SMBv2

rfl890 · Jun 11, 2018 · b72e8ab · b72e8ab
1 parent ee2f0a8
commit b72e8ab
Show file tree

Hide file tree

Showing 21 changed files with 2,426 additions and 371 deletions.
diff --git a/src/proto-banner1.h b/src/proto-banner1.h
@@ -6,6 +6,7 @@
 #include "masscan-app.h"
 #include "proto-banout.h"
 #include "proto-x509.h"
+#include "proto-spnego.h"
 
 struct InteractiveData;
 struct Banner1;
@@ -139,39 +140,70 @@ struct Smb72_Negotiate {
     uint16_t DialectIndex;
     uint16_t SecurityMode;
     uint64_t SystemTime;
+    uint32_t SessionKey;
     uint32_t Capabilities;
     uint16_t ServerTimeZone;
     uint8_t  ChallengeLength;
     uint8_t  ChallengeOffset;
 };
 
+struct Smb73_Setup {
+    uint16_t BlobLength;
+    uint16_t BlobOffset;
+};
+
 struct SMBSTUFF {
+    unsigned nbt_state;
     unsigned char nbt_type;
     unsigned char nbt_flags;
-    unsigned length;
+    unsigned is_printed_ver:1;
+    unsigned is_printed_guid:1;
+    unsigned is_printed_time:1;
+    unsigned nbt_length;
     unsigned nbt_err;
 
-    struct {
-        unsigned char   command;
-        unsigned        status;
-        unsigned char   flags1;
-        unsigned short  flags2;
-        unsigned        pid;
-        unsigned char   signature[8];
-        unsigned short  tid;
-        unsigned short  uid;
-        unsigned short  mid;
-        unsigned short  param_length;
-        unsigned short  param_offset;
-        unsigned short  byte_count;
-        unsigned short  byte_offset;
-        unsigned short  byte_state;
-        unsigned short  unicode_char;
-    } smb1;
+    union {
+        struct {
+            unsigned char   command;
+            unsigned        status;
+            unsigned char   flags1;
+            unsigned short  flags2;
+            unsigned        pid;
+            unsigned char   signature[8];
+            unsigned short  tid;
+            unsigned short  uid;
+            unsigned short  mid;
+            unsigned short  param_length;
+            unsigned short  param_offset;
+            unsigned short  byte_count;
+            unsigned short  byte_offset;
+            unsigned short  byte_state;
+            unsigned short  unicode_char;
+        } smb1;
+        struct {
+            unsigned seqno;
+            unsigned short header_length;
+            unsigned short offset;
+            unsigned short state;
+            unsigned short opcode;
+            unsigned short struct_length;
+            unsigned is_dynamic:1;
+            unsigned char flags;
+            unsigned ntstatus;
+            unsigned number;
+            unsigned short blob_offset;
+            unsigned short blob_length;
+        } smb2;
+    } hdr;
     union {
         struct Smb72_Negotiate negotiate;
-    } parms1;
-
+        struct Smb73_Setup setup;
+        struct {
+            uint64_t current_time;
+            uint64_t boot_time;
+        } negotiate2;
+    } parms;
+    struct SpnegoDecode spnego;
 };
 
 struct ProtocolState {
@@ -217,6 +249,7 @@ struct ProtocolParserStream {
         const unsigned char *px, size_t length,
         struct BannerOutput *banout,
         struct InteractiveData *more);
+    void (*cleanup)(struct ProtocolState *stream_state);
 };
 
 

diff --git a/src/proto-banout.c b/src/proto-banout.c
@@ -177,6 +177,68 @@ banout_append_char(struct BannerOutput *banout, unsigned proto, int c)
     banout_append(banout, proto, &cc, 1);
 }
 
+/***************************************************************************
+ ***************************************************************************/
+void
+banout_append_hexint(struct BannerOutput *banout, unsigned proto, unsigned long long number, int digits)
+{
+    if (digits == 0) {
+        for (digits=16; digits>0; digits--)
+            if (number>>((digits-1)*4) & 0xF)
+                break;
+    }
+
+    for (;digits>0; digits--) {
+        char c = "0123456789abcdef"[(number>>(unsigned long long)((digits-1)*4)) & 0xF];
+        banout_append_char(banout, proto, c);
+    }
+}
+
+/***************************************************************************
+ * Output either a normal character, or the hex form of a UTF-8 string
+ ***************************************************************************/
+void
+banout_append_unicode(struct BannerOutput *banout, unsigned proto, unsigned c)
+{
+    if (c & ~0xFFFF) {
+        unsigned c2;
+        c2 = 0xF0 | ((c>>18)&0x03);
+        banout_append(banout, proto, "\\x", 2);
+        banout_append_hexint(banout, proto, c2, 2);
+        c2 = 0x80 | ((c>>12)&0x3F);
+        banout_append(banout, proto, "\\x", 2);
+        banout_append_hexint(banout, proto, c2, 2);
+        c2 = 0x80 | ((c>> 6)&0x3F);
+        banout_append(banout, proto, "\\x", 2);
+        banout_append_hexint(banout, proto, c2, 2);
+        c2 = 0x80 | ((c>> 0)&0x3F);
+        banout_append(banout, proto, "\\x", 2);
+        banout_append_hexint(banout, proto, c2, 2);
+    } else if (c & ~0x7FF) {
+        unsigned c2;
+        c2 = 0xE0 | ((c>>12)&0x0F);
+        banout_append(banout, proto, "\\x", 2);
+        banout_append_hexint(banout, proto, c2, 2);
+        c2 = 0x80 | ((c>> 6)&0x3F);
+        banout_append(banout, proto, "\\x", 2);
+        banout_append_hexint(banout, proto, c2, 2);
+        c2 = 0x80 | ((c>> 0)&0x3F);
+        banout_append(banout, proto, "\\x", 2);
+        banout_append_hexint(banout, proto, c2, 2);
+    } else if (c & ~0x7f) {
+        unsigned c2;
+        c2 = 0xc0 | ((c>> 6)&0x1F);
+        banout_append(banout, proto, "\\x", 2);
+        banout_append_hexint(banout, proto, c2, 2);
+        c2 = 0x80 | ((c>> 0)&0x3F);
+        banout_append(banout, proto, "\\x", 2);
+        banout_append_hexint(banout, proto, c2, 2);
+    } else
+        banout_append_char(banout, proto, c);
+}
+
+
+
 /***************************************************************************
  ***************************************************************************/
 static struct BannerOutput *
@@ -270,7 +332,6 @@ banout_append(struct BannerOutput *banout, unsigned proto,
     memcpy(p->banner + p->length, px, length);
     p->length = (unsigned)(p->length + length);
 
-
 }
 
 /*****************************************************************************

diff --git a/src/proto-banout.h b/src/proto-banout.h
@@ -65,6 +65,16 @@ banout_append(struct BannerOutput *banout, unsigned proto, const void *px, size_
 void
 banout_append_char(struct BannerOutput *banout, unsigned proto, int c);
 
+/**
+ * Append an integer, with hex digits, with the specified number of
+ * digits
+ */
+void
+banout_append_hexint(struct BannerOutput *banout, unsigned proto, unsigned long long number, int digits);
+
+void
+banout_append_unicode(struct BannerOutput *banout, unsigned proto, unsigned c);
+
 /**
  * Select a specific string (of the specified protocol).
  */

diff --git a/src/proto-ftp.c b/src/proto-ftp.c
@@ -68,8 +68,7 @@ ftp_parse(  const struct Banner1 *banner1,
                     continue;
                 else if (px[i] == '\n') {
                     if (ftp->is_last) {
-                        more->payload = "AUTH TLS\r\n";
-                        more->length = 10;
+                        tcp_transmit(more, "AUTH TLS\r\n", 10, 0);
                         state = 100;
                         banout_append_char(banout, PROTO_FTP, px[i]);
                     } else {
@@ -98,8 +97,7 @@ ftp_parse(  const struct Banner1 *banner1,
                         pstate->port = (unsigned short)port;
                         state = 0;
 
-                        more->payload = banner_ssl.hello;
-                        more->length = (unsigned)banner_ssl.hello_length;
+                        tcp_transmit(more, banner_ssl.hello, banner_ssl.hello_length, 0);
 
                     } else {
                         state = STATE_DONE;

diff --git a/src/proto-imap4.c b/src/proto-imap4.c
@@ -81,7 +81,7 @@ imap4_parse(  const struct Banner1 *banner1,
             case 5:
                 banout_append_char(banout, PROTO_IMAP4, px[i]);
                 if (px[i] == '\n') {
-                    tcp_transmit(more, "a001 CAPABILITY\r\n", 17); 
+                    tcp_transmit(more, "a001 CAPABILITY\r\n", 17, 0);
                     state = 100;
                 }
                 break;
@@ -136,7 +136,7 @@ imap4_parse(  const struct Banner1 *banner1,
             case 105:
                 banout_append_char(banout, PROTO_IMAP4, px[i]);
                 if (px[i] == '\n') {
-                    tcp_transmit(more, "a002 STARTTLS\r\n", 15);
+                    tcp_transmit(more, "a002 STARTTLS\r\n", 15, 0);
                     state = 300;
                 }
                 break;
@@ -158,8 +158,7 @@ imap4_parse(  const struct Banner1 *banner1,
                     pstate->port = (unsigned short)port;
                     state = 0;
 
-                    more->payload = banner_ssl.hello;
-                    more->length = (unsigned)banner_ssl.hello_length;
+                    tcp_transmit(more, banner_ssl.hello, banner_ssl.hello_length, 0);
                     break;
                 }
                 break;

diff --git a/src/proto-interactive.c b/src/proto-interactive.c
@@ -1,8 +1,11 @@
 #include "proto-interactive.h"
 
 void
-tcp_transmit(struct InteractiveData *more, const void *payload, size_t length)
+tcp_transmit(struct InteractiveData *more, const void *payload, size_t length, unsigned flags)
 {
-    more->payload = payload;
-    more->length = (unsigned)length;
+    more->m_payload = payload;
+    more->m_length = (unsigned)length;
+
+    if (flags & TCPTRAN_DYNAMIC)
+        more->is_payload_dynamic = 1;
 }
diff --git a/src/proto-interactive.h b/src/proto-interactive.h
@@ -3,11 +3,14 @@
 #include <stdio.h>
 
 struct InteractiveData {
-    const void *payload;
-    unsigned length;
+    const void *m_payload;
+    unsigned m_length;
+    unsigned is_payload_dynamic:1;
+};
+enum {
+    TCPTRAN_DYNAMIC = 0x0001,
 };
-
 void
-tcp_transmit(struct InteractiveData *more, const void *data, size_t length);
+tcp_transmit(struct InteractiveData *more, const void *data, size_t length, unsigned flags);
 
 #endif