From 935dc98f6670ba630bd2086ef9eddcc94a0562e2 Mon Sep 17 00:00:00 2001 From: Luke Leighton Date: Wed, 14 Oct 1998 06:29:20 +0000 Subject: dce/rpc (This used to be commit 69f5f9f88935de1f63ffc9aa19c0629b395e66e6) --- source3/include/client.h | 1 + source3/include/proto.h | 3 +- source3/include/rpc_dce.h | 2 +- source3/lib/crc32.c | 116 ++++++++++++++--------------- source3/libsmb/pwd_cache.c | 2 +- source3/rpc_client/cli_pipe.c | 166 +++++++++++++++++++++++++++++++----------- source3/rpc_parse/parse_rpc.c | 44 +++++++++-- source3/rpcclient/cmd_samr.c | 5 +- source3/smbd/password.c | 8 +- 9 files changed, 231 insertions(+), 116 deletions(-) diff --git a/source3/include/client.h b/source3/include/client.h index 0da4b40c18..53674fe80a 100644 --- a/source3/include/client.h +++ b/source3/include/client.h @@ -121,6 +121,7 @@ struct cli_state { unsigned char ntlmssp_hash[258]; /* ntlmssp data. */ uint32 ntlmssp_cli_flgs; /* ntlmssp client flags */ uint32 ntlmssp_srv_flgs; /* ntlmssp server flags */ + uint32 ntlmssp_seq_num; /* ntlmssp sequence number */ DOM_CRED clnt_cred; /* Client credential. */ fstring mach_acct; /* MYNAME$. */ fstring srv_name_slash; /* \\remote server. */ diff --git a/source3/include/proto.h b/source3/include/proto.h index e594780535..8a0ff12ed9 100644 --- a/source3/include/proto.h +++ b/source3/include/proto.h @@ -1558,7 +1558,8 @@ void make_rpc_hdr_autha(RPC_HDR_AUTHA *rai, void smb_io_rpc_hdr_autha(char *desc, RPC_HDR_AUTHA *rai, prs_struct *ps, int depth); void make_rpc_hdr_auth(RPC_HDR_AUTH *rai, uint8 auth_type, uint8 auth_level, - uint8 stub_type_len); + uint8 stub_type_len, + uint32 ptr); void smb_io_rpc_hdr_auth(char *desc, RPC_HDR_AUTH *rai, prs_struct *ps, int depth); void make_rpc_auth_verifier(RPC_AUTH_VERIFIER *rav, char *signature, uint32 msg_type); diff --git a/source3/include/rpc_dce.h b/source3/include/rpc_dce.h index 982ec1f52b..c6499853d6 100644 --- a/source3/include/rpc_dce.h +++ b/source3/include/rpc_dce.h @@ -170,7 +170,7 @@ typedef struct rpc_hdr_auth_info uint8 stub_type_len; /* don't know */ uint8 padding; /* padding */ - uint32 unknown; /* 0x0014a0c0 */ + uint32 unknown; /* pointer */ } RPC_HDR_AUTH; diff --git a/source3/lib/crc32.c b/source3/lib/crc32.c index 7d0b6e350d..b92bc70d12 100644 --- a/source3/lib/crc32.c +++ b/source3/lib/crc32.c @@ -1,73 +1,73 @@ /* - * Dr Dobb's Journal: http://www.ddj.com/ftp/1992/1992.05/crcman.zip + * Copyright francesco@aerra.it - code used WITHOUT acknowledgment to + * request to use it here yet received. * - * Copyright Mark R. Nelson 1992 + * must work on the dr dobb's version or find another version if + * permission not received or permission refused. * - * This code used by permission of J Erickson - * Tues 6th October 1998. Copyright acknowledged above, as agreed. * */ #include "includes.h" +extern int DEBUGLEVEL; -#define CRC32_POLYNOMIAL 0xEDB88320L - -/***************************************************************** - Instead of performing a straightforward calculation of the 32 bit - CRC using a series of logical operations, this program uses the - faster table lookup method. This routine is called once when the - program starts up to build the table which will be used later - when calculating the CRC values. - *****************************************************************/ - -static uint32 CRCTable[256]; - -void crc32_build_table(void) +static unsigned long CRCTable[256] = { - int i; - int j; - uint32 crc; - - for ( i = 0; i <= 255 ; i++ ) - { - crc = i; - for ( j = 8 ; j > 0; j-- ) - { - if ( crc & 1 ) - { - crc = ( crc >> 1 ) ^ CRC32_POLYNOMIAL; - } - else - { - crc >>= 1; - } - } - CRCTable[ i ] = crc; - } -} - -/***************************************************************** - This routine calculates the CRC for a block of data using the - table lookup method. - *****************************************************************/ + 0x00000000,0x77073096,0xEE0E612C,0x990951BA,0x076DC419,0x706AF48F, + 0xE963A535,0x9E6495A3,0x0EDB8832,0x79DCB8A4,0xE0D5E91E,0x97D2D988, + 0x09B64C2B,0x7EB17CBD,0xE7B82D07,0x90BF1D91,0x1DB71064,0x6AB020F2, + 0xF3B97148,0x84BE41DE,0x1ADAD47D,0x6DDDE4EB,0xF4D4B551,0x83D385C7, + 0x136C9856,0x646BA8C0,0xFD62F97A,0x8A65C9EC,0x14015C4F,0x63066CD9, + 0xFA0F3D63,0x8D080DF5,0x3B6E20C8,0x4C69105E,0xD56041E4,0xA2677172, + 0x3C03E4D1,0x4B04D447,0xD20D85FD,0xA50AB56B,0x35B5A8FA,0x42B2986C, + 0xDBBBC9D6,0xACBCF940,0x32D86CE3,0x45DF5C75,0xDCD60DCF,0xABD13D59, + 0x26D930AC,0x51DE003A,0xC8D75180,0xBFD06116,0x21B4F4B5,0x56B3C423, + 0xCFBA9599,0xB8BDA50F,0x2802B89E,0x5F058808,0xC60CD9B2,0xB10BE924, + 0x2F6F7C87,0x58684C11,0xC1611DAB,0xB6662D3D,0x76DC4190,0x01DB7106, + 0x98D220BC,0xEFD5102A,0x71B18589,0x06B6B51F,0x9FBFE4A5,0xE8B8D433, + 0x7807C9A2,0x0F00F934,0x9609A88E,0xE10E9818,0x7F6A0DBB,0x086D3D2D, + 0x91646C97,0xE6635C01,0x6B6B51F4,0x1C6C6162,0x856530D8,0xF262004E, + 0x6C0695ED,0x1B01A57B,0x8208F4C1,0xF50FC457,0x65B0D9C6,0x12B7E950, + 0x8BBEB8EA,0xFCB9887C,0x62DD1DDF,0x15DA2D49,0x8CD37CF3,0xFBD44C65, + 0x4DB26158,0x3AB551CE,0xA3BC0074,0xD4BB30E2,0x4ADFA541,0x3DD895D7, + 0xA4D1C46D,0xD3D6F4FB,0x4369E96A,0x346ED9FC,0xAD678846,0xDA60B8D0, + 0x44042D73,0x33031DE5,0xAA0A4C5F,0xDD0D7CC9,0x5005713C,0x270241AA, + 0xBE0B1010,0xC90C2086,0x5768B525,0x206F85B3,0xB966D409,0xCE61E49F, + 0x5EDEF90E,0x29D9C998,0xB0D09822,0xC7D7A8B4,0x59B33D17,0x2EB40D81, + 0xB7BD5C3B,0xC0BA6CAD,0xEDB88320,0x9ABFB3B6,0x03B6E20C,0x74B1D29A, + 0xEAD54739,0x9DD277AF,0x04DB2615,0x73DC1683,0xE3630B12,0x94643B84, + 0x0D6D6A3E,0x7A6A5AA8,0xE40ECF0B,0x9309FF9D,0x0A00AE27,0x7D079EB1, + 0xF00F9344,0x8708A3D2,0x1E01F268,0x6906C2FE,0xF762575D,0x806567CB, + 0x196C3671,0x6E6B06E7,0xFED41B76,0x89D32BE0,0x10DA7A5A,0x67DD4ACC, + 0xF9B9DF6F,0x8EBEEFF9,0x17B7BE43,0x60B08ED5,0xD6D6A3E8,0xA1D1937E, + 0x38D8C2C4,0x4FDFF252,0xD1BB67F1,0xA6BC5767,0x3FB506DD,0x48B2364B, + 0xD80D2BDA,0xAF0A1B4C,0x36034AF6,0x41047A60,0xDF60EFC3,0xA867DF55, + 0x316E8EEF,0x4669BE79,0xCB61B38C,0xBC66831A,0x256FD2A0,0x5268E236, + 0xCC0C7795,0xBB0B4703,0x220216B9,0x5505262F,0xC5BA3BBE,0xB2BD0B28, + 0x2BB45A92,0x5CB36A04,0xC2D7FFA7,0xB5D0CF31,0x2CD99E8B,0x5BDEAE1D, + 0x9B64C2B0,0xEC63F226,0x756AA39C,0x026D930A,0x9C0906A9,0xEB0E363F, + 0x72076785,0x05005713,0x95BF4A82,0xE2B87A14,0x7BB12BAE,0x0CB61B38, + 0x92D28E9B,0xE5D5BE0D,0x7CDCEFB7,0x0BDBDF21,0x86D3D2D4,0xF1D4E242, + 0x68DDB3F8,0x1FDA836E,0x81BE16CD,0xF6B9265B,0x6FB077E1,0x18B74777, + 0x88085AE6,0xFF0F6A70,0x66063BCA,0x11010B5C,0x8F659EFF,0xF862AE69, + 0x616BFFD3,0x166CCF45,0xA00AE278,0xD70DD2EE,0x4E048354,0x3903B3C2, + 0xA7672661,0xD06016F7,0x4969474D,0x3E6E77DB,0xAED16A4A,0xD9D65ADC, + 0x40DF0B66,0x37D83BF0,0xA9BCAE53,0xDEBB9EC5,0x47B2CF7F,0x30B5FFE9, + 0xBDBDF21C,0xCABAC28A,0x53B39330,0x24B4A3A6,0xBAD03605,0xCDD70693, + 0x54DE5729,0x23D967BF,0xB3667A2E,0xC4614AB8,0x5D681B02,0x2A6F2B94, + 0xB40BBE37,0xC30C8EA1,0x5A05DF1B,0x2D02EF8D +}; uint32 crc32_calc_buffer( uint32 count, char *buffer) { - char *p; - uint32 crc; - - p = buffer; - crc = 0xffffffff; - - while ( count-- != 0 ) + unsigned long crc=0xffffffff; + int i; + for(i=0;i> 8 ) & 0x00FFFFFFL; - temp2 = CRCTable[ ( (int) crc ^ *p++ ) & 0xff ]; - crc = temp1 ^ temp2; + crc = (crc>>8) ^ CRCTable[(buffer[i] ^ crc) & 0xff]; } - return crc; + crc^=0xffffffff; + DEBUG(10,("crc_32_calc_buffer: %x\n", crc)); + dump_data(100, buffer, count); + return crc; } - diff --git a/source3/libsmb/pwd_cache.c b/source3/libsmb/pwd_cache.c index c4c578cde6..bbd5f63d4b 100644 --- a/source3/libsmb/pwd_cache.c +++ b/source3/libsmb/pwd_cache.c @@ -219,7 +219,7 @@ void pwd_make_lm_nt_owf(struct pwd_info *pwd, uchar cryptkey[8]) #ifdef DEBUG_PASSWORD DEBUG(100,("lm_owf_passwd: ")); - dump_data(100, pwd->smb_nt_owf, sizeof(pwd->smb_nt_owf)); + dump_data(100, pwd->smb_lm_owf, sizeof(pwd->smb_lm_owf)); DEBUG(100,("lm_sess_pwd: ")); dump_data(100, pwd->smb_lm_pwd, sizeof(pwd->smb_lm_pwd)); #endif diff --git a/source3/rpc_client/cli_pipe.c b/source3/rpc_client/cli_pipe.c index d21840ec46..93befe7ac4 100644 --- a/source3/rpc_client/cli_pipe.c +++ b/source3/rpc_client/cli_pipe.c @@ -114,14 +114,12 @@ static BOOL rpc_read(struct cli_state *cli, /**************************************************************************** checks the header ****************************************************************************/ -static BOOL rpc_check_hdr(prs_struct *rdata, uint8 *pkt_type, +static BOOL rpc_check_hdr(prs_struct *rdata, RPC_HDR *rhdr, BOOL *first, BOOL *last, int *len) { - RPC_HDR rhdr; - DEBUG(5,("rpc_check_hdr: rdata->data->data_used: %d\n", rdata->data->data_used)); - smb_io_rpc_hdr ("rpc_hdr ", &rhdr , rdata, 0); + smb_io_rpc_hdr ("rpc_hdr ", rhdr , rdata, 0); if (!rdata->offset || rdata->offset != 0x10) { @@ -132,14 +130,78 @@ static BOOL rpc_check_hdr(prs_struct *rdata, uint8 *pkt_type, DEBUG(5,("rpc_check_hdr: (after smb_io_rpc_hdr call) rdata->data->data_used: %d\n", rdata->data->data_used)); - (*first ) = IS_BITS_SET_ALL(rhdr.flags, RPC_FLG_FIRST); - (*last ) = IS_BITS_SET_ALL(rhdr.flags, RPC_FLG_LAST ); - (*len ) = rhdr.frag_len - rdata->data->data_used; - (*pkt_type) = rhdr.pkt_type; + (*first ) = IS_BITS_SET_ALL(rhdr->flags, RPC_FLG_FIRST); + (*last ) = IS_BITS_SET_ALL(rhdr->flags, RPC_FLG_LAST ); + (*len ) = rhdr->frag_len - rdata->data->data_used; return True; } +/**************************************************************************** + decrypt data on an rpc pipe + ****************************************************************************/ + +static BOOL rpc_auth_pipe(struct cli_state *cli, prs_struct *rdata, + int len, int auth_len) +{ + RPC_AUTH_NTLMSSP_CHK chk; + uint32 crc32; + int data_len = len - 0x18 - auth_len - 8; + char *reply_data = (uchar*)mem_data(&rdata->data, 0x18); + + BOOL auth_verify = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SIGN); + BOOL auth_seal = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL); + + DEBUG(5,("rpc_auth_pipe: len: %d auth_len: %d verify %s seal %s\n", + len, auth_len, BOOLSTR(auth_verify), BOOLSTR(auth_seal))); + +/* RPC_HDR_AUTH rhdr_auth; + prs_struct auth_req; + prs_init(&auth_req , 0x10, 4, 0, True); + smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &hdr_auth, 0); + prs_mem_free(&auth_req); + +*/ + if (auth_seal) + { + DEBUG(10,("rpc_auth_pipe: seal\n")); + dump_data(100, reply_data, data_len); + NTLMSSPcalc(cli->ntlmssp_hash, reply_data, data_len); + dump_data(100, reply_data, data_len); + } + + if (auth_verify) + { + prs_struct auth_verf; + char *data = (uchar*)mem_data(&rdata->data, len - auth_len); + prs_init(&auth_verf, 0x08, 4, 0, True); + DEBUG(10,("rpc_auth_pipe: verify\n")); + dump_data(100, data, auth_len); + NTLMSSPcalc(cli->ntlmssp_hash, data + 4, auth_len - 4); + memcpy(auth_verf.data->data, data, 16); + smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0); + dump_data(100, data, auth_len); + prs_mem_free(&auth_verf); + } + + if (auth_verify) + { + crc32 = crc32_calc_buffer(data_len, reply_data); + if (chk.crc32 != crc32 || + chk.ver != NTLMSSP_SIGN_VERSION || + chk.seq_num != cli->ntlmssp_seq_num++) + { + DEBUG(5,("rpc_auth_pipe: verify failed - crc %x ver %x seq %d\n", + crc32, NTLMSSP_SIGN_VERSION, cli->ntlmssp_seq_num)); + DEBUG(5,("rpc_auth_pipe: verify expect - crc %x ver %x seq %d\n", + chk.crc32, chk.ver, chk.seq_num)); + return False; + } + } + return True; +} + + /**************************************************************************** send data on an rpc pipe, which *must* be in one fragment. receive response data from an rpc pipe, which may be large... @@ -163,12 +225,13 @@ static BOOL rpc_api_pipe(struct cli_state *cli, uint16 cmd, prs_struct *rparam, prs_struct *rdata) { int len; + int alloc_hint = 0; uint16 setup[2]; /* only need 2 uint16 setup parameters */ uint32 err; - uint8 pkt_type = 0xff; BOOL first = True; BOOL last = True; + RPC_HDR rhdr; /* * Setup the pointers from the incoming. @@ -215,12 +278,16 @@ static BOOL rpc_api_pipe(struct cli_state *cli, uint16 cmd, rdata->data->margin = 0; if (rparam) rparam->data->margin = 0; - if (!rpc_check_hdr(rdata, &pkt_type, &first, &last, &len)) return False; + if (!rpc_check_hdr(rdata, &rhdr, &first, &last, &len)) + { + return False; + } - if (pkt_type == RPC_RESPONSE) + if (rhdr.pkt_type == RPC_RESPONSE) { RPC_HDR_RESP rhdr_resp; smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, rdata, 0); + alloc_hint = rhdr_resp.alloc_hint; } DEBUG(5,("rpc_api_pipe: len left: %d smbtrans read: %d\n", @@ -236,6 +303,11 @@ static BOOL rpc_api_pipe(struct cli_state *cli, uint16 cmd, } } + if (rhdr.auth_len != 0 && !rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len)) + { + return False; + } + /* only one rpc fragment, and it has been read */ if (first && last) { @@ -245,39 +317,43 @@ static BOOL rpc_api_pipe(struct cli_state *cli, uint16 cmd, while (!last) /* read more fragments until we get the last one */ { - RPC_HDR rhdr; RPC_HDR_RESP rhdr_resp; int num_read; prs_struct hps; - prs_init(&hps, 0x18, 4, 0, True); + prs_init(&hps, 0x8, 4, 0, True); num_read = cli_read(cli, cli->nt_pipe_fnum, hps.data->data, 0, 0x18); DEBUG(5,("rpc_api_pipe: read header (size:%d)\n", num_read)); if (num_read != 0x18) return False; - smb_io_rpc_hdr ("rpc_hdr ", &rhdr , &hps, 0); + if (!rpc_check_hdr(&hps, &rhdr, &first, &last, &len)) + { + return False; + } + smb_io_rpc_hdr_resp("rpc_hdr_resp", &rhdr_resp, &hps, 0); prs_mem_free(&hps); if (cli_error(cli, NULL, &err)) return False; - first = IS_BITS_SET_ALL(rhdr.flags, RPC_FLG_FIRST); - last = IS_BITS_SET_ALL(rhdr.flags, RPC_FLG_LAST ); - if (first) { DEBUG(0,("rpc_api_pipe: wierd rpc header received\n")); return False; } - len = rhdr.frag_len - hps.offset; if (!rpc_read(cli, rdata, len, rdata->data->data_used)) { return False; } + + if (rhdr.auth_len != 0 && !rpc_auth_pipe(cli, rdata, rhdr.frag_len, rhdr.auth_len)) + { + return False; + } } return True; @@ -316,7 +392,7 @@ static BOOL create_rpc_bind_req(prs_struct *rhdr, if (auth_req != NULL && rhdr_auth != NULL && auth_ntlm != NULL) { - make_rpc_hdr_auth(&hdr_auth, 0x0a, 0x06, 0x00); + make_rpc_hdr_auth(&hdr_auth, 0x0a, 0x06, 0x00, 1); smb_io_rpc_hdr_auth("hdr_auth", &hdr_auth, rhdr_auth, 0); mem_realloc_data(rhdr_auth->data, rhdr_auth->offset); @@ -335,9 +411,12 @@ static BOOL create_rpc_bind_req(prs_struct *rhdr, /* create the request RPC_HDR */ make_rpc_hdr(&hdr, RPC_BIND, 0x0, call_id, + (auth_req != NULL ? auth_req ->offset : 0) + + (auth_ntlm != NULL ? auth_ntlm->offset : 0) + + (rhdr_auth != NULL ? rhdr_auth->offset : 0) + rhdr_rb->offset + 0x10, - auth_req != NULL ? auth_req ->offset : 0 + - auth_ntlm != NULL ? auth_ntlm->offset : 0); + (auth_req != NULL ? auth_req ->offset : 0) + + (auth_ntlm != NULL ? auth_ntlm->offset : 0)); smb_io_rpc_hdr("hdr" , &hdr , rhdr, 0); mem_realloc_data(rhdr->data, rhdr->offset); @@ -505,7 +584,7 @@ BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num, auth_seal = IS_BITS_SET_ALL(cli->ntlmssp_srv_flgs, NTLMSSP_NEGOTIATE_SEAL); /* happen to know that NTLMSSP authentication verifier is 16 bytes */ - auth_len = auth_verify ? 16 : 0; + auth_len = (auth_verify ? 16 : 0); data_len = data->offset + auth_len + (auth_verify ? 8 : 0) + 0x18; data->data->offset.end = data->offset; @@ -522,15 +601,19 @@ BOOL rpc_api_pipe_req(struct cli_state *cli, uint8 op_num, NTLMSSPcalc(cli->ntlmssp_hash, (uchar*)mem_data(&data->data, 0), data->offset); } - if (auth_verify) + if (auth_seal || auth_verify) { - RPC_AUTH_NTLMSSP_CHK chk; RPC_HDR_AUTH rhdr_auth; - make_rpc_hdr_auth(&rhdr_auth, 0x0a, 0x06, 0x08); + make_rpc_hdr_auth(&rhdr_auth, 0x0a, 0x06, 0x08, (auth_verify ? 1 : 0)); smb_io_rpc_hdr_auth("hdr_auth", &rhdr_auth, &hdr_auth, 0); + } - make_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION, crc32, 0); + if (auth_verify) + { + RPC_AUTH_NTLMSSP_CHK chk; + + make_rpc_auth_ntlmssp_chk(&chk, NTLMSSP_SIGN_VERSION, crc32, cli->ntlmssp_seq_num++); smb_io_rpc_auth_ntlmssp_chk("auth_sign", &chk, &auth_verf, 0); NTLMSSPcalc(cli->ntlmssp_hash, (uchar*)mem_data(&auth_verf.data, 4), 12); } @@ -737,11 +820,11 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name, if (!valid_pipe_name(pipe_name, abstract, transfer)) return False; - prs_init(&hdr , 0x10 , 4, 0x0 , False); - prs_init(&hdr_rb , 1024 , 4, SAFETY_MARGIN, False); - prs_init(&hdr_auth , ntlmssp_auth ? 8 : 0, 4, SAFETY_MARGIN, False); - prs_init(&auth_req , ntlmssp_auth ? 1024 : 0, 4, SAFETY_MARGIN, False); - prs_init(&auth_ntlm, ntlmssp_auth ? 1024 : 0, 4, SAFETY_MARGIN, False); + prs_init(&hdr , 0x10 , 4, 0x0 , False); + prs_init(&hdr_rb , 1024 , 4, SAFETY_MARGIN, False); + prs_init(&hdr_auth , (ntlmssp_auth ? 8 : 0), 4, SAFETY_MARGIN, False); + prs_init(&auth_req , (ntlmssp_auth ? 1024 : 0), 4, SAFETY_MARGIN, False); + prs_init(&auth_ntlm, (ntlmssp_auth ? 1024 : 0), 4, SAFETY_MARGIN, False); prs_init(&rdata , 0 , 4, SAFETY_MARGIN, True); prs_init(&rparam , 0 , 4, SAFETY_MARGIN, True); @@ -810,11 +893,6 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name, prs_init(&auth_resp, 1024, 4, SAFETY_MARGIN, False); pwd_make_lm_nt_owf(&cli->pwd, rhdr_chal.challenge); - pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL); - pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL); - NTLMSSPOWFencrypt(lm_hash, lm_owf, p24); - bzero(lm_hash, sizeof(lm_hash)); - NTLMSSPhash(cli->ntlmssp_hash, p24); create_rpc_bind_resp(&cli->pwd, cli->domain, cli->user_name, global_myname, @@ -822,6 +900,12 @@ static BOOL rpc_pipe_bind(struct cli_state *cli, char *pipe_name, call_id, &hdra, &hdr_autha, &auth_resp); + pwd_get_lm_nt_owf(&cli->pwd, lm_owf, NULL); + pwd_get_lm_nt_16(&cli->pwd, lm_hash, NULL); + NTLMSSPOWFencrypt(lm_hash, lm_owf, p24); + bzero(lm_hash, sizeof(lm_hash)); + NTLMSSPhash(cli->ntlmssp_hash, p24); + /* this is a hack due to limitations in rpc_api_pipe */ prs_init(&dataa, mem_buf_len(hdra.data), 4, 0x0, False); mem_buf_copy(dataa.data->data, hdra.data, 0, mem_buf_len(hdra.data)); @@ -909,16 +993,16 @@ BOOL cli_nt_session_open(struct cli_state *cli, char *pipe_name, BOOL encrypted) if (encrypted) { - cli->ntlmssp_cli_flgs = - NTLMSSP_NEGOTIATE_UNICODE | -/* NTLMSSP_NEGOTIATE_OEM | - */ + cli->ntlmssp_cli_flgs = 0xb2b3; +/* NTLMSSP_NEGOTIATE_UNICODE | + NTLMSSP_NEGOTIATE_OEM | + NTLMSSP_NEGOTIATE_SIGN | NTLMSSP_NEGOTIATE_SEAL | NTLMSSP_NEGOTIATE_LM_KEY | NTLMSSP_NEGOTIATE_NTLM | NTLMSSP_NEGOTIATE_ALWAYS_SIGN; -/* + NTLMSSP_NEGOTIATE_00001000 | NTLMSSP_NEGOTIATE_00002000; */ diff --git a/source3/rpc_parse/parse_rpc.c b/source3/rpc_parse/parse_rpc.c index 6b4deb00cf..f9745da4b4 100644 --- a/source3/rpc_parse/parse_rpc.c +++ b/source3/rpc_parse/parse_rpc.c @@ -462,7 +462,8 @@ creates an RPC_HDR_AUTH structure. ********************************************************************/ void make_rpc_hdr_auth(RPC_HDR_AUTH *rai, uint8 auth_type, uint8 auth_level, - uint8 stub_type_len) + uint8 stub_type_len, + uint32 ptr) { if (rai == NULL) return; @@ -471,7 +472,7 @@ void make_rpc_hdr_auth(RPC_HDR_AUTH *rai, rai->stub_type_len = stub_type_len; /* 0x00 */ rai->padding = 0; /* padding 0x00 */ - rai->unknown = 0x0014a0c0; /* non-zero pointer to something */ + rai->unknown = ptr; /* non-zero pointer to something */ } /******************************************************************* @@ -532,8 +533,8 @@ void make_rpc_auth_ntlmssp_neg(RPC_AUTH_NTLMSSP_NEG *neg, neg->neg_flgs = neg_flgs ; /* 0x00b2b3 */ - make_str_hdr(&neg->hdr_myname, len_myname+1, len_myname+1, 0x20); - make_str_hdr(&neg->hdr_domain, len_domain+1, len_domain+1, 0x20 + len_myname+1); + make_str_hdr(&neg->hdr_domain, len_domain, len_domain, 0x20 + len_myname); + make_str_hdr(&neg->hdr_myname, len_myname, len_myname, 0x20); fstrcpy(neg->myname, myname); fstrcpy(neg->domain, domain); @@ -551,11 +552,38 @@ void smb_io_rpc_auth_ntlmssp_neg(char *desc, RPC_AUTH_NTLMSSP_NEG *neg, prs_stru prs_uint32("neg_flgs ", ps, depth, &(neg->neg_flgs)); - smb_io_strhdr("hdr_myname", &(neg->hdr_myname), ps, depth); - smb_io_strhdr("hdr_domain", &(neg->hdr_domain), ps, depth); + if (ps->io) + { + uint32 old_offset; + + /* reading */ + + ZERO_STRUCTP(neg); + + smb_io_strhdr("hdr_domain", &(neg->hdr_domain), ps, depth); + smb_io_strhdr("hdr_myname", &(neg->hdr_myname), ps, depth); + + old_offset = ps->offset; + + ps->offset = neg->hdr_myname .buffer + 0x1c; + prs_uint8s(True , "myname", ps, depth, (uint8*)neg->myname , MIN(neg->hdr_myname .str_str_len, sizeof(neg->myname ))); + old_offset += neg->hdr_myname .str_str_len; + + ps->offset = neg->hdr_domain .buffer + 0x1c; + prs_uint8s(True , "domain", ps, depth, (uint8*)neg->domain , MIN(neg->hdr_domain .str_str_len, sizeof(neg->domain ))); + old_offset += neg->hdr_domain .str_str_len; + + ps->offset = old_offset; + } + else + { + /* writing */ + smb_io_strhdr("hdr_domain", &(neg->hdr_domain), ps, depth); + smb_io_strhdr("hdr_myname", &(neg->hdr_myname), ps, depth); - prs_string("domain", ps, depth, neg->domain, neg->hdr_domain.str_str_len-1, sizeof(neg->domain)); - prs_string("myname", ps, depth, neg->myname, neg->hdr_myname.str_str_len-1, sizeof(neg->myname)); + prs_uint8s(True , "myname", ps, depth, (uint8*)neg->myname , MIN(neg->hdr_myname .str_str_len, sizeof(neg->myname ))); + prs_uint8s(True , "domain", ps, depth, (uint8*)neg->domain , MIN(neg->hdr_domain .str_str_len, sizeof(neg->domain ))); + } } /******************************************************************* diff --git a/source3/rpcclient/cmd_samr.c b/source3/rpcclient/cmd_samr.c index 81fd373613..2b5fe909ab 100644 --- a/source3/rpcclient/cmd_samr.c +++ b/source3/rpcclient/cmd_samr.c @@ -80,7 +80,7 @@ void cmd_sam_ntchange_pwd(struct client_info *info) E_old_pw_hash(lm_newhash, nt_oldhash, nt_hshhash); /* open SAMR session. */ - res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR, False) : False; + res = res ? cli_nt_session_open(smb_cli, PIPE_SAMR, True) : False; /* establish a connection. */ res = res ? do_samr_unknown_38(smb_cli, srv_name) : False; @@ -119,12 +119,13 @@ void cmd_sam_test(struct client_info *info) fstrcpy(sid , info->dom.level5_sid); fstrcpy(domain, info->dom.level5_dom); +/* if (strlen(sid) == 0) { fprintf(out_hnd, "please use 'lsaquery' first, to ascertain the SID\n"); return; } - +*/ fstrcpy(srv_name, "\\\\"); fstrcat(srv_name, info->dest_host); strupper(srv_name); diff --git a/source3/smbd/password.c b/source3/smbd/password.c index b505da18fa..49ad4a514f 100644 --- a/source3/smbd/password.c +++ b/source3/smbd/password.c @@ -470,26 +470,26 @@ static BOOL pass_check_smb(char *user,char *password, struct passwd *pwd) } if (!pass) { - DEBUG(1,("Couldn't find user %s\n",user)); + DEBUG(3,("Couldn't find user %s\n",user)); return(False); } smb_pass = getsmbpwnam(user); if (!smb_pass) { - DEBUG(0,("Couldn't find user %s in smb_passwd file.\n", user)); + DEBUG(3,("Couldn't find user %s in smb_passwd file.\n", user)); return(False); } /* Quit if the account was disabled. */ if(smb_pass->acct_ctrl & ACB_DISABLED) { - DEBUG(0,("account for user %s was disabled.\n", user)); + DEBUG(3,("account for user %s was disabled.\n", user)); return(False); } /* Ensure the uid's match */ if (smb_pass->smb_userid != pass->pw_uid) { - DEBUG(0,("Error : UNIX and SMB uids in password files do not match !\n")); + DEBUG(3,("Error : UNIX and SMB uids in password files do not match !\n")); return(False); } -- cgit