->uint64; |
435
|
2
|
|
|
|
|
5
|
$parser->skip(8); # share_name referent_id |
436
|
2
|
|
|
|
|
2
|
my $stype = $parser->uint32; |
437
|
2
|
|
|
|
|
4
|
$parser->skip(4); |
438
|
2
|
|
|
|
|
3
|
$parser->skip(8); # comment referent_id |
439
|
2
|
|
|
|
|
3
|
my $max_count = $parser->uint64; |
440
|
2
|
|
|
|
|
4
|
my $offset = $parser->uint64; |
441
|
2
|
|
|
|
|
4
|
my $count = $parser->uint64; |
442
|
2
|
|
|
|
|
5
|
my $share_name = $parser->skip($offset)->str($count * 2); chop($share_name); |
|
2
|
|
|
|
|
78
|
|
443
|
2
|
|
|
|
|
5
|
$parser->align(0, 8); |
444
|
2
|
|
|
|
|
3
|
$max_count = $parser->uint64; |
445
|
2
|
|
|
|
|
11
|
$offset = $parser->uint64; |
446
|
2
|
|
|
|
|
4
|
$count = $parser->uint64; |
447
|
2
|
|
|
|
|
5
|
my $comment = $parser->skip($offset)->str($count * 2); chop($comment); |
|
2
|
|
|
|
|
64
|
|
448
|
2
|
|
|
|
|
3
|
$parser->align(0, 4); |
449
|
2
|
|
|
|
|
46
|
my $winerror = $parser->uint32; |
450
|
2
|
|
|
|
|
33
|
%$retinfo = ( |
451
|
|
|
|
|
|
|
referent_id => $referent_id, |
452
|
|
|
|
|
|
|
share_name => $share_name, |
453
|
|
|
|
|
|
|
comment => $comment, |
454
|
|
|
|
|
|
|
); |
455
|
|
|
|
|
|
|
} |
456
|
|
|
|
|
|
|
else { |
457
|
0
|
|
|
|
|
0
|
return $self->error(SMB::STATUS_NOT_IMPLEMENTED, "Unsupported rpc operation $opnum"); |
458
|
|
|
|
|
|
|
} |
459
|
|
|
|
|
|
|
|
460
|
2
|
|
|
|
|
7
|
$self->state(STATE_RESPONSE); |
461
|
|
|
|
|
|
|
|
462
|
2
|
|
|
|
|
7
|
return SMB::STATUS_SUCCESS; |
463
|
|
|
|
|
|
|
} |
464
|
|
|
|
|
|
|
|
465
|
|
|
|
|
|
|
sub generate_rpc_response ($$%) { |
466
|
2
|
|
|
2
|
1
|
4
|
my $self = shift; |
467
|
2
|
|
33
|
|
|
11
|
my $opnum = shift // $self->requested_opnum; |
468
|
2
|
|
|
|
|
5
|
my %params = @_; |
469
|
|
|
|
|
|
|
|
470
|
2
|
50
|
|
|
|
7
|
return $self->error(SMB::STATUS_INVALID_SMB, "No STATE_REQUEST on rpc_response") |
471
|
|
|
|
|
|
|
unless $self->state == STATE_REQUEST; |
472
|
|
|
|
|
|
|
|
473
|
2
|
|
|
|
|
8
|
$self->pack_common(PACKET_TYPE_RESPONSE); |
474
|
|
|
|
|
|
|
|
475
|
2
|
|
|
|
|
5
|
my $packer = $self->packer; |
476
|
|
|
|
|
|
|
|
477
|
2
|
50
|
|
|
|
6
|
if ($opnum == $operations{NetShareGetInfo}) { |
478
|
2
|
|
33
|
|
|
9
|
my $referent_id = $params{referent_id} // $self->requested_opinfo->{referent_id} // 0; |
|
|
|
50
|
|
|
|
|
479
|
2
|
|
33
|
|
|
7
|
my $share_name = ($params{share_name} // $self->requested_opinfo->{share_name} // '') . "\0"; |
|
|
|
50
|
|
|
|
|
480
|
2
|
|
50
|
|
|
9
|
my $comment = ($params{comment} // '') . "\0"; |
481
|
2
|
|
|
|
|
3
|
my $len1 = length($share_name); |
482
|
2
|
|
|
|
|
3
|
my $len2 = length($comment); |
483
|
2
|
|
|
|
|
6
|
$packer |
484
|
|
|
|
|
|
|
->uint32(1) # level |
485
|
|
|
|
|
|
|
->skip(4) |
486
|
|
|
|
|
|
|
->uint64($referent_id) |
487
|
|
|
|
|
|
|
->uint64($referent_id) # share_name referent_id |
488
|
|
|
|
|
|
|
->uint32(0) # stype |
489
|
|
|
|
|
|
|
->skip(4) |
490
|
|
|
|
|
|
|
->uint64($referent_id) # comment referent_id |
491
|
|
|
|
|
|
|
->uint64($len1) # max_count |
492
|
|
|
|
|
|
|
->uint64(0) # offset |
493
|
|
|
|
|
|
|
->uint64($len1) # count |
494
|
|
|
|
|
|
|
->str($share_name) |
495
|
|
|
|
|
|
|
->align(0, 8) |
496
|
|
|
|
|
|
|
->uint64($len2) # max_count |
497
|
|
|
|
|
|
|
->uint64(0) # offset |
498
|
|
|
|
|
|
|
->uint64($len2) # count |
499
|
|
|
|
|
|
|
->str($comment) |
500
|
|
|
|
|
|
|
->align(0, 4) |
501
|
|
|
|
|
|
|
->uint32(0) # winerror |
502
|
|
|
|
|
|
|
; |
503
|
|
|
|
|
|
|
} |
504
|
|
|
|
|
|
|
else { |
505
|
0
|
|
|
|
|
0
|
return $self->error(SMB::STATUS_NOT_IMPLEMENTED, "Unsupported rpc operation $opnum"); |
506
|
|
|
|
|
|
|
} |
507
|
|
|
|
|
|
|
|
508
|
2
|
|
|
|
|
9
|
$self->state(STATE_RESPONSE); |
509
|
|
|
|
|
|
|
|
510
|
2
|
|
|
|
|
5
|
return $self->finalize_pack_common; |
511
|
|
|
|
|
|
|
} |
512
|
|
|
|
|
|
|
|
513
|
|
|
|
|
|
|
sub process_packet ($$@) { |
514
|
2
|
|
|
2
|
1
|
1879
|
my $self = shift; |
515
|
2
|
|
|
|
|
5
|
my $payload = shift; |
516
|
|
|
|
|
|
|
|
517
|
2
|
|
|
|
|
7
|
my $state = $self->state; |
518
|
|
|
|
|
|
|
|
519
|
2
|
50
|
|
|
|
8
|
return $self->process_bind_request($payload, @_) |
520
|
|
|
|
|
|
|
if $state == STATE_INITIAL; |
521
|
2
|
50
|
|
|
|
6
|
return $self->process_bind_ack_response($payload, @_) |
522
|
|
|
|
|
|
|
if $state == STATE_BIND; |
523
|
2
|
100
|
66
|
|
|
16
|
return $self->process_rpc_request($payload, @_) |
524
|
|
|
|
|
|
|
if $state == STATE_BIND_ACK || $state == STATE_RESPONSE; |
525
|
1
|
50
|
|
|
|
7
|
return $self->process_rpc_response($payload, @_) |
526
|
|
|
|
|
|
|
if $state == STATE_REQUEST; |
527
|
|
|
|
|
|
|
|
528
|
0
|
|
|
|
|
0
|
return $self->error(SMB::STATUS_INVALID_SMB, "Invalid internal DCERPC state $state"); |
529
|
|
|
|
|
|
|
} |
530
|
|
|
|
|
|
|
|
531
|
|
|
|
|
|
|
sub generate_packet ($@) { |
532
|
2
|
|
|
2
|
1
|
1074
|
my $self = shift; |
533
|
|
|
|
|
|
|
|
534
|
2
|
|
|
|
|
7
|
my $state = $self->state; |
535
|
|
|
|
|
|
|
|
536
|
2
|
50
|
|
|
|
7
|
return $self->generate_bind_request(@_) |
537
|
|
|
|
|
|
|
if $state == STATE_INITIAL; |
538
|
2
|
50
|
|
|
|
5
|
return $self->generate_bind_ack_response(@_) |
539
|
|
|
|
|
|
|
if $state == STATE_BIND; |
540
|
2
|
100
|
66
|
|
|
15
|
return $self->generate_rpc_request(@_) |
541
|
|
|
|
|
|
|
if $state == STATE_BIND_ACK || $state == STATE_RESPONSE; |
542
|
1
|
50
|
|
|
|
7
|
return $self->generate_rpc_response(@_) |
543
|
|
|
|
|
|
|
if $state == STATE_REQUEST; |
544
|
|
|
|
|
|
|
|
545
|
0
|
|
|
|
|
|
return $self->error(SMB::STATUS_INVALID_SMB, "Invalid internal DCERPC state $state"); |
546
|
|
|
|
|
|
|
} |
547
|
|
|
|
|
|
|
|
548
|
|
|
|
|
|
|
1; |
549
|
|
|
|
|
|
|
|
550
|
|
|
|
|
|
|
__END__ |