Fix some Netlogon data definitions and register the service

rapid7 · Sep 18, 2020 · 344d04f · 344d04f
1 parent ef6d9a5
commit 344d04f
Show file tree

Hide file tree

Showing 7 changed files with 30 additions and 11 deletions.
diff --git a/lib/ruby_smb/dcerpc.rb b/lib/ruby_smb/dcerpc.rb
@@ -13,13 +13,14 @@ module Dcerpc
     require 'ruby_smb/dcerpc/rpc_security_attributes'
     require 'ruby_smb/dcerpc/pdu_header'
     require 'ruby_smb/dcerpc/srvsvc'
-    require 'ruby_smb/dcerpc/winreg'
     require 'ruby_smb/dcerpc/svcctl'
+    require 'ruby_smb/dcerpc/winreg'
+    require 'ruby_smb/dcerpc/netlogon'
     require 'ruby_smb/dcerpc/request'
     require 'ruby_smb/dcerpc/response'
     require 'ruby_smb/dcerpc/bind'
     require 'ruby_smb/dcerpc/bind_ack'
-    require 'ruby_smb/dcerpc/netlogon'
+
 
 
     # Bind to the remote server interface endpoint.

diff --git a/lib/ruby_smb/dcerpc/netlogon.rb b/lib/ruby_smb/dcerpc/netlogon.rb
@@ -13,7 +13,7 @@ module Netlogon
       NETR_SERVER_PASSWORD_SET2 = 30
 
       # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/3b224201-b531-43e2-8c79-b61f6dea8640
-      class LogonSrvHandle < Ndr::NdrLpStr; end
+      class LogonsrvHandle < Ndr::NdrLpStr; end
 
       # see: https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-nrpc/d55e2632-7163-4f6c-b662-4b870e8cc1cd
       class NetlogonCredential < Ndr::NdrFixedByteArray
@@ -47,6 +47,15 @@ class NetlogonSecureChannelType < Ndr::NdrEnum
         def as_enum
           ALL[value]
         end
+
+        def assign(val)
+          if val.is_a? Symbol
+            val = ALL.key(val)
+            raise ArgumentError, 'invalid value name' if val.nil?
+          end
+
+          super
+        end
       end
 
       require 'ruby_smb/dcerpc/netlogon/netr_server_req_challenge_request'

diff --git a/lib/ruby_smb/dcerpc/netlogon/netr_server_authenticate3_request.rb b/lib/ruby_smb/dcerpc/netlogon/netr_server_authenticate3_request.rb
@@ -10,7 +10,7 @@ class NetrServerAuthenticate3Request < BinData::Record
 
         endian :little
 
-        logon_srv_handle             :primary_name
+        logonsrv_handle              :primary_name
         ndr_string                   :account_name
         netlogon_secure_channel_type :secure_channel_type
         ndr_string                   :computer_name

diff --git a/lib/ruby_smb/dcerpc/netlogon/netr_server_req_challenge_request.rb b/lib/ruby_smb/dcerpc/netlogon/netr_server_req_challenge_request.rb
@@ -10,7 +10,7 @@ class NetrServerReqChallengeRequest < BinData::Record
 
         endian :little
 
-        logon_srv_handle    :primary_name
+        logonsrv_handle     :primary_name
         ndr_string          :computer_name
         netlogon_credential :client_challenge
 

diff --git a/lib/ruby_smb/dcerpc/request.rb b/lib/ruby_smb/dcerpc/request.rb
@@ -31,6 +31,11 @@ class Request < BinData::Record
           save_key_request       RubySMB::Dcerpc::Winreg::REG_SAVE_KEY
           string                 :default
         end
+        choice 'Netlogon', selection: -> { opnum } do
+          netr_server_authenticate3_request RubySMB::Dcerpc::Netlogon::NETR_SERVER_AUTHENTICATE3
+          netr_server_req_challenge_request RubySMB::Dcerpc::Netlogon::NETR_SERVER_REQ_CHALLENGE
+          string                            :default
+        end
         choice 'Srvsvc', selection: -> { opnum } do
           net_share_enum_all RubySMB::Dcerpc::Srvsvc::NET_SHARE_ENUM_ALL, host: -> { host rescue '' }
           string             :default

diff --git a/lib/ruby_smb/smb1/pipe.rb b/lib/ruby_smb/smb1/pipe.rb
@@ -16,12 +16,14 @@ class Pipe < File
       def initialize(tree:, response:, name:)
         raise ArgumentError, 'No Name Provided' if name.nil?
         case name
+        when 'netlogon', '\\netlogon'
+          extend RubySMB::Dcerpc::Netlogon
         when 'srvsvc', '\\srvsvc'
           extend RubySMB::Dcerpc::Srvsvc
-        when 'winreg', '\\winreg'
-          extend RubySMB::Dcerpc::Winreg
         when 'svcctl', '\\svcctl'
           extend RubySMB::Dcerpc::Svcctl
+        when 'winreg', '\\winreg'
+          extend RubySMB::Dcerpc::Winreg
         end
         super(tree: tree, response: response, name: name)
       end

diff --git a/lib/ruby_smb/smb2/pipe.rb b/lib/ruby_smb/smb2/pipe.rb
@@ -13,12 +13,14 @@ class Pipe < File
       def initialize(tree:, response:, name:)
         raise ArgumentError, 'No Name Provided' if name.nil?
         case name
-        when 'srvsvc'
+        when 'netlogon', '\\netlogon'
+          extend RubySMB::Dcerpc::Netlogon
+        when 'srvsvc', '\\srvsvc'
           extend RubySMB::Dcerpc::Srvsvc
-        when 'winreg'
-          extend RubySMB::Dcerpc::Winreg
-        when 'svcctl'
+        when 'svcctl', '\\svcctl'
           extend RubySMB::Dcerpc::Svcctl
+        when 'winreg', '\\winreg'
+          extend RubySMB::Dcerpc::Winreg
         end
         super(tree: tree, response: response, name: name)
       end