Module: Msf::Exploit::Remote::SMB::Server::Share::Command::ReadAndx

Included in:: Msf::Exploit::Remote::SMB::Server::Share

Defined in:: lib/msf/core/exploit/remote/smb/server/share/command/read_andx.rb

Instance Method Summary collapse

#send_read_andx_res(c, opts = {}) ⇒ Integer

Builds and sends an SMB_COM_NT_CREATE_ANDX response.
#smb_cmd_read_andx(c, buff) ⇒ Integer

Handles an SMB_COM_READ_ANDX command, used by the client to read data from a file.

Instance Method Details

#send_read_andx_res(c, opts = {}) ⇒ `Integer`

Builds and sends an SMB_COM_NT_CREATE_ANDX response.

Parameters:

c (Socket) —

The client to answer.
opts (Hash{Symbol => <Integer, String>}) (defaults to: {}) —

Response custom values.

Options Hash (opts):

:data_len_low (Integer) —

The length of the file data sent back.
:byte_count (Integer) —

The length of the file data sent back.
:data (String) —

The bytes read from the file.

Returns:

(Integer) —

The number of bytes returned to the client as response.

# File 'lib/msf/core/exploit/remote/smb/server/share/command/read_andx.rb', line 39

def send_read_andx_res(c, opts = {})
  data_len_low = opts[:data_len_low] || 0
  byte_count = opts[:byte_count] || 0
  data = opts[:data] || ''

  pkt = CONST::SMB_READ_RES_PKT.make_struct
  smb_set_defaults(c, pkt)

  pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_READ_ANDX
  pkt['Payload']['SMB'].v['Flags1'] = FLAGS
  pkt['Payload']['SMB'].v['Flags2'] = FLAGS2
  pkt['Payload']['SMB'].v['WordCount'] = CONST::SMB_READ_ANDX_RES_WORD_COUNT
  pkt['Payload'].v['AndX'] = CONST::SMB_COM_NO_ANDX_COMMAND
  pkt['Payload'].v['Remaining'] = 0xffff
  pkt['Payload'].v['DataLenLow'] = data_len_low
  pkt['Payload'].v['DataOffset'] = CONST::SMB_READ_RES_HDR_PKT_LENGTH
  pkt['Payload'].v['DataLenHigh'] = 0
  pkt['Payload'].v['Reserved3'] = 0
  pkt['Payload'].v['Reserved4'] = 0x0a
  pkt['Payload'].v['ByteCount'] = byte_count
  pkt['Payload'].v['Payload'] = data
  c.put(pkt.to_s)
end

#smb_cmd_read_andx(c, buff) ⇒ `Integer`

Handles an SMB_COM_READ_ANDX command, used by the client to read data from a file.

Parameters:

c (Socket) —

The client sending the request.
buff (String) —

The data including the client request.

Returns:

(Integer) —

The number of bytes returned to the client as response.

# File 'lib/msf/core/exploit/remote/smb/server/share/command/read_andx.rb', line 15

def smb_cmd_read_andx(c, buff)
  pkt = CONST::SMB_READ_PKT.make_struct
  pkt.from_s(buff)

  offset = pkt['Payload'].v['Offset']
  length = pkt['Payload'].v['MaxCountLow']

  contents = get_file_contents(client: c)

  send_read_andx_res(c, {
    data_len_low: length,
    byte_count: length,
    data: contents[offset, length]
  })
end

Module: Msf::Exploit::Remote::SMB::Server::Share::Command::ReadAndx

Instance Method Summary collapse

Instance Method Details

#send_read_andx_res(c, opts = {}) ⇒ Integer

#smb_cmd_read_andx(c, buff) ⇒ Integer

#send_read_andx_res(c, opts = {}) ⇒ `Integer`

#smb_cmd_read_andx(c, buff) ⇒ `Integer`