예제 #1
0
파일: SMB_Core.py 프로젝트: zshell/SMBetray
    def splitSMBChainedMessages(self, data):
        try:
            smbMessages = []
            # SMB v1
            if (data[4:8] == '\xff\x53\x4d\x42'):
                z = 4
                nx = data.find('\xff\x53\x4d\x42', z + 1)
                while nx > -1:
                    smbMessages.append(NewSMBPacket(data=data[z:nx]))
                    z = nx
                    nx = data.find('\xff\x53\x4d\x42', z + 1)
                # Required after the last iteration to get the remaining data
                smbMessages.append(NewSMBPacket(data=copy.deepcopy(data[z:])))
                return smbMessages

            # SMB v2
            elif (data[4:8] == '\xfe\x53\x4d\x42'):
                z = 4
                nx = data.find('\xfe\x53\x4d\x42', z + 1)
                while nx > -1:
                    smbMessages.append(
                        SMB2Packet(data=copy.deepcopy(data[z:nx])))
                    z = nx
                    nx = data.find('\xfe\x53\x4d\x42', z + 1)
                # Required after the last iteration to get the remaining data
                smbMessages.append(SMB2Packet(data=copy.deepcopy(data[z:])))
                return smbMessages
        except Exception, e:
            logging.error("[SMB_Core::splitSMBChainedMessages] " +
                          str(traceback.format_exc()))
            return data
예제 #2
0
    def create_smb(
        smb_client,
        treeId,
        fileName,
        desiredAccess,
        shareMode,
        creationOptions,
        creationDisposition,
        fileAttributes,
        impersonationLevel=SMB2_IL_IMPERSONATION,
        oplockLevel=SMB2_OPLOCK_LEVEL_NONE,
        createContexts=None,
    ):

        packet = smb_client.getSMBServer().SMB_PACKET()
        packet["Command"] = SMB2_CREATE
        packet["TreeID"] = treeId
        if smb_client._SMBConnection._Session["TreeConnectTable"][treeId][
                "IsDfsShare"] is True:
            packet["Flags"] = SMB2_FLAGS_DFS_OPERATIONS

        smb2Create = SMB2Create()
        smb2Create["SecurityFlags"] = 0
        smb2Create["RequestedOplockLevel"] = oplockLevel
        smb2Create["ImpersonationLevel"] = impersonationLevel
        smb2Create["DesiredAccess"] = desiredAccess
        smb2Create["FileAttributes"] = fileAttributes
        smb2Create["ShareAccess"] = shareMode
        smb2Create["CreateDisposition"] = creationDisposition
        smb2Create["CreateOptions"] = creationOptions

        smb2Create["NameLength"] = len(fileName) * 2
        if fileName != "":
            smb2Create["Buffer"] = fileName.encode("utf-16le")
        else:
            smb2Create["Buffer"] = b"\x00"

        if createContexts is not None:
            smb2Create["Buffer"] += createContexts
            smb2Create["CreateContextsOffset"] = (len(SMB2Packet()) +
                                                  SMB2Create.SIZE +
                                                  smb2Create["NameLength"])
            smb2Create["CreateContextsLength"] = len(createContexts)
        else:
            smb2Create["CreateContextsOffset"] = 0
            smb2Create["CreateContextsLength"] = 0

        packet["Data"] = smb2Create

        packetID = smb_client.getSMBServer().sendSMB(packet)
        ans = smb_client.getSMBServer().recvSMB(packetID)
        if ans.isValidAnswer(STATUS_SUCCESS):
            createResponse = SMB2Create_Response(ans["Data"])

            # The client MUST generate a handle for the Open, and it MUST
            # return success and the generated handle to the calling application.
            # In our case, str(FileID)
            return str(createResponse["FileID"])
    def create(self,
               treeId,
               fileName,
               desiredAccess,
               shareMode,
               creationOptions,
               creationDisposition,
               fileAttributes,
               impersonationLevel=SMB2_IL_IMPERSONATION,
               securityFlags=0,
               oplockLevel=SMB2_OPLOCK_LEVEL_NONE,
               createContexts=None):

        packet = self.__smbClient.getSMBServer().SMB_PACKET()
        packet['Command'] = SMB2_CREATE
        packet['TreeID'] = treeId
        if self.__smbClient._SMBConnection._Session['TreeConnectTable'][
                treeId]['IsDfsShare'] is True:
            packet['Flags'] = SMB2_FLAGS_DFS_OPERATIONS

        smb2Create = SMB2Create()
        smb2Create['SecurityFlags'] = 0
        smb2Create['RequestedOplockLevel'] = oplockLevel
        smb2Create['ImpersonationLevel'] = impersonationLevel
        smb2Create['DesiredAccess'] = desiredAccess
        smb2Create['FileAttributes'] = fileAttributes
        smb2Create['ShareAccess'] = shareMode
        smb2Create['CreateDisposition'] = creationDisposition
        smb2Create['CreateOptions'] = creationOptions

        smb2Create['NameLength'] = len(fileName) * 2
        if fileName != '':
            smb2Create['Buffer'] = fileName.encode('utf-16le')
        else:
            smb2Create['Buffer'] = b'\x00'

        if createContexts is not None:
            smb2Create['Buffer'] += createContexts
            smb2Create['CreateContextsOffset'] = len(
                SMB2Packet()) + SMB2Create.SIZE + smb2Create['NameLength']
            smb2Create['CreateContextsLength'] = len(createContexts)
        else:
            smb2Create['CreateContextsOffset'] = 0
            smb2Create['CreateContextsLength'] = 0

        packet['Data'] = smb2Create

        packetID = self.__smbClient.getSMBServer().sendSMB(packet)
        ans = self.__smbClient.getSMBServer().recvSMB(packetID)
        if ans.isValidAnswer(STATUS_SUCCESS):
            createResponse = SMB2Create_Response(ans['Data'])

            # The client MUST generate a handle for the Open, and it MUST
            # return success and the generated handle to the calling application.
            # In our case, str(FileID)
            return str(createResponse['FileID'])
예제 #4
0
    def negotiateSession(self, preferredDialect=None,
                         flags1=smb.SMB.FLAGS1_PATHCASELESS | smb.SMB.FLAGS1_CANONICALIZED_PATHS,
                         flags2=smb.SMB.FLAGS2_EXTENDED_SECURITY | smb.SMB.FLAGS2_NT_STATUS | smb.SMB.FLAGS2_LONG_NAMES,
                         negoData='\x02NT LM 0.12\x00\x02SMB 2.002\x00\x02SMB 2.???\x00'):
        """
        Perform protocol negotiation

        :param string preferredDialect: the dialect desired to talk with the target server. If None is specified the highest one available will be used
        :param string flags1: the SMB FLAGS capabilities
        :param string flags2: the SMB FLAGS2 capabilities
        :param string negoData: data to be sent as part of the nego handshake

        :return: True, raises a Session Error if error.
        """

        # If port 445 and the name sent is *SMBSERVER we're setting the name to the IP. This is to help some old
        # applications still believing
        # *SMSBSERVER will work against modern OSes. If port is NETBIOS_SESSION_PORT the user better know about i
        # *SMBSERVER's limitations
        if self._sess_port == nmb.SMB_SESSION_PORT and self._remoteName == '*SMBSERVER':
            self._remoteName = self._remoteHost
        elif self._sess_port == nmb.NETBIOS_SESSION_PORT and self._remoteName == '*SMBSERVER':
            # If remote name is *SMBSERVER let's try to query its name.. if can't be guessed, continue and hope for the best
            nb = nmb.NetBIOS()
            try:
                res = nb.getnetbiosname(self._remoteHost)
            except:
                pass
            else:
                self._remoteName = res

        hostType = nmb.TYPE_SERVER
        if preferredDialect is None:
            # If no preferredDialect sent, we try the highest available one.
            packet = self.negotiateSessionWildcard(self._myName, self._remoteName, self._remoteHost, self._sess_port,
                                                   self._timeout, True, flags1=flags1, flags2=flags2, data=negoData)
            if packet[0:1] == b'\xfe':
                # Answer is SMB2 packet
                self._SMBConnection = smb3.SMB3(self._remoteName, self._remoteHost, self._myName, hostType,
                                                self._sess_port, self._timeout, session=self._nmbSession,
                                                negSessionResponse=SMB2Packet(packet))
            else:
                # Answer is SMB packet, sticking to SMBv1
                self._SMBConnection = smb.SMB(self._remoteName, self._remoteHost, self._myName, hostType,
                                              self._sess_port, self._timeout, session=self._nmbSession,
                                              negPacket=packet)
        else:
            if preferredDialect == smb.SMB_DIALECT:
                self._SMBConnection = smb.SMB(self._remoteName, self._remoteHost, self._myName, hostType,
                                              self._sess_port, self._timeout)
            elif preferredDialect in [SMB2_DIALECT_002, SMB2_DIALECT_21, SMB2_DIALECT_30]:
                self._SMBConnection = smb3.SMB3(self._remoteName, self._remoteHost, self._myName, hostType,
                                                self._sess_port, self._timeout, preferredDialect=preferredDialect)
            else:
                raise Exception("Unknown dialect %s")

        # propagate flags to the smb sub-object, except for Unicode (if server supports)
        # does not affect smb3 objects
        if isinstance(self._SMBConnection, smb.SMB):
            if self._SMBConnection.get_flags()[1] & smb.SMB.FLAGS2_UNICODE:
                flags2 |= smb.SMB.FLAGS2_UNICODE
            self._SMBConnection.set_flags(flags1=flags1, flags2=flags2)

        return True
예제 #5
0
파일: SMB_Core.py 프로젝트: zshell/SMBetray
            client.sendall(rpkt)
            response = client.recv(999999)
            client.close()
            del (client)
        except Exception, e:
            # It's not supported, bummer
            dialects.remove(SMB_DIALECT)
        else:
            # SMB1 is supported, cool
            pass

        # Check SMB 2.0.2
        try:
            # Generic smb2 packet
            smbHeader = SMB2Packet(
                unhexlify(
                    "fe534d42400001000000000000001f0000000000000000000000000000000000fffe000000000000000000000000000000000000000000000000000000000000"
                ))

            # Here's a generic negotiate protocol request
            # - just modify the client GUID to prevent
            # AV/IDS fingerprinting
            negProto = SMB2Negotiate(
                unhexlify(
                    "24000500010000007f000000cb78cd146438e7119168000c291232a370000000020000000202100200030203110300000100260000000000010020000100c8c31f28d43563c829b9070423e96a98701ac3ec788a3ac01573ee03d07d942600000200060000000000020002000100"
                ))

            negProto['Dialects'] = [SMB2_DIALECT_002, 0, 0, 0, 0, 0]
            negProto['ClientGuid'] = ''.join(
                random.choice(string.ascii_uppercase + string.digits)
                for _ in range(8))
            rawData = str(smbHeader) + str(negProto)