diff --git a/lib/ruby_smb/dcerpc/error.rb b/lib/ruby_smb/dcerpc/error.rb
index 890dd754..92a96a08 100644
--- a/lib/ruby_smb/dcerpc/error.rb
+++ b/lib/ruby_smb/dcerpc/error.rb
@@ -47,6 +47,9 @@ class CommunicationError < DcerpcError; end
 # Raised when an error is returned during a Epm operation
 class EpmError < DcerpcError; end
+ # Raised when an error is returned during an LSARPC operation
+ class LsarpcError < DcerpcError; end
+
 # Raised when an error is returned during a Dfsnm operation
 class DfsnmError < DcerpcError
 include RubySMB::Error::UnexpectedStatusCode::Mixin
diff --git a/lib/ruby_smb/dcerpc/lsarpc.rb b/lib/ruby_smb/dcerpc/lsarpc.rb
index 3b8262f5..9ed3b530 100644
--- a/lib/ruby_smb/dcerpc/lsarpc.rb
+++ b/lib/ruby_smb/dcerpc/lsarpc.rb
@@ -9,7 +9,6 @@ module Lsarpc
 # see: https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-dssp/6f843846-2494-4d49-b715-2f181317dd34
 UUID = '12345778-1234-abcd-ef00-0123456789ab'.freeze
- # UUID = '3919286a-b10c-11d0-9ba8-00c04fd92ef5'.freeze # DSSETUP
 VER_MAJOR = 0
 VER_MINOR = 0
@@ -125,10 +124,10 @@ class LsaprAcl < Ndr::NdrStruct
 default_parameters byte_align: 4
 endian :little
- ndr_uint8 :acl_revision
- ndr_uint8 :sbz1
+ ndr_uint8 :acl_revision
+ ndr_uint8 :sbz1
 ndr_uint16 :acl_size
- ndr_conf_array :dummy1, type: :ndr_char#, initial_length: -> { acl_size - 4 }
+ ndr_conf_array :dummy1, type: :ndr_char
 end
 class LsaprAclPtr < LsaprAcl
@@ -194,10 +193,10 @@ class SecurityQualityOfService < Ndr::NdrStruct
 default_parameters byte_align: 4
 endian :little
- ndr_uint32 :len
- ndr_uint16 :impersonation_level
- ndr_uint8 :security_context_tracking_mode
- ndr_uint8 :effective_only
+ ndr_uint32 :len
+ ndr_uint16 :impersonation_level
+ ndr_uint8 :security_context_tracking_mode
+ ndr_uint8 :effective_only
 end
 class SecurityQualityOfServicePtr < SecurityQualityOfService
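Review bot: `LsarpcError` is declared as an empty subclass, so the NTSTATUS that caused it survives only inside the message string, while the neighbouring `DfsnmError` includes `RubySMB::Error::UnexpectedStatusCode::Mixin`, which suggests callers can read a status code off that exception. Code that must tell an access-denied result from an unmapped SID would have to parse text. If the mixin fits here (its definition is outside this hunk), consider `class LsarpcError < DcerpcError` with `include RubySMB::Error::UnexpectedStatusCode::Mixin`, passing the status where the error is raised.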
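Review bot: In `LsaprAcl`, dropping the commented-out `initial_length` removes the only record that `dummy1` is sized from `acl_size` (MS-LSAD declares it `size_is(AclSize - 4)`). Both `acl_size` and the conformant array's own count come from the peer and nothing visible here ties them together, so a reader should know not to treat `acl_size` as the length of `dummy1`. A comment above the field would do, e.g. `# dummy1: ACL body; the spec sizes it as acl_size - 4, the parsed length presumably comes from the NDR conformance count`. The class header is outside the hunk.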
@@ -209,10 +208,10 @@ class LsaprObjectAttributes < Ndr::NdrStruct
 default_parameters byte_align: 4
 endian :little
- ndr_uint32 :len
- ndr_char_ptr :root_directory # Not used, must be NULL (0). Should this be 32 or 64bit?
- ndr_wide_stringz_ptr :object_name
- ndr_uint32 :attributes
+ ndr_uint32 :len
+ ndr_char_ptr :root_directory
+ ndr_wide_stringz_ptr :object_name
+ ndr_uint32 :attributes
 lsapr_security_descriptor_ptr :security_descriptor
 security_quality_of_service_ptr :security_quality_of_service
 end
@@ -241,7 +240,7 @@ class LsaprPolicyAuditLogInfo < Ndr::NdrStruct
 ndr_uint32 :audit_log_percent_full
 ndr_uint32 :maximum_log_size
 ndr_uint64 :audit_retention_period
- ndr_uint8 :audit_log_full_shutdown_in_progress
+ ndr_uint8 :audit_log_full_shutdown_in_progress
 ndr_uint64 :time_to_shutdown
 ndr_uint32 :next_audit_record_id
 end
@@ -255,9 +254,9 @@ class LsaprPolicyAuditEventsInfo < Ndr::NdrStruct
 default_parameters byte_align: 4
 endian :little
- ndr_uint8 :auditing_mode
+ ndr_uint8 :auditing_mode
 ndr_uint32_ptr :event_auditing_options
- ndr_uint32 :maximum_audit_event_count
+ ndr_uint32 :maximum_audit_event_count
 end
 class LsaprPolicyAuditEventsInfoPtr < LsaprPolicyAuditEventsInfo
@@ -269,9 +268,9 @@ class LsaprPolicyPrimaryDomInfo < Ndr::NdrStruct
 default_parameters byte_align: 4
 endian :little
- # rpc_unicode_string :name
+ # TODO: rpc_unicode_string :name
 ndr_wide_string_ptr :name
- prpc_sid :sid
+ prpc_sid :sid
 end
 class LsaprPolicyPrimaryDomInfoPtr < LsaprPolicyPrimaryDomInfo
@@ -283,8 +282,9 @@ class LsaprPolicyAccountDomInfo < Ndr::NdrStruct
 default_parameters byte_align: 4
 endian :little
+ # TODO: rpc_unicode_string :domain_name
 ndr_wide_string_ptr :domain_name
- prpc_sid :domain_sid
+ prpc_sid :domain_sid
 end
 class LsaprPolicyAccountDomInfoPtr < LsaprPolicyAccountDomInfo
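Review bot: The realignment of `LsaprObjectAttributes` also deletes the trailing comment on `root_directory`, and with it the stated constraint that the field is unused and must be NULL. That is protocol knowledge a caller building an open-policy request needs. Keep the settled half as `# Not used, must be NULL` and drop only the open question about pointer width. The class header is outside the hunk.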
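Review bot: The new `# TODO: rpc_unicode_string :name` in `LsaprPolicyPrimaryDomInfo` does not say what is wrong with the current `ndr_wide_string_ptr :name` or what blocks the switch; the same applies to the TODO added to `LsaprPolicyAccountDomInfo` in the next hunk. `LsaprTrustInformation` later in this diff already declares its name as `rpc_unicode_string`, so these two policy structures parse a server-supplied name differently from their sibling. State the reason in the comment, for example `# TODO: spec type is RPC_UNICODE_STRING; ndr_wide_string_ptr kept until <reason>`, so the deviation is not mistaken for the intended layout.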
@@ -438,11 +438,11 @@ class LsaprPolicyInformationPtr < LsaprPolicyInformation
 extend Ndr::PointerClassPlugin
 end
+ # [2.2.17 LSAPR_SID_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsat/f04a771b-c018-4098-81b5-2a819f9b5db8)
 class LsaprSidInformation < Ndr::NdrStruct
 default_parameters byte_align: 4
 endian :little
- # ndr_wide_stringz_ptr :n_name
 prpc_sid :sid
 end
@@ -455,11 +455,12 @@ class LsaprSidInformationArrayPtr < Ndr::NdrConfArray
 extend Ndr::PointerClassPlugin
 end
+ # [2.2.18 LSAPR_SID_ENUM_BUFFER](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsat/1ffb61f0-a4fe-4487-858d-fb709d605855)
 class LsaprSidEnumBuffer < Ndr::NdrStruct
 default_parameters byte_align: 4
 endian :little
- ndr_uint32 :num_entries
+ ndr_uint32 :num_entries
 lsapr_sid_information_array_ptr :sid_info
 end
@@ -467,12 +468,13 @@ class LsaprSidEnumBufferPtr < LsaprSidEnumBuffer
 extend Ndr::PointerClassPlugin
 end
+ # [2.2.11 LSAPR_TRUST_INFORMATION](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsat/b0f34b28-b5da-44aa-a607-99c09e6526e1)
 class LsaprTrustInformation < Ndr::NdrStruct
 default_parameters byte_align: 4
 endian :little
 rpc_unicode_string :name
- prpc_sid :sid
+ prpc_sid :sid
 end
 class LsaprTrustInformationArrayPtr < Ndr::NdrConfArray
@@ -480,26 +482,28 @@ class LsaprTrustInformationArrayPtr < Ndr::NdrConfArray
 extend Ndr::PointerClassPlugin
 end
+ # [2.2.12 LSAPR_REFERENCED_DOMAIN_LIST](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsat/3a52af31-247a-4b08-91a0-1d46b2cc49b2)
 class LsaprReferencedDomainList < Ndr::NdrStruct
 default_parameters byte_align: 4
 endian :little
- ndr_uint32 :num_entries
+ ndr_uint32 :num_entries
 lsapr_trust_information_array_ptr :domains
- ndr_uint32 :max_entries
+ ndr_uint32 :max_entries
 end
 class LsaprReferencedDomainListPtr < LsaprReferencedDomainList
 extend Ndr::PointerClassPlugin
 end
+ # [2.2.19 LSAPR_TRANSLATED_NAME](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsat/52e1ccc1-b57b-4c02-b35f-bd64913ce99b)
 class LsaprTranslatedName < Ndr::NdrStruct
 default_parameters byte_align: 4
 endian :little
- ndr_uint32 :use
+ ndr_uint32 :use
 rpc_unicode_string :name
- ndr_uint32 :domain_index
+ ndr_uint32 :domain_index
 end
 class LsaprTranslatedNameArray < Ndr::NdrConfArray
@@ -511,12 +515,12 @@ class LsaprTranslatedNameArrayPtr < LsaprTranslatedNameArray
 extend Ndr::PointerClassPlugin
 end
+ # [2.2.20 LSAPR_TRANSLATED_NAMES](https://learn.microsoft.com/en-us/openspecs/windows_protocols/ms-lsat/ff977eb9-563a-4353-a95f-640e7ee16356)
 class LsaprTranslatedNames < Ndr::NdrStruct
 default_parameters byte_align: 4
 endian :little
- ndr_uint32 :num_entries
- # Pointer to array of Translated Name
+ ndr_uint32 :num_entries
 lsapr_translated_name_array_ptr :names
 end
@@ -550,8 +554,8 @@ def lsar_open_policy_2(system_name:, object_attributes:, access_mask:)
 raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading LsarOpenPolicy2Response'
 end
 unless lsar_response.error_status == WindowsError::NTStatus::STATUS_SUCCESS
- raise RubySMB::Dcerpc::Error::SamrError,
- "Error returned while querying domain information: #{lsar_response}"\
+ raise RubySMB::Dcerpc::Error::LsarpcError,
+ "Error returned while opening policy: "\
 "#{WindowsError::NTStatus.find_by_retval(lsar_response.error_status.value).join(',')}"
 end
 lsar_response.policy_handle
@@ -566,11 +570,11 @@ def lsar_query_information_policy(policy_handle:, information_class:)
 begin
 lsar_response = LsarQueryInformationPolicyResponse.read(response)
 rescue IOError
- raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading LsarQueryInformationPolicy2Response'
+ raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading LsarQueryInformationPolicyResponse'
 end
 unless lsar_response.error_status == WindowsError::NTStatus::STATUS_SUCCESS
- raise RubySMB::Dcerpc::Error::SamrError,
- "Error returned while querying domain information: #{lsar_response.inspect}"\
+ raise RubySMB::Dcerpc::Error::LsarpcError,
+ "Error returned while querying domain information: "\
 "#{WindowsError::NTStatus.find_by_retval(lsar_response.error_status.value).join(',')}"
 end
 lsar_response.policy_information
@@ -588,8 +592,8 @@ def lsar_query_information_policy_2(policy_handle:, information_class:)
 raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading LsarQueryInformationPolicy2Response'
 end
 unless lsar_response.error_status == WindowsError::NTStatus::STATUS_SUCCESS
- raise RubySMB::Dcerpc::Error::SamrError,
- "Error returned while querying domain information: #{lsar_response.inspect}"\
+ raise RubySMB::Dcerpc::Error::LsarpcError,
+ "Error returned while querying domain information: "\
 "#{WindowsError::NTStatus.find_by_retval(lsar_response.error_status.value).join(',')}"
 end
 lsar_response.policy_information
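Review bot: With the response interpolation removed, the message in `lsar_open_policy_2` now depends entirely on `find_by_retval(...).join(',')`, which appears to yield an empty string when the status is not in the lookup table, so the exception would read `Error returned while opening policy: ` with no code at all. The same pattern is in the hunks for `lsar_query_information_policy`, `lsar_query_information_policy_2`, `lsar_close_handle` and `lsar_lookup_sids`. Append the raw value so an unknown status is still identifiable in logs, e.g. `" (0x#{lsar_response.error_status.value.to_s(16).rjust(8, '0')})"`. Callers that rescued `SamrError` around these methods also stop matching after this change, which deserves a changelog line. The method body starts outside the hunk.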
@@ -606,8 +610,8 @@ def lsar_close_handle(policy_handle:)
 raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading LsarCloseHandleResponse'
 end
 unless lsar_response.error_status == WindowsError::NTStatus::STATUS_SUCCESS
- raise RubySMB::Dcerpc::Error::SamrError,
- "Error returned while closing policy handle:"\
+ raise RubySMB::Dcerpc::Error::LsarpcError,
+ "Error returned while closing policy handle: "\
 "#{WindowsError::NTStatus.find_by_retval(lsar_response.error_status.value).join(',')}"
 end
 lsar_response.policy_handle
@@ -623,19 +627,16 @@ def lsar_lookup_sids(policy_handle:, sid_enum_buffer:, lookup_level:)
 )
 response = dcerpc_request(lsar_request)
 begin
- require 'pry-byebug'; binding.pry;
- BinData::trace_reading(STDERR) do
- lsar_response = LsarLookupSidsResponse.read(response)
- end
+ lsar_response = LsarLookupSidsResponse.read(response)
 rescue IOError
 raise RubySMB::Dcerpc::Error::InvalidPacket, 'Error reading LsarLookupSidsResponse'
 end
 unless lsar_response.error_status == WindowsError::NTStatus::STATUS_SUCCESS
- raise RubySMB::Dcerpc::Error::SamrError,
- "Error returned while Looking up SID: "\
+ raise RubySMB::Dcerpc::Error::LsarpcError,
+ "Error returned while looking up SID: "\
 "#{WindowsError::NTStatus.find_by_retval(lsar_response.error_status.value).join(',')}"
 end
- lsar_response.referenced_domains
+ lsar_response.translated_names
 end
 end
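Review bot: `lsar_lookup_sids` now returns only `lsar_response.translated_names`, but each `LsaprTranslatedName` carries a `domain_index` that points into the referenced-domain list, so the caller can no longer resolve which domain a name belongs to. Consider returning both, e.g. `{ names: lsar_response.translated_names, domains: lsar_response.referenced_domains }`, and documenting the changed return value for existing callers. Separately, the unchanged `unless ... == WindowsError::NTStatus::STATUS_SUCCESS` guard raises on STATUS_SOME_NOT_MAPPED, which LsarLookupSids uses for a partially translated batch, so one unknown SID discards every name that did resolve. The method starts outside the hunk.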