rapid7 / ruby_smb

A native Ruby implementation of the SMB Protocol Family

Adding dsrgetdcnameex2 implementation #269

Closed sud0Ru closed 1 month ago

sud0Ru commented 2 months ago

I need this DCERPC call for my Metasploit module. I successfully implemented the request, but when it came to implementing the response, I always encountered problems with fields pointing to incorrect data. For my module, it's sufficient to implement only the request. However, with some assistance from you, perhaps we can also implement the response. Here is the response's code, which should be in a file called dsr_get_dc_name_ex2_response.rb:


module RubySMB
  module Dcerpc
    module Netlogon

      # [3.5.4.3.1 DsrGetDCNameEx2 (Opnum 34)](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/fb8e1146-a045-4c31-98d1-c68507ad5620)
      #
      # Response stub: a pointer to the DOMAIN_CONTROLLER_INFOW structure filled
      # in by the server, followed by the NET_API_STATUS return value.
      class DsrGetDCNameEx2Response < BinData::Record
        attr_reader :opnum

        endian :little

        pdomain_controller_info_w :domain_info   # *DomainControllerInfo (NDR pointer to the struct)
        ndr_uint32                :error_status  # NET_API_STATUS return value

        def initialize_instance
          super
          @opnum = DSR_GET_DC_NAME_EX2
        end
      end
    end
  end
end

Inside netlogon.rb there is the implementation for this struct:

      # DOMAIN_CONTROLLER_INFOW (MS-NRPC). Pointer members are serialised as
      # referent IDs inside the struct body; the data they point to is deferred
      # until after the body, in member order.
      class DomainControllerInfoW < Ndr::NdrStruct
        default_parameter byte_align: 4
        endian :little

        ndr_wide_stringz_ptr :dc_name           # DomainControllerName
        ndr_wide_stringz_ptr :dc_address        # DomainControllerAddress
        ndr_uint32           :dc_address_type   # DomainControllerAddressType
        uuid_ptr             :domain_guid       # DomainGuid; declared as a pointer here, see the uuid vs uuid_ptr discussion below
        ndr_wide_stringz_ptr :domain_name       # DomainName
        ndr_wide_stringz_ptr :domain_forest     # DnsForestName
        ndr_uint32           :flags             # Flags
        ndr_wide_stringz_ptr :dc_site_name      # DcSiteName
        ndr_wide_stringz_ptr :client_site_name  # ClientSiteName
      end

      # Top-level NDR pointer wrapper around the struct, used for the response's domain_info field.
      class PdomainControllerInfoW < DomainControllerInfoW
        extend Ndr::PointerClassPlugin
      end

If I want to access, for example, dc_address, I will get the data related to dc_name; for dc_name I will get some non-printable bytes located somewhere at the beginning of the response.

smcintyre-r7 commented 1 month ago

I sent a PR to your branch for you to test and review with the response class implemented in sud0Ru#1. The changes you have here all look good. I just tweaked the whitespace so things are aligned and changed DC to Dc to match the docs.

Once you merge my changes, I'll merge this and get the changes released in a gem bump. After that, I'll walk you through updating your Metasploit module.

Thanks for taking the time to put this in RubySMB!

sud0Ru commented 1 month ago

Thank you for the review. I will check the PR.

From a quick look at your commits, it seems the issue in my code was using uuid_ptr instead of uuid in the DomainControllerInfoW struct, correct? :)

smcintyre-r7 commented 1 month ago

From a quick look at your commits, it seems the issue in my code was using uuid_ptr instead of uuid in the DomainControllerInfoW struct, correct? :)

I think that's correct, it sounds about right.

I've gone ahead and merged this. I'll get it released in a new version shortly which will be 3.3.9.
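The thread above pins the misparsed response on declaring the GUID member of DOMAIN_CONTROLLER_INFOW as a pointer instead of an inline value. The following is an added example, not code from the ruby_smb project or from this PR: a dependency-free Ruby model of how NDR lays out that structure (referent IDs in place, string data deferred after the body, GUID inline) with an encoder, a decoder, and a switch that reproduces the uuid_ptr mistake so the resulting misalignment can be observed. The module and method names (NrpcNdrDemo, Reader, pack_response, unpack_body and so on) are hypothetical, and every sample value in SAMPLE is constructed.

```ruby
# Added example (not ruby_smb or PR code): dependency-free model of NDR marshalling
# for DOMAIN_CONTROLLER_INFOW. Sample values constructed, helper names hypothetical.
module NrpcNdrDemo
  class TruncatedData < StandardError; end

  # wchar_t* members of DOMAIN_CONTROLLER_INFOW, in wire order.
  STRING_FIELDS = %i[dc_name dc_address domain_name domain_forest dc_site_name client_site_name].freeze

  SAMPLE = {
    dc_name: '\\\\DC01.corp.example', dc_address: '\\\\10.0.0.10',
    dc_address_type: 1,                               # DS_INET_ADDRESS
    domain_guid: [0x1234abcd, 0x5678, 0x9abc, 0xde, 0xf0, 0x11, 0x22, 0x33, 0x44, 0x55, 0x66].pack('VvvC8'),
    domain_name: 'corp.example', domain_forest: 'corp.example', flags: 0x000003fc,
    dc_site_name: 'Default-First-Site-Name', client_site_name: 'Default-First-Site-Name'
  }.freeze

  # Non-null NDR conformant/varying wide string: max_count, offset, actual_count,
  # UTF-16LE characters including the terminator, then padding to a 4-byte boundary.
  def self.pack_wstringz(str)
    chars = (str + "\0").encode('UTF-16LE').b
    n = chars.bytesize / 2
    body = [n, 0, n].pack('V3') + chars
    body + ("\0".b * ((4 - body.bytesize % 4) % 4))
  end

  # Response stub: referent ID of the top-level pointer, the struct body (each
  # pointer member is a 4-byte referent ID in place, the GUID is 16 bytes inline),
  # the deferred string data in member order, then the NET_API_STATUS.
  def self.pack_response(info, status: 0)
    ref = 0x0002_0000
    ids = STRING_FIELDS.to_h { |f| [f, ref += 4] }
    body  = [ref + 4].pack('V')                                              # *DomainControllerInfo
    body += [ids[:dc_name], ids[:dc_address], info[:dc_address_type]].pack('V3')
    body += info[:domain_guid].b                                             # DomainGuid, inline
    body += [ids[:domain_name], ids[:domain_forest], info[:flags]].pack('V3')
    body += [ids[:dc_site_name], ids[:client_site_name]].pack('V2')
    STRING_FIELDS.each { |f| body += pack_wstringz(info[f]) }                # deferred referents
    body + [status].pack('V')
  end

  # Minimal NDR reader; raises TruncatedData instead of returning nil slices.
  class Reader
    def initialize(data); @data, @pos = data.b, 0; end

    def bytes(n)
      left = @data.bytesize - @pos
      raise TruncatedData, "need #{n} bytes at offset #{@pos}, only #{left} left" if n > left
      s = @data.byteslice(@pos, n)
      @pos += n
      s
    end

    def align(n); @pos += (n - @pos % n) % n; end
    def u32;      align(4); bytes(4).unpack1('V'); end
    def guid;     align(4); bytes(16); end

    def wstringz
      align(4)
      _max, _offset, actual = u32, u32, u32
      bytes(actual * 2).force_encoding('UTF-16LE').encode('UTF-8').chomp("\0")
    end
  end

  # Struct body only. guid_as_pointer: true mirrors the mistake discussed in this
  # thread (domain_guid as a uuid_ptr): a 4-byte referent ID is consumed where the
  # 16-byte GUID sits, so every later member is read 12 bytes too early.
  def self.unpack_body(r, guid_as_pointer)
    out, refs = {}, {}
    r.u32                                            # referent ID of the top-level pointer
    refs[:dc_name], refs[:dc_address], out[:dc_address_type] = r.u32, r.u32, r.u32
    if guid_as_pointer
      refs[:domain_guid] = r.u32
    else
      out[:domain_guid] = r.guid
    end
    refs[:domain_name], refs[:domain_forest], out[:flags] = r.u32, r.u32, r.u32
    refs[:dc_site_name], refs[:client_site_name] = r.u32, r.u32
    [out, refs]
  end

  # Full unmarshal: body, then deferred referents in the order their pointers
  # appeared, then the status. With the wrong layout the first deferred string
  # header is read from the wrong offset and its bogus length runs off the buffer.
  def self.unpack_response(data, guid_as_pointer: false)
    r = Reader.new(data)
    out, refs = unpack_body(r, guid_as_pointer)
    refs.each do |field, id|
      next if id.zero?                               # NULL pointer: nothing deferred
      out[field] = field == :domain_guid ? r.guid : r.wstringz
    end
    out[:error_status] = r.u32
    out
  end

  def self.guid_to_s(raw)
    format('%08x-%04x-%04x-%02x%02x-%02x%02x%02x%02x%02x%02x', *raw.unpack('VvvC8'))
  end
end
```

Running `NrpcNdrDemo.unpack_response(NrpcNdrDemo.pack_response(NrpcNdrDemo::SAMPLE))` round-trips every member. Passing `guid_as_pointer: true` to `unpack_body` instead returns the first four GUID bytes as a referent ID and the last four as `flags`, and the full decode in that mode then fails with TruncatedData because the string header it reads at the wrong offset carries a length far beyond the buffer: the same class of "fields pointing to incorrect data" symptom the PR author describes, only surfacing a little later in the parse.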