sin/samba-mirror
1
0
Fork 0
mirror of https://github.com/samba-team/samba.git synced 2025-01-11 05:18:09 +03:00
Code

dce/rpc

Browse Source
This commit is contained in:
Luke Leighton 0001-01-01 00:00:00 +00:00
parent 361c1b7ea9
commit 6677b888bd
12 changed files with 655 additions and 331 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

6
source/include/ntdomain.h
View File

@ -67,6 +67,7 @@ typedef struct pipes_struct
prs_struct rhdr; /* output header */
prs_struct rdata; /* output data */
prs_struct rauth; /* output authentication verifier */
prs_struct rverf; /* output verifier */
prs_struct rntlm; /* output ntlmssp */
RPC_HDR hdr;
@ -74,12 +75,17 @@ typedef struct pipes_struct
RPC_HDR_RB hdr_rb;
RPC_HDR_REQ hdr_req;
RPC_HDR_RESP hdr_resp;
RPC_HDR_AUTH auth_info;
RPC_HDR_AUTHA autha_info;
RPC_AUTH_VERIFIER auth_verifier;
RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal;
RPC_AUTH_NTLMSSP_RESP ntlmssp_resp;
BOOL ntlmssp_auth;
unsigned char ntlmssp_hash[256];
uint32 file_offset;
uint32 hdr_offsets;
uint32 frag_len_left;

17
source/include/proto.h
View File

@ -496,6 +496,8 @@ void E_old_pw_hash( unsigned char *p14, unsigned char *in, unsigned char *out);
void cred_hash1(unsigned char *out,unsigned char *in,unsigned char *key);
void cred_hash2(unsigned char *out,unsigned char *in,unsigned char *key);
void cred_hash3(unsigned char *out,unsigned char *in,unsigned char *key, int forw);
void NTLMSSPhash( unsigned char hash[256], unsigned char const key[5]);
void NTLMSSPcalc( unsigned char hash[256], unsigned char *data, int len);
void SamOEMhash( unsigned char *data, unsigned char *key, int val);
/*The following definitions come from libsmb/smbencrypt.c */
@ -504,6 +506,7 @@ void SMBencrypt(uchar *passwd, uchar *c8, uchar *p24);
void E_md4hash(uchar *passwd, uchar *p16);
void nt_lm_owf_gen(char *pwd, uchar nt_p16[16], uchar p16[16]);
void SMBOWFencrypt(uchar passwd[16], uchar *c8, uchar p24[24]);
void NTLMSSPOWFencrypt(uchar passwd[8], uchar *ntlmchalresp, uchar p24[24]);
void SMBNTencrypt(uchar *passwd, uchar *c8, uchar *p24);
/*The following definitions come from libsmb/smberr.c */
@ -1489,7 +1492,7 @@ void prs_init(prs_struct *ps, uint32 size,
uint8 align, uint32 margin,
BOOL io);
void prs_mem_free(prs_struct *ps);
void prs_link(prs_struct *ps, prs_struct const *const to);
void prs_link(prs_struct *prev, prs_struct *ps, prs_struct *next);
void prs_align(prs_struct *ps);
BOOL prs_grow(prs_struct *ps);
BOOL prs_uint8(char *name, prs_struct *ps, int depth, uint8 *data8);
@ -1539,13 +1542,20 @@ void smb_io_rpc_hdr_ba(char *desc, RPC_HDR_BA *rpc, prs_struct *ps, int depth);
void make_rpc_hdr_req(RPC_HDR_REQ *hdr, uint32 data_len, uint16 opnum);
void smb_io_rpc_hdr_req(char *desc, RPC_HDR_REQ *rpc, prs_struct *ps, int depth);
void smb_io_rpc_hdr_resp(char *desc, RPC_HDR_RESP *rpc, prs_struct *ps, int depth);
void make_rpc_hdr_autha(RPC_HDR_AUTHA *rai,
uint16 max_tsize, uint16 max_rsize,
uint8 auth_type, uint8 auth_level,
uint8 stub_type_len);
void smb_io_rpc_hdr_autha(char *desc, RPC_HDR_AUTHA *rai, prs_struct *ps, int depth);
void make_rpc_hdr_auth(RPC_HDR_AUTH *rai,
uint8 auth_type, uint8 auth_level,
uint8 stub_type_len);
void smb_io_rpc_hdr_auth(char *desc, RPC_HDR_AUTH *rai, prs_struct *ps, int depth);
void make_rpc_auth_ntlmssp_neg(RPC_AUTH_NTLMSSP_NEG *neg,
uint32 neg_flgs,
fstring myname, fstring domain);
void smb_io_rpc_auth_ntlmssp_neg(char *desc, RPC_AUTH_NTLMSSP_NEG *neg, prs_struct *ps, int depth);
void make_rpc_auth_verifier(RPC_AUTH_VERIFIER *rav,
uint8 auth_type, uint8 auth_level,
uint8 stub_type_len,
char *signature, uint32 msg_type);
void smb_io_rpc_auth_verifier(char *desc, RPC_AUTH_VERIFIER *rav, prs_struct *ps, int depth);
void make_rpc_auth_ntlmssp_chal(RPC_AUTH_NTLMSSP_CHAL *chl,
@ -1852,6 +1862,7 @@ BOOL api_srvsvc_rpc(pipes_struct *p, prs_struct *data);
int make_dom_gids(char *gids_str, DOM_GID **ppgids);
BOOL create_rpc_reply(pipes_struct *p,
uint32 data_start, uint32 data_end);
BOOL rpc_command(pipes_struct *p, prs_struct *pd);
BOOL api_rpcTNP(pipes_struct *p, char *rpc_name, struct api_struct *api_rpc_cmds,
prs_struct *data);
void get_domain_user_groups(char *domain_groups, char *user);

40
source/include/rpc_dce.h
View File

@ -34,7 +34,8 @@ enum RPC_PKT_TYPE
RPC_REQUEST = 0x00,
RPC_RESPONSE = 0x02,
RPC_BIND = 0x0B,
RPC_BINDACK = 0x0C
RPC_BINDACK = 0x0C,
RPC_BINDRESP = 0x10 /* not the real name! this is undocumented! */
};
/* DCE/RPC flags */
@ -140,6 +141,33 @@ typedef struct rpc_hdr_bba_info
} RPC_HDR_BBA;
/* RPC_HDR_AUTHA */
typedef struct rpc_hdr_autha_info
{
uint16 max_tsize; /* maximum transmission fragment size (0x1630) */
uint16 max_rsize; /* max receive fragment size (0x1630) */
uint8 auth_type; /* 0x0a */
uint8 auth_level; /* 0x06 */
uint8 stub_type_len; /* don't know */
uint8 padding; /* padding */
uint32 unknown; /* 0x0014a0c0 */
} RPC_HDR_AUTHA;
/* RPC_HDR_AUTH */
typedef struct rpc_hdr_auth_info
{
uint8 auth_type; /* 0x0a */
uint8 auth_level; /* 0x06 */
uint8 stub_type_len; /* don't know */
uint8 padding; /* padding */
uint32 unknown; /* 0x0014a0c0 */
} RPC_HDR_AUTH;
/* RPC_BIND_REQ - ms req bind */
typedef struct rpc_bind_req_info
{
@ -179,17 +207,9 @@ typedef struct rpc_hdr_ba_info
} RPC_HDR_BA;
/* this is TEMPORARY */
/* RPC_AUTH_VERIFIER */
typedef struct rpc_auth_verif_info
{
uint8 auth_type; /* 0x0a */
uint8 auth_level; /* 0x06 */
uint8 stub_type_len; /* don't know */
uint8 padding; /* padding */
uint32 ptr_0; /* non-zero pointer to something */
fstring signature; /* "NTLMSSP" */
uint32 msg_type; /* NTLMSSP_MESSAGE_TYPE (1,2,3) */
@ -220,9 +240,7 @@ typedef struct rpc_auth_ntlmssp_chal_info
uint32 neg_flags; /* 0x0000 82b1 */
uint8 challenge[8]; /* ntlm challenge */
#if 0
uint8 reserved [8]; /* zeros */
#endif
} RPC_AUTH_NTLMSSP_CHAL;

55
source/libsmb/smbdes.c
View File

@ -357,6 +357,58 @@ void cred_hash3(unsigned char *out,unsigned char *in,unsigned char *key, int for
smbhash(out + 8, in + 8, key2, forw);
}
void NTLMSSPhash( unsigned char hash[256], unsigned char const key[5])
{
unsigned char j = 0;
int ind;
unsigned char k2[8];
memcpy(k2, key, sizeof(key));
k2[5] = 0xe5;
k2[6] = 0xb8;
k2[6] = 0xb0;
for (ind = 0; ind < 256; ind++)
{
hash[ind] = (unsigned char)ind;
}
for( ind = 0; ind < 256; ind++)
{
unsigned char tc;
j += (hash[ind] + k2[ind%8]);
tc = hash[ind];
hash[ind] = hash[j];
hash[j] = tc;
}
}
void NTLMSSPcalc( unsigned char hash[256], unsigned char *data, int len)
{
unsigned char index_i = 0;
unsigned char index_j = 0;
int ind;
for( ind = 0; ind < len; ind++)
{
unsigned char tc;
unsigned char t;
index_i++;
index_j += hash[index_i];
tc = hash[index_i];
hash[index_i] = hash[index_j];
hash[index_j] = tc;
t = hash[index_i] + hash[index_j];
data[ind] ^= hash[t];
}
}
void SamOEMhash( unsigned char *data, unsigned char *key, int val)
{
unsigned char s_box[256];
@ -380,8 +432,7 @@ void SamOEMhash( unsigned char *data, unsigned char *key, int val)
s_box[ind] = s_box[j];
s_box[j] = tc;
}
for( ind = 0; ind < (val ? 516 : 16); ind++)
for( ind = 0; ind < val ? 516 : 8; ind++)
{
unsigned char tc;
unsigned char t;

12
source/libsmb/smbencrypt.c
View File

@ -152,6 +152,18 @@ void SMBOWFencrypt(uchar passwd[16], uchar *c8, uchar p24[24])
E_P24(p21, c8, p24);
}
/* Does the des encryption from the FIRST 8 BYTES of the NT or LM MD4 hash. */
void NTLMSSPOWFencrypt(uchar passwd[8], uchar *ntlmchalresp, uchar p24[24])
{
uchar p21[21];
memset(p21,'\0',21);
memcpy(p21, passwd, 8);
memset(p21 + 8, 0xbd, 8);
E_P24(p21, ntlmchalresp, p24);
}
/* Does the NT MD4 hash then des encryption. */

87
source/rpc_client/cli_pipe.c
View File

@ -289,12 +289,15 @@ static BOOL rpc_api_pipe(struct cli_state *cli, uint16 cmd,
static BOOL create_rpc_bind_req(prs_struct *rhdr,
prs_struct *rhdr_rb,
prs_struct *rhdr_auth,
prs_struct *auth_req,
prs_struct *auth_ntlm,
RPC_IFACE *abstract, RPC_IFACE *transfer,
char *my_name, char *domain)
{
RPC_HDR_RB hdr_rb;
RPC_HDR hdr;
RPC_HDR_AUTH hdr_auth;
RPC_AUTH_VERIFIER auth_verifier;
RPC_AUTH_NTLMSSP_NEG ntlmssp_neg;
@ -306,10 +309,13 @@ static BOOL create_rpc_bind_req(prs_struct *rhdr,
smb_io_rpc_hdr_rb("", &hdr_rb, rhdr_rb, 0);
mem_realloc_data(rhdr_rb->data, rhdr_rb->offset);
if (auth_req != NULL)
if (auth_req != NULL && rhdr_auth != NULL && auth_ntlm != NULL)
{
make_rpc_hdr_auth(&hdr_auth, 0x0a, 0x06, 0x00);
smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rhdr_auth, 0);
mem_realloc_data(rhdr_auth->data, rhdr_auth->offset);
make_rpc_auth_verifier(&auth_verifier,
0x0a, 0x06, 0x00,
"NTLMSSP", NTLMSSP_NEGOTIATE);
smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, auth_req, 0);
@ -325,7 +331,8 @@ static BOOL create_rpc_bind_req(prs_struct *rhdr,
/* create the request RPC_HDR */
make_rpc_hdr(&hdr, RPC_BIND, 0x0, get_rpc_call_id(),
rhdr_rb->offset + 0x10,
auth_req != NULL ? auth_req->offset : 0);
auth_req != NULL ? auth_req ->offset : 0 +
auth_ntlm != NULL ? auth_ntlm->offset : 0);
smb_io_rpc_hdr("hdr" , &hdr , rhdr, 0);
mem_realloc_data(rhdr->data, rhdr->offset);
@ -336,25 +343,18 @@ static BOOL create_rpc_bind_req(prs_struct *rhdr,
/*** link rpc header, bind acknowledgment and authentication responses ***/
/***/
rhdr->data->offset.start = 0;
rhdr->data->offset.end = rhdr->offset;
rhdr->data->next = rhdr_rb->data;
if (auth_req != NULL)
{
rhdr_rb->data->offset.start = rhdr->offset;
rhdr_rb->data->offset.end = rhdr->offset + rhdr_rb->offset;
rhdr_rb->data->next = auth_req->data;
auth_req->data->offset.start = rhdr->offset + rhdr_rb->offset;
auth_req->data->offset.end = rhdr->offset + auth_req->offset + rhdr_rb->offset;
auth_req->data->next = NULL;
prs_link(NULL , rhdr , rhdr_rb );
prs_link(rhdr , rhdr_rb , rhdr_auth);
prs_link(rhdr_rb , rhdr_auth , auth_req );
prs_link(rhdr_auth, auth_req , auth_ntlm);
prs_link(auth_req , auth_ntlm , NULL );
}
else
{
rhdr_rb->data->offset.start = rhdr->offset;
rhdr_rb->data->offset.end = rhdr->offset + rhdr_rb->offset;
rhdr_rb->data->next = NULL;
prs_link(NULL, rhdr , rhdr_rb);
prs_link(rhdr, rhdr_rb, NULL );
}
return True;
@ -578,7 +578,9 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name,
{
prs_struct hdr;
prs_struct hdr_rb;
prs_struct hdr_auth;
prs_struct auth_req;
prs_struct auth_ntlm;
prs_struct data;
prs_struct rdata;
prs_struct rparam;
@ -592,15 +594,20 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name,
if (!valid_pipe_name(pipe_name, abstract, transfer)) return False;
prs_init(&hdr , 0x10 , 4, 0x0 , False);
prs_init(&hdr_rb , 1024 , 4, SAFETY_MARGIN, False);
prs_init(&auth_req, ntlmssp_auth ? 1024 : 0, 4, SAFETY_MARGIN, False);
prs_init(&hdr , 0x10 , 4, 0x0 , False);
prs_init(&hdr_rb , 1024 , 4, SAFETY_MARGIN, False);
prs_init(&hdr_auth , ntlmssp_auth ? 8 : 0, 4, SAFETY_MARGIN, False);
prs_init(&auth_req , ntlmssp_auth ? 1024 : 0, 4, SAFETY_MARGIN, False);
prs_init(&auth_ntlm, ntlmssp_auth ? 1024 : 0, 4, SAFETY_MARGIN, False);
prs_init(&rdata , 0 , 4, SAFETY_MARGIN, True );
prs_init(&rparam, 0 , 4, SAFETY_MARGIN, True );
create_rpc_bind_req(&hdr, &hdr_rb, ntlmssp_auth ? &auth_req : NULL,
abstract, transfer, global_myname, global_myworkgroup);
create_rpc_bind_req(&hdr, &hdr_rb,
ntlmssp_auth ? &hdr_auth : NULL,
ntlmssp_auth ? &auth_req : NULL,
ntlmssp_auth ? &auth_ntlm : NULL,
abstract, transfer, global_myname, global_myworkgroup);
/* this is a hack due to limitations in rpc_api_pipe */
prs_init(&data, mem_buf_len(hdr.data), 4, 0x0, False);
@ -609,7 +616,10 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name,
/* send data on \PIPE\. receive a response */
if (rpc_api_pipe(cli, 0x0026, NULL, &data, &rparam, &rdata))
{
RPC_HDR_BA hdr_ba;
RPC_HDR_BA hdr_ba;
RPC_HDR_AUTH rhdr_auth;
RPC_AUTH_VERIFIER rhdr_verf;
RPC_AUTH_NTLMSSP_CHAL rhdr_chal;
DEBUG(5, ("rpc_api_pipe: return OK\n"));
@ -619,14 +629,33 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name,
{
valid_ack = check_bind_response(&hdr_ba, pipe_name, transfer);
}
if (valid_ack && ntlmssp_auth)
{
smb_io_rpc_hdr_auth("", &rhdr_auth, &rdata, 0);
if (rdata.offset == 0) valid_ack = False;
}
if (valid_ack && ntlmssp_auth)
{
smb_io_rpc_auth_verifier("", &rhdr_verf, &rdata, 0);
if (rdata.offset == 0) valid_ack = False;
}
if (valid_ack && ntlmssp_auth)
{
smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, &rdata, 0);
if (rdata.offset == 0) valid_ack = False;
}
}
prs_mem_free(&data );
prs_mem_free(&hdr );
prs_mem_free(&hdr_rb );
prs_mem_free(&auth_req);
prs_mem_free(&rdata );
prs_mem_free(&rparam );
prs_mem_free(&data );
prs_mem_free(&hdr );
prs_mem_free(&hdr_rb );
prs_mem_free(&hdr_auth );
prs_mem_free(&auth_req );
prs_mem_free(&auth_ntlm);
prs_mem_free(&rdata );
prs_mem_free(&rparam );
return valid_ack;
}

10
source/rpc_parse/parse_prs.c
View File

@ -69,9 +69,11 @@ void prs_mem_free(prs_struct *ps)
/*******************************************************************
link one parsing structure to another
********************************************************************/
void prs_link(prs_struct *ps, prs_struct const *const to)
void prs_link(prs_struct *prev, prs_struct *ps, prs_struct *next)
{
DEBUG(0,("NOT IMPLEMENTED\n"));
ps->data->offset.start = prev != NULL ? prev->data->offset.end : 0;
ps->data->offset.end = ps->data->offset.start + ps->offset;
ps->data->next = next != NULL ? next->data : NULL;
}
/*******************************************************************
@ -236,7 +238,7 @@ BOOL prs_unistr(char *name, prs_struct *ps, int depth, UNISTR *str)
ps->offset += i*2;
dump_data(5+depth, (char *)start, ps->offset);
dump_data(5+depth, (char *)start, i * 2);
return True;
}
@ -277,7 +279,7 @@ BOOL prs_string(char *name, prs_struct *ps, int depth, char *str, uint16 len, ui
ps->offset += i+1;
dump_data(5+depth, (char *)start, ps->offset);
dump_data(5+depth, (char *)start, i);
return True;
}

206
source/rpc_parse/parse_rpc.c
View File

@ -415,6 +415,83 @@ void smb_io_rpc_hdr_resp(char *desc, RPC_HDR_RESP *rpc, prs_struct *ps, int dep
prs_uint8 ("reserved ", ps, depth, &(rpc->reserved));
}
/*******************************************************************
creates an RPC_HDR_AUTHA structure.
********************************************************************/
void make_rpc_hdr_autha(RPC_HDR_AUTHA *rai,
uint16 max_tsize, uint16 max_rsize,
uint8 auth_type, uint8 auth_level,
uint8 stub_type_len)
{
if (rai == NULL) return;
rai->max_tsize = max_tsize; /* maximum transmission fragment size (0x1630) */
rai->max_rsize = max_rsize; /* max receive fragment size (0x1630) */
rai->auth_type = auth_type; /* nt lm ssp 0x0a */
rai->auth_level = auth_level; /* 0x06 */
rai->stub_type_len = stub_type_len; /* 0x00 */
rai->padding = 0; /* padding 0x00 */
rai->unknown = 0x0014a0c0; /* non-zero pointer to something */
}
/*******************************************************************
reads or writes an RPC_HDR_AUTHA structure.
********************************************************************/
void smb_io_rpc_hdr_autha(char *desc, RPC_HDR_AUTHA *rai, prs_struct *ps, int depth)
{
if (rai == NULL) return;
prs_debug(ps, depth, desc, "smb_io_rpc_hdr_autha");
depth++;
prs_uint16("max_tsize ", ps, depth, &(rai->max_tsize));
prs_uint16("max_rsize ", ps, depth, &(rai->max_rsize));
prs_uint8 ("auth_type ", ps, depth, &(rai->auth_type )); /* 0x0a nt lm ssp */
prs_uint8 ("auth_level ", ps, depth, &(rai->auth_level ));/* 0x06 */
prs_uint8 ("stub_type_len", ps, depth, &(rai->stub_type_len));
prs_uint8 ("padding ", ps, depth, &(rai->padding ));
prs_uint32("unknown ", ps, depth, &(rai->unknown )); /* 0x0014a0c0 */
}
/*******************************************************************
creates an RPC_HDR_AUTH structure.
********************************************************************/
void make_rpc_hdr_auth(RPC_HDR_AUTH *rai,
uint8 auth_type, uint8 auth_level,
uint8 stub_type_len)
{
if (rai == NULL) return;
rai->auth_type = auth_type; /* nt lm ssp 0x0a */
rai->auth_level = auth_level; /* 0x06 */
rai->stub_type_len = stub_type_len; /* 0x00 */
rai->padding = 0; /* padding 0x00 */
rai->unknown = 0x0014a0c0; /* non-zero pointer to something */
}
/*******************************************************************
reads or writes an RPC_HDR_AUTH structure.
********************************************************************/
void smb_io_rpc_hdr_auth(char *desc, RPC_HDR_AUTH *rai, prs_struct *ps, int depth)
{
if (rai == NULL) return;
prs_debug(ps, depth, desc, "smb_io_rpc_hdr_auth");
depth++;
prs_uint8 ("auth_type ", ps, depth, &(rai->auth_type )); /* 0x0a nt lm ssp */
prs_uint8 ("auth_level ", ps, depth, &(rai->auth_level ));/* 0x06 */
prs_uint8 ("stub_type_len", ps, depth, &(rai->stub_type_len));
prs_uint8 ("padding ", ps, depth, &(rai->padding ));
prs_uint32("unknown ", ps, depth, &(rai->unknown )); /* 0x0014a0c0 */
}
/*******************************************************************
creates an RPC_AUTH_NTLMSSP_NEG structure.
********************************************************************/
@ -459,19 +536,10 @@ void smb_io_rpc_auth_ntlmssp_neg(char *desc, RPC_AUTH_NTLMSSP_NEG *neg, prs_stru
creates an RPC_AUTH_VERIFIER structure.
********************************************************************/
void make_rpc_auth_verifier(RPC_AUTH_VERIFIER *rav,
uint8 auth_type, uint8 auth_level,
uint8 stub_type_len,
char *signature, uint32 msg_type)
{
if (rav == NULL) return;
rav->auth_type = auth_type; /* nt lm ssp 0x0a */
rav->auth_level = auth_level; /* 0x06 */
rav->stub_type_len = stub_type_len; /* 0x00 */
rav->padding = 0; /* padding 0x00 */
rav->ptr_0 = 0x0014a0c0; /* non-zero pointer to something */
fstrcpy(rav->signature, signature); /* "NTLMSSP" */
rav->msg_type = msg_type; /* NTLMSSP_MESSAGE_TYPE */
}
@ -486,13 +554,6 @@ void smb_io_rpc_auth_verifier(char *desc, RPC_AUTH_VERIFIER *rav, prs_struct *ps
prs_debug(ps, depth, desc, "smb_io_rpc_auth_verifier");
depth++;
prs_uint8("auth_type ", ps, depth, &(rav->auth_type)); /* nt lm ssp 0x0a */
prs_uint8("auth_level ", ps, depth, &(rav->auth_level));/* 0x06 */
prs_uint8("stub_type_len", ps, depth, &(rav->stub_type_len));
prs_uint8("padding ", ps, depth, &(rav->padding));
prs_uint32("ptr_0", ps, depth, &(rav->ptr_0 )); /* non-zero pointer to something */
prs_string("signature", ps, depth, rav->signature, 0, sizeof(rav->signature)); /* "NTLMSSP" */
prs_uint32("msg_type ", ps, depth, &(rav->msg_type )); /* NTLMSSP_MESSAGE_TYPE */
}
@ -511,9 +572,7 @@ void make_rpc_auth_ntlmssp_chal(RPC_AUTH_NTLMSSP_CHAL *chl,
chl->neg_flags = neg_flags; /* 0x0082b1 */
memcpy(chl->challenge, challenge, sizeof(chl->challenge));
/*
bzero (chl->reserved , sizeof(chl->reserved));
*/
}
/*******************************************************************
@ -531,19 +590,22 @@ void smb_io_rpc_auth_ntlmssp_chal(char *desc, RPC_AUTH_NTLMSSP_CHAL *chl, prs_st
prs_uint32("neg_flags", ps, depth, &(chl->neg_flags)); /* 0x0000 82b1 */
prs_uint8s (False, "challenge", ps, depth, chl->challenge, sizeof(chl->challenge));
/*
prs_uint8s (False, "reserved ", ps, depth, chl->reserved , sizeof(chl->reserved ));
*/
}
/*******************************************************************
creates an RPC_AUTH_NTLMSSP_RESP structure.
*** lkclXXXX FUDGE! HAVE TO MANUALLY SPECIFY OFFSET HERE (0x1c bytes) ***
*** lkclXXXX the actual offset is at the start of the auth verifier ***
********************************************************************/
void make_rpc_auth_ntlmssp_resp(RPC_AUTH_NTLMSSP_RESP *rsp,
uchar lm_resp[24], uchar nt_resp[24],
char *domain, char *user, char *wks,
uint32 neg_flags)
{
uint32 offset;
int dom_len = strlen(domain) * 2;
int wks_len = strlen(wks ) * 2;
int usr_len = strlen(user ) * 2;
@ -552,12 +614,24 @@ void make_rpc_auth_ntlmssp_resp(RPC_AUTH_NTLMSSP_RESP *rsp,
if (rsp == NULL) return;
make_str_hdr(&rsp->hdr_lm_resp, lm_len, lm_len, 1);
make_str_hdr(&rsp->hdr_nt_resp, nt_len, nt_len, 1);
make_str_hdr(&rsp->hdr_domain , dom_len, dom_len, 1);
make_str_hdr(&rsp->hdr_usr , usr_len, usr_len, 1);
make_str_hdr(&rsp->hdr_wks , wks_len, wks_len, 1);
make_str_hdr(&rsp->hdr_sess_key, 0, 0, 1);
offset = 0x40;
make_str_hdr(&rsp->hdr_lm_resp, lm_len, lm_len, offset);
offset += lm_len * 2;
make_str_hdr(&rsp->hdr_nt_resp, nt_len, nt_len, offset);
offset += nt_len * 2;
make_str_hdr(&rsp->hdr_domain , dom_len, dom_len, offset);
offset += dom_len * 2;
make_str_hdr(&rsp->hdr_usr , usr_len, usr_len, offset);
offset += usr_len * 2;
make_str_hdr(&rsp->hdr_wks , wks_len, wks_len, offset);
offset += wks_len * 2;
make_str_hdr(&rsp->hdr_sess_key, 0, 0, offset);
rsp->neg_flags = neg_flags;
@ -573,6 +647,10 @@ void make_rpc_auth_ntlmssp_resp(RPC_AUTH_NTLMSSP_RESP *rsp,
/*******************************************************************
reads or writes an RPC_AUTH_NTLMSSP_RESP structure.
*** lkclXXXX FUDGE! HAVE TO MANUALLY SPECIFY OFFSET HERE (0x1c bytes) ***
*** lkclXXXX the actual offset is at the start of the auth verifier ***
********************************************************************/
void smb_io_rpc_auth_ntlmssp_resp(char *desc, RPC_AUTH_NTLMSSP_RESP *rsp, prs_struct *ps, int depth)
{
@ -581,21 +659,71 @@ void smb_io_rpc_auth_ntlmssp_resp(char *desc, RPC_AUTH_NTLMSSP_RESP *rsp, prs_st
prs_debug(ps, depth, desc, "smb_io_rpc_auth_ntlmssp_resp");
depth++;
smb_io_strhdr("hdr_lm_resp ", &rsp->hdr_lm_resp , ps, depth);
smb_io_strhdr("hdr_nt_resp ", &rsp->hdr_nt_resp , ps, depth);
smb_io_strhdr("hdr_domain ", &rsp->hdr_domain , ps, depth);
smb_io_strhdr("hdr_user ", &rsp->hdr_usr , ps, depth);
smb_io_strhdr("hdr_wks ", &rsp->hdr_wks , ps, depth);
smb_io_strhdr("hdr_sess_key", &rsp->hdr_sess_key, ps, depth);
ZERO_STRUCTP(rsp);
prs_uint32("neg_flags", ps, depth, &(rsp->neg_flags)); /* 0x0000 82b1 */
if (ps->io)
{
uint32 old_offset;
/* reading */
smb_io_strhdr("hdr_lm_resp ", &rsp->hdr_lm_resp , ps, depth);
smb_io_strhdr("hdr_nt_resp ", &rsp->hdr_nt_resp , ps, depth);
smb_io_strhdr("hdr_domain ", &rsp->hdr_domain , ps, depth);
smb_io_strhdr("hdr_user ", &rsp->hdr_usr , ps, depth);
smb_io_strhdr("hdr_wks ", &rsp->hdr_wks , ps, depth);
smb_io_strhdr("hdr_sess_key", &rsp->hdr_sess_key, ps, depth);
prs_string("sess_key", ps, depth, rsp->sess_key, rsp->hdr_sess_key.str_str_len, sizeof(rsp->sess_key));
prs_string("wks ", ps, depth, rsp->wks , rsp->hdr_wks .str_str_len, sizeof(rsp->wks ));
prs_string("user ", ps, depth, rsp->user , rsp->hdr_usr .str_str_len, sizeof(rsp->user ));
prs_string("domain ", ps, depth, rsp->domain , rsp->hdr_domain .str_str_len, sizeof(rsp->domain ));
prs_string("nt_resp ", ps, depth, rsp->nt_resp , rsp->hdr_nt_resp .str_str_len, sizeof(rsp->nt_resp ));
prs_string("lm_resp ", ps, depth, rsp->lm_resp , rsp->hdr_lm_resp .str_str_len, sizeof(rsp->lm_resp ));
prs_uint32("neg_flags", ps, depth, &(rsp->neg_flags)); /* 0x0000 82b1 */
old_offset = ps->offset;
ps->offset = rsp->hdr_lm_resp .buffer + 0x1c;
prs_uint8s(False, "lm_resp ", ps, depth, rsp->lm_resp , MIN(rsp->hdr_lm_resp .str_str_len, sizeof(rsp->lm_resp )));
old_offset += rsp->hdr_lm_resp .str_str_len;
ps->offset = rsp->hdr_nt_resp .buffer + 0x1c;
prs_uint8s(False, "nt_resp ", ps, depth, rsp->nt_resp , MIN(rsp->hdr_nt_resp .str_str_len, sizeof(rsp->nt_resp )));
old_offset += rsp->hdr_nt_resp .str_str_len;
ps->offset = rsp->hdr_domain .buffer + 0x1c;
prs_uint8s(True , "domain ", ps, depth, rsp->domain , MIN(rsp->hdr_domain .str_str_len, sizeof(rsp->domain )));
old_offset += rsp->hdr_domain .str_str_len;
ps->offset = rsp->hdr_usr .buffer + 0x1c;
prs_uint8s(True , "user ", ps, depth, rsp->user , MIN(rsp->hdr_usr .str_str_len, sizeof(rsp->user )));
old_offset += rsp->hdr_usr .str_str_len;
ps->offset = rsp->hdr_wks .buffer + 0x1c;
prs_uint8s(True , "wks ", ps, depth, rsp->wks , MIN(rsp->hdr_wks .str_str_len, sizeof(rsp->wks )));
old_offset += rsp->hdr_wks .str_str_len;
if (rsp->hdr_sess_key.str_str_len != 0)
{
ps->offset = rsp->hdr_sess_key.buffer + 0x1c;
old_offset += rsp->hdr_sess_key.str_str_len;
prs_uint8s(False, "sess_key", ps, depth, rsp->sess_key, MIN(rsp->hdr_sess_key.str_str_len, sizeof(rsp->sess_key)));
}
ps->offset = old_offset;
}
else
{
/* writing */
smb_io_strhdr("hdr_lm_resp ", &rsp->hdr_lm_resp , ps, depth);
smb_io_strhdr("hdr_nt_resp ", &rsp->hdr_nt_resp , ps, depth);
smb_io_strhdr("hdr_domain ", &rsp->hdr_domain , ps, depth);
smb_io_strhdr("hdr_user ", &rsp->hdr_usr , ps, depth);
smb_io_strhdr("hdr_wks ", &rsp->hdr_wks , ps, depth);
smb_io_strhdr("hdr_sess_key", &rsp->hdr_sess_key, ps, depth);
prs_uint32("neg_flags", ps, depth, &(rsp->neg_flags)); /* 0x0000 82b1 */
prs_uint8s(False, "sess_key", ps, depth, rsp->sess_key, MIN(rsp->hdr_sess_key.str_str_len, sizeof(rsp->sess_key)));
prs_uint8s(True , "wks ", ps, depth, rsp->wks , MIN(rsp->hdr_wks .str_str_len, sizeof(rsp->wks )));
prs_uint8s(True , "user ", ps, depth, rsp->user , MIN(rsp->hdr_usr .str_str_len, sizeof(rsp->user )));
prs_uint8s(True , "domain ", ps, depth, rsp->domain , MIN(rsp->hdr_domain .str_str_len, sizeof(rsp->domain )));
prs_uint8s(False, "nt_resp ", ps, depth, rsp->nt_resp , MIN(rsp->hdr_nt_resp .str_str_len, sizeof(rsp->nt_resp )));
prs_uint8s(False, "lm_resp ", ps, depth, rsp->lm_resp , MIN(rsp->hdr_lm_resp .str_str_len, sizeof(rsp->lm_resp )));
}
}
#if 0

20
source/rpc_server/srv_pipe_hnd.c
View File

@ -155,15 +155,33 @@ pipes_struct *open_rpc_pipe_p(char *pipe_name,
/****************************************************************************
writes data to a pipe.
SERIOUSLY ALPHA CODE!
****************************************************************************/
int write_pipe(pipes_struct *p, char *data, int n)
{
prs_struct pd;
struct mem_buf data_buf;
DEBUG(6,("write_pipe: %x", p->pnum));
DEBUG(6,("name: %s open: %s len: %d",
p->name, BOOLSTR(p->open), n));
return -1;
dump_data(50, data, n);
/* fake up a data buffer from the write_pipe data parameters */
mem_create(&data_buf, data, n, 0, False);
data_buf.offset.start = 0;
data_buf.offset.end = n;
/* fake up a parsing structure */
pd.data = &data_buf;
pd.align = 4;
pd.io = True;
pd.offset = 0;
return rpc_command(p, &pd) ? n : -1;
}

280
source/rpc_server/srv_util.c
View File

@ -209,6 +209,284 @@ BOOL create_rpc_reply(pipes_struct *p,
}
static BOOL api_pipe_ntlmssp(pipes_struct *p, prs_struct *pd)
{
/* receive a negotiate; send a challenge; receive a response */
switch (p->auth_verifier.msg_type)
{
case NTLMSSP_NEGOTIATE:
{
smb_io_rpc_auth_ntlmssp_neg("", &p->ntlmssp_neg, pd, 0);
break;
}
case NTLMSSP_AUTH:
{
smb_io_rpc_auth_ntlmssp_resp("", &p->ntlmssp_resp, pd, 0);
break;
}
default:
{
/* NTLMSSP expected: unexpected message type */
DEBUG(3,("unexpected message type in NTLMSSP %d\n",
p->auth_verifier.msg_type));
return False;
}
}
return (pd->offset != 0);
}
struct api_cmd
{
char * pipe_clnt_name;
char * pipe_srv_name;
BOOL (*fn) (pipes_struct *, prs_struct *);
};
static struct api_cmd api_fd_commands[] =
{
{ "lsarpc", "lsass", api_ntlsa_rpc },
{ "samr", "lsass", api_samr_rpc },
{ "srvsvc", "ntsvcs", api_srvsvc_rpc },
{ "wkssvc", "ntsvcs", api_wkssvc_rpc },
{ "NETLOGON", "lsass", api_netlog_rpc },
{ "winreg", "winreg", api_reg_rpc },
{ NULL, NULL, NULL }
};
static BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *pd)
{
p->ntlmssp_auth = False;
DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__));
if (p->hdr.auth_len != 0)
{
/* decode the authentication verifier response */
smb_io_rpc_hdr_autha("", &p->autha_info, pd, 0);
if (pd->offset == 0) return False;
p->ntlmssp_auth = p->auth_info.auth_type = 0x0a;
if (p->ntlmssp_auth)
{
smb_io_rpc_auth_verifier("", &p->auth_verifier, pd, 0);
if (pd->offset == 0) return False;
p->ntlmssp_auth = strequal(p->auth_verifier.signature, "NTLMSSP");
}
if (p->ntlmssp_auth)
{
if (!api_pipe_ntlmssp(p, pd)) return False;
}
}
return p->ntlmssp_auth;
}
static BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *pd)
{
uint16 assoc_gid;
fstring ack_pipe_name;
int i = 0;
p->ntlmssp_auth = False;
DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
for (i = 0; api_fd_commands[i].pipe_clnt_name; i++)
{
if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
api_fd_commands[i].fn != NULL)
{
DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
api_fd_commands[i].pipe_clnt_name,
api_fd_commands[i].pipe_srv_name));
fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
break;
}
}
if (api_fd_commands[i].fn == NULL) return False;
/* decode the bind request */
smb_io_rpc_hdr_rb("", &p->hdr_rb, pd, 0);
if (pd->offset == 0) return False;
if (p->hdr.auth_len != 0)
{
/* decode the authentication verifier */
smb_io_rpc_hdr_auth ("", &p->auth_info , pd, 0);
if (pd->offset == 0) return False;
p->ntlmssp_auth = p->auth_info.auth_type = 0x0a;
if (p->ntlmssp_auth)
{
smb_io_rpc_auth_verifier("", &p->auth_verifier, pd, 0);
if (pd->offset == 0) return False;
p->ntlmssp_auth = strequal(p->auth_verifier.signature, "NTLMSSP");
}
if (p->ntlmssp_auth)
{
if (!api_pipe_ntlmssp(p, pd)) return False;
}
}
/* name has to be \PIPE\xxxxx */
fstrcpy(ack_pipe_name, "\\PIPE\\");
fstrcat(ack_pipe_name, p->pipe_srv_name);
DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
prs_init(&(p->rdata), 1024, 4, 0, False);
prs_init(&(p->rhdr ), 0x10, 4, 0, False);
prs_init(&(p->rauth), 1024, 4, 0, False);
prs_init(&(p->rverf), 0x08, 4, 0, False);
prs_init(&(p->rntlm), 1024, 4, 0, False);
/***/
/*** do the bind ack first ***/
/***/
if (p->ntlmssp_auth)
{
assoc_gid = 0x7a77;
}
else
{
assoc_gid = p->hdr_rb.bba.assoc_gid;
}
make_rpc_hdr_ba(&p->hdr_ba,
p->hdr_rb.bba.max_tsize,
p->hdr_rb.bba.max_rsize,
assoc_gid,
ack_pipe_name,
0x1, 0x0, 0x0,
&(p->hdr_rb.transfer));
smb_io_rpc_hdr_ba("", &p->hdr_ba, &p->rdata, 0);
mem_realloc_data(p->rdata.data, p->rdata.offset);
/***/
/*** now the authentication ***/
/***/
if (p->ntlmssp_auth)
{
uint8 challenge[8];
generate_random_buffer(challenge, 8, False);
/*** authentication info ***/
make_rpc_hdr_auth(&p->auth_info,
0x0a, 0x06, 0);
smb_io_rpc_hdr_auth("", &p->auth_info, &p->rverf, 0);
mem_realloc_data(p->rverf.data, p->rverf.offset);
/*** NTLMSSP verifier ***/
make_rpc_auth_verifier(&p->auth_verifier,
"NTLMSSP", NTLMSSP_CHALLENGE);
smb_io_rpc_auth_verifier("", &p->auth_verifier, &p->rauth, 0);
mem_realloc_data(p->rauth.data, p->rauth.offset);
/* NTLMSSP challenge ***/
make_rpc_auth_ntlmssp_chal(&p->ntlmssp_chal,
0x000082b1, challenge);
smb_io_rpc_auth_ntlmssp_chal("", &p->ntlmssp_chal, &p->rntlm, 0);
mem_realloc_data(p->rntlm.data, p->rntlm.offset);
}
/***/
/*** then do the header, now we know the length ***/
/***/
make_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
p->hdr.call_id,
p->rdata.offset + p->rverf.offset + p->rauth.offset + p->rntlm.offset + 0x10,
p->rauth.offset + p->rntlm.offset);
smb_io_rpc_hdr("", &p->hdr, &p->rhdr, 0);
mem_realloc_data(p->rhdr.data, p->rdata.offset);
/***/
/*** link rpc header, bind acknowledgment and authentication responses ***/
/***/
if (p->ntlmssp_auth)
{
prs_link(NULL , &p->rhdr , &p->rdata);
prs_link(&p->rhdr , &p->rdata, &p->rverf);
prs_link(&p->rdata, &p->rverf, &p->rauth);
prs_link(&p->rverf, &p->rauth, &p->rntlm);
prs_link(&p->rauth, &p->rntlm, NULL );
}
else
{
prs_link(NULL , &p->rhdr , &p->rdata);
prs_link(&p->rhdr, &p->rdata, NULL );
}
return True;
}
static BOOL api_pipe_request(pipes_struct *p, prs_struct *pd)
{
int i = 0;
for (i = 0; api_fd_commands[i].pipe_clnt_name; i++)
{
if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
api_fd_commands[i].fn != NULL)
{
DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
return api_fd_commands[i].fn(p, pd);
}
}
return False;
}
BOOL rpc_command(pipes_struct *p, prs_struct *pd)
{
BOOL reply = False;
if (pd->data == NULL) return False;
/* process the rpc header */
smb_io_rpc_hdr("", &p->hdr, pd, 0);
if (pd->offset == 0) return False;
switch (p->hdr.pkt_type)
{
case RPC_BIND :
{
reply = api_pipe_bind_req(p, pd);
break;
}
case RPC_REQUEST:
{
reply = api_pipe_request (p, pd);
break;
}
case RPC_BINDRESP: /* not the real name! */
{
reply = api_pipe_bind_auth_resp(p, pd);
break;
}
}
return reply;
}
/*******************************************************************
receives a netlogon pipe and responds.
********************************************************************/
@ -256,7 +534,7 @@ static BOOL api_rpc_command(pipes_struct *p,
mem_realloc_data(p->rdata.data, p->rdata.offset);
DEBUG(10,("called %s\n", rpc_name));
DEBUG(10,("called %s\n", rpc_name));
return True;
}

251
source/smbd/ipc.c
View File

@ -3110,251 +3110,18 @@ static BOOL api_WPrintPortEnum(connection_struct *conn,uint16 vuid, char *param,
return(True);
}
static BOOL api_pipe_ntlmssp(pipes_struct *p, prs_struct *pd)
{
/* receive a negotiate; send a challenge; receive a response */
switch (p->auth_verifier.msg_type)
{
case NTLMSSP_NEGOTIATE:
{
smb_io_rpc_auth_ntlmssp_neg("", &p->ntlmssp_neg, pd, 0);
break;
}
case NTLMSSP_AUTH:
{
smb_io_rpc_auth_ntlmssp_resp("", &p->ntlmssp_resp, pd, 0);
break;
}
default:
{
/* NTLMSSP expected: unexpected message type */
DEBUG(3,("unexpected message type in NTLMSSP %d\n",
p->auth_verifier.msg_type));
return False;
}
}
return (pd->offset != 0);
}
struct api_cmd
{
char * pipe_clnt_name;
char * pipe_srv_name;
BOOL (*fn) (pipes_struct *, prs_struct *);
};
static struct api_cmd api_fd_commands[] =
{
{ "lsarpc", "lsass", api_ntlsa_rpc },
{ "samr", "lsass", api_samr_rpc },
{ "srvsvc", "ntsvcs", api_srvsvc_rpc },
{ "wkssvc", "ntsvcs", api_wkssvc_rpc },
{ "NETLOGON", "lsass", api_netlog_rpc },
{ "winreg", "winreg", api_reg_rpc },
{ NULL, NULL, NULL }
};
static BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *pd)
{
BOOL ntlmssp_auth = False;
uint16 assoc_gid;
fstring ack_pipe_name;
int i = 0;
DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__));
for (i = 0; api_fd_commands[i].pipe_clnt_name; i++)
{
if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
api_fd_commands[i].fn != NULL)
{
DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n",
api_fd_commands[i].pipe_clnt_name,
api_fd_commands[i].pipe_srv_name));
fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name);
break;
}
}
if (api_fd_commands[i].fn == NULL) return False;
/* decode the bind request */
smb_io_rpc_hdr_rb("", &p->hdr_rb, pd, 0);
if (pd->offset == 0) return False;
if (p->hdr.auth_len != 0)
{
/* decode the authentication verifier */
smb_io_rpc_auth_verifier("", &p->auth_verifier, pd, 0);
if (pd->offset == 0) return False;
ntlmssp_auth = strequal(p->auth_verifier.signature, "NTLMSSP");
if (ntlmssp_auth)
{
if (!api_pipe_ntlmssp(p, pd)) return False;
}
}
/* name has to be \PIPE\xxxxx */
fstrcpy(ack_pipe_name, "\\PIPE\\");
fstrcat(ack_pipe_name, p->pipe_srv_name);
DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__));
prs_init(&(p->rdata), 1024, 4, 0, False);
prs_init(&(p->rhdr ), 0x10, 4, 0, False);
prs_init(&(p->rauth), 1024, 4, 0, False);
prs_init(&(p->rntlm), 1024, 4, 0, False);
/***/
/*** do the bind ack first ***/
/***/
if (ntlmssp_auth)
{
assoc_gid = 0x7a77;
}
else
{
assoc_gid = p->hdr_rb.bba.assoc_gid;
}
make_rpc_hdr_ba(&p->hdr_ba,
p->hdr_rb.bba.max_tsize,
p->hdr_rb.bba.max_rsize,
assoc_gid,
ack_pipe_name,
0x1, 0x0, 0x0,
&(p->hdr_rb.transfer));
smb_io_rpc_hdr_ba("", &p->hdr_ba, &p->rdata, 0);
mem_realloc_data(p->rdata.data, p->rdata.offset);
/***/
/*** now the authentication ***/
/***/
if (ntlmssp_auth)
{
uint8 challenge[8];
generate_random_buffer(challenge, 8, False);
make_rpc_auth_verifier(&p->auth_verifier,
0x0a, 0x06, 0,
"NTLMSSP", NTLMSSP_CHALLENGE);
smb_io_rpc_auth_verifier("", &p->auth_verifier, &p->rauth, 0);
mem_realloc_data(p->rauth.data, p->rauth.offset);
make_rpc_auth_ntlmssp_chal(&p->ntlmssp_chal,
0x000082b1, challenge);
smb_io_rpc_auth_ntlmssp_chal("", &p->ntlmssp_chal, &p->rntlm, 0);
mem_realloc_data(p->rntlm.data, p->rntlm.offset);
}
/***/
/*** then do the header, now we know the length ***/
/***/
make_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST,
p->hdr.call_id,
p->rdata.offset + p->rauth.offset + p->rntlm.offset + 0x10,
p->rauth.offset + p->rntlm.offset);
smb_io_rpc_hdr("", &p->hdr, &p->rhdr, 0);
mem_realloc_data(p->rhdr.data, p->rdata.offset);
/***/
/*** link rpc header, bind acknowledgment and authentication responses ***/
/***/
p->rhdr.data->offset.start = 0;
p->rhdr.data->offset.end = p->rhdr.offset;
p->rhdr.data->next = p->rdata.data;
if (ntlmssp_auth)
{
p->rdata.data->offset.start = p->rhdr.offset;
p->rdata.data->offset.end = p->rhdr.offset + p->rdata.offset;
p->rdata.data->next = p->rauth.data;
p->rauth.data->offset.start = p->rhdr.offset + p->rdata.offset;
p->rauth.data->offset.end = p->rhdr.offset + p->rdata.offset + p->rauth.offset;
p->rauth.data->next = p->rntlm.data;
p->rntlm.data->offset.start = p->rhdr.offset + p->rdata.offset + p->rauth.offset;
p->rntlm.data->offset.end = p->rhdr.offset + p->rdata.offset + p->rauth.offset + p->rntlm.offset;
p->rntlm.data->next = NULL;
}
else
{
p->rdata.data->offset.start = p->rhdr.offset;
p->rdata.data->offset.end = p->rhdr.offset + p->rdata.offset;
p->rdata.data->next = NULL;
}
return True;
}
static BOOL api_pipe_request(pipes_struct *p, prs_struct *pd)
{
int i = 0;
for (i = 0; api_fd_commands[i].pipe_clnt_name; i++)
{
if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) &&
api_fd_commands[i].fn != NULL)
{
DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name));
return api_fd_commands[i].fn(p, pd);
}
}
return False;
}
static BOOL api_dce_rpc_command(char *outbuf,
static void api_rpc_trans_reply(char *outbuf,
pipes_struct *p,
prs_struct *pd)
{
BOOL reply = False;
if (pd->data == NULL) return False;
send_trans_reply(outbuf, p->rhdr.data, NULL, NULL, 0, p->file_offset);
/* process the rpc header */
smb_io_rpc_hdr("", &p->hdr, pd, 0);
if (pd->offset == 0) return False;
switch (p->hdr.pkt_type)
if (mem_buf_len(p->rhdr.data) <= p->file_offset)
{
case RPC_BIND :
{
reply = api_pipe_bind_req(p, pd);
break;
}
case RPC_REQUEST:
{
reply = api_pipe_request (p, pd);
break;
}
/* all of data was sent: no need to wait for SMBreadX calls */
mem_free_data(p->rhdr .data);
mem_free_data(p->rdata.data);
}
if (reply)
{
/* now send the reply */
send_trans_reply(outbuf, p->rhdr.data, NULL, NULL, 0, p->file_offset);
if (mem_buf_len(p->rhdr.data) <= p->file_offset)
{
/* all of data was sent: no need to wait for SMBreadX calls */
mem_free_data(p->rhdr .data);
mem_free_data(p->rdata.data);
}
}
return reply;
}
/****************************************************************************
@ -3463,7 +3230,11 @@ static int api_fd_reply(connection_struct *conn,uint16 vuid,char *outbuf,
case 0x26:
{
/* dce/rpc command */
reply = api_dce_rpc_command(outbuf, p, &pd);
reply = rpc_command(p, &pd);
if (reply)
{
api_rpc_trans_reply(outbuf, p, &pd);
}
break;
}
case 0x01:

2
source/smbd/pipes.c
View File

@ -123,7 +123,7 @@ int reply_pipe_write_and_X(char *inbuf,char *outbuf,int length,int bufsize)
if (!p) return(ERROR(ERRDOS,ERRbadfid));
data = smb_buf(inbuf) + smb_doff;
data = smb_base(inbuf) + smb_doff;
if (numtowrite == 0)
{