-rw-r--r-- | source3/include/client.h | 2 | ||||
-rw-r--r-- | source3/include/ntdomain.h | 2 | ||||
-rw-r--r-- | source3/include/proto.h | 3 | ||||
-rw-r--r-- | source3/include/rpc_samr.h | 1 | ||||
-rw-r--r-- | source3/libsmb/smbdes.c | 26 | ||||
-rw-r--r-- | source3/libsmb/smbencrypt.c | 6 | ||||
-rw-r--r-- | source3/rpc_client/cli_pipe.c | 20 | ||||
-rw-r--r-- | source3/rpc_client/cli_samr.c | 51 | ||||
-rw-r--r-- | source3/rpc_parse/parse_rpc.c | 34 | ||||
-rw-r--r-- | source3/rpcclient/cmd_samr.c | 7 | ||||
-rw-r--r-- | source3/smbd/pipes.c | 2 |
11 files changed, 109 insertions, 45 deletions
diff --git a/source3/include/client.h b/source3/include/client.h index 44ac147665..0da4b40c18 100644 --- a/source3/include/client.h +++ b/source3/include/client.h @@ -118,7 +118,7 @@ struct cli_state { uint32 nt_error; /* NT RPC error code. */ uint16 nt_pipe_fnum; /* Pipe handle. */ unsigned char sess_key[16]; /* Current session key. */ - unsigned char ntlmssp_hash[256]; /* ntlmssp data. */ + unsigned char ntlmssp_hash[258]; /* ntlmssp data. */ uint32 ntlmssp_cli_flgs; /* ntlmssp client flags */ uint32 ntlmssp_srv_flgs; /* ntlmssp server flags */ DOM_CRED clnt_cred; /* Client credential. */ diff --git a/source3/include/ntdomain.h b/source3/include/ntdomain.h index 261cc3dfe3..c2a4170595 100644 --- a/source3/include/ntdomain.h +++ b/source3/include/ntdomain.h @@ -84,7 +84,7 @@ typedef struct pipes_struct RPC_AUTH_NTLMSSP_RESP ntlmssp_resp; BOOL ntlmssp_auth; - unsigned char ntlmssp_hash[256]; + unsigned char ntlmssp_hash[258]; uint32 file_offset; uint32 hdr_offsets; diff --git a/source3/include/proto.h b/source3/include/proto.h index 4cf63d2797..b0c50cbca7 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -1269,6 +1269,7 @@ BOOL get_samr_query_userinfo(struct cli_state *cli, POLICY_HND *pol_open_domain, uint32 info_level, uint32 user_rid, SAM_USER_INFO_21 *usr); +BOOL do_samr_unknown_38(struct cli_state *cli, char *srv_name); BOOL do_samr_unknown_8(struct cli_state *cli, POLICY_HND *domain_pol, uint16 switch_value); BOOL do_samr_enum_dom_users(struct cli_state *cli, 
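Review bot: The new size 258 on `ntlmssp_hash` is a bare number whose meaning is only discoverable in smbdes.c, where NTLMSSPcalc now parks its two stream indices in slots 256 and 257; the field should say so, e.g. `unsigned char ntlmssp_hash[258]; /* RC4-style state: 256-byte S-box plus the i/j stream indices in [256],[257], see NTLMSSPhash/NTLMSSPcalc */`. Because the buffer now carries live cipher state rather than a fixed key schedule, it must not be copied between connections or reset mid-session, and that is exactly the kind of thing a maintainer will do if the comment only says "ntlmssp data". The identical field in ntdomain.h's pipes_struct needs the same comment. struct cli_state starts and ends outside the hunk.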
@@ -1541,7 +1542,7 @@ void make_rpc_hdr_ba(RPC_HDR_BA *rpc, uint8 num_results, uint16 result, uint16 reason, RPC_IFACE *transfer); void smb_io_rpc_hdr_ba(char *desc, RPC_HDR_BA *rpc, prs_struct *ps, int depth); -void make_rpc_hdr_req(RPC_HDR_REQ *hdr, uint32 data_len, uint16 opnum); +void make_rpc_hdr_req(RPC_HDR_REQ *hdr, uint32 alloc_hint, uint16 opnum); void smb_io_rpc_hdr_req(char *desc, RPC_HDR_REQ *rpc, prs_struct *ps, int depth); void smb_io_rpc_hdr_resp(char *desc, RPC_HDR_RESP *rpc, prs_struct *ps, int depth); void make_rpc_hdr_autha(RPC_HDR_AUTHA *rai, diff --git a/source3/include/rpc_samr.h b/source3/include/rpc_samr.h index a314015591..5f1a4bb36e 100644 --- a/source3/include/rpc_samr.h +++ b/source3/include/rpc_samr.h @@ -91,6 +91,7 @@ SamrTestPrivateFunctionsUser #define SAMR_UNKNOWN_21 0x21 #define SAMR_UNKNOWN_32 0x32 #define SAMR_UNKNOWN_34 0x34 +#define SAMR_UNKNOWN_38 0x38 #define SAMR_CONNECT 0x39 #define SAMR_OPEN_ALIAS 0x1b #define SAMR_QUERY_ALIASINFO 0x1c diff --git a/source3/libsmb/smbdes.c b/source3/libsmb/smbdes.c index 1d6c6bc0a6..c0f749ad3b 100644 --- a/source3/libsmb/smbdes.c +++ b/source3/libsmb/smbdes.c @@ -357,17 +357,17 @@ void cred_hash3(unsigned char *out,unsigned char *in,unsigned char *key, int for smbhash(out + 8, in + 8, key2, forw); } -void NTLMSSPhash( unsigned char hash[256], unsigned char const key[5]) +void NTLMSSPhash( unsigned char hash[258], unsigned char key[5]) { - unsigned char j = 0; - int ind; + unsigned char j = 0; + int ind; unsigned char k2[8]; - memcpy(k2, key, sizeof(key)); + memcpy(k2, key, 5); k2[5] = 0xe5; - k2[6] = 0xb8; - k2[6] = 0xb0; + k2[6] = 0x38; + k2[7] = 0xb0; for (ind = 0; ind < 256; ind++) { 
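Review bot: The rewritten NTLMSSPhash signature drops `const` from `key` even though the function only reads it through memcpy; keep `unsigned char const key[5]` so callers holding session-key material do not have to cast it away. The three suffix bytes written into k2 (`0xe5`, `0x38`, `0xb0`) are bare magic numbers that differ from the previous revision, so a one-line comment such as `/* fixed key suffix: bytes 5..7 of the 8-byte stream key */` would let a later reader verify them against the spec instead of guessing which revision was right. k2 holds the complete cipher key; if the part of the body outside this hunk does not already clear it after the schedule loop, add `memset(k2, 0, sizeof(k2));` before returning. The function body continues past the end of the hunk.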
@@ -384,12 +384,15 @@ void NTLMSSPhash( unsigned char hash[256], unsigned char const key[5]) hash[ind] = hash[j]; hash[j] = tc; } + + hash[256] = 0; + hash[257] = 0; } -void NTLMSSPcalc( unsigned char hash[256], unsigned char *data, int len) +void NTLMSSPcalc( unsigned char hash[258], unsigned char *data, int len) { - unsigned char index_i = 0; - unsigned char index_j = 0; + unsigned char index_i = hash[256]; + unsigned char index_j = hash[257]; int ind; for( ind = 0; ind < len; ind++) @@ -405,8 +408,11 @@ void NTLMSSPcalc( unsigned char hash[256], unsigned char *data, int len) hash[index_j] = tc; t = hash[index_i] + hash[index_j]; - data[ind] ^= hash[t]; + data[ind] = data[ind] ^ hash[t]; } + + hash[256] = index_i; + hash[257] = index_j; } void SamOEMhash( unsigned char *data, unsigned char *key, int val) diff --git a/source3/libsmb/smbencrypt.c b/source3/libsmb/smbencrypt.c index 44dcbd5e05..a9e680ccdd 100644 --- a/source3/libsmb/smbencrypt.c +++ b/source3/libsmb/smbencrypt.c @@ -162,6 +162,12 @@ void NTLMSSPOWFencrypt(uchar passwd[8], uchar *ntlmchalresp, uchar p24[24]) memset(p21 + 8, 0xbd, 8); E_P24(p21, ntlmchalresp, p24); +#ifdef DEBUG_PASSWORD + DEBUG(100,("NTLMSSPOWFencrypt: p21, c8, p24\n")); + dump_data(100, p21, 21); + dump_data(100, ntlmchalresp, 8); + dump_data(100, p24, 24); +#endif } diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index f7060e0f71..761f23f885 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -293,7 +293,7 @@ static BOOL create_rpc_bind_req(prs_struct *rhdr, prs_struct *auth_ntlm, uint32 call_id, RPC_IFACE *abstract, RPC_IFACE *transfer, - char *my_name, char *domain) + char *my_name, char *domain, uint32 neg_flags) { RPC_HDR_RB hdr_rb; RPC_HDR hdr; 
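Review bot: NTLMSSPcalc now writes `index_i`/`index_j` back into `hash[256]`/`hash[257]` at the end, so the array is no longer a read-only key schedule but a keystream position that advances on every call; that contract belongs on the function, e.g. `/* Advances the keystream in place: hash[256]/[257] carry i/j across calls, so each PDU must go through exactly once and in order, and the state must not be shared by streams that are not in lockstep. */`. The change from `data[ind] ^= hash[t]` to `data[ind] = data[ind] ^ hash[t]` does not alter behaviour and only adds churn to the diff; I would keep the original form. The start of NTLMSSPcalc is in the previous hunk.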
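Review bot: The added dump writes p21, the challenge and p24 to the debug log, and p21 is built directly from the `passwd` argument, so this is keying material rather than protocol plumbing. The `#ifdef DEBUG_PASSWORD` guard is the correct one, but it should carry a comment explaining why it is not a plain debug level, so nobody relaxes it later: `/* DEBUG_PASSWORD only: p21 is derived from the password material and must never reach a production log */`. Note that dump_data at level 100 still lands in the ordinary log file, so a binary built with DEBUG_PASSWORD must not be shipped. NTLMSSPOWFencrypt's body starts before the hunk.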
@@ -322,7 +322,7 @@ static BOOL create_rpc_bind_req(prs_struct *rhdr, mem_realloc_data(auth_req->data, auth_req->offset); make_rpc_auth_ntlmssp_neg(&ntlmssp_neg, - 0x0000b2b3, my_name, domain); + neg_flags, my_name, domain); smb_io_rpc_auth_ntlmssp_neg("ntlmssp_neg", &ntlmssp_neg, auth_req, 0); mem_realloc_data(auth_req->data, auth_req->offset); @@ -451,7 +451,7 @@ static BOOL create_rpc_request(prs_struct *rhdr, uint8 op_num, int data_len, if (auth_len != 0) { - alloc_hint = data_len - 0x18 - auth_len - 12; + alloc_hint = data_len - 0x18 - auth_len - 10; } else { @@ -522,7 +522,7 @@ BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num, RPC_AUTH_NTLMSSP_CHK chk; RPC_HDR_AUTH rhdr_auth; - make_rpc_hdr_auth(&rhdr_auth, 0x0a, 0x06, 0x02); + make_rpc_hdr_auth(&rhdr_auth, 0x0a, 0x06, 0x08); smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &hdr_auth, 0); make_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION, crc32, 0); @@ -747,7 +747,8 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name, ntlmssp_auth ? &auth_req : NULL, ntlmssp_auth ? &auth_ntlm : NULL, call_id, - abstract, transfer, global_myname, cli->domain); + abstract, transfer, + global_myname, cli->domain, cli->ntlmssp_cli_flgs); /* this is a hack due to limitations in rpc_api_pipe */ prs_init(&data, mem_buf_len(hdr.data), 4, 0x0, False); @@ -884,16 +885,19 @@ BOOL cli_nt_session_open(struct cli_state *cli, char *pipe_name, BOOL encrypted) if (encrypted) { - cli->ntlmssp_cli_flgs = + cli->ntlmssp_cli_flgs = NTLMSSP_NEGOTIATE_UNICODE | - NTLMSSP_NEGOTIATE_OEM | +/* NTLMSSP_NEGOTIATE_OEM | + */ NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_LM_KEY | NTLMSSP_NEGOTIATE_NTLM | - NTLMSSP_NEGOTIATE_ALWAYS_SIGN | + NTLMSSP_NEGOTIATE_ALWAYS_SIGN; +/* NTLMSSP_NEGOTIATE_00001000 | NTLMSSP_NEGOTIATE_00002000; + */ DEBUG(5,("cli_nt_session_open: neg_flags: %lx\n", cli->ntlmssp_cli_flgs)); } 
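Review bot: `alloc_hint = data_len - 0x18 - auth_len - 10;` combines three bare constants in what is, if alloc_hint is unsigned as the renamed make_rpc_hdr_req prototype suggests, wrapping arithmetic: a data_len smaller than `0x18 + auth_len + 10` yields a huge hint instead of an error. Guard it, `if (data_len < 0x18 + auth_len + 10) return False;`, and say what the constants account for, e.g. `/* 0x18 = RPC header + request header, 10 = auth trailer overhead */` if that is indeed what they are (the previous revision used 12, so the derivation is worth recording). create_rpc_request starts before and ends after the hunk.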
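Review bot: The flag initialiser in cli_nt_session_open now contains two blocks of commented-out code (`NTLMSSP_NEGOTIATE_OEM` and the `00001000 | 00002000` pair); if those bits are intentionally no longer offered, delete them and record why, e.g. `/* UNICODE only: OEM and the 0x1000/0x2000 bits are deliberately not negotiated */`, otherwise the dead text invites someone to re-enable them. The encrypted path requests SIGN, SEAL and ALWAYS_SIGN, but nothing in this hunk checks that the server echoed them back in ntlmssp_srv_flgs; if that check lives elsewhere, a pointer to it in the comment would help, and if it does not, a client that silently falls back to unsigned traffic is the kind of downgrade this code should refuse. cli_nt_session_open starts before the hunk.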
diff --git a/source3/rpc_client/cli_samr.c b/source3/rpc_client/cli_samr.c index c9e806fd21..1428178c26 100644 --- a/source3/rpc_client/cli_samr.c +++ b/source3/rpc_client/cli_samr.c @@ -98,6 +98,57 @@ BOOL get_samr_query_userinfo(struct cli_state *cli, } /**************************************************************************** +do a SAMR unknown 0x38 command +****************************************************************************/ +BOOL do_samr_unknown_38(struct cli_state *cli, char *srv_name) +{ + prs_struct data; + prs_struct rdata; + + SAMR_Q_UNKNOWN_38 q_e; + BOOL valid_un8 = False; + + /* create and send a MSRPC command with api SAMR_ENUM_DOM_USERS */ + + prs_init(&data , 1024, 4, SAFETY_MARGIN, False); + prs_init(&rdata, 0 , 4, SAFETY_MARGIN, True ); + + DEBUG(4,("SAMR Unknown 38 server:%s\n", srv_name)); + + make_samr_q_unknown_38(&q_e, srv_name); + + /* turn parameters into data stream */ + samr_io_q_unknown_38("", &q_e, &data, 0); + + /* send the data on \PIPE\ */ + if (rpc_api_pipe_req(cli, SAMR_UNKNOWN_38, &data, &rdata)) + { + SAMR_R_UNKNOWN_38 r_e; + BOOL p; + + samr_io_r_unknown_38("", &r_e, &rdata, 0); + + p = rdata.offset != 0; + if (p && r_e.status != 0) + { + /* report error code */ + DEBUG(0,("SAMR_R_UNKNOWN_38: %s\n", get_nt_error_msg(r_e.status))); + p = False; + } + + if (p) + { + valid_un8 = True; + } + } + + prs_mem_free(&data ); + prs_mem_free(&rdata ); + + return valid_un8; +} + +/**************************************************************************** do a SAMR unknown 0x8 command ****************************************************************************/ BOOL do_samr_unknown_8(struct cli_state *cli, diff --git a/source3/rpc_parse/parse_rpc.c b/source3/rpc_parse/parse_rpc.c index 2204207440..43cb204681 100644 --- a/source3/rpc_parse/parse_rpc.c +++ b/source3/rpc_parse/parse_rpc.c 
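Review bot: The comment `/* create and send a MSRPC command with api SAMR_ENUM_DOM_USERS */` in do_samr_unknown_38 is copied from the enum-users routine and names the wrong opcode; it should read `/* create and send a MSRPC command with api SAMR_UNKNOWN_38 */`, and `valid_un8` is the same kind of leftover from do_samr_unknown_8. `r_e` is declared with no initialiser and samr_io_r_unknown_38 reports no result, so success is inferred only from `rdata.offset != 0`; if the parser consumes part of a truncated reply and stops before the status field, `r_e.status` may be read uninitialised. Since rdata comes from a remote server, zero the struct first, `memset(&r_e, 0, sizeof(r_e));`, or check that the whole reply was consumed before trusting the status.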
@@ -554,8 +554,8 @@ void smb_io_rpc_auth_ntlmssp_neg(char *desc, RPC_AUTH_NTLMSSP_NEG *neg, prs_stru smb_io_strhdr("hdr_myname", &(neg->hdr_myname), ps, depth); smb_io_strhdr("hdr_domain", &(neg->hdr_domain), ps, depth); - prs_string("myname", ps, depth, neg->myname, neg->hdr_myname.str_str_len, sizeof(neg->myname)); prs_string("domain", ps, depth, neg->domain, neg->hdr_domain.str_str_len, sizeof(neg->domain)); + prs_string("myname", ps, depth, neg->myname, neg->hdr_myname.str_str_len, sizeof(neg->myname)); } /******************************************************************* @@ -635,12 +635,6 @@ void make_rpc_auth_ntlmssp_resp(RPC_AUTH_NTLMSSP_RESP *rsp, usr_len *= 2; } - make_str_hdr(&rsp->hdr_lm_resp, lm_len, lm_len, offset); - offset += lm_len; - - make_str_hdr(&rsp->hdr_nt_resp, nt_len, nt_len, offset); - offset += nt_len; - make_str_hdr(&rsp->hdr_domain , dom_len, dom_len, offset); offset += dom_len; @@ -650,6 +644,12 @@ void make_rpc_auth_ntlmssp_resp(RPC_AUTH_NTLMSSP_RESP *rsp, make_str_hdr(&rsp->hdr_wks , wks_len, wks_len, offset); offset += wks_len; + make_str_hdr(&rsp->hdr_lm_resp, lm_len , lm_len , offset); + offset += lm_len; + + make_str_hdr(&rsp->hdr_nt_resp, nt_len , nt_len , offset); + offset += nt_len; + make_str_hdr(&rsp->hdr_sess_key, 0, 0, offset); rsp->neg_flags = neg_flags; 
@@ -705,14 +705,6 @@ void smb_io_rpc_auth_ntlmssp_resp(char *desc, RPC_AUTH_NTLMSSP_RESP *rsp, prs_st old_offset = ps->offset; - ps->offset = rsp->hdr_lm_resp .buffer + 0x1c; - prs_uint8s(False, "lm_resp ", ps, depth, (uint8*)rsp->lm_resp , MIN(rsp->hdr_lm_resp .str_str_len, sizeof(rsp->lm_resp ))); - old_offset += rsp->hdr_lm_resp .str_str_len; - - ps->offset = rsp->hdr_nt_resp .buffer + 0x1c; - prs_uint8s(False, "nt_resp ", ps, depth, (uint8*)rsp->nt_resp , MIN(rsp->hdr_nt_resp .str_str_len, sizeof(rsp->nt_resp ))); - old_offset += rsp->hdr_nt_resp .str_str_len; - ps->offset = rsp->hdr_domain .buffer + 0x1c; prs_uint8s(True , "domain ", ps, depth, (uint8*)rsp->domain , MIN(rsp->hdr_domain .str_str_len, sizeof(rsp->domain ))); old_offset += rsp->hdr_domain .str_str_len; @@ -725,6 +717,14 @@ void smb_io_rpc_auth_ntlmssp_resp(char *desc, RPC_AUTH_NTLMSSP_RESP *rsp, prs_st prs_uint8s(True , "wks ", ps, depth, (uint8*)rsp->wks , MIN(rsp->hdr_wks .str_str_len, sizeof(rsp->wks ))); old_offset += rsp->hdr_wks .str_str_len; + ps->offset = rsp->hdr_lm_resp .buffer + 0x1c; + prs_uint8s(False, "lm_resp ", ps, depth, (uint8*)rsp->lm_resp , MIN(rsp->hdr_lm_resp .str_str_len, sizeof(rsp->lm_resp ))); + old_offset += rsp->hdr_lm_resp .str_str_len; + + ps->offset = rsp->hdr_nt_resp .buffer + 0x1c; + prs_uint8s(False, "nt_resp ", ps, depth, (uint8*)rsp->nt_resp , MIN(rsp->hdr_nt_resp .str_str_len, sizeof(rsp->nt_resp ))); + old_offset += rsp->hdr_nt_resp .str_str_len; + if (rsp->hdr_sess_key.str_str_len != 0) { ps->offset = rsp->hdr_sess_key.buffer + 0x1c; 
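Review bot: The moved lines `ps->offset = rsp->hdr_lm_resp .buffer + 0x1c;` and the nt_resp twin seek the parse stream to an offset taken straight from the wire (`hdr_*.buffer`), and nothing in this hunk checks that the result lies inside the received PDU; only the copy length is bounded by the MIN(). This structure is also parsed on the server side (pipes_struct holds an RPC_AUTH_NTLMSSP_RESP) from a not-yet-authenticated client, so unless prs_uint8s itself rejects an out-of-range offset, which is not visible here, a hostile `buffer` value could turn the read into an out-of-bounds access. The pre-existing lines have merely been reordered, but while they are being touched I would bounds-check `hdr_*.buffer + 0x1c` against the parse buffer's size before each seek and bail out, and give `0x1c` a name. smb_io_rpc_auth_ntlmssp_resp starts before and ends after the hunk.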
@@ -746,11 +746,11 @@ void smb_io_rpc_auth_ntlmssp_resp(char *desc, RPC_AUTH_NTLMSSP_RESP *rsp, prs_st prs_uint32("neg_flags", ps, depth, &(rsp->neg_flags)); /* 0x0000 82b1 */ - prs_uint8s(False, "lm_resp ", ps, depth, rsp->lm_resp , MIN(rsp->hdr_lm_resp .str_str_len, sizeof(rsp->lm_resp ))); - prs_uint8s(False, "nt_resp ", ps, depth, rsp->nt_resp , MIN(rsp->hdr_nt_resp .str_str_len, sizeof(rsp->nt_resp ))); prs_uint8s(True , "domain ", ps, depth, rsp->domain , MIN(rsp->hdr_domain .str_str_len, sizeof(rsp->domain ))); prs_uint8s(True , "user ", ps, depth, rsp->user , MIN(rsp->hdr_usr .str_str_len, sizeof(rsp->user ))); prs_uint8s(True , "wks ", ps, depth, rsp->wks , MIN(rsp->hdr_wks .str_str_len, sizeof(rsp->wks ))); + prs_uint8s(False, "lm_resp ", ps, depth, rsp->lm_resp , MIN(rsp->hdr_lm_resp .str_str_len, sizeof(rsp->lm_resp ))); + prs_uint8s(False, "nt_resp ", ps, depth, rsp->nt_resp , MIN(rsp->hdr_nt_resp .str_str_len, sizeof(rsp->nt_resp ))); prs_uint8s(False, "sess_key", ps, depth, rsp->sess_key, MIN(rsp->hdr_sess_key.str_str_len, sizeof(rsp->sess_key))); } } diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c index 487c8e46c1..1c361f0f5e 100644 --- a/source3/rpcclient/cmd_samr.c +++ b/source3/rpcclient/cmd_samr.c @@ -68,12 +68,7 @@ void cmd_sam_test(struct client_info *info) res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR, True) : False; /* establish a connection. */ - res = res ? do_samr_connect(smb_cli, - srv_name, 0x00000020, - &info->dom.samr_pol_connect) : False; - - res = res ? do_samr_close(smb_cli, - &info->dom.samr_pol_connect) : False; + res = res ? do_samr_unknown_38(smb_cli, srv_name) : False; /* close the session */ cli_nt_session_close(smb_cli); diff --git a/source3/smbd/pipes.c b/source3/smbd/pipes.c index 3e10065711..7cf7fd8ea3 100644 --- a/source3/smbd/pipes.c +++ b/source3/smbd/pipes.c 
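Review bot: Replacing the connect/close pair with `do_samr_unknown_38` means cmd_sam_test no longer exercises do_samr_connect or do_samr_close at all; if the aim is to try the new call as well, run `do_samr_unknown_38` and then keep the existing connect/close sequence rather than swapping one for the other. If the swap is deliberate, a one-line comment such as `/* probe the 0x38 call only; connect/close are covered by the other sam commands */` would stop the next reader from restoring the old lines. cmd_sam_test starts before the hunk.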
@@ -99,7 +99,7 @@ int reply_open_pipe_and_X(connection_struct *conn, put_dos_date3(outbuf,smb_vwv4,mtime); SIVAL(outbuf,smb_vwv6,size); SSVAL(outbuf,smb_vwv8,rmode); - SSVAL(outbuf,smb_vwv11,0); + SSVAL(outbuf,smb_vwv11,0x0001); return chain_reply(inbuf,outbuf,length,bufsize); } |
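Review bot: `SSVAL(outbuf,smb_vwv11,0x0001);` replaces a 0 with a bare constant and no comment, so a reader has to know the OpenAndX reply layout to see what changed; if vwv11 is the Action word, as its position suggests, the line should carry `/* Action: 0x0001 = existing file was opened */` or, better, a named constant for the value. reply_open_pipe_and_X starts before the hunk.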