# Copyright (c) 2003-2016 CORE Security Technologies # # This software is provided under under a slightly modified version # of the Apache Software License. See the accompanying LICENSE file # for more information. # # Author: Alberto Solino (@agsolino) # # TODO: # [-] Functions should return NT error codes # [-] Handling errors in all situations, right now it's just raising exceptions. # [*] Standard authentication support # [ ] Organize the connectionData stuff # [*] Add capability to send a bad user ID if the user is not authenticated, # right now you can ask for any command without actually being authenticated # [ ] PATH TRAVERSALS EVERYWHERE.. BE WARNED! # [ ] Check the credentials.. now we're just letting everybody to log in. # [ ] Check error situation (now many places assume the right data is coming) # [ ] Implement IPC to the main process so the connectionData is on a single place # [ ] Hence.. implement locking # estamos en la B from __future__ import with_statement import calendar import socket import time import datetime import struct import ConfigParser import SocketServer import threading import logging import logging.config import ntpath import os import fnmatch import errno import sys import random import shutil from binascii import hexlify # For signing from impacket import smb, nmb, ntlm, uuid, LOG from impacket import smb3structs as smb2 from impacket.spnego import SPNEGO_NegTokenInit, TypesMech, MechTypes, SPNEGO_NegTokenResp, ASN1_AID, ASN1_SUPPORTED_MECH from impacket.nt_errors import STATUS_NO_MORE_FILES, STATUS_NETWORK_NAME_DELETED, STATUS_INVALID_PARAMETER, \ STATUS_FILE_CLOSED, STATUS_MORE_PROCESSING_REQUIRED, STATUS_OBJECT_PATH_NOT_FOUND, STATUS_DIRECTORY_NOT_EMPTY, \ STATUS_FILE_IS_A_DIRECTORY, STATUS_NOT_IMPLEMENTED, STATUS_INVALID_HANDLE, STATUS_OBJECT_NAME_COLLISION, \ STATUS_NO_SUCH_FILE, STATUS_CANCELLED, STATUS_OBJECT_NAME_NOT_FOUND, STATUS_SUCCESS, STATUS_ACCESS_DENIED, \ STATUS_NOT_SUPPORTED, STATUS_INVALID_DEVICE_REQUEST, STATUS_FS_DRIVER_REQUIRED, STATUS_INVALID_INFO_CLASS # These ones not defined in nt_errors STATUS_SMB_BAD_UID = 0x005B0002 STATUS_SMB_BAD_TID = 0x00050002 try: unicode # Python 2 except NameError: unicode = str # Python 3 # Utility functions # and general functions. # There are some common functions that can be accessed from more than one SMB # command (or either TRANSACTION). That's why I'm putting them here # TODO: Return NT ERROR Codes def outputToJohnFormat(challenge, username, domain, lmresponse, ntresponse): # We don't want to add a possible failure here, since this is an # extra bonus. We try, if it fails, returns nothing ret_value = '' try: if len(ntresponse) > 24: # Extended Security - NTLMv2 ret_value = {'hash_string':'%s::%s:%s:%s:%s' % (username.decode('utf-16le'), domain.decode('utf-16le'), hexlify(challenge), hexlify(ntresponse)[:32], hexlify(ntresponse)[32:]), 'hash_version':'ntlmv2'} else: # NTLMv1 ret_value = {'hash_string':'%s::%s:%s:%s:%s' % (username.decode('utf-16le'), domain.decode('utf-16le'), hexlify(lmresponse), hexlify(ntresponse), hexlify(challenge)), 'hash_version':'ntlm'} except: # Let's try w/o decoding Unicode try: if len(ntresponse) > 24: # Extended Security - NTLMv2 ret_value = {'hash_string':'%s::%s:%s:%s:%s' % (username, domain, hexlify(challenge), hexlify(ntresponse)[:32], hexlify(ntresponse)[32:]), 'hash_version':'ntlmv2'} else: # NTLMv1 ret_value = {'hash_string':'%s::%s:%s:%s:%s' % (username, domain, hexlify(lmresponse), hexlify(ntresponse), hexlify(challenge)), 'hash_version':'ntlm'} except Exception as e: LOG.error("outputToJohnFormat: %s" % e) pass return ret_value def writeJohnOutputToFile(hash_string, hash_version, file_name): fn_data = os.path.splitext(file_name) if hash_version == "ntlmv2": output_filename = fn_data[0] + "_ntlmv2" + fn_data[1] else: output_filename = fn_data[0] + "_ntlm" + fn_data[1] with open(output_filename,"a") as f: f.write(hash_string) f.write('\n') def decodeSMBString( flags, text ): if flags & smb.SMB.FLAGS2_UNICODE: return text.decode('utf-16le') else: return text def encodeSMBString( flags, text ): if flags & smb.SMB.FLAGS2_UNICODE: return (text).encode('utf-16le') else: return text def getFileTime(t): t *= 10000000 t += 116444736000000000 return t def getUnixTime(t): t -= 116444736000000000 t /= 10000000 return t def getSMBDate(t): # TODO: Fix this :P d = datetime.date.fromtimestamp(t) year = d.year - 1980 ret = (year << 8) + (d.month << 4) + d.day return ret def getSMBTime(t): # TODO: Fix this :P d = datetime.datetime.fromtimestamp(t) return (d.hour << 8) + (d.minute << 4) + d.second def getShares(connId, smbServer): config = smbServer.getServerConfig() sections = config.sections() # Remove the global one del(sections[sections.index('global')]) shares = {} for i in sections: shares[i] = dict(config.items(i)) return shares def searchShare(connId, share, smbServer): config = smbServer.getServerConfig() if config.has_section(share): return dict(config.items(share)) else: return None def openFile(path,fileName, accessMode, fileAttributes, openMode): fileName = os.path.normpath(fileName.replace('\\','/')) errorCode = 0 if len(fileName) > 0 and (fileName[0] == '/' or fileName[0] == '\\'): # strip leading '/' fileName = fileName[1:] pathName = os.path.join(path,fileName) mode = 0 # Check the Open Mode if openMode & 0x10: # If the file does not exist, create it. mode = os.O_CREAT else: # If file does not exist, return an error if os.path.exists(pathName) is not True: errorCode = STATUS_NO_SUCH_FILE return 0,mode, pathName, errorCode if os.path.isdir(pathName) and (fileAttributes & smb.ATTR_DIRECTORY) == 0: # Request to open a normal file and this is actually a directory errorCode = STATUS_FILE_IS_A_DIRECTORY return 0, mode, pathName, errorCode # Check the Access Mode if accessMode & 0x7 == 1: mode |= os.O_WRONLY elif accessMode & 0x7 == 2: mode |= os.O_RDWR else: mode = os.O_RDONLY try: if sys.platform == 'win32': mode |= os.O_BINARY fid = os.open(pathName, mode) except Exception as e: LOG.error("openFile: %s,%s" % (pathName, mode) ,e) fid = 0 errorCode = STATUS_ACCESS_DENIED return fid, mode, pathName, errorCode def queryFsInformation(path, filename, level=0): if isinstance(filename,unicode): encoding = 'utf-16le' flags = smb.SMB.FLAGS2_UNICODE else: encoding = 'ascii' flags = 0 fileName = os.path.normpath(filename.replace('\\','/')) if len(fileName) > 0 and (fileName[0] == '/' or fileName[0] == '\\'): # strip leading '/' fileName = fileName[1:] pathName = os.path.join(path,fileName) fileSize = os.path.getsize(pathName) (mode, ino, dev, nlink, uid, gid, size, atime, mtime, ctime) = os.stat(pathName) if level == smb.SMB_QUERY_FS_ATTRIBUTE_INFO or level == smb2.SMB2_FILESYSTEM_ATTRIBUTE_INFO: data = smb.SMBQueryFsAttributeInfo() data['FileSystemAttributes'] = smb.FILE_CASE_SENSITIVE_SEARCH | smb.FILE_CASE_PRESERVED_NAMES data['MaxFilenNameLengthInBytes'] = 255 data['LengthOfFileSystemName'] = len('XTFS')*2 data['FileSystemName'] = 'XTFS'.encode('utf-16le') return data.getData() elif level == smb.SMB_INFO_VOLUME: data = smb.SMBQueryFsInfoVolume( flags = flags ) data['VolumeLabel'] = 'SHARE'.encode(encoding) return data.getData() elif level == smb.SMB_QUERY_FS_VOLUME_INFO or level == smb2.SMB2_FILESYSTEM_VOLUME_INFO: data = smb.SMBQueryFsVolumeInfo() data['VolumeLabel'] = '' data['VolumeCreationTime'] = getFileTime(ctime) return data.getData() elif level == smb.SMB_QUERY_FS_SIZE_INFO: data = smb.SMBQueryFsSizeInfo() return data.getData() elif level == smb.FILE_FS_FULL_SIZE_INFORMATION: data = smb.SMBFileFsFullSizeInformation() return data.getData() elif level == smb.FILE_FS_SIZE_INFORMATION: data = smb.FileFsSizeInformation() return data.getData() else: lastWriteTime = mtime attribs = 0 if os.path.isdir(pathName): attribs |= smb.SMB_FILE_ATTRIBUTE_DIRECTORY if os.path.isfile(pathName): attribs |= smb.SMB_FILE_ATTRIBUTE_NORMAL fileAttributes = attribs return fileSize, lastWriteTime, fileAttributes def findFirst2(path, fileName, level, searchAttributes, isSMB2 = False): # TODO: Depending on the level, this could be done much simpler #print "FindFirs2 path:%s, filename:%s" % (path, fileName) fileName = os.path.normpath(fileName.replace('\\','/')) # Let's choose the right encoding depending on the request if isinstance(fileName,unicode): encoding = 'utf-16le' flags = smb.SMB.FLAGS2_UNICODE else: encoding = 'ascii' flags = 0 if len(fileName) > 0 and (fileName[0] == '/' or fileName[0] == '\\'): # strip leading '/' fileName = fileName[1:] pathName = os.path.join(path,fileName) files = [] if pathName.find('*') == -1 and pathName.find('?') == -1: # No search patterns pattern = '' else: pattern = os.path.basename(pathName) dirName = os.path.dirname(pathName) # Always add . and .. Not that important for Windows, but Samba whines if # not present (for * search only) if pattern == '*': files.append(os.path.join(dirName,'.')) files.append(os.path.join(dirName,'..')) if pattern != '': for file in os.listdir(dirName): if fnmatch.fnmatch(file.lower(),pattern.lower()): entry = os.path.join(dirName, file) if os.path.isdir(entry): if searchAttributes & smb.ATTR_DIRECTORY: files.append(entry) else: files.append(entry) else: if os.path.exists(pathName): files.append(pathName) searchResult = [] searchCount = len(files) errorCode = STATUS_SUCCESS for i in files: if level == smb.SMB_FIND_FILE_BOTH_DIRECTORY_INFO or level == smb2.SMB2_FILE_BOTH_DIRECTORY_INFO: item = smb.SMBFindFileBothDirectoryInfo( flags = flags ) elif level == smb.SMB_FIND_FILE_DIRECTORY_INFO or level == smb2.SMB2_FILE_DIRECTORY_INFO: item = smb.SMBFindFileDirectoryInfo( flags = flags ) elif level == smb.SMB_FIND_FILE_FULL_DIRECTORY_INFO or level == smb2.SMB2_FULL_DIRECTORY_INFO: item = smb.SMBFindFileFullDirectoryInfo( flags = flags ) elif level == smb.SMB_FIND_INFO_STANDARD: item = smb.SMBFindInfoStandard( flags = flags ) elif level == smb.SMB_FIND_FILE_ID_FULL_DIRECTORY_INFO or level == smb2.SMB2_FILE_ID_FULL_DIRECTORY_INFO: item = smb.SMBFindFileIdFullDirectoryInfo( flags = flags ) elif level == smb.SMB_FIND_FILE_ID_BOTH_DIRECTORY_INFO or level == smb2.SMB2_FILE_ID_BOTH_DIRECTORY_INFO: item = smb.SMBFindFileIdBothDirectoryInfo( flags = flags ) elif level == smb.SMB_FIND_FILE_NAMES_INFO or level == smb2.SMB2_FILE_NAMES_INFO: item = smb.SMBFindFileNamesInfo( flags = flags ) else: LOG.error("Wrong level %d!" % level) return searchResult, searchCount, STATUS_NOT_SUPPORTED (mode, ino, dev, nlink, uid, gid, size, atime, mtime, ctime) = os.stat(i) if os.path.isdir(i): item['ExtFileAttributes'] = smb.ATTR_DIRECTORY else: item['ExtFileAttributes'] = smb.ATTR_NORMAL | smb.ATTR_ARCHIVE item['FileName'] = os.path.basename(i).encode(encoding) if level == smb.SMB_FIND_FILE_BOTH_DIRECTORY_INFO or level == smb.SMB_FIND_FILE_ID_BOTH_DIRECTORY_INFO or level == smb2.SMB2_FILE_ID_BOTH_DIRECTORY_INFO or level == smb2.SMB2_FILE_BOTH_DIRECTORY_INFO: item['EaSize'] = 0 item['EndOfFile'] = size item['AllocationSize'] = size item['CreationTime'] = getFileTime(ctime) item['LastAccessTime'] = getFileTime(atime) item['LastWriteTime'] = getFileTime(mtime) item['LastChangeTime'] = getFileTime(mtime) item['ShortName'] = '\x00'*24 item['FileName'] = os.path.basename(i).encode(encoding) padLen = (8-(len(item) % 8)) % 8 item['NextEntryOffset'] = len(item) + padLen elif level == smb.SMB_FIND_FILE_DIRECTORY_INFO: item['EndOfFile'] = size item['AllocationSize'] = size item['CreationTime'] = getFileTime(ctime) item['LastAccessTime'] = getFileTime(atime) item['LastWriteTime'] = getFileTime(mtime) item['LastChangeTime'] = getFileTime(mtime) item['FileName'] = os.path.basename(i).encode(encoding) padLen = (8-(len(item) % 8)) % 8 item['NextEntryOffset'] = len(item) + padLen elif level == smb.SMB_FIND_FILE_FULL_DIRECTORY_INFO or level == smb.SMB_FIND_FILE_ID_FULL_DIRECTORY_INFO or level == smb2.SMB2_FULL_DIRECTORY_INFO: item['EaSize'] = 0 item['EndOfFile'] = size item['AllocationSize'] = size item['CreationTime'] = getFileTime(ctime) item['LastAccessTime'] = getFileTime(atime) item['LastWriteTime'] = getFileTime(mtime) item['LastChangeTime'] = getFileTime(mtime) padLen = (8-(len(item) % 8)) % 8 item['NextEntryOffset'] = len(item) + padLen elif level == smb.SMB_FIND_INFO_STANDARD: item['EaSize'] = size item['CreationDate'] = getSMBDate(ctime) item['CreationTime'] = getSMBTime(ctime) item['LastAccessDate'] = getSMBDate(atime) item['LastAccessTime'] = getSMBTime(atime) item['LastWriteDate'] = getSMBDate(mtime) item['LastWriteTime'] = getSMBTime(mtime) searchResult.append(item) # No more files if (level >= smb.SMB_FIND_FILE_DIRECTORY_INFO or isSMB2 == True) and searchCount > 0: searchResult[-1]['NextEntryOffset'] = 0 return searchResult, searchCount, errorCode def queryFileInformation(path, filename, level): #print "queryFileInfo path: %s, filename: %s, level:0x%x" % (path,filename,level) return queryPathInformation(path,filename, level) def queryPathInformation(path, filename, level): # TODO: Depending on the level, this could be done much simpler #print "queryPathInfo path: %s, filename: %s, level:0x%x" % (path,filename,level) try: errorCode = 0 fileName = os.path.normpath(filename.replace('\\','/')) if len(fileName) > 0 and (fileName[0] == '/' or fileName[0] == '\\') and path != '': # strip leading '/' fileName = fileName[1:] pathName = os.path.join(path,fileName) if os.path.exists(pathName): (mode, ino, dev, nlink, uid, gid, size, atime, mtime, ctime) = os.stat(pathName) if level == smb.SMB_QUERY_FILE_BASIC_INFO: infoRecord = smb.SMBQueryFileBasicInfo() infoRecord['CreationTime'] = getFileTime(ctime) infoRecord['LastAccessTime'] = getFileTime(atime) infoRecord['LastWriteTime'] = getFileTime(mtime) infoRecord['LastChangeTime'] = getFileTime(mtime) if os.path.isdir(pathName): infoRecord['ExtFileAttributes'] = smb.ATTR_DIRECTORY else: infoRecord['ExtFileAttributes'] = smb.ATTR_NORMAL | smb.ATTR_ARCHIVE elif level == smb.SMB_QUERY_FILE_STANDARD_INFO: infoRecord = smb.SMBQueryFileStandardInfo() infoRecord['AllocationSize'] = size infoRecord['EndOfFile'] = size if os.path.isdir(pathName): infoRecord['Directory'] = 1 else: infoRecord['Directory'] = 0 elif level == smb.SMB_QUERY_FILE_ALL_INFO or level == smb2.SMB2_FILE_ALL_INFO: infoRecord = smb.SMBQueryFileAllInfo() infoRecord['CreationTime'] = getFileTime(ctime) infoRecord['LastAccessTime'] = getFileTime(atime) infoRecord['LastWriteTime'] = getFileTime(mtime) infoRecord['LastChangeTime'] = getFileTime(mtime) if os.path.isdir(pathName): infoRecord['ExtFileAttributes'] = smb.ATTR_DIRECTORY else: infoRecord['ExtFileAttributes'] = smb.ATTR_NORMAL | smb.ATTR_ARCHIVE infoRecord['AllocationSize'] = size infoRecord['EndOfFile'] = size if os.path.isdir(pathName): infoRecord['Directory'] = 1 else: infoRecord['Directory'] = 0 infoRecord['FileName'] = filename.encode('utf-16le') elif level == smb2.SMB2_FILE_NETWORK_OPEN_INFO: infoRecord = smb.SMBFileNetworkOpenInfo() infoRecord['CreationTime'] = getFileTime(ctime) infoRecord['LastAccessTime'] = getFileTime(atime) infoRecord['LastWriteTime'] = getFileTime(mtime) infoRecord['ChangeTime'] = getFileTime(mtime) infoRecord['AllocationSize'] = size infoRecord['EndOfFile'] = size if os.path.isdir(pathName): infoRecord['FileAttributes'] = smb.ATTR_DIRECTORY else: infoRecord['FileAttributes'] = smb.ATTR_NORMAL | smb.ATTR_ARCHIVE elif level == smb.SMB_QUERY_FILE_EA_INFO or level == smb2.SMB2_FILE_EA_INFO: infoRecord = smb.SMBQueryFileEaInfo() elif level == smb2.SMB2_FILE_STREAM_INFO: infoRecord = smb.SMBFileStreamInformation() else: LOG.error('Unknown level for query path info! 0x%x' % level) # UNSUPPORTED return None, STATUS_NOT_SUPPORTED return infoRecord, errorCode else: # NOT FOUND return None, STATUS_OBJECT_NAME_NOT_FOUND except Exception as e: LOG.error('queryPathInfo: %s' % e) raise def queryDiskInformation(path): # TODO: Do something useful here :) # For now we just return fake values totalUnits = 65535 freeUnits = 65535 return totalUnits, freeUnits # Here we implement the NT transaction handlers class NTTRANSCommands: def default(self, connId, smbServer, recvPacket, parameters, data, maxDataCount = 0): pass # Here we implement the NT transaction handlers class TRANSCommands: @staticmethod def lanMan(connId, smbServer, recvPacket, parameters, data, maxDataCount = 0): # Minimal [MS-RAP] implementation, just to return the shares connData = smbServer.getConnectionData(connId) respSetup = '' respParameters = '' respData = '' errorCode = STATUS_SUCCESS if struct.unpack('<H',parameters[:2])[0] == 0: # NetShareEnum Request netShareEnum = smb.SMBNetShareEnum(parameters) if netShareEnum['InfoLevel'] == 1: shares = getShares(connId, smbServer) respParameters = smb.SMBNetShareEnumResponse() respParameters['EntriesReturned'] = len(shares) respParameters['EntriesAvailable'] = len(shares) tailData = '' for i in shares: # NetShareInfo1 len == 20 entry = smb.NetShareInfo1() entry['NetworkName'] = i + '\x00'*(13-len(i)) entry['Type'] = int(shares[i]['share type']) # (beto) If offset == 0 it crashes explorer.exe on windows 7 entry['RemarkOffsetLow'] = 20 * len(shares) + len(tailData) respData += entry.getData() if 'comment' in shares[i]: tailData += shares[i]['comment'] + '\x00' else: tailData += '\x00' respData += tailData else: # We don't support other info levels errorCode = STATUS_NOT_SUPPORTED elif struct.unpack('<H',parameters[:2])[0] == 13: # NetrServerGetInfo Request respParameters = smb.SMBNetServerGetInfoResponse() netServerInfo = smb.SMBNetServerInfo1() netServerInfo['ServerName'] = smbServer.getServerName() respData = str(netServerInfo) respParameters['TotalBytesAvailable'] = len(respData) elif struct.unpack('<H',parameters[:2])[0] == 1: # NetrShareGetInfo Request request = smb.SMBNetShareGetInfo(parameters) respParameters = smb.SMBNetShareGetInfoResponse() shares = getShares(connId, smbServer) share = shares[request['ShareName'].upper()] shareInfo = smb.NetShareInfo1() shareInfo['NetworkName'] = request['ShareName'].upper() + '\x00' shareInfo['Type'] = int(share['share type']) respData = shareInfo.getData() if 'comment' in share: shareInfo['RemarkOffsetLow'] = len(respData) respData += share['comment'] + '\x00' respParameters['TotalBytesAvailable'] = len(respData) else: # We don't know how to handle anything else errorCode = STATUS_NOT_SUPPORTED smbServer.setConnectionData(connId, connData) return respSetup, respParameters, respData, errorCode @staticmethod def transactNamedPipe(connId, smbServer, recvPacket, parameters, data, maxDataCount = 0): connData = smbServer.getConnectionData(connId) respSetup = '' respParameters = '' respData = '' errorCode = STATUS_SUCCESS SMBCommand = smb.SMBCommand(recvPacket['Data'][0]) transParameters= smb.SMBTransaction_Parameters(SMBCommand['Parameters']) # Extract the FID fid = struct.unpack('<H', transParameters['Setup'][2:])[0] if fid in connData['OpenedFiles']: fileHandle = connData['OpenedFiles'][fid]['FileHandle'] if fileHandle != PIPE_FILE_DESCRIPTOR: os.write(fileHandle,data) respData = os.read(fileHandle,data) else: sock = connData['OpenedFiles'][fid]['Socket'] sock.send(data) respData = sock.recv(maxDataCount) else: errorCode = STATUS_INVALID_HANDLE smbServer.setConnectionData(connId, connData) return respSetup, respParameters, respData, errorCode # Here we implement the transaction2 handlers class TRANS2Commands: # All these commands return setup, parameters, data, errorCode @staticmethod def setPathInformation(connId, smbServer, recvPacket, parameters, data, maxDataCount = 0): connData = smbServer.getConnectionData(connId) respSetup = '' respParameters = '' respData = '' errorCode = STATUS_SUCCESS setPathInfoParameters = smb.SMBSetPathInformation_Parameters(flags = recvPacket['Flags2'], data = parameters) if recvPacket['Tid'] in connData['ConnectedShares']: path = connData['ConnectedShares'][recvPacket['Tid']]['path'] fileName = decodeSMBString(recvPacket['Flags2'], setPathInfoParameters['FileName']) fileName = os.path.normpath(fileName.replace('\\','/')) if len(fileName) > 0 and (fileName[0] == '/' or fileName[0] == '\\') and path != '': # strip leading '/' fileName = fileName[1:] pathName = os.path.join(path,fileName) if os.path.exists(pathName): informationLevel = setPathInfoParameters['InformationLevel'] if informationLevel == smb.SMB_SET_FILE_BASIC_INFO: infoRecord = smb.SMBSetFileBasicInfo(data) # Creation time won't be set, the other ones we play with. atime = infoRecord['LastAccessTime'] if atime == 0: atime = -1 else: atime = getUnixTime(atime) mtime = infoRecord['LastWriteTime'] if mtime == 0: mtime = -1 else: mtime = getUnixTime(mtime) if mtime != -1 or atime != -1: os.utime(pathName,(atime,mtime)) else: smbServer.log('Unknown level for set path info! 0x%x' % setPathInfoParameters['InformationLevel'], logging.ERROR) # UNSUPPORTED errorCode = STATUS_NOT_SUPPORTED else: errorCode = STATUS_OBJECT_NAME_NOT_FOUND if errorCode == STATUS_SUCCESS: respParameters = smb.SMBSetPathInformationResponse_Parameters() else: errorCode = STATUS_SMB_BAD_TID smbServer.setConnectionData(connId, connData) return respSetup, respParameters, respData, errorCode @staticmethod def setFileInformation(connId, smbServer, recvPacket, parameters, data, maxDataCount = 0): connData = smbServer.getConnectionData(connId) respSetup = '' respParameters = '' respData = '' errorCode = STATUS_SUCCESS setFileInfoParameters = smb.SMBSetFileInformation_Parameters(parameters) if recvPacket['Tid'] in connData['ConnectedShares']: if setFileInfoParameters['FID'] in connData['OpenedFiles']: fileName = connData['OpenedFiles'][setFileInfoParameters['FID']]['FileName'] informationLevel = setFileInfoParameters['InformationLevel'] if informationLevel == smb.SMB_SET_FILE_DISPOSITION_INFO: infoRecord = smb.SMBSetFileDispositionInfo(parameters) if infoRecord['DeletePending'] > 0: # Mark this file for removal after closed connData['OpenedFiles'][setFileInfoParameters['FID']]['DeleteOnClose'] = True respParameters = smb.SMBSetFileInformationResponse_Parameters() elif informationLevel == smb.SMB_SET_FILE_BASIC_INFO: infoRecord = smb.SMBSetFileBasicInfo(data) # Creation time won't be set, the other ones we play with. atime = infoRecord['LastAccessTime'] if atime == 0: atime = -1 else: atime = getUnixTime(atime) mtime = infoRecord['LastWriteTime'] if mtime == 0: mtime = -1 else: mtime = getUnixTime(mtime) os.utime(fileName,(atime,mtime)) elif informationLevel == smb.SMB_SET_FILE_END_OF_FILE_INFO: fileHandle = connData['OpenedFiles'][setFileInfoParameters['FID']]['FileHandle'] infoRecord = smb.SMBSetFileEndOfFileInfo(data) if infoRecord['EndOfFile'] > 0: os.lseek(fileHandle, infoRecord['EndOfFile']-1, 0) os.write(fileHandle, '\x00') else: smbServer.log('Unknown level for set file info! 0x%x' % setFileInfoParameters['InformationLevel'], logging.ERROR) # UNSUPPORTED errorCode = STATUS_NOT_SUPPORTED else: errorCode = STATUS_NO_SUCH_FILE if errorCode == STATUS_SUCCESS: respParameters = smb.SMBSetFileInformationResponse_Parameters() else: errorCode = STATUS_SMB_BAD_TID smbServer.setConnectionData(connId, connData) return respSetup, respParameters, respData, errorCode @staticmethod def queryFileInformation(connId, smbServer, recvPacket, parameters, data, maxDataCount = 0): connData = smbServer.getConnectionData(connId) respSetup = '' respParameters = '' respData = '' queryFileInfoParameters = smb.SMBQueryFileInformation_Parameters(parameters) if recvPacket['Tid'] in connData['ConnectedShares']: if queryFileInfoParameters['FID'] in connData['OpenedFiles']: fileName = connData['OpenedFiles'][queryFileInfoParameters['FID']]['FileName'] infoRecord, errorCode = queryFileInformation('', fileName, queryFileInfoParameters['InformationLevel']) if infoRecord is not None: respParameters = smb.SMBQueryFileInformationResponse_Parameters() respData = infoRecord else: errorCode = STATUS_INVALID_HANDLE else: errorCode = STATUS_SMB_BAD_TID smbServer.setConnectionData(connId, connData) return respSetup, respParameters, respData, errorCode @staticmethod def queryPathInformation(connId, smbServer, recvPacket, parameters, data, maxDataCount = 0): connData = smbServer.getConnectionData(connId) respSetup = '' respParameters = '' respData = '' errorCode = 0 queryPathInfoParameters = smb.SMBQueryPathInformation_Parameters(flags = recvPacket['Flags2'], data = parameters) if recvPacket['Tid'] in connData['ConnectedShares']: path = connData['ConnectedShares'][recvPacket['Tid']]['path'] try: infoRecord, errorCode = queryPathInformation(path, decodeSMBString(recvPacket['Flags2'], queryPathInfoParameters['FileName']), queryPathInfoParameters['InformationLevel']) except Exception as e: smbServer.log("queryPathInformation: %s" % e,logging.ERROR) if infoRecord is not None: respParameters = smb.SMBQueryPathInformationResponse_Parameters() respData = infoRecord else: errorCode = STATUS_SMB_BAD_TID smbServer.setConnectionData(connId, connData) return respSetup, respParameters, respData, errorCode @staticmethod def queryFsInformation(connId, smbServer, recvPacket, parameters, data, maxDataCount = 0): connData = smbServer.getConnectionData(connId) errorCode = 0 # Get the Tid associated if recvPacket['Tid'] in connData['ConnectedShares']: data = queryFsInformation(connData['ConnectedShares'][recvPacket['Tid']]['path'], '', struct.unpack('<H',parameters)[0]) smbServer.setConnectionData(connId, connData) return '','', data, errorCode @staticmethod def findNext2(connId, smbServer, recvPacket, parameters, data, maxDataCount): connData = smbServer.getConnectionData(connId) respSetup = '' respParameters = '' respData = '' errorCode = STATUS_SUCCESS findNext2Parameters = smb.SMBFindNext2_Parameters(flags = recvPacket['Flags2'], data = parameters) sid = findNext2Parameters['SID'] if recvPacket['Tid'] in connData['ConnectedShares']: if sid in connData['SIDs']: searchResult = connData['SIDs'][sid] respParameters = smb.SMBFindNext2Response_Parameters() endOfSearch = 1 searchCount = 1 totalData = 0 for i in enumerate(searchResult): data = i[1].getData() lenData = len(data) if (totalData+lenData) >= maxDataCount or (i[0]+1) >= findNext2Parameters['SearchCount']: # We gotta stop here and continue on a find_next2 endOfSearch = 0 connData['SIDs'][sid] = searchResult[i[0]:] respParameters['LastNameOffset'] = totalData break else: searchCount +=1 respData += data totalData += lenData # Have we reached the end of the search or still stuff to send? if endOfSearch > 0: # Let's remove the SID from our ConnData del(connData['SIDs'][sid]) respParameters['EndOfSearch'] = endOfSearch respParameters['SearchCount'] = searchCount else: errorCode = STATUS_INVALID_HANDLE else: errorCode = STATUS_SMB_BAD_TID smbServer.setConnectionData(connId, connData) return respSetup, respParameters, respData, errorCode @staticmethod def findFirst2(connId, smbServer, recvPacket, parameters, data, maxDataCount): connData = smbServer.getConnectionData(connId) respSetup = '' respParameters = '' respData = '' findFirst2Parameters = smb.SMBFindFirst2_Parameters( recvPacket['Flags2'], data = parameters) if recvPacket['Tid'] in connData['ConnectedShares']: path = connData['ConnectedShares'][recvPacket['Tid']]['path'] searchResult, searchCount, errorCode = findFirst2(path, decodeSMBString( recvPacket['Flags2'], findFirst2Parameters['FileName'] ), findFirst2Parameters['InformationLevel'], findFirst2Parameters['SearchAttributes'] ) respParameters = smb.SMBFindFirst2Response_Parameters() endOfSearch = 1 sid = 0x80 # default SID searchCount = 0 totalData = 0 for i in enumerate(searchResult): #i[1].dump() data = i[1].getData() lenData = len(data) if (totalData+lenData) >= maxDataCount or (i[0]+1) > findFirst2Parameters['SearchCount']: # We gotta stop here and continue on a find_next2 endOfSearch = 0 # Simple way to generate a fid if len(connData['SIDs']) == 0: sid = 1 else: sid = connData['SIDs'].keys()[-1] + 1 # Store the remaining search results in the ConnData SID connData['SIDs'][sid] = searchResult[i[0]:] respParameters['LastNameOffset'] = totalData break else: searchCount +=1 respData += data padLen = (8-(lenData % 8)) %8 respData += '\xaa'*padLen totalData += lenData + padLen respParameters['SID'] = sid respParameters['EndOfSearch'] = endOfSearch respParameters['SearchCount'] = searchCount else: errorCode = STATUS_SMB_BAD_TID smbServer.setConnectionData(connId, connData) return respSetup, respParameters, respData, errorCode # Here we implement the commands handlers class SMBCommands: @staticmethod def smbTransaction(connId, smbServer, SMBCommand, recvPacket, transCommands): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(recvPacket['Command']) transParameters= smb.SMBTransaction_Parameters(SMBCommand['Parameters']) # Do the stuff if transParameters['ParameterCount'] != transParameters['TotalParameterCount']: # TODO: Handle partial parameters raise Exception("Unsupported partial parameters in TRANSACT2!") else: transData = smb.SMBTransaction_SData(flags = recvPacket['Flags2']) # Standard says servers shouldn't trust Parameters and Data comes # in order, so we have to parse the offsets, ugly paramCount = transParameters['ParameterCount'] transData['Trans_ParametersLength'] = paramCount dataCount = transParameters['DataCount'] transData['Trans_DataLength'] = dataCount transData.fromString(SMBCommand['Data']) if transParameters['ParameterOffset'] > 0: paramOffset = transParameters['ParameterOffset'] - 63 - transParameters['SetupLength'] transData['Trans_Parameters'] = SMBCommand['Data'][paramOffset:paramOffset+paramCount] else: transData['Trans_Parameters'] = '' if transParameters['DataOffset'] > 0: dataOffset = transParameters['DataOffset'] - 63 - transParameters['SetupLength'] transData['Trans_Data'] = SMBCommand['Data'][dataOffset:dataOffset + dataCount] else: transData['Trans_Data'] = '' # Call the handler for this TRANSACTION if transParameters['SetupCount'] == 0: # No subcommand, let's play with the Name command = decodeSMBString(recvPacket['Flags2'],transData['Name']) else: command = struct.unpack('<H', transParameters['Setup'][:2])[0] if command in transCommands: # Call the TRANS subcommand setup = '' parameters = '' data = '' try: setup, parameters, data, errorCode = transCommands[command](connId, smbServer, recvPacket, transData['Trans_Parameters'], transData['Trans_Data'], transParameters['MaxDataCount']) except Exception as e: #print 'Transaction: %s' % e,e smbServer.log('Transaction: (%r,%s)' % (command, e), logging.ERROR) errorCode = STATUS_ACCESS_DENIED #raise if setup == '' and parameters == '' and data == '': # Something wen't wrong respParameters = '' respData = '' else: # Build the answer data = str(data) remainingData = len(data) parameters = str(parameters) remainingParameters = len(parameters) commands = [] dataDisplacement = 0 while remainingData > 0 or remainingParameters > 0: respSMBCommand = smb.SMBCommand(recvPacket['Command']) respParameters = smb.SMBTransactionResponse_Parameters() respData = smb.SMBTransaction2Response_Data() respParameters['TotalParameterCount'] = len(parameters) respParameters['ParameterCount'] = len(parameters) respData['Trans_ParametersLength'] = len(parameters) respParameters['TotalDataCount'] = len(data) respParameters['DataDisplacement'] = dataDisplacement # TODO: Do the same for parameters if len(data) > transParameters['MaxDataCount']: # Answer doesn't fit in this packet LOG.debug("Lowering answer from %d to %d" % (len(data),transParameters['MaxDataCount']) ) respParameters['DataCount'] = transParameters['MaxDataCount'] else: respParameters['DataCount'] = len(data) respData['Trans_DataLength'] = respParameters['DataCount'] respParameters['SetupCount'] = len(setup) respParameters['Setup'] = setup # TODO: Make sure we're calculating the pad right if len(parameters) > 0: #padLen = 4 - (55 + len(setup)) % 4 padLen = (4 - (55 + len(setup)) % 4 ) % 4 padBytes = '\xFF' * padLen respData['Pad1'] = padBytes respParameters['ParameterOffset'] = 55 + len(setup) + padLen else: padLen = 0 respParameters['ParameterOffset'] = 0 respData['Pad1'] = '' if len(data) > 0: #pad2Len = 4 - (55 + len(setup) + padLen + len(parameters)) % 4 pad2Len = (4 - (55 + len(setup) + padLen + len(parameters)) % 4) % 4 respData['Pad2'] = '\xFF' * pad2Len respParameters['DataOffset'] = 55 + len(setup) + padLen + len(parameters) + pad2Len else: respParameters['DataOffset'] = 0 respData['Pad2'] = '' respData['Trans_Parameters'] = parameters[:respParameters['ParameterCount']] respData['Trans_Data'] = data[:respParameters['DataCount']] respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData data = data[respParameters['DataCount']:] remainingData -= respParameters['DataCount'] dataDisplacement += respParameters['DataCount'] + 1 parameters = parameters[respParameters['ParameterCount']:] remainingParameters -= respParameters['ParameterCount'] commands.append(respSMBCommand) smbServer.setConnectionData(connId, connData) return commands, None, errorCode else: smbServer.log("Unsupported Transact command %r" % command, logging.ERROR) respParameters = '' respData = '' errorCode = STATUS_NOT_IMPLEMENTED respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbNTTransact(connId, smbServer, SMBCommand, recvPacket, transCommands): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(recvPacket['Command']) NTTransParameters= smb.SMBNTTransaction_Parameters(SMBCommand['Parameters']) # Do the stuff if NTTransParameters['ParameterCount'] != NTTransParameters['TotalParameterCount']: # TODO: Handle partial parameters raise Exception("Unsupported partial parameters in NTTrans!") else: NTTransData = smb.SMBNTTransaction_Data() # Standard says servers shouldn't trust Parameters and Data comes # in order, so we have to parse the offsets, ugly paramCount = NTTransParameters['ParameterCount'] NTTransData['NT_Trans_ParametersLength'] = paramCount dataCount = NTTransParameters['DataCount'] NTTransData['NT_Trans_DataLength'] = dataCount if NTTransParameters['ParameterOffset'] > 0: paramOffset = NTTransParameters['ParameterOffset'] - 73 - NTTransParameters['SetupLength'] NTTransData['NT_Trans_Parameters'] = SMBCommand['Data'][paramOffset:paramOffset+paramCount] else: NTTransData['NT_Trans_Parameters'] = '' if NTTransParameters['DataOffset'] > 0: dataOffset = NTTransParameters['DataOffset'] - 73 - NTTransParameters['SetupLength'] NTTransData['NT_Trans_Data'] = SMBCommand['Data'][dataOffset:dataOffset + dataCount] else: NTTransData['NT_Trans_Data'] = '' # Call the handler for this TRANSACTION command = NTTransParameters['Function'] if command in transCommands: # Call the NT TRANS subcommand setup = '' parameters = '' data = '' try: setup, parameters, data, errorCode = transCommands[command](connId, smbServer, recvPacket, NTTransData['NT_Trans_Parameters'], NTTransData['NT_Trans_Data'], NTTransParameters['MaxDataCount']) except Exception as e: smbServer.log('NTTransaction: (0x%x,%s)' % (command, e), logging.ERROR) errorCode = STATUS_ACCESS_DENIED #raise if setup == '' and parameters == '' and data == '': # Something wen't wrong respParameters = '' respData = '' if errorCode == STATUS_SUCCESS: errorCode = STATUS_ACCESS_DENIED else: # Build the answer data = str(data) remainingData = len(data) parameters = str(parameters) remainingParameters = len(parameters) commands = [] dataDisplacement = 0 while remainingData > 0 or remainingParameters > 0: respSMBCommand = smb.SMBCommand(recvPacket['Command']) respParameters = smb.SMBNTTransactionResponse_Parameters() respData = smb.SMBNTTransactionResponse_Data() respParameters['TotalParameterCount'] = len(parameters) respParameters['ParameterCount'] = len(parameters) respData['Trans_ParametersLength'] = len(parameters) respParameters['TotalDataCount'] = len(data) respParameters['DataDisplacement'] = dataDisplacement # TODO: Do the same for parameters if len(data) > NTTransParameters['MaxDataCount']: # Answer doesn't fit in this packet LOG.debug("Lowering answer from %d to %d" % (len(data),NTTransParameters['MaxDataCount']) ) respParameters['DataCount'] = NTTransParameters['MaxDataCount'] else: respParameters['DataCount'] = len(data) respData['NT_Trans_DataLength'] = respParameters['DataCount'] respParameters['SetupCount'] = len(setup) respParameters['Setup'] = setup # TODO: Make sure we're calculating the pad right if len(parameters) > 0: #padLen = 4 - (71 + len(setup)) % 4 padLen = (4 - (73 + len(setup)) % 4 ) % 4 padBytes = '\xFF' * padLen respData['Pad1'] = padBytes respParameters['ParameterOffset'] = 73 + len(setup) + padLen else: padLen = 0 respParameters['ParameterOffset'] = 0 respData['Pad1'] = '' if len(data) > 0: #pad2Len = 4 - (71 + len(setup) + padLen + len(parameters)) % 4 pad2Len = (4 - (73 + len(setup) + padLen + len(parameters)) % 4) % 4 respData['Pad2'] = '\xFF' * pad2Len respParameters['DataOffset'] = 73 + len(setup) + padLen + len(parameters) + pad2Len else: respParameters['DataOffset'] = 0 respData['Pad2'] = '' respData['NT_Trans_Parameters'] = parameters[:respParameters['ParameterCount']] respData['NT_Trans_Data'] = data[:respParameters['DataCount']] respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData data = data[respParameters['DataCount']:] remainingData -= respParameters['DataCount'] dataDisplacement += respParameters['DataCount'] + 1 parameters = parameters[respParameters['ParameterCount']:] remainingParameters -= respParameters['ParameterCount'] commands.append(respSMBCommand) smbServer.setConnectionData(connId, connData) return commands, None, errorCode else: #smbServer.log("Unsupported NTTransact command 0x%x" % command, logging.ERROR) respParameters = '' respData = '' errorCode = STATUS_NOT_IMPLEMENTED respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbTransaction2(connId, smbServer, SMBCommand, recvPacket, transCommands): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(recvPacket['Command']) trans2Parameters= smb.SMBTransaction2_Parameters(SMBCommand['Parameters']) # Do the stuff if trans2Parameters['ParameterCount'] != trans2Parameters['TotalParameterCount']: # TODO: Handle partial parameters #print "Unsupported partial parameters in TRANSACT2!" raise Exception("Unsupported partial parameters in TRANSACT2!") else: trans2Data = smb.SMBTransaction2_Data() # Standard says servers shouldn't trust Parameters and Data comes # in order, so we have to parse the offsets, ugly paramCount = trans2Parameters['ParameterCount'] trans2Data['Trans_ParametersLength'] = paramCount dataCount = trans2Parameters['DataCount'] trans2Data['Trans_DataLength'] = dataCount if trans2Parameters['ParameterOffset'] > 0: paramOffset = trans2Parameters['ParameterOffset'] - 63 - trans2Parameters['SetupLength'] trans2Data['Trans_Parameters'] = SMBCommand['Data'][paramOffset:paramOffset+paramCount] else: trans2Data['Trans_Parameters'] = '' if trans2Parameters['DataOffset'] > 0: dataOffset = trans2Parameters['DataOffset'] - 63 - trans2Parameters['SetupLength'] trans2Data['Trans_Data'] = SMBCommand['Data'][dataOffset:dataOffset + dataCount] else: trans2Data['Trans_Data'] = '' # Call the handler for this TRANSACTION command = struct.unpack('<H', trans2Parameters['Setup'])[0] if command in transCommands: # Call the TRANS2 subcommand try: setup, parameters, data, errorCode = transCommands[command](connId, smbServer, recvPacket, trans2Data['Trans_Parameters'], trans2Data['Trans_Data'], trans2Parameters['MaxDataCount']) except Exception as e: smbServer.log('Transaction2: (0x%x,%s)' % (command, e), logging.ERROR) #import traceback #traceback.print_exc() raise if setup == '' and parameters == '' and data == '': # Something wen't wrong respParameters = '' respData = '' else: # Build the answer data = str(data) remainingData = len(data) parameters = str(parameters) remainingParameters = len(parameters) commands = [] dataDisplacement = 0 while remainingData > 0 or remainingParameters > 0: respSMBCommand = smb.SMBCommand(recvPacket['Command']) respParameters = smb.SMBTransaction2Response_Parameters() respData = smb.SMBTransaction2Response_Data() respParameters['TotalParameterCount'] = len(parameters) respParameters['ParameterCount'] = len(parameters) respData['Trans_ParametersLength'] = len(parameters) respParameters['TotalDataCount'] = len(data) respParameters['DataDisplacement'] = dataDisplacement # TODO: Do the same for parameters if len(data) > trans2Parameters['MaxDataCount']: # Answer doesn't fit in this packet LOG.debug("Lowering answer from %d to %d" % (len(data),trans2Parameters['MaxDataCount']) ) respParameters['DataCount'] = trans2Parameters['MaxDataCount'] else: respParameters['DataCount'] = len(data) respData['Trans_DataLength'] = respParameters['DataCount'] respParameters['SetupCount'] = len(setup) respParameters['Setup'] = setup # TODO: Make sure we're calculating the pad right if len(parameters) > 0: #padLen = 4 - (55 + len(setup)) % 4 padLen = (4 - (55 + len(setup)) % 4 ) % 4 padBytes = '\xFF' * padLen respData['Pad1'] = padBytes respParameters['ParameterOffset'] = 55 + len(setup) + padLen else: padLen = 0 respParameters['ParameterOffset'] = 0 respData['Pad1'] = '' if len(data) > 0: #pad2Len = 4 - (55 + len(setup) + padLen + len(parameters)) % 4 pad2Len = (4 - (55 + len(setup) + padLen + len(parameters)) % 4) % 4 respData['Pad2'] = '\xFF' * pad2Len respParameters['DataOffset'] = 55 + len(setup) + padLen + len(parameters) + pad2Len else: respParameters['DataOffset'] = 0 respData['Pad2'] = '' respData['Trans_Parameters'] = parameters[:respParameters['ParameterCount']] respData['Trans_Data'] = data[:respParameters['DataCount']] respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData data = data[respParameters['DataCount']:] remainingData -= respParameters['DataCount'] dataDisplacement += respParameters['DataCount'] + 1 parameters = parameters[respParameters['ParameterCount']:] remainingParameters -= respParameters['ParameterCount'] commands.append(respSMBCommand) smbServer.setConnectionData(connId, connData) return commands, None, errorCode else: smbServer.log("Unsupported Transact/2 command 0x%x" % command, logging.ERROR) respParameters = '' respData = '' errorCode = STATUS_NOT_IMPLEMENTED respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComLockingAndX(connId, smbServer, SMBCommand, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_LOCKING_ANDX) respParameters = '' respData = '' # I'm actually doing nothing.. just make MacOS happy ;) errorCode = STATUS_SUCCESS respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComClose(connId, smbServer, SMBCommand, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_CLOSE) respParameters = '' respData = '' comClose = smb.SMBClose_Parameters(SMBCommand['Parameters']) if comClose['FID'] in connData['OpenedFiles']: errorCode = STATUS_SUCCESS fileHandle = connData['OpenedFiles'][comClose['FID']]['FileHandle'] try: if fileHandle == PIPE_FILE_DESCRIPTOR: connData['OpenedFiles'][comClose['FID']]['Socket'].close() elif fileHandle != VOID_FILE_DESCRIPTOR: os.close(fileHandle) except Exception as e: smbServer.log("comClose %s" % e, logging.ERROR) errorCode = STATUS_ACCESS_DENIED else: # Check if the file was marked for removal if connData['OpenedFiles'][comClose['FID']]['DeleteOnClose'] is True: try: os.remove(connData['OpenedFiles'][comClose['FID']]['FileName']) except Exception as e: smbServer.log("comClose %s" % e, logging.ERROR) errorCode = STATUS_ACCESS_DENIED del(connData['OpenedFiles'][comClose['FID']]) else: errorCode = STATUS_INVALID_HANDLE if errorCode > 0: respParameters = '' respData = '' respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComWrite(connId, smbServer, SMBCommand, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_WRITE) respParameters = smb.SMBWriteResponse_Parameters() respData = '' comWriteParameters = smb.SMBWrite_Parameters(SMBCommand['Parameters']) comWriteData = smb.SMBWrite_Data(SMBCommand['Data']) if comWriteParameters['Fid'] in connData['OpenedFiles']: fileHandle = connData['OpenedFiles'][comWriteParameters['Fid']]['FileHandle'] errorCode = STATUS_SUCCESS try: if fileHandle != PIPE_FILE_DESCRIPTOR: # TODO: Handle big size files # If we're trying to write past the file end we just skip the write call (Vista does this) if os.lseek(fileHandle, 0, 2) >= comWriteParameters['Offset']: os.lseek(fileHandle,comWriteParameters['Offset'],0) os.write(fileHandle,comWriteData['Data']) else: sock = connData['OpenedFiles'][comWriteParameters['Fid']]['Socket'] sock.send(comWriteData['Data']) respParameters['Count'] = comWriteParameters['Count'] except Exception as e: smbServer.log('smbComWrite: %s' % e, logging.ERROR) errorCode = STATUS_ACCESS_DENIED else: errorCode = STATUS_INVALID_HANDLE if errorCode > 0: respParameters = '' respData = '' respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComFlush(connId, smbServer, SMBCommand,recvPacket ): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_FLUSH) respParameters = '' respData = '' comFlush = smb.SMBFlush_Parameters(SMBCommand['Parameters']) if comFlush['FID'] in connData['OpenedFiles']: errorCode = STATUS_SUCCESS fileHandle = connData['OpenedFiles'][comFlush['FID']]['FileHandle'] try: os.fsync(fileHandle) except Exception as e: smbServer.log("comFlush %s" % e, logging.ERROR) errorCode = STATUS_ACCESS_DENIED else: errorCode = STATUS_INVALID_HANDLE if errorCode > 0: respParameters = '' respData = '' respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComCreateDirectory(connId, smbServer, SMBCommand,recvPacket ): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_CREATE_DIRECTORY) respParameters = '' respData = '' comCreateDirectoryData= smb.SMBCreateDirectory_Data(flags = recvPacket['Flags2'], data = SMBCommand['Data']) # Get the Tid associated if recvPacket['Tid'] in connData['ConnectedShares']: errorCode = STATUS_SUCCESS path = connData['ConnectedShares'][recvPacket['Tid']]['path'] fileName = os.path.normpath(decodeSMBString(recvPacket['Flags2'],comCreateDirectoryData['DirectoryName']).replace('\\','/')) if len(fileName) > 0: if fileName[0] == '/' or fileName[0] == '\\': # strip leading '/' fileName = fileName[1:] pathName = os.path.join(path,fileName) if os.path.exists(pathName): errorCode = STATUS_OBJECT_NAME_COLLISION # TODO: More checks here in the future.. Specially when we support # user access else: try: os.mkdir(pathName) except Exception as e: smbServer.log("smbComCreateDirectory: %s" % e, logging.ERROR) errorCode = STATUS_ACCESS_DENIED else: errorCode = STATUS_SMB_BAD_TID if errorCode > 0: respParameters = '' respData = '' respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComRename(connId, smbServer, SMBCommand, recvPacket ): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_RENAME) respParameters = '' respData = '' comRenameData = smb.SMBRename_Data(flags = recvPacket['Flags2'], data = SMBCommand['Data']) # Get the Tid associated if recvPacket['Tid'] in connData['ConnectedShares']: errorCode = STATUS_SUCCESS path = connData['ConnectedShares'][recvPacket['Tid']]['path'] oldFileName = os.path.normpath(decodeSMBString(recvPacket['Flags2'],comRenameData['OldFileName']).replace('\\','/')) newFileName = os.path.normpath(decodeSMBString(recvPacket['Flags2'],comRenameData['NewFileName']).replace('\\','/')) if len(oldFileName) > 0 and (oldFileName[0] == '/' or oldFileName[0] == '\\'): # strip leading '/' oldFileName = oldFileName[1:] oldPathName = os.path.join(path,oldFileName) if len(newFileName) > 0 and (newFileName[0] == '/' or newFileName[0] == '\\'): # strip leading '/' newFileName = newFileName[1:] newPathName = os.path.join(path,newFileName) if os.path.exists(oldPathName) is not True: errorCode = STATUS_NO_SUCH_FILE # TODO: More checks here in the future.. Specially when we support # user access else: try: os.rename(oldPathName,newPathName) except OSError as e: smbServer.log("smbComRename: %s" % e, logging.ERROR) errorCode = STATUS_ACCESS_DENIED else: errorCode = STATUS_SMB_BAD_TID if errorCode > 0: respParameters = '' respData = '' respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComDelete(connId, smbServer, SMBCommand, recvPacket ): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_DELETE) respParameters = '' respData = '' comDeleteData = smb.SMBDelete_Data(flags = recvPacket['Flags2'], data = SMBCommand['Data']) # Get the Tid associated if recvPacket['Tid'] in connData['ConnectedShares']: errorCode = STATUS_SUCCESS path = connData['ConnectedShares'][recvPacket['Tid']]['path'] fileName = os.path.normpath(decodeSMBString(recvPacket['Flags2'],comDeleteData['FileName']).replace('\\','/')) if len(fileName) > 0 and (fileName[0] == '/' or fileName[0] == '\\'): # strip leading '/' fileName = fileName[1:] pathName = os.path.join(path,fileName) if os.path.exists(pathName) is not True: errorCode = STATUS_NO_SUCH_FILE # TODO: More checks here in the future.. Specially when we support # user access else: try: os.remove(pathName) except OSError as e: smbServer.log("smbComDelete: %s" % e, logging.ERROR) errorCode = STATUS_ACCESS_DENIED else: errorCode = STATUS_SMB_BAD_TID if errorCode > 0: respParameters = '' respData = '' respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComDeleteDirectory(connId, smbServer, SMBCommand, recvPacket ): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_DELETE_DIRECTORY) respParameters = '' respData = '' comDeleteDirectoryData= smb.SMBDeleteDirectory_Data(flags = recvPacket['Flags2'], data = SMBCommand['Data']) # Get the Tid associated if recvPacket['Tid'] in connData['ConnectedShares']: errorCode = STATUS_SUCCESS path = connData['ConnectedShares'][recvPacket['Tid']]['path'] fileName = os.path.normpath(decodeSMBString(recvPacket['Flags2'],comDeleteDirectoryData['DirectoryName']).replace('\\','/')) if len(fileName) > 0 and (fileName[0] == '/' or fileName[0] == '\\'): # strip leading '/' fileName = fileName[1:] pathName = os.path.join(path,fileName) if os.path.exists(pathName) is not True: errorCode = STATUS_NO_SUCH_FILE # TODO: More checks here in the future.. Specially when we support # user access else: try: os.rmdir(pathName) except OSError as e: smbServer.log("smbComDeleteDirectory: %s" % e,logging.ERROR) if e.errno == errno.ENOTEMPTY: errorCode = STATUS_DIRECTORY_NOT_EMPTY else: errorCode = STATUS_ACCESS_DENIED else: errorCode = STATUS_SMB_BAD_TID if errorCode > 0: respParameters = '' respData = '' respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComWriteAndX(connId, smbServer, SMBCommand, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_WRITE_ANDX) respParameters = smb.SMBWriteAndXResponse_Parameters() respData = '' if SMBCommand['WordCount'] == 0x0C: writeAndX = smb.SMBWriteAndX_Parameters_Short(SMBCommand['Parameters']) writeAndXData = smb.SMBWriteAndX_Data_Short() else: writeAndX = smb.SMBWriteAndX_Parameters(SMBCommand['Parameters']) writeAndXData = smb.SMBWriteAndX_Data() writeAndXData['DataLength'] = writeAndX['DataLength'] writeAndXData['DataOffset'] = writeAndX['DataOffset'] writeAndXData.fromString(SMBCommand['Data']) if writeAndX['Fid'] in connData['OpenedFiles']: fileHandle = connData['OpenedFiles'][writeAndX['Fid']]['FileHandle'] errorCode = STATUS_SUCCESS try: if fileHandle != PIPE_FILE_DESCRIPTOR: offset = writeAndX['Offset'] if 'HighOffset' in writeAndX.fields: offset += (writeAndX['HighOffset'] << 32) # If we're trying to write past the file end we just skip the write call (Vista does this) if os.lseek(fileHandle, 0, 2) >= offset: os.lseek(fileHandle,offset,0) os.write(fileHandle,writeAndXData['Data']) else: sock = connData['OpenedFiles'][writeAndX['Fid']]['Socket'] sock.send(writeAndXData['Data']) respParameters['Count'] = writeAndX['DataLength'] respParameters['Available']= 0xff except Exception as e: smbServer.log('smbComWriteAndx: %s' % e, logging.ERROR) errorCode = STATUS_ACCESS_DENIED else: errorCode = STATUS_INVALID_HANDLE if errorCode > 0: respParameters = '' respData = '' respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComRead(connId, smbServer, SMBCommand, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_READ) respParameters = smb.SMBReadResponse_Parameters() respData = smb.SMBReadResponse_Data() comReadParameters = smb.SMBRead_Parameters(SMBCommand['Parameters']) if comReadParameters['Fid'] in connData['OpenedFiles']: fileHandle = connData['OpenedFiles'][comReadParameters['Fid']]['FileHandle'] errorCode = STATUS_SUCCESS try: if fileHandle != PIPE_FILE_DESCRIPTOR: # TODO: Handle big size files os.lseek(fileHandle,comReadParameters['Offset'],0) content = os.read(fileHandle,comReadParameters['Count']) else: sock = connData['OpenedFiles'][comReadParameters['Fid']]['Socket'] content = sock.recv(comReadParameters['Count']) respParameters['Count'] = len(content) respData['DataLength'] = len(content) respData['Data'] = content except Exception as e: smbServer.log('smbComRead: %s ' % e, logging.ERROR) errorCode = STATUS_ACCESS_DENIED else: errorCode = STATUS_INVALID_HANDLE if errorCode > 0: respParameters = '' respData = '' respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComReadAndX(connId, smbServer, SMBCommand, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_READ_ANDX) respParameters = smb.SMBReadAndXResponse_Parameters() respData = '' if SMBCommand['WordCount'] == 0x0A: readAndX = smb.SMBReadAndX_Parameters2(SMBCommand['Parameters']) else: readAndX = smb.SMBReadAndX_Parameters(SMBCommand['Parameters']) if readAndX['Fid'] in connData['OpenedFiles']: fileHandle = connData['OpenedFiles'][readAndX['Fid']]['FileHandle'] errorCode = 0 try: if fileHandle != PIPE_FILE_DESCRIPTOR: offset = readAndX['Offset'] if 'HighOffset' in readAndX.fields: offset += (readAndX['HighOffset'] << 32) os.lseek(fileHandle,offset,0) content = os.read(fileHandle,readAndX['MaxCount']) else: sock = connData['OpenedFiles'][readAndX['Fid']]['Socket'] content = sock.recv(readAndX['MaxCount']) respParameters['Remaining'] = 0xffff respParameters['DataCount'] = len(content) respParameters['DataOffset'] = 59 respParameters['DataCount_Hi'] = 0 respData = content except Exception as e: smbServer.log('smbComReadAndX: %s ' % e, logging.ERROR) errorCode = STATUS_ACCESS_DENIED else: errorCode = STATUS_INVALID_HANDLE if errorCode > 0: respParameters = '' respData = '' respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbQueryInformation(connId, smbServer, SMBCommand, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_QUERY_INFORMATION) respParameters = smb.SMBQueryInformationResponse_Parameters() respData = '' queryInformation= smb.SMBQueryInformation_Data(flags = recvPacket['Flags2'], data = SMBCommand['Data']) # Get the Tid associated if recvPacket['Tid'] in connData['ConnectedShares']: fileSize, lastWriteTime, fileAttributes = queryFsInformation( connData['ConnectedShares'][recvPacket['Tid']]['path'], decodeSMBString(recvPacket['Flags2'],queryInformation['FileName'])) respParameters['FileSize'] = fileSize respParameters['LastWriteTime'] = lastWriteTime respParameters['FileAttributes'] = fileAttributes errorCode = STATUS_SUCCESS else: # STATUS_SMB_BAD_TID errorCode = STATUS_SMB_BAD_TID respParameters = '' respData = '' respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbQueryInformationDisk(connId, smbServer, SMBCommand, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_QUERY_INFORMATION_DISK) respParameters = smb.SMBQueryInformationDiskResponse_Parameters() respData = '' # Get the Tid associated if recvPacket['Tid'] in connData['ConnectedShares']: totalUnits, freeUnits = queryDiskInformation( connData['ConnectedShares'][recvPacket['Tid']]['path']) respParameters['TotalUnits'] = totalUnits respParameters['BlocksPerUnit'] = 1 respParameters['BlockSize'] = 1 respParameters['FreeUnits'] = freeUnits errorCode = STATUS_SUCCESS else: # STATUS_SMB_BAD_TID respData = '' respParameters = '' errorCode = STATUS_SMB_BAD_TID respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComEcho(connId, smbServer, SMBCommand, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_ECHO) respParameters = smb.SMBEchoResponse_Parameters() respData = smb.SMBEchoResponse_Data() echoData = smb.SMBEcho_Data(SMBCommand['Data']) respParameters['SequenceNumber'] = 1 respData['Data'] = echoData['Data'] respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData errorCode = STATUS_SUCCESS smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComTreeDisconnect(connId, smbServer, SMBCommand, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_TREE_DISCONNECT) # Check if the Tid matches the Tid trying to disconnect respParameters = '' respData = '' if recvPacket['Tid'] in connData['ConnectedShares']: smbServer.log("Disconnecting Share(%d:%s)" % (recvPacket['Tid'],connData['ConnectedShares'][recvPacket['Tid']]['shareName'])) del(connData['ConnectedShares'][recvPacket['Tid']]) errorCode = STATUS_SUCCESS else: # STATUS_SMB_BAD_TID errorCode = STATUS_SMB_BAD_TID respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComLogOffAndX(connId, smbServer, SMBCommand, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_LOGOFF_ANDX) # Check if the Uid matches the user trying to logoff respParameters = '' respData = '' if recvPacket['Uid'] != connData['Uid']: # STATUS_SMB_BAD_UID errorCode = STATUS_SMB_BAD_UID else: errorCode = STATUS_SUCCESS respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData connData['Uid'] = 0 smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComQueryInformation2(connId, smbServer, SMBCommand, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_QUERY_INFORMATION2) respParameters = smb.SMBQueryInformation2Response_Parameters() respData = '' queryInformation2 = smb.SMBQueryInformation2_Parameters(SMBCommand['Parameters']) errorCode = 0xFF if queryInformation2['Fid'] in connData['OpenedFiles']: errorCode = STATUS_SUCCESS pathName = connData['OpenedFiles'][queryInformation2['Fid']]['FileName'] try: (mode, ino, dev, nlink, uid, gid, size, atime, mtime, ctime) = os.stat(pathName) respParameters['CreateDate'] = getSMBDate(ctime) respParameters['CreationTime'] = getSMBTime(ctime) respParameters['LastAccessDate'] = getSMBDate(atime) respParameters['LastAccessTime'] = getSMBTime(atime) respParameters['LastWriteDate'] = getSMBDate(mtime) respParameters['LastWriteTime'] = getSMBTime(mtime) respParameters['FileDataSize'] = size respParameters['FileAllocationSize'] = size attribs = 0 if os.path.isdir(pathName): attribs = smb.SMB_FILE_ATTRIBUTE_DIRECTORY if os.path.isfile(pathName): attribs = smb.SMB_FILE_ATTRIBUTE_NORMAL respParameters['FileAttributes'] = attribs except Exception as e: smbServer.log('smbComQueryInformation2 %s' % e,logging.ERROR) errorCode = STATUS_ACCESS_DENIED if errorCode > 0: respParameters = '' respData = '' respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComNtCreateAndX(connId, smbServer, SMBCommand, recvPacket): # TODO: Fully implement this connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_NT_CREATE_ANDX) respParameters = smb.SMBNtCreateAndXResponse_Parameters() respData = '' ntCreateAndXParameters = smb.SMBNtCreateAndX_Parameters(SMBCommand['Parameters']) ntCreateAndXData = smb.SMBNtCreateAndX_Data( flags = recvPacket['Flags2'], data = SMBCommand['Data']) #if ntCreateAndXParameters['CreateFlags'] & 0x10: # NT_CREATE_REQUEST_EXTENDED_RESPONSE # respParameters = smb.SMBNtCreateAndXExtendedResponse_Parameters() # respParameters['VolumeGUID'] = '\x00' # Get the Tid associated if recvPacket['Tid'] in connData['ConnectedShares']: # If we have a rootFid, the path is relative to that fid errorCode = STATUS_SUCCESS if ntCreateAndXParameters['RootFid'] > 0: path = connData['OpenedFiles'][ntCreateAndXParameters['RootFid']]['FileName'] LOG.debug("RootFid present %s!" % path) else: if 'path' in connData['ConnectedShares'][recvPacket['Tid']]: path = connData['ConnectedShares'][recvPacket['Tid']]['path'] else: path = 'NONE' errorCode = STATUS_ACCESS_DENIED deleteOnClose = False fileName = os.path.normpath(decodeSMBString(recvPacket['Flags2'],ntCreateAndXData['FileName']).replace('\\','/')) if len(fileName) > 0 and (fileName[0] == '/' or fileName[0] == '\\'): # strip leading '/' fileName = fileName[1:] pathName = os.path.join(path,fileName) createDisposition = ntCreateAndXParameters['Disposition'] mode = 0 if createDisposition == smb.FILE_SUPERSEDE: mode |= os.O_TRUNC | os.O_CREAT elif createDisposition & smb.FILE_OVERWRITE_IF == smb.FILE_OVERWRITE_IF: mode |= os.O_TRUNC | os.O_CREAT elif createDisposition & smb.FILE_OVERWRITE == smb.FILE_OVERWRITE: if os.path.exists(pathName) is True: mode |= os.O_TRUNC else: errorCode = STATUS_NO_SUCH_FILE elif createDisposition & smb.FILE_OPEN_IF == smb.FILE_OPEN_IF: if os.path.exists(pathName) is True: mode |= os.O_TRUNC else: mode |= os.O_TRUNC | os.O_CREAT elif createDisposition & smb.FILE_CREATE == smb.FILE_CREATE: if os.path.exists(pathName) is True: errorCode = STATUS_OBJECT_NAME_COLLISION else: mode |= os.O_CREAT elif createDisposition & smb.FILE_OPEN == smb.FILE_OPEN: if os.path.exists(pathName) is not True and (unicode(pathName) in smbServer.getRegisteredNamedPipes()) is not True: errorCode = STATUS_NO_SUCH_FILE if errorCode == STATUS_SUCCESS: desiredAccess = ntCreateAndXParameters['AccessMask'] if (desiredAccess & smb.FILE_READ_DATA) or (desiredAccess & smb.GENERIC_READ): mode |= os.O_RDONLY if (desiredAccess & smb.FILE_WRITE_DATA) or (desiredAccess & smb.GENERIC_WRITE): if (desiredAccess & smb.FILE_READ_DATA) or (desiredAccess & smb.GENERIC_READ): mode |= os.O_RDWR #| os.O_APPEND else: mode |= os.O_WRONLY #| os.O_APPEND if desiredAccess & smb.GENERIC_ALL: mode |= os.O_RDWR #| os.O_APPEND createOptions = ntCreateAndXParameters['CreateOptions'] if mode & os.O_CREAT == os.O_CREAT: if createOptions & smb.FILE_DIRECTORY_FILE == smb.FILE_DIRECTORY_FILE: try: # Let's create the directory os.mkdir(pathName) mode = os.O_RDONLY except Exception as e: smbServer.log("NTCreateAndX: %s,%s,%s" % (pathName,mode,e),logging.ERROR) errorCode = STATUS_ACCESS_DENIED if createOptions & smb.FILE_NON_DIRECTORY_FILE == smb.FILE_NON_DIRECTORY_FILE: # If the file being opened is a directory, the server MUST fail the request with # STATUS_FILE_IS_A_DIRECTORY in the Status field of the SMB Header in the server # response. if os.path.isdir(pathName) is True: errorCode = STATUS_FILE_IS_A_DIRECTORY if createOptions & smb.FILE_DELETE_ON_CLOSE == smb.FILE_DELETE_ON_CLOSE: deleteOnClose = True if errorCode == STATUS_SUCCESS: try: if os.path.isdir(pathName) and sys.platform == 'win32': fid = VOID_FILE_DESCRIPTOR else: if sys.platform == 'win32': mode |= os.O_BINARY if unicode(pathName) in smbServer.getRegisteredNamedPipes(): fid = PIPE_FILE_DESCRIPTOR sock = socket.socket() sock.connect(smbServer.getRegisteredNamedPipes()[unicode(pathName)]) else: fid = os.open(pathName, mode) except Exception as e: smbServer.log("NTCreateAndX: %s,%s,%s" % (pathName,mode,e),logging.ERROR) #print e fid = 0 errorCode = STATUS_ACCESS_DENIED else: errorCode = STATUS_SMB_BAD_TID if errorCode == STATUS_SUCCESS: # Simple way to generate a fid if len(connData['OpenedFiles']) == 0: fakefid = 1 else: fakefid = connData['OpenedFiles'].keys()[-1] + 1 respParameters['Fid'] = fakefid respParameters['CreateAction'] = createDisposition if fid == PIPE_FILE_DESCRIPTOR: respParameters['FileAttributes'] = 0x80 respParameters['IsDirectory'] = 0 respParameters['CreateTime'] = 0 respParameters['LastAccessTime'] = 0 respParameters['LastWriteTime'] = 0 respParameters['LastChangeTime'] = 0 respParameters['AllocationSize'] = 4096 respParameters['EndOfFile'] = 0 respParameters['FileType'] = 2 respParameters['IPCState'] = 0x5ff else: if os.path.isdir(pathName): respParameters['FileAttributes'] = smb.SMB_FILE_ATTRIBUTE_DIRECTORY respParameters['IsDirectory'] = 1 else: respParameters['IsDirectory'] = 0 respParameters['FileAttributes'] = ntCreateAndXParameters['FileAttributes'] # Let's get this file's information respInfo, errorCode = queryPathInformation('',pathName,level= smb.SMB_QUERY_FILE_ALL_INFO) if errorCode == STATUS_SUCCESS: respParameters['CreateTime'] = respInfo['CreationTime'] respParameters['LastAccessTime'] = respInfo['LastAccessTime'] respParameters['LastWriteTime'] = respInfo['LastWriteTime'] respParameters['LastChangeTime'] = respInfo['LastChangeTime'] respParameters['FileAttributes'] = respInfo['ExtFileAttributes'] respParameters['AllocationSize'] = respInfo['AllocationSize'] respParameters['EndOfFile'] = respInfo['EndOfFile'] else: respParameters = '' respData = '' if errorCode == STATUS_SUCCESS: # Let's store the fid for the connection # smbServer.log('Create file %s, mode:0x%x' % (pathName, mode)) connData['OpenedFiles'][fakefid] = {} connData['OpenedFiles'][fakefid]['FileHandle'] = fid connData['OpenedFiles'][fakefid]['FileName'] = pathName connData['OpenedFiles'][fakefid]['DeleteOnClose'] = deleteOnClose if fid == PIPE_FILE_DESCRIPTOR: connData['OpenedFiles'][fakefid]['Socket'] = sock else: respParameters = '' respData = '' respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComOpenAndX(connId, smbServer, SMBCommand, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_OPEN_ANDX) respParameters = smb.SMBOpenAndXResponse_Parameters() respData = '' openAndXParameters = smb.SMBOpenAndX_Parameters(SMBCommand['Parameters']) openAndXData = smb.SMBOpenAndX_Data( flags = recvPacket['Flags2'], data = SMBCommand['Data']) # Get the Tid associated if recvPacket['Tid'] in connData['ConnectedShares']: path = connData['ConnectedShares'][recvPacket['Tid']]['path'] openedFile, mode, pathName, errorCode = openFile(path, decodeSMBString(recvPacket['Flags2'],openAndXData['FileName']), openAndXParameters['DesiredAccess'], openAndXParameters['FileAttributes'], openAndXParameters['OpenMode']) else: errorCode = STATUS_SMB_BAD_TID if errorCode == STATUS_SUCCESS: # Simple way to generate a fid fid = len(connData['OpenedFiles']) + 1 if len(connData['OpenedFiles']) == 0: fid = 1 else: fid = connData['OpenedFiles'].keys()[-1] + 1 respParameters['Fid'] = fid if mode & os.O_CREAT: # File did not exist and was created respParameters['Action'] = 0x2 elif mode & os.O_RDONLY: # File existed and was opened respParameters['Action'] = 0x1 elif mode & os.O_APPEND: # File existed and was opened respParameters['Action'] = 0x1 else: # File existed and was truncated respParameters['Action'] = 0x3 # Let's store the fid for the connection #smbServer.log('Opening file %s' % pathName) connData['OpenedFiles'][fid] = {} connData['OpenedFiles'][fid]['FileHandle'] = openedFile connData['OpenedFiles'][fid]['FileName'] = pathName connData['OpenedFiles'][fid]['DeleteOnClose'] = False else: respParameters = '' respData = '' respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComTreeConnectAndX(connId, smbServer, SMBCommand, recvPacket): connData = smbServer.getConnectionData(connId) resp = smb.NewSMBPacket() resp['Flags1'] = smb.SMB.FLAGS1_REPLY resp['Flags2'] = smb.SMB.FLAGS2_EXTENDED_SECURITY | smb.SMB.FLAGS2_NT_STATUS | smb.SMB.FLAGS2_LONG_NAMES | recvPacket['Flags2'] & smb.SMB.FLAGS2_UNICODE resp['Tid'] = recvPacket['Tid'] resp['Mid'] = recvPacket['Mid'] resp['Pid'] = connData['Pid'] respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_TREE_CONNECT_ANDX) respParameters = smb.SMBTreeConnectAndXResponse_Parameters() respData = smb.SMBTreeConnectAndXResponse_Data() treeConnectAndXParameters = smb.SMBTreeConnectAndX_Parameters(SMBCommand['Parameters']) if treeConnectAndXParameters['Flags'] & 0x8: respParameters = smb.SMBTreeConnectAndXExtendedResponse_Parameters() treeConnectAndXData = smb.SMBTreeConnectAndX_Data( flags = recvPacket['Flags2'] ) treeConnectAndXData['_PasswordLength'] = treeConnectAndXParameters['PasswordLength'] treeConnectAndXData.fromString(SMBCommand['Data']) errorCode = STATUS_SUCCESS ## Process here the request, does the share exist? UNCOrShare = decodeSMBString(recvPacket['Flags2'], treeConnectAndXData['Path']) # Is this a UNC? if ntpath.ismount(UNCOrShare): path = UNCOrShare.split('\\')[3] else: path = ntpath.basename(UNCOrShare) share = searchShare(connId, path, smbServer) if share is not None: # Simple way to generate a Tid if len(connData['ConnectedShares']) == 0: tid = 1 else: tid = connData['ConnectedShares'].keys()[-1] + 1 connData['ConnectedShares'][tid] = share connData['ConnectedShares'][tid]['shareName'] = path resp['Tid'] = tid #smbServer.log("Connecting Share(%d:%s)" % (tid,path)) else: smbServer.log("TreeConnectAndX not found %s" % path, logging.ERROR) errorCode = STATUS_OBJECT_PATH_NOT_FOUND resp['ErrorCode'] = errorCode >> 16 resp['ErrorClass'] = errorCode & 0xff ## respParameters['OptionalSupport'] = smb.SMB.SMB_SUPPORT_SEARCH_BITS if path == 'IPC$': respData['Service'] = 'IPC' else: respData['Service'] = path respData['PadLen'] = 0 respData['NativeFileSystem'] = encodeSMBString(recvPacket['Flags2'], 'NTFS' ) respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData resp['Uid'] = connData['Uid'] resp.addCommand(respSMBCommand) smbServer.setConnectionData(connId, connData) return None, [resp], errorCode @staticmethod def smbComSessionSetupAndX(connId, smbServer, SMBCommand, recvPacket): connData = smbServer.getConnectionData(connId, checkStatus = False) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_SESSION_SETUP_ANDX) # From [MS-SMB] # When extended security is being used (see section 3.2.4.2.4), the # request MUST take the following form # [..] # WordCount (1 byte): The value of this field MUST be 0x0C. if SMBCommand['WordCount'] == 12: # Extended security. Here we deal with all SPNEGO stuff respParameters = smb.SMBSessionSetupAndX_Extended_Response_Parameters() respData = smb.SMBSessionSetupAndX_Extended_Response_Data(flags = recvPacket['Flags2']) sessionSetupParameters = smb.SMBSessionSetupAndX_Extended_Parameters(SMBCommand['Parameters']) sessionSetupData = smb.SMBSessionSetupAndX_Extended_Data() sessionSetupData['SecurityBlobLength'] = sessionSetupParameters['SecurityBlobLength'] sessionSetupData.fromString(SMBCommand['Data']) connData['Capabilities'] = sessionSetupParameters['Capabilities'] rawNTLM = False if struct.unpack('B',sessionSetupData['SecurityBlob'][0])[0] == ASN1_AID: # NEGOTIATE packet blob = SPNEGO_NegTokenInit(sessionSetupData['SecurityBlob']) token = blob['MechToken'] if len(blob['MechTypes'][0]) > 0: # Is this GSSAPI NTLM or something else we don't support? mechType = blob['MechTypes'][0] if mechType != TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']: # Nope, do we know it? if mechType in MechTypes: mechStr = MechTypes[mechType] else: mechStr = hexlify(mechType) smbServer.log("Unsupported MechType '%s'" % mechStr, logging.CRITICAL) # We don't know the token, we answer back again saying # we just support NTLM. # ToDo: Build this into a SPNEGO_NegTokenResp() respToken = '\xa1\x15\x30\x13\xa0\x03\x0a\x01\x03\xa1\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a' respParameters['SecurityBlobLength'] = len(respToken) respData['SecurityBlobLength'] = respParameters['SecurityBlobLength'] respData['SecurityBlob'] = respToken respData['NativeOS'] = encodeSMBString(recvPacket['Flags2'], smbServer.getServerOS()) respData['NativeLanMan'] = encodeSMBString(recvPacket['Flags2'], smbServer.getServerOS()) respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData return [respSMBCommand], None, STATUS_MORE_PROCESSING_REQUIRED elif struct.unpack('B',sessionSetupData['SecurityBlob'][0])[0] == ASN1_SUPPORTED_MECH: # AUTH packet blob = SPNEGO_NegTokenResp(sessionSetupData['SecurityBlob']) token = blob['ResponseToken'] else: # No GSSAPI stuff, raw NTLMSSP rawNTLM = True token = sessionSetupData['SecurityBlob'] # Here we only handle NTLMSSP, depending on what stage of the # authentication we are, we act on it messageType = struct.unpack('<L',token[len('NTLMSSP\x00'):len('NTLMSSP\x00')+4])[0] if messageType == 0x01: # NEGOTIATE_MESSAGE negotiateMessage = ntlm.NTLMAuthNegotiate() negotiateMessage.fromString(token) # Let's store it in the connection data connData['NEGOTIATE_MESSAGE'] = negotiateMessage # Let's build the answer flags # TODO: Parse all the flags. With this we're leaving some clients out ansFlags = 0 if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_56: ansFlags |= ntlm.NTLMSSP_NEGOTIATE_56 if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_128: ansFlags |= ntlm.NTLMSSP_NEGOTIATE_128 if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH: ansFlags |= ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY: ansFlags |= ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE: ansFlags |= ntlm.NTLMSSP_NEGOTIATE_UNICODE if negotiateMessage['flags'] & ntlm.NTLM_NEGOTIATE_OEM: ansFlags |= ntlm.NTLM_NEGOTIATE_OEM ansFlags |= ntlm.NTLMSSP_NEGOTIATE_VERSION | ntlm.NTLMSSP_NEGOTIATE_TARGET_INFO | ntlm.NTLMSSP_TARGET_TYPE_SERVER | ntlm.NTLMSSP_NEGOTIATE_NTLM | ntlm.NTLMSSP_REQUEST_TARGET # Generate the AV_PAIRS av_pairs = ntlm.AV_PAIRS() # TODO: Put the proper data from SMBSERVER config av_pairs[ntlm.NTLMSSP_AV_HOSTNAME] = av_pairs[ntlm.NTLMSSP_AV_DNS_HOSTNAME] = smbServer.getServerName().encode('utf-16le') av_pairs[ntlm.NTLMSSP_AV_DOMAINNAME] = av_pairs[ntlm.NTLMSSP_AV_DNS_DOMAINNAME] = smbServer.getServerDomain().encode('utf-16le') av_pairs[ntlm.NTLMSSP_AV_TIME] = struct.pack('<q', (116444736000000000 + calendar.timegm(time.gmtime()) * 10000000) ) challengeMessage = ntlm.NTLMAuthChallenge() challengeMessage['flags'] = ansFlags challengeMessage['domain_len'] = len(smbServer.getServerDomain().encode('utf-16le')) challengeMessage['domain_max_len'] = challengeMessage['domain_len'] challengeMessage['domain_offset'] = 40 + 16 challengeMessage['challenge'] = smbServer.getSMBChallenge() challengeMessage['domain_name'] = smbServer.getServerDomain().encode('utf-16le') challengeMessage['TargetInfoFields_len'] = len(av_pairs) challengeMessage['TargetInfoFields_max_len'] = len(av_pairs) challengeMessage['TargetInfoFields'] = av_pairs challengeMessage['TargetInfoFields_offset'] = 40 + 16 + len(challengeMessage['domain_name']) challengeMessage['Version'] = '\xff'*8 challengeMessage['VersionLen'] = 8 if rawNTLM is False: respToken = SPNEGO_NegTokenResp() # accept-incomplete. We want more data respToken['NegResult'] = '\x01' respToken['SupportedMech'] = TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider'] respToken['ResponseToken'] = challengeMessage.getData() else: respToken = challengeMessage # Setting the packet to STATUS_MORE_PROCESSING errorCode = STATUS_MORE_PROCESSING_REQUIRED # Let's set up an UID for this connection and store it # in the connection's data # Picking a fixed value # TODO: Manage more UIDs for the same session connData['Uid'] = 10 # Let's store it in the connection data connData['CHALLENGE_MESSAGE'] = challengeMessage elif messageType == 0x02: # CHALLENGE_MESSAGE raise Exception('Challenge Message raise, not implemented!') elif messageType == 0x03: # AUTHENTICATE_MESSAGE, here we deal with authentication authenticateMessage = ntlm.NTLMAuthChallengeResponse() authenticateMessage.fromString(token) smbServer.log("AUTHENTICATE_MESSAGE (%s\\%s,%s)" % (authenticateMessage['domain_name'], authenticateMessage['user_name'], authenticateMessage['host_name'])) # TODO: Check the credentials! Now granting permissions respToken = SPNEGO_NegTokenResp() # accept-completed respToken['NegResult'] = '\x00' # Status SUCCESS errorCode = STATUS_SUCCESS smbServer.log('User %s\\%s authenticated successfully' % (authenticateMessage['user_name'], authenticateMessage['host_name'])) # Let's store it in the connection data connData['AUTHENTICATE_MESSAGE'] = authenticateMessage try: jtr_dump_path = smbServer.getJTRdumpPath() ntlm_hash_data = outputToJohnFormat( connData['CHALLENGE_MESSAGE']['challenge'], authenticateMessage['user_name'], authenticateMessage['domain_name'], authenticateMessage['lanman'], authenticateMessage['ntlm'] ) smbServer.log(ntlm_hash_data['hash_string']) if jtr_dump_path is not '': writeJohnOutputToFile(ntlm_hash_data['hash_string'], ntlm_hash_data['hash_version'], jtr_dump_path) except: smbServer.log("Could not write NTLM Hashes to the specified JTR_Dump_Path %s" % jtr_dump_path) else: raise Exception("Unknown NTLMSSP MessageType %d" % messageType) respParameters['SecurityBlobLength'] = len(respToken) respData['SecurityBlobLength'] = respParameters['SecurityBlobLength'] respData['SecurityBlob'] = respToken.getData() else: # Process Standard Security respParameters = smb.SMBSessionSetupAndXResponse_Parameters() respData = smb.SMBSessionSetupAndXResponse_Data() sessionSetupParameters = smb.SMBSessionSetupAndX_Parameters(SMBCommand['Parameters']) sessionSetupData = smb.SMBSessionSetupAndX_Data() sessionSetupData['AnsiPwdLength'] = sessionSetupParameters['AnsiPwdLength'] sessionSetupData['UnicodePwdLength'] = sessionSetupParameters['UnicodePwdLength'] sessionSetupData.fromString(SMBCommand['Data']) connData['Capabilities'] = sessionSetupParameters['Capabilities'] # Do the verification here, for just now we grant access # TODO: Manage more UIDs for the same session errorCode = STATUS_SUCCESS connData['Uid'] = 10 respParameters['Action'] = 0 smbServer.log('User %s\\%s authenticated successfully (basic)' % (sessionSetupData['PrimaryDomain'], sessionSetupData['Account'])) try: jtr_dump_path = smbServer.getJTRdumpPath() ntlm_hash_data = outputToJohnFormat( '', sessionSetupData['Account'], sessionSetupData['PrimaryDomain'], sessionSetupData['AnsiPwd'], sessionSetupData['UnicodePwd'] ) smbServer.log(ntlm_hash_data['hash_string']) if jtr_dump_path is not '': writeJohnOutputToFile(ntlm_hash_data['hash_string'], ntlm_hash_data['hash_version'], jtr_dump_path) except: smbServer.log("Could not write NTLM Hashes to the specified JTR_Dump_Path %s" % jtr_dump_path) respData['NativeOS'] = encodeSMBString(recvPacket['Flags2'], smbServer.getServerOS()) respData['NativeLanMan'] = encodeSMBString(recvPacket['Flags2'], smbServer.getServerOS()) respSMBCommand['Parameters'] = respParameters respSMBCommand['Data'] = respData # From now on, the client can ask for other commands connData['Authenticated'] = True # For now, just switching to nobody #os.setregid(65534,65534) #os.setreuid(65534,65534) smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smbComNegotiate(connId, smbServer, SMBCommand, recvPacket ): connData = smbServer.getConnectionData(connId, checkStatus = False) connData['Pid'] = recvPacket['Pid'] SMBCommand = smb.SMBCommand(recvPacket['Data'][0]) respSMBCommand = smb.SMBCommand(smb.SMB.SMB_COM_NEGOTIATE) resp = smb.NewSMBPacket() resp['Flags1'] = smb.SMB.FLAGS1_REPLY resp['Pid'] = connData['Pid'] resp['Tid'] = recvPacket['Tid'] resp['Mid'] = recvPacket['Mid'] # TODO: We support more dialects, and parse them accordingly dialects = SMBCommand['Data'].split('\x02') try: index = dialects.index('NT LM 0.12\x00') - 1 # Let's fill the data for NTLM if recvPacket['Flags2'] & smb.SMB.FLAGS2_EXTENDED_SECURITY: resp['Flags2'] = smb.SMB.FLAGS2_EXTENDED_SECURITY | smb.SMB.FLAGS2_NT_STATUS | smb.SMB.FLAGS2_UNICODE #resp['Flags2'] = smb.SMB.FLAGS2_EXTENDED_SECURITY | smb.SMB.FLAGS2_NT_STATUS _dialects_data = smb.SMBExtended_Security_Data() _dialects_data['ServerGUID'] = 'A'*16 blob = SPNEGO_NegTokenInit() blob['MechTypes'] = [TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']] _dialects_data['SecurityBlob'] = blob.getData() _dialects_parameters = smb.SMBExtended_Security_Parameters() _dialects_parameters['Capabilities'] = smb.SMB.CAP_EXTENDED_SECURITY | smb.SMB.CAP_USE_NT_ERRORS | smb.SMB.CAP_NT_SMBS | smb.SMB.CAP_UNICODE _dialects_parameters['ChallengeLength'] = 0 else: resp['Flags2'] = smb.SMB.FLAGS2_NT_STATUS | smb.SMB.FLAGS2_UNICODE _dialects_parameters = smb.SMBNTLMDialect_Parameters() _dialects_data= smb.SMBNTLMDialect_Data() _dialects_data['Payload'] = '' if 'EncryptionKey' in connData: _dialects_data['Challenge'] = connData['EncryptionKey'] _dialects_parameters['ChallengeLength'] = len(str(_dialects_data)) else: # TODO: Handle random challenges, now one that can be used with rainbow tables _dialects_data['Challenge'] = '\x11\x22\x33\x44\x55\x66\x77\x88' _dialects_parameters['ChallengeLength'] = 8 _dialects_parameters['Capabilities'] = smb.SMB.CAP_USE_NT_ERRORS | smb.SMB.CAP_NT_SMBS # Let's see if we need to support RPC_REMOTE_APIS config = smbServer.getServerConfig() if config.has_option('global','rpc_apis'): if config.getboolean('global', 'rpc_apis') is True: _dialects_parameters['Capabilities'] |= smb.SMB.CAP_RPC_REMOTE_APIS _dialects_parameters['DialectIndex'] = index _dialects_parameters['SecurityMode'] = smb.SMB.SECURITY_AUTH_ENCRYPTED | smb.SMB.SECURITY_SHARE_USER _dialects_parameters['MaxMpxCount'] = 1 _dialects_parameters['MaxNumberVcs'] = 1 _dialects_parameters['MaxBufferSize'] = 64000 _dialects_parameters['MaxRawSize'] = 65536 _dialects_parameters['SessionKey'] = 0 _dialects_parameters['LowDateTime'] = 0 _dialects_parameters['HighDateTime'] = 0 _dialects_parameters['ServerTimeZone'] = 0 respSMBCommand['Data'] = _dialects_data respSMBCommand['Parameters'] = _dialects_parameters connData['_dialects_data'] = _dialects_data connData['_dialects_parameters'] = _dialects_parameters except Exception as e: # No NTLM throw an error smbServer.log('smbComNegotiate: %s' % e, logging.ERROR) respSMBCommand['Data'] = struct.pack('<H',0xffff) smbServer.setConnectionData(connId, connData) resp.addCommand(respSMBCommand) return None, [resp], STATUS_SUCCESS @staticmethod def default(connId, smbServer, SMBCommand, recvPacket): # By default we return an SMB Packet with error not implemented smbServer.log("Not implemented command: 0x%x" % recvPacket['Command'],logging.DEBUG) packet = smb.NewSMBPacket() packet['Flags1'] = smb.SMB.FLAGS1_REPLY packet['Flags2'] = smb.SMB.FLAGS2_NT_STATUS packet['Command'] = recvPacket['Command'] packet['Pid'] = recvPacket['Pid'] packet['Tid'] = recvPacket['Tid'] packet['Mid'] = recvPacket['Mid'] packet['Uid'] = recvPacket['Uid'] packet['Data'] = '\x00\x00\x00' errorCode = STATUS_NOT_IMPLEMENTED packet['ErrorCode'] = errorCode >> 16 packet['ErrorClass'] = errorCode & 0xff return None, [packet], errorCode class SMB2Commands: @staticmethod def smb2Negotiate(connId, smbServer, recvPacket, isSMB1 = False): connData = smbServer.getConnectionData(connId, checkStatus = False) respPacket = smb2.SMB2Packet() respPacket['Flags'] = smb2.SMB2_FLAGS_SERVER_TO_REDIR respPacket['Status'] = STATUS_SUCCESS respPacket['CreditRequestResponse'] = 1 respPacket['Command'] = smb2.SMB2_NEGOTIATE respPacket['SessionID'] = 0 if isSMB1 is False: respPacket['MessageID'] = recvPacket['MessageID'] else: respPacket['MessageID'] = 0 respPacket['TreeID'] = 0 respSMBCommand = smb2.SMB2Negotiate_Response() respSMBCommand['SecurityMode'] = 1 if isSMB1 is True: # Let's first parse the packet to see if the client supports SMB2 SMBCommand = smb.SMBCommand(recvPacket['Data'][0]) dialects = SMBCommand['Data'].split('\x02') if 'SMB 2.002\x00' in dialects or 'SMB 2.???\x00' in dialects: respSMBCommand['DialectRevision'] = smb2.SMB2_DIALECT_002 else: # Client does not support SMB2 fallbacking raise Exception('SMB2 not supported, fallbacking') else: respSMBCommand['DialectRevision'] = smb2.SMB2_DIALECT_002 respSMBCommand['ServerGuid'] = 'A'*16 respSMBCommand['Capabilities'] = 0 respSMBCommand['MaxTransactSize'] = 65536 respSMBCommand['MaxReadSize'] = 65536 respSMBCommand['MaxWriteSize'] = 65536 respSMBCommand['SystemTime'] = getFileTime(calendar.timegm(time.gmtime())) respSMBCommand['ServerStartTime'] = getFileTime(calendar.timegm(time.gmtime())) respSMBCommand['SecurityBufferOffset'] = 0x80 blob = SPNEGO_NegTokenInit() blob['MechTypes'] = [TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']] respSMBCommand['Buffer'] = blob.getData() respSMBCommand['SecurityBufferLength'] = len(respSMBCommand['Buffer']) respPacket['Data'] = respSMBCommand smbServer.setConnectionData(connId, connData) return None, [respPacket], STATUS_SUCCESS @staticmethod def smb2SessionSetup(connId, smbServer, recvPacket): connData = smbServer.getConnectionData(connId, checkStatus = False) respSMBCommand = smb2.SMB2SessionSetup_Response() sessionSetupData = smb2.SMB2SessionSetup(recvPacket['Data']) connData['Capabilities'] = sessionSetupData['Capabilities'] securityBlob = sessionSetupData['Buffer'] rawNTLM = False if struct.unpack('B',securityBlob[0])[0] == ASN1_AID: # NEGOTIATE packet blob = SPNEGO_NegTokenInit(securityBlob) token = blob['MechToken'] if len(blob['MechTypes'][0]) > 0: # Is this GSSAPI NTLM or something else we don't support? mechType = blob['MechTypes'][0] if mechType != TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider']: # Nope, do we know it? if mechType in MechTypes: mechStr = MechTypes[mechType] else: mechStr = hexlify(mechType) smbServer.log("Unsupported MechType '%s'" % mechStr, logging.CRITICAL) # We don't know the token, we answer back again saying # we just support NTLM. # ToDo: Build this into a SPNEGO_NegTokenResp() respToken = '\xa1\x15\x30\x13\xa0\x03\x0a\x01\x03\xa1\x0c\x06\x0a\x2b\x06\x01\x04\x01\x82\x37\x02\x02\x0a' respSMBCommand['SecurityBufferOffset'] = 0x48 respSMBCommand['SecurityBufferLength'] = len(respToken) respSMBCommand['Buffer'] = respToken return [respSMBCommand], None, STATUS_MORE_PROCESSING_REQUIRED elif struct.unpack('B',securityBlob[0])[0] == ASN1_SUPPORTED_MECH: # AUTH packet blob = SPNEGO_NegTokenResp(securityBlob) token = blob['ResponseToken'] else: # No GSSAPI stuff, raw NTLMSSP rawNTLM = True token = securityBlob # Here we only handle NTLMSSP, depending on what stage of the # authentication we are, we act on it messageType = struct.unpack('<L',token[len('NTLMSSP\x00'):len('NTLMSSP\x00')+4])[0] if messageType == 0x01: # NEGOTIATE_MESSAGE negotiateMessage = ntlm.NTLMAuthNegotiate() negotiateMessage.fromString(token) # Let's store it in the connection data connData['NEGOTIATE_MESSAGE'] = negotiateMessage # Let's build the answer flags # TODO: Parse all the flags. With this we're leaving some clients out ansFlags = 0 if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_56: ansFlags |= ntlm.NTLMSSP_NEGOTIATE_56 if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_128: ansFlags |= ntlm.NTLMSSP_NEGOTIATE_128 if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH: ansFlags |= ntlm.NTLMSSP_NEGOTIATE_KEY_EXCH if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY: ansFlags |= ntlm.NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY if negotiateMessage['flags'] & ntlm.NTLMSSP_NEGOTIATE_UNICODE: ansFlags |= ntlm.NTLMSSP_NEGOTIATE_UNICODE if negotiateMessage['flags'] & ntlm.NTLM_NEGOTIATE_OEM: ansFlags |= ntlm.NTLM_NEGOTIATE_OEM ansFlags |= ntlm.NTLMSSP_NEGOTIATE_VERSION | ntlm.NTLMSSP_NEGOTIATE_TARGET_INFO | ntlm.NTLMSSP_TARGET_TYPE_SERVER | ntlm.NTLMSSP_NEGOTIATE_NTLM | ntlm.NTLMSSP_REQUEST_TARGET # Generate the AV_PAIRS av_pairs = ntlm.AV_PAIRS() # TODO: Put the proper data from SMBSERVER config av_pairs[ntlm.NTLMSSP_AV_HOSTNAME] = av_pairs[ntlm.NTLMSSP_AV_DNS_HOSTNAME] = smbServer.getServerName().encode('utf-16le') av_pairs[ntlm.NTLMSSP_AV_DOMAINNAME] = av_pairs[ntlm.NTLMSSP_AV_DNS_DOMAINNAME] = smbServer.getServerDomain().encode('utf-16le') av_pairs[ntlm.NTLMSSP_AV_TIME] = struct.pack('<q', (116444736000000000 + calendar.timegm(time.gmtime()) * 10000000) ) challengeMessage = ntlm.NTLMAuthChallenge() challengeMessage['flags'] = ansFlags challengeMessage['domain_len'] = len(smbServer.getServerDomain().encode('utf-16le')) challengeMessage['domain_max_len'] = challengeMessage['domain_len'] challengeMessage['domain_offset'] = 40 + 16 challengeMessage['challenge'] = smbServer.getSMBChallenge() challengeMessage['domain_name'] = smbServer.getServerDomain().encode('utf-16le') challengeMessage['TargetInfoFields_len'] = len(av_pairs) challengeMessage['TargetInfoFields_max_len'] = len(av_pairs) challengeMessage['TargetInfoFields'] = av_pairs challengeMessage['TargetInfoFields_offset'] = 40 + 16 + len(challengeMessage['domain_name']) challengeMessage['Version'] = '\xff'*8 challengeMessage['VersionLen'] = 8 if rawNTLM is False: respToken = SPNEGO_NegTokenResp() # accept-incomplete. We want more data respToken['NegResult'] = '\x01' respToken['SupportedMech'] = TypesMech['NTLMSSP - Microsoft NTLM Security Support Provider'] respToken['ResponseToken'] = challengeMessage.getData() else: respToken = challengeMessage # Setting the packet to STATUS_MORE_PROCESSING errorCode = STATUS_MORE_PROCESSING_REQUIRED # Let's set up an UID for this connection and store it # in the connection's data # Picking a fixed value # TODO: Manage more UIDs for the same session connData['Uid'] = random.randint(1,0xffffffff) # Let's store it in the connection data connData['CHALLENGE_MESSAGE'] = challengeMessage elif messageType == 0x02: # CHALLENGE_MESSAGE raise Exception('Challenge Message raise, not implemented!') elif messageType == 0x03: # AUTHENTICATE_MESSAGE, here we deal with authentication authenticateMessage = ntlm.NTLMAuthChallengeResponse() authenticateMessage.fromString(token) smbServer.log("AUTHENTICATE_MESSAGE (%s\\%s,%s)" % (authenticateMessage['domain_name'], authenticateMessage['user_name'], authenticateMessage['host_name'])) # TODO: Check the credentials! Now granting permissions respToken = SPNEGO_NegTokenResp() # accept-completed respToken['NegResult'] = '\x00' # Status SUCCESS errorCode = STATUS_SUCCESS smbServer.log('User %s\\%s authenticated successfully' % (authenticateMessage['user_name'], authenticateMessage['host_name'])) # Let's store it in the connection data connData['AUTHENTICATE_MESSAGE'] = authenticateMessage try: jtr_dump_path = smbServer.getJTRdumpPath() ntlm_hash_data = outputToJohnFormat( connData['CHALLENGE_MESSAGE']['challenge'], authenticateMessage['user_name'], authenticateMessage['domain_name'], authenticateMessage['lanman'], authenticateMessage['ntlm'] ) smbServer.log(ntlm_hash_data['hash_string']) if jtr_dump_path is not '': writeJohnOutputToFile(ntlm_hash_data['hash_string'], ntlm_hash_data['hash_version'], jtr_dump_path) except: smbServer.log("Could not write NTLM Hashes to the specified JTR_Dump_Path %s" % jtr_dump_path) respSMBCommand['SessionFlags'] = 1 else: raise Exception("Unknown NTLMSSP MessageType %d" % messageType) respSMBCommand['SecurityBufferOffset'] = 0x48 respSMBCommand['SecurityBufferLength'] = len(respToken) respSMBCommand['Buffer'] = respToken.getData() # From now on, the client can ask for other commands connData['Authenticated'] = True # For now, just switching to nobody #os.setregid(65534,65534) #os.setreuid(65534,65534) smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smb2TreeConnect(connId, smbServer, recvPacket): connData = smbServer.getConnectionData(connId) respPacket = smb2.SMB2Packet() respPacket['Flags'] = smb2.SMB2_FLAGS_SERVER_TO_REDIR respPacket['Status'] = STATUS_SUCCESS respPacket['CreditRequestResponse'] = 1 respPacket['Command'] = recvPacket['Command'] respPacket['SessionID'] = connData['Uid'] respPacket['Reserved'] = recvPacket['Reserved'] respPacket['MessageID'] = recvPacket['MessageID'] respPacket['TreeID'] = recvPacket['TreeID'] respSMBCommand = smb2.SMB2TreeConnect_Response() treeConnectRequest = smb2.SMB2TreeConnect(recvPacket['Data']) errorCode = STATUS_SUCCESS ## Process here the request, does the share exist? path = str(recvPacket)[treeConnectRequest['PathOffset']:][:treeConnectRequest['PathLength']] UNCOrShare = path.decode('utf-16le') # Is this a UNC? if ntpath.ismount(UNCOrShare): path = UNCOrShare.split('\\')[3] else: path = ntpath.basename(UNCOrShare) share = searchShare(connId, path.upper(), smbServer) if share is not None: # Simple way to generate a Tid if len(connData['ConnectedShares']) == 0: tid = 1 else: tid = connData['ConnectedShares'].keys()[-1] + 1 connData['ConnectedShares'][tid] = share connData['ConnectedShares'][tid]['shareName'] = path respPacket['TreeID'] = tid smbServer.log("Connecting Share(%d:%s)" % (tid,path)) else: smbServer.log("SMB2_TREE_CONNECT not found %s" % path, logging.ERROR) errorCode = STATUS_OBJECT_PATH_NOT_FOUND respPacket['Status'] = errorCode ## if path == 'IPC$': respSMBCommand['ShareType'] = smb2.SMB2_SHARE_TYPE_PIPE respSMBCommand['ShareFlags'] = 0x30 else: respSMBCommand['ShareType'] = smb2.SMB2_SHARE_TYPE_DISK respSMBCommand['ShareFlags'] = 0x0 respSMBCommand['Capabilities'] = 0 respSMBCommand['MaximalAccess'] = 0x000f01ff respPacket['Data'] = respSMBCommand smbServer.setConnectionData(connId, connData) return None, [respPacket], errorCode @staticmethod def smb2Create(connId, smbServer, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb2.SMB2Create_Response() ntCreateRequest = smb2.SMB2Create(recvPacket['Data']) respSMBCommand['Buffer'] = '\x00' # Get the Tid associated if recvPacket['TreeID'] in connData['ConnectedShares']: # If we have a rootFid, the path is relative to that fid errorCode = STATUS_SUCCESS if 'path' in connData['ConnectedShares'][recvPacket['TreeID']]: path = connData['ConnectedShares'][recvPacket['TreeID']]['path'] else: path = 'NONE' errorCode = STATUS_ACCESS_DENIED deleteOnClose = False fileName = os.path.normpath(ntCreateRequest['Buffer'][:ntCreateRequest['NameLength']].decode('utf-16le').replace('\\','/')) if len(fileName) > 0 and (fileName[0] == '/' or fileName[0] == '\\'): # strip leading '/' fileName = fileName[1:] pathName = os.path.join(path,fileName) createDisposition = ntCreateRequest['CreateDisposition'] mode = 0 if createDisposition == smb2.FILE_SUPERSEDE: mode |= os.O_TRUNC | os.O_CREAT elif createDisposition & smb2.FILE_OVERWRITE_IF == smb2.FILE_OVERWRITE_IF: mode |= os.O_TRUNC | os.O_CREAT elif createDisposition & smb2.FILE_OVERWRITE == smb2.FILE_OVERWRITE: if os.path.exists(pathName) is True: mode |= os.O_TRUNC else: errorCode = STATUS_NO_SUCH_FILE elif createDisposition & smb2.FILE_OPEN_IF == smb2.FILE_OPEN_IF: if os.path.exists(pathName) is True: mode |= os.O_TRUNC else: mode |= os.O_TRUNC | os.O_CREAT elif createDisposition & smb2.FILE_CREATE == smb2.FILE_CREATE: if os.path.exists(pathName) is True: errorCode = STATUS_OBJECT_NAME_COLLISION else: mode |= os.O_CREAT elif createDisposition & smb2.FILE_OPEN == smb2.FILE_OPEN: if os.path.exists(pathName) is not True and (unicode(pathName) in smbServer.getRegisteredNamedPipes()) is not True: errorCode = STATUS_NO_SUCH_FILE if errorCode == STATUS_SUCCESS: desiredAccess = ntCreateRequest['DesiredAccess'] if (desiredAccess & smb2.FILE_READ_DATA) or (desiredAccess & smb2.GENERIC_READ): mode |= os.O_RDONLY if (desiredAccess & smb2.FILE_WRITE_DATA) or (desiredAccess & smb2.GENERIC_WRITE): if (desiredAccess & smb2.FILE_READ_DATA) or (desiredAccess & smb2.GENERIC_READ): mode |= os.O_RDWR #| os.O_APPEND else: mode |= os.O_WRONLY #| os.O_APPEND if desiredAccess & smb2.GENERIC_ALL: mode |= os.O_RDWR #| os.O_APPEND createOptions = ntCreateRequest['CreateOptions'] if mode & os.O_CREAT == os.O_CREAT: if createOptions & smb2.FILE_DIRECTORY_FILE == smb2.FILE_DIRECTORY_FILE: try: # Let's create the directory os.mkdir(pathName) mode = os.O_RDONLY except Exception as e: smbServer.log("SMB2_CREATE: %s,%s,%s" % (pathName,mode,e),logging.ERROR) errorCode = STATUS_ACCESS_DENIED if createOptions & smb2.FILE_NON_DIRECTORY_FILE == smb2.FILE_NON_DIRECTORY_FILE: # If the file being opened is a directory, the server MUST fail the request with # STATUS_FILE_IS_A_DIRECTORY in the Status field of the SMB Header in the server # response. if os.path.isdir(pathName) is True: errorCode = STATUS_FILE_IS_A_DIRECTORY if createOptions & smb2.FILE_DELETE_ON_CLOSE == smb2.FILE_DELETE_ON_CLOSE: deleteOnClose = True if errorCode == STATUS_SUCCESS: try: if os.path.isdir(pathName) and sys.platform == 'win32': fid = VOID_FILE_DESCRIPTOR else: if sys.platform == 'win32': mode |= os.O_BINARY if unicode(pathName) in smbServer.getRegisteredNamedPipes(): fid = PIPE_FILE_DESCRIPTOR sock = socket.socket() sock.connect(smbServer.getRegisteredNamedPipes()[unicode(pathName)]) else: fid = os.open(pathName, mode) except Exception as e: smbServer.log("SMB2_CREATE: %s,%s,%s" % (pathName,mode,e),logging.ERROR) #print e fid = 0 errorCode = STATUS_ACCESS_DENIED else: errorCode = STATUS_SMB_BAD_TID if errorCode == STATUS_SUCCESS: # Simple way to generate a fid fakefid = uuid.generate() respSMBCommand['FileID'] = fakefid respSMBCommand['CreateAction'] = createDisposition if fid == PIPE_FILE_DESCRIPTOR: respSMBCommand['CreationTime'] = 0 respSMBCommand['LastAccessTime'] = 0 respSMBCommand['LastWriteTime'] = 0 respSMBCommand['ChangeTime'] = 0 respSMBCommand['AllocationSize'] = 4096 respSMBCommand['EndOfFile'] = 0 respSMBCommand['FileAttributes'] = 0x80 else: if os.path.isdir(pathName): respSMBCommand['FileAttributes'] = smb.SMB_FILE_ATTRIBUTE_DIRECTORY else: respSMBCommand['FileAttributes'] = ntCreateRequest['FileAttributes'] # Let's get this file's information respInfo, errorCode = queryPathInformation('',pathName,level= smb.SMB_QUERY_FILE_ALL_INFO) if errorCode == STATUS_SUCCESS: respSMBCommand['CreationTime'] = respInfo['CreationTime'] respSMBCommand['LastAccessTime'] = respInfo['LastAccessTime'] respSMBCommand['LastWriteTime'] = respInfo['LastWriteTime'] respSMBCommand['LastChangeTime'] = respInfo['LastChangeTime'] respSMBCommand['FileAttributes'] = respInfo['ExtFileAttributes'] respSMBCommand['AllocationSize'] = respInfo['AllocationSize'] respSMBCommand['EndOfFile'] = respInfo['EndOfFile'] if errorCode == STATUS_SUCCESS: # Let's store the fid for the connection # smbServer.log('Create file %s, mode:0x%x' % (pathName, mode)) connData['OpenedFiles'][fakefid] = {} connData['OpenedFiles'][fakefid]['FileHandle'] = fid connData['OpenedFiles'][fakefid]['FileName'] = pathName connData['OpenedFiles'][fakefid]['DeleteOnClose'] = deleteOnClose connData['OpenedFiles'][fakefid]['Open'] = {} connData['OpenedFiles'][fakefid]['Open']['EnumerationLocation'] = 0 connData['OpenedFiles'][fakefid]['Open']['EnumerationSearchPattern'] = '' if fid == PIPE_FILE_DESCRIPTOR: connData['OpenedFiles'][fakefid]['Socket'] = sock else: respSMBCommand = smb2.SMB2Error() if errorCode == STATUS_SUCCESS: connData['LastRequest']['SMB2_CREATE'] = respSMBCommand smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smb2Close(connId, smbServer, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb2.SMB2Close_Response() closeRequest = smb2.SMB2Close(recvPacket['Data']) if str(closeRequest['FileID']) == '\xff'*16: # Let's take the data from the lastRequest if 'SMB2_CREATE' in connData['LastRequest']: fileID = connData['LastRequest']['SMB2_CREATE']['FileID'] else: fileID = str(closeRequest['FileID']) else: fileID = str(closeRequest['FileID']) if fileID in connData['OpenedFiles']: errorCode = STATUS_SUCCESS fileHandle = connData['OpenedFiles'][fileID]['FileHandle'] pathName = connData['OpenedFiles'][fileID]['FileName'] infoRecord = None try: if fileHandle == PIPE_FILE_DESCRIPTOR: connData['OpenedFiles'][fileID]['Socket'].close() elif fileHandle != VOID_FILE_DESCRIPTOR: os.close(fileHandle) infoRecord, errorCode = queryFileInformation(os.path.dirname(pathName), os.path.basename(pathName), smb2.SMB2_FILE_NETWORK_OPEN_INFO) except Exception as e: smbServer.log("SMB2_CLOSE %s" % e, logging.ERROR) errorCode = STATUS_INVALID_HANDLE else: # Check if the file was marked for removal if connData['OpenedFiles'][fileID]['DeleteOnClose'] is True: try: if os.path.isdir(pathName): shutil.rmtree(connData['OpenedFiles'][fileID]['FileName']) else: os.remove(connData['OpenedFiles'][fileID]['FileName']) except Exception as e: smbServer.log("SMB2_CLOSE %s" % e, logging.ERROR) errorCode = STATUS_ACCESS_DENIED # Now fill out the response if infoRecord is not None: respSMBCommand['CreationTime'] = infoRecord['CreationTime'] respSMBCommand['LastAccessTime'] = infoRecord['LastAccessTime'] respSMBCommand['LastWriteTime'] = infoRecord['LastWriteTime'] respSMBCommand['ChangeTime'] = infoRecord['ChangeTime'] respSMBCommand['AllocationSize'] = infoRecord['AllocationSize'] respSMBCommand['EndofFile'] = infoRecord['EndOfFile'] respSMBCommand['FileAttributes'] = infoRecord['FileAttributes'] if errorCode == STATUS_SUCCESS: del(connData['OpenedFiles'][fileID]) else: errorCode = STATUS_INVALID_HANDLE smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smb2QueryInfo(connId, smbServer, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb2.SMB2QueryInfo_Response() queryInfo = smb2.SMB2QueryInfo(recvPacket['Data']) errorCode = STATUS_SUCCESS respSMBCommand['OutputBufferOffset'] = 0x48 respSMBCommand['Buffer'] = '\x00' if str(queryInfo['FileID']) == '\xff'*16: # Let's take the data from the lastRequest if 'SMB2_CREATE' in connData['LastRequest']: fileID = connData['LastRequest']['SMB2_CREATE']['FileID'] else: fileID = str(queryInfo['FileID']) else: fileID = str(queryInfo['FileID']) if recvPacket['TreeID'] in connData['ConnectedShares']: if fileID in connData['OpenedFiles']: fileName = connData['OpenedFiles'][fileID]['FileName'] if queryInfo['InfoType'] == smb2.SMB2_0_INFO_FILE: if queryInfo['FileInfoClass'] == smb2.SMB2_FILE_INTERNAL_INFO: # No need to call queryFileInformation, we have the data here infoRecord = smb2.FileInternalInformation() infoRecord['IndexNumber'] = fileID else: infoRecord, errorCode = queryFileInformation(os.path.dirname(fileName), os.path.basename(fileName), queryInfo['FileInfoClass']) elif queryInfo['InfoType'] == smb2.SMB2_0_INFO_FILESYSTEM: infoRecord = queryFsInformation(os.path.dirname(fileName), os.path.basename(fileName), queryInfo['FileInfoClass']) elif queryInfo['InfoType'] == smb2.SMB2_0_INFO_SECURITY: # Failing for now, until we support it infoRecord = None errorCode = STATUS_ACCESS_DENIED else: smbServer.log("queryInfo not supported (%x)" % queryInfo['InfoType'], logging.ERROR) if infoRecord is not None: respSMBCommand['OutputBufferLength'] = len(infoRecord) respSMBCommand['Buffer'] = infoRecord else: errorCode = STATUS_INVALID_HANDLE else: errorCode = STATUS_SMB_BAD_TID smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smb2SetInfo(connId, smbServer, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb2.SMB2SetInfo_Response() setInfo = smb2.SMB2SetInfo(recvPacket['Data']) errorCode = STATUS_SUCCESS if str(setInfo['FileID']) == '\xff'*16: # Let's take the data from the lastRequest if 'SMB2_CREATE' in connData['LastRequest']: fileID = connData['LastRequest']['SMB2_CREATE']['FileID'] else: fileID = str(setInfo['FileID']) else: fileID = str(setInfo['FileID']) if recvPacket['TreeID'] in connData['ConnectedShares']: path = connData['ConnectedShares'][recvPacket['TreeID']]['path'] if fileID in connData['OpenedFiles']: pathName = connData['OpenedFiles'][fileID]['FileName'] if setInfo['InfoType'] == smb2.SMB2_0_INFO_FILE: # The file information is being set informationLevel = setInfo['FileInfoClass'] if informationLevel == smb2.SMB2_FILE_DISPOSITION_INFO: infoRecord = smb.SMBSetFileDispositionInfo(setInfo['Buffer']) if infoRecord['DeletePending'] > 0: # Mark this file for removal after closed connData['OpenedFiles'][fileID]['DeleteOnClose'] = True elif informationLevel == smb2.SMB2_FILE_BASIC_INFO: infoRecord = smb.SMBSetFileBasicInfo(setInfo['Buffer']) # Creation time won't be set, the other ones we play with. atime = infoRecord['LastWriteTime'] if atime == 0: atime = -1 else: atime = getUnixTime(atime) mtime = infoRecord['ChangeTime'] if mtime == 0: mtime = -1 else: mtime = getUnixTime(mtime) if atime > 0 and mtime > 0: os.utime(pathName,(atime,mtime)) elif informationLevel == smb2.SMB2_FILE_END_OF_FILE_INFO: fileHandle = connData['OpenedFiles'][fileID]['FileHandle'] infoRecord = smb.SMBSetFileEndOfFileInfo(setInfo['Buffer']) if infoRecord['EndOfFile'] > 0: os.lseek(fileHandle, infoRecord['EndOfFile']-1, 0) os.write(fileHandle, '\x00') elif informationLevel == smb2.SMB2_FILE_RENAME_INFO: renameInfo = smb2.FILE_RENAME_INFORMATION_TYPE_2(setInfo['Buffer']) newPathName = os.path.join(path,renameInfo['FileName'].decode('utf-16le').replace('\\', '/')) if renameInfo['ReplaceIfExists'] == 0 and os.path.exists(newPathName): return [smb2.SMB2Error()], None, STATUS_OBJECT_NAME_COLLISION try: os.rename(pathName,newPathName) connData['OpenedFiles'][fileID]['FileName'] = newPathName except Exception as e: smbServer.log("smb2SetInfo: %s" % e, logging.ERROR) errorCode = STATUS_ACCESS_DENIED else: smbServer.log('Unknown level for set file info! 0x%x' % informationLevel, logging.ERROR) # UNSUPPORTED errorCode = STATUS_NOT_SUPPORTED #elif setInfo['InfoType'] == smb2.SMB2_0_INFO_FILESYSTEM: # # The underlying object store information is being set. # setInfo = queryFsInformation('/', fileName, queryInfo['FileInfoClass']) #elif setInfo['InfoType'] == smb2.SMB2_0_INFO_SECURITY: # # The security information is being set. # # Failing for now, until we support it # infoRecord = None # errorCode = STATUS_ACCESS_DENIED #elif setInfo['InfoType'] == smb2.SMB2_0_INFO_QUOTA: # # The underlying object store quota information is being set. # setInfo = queryFsInformation('/', fileName, queryInfo['FileInfoClass']) else: smbServer.log("setInfo not supported (%x)" % setInfo['InfoType'], logging.ERROR) else: errorCode = STATUS_INVALID_HANDLE else: errorCode = STATUS_SMB_BAD_TID smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smb2Write(connId, smbServer, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb2.SMB2Write_Response() writeRequest = smb2.SMB2Write(recvPacket['Data']) respSMBCommand['Buffer'] = '\x00' if str(writeRequest['FileID']) == '\xff'*16: # Let's take the data from the lastRequest if 'SMB2_CREATE' in connData['LastRequest']: fileID = connData['LastRequest']['SMB2_CREATE']['FileID'] else: fileID = str(writeRequest['FileID']) else: fileID = str(writeRequest['FileID']) if fileID in connData['OpenedFiles']: fileHandle = connData['OpenedFiles'][fileID]['FileHandle'] errorCode = STATUS_SUCCESS try: if fileHandle != PIPE_FILE_DESCRIPTOR: offset = writeRequest['Offset'] # If we're trying to write past the file end we just skip the write call (Vista does this) if os.lseek(fileHandle, 0, 2) >= offset: os.lseek(fileHandle,offset,0) os.write(fileHandle,writeRequest['Buffer']) else: sock = connData['OpenedFiles'][fileID]['Socket'] sock.send(writeRequest['Buffer']) respSMBCommand['Count'] = writeRequest['Length'] respSMBCommand['Remaining']= 0xff except Exception as e: smbServer.log('SMB2_WRITE: %s' % e, logging.ERROR) errorCode = STATUS_ACCESS_DENIED else: errorCode = STATUS_INVALID_HANDLE smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smb2Read(connId, smbServer, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb2.SMB2Read_Response() readRequest = smb2.SMB2Read(recvPacket['Data']) respSMBCommand['Buffer'] = '\x00' if str(readRequest['FileID']) == '\xff'*16: # Let's take the data from the lastRequest if 'SMB2_CREATE' in connData['LastRequest']: fileID = connData['LastRequest']['SMB2_CREATE']['FileID'] else: fileID = str(readRequest['FileID']) else: fileID = str(readRequest['FileID']) if fileID in connData['OpenedFiles']: fileHandle = connData['OpenedFiles'][fileID]['FileHandle'] errorCode = 0 try: if fileHandle != PIPE_FILE_DESCRIPTOR: offset = readRequest['Offset'] os.lseek(fileHandle,offset,0) content = os.read(fileHandle,readRequest['Length']) else: sock = connData['OpenedFiles'][fileID]['Socket'] content = sock.recv(readRequest['Length']) respSMBCommand['DataOffset'] = 0x50 respSMBCommand['DataLength'] = len(content) respSMBCommand['DataRemaining']= 0 respSMBCommand['Buffer'] = content except Exception as e: smbServer.log('SMB2_READ: %s ' % e, logging.ERROR) errorCode = STATUS_ACCESS_DENIED else: errorCode = STATUS_INVALID_HANDLE smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smb2Flush(connId, smbServer, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb2.SMB2Flush_Response() flushRequest = smb2.SMB2Flush(recvPacket['Data']) if str(flushRequest['FileID']) in connData['OpenedFiles']: fileHandle = connData['OpenedFiles'][str(flushRequest['FileID'])]['FileHandle'] errorCode = STATUS_SUCCESS try: os.fsync(fileHandle) except Exception as e: smbServer.log("SMB2_FLUSH %s" % e, logging.ERROR) errorCode = STATUS_ACCESS_DENIED else: errorCode = STATUS_INVALID_HANDLE smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smb2QueryDirectory(connId, smbServer, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb2.SMB2QueryDirectory_Response() queryDirectoryRequest = smb2.SMB2QueryDirectory(recvPacket['Data']) respSMBCommand['Buffer'] = '\x00' # The server MUST locate the tree connection, as specified in section 3.3.5.2.11. if (recvPacket['TreeID'] in connData['ConnectedShares']) is False: return [smb2.SMB2Error()], None, STATUS_NETWORK_NAME_DELETED # Next, the server MUST locate the open for the directory to be queried # If no open is found, the server MUST fail the request with STATUS_FILE_CLOSED if str(queryDirectoryRequest['FileID']) == '\xff'*16: # Let's take the data from the lastRequest if 'SMB2_CREATE' in connData['LastRequest']: fileID = connData['LastRequest']['SMB2_CREATE']['FileID'] else: fileID = str(queryDirectoryRequest['FileID']) else: fileID = str(queryDirectoryRequest['FileID']) if (fileID in connData['OpenedFiles']) is False: return [smb2.SMB2Error()], None, STATUS_FILE_CLOSED # If the open is not an open to a directory, the request MUST be failed # with STATUS_INVALID_PARAMETER. if os.path.isdir(connData['OpenedFiles'][fileID]['FileName']) is False: return [smb2.SMB2Error()], None, STATUS_INVALID_PARAMETER # If any other information class is specified in the FileInformationClass # field of the SMB2 QUERY_DIRECTORY Request, the server MUST fail the # operation with STATUS_INVALID_INFO_CLASS. if queryDirectoryRequest['FileInformationClass'] not in ( smb2.FILE_DIRECTORY_INFORMATION, smb2.FILE_FULL_DIRECTORY_INFORMATION, smb2.FILEID_FULL_DIRECTORY_INFORMATION, smb2.FILE_BOTH_DIRECTORY_INFORMATION, smb2.FILEID_BOTH_DIRECTORY_INFORMATION, smb2.FILENAMES_INFORMATION): return [smb2.SMB2Error()], None, STATUS_INVALID_INFO_CLASS # If SMB2_REOPEN is set in the Flags field of the SMB2 QUERY_DIRECTORY # Request, the server SHOULD<326> set Open.EnumerationLocation to 0 # and Open.EnumerationSearchPattern to an empty string. if queryDirectoryRequest['Flags'] & smb2.SMB2_REOPEN: connData['OpenedFiles'][fileID]['Open']['EnumerationLocation'] = 0 connData['OpenedFiles'][fileID]['Open']['EnumerationSearchPattern'] = '' # If SMB2_RESTART_SCANS is set in the Flags field of the SMB2 # QUERY_DIRECTORY Request, the server MUST set # Open.EnumerationLocation to 0. if queryDirectoryRequest['Flags'] & smb2.SMB2_RESTART_SCANS: connData['OpenedFiles'][fileID]['Open']['EnumerationLocation'] = 0 # If Open.EnumerationLocation is 0 and Open.EnumerationSearchPattern # is an empty string, then Open.EnumerationSearchPattern MUST be set # to the search pattern specified in the SMB2 QUERY_DIRECTORY by # FileNameOffset and FileNameLength. If FileNameLength is 0, the server # SHOULD<327> set Open.EnumerationSearchPattern as "*" to search all entries. pattern = queryDirectoryRequest['Buffer'].decode('utf-16le') if connData['OpenedFiles'][fileID]['Open']['EnumerationLocation'] == 0 and \ connData['OpenedFiles'][fileID]['Open']['EnumerationSearchPattern'] == '': if pattern == '': pattern = '*' connData['OpenedFiles'][fileID]['Open']['EnumerationSearchPattern'] = pattern # If SMB2_INDEX_SPECIFIED is set and FileNameLength is not zero, # the server MUST set Open.EnumerationSearchPattern to the search pattern # specified in the request by FileNameOffset and FileNameLength. if queryDirectoryRequest['Flags'] & smb2.SMB2_INDEX_SPECIFIED and \ queryDirectoryRequest['FileNameLength'] > 0: connData['OpenedFiles'][fileID]['Open']['EnumerationSearchPattern'] = pattern pathName = os.path.join(os.path.normpath(connData['OpenedFiles'][fileID]['FileName']),pattern) searchResult, searchCount, errorCode = findFirst2(os.path.dirname(pathName), os.path.basename(pathName), queryDirectoryRequest['FileInformationClass'], smb.ATTR_DIRECTORY, isSMB2 = True ) if errorCode != STATUS_SUCCESS: return [smb2.SMB2Error()], None, errorCode if searchCount > 2 and pattern == '*': # strip . and .. searchCount -= 2 searchResult = searchResult[2:] if searchCount == 0 and connData['OpenedFiles'][fileID]['Open']['EnumerationLocation'] == 0: return [smb2.SMB2Error()], None, STATUS_NO_SUCH_FILE if connData['OpenedFiles'][fileID]['Open']['EnumerationLocation'] < 0: return [smb2.SMB2Error()], None, STATUS_NO_MORE_FILES totalData = 0 respData = '' for nItem in range(connData['OpenedFiles'][fileID]['Open']['EnumerationLocation'], searchCount): connData['OpenedFiles'][fileID]['Open']['EnumerationLocation'] += 1 if queryDirectoryRequest['Flags'] & smb2.SL_RETURN_SINGLE_ENTRY: # If single entry is requested we must clear the NextEntryOffset searchResult[nItem]['NextEntryOffset'] = 0 data = searchResult[nItem].getData() lenData = len(data) padLen = (8-(lenData % 8)) %8 if (totalData+lenData) >= queryDirectoryRequest['OutputBufferLength']: connData['OpenedFiles'][fileID]['Open']['EnumerationLocation'] -= 1 break else: respData += data + '\x00'*padLen totalData += lenData + padLen if queryDirectoryRequest['Flags'] & smb2.SL_RETURN_SINGLE_ENTRY: break if connData['OpenedFiles'][fileID]['Open']['EnumerationLocation'] >= searchCount: connData['OpenedFiles'][fileID]['Open']['EnumerationLocation'] = -1 respSMBCommand['OutputBufferOffset'] = 0x48 respSMBCommand['OutputBufferLength'] = totalData respSMBCommand['Buffer'] = respData smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smb2ChangeNotify(connId, smbServer, recvPacket): return [smb2.SMB2Error()], None, STATUS_NOT_SUPPORTED @staticmethod def smb2Echo(connId, smbServer, recvPacket): respSMBCommand = smb2.SMB2Echo_Response() return [respSMBCommand], None, STATUS_SUCCESS @staticmethod def smb2TreeDisconnect(connId, smbServer, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb2.SMB2TreeDisconnect_Response() if recvPacket['TreeID'] in connData['ConnectedShares']: smbServer.log("Disconnecting Share(%d:%s)" % (recvPacket['TreeID'],connData['ConnectedShares'][recvPacket['TreeID']]['shareName'])) del(connData['ConnectedShares'][recvPacket['TreeID']]) errorCode = STATUS_SUCCESS else: # STATUS_SMB_BAD_TID errorCode = STATUS_SMB_BAD_TID smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smb2Logoff(connId, smbServer, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb2.SMB2Logoff_Response() if recvPacket['SessionID'] != connData['Uid']: # STATUS_SMB_BAD_UID errorCode = STATUS_SMB_BAD_UID else: errorCode = STATUS_SUCCESS connData['Uid'] = 0 smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smb2Ioctl(connId, smbServer, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb2.SMB2Ioctl_Response() ioctlRequest = smb2.SMB2Ioctl(recvPacket['Data']) ioctls = smbServer.getIoctls() if ioctlRequest['CtlCode'] in ioctls: outputData, errorCode = ioctls[ioctlRequest['CtlCode']](connId, smbServer, ioctlRequest) if errorCode == STATUS_SUCCESS: respSMBCommand['CtlCode'] = ioctlRequest['CtlCode'] respSMBCommand['FileID'] = ioctlRequest['FileID'] respSMBCommand['InputOffset'] = 0 respSMBCommand['InputCount'] = 0 respSMBCommand['OutputOffset'] = 0x70 respSMBCommand['OutputCount'] = len(outputData) respSMBCommand['Flags'] = 0 respSMBCommand['Buffer'] = outputData else: respSMBCommand = outputData else: smbServer.log("Ioctl not implemented command: 0x%x" % ioctlRequest['CtlCode'],logging.DEBUG) errorCode = STATUS_INVALID_DEVICE_REQUEST respSMBCommand = smb2.SMB2Error() smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smb2Lock(connId, smbServer, recvPacket): connData = smbServer.getConnectionData(connId) respSMBCommand = smb2.SMB2Lock_Response() # I'm actually doing nothing.. just make MacOS happy ;) errorCode = STATUS_SUCCESS smbServer.setConnectionData(connId, connData) return [respSMBCommand], None, errorCode @staticmethod def smb2Cancel(connId, smbServer, recvPacket): # I'm actually doing nothing return [smb2.SMB2Error()], None, STATUS_CANCELLED @staticmethod def default(connId, smbServer, recvPacket): # By default we return an SMB Packet with error not implemented smbServer.log("Not implemented command: 0x%x" % recvPacket['Command'],logging.DEBUG) return [smb2.SMB2Error()], None, STATUS_NOT_SUPPORTED class Ioctls: @staticmethod def fsctlDfsGetReferrals(connId, smbServer, ioctlRequest): return smb2.SMB2Error(), STATUS_FS_DRIVER_REQUIRED @staticmethod def fsctlPipeTransceive(connId, smbServer, ioctlRequest): connData = smbServer.getConnectionData(connId) ioctlResponse = '' if str(ioctlRequest['FileID']) in connData['OpenedFiles']: fileHandle = connData['OpenedFiles'][str(ioctlRequest['FileID'])]['FileHandle'] errorCode = STATUS_SUCCESS try: if fileHandle != PIPE_FILE_DESCRIPTOR: errorCode = STATUS_INVALID_DEVICE_REQUEST else: sock = connData['OpenedFiles'][str(ioctlRequest['FileID'])]['Socket'] sock.sendall(ioctlRequest['Buffer']) ioctlResponse = sock.recv(ioctlRequest['MaxOutputResponse']) except Exception as e: smbServer.log('fsctlPipeTransceive: %s ' % e, logging.ERROR) errorCode = STATUS_ACCESS_DENIED else: errorCode = STATUS_INVALID_DEVICE_REQUEST smbServer.setConnectionData(connId, connData) return ioctlResponse, errorCode @staticmethod def fsctlValidateNegotiateInfo(connId, smbServer, ioctlRequest): connData = smbServer.getConnectionData(connId) errorCode = STATUS_SUCCESS validateNegotiateInfo = smb2.VALIDATE_NEGOTIATE_INFO(ioctlRequest['Buffer']) validateNegotiateInfo['Capabilities'] = 0 validateNegotiateInfo['Guid'] = 'A'*16 validateNegotiateInfo['SecurityMode'] = 1 validateNegotiateInfo['Dialects'] = (smb2.SMB2_DIALECT_002,) smbServer.setConnectionData(connId, connData) return validateNegotiateInfo.getData(), errorCode class SMBSERVERHandler(SocketServer.BaseRequestHandler): def __init__(self, request, client_address, server, select_poll = False): self.__SMB = server self.__ip, self.__port = client_address self.__request = request self.__connId = threading.currentThread().getName() self.__timeOut = 60*5 self.__select_poll = select_poll #self.__connId = os.getpid() SocketServer.BaseRequestHandler.__init__(self, request, client_address, server) def handle(self): self.__SMB.log("Incoming connection (%s,%d)" % (self.__ip, self.__port)) self.__SMB.addConnection(self.__connId, self.__ip, self.__port) while True: try: # Firt of all let's get the NETBIOS packet session = nmb.NetBIOSTCPSession(self.__SMB.getServerName(),'HOST', self.__ip, sess_port = self.__port, sock = self.__request, select_poll = self.__select_poll) try: p = session.recv_packet(self.__timeOut) except nmb.NetBIOSTimeout: raise except nmb.NetBIOSError: break if p.get_type() == nmb.NETBIOS_SESSION_REQUEST: # Someone is requesting a session, we're gonna accept them all :) _, rn, my = p.get_trailer().split(' ') remote_name = nmb.decode_name('\x20'+rn) myname = nmb.decode_name('\x20'+my) self.__SMB.log("NetBIOS Session request (%s,%s,%s)" % (self.__ip, remote_name[1].strip(), myname[1])) r = nmb.NetBIOSSessionPacket() r.set_type(nmb.NETBIOS_SESSION_POSITIVE_RESPONSE) r.set_trailer(p.get_trailer()) self.__request.send(r.rawData()) else: resp = self.__SMB.processRequest(self.__connId, p.get_trailer()) # Send all the packets recevied. Except for big transactions this should be # a single packet for i in resp: session.send_packet(str(i)) except Exception as e: self.__SMB.log("Handle: %s" % e) #import traceback #traceback.print_exc() break def finish(self): # Thread/process is dying, we should tell the main SMB thread to remove all this thread data self.__SMB.log("Closing down connection (%s,%d)" % (self.__ip, self.__port)) self.__SMB.removeConnection(self.__connId) return SocketServer.BaseRequestHandler.finish(self) class SMBSERVER(SocketServer.ThreadingMixIn, SocketServer.TCPServer): #class SMBSERVER(SocketServer.ForkingMixIn, SocketServer.TCPServer): def __init__(self, server_address, handler_class=SMBSERVERHandler, config_parser = None): SocketServer.TCPServer.allow_reuse_address = True SocketServer.TCPServer.__init__(self, server_address, handler_class) # Server name and OS to be presented whenever is necessary self.__serverName = '' self.__serverOS = '' self.__serverDomain = '' self.__challenge = '' self.__log = None # Our ConfigParser data self.__serverConfig = config_parser # Our credentials to be used during the server's lifetime self.__credentials = {} # Our log file self.__logFile = '' # Registered Named Pipes, format is PipeName,Socket self.__registeredNamedPipes = {} # JTR dump path self.__jtr_dump_path = '' # SMB2 Support flag = default not active self.__SMB2Support = False # Our list of commands we will answer, by default the NOT IMPLEMENTED one self.__smbCommandsHandler = SMBCommands() self.__smbTrans2Handler = TRANS2Commands() self.__smbTransHandler = TRANSCommands() self.__smbNTTransHandler = NTTRANSCommands() self.__smb2CommandsHandler = SMB2Commands() self.__IoctlHandler = Ioctls() self.__smbNTTransCommands = { # NT IOCTL, can't find doc for this 0xff :self.__smbNTTransHandler.default } self.__smbTransCommands = { '\\PIPE\\LANMAN' :self.__smbTransHandler.lanMan, smb.SMB.TRANS_TRANSACT_NMPIPE :self.__smbTransHandler.transactNamedPipe, } self.__smbTrans2Commands = { smb.SMB.TRANS2_FIND_FIRST2 :self.__smbTrans2Handler.findFirst2, smb.SMB.TRANS2_FIND_NEXT2 :self.__smbTrans2Handler.findNext2, smb.SMB.TRANS2_QUERY_FS_INFORMATION :self.__smbTrans2Handler.queryFsInformation, smb.SMB.TRANS2_QUERY_PATH_INFORMATION :self.__smbTrans2Handler.queryPathInformation, smb.SMB.TRANS2_QUERY_FILE_INFORMATION :self.__smbTrans2Handler.queryFileInformation, smb.SMB.TRANS2_SET_FILE_INFORMATION :self.__smbTrans2Handler.setFileInformation, smb.SMB.TRANS2_SET_PATH_INFORMATION :self.__smbTrans2Handler.setPathInformation } self.__smbCommands = { #smb.SMB.SMB_COM_FLUSH: self.__smbCommandsHandler.smbComFlush, smb.SMB.SMB_COM_CREATE_DIRECTORY: self.__smbCommandsHandler.smbComCreateDirectory, smb.SMB.SMB_COM_DELETE_DIRECTORY: self.__smbCommandsHandler.smbComDeleteDirectory, smb.SMB.SMB_COM_RENAME: self.__smbCommandsHandler.smbComRename, smb.SMB.SMB_COM_DELETE: self.__smbCommandsHandler.smbComDelete, smb.SMB.SMB_COM_NEGOTIATE: self.__smbCommandsHandler.smbComNegotiate, smb.SMB.SMB_COM_SESSION_SETUP_ANDX: self.__smbCommandsHandler.smbComSessionSetupAndX, smb.SMB.SMB_COM_LOGOFF_ANDX: self.__smbCommandsHandler.smbComLogOffAndX, smb.SMB.SMB_COM_TREE_CONNECT_ANDX: self.__smbCommandsHandler.smbComTreeConnectAndX, smb.SMB.SMB_COM_TREE_DISCONNECT: self.__smbCommandsHandler.smbComTreeDisconnect, smb.SMB.SMB_COM_ECHO: self.__smbCommandsHandler.smbComEcho, smb.SMB.SMB_COM_QUERY_INFORMATION: self.__smbCommandsHandler.smbQueryInformation, smb.SMB.SMB_COM_TRANSACTION2: self.__smbCommandsHandler.smbTransaction2, smb.SMB.SMB_COM_TRANSACTION: self.__smbCommandsHandler.smbTransaction, # Not needed for now smb.SMB.SMB_COM_NT_TRANSACT: self.__smbCommandsHandler.smbNTTransact, smb.SMB.SMB_COM_QUERY_INFORMATION_DISK: self.__smbCommandsHandler.smbQueryInformationDisk, smb.SMB.SMB_COM_OPEN_ANDX: self.__smbCommandsHandler.smbComOpenAndX, smb.SMB.SMB_COM_QUERY_INFORMATION2: self.__smbCommandsHandler.smbComQueryInformation2, smb.SMB.SMB_COM_READ_ANDX: self.__smbCommandsHandler.smbComReadAndX, smb.SMB.SMB_COM_READ: self.__smbCommandsHandler.smbComRead, smb.SMB.SMB_COM_WRITE_ANDX: self.__smbCommandsHandler.smbComWriteAndX, smb.SMB.SMB_COM_WRITE: self.__smbCommandsHandler.smbComWrite, smb.SMB.SMB_COM_CLOSE: self.__smbCommandsHandler.smbComClose, smb.SMB.SMB_COM_LOCKING_ANDX: self.__smbCommandsHandler.smbComLockingAndX, smb.SMB.SMB_COM_NT_CREATE_ANDX: self.__smbCommandsHandler.smbComNtCreateAndX, 0xFF: self.__smbCommandsHandler.default } self.__smb2Ioctls = { smb2.FSCTL_DFS_GET_REFERRALS: self.__IoctlHandler.fsctlDfsGetReferrals, # smb2.FSCTL_PIPE_PEEK: self.__IoctlHandler.fsctlPipePeek, # smb2.FSCTL_PIPE_WAIT: self.__IoctlHandler.fsctlPipeWait, smb2.FSCTL_PIPE_TRANSCEIVE: self.__IoctlHandler.fsctlPipeTransceive, # smb2.FSCTL_SRV_COPYCHUNK: self.__IoctlHandler.fsctlSrvCopyChunk, # smb2.FSCTL_SRV_ENUMERATE_SNAPSHOTS: self.__IoctlHandler.fsctlSrvEnumerateSnapshots, # smb2.FSCTL_SRV_REQUEST_RESUME_KEY: self.__IoctlHandler.fsctlSrvRequestResumeKey, # smb2.FSCTL_SRV_READ_HASH: self.__IoctlHandler.fsctlSrvReadHash, # smb2.FSCTL_SRV_COPYCHUNK_WRITE: self.__IoctlHandler.fsctlSrvCopyChunkWrite, # smb2.FSCTL_LMR_REQUEST_RESILIENCY: self.__IoctlHandler.fsctlLmrRequestResiliency, # smb2.FSCTL_QUERY_NETWORK_INTERFACE_INFO: self.__IoctlHandler.fsctlQueryNetworkInterfaceInfo, # smb2.FSCTL_SET_REPARSE_POINT: self.__IoctlHandler.fsctlSetReparsePoint, # smb2.FSCTL_DFS_GET_REFERRALS_EX: self.__IoctlHandler.fsctlDfsGetReferralsEx, # smb2.FSCTL_FILE_LEVEL_TRIM: self.__IoctlHandler.fsctlFileLevelTrim, smb2.FSCTL_VALIDATE_NEGOTIATE_INFO: self.__IoctlHandler.fsctlValidateNegotiateInfo, } self.__smb2Commands = { smb2.SMB2_NEGOTIATE: self.__smb2CommandsHandler.smb2Negotiate, smb2.SMB2_SESSION_SETUP: self.__smb2CommandsHandler.smb2SessionSetup, smb2.SMB2_LOGOFF: self.__smb2CommandsHandler.smb2Logoff, smb2.SMB2_TREE_CONNECT: self.__smb2CommandsHandler.smb2TreeConnect, smb2.SMB2_TREE_DISCONNECT: self.__smb2CommandsHandler.smb2TreeDisconnect, smb2.SMB2_CREATE: self.__smb2CommandsHandler.smb2Create, smb2.SMB2_CLOSE: self.__smb2CommandsHandler.smb2Close, smb2.SMB2_FLUSH: self.__smb2CommandsHandler.smb2Flush, smb2.SMB2_READ: self.__smb2CommandsHandler.smb2Read, smb2.SMB2_WRITE: self.__smb2CommandsHandler.smb2Write, smb2.SMB2_LOCK: self.__smb2CommandsHandler.smb2Lock, smb2.SMB2_IOCTL: self.__smb2CommandsHandler.smb2Ioctl, smb2.SMB2_CANCEL: self.__smb2CommandsHandler.smb2Cancel, smb2.SMB2_ECHO: self.__smb2CommandsHandler.smb2Echo, smb2.SMB2_QUERY_DIRECTORY: self.__smb2CommandsHandler.smb2QueryDirectory, smb2.SMB2_CHANGE_NOTIFY: self.__smb2CommandsHandler.smb2ChangeNotify, smb2.SMB2_QUERY_INFO: self.__smb2CommandsHandler.smb2QueryInfo, smb2.SMB2_SET_INFO: self.__smb2CommandsHandler.smb2SetInfo, # smb2.SMB2_OPLOCK_BREAK: self.__smb2CommandsHandler.smb2SessionSetup, 0xFF: self.__smb2CommandsHandler.default } # List of active connections self.__activeConnections = {} def getIoctls(self): return self.__smb2Ioctls def getCredentials(self): return self.__credentials def removeConnection(self, name): try: del(self.__activeConnections[name]) except: pass self.log("Remaining connections %s" % self.__activeConnections.keys()) def addConnection(self, name, ip, port): self.__activeConnections[name] = {} # Let's init with some know stuff we will need to have # TODO: Document what's in there #print "Current Connections", self.__activeConnections.keys() self.__activeConnections[name]['PacketNum'] = 0 self.__activeConnections[name]['ClientIP'] = ip self.__activeConnections[name]['ClientPort'] = port self.__activeConnections[name]['Uid'] = 0 self.__activeConnections[name]['ConnectedShares'] = {} self.__activeConnections[name]['OpenedFiles'] = {} # SID results for findfirst2 self.__activeConnections[name]['SIDs'] = {} self.__activeConnections[name]['LastRequest'] = {} def getActiveConnections(self): return self.__activeConnections def setConnectionData(self, connId, data): self.__activeConnections[connId] = data #print "setConnectionData" #print self.__activeConnections def getConnectionData(self, connId, checkStatus = True): conn = self.__activeConnections[connId] if checkStatus is True: if ('Authenticated' in conn) is not True: # Can't keep going further raise Exception("User not Authenticated!") return conn def getRegisteredNamedPipes(self): return self.__registeredNamedPipes def registerNamedPipe(self, pipeName, address): self.__registeredNamedPipes[unicode(pipeName)] = address return True def unregisterNamedPipe(self, pipeName): if pipeName in self.__registeredNamedPipes: del(self.__registeredNamedPipes[unicode(pipeName)]) return True return False def unregisterTransaction(self, transCommand): if transCommand in self.__smbTransCommands: del(self.__smbTransCommands[transCommand]) def hookTransaction(self, transCommand, callback): # If you call this function, callback will replace # the current Transaction sub command. # (don't get confused with the Transaction smbCommand) # If the transaction sub command doesn't not exist, it is added # If the transaction sub command exists, it returns the original function # replaced # # callback MUST be declared as: # callback(connId, smbServer, recvPacket, parameters, data, maxDataCount=0) # # WHERE: # # connId : the connection Id, used to grab/update information about # the current connection # smbServer : the SMBServer instance available for you to ask # configuration data # recvPacket : the full SMBPacket that triggered this command # parameters : the transaction parameters # data : the transaction data # maxDataCount: the max amount of data that can be transfered agreed # with the client # # and MUST return: # respSetup, respParameters, respData, errorCode # # WHERE: # # respSetup: the setup response of the transaction # respParameters: the parameters response of the transaction # respData: the data reponse of the transaction # errorCode: the NT error code if transCommand in self.__smbTransCommands: originalCommand = self.__smbTransCommands[transCommand] else: originalCommand = None self.__smbTransCommands[transCommand] = callback return originalCommand def unregisterTransaction2(self, transCommand): if transCommand in self.__smbTrans2Commands: del(self.__smbTrans2Commands[transCommand]) def hookTransaction2(self, transCommand, callback): # Here we should add to __smbTrans2Commands # Same description as Transaction if transCommand in self.__smbTrans2Commands: originalCommand = self.__smbTrans2Commands[transCommand] else: originalCommand = None self.__smbTrans2Commands[transCommand] = callback return originalCommand def unregisterNTTransaction(self, transCommand): if transCommand in self.__smbNTTransCommands: del(self.__smbNTTransCommands[transCommand]) def hookNTTransaction(self, transCommand, callback): # Here we should add to __smbNTTransCommands # Same description as Transaction if transCommand in self.__smbNTTransCommands: originalCommand = self.__smbNTTransCommands[transCommand] else: originalCommand = None self.__smbNTTransCommands[transCommand] = callback return originalCommand def unregisterSmbCommand(self, smbCommand): if smbCommand in self.__smbCommands: del(self.__smbCommands[smbCommand]) def hookSmbCommand(self, smbCommand, callback): # Here we should add to self.__smbCommands # If you call this function, callback will replace # the current smbCommand. # If smbCommand doesn't not exist, it is added # If SMB command exists, it returns the original function replaced # # callback MUST be declared as: # callback(connId, smbServer, SMBCommand, recvPacket) # # WHERE: # # connId : the connection Id, used to grab/update information about # the current connection # smbServer : the SMBServer instance available for you to ask # configuration data # SMBCommand: the SMBCommand itself, with its data and parameters. # Check smb.py:SMBCommand() for a reference # recvPacket: the full SMBPacket that triggered this command # # and MUST return: # <list of respSMBCommands>, <list of packets>, errorCode # <list of packets> has higher preference over commands, in case you # want to change the whole packet # errorCode: the NT error code # # For SMB_COM_TRANSACTION2, SMB_COM_TRANSACTION and SMB_COM_NT_TRANSACT # the callback function is slightly different: # # callback(connId, smbServer, SMBCommand, recvPacket, transCommands) # # WHERE: # # transCommands: a list of transaction subcommands already registered # if smbCommand in self.__smbCommands: originalCommand = self.__smbCommands[smbCommand] else: originalCommand = None self.__smbCommands[smbCommand] = callback return originalCommand def unregisterSmb2Command(self, smb2Command): if smb2Command in self.__smb2Commands: del(self.__smb2Commands[smb2Command]) def hookSmb2Command(self, smb2Command, callback): if smb2Command in self.__smb2Commands: originalCommand = self.__smb2Commands[smb2Command] else: originalCommand = None self.__smb2Commands[smb2Command] = callback return originalCommand def log(self, msg, level=logging.INFO): self.__log.log(level,msg) def getServerName(self): return self.__serverName def getServerOS(self): return self.__serverOS def getServerDomain(self): return self.__serverDomain def getSMBChallenge(self): return self.__challenge def getServerConfig(self): return self.__serverConfig def setServerConfig(self, config): self.__serverConfig = config def getJTRdumpPath(self): return self.__jtr_dump_path def verify_request(self, request, client_address): # TODO: Control here the max amount of processes we want to launch # returning False, closes the connection return True def processRequest(self, connId, data): # TODO: Process batched commands. isSMB2 = False SMBCommand = None try: packet = smb.NewSMBPacket(data = data) SMBCommand = smb.SMBCommand(packet['Data'][0]) except: # Maybe a SMB2 packet? packet = smb2.SMB2Packet(data = data) isSMB2 = True # We might have compound requests compoundedPacketsResponse = [] compoundedPackets = [] try: # Search out list of implemented commands # We provide them with: # connId : representing the data for this specific connection # self : the SMBSERVER if they want to ask data to it # SMBCommand : the SMBCommand they are expecting to process # packet : the received packet itself, in case they need more data than the actual command # Only for Transactions # transCommand: a list of transaction subcommands # We expect to get: # respCommands: a list of answers for the commands processed # respPacket : if the commands chose to directly craft packet/s, we use this and not the previous # this MUST be a list # errorCode : self explanatory if isSMB2 is False: if packet['Command'] == smb.SMB.SMB_COM_TRANSACTION2: respCommands, respPackets, errorCode = self.__smbCommands[packet['Command']]( connId, self, SMBCommand, packet, self.__smbTrans2Commands) elif packet['Command'] == smb.SMB.SMB_COM_NT_TRANSACT: respCommands, respPackets, errorCode = self.__smbCommands[packet['Command']]( connId, self, SMBCommand, packet, self.__smbNTTransCommands) elif packet['Command'] == smb.SMB.SMB_COM_TRANSACTION: respCommands, respPackets, errorCode = self.__smbCommands[packet['Command']]( connId, self, SMBCommand, packet, self.__smbTransCommands) else: if packet['Command'] in self.__smbCommands: if self.__SMB2Support is True: if packet['Command'] == smb.SMB.SMB_COM_NEGOTIATE: try: respCommands, respPackets, errorCode = self.__smb2Commands[smb2.SMB2_NEGOTIATE](connId, self, packet, True) isSMB2 = True except Exception as e: self.log('SMB2_NEGOTIATE: %s' % e, logging.ERROR) # If something went wrong, let's fallback to SMB1 respCommands, respPackets, errorCode = self.__smbCommands[packet['Command']]( connId, self, SMBCommand, packet) #self.__SMB2Support = False pass else: respCommands, respPackets, errorCode = self.__smbCommands[packet['Command']]( connId, self, SMBCommand, packet) else: respCommands, respPackets, errorCode = self.__smbCommands[packet['Command']]( connId, self, SMBCommand, packet) else: respCommands, respPackets, errorCode = self.__smbCommands[255](connId, self, SMBCommand, packet) compoundedPacketsResponse.append((respCommands, respPackets, errorCode)) compoundedPackets.append(packet) else: done = False while not done: if packet['Command'] in self.__smb2Commands: if self.__SMB2Support is True: respCommands, respPackets, errorCode = self.__smb2Commands[packet['Command']]( connId, self, packet) else: respCommands, respPackets, errorCode = self.__smb2Commands[255](connId, self, packet) else: respCommands, respPackets, errorCode = self.__smb2Commands[255](connId, self, packet) # Let's store the result for this compounded packet compoundedPacketsResponse.append((respCommands, respPackets, errorCode)) compoundedPackets.append(packet) if packet['NextCommand'] != 0: data = data[packet['NextCommand']:] packet = smb2.SMB2Packet(data = data) else: done = True except Exception as e: #import traceback #traceback.print_exc() # Something wen't wrong, defaulting to Bad user ID self.log('processRequest (0x%x,%s)' % (packet['Command'],e), logging.ERROR) raise # We prepare the response packet to commands don't need to bother about that. connData = self.getConnectionData(connId, False) # Force reconnection loop.. This is just a test.. client will send me back credentials :) #connData['PacketNum'] += 1 #if connData['PacketNum'] == 15: # connData['PacketNum'] = 0 # # Something wen't wrong, defaulting to Bad user ID # self.log('Sending BAD USER ID!', logging.ERROR) # #raise # packet['Flags1'] |= smb.SMB.FLAGS1_REPLY # packet['Flags2'] = 0 # errorCode = STATUS_SMB_BAD_UID # packet['ErrorCode'] = errorCode >> 16 # packet['ErrorClass'] = errorCode & 0xff # return [packet] self.setConnectionData(connId, connData) packetsToSend = [] for packetNum in range(len(compoundedPacketsResponse)): respCommands, respPackets, errorCode = compoundedPacketsResponse[packetNum] packet = compoundedPackets[packetNum] if respPackets is None: for respCommand in respCommands: if isSMB2 is False: respPacket = smb.NewSMBPacket() respPacket['Flags1'] = smb.SMB.FLAGS1_REPLY # TODO this should come from a per session configuration respPacket['Flags2'] = smb.SMB.FLAGS2_EXTENDED_SECURITY | smb.SMB.FLAGS2_NT_STATUS | smb.SMB.FLAGS2_LONG_NAMES | packet['Flags2'] & smb.SMB.FLAGS2_UNICODE #respPacket['Flags2'] = smb.SMB.FLAGS2_EXTENDED_SECURITY | smb.SMB.FLAGS2_NT_STATUS | smb.SMB.FLAGS2_LONG_NAMES #respPacket['Flags1'] = 0x98 #respPacket['Flags2'] = 0xc807 respPacket['Tid'] = packet['Tid'] respPacket['Mid'] = packet['Mid'] respPacket['Pid'] = packet['Pid'] respPacket['Uid'] = connData['Uid'] respPacket['ErrorCode'] = errorCode >> 16 respPacket['_reserved'] = errorCode >> 8 & 0xff respPacket['ErrorClass'] = errorCode & 0xff respPacket.addCommand(respCommand) packetsToSend.append(respPacket) else: respPacket = smb2.SMB2Packet() respPacket['Flags'] = smb2.SMB2_FLAGS_SERVER_TO_REDIR if packetNum > 0: respPacket['Flags'] |= smb2.SMB2_FLAGS_RELATED_OPERATIONS respPacket['Status'] = errorCode respPacket['CreditRequestResponse'] = packet['CreditRequestResponse'] respPacket['Command'] = packet['Command'] respPacket['CreditCharge'] = packet['CreditCharge'] #respPacket['CreditCharge'] = 0 respPacket['Reserved'] = packet['Reserved'] respPacket['SessionID'] = connData['Uid'] respPacket['MessageID'] = packet['MessageID'] respPacket['TreeID'] = packet['TreeID'] respPacket['Data'] = str(respCommand) packetsToSend.append(respPacket) else: # The SMBCommand took care of building the packet packetsToSend = respPackets if isSMB2 is True: # Let's build a compound answer finalData = '' i = 0 for i in range(len(packetsToSend)-1): packet = packetsToSend[i] # Align to 8-bytes padLen = (8 - (len(packet) % 8) ) % 8 packet['NextCommand'] = len(packet) + padLen finalData += str(packet) + padLen*'\x00' # Last one finalData += str(packetsToSend[len(packetsToSend)-1]) packetsToSend = [finalData] # We clear the compound requests connData['LastRequest'] = {} return packetsToSend def processConfigFile(self, configFile = None): # TODO: Do a real config parser if self.__serverConfig is None: if configFile is None: configFile = 'smb.conf' self.__serverConfig = ConfigParser.ConfigParser() self.__serverConfig.read(configFile) self.__serverName = self.__serverConfig.get('global','server_name') self.__serverOS = self.__serverConfig.get('global','server_os') self.__serverDomain = self.__serverConfig.get('global','server_domain') self.__logFile = self.__serverConfig.get('global','log_file') if self.__serverConfig.has_option('global', 'challenge'): self.__challenge = self.__serverConfig.get('global', 'challenge') else: self.__challenge = 'A'*8 if self.__serverConfig.has_option("global", "jtr_dump_path"): self.__jtr_dump_path = self.__serverConfig.get("global", "jtr_dump_path") if self.__serverConfig.has_option("global", "SMB2Support"): self.__SMB2Support = self.__serverConfig.getboolean("global","SMB2Support") else: self.__SMB2Support = False if self.__logFile != 'None': logging.basicConfig(filename = self.__logFile, level = logging.DEBUG, format="%(asctime)s: %(levelname)s: %(message)s", datefmt = '%m/%d/%Y %I:%M:%S %p') self.__log = LOG # Process the credentials credentials_fname = self.__serverConfig.get('global','credentials_file') if credentials_fname is not "": cred = open(credentials_fname) line = cred.readline() while line: name, domain, lmhash, nthash = line.split(':') self.__credentials[name] = (domain, lmhash, nthash.strip('\r\n')) line = cred.readline() cred.close() self.log('Config file parsed') # For windows platforms, opening a directory is not an option, so we set a void FD VOID_FILE_DESCRIPTOR = -1 PIPE_FILE_DESCRIPTOR = -2