if (protocol[dialect] == "NT LM 0.12") { if (isnull (extended)) { if (password || ntlm_hash) packet = smb_session_setup_andx_ntlm_core (session_key:session_key, login:login, domain:domain, password:password, lm_hash:lm_hash, ntlm_hash:ntlm_hash, mode:mode, challenge:challenge, version:2); else packet = NULL; if (! packet ) { if (onlyv2) return NULL; packet = smb_session_setup_andx_ntlm_core (session_key:session_key, login:login, domain:domain, password:password, lm_hash:lm_hash, ntlm_hash:ntlm_hash, mode:mode, challenge:challenge, version:1); } return packet; } else { if ((extended == 2) && defined_func ("open_sock_kdc") && login && password) { # If Kerberos packet = smb_session_setup_andx_kerberos_core (session_key:session_key, login:login, password:password, host:host, realm:realm, mode:mode); if (!isnull (packet)) return packet; } # If NTLMSSP or if Kerberos failed packet = smb_session_setup_andx_ntlmssp_core (session_key:session_key, login:login, password:password, hash:ntlm_hash, domain:domain, mode:mode); return packet; } }}#---------------------------------------------------------## Function : smb_login ## Description : Negotiate authentication with remote ## host. 
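# Return : Return 1 on success , 0 on failure             #
#---------------------------------------------------------#
#
# Negotiates the SMB dialect with the server (smb_negotiate_protocol),
# parses the NEGOTIATE response and then runs the SESSION_SETUP_ANDX
# exchange through smb_session_setup_andx.
#
# Arguments:
#   login, password, domain : credentials; all may be NULL (null session)
#   lm_hash, ntlm_hash      : pre-computed hashes used instead of a password
#
# Return values actually produced by the code below (the header above
# only lists 1/0):
#   1    - session setup succeeded
#   0    - session setup was refused or no packet could be built
#   NULL - no, short or malformed NEGOTIATE response
#   NT / DOS status code of the NEGOTIATE response when it is not
#          STATUS_SUCCESS / NO_ERROR, or ERROR_BAD_COMMAND when the reply
#          is not a NEGOTIATE. These are non-zero, so a caller must
#          compare the result against 1 instead of testing it for truth.
#
# Everything parsed here comes from the remote server and is untrusted:
# field offsets are only valid once the parameter block is known to be
# long enough, and MaxBufferSize is fed to session_set_buffersize().
function smb_login (login,password,domain,lm_hash,ntlm_hash)
{
 local_var ret, code, flags2, header, parameters, data, unicode, SecurityBlob, ServerGUID;
 local_var DialectIndex, SecurityMode, MaxBufferSize, SessionKey, Capabilities, EncryptionKeyLength, EncryptionKey, Extended;
 local_var realm,host, ext;
 local_var spnego, michlist, DomainName, next, ServerName;

 host = realm = NULL;

 #
 # First step : Protocol negotiation
 #
 # With only an LM hash available the extended-security (NTLMSSP /
 # Kerberos) session setup cannot be used, so ask for a plain negotiation.
 if (isnull(password) && isnull(ntlm_hash) && !isnull(lm_hash))
   ext = FALSE;
 else
   ext = TRUE;

 ret = smb_negotiate_protocol (extended:ext);
 if (!ret)
   return NULL;

 # Some checks in the header first
 header = get_smb_header (smbblob:ret);
 if (!header)
   return NULL;

 # The status field is either a 32-bit NT status or a DOS class/code pair,
 # depending on SMB_FLAGS2_32BIT_STATUS in flags2.
 flags2 = get_header_flags2 (header:header);
 if (flags2 & SMB_FLAGS2_32BIT_STATUS)
 {
  code = get_header_nt_error_code (header:header);
  if (code != STATUS_SUCCESS)
    return code;
 }
 else
 {
  code = get_header_dos_error_code (header:header);
  if (code != NO_ERROR)
    return code;
 }

 code = get_header_command_code (header:header);
 if (code != SMB_COM_NEGOTIATE)
   return ERROR_BAD_COMMAND;

 # We must get unicode or not here
 unicode = flags2 & SMB_FLAGS2_UNICODE_STRINGS;

 # We now parse/take information in SMB parameters
 parameters = get_smb_parameters (smbblob:ret);
 if (!parameters)
   return NULL;

 # Negotiate protocol response parameters
 #
 #   NT LM 0.12 (17 words)         LANMAN2.1 (13 words)
 #   WORD  DialectIndex;           WORD DialectIndex;
 #   BYTE  SecurityMode;           WORD SecurityMode;
 #   WORD  MaxMpxCount;            WORD MaxBufferSize;
 #   WORD  MaxNumberVCs;           WORD MaxMpxCount;
 #   DWORD MaxBufferSize;          BYTE MaxNumberVCs;
 #   DWORD MaxRawSize;             WORD RawMode;
 #   DWORD SessionKey;             DWORD SessionKey;
 #   DWORD Capabilities;           WORD ServerTime;
 #   DWORD SystemTimeLow;          WORD ServerDate;
 #   DWORD SystemTimeHigh;         WORD ServerTimeZone;
 #   WORD  ServerTimeZone;         WORD EncryptionKeyLength;
 #   BYTE  EncryptionKeyLength;    WORD Reserved;
 #   WORD  Reserved;

 # DialectIndex is the server's choice among the dialects we offered.
 DialectIndex = get_word (blob:parameters, pos:0);
 if (DialectIndex > (supported_protocol-1))
 {
  # Bad server's response. Because it asks for an unsupported protocol
  return NULL;
 }

 Extended = NULL;

 if (protocol[DialectIndex] == "NT LM 0.12")
 {
  # The highest offset read below is 33 (EncryptionKeyLength), i.e. the
  # full 17-word (34 byte) block must be present; a shorter reply is
  # malformed and would otherwise yield garbage field values.
  if (strlen(parameters) < 34)
    return NULL;

  SecurityMode = get_byte (blob:parameters, pos:2);
  MaxBufferSize = get_dword (blob:parameters, pos:7);
  SessionKey = get_dword (blob:parameters, pos:15);
  Capabilities = get_dword (blob:parameters, pos:19);
  EncryptionKeyLength = get_byte (blob:parameters, pos:33);

  if (Capabilities & CAP_UNICODE)
    session_set_unicode (unicode:1);
  else
    session_set_unicode (unicode:0);

  # Enable signing as soon as the server enables or requires it.
  if ((SecurityMode & NEGOTIATE_SECURITY_SIGNATURES_REQUIRED) || (SecurityMode & NEGOTIATE_SECURITY_SIGNATURES_ENABLED))
    session_add_flags2 (flag:SMB_FLAGS2_SECURITY_SIGNATURE);

  if (Capabilities & CAP_EXTENDED_SECURITY)
    session_add_flags2 (flag:SMB_FLAGS2_EXTENDED_SECURITY);

  # We now parse/take information in SMB data
  data = get_smb_data (smbblob:ret);
  if (!data)
    return NULL;

  # Negotiate protocol response data for NTLM
  #   BYTE EncryptionKey[];
  #   BYTE DomainName[];     // NULL terminated
  #   BYTE ServerName[];     // NULL terminated
  #
  # With CAP_EXTENDED_SECURITY the data is instead a 16 byte ServerGUID
  # followed by an optional SPNEGO security blob.
  if (Capabilities & CAP_EXTENDED_SECURITY)
  {
   if (strlen(data) < 16)
     return NULL;

   ServerGUID = substr (data, 0, 15);

   # Kerberos is only attempted for a real user/password login and only
   # when the server's SPNEGO blob carries a mechListMIC of the form
   # "host$@REALM"; that server-supplied name is what the KDC request
   # below will be built from.
   if ((strlen (data) > 16) && (login && password))
   {
    SecurityBlob = substr (data, 16, strlen(data) - 1);
    spnego = der_parse_spnego_init (sdata:SecurityBlob);
    if (!isnull (spnego) && (spnego[3] != NULL))
    {
     michlist = spnego[3];
     host = ereg_replace (pattern:"(.*)\$@.*", string:michlist, replace:"\1");
     realm = ereg_replace (pattern:".*\$@(.*)", string:michlist, replace:"\1");
     Extended = 2; # Kerberos
    }
    else
      Extended = 1;
   }
   else
   {
    Extended = 1; # NTLMSSP
    SecurityBlob = NULL;
   }
  }
  else
  {
   # Classic NTLM: an 8 byte challenge followed by domain and server name.
   if (EncryptionKeyLength != 0)
     EncryptionKey = substr (data, 0, 7); # Allways 8 byte length
   else
     EncryptionKey = NULL;

   if (strlen(data) > 8)
     DomainName = get_string (blob:data, pos:8);

   # ServerName starts right after the challenge and the NUL-terminated
   # DomainName (strlen(NULL) is 0 when no DomainName was read).
   next = strlen(DomainName) + null_length();
   next += strlen(EncryptionKey);

   if (next < strlen(data))
     ServerName = get_string (blob:data, pos:next);
  }
 }
 else if (protocol[DialectIndex] == "LANMAN2.1")
 {
  #LANMAN2.1 does not support unicode
  session_set_unicode (unicode:0);

  # The highest offset read below is the word at 21-22, so at least 23
  # bytes of parameters are needed (a well-formed reply has 26).
  if (strlen(parameters) < 23)
    return NULL;

  # NOTE(review): positions 11 and 21 do not match the 13-word layout
  # listed above (SessionKey at 12, EncryptionKeyLength at 22) - confirm
  # against a real LANMAN2.1 server before relying on these two fields.
  SecurityMode = get_word (blob:parameters, pos:2);
  MaxBufferSize = get_word (blob:parameters, pos:4);
  SessionKey = get_dword (blob:parameters, pos:11);
  EncryptionKeyLength = get_word (blob:parameters, pos:21);

  # We now parse/take information in SMB data
  data = get_smb_data (smbblob:ret);
  if (!data)
    return NULL;

  # BYTE EncryptionKey[];
  if (EncryptionKeyLength != 0)
    EncryptionKey = substr (data, 0, 7); # Allways 8 byte length
  else
    EncryptionKey = NULL;
 }
 else
 {
  # Bad server's response. Because it asks for an unsupported protocol
  return NULL;
 }

 # The server-announced maximum buffer size drives our own buffer size;
 # the value is taken as-is from the (untrusted) reply.
 session_set_server_max_size (size:MaxBufferSize);
 if (MaxBufferSize > (session_get_buffersize() - 0x100))
   session_set_buffersize(size:MaxBufferSize+0x100);

 # LM-hash-only logins always go through the classic session setup,
 # whatever the server advertised.
 if (isnull(password) && isnull(ntlm_hash) && !isnull(lm_hash))
   Extended = NULL;

 ret = smb_session_setup_andx (session_key:SessionKey, dialect:DialectIndex, challenge:EncryptionKey, mode:SecurityMode, extended:Extended, login:login, password:password, domain:domain, lm_hash:lm_hash, ntlm_hash:ntlm_hash, host:host, realm:realm);
 if (isnull (ret))
   return 0;
 else
   return 1;
}


#---------------------------------------------------------#
# Function : smb_tree_connect_and_x                       #
# Description : Connects to a remote share                #
#---------------------------------------------------------#
#
# Sends a TREE_CONNECT_ANDX for \\<hostname>\<share> on the current
# session and records the returned TID with session_set_tid().
#
# Argument:
#   share : share name (appended as-is to the UNC path)
#
# Return: the raw response blob on success, NULL when nothing was
# received, the status is not success, or the header cannot be parsed.
function smb_tree_connect_and_x (share)
{
 local_var header, parameters, password, path, service, data, packet, ret, tid;

 header = smb_header (Command: SMB_COM_TREE_CONNECT_ANDX,
                      Status: nt_status (Status: STATUS_SUCCESS));

 parameters = raw_byte (b:255) +  # no further command
              raw_byte (b:0) +
              raw_word (w:0) +
              raw_word (w:0xC) +
              raw_word (w:1);     # strlen (password)

 parameters = smb_parameters (data:parameters);

 # A single NUL: share-level authentication is not implemented, the
 # password is only meaningful on share-level servers.
 password = raw_string (0x00);  # NULL password / To change for share authentication
 path = cstring (string:"\\", _null:1) + cstring (string:session_get_hostname(), _null:1) + cstring (string:"\", _null:1) + cstring (string:share);
 # "?????" lets the server pick the service type.
 service = ascii (string:"?????");

 data = password + path + service;
 data = smb_data (data:data);

 packet = netbios_packet (header:header, parameters:parameters, data:data);

 ret = smb_sendrecv (data:packet);
 if (!ret)
   return NULL;

 if (smb_check_success (data:ret) == FALSE)
   return NULL;

 # Some checks in the header first
 header = get_smb_header (smbblob:ret);
 if (!header)
   return NULL;

 tid = get_header_tid (header:header);
 session_set_tid (tid:tid);

 return ret;
}


#---------------------------------------------------------#
# Function : smb_create_and_x                             #
# Description : Connects to a remote file                 #
#---------------------------------------------------------#
#
# Sends an NT_CREATE_ANDX for 'name' on the currently connected tree.
#
# Arguments:
#   name               : path of the file/pipe, relative to the share
#   desired_access     : access mask
#   flags_attributes   : file attributes
#   share_mode         : share access
#   create_disposition : disposition
#   create_options     : create options
#
# Return: NULL on any failure (no reply, error status, reply parameters
# shorter than 63 bytes); otherwise an array with
#   [0] the FID (word at offset 5 of the reply parameters)
#   [1] the 8 raw bytes at offsets 55..62 of the reply parameters
#       (labelled SIZE by the original author)
function smb_create_and_x (name, desired_access, flags_attributes, share_mode, create_disposition, create_options)
{
 local_var header, parameters, data, packet, ret, pad, filename;

 header = smb_header (Command: SMB_COM_NT_CREATE_ANDX,
                      Status: nt_status (Status: STATUS_SUCCESS));

 # One pad byte keeps the name aligned when the session is in unicode.
 pad = NULL;
 if (session_is_unicode() == 1)
   pad = raw_byte (b:0);

 filename = cstring (string:name);

 parameters = raw_byte (b:255) +   # no further command
              raw_byte (b:0) +
              raw_word (w:0) +
              raw_byte (b:0) +
              raw_word (w:strlen(cstring(string:name,_null:1))) +
              raw_dword (d:0x16) +               # flags to change
              raw_dword (d:0) +                  # root fid
              raw_dword (d:desired_access) +     # access mask
              raw_dword (d:0) + raw_dword (d:0) + # allocation size
              raw_dword (d:flags_attributes) +   # file attributes
              raw_dword (d:share_mode) +         # share access
              raw_dword (d:create_disposition) + # Disposition
              raw_dword (d:create_options) +     # create options
              raw_dword (d:2) +                  # impersonation
              raw_byte (b:3);                    # security flags

 parameters = smb_parameters (data:parameters);

 data = pad + filename;
 data = smb_data (data:data);

 packet = netbios_packet (header:header, parameters:parameters, data:data);

 ret = smb_sendrecv (data:packet);
 if (!ret)
   return NULL;

 if (smb_check_success (data:ret) == FALSE)
   return NULL;

 # The fields used below end at offset 62, hence the 63 byte minimum.
 parameters = get_smb_parameters (smbblob:ret);
 if (!parameters || (strlen(parameters) < 63))
   return NULL;

 ret = NULL;
 ret[0] = get_word (blob:parameters, pos:5);  # FID
 ret[1] = substr (parameters, 55, 62);        # SIZE
 return ret;
}


#---------------------------------------------------------#
# Function : smb_write_and_x                              #
# Description : writes to a remote pipe                   #
#---------------------------------------------------------#
function smb_write_and_x (fid, offset, mode, data)
{
 local_var header, parameters, dat, packet, ret, pad;

 pad = raw_byte (b:0);

 header = smb_header (Command: SMB_COM_WRITE_ANDX,
                      Status: nt_status (Status: STATUS_SUCCESS));

 parameters = raw_byte (b:255) +             # no further command
              raw_byte (b:0) +               # reserved
              raw_word (w:0) +               # andxoffset
              raw_word (w:fid) +             # fid
              raw_dword (d:offset) +         # offset
              raw_dword (d:0xFFFFFFFF) +     # reserved
              raw_word (w:mode) +            # write mode
              raw_word (w:strlen (data)) +   # remaining
              raw_word (w:0) +               # data length high
              raw_word (w:strlen (data)) +   # data length low
              raw_word (w:64) +              # data offset == 64
              raw_dword (d:0) ;              # high offset

 parameters = smb_parameters (data:parameters);

 dat = pad + data;
 dat = smb_data (data:dat);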