📄 dcerpc.c
字号:
if ( _dcerpc->dcerpc_req_buf_len < _dcerpc->dcerpc_req_buf_size ) { if ( _dcerpc->dcerpc_req_buf_len + dcerpc_len > _dcerpc->dcerpc_req_buf_size ) { dcerpc_len = _dcerpc->dcerpc_req_buf_size - _dcerpc->dcerpc_req_buf_len; } ret = SafeMemcpy(_dcerpc->dcerpc_req_buf + _dcerpc->dcerpc_req_buf_len, data + sizeof(DCERPC_REQ), dcerpc_len, _dcerpc->dcerpc_req_buf, _dcerpc->dcerpc_req_buf + _dcerpc->dcerpc_req_buf_size); if (ret == 0) { DCERPC_FragFree(_dcerpc->dcerpc_req_buf, 0); _dcerpc->dcerpc_req_buf_len = 0; _dcerpc->dcerpc_req_buf_size = 0; _dcerpc->dcerpc_req_buf = NULL; _dcerpc->fragmentation |= SUSPEND_FRAGMENTATION; return 0; } _dcerpc->dcerpc_req_buf_len += dcerpc_len; if ( _debug_print ) PrintBuffer("DCE/RPC fragment", data + sizeof(DCERPC_REQ), dcerpc_len); } } } else { /* Check for DCE/RPC fragmentation */ if ( (dcerpc_hdr->flags & DCERPC_FIRST_FRAG) && !(dcerpc_hdr->flags & DCERPC_LAST_FRAG) ) { u_int16_t alloc_size = DCERPC_FRAG_ALLOC; _dcerpc->dcerpc_req_buf_len = frag_length - sizeof(DCERPC_REQ); if ( _dcerpc->dcerpc_req_buf_len > (data_size - sizeof(DCERPC_REQ)) ) { _dcerpc->dcerpc_req_buf_len = data_size - sizeof(DCERPC_REQ); } if ( _dcerpc->dcerpc_req_buf_len > DCERPC_FRAG_ALLOC ) { alloc_size = _dcerpc->dcerpc_req_buf_len; } _dcerpc->dcerpc_req_buf = (u_int8_t *) DCERPC_FragAlloc(NULL, 0, &alloc_size); if ( alloc_size == 0 ) { DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Memcap reached, ignoring DCE/RPC fragmentation reassembly.\n");); DCERPC_FragFree(_dcerpc->dcerpc_req_buf, 0); _dcerpc->dcerpc_req_buf_len = 0; _dcerpc->dcerpc_req_buf_size = 0; _dcerpc->dcerpc_req_buf = NULL; _dcerpc->fragmentation |= SUSPEND_FRAGMENTATION; return 0; } if ( !_dcerpc->dcerpc_req_buf ) DynamicPreprocessorFatalMessage("Failed to allocate space for first DCE/RPC fragmented request\n"); if ( _dcerpc->dcerpc_req_buf_len > alloc_size ) { _dcerpc->dcerpc_req_buf_len = alloc_size; } _dcerpc->dcerpc_req_buf_size = alloc_size; ret = SafeMemcpy(_dcerpc->dcerpc_req_buf, data + sizeof(DCERPC_REQ), _dcerpc->dcerpc_req_buf_len, _dcerpc->dcerpc_req_buf, _dcerpc->dcerpc_req_buf + _dcerpc->dcerpc_req_buf_size); if (ret == 0) { DCERPC_FragFree(_dcerpc->dcerpc_req_buf, 0); _dcerpc->dcerpc_req_buf_len = 0; _dcerpc->dcerpc_req_buf_size = 0; _dcerpc->dcerpc_req_buf = NULL; _dcerpc->fragmentation |= SUSPEND_FRAGMENTATION; return 0; } _dcerpc->fragmentation |= RPC_FRAGMENTATION; if ( _debug_print ) PrintBuffer("DCE/RPC fragment", data + sizeof(DCERPC_REQ), _dcerpc->dcerpc_req_buf_len); } else { return 0; } } } /* Check for last frag */ if ( (_dcerpc->fragmentation & RPC_FRAGMENTATION) && dcerpc_hdr->flags & DCERPC_LAST_FRAG ) { return 1; } } return 0;}void ReassembleDCERPCRequest(const u_int8_t *smb_hdr, u_int16_t smb_hdr_len, const u_int8_t *data){ int pkt_len; DCERPC_REQ fake_req; unsigned int dcerpc_req_len = sizeof(DCERPC_REQ); int status; u_int16_t data_len = 0; /* Make sure we have room to fit into buffer */ if (smb_hdr != NULL) { pkt_len = sizeof(NBT_HDR) + smb_hdr_len + dcerpc_req_len + _dcerpc->dcerpc_req_buf_len; } else { pkt_len = dcerpc_req_len + _dcerpc->dcerpc_req_buf_len; } if (pkt_len > dce_reassembly_buf_size) { DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Reassembled DCE/RPC packet " "greater than %d bytes, skipping.\n", dce_reassembly_buf_size)); /* just shorten it - don't want to lose all of * this information */ _dcerpc->dcerpc_req_buf_len = dce_reassembly_buf_size - (pkt_len - _dcerpc->dcerpc_req_buf_len); } /* Mock up header */ status = SafeMemcpy(&fake_req, data, dcerpc_req_len, &fake_req, (u_int8_t *)&fake_req + dcerpc_req_len); if (status != SAFEMEM_SUCCESS) { DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to copy DCERPC header, " "skipping DCERPC reassembly.\n")); goto dcerpc_frag_free; } fake_req.dcerpc_hdr.frag_length = dcerpc_htons(fake_req.dcerpc_hdr.byte_order, dcerpc_req_len + _dcerpc->dcerpc_req_buf_len); fake_req.dcerpc_hdr.flags |= (DCERPC_FIRST_FRAG | DCERPC_LAST_FRAG); fake_req.alloc_hint = dcerpc_htonl(fake_req.dcerpc_hdr.byte_order, _dcerpc->dcerpc_req_buf_len); if (smb_hdr != NULL) { status = SafeMemcpy(dce_reassembly_buf, _dcerpc_pkt->payload, sizeof(NBT_HDR), dce_reassembly_buf, dce_reassembly_buf + dce_reassembly_buf_size); if (status != SAFEMEM_SUCCESS) { DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to copy DCERPC header, " "skipping DCERPC reassembly.\n");); goto dcerpc_frag_free; } data_len = sizeof(NBT_HDR); status = SafeMemcpy(dce_reassembly_buf + data_len, smb_hdr, smb_hdr_len, dce_reassembly_buf, dce_reassembly_buf + dce_reassembly_buf_size); if (status != SAFEMEM_SUCCESS) { DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to copy DCERPC header, " "skipping DCERPC reassembly.\n");); goto dcerpc_frag_free; } data_len += smb_hdr_len; } status = SafeMemcpy(dce_reassembly_buf + data_len, &fake_req, dcerpc_req_len, dce_reassembly_buf, dce_reassembly_buf + dce_reassembly_buf_size); if (status != SAFEMEM_SUCCESS) { DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to copy DCERPC header, " "skipping DCERPC reassembly.\n");); goto dcerpc_frag_free; } data_len += dcerpc_req_len; /* Copy data into buffer */ status = SafeMemcpy(dce_reassembly_buf + data_len, _dcerpc->dcerpc_req_buf, _dcerpc->dcerpc_req_buf_len, dce_reassembly_buf, dce_reassembly_buf + dce_reassembly_buf_size); if (status != SAFEMEM_SUCCESS) { DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Failed to copy DCERPC data, " "skipping DCERPC reassembly.\n");); goto dcerpc_frag_free; } data_len += _dcerpc->dcerpc_req_buf_len; if (_debug_print) { PrintBuffer("DCE/RPC reassembled fragment", (u_int8_t *)dce_reassembly_buf, data_len); } /* create pseudo packet */ real_dce_mock_pkt = DCERPC_SetPseudoPacket(_dcerpc_pkt, dce_reassembly_buf, data_len); if (real_dce_mock_pkt == NULL) goto dcerpc_frag_free;dcerpc_frag_free: /* Get ready for next write */ DCERPC_FragFree(_dcerpc->dcerpc_req_buf, _dcerpc->dcerpc_req_buf_size); _dcerpc->dcerpc_req_buf = NULL; _dcerpc->dcerpc_req_buf_len = 0; _dcerpc->dcerpc_req_buf_size = 0; _dcerpc->fragmentation &= ~RPC_FRAGMENTATION; _dcerpc->fragmentation &= ~SUSPEND_FRAGMENTATION;}⌨️ 快捷键说明
复制代码
Ctrl + C
搜索代码
Ctrl + F
全屏模式
F11
切换主题
Ctrl + Shift + D
显示快捷键
?
增大字号
Ctrl + =
减小字号
Ctrl + -