1
0
mirror of https://github.com/samba-team/samba.git synced 2025-01-25 06:04:04 +03:00
Stefan Metzmacher bb8ad1f229 RawDCERPCTest: add some more auth_length related asserts
BUG: https://bugzilla.samba.org/show_bug.cgi?id=14356

Signed-off-by: Stefan Metzmacher <metze@samba.org>
Reviewed-by: Andreas Schneider <asn@samba.org>
2024-10-10 14:01:04 +00:00

1206 lines
48 KiB
Python

# Unix SMB/CIFS implementation.
# Copyright (C) Jelmer Vernooij <jelmer@samba.org> 2007-2010
# Copyright (C) Stefan Metzmacher 2014,2015
#
# This program is free software; you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation; either version 3 of the License, or
# (at your option) any later version.
#
# This program is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with this program. If not, see <http://www.gnu.org/licenses/>.
#
import sys
import socket
import samba.dcerpc.dcerpc as dcerpc
import samba.dcerpc.base
import samba.dcerpc.epmapper
import samba.dcerpc.security as security
import samba.tests
from samba import gensec
from samba.credentials import Credentials
from samba.tests import TestCase
from samba.ndr import ndr_pack, ndr_unpack, ndr_unpack_out
from samba.ntstatus import (
NT_STATUS_CONNECTION_DISCONNECTED,
NT_STATUS_PIPE_DISCONNECTED,
NT_STATUS_IO_TIMEOUT
)
from samba import NTSTATUSError
from samba.samba3 import param as s3param
from samba.samba3 import libsmb_samba_internal as libsmb
from samba.credentials import SMB_SIGNING_REQUIRED
class smb_pipe_socket(object):
def __init__(self, target_hostname, pipename, creds, impersonation_level, lp):
lp3 = s3param.get_context()
lp3.load(lp.configfile)
saved_signing_state = creds.get_smb_ipc_signing()
creds.set_smb_ipc_signing(SMB_SIGNING_REQUIRED)
self.smbconn = libsmb.Conn(target_hostname, 'IPC$', lp3,
creds=creds, ipc=True)
creds.set_smb_ipc_signing(saved_signing_state)
self.smbfid = self.smbconn.create(pipename,
DesiredAccess=0x12019f,
ShareAccess=0x7,
CreateDisposition=1,
CreateOptions=0x400040,
ImpersonationLevel=impersonation_level)
return
def close(self):
try:
self.smbconn.close(self.smbfid)
except NTSTATUSError as e:
if e.args[0] == NT_STATUS_CONNECTION_DISCONNECTED:
pass
elif e.args[0] == NT_STATUS_PIPE_DISCONNECTED:
pass
elif e.args[0] == NT_STATUS_IO_TIMEOUT:
pass
else:
raise e
del self.smbconn
def settimeout(self, timeo):
# The socket module we simulate there
# specifies the timeo as seconds as float.
msecs = int(timeo * 1000)
assert msecs >= 0
self.smbconn.settimeout(msecs)
return
def send(self, buf, flags=0):
return self.smbconn.write(self.smbfid, buffer=buf, offset=0, mode=8)
def recv(self, len, flags=0):
try:
return self.smbconn.read(self.smbfid, offset=0, size=len)
except NTSTATUSError as e:
if e.args[0] == NT_STATUS_CONNECTION_DISCONNECTED:
return b'\0' * 0
if e.args[0] == NT_STATUS_PIPE_DISCONNECTED:
return b'\0' * 0
if e.args[0] == NT_STATUS_IO_TIMEOUT:
raise socket.timeout(str(e))
raise e
class RawDCERPCTest(TestCase):
"""A raw DCE/RPC Test case."""
def _disconnect(self, reason):
if self.s is None:
return
self.s.close()
self.s = None
if self.do_hexdump:
sys.stderr.write("disconnect[%s]\n" % reason)
def _connect_tcp(self):
tcp_port = int(self.primary_address)
try:
self.a = socket.getaddrinfo(self.host, tcp_port, socket.AF_UNSPEC,
socket.SOCK_STREAM, socket.SOL_TCP,
0)
self.s = socket.socket(self.a[0][0], self.a[0][1], self.a[0][2])
self.s.settimeout(10)
self.s.connect(self.a[0][4])
except socket.error as e:
self.s.close()
raise
except IOError as e:
self.s.close()
raise
except Exception as e:
raise
finally:
pass
self.max_xmit_frag = 5840
self.max_recv_frag = 5840
if self.secondary_address is None:
self.secondary_address = self.primary_address
# compat for older tests
self.tcp_port = tcp_port
def _connect_smb(self):
a = self.primary_address.split('\\')
self.assertEqual(len(a), 3)
self.assertEqual(a[0], "")
self.assertEqual(a[1], "pipe")
pipename = a[2]
self.s = smb_pipe_socket(self.target_hostname,
pipename,
self.transport_creds,
self.transport_impersonation,
self.lp_ctx)
self.max_xmit_frag = 4280
self.max_recv_frag = 4280
if self.secondary_address is None:
self.secondary_address = self.primary_address
def connect(self):
self.assertNotConnected()
if self.primary_address.startswith("\\pipe\\"):
self._connect_smb()
else:
self._connect_tcp()
if self.secondary_address is None:
self.secondary_address = self.primary_address
return
def setUp(self):
super().setUp()
self.do_ndr_print = False
self.do_hexdump = False
self.ignore_random_pad = samba.tests.env_get_var_value('IGNORE_RANDOM_PAD',
allow_missing=True)
self.auth_level_connect_lsa = samba.tests.env_get_var_value('AUTH_LEVEL_CONNECT_LSA',
allow_missing=True)
self.allow_bind_auth_pad = samba.tests.env_get_var_value('ALLOW_BIND_AUTH_PAD',
allow_missing=True)
self.legacy_bind_nak_no_reason = samba.tests.env_get_var_value('LEGACY_BIND_NACK_NO_REASON',
allow_missing=True)
self.host = samba.tests.env_get_var_value('SERVER')
self.target_hostname = samba.tests.env_get_var_value('TARGET_HOSTNAME', allow_missing=True)
if self.target_hostname is None:
self.target_hostname = self.host
self.primary_address = "135"
self.secondary_address = None
self.transport_creds = self.get_anon_creds()
self.transport_impersonation = 0x2
self.settings = {}
self.settings["lp_ctx"] = self.lp_ctx = samba.tests.env_loadparm()
self.settings["target_hostname"] = self.target_hostname
self.s = None
self.connect()
def tearDown(self):
self._disconnect("tearDown")
super().tearDown()
def noop(self):
return
def reconnect_smb_pipe(self, primary_address, secondary_address=None,
transport_creds=None, transport_impersonation=None):
self._disconnect("reconnect_smb_pipe")
self.assertIsNotNone(primary_address)
self.primary_address = primary_address
if secondary_address is not None:
self.secondary_address = secondary_address
else:
self.secondary_address = None
if transport_creds is not None:
self.transport_creds = transport_creds
if transport_impersonation is not None:
self.transport_impersonation = transport_impersonation
self.connect()
return
def second_connection(self, primary_address=None, secondary_address=None,
transport_creds=None, transport_impersonation=None):
c = RawDCERPCTest(methodName='noop')
c.do_ndr_print = self.do_ndr_print
c.do_hexdump = self.do_hexdump
c.ignore_random_pad = self.ignore_random_pad
c.host = self.host
c.target_hostname = self.target_hostname
if primary_address is not None:
c.primary_address = primary_address
if secondary_address is not None:
c.secondary_address = secondary_address
else:
c.secondary_address = None
else:
self.assertIsNone(secondary_address)
c.primary_address = self.primary_address
c.secondary_address = self.secondary_address
if transport_creds is not None:
c.transport_creds = transport_creds
else:
c.transport_creds = self.transport_creds
if transport_impersonation is not None:
c.transport_impersonation = transport_impersonation
else:
c.transport_impersonation = self.transport_impersonation
c.lp_ctx = self.lp_ctx
c.settings = self.settings
c.s = None
c.connect()
return c
def get_user_creds(self):
c = Credentials()
c.guess()
domain = samba.tests.env_get_var_value('DOMAIN')
realm = samba.tests.env_get_var_value('REALM')
username = samba.tests.env_get_var_value('USERNAME')
password = samba.tests.env_get_var_value('PASSWORD')
c.set_domain(domain)
c.set_realm(realm)
c.set_username(username)
c.set_password(password)
return c
def get_anon_creds(self):
c = Credentials()
c.set_anonymous()
return c
def get_auth_context_creds(self, creds, auth_type, auth_level,
auth_context_id,
g_auth_level=None,
hdr_signing=False):
if g_auth_level is None:
g_auth_level = auth_level
g = gensec.Security.start_client(self.settings)
g.set_credentials(creds)
g.want_feature(gensec.FEATURE_DCE_STYLE)
g.start_mech_by_authtype(auth_type, g_auth_level)
if auth_type == dcerpc.DCERPC_AUTH_TYPE_KRB5:
expect_3legs = True
elif auth_type == dcerpc.DCERPC_AUTH_TYPE_NTLMSSP:
expect_3legs = True
else:
expect_3legs = False
auth_context = {}
auth_context["auth_type"] = auth_type
auth_context["auth_level"] = auth_level
auth_context["auth_context_id"] = auth_context_id
auth_context["g_auth_level"] = g_auth_level
auth_context["gensec"] = g
auth_context["hdr_signing"] = hdr_signing
auth_context["expect_3legs"] = expect_3legs
return auth_context
def do_generic_bind(self, ctx, auth_context=None,
pfc_flags=samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST,
assoc_group_id=0, call_id=0,
nak_reason=None, alter_fault=None,
start_with_alter=False,
pfc_flags_2nd=samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST,
use_auth3=False):
ctx_list = [ctx]
if auth_context is not None:
if auth_context['hdr_signing']:
pfc_flags |= dcerpc.DCERPC_PFC_FLAG_SUPPORT_HEADER_SIGN
expect_3legs = auth_context["expect_3legs"]
from_server = b""
(finished, to_server) = auth_context["gensec"].update(from_server)
self.assertFalse(finished)
auth_info = self.generate_auth(auth_type=auth_context["auth_type"],
auth_level=auth_context["auth_level"],
auth_context_id=auth_context["auth_context_id"],
auth_blob=to_server)
else:
auth_info = b""
if start_with_alter:
req = self.generate_alter(call_id=call_id,
pfc_flags=pfc_flags,
ctx_list=ctx_list,
assoc_group_id=0xffffffff - assoc_group_id,
auth_info=auth_info)
self.send_pdu(req)
rep = self.recv_pdu()
if alter_fault is not None:
self.verify_pdu(rep, samba.dcerpc.dcerpc.DCERPC_PKT_FAULT, req.call_id,
pfc_flags=req.pfc_flags |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
auth_length=0)
self.assertNotEqual(rep.u.alloc_hint, 0)
self.assertEqual(rep.u.context_id, 0)
self.assertEqual(rep.u.cancel_count, 0)
self.assertEqual(rep.u.flags, 0)
self.assertEqual(rep.u.status, alter_fault)
self.assertEqual(rep.u.reserved, 0)
self.assertEqual(len(rep.u.error_and_verifier), 0)
return None
self.verify_pdu(rep, samba.dcerpc.dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id,
pfc_flags=req.pfc_flags)
self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
self.assertEqual(rep.u.assoc_group_id, assoc_group_id)
self.assertEqual(rep.u.secondary_address_size, 0)
self.assertEqual(rep.u.secondary_address, '')
self.assertPadding(rep.u._pad1, 2)
else:
req = self.generate_bind(call_id=call_id,
pfc_flags=pfc_flags,
ctx_list=ctx_list,
assoc_group_id=assoc_group_id,
auth_info=auth_info)
self.send_pdu(req)
rep = self.recv_pdu()
if nak_reason is not None:
self.verify_pdu(rep, samba.dcerpc.dcerpc.DCERPC_PKT_BIND_NAK, req.call_id,
auth_length=0)
self.assertEqual(rep.u.reject_reason, nak_reason)
self.assertEqual(rep.u.num_versions, 1)
self.assertEqual(rep.u.versions[0].rpc_vers, req.rpc_vers)
self.assertEqual(rep.u.versions[0].rpc_vers_minor, req.rpc_vers_minor)
self.assertPadding(rep.u._pad, 3)
return
self.verify_pdu(rep, samba.dcerpc.dcerpc.DCERPC_PKT_BIND_ACK, req.call_id,
pfc_flags=pfc_flags)
self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
if assoc_group_id != 0:
self.assertEqual(rep.u.assoc_group_id, assoc_group_id)
else:
self.assertNotEqual(rep.u.assoc_group_id, 0)
assoc_group_id = rep.u.assoc_group_id
sda_str = self.secondary_address
sda_len = len(sda_str) + 1
mod_len = (2 + sda_len) % 4
if mod_len != 0:
sda_pad = 4 - mod_len
else:
sda_pad = 0
self.assertEqual(rep.u.secondary_address_size, sda_len)
self.assertEqual(rep.u.secondary_address, sda_str)
self.assertPadding(rep.u._pad1, sda_pad)
self.assertEqual(rep.u.num_results, 1)
self.assertEqual(rep.u.ctx_list[0].result,
samba.dcerpc.dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
self.assertEqual(rep.u.ctx_list[0].reason,
samba.dcerpc.dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ctx.transfer_syntaxes[0])
ack = rep
if auth_context is None:
self.assertEqual(rep.auth_length, 0)
self.assertEqual(len(rep.u.auth_info), 0)
return ack
self.assertNotEqual(rep.auth_length, 0)
self.assertGreater(len(rep.u.auth_info), samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH)
self.assertEqual(rep.auth_length, len(rep.u.auth_info) - samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH)
a = self.parse_auth(rep.u.auth_info, auth_context=auth_context)
from_server = a.credentials
(finished, to_server) = auth_context["gensec"].update(from_server)
if expect_3legs:
self.assertTrue(finished)
if auth_context['hdr_signing']:
auth_context["gensec"].want_feature(gensec.FEATURE_SIGN_PKT_HEADER)
else:
self.assertFalse(use_auth3)
self.assertFalse(finished)
auth_info = self.generate_auth(auth_type=auth_context["auth_type"],
auth_level=auth_context["auth_level"],
auth_context_id=auth_context["auth_context_id"],
auth_blob=to_server)
if use_auth3:
req = self.generate_auth3(call_id=call_id,
pfc_flags=pfc_flags_2nd,
auth_info=auth_info)
self.send_pdu(req)
rep = self.recv_pdu(timeout=0.01)
self.assertIsNone(rep)
self.assertIsConnected()
return ack
req = self.generate_alter(call_id=call_id,
ctx_list=ctx_list,
pfc_flags=pfc_flags_2nd,
assoc_group_id=0xffffffff - assoc_group_id,
auth_info=auth_info)
self.send_pdu(req)
rep = self.recv_pdu()
if alter_fault is not None:
self.verify_pdu(rep, samba.dcerpc.dcerpc.DCERPC_PKT_FAULT, req.call_id,
pfc_flags=req.pfc_flags |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_DID_NOT_EXECUTE,
auth_length=0)
self.assertNotEqual(rep.u.alloc_hint, 0)
self.assertEqual(rep.u.context_id, 0)
self.assertEqual(rep.u.cancel_count, 0)
self.assertEqual(rep.u.flags, 0)
self.assertEqual(rep.u.status, alter_fault)
self.assertEqual(rep.u.reserved, 0)
self.assertEqual(len(rep.u.error_and_verifier), 0)
return None
self.verify_pdu(rep, samba.dcerpc.dcerpc.DCERPC_PKT_ALTER_RESP, req.call_id,
pfc_flags=req.pfc_flags)
self.assertEqual(rep.u.max_xmit_frag, req.u.max_xmit_frag)
self.assertEqual(rep.u.max_recv_frag, req.u.max_recv_frag)
self.assertEqual(rep.u.assoc_group_id, assoc_group_id)
self.assertEqual(rep.u.secondary_address_size, 0)
self.assertEqual(rep.u.secondary_address, '')
self.assertPadding(rep.u._pad1, 2)
self.assertEqual(rep.u.num_results, 1)
self.assertEqual(rep.u.ctx_list[0].result,
samba.dcerpc.dcerpc.DCERPC_BIND_ACK_RESULT_ACCEPTANCE)
self.assertEqual(rep.u.ctx_list[0].reason,
samba.dcerpc.dcerpc.DCERPC_BIND_ACK_REASON_NOT_SPECIFIED)
self.assertNDRSyntaxEquals(rep.u.ctx_list[0].syntax, ctx.transfer_syntaxes[0])
if finished:
self.assertEqual(rep.auth_length, 0)
else:
self.assertNotEqual(rep.auth_length, 0)
self.assertGreaterEqual(len(rep.u.auth_info), samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH)
self.assertEqual(rep.auth_length, len(rep.u.auth_info) - samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH)
a = self.parse_auth(rep.u.auth_info, auth_context=auth_context)
if finished:
return ack
from_server = a.credentials
(finished, to_server) = auth_context["gensec"].update(from_server)
self.assertTrue(finished)
if auth_context['hdr_signing']:
auth_context["gensec"].want_feature(gensec.FEATURE_SIGN_PKT_HEADER)
return ack
def prepare_presentation(self, abstract, transfer, object=None,
context_id=0xffff, epmap=False, auth_context=None,
pfc_flags=samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST,
assoc_group_id=0,
return_ack=False):
if epmap:
self.epmap_reconnect(abstract, transfer=transfer, object=object)
tsf1_list = [transfer]
ctx = samba.dcerpc.dcerpc.ctx_list()
ctx.context_id = context_id
ctx.num_transfer_syntaxes = len(tsf1_list)
ctx.abstract_syntax = abstract
ctx.transfer_syntaxes = tsf1_list
ack = self.do_generic_bind(ctx=ctx,
auth_context=auth_context,
pfc_flags=pfc_flags,
assoc_group_id=assoc_group_id)
if ack is None:
ctx = None
if return_ack:
return (ctx, ack)
return ctx
def do_single_request(self, call_id, ctx, io,
auth_context=None,
object=None,
bigendian=False, ndr64=False,
allow_remaining=False,
send_req=True,
recv_rep=True,
fault_pfc_flags=(
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST),
fault_status=None,
fault_context_id=None,
timeout=None,
ndr_print=None,
hexdump=None):
if fault_context_id is None:
fault_context_id = ctx.context_id
if ndr_print is None:
ndr_print = self.do_ndr_print
if hexdump is None:
hexdump = self.do_hexdump
if send_req:
if ndr_print:
sys.stderr.write("in: %s" % samba.ndr.ndr_print_in(io))
stub_in = samba.ndr.ndr_pack_in(io, bigendian=bigendian, ndr64=ndr64)
if hexdump:
sys.stderr.write("stub_in: %d\n%s" % (len(stub_in), self.hexdump(stub_in)))
pfc_flags = samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST
pfc_flags |= samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST
if object is not None:
pfc_flags |= samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_OBJECT_UUID
req = self.generate_request_auth(call_id=call_id,
context_id=ctx.context_id,
pfc_flags=pfc_flags,
object=object,
opnum=io.opnum(),
stub=stub_in,
auth_context=auth_context)
self.send_pdu(req, ndr_print=ndr_print, hexdump=hexdump)
if recv_rep:
(rep, rep_blob) = self.recv_pdu_raw(timeout=timeout,
ndr_print=ndr_print,
hexdump=hexdump)
if fault_status:
self.verify_pdu(rep, samba.dcerpc.dcerpc.DCERPC_PKT_FAULT, call_id,
pfc_flags=fault_pfc_flags, auth_length=0)
self.assertNotEqual(rep.u.alloc_hint, 0)
self.assertEqual(rep.u.context_id, fault_context_id)
self.assertEqual(rep.u.cancel_count, 0)
self.assertEqual(rep.u.flags, 0)
self.assertEqual(rep.u.status, fault_status)
self.assertEqual(rep.u.reserved, 0)
self.assertEqual(len(rep.u.error_and_verifier), 0)
return
expected_auth_length = 0
if auth_context is not None and \
auth_context["auth_level"] >= dcerpc.DCERPC_AUTH_LEVEL_PACKET:
if send_req:
expected_auth_length = req.auth_length
else:
expected_auth_length = rep.auth_length
self.verify_pdu(rep, samba.dcerpc.dcerpc.DCERPC_PKT_RESPONSE, call_id,
auth_length=expected_auth_length)
self.assertNotEqual(rep.u.alloc_hint, 0)
self.assertEqual(rep.u.context_id, ctx.context_id & 0xff)
self.assertEqual(rep.u.cancel_count, 0)
self.assertGreaterEqual(len(rep.u.stub_and_verifier), rep.u.alloc_hint)
stub_out = self.check_response_auth(rep, rep_blob, auth_context)
self.assertEqual(len(stub_out), rep.u.alloc_hint)
if hexdump:
sys.stderr.write("stub_out: %d\n%s" % (len(stub_out), self.hexdump(stub_out)))
ndr_unpack_out(io, stub_out, bigendian=bigendian, ndr64=ndr64,
allow_remaining=allow_remaining)
if ndr_print:
sys.stderr.write("out: %s" % samba.ndr.ndr_print_out(io))
def epmap_reconnect(self, abstract, transfer=None, object=None):
ndr32 = samba.dcerpc.base.transfer_syntax_ndr()
if transfer is None:
transfer = ndr32
if object is None:
object = samba.dcerpc.misc.GUID()
ctx = self.prepare_presentation(samba.dcerpc.epmapper.abstract_syntax(),
transfer, context_id=0)
data1 = ndr_pack(abstract)
lhs1 = samba.dcerpc.epmapper.epm_lhs()
lhs1.protocol = samba.dcerpc.epmapper.EPM_PROTOCOL_UUID
lhs1.lhs_data = data1[:18]
rhs1 = samba.dcerpc.epmapper.epm_rhs_uuid()
rhs1.unknown = data1[18:]
floor1 = samba.dcerpc.epmapper.epm_floor()
floor1.lhs = lhs1
floor1.rhs = rhs1
data2 = ndr_pack(transfer)
lhs2 = samba.dcerpc.epmapper.epm_lhs()
lhs2.protocol = samba.dcerpc.epmapper.EPM_PROTOCOL_UUID
lhs2.lhs_data = data2[:18]
rhs2 = samba.dcerpc.epmapper.epm_rhs_uuid()
rhs2.unknown = data1[18:]
floor2 = samba.dcerpc.epmapper.epm_floor()
floor2.lhs = lhs2
floor2.rhs = rhs2
lhs3 = samba.dcerpc.epmapper.epm_lhs()
lhs3.protocol = samba.dcerpc.epmapper.EPM_PROTOCOL_NCACN
lhs3.lhs_data = b""
floor3 = samba.dcerpc.epmapper.epm_floor()
floor3.lhs = lhs3
floor3.rhs.minor_version = 0
lhs4 = samba.dcerpc.epmapper.epm_lhs()
lhs4.protocol = samba.dcerpc.epmapper.EPM_PROTOCOL_TCP
lhs4.lhs_data = b""
floor4 = samba.dcerpc.epmapper.epm_floor()
floor4.lhs = lhs4
floor4.rhs.port = int(self.primary_address)
lhs5 = samba.dcerpc.epmapper.epm_lhs()
lhs5.protocol = samba.dcerpc.epmapper.EPM_PROTOCOL_IP
lhs5.lhs_data = b""
floor5 = samba.dcerpc.epmapper.epm_floor()
floor5.lhs = lhs5
floor5.rhs.ipaddr = "0.0.0.0"
floors = [floor1, floor2, floor3, floor4, floor5]
req_tower = samba.dcerpc.epmapper.epm_tower()
req_tower.num_floors = len(floors)
req_tower.floors = floors
req_twr = samba.dcerpc.epmapper.epm_twr_t()
req_twr.tower = req_tower
epm_map = samba.dcerpc.epmapper.epm_Map()
epm_map.in_object = object
epm_map.in_map_tower = req_twr
epm_map.in_entry_handle = samba.dcerpc.misc.policy_handle()
epm_map.in_max_towers = 4
self.do_single_request(call_id=2, ctx=ctx, io=epm_map)
self.assertGreaterEqual(epm_map.out_num_towers, 1)
rep_twr = epm_map.out_towers[0].twr
self.assertIsNotNone(rep_twr)
self.assertEqual(rep_twr.tower_length, 75)
self.assertEqual(rep_twr.tower.num_floors, 5)
self.assertEqual(len(rep_twr.tower.floors), 5)
self.assertEqual(rep_twr.tower.floors[3].lhs.protocol,
samba.dcerpc.epmapper.EPM_PROTOCOL_TCP)
self.assertEqual(rep_twr.tower.floors[3].lhs.protocol,
samba.dcerpc.epmapper.EPM_PROTOCOL_TCP)
# reconnect to the given port
self._disconnect("epmap_reconnect")
self.primary_address = "%d" % rep_twr.tower.floors[3].rhs.port
self.secondary_address = None
self.connect()
def prepare_pdu(self, req, ndr_print=None, hexdump=None):
if ndr_print is None:
ndr_print = self.do_ndr_print
if hexdump is None:
hexdump = self.do_hexdump
req_pdu = ndr_pack(req)
if ndr_print:
sys.stderr.write("prepare_pdu: %s" % samba.ndr.ndr_print(req))
if hexdump:
sys.stderr.write("prepare_pdu: %d\n%s" % (len(req_pdu), self.hexdump(req_pdu)))
return req_pdu
def send_pdu_blob(self, req_pdu, hexdump=None):
if hexdump is None:
hexdump = self.do_hexdump
try:
if hexdump:
sys.stderr.write("send_pdu_blob: %d\n%s" % (len(req_pdu), self.hexdump(req_pdu)))
while True:
sent = self.s.send(req_pdu, 0)
if sent == len(req_pdu):
break
req_pdu = req_pdu[sent:]
except socket.error as e:
self._disconnect("send_pdu_blob: %s" % e)
raise
except IOError as e:
self._disconnect("send_pdu_blob: %s" % e)
raise
except NTSTATUSError as e:
self._disconnect("send_pdu_blob: %s" % e)
raise
finally:
pass
def send_pdu(self, req, ndr_print=None, hexdump=None):
req_pdu = self.prepare_pdu(req, ndr_print=ndr_print, hexdump=False)
return self.send_pdu_blob(req_pdu, hexdump=hexdump)
def recv_raw(self, hexdump=None, timeout=None):
rep_pdu = None
if hexdump is None:
hexdump = self.do_hexdump
try:
if timeout is not None:
self.s.settimeout(timeout)
rep_pdu = self.s.recv(0xffff, 0)
self.s.settimeout(10)
if len(rep_pdu) == 0:
self._disconnect("recv_raw: EOF")
return None
if hexdump:
sys.stderr.write("recv_raw: %d\n%s" % (len(rep_pdu), self.hexdump(rep_pdu)))
except socket.timeout as e:
self.s.settimeout(10)
sys.stderr.write("recv_raw: TIMEOUT\n")
pass
except socket.error as e:
self._disconnect("recv_raw: %s" % e)
raise
except IOError as e:
self._disconnect("recv_raw: %s" % e)
raise
finally:
pass
return rep_pdu
def recv_pdu_raw(self, ndr_print=None, hexdump=None, timeout=None):
rep_pdu = None
rep = None
if ndr_print is None:
ndr_print = self.do_ndr_print
if hexdump is None:
hexdump = self.do_hexdump
try:
rep_pdu = self.recv_raw(hexdump=hexdump, timeout=timeout)
if rep_pdu is None:
return (None, None)
rep = ndr_unpack(samba.dcerpc.dcerpc.ncacn_packet, rep_pdu, allow_remaining=True)
if ndr_print:
sys.stderr.write("recv_pdu: %s" % samba.ndr.ndr_print(rep))
self.assertEqual(rep.frag_length, len(rep_pdu))
finally:
pass
return (rep, rep_pdu)
def recv_pdu(self, ndr_print=None, hexdump=None, timeout=None):
(rep, rep_pdu) = self.recv_pdu_raw(ndr_print=ndr_print,
hexdump=hexdump,
timeout=timeout)
return rep
def generate_auth(self,
auth_type=None,
auth_level=None,
auth_pad_length=0,
auth_context_id=None,
auth_blob=None,
ndr_print=None, hexdump=None):
if ndr_print is None:
ndr_print = self.do_ndr_print
if hexdump is None:
hexdump = self.do_hexdump
if auth_type is not None:
a = samba.dcerpc.dcerpc.auth()
a.auth_type = auth_type
a.auth_level = auth_level
a.auth_pad_length = auth_pad_length
a.auth_context_id = auth_context_id
a.credentials = auth_blob
ai = ndr_pack(a)
if ndr_print:
sys.stderr.write("generate_auth: %s" % samba.ndr.ndr_print(a))
if hexdump:
sys.stderr.write("generate_auth: %d\n%s" % (len(ai), self.hexdump(ai)))
else:
ai = b""
return ai
def parse_auth(self, auth_info, ndr_print=None, hexdump=None,
auth_context=None, stub_len=0):
if ndr_print is None:
ndr_print = self.do_ndr_print
if hexdump is None:
hexdump = self.do_hexdump
if (len(auth_info) <= samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH):
return None
if hexdump:
sys.stderr.write("parse_auth: %d\n%s" % (len(auth_info), self.hexdump(auth_info)))
a = ndr_unpack(samba.dcerpc.dcerpc.auth, auth_info, allow_remaining=True)
if ndr_print:
sys.stderr.write("parse_auth: %s" % samba.ndr.ndr_print(a))
if auth_context is not None:
self.assertEqual(a.auth_type, auth_context["auth_type"])
self.assertEqual(a.auth_level, auth_context["auth_level"])
self.assertEqual(a.auth_reserved, 0)
self.assertEqual(a.auth_context_id, auth_context["auth_context_id"])
self.assertLessEqual(a.auth_pad_length, dcerpc.DCERPC_AUTH_PAD_ALIGNMENT)
self.assertLessEqual(a.auth_pad_length, stub_len)
return a
def check_response_auth(self, rep, rep_blob, auth_context=None,
auth_pad_length=None):
if auth_context is None:
self.assertEqual(rep.auth_length, 0)
return rep.u.stub_and_verifier
if auth_context["auth_level"] == dcerpc.DCERPC_AUTH_LEVEL_CONNECT:
self.assertEqual(rep.auth_length, 0)
return rep.u.stub_and_verifier
self.assertGreater(rep.auth_length, 0)
ofs_stub = dcerpc.DCERPC_REQUEST_LENGTH
ofs_sig = rep.frag_length - rep.auth_length
ofs_trailer = ofs_sig - dcerpc.DCERPC_AUTH_TRAILER_LENGTH
rep_data = rep_blob[ofs_stub:ofs_trailer]
rep_whole = rep_blob[0:ofs_sig]
rep_sig = rep_blob[ofs_sig:]
rep_auth_info_blob = rep_blob[ofs_trailer:]
rep_auth_info = self.parse_auth(rep_auth_info_blob,
auth_context=auth_context,
stub_len=len(rep_data))
if auth_pad_length is not None:
self.assertEqual(rep_auth_info.auth_pad_length, auth_pad_length)
self.assertEqual(rep_auth_info.credentials, rep_sig)
if auth_context["auth_level"] >= dcerpc.DCERPC_AUTH_LEVEL_PRIVACY:
# TODO: not yet supported here
self.assertTrue(False)
elif auth_context["auth_level"] >= dcerpc.DCERPC_AUTH_LEVEL_PACKET:
auth_context["gensec"].check_packet(rep_data, rep_whole, rep_sig)
stub_out = rep_data[0:len(rep_data)-rep_auth_info.auth_pad_length]
return stub_out
def generate_pdu(self, ptype, call_id, payload,
rpc_vers=5,
rpc_vers_minor=0,
pfc_flags=(samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST),
drep=None,
ndr_print=None, hexdump=None):
if drep is None:
drep = [samba.dcerpc.dcerpc.DCERPC_DREP_LE, 0, 0, 0]
if getattr(payload, 'auth_info', None):
ai = payload.auth_info
else:
ai = b""
p = samba.dcerpc.dcerpc.ncacn_packet()
p.rpc_vers = rpc_vers
p.rpc_vers_minor = rpc_vers_minor
p.ptype = ptype
p.pfc_flags = pfc_flags
p.drep = drep
p.frag_length = 0
if len(ai) > samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH:
p.auth_length = len(ai) - samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH
else:
self.assertEqual(len(ai), 0)
p.auth_length = 0
p.call_id = call_id
p.u = payload
pdu = ndr_pack(p)
p.frag_length = len(pdu)
return p
def generate_request_auth(self, call_id,
pfc_flags=(dcerpc.DCERPC_PFC_FLAG_FIRST |
dcerpc.DCERPC_PFC_FLAG_LAST),
alloc_hint=None,
context_id=None,
opnum=None,
object=None,
stub=None,
auth_context=None,
ndr_print=None, hexdump=None):
if stub is None:
stub = b""
sig_size = 0
if auth_context is not None:
mod_len = len(stub) % dcerpc.DCERPC_AUTH_PAD_ALIGNMENT
auth_pad_length = 0
if mod_len > 0:
auth_pad_length = dcerpc.DCERPC_AUTH_PAD_ALIGNMENT - mod_len
stub += b'\x00' * auth_pad_length
if auth_context["g_auth_level"] >= samba.dcerpc.dcerpc.DCERPC_AUTH_LEVEL_PACKET:
sig_size = auth_context["gensec"].sig_size(len(stub))
else:
sig_size = 16
zero_sig = b"\x00" * sig_size
auth_info = self.generate_auth(auth_type=auth_context["auth_type"],
auth_level=auth_context["auth_level"],
auth_pad_length=auth_pad_length,
auth_context_id=auth_context["auth_context_id"],
auth_blob=zero_sig)
else:
auth_info = b""
req = self.generate_request(call_id=call_id,
pfc_flags=pfc_flags,
alloc_hint=alloc_hint,
context_id=context_id,
opnum=opnum,
object=object,
stub=stub,
auth_info=auth_info,
ndr_print=ndr_print,
hexdump=hexdump)
if auth_context is None:
return req
req_blob = samba.ndr.ndr_pack(req)
ofs_stub = dcerpc.DCERPC_REQUEST_LENGTH
ofs_sig = len(req_blob) - req.auth_length
ofs_trailer = ofs_sig - dcerpc.DCERPC_AUTH_TRAILER_LENGTH
req_data = req_blob[ofs_stub:ofs_trailer]
req_whole = req_blob[0:ofs_sig]
if auth_context["g_auth_level"] >= dcerpc.DCERPC_AUTH_LEVEL_PRIVACY:
# TODO: not yet supported here
self.assertTrue(False)
elif auth_context["g_auth_level"] >= dcerpc.DCERPC_AUTH_LEVEL_PACKET:
req_sig = auth_context["gensec"].sign_packet(req_data, req_whole)
elif auth_context["g_auth_level"] >= dcerpc.DCERPC_AUTH_LEVEL_CONNECT:
self.assertEqual(auth_context["auth_type"],
dcerpc.DCERPC_AUTH_TYPE_NTLMSSP)
req_sig = b"\x01" +b"\x00" *15
else:
return req
self.assertEqual(len(req_sig), req.auth_length)
self.assertEqual(len(req_sig), sig_size)
stub_sig_ofs = len(req.u.stub_and_verifier) - sig_size
stub = req.u.stub_and_verifier[0:stub_sig_ofs] + req_sig
req.u.stub_and_verifier = stub
return req
def verify_pdu(self, p, ptype, call_id,
rpc_vers=5,
rpc_vers_minor=0,
pfc_flags=(samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST),
drep=None,
auth_length=None):
if drep is None:
drep = [samba.dcerpc.dcerpc.DCERPC_DREP_LE, 0, 0, 0]
self.assertIsNotNone(p, "No valid pdu")
if getattr(p.u, 'auth_info', None):
ai = p.u.auth_info
else:
ai = b""
self.assertEqual(p.rpc_vers, rpc_vers)
self.assertEqual(p.rpc_vers_minor, rpc_vers_minor)
self.assertEqual(p.ptype, ptype)
self.assertEqual(p.pfc_flags, pfc_flags)
self.assertEqual(p.drep, drep)
self.assertGreaterEqual(p.frag_length,
samba.dcerpc.dcerpc.DCERPC_NCACN_PAYLOAD_OFFSET)
if len(ai) > samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH:
self.assertEqual(p.auth_length,
len(ai) - samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH)
elif auth_length is None:
self.assertEqual(p.auth_length, 0)
if auth_length is not None:
self.assertEqual(p.auth_length, auth_length)
self.assertEqual(p.call_id, call_id)
return
def generate_bind(self, call_id,
pfc_flags=(samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST),
max_xmit_frag=None,
max_recv_frag=None,
assoc_group_id=0,
ctx_list=None,
auth_info=b"",
ndr_print=None, hexdump=None):
if ctx_list is None:
ctx_list = []
if max_xmit_frag is None:
max_xmit_frag=self.max_xmit_frag
if max_recv_frag is None:
max_recv_frag=self.max_recv_frag
b = samba.dcerpc.dcerpc.bind()
b.max_xmit_frag = max_xmit_frag
b.max_recv_frag = max_recv_frag
b.assoc_group_id = assoc_group_id
b.num_contexts = len(ctx_list)
b.ctx_list = ctx_list
b.auth_info = auth_info
p = self.generate_pdu(ptype=samba.dcerpc.dcerpc.DCERPC_PKT_BIND,
pfc_flags=pfc_flags,
call_id=call_id,
payload=b,
ndr_print=ndr_print, hexdump=hexdump)
return p
def generate_alter(self, call_id,
pfc_flags=(samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST),
max_xmit_frag=None,
max_recv_frag=None,
assoc_group_id=0,
ctx_list=None,
auth_info=b"",
ndr_print=None, hexdump=None):
if ctx_list is None:
ctx_list = []
if max_xmit_frag is None:
max_xmit_frag=self.max_xmit_frag
if max_recv_frag is None:
max_recv_frag=self.max_recv_frag
a = samba.dcerpc.dcerpc.bind()
a.max_xmit_frag = max_xmit_frag
a.max_recv_frag = max_recv_frag
a.assoc_group_id = assoc_group_id
a.num_contexts = len(ctx_list)
a.ctx_list = ctx_list
a.auth_info = auth_info
p = self.generate_pdu(ptype=samba.dcerpc.dcerpc.DCERPC_PKT_ALTER,
pfc_flags=pfc_flags,
call_id=call_id,
payload=a,
ndr_print=ndr_print, hexdump=hexdump)
return p
def generate_auth3(self, call_id,
pfc_flags=(samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST),
auth_info=b"",
ndr_print=None, hexdump=None):
a = samba.dcerpc.dcerpc.auth3()
a.auth_info = auth_info
p = self.generate_pdu(ptype=samba.dcerpc.dcerpc.DCERPC_PKT_AUTH3,
pfc_flags=pfc_flags,
call_id=call_id,
payload=a,
ndr_print=ndr_print, hexdump=hexdump)
return p
def generate_request(self, call_id,
pfc_flags=(samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST),
alloc_hint=None,
context_id=None,
opnum=None,
object=None,
stub=None,
auth_info=b"",
ndr_print=None, hexdump=None):
if alloc_hint is None:
alloc_hint = len(stub)
r = samba.dcerpc.dcerpc.request()
r.alloc_hint = alloc_hint
r.context_id = context_id
r.opnum = opnum
if object is not None:
r.object = object
r.stub_and_verifier = stub + auth_info
p = self.generate_pdu(ptype=samba.dcerpc.dcerpc.DCERPC_PKT_REQUEST,
pfc_flags=pfc_flags,
call_id=call_id,
payload=r,
ndr_print=ndr_print, hexdump=hexdump)
if len(auth_info) > samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH:
p.auth_length = len(auth_info) - samba.dcerpc.dcerpc.DCERPC_AUTH_TRAILER_LENGTH
return p
def generate_co_cancel(self, call_id,
pfc_flags=(samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST),
auth_info=b"",
ndr_print=None, hexdump=None):
c = samba.dcerpc.dcerpc.co_cancel()
c.auth_info = auth_info
p = self.generate_pdu(ptype=samba.dcerpc.dcerpc.DCERPC_PKT_CO_CANCEL,
pfc_flags=pfc_flags,
call_id=call_id,
payload=c,
ndr_print=ndr_print, hexdump=hexdump)
return p
def generate_orphaned(self, call_id,
pfc_flags=(samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST),
auth_info=b"",
ndr_print=None, hexdump=None):
o = samba.dcerpc.dcerpc.orphaned()
o.auth_info = auth_info
p = self.generate_pdu(ptype=samba.dcerpc.dcerpc.DCERPC_PKT_ORPHANED,
pfc_flags=pfc_flags,
call_id=call_id,
payload=o,
ndr_print=ndr_print, hexdump=hexdump)
return p
def generate_shutdown(self, call_id,
pfc_flags=(samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_FIRST |
samba.dcerpc.dcerpc.DCERPC_PFC_FLAG_LAST),
ndr_print=None, hexdump=None):
s = samba.dcerpc.dcerpc.shutdown()
p = self.generate_pdu(ptype=samba.dcerpc.dcerpc.DCERPC_PKT_SHUTDOWN,
pfc_flags=pfc_flags,
call_id=call_id,
payload=s,
ndr_print=ndr_print, hexdump=hexdump)
return p
def assertIsConnected(self):
self.assertIsNotNone(self.s, msg="Not connected")
return
def assertNotConnected(self):
self.assertIsNone(self.s, msg="Is connected")
return
def assertNDRSyntaxEquals(self, s1, s2):
self.assertEqual(s1.uuid, s2.uuid)
self.assertEqual(s1.if_version, s2.if_version)
return
def assertPadding(self, pad, length):
self.assertEqual(len(pad), length)
#
# sometimes windows sends random bytes
#
# we have IGNORE_RANDOM_PAD=1 to
# disable the check
#
if self.ignore_random_pad:
return
zero_pad = b'\0' * length
self.assertEqual(pad, zero_pad)
def assertEqualsStrLower(self, s1, s2):
self.assertEqual(str(s1).lower(), str(s2).lower())