Module: Msf::Exploit::Remote::SMB::Server::Share::Command::ReadAndx

Included in:
Msf::Exploit::Remote::SMB::Server::Share
Defined in:
lib/msf/core/exploit/remote/smb/server/share/command/read_andx.rb

Instance Method Details

#send_read_andx_res(c, opts = {}) ⇒ Integer

Builds and sends an SMB_COM_READ_ANDX response.

Parameters:

  • c (Socket)

    The client to answer.

  • opts (Hash{Symbol => <Integer, String>}) (defaults to: {})

    Response custom values.

Options Hash (opts):

  • :data_len_low (Integer)

    The length of the file data sent back.

  • :byte_count (Integer)

    The length of the file data sent back.

  • :data (String)

    The bytes read from the file.

Returns:

  • (Integer)

    The number of bytes returned to the client as response.


# File 'lib/msf/core/exploit/remote/smb/server/share/command/read_andx.rb', line 39

def send_read_andx_res(c, opts = {})
  data_len_low = opts[:data_len_low] || 0
  byte_count = opts[:byte_count] || 0
  data = opts[:data] || ''

  pkt = CONST::SMB_READ_RES_PKT.make_struct
  smb_set_defaults(c, pkt)

  pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_READ_ANDX
  pkt['Payload']['SMB'].v['Flags1'] = FLAGS
  pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
  pkt['Payload']['SMB'].v['WordCount'] = CONST::SMB_READ_ANDX_RES_WORD_COUNT
  pkt['Payload'].v['AndX'] = CONST::SMB_COM_NO_ANDX_COMMAND
  pkt['Payload'].v['Remaining'] = 0xffff
  pkt['Payload'].v['DataLenLow'] = data_len_low
  pkt['Payload'].v['DataOffset'] = CONST::SMB_READ_RES_HDR_PKT_LENGTH
  pkt['Payload'].v['DataLenHigh'] = 0
  pkt['Payload'].v['Reserved3'] = 0
  pkt['Payload'].v['Reserved4'] = 0x0a
  pkt['Payload'].v['ByteCount'] = byte_count
  pkt['Payload'].v['Payload'] = data
  c.put(pkt.to_s)
end

#smb_cmd_read_andx(c, buff) ⇒ Integer

Handles an SMB_COM_READ_ANDX command, used by the client to read data from a file.

Parameters:

  • c (Socket)

    The client sending the request.

  • buff (String)

    The data including the client request.

Returns:

  • (Integer)

    The number of bytes returned to the client as response.


# File 'lib/msf/core/exploit/remote/smb/server/share/command/read_andx.rb', line 15

def smb_cmd_read_andx(c, buff)
  pkt = CONST::SMB_READ_PKT.make_struct
  pkt.from_s(buff)

  offset = pkt['Payload'].v['Offset']
  length = pkt['Payload'].v['MaxCountLow']

  contents = get_file_contents(client: c)

  send_read_andx_res(c, {
    data_len_low: length,
    byte_count: length,
    data: contents[offset, length]
  })
end
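
The handler above passes the requested length as data_len_low and byte_count, while data is contents[offset, length], which is shorter (or nil, replaced by '') when the read reaches the end of the file. The following added example, which is not Metasploit code, derives both length fields from the bytes actually returned and replays a chunked read against it; read_window, read_whole_file and SAMPLE are hypothetical names, and only the option keys come from send_read_andx_res.

```ruby
# Added example, not part of read_andx.rb. Helper names are hypothetical;
# the option keys are the ones send_read_andx_res accepts.

# Builds the opts hash for one read, with the length fields taken from the
# bytes actually available instead of from the requested length.
def read_window(contents, offset, length)
  # byteslice counts bytes (String#[] counts characters on non-binary strings).
  # It returns '' when offset equals the size and nil when offset is past it.
  data = (contents.byteslice(offset, length) || '').b
  { data_len_low: data.bytesize, byte_count: data.bytesize, data: data }
end

# Simulates a client reading a file in fixed-size chunks at increasing
# offsets, stopping at the first short read (fewer bytes than requested).
def read_whole_file(contents, chunk)
  raise ArgumentError, 'chunk must be positive' unless chunk.positive?

  out = ''.b
  offset = 0
  loop do
    res = read_window(contents, offset, chunk)
    out << res[:data]
    offset += res[:data_len_low]
    break if res[:data_len_low] < chunk
  end
  out
end

# Constructed sample: 10 bytes standing in for the shared file's contents.
SAMPLE = 'ABCDEFGHIJ'.b

if __FILE__ == $PROGRAM_NAME
  p read_window(SAMPLE, 0, 4)   # full chunk
  p read_window(SAMPLE, 8, 4)   # tail of the file, short read
  p read_window(SAMPLE, 11, 4)  # offset past the end, empty read
  p read_whole_file(SAMPLE, 4)
end
```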