smb_file *smb_session_file_remove(smb_session *s, smb_fd fd)
{
smb_share *share;
smb_file *iter, *keep;
assert(s != NULL && fd);
if ((share = smb_session_share_get(s, SMB_FD_TID(fd))) == NULL)
return (NULL);
iter = share->files;
if (iter == NULL)
return (NULL);
if (iter->fid == SMB_FD_FID(fd))
{
share->files = iter->next;
return (iter);
}
while(iter->next != NULL && iter->next->fid != SMB_FD_TID(fd))
iter = iter->next;
if (iter->next != NULL)
{
keep = iter->next;
iter->next = iter->next->next;
return (keep);
}
else
return (NULL);
}
smb_file *smb_session_file_get(smb_session *s, smb_fd fd)
{
smb_share *share;
smb_file *iter;
assert(s != NULL && fd);
if ((share = smb_session_share_get(s, SMB_FD_TID(fd))) == NULL)
return (NULL);
iter = share->files;
while(iter != NULL && iter->fid != SMB_FD_FID(fd))
iter = iter->next;
return (iter);
}
void smb_fclose(smb_session *s, smb_fd fd)
{
smb_file *file;
smb_message *msg;
smb_close_req req;
assert(s != NULL);
if (!fd)
return;
// XXX Memory leak, destroy the file after removing it
if ((file = smb_session_file_remove(s, fd)) == NULL)
return;
msg = smb_message_new(SMB_CMD_CLOSE);
if (!msg) {
free(file->name);
free(file);
return;
}
msg->packet->header.tid = SMB_FD_TID(fd);
SMB_MSG_INIT_PKT(req);
req.wct = 3;
req.fid = SMB_FD_FID(fd);
req.last_write = ~0;
req.bct = 0;
SMB_MSG_PUT_PKT(msg, req);
// We don't check for succes or failure, since we actually don't really
// care about creating a potentiel leak server side.
smb_session_send_msg(s, msg);
smb_session_recv_msg(s, 0);
smb_message_destroy(msg);
free(file->name);
free(file);
}
// We should normally implement SCERPC and SRVSVC to perform a share list. But
// since these two protocols have no other use for us, we'll do it the trash way
// PS: Worst function _EVER_. I don't understand a bit myself
int smb_share_get_list(smb_session *s, smb_share_list *list, size_t *pcount)
{
smb_message *req, resp;
smb_trans_req trans;
smb_tid ipc_tid;
smb_fd srvscv_fd;
uint16_t rpc_len;
size_t res, frag_len_cursor;
ssize_t count;
int ret;
assert(s != NULL && list != NULL);
if(s != NULL && list != NULL) {
*list = NULL;
if ((ret = smb_tree_connect(s, "IPC$", &ipc_tid)) != DSM_SUCCESS)
return ret;
if ((ret = smb_fopen(s, ipc_tid, "\\srvsvc", SMB_MOD_READ | SMB_MOD_WRITE,
&srvscv_fd)) != DSM_SUCCESS)
return ret;
//// Phase 1:
// We bind a context or whatever for DCE/RPC
req = smb_message_new(SMD_CMD_TRANS);
if (!req)
{
ret = DSM_ERROR_GENERIC;
goto error;
}
req->packet->header.tid = ipc_tid;
rpc_len = 0xffff;
SMB_MSG_INIT_PKT(trans);
trans.wct = 16;
trans.total_data_count = 72;
trans.max_data_count = rpc_len;
trans.param_offset = 84;
trans.data_count = 72;
trans.data_offset = 84;
trans.setup_count = 2;
trans.pipe_function = 0x26;
trans.fid = SMB_FD_FID(srvscv_fd);
trans.bct = 89;
SMB_MSG_PUT_PKT(req, trans);
smb_message_put8(req, 0); // Padding
smb_message_put_utf16(req, "\\PIPE\\", strlen("\\PIPE\\") + 1);
smb_message_put16(req, 0); // Padding to be aligned with wtf boundary :-/
// Now we'll 'build' the DCE/RPC Packet. This basically a copycat
// from wireshark values.
smb_message_put8(req, 5); // version major
smb_message_put8(req, 0); // minor
smb_message_put8(req, 0x0b); // Packet type = 'bind'
smb_message_put8(req, 0x03); // Packet flags = ??
smb_message_put32(req, 0x10); // Representation = little endian/ASCII. Damn
smb_message_put16(req, 72); // Data len again
smb_message_put16(req, 0); // Auth len ?
smb_message_put32(req, 19); // Call ID ?
smb_message_put16(req, rpc_len); // Max Xmit size
smb_message_put16(req, rpc_len); // Max Recv size
smb_message_put32(req, 0); // Assoc group ?
smb_message_put32(req, 1); // Num Ctx Item
// Adding the CtxItem, whatever could that be
smb_message_put16(req, 0); // ContextID
smb_message_put16(req, 1); // Num Trans Item
// SRVSVC UUID
const uint8_t uuid_e[8] = {0x12, 0x78, 0x5a, 0x47, 0xbf, 0x6e, 0xe1, 0x88};
smb_message_put_uuid(req, 0x4b324fc8, 0x1670, 0x01d3, uuid_e);
smb_message_put16(req, 3); // Version
smb_message_put16(req, 0); // Minor
// Another UUID
const uint8_t uuid_e2[8] = {0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60};
smb_message_put_uuid(req, 0x8a885d04, 0x1ceb, 0x11c9, uuid_e2);
smb_message_put32(req, 2); // Another version
// Let's send this ugly pile of shit over the network !
res = smb_session_send_msg(s, req);
smb_message_destroy(req);
if (!res)
{
ret = DSM_ERROR_NETWORK;
goto error;
}
// Is the server throwing pile of shit back at me ?
res = smb_session_recv_msg(s, &resp);
if (!res || resp.packet->payload[68])
{
BDSM_dbg("Bind call failed: 0x%hhx (reason = 0x%hhx)\n",
resp.packet->payload[68], resp.packet->payload[70]);
ret = DSM_ERROR_NETWORK;
goto error;
}
//// Phase 2:
// Now we have the 'bind' done (regarless of what it is), we'll call
// NetShareEnumAll
req = smb_message_new(SMD_CMD_TRANS);
if (!req)
{
ret = DSM_ERROR_GENERIC;
goto error;
}
req->packet->header.tid = ipc_tid;
// this struct will be set at the end when we know the data size
SMB_MSG_ADVANCE_PKT(req, smb_trans_req);
smb_message_put8(req, 0); // Padding
smb_message_put_utf16(req, "\\PIPE\\", strlen("\\PIPE\\") + 1);
smb_message_put16(req, 0); // Padding
// Now we'll 'build' the DCE/RPC Packet. This basically a copycat
// from wireshark values.
smb_message_put8(req, 5); // version major
smb_message_put8(req, 0); // minor
smb_message_put8(req, 0); // Packet type = 'request'
smb_message_put8(req, 0x03); // Packet flags = ??
smb_message_put32(req, 0x10); // Representation = little endian/ASCII. Damn
// Let's save the cursor here to update that later
frag_len_cursor = req->cursor;
smb_message_put16(req, 0); // Data len again (frag length)
smb_message_put16(req, 0); // Auth len ?
smb_message_put32(req, 12); // Call ID ?
smb_message_put32(req, 64); // Alloc hint ?
smb_message_put16(req, 0); // Context ID ?
smb_message_put16(req, 15); // OpNum = NetShareEnumAll
// Pointer to server UNC
smb_message_put32(req, 0x00020000); // Referent ID ?
smb_message_put32(req, strlen(s->srv.name) + 1); // Max count
smb_message_put32(req, 0); // Offset
smb_message_put32(req, strlen(s->srv.name) + 1); // Actual count
// The server name, supposed to be downcased
smb_message_put_utf16(req, s->srv.name, strlen(s->srv.name) + 1);
if ((strlen(s->srv.name) % 2) == 0) // It won't be aligned with the terminating byte
smb_message_put16(req, 0);
smb_message_put32(req, 1); // Level 1 ?
smb_message_put32(req, 1); // Ctr ?
smb_message_put32(req, 0x00020004); // Referent ID ?
smb_message_put64(req, 0); // Count/Null Pointer to NetShareInfo1
smb_message_put32(req, 0xffffffff); // Max Buffer (0xffffffff required by smbX)
smb_message_put32(req, 0x00020008); // Referent ID ?
smb_message_put32(req, 0); // Resume ?
// fill trans pkt at the end since we know the size at the end
SMB_MSG_INIT_PKT(trans);
trans.wct = 16;
trans.max_data_count = 4280;
trans.setup_count = 2;
trans.pipe_function = 0x26; // TransactNmPipe;
trans.fid = SMB_FD_FID(srvscv_fd);
trans.bct = req->cursor - sizeof(smb_trans_req);
trans.data_count = trans.bct - 17; // 17 -> padding + \PIPE\ + padding
trans.total_data_count = trans.data_count;
trans.data_offset = 84;
trans.param_offset = 84;
// but insert it at the begining
SMB_MSG_INSERT_PKT(req, 0, trans);
req->packet->payload[frag_len_cursor] = trans.data_count; // (data_count SHOULD stay < 256)
// Let's send this ugly pile of shit over the network !
res = smb_session_send_msg(s, req);
smb_message_destroy(req);
if (!res)
{
ret = DSM_ERROR_NETWORK;
goto error;
}
// Is the server throwing pile of shit back at me ?
res = smb_session_recv_msg(s, &resp);
if (!res && (uint32_t)resp.packet->payload[resp.payload_size - 4])
{
BDSM_dbg("NetShareEnumAll call failed.\n");
ret = DSM_ERROR_NETWORK;
goto error;
}
//// Phase 3
// We parse the list of Share (finally !) and build function response
count = smb_share_parse_enum(&resp, list);
if (count == -1)
{
ret = DSM_ERROR_GENERIC;
goto error;
}
if (pcount != NULL)
*pcount = count;
ret = DSM_SUCCESS;
error:
// Close the pipe
smb_fclose(s, srvscv_fd);
return ret;
}
ret = DSM_ERROR_GENERIC;
}