Chip 2007 January, February, March & April

home *** CD-ROM | disk | FTP | other *** search

/ Chip 2007 January, February, March & April / Chip-Cover-CD-2007-02.iso / Pakiet bezpieczenstwa / mini Pentoo LiveCD 2006.1 / mpentoo-2006.1.iso / livecd.squashfs / usr / lib / python2.4 / site-packages / impacket / dcerpc / dcerpc.pyc (.txt) < prev next >

Wrap

Python Compiled Bytecode | 2006-06-30 | 38KB | 1,063 lines

# Source Generated with Decompyle++ # File: in.pyc (Python 2.4) import array from binascii import crc32 try: from Crypto.Cipher import ARC4 from Crypto.Hash import MD4 POW = None except Exception: try: import POW except Exception: print 'WARNING: Crypto package not found. Some features will fail.' from impacket import ntlm from impacket import ImpactPacket from impacket.structure import Structure, pack, unpack MSRPC_REQUEST = 0 MSRPC_RESPONSE = 2 MSRPC_FAULT = 3 MSRPC_ACK = 7 MSRPC_BIND = 11 MSRPC_BINDACK = 12 MSRPC_BINDNAK = 13 MSRPC_ALTERCTX = 14 MSRPC_AUTH3 = 16 MSRPC_FIRSTFRAG = 1 MSRPC_LASTFRAG = 2 MSRPC_NOTAFRAG = 4 MSRPC_RECRESPOND = 8 MSRPC_NOMULTIPLEX = 16 MSRPC_NOTFORIDEMP = 32 MSRPC_NOTFORBCAST = 64 MSRPC_NOUUID = 128 rpc_provider_reason = { 0: 'reason_not_specified', 1: 'abstract_syntax_not_supported', 2: 'proposed_transfer_syntaxes_not_supported', 3: 'local_limit_exceeded' } MSRPC_CONT_RESULT_ACCEPT = 0 MSRPC_CONT_RESULT_USER_REJECT = 1 MSRPC_CONT_RESULT_PROV_REJECT = 2 rpc_cont_def_result = { 0: 'acceptance', 1: 'user_rejection', 2: 'provider_rejection' } rpc_status_codes = { 0x5L: 'rpc_s_access_denied', 0x8L: 'Authentication type not recognized', 0x6C6L: 'rpc_x_invalid_bound', 0x6F7L: 'rpc_x_bad_stub_data', 0x1C010001L: 'nca_s_comm_failure', 0x1C010002L: 'nca_s_op_rng_error', 0x1C010003L: 'nca_s_unk_if', 0x1C010006L: 'nca_s_wrong_boot_time', 0x1C010009L: 'nca_s_you_crashed', 0x1C01000BL: 'nca_s_proto_error', 0x1C010013L: 'nca_s_out_args_too_big ', 0x1C010014L: 'nca_s_server_too_busy', 0x1C010015L: 'nca_s_fault_string_too_long', 0x1C010017L: 'nca_s_unsupported_type ', 0x1C000001L: 'nca_s_fault_int_div_by_zero', 0x1C000002L: 'nca_s_fault_addr_error ', 0x1C000003L: 'nca_s_fault_fp_div_zero', 0x1C000004L: 'nca_s_fault_fp_underflow', 0x1C000005L: 'nca_s_fault_fp_overflow', 0x1C000006L: 'nca_s_fault_invalid_tag', 0x1C000007L: 'nca_s_fault_invalid_bound ', 0x1C000008L: 'nca_s_rpc_version_mismatch', 0x1C000009L: 'nca_s_unspec_reject ', 0x1C00000AL: 'nca_s_bad_actid', 0x1C00000BL: 'nca_s_who_are_you_failed', 0x1C00000CL: 'nca_s_manager_not_entered ', 0x1C00000DL: 'nca_s_fault_cancel', 0x1C00000EL: 'nca_s_fault_ill_inst', 0x1C00000FL: 'nca_s_fault_fp_error', 0x1C000010L: 'nca_s_fault_int_overflow', 0x1C000012L: 'nca_s_fault_unspec', 0x1C000013L: 'nca_s_fault_remote_comm_failure ', 0x1C000014L: 'nca_s_fault_pipe_empty ', 0x1C000015L: 'nca_s_fault_pipe_closed', 0x1C000016L: 'nca_s_fault_pipe_order ', 0x1C000017L: 'nca_s_fault_pipe_discipline', 0x1C000018L: 'nca_s_fault_pipe_comm_error', 0x1C000019L: 'nca_s_fault_pipe_memory', 0x1C00001AL: 'nca_s_fault_context_mismatch ', 0x1C00001BL: 'nca_s_fault_remote_no_memory ', 0x1C00001CL: 'nca_s_invalid_pres_context_id', 0x1C00001DL: 'nca_s_unsupported_authn_level', 0x1C00001FL: 'nca_s_invalid_checksum ', 0x1C000020L: 'nca_s_invalid_crc', 0x1C000021L: 'nca_s_fault_user_defined', 0x1C000022L: 'nca_s_fault_tx_open_failed', 0x1C000023L: 'nca_s_fault_codeset_conv_error', 0x1C000024L: 'nca_s_fault_object_not_found ', 0x1C000025L: 'nca_s_fault_no_client_stub' } class MSRPCArray: def __init__(self, id = 0, len = 0, size = 0): self._length = len self._size = size self._id = id self._max_len = 0 self._offset = 0 self._length2 = 0 self._name = '' def set_max_len(self, n): self._max_len = n def set_offset(self, n): self._offset = n def set_length2(self, n): self._length2 = n def get_size(self): return self._size def set_name(self, n): self._name = n def get_name(self): return self._name def get_id(self): return self._id def rawData(self): return pack('<HHLLLL', self._length, self._size, 305419896, self._max_len, self._offset, self._length2) + self._name.encode('utf-16le') class MSRPCNameArray: def __init__(self, data = None): self._count = 0 self._max_count = 0 self._elements = [] if data: self.load(data) def load(self, data): ptr = unpack('<L', data[:4])[0] index = 4 if 0 == ptr: return None (self._count, _, self._max_count) = unpack('<LLL', data[index:index + 12]) index += 12 for i in range(0, self._count): (aindex, length, size, _) = unpack('<LHHL', data[index:index + 12]) self._elements.append(MSRPCArray(aindex, length, size)) index += 12 for element in self._elements: (max_len, offset, curlen) = unpack('<LLL', data[index:index + 12]) index += 12 element.set_name(unicode(data[index:index + 2 * curlen], 'utf-16le')) element.set_max_len(max_len) element.set_offset(offset) element.set_length2(curlen) index += 2 * curlen if curlen & 1: index += 2 continue def elements(self): return self._elements def rawData(self): ret = pack('<LLLL', 1953789044, self._count, 1195853639, self._max_count) pos_ret = [] for i in xrange(0, self._count): ret += pack('<L', self._elements[i].get_id()) data = self._elements[i].rawData() ret += data[:8] pos_ret += data[8:] return ret + pos_ret class MSRPCHeader(ImpactPacket.Header): _SIZE = 16 commonHdr = (('ver_major', 'B'), ('ver_minor', 'B'), ('type', 'B=MSRPC_REQUEST'), ('flags', 'B=MSRPC_FIRSTFRAG | MSRPC_LASTFRAG'), ('represntation', '<L=0x10'), ('frag_len', '<H=24+len(data)+len(auth_data)'), ('auth_len', '<H=len(auth_data)-8'), ('call_id', '<L=1')) structure = (('data', ':'), ('auth_data', ':')) def __init__(self, aBuffer = None, endianness = '<'): ImpactPacket.Header.__init__(self, self._SIZE) self.endianness = endianness self.set_version((5, 0)) self.set_flags(MSRPC_FIRSTFRAG | MSRPC_LASTFRAG) if endianness == '<': self.set_representation(16) else: self.set_representation(0) self._MSRPCHeader__frag_len_set = 0 self.set_auth_len(0) self.set_call_id(1) self.set_auth_data('') if aBuffer: self.load_header(aBuffer) def get_version(self): ''' This method returns a tuple in (major, minor) form.''' return (self.get_byte(0), self.get_byte(1)) def set_version(self, version): ''' This method takes a tuple in (major, minor) form.''' self.set_byte(0, version[0]) self.set_byte(1, version[1]) def get_type(self): return self.get_byte(2) def set_type(self, type): self.set_byte(2, type) def get_flags(self): return self.get_byte(3) def set_flags(self, flags): self.set_byte(3, flags) def get_representation(self): return self.get_long(4, self.endianness) def set_representation(self, representation): self.set_long(4, representation, self.endianness) def get_frag_len(self): return self.get_word(8, self.endianness) def set_frag_len(self, len): self._MSRPCHeader__frag_len_set == 1 self.set_word(8, len, self.endianness) def get_auth_len(self): return self.get_word(10, self.endianness) def set_auth_len(self, len): self.set_word(10, len, self.endianness) def set_auth_data(self, data): self._auth_data = data def get_call_id(self): return self.get_long(12, self.endianness) def set_call_id(self, id): self.set_long(12, id, self.endianness) def get_header_size(self): return self._SIZE def contains(self, aHeader): ImpactPacket.Header.contains(self, aHeader) if self.child(): self.set_op_num(self.child().OP_NUM) def set_alloc_hint(self, hint): pass def get_packet(self): if self._auth_data: self.set_auth_len(len(self._auth_data) - 8) if self.child(): contents_size = self.child().get_size() else: contents_size = 0 contents_size += len(self._auth_data) if not self._MSRPCHeader__frag_len_set: self.set_frag_len(self.get_header_size() + contents_size) self.set_alloc_hint(contents_size) return ImpactPacket.Header.get_packet(self) + self._auth_data class MSRPCRequestHeader(MSRPCHeader): _SIZE = 24 structure = (('alloc_hint', '<L=frag_len'), ('ctx_id', '<H=0'), ('op_num', '<H'), ('data', ':'), ('auth_data', ':')) def __init__(self, aBuffer = None, endianness = '<'): MSRPCHeader.__init__(self, aBuffer = aBuffer, endianness = endianness) self.set_type(MSRPC_REQUEST) self.set_ctx_id(0) self.set_alloc_hint(0) def get_alloc_hint(self): return self.get_long(16, self.endianness) def set_alloc_hint(self, len): self.set_long(16, len, self.endianness) def get_ctx_id(self): return self.get_word(20, self.endianness) def set_ctx_id(self, id): self.set_word(20, id, self.endianness) def get_op_num(self): return self.get_word(22, self.endianness) def set_op_num(self, op): self.set_word(22, op, self.endianness) class MSRPCRespHeader(MSRPCHeader): _SIZE = 24 structure = (('alloc_hint', '<L=frag_len'), ('ctx_id', '<H=0'), ('cancel_count', '<B'), ('padding', '<B=0'), ('data', ':'), ('auth_data', ':')) def __init__(self, aBuffer = None, endianness = '<'): MSRPCHeader.__init__(self, aBuffer = aBuffer, endianness = endianness) self.set_type(MSRPC_RESPONSE) self.set_ctx_id(0) self.set_alloc_hint(0) def get_alloc_hint(self): return self.get_long(16, self.endianness) def set_alloc_hint(self, len): self.set_long(16, len, self.endianness) def get_ctx_id(self): return self.get_word(20, self.endianness) def set_ctx_id(self, id): self.set_word(20, id, self.endianness) def get_cancel_count(self): return self.get_byte(22) class MSRPCBind(MSRPCHeader): _SIZE = 72 - 44 structure = (('max_tfrag', '<H=4280'), ('max_rfrag', '<H=4280'), ('assoc_group', '<L=0'), ('ctx_num', 'B')) def __init__(self, aBuffer = None, endianness = '<'): MSRPCHeader.__init__(self, aBuffer = aBuffer, endianness = endianness) self.set_type(MSRPC_BIND) self.set_max_tfrag(4280) self.set_max_rfrag(4280) self.set_assoc_group(0) self.set_ctx_num(1) def get_max_tfrag(self): return self.get_word(16, self.endianness) def set_max_tfrag(self, size): self.set_word(16, size, self.endianness) def get_max_rfrag(self): return self.get_word(18, self.endianness) def set_max_rfrag(self, size): self.set_word(18, size, self.endianness) def get_assoc_group(self): return self.get_long(20, self.endianness) def set_assoc_group(self, id): self.set_long(20, id, self.endianness) def get_ctx_num(self): return self.get_byte(24) def set_ctx_num(self, num): self._SIZE = 28 + num * 44 self.set_byte(24, num) def get_ctx_id(self, index = 0): return self.get_word(28 + 44 * index, self.endianness) def set_ctx_id(self, id, index = 0): self.set_word(28 + 44 * index, id, self.endianness) def get_trans_num(self, index = 0): return self.get_byte(30 + 44 * index) def set_trans_num(self, op, index = 0): self.set_byte(30 + 44 * index, op) self.set_byte(31 + 44 * index, 0) def get_if_binuuid(self, index = 0): return self.get_bytes().tolist()[32 + 44 * index:32 + 44 * index + 16] def set_if_binuuid(self, binuuid, index = 0): self.get_bytes()[32 + 44 * index:32 + len(binuuid) + 44 * index] = array.array('B', binuuid) def set_if_ver(self, ver, minor, index = 0): self.set_word(48 + 44 * index, ver, self.endianness) self.set_word(50 + 44 * index, minor, self.endianness) def get_if_ver(self, index = 0): return self.get_word(48 + 44 * index, self.endianness) def get_if_ver_minor(self, index = 0): return self.get_word(50 + 44 * index, self.endianness) def get_xfer_syntax_binuuid(self, index = 0): return self.get_bytes().tolist()[52 + 44 * index:52 + 44 * index + 16] def set_xfer_syntax_binuuid(self, binuuid, index = 0): self.get_bytes()[52 + 44 * index:52 + len(binuuid) + 44 * index] = array.array('B', binuuid) def set_xfer_syntax_ver(self, ver, index = 0): self.set_long(68 + 44 * index, ver, self.endianness) def get_xfer_syntax_ver(self, index = 0): self.get_long(68 + 44 * index, ver, self.endianness) class MSRPCBindAck(ImpactPacket.Header): _SIZE = 56 def __init__(self, aBuffer = None): ImpactPacket.Header.__init__(self, self._SIZE) self.set_type(MSRPC_BINDACK) if aBuffer: self.load_header(aBuffer) def get_version(self): ''' This method returns a tuple in (major, minor) form.''' return (self.get_byte(0), self.get_byte(1)) def set_version(self, version): ''' This method takes a tuple in (major, minor) form.''' self.set_byte(0, version[0]) self.set_byte(1, version[1]) def get_type(self): return self.get_byte(2) def set_type(self, type): self.set_byte(2, type) def get_flags(self): return self.get_byte(3) def set_flags(self, flags): self.set_byte(3, flags) def get_representation(self): return self.get_long(4, '<') def set_representation(self, representation): self.set_long(4, representation, '<') def get_frag_len(self): return self.get_word(8, '<') def set_frag_len(self, len): self.set_word(8, len, '<') def get_auth_len(self): return self.get_word(10, '<') def set_auth_len(self, len): self.set_word(10, len, '<') def get_auth_data(self): data = self.get_bytes() return data[-self.get_auth_len() - 8:] def get_call_id(self): return self.get_long(12, '<') def set_call_id(self, id): self.set_long(12, id, '<') def get_max_tfrag(self): return self.get_word(16, '<') def set_max_tfrag(self, size): self.set_word(16, size, '<') def get_max_rfrag(self): return self.get_word(18, '<') def set_max_rfrag(self, size): self.set_word(18, size, '<') def get_assoc_group(self): return self.get_long(20, '<') def set_assoc_group(self, id): self.set_long(20, id, '<') def get_secondary_addr_len(self): return self.get_word(24, '<') def set_secondary_addr_len(self, len): self.set_word(24, len, '<') def get_secondary_addr(self): return self.get_bytes().tolist()[26:26 + self.get_secondary_addr_len()] def set_secondary_addr(self, addr): self.get_bytes()[26:26 + self.get_secondary_addr_len()] = array.array('B', addr) self.set_secondary_addr_len(len(addr)) def _get_results_offset(self): answer = 26 + self.get_secondary_addr_len() answer += 3 answer -= answer % 4 return answer + 2 def get_results_num(self): return self.get_byte(self._get_results_offset() - 2) def set_results_num(self, num): self.set_byte(self._get_results_offset() - 2, num) def get_result(self, index = 0): return self.get_word(self._get_results_offset() + 2 * index, '<') def set_result(self, res, index = 0): self.set_word(self._get_results_offset() + 2 * index, '<') def get_xfer_syntax_binuuid(self): return self.get_bytes().tolist()[-20:] def set_xfer_syntax_binuuid(self, binuuid): if not 20 == len(binuuid): raise AssertionError self.get_bytes()[-20:] = array.array('B', binuuid) def get_header_size(self): var_size = len(self.get_bytes()) - self._SIZE return self._SIZE + var_size def contains(self, aHeader): ImpactPacket.Header.contains(self, aHeader) if self.child(): contents_size = self.child().get_size() self.set_op_num(self.child().OP_NUM) self.set_frag_len(self.get_header_size() + contents_size) self.set_alloc_hint(contents_size) class MSRPCBindNak(ImpactPacket.Header): _SIZE = 24 def __init__(self, aBuffer = None): ImpactPacket.Header.__init__(self, self._SIZE) self.set_type(MSRPC_BINDNAK) if aBuffer: self.load_header(aBuffer) def get_version(self): ''' This method returns a tuple in (major, minor) form.''' return (self.get_byte(0), self.get_byte(1)) def set_version(self, version): ''' This method takes a tuple in (major, minor) form.''' self.set_byte(0, version[0]) self.set_byte(1, version[1]) def get_type(self): return self.get_byte(2) def set_type(self, type): self.set_byte(2, type) def get_flags(self): return self.get_byte(3) def set_flags(self, flags): self.set_byte(3, flags) def get_representation(self): return self.get_long(4, '<') def set_representation(self, representation): self.set_long(4, representation, '<') def get_frag_len(self): return self.get_word(8, '<') def set_frag_len(self, len): self.set_word(8, len, '<') def get_auth_len(self): return self.get_word(10, '<') def set_auth_len(self, len): self.set_word(10, len, '<') def get_call_id(self): return self.get_long(12, '<') def set_call_id(self, id): self.set_long(12, id, '<') def get_reason(self): return self.get_word(16, '<') def set_reason(self, reason): self.set_word(16, reason, '<') def get_assoc_group(self): return self.get_long(20, '<') def set_assoc_group(self, id): self.set_long(20, id, '<') def get_header_size(self): return self._SIZE class DCERPC: _max_ctx = 0 def __init__(self, transport): self._transport = transport self.set_ctx_id(0) self._max_frag = None self.set_default_max_fragment_size() def set_ctx_id(self, ctx_id): self._ctx = ctx_id def connect(self): return self._transport.connect() def disconnect(self): return self._transport.disconnect() def set_max_fragment_size(self, fragment_size): if fragment_size == -1: self.set_default_max_fragment_size() else: self._max_frag = fragment_size def set_default_max_fragment_size(self): self._max_frag = 0 def send(self, data): raise RuntimeError, 'virtual method. Not implemented in subclass' def recv(self): raise RuntimeError, 'virtual method. Not implemented in subclass' def alter_ctx(self, newUID, bogus_binds = ''): raise RuntimeError, 'virtual method. Not implemented in subclass' def set_credentials(self, username, password): pass def set_auth_level(self, auth_level): pass def get_idempotent(self): return 0 def set_idempotent(self, flag): pass def call(self, function, body): return self.send(DCERPC_RawCall(function, str(body))) class DCERPC_v5(DCERPC): endianness = '<' def __init__(self, transport): DCERPC.__init__(self, transport) self._DCERPC_v5__auth_level = ntlm.NTLM_AUTH_NONE self._DCERPC_v5__username = None self._DCERPC_v5__password = None def set_auth_level(self, auth_level): self._DCERPC_v5__auth_level = auth_level def set_credentials(self, username, password): self.set_auth_level(ntlm.NTLM_AUTH_CONNECT) self._DCERPC_v5__username = username self._DCERPC_v5__password = password def bind(self, uuid, alter = 0, bogus_binds = 0): bind = MSRPCBind(endianness = self.endianness) syntax = '\x04]\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00+\x10H`' if self.endianness == '>': syntax = unpack('<LHHBB6s', syntax) syntax = pack('>LHHBB6s', *syntax) uuid = list(unpack('<LHHBB6sHH', uuid)) uuid[-1] ^= uuid[-2] uuid[-2] ^= uuid[-1] uuid[-1] ^= uuid[-2] uuid = pack('>LHHBB6sHH', *uuid) ctx = 0 for i in range(bogus_binds): bind.set_ctx_id(self._ctx, index = ctx) bind.set_trans_num(1, index = ctx) bind.set_if_binuuid('A' * 20, index = ctx) bind.set_xfer_syntax_binuuid(syntax, index = ctx) bind.set_xfer_syntax_ver(2, index = ctx) self._ctx += 1 ctx += 1 bind.set_ctx_id(self._ctx, index = ctx) bind.set_trans_num(1, index = ctx) bind.set_if_binuuid(uuid, index = ctx) bind.set_xfer_syntax_binuuid(syntax, index = ctx) bind.set_xfer_syntax_ver(2, index = ctx) bind.set_ctx_num(ctx + 1) if alter: bind.set_type(MSRPC_ALTERCTX) if self._DCERPC_v5__auth_level != ntlm.NTLM_AUTH_NONE: if self._DCERPC_v5__username is None or self._DCERPC_v5__password is None: (self._DCERPC_v5__username, self._DCERPC_v5__password, nth, lmh) = self._transport.get_credentials() auth = ntlm.NTLMAuthNegotiate() auth['auth_level'] = self._DCERPC_v5__auth_level auth['auth_ctx_id'] = self._ctx + 79231 bind.set_auth_data(str(auth)) self._transport.send(bind.get_packet()) s = self._transport.recv() if s != 0: resp = MSRPCBindAck(s) else: return 0 if resp.get_type() == MSRPC_BINDNAK: resp = MSRPCBindNak(s) status_code = resp.get_reason() if rpc_status_codes.has_key(status_code): raise Exception(rpc_status_codes[status_code], resp) else: raise Exception('Unknown DCE RPC fault status code: %.8x' % status_code, resp) self._DCERPC_v5__max_xmit_size = resp.get_max_tfrag() if self._DCERPC_v5__auth_level != ntlm.NTLM_AUTH_NONE: authResp = ntlm.NTLMAuthChallenge(data = resp.get_auth_data().tostring()) self._ntlm_challenge = authResp['challenge'] response = ntlm.NTLMAuthChallengeResponse(self._DCERPC_v5__username, self._DCERPC_v5__password, self._ntlm_challenge) response['auth_ctx_id'] = self._ctx + 79231 response['auth_level'] = self._DCERPC_v5__auth_level if self._DCERPC_v5__auth_level in (ntlm.NTLM_AUTH_CONNECT, ntlm.NTLM_AUTH_PKT_INTEGRITY, ntlm.NTLM_AUTH_PKT_PRIVACY): if self._DCERPC_v5__password: key = ntlm.compute_nthash(self._DCERPC_v5__password) if POW: hash = POW.Digest(POW.MD4_DIGEST) else: hash = MD4.new() hash.update(key) key = hash.digest() else: key = '\x00' * 16 if POW: cipher = POW.Symmetric(POW.RC4) cipher.encryptInit(key) self.cipher_encrypt = cipher.update else: cipher = ARC4.new(key) self.cipher_encrypt = cipher.encrypt if response['flags'] & ntlm.NTLMSSP_KEY_EXCHANGE: session_key = 'A' * 16 response['session_key'] = self.cipher_encrypt(session_key) if POW: cipher = POW.Symmetric(POW.RC4) cipher.encryptInit(session_key) self.cipher_encrypt = cipher.update else: cipher = ARC4.new(session_key) self.cipher_encrypt = cipher.encrypt self.sequence = 0 auth3 = MSRPCHeader() auth3.set_type(MSRPC_AUTH3) auth3.set_auth_data(str(response)) self._transport.send(auth3.get_packet(), forceWriteAndx = 1) return resp def _transport_send(self, rpc_packet, forceWriteAndx = 0, forceRecv = 0): if self._DCERPC_v5__auth_level == ntlm.NTLM_AUTH_CALL: if rpc_packet.get_type() == MSRPC_REQUEST: response = ntlm.NTLMAuthChallengeResponse(self._DCERPC_v5__username, self._DCERPC_v5__password, self._ntlm_challenge) response['auth_ctx_id'] = self._ctx + 79231 response['auth_level'] = self._DCERPC_v5__auth_level rpc_packet.set_auth_data(str(response)) if self._DCERPC_v5__auth_level in [ ntlm.NTLM_AUTH_PKT_INTEGRITY, ntlm.NTLM_AUTH_PKT_PRIVACY]: verifier = ntlm.NTLMAuthVerifier() verifier['auth_level'] = self._DCERPC_v5__auth_level verifier['auth_ctx_id'] = self._ctx + 79231 verifier['data'] = ' ' * 12 rpc_packet.set_auth_data(str(verifier)) rpc_call = rpc_packet.child() if self._DCERPC_v5__auth_level == ntlm.NTLM_AUTH_PKT_PRIVACY: data = DCERPC_RawCall(rpc_call.OP_NUM) data.setData(self.cipher_encrypt(rpc_call.get_packet())) rpc_packet.contains(data) crc = crc32(rpc_call.get_packet()) data = pack('<LLL', 0, crc, self.sequence) data = self.cipher_encrypt(data) verifier['data'] = data rpc_packet.set_auth_data(str(verifier)) self.sequence += 1 self._transport.send(rpc_packet.get_packet(), forceWriteAndx = forceWriteAndx, forceRecv = forceRecv) def send(self, data): rpc = MSRPCRequestHeader(endianness = self.endianness) rpc.set_ctx_id(self._ctx) max_frag = self._max_frag if data.get_size() > self._DCERPC_v5__max_xmit_size - 32: max_frag = self._DCERPC_v5__max_xmit_size - 32 if self._max_frag: max_frag = min(max_frag, self._max_frag) if max_frag: packet = str(data.get_bytes().tostring()) offset = 0 rawcall = DCERPC_RawCall(data.OP_NUM) while None: toSend = packet[offset:offset + max_frag] if not toSend: break flags = 0 if offset == 0: flags |= MSRPC_FIRSTFRAG offset += len(toSend) if offset == len(packet): flags |= MSRPC_LASTFRAG rawcall.setData(toSend) rpc.contains(rawcall) self._transport_send(rpc, forceWriteAndx = 1, forceRecv = flags & MSRPC_LASTFRAG) else: rpc.contains(data) self._transport_send(rpc) def recv(self): self.response_data = self._transport.recv() self.response_header = MSRPCRespHeader(self.response_data) off = self.response_header.get_header_size() if self.response_header.get_type() == MSRPC_FAULT and self.response_header.get_frag_len() >= off + 4: status_code = unpack('<L', self.response_data[off:off + 4])[0] if rpc_status_codes.has_key(status_code): raise Exception(rpc_status_codes[status_code]) else: raise Exception('Unknown DCE RPC fault status code: %.8x' % status_code) answer = self.response_data[off:] auth_len = self.response_header.get_auth_len() if auth_len: auth_len += 8 auth_data = answer[-auth_len:] ntlmssp = ntlm.NTLMAuthHeader(data = auth_data) answer = answer[:-auth_len] if ntlmssp['auth_level'] == ntlm.NTLM_AUTH_PKT_PRIVACY: answer = self.cipher_encrypt(answer) if ntlmssp['auth_pad_len']: answer = answer[:-ntlmssp['auth_pad_len']] if ntlmssp['auth_level'] in [ ntlm.NTLM_AUTH_PKT_INTEGRITY, ntlm.NTLM_AUTH_PKT_PRIVACY]: ntlmssp = ntlm.NTLMAuthVerifier(data = auth_data) data = self.cipher_encrypt(ntlmssp['data']) (zero, crc, sequence) = unpack('<LLL', data) self.sequence = sequence + 1 return answer def alter_ctx(self, newUID, bogus_binds = 0): answer = self.__class__(self._transport) answer.set_credentials(self._DCERPC_v5__username, self._DCERPC_v5__password) answer.set_auth_level(self._DCERPC_v5__auth_level) self._max_ctx += 1 answer.set_ctx_id(self._max_ctx) answer.bind(newUID, alter = 1, bogus_binds = bogus_binds) return answer class DCERPC_RawCall(ImpactPacket.Header): def __init__(self, op_num, data = ''): self.OP_NUM = op_num ImpactPacket.Header.__init__(self) self.setData(data) def setData(self, data): self.get_bytes()[:] = array.array('B', data) def get_header_size(self): return len(self.get_bytes())