int smbbuffergetstring(SmbBuffer *b, SmbHeader *h, ulong flags, char **sp) { if (flags & SMB_STRING_UNICODE) return smbbuffergetucs2(b, flags, sp); else if (flags & SMB_STRING_ASCII) return smbbuffergetstr(b, flags, sp); else if (h->flags2 & SMB_FLAGS2_UNICODE) return smbbuffergetucs2(b, flags, sp); else return smbbuffergetstr(b, flags, sp); }
static SmbProcessResult netserverenum2(SmbBuffer *inparam, SmbBuffer *outparam, SmbBuffer *outdata) { uint16_t level, rbl; char *domain; uint32_t servertype; SmbProcessResult pr; SmbServerInfo *si[3]; SmbServerInfo domainsi; int entries; /* WrLehDz * ushort sLevel, RCVBUF pbBuffer, RCVBUFLEN cbBuffer, ENTCOUNT pcEntriesRead, ushort *pcTotalAvail, * ulong fServerType, char *pszDomain */ if (!smbbuffergets(inparam, &level) || !smbbuffergets(inparam, &rbl) || !smbbuffergetl(inparam, &servertype) || !smbbuffergetstr(inparam, 0, &domain)) { fmtfail: pr = SmbProcessResultFormat; goto done; } smblogprintif(smbglobals.log.rap2, "netserverenum2(%lud, %lud, 0x%.8lux, %s)\n", level, smbbufferwritespace(outdata), servertype, domain); if (level > 1) goto fmtfail; if (servertype == 0xffffffff) servertype &= ~(SV_TYPE_DOMAIN_ENUM | SV_TYPE_LOCAL_LIST_ONLY); if ((servertype & SV_TYPE_LOCAL_LIST_ONLY) != 0 && (servertype & SV_TYPE_DOMAIN_ENUM) == 0) servertype = SV_TYPE_ALL & ~(SV_TYPE_DOMAIN_ENUM); entries = 0; if ((servertype & SV_TYPE_SERVER) != 0 && (domain[0] == 0 || cistrcmp(domain, smbglobals.primarydomain) == 0)) { si[entries++] = &smbglobals.serverinfo; } if ((servertype & SV_TYPE_DOMAIN_ENUM) != 0) { /* there's only one that I know about */ memset(&domainsi, 0, sizeof(domainsi)); domainsi.name = smbglobals.primarydomain; domainsi.stype = SV_TYPE_DOMAIN_ENUM; si[entries++] = &domainsi; } si[entries] = 0; pr = thingfill(outparam, outdata, &serverinfo, level, si); done: free(domain); return pr; }
SmbProcessResult smbnegotiate(SmbSession *s, SmbHeader *h, uchar *, SmbBuffer *b) { ushort index; int i; uchar bufferformat; if (!smbcheckwordcount("negotiate", h, 0)) return SmbProcessResultFormat; if (s->state != SmbSessionNeedNegotiate) { /* this acts as a complete session reset */ smblogprint(-1, "smbnegotiate: called when already negotiated\n"); return SmbProcessResultUnimp; } i = 0; index = 0xffff; while (smbbuffergetb(b, &bufferformat)) { char *s; if (bufferformat != 0x02) { smblogprint(-1, "smbnegotiate: unrecognised buffer format 0x%.2ux\n", bufferformat); return SmbProcessResultFormat; } if (!smbbuffergetstr(b, 0, &s)) { smblogprint(-1, "smbnegotiate: no null found\n"); return SmbProcessResultFormat; } smblogprint(h->command, "smbnegotiate: '%s'\n", s); if (index == 0xffff && strcmp(s, "NT LM 0.12") == 0) index = i; i++; free(s); } if (index != 0xffff) { Tm *tm; ulong capabilities; ulong bytecountfixupoffset; h->wordcount = 17; if (!smbbufferputheader(s->response, h, nil) || !smbbufferputs(s->response, index) || !smbbufferputb(s->response, 3) /* user security, encrypted */ || !smbbufferputs(s->response, 1) /* max mux */ || !smbbufferputs(s->response, 1) /* max vc */ || !smbbufferputl(s->response, smbglobals.maxreceive) /* max buffer size */ || !smbbufferputl(s->response, 0x10000) /* max raw */ || !smbbufferputl(s->response, threadid())) /* session key */ goto die; /* <= Win2k insist upon this being set to ensure that they observe the prototol (!) */ capabilities = CAP_NT_SMBS; if (smbglobals.unicode) capabilities |= CAP_UNICODE; tm = localtime(time(nil)); s->tzoff = tm->tzoff; if (!smbbufferputl(s->response, capabilities) || !smbbufferputv(s->response, nsec() / 100 + (vlong)10000000 * 11644473600LL) || !smbbufferputs(s->response, -s->tzoff / 60) || !smbbufferputb(s->response, 8)) /* crypt len */ goto die; bytecountfixupoffset = smbbufferwriteoffset(s->response); if (!smbbufferputs(s->response, 0)) goto die; s->cs = auth_challenge("proto=mschap role=server"); if (s->cs == nil) { smblogprint(h->command, "smbnegotiate: couldn't get mschap challenge\n"); return SmbProcessResultMisc; } if (s->cs->nchal != 8) { smblogprint(h->command, "smbnegotiate: nchal %d\n", s->cs->nchal); return SmbProcessResultMisc; } if (!smbbufferputbytes(s->response, s->cs->chal, s->cs->nchal) || !smbbufferputstring(s->response, nil, SMB_STRING_UNICODE, smbglobals.primarydomain) || !smbbufferfixuprelatives(s->response, bytecountfixupoffset)) goto die; } else { h->wordcount = 1; if (!smbbufferputheader(s->response, h, nil) || !smbbufferputs(s->response, index) || !smbbufferputs(s->response, 0)) goto die; } s->state = SmbSessionNeedSetup; return SmbProcessResultReply; die: return SmbProcessResultDie; }
SmbProcessResult smbcomtreeconnectandx(SmbSession *s, SmbHeader *h, uint8_t *pdata, SmbBuffer *b) { uint8_t andxcommand; uint16_t andxoffset; char *path = nil; char *service = nil; uint16_t flags; uint16_t passwordlength; // ushort bytecount; uint8_t errclass; uint16_t error; SmbService *serv; SmbTree *tree; uint32_t andxfixupoffset, bytecountfixup; SmbProcessResult pr; if (!smbcheckwordcount("comtreeconnectandx", h, 4)) { fmtfail: pr = SmbProcessResultFormat; goto done; } switch (s->state) { case SmbSessionNeedNegotiate: smblogprint(-1, "smbcomtreeconnectandx: called when negotiate expected\n"); return SmbProcessResultUnimp; case SmbSessionNeedSetup: smbseterror(s, ERRDOS, ERRbadpw); return SmbProcessResultError; } andxcommand = *pdata++; switch (andxcommand) { case SMB_COM_OPEN: case SMB_COM_CREATE_NEW: case SMB_COM_DELETE_DIRECTORY: case SMB_COM_FIND_UNIQUE: case SMB_COM_CHECK_DIRECTORY: case SMB_COM_GET_PRINT_QUEUE: case SMB_COM_TRANSACTION: case SMB_COM_SET_INFORMATION: case SMB_COM_OPEN_ANDX: case SMB_COM_CREATE_DIRECTORY: case SMB_COM_FIND: case SMB_COM_RENAME: case SMB_COM_QUERY_INFORMATION: case SMB_COM_OPEN_PRINT_FILE: case SMB_COM_NO_ANDX_COMMAND: case SMB_COM_NT_RENAME: case SMB_COM_CREATE: case SMB_COM_DELETE: case SMB_COM_COPY: break; default: smblogprint(h->command, "smbcomtreeconnectandx: invalid andxcommand %s (0x%.2ux)\n", smboptable[andxcommand].name, andxcommand); goto fmtfail; } pdata++; andxoffset = smbnhgets(pdata); pdata += 2; flags = smbnhgets(pdata); pdata += 2; passwordlength = smbnhgets(pdata); //pdata += 2; // bytecount = smbnhgets(pdata); pdata += 2; smblogprint(h->command, "passwordlength: %ud\n", passwordlength); smblogprint(h->command, "flags: 0x%.4ux\n", flags); if (!smbbuffergetbytes(b, nil, passwordlength)) { smblogprint(h->command, "smbcomtreeconnectandx: not enough bytes for password\n"); goto fmtfail; } smblogprint(h->command, "offset %lud limit %lud\n", smbbufferreadoffset(b), smbbufferwriteoffset(b)); if (!smbbuffergetstring(b, h, SMB_STRING_PATH, &path) || !smbbuffergetstr(b, 0, &service)) { smblogprint(h->command, "smbcomtreeconnectandx: not enough bytes for strings\n"); goto fmtfail; } smblogprint(h->command, "path: %s\n", path); smblogprint(h->command, "service: %s\n", service); if (flags & 1) smbtreedisconnectbyid(s, h->tid); serv = smbservicefind(s, path, service, &errclass, &error); if (serv == nil) { pr = SmbProcessResultError; smbseterror(s, errclass, error); goto done; } tree = smbtreeconnect(s, serv); h->tid = tree->id; h->wordcount = 3; if (!smbresponseputandxheader(s, h, andxcommand, &andxfixupoffset) || !smbresponseputs(s, 1)) { misc: pr = SmbProcessResultMisc; goto done; } bytecountfixup = smbresponseoffset(s); if (!smbresponseputs(s, 0) || !smbresponseputstr(s, serv->type) || !smbresponseputstring(s, 1, s9p2000)) goto misc; if (!smbbufferfixuprelatives(s->response, bytecountfixup)) goto misc; if (andxcommand != SMB_COM_NO_ANDX_COMMAND) { pr = smbchaincommand(s, h, andxfixupoffset, andxcommand, andxoffset, b); } else pr = SmbProcessResultReply; done: free(path); free(service); return pr; }