From 48b31ae44fb2a1961bd738b0b3e7a986259168a2 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Wed, 7 Oct 1998 21:42:24 +0000 Subject: [PATCH] dce/rpc (This used to be commit 6677b888bdb45df00646eb7cc13005b9465ff971) --- source3/include/ntdomain.h | 6 + source3/include/proto.h | 17 +- source3/include/rpc_dce.h | 40 +++-- source3/libsmb/smbdes.c | 55 +++++- source3/libsmb/smbencrypt.c | 12 ++ source3/rpc_client/cli_pipe.c | 87 ++++++---- source3/rpc_parse/parse_prs.c | 10 +- source3/rpc_parse/parse_rpc.c | 210 +++++++++++++++++----- source3/rpc_server/srv_pipe_hnd.c | 20 ++- source3/rpc_server/srv_util.c | 280 +++++++++++++++++++++++++++++- source3/smbd/ipc.c | 251 ++------------------------ source3/smbd/pipes.c | 2 +- 12 files changed, 657 insertions(+), 333 deletions(-) diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h index 5fb7f8a0893..261cc3dfe36 100644 --- a/source3/include/ntdomain.h +++ b/source3/include/ntdomain.h @@ -67,6 +67,7 @@ typedef struct pipes_struct prs_struct rhdr; /* output header */ prs_struct rdata; /* output data */ prs_struct rauth; /* output authentication verifier */ + prs_struct rverf; /* output verifier */ prs_struct rntlm; /* output ntlmssp */ RPC_HDR hdr; @@ -74,12 +75,17 @@ typedef struct pipes_struct RPC_HDR_RB hdr_rb; RPC_HDR_REQ hdr_req; RPC_HDR_RESP hdr_resp; + RPC_HDR_AUTH auth_info; + RPC_HDR_AUTHA autha_info; RPC_AUTH_VERIFIER auth_verifier; RPC_AUTH_NTLMSSP_NEG ntlmssp_neg; RPC_AUTH_NTLMSSP_CHAL ntlmssp_chal; RPC_AUTH_NTLMSSP_RESP ntlmssp_resp; + BOOL ntlmssp_auth; + unsigned char ntlmssp_hash[256]; + uint32 file_offset; uint32 hdr_offsets; uint32 frag_len_left; diff --git a/source3/include/proto.h b/source3/include/proto.h index f7fb2a47c14..64d586f6c00 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -496,6 +496,8 @@ void E_old_pw_hash( unsigned char *p14, unsigned char *in, unsigned char *out); void cred_hash1(unsigned char *out,unsigned char *in,unsigned char *key); void cred_hash2(unsigned char *out,unsigned char *in,unsigned char *key); void cred_hash3(unsigned char *out,unsigned char *in,unsigned char *key, int forw); +void NTLMSSPhash( unsigned char hash[256], unsigned char const key[5]); +void NTLMSSPcalc( unsigned char hash[256], unsigned char *data, int len); void SamOEMhash( unsigned char *data, unsigned char *key, int val); /*The following definitions come from libsmb/smbencrypt.c */ @@ -504,6 +506,7 @@ void SMBencrypt(uchar *passwd, uchar *c8, uchar *p24); void E_md4hash(uchar *passwd, uchar *p16); void nt_lm_owf_gen(char *pwd, uchar nt_p16[16], uchar p16[16]); void SMBOWFencrypt(uchar passwd[16], uchar *c8, uchar p24[24]); +void NTLMSSPOWFencrypt(uchar passwd[8], uchar *ntlmchalresp, uchar p24[24]); void SMBNTencrypt(uchar *passwd, uchar *c8, uchar *p24); /*The following definitions come from libsmb/smberr.c */ @@ -1489,7 +1492,7 @@ void prs_init(prs_struct *ps, uint32 size, uint8 align, uint32 margin, BOOL io); void prs_mem_free(prs_struct *ps); -void prs_link(prs_struct *ps, prs_struct const *const to); +void prs_link(prs_struct *prev, prs_struct *ps, prs_struct *next); void prs_align(prs_struct *ps); BOOL prs_grow(prs_struct *ps); BOOL prs_uint8(char *name, prs_struct *ps, int depth, uint8 *data8); @@ -1539,13 +1542,20 @@ void smb_io_rpc_hdr_ba(char *desc, RPC_HDR_BA *rpc, prs_struct *ps, int depth); void make_rpc_hdr_req(RPC_HDR_REQ *hdr, uint32 data_len, uint16 opnum); void smb_io_rpc_hdr_req(char *desc, RPC_HDR_REQ *rpc, prs_struct *ps, int depth); void smb_io_rpc_hdr_resp(char *desc, RPC_HDR_RESP *rpc, prs_struct *ps, int depth); +void make_rpc_hdr_autha(RPC_HDR_AUTHA *rai, + uint16 max_tsize, uint16 max_rsize, + uint8 auth_type, uint8 auth_level, + uint8 stub_type_len); +void smb_io_rpc_hdr_autha(char *desc, RPC_HDR_AUTHA *rai, prs_struct *ps, int depth); +void make_rpc_hdr_auth(RPC_HDR_AUTH *rai, + uint8 auth_type, uint8 auth_level, + uint8 stub_type_len); +void smb_io_rpc_hdr_auth(char *desc, RPC_HDR_AUTH *rai, prs_struct *ps, int depth); void make_rpc_auth_ntlmssp_neg(RPC_AUTH_NTLMSSP_NEG *neg, uint32 neg_flgs, fstring myname, fstring domain); void smb_io_rpc_auth_ntlmssp_neg(char *desc, RPC_AUTH_NTLMSSP_NEG *neg, prs_struct *ps, int depth); void make_rpc_auth_verifier(RPC_AUTH_VERIFIER *rav, - uint8 auth_type, uint8 auth_level, - uint8 stub_type_len, char *signature, uint32 msg_type); void smb_io_rpc_auth_verifier(char *desc, RPC_AUTH_VERIFIER *rav, prs_struct *ps, int depth); void make_rpc_auth_ntlmssp_chal(RPC_AUTH_NTLMSSP_CHAL *chl, @@ -1852,6 +1862,7 @@ BOOL api_srvsvc_rpc(pipes_struct *p, prs_struct *data); int make_dom_gids(char *gids_str, DOM_GID **ppgids); BOOL create_rpc_reply(pipes_struct *p, uint32 data_start, uint32 data_end); +BOOL rpc_command(pipes_struct *p, prs_struct *pd); BOOL api_rpcTNP(pipes_struct *p, char *rpc_name, struct api_struct *api_rpc_cmds, prs_struct *data); void get_domain_user_groups(char *domain_groups, char *user); diff --git a/source3/include/rpc_dce.h b/source3/include/rpc_dce.h index a599abb19ca..51a7631c4ed 100644 --- a/source3/include/rpc_dce.h +++ b/source3/include/rpc_dce.h @@ -34,7 +34,8 @@ enum RPC_PKT_TYPE RPC_REQUEST = 0x00, RPC_RESPONSE = 0x02, RPC_BIND = 0x0B, - RPC_BINDACK = 0x0C + RPC_BINDACK = 0x0C, + RPC_BINDRESP = 0x10 /* not the real name! this is undocumented! */ }; /* DCE/RPC flags */ @@ -140,6 +141,33 @@ typedef struct rpc_hdr_bba_info } RPC_HDR_BBA; +/* RPC_HDR_AUTHA */ +typedef struct rpc_hdr_autha_info +{ + uint16 max_tsize; /* maximum transmission fragment size (0x1630) */ + uint16 max_rsize; /* max receive fragment size (0x1630) */ + + uint8 auth_type; /* 0x0a */ + uint8 auth_level; /* 0x06 */ + uint8 stub_type_len; /* don't know */ + uint8 padding; /* padding */ + + uint32 unknown; /* 0x0014a0c0 */ + +} RPC_HDR_AUTHA; + +/* RPC_HDR_AUTH */ +typedef struct rpc_hdr_auth_info +{ + uint8 auth_type; /* 0x0a */ + uint8 auth_level; /* 0x06 */ + uint8 stub_type_len; /* don't know */ + uint8 padding; /* padding */ + + uint32 unknown; /* 0x0014a0c0 */ + +} RPC_HDR_AUTH; + /* RPC_BIND_REQ - ms req bind */ typedef struct rpc_bind_req_info { @@ -179,17 +207,9 @@ typedef struct rpc_hdr_ba_info } RPC_HDR_BA; -/* this is TEMPORARY */ /* RPC_AUTH_VERIFIER */ typedef struct rpc_auth_verif_info { - uint8 auth_type; /* 0x0a */ - uint8 auth_level; /* 0x06 */ - uint8 stub_type_len; /* don't know */ - uint8 padding; /* padding */ - - uint32 ptr_0; /* non-zero pointer to something */ - fstring signature; /* "NTLMSSP" */ uint32 msg_type; /* NTLMSSP_MESSAGE_TYPE (1,2,3) */ @@ -220,9 +240,7 @@ typedef struct rpc_auth_ntlmssp_chal_info uint32 neg_flags; /* 0x0000 82b1 */ uint8 challenge[8]; /* ntlm challenge */ -#if 0 uint8 reserved [8]; /* zeros */ -#endif } RPC_AUTH_NTLMSSP_CHAL; diff --git a/source3/libsmb/smbdes.c b/source3/libsmb/smbdes.c index eebe0dc54fe..e9f23295500 100644 --- a/source3/libsmb/smbdes.c +++ b/source3/libsmb/smbdes.c @@ -357,6 +357,58 @@ void cred_hash3(unsigned char *out,unsigned char *in,unsigned char *key, int for smbhash(out + 8, in + 8, key2, forw); } +void NTLMSSPhash( unsigned char hash[256], unsigned char const key[5]) +{ + unsigned char j = 0; + int ind; + + unsigned char k2[8]; + + memcpy(k2, key, sizeof(key)); + k2[5] = 0xe5; + k2[6] = 0xb8; + k2[6] = 0xb0; + + for (ind = 0; ind < 256; ind++) + { + hash[ind] = (unsigned char)ind; + } + + for( ind = 0; ind < 256; ind++) + { + unsigned char tc; + + j += (hash[ind] + k2[ind%8]); + + tc = hash[ind]; + hash[ind] = hash[j]; + hash[j] = tc; + } +} + +void NTLMSSPcalc( unsigned char hash[256], unsigned char *data, int len) +{ + unsigned char index_i = 0; + unsigned char index_j = 0; + int ind; + + for( ind = 0; ind < len; ind++) + { + unsigned char tc; + unsigned char t; + + index_i++; + index_j += hash[index_i]; + + tc = hash[index_i]; + hash[index_i] = hash[index_j]; + hash[index_j] = tc; + + t = hash[index_i] + hash[index_j]; + data[ind] ^= hash[t]; + } +} + void SamOEMhash( unsigned char *data, unsigned char *key, int val) { unsigned char s_box[256]; @@ -380,8 +432,7 @@ void SamOEMhash( unsigned char *data, unsigned char *key, int val) s_box[ind] = s_box[j]; s_box[j] = tc; } - - for( ind = 0; ind < (val ? 516 : 16); ind++) + for( ind = 0; ind < val ? 516 : 8; ind++) { unsigned char tc; unsigned char t; diff --git a/source3/libsmb/smbencrypt.c b/source3/libsmb/smbencrypt.c index bf9736d7242..44dcbd5e05b 100644 --- a/source3/libsmb/smbencrypt.c +++ b/source3/libsmb/smbencrypt.c @@ -152,6 +152,18 @@ void SMBOWFencrypt(uchar passwd[16], uchar *c8, uchar p24[24]) E_P24(p21, c8, p24); } +/* Does the des encryption from the FIRST 8 BYTES of the NT or LM MD4 hash. */ +void NTLMSSPOWFencrypt(uchar passwd[8], uchar *ntlmchalresp, uchar p24[24]) +{ + uchar p21[21]; + + memset(p21,'\0',21); + memcpy(p21, passwd, 8); + memset(p21 + 8, 0xbd, 8); + + E_P24(p21, ntlmchalresp, p24); +} + /* Does the NT MD4 hash then des encryption. */ diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index 392877f2dcb..44440d9fba2 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -289,12 +289,15 @@ static BOOL rpc_api_pipe(struct cli_state *cli, uint16 cmd, static BOOL create_rpc_bind_req(prs_struct *rhdr, prs_struct *rhdr_rb, + prs_struct *rhdr_auth, prs_struct *auth_req, + prs_struct *auth_ntlm, RPC_IFACE *abstract, RPC_IFACE *transfer, char *my_name, char *domain) { RPC_HDR_RB hdr_rb; RPC_HDR hdr; + RPC_HDR_AUTH hdr_auth; RPC_AUTH_VERIFIER auth_verifier; RPC_AUTH_NTLMSSP_NEG ntlmssp_neg; @@ -306,10 +309,13 @@ static BOOL create_rpc_bind_req(prs_struct *rhdr, smb_io_rpc_hdr_rb("", &hdr_rb, rhdr_rb, 0); mem_realloc_data(rhdr_rb->data, rhdr_rb->offset); - if (auth_req != NULL) + if (auth_req != NULL && rhdr_auth != NULL && auth_ntlm != NULL) { + make_rpc_hdr_auth(&hdr_auth, 0x0a, 0x06, 0x00); + smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rhdr_auth, 0); + mem_realloc_data(rhdr_auth->data, rhdr_auth->offset); + make_rpc_auth_verifier(&auth_verifier, - 0x0a, 0x06, 0x00, "NTLMSSP", NTLMSSP_NEGOTIATE); smb_io_rpc_auth_verifier("auth_verifier", &auth_verifier, auth_req, 0); @@ -325,7 +331,8 @@ static BOOL create_rpc_bind_req(prs_struct *rhdr, /* create the request RPC_HDR */ make_rpc_hdr(&hdr, RPC_BIND, 0x0, get_rpc_call_id(), rhdr_rb->offset + 0x10, - auth_req != NULL ? auth_req->offset : 0); + auth_req != NULL ? auth_req ->offset : 0 + + auth_ntlm != NULL ? auth_ntlm->offset : 0); smb_io_rpc_hdr("hdr" , &hdr , rhdr, 0); mem_realloc_data(rhdr->data, rhdr->offset); @@ -336,25 +343,18 @@ static BOOL create_rpc_bind_req(prs_struct *rhdr, /*** link rpc header, bind acknowledgment and authentication responses ***/ /***/ - rhdr->data->offset.start = 0; - rhdr->data->offset.end = rhdr->offset; - rhdr->data->next = rhdr_rb->data; - if (auth_req != NULL) { - rhdr_rb->data->offset.start = rhdr->offset; - rhdr_rb->data->offset.end = rhdr->offset + rhdr_rb->offset; - rhdr_rb->data->next = auth_req->data; - - auth_req->data->offset.start = rhdr->offset + rhdr_rb->offset; - auth_req->data->offset.end = rhdr->offset + auth_req->offset + rhdr_rb->offset; - auth_req->data->next = NULL; + prs_link(NULL , rhdr , rhdr_rb ); + prs_link(rhdr , rhdr_rb , rhdr_auth); + prs_link(rhdr_rb , rhdr_auth , auth_req ); + prs_link(rhdr_auth, auth_req , auth_ntlm); + prs_link(auth_req , auth_ntlm , NULL ); } else { - rhdr_rb->data->offset.start = rhdr->offset; - rhdr_rb->data->offset.end = rhdr->offset + rhdr_rb->offset; - rhdr_rb->data->next = NULL; + prs_link(NULL, rhdr , rhdr_rb); + prs_link(rhdr, rhdr_rb, NULL ); } return True; @@ -578,7 +578,9 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name, { prs_struct hdr; prs_struct hdr_rb; + prs_struct hdr_auth; prs_struct auth_req; + prs_struct auth_ntlm; prs_struct data; prs_struct rdata; prs_struct rparam; @@ -592,15 +594,20 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name, if (!valid_pipe_name(pipe_name, abstract, transfer)) return False; - prs_init(&hdr , 0x10 , 4, 0x0 , False); - prs_init(&hdr_rb , 1024 , 4, SAFETY_MARGIN, False); - prs_init(&auth_req, ntlmssp_auth ? 1024 : 0, 4, SAFETY_MARGIN, False); + prs_init(&hdr , 0x10 , 4, 0x0 , False); + prs_init(&hdr_rb , 1024 , 4, SAFETY_MARGIN, False); + prs_init(&hdr_auth , ntlmssp_auth ? 8 : 0, 4, SAFETY_MARGIN, False); + prs_init(&auth_req , ntlmssp_auth ? 1024 : 0, 4, SAFETY_MARGIN, False); + prs_init(&auth_ntlm, ntlmssp_auth ? 1024 : 0, 4, SAFETY_MARGIN, False); prs_init(&rdata , 0 , 4, SAFETY_MARGIN, True ); prs_init(&rparam, 0 , 4, SAFETY_MARGIN, True ); - create_rpc_bind_req(&hdr, &hdr_rb, ntlmssp_auth ? &auth_req : NULL, - abstract, transfer, global_myname, global_myworkgroup); + create_rpc_bind_req(&hdr, &hdr_rb, + ntlmssp_auth ? &hdr_auth : NULL, + ntlmssp_auth ? &auth_req : NULL, + ntlmssp_auth ? &auth_ntlm : NULL, + abstract, transfer, global_myname, global_myworkgroup); /* this is a hack due to limitations in rpc_api_pipe */ prs_init(&data, mem_buf_len(hdr.data), 4, 0x0, False); @@ -609,7 +616,10 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name, /* send data on \PIPE\. receive a response */ if (rpc_api_pipe(cli, 0x0026, NULL, &data, &rparam, &rdata)) { - RPC_HDR_BA hdr_ba; + RPC_HDR_BA hdr_ba; + RPC_HDR_AUTH rhdr_auth; + RPC_AUTH_VERIFIER rhdr_verf; + RPC_AUTH_NTLMSSP_CHAL rhdr_chal; DEBUG(5, ("rpc_api_pipe: return OK\n")); @@ -619,14 +629,33 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name, { valid_ack = check_bind_response(&hdr_ba, pipe_name, transfer); } + + if (valid_ack && ntlmssp_auth) + { + smb_io_rpc_hdr_auth("", &rhdr_auth, &rdata, 0); + if (rdata.offset == 0) valid_ack = False; + } + + if (valid_ack && ntlmssp_auth) + { + smb_io_rpc_auth_verifier("", &rhdr_verf, &rdata, 0); + if (rdata.offset == 0) valid_ack = False; + } + if (valid_ack && ntlmssp_auth) + { + smb_io_rpc_auth_ntlmssp_chal("", &rhdr_chal, &rdata, 0); + if (rdata.offset == 0) valid_ack = False; + } } - prs_mem_free(&data ); - prs_mem_free(&hdr ); - prs_mem_free(&hdr_rb ); - prs_mem_free(&auth_req); - prs_mem_free(&rdata ); - prs_mem_free(&rparam ); + prs_mem_free(&data ); + prs_mem_free(&hdr ); + prs_mem_free(&hdr_rb ); + prs_mem_free(&hdr_auth ); + prs_mem_free(&auth_req ); + prs_mem_free(&auth_ntlm); + prs_mem_free(&rdata ); + prs_mem_free(&rparam ); return valid_ack; } diff --git a/source3/rpc_parse/parse_prs.c b/source3/rpc_parse/parse_prs.c index 34f72596ce0..d031a828f12 100644 --- a/source3/rpc_parse/parse_prs.c +++ b/source3/rpc_parse/parse_prs.c @@ -69,9 +69,11 @@ void prs_mem_free(prs_struct *ps) /******************************************************************* link one parsing structure to another ********************************************************************/ -void prs_link(prs_struct *ps, prs_struct const *const to) +void prs_link(prs_struct *prev, prs_struct *ps, prs_struct *next) { - DEBUG(0,("NOT IMPLEMENTED\n")); + ps->data->offset.start = prev != NULL ? prev->data->offset.end : 0; + ps->data->offset.end = ps->data->offset.start + ps->offset; + ps->data->next = next != NULL ? next->data : NULL; } /******************************************************************* @@ -236,7 +238,7 @@ BOOL prs_unistr(char *name, prs_struct *ps, int depth, UNISTR *str) ps->offset += i*2; - dump_data(5+depth, (char *)start, ps->offset); + dump_data(5+depth, (char *)start, i * 2); return True; } @@ -277,7 +279,7 @@ BOOL prs_string(char *name, prs_struct *ps, int depth, char *str, uint16 len, ui ps->offset += i+1; - dump_data(5+depth, (char *)start, ps->offset); + dump_data(5+depth, (char *)start, i); return True; } diff --git a/source3/rpc_parse/parse_rpc.c b/source3/rpc_parse/parse_rpc.c index 90a013dc12b..a1773bb8278 100644 --- a/source3/rpc_parse/parse_rpc.c +++ b/source3/rpc_parse/parse_rpc.c @@ -415,6 +415,83 @@ void smb_io_rpc_hdr_resp(char *desc, RPC_HDR_RESP *rpc, prs_struct *ps, int dep prs_uint8 ("reserved ", ps, depth, &(rpc->reserved)); } +/******************************************************************* +creates an RPC_HDR_AUTHA structure. +********************************************************************/ +void make_rpc_hdr_autha(RPC_HDR_AUTHA *rai, + uint16 max_tsize, uint16 max_rsize, + uint8 auth_type, uint8 auth_level, + uint8 stub_type_len) +{ + if (rai == NULL) return; + + rai->max_tsize = max_tsize; /* maximum transmission fragment size (0x1630) */ + rai->max_rsize = max_rsize; /* max receive fragment size (0x1630) */ + + rai->auth_type = auth_type; /* nt lm ssp 0x0a */ + rai->auth_level = auth_level; /* 0x06 */ + rai->stub_type_len = stub_type_len; /* 0x00 */ + rai->padding = 0; /* padding 0x00 */ + + rai->unknown = 0x0014a0c0; /* non-zero pointer to something */ +} + +/******************************************************************* +reads or writes an RPC_HDR_AUTHA structure. +********************************************************************/ +void smb_io_rpc_hdr_autha(char *desc, RPC_HDR_AUTHA *rai, prs_struct *ps, int depth) +{ + if (rai == NULL) return; + + prs_debug(ps, depth, desc, "smb_io_rpc_hdr_autha"); + depth++; + + prs_uint16("max_tsize ", ps, depth, &(rai->max_tsize)); + prs_uint16("max_rsize ", ps, depth, &(rai->max_rsize)); + + prs_uint8 ("auth_type ", ps, depth, &(rai->auth_type )); /* 0x0a nt lm ssp */ + prs_uint8 ("auth_level ", ps, depth, &(rai->auth_level ));/* 0x06 */ + prs_uint8 ("stub_type_len", ps, depth, &(rai->stub_type_len)); + prs_uint8 ("padding ", ps, depth, &(rai->padding )); + + prs_uint32("unknown ", ps, depth, &(rai->unknown )); /* 0x0014a0c0 */ +} + +/******************************************************************* +creates an RPC_HDR_AUTH structure. +********************************************************************/ +void make_rpc_hdr_auth(RPC_HDR_AUTH *rai, + uint8 auth_type, uint8 auth_level, + uint8 stub_type_len) +{ + if (rai == NULL) return; + + rai->auth_type = auth_type; /* nt lm ssp 0x0a */ + rai->auth_level = auth_level; /* 0x06 */ + rai->stub_type_len = stub_type_len; /* 0x00 */ + rai->padding = 0; /* padding 0x00 */ + + rai->unknown = 0x0014a0c0; /* non-zero pointer to something */ +} + +/******************************************************************* +reads or writes an RPC_HDR_AUTH structure. +********************************************************************/ +void smb_io_rpc_hdr_auth(char *desc, RPC_HDR_AUTH *rai, prs_struct *ps, int depth) +{ + if (rai == NULL) return; + + prs_debug(ps, depth, desc, "smb_io_rpc_hdr_auth"); + depth++; + + prs_uint8 ("auth_type ", ps, depth, &(rai->auth_type )); /* 0x0a nt lm ssp */ + prs_uint8 ("auth_level ", ps, depth, &(rai->auth_level ));/* 0x06 */ + prs_uint8 ("stub_type_len", ps, depth, &(rai->stub_type_len)); + prs_uint8 ("padding ", ps, depth, &(rai->padding )); + + prs_uint32("unknown ", ps, depth, &(rai->unknown )); /* 0x0014a0c0 */ +} + /******************************************************************* creates an RPC_AUTH_NTLMSSP_NEG structure. ********************************************************************/ @@ -459,19 +536,10 @@ void smb_io_rpc_auth_ntlmssp_neg(char *desc, RPC_AUTH_NTLMSSP_NEG *neg, prs_stru creates an RPC_AUTH_VERIFIER structure. ********************************************************************/ void make_rpc_auth_verifier(RPC_AUTH_VERIFIER *rav, - uint8 auth_type, uint8 auth_level, - uint8 stub_type_len, char *signature, uint32 msg_type) { if (rav == NULL) return; - rav->auth_type = auth_type; /* nt lm ssp 0x0a */ - rav->auth_level = auth_level; /* 0x06 */ - rav->stub_type_len = stub_type_len; /* 0x00 */ - rav->padding = 0; /* padding 0x00 */ - - rav->ptr_0 = 0x0014a0c0; /* non-zero pointer to something */ - fstrcpy(rav->signature, signature); /* "NTLMSSP" */ rav->msg_type = msg_type; /* NTLMSSP_MESSAGE_TYPE */ } @@ -486,13 +554,6 @@ void smb_io_rpc_auth_verifier(char *desc, RPC_AUTH_VERIFIER *rav, prs_struct *ps prs_debug(ps, depth, desc, "smb_io_rpc_auth_verifier"); depth++; - prs_uint8("auth_type ", ps, depth, &(rav->auth_type)); /* nt lm ssp 0x0a */ - prs_uint8("auth_level ", ps, depth, &(rav->auth_level));/* 0x06 */ - prs_uint8("stub_type_len", ps, depth, &(rav->stub_type_len)); - prs_uint8("padding ", ps, depth, &(rav->padding)); - - prs_uint32("ptr_0", ps, depth, &(rav->ptr_0 )); /* non-zero pointer to something */ - prs_string("signature", ps, depth, rav->signature, 0, sizeof(rav->signature)); /* "NTLMSSP" */ prs_uint32("msg_type ", ps, depth, &(rav->msg_type )); /* NTLMSSP_MESSAGE_TYPE */ } @@ -511,9 +572,7 @@ void make_rpc_auth_ntlmssp_chal(RPC_AUTH_NTLMSSP_CHAL *chl, chl->neg_flags = neg_flags; /* 0x0082b1 */ memcpy(chl->challenge, challenge, sizeof(chl->challenge)); -/* bzero (chl->reserved , sizeof(chl->reserved)); - */ } /******************************************************************* @@ -531,19 +590,22 @@ void smb_io_rpc_auth_ntlmssp_chal(char *desc, RPC_AUTH_NTLMSSP_CHAL *chl, prs_st prs_uint32("neg_flags", ps, depth, &(chl->neg_flags)); /* 0x0000 82b1 */ prs_uint8s (False, "challenge", ps, depth, chl->challenge, sizeof(chl->challenge)); -/* prs_uint8s (False, "reserved ", ps, depth, chl->reserved , sizeof(chl->reserved )); - */ } /******************************************************************* creates an RPC_AUTH_NTLMSSP_RESP structure. + +*** lkclXXXX FUDGE! HAVE TO MANUALLY SPECIFY OFFSET HERE (0x1c bytes) *** +*** lkclXXXX the actual offset is at the start of the auth verifier *** + ********************************************************************/ void make_rpc_auth_ntlmssp_resp(RPC_AUTH_NTLMSSP_RESP *rsp, uchar lm_resp[24], uchar nt_resp[24], char *domain, char *user, char *wks, uint32 neg_flags) { + uint32 offset; int dom_len = strlen(domain) * 2; int wks_len = strlen(wks ) * 2; int usr_len = strlen(user ) * 2; @@ -552,12 +614,24 @@ void make_rpc_auth_ntlmssp_resp(RPC_AUTH_NTLMSSP_RESP *rsp, if (rsp == NULL) return; - make_str_hdr(&rsp->hdr_lm_resp, lm_len, lm_len, 1); - make_str_hdr(&rsp->hdr_nt_resp, nt_len, nt_len, 1); - make_str_hdr(&rsp->hdr_domain , dom_len, dom_len, 1); - make_str_hdr(&rsp->hdr_usr , usr_len, usr_len, 1); - make_str_hdr(&rsp->hdr_wks , wks_len, wks_len, 1); - make_str_hdr(&rsp->hdr_sess_key, 0, 0, 1); + offset = 0x40; + + make_str_hdr(&rsp->hdr_lm_resp, lm_len, lm_len, offset); + offset += lm_len * 2; + + make_str_hdr(&rsp->hdr_nt_resp, nt_len, nt_len, offset); + offset += nt_len * 2; + + make_str_hdr(&rsp->hdr_domain , dom_len, dom_len, offset); + offset += dom_len * 2; + + make_str_hdr(&rsp->hdr_usr , usr_len, usr_len, offset); + offset += usr_len * 2; + + make_str_hdr(&rsp->hdr_wks , wks_len, wks_len, offset); + offset += wks_len * 2; + + make_str_hdr(&rsp->hdr_sess_key, 0, 0, offset); rsp->neg_flags = neg_flags; @@ -573,6 +647,10 @@ void make_rpc_auth_ntlmssp_resp(RPC_AUTH_NTLMSSP_RESP *rsp, /******************************************************************* reads or writes an RPC_AUTH_NTLMSSP_RESP structure. + +*** lkclXXXX FUDGE! HAVE TO MANUALLY SPECIFY OFFSET HERE (0x1c bytes) *** +*** lkclXXXX the actual offset is at the start of the auth verifier *** + ********************************************************************/ void smb_io_rpc_auth_ntlmssp_resp(char *desc, RPC_AUTH_NTLMSSP_RESP *rsp, prs_struct *ps, int depth) { @@ -581,21 +659,71 @@ void smb_io_rpc_auth_ntlmssp_resp(char *desc, RPC_AUTH_NTLMSSP_RESP *rsp, prs_st prs_debug(ps, depth, desc, "smb_io_rpc_auth_ntlmssp_resp"); depth++; - smb_io_strhdr("hdr_lm_resp ", &rsp->hdr_lm_resp , ps, depth); - smb_io_strhdr("hdr_nt_resp ", &rsp->hdr_nt_resp , ps, depth); - smb_io_strhdr("hdr_domain ", &rsp->hdr_domain , ps, depth); - smb_io_strhdr("hdr_user ", &rsp->hdr_usr , ps, depth); - smb_io_strhdr("hdr_wks ", &rsp->hdr_wks , ps, depth); - smb_io_strhdr("hdr_sess_key", &rsp->hdr_sess_key, ps, depth); - - prs_uint32("neg_flags", ps, depth, &(rsp->neg_flags)); /* 0x0000 82b1 */ - - prs_string("sess_key", ps, depth, rsp->sess_key, rsp->hdr_sess_key.str_str_len, sizeof(rsp->sess_key)); - prs_string("wks ", ps, depth, rsp->wks , rsp->hdr_wks .str_str_len, sizeof(rsp->wks )); - prs_string("user ", ps, depth, rsp->user , rsp->hdr_usr .str_str_len, sizeof(rsp->user )); - prs_string("domain ", ps, depth, rsp->domain , rsp->hdr_domain .str_str_len, sizeof(rsp->domain )); - prs_string("nt_resp ", ps, depth, rsp->nt_resp , rsp->hdr_nt_resp .str_str_len, sizeof(rsp->nt_resp )); - prs_string("lm_resp ", ps, depth, rsp->lm_resp , rsp->hdr_lm_resp .str_str_len, sizeof(rsp->lm_resp )); + ZERO_STRUCTP(rsp); + + if (ps->io) + { + uint32 old_offset; + /* reading */ + smb_io_strhdr("hdr_lm_resp ", &rsp->hdr_lm_resp , ps, depth); + smb_io_strhdr("hdr_nt_resp ", &rsp->hdr_nt_resp , ps, depth); + smb_io_strhdr("hdr_domain ", &rsp->hdr_domain , ps, depth); + smb_io_strhdr("hdr_user ", &rsp->hdr_usr , ps, depth); + smb_io_strhdr("hdr_wks ", &rsp->hdr_wks , ps, depth); + smb_io_strhdr("hdr_sess_key", &rsp->hdr_sess_key, ps, depth); + + prs_uint32("neg_flags", ps, depth, &(rsp->neg_flags)); /* 0x0000 82b1 */ + + old_offset = ps->offset; + + ps->offset = rsp->hdr_lm_resp .buffer + 0x1c; + prs_uint8s(False, "lm_resp ", ps, depth, rsp->lm_resp , MIN(rsp->hdr_lm_resp .str_str_len, sizeof(rsp->lm_resp ))); + old_offset += rsp->hdr_lm_resp .str_str_len; + + ps->offset = rsp->hdr_nt_resp .buffer + 0x1c; + prs_uint8s(False, "nt_resp ", ps, depth, rsp->nt_resp , MIN(rsp->hdr_nt_resp .str_str_len, sizeof(rsp->nt_resp ))); + old_offset += rsp->hdr_nt_resp .str_str_len; + + ps->offset = rsp->hdr_domain .buffer + 0x1c; + prs_uint8s(True , "domain ", ps, depth, rsp->domain , MIN(rsp->hdr_domain .str_str_len, sizeof(rsp->domain ))); + old_offset += rsp->hdr_domain .str_str_len; + + ps->offset = rsp->hdr_usr .buffer + 0x1c; + prs_uint8s(True , "user ", ps, depth, rsp->user , MIN(rsp->hdr_usr .str_str_len, sizeof(rsp->user ))); + old_offset += rsp->hdr_usr .str_str_len; + + ps->offset = rsp->hdr_wks .buffer + 0x1c; + prs_uint8s(True , "wks ", ps, depth, rsp->wks , MIN(rsp->hdr_wks .str_str_len, sizeof(rsp->wks ))); + old_offset += rsp->hdr_wks .str_str_len; + + if (rsp->hdr_sess_key.str_str_len != 0) + { + ps->offset = rsp->hdr_sess_key.buffer + 0x1c; + old_offset += rsp->hdr_sess_key.str_str_len; + prs_uint8s(False, "sess_key", ps, depth, rsp->sess_key, MIN(rsp->hdr_sess_key.str_str_len, sizeof(rsp->sess_key))); + } + + ps->offset = old_offset; + } + else + { + /* writing */ + smb_io_strhdr("hdr_lm_resp ", &rsp->hdr_lm_resp , ps, depth); + smb_io_strhdr("hdr_nt_resp ", &rsp->hdr_nt_resp , ps, depth); + smb_io_strhdr("hdr_domain ", &rsp->hdr_domain , ps, depth); + smb_io_strhdr("hdr_user ", &rsp->hdr_usr , ps, depth); + smb_io_strhdr("hdr_wks ", &rsp->hdr_wks , ps, depth); + smb_io_strhdr("hdr_sess_key", &rsp->hdr_sess_key, ps, depth); + + prs_uint32("neg_flags", ps, depth, &(rsp->neg_flags)); /* 0x0000 82b1 */ + + prs_uint8s(False, "sess_key", ps, depth, rsp->sess_key, MIN(rsp->hdr_sess_key.str_str_len, sizeof(rsp->sess_key))); + prs_uint8s(True , "wks ", ps, depth, rsp->wks , MIN(rsp->hdr_wks .str_str_len, sizeof(rsp->wks ))); + prs_uint8s(True , "user ", ps, depth, rsp->user , MIN(rsp->hdr_usr .str_str_len, sizeof(rsp->user ))); + prs_uint8s(True , "domain ", ps, depth, rsp->domain , MIN(rsp->hdr_domain .str_str_len, sizeof(rsp->domain ))); + prs_uint8s(False, "nt_resp ", ps, depth, rsp->nt_resp , MIN(rsp->hdr_nt_resp .str_str_len, sizeof(rsp->nt_resp ))); + prs_uint8s(False, "lm_resp ", ps, depth, rsp->lm_resp , MIN(rsp->hdr_lm_resp .str_str_len, sizeof(rsp->lm_resp ))); + } } #if 0 diff --git a/source3/rpc_server/srv_pipe_hnd.c b/source3/rpc_server/srv_pipe_hnd.c index e898a8606f2..31ca1a7c20e 100644 --- a/source3/rpc_server/srv_pipe_hnd.c +++ b/source3/rpc_server/srv_pipe_hnd.c @@ -155,15 +155,33 @@ pipes_struct *open_rpc_pipe_p(char *pipe_name, /**************************************************************************** writes data to a pipe. + + SERIOUSLY ALPHA CODE! ****************************************************************************/ int write_pipe(pipes_struct *p, char *data, int n) { + prs_struct pd; + struct mem_buf data_buf; + DEBUG(6,("write_pipe: %x", p->pnum)); DEBUG(6,("name: %s open: %s len: %d", p->name, BOOLSTR(p->open), n)); - return -1; + dump_data(50, data, n); + + /* fake up a data buffer from the write_pipe data parameters */ + mem_create(&data_buf, data, n, 0, False); + data_buf.offset.start = 0; + data_buf.offset.end = n; + + /* fake up a parsing structure */ + pd.data = &data_buf; + pd.align = 4; + pd.io = True; + pd.offset = 0; + + return rpc_command(p, &pd) ? n : -1; } diff --git a/source3/rpc_server/srv_util.c b/source3/rpc_server/srv_util.c index fc78c656fd2..520a9cc02a2 100644 --- a/source3/rpc_server/srv_util.c +++ b/source3/rpc_server/srv_util.c @@ -209,6 +209,284 @@ BOOL create_rpc_reply(pipes_struct *p, } +static BOOL api_pipe_ntlmssp(pipes_struct *p, prs_struct *pd) +{ + /* receive a negotiate; send a challenge; receive a response */ + switch (p->auth_verifier.msg_type) + { + case NTLMSSP_NEGOTIATE: + { + smb_io_rpc_auth_ntlmssp_neg("", &p->ntlmssp_neg, pd, 0); + break; + } + case NTLMSSP_AUTH: + { + smb_io_rpc_auth_ntlmssp_resp("", &p->ntlmssp_resp, pd, 0); + break; + } + default: + { + /* NTLMSSP expected: unexpected message type */ + DEBUG(3,("unexpected message type in NTLMSSP %d\n", + p->auth_verifier.msg_type)); + return False; + } + } + + return (pd->offset != 0); +} + +struct api_cmd +{ + char * pipe_clnt_name; + char * pipe_srv_name; + BOOL (*fn) (pipes_struct *, prs_struct *); +}; + +static struct api_cmd api_fd_commands[] = +{ + { "lsarpc", "lsass", api_ntlsa_rpc }, + { "samr", "lsass", api_samr_rpc }, + { "srvsvc", "ntsvcs", api_srvsvc_rpc }, + { "wkssvc", "ntsvcs", api_wkssvc_rpc }, + { "NETLOGON", "lsass", api_netlog_rpc }, + { "winreg", "winreg", api_reg_rpc }, + { NULL, NULL, NULL } +}; + +static BOOL api_pipe_bind_auth_resp(pipes_struct *p, prs_struct *pd) +{ + p->ntlmssp_auth = False; + + DEBUG(5,("api_pipe_bind_auth_resp: decode request. %d\n", __LINE__)); + + if (p->hdr.auth_len != 0) + { + /* decode the authentication verifier response */ + smb_io_rpc_hdr_autha("", &p->autha_info, pd, 0); + if (pd->offset == 0) return False; + + p->ntlmssp_auth = p->auth_info.auth_type = 0x0a; + + if (p->ntlmssp_auth) + { + smb_io_rpc_auth_verifier("", &p->auth_verifier, pd, 0); + if (pd->offset == 0) return False; + + p->ntlmssp_auth = strequal(p->auth_verifier.signature, "NTLMSSP"); + } + + if (p->ntlmssp_auth) + { + if (!api_pipe_ntlmssp(p, pd)) return False; + } + } + + return p->ntlmssp_auth; +} + +static BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *pd) +{ + uint16 assoc_gid; + fstring ack_pipe_name; + int i = 0; + + p->ntlmssp_auth = False; + + DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__)); + + for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) + { + if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) && + api_fd_commands[i].fn != NULL) + { + DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n", + api_fd_commands[i].pipe_clnt_name, + api_fd_commands[i].pipe_srv_name)); + fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name); + break; + } + } + + if (api_fd_commands[i].fn == NULL) return False; + + /* decode the bind request */ + smb_io_rpc_hdr_rb("", &p->hdr_rb, pd, 0); + + if (pd->offset == 0) return False; + + if (p->hdr.auth_len != 0) + { + /* decode the authentication verifier */ + smb_io_rpc_hdr_auth ("", &p->auth_info , pd, 0); + if (pd->offset == 0) return False; + + p->ntlmssp_auth = p->auth_info.auth_type = 0x0a; + + if (p->ntlmssp_auth) + { + smb_io_rpc_auth_verifier("", &p->auth_verifier, pd, 0); + if (pd->offset == 0) return False; + + p->ntlmssp_auth = strequal(p->auth_verifier.signature, "NTLMSSP"); + } + + if (p->ntlmssp_auth) + { + if (!api_pipe_ntlmssp(p, pd)) return False; + } + } + + /* name has to be \PIPE\xxxxx */ + fstrcpy(ack_pipe_name, "\\PIPE\\"); + fstrcat(ack_pipe_name, p->pipe_srv_name); + + DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__)); + + prs_init(&(p->rdata), 1024, 4, 0, False); + prs_init(&(p->rhdr ), 0x10, 4, 0, False); + prs_init(&(p->rauth), 1024, 4, 0, False); + prs_init(&(p->rverf), 0x08, 4, 0, False); + prs_init(&(p->rntlm), 1024, 4, 0, False); + + /***/ + /*** do the bind ack first ***/ + /***/ + + if (p->ntlmssp_auth) + { + assoc_gid = 0x7a77; + } + else + { + assoc_gid = p->hdr_rb.bba.assoc_gid; + } + + make_rpc_hdr_ba(&p->hdr_ba, + p->hdr_rb.bba.max_tsize, + p->hdr_rb.bba.max_rsize, + assoc_gid, + ack_pipe_name, + 0x1, 0x0, 0x0, + &(p->hdr_rb.transfer)); + + smb_io_rpc_hdr_ba("", &p->hdr_ba, &p->rdata, 0); + mem_realloc_data(p->rdata.data, p->rdata.offset); + + /***/ + /*** now the authentication ***/ + /***/ + + if (p->ntlmssp_auth) + { + uint8 challenge[8]; + generate_random_buffer(challenge, 8, False); + + /*** authentication info ***/ + + make_rpc_hdr_auth(&p->auth_info, + 0x0a, 0x06, 0); + smb_io_rpc_hdr_auth("", &p->auth_info, &p->rverf, 0); + mem_realloc_data(p->rverf.data, p->rverf.offset); + + /*** NTLMSSP verifier ***/ + + make_rpc_auth_verifier(&p->auth_verifier, + "NTLMSSP", NTLMSSP_CHALLENGE); + smb_io_rpc_auth_verifier("", &p->auth_verifier, &p->rauth, 0); + mem_realloc_data(p->rauth.data, p->rauth.offset); + + /* NTLMSSP challenge ***/ + + make_rpc_auth_ntlmssp_chal(&p->ntlmssp_chal, + 0x000082b1, challenge); + smb_io_rpc_auth_ntlmssp_chal("", &p->ntlmssp_chal, &p->rntlm, 0); + mem_realloc_data(p->rntlm.data, p->rntlm.offset); + } + + /***/ + /*** then do the header, now we know the length ***/ + /***/ + + make_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST, + p->hdr.call_id, + p->rdata.offset + p->rverf.offset + p->rauth.offset + p->rntlm.offset + 0x10, + p->rauth.offset + p->rntlm.offset); + + smb_io_rpc_hdr("", &p->hdr, &p->rhdr, 0); + mem_realloc_data(p->rhdr.data, p->rdata.offset); + + /***/ + /*** link rpc header, bind acknowledgment and authentication responses ***/ + /***/ + + if (p->ntlmssp_auth) + { + prs_link(NULL , &p->rhdr , &p->rdata); + prs_link(&p->rhdr , &p->rdata, &p->rverf); + prs_link(&p->rdata, &p->rverf, &p->rauth); + prs_link(&p->rverf, &p->rauth, &p->rntlm); + prs_link(&p->rauth, &p->rntlm, NULL ); + } + else + { + prs_link(NULL , &p->rhdr , &p->rdata); + prs_link(&p->rhdr, &p->rdata, NULL ); + } + + return True; +} + +static BOOL api_pipe_request(pipes_struct *p, prs_struct *pd) +{ + int i = 0; + + for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) + { + if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) && + api_fd_commands[i].fn != NULL) + { + DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name)); + return api_fd_commands[i].fn(p, pd); + } + } + return False; +} + +BOOL rpc_command(pipes_struct *p, prs_struct *pd) +{ + BOOL reply = False; + if (pd->data == NULL) return False; + + /* process the rpc header */ + smb_io_rpc_hdr("", &p->hdr, pd, 0); + + if (pd->offset == 0) return False; + + switch (p->hdr.pkt_type) + { + case RPC_BIND : + { + reply = api_pipe_bind_req(p, pd); + break; + } + case RPC_REQUEST: + { + reply = api_pipe_request (p, pd); + break; + } + case RPC_BINDRESP: /* not the real name! */ + { + reply = api_pipe_bind_auth_resp(p, pd); + break; + } + } + + + return reply; +} + + /******************************************************************* receives a netlogon pipe and responds. ********************************************************************/ @@ -256,7 +534,7 @@ static BOOL api_rpc_command(pipes_struct *p, mem_realloc_data(p->rdata.data, p->rdata.offset); - DEBUG(10,("called %s\n", rpc_name)); + DEBUG(10,("called %s\n", rpc_name)); return True; } diff --git a/source3/smbd/ipc.c b/source3/smbd/ipc.c index c0ce1900235..c647a5de3e0 100644 --- a/source3/smbd/ipc.c +++ b/source3/smbd/ipc.c @@ -3110,251 +3110,18 @@ static BOOL api_WPrintPortEnum(connection_struct *conn,uint16 vuid, char *param, return(True); } -static BOOL api_pipe_ntlmssp(pipes_struct *p, prs_struct *pd) -{ - /* receive a negotiate; send a challenge; receive a response */ - switch (p->auth_verifier.msg_type) - { - case NTLMSSP_NEGOTIATE: - { - smb_io_rpc_auth_ntlmssp_neg("", &p->ntlmssp_neg, pd, 0); - break; - } - case NTLMSSP_AUTH: - { - smb_io_rpc_auth_ntlmssp_resp("", &p->ntlmssp_resp, pd, 0); - break; - } - default: - { - /* NTLMSSP expected: unexpected message type */ - DEBUG(3,("unexpected message type in NTLMSSP %d\n", - p->auth_verifier.msg_type)); - return False; - } - } - - return (pd->offset != 0); -} - -struct api_cmd -{ - char * pipe_clnt_name; - char * pipe_srv_name; - BOOL (*fn) (pipes_struct *, prs_struct *); -}; - -static struct api_cmd api_fd_commands[] = -{ - { "lsarpc", "lsass", api_ntlsa_rpc }, - { "samr", "lsass", api_samr_rpc }, - { "srvsvc", "ntsvcs", api_srvsvc_rpc }, - { "wkssvc", "ntsvcs", api_wkssvc_rpc }, - { "NETLOGON", "lsass", api_netlog_rpc }, - { "winreg", "winreg", api_reg_rpc }, - { NULL, NULL, NULL } -}; - -static BOOL api_pipe_bind_req(pipes_struct *p, prs_struct *pd) -{ - BOOL ntlmssp_auth = False; - uint16 assoc_gid; - fstring ack_pipe_name; - int i = 0; - - DEBUG(5,("api_pipe_bind_req: decode request. %d\n", __LINE__)); - - for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) - { - if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) && - api_fd_commands[i].fn != NULL) - { - DEBUG(3,("api_pipe_bind_req: \\PIPE\\%s -> \\PIPE\\%s\n", - api_fd_commands[i].pipe_clnt_name, - api_fd_commands[i].pipe_srv_name)); - fstrcpy(p->pipe_srv_name, api_fd_commands[i].pipe_srv_name); - break; - } - } - - if (api_fd_commands[i].fn == NULL) return False; - - /* decode the bind request */ - smb_io_rpc_hdr_rb("", &p->hdr_rb, pd, 0); - - if (pd->offset == 0) return False; - - if (p->hdr.auth_len != 0) - { - /* decode the authentication verifier */ - smb_io_rpc_auth_verifier("", &p->auth_verifier, pd, 0); - - if (pd->offset == 0) return False; - - ntlmssp_auth = strequal(p->auth_verifier.signature, "NTLMSSP"); - - if (ntlmssp_auth) - { - if (!api_pipe_ntlmssp(p, pd)) return False; - } - } - - /* name has to be \PIPE\xxxxx */ - fstrcpy(ack_pipe_name, "\\PIPE\\"); - fstrcat(ack_pipe_name, p->pipe_srv_name); - - DEBUG(5,("api_pipe_bind_req: make response. %d\n", __LINE__)); - - prs_init(&(p->rdata), 1024, 4, 0, False); - prs_init(&(p->rhdr ), 0x10, 4, 0, False); - prs_init(&(p->rauth), 1024, 4, 0, False); - prs_init(&(p->rntlm), 1024, 4, 0, False); - - /***/ - /*** do the bind ack first ***/ - /***/ - - if (ntlmssp_auth) - { - assoc_gid = 0x7a77; - } - else - { - assoc_gid = p->hdr_rb.bba.assoc_gid; - } - - make_rpc_hdr_ba(&p->hdr_ba, - p->hdr_rb.bba.max_tsize, - p->hdr_rb.bba.max_rsize, - assoc_gid, - ack_pipe_name, - 0x1, 0x0, 0x0, - &(p->hdr_rb.transfer)); - - smb_io_rpc_hdr_ba("", &p->hdr_ba, &p->rdata, 0); - mem_realloc_data(p->rdata.data, p->rdata.offset); - - /***/ - /*** now the authentication ***/ - /***/ - - if (ntlmssp_auth) - { - uint8 challenge[8]; - generate_random_buffer(challenge, 8, False); - - make_rpc_auth_verifier(&p->auth_verifier, - 0x0a, 0x06, 0, - "NTLMSSP", NTLMSSP_CHALLENGE); - smb_io_rpc_auth_verifier("", &p->auth_verifier, &p->rauth, 0); - mem_realloc_data(p->rauth.data, p->rauth.offset); - - make_rpc_auth_ntlmssp_chal(&p->ntlmssp_chal, - 0x000082b1, challenge); - smb_io_rpc_auth_ntlmssp_chal("", &p->ntlmssp_chal, &p->rntlm, 0); - mem_realloc_data(p->rntlm.data, p->rntlm.offset); - } - - /***/ - /*** then do the header, now we know the length ***/ - /***/ - - make_rpc_hdr(&p->hdr, RPC_BINDACK, RPC_FLG_FIRST | RPC_FLG_LAST, - p->hdr.call_id, - p->rdata.offset + p->rauth.offset + p->rntlm.offset + 0x10, - p->rauth.offset + p->rntlm.offset); - - smb_io_rpc_hdr("", &p->hdr, &p->rhdr, 0); - mem_realloc_data(p->rhdr.data, p->rdata.offset); - - /***/ - /*** link rpc header, bind acknowledgment and authentication responses ***/ - /***/ - - p->rhdr.data->offset.start = 0; - p->rhdr.data->offset.end = p->rhdr.offset; - p->rhdr.data->next = p->rdata.data; - - if (ntlmssp_auth) - { - p->rdata.data->offset.start = p->rhdr.offset; - p->rdata.data->offset.end = p->rhdr.offset + p->rdata.offset; - p->rdata.data->next = p->rauth.data; - - p->rauth.data->offset.start = p->rhdr.offset + p->rdata.offset; - p->rauth.data->offset.end = p->rhdr.offset + p->rdata.offset + p->rauth.offset; - p->rauth.data->next = p->rntlm.data; - - p->rntlm.data->offset.start = p->rhdr.offset + p->rdata.offset + p->rauth.offset; - p->rntlm.data->offset.end = p->rhdr.offset + p->rdata.offset + p->rauth.offset + p->rntlm.offset; - p->rntlm.data->next = NULL; - } - else - { - p->rdata.data->offset.start = p->rhdr.offset; - p->rdata.data->offset.end = p->rhdr.offset + p->rdata.offset; - p->rdata.data->next = NULL; - } - - return True; -} - -static BOOL api_pipe_request(pipes_struct *p, prs_struct *pd) -{ - int i = 0; - - for (i = 0; api_fd_commands[i].pipe_clnt_name; i++) - { - if (strequal(api_fd_commands[i].pipe_clnt_name, p->name) && - api_fd_commands[i].fn != NULL) - { - DEBUG(3,("Doing \\PIPE\\%s\n", api_fd_commands[i].pipe_clnt_name)); - return api_fd_commands[i].fn(p, pd); - } - } - return False; -} - -static BOOL api_dce_rpc_command(char *outbuf, +static void api_rpc_trans_reply(char *outbuf, pipes_struct *p, prs_struct *pd) { - BOOL reply = False; - if (pd->data == NULL) return False; - - /* process the rpc header */ - smb_io_rpc_hdr("", &p->hdr, pd, 0); - - if (pd->offset == 0) return False; + send_trans_reply(outbuf, p->rhdr.data, NULL, NULL, 0, p->file_offset); - switch (p->hdr.pkt_type) + if (mem_buf_len(p->rhdr.data) <= p->file_offset) { - case RPC_BIND : - { - reply = api_pipe_bind_req(p, pd); - break; - } - case RPC_REQUEST: - { - reply = api_pipe_request (p, pd); - break; - } + /* all of data was sent: no need to wait for SMBreadX calls */ + mem_free_data(p->rhdr .data); + mem_free_data(p->rdata.data); } - - if (reply) - { - /* now send the reply */ - send_trans_reply(outbuf, p->rhdr.data, NULL, NULL, 0, p->file_offset); - - if (mem_buf_len(p->rhdr.data) <= p->file_offset) - { - /* all of data was sent: no need to wait for SMBreadX calls */ - mem_free_data(p->rhdr .data); - mem_free_data(p->rdata.data); - } - } - - return reply; } /**************************************************************************** @@ -3463,7 +3230,11 @@ static int api_fd_reply(connection_struct *conn,uint16 vuid,char *outbuf, case 0x26: { /* dce/rpc command */ - reply = api_dce_rpc_command(outbuf, p, &pd); + reply = rpc_command(p, &pd); + if (reply) + { + api_rpc_trans_reply(outbuf, p, &pd); + } break; } case 0x01: diff --git a/source3/smbd/pipes.c b/source3/smbd/pipes.c index 00eec4e0e35..65da9337b2e 100644 --- a/source3/smbd/pipes.c +++ b/source3/smbd/pipes.c @@ -123,7 +123,7 @@ int reply_pipe_write_and_X(char *inbuf,char *outbuf,int length,int bufsize) if (!p) return(ERROR(ERRDOS,ERRbadfid)); - data = smb_buf(inbuf) + smb_doff; + data = smb_base(inbuf) + smb_doff; if (numtowrite == 0) { -- 2.34.1