samba3rpc.c
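/* … tail of name2sid(): its signature and declarations are on the previous page … */
	attr.len = 0;
	attr.root_dir = NULL;
	attr.object_name = NULL;
	attr.attributes = 0;
	attr.sec_desc = NULL;
	attr.sec_qos = &qos;

	r.in.system_name = "\\";
	r.in.attr = &attr;
	r.in.access_mask = SEC_FLAG_MAXIMUM_ALLOWED;
	r.out.handle = &handle;

	status = dcerpc_lsa_OpenPolicy2(p, tmp_ctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		printf("OpenPolicy2 failed - %s\n", nt_errstr(status));
		talloc_free(tmp_ctx);
		return NULL;
	}

	sids.count = 0;
	sids.sids = NULL;

	/* LookupNames takes the DOMAIN\name form */
	lsa_name.string = talloc_asprintf(tmp_ctx, "%s\\%s", domain, name);

	l.in.handle = &handle;
	l.in.num_names = 1;
	l.in.names = &lsa_name;
	l.in.sids = &sids;
	l.in.level = 1;
	l.in.count = &count;
	l.out.count = &count;
	l.out.sids = &sids;

	status = dcerpc_lsa_LookupNames(p, tmp_ctx, &l);
	if (!NT_STATUS_IS_OK(status)) {
		printf("LookupNames of %s failed - %s\n",
		       lsa_name.string, nt_errstr(status));
		talloc_free(tmp_ctx);
		return NULL;
	}

	/* The result lives on the caller's mem_ctx, not on tmp_ctx */
	result = dom_sid_add_rid(mem_ctx, l.out.domains->domains[0].sid,
				 l.out.sids->sids[0].rid);

	c.in.handle = &handle;
	c.out.handle = &handle;

	status = dcerpc_lsa_Close(p, tmp_ctx, &c);
	if (!NT_STATUS_IS_OK(status)) {
		printf("dcerpc_lsa_Close failed - %s\n", nt_errstr(status));
		talloc_free(tmp_ctx);
		return NULL;
	}

	talloc_free(tmp_ctx);
	return result;
}

/*
 * Find out the user SID on this connection.
 *
 * Binds \pipe\lsarpc over @tree, asks the server who we are via
 * lsa_GetUserName and resolves the returned authority\account pair to a
 * SID with name2sid().
 *
 * @param mem_ctx  talloc parent of the returned SID
 * @param lp_ctx   loadparm context handed to pipe_bind_smb()
 * @param tree     connected IPC$ tree to bind the pipe over
 * @return the SID allocated on @mem_ctx, or NULL on any failure
 *         (the error is printed). The LSA pipe is freed before return.
 */
static struct dom_sid *whoami(TALLOC_CTX *mem_ctx,
			      struct loadparm_context *lp_ctx,
			      struct smbcli_tree *tree)
{
	struct dcerpc_pipe *lsa;
	struct lsa_GetUserName r;
	NTSTATUS status;
	struct lsa_StringPointer authority_name_p;
	struct dom_sid *result;

	status = pipe_bind_smb(mem_ctx, lp_ctx, tree, "\\pipe\\lsarpc",
			       &ndr_table_lsarpc, &lsa);
	if (!NT_STATUS_IS_OK(status)) {
		d_printf("(%s) Could not bind to LSA: %s\n", __location__,
			 nt_errstr(status));
		return NULL;
	}

	/* Zero the whole request so the out pointers start as NULL */
	ZERO_STRUCT(r);
	r.in.system_name = "\\";
	r.in.account_name = NULL;
	authority_name_p.string = NULL;
	r.in.authority_name = &authority_name_p;

	status = dcerpc_lsa_GetUserName(lsa, mem_ctx, &r);
	if (!NT_STATUS_IS_OK(status)) {
		printf("(%s) GetUserName failed - %s\n", __location__,
		       nt_errstr(status));
		talloc_free(lsa);
		return NULL;
	}

	/*
	 * A server may answer with NULL account or authority strings;
	 * do not dereference them blindly.
	 */
	if (r.out.account_name == NULL || r.out.account_name->string == NULL ||
	    r.out.authority_name == NULL || r.out.authority_name->string == NULL ||
	    r.out.authority_name->string->string == NULL) {
		printf("(%s) GetUserName returned no account/authority name\n",
		       __location__);
		talloc_free(lsa);
		return NULL;
	}

	result = name2sid(mem_ctx, lsa, r.out.account_name->string,
			  r.out.authority_name->string->string);

	talloc_free(lsa);
	return result;
}

/*
 * talloc destructor for trees returned by secondary_tcon(): sends the
 * tree disconnect when the tree is freed.
 */
static int destroy_tree(struct smbcli_tree *tree)
{
	smb_tree_disconnect(tree);
	return 0;
}

/*
 * Do a tcon, given a session.
 *
 * Performs a TCONX with an empty password to @sharename on @session and
 * hands back the new tree with destroy_tree() installed as destructor,
 * so freeing the tree disconnects it.
 *
 * @param mem_ctx   talloc parent of the returned tree
 * @param session   established session to tcon on
 * @param sharename share to connect to
 * @param res       receives the connected tree on success; untouched on
 *                  failure
 * @return NT_STATUS_OK, NT_STATUS_NO_MEMORY, or the smb_raw_tcon() status
 */
NTSTATUS secondary_tcon(TALLOC_CTX *mem_ctx,
			struct smbcli_session *session,
			const char *sharename,
			struct smbcli_tree **res)
{
	struct smbcli_tree *result;
	TALLOC_CTX *tmp_ctx;
	union smb_tcon tcon;
	NTSTATUS status;

	if (!(tmp_ctx = talloc_new(mem_ctx))) {
		return NT_STATUS_NO_MEMORY;
	}

	if (!(result = smbcli_tree_init(session, mem_ctx, false))) {
		talloc_free(tmp_ctx);
		return NT_STATUS_NO_MEMORY;
	}

	tcon.generic.level = RAW_TCON_TCONX;
	tcon.tconx.in.flags = 0;
	tcon.tconx.in.password = data_blob(NULL, 0);
	tcon.tconx.in.path = sharename;
	tcon.tconx.in.device = "?????";

	status = smb_raw_tcon(result, tmp_ctx, &tcon);
	if (!NT_STATUS_IS_OK(status)) {
		d_printf("(%s) smb_raw_tcon failed: %s\n", __location__,
			 nt_errstr(status));
		/*
		 * The tree never got a tid and has no destructor yet, so
		 * freeing it here only releases memory on mem_ctx.
		 */
		talloc_free(result);
		talloc_free(tmp_ctx);
		return status;
	}

	result->tid = tcon.tconx.out.tid;
	result = talloc_steal(mem_ctx, result);
	talloc_set_destructor(result, destroy_tree);
	talloc_free(tmp_ctx);

	*res = result;
	return NT_STATUS_OK;
}

/*
 * Test the getusername behaviour.
 *
 * Three lsa_GetUserName round trips: on the command-line credentials,
 * on an anonymous connection (expected to come back as S-1-5-7), and on
 * a session set up as a freshly created user "torture_username", whose
 * SID must match the one create_user() reported.
 *
 * Once create_user() has succeeded every failure path jumps to the
 * delete: label so the test account does not outlive the test.
 *
 * @return true if every step passed, false otherwise
 */
bool torture_samba3_rpc_getusername(struct torture_context *torture)
{
	NTSTATUS status;
	struct smbcli_state *cli;
	TALLOC_CTX *mem_ctx;
	bool ret = true;
	struct dom_sid *user_sid;
	struct dom_sid *created_sid;
	struct cli_credentials *anon_creds;
	struct cli_credentials *user_creds;
	char *domain_name;
	struct smbcli_options options;

	if (!(mem_ctx = talloc_new(torture))) {
		return false;
	}

	lp_smbcli_options(torture->lp_ctx, &options);

	/* 1. authenticated connection with the command-line credentials */
	status = smbcli_full_connection(
		mem_ctx, &cli, torture_setting_string(torture, "host", NULL),
		lp_smb_ports(torture->lp_ctx),
		"IPC$", NULL, cmdline_credentials,
		lp_resolve_context(torture->lp_ctx),
		torture->ev, &options);
	if (!NT_STATUS_IS_OK(status)) {
		d_printf("(%s) smbcli_full_connection failed: %s\n",
			 __location__, nt_errstr(status));
		ret = false;
		goto done;
	}

	if (!(user_sid = whoami(mem_ctx, torture->lp_ctx, cli->tree))) {
		d_printf("(%s) whoami on auth'ed connection failed\n",
			 __location__);
		ret = false;
	}

	talloc_free(cli);

	/* 2. anonymous connection; the answer must be the ANONYMOUS SID */
	if (!(anon_creds = cli_credentials_init_anon(mem_ctx))) {
		d_printf("(%s) create_anon_creds failed\n", __location__);
		ret = false;
		goto done;
	}

	status = smbcli_full_connection(
		mem_ctx, &cli, torture_setting_string(torture, "host", NULL),
		lp_smb_ports(torture->lp_ctx),
		"IPC$", NULL, anon_creds,
		lp_resolve_context(torture->lp_ctx),
		torture->ev, &options);
	if (!NT_STATUS_IS_OK(status)) {
		d_printf("(%s) anon smbcli_full_connection failed: %s\n",
			 __location__, nt_errstr(status));
		ret = false;
		goto done;
	}

	if (!(user_sid = whoami(mem_ctx, torture->lp_ctx, cli->tree))) {
		d_printf("(%s) whoami on anon connection failed\n",
			 __location__);
		ret = false;
		goto done;
	}

	if (!dom_sid_equal(user_sid,
			   dom_sid_parse_talloc(mem_ctx, "s-1-5-7"))) {
		d_printf("(%s) Anon lsa_GetUserName returned %s, expected "
			 "S-1-5-7", __location__,
			 dom_sid_string(mem_ctx, user_sid));
		ret = false;
	}

	/* 3. a throw-away user with a random password */
	if (!(user_creds = cli_credentials_init(mem_ctx))) {
		d_printf("(%s) cli_credentials_init failed\n", __location__);
		ret = false;
		goto done;
	}

	cli_credentials_set_conf(user_creds, torture->lp_ctx);
	cli_credentials_set_username(user_creds, "torture_username",
				     CRED_SPECIFIED);
	cli_credentials_set_password(user_creds,
				     generate_random_str(user_creds, 8),
				     CRED_SPECIFIED);

	if (!create_user(mem_ctx, cli, torture->lp_ctx, cmdline_credentials,
			 cli_credentials_get_username(user_creds),
			 cli_credentials_get_password(user_creds),
			 &domain_name, &created_sid)) {
		d_printf("(%s) create_user failed\n", __location__);
		ret = false;
		goto done;
	}

	cli_credentials_set_domain(user_creds, domain_name, CRED_SPECIFIED);

	/* From here on the account exists: fail through delete:, not done: */
	{
		struct smbcli_session *session2;
		struct smb_composite_sesssetup setup;
		struct smbcli_tree *tree;

		session2 = smbcli_session_init(cli->transport, mem_ctx, false);
		if (session2 == NULL) {
			d_printf("(%s) smbcli_session_init failed\n",
				 __location__);
			ret = false;
			goto delete;
		}

		setup.in.sesskey = cli->transport->negotiate.sesskey;
		setup.in.capabilities = cli->transport->negotiate.capabilities;
		setup.in.workgroup = "";
		setup.in.credentials = user_creds;

		status = smb_composite_sesssetup(session2, &setup);
		if (!NT_STATUS_IS_OK(status)) {
			d_printf("(%s) session setup with new user failed: "
				 "%s\n", __location__, nt_errstr(status));
			ret = false;
			goto delete;
		}
		session2->vuid = setup.out.vuid;

		if (!NT_STATUS_IS_OK(secondary_tcon(mem_ctx, session2,
						    "IPC$", &tree))) {
			d_printf("(%s) secondary_tcon failed\n",
				 __location__);
			ret = false;
			goto delete;
		}

		if (!(user_sid = whoami(mem_ctx, torture->lp_ctx, tree))) {
			d_printf("(%s) whoami on user connection failed\n",
				 __location__);
			ret = false;
			goto delete;
		}

		/* user_sid is on mem_ctx, so it survives freeing the tree */
		talloc_free(tree);
	}

	d_printf("Created %s, found %s\n",
		 dom_sid_string(mem_ctx, created_sid),
		 dom_sid_string(mem_ctx, user_sid));

	if (!dom_sid_equal(created_sid, user_sid)) {
		ret = false;
	}

 delete:
	if (!delete_user(cli, torture->lp_ctx, cmdline_credentials,
			 cli_credentials_get_username(user_creds))) {
		d_printf("(%s) delete_user failed\n", __location__);
		ret = false;
	}

 done:
	talloc_free(mem_ctx);
	return ret;
}

/*
 * Run srvsvc_NetShareGetInfo on @sharename for every info level in the
 * table below. A transport failure or a non-OK WERROR at any level
 * fails the test but the remaining levels are still tried.
 *
 * @return true if every level succeeded
 */
static bool test_NetShareGetInfo(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
				 const char *sharename)
{
	NTSTATUS status;
	struct srvsvc_NetShareGetInfo r;
	uint32_t levels[] = { 0, 1, 2, 501, 502, 1004, 1005, 1006, 1007, 1501 };
	size_t i;
	bool ret = true;

	r.in.server_unc = talloc_asprintf(mem_ctx, "\\\\%s",
					  dcerpc_server_name(p));
	r.in.share_name = sharename;

	for (i = 0; i < ARRAY_SIZE(levels); i++) {
		r.in.level = levels[i];
		ZERO_STRUCT(r.out);

		printf("testing NetShareGetInfo level %u on share '%s'\n",
		       r.in.level, r.in.share_name);

		status = dcerpc_srvsvc_NetShareGetInfo(p, mem_ctx, &r);
		if (!NT_STATUS_IS_OK(status)) {
			printf("NetShareGetInfo level %u on share '%s' failed"
			       " - %s\n", r.in.level, r.in.share_name,
			       nt_errstr(status));
			ret = false;
			continue;
		}
		if (!W_ERROR_IS_OK(r.out.result)) {
			printf("NetShareGetInfo level %u on share '%s' failed "
			       "- %s\n", r.in.level, r.in.share_name,
			       win_errstr(r.out.result));
			ret = false;
			continue;
		}
	}

	return ret;
}

/*
 * Run srvsvc_NetShareEnum for every info level in the table below and
 * remember the first share name seen at level 0 in @one_sharename (left
 * untouched if the level-0 reply lists no shares).
 *
 * Note the asymmetry with test_NetShareGetInfo(): a transport failure
 * fails the test, but a non-OK WERROR is only printed — apparently
 * deliberate, since not every level need be supported.
 *
 * @return true if no level failed at the transport level
 */
static bool test_NetShareEnum(struct dcerpc_pipe *p, TALLOC_CTX *mem_ctx,
			      const char **one_sharename)
{
	NTSTATUS status;
	struct srvsvc_NetShareEnum r;
	struct srvsvc_NetShareCtr0 c0;
	uint32_t levels[] = { 0, 1, 2, 501, 502, 1004, 1005, 1006, 1007 };
	size_t i;
	bool ret = true;

	r.in.server_unc = talloc_asprintf(mem_ctx, "\\\\%s",
					  dcerpc_server_name(p));
	r.in.ctr.ctr0 = &c0;
	r.in.ctr.ctr0->count = 0;
	r.in.ctr.ctr0->array = NULL;
	r.in.max_buffer = (uint32_t)-1;
	r.in.resume_handle = NULL;

	for (i = 0; i < ARRAY_SIZE(levels); i++) {
		r.in.level = levels[i];
		ZERO_STRUCT(r.out);

		printf("testing NetShareEnum level %u\n", r.in.level);

		status = dcerpc_srvsvc_NetShareEnum(p, mem_ctx, &r);
		if (!NT_STATUS_IS_OK(status)) {
			printf("NetShareEnum level %u failed - %s\n",
			       r.in.level, nt_errstr(status));
			ret = false;
			continue;
		}
		if (!W_ERROR_IS_OK(r.out.result)) {
			printf("NetShareEnum level %u failed - %s\n",
			       r.in.level, win_errstr(r.out.result));
			continue;
		}

		if (r.in.level == 0) {
			struct srvsvc_NetShareCtr0 *ctr = r.out.ctr.ctr0;
			if (ctr->count > 0) {
				*one_sharename = ctr->array[0].name;
			}
		}
	}

	return ret;
}

/*
 * srvsvc smoke test: bind \pipe\srvsvc over an IPC$ connection, enumerate
 * the shares, and query the first one found with NetShareGetInfo.
 *
 * @return true if enumeration (and, when a share was found, GetInfo) passed
 */
bool torture_samba3_rpc_srvsvc(struct torture_context *torture)
{
	struct dcerpc_pipe *p;
	TALLOC_CTX *mem_ctx;
	bool ret = true;
	const char *sharename = NULL;
	struct smbcli_state *cli;
	NTSTATUS status;

	if (!(mem_ctx = talloc_new(torture))) {
		return false;
	}

	if (!(torture_open_connection_share(
		      mem_ctx, &cli, torture,
		      torture_setting_string(torture, "host", NULL),
		      "IPC$", torture->ev))) {
		talloc_free(mem_ctx);
		return false;
	}

	status = pipe_bind_smb(mem_ctx, torture->lp_ctx, cli->tree,
			       "\\pipe\\srvsvc", &ndr_table_srvsvc, &p);
	if (!NT_STATUS_IS_OK(status)) {
		d_printf("(%s) could not bind to srvsvc pipe: %s\n",
			 __location__, nt_errstr(status));
		ret = false;
		goto done;
	}

	ret &= test_NetShareEnum(p, mem_ctx, &sharename);

	if (sharename == NULL) {
		/* Nothing to query; not treated as a failure */
		printf("did not get sharename\n");
	} else {
		ret &= test_NetShareGetInfo(p, mem_ctx, sharename);
	}

 done:
	talloc_free(mem_ctx);
	return ret;
}

/*
 * Do a ReqChallenge/Auth2 with a random wks name, make sure it returns
 * NT_STATUS_NO_SAM_ACCOUNT
 */
/* … head of torture_samba3_rpc_randomauth2(): the body continues on the next page … */
bool torture_samba3_rpc_randomauth2(struct torture_context *torture)
{
	TALLOC_CTX *mem_ctx;
	struct dcerpc_pipe *net_pipe;
	char *wksname;
	bool result = false;
	NTSTATUS status;
	struct netr_ServerReqChallenge r;
	struct netr_Credential netr_cli_creds;
	struct netr_Credential netr_srv_creds;
	uint32_t negotiate_flags;
	struct netr_ServerAuthenticate2 a;
	struct creds_CredentialState *creds_state;
	struct netr_Credential netr_cred;
	struct samr_Password mach_pw;
	struct smbcli_state *cli;

	if (!(mem_ctx = talloc_new(torture))) {
		d_printf("talloc_new failed\n");
		return false;
	}

	if (!(wksname = generate_random_str_list(
		      mem_ctx, 14, "ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"))) {
		d_printf("generate_random_str_list failed\n");
		goto done;
	}

	if (!(torture_open_connection_share(
		      mem_ctx, &cli, torture,
		      torture_setting_string(torture, "host", NULL),
		      "IPC$", torture->ev))) {
		d_printf("IPC$ connection failed\n");
		goto done;
	}

	if (!(net_pipe = dcerpc_pipe_init(
		      mem_ctx, cli->transport->socket->event.ctx,
		      lp_iconv_convenience(torture->lp_ctx)))) {
		d_printf("dcerpc_pipe_init failed\n");
		goto done;
	}

	status = dcerpc_pipe_open_smb(net_pipe, cli->tree, "\\netlogon");
	if (!NT_STATUS_IS_OK(status)) {
		d_printf("dcerpc_pipe_open_smb failed: %s\n", nt_errstr(status));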