Class: Rex::Proto::DCERPC::Response

Inherits:
Object
  • Object
show all
Defined in:
lib/rex/proto/dcerpc/response.rb

Constant Summary collapse

FLAG_FIRST_FRAG =
1 << 0
FLAG_LAST_FRAG =
1 << 1

Instance Attribute Summary collapse

Instance Method Summary collapse

Constructor Details

#initialize(data) ⇒ Response

Create a new DCERPC::Response object This can be initialized in two ways: 1) Call .new() with the first 10 bytes of packet, then call parse on the rest 2) Call .new() with the full packet contents



23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
# File 'lib/rex/proto/dcerpc/response.rb', line 23

def initialize(data)

  self.ack_result = []
  self.ack_reason = []
  self.ack_xfer_syntax_uuid = []
  self.ack_xfer_syntax_vers = []

  if (! data or data.length < 10)
    raise Rex::Proto::DCERPC::Exceptions::InvalidPacket, 'DCERPC response packet is incomplete'
  end

  if (data.length == 10)
    self.frag_len = data[8,2].unpack('v')[0]
    self.raw = data
  end

  if (data.length > 10)
    self.raw = data
    self.parse
  end
end

Instance Attribute Details

#ack_reasonObject

Returns the value of attribute ack_reason.



12
13
14
# File 'lib/rex/proto/dcerpc/response.rb', line 12

def ack_reason
  @ack_reason
end

#ack_resultObject

Returns the value of attribute ack_result.



12
13
14
# File 'lib/rex/proto/dcerpc/response.rb', line 12

def ack_result
  @ack_result
end

#ack_xfer_syntax_uuidObject

Returns the value of attribute ack_xfer_syntax_uuid.



12
13
14
# File 'lib/rex/proto/dcerpc/response.rb', line 12

def ack_xfer_syntax_uuid
  @ack_xfer_syntax_uuid
end

#ack_xfer_syntax_versObject

Returns the value of attribute ack_xfer_syntax_vers.



12
13
14
# File 'lib/rex/proto/dcerpc/response.rb', line 12

def ack_xfer_syntax_vers
  @ack_xfer_syntax_vers
end

#alloc_hintObject

Returns the value of attribute alloc_hint.



13
14
15
# File 'lib/rex/proto/dcerpc/response.rb', line 13

def alloc_hint
  @alloc_hint
end

#assoc_groupObject

Returns the value of attribute assoc_group.



10
11
12
# File 'lib/rex/proto/dcerpc/response.rb', line 10

def assoc_group
  @assoc_group
end

#auth_lenObject

Returns the value of attribute auth_len.



8
9
10
# File 'lib/rex/proto/dcerpc/response.rb', line 8

def auth_len
  @auth_len
end

#call_idObject

Returns the value of attribute call_id.



9
10
11
# File 'lib/rex/proto/dcerpc/response.rb', line 9

def call_id
  @call_id
end

#cancel_cntObject

Returns the value of attribute cancel_cnt.



13
14
15
# File 'lib/rex/proto/dcerpc/response.rb', line 13

def cancel_cnt
  @cancel_cnt
end

#context_idObject

Returns the value of attribute context_id.



13
14
15
# File 'lib/rex/proto/dcerpc/response.rb', line 13

def context_id
  @context_id
end

#data_repObject

Returns the value of attribute data_rep.



9
10
11
# File 'lib/rex/proto/dcerpc/response.rb', line 9

def data_rep
  @data_rep
end

#flagsObject

Returns the value of attribute flags.



9
10
11
# File 'lib/rex/proto/dcerpc/response.rb', line 9

def flags
  @flags
end

#frag_lenObject

Returns the value of attribute frag_len.



8
9
10
# File 'lib/rex/proto/dcerpc/response.rb', line 8

def frag_len
  @frag_len
end

#max_frag_recvObject

Returns the value of attribute max_frag_recv.



9
10
11
# File 'lib/rex/proto/dcerpc/response.rb', line 9

def max_frag_recv
  @max_frag_recv
end

#max_frag_xmitObject

Returns the value of attribute max_frag_xmit.



9
10
11
# File 'lib/rex/proto/dcerpc/response.rb', line 9

def max_frag_xmit
  @max_frag_xmit
end

#nack_reasonObject

Returns the value of attribute nack_reason.



11
12
13
# File 'lib/rex/proto/dcerpc/response.rb', line 11

def nack_reason
  @nack_reason
end

#num_resultsObject

Returns the value of attribute num_results.



10
11
12
# File 'lib/rex/proto/dcerpc/response.rb', line 10

def num_results
  @num_results
end

#rawObject

Returns the value of attribute raw.



14
15
16
# File 'lib/rex/proto/dcerpc/response.rb', line 14

def raw
  @raw
end

#sec_addrObject

Returns the value of attribute sec_addr.



10
11
12
# File 'lib/rex/proto/dcerpc/response.rb', line 10

def sec_addr
  @sec_addr
end

#sec_addr_lenObject

Returns the value of attribute sec_addr_len.



10
11
12
# File 'lib/rex/proto/dcerpc/response.rb', line 10

def sec_addr_len
  @sec_addr_len
end

#statusObject

Returns the value of attribute status.



13
14
15
# File 'lib/rex/proto/dcerpc/response.rb', line 13

def status
  @status
end

#stub_dataObject

Returns the value of attribute stub_data.



13
14
15
# File 'lib/rex/proto/dcerpc/response.rb', line 13

def stub_data
  @stub_data
end

#typeObject

Returns the value of attribute type.



8
9
10
# File 'lib/rex/proto/dcerpc/response.rb', line 8

def type
  @type
end

#vers_majorObject

Returns the value of attribute vers_major.



8
9
10
# File 'lib/rex/proto/dcerpc/response.rb', line 8

def vers_major
  @vers_major
end

#vers_minorObject

Returns the value of attribute vers_minor.



8
9
10
# File 'lib/rex/proto/dcerpc/response.rb', line 8

def vers_minor
  @vers_minor
end

#xfer_syntax_uuidObject

Returns the value of attribute xfer_syntax_uuid.



11
12
13
# File 'lib/rex/proto/dcerpc/response.rb', line 11

def xfer_syntax_uuid
  @xfer_syntax_uuid
end

#xfer_syntax_versObject

Returns the value of attribute xfer_syntax_vers.



11
12
13
# File 'lib/rex/proto/dcerpc/response.rb', line 11

def xfer_syntax_vers
  @xfer_syntax_vers
end

Instance Method Details

#parse(body = '') ⇒ Object

Parse the contents of a DCERPC response packet and fill out all the fields



46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
# File 'lib/rex/proto/dcerpc/response.rb', line 46

def parse(body = '')
  self.raw = self.raw + body
  self.type = self.raw[2,1].unpack('C')[0]

  uuid = Rex::Proto::DCERPC::UUID
  data = self.raw

  if(not data)
    raise Rex::Proto::DCERPC::Exceptions::InvalidPacket, 'DCERPC response packet is incomplete'
  end

  # BIND_ACK == 12, ALTER_CONTEXT_RESP == 15
  if (self.type == 12 or self.type == 15)

    # Decode most of the DCERPC header
    self.vers_major,
    self.vers_minor,
    trash,
    self.flags,
    self.data_rep,
    self.frag_len,
    self.auth_len,
    self.call_id,
    self.max_frag_xmit,
    self.max_frag_recv,
    self.assoc_group,
    self.sec_addr_len = data.unpack('CCCCNvvVvvVv')


    if(not self.frag_len or data.length < self.frag_len)
      raise Rex::Proto::DCERPC::Exceptions::InvalidPacket, 'DCERPC response packet is incomplete'
    end

    # Keep an offset into the packet handy
    x = 0

    # XXX This is still somewhat broken (4 digit ports)
    self.sec_addr = data[26, self.sec_addr_len]

    # Move the pointer into the packet forward
    x += 26 + self.sec_addr_len

    # Align the pointer on a dword boundary
    while (x % 4 != 0)
      x += 1
    end

    # Figure out how many results we have (multiple-context binds)
    self.num_results = data[ x, 4 ].unpack('V')[0]

    # Move the pointer to the ack_result[0] offset
    x += 4

    # Initialize the ack_result index
    ack = 0

    # Scan through all results and add them to the result arrays
    while ack < self.num_results
      self.ack_result[ack] = data[ x + 0, 2 ].unpack('v')[0]
      self.ack_reason[ack] = data[ x + 2, 2 ].unpack('v')[0]
      self.ack_xfer_syntax_uuid[ack] = uuid.uuid_unpack(data[ x + 4, 16 ])
      self.ack_xfer_syntax_vers[ack] = data[ x + 20, 4 ].unpack('V')[0]
      x += 24
      ack += 1
    end

    # End of BIND_ACK || ALTER_CONTEXT_RESP
  end

  # BIND_NACK == 13
  if (self.type == 13)

    # Decode most of the DCERPC header
    self.vers_major,
    self.vers_minor,
    trash,
    self.flags,
    self.data_rep,
    self.frag_len,
    self.auth_len,
    self.call_id,
    self.nack_reason = data.unpack('CCCCNvvVv')
  end

  # RESPONSE == 2
  if (self.type == 2)

    # Decode the DCERPC response header
    self.vers_major,
    self.vers_minor,
    trash,
    self.flags,
    self.data_rep,
    self.frag_len,
    self.auth_len,
    self.call_id,
    self.alloc_hint,
    self.context_id,
    self.cancel_cnt = data.unpack('CCCCNvvVVvC')

    stub_offset = 24
    # Error out if the whole header was not read
    if !(self.alloc_hint and self.context_id and self.cancel_cnt)
      raise Rex::Proto::DCERPC::Exceptions::InvalidPacket, 'DCERPC response packet is incomplete'
    end

    # Put the application data into self.stub_data
    self.stub_data = data[stub_offset..self.frag_len - self.auth_len]
    # End of RESPONSE
  end

  # FAULT == 3
  if (self.type == 3)

    # Decode the DCERPC response header
    self.vers_major,
    self.vers_minor,
    trash,
    self.flags,
    self.data_rep,
    self.frag_len,
    self.auth_len,
    self.call_id,
    self.alloc_hint,
    self.context_id,
    self.cancel_cnt,
    trash,
    self.status = data.unpack('CCCCNvvVVvCCV')

    # Put the application data into self.stub_data
    self.stub_data = data[data.length - self.alloc_hint, 0xffff]
    # End of FAULT
  end

end