rapid7 / ruby_smb

A native Ruby implementation of the SMB Protocol Family

Fix the security_blob length #210

Closed zeroSteiner closed 2 years ago

zeroSteiner commented 2 years ago

This decouples the strong correlation of the #security_blob field with its length parameter in SMB1::SessionSetupRequest. The result allows the contents of the #security_blob field to be set, while the length is 0. This is helpful in some exploitation scenarios.

These changes won't have any effect on parsing incoming requests that are correctly formed. You can see the differences between length and read_length documented in the BinData wiki.

Testing
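The length/read_length distinction the PR relies on, as an added example that is not part of the PR or of ruby_smb's code: a pure-Ruby model of the tail of an SMB1::SessionSetupRequest (security_blob_length, byte_count, then the data bytes, with the intervening fields omitted), contrasting a length tied to its blob with one that is only consulted on read, and the consistency checks a receiving parser can apply. HEADER, build_coupled, build_decoupled, parse and check are hypothetical helpers, and the NTLMSSP token bytes are constructed.

```ruby
# Simplified model (illustration only, not the real wire layout): a uint16le
# security_blob_length, a uint16le byte_count, then byte_count bytes of data.
HEADER = 'v v'

# BinData :length behaviour: the declared length always tracks the blob size.
def build_coupled(blob, trailer = '')
  data = blob.b + trailer.b
  [blob.bytesize, data.bytesize].pack(HEADER) + data
end

# BinData :read_length behaviour: the blob is written in full, while the caller
# sets the declared length independently (the decoupling PR #210 introduces).
def build_decoupled(blob, declared_len, trailer = '')
  data = blob.b + trailer.b
  [declared_len, data.bytesize].pack(HEADER) + data
end

# A lenient reader that trusts security_blob_length and treats whatever follows
# as the trailer (NativeOS/NativeLanMan strings in the real message).
def parse(buf)
  blob_len, byte_count = buf.unpack(HEADER)
  body = buf.byteslice(4, byte_count) || ''
  {
    security_blob_length: blob_len,
    byte_count: byte_count,
    security_blob: body.byteslice(0, blob_len) || '',
    trailer: blob_len <= body.bytesize ? body.byteslice(blob_len..-1) : '',
    truncated: body.bytesize < byte_count
  }
end

# Consistency checks a strict server-side parser can run before handing the
# blob to NTLM/SPNEGO; returns the problems found (empty when well-formed).
def check(buf)
  rec = parse(buf)
  problems = []
  problems << :truncated if rec[:truncated]
  problems << :blob_longer_than_byte_count if rec[:security_blob_length] > rec[:byte_count]
  problems << :empty_security_blob if rec[:security_blob_length].zero?
  problems
end

if __FILE__ == $PROGRAM_NAME
  token = "NTLMSSP\x00\x01\x00\x00\x00".b # constructed bytes, not a real NTLM message
  p parse(build_coupled(token))      # blob recovered, trailer empty
  p parse(build_decoupled(token, 0)) # blob empty, token bytes end up in the trailer
  p check(build_decoupled(token, 0)) # [:empty_security_blob]
end
```

A parser that trusts security_blob_length and one that reads to byte_count see different blobs for the same decoupled bytes, which is why the server-side check compares the two before authenticating.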

gwillcox-r7 commented 2 years ago

Seems to be working fine :)

 ~/git/ruby_smb │ land-pr210:pr/210  sudo ruby examples/file_server.rb --path /var/public --share public --username test --password test
D, [2022-04-11T16:08:25.710286 #20069] DEBUG -- : Adding disk share: public
server is running
received connection
I, [2022-04-11T16:08:49.563360 #20069]  INFO -- : Negotiated dialect: SMB v1 (NT LM 0.12)
D, [2022-04-11T16:08:49.565471 #20069] DEBUG -- : Dispatching request to do_session_setup_andx_smb1 (session: nil)
D, [2022-04-11T16:08:49.576097 #20069] DEBUG -- : Dispatching request to do_session_setup_andx_smb1 (session: #<Session id: 49874, user_id: nil, state: :in_progress>)
D, [2022-04-11T16:08:49.576553 #20069] DEBUG -- : NTLM authentication request received for .\test
I, [2022-04-11T16:08:49.576790 #20069]  INFO -- : NTLM authentication request succeeded for .\test
D, [2022-04-11T16:08:49.587185 #20069] DEBUG -- : Dispatching request to do_tree_connect_smb1 (session: #<Session id: 49874, user_id: "WORKGROUP\\test", state: :valid>)
D, [2022-04-11T16:08:49.587544 #20069] DEBUG -- : Received TREE_CONNECT request for share: public
D, [2022-04-11T16:08:49.601116 #20069] DEBUG -- : Dispatching request to do_tree_disconnect_smb1 (session: #<Session id: 49874, user_id: "WORKGROUP\\test", state: :valid>)
D, [2022-04-11T16:08:49.601206 #20069] DEBUG -- : Received TREE_DISCONNECT request for share: public

And on the client side:

 ~/git/ruby_smb │ land-pr210:pr/210  ruby examples/tree_connect.rb --no-smbv2 --no-smbv3 --username test --password test 127.0.0.1 public
SMB1 : (0x00000000) STATUS_SUCCESS: The operation completed successfully.
Connected to \\127.0.0.1\public successfully!
gwillcox-r7 commented 2 years ago

LGTM, will land this now