Module: Msf::Exploit::Remote::SMB::Server::Share::Command::Negotiate

Included in:

Msf::Exploit::Remote::SMB::Server::Share

Defined in:

lib/msf/core/exploit/remote/smb/server/share/command/negotiate.rb

Instance Method Summary

• #send_negotitate_res(c, opts = {}) ⇒ Integer

  Builds and sends an SMB_COM_CLOSE response.

• #smb_cmd_negotiate(c, buff) ⇒ Integer

  Handles an SMB_COM_NEGOTIATE command, used by the client to initiate an SMB connection between the client and the server.

Instance Method Details

#send_negotitate_res(c, opts = {}) ⇒ Integer

Builds and sends an SMB_COM_CLOSE response.

Parameters:

• c (Socket) —

  The client to answer.

• opts (Hash{Symbol => <String, Integer>}) (defaults to: {}) —

  Response custom values.

Options Hash (opts):

• :dialect (Integer) —

  The index of the dialect selected by the server from the request.

• :security_mode (Integer) —

  Security modes supported or required by the server.

• :max_mpx (Integer) —

  The maximum number of outstanding SMB operations that the server supports.

• :max_vcs (Integer) —

  The maximum number of virtual circuits between the client and the server.

• :max_buff (Integer) —

  Largest SMB message that the server can handle.

• :max_raw (Integer) —

  Max size for SMB_COM_WRITE_RAW requests and SMB_COM_READ_RAW responses.

• :server_time_zone (Integer) —

  The server's time zone.

• :capabilities (Integer) —

  The server capability indicators.

• :key_length (Integer) —

  The challenge length.

• :key (String) —

  The challenge.

Returns:

• (Integer) —

  The number of bytes returned to the client as response.

# File 'lib/msf/core/exploit/remote/smb/server/share/command/negotiate.rb', line 51

def send_negotitate_res(c, opts = {})
  dialect = opts[:dialect] || 0
  security_mode = opts[:security_mode] || 0
  max_mpx = opts[:max_mpx] || 0
  max_vcs = opts[:max_vcs] || 0
  max_buff = opts[:max_buff] || 0
  max_raw = opts[:max_raw] || 0
  server_time_zone = opts[:server_time_zone] || 0
  capabilities = opts[:capabilities] || 0
  key_length = opts[:key_length] || 0
  key = opts[:key] || ''

  pkt = CONST::SMB_NEG_RES_NT_PKT.make_struct
  smb_set_defaults(c, pkt)

  pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_NEGOTIATE
  pkt['Payload']['SMB'].v['Flags1'] = FLAGS
  pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
  pkt['Payload']['SMB'].v['WordCount'] = CONST::SMB_NEGOTIATE_RES_WORD_COUNT
  pkt['Payload'].v['Dialect'] = dialect
  pkt['Payload'].v['SecurityMode'] = security_mode
  pkt['Payload'].v['MaxMPX'] = max_mpx
  pkt['Payload'].v['MaxVCS'] = max_vcs
  pkt['Payload'].v['MaxBuff'] = max_buff
  pkt['Payload'].v['MaxRaw'] = max_raw
  pkt['Payload'].v['SystemTimeLow'] = lo
  pkt['Payload'].v['SystemTimeHigh'] = hi
  pkt['Payload'].v['ServerTimeZone'] = server_time_zone
  pkt['Payload'].v['SessionKey'] = 0
  pkt['Payload'].v['Capabilities'] = capabilities
  pkt['Payload'].v['KeyLength'] = key_length
  pkt['Payload'].v['Payload'] = key

  c.put(pkt.to_s)
end

#smb_cmd_negotiate(c, buff) ⇒ Integer

Handles an SMB_COM_NEGOTIATE command, used by the client to initiate an SMB connection between the client and the server.

Parameters:

• c (Socket) —

  The client sending the request.

• buff (String) —

  The data including the client request.

Returns:

• (Integer) —

  The number of bytes returned to the client as response.

# File 'lib/msf/core/exploit/remote/smb/server/share/command/negotiate.rb', line 15

def smb_cmd_negotiate(c, buff)
  pkt = CONST::SMB_NEG_PKT.make_struct
  pkt.from_s(buff)

  dialects = pkt['Payload'].v['Payload'].gsub(/\x00/, '').split(/\x02/).grep(/^\w+/)
  dialect = dialects.index("NT LM 0.12") || dialects.length-1

  send_negotitate_res(c, {
    dialect: dialect,
    security_mode: CONST::NEG_SECURITY_PASSWORD,
    max_mpx: 50,
    max_vcs: 1,
    max_buff: 4356,
    max_raw: 65536,
    server_time_zone: 0,
    capabilities: CAPABILITIES,
    key_length: 8,
    key: Rex::Text.rand_text_hex(8)
  })
end