/* * smb_andx_decode.c * * Copyright (C) 2004-2006 Sourcefire,Inc * * This program is free software; you can redistribute it and/or modify * it under the terms of the GNU General Public License Version 2 as * published by the Free Software Foundation.  You may not use, modify or * distribute this program under any other version of the GNU General * Public License. * * This program is distributed in the hope that it will be useful, * but WITHOUT ANY WARRANTY; without even the implied warranty of * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the * GNU General Public License for more details. * * You should have received a copy of the GNU General Public License * along with this program; if not, write to the Free Software * Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA. * * Description: * * This performs the decoding of SMB AndX commands. * * NOTES: * - 08.12.04:  Initial Development.  SAS * */#ifdef HAVE_CONFIG_H#include "config.h"#endif#include <stdlib.h>#ifdef HAVE_WCHAR_H#include <wchar.h>#endif#include <string.h>#include "debug.h"#include "bounds.h"#include "snort_dcerpc.h"#include "smb_structs.h"#include "smb_andx_structs.h"#include "smb_andx_decode.h"#include "dcerpc_util.h"#include "dcerpc.h"#define FIELD_ACCT_NAME 0#define FIELD_PRIM_DOMAIN 1#define SESS_AUTH_FIELD(i) ((i == FIELD_ACCT_NAME) ? "AccountName" : ((i == FIELD_PRIM_DOMAIN) ? "PrimaryDomain"  : "Unknown"))#define FIELD_NATIVE_OS 0#define FIELD_NATIVE_LANMAN 1#define SESS_NATIVE_FIELD(i) ((i == FIELD_NATIVE_OS) ? "NativeOS" : ((i == FIELD_NATIVE_LANMAN) ? "NativeLanMan" : "Unknown"))/* Externs */extern DCERPC         *_dcerpc;extern SFSnortPacket  *_dcerpc_pkt;extern u_int8_t        _disable_smb_fragmentation;extern u_int16_t       _max_frag_size;static void ReassembleSMBWriteX(SMB_WRITEX_REQ *writeX, u_int8_t *smb_data);static int SMB_Fragmentation(u_int8_t *smb_hdr, SMB_WRITEX_REQ *writeX,                               u_int8_t *smb_data, u_int16_t data_size);static int GetSMBStringLength(u_int8_t *data, u_int16_t data_size, int unicode);#ifdef DEBUG_DCERPC_PRINTstatic void PrintSMBString(char *pre, u_int8_t *str, u_int16_t str_len, int unicode);#endif/* smb_data is guaranteed to be at least an SMB_WRITEX_REQ length away from writeX * if it's farther it's because there was padding */static void ReassembleSMBWriteX(SMB_WRITEX_REQ *writeX, u_int8_t *smb_data){    SMB_WRITEX_REQ temp_writeX;    u_int16_t      smb_hdr_len = sizeof(SMB_HDR) + sizeof(NBT_HDR);    u_int16_t      writeX_len = (u_int16_t)(smb_data - (u_int8_t *)writeX);    u_int32_t      check_len;    int            ret;    int            padding = writeX_len - sizeof(SMB_WRITEX_REQ);    check_len = (u_int32_t)smb_hdr_len + (u_int32_t)writeX_len + (u_int32_t)_dcerpc->write_andx_buf_len;    /* Make sure we have room to fit into alternate buffer */    if ( check_len > _dpd.altBufferLen )    {        DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Reassembled SMB packet greater than %d bytes, skipping.",															_dpd.altBufferLen));        goto dcerpc_fragfree;    }    /* Mock up header */    ret = SafeMemcpy(&temp_writeX, writeX, sizeof(SMB_WRITEX_REQ), &temp_writeX, (u_int8_t *)&temp_writeX + sizeof(SMB_WRITEX_REQ));    if (ret == 0)    {        DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "WriteAndX header too big: %u, skipping SMB reassembly.",                                 _dpd.altBufferLen));        goto dcerpc_fragfree;    }    temp_writeX.remaining = smb_htons(_dcerpc->write_andx_buf_len);    temp_writeX.dataLength = smb_htons(_dcerpc->write_andx_buf_len);    temp_writeX.dataOffset = smb_htons(sizeof(SMB_HDR) + sizeof(SMB_WRITEX_REQ) + padding);    temp_writeX.andXCommand = 0xFF;    temp_writeX.andXOffset = 0x0000;    /* Copy headers into buffer */    /* SMB Header */    ret = SafeMemcpy(_dpd.altBuffer, _dcerpc_pkt->payload, smb_hdr_len,                            _dpd.altBuffer, _dpd.altBuffer + _dpd.altBufferLen);    if ( ret == 0 )    {        DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "WriteAndX header too big: %u, skipping SMB reassembly.",															_dpd.altBufferLen));        goto dcerpc_fragfree;    }    _dcerpc_pkt->normalized_payload_size = smb_hdr_len;        /* Write AndX header */    ret = SafeMemcpy(_dpd.altBuffer + _dcerpc_pkt->normalized_payload_size, &temp_writeX,                     sizeof(SMB_WRITEX_REQ), _dpd.altBuffer, _dpd.altBuffer + _dpd.altBufferLen);    if ( ret == 0 )    {        DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "WriteAndX header too big: %u, skipping SMB reassembly.",															_dpd.altBufferLen));        goto dcerpc_fragfree;    }    _dcerpc_pkt->normalized_payload_size += sizeof(SMB_WRITEX_REQ);    /* Account for optional padding byte in WriteAndX header.  It is never used so we don't write it. */    _dcerpc_pkt->normalized_payload_size += padding;        /* Copy data into buffer */    ret = SafeMemcpy(_dpd.altBuffer + _dcerpc_pkt->normalized_payload_size, _dcerpc->write_andx_buf,                    _dcerpc->write_andx_buf_len, _dpd.altBuffer, _dpd.altBuffer + _dpd.altBufferLen);    if ( ret == 0 )    {        DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "WriteAndX header too big: %u, skipping SMB reassembly.",															_dpd.altBufferLen));        goto dcerpc_fragfree;    }    _dcerpc_pkt->normalized_payload_size += _dcerpc->write_andx_buf_len;    _dcerpc_pkt->flags |= FLAG_ALT_DECODE;    if (_dcerpc->write_andx_buf_len > 0)        ProcessDCERPCMessage(_dcerpc_pkt->payload + sizeof(NBT_HDR),                             sizeof(SMB_HDR) + writeX_len,                             _dcerpc->write_andx_buf, _dcerpc->write_andx_buf_len);dcerpc_fragfree:    /* Get ready for next write */    DCERPC_FragFree(_dcerpc->write_andx_buf, _dcerpc->write_andx_buf_size);    _dcerpc->write_andx_buf = NULL;    _dcerpc->write_andx_buf_len = 0;    _dcerpc->write_andx_buf_size = 0;    _dcerpc->fragmentation &= ~SMB_FRAGMENTATION;    _dcerpc->fragmentation &= ~SUSPEND_FRAGMENTATION;}int SMB_Fragmentation(u_int8_t *smb_hdr, SMB_WRITEX_REQ *writeX, u_int8_t *smb_data, u_int16_t data_size){    u_int16_t writeX_length, temp_len;    int       success = 0;    int ret = 0;    /* Check for fragmentation */    if ( _disable_smb_fragmentation )        return 0;    /* If not yet reassembling, attempt to parse as full DCE/RPC packet */    if ( !(_dcerpc->fragmentation & SMB_FRAGMENTATION) )    {        success = ProcessDCERPCMessage(smb_hdr, smb_data - smb_hdr, smb_data, data_size);        if ( success )            return 0;    }    /* Set up writeX buffer to save SMB data.  Ignore dataLengthHigh, since we won't        handle fragments that big.  */    writeX_length = data_size;    /* Allocate space for buffer        For now, ignore offset, since servers seem to */    if ( _dcerpc->fragmentation & SUSPEND_FRAGMENTATION )        return 0;    if ( _dcerpc->write_andx_buf == NULL )    {        if ( writeX_length > _max_frag_size )            writeX_length = _max_frag_size;        _dcerpc->write_andx_buf = (u_int8_t *) DCERPC_FragAlloc(NULL, 0, &writeX_length);        if ( writeX_length == 0 )        {            DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Memcap reached, ignoring SMB fragmentation reassembly.\n"););            DCERPC_FragFree(_dcerpc->write_andx_buf, 0);            _dcerpc->write_andx_buf = NULL;            _dcerpc->fragmentation |= SUSPEND_FRAGMENTATION;            return 0;        }                if ( !_dcerpc->write_andx_buf )            DynamicPreprocessorFatalMessage("Failed to allocate space for first SMB Write AndX\n");        _dcerpc->write_andx_buf_size = writeX_length;        _dcerpc->write_andx_buf_len  = 0;    }    else    {        u_int16_t new_size;        if ( writeX_length > _max_frag_size )            writeX_length = _max_frag_size;        if ( _dcerpc->write_andx_buf_size >= (0xFFFF - writeX_length) )        {            DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "SMB fragmentation overflow.\n"););            _dcerpc->fragmentation |= SUSPEND_FRAGMENTATION;                        DCERPC_FragFree(_dcerpc->write_andx_buf, _dcerpc->write_andx_buf_size);            _dcerpc->write_andx_buf = NULL;            _dcerpc->write_andx_buf_len = 0;            _dcerpc->write_andx_buf_size = 0;            return 0;        }        new_size = _dcerpc->write_andx_buf_size + writeX_length;        _dcerpc->write_andx_buf = (u_int8_t *) DCERPC_FragAlloc(_dcerpc->write_andx_buf,                                             _dcerpc->write_andx_buf_size, &new_size);                    if ( new_size == _dcerpc->write_andx_buf_size )        {            DEBUG_WRAP(DebugMessage(DEBUG_DCERPC, "Memcap reached, suspending SMB fragmentation reassembly.\n"););            _dcerpc->fragmentation |= SUSPEND_FRAGMENTATION;                        DCERPC_FragFree(_dcerpc->write_andx_buf, _dcerpc->write_andx_buf_size);            _dcerpc->write_andx_buf = NULL;            _dcerpc->write_andx_buf_len = 0;            _dcerpc->write_andx_buf_size = 0;            return 0;        }        if ( !_dcerpc->write_andx_buf )            DynamicPreprocessorFatalMessage("Failed to reallocate space for SMB Write AndX\n");        _dcerpc->write_andx_buf_size = new_size;    }    /* SMB frag */    if ( writeX_length > (_dcerpc->write_andx_buf_size - _dcerpc->write_andx_buf_len) )    {        writeX_length = _dcerpc->write_andx_buf_size - _dcerpc->write_andx_buf_len;    }    /* Make sure data to be copied is within source buffer */    if ( (smb_data + writeX_length) > (_dcerpc_pkt->payload + _dcerpc_pkt->payload_size) )    {        temp_len = _dcerpc_pkt->payload + _dcerpc_pkt->payload_size - smb_data;        if ( writeX_length > temp_len )        {            writeX_length = temp_len;        }    }    ret = SafeMemcpy(_dcerpc->write_andx_buf + _dcerpc->write_andx_buf_len, smb_data, writeX_length,                     _dcerpc->write_andx_buf, _dcerpc->write_andx_buf + _dcerpc->write_andx_buf_size);    if (ret == 0)    {        DCERPC_FragFree(_dcerpc->write_andx_buf, _dcerpc->write_andx_buf_size);        _dcerpc->write_andx_buf = NULL;        _dcerpc->write_andx_buf_len = 0;        _dcerpc->write_andx_buf_size = 0;        _dcerpc->fragmentation |= SUSPEND_FRAGMENTATION;        return 0;    }    _dcerpc->write_andx_buf_len += writeX_length;    _dcerpc->fragmentation |= SMB_FRAGMENTATION;    if ( IsCompleteDCERPCMessage(_dcerpc->write_andx_buf, _dcerpc->write_andx_buf_len) )    {        ReassembleSMBWriteX(writeX, smb_data);        _dcerpc->fragmentation &= ~SMB_FRAGMENTATION;    }    return 0;}/* IPC$ has to occur at the end of this path - path_len should include null termination */static int IsIPC(u_int8_t *path, int path_len, u_int32_t isUnicode){    const u_int8_t ipc[] = {'I', 'P', 'C', '$', '\0'};    const u_int16_t ipc_len = 5;    const u_int8_t unicode_ipc[] = {'I', '\0', 'P', '\0', 'C', '\0', '$', '\0', '\0', '\0'};    const u_int16_t unicode_ipc_len = 10;    if (isUnicode)    {        if (path_len < unicode_ipc_len)            return 0;        /* go to end of path then back up the length of the          * unicode_ipc string */        path = (path + path_len) - unicode_ipc_len;        if (memcmp(path, unicode_ipc, unicode_ipc_len) == 0)            return 1;    }    else    {        if (path_len < ipc_len)            return 0;        /* go to end of path and back up the length of the         * ipc string */        path = (path + path_len) - ipc_len;        if (memcmp(path, ipc, ipc_len) == 0)            return 1;    }            return 0;}/* returns -1 if not null terminated  * returns -2 for other error * otherwise returns length of null terminated string * including null terminating bytes */static int GetSMBStringLength(u_int8_t *data, u_int16_t data_size, int unicode){    u_int16_t size_left;    if (data == NULL)        return -2;    size_left = data_size;    if (unicode)    {        while (size_left >= sizeof(uni_char_t))        {            size_left -= sizeof(uni_char_t);            if (*((uni_char_t *)data) == 0x0000)            {                return (int)(data_size - size_left);            }            data += sizeof(uni_char_t);        }    }    else    {        while (size_left >= sizeof(char))        {            size_left -= sizeof(char);            if (*((char *)data) == 0x00)            {                return (int)(data_size - size_left);            }            data += sizeof(char);        }    }    return -1;}#ifdef DEBUG_DCERPC_PRINTstatic void PrintSMBString(char *pre, u_int8_t *str, u_int16_t str_len, int unicode){    if (pre == NULL || str == NULL || str_len == 0)        return;    printf("%s", pre);    if (unicode)    {        int i = 0;        while (i < str_len)        {            printf("%c", str[i]);            i += sizeof(uni_char_t);        }    }    else    {        printf("%.*s", str_len, str);    }