# SPDX-License-Identifier: GPL-2.0-or-later # This file is part of Scapy # See https://scapy.net/ for more information # Copyright (C) Gabriel Potter # scapy.contrib.description = DCE/RPC # scapy.contrib.status = loads """ DCE/RPC Distributed Computing Environment / Remote Procedure Calls Based on [C706] - aka DCE/RPC 1.1 https://pubs.opengroup.org/onlinepubs/9629399/toc.pdf And on [MS-RPCE] https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-rpce/290c38b1-92fe-4229-91e6-4fc376610c15 .. note:: Please read the documentation over `DCE/RPC `_ """ from functools import partial import collections import struct from enum import IntEnum from uuid import UUID from scapy.base_classes import Packet_metaclass from scapy.config import conf from scapy.compat import bytes_encode, plain_str from scapy.error import log_runtime from scapy.layers.dns import DNSStrField from scapy.layers.ntlm import ( NTLM_Header, NTLMSSP_MESSAGE_SIGNATURE, ) from scapy.packet import ( Packet, Raw, bind_bottom_up, bind_layers, bind_top_down, NoPayload, ) from scapy.fields import ( _FieldContainer, BitEnumField, BitField, ByteEnumField, ByteField, ConditionalField, EnumField, Field, FieldLenField, FieldListField, FlagsField, IntField, LEIntEnumField, LEIntField, LELongField, LEShortEnumField, LEShortField, LenField, MultipleTypeField, PacketField, PacketLenField, PacketListField, PadField, ReversePadField, ShortEnumField, ShortField, SignedByteField, StrField, StrFixedLenField, StrLenField, StrLenFieldUtf16, StrNullField, StrNullFieldUtf16, TrailerField, UUIDEnumField, UUIDField, XByteField, XLEIntField, XLELongField, XLEShortField, XShortField, XStrFixedLenField, ) from scapy.sessions import DefaultSession from scapy.supersocket import StreamSocket from scapy.layers.kerberos import ( KRB_InnerToken, Kerberos, ) from scapy.layers.gssapi import ( GSS_S_COMPLETE, GSSAPI_BLOB_SIGNATURE, GSSAPI_BLOB, SSP, ) from scapy.layers.inet import TCP from scapy.contrib.rtps.common_types import ( EField, EPacket, EPacketField, EPacketListField, ) # Typing imports from typing import ( Optional, ) # the alignment of auth_pad # This is 4 in [C706] 13.2.6.1 but was updated to 16 in [MS-RPCE] 2.2.2.11 _COMMON_AUTH_PAD = 16 # the alignment of the NDR Type 1 serialization private header # ([MS-RPCE] sect 2.2.6.2) _TYPE1_S_PAD = 8 # DCE/RPC Packet DCE_RPC_TYPE = { 0: "request", 1: "ping", 2: "response", 3: "fault", 4: "working", 5: "no_call", 6: "reject", 7: "acknowledge", 8: "connectionless_cancel", 9: "frag_ack", 10: "cancel_ack", 11: "bind", 12: "bind_ack", 13: "bind_nak", 14: "alter_context", 15: "alter_context_resp", 16: "auth3", 17: "shutdown", 18: "co_cancel", 19: "orphaned", } _DCE_RPC_4_FLAGS1 = [ "reserved_01", "last_frag", "frag", "no_frag_ack", "maybe", "idempotent", "broadcast", "reserved_7", ] _DCE_RPC_4_FLAGS2 = [ "reserved_0", "cancel_pending", "reserved_2", "reserved_3", "reserved_4", "reserved_5", "reserved_6", "reserved_7", ] DCE_RPC_TRANSFER_SYNTAXES = { UUID("00000000-0000-0000-0000-000000000000"): "NULL", UUID("6cb71c2c-9812-4540-0300-000000000000"): "Bind Time Feature Negotiation", UUID("8a885d04-1ceb-11c9-9fe8-08002b104860"): "NDR 2.0", UUID("71710533-beba-4937-8319-b5dbef9ccc36"): "NDR64", } DCE_RPC_INTERFACES_NAMES = {} DCE_RPC_INTERFACES_NAMES_rev = {} class DCERPC_Transport(IntEnum): NCACN_IP_TCP = 1 NCACN_NP = 2 # TODO: add more.. if people use them? def _dce_rpc_endianness(pkt): """ Determine the right endianness sign for a given DCE/RPC packet """ if pkt.endian == 0: # big endian return ">" elif pkt.endian == 1: # little endian return "<" else: return "!" class _EField(EField): def __init__(self, fld): super(_EField, self).__init__(fld, endianness_from=_dce_rpc_endianness) class DceRpc(Packet): """DCE/RPC packet""" @classmethod def dispatch_hook(cls, _pkt=None, *args, **kargs): if _pkt and len(_pkt) >= 1: ver = ord(_pkt[0:1]) if ver == 4: return DceRpc4 elif ver == 5: return DceRpc5 return DceRpc5 bind_bottom_up(TCP, DceRpc, sport=135) bind_layers(TCP, DceRpc, dport=135) class _DceRpcPayload(Packet): @property def endianness(self): if not self.underlayer: return "!" return _dce_rpc_endianness(self.underlayer) # sect 12.5 _drep = [ BitEnumField("endian", 1, 4, ["big", "little"]), BitEnumField("encoding", 0, 4, ["ASCII", "EBCDIC"]), ByteEnumField("float", 0, ["IEEE", "VAX", "CRAY", "IBM"]), ByteField("reserved1", 0), ] class DceRpc4(DceRpc): """ DCE/RPC v4 'connection-less' packet """ name = "DCE/RPC v4" fields_desc = ( [ ByteEnumField( "rpc_vers", 4, {4: "4 (connection-less)", 5: "5 (connection-oriented)"} ), ByteEnumField("ptype", 0, DCE_RPC_TYPE), FlagsField("flags1", 0, 8, _DCE_RPC_4_FLAGS1), FlagsField("flags2", 0, 8, _DCE_RPC_4_FLAGS2), ] + _drep + [ XByteField("serial_hi", 0), _EField(UUIDField("object", None)), _EField(UUIDField("if_id", None)), _EField(UUIDField("act_id", None)), _EField(IntField("server_boot", 0)), _EField(IntField("if_vers", 1)), _EField(IntField("seqnum", 0)), _EField(ShortField("opnum", 0)), _EField(XShortField("ihint", 0xFFFF)), _EField(XShortField("ahint", 0xFFFF)), _EField(LenField("len", None, fmt="H")), _EField(ShortField("fragnum", 0)), ByteEnumField("auth_proto", 0, ["none", "OSF DCE Private Key"]), XByteField("serial_lo", 0), ] ) # Exceptionally, we define those 3 here. class NL_AUTH_MESSAGE(Packet): # [MS-NRPC] sect 2.2.1.3.1 name = "NL_AUTH_MESSAGE" fields_desc = [ LEIntEnumField( "MessageType", 0x00000000, { 0x00000000: "Request", 0x00000001: "Response", }, ), FlagsField( "Flags", 0, -32, [ "NETBIOS_DOMAIN_NAME", "NETBIOS_COMPUTER_NAME", "DNS_DOMAIN_NAME", "DNS_HOST_NAME", "NETBIOS_COMPUTER_NAME_UTF8", ], ), ConditionalField( StrNullField("NetbiosDomainName", ""), lambda pkt: pkt.Flags.NETBIOS_DOMAIN_NAME, ), ConditionalField( StrNullField("NetbiosComputerName", ""), lambda pkt: pkt.Flags.NETBIOS_COMPUTER_NAME, ), ConditionalField( DNSStrField("DnsDomainName", ""), lambda pkt: pkt.Flags.DNS_DOMAIN_NAME, ), ConditionalField( DNSStrField("DnsHostName", ""), lambda pkt: pkt.Flags.DNS_HOST_NAME, ), ConditionalField( # What the fuck? Why are they doing this # The spec is just wrong DNSStrField("NetbiosComputerNameUtf8", ""), lambda pkt: pkt.Flags.NETBIOS_COMPUTER_NAME_UTF8, ), ] class NL_AUTH_SIGNATURE(Packet): # [MS-NRPC] sect 2.2.1.3.2/2.2.1.3.3 name = "NL_AUTH_(SHA2_)SIGNATURE" fields_desc = [ LEShortEnumField( "SignatureAlgorithm", 0x0077, { 0x0077: "HMAC-MD5", 0x0013: "HMAC-SHA256", }, ), LEShortEnumField( "SealAlgorithm", 0xFFFF, { 0xFFFF: "Unencrypted", 0x007A: "RC4", 0x001A: "AES-128", }, ), XLEShortField("Pad", 0xFFFF), ShortField("Flags", 0), XStrFixedLenField("SequenceNumber", b"", length=8), XStrFixedLenField("Checksum", b"", length=8), ConditionalField( XStrFixedLenField("Confounder", b"", length=8), lambda pkt: pkt.SealAlgorithm != 0xFFFF, ), MultipleTypeField( [ ( StrFixedLenField("Reserved2", b"", length=24), lambda pkt: pkt.SignatureAlgorithm == 0x0013, ), ], StrField("Reserved2", b""), ), ] # [MS-RPCE] sect 2.2.1.1.7 # https://learn.microsoft.com/en-us/windows/win32/rpc/authentication-service-constants # rpcdce.h class RPC_C_AUTHN(IntEnum): NONE = 0x00 DCE_PRIVATE = 0x01 DCE_PUBLIC = 0x02 DEC_PUBLIC = 0x04 GSS_NEGOTIATE = 0x09 WINNT = 0x0A GSS_SCHANNEL = 0x0E GSS_KERBEROS = 0x10 DPA = 0x11 MSN = 0x12 KERNEL = 0x14 DIGEST = 0x15 NEGO_EXTENDED = 0x1E PKU2U = 0x1F LIVE_SSP = 0x20 LIVEXP_SSP = 0x23 CLOUD_AP = 0x24 NETLOGON = 0x44 MSONLINE = 0x52 MQ = 0x64 DEFAULT = 0xFFFFFFFF class RPC_C_AUTHN_LEVEL(IntEnum): DEFAULT = 0x0 NONE = 0x1 CONNECT = 0x2 CALL = 0x3 PKT = 0x4 PKT_INTEGRITY = 0x5 PKT_PRIVACY = 0x6 DCE_C_AUTHN_LEVEL = RPC_C_AUTHN_LEVEL # C706 name # C706 sect 13.2.6.1 class CommonAuthVerifier(Packet): name = "Common Authentication Verifier" fields_desc = [ ByteEnumField( "auth_type", 0, RPC_C_AUTHN, ), ByteEnumField("auth_level", 0, RPC_C_AUTHN_LEVEL), ByteField("auth_pad_length", None), ByteField("auth_reserved", 0), XLEIntField("auth_context_id", 0), MultipleTypeField( [ # SPNEGO ( PacketLenField( "auth_value", GSSAPI_BLOB(), GSSAPI_BLOB, length_from=lambda pkt: pkt.parent.auth_len, ), lambda pkt: pkt.auth_type == 0x09 and pkt.parent and # Bind/Alter pkt.parent.ptype in [11, 12, 13, 14, 15, 16], ), ( PacketLenField( "auth_value", GSSAPI_BLOB_SIGNATURE(), GSSAPI_BLOB_SIGNATURE, length_from=lambda pkt: pkt.parent.auth_len, ), lambda pkt: pkt.auth_type == 0x09 and pkt.parent and ( # Other not pkt.parent or pkt.parent.ptype not in [11, 12, 13, 14, 15, 16] ), ), # Kerberos ( PacketLenField( "auth_value", Kerberos(), Kerberos, length_from=lambda pkt: pkt.parent.auth_len, ), lambda pkt: pkt.auth_type == 0x10 and pkt.parent and # Bind/Alter pkt.parent.ptype in [11, 12, 13, 14, 15, 16], ), ( PacketLenField( "auth_value", KRB_InnerToken(), KRB_InnerToken, length_from=lambda pkt: pkt.parent.auth_len, ), lambda pkt: pkt.auth_type == 0x10 and pkt.parent and ( # Other not pkt.parent or pkt.parent.ptype not in [11, 12, 13, 14, 15, 16] ), ), # NTLM ( PacketLenField( "auth_value", NTLM_Header(), NTLM_Header, length_from=lambda pkt: pkt.parent.auth_len, ), lambda pkt: pkt.auth_type in [0x0A, 0xFF] and pkt.parent and # Bind/Alter pkt.parent.ptype in [11, 12, 13, 14, 15, 16], ), ( PacketLenField( "auth_value", NTLMSSP_MESSAGE_SIGNATURE(), NTLMSSP_MESSAGE_SIGNATURE, length_from=lambda pkt: pkt.parent.auth_len, ), lambda pkt: pkt.auth_type in [0x0A, 0xFF] and pkt.parent and ( # Other not pkt.parent or pkt.parent.ptype not in [11, 12, 13, 14, 15, 16] ), ), # NetLogon ( PacketLenField( "auth_value", NL_AUTH_MESSAGE(), NL_AUTH_MESSAGE, length_from=lambda pkt: pkt.parent.auth_len, ), lambda pkt: pkt.auth_type == 0x44 and pkt.parent and # Bind/Alter pkt.parent.ptype in [11, 12, 13, 14, 15], ), ( PacketLenField( "auth_value", NL_AUTH_SIGNATURE(), NL_AUTH_SIGNATURE, length_from=lambda pkt: pkt.parent.auth_len, ), lambda pkt: pkt.auth_type == 0x44 and ( # Other not pkt.parent or pkt.parent.ptype not in [11, 12, 13, 14, 15] ), ), ], PacketLenField( "auth_value", None, conf.raw_layer, length_from=lambda pkt: pkt.parent and pkt.parent.auth_len or 0, ), ), ] def is_protected(self): if not self.auth_value: return False if self.parent and self.parent.ptype in [11, 12, 13, 14, 15, 16]: return False return True def is_ssp(self): if not self.auth_value: return False if self.parent and self.parent.ptype not in [11, 12, 13, 14, 15, 16]: return False return True def default_payload_class(self, pkt): return conf.padding_layer # [MS-RPCE] sect 2.2.2.13 - Verification Trailer _SECTRAILER_MAGIC = b"\x8a\xe3\x13\x71\x02\xf4\x36\x71" class DceRpcSecVTCommand(Packet): name = "Verification trailer command" fields_desc = [ BitField("SEC_VT_MUST_PROCESS_COMMAND", 0, 1, tot_size=-2), BitField("SEC_VT_COMMAND_END", 0, 1), BitEnumField( "Command", 0, -14, { 0x0001: "SEC_VT_COMMAND_BITMASK_1", 0x0002: "SEC_VT_COMMAND_PCONTEXT", 0x0003: "SEC_VT_COMMAND_HEADER2", }, end_tot_size=-2, ), LEShortField("Length", None), ] def guess_payload_class(self, payload): if self.Command == 0x0001: return DceRpcSecVTBitmask elif self.Command == 0x0002: return DceRpcSecVTPcontext elif self.Command == 0x0003: return DceRpcSecVTHeader2 return conf.raw_payload # [MS-RPCE] sect 2.2.2.13.2 class DceRpcSecVTBitmask(Packet): name = "rpc_sec_vt_bitmask" fields_desc = [ LEIntField("bits", 1), ] def default_payload_class(self, pkt): return conf.padding_layer # [MS-RPCE] sect 2.2.2.13.4 class DceRpcSecVTPcontext(Packet): name = "rpc_sec_vt_pcontext" fields_desc = [ UUIDEnumField( "InterfaceId", None, ( DCE_RPC_INTERFACES_NAMES.get, lambda x: DCE_RPC_INTERFACES_NAMES_rev.get(x.lower()), ), uuid_fmt=UUIDField.FORMAT_LE, ), LEIntField("Version", 0), UUIDEnumField( "TransferSyntax", None, DCE_RPC_TRANSFER_SYNTAXES, uuid_fmt=UUIDField.FORMAT_LE, ), LEIntField("TransferVersion", 0), ] def default_payload_class(self, pkt): return conf.padding_layer # [MS-RPCE] sect 2.2.2.13.3 class DceRpcSecVTHeader2(Packet): name = "rpc_sec_vt_header2" fields_desc = [ ByteField("PTYPE", 0), ByteField("Reserved1", 0), LEShortField("Reserved2", 0), LEIntField("drep", 0), LEIntField("call_id", 0), LEShortField("p_cont_id", 0), LEShortField("opnum", 0), ] def default_payload_class(self, pkt): return conf.padding_layer class DceRpcSecVT(Packet): name = "Verification trailer" fields_desc = [ XStrFixedLenField("rpc_sec_verification_trailer", _SECTRAILER_MAGIC, length=8), PacketListField("commands", [], DceRpcSecVTCommand), ] class _VerifTrailerField(PacketField): def getfield( self, pkt, s, ): if _SECTRAILER_MAGIC in s: # a bit ugly ind = s.index(_SECTRAILER_MAGIC) sectrailer_bytes, remain = bytes(s[:-ind]), bytes(s[-ind:]) vt_trailer = self.m2i(pkt, sectrailer_bytes) if not isinstance(vt_trailer.payload, NoPayload): # bad parse return s, None return remain, vt_trailer return s, None # sect 12.6.3 _DCE_RPC_5_FLAGS = { 0x01: "PFC_FIRST_FRAG", 0x02: "PFC_LAST_FRAG", 0x04: "PFC_PENDING_CANCEL", 0x08: "PFC_RESERVED_1", 0x10: "PFC_CONC_MPX", 0x20: "PFC_DID_NOT_EXECUTE", 0x40: "PFC_MAYBE", 0x80: "PFC_OBJECT_UUID", } # [MS-RPCE] sect 2.2.2.3 _DCE_RPC_5_FLAGS_2 = _DCE_RPC_5_FLAGS.copy() _DCE_RPC_5_FLAGS_2[0x04] = "PFC_SUPPORT_HEADER_SIGN" _DCE_RPC_ERROR_CODES = { # Appendix N 0x1C010001: "nca_s_comm_failure", 0x1C010002: "nca_s_op_rng_error", 0x1C010003: "nca_s_unk_if", 0x1C010006: "nca_s_wrong_boot_time", 0x1C010009: "nca_s_you_crashed", 0x1C01000B: "nca_s_proto_error", 0x1C010013: "nca_s_out_args_too_big", 0x1C010014: "nca_s_server_too_busy", 0x1C010015: "nca_s_fault_string_too_long", 0x1C010017: "nca_s_unsupported_type", 0x1C000001: "nca_s_fault_int_div_by_zero", 0x1C000002: "nca_s_fault_addr_error", 0x1C000003: "nca_s_fault_fp_div_zero", 0x1C000004: "nca_s_fault_fp_underflow", 0x1C000005: "nca_s_fault_fp_overflow", 0x1C000006: "nca_s_fault_invalid_tag", 0x1C000007: "nca_s_fault_invalid_bound", 0x1C000008: "nca_s_rpc_version_mismatch", 0x1C000009: "nca_s_unspec_reject", 0x1C00000A: "nca_s_bad_actid", 0x1C00000B: "nca_s_who_are_you_failed", 0x1C00000C: "nca_s_manager_not_entered", 0x1C00000D: "nca_s_fault_cancel", 0x1C00000E: "nca_s_fault_ill_inst", 0x1C00000F: "nca_s_fault_fp_error", 0x1C000010: "nca_s_fault_int_overflow", 0x1C000012: "nca_s_fault_unspec", 0x1C000013: "nca_s_fault_remote_comm_failure", 0x1C000014: "nca_s_fault_pipe_empty", 0x1C000015: "nca_s_fault_pipe_closed", 0x1C000016: "nca_s_fault_pipe_order", 0x1C000017: "nca_s_fault_pipe_discipline", 0x1C000018: "nca_s_fault_pipe_comm_error", 0x1C000019: "nca_s_fault_pipe_memory", 0x1C00001A: "nca_s_fault_context_mismatch", 0x1C00001B: "nca_s_fault_remote_no_memory", 0x1C00001C: "nca_s_invalid_pres_context_id", 0x1C00001D: "nca_s_unsupported_authn_level", 0x1C00001F: "nca_s_invalid_checksum", 0x1C000020: "nca_s_invalid_crc", 0x1C000021: "nca_s_fault_user_defined", 0x1C000022: "nca_s_fault_tx_open_failed", 0x1C000023: "nca_s_fault_codeset_conv_error", 0x1C000024: "nca_s_fault_object_not_found", 0x1C000025: "nca_s_fault_no_client_stub", # [MS-ERREF] 0x000006D3: "RPC_S_UNKNOWN_AUTHN_SERVICE", 0x000006F7: "RPC_X_BAD_STUB_DATA", # [MS-RPCE] 0x000006D8: "EPT_S_CANT_PERFORM_OP", } _DCE_RPC_REJECTION_REASONS = { 0: "REASON_NOT_SPECIFIED", 1: "TEMPORARY_CONGESTION", 2: "LOCAL_LIMIT_EXCEEDED", 3: "CALLED_PADDR_UNKNOWN", 4: "PROTOCOL_VERSION_NOT_SUPPORTED", 5: "DEFAULT_CONTEXT_NOT_SUPPORTED", 6: "USER_DATA_NOT_READABLE", 7: "NO_PSAP_AVAILABLE", 8: "AUTHENTICATION_TYPE_NOT_RECOGNIZED", 9: "INVALID_CHECKSUM", } class DceRpc5(DceRpc): """ DCE/RPC v5 'connection-oriented' packet """ name = "DCE/RPC v5" fields_desc = ( [ ByteEnumField( "rpc_vers", 5, {4: "4 (connection-less)", 5: "5 (connection-oriented)"} ), ByteField("rpc_vers_minor", 0), ByteEnumField("ptype", 0, DCE_RPC_TYPE), MultipleTypeField( # [MS-RPCE] sect 2.2.2.3 [ ( FlagsField("pfc_flags", 0x3, 8, _DCE_RPC_5_FLAGS_2), lambda pkt: pkt.ptype in [11, 12, 13, 14, 15, 16], ) ], FlagsField("pfc_flags", 0x3, 8, _DCE_RPC_5_FLAGS), ), ] + _drep + [ ByteField("reserved2", 0), _EField(ShortField("frag_len", None)), _EField( FieldLenField( "auth_len", None, fmt="H", length_of="auth_verifier", adjust=lambda pkt, x: 0 if not x else (x - 8), ) ), _EField(IntField("call_id", None)), # Now let's proceed with trailer fields, i.e. at the end of the PACKET # (below all payloads, etc.). Have a look at Figure 3 in sect 2.2.2.13 # of [MS-RPCE] but note the following: # - auth_verifier includes sec_trailer + the authentication token # - auth_padding is the authentication padding # - vt_trailer is the verification trailer ConditionalField( TrailerField( PacketLenField( "auth_verifier", None, CommonAuthVerifier, length_from=lambda pkt: pkt.auth_len + 8, ) ), lambda pkt: pkt.auth_len != 0, ), ConditionalField( TrailerField( StrLenField( "auth_padding", None, length_from=lambda pkt: pkt.auth_verifier.auth_pad_length, ) ), lambda pkt: pkt.auth_len != 0, ), TrailerField( _VerifTrailerField("vt_trailer", None, DceRpcSecVT), ), ] ) def do_dissect(self, s): # Overload do_dissect to only include the current layer in dissection. # This allows to support TrailerFields, even in the case where multiple DceRpc5 # packets are concatenated frag_len = self.get_field("frag_len").getfield(self, s[8:10])[1] s, remain = s[:frag_len], s[frag_len:] return super(DceRpc5, self).do_dissect(s) + remain def extract_padding(self, s): # Now, take any data that doesn't fit in the current fragment and make it # padding. The caller is responsible for looking for eventual padding and # creating the next fragment, etc. pay_len = self.frag_len - len(self.original) + len(s) return s[:pay_len], s[pay_len:] def post_build(self, pkt, pay): if ( self.auth_verifier and self.auth_padding is None and self.auth_verifier.auth_pad_length is None ): # Compute auth_len and add padding auth_len = self.get_field("auth_len").getfield(self, pkt[10:12])[1] + 8 auth_verifier, pay = pay[-auth_len:], pay[:-auth_len] pdu_len = len(pay) if self.payload: pdu_len -= len(self.payload.self_build()) padlen = (-pdu_len) % _COMMON_AUTH_PAD auth_verifier = ( auth_verifier[:2] + struct.pack("B", padlen) + auth_verifier[3:] ) pay = pay + (padlen * b"\x00") + auth_verifier if self.frag_len is None: # Compute frag_len length = len(pkt) + len(pay) pkt = ( pkt[:8] + self.get_field("frag_len").addfield(self, b"", length) + pkt[10:] ) return pkt + pay def answers(self, pkt): return isinstance(pkt, DceRpc5) and pkt[DceRpc5].call_id == self.call_id @classmethod def tcp_reassemble(cls, data, _, session): if data[0:1] != b"\x05": return endian = struct.unpack("!B", data[4:5])[0] >> 4 if endian not in [0, 1]: return length = struct.unpack(("<" if endian else ">") + "H", data[8:10])[0] if len(data) >= length: if conf.dcerpc_session_enable: # If DCE/RPC sessions are enabled, use them ! if "dcerpcsess" not in session: session["dcerpcsess"] = dcerpcsess = DceRpcSession() else: dcerpcsess = session["dcerpcsess"] return dcerpcsess.process(DceRpc5(data)) return DceRpc5(data) # sec 12.6.3.1 class DceRpc5AbstractSyntax(EPacket): name = "Presentation Syntax (p_syntax_id_t)" fields_desc = [ _EField( UUIDEnumField( "if_uuid", None, ( # Those are dynamic DCE_RPC_INTERFACES_NAMES.get, lambda x: DCE_RPC_INTERFACES_NAMES_rev.get(x.lower()), ), ) ), _EField(IntField("if_version", 3)), ] class DceRpc5TransferSyntax(EPacket): name = "Presentation Transfer Syntax (p_syntax_id_t)" fields_desc = [ _EField( UUIDEnumField( "if_uuid", None, DCE_RPC_TRANSFER_SYNTAXES, ) ), _EField(IntField("if_version", 3)), ] class DceRpc5Context(EPacket): name = "Presentation Context (p_cont_elem_t)" fields_desc = [ _EField(ShortField("cont_id", 0)), FieldLenField("n_transfer_syn", None, count_of="transfer_syntaxes", fmt="B"), ByteField("reserved", 0), EPacketField("abstract_syntax", None, DceRpc5AbstractSyntax), EPacketListField( "transfer_syntaxes", None, DceRpc5TransferSyntax, count_from=lambda pkt: pkt.n_transfer_syn, endianness_from=_dce_rpc_endianness, ), ] class DceRpc5Result(EPacket): name = "Context negotiation Result" fields_desc = [ _EField( ShortEnumField( "result", 0, ["acceptance", "user_rejection", "provider_rejection"] ) ), _EField( ShortEnumField( "reason", 0, _DCE_RPC_REJECTION_REASONS, ) ), EPacketField("transfer_syntax", None, DceRpc5TransferSyntax), ] class DceRpc5PortAny(EPacket): name = "Port Any (port_any_t)" fields_desc = [ _EField(FieldLenField("length", None, length_of="port_spec", fmt="H")), _EField(StrLenField("port_spec", b"", length_from=lambda pkt: pkt.length)), ] # sec 12.6.4.3 class DceRpc5Bind(_DceRpcPayload): name = "DCE/RPC v5 - Bind" fields_desc = [ _EField(ShortField("max_xmit_frag", 5840)), _EField(ShortField("max_recv_frag", 8192)), _EField(IntField("assoc_group_id", 0)), # p_cont_list_t _EField( FieldLenField("n_context_elem", None, count_of="context_elem", fmt="B") ), StrFixedLenField("reserved", 0, length=3), EPacketListField( "context_elem", [], DceRpc5Context, endianness_from=_dce_rpc_endianness, count_from=lambda pkt: pkt.n_context_elem, ), ] bind_layers(DceRpc5, DceRpc5Bind, ptype=11) # sec 12.6.4.4 class DceRpc5BindAck(_DceRpcPayload): name = "DCE/RPC v5 - Bind Ack" fields_desc = [ _EField(ShortField("max_xmit_frag", 5840)), _EField(ShortField("max_recv_frag", 8192)), _EField(IntField("assoc_group_id", 0)), PadField( EPacketField("sec_addr", None, DceRpc5PortAny), align=4, ), # p_result_list_t _EField(FieldLenField("n_results", None, count_of="results", fmt="B")), StrFixedLenField("reserved", 0, length=3), EPacketListField( "results", [], DceRpc5Result, endianness_from=_dce_rpc_endianness, count_from=lambda pkt: pkt.n_results, ), ] bind_layers(DceRpc5, DceRpc5BindAck, ptype=12) # sec 12.6.4.5 class DceRpc5Version(EPacket): name = "version_t" fields_desc = [ ByteField("major", 0), ByteField("minor", 0), ] class DceRpc5BindNak(_DceRpcPayload): name = "DCE/RPC v5 - Bind Nak" fields_desc = [ _EField( ShortEnumField("provider_reject_reason", 0, _DCE_RPC_REJECTION_REASONS) ), # p_rt_versions_supported_t _EField(FieldLenField("n_protocols", None, count_of="protocols", fmt="B")), EPacketListField( "protocols", [], DceRpc5Version, count_from=lambda pkt: pkt.n_protocols, endianness_from=_dce_rpc_endianness, ), # [MS-RPCE] sect 2.2.2.9 ConditionalField( ReversePadField( _EField( UUIDEnumField( "signature", None, { UUID( "90740320-fad0-11d3-82d7-009027b130ab" ): "Extended Error", }, ) ), align=8, ), lambda pkt: pkt.fields.get("signature", None) or ( pkt.underlayer and pkt.underlayer.frag_len >= 24 + pkt.n_protocols * 2 + 16 ), ), ] bind_layers(DceRpc5, DceRpc5BindNak, ptype=13) # sec 12.6.4.1 class DceRpc5AlterContext(_DceRpcPayload): name = "DCE/RPC v5 - AlterContext" fields_desc = DceRpc5Bind.fields_desc bind_layers(DceRpc5, DceRpc5AlterContext, ptype=14) # sec 12.6.4.2 class DceRpc5AlterContextResp(_DceRpcPayload): name = "DCE/RPC v5 - AlterContextResp" fields_desc = DceRpc5BindAck.fields_desc bind_layers(DceRpc5, DceRpc5AlterContextResp, ptype=15) # [MS-RPCE] sect 2.2.2.10 - rpc_auth_3 class DceRpc5Auth3(Packet): name = "DCE/RPC v5 - Auth3" fields_desc = [StrFixedLenField("pad", b"", length=4)] bind_layers(DceRpc5, DceRpc5Auth3, ptype=16) # sec 12.6.4.7 class DceRpc5Fault(_DceRpcPayload): name = "DCE/RPC v5 - Fault" fields_desc = [ _EField(IntField("alloc_hint", 0)), _EField(ShortField("cont_id", 0)), ByteField("cancel_count", 0), FlagsField("reserved", 0, -8, {0x1: "RPC extended error"}), _EField(LEIntEnumField("status", 0, _DCE_RPC_ERROR_CODES)), IntField("reserved2", 0), ] bind_layers(DceRpc5, DceRpc5Fault, ptype=3) # sec 12.6.4.9 class DceRpc5Request(_DceRpcPayload): name = "DCE/RPC v5 - Request" fields_desc = [ _EField(IntField("alloc_hint", 0)), _EField(ShortField("cont_id", 0)), _EField(ShortField("opnum", 0)), ConditionalField( PadField( _EField(UUIDField("object", None)), align=8, ), lambda pkt: pkt.underlayer and pkt.underlayer.pfc_flags.PFC_OBJECT_UUID, ), ] bind_layers(DceRpc5, DceRpc5Request, ptype=0) # sec 12.6.4.10 class DceRpc5Response(_DceRpcPayload): name = "DCE/RPC v5 - Response" fields_desc = [ _EField(IntField("alloc_hint", 0)), _EField(ShortField("cont_id", 0)), ByteField("cancel_count", 0), ByteField("reserved", 0), ] bind_layers(DceRpc5, DceRpc5Response, ptype=2) # --- API DceRpcOp = collections.namedtuple("DceRpcOp", ["request", "response"]) DCE_RPC_INTERFACES = {} class DceRpcInterface: def __init__(self, name, uuid, version_tuple, if_version, opnums): self.name = name self.uuid = uuid self.major_version, self.minor_version = version_tuple self.if_version = if_version self.opnums = opnums def __repr__(self): return "" % ( self.name, self.major_version, self.minor_version, ) def register_dcerpc_interface(name, uuid, version, opnums): """ Register a DCE/RPC interface """ version_tuple = tuple(map(int, version.split("."))) assert len(version_tuple) == 2, "Version should be in format 'X.X' !" if_version = (version_tuple[1] << 16) + version_tuple[0] if (uuid, if_version) in DCE_RPC_INTERFACES: # Interface is already registered. interface = DCE_RPC_INTERFACES[(uuid, if_version)] if interface.name == name: if interface.if_version == if_version and set(opnums) - set( interface.opnums ): # Interface is an extension of a previous interface interface.opnums.update(opnums) return elif interface.if_version != if_version: # Interface has a different version pass else: log_runtime.warning( "This interface is already registered: %s. Skip" % interface ) return else: raise ValueError( "An interface with the same UUID is already registered: %s" % interface ) DCE_RPC_INTERFACES_NAMES[uuid] = name DCE_RPC_INTERFACES_NAMES_rev[name.lower()] = uuid DCE_RPC_INTERFACES[(uuid, if_version)] = DceRpcInterface( name, uuid, version_tuple, if_version, opnums, ) # bind for build for opnum, operations in opnums.items(): bind_top_down(DceRpc5Request, operations.request, opnum=opnum) def find_dcerpc_interface(name): """ Find an interface object through the name in the IDL """ try: return next(x for x in DCE_RPC_INTERFACES.values() if x.name == name) except StopIteration: raise AttributeError("Unknown interface !") COM_INTERFACES = {} class ComInterface: def __init__(self, name, uuid, opnums): self.name = name self.uuid = uuid self.opnums = opnums def __repr__(self): return "" % (self.name,) def register_com_interface(name, uuid, opnums): """ Register a COM interface """ COM_INTERFACES[uuid] = ComInterface( name, uuid, opnums, ) # --- NDR fields - [C706] chap 14 def _set_ctx_on(f, obj): if isinstance(f, _NDRPacket): f.ndr64 = obj.ndr64 f.ndrendian = obj.ndrendian if isinstance(f, list): for x in f: if isinstance(x, _NDRPacket): x.ndr64 = obj.ndr64 x.ndrendian = obj.ndrendian def _e(ndrendian): return {"big": ">", "little": "<"}[ndrendian] class _NDRPacket(Packet): __slots__ = ["ndr64", "ndrendian", "deferred_pointers", "request_packet"] def __init__(self, *args, **kwargs): self.ndr64 = kwargs.pop("ndr64", False) self.ndrendian = kwargs.pop("ndrendian", "little") # request_packet is used in the session, so that a response packet # can resolve union arms if the case parameter is in the request. self.request_packet = kwargs.pop("request_packet", None) self.deferred_pointers = [] super(_NDRPacket, self).__init__(*args, **kwargs) def do_dissect(self, s): _up = self.parent or self.underlayer if _up and isinstance(_up, _NDRPacket): self.ndr64 = _up.ndr64 self.ndrendian = _up.ndrendian else: # See comment above NDRConstructedType return NDRConstructedType([]).read_deferred_pointers( self, super(_NDRPacket, self).do_dissect(s) ) return super(_NDRPacket, self).do_dissect(s) def post_dissect(self, s): if self.deferred_pointers: # Can't trust the cache if there were deferred pointers self.raw_packet_cache = None return s def do_build(self): _up = self.parent or self.underlayer for f in self.fields.values(): _set_ctx_on(f, self) if not _up or not isinstance(_up, _NDRPacket): # See comment above NDRConstructedType return NDRConstructedType([]).add_deferred_pointers( self, super(_NDRPacket, self).do_build() ) return super(_NDRPacket, self).do_build() def default_payload_class(self, pkt): return conf.padding_layer def clone_with(self, *args, **kwargs): pkt = super(_NDRPacket, self).clone_with(*args, **kwargs) # We need to copy deferred_pointers to not break pointer deferral # on build. pkt.deferred_pointers = self.deferred_pointers pkt.ndr64 = self.ndr64 pkt.ndrendian = self.ndrendian return pkt def copy(self): pkt = super(_NDRPacket, self).copy() pkt.deferred_pointers = self.deferred_pointers pkt.ndr64 = self.ndr64 pkt.ndrendian = self.ndrendian return pkt def show2(self, dump=False, indent=3, lvl="", label_lvl=""): return self.__class__( bytes(self), ndr64=self.ndr64, ndrendian=self.ndrendian ).show(dump, indent, lvl, label_lvl) def getfield_and_val(self, attr): try: return Packet.getfield_and_val(self, attr) except ValueError: if self.request_packet: # Try to resolve the field from the request on failure try: return self.request_packet.getfield_and_val(attr) except AttributeError: pass raise def valueof(self, request): """ Util to get the value of a NDRField, ignoring arrays, pointers, etc. """ val = self for ndr_field in request.split("."): fld, fval = val.getfield_and_val(ndr_field) val = fld.valueof(val, fval) return val class _NDRAlign: def padlen(self, flen, pkt): return -flen % self._align[pkt.ndr64] def original_length(self, pkt): # Find the length of the NDR frag to be able to pad properly while pkt: par = pkt.parent or pkt.underlayer if par and isinstance(par, _NDRPacket): pkt = par else: break return len(pkt.original) class NDRAlign(_NDRAlign, ReversePadField): """ ReversePadField modified to fit NDR. - If no align size is specified, use the one from the inner field - Size is calculated from the beginning of the NDR stream """ def __init__(self, fld, align, padwith=None): super(NDRAlign, self).__init__(fld, align=align, padwith=padwith) class _VirtualField(Field): # Hold a value but doesn't show up when building/dissecting def addfield(self, pkt, s, x): return s def getfield(self, pkt, s): return s, None class _NDRPacketMetaclass(Packet_metaclass): def __new__(cls, name, bases, dct): newcls = super(_NDRPacketMetaclass, cls).__new__(cls, name, bases, dct) conformants = dct.get("DEPORTED_CONFORMANTS", []) if conformants: amount = len(conformants) if amount == 1: newcls.fields_desc.insert( 0, _VirtualField("max_count", None), ) else: newcls.fields_desc.insert( 0, FieldListField( "max_counts", [], _VirtualField("", 0), count_from=lambda _: amount, ), ) return newcls # type: ignore class NDRPacket(_NDRPacket, metaclass=_NDRPacketMetaclass): """ A NDR Packet. Handles pointer size & endianness """ __slots__ = ["_align"] # NDR64 pad structures # [MS-RPCE] 2.2.5.3.4.1 ALIGNMENT = (1, 1) # [C706] sect 14.3.7 - Conformants max_count can be added to the beginning DEPORTED_CONFORMANTS = [] # Primitive types class _NDRValueOf: def valueof(self, pkt, x): return x class _NDRLenField(_NDRValueOf, Field): """ Field similar to FieldLenField that takes size_of and adjust as arguments, and take the value of a size on build. """ __slots__ = ["size_of", "adjust"] def __init__(self, *args, **kwargs): self.size_of = kwargs.pop("size_of", None) self.adjust = kwargs.pop("adjust", lambda _, x: x) super(_NDRLenField, self).__init__(*args, **kwargs) def i2m(self, pkt, x): if x is None and pkt is not None and self.size_of is not None: fld, fval = pkt.getfield_and_val(self.size_of) f = fld.i2len(pkt, fval) x = self.adjust(pkt, f) elif x is None: x = 0 return x class NDRByteField(_NDRLenField, ByteField): pass class NDRSignedByteField(_NDRLenField, SignedByteField): pass class _NDRField(_NDRLenField): FMT = "" ALIGN = (0, 0) def getfield(self, pkt, s): return NDRAlign( Field("", 0, fmt=_e(pkt.ndrendian) + self.FMT), align=self.ALIGN ).getfield(pkt, s) def addfield(self, pkt, s, val): return NDRAlign( Field("", 0, fmt=_e(pkt.ndrendian) + self.FMT), align=self.ALIGN ).addfield(pkt, s, self.i2m(pkt, val)) class NDRShortField(_NDRField): FMT = "H" ALIGN = (2, 2) class NDRSignedShortField(_NDRField): FMT = "h" ALIGN = (2, 2) class NDRIntField(_NDRField): FMT = "I" ALIGN = (4, 4) class NDRSignedIntField(_NDRField): FMT = "i" ALIGN = (4, 4) class NDRLongField(_NDRField): FMT = "Q" ALIGN = (8, 8) class NDRSignedLongField(_NDRField): FMT = "q" ALIGN = (8, 8) class NDRIEEEFloatField(_NDRField): FMT = "f" ALIGN = (4, 4) class NDRIEEEDoubleField(_NDRField): FMT = "d" ALIGN = (8, 8) # Enum types class _NDREnumField(_NDRValueOf, EnumField): # [MS-RPCE] sect 2.2.5.2 - Enums are 4 octets in NDR64 FMTS = ["H", "I"] def getfield(self, pkt, s): fmt = _e(pkt.ndrendian) + self.FMTS[pkt.ndr64] return NDRAlign(Field("", 0, fmt=fmt), align=(2, 4)).getfield(pkt, s) def addfield(self, pkt, s, val): fmt = _e(pkt.ndrendian) + self.FMTS[pkt.ndr64] return NDRAlign(Field("", 0, fmt=fmt), align=(2, 4)).addfield( pkt, s, self.i2m(pkt, val) ) class NDRInt3264EnumField(NDRAlign): def __init__(self, *args, **kwargs): super(NDRInt3264EnumField, self).__init__( _NDREnumField(*args, **kwargs), align=(2, 4) ) class NDRIntEnumField(_NDRValueOf, NDRAlign): # v1_enum are always 4-octets, even in NDR32 def __init__(self, *args, **kwargs): super(NDRIntEnumField, self).__init__( LEIntEnumField(*args, **kwargs), align=(4, 4) ) # Special types class NDRInt3264Field(_NDRLenField): FMTS = ["I", "Q"] def getfield(self, pkt, s): fmt = _e(pkt.ndrendian) + self.FMTS[pkt.ndr64] return NDRAlign(Field("", 0, fmt=fmt), align=(4, 8)).getfield(pkt, s) def addfield(self, pkt, s, val): fmt = _e(pkt.ndrendian) + self.FMTS[pkt.ndr64] return NDRAlign(Field("", 0, fmt=fmt), align=(4, 8)).addfield( pkt, s, self.i2m(pkt, val) ) class NDRSignedInt3264Field(NDRInt3264Field): FMTS = ["i", "q"] # Pointer types class NDRPointer(_NDRPacket): fields_desc = [ MultipleTypeField( [(XLELongField("referent_id", 1), lambda pkt: pkt and pkt.ndr64)], XLEIntField("referent_id", 1), ), PacketField("value", None, conf.raw_layer), ] class NDRFullPointerField(_FieldContainer): """ A NDR Full/Unique pointer field encapsulation. :param deferred: This pointer is deferred. This means that it's representation will not appear after the pointer. See [C706] 14.3.12.3 - Algorithm for Deferral of Referents """ EMBEDDED = False def __init__(self, fld, deferred=False, fmt="I"): self.fld = fld self.default = None self.deferred = deferred def getfield(self, pkt, s): fmt = _e(pkt.ndrendian) + ["I", "Q"][pkt.ndr64] remain, referent_id = NDRAlign(Field("", 0, fmt=fmt), align=(4, 8)).getfield( pkt, s ) if not self.EMBEDDED and referent_id == 0: return remain, None if self.deferred: # deferred ptr = NDRPointer( ndr64=pkt.ndr64, ndrendian=pkt.ndrendian, referent_id=referent_id ) pkt.deferred_pointers.append((ptr, partial(self.fld.getfield, pkt))) return remain, ptr remain, val = self.fld.getfield(pkt, remain) return remain, NDRPointer( ndr64=pkt.ndr64, ndrendian=pkt.ndrendian, referent_id=referent_id, value=val ) def addfield(self, pkt, s, val): if val is not None and not isinstance(val, NDRPointer): raise ValueError( "Expected NDRPointer in %s. You are using it wrong!" % self.name ) fmt = _e(pkt.ndrendian) + ["I", "Q"][pkt.ndr64] fld = NDRAlign(Field("", 0, fmt=fmt), align=(4, 8)) if not self.EMBEDDED and val is None: return fld.addfield(pkt, s, 0) else: _set_ctx_on(val.value, pkt) s = fld.addfield(pkt, s, val.referent_id) if self.deferred: # deferred pkt.deferred_pointers.append( ((lambda s: self.fld.addfield(pkt, s, val.value)), val) ) return s return self.fld.addfield(pkt, s, val.value) def any2i(self, pkt, x): # User-friendly helper if x is not None and not isinstance(x, NDRPointer): return NDRPointer( referent_id=0x20000, value=self.fld.any2i(pkt, x), ) return x # Can't use i2repr = Field.i2repr and so on on PY2 :/ def i2repr(self, pkt, val): return repr(val) def i2h(self, pkt, x): return x def h2i(self, pkt, x): return x def i2len(self, pkt, x): if x is None: return 0 return self.fld.i2len(pkt, x.value) def valueof(self, pkt, x): if x is None: return x return self.fld.valueof(pkt, x.value) class NDRRefEmbPointerField(NDRFullPointerField): """ A NDR Embedded Reference pointer """ EMBEDDED = True # Constructed types # Note: this is utterly complex and will drive you crazy # If you have a NDRPacket that contains a deferred pointer on the top level # (only happens in non DCE/RPC structures, such as in MS-PAC, where you have an NDR # structure encapsulated in a non-NDR structure), there will be left-over deferred # pointers when exiting dissection/build (deferred pointers are only computed when # reaching a field that extends NDRConstructedType, which is normal: if you follow # the DCE/RPC spec, pointers are never deferred in root structures) # Therefore there is a special case forcing the build/dissection of any leftover # pointers in NDRPacket, if Scapy detects that they won't be handled by any parent. # Implementation notes: I chose to set 'handles_deferred' inside the FIELD, rather # than inside the PACKET. This is faster to compute because whether a constructed type # should handle deferral or not is computed only once when loading, therefore Scapy # knows in advance whether to handle deferred pointers or not. But it is technically # incorrect: with this approach, a structure (packet) cannot be used in 2 code paths # that have different pointer managements. I mean by that that if there was a # structure that was directly embedded in a RPC request without a pointer but also # embedded with a pointer in another RPC request, it would break. # Fortunately this isn't the case: structures are never reused for 2 purposes. # (or at least I never seen that... ) class NDRConstructedType(object): def __init__(self, fields): self.handles_deferred = False self.ndr_fields = fields self.rec_check_deferral() def rec_check_deferral(self): # We iterate through the fields within this constructed type. # If we have a pointer, mark this field as handling deferrance # and make all sub-constructed types not. for f in self.ndr_fields: if isinstance(f, NDRFullPointerField) and f.deferred: self.handles_deferred = True if isinstance(f, NDRConstructedType): f.rec_check_deferral() if f.handles_deferred: self.handles_deferred = True f.handles_deferred = False def getfield(self, pkt, s): s, fval = super(NDRConstructedType, self).getfield(pkt, s) if isinstance(fval, _NDRPacket): # If a sub-packet we just dissected has deferred pointers, # pass it to parent packet to propagate. pkt.deferred_pointers.extend(fval.deferred_pointers) del fval.deferred_pointers[:] if self.handles_deferred: # This field handles deferral ! s = self.read_deferred_pointers(pkt, s) return s, fval def read_deferred_pointers(self, pkt, s): # Now read content of the pointers that were deferred q = collections.deque() q.extend(pkt.deferred_pointers) del pkt.deferred_pointers[:] while q: # Recursively resolve pointers that were deferred ptr, getfld = q.popleft() s, val = getfld(s) ptr.value = val if isinstance(val, _NDRPacket): # Pointer resolves to a packet.. that may have deferred pointers? q.extend(val.deferred_pointers) del val.deferred_pointers[:] return s def addfield(self, pkt, s, val): s = super(NDRConstructedType, self).addfield(pkt, s, val) if isinstance(val, _NDRPacket): # If a sub-packet we just dissected has deferred pointers, # pass it to parent packet to propagate. pkt.deferred_pointers.extend(val.deferred_pointers) del val.deferred_pointers[:] if self.handles_deferred: # This field handles deferral ! s = self.add_deferred_pointers(pkt, s) return s def add_deferred_pointers(self, pkt, s): # Now add content of pointers that were deferred q = collections.deque() q.extend(pkt.deferred_pointers) del pkt.deferred_pointers[:] while q: addfld, fval = q.popleft() s = addfld(s) if isinstance(fval, NDRPointer) and isinstance(fval.value, _NDRPacket): q.extend(fval.value.deferred_pointers) del fval.value.deferred_pointers[:] return s class _NDRPacketField(_NDRValueOf, PacketField): def m2i(self, pkt, m): return self.cls(m, ndr64=pkt.ndr64, ndrendian=pkt.ndrendian, _parent=pkt) # class _NDRPacketPadField(PadField): # def padlen(self, flen, pkt): # if pkt.ndr64: # return -flen % self._align[1] # else: # return 0 class NDRPacketField(NDRConstructedType, NDRAlign): def __init__(self, name, default, pkt_cls, **kwargs): self.DEPORTED_CONFORMANTS = pkt_cls.DEPORTED_CONFORMANTS self.fld = _NDRPacketField(name, default, pkt_cls=pkt_cls, **kwargs) NDRAlign.__init__( self, # There is supposed to be padding after a struct in NDR64? # _NDRPacketPadField(fld, align=pkt_cls.ALIGNMENT), self.fld, align=pkt_cls.ALIGNMENT, ) NDRConstructedType.__init__(self, pkt_cls.fields_desc) def getfield(self, pkt, x): # Handle deformed conformants max_count here if self.DEPORTED_CONFORMANTS: # C706 14.3.2: "In other words, the size information precedes the # structure and is aligned independently of the structure alignment." fld = NDRInt3264Field("", 0) max_counts = [] for _ in self.DEPORTED_CONFORMANTS: x, max_count = fld.getfield(pkt, x) max_counts.append(max_count) res, val = super(NDRPacketField, self).getfield(pkt, x) if len(max_counts) == 1: val.max_count = max_counts[0] else: val.max_counts = max_counts return res, val return super(NDRPacketField, self).getfield(pkt, x) def addfield(self, pkt, s, x): # Handle deformed conformants max_count here if self.DEPORTED_CONFORMANTS: mcfld = NDRInt3264Field("", 0) if len(self.DEPORTED_CONFORMANTS) == 1: max_counts = [x.max_count] else: max_counts = x.max_counts for fldname, max_count in zip(self.DEPORTED_CONFORMANTS, max_counts): if max_count is None: fld, val = x.getfield_and_val(fldname) max_count = fld.i2len(x, val) s = mcfld.addfield(pkt, s, max_count) return super(NDRPacketField, self).addfield(pkt, s, x) return super(NDRPacketField, self).addfield(pkt, s, x) # Array types class _NDRPacketListField(NDRConstructedType, PacketListField): """ A PacketListField for NDR that can optionally pack the packets into NDRPointers """ islist = 1 holds_packets = 1 __slots__ = ["ptr_pack", "fld"] def __init__(self, name, default, pkt_cls, **kwargs): self.ptr_pack = kwargs.pop("ptr_pack", False) if self.ptr_pack: self.fld = NDRFullPointerField( NDRPacketField("", None, pkt_cls), deferred=True ) else: self.fld = NDRPacketField("", None, pkt_cls) PacketListField.__init__(self, name, default, pkt_cls=pkt_cls, **kwargs) NDRConstructedType.__init__(self, [self.fld]) def m2i(self, pkt, s): remain, val = self.fld.getfield(pkt, s) # A mistake here would be to use / instead of add_payload. It adds a copy # which breaks pointer defferal. Same applies elsewhere val.add_payload(conf.padding_layer(remain)) return val def any2i(self, pkt, x): # User-friendly helper if isinstance(x, list): x = [self.fld.any2i(pkt, y) for y in x] return super(_NDRPacketListField, self).any2i(pkt, x) def i2m(self, pkt, val): return self.fld.addfield(pkt, b"", val) def i2len(self, pkt, x): return len(x) def valueof(self, pkt, x): return [self.fld.valueof(pkt, y) for y in x] class NDRFieldListField(NDRConstructedType, FieldListField): """ A FieldListField for NDR """ islist = 1 def __init__(self, *args, **kwargs): kwargs.pop("ptr_pack", None) # TODO: unimplemented if "length_is" in kwargs: kwargs["count_from"] = kwargs.pop("length_is") elif "size_is" in kwargs: kwargs["count_from"] = kwargs.pop("size_is") FieldListField.__init__(self, *args, **kwargs) NDRConstructedType.__init__(self, [self.field]) def i2len(self, pkt, x): return len(x) def valueof(self, pkt, x): return [self.field.valueof(pkt, y) for y in x] class NDRVaryingArray(_NDRPacket): fields_desc = [ MultipleTypeField( [(LELongField("offset", 0), lambda pkt: pkt and pkt.ndr64)], LEIntField("offset", 0), ), MultipleTypeField( [ ( LELongField("actual_count", None), lambda pkt: pkt and pkt.ndr64, ) ], LEIntField("actual_count", None), ), PacketField("value", None, conf.raw_layer), ] class _NDRVarField(object): """ NDR Varying Array / String field """ LENGTH_FROM = False COUNT_FROM = False def __init__(self, *args, **kwargs): # size is either from the length_is, if specified, or the "actual_count" self.from_actual = "length_is" not in kwargs length_is = kwargs.pop("length_is", lambda pkt: pkt.actual_count) if self.LENGTH_FROM: kwargs["length_from"] = length_is elif self.COUNT_FROM: kwargs["count_from"] = length_is super(_NDRVarField, self).__init__(*args, **kwargs) def getfield(self, pkt, s): fmt = _e(pkt.ndrendian) + ["I", "Q"][pkt.ndr64] remain, offset = NDRAlign(Field("", 0, fmt=fmt), align=(4, 8)).getfield(pkt, s) remain, actual_count = NDRAlign(Field("", 0, fmt=fmt), align=(4, 8)).getfield( pkt, remain ) final = NDRVaryingArray( ndr64=pkt.ndr64, ndrendian=pkt.ndrendian, offset=offset, actual_count=actual_count, ) if self.from_actual: remain, val = super(_NDRVarField, self).getfield(final, remain) else: remain, val = super(_NDRVarField, self).getfield(pkt, remain) final.value = super(_NDRVarField, self).i2h(pkt, val) return remain, final def addfield(self, pkt, s, val): if not isinstance(val, NDRVaryingArray): raise ValueError( "Expected NDRVaryingArray in %s. You are using it wrong!" % self.name ) fmt = _e(pkt.ndrendian) + ["I", "Q"][pkt.ndr64] _set_ctx_on(val.value, pkt) s = NDRAlign(Field("", 0, fmt=fmt), align=(4, 8)).addfield(pkt, s, val.offset) s = NDRAlign(Field("", 0, fmt=fmt), align=(4, 8)).addfield( pkt, s, val.actual_count is None and super(_NDRVarField, self).i2len(pkt, val.value) or val.actual_count, ) return super(_NDRVarField, self).addfield( pkt, s, super(_NDRVarField, self).h2i(pkt, val.value) ) def i2len(self, pkt, x): return super(_NDRVarField, self).i2len(pkt, x.value) def any2i(self, pkt, x): # User-friendly helper if not isinstance(x, NDRVaryingArray): return NDRVaryingArray( value=super(_NDRVarField, self).any2i(pkt, x), ) return x # Can't use i2repr = Field.i2repr and so on on PY2 :/ def i2repr(self, pkt, val): return repr(val) def i2h(self, pkt, x): return x def h2i(self, pkt, x): return x def valueof(self, pkt, x): return super(_NDRVarField, self).valueof(pkt, x.value) class NDRConformantArray(_NDRPacket): fields_desc = [ MultipleTypeField( [(LELongField("max_count", None), lambda pkt: pkt and pkt.ndr64)], LEIntField("max_count", None), ), MultipleTypeField( [ ( PacketListField( "value", [], conf.raw_layer, count_from=lambda pkt: pkt.max_count, ), ( lambda pkt: pkt.fields.get("value", None) and isinstance(pkt.fields["value"][0], Packet), lambda _, val: val and isinstance(val[0], Packet), ), ) ], FieldListField( "value", [], LEIntField("", 0), count_from=lambda pkt: pkt.max_count ), ), ] class NDRConformantString(_NDRPacket): fields_desc = [ MultipleTypeField( [(LELongField("max_count", None), lambda pkt: pkt and pkt.ndr64)], LEIntField("max_count", None), ), StrField("value", ""), ] class _NDRConfField(object): """ NDR Conformant Array / String field """ CONFORMANT_STRING = False LENGTH_FROM = False COUNT_FROM = False def __init__(self, *args, **kwargs): self.conformant_in_struct = kwargs.pop("conformant_in_struct", False) # size_is/max_is end up here, and is what defines a conformant field. if "size_is" in kwargs: size_is = kwargs.pop("size_is") if self.LENGTH_FROM: kwargs["length_from"] = size_is elif self.COUNT_FROM: kwargs["count_from"] = size_is super(_NDRConfField, self).__init__(*args, **kwargs) def getfield(self, pkt, s): # [C706] - 14.3.7 Structures Containing Arrays fmt = _e(pkt.ndrendian) + ["I", "Q"][pkt.ndr64] if self.conformant_in_struct: return super(_NDRConfField, self).getfield(pkt, s) remain, max_count = NDRAlign(Field("", 0, fmt=fmt), align=(4, 8)).getfield( pkt, s ) remain, val = super(_NDRConfField, self).getfield(pkt, remain) return remain, ( NDRConformantString if self.CONFORMANT_STRING else NDRConformantArray )(ndr64=pkt.ndr64, ndrendian=pkt.ndrendian, max_count=max_count, value=val) def addfield(self, pkt, s, val): if self.conformant_in_struct: return super(_NDRConfField, self).addfield(pkt, s, val) if self.CONFORMANT_STRING and not isinstance(val, NDRConformantString): raise ValueError( "Expected NDRConformantString in %s. You are using it wrong!" % self.name ) elif not self.CONFORMANT_STRING and not isinstance(val, NDRConformantArray): raise ValueError( "Expected NDRConformantArray in %s. You are using it wrong!" % self.name ) fmt = _e(pkt.ndrendian) + ["I", "Q"][pkt.ndr64] _set_ctx_on(val.value, pkt) if val.value and isinstance(val.value[0], NDRVaryingArray): value = val.value[0] else: value = val.value s = NDRAlign(Field("", 0, fmt=fmt), align=(4, 8)).addfield( pkt, s, val.max_count is None and super(_NDRConfField, self).i2len(pkt, value) or val.max_count, ) return super(_NDRConfField, self).addfield(pkt, s, value) def _subval(self, x): if self.conformant_in_struct: value = x elif ( not self.CONFORMANT_STRING and x.value and isinstance(x.value[0], NDRVaryingArray) ): value = x.value[0] else: value = x.value return value def i2len(self, pkt, x): return super(_NDRConfField, self).i2len(pkt, self._subval(x)) def any2i(self, pkt, x): # User-friendly helper if self.conformant_in_struct: return super(_NDRConfField, self).any2i(pkt, x) if self.CONFORMANT_STRING and not isinstance(x, NDRConformantString): return NDRConformantString( value=super(_NDRConfField, self).any2i(pkt, x), ) elif not isinstance(x, NDRConformantArray): return NDRConformantArray( value=super(_NDRConfField, self).any2i(pkt, x), ) return x # Can't use i2repr = Field.i2repr and so on on PY2 :/ def i2repr(self, pkt, val): return repr(val) def i2h(self, pkt, x): return x def h2i(self, pkt, x): return x def valueof(self, pkt, x): return super(_NDRConfField, self).valueof(pkt, self._subval(x)) class NDRVarPacketListField(_NDRVarField, _NDRPacketListField): """ NDR Varying PacketListField. Unused """ COUNT_FROM = True class NDRConfPacketListField(_NDRConfField, _NDRPacketListField): """ NDR Conformant PacketListField """ COUNT_FROM = True class NDRConfVarPacketListField(_NDRConfField, _NDRVarField, _NDRPacketListField): """ NDR Conformant Varying PacketListField """ COUNT_FROM = True class NDRConfFieldListField(_NDRConfField, NDRFieldListField): """ NDR Conformant FieldListField """ COUNT_FROM = True class NDRConfVarFieldListField(_NDRConfField, _NDRVarField, NDRFieldListField): """ NDR Conformant Varying FieldListField """ COUNT_FROM = True # NDR String fields class _NDRUtf16(Field): def h2i(self, pkt, x): encoding = {"big": "utf-16be", "little": "utf-16le"}[pkt.ndrendian] return plain_str(x).encode(encoding) def i2h(self, pkt, x): encoding = {"big": "utf-16be", "little": "utf-16le"}[pkt.ndrendian] return bytes_encode(x).decode(encoding, errors="replace") class NDRConfStrLenField(_NDRConfField, _NDRValueOf, StrLenField): """ NDR Conformant StrLenField. This is not a "string" per NDR, but an a conformant byte array (e.g. tower_octet_string) """ CONFORMANT_STRING = True LENGTH_FROM = True class NDRConfStrLenFieldUtf16(_NDRConfField, _NDRValueOf, StrLenFieldUtf16, _NDRUtf16): """ NDR Conformant StrLenField. See NDRConfLenStrField for comment. """ CONFORMANT_STRING = True ON_WIRE_SIZE_UTF16 = False LENGTH_FROM = True class NDRVarStrLenField(_NDRVarField, StrLenField): """ NDR Varying StrLenField """ LENGTH_FROM = True class NDRVarStrLenFieldUtf16(_NDRVarField, _NDRValueOf, StrLenFieldUtf16, _NDRUtf16): """ NDR Varying StrLenField """ ON_WIRE_SIZE_UTF16 = False LENGTH_FROM = True class NDRConfVarStrLenField(_NDRConfField, _NDRVarField, _NDRValueOf, StrLenField): """ NDR Conformant Varying StrLenField """ LENGTH_FROM = True class NDRConfVarStrLenFieldUtf16( _NDRConfField, _NDRVarField, _NDRValueOf, StrLenFieldUtf16, _NDRUtf16 ): """ NDR Conformant Varying StrLenField """ ON_WIRE_SIZE_UTF16 = False LENGTH_FROM = True class NDRConfVarStrNullField(_NDRConfField, _NDRVarField, _NDRValueOf, StrNullField): """ NDR Conformant Varying StrNullField """ NULLFIELD = True class NDRConfVarStrNullFieldUtf16( _NDRConfField, _NDRVarField, _NDRValueOf, StrNullFieldUtf16, _NDRUtf16 ): """ NDR Conformant Varying StrNullFieldUtf16 """ ON_WIRE_SIZE_UTF16 = False NULLFIELD = True # Union type class NDRUnion(_NDRPacket): fields_desc = [ IntField("tag", 0), PacketField("value", None, conf.raw_layer), ] class _NDRUnionField(MultipleTypeField): __slots__ = ["switch_fmt", "align"] def __init__(self, flds, dflt, align, switch_fmt): self.switch_fmt = switch_fmt self.align = align super(_NDRUnionField, self).__init__(flds, dflt) def getfield(self, pkt, s): fmt = _e(pkt.ndrendian) + self.switch_fmt[pkt.ndr64] remain, tag = NDRAlign(Field("", 0, fmt=fmt), align=self.align).getfield(pkt, s) fld, _ = super(_NDRUnionField, self)._find_fld_pkt_val(pkt, NDRUnion(tag=tag)) remain, val = fld.getfield(pkt, remain) return remain, NDRUnion( tag=tag, value=val, ndr64=pkt.ndr64, ndrendian=pkt.ndrendian, _parent=pkt ) def addfield(self, pkt, s, val): fmt = _e(pkt.ndrendian) + self.switch_fmt[pkt.ndr64] if not isinstance(val, NDRUnion): raise ValueError( "Expected NDRUnion in %s. You are using it wrong!" % self.name ) _set_ctx_on(val.value, pkt) # First, align the whole tag+union against the align param s = NDRAlign(Field("", 0, fmt=fmt), align=self.align).addfield(pkt, s, val.tag) # Then, compute the subfield with its own alignment return super(_NDRUnionField, self).addfield(pkt, s, val) def _find_fld_pkt_val(self, pkt, val): fld, val = super(_NDRUnionField, self)._find_fld_pkt_val(pkt, val) return fld, val.value # Can't use i2repr = Field.i2repr and so on on PY2 :/ def i2repr(self, pkt, val): return repr(val) def i2h(self, pkt, x): return x def h2i(self, pkt, x): return x def valueof(self, pkt, x): fld, val = self._find_fld_pkt_val(pkt, x) return fld.valueof(pkt, x.value) class NDRUnionField(NDRConstructedType, _NDRUnionField): def __init__(self, flds, dflt, align, switch_fmt): _NDRUnionField.__init__(self, flds, dflt, align=align, switch_fmt=switch_fmt) NDRConstructedType.__init__(self, [x[0] for x in flds] + [dflt]) def any2i(self, pkt, x): # User-friendly helper if x: if not isinstance(x, NDRUnion): raise ValueError("Invalid value for %s; should be NDRUnion" % self.name) else: x.value = _NDRUnionField.any2i(self, pkt, x) return x # Misc class NDRRecursiveField(Field): """ A special Field that is used for pointer recursion """ def __init__(self, name, fmt="I"): super(NDRRecursiveField, self).__init__(name, None, fmt=fmt) def getfield(self, pkt, s): return NDRFullPointerField( NDRPacketField("", None, pkt.__class__), deferred=True ).getfield(pkt, s) def addfield(self, pkt, s, val): return NDRFullPointerField( NDRPacketField("", None, pkt.__class__), deferred=True ).addfield(pkt, s, val) # The very few NDR-specific structures class NDRContextHandle(NDRPacket): ALIGNMENT = (4, 4) fields_desc = [ LEIntField("attributes", 0), StrFixedLenField("uuid", b"", length=16), ] def guess_payload_class(self, payload): return conf.padding_layer # --- Type Serialization Version 1 - [MSRPCE] sect 2.2.6 def _get_ndrtype1_endian(pkt): if pkt.underlayer is None: return "<" return {0x00: ">", 0x10: "<"}.get(pkt.underlayer.Endianness, "<") class NDRSerialization1Header(Packet): fields_desc = [ ByteField("Version", 1), ByteEnumField("Endianness", 0x10, {0x00: "big", 0x10: "little"}), LEShortField("CommonHeaderLength", 8), XLEIntField("Filler", 0xCCCCCCCC), ] class NDRSerialization1PrivateHeader(Packet): fields_desc = [ EField( LEIntField("ObjectBufferLength", 0), endianness_from=_get_ndrtype1_endian ), XLEIntField("Filler", 0), ] def ndr_deserialize1(b, cls, ndr64=False): """ Deserialize Type Serialization Version 1 according to [MS-RPCE] sect 2.2.6 """ if issubclass(cls, NDRPacket): # We use an intermediary class for two reasons: # - it properly sets deferred pointers # - it uses NDRPacketField which handles deported conformant fields class _cls(NDRPacket): fields_desc = [ NDRFullPointerField(NDRPacketField("pkt", None, cls)), ] hdr = NDRSerialization1Header(b[:8]) / NDRSerialization1PrivateHeader(b[8:16]) endian = {0x00: "big", 0x10: "little"}[hdr.Endianness] padlen = (-hdr.ObjectBufferLength) % _TYPE1_S_PAD # padlen should be 0 (pad included in length), but some implementations # implement apparently misread the spec return ( hdr / _cls( b[16 : 20 + hdr.ObjectBufferLength], ndr64=ndr64, ndrendian=endian, ).pkt / conf.padding_layer(b[20 + padlen + hdr.ObjectBufferLength :]) ) return NDRSerialization1Header(b[:8]) / cls(b[8:]) def ndr_serialize1(pkt): """ Serialize Type Serialization Version 1 """ pkt = pkt.copy() endian = getattr(pkt, "ndrendian", "little") if not isinstance(pkt, NDRSerialization1Header): if not isinstance(pkt, NDRPacket): return bytes(NDRSerialization1Header(Endianness=endian) / pkt) if isinstance(pkt, NDRPointer): cls = pkt.value.__class__ else: cls = pkt.__class__ val = pkt pkt_len = len(pkt) # ObjectBufferLength: # > It MUST include the padding length and exclude the header itself pkt = NDRSerialization1Header( Endianness=endian ) / NDRSerialization1PrivateHeader( ObjectBufferLength=pkt_len + (-pkt_len) % _TYPE1_S_PAD ) else: cls = pkt.value.__class__ val = pkt.payload.payload pkt.payload.remove_payload() # See above about why we need an intermediary class class _cls(NDRPacket): fields_desc = [ NDRFullPointerField(NDRPacketField("pkt", None, cls)), ] ret = bytes(pkt / _cls(pkt=val)) return ret + (-len(ret) % _TYPE1_S_PAD) * b"\x00" class _NDRSerializeType1: def __init__(self, *args, **kwargs): super(_NDRSerializeType1, self).__init__(*args, **kwargs) def i2m(self, pkt, val): return ndr_serialize1(val) def m2i(self, pkt, s): return ndr_deserialize1(s, self.cls, ndr64=False) def i2len(self, pkt, val): return len(self.i2m(pkt, val)) class NDRSerializeType1PacketField(_NDRSerializeType1, PacketField): __slots__ = ["ptr"] class NDRSerializeType1PacketLenField(_NDRSerializeType1, PacketLenField): __slots__ = ["ptr"] class NDRSerializeType1PacketListField(_NDRSerializeType1, PacketListField): __slots__ = ["ptr"] # --- DCE/RPC session class DceRpcSession(DefaultSession): """ A DCE/RPC session within a TCP socket. """ def __init__(self, *args, **kwargs): self.rpc_bind_interface = None self.ndr64 = False self.ndrendian = "little" self.support_header_signing = kwargs.pop("support_header_signing", True) self.header_sign = conf.dcerpc_force_header_signing self.ssp = kwargs.pop("ssp", None) self.sspcontext = kwargs.pop("sspcontext", None) self.auth_level = kwargs.pop("auth_level", None) self.auth_context_id = kwargs.pop("auth_context_id", 0) self.map_callid_opnum = {} self.frags = collections.defaultdict(lambda: b"") self.sniffsspcontexts = {} # Unfinished contexts for passive if conf.dcerpc_session_enable and conf.winssps_passive: for ssp in conf.winssps_passive: self.sniffsspcontexts[ssp] = None super(DceRpcSession, self).__init__(*args, **kwargs) def _up_pkt(self, pkt): """ Common function to handle the DCE/RPC session: what interfaces are bind, opnums, etc. """ opnum = None opts = {} if DceRpc5Bind in pkt or DceRpc5AlterContext in pkt: # bind => get which RPC interface for ctx in pkt.context_elem: if_uuid = ctx.abstract_syntax.if_uuid if_version = ctx.abstract_syntax.if_version try: self.rpc_bind_interface = DCE_RPC_INTERFACES[(if_uuid, if_version)] except KeyError: self.rpc_bind_interface = None log_runtime.warning( "Unknown RPC interface %s. Try loading the IDL" % if_uuid ) elif DceRpc5BindAck in pkt or DceRpc5AlterContextResp in pkt: # bind ack => is it NDR64 for res in pkt.results: if res.result == 0: # Accepted self.ndrendian = {0: "big", 1: "little"}[pkt[DceRpc5].endian] if res.transfer_syntax.sprintf("%if_uuid%") == "NDR64": self.ndr64 = True elif DceRpc5Request in pkt: # request => match opnum with callID opnum = pkt.opnum self.map_callid_opnum[pkt.call_id] = opnum, pkt[DceRpc5Request].payload elif DceRpc5Response in pkt: # response => get opnum from table try: opnum, opts["request_packet"] = self.map_callid_opnum[pkt.call_id] del self.map_callid_opnum[pkt.call_id] except KeyError: log_runtime.info("Unknown call_id %s in DCE/RPC session" % pkt.call_id) # Bind / Alter request/response specific if ( DceRpc5Bind in pkt or DceRpc5AlterContext in pkt or DceRpc5BindAck in pkt or DceRpc5AlterContextResp in pkt ): # Detect if "Header Signing" is in use if pkt.pfc_flags & 0x04: # PFC_SUPPORT_HEADER_SIGN self.header_sign = True return opnum, opts # [C706] sect 12.6.2 - Fragmentation and Reassembly # Since the connection-oriented transport guarantees sequentiality, the receiver # will always receive the fragments in order. def _defragment(self, pkt): """ Function to defragment DCE/RPC packets. """ uid = pkt.call_id if pkt.pfc_flags.PFC_FIRST_FRAG and pkt.pfc_flags.PFC_LAST_FRAG: # Not fragmented return pkt if pkt.pfc_flags.PFC_FIRST_FRAG or uid in self.frags: # Packet is fragmented self.frags[uid] += pkt[DceRpc5].payload.payload.original if pkt.pfc_flags.PFC_LAST_FRAG: pkt[DceRpc5].payload.remove_payload() pkt[DceRpc5].payload /= self.frags[uid] return pkt else: # Not fragmented return pkt def _fragment(self, pkt): """ Function to fragment DCE/RPC packets. """ # unimplemented pass # [MS-RPCE] sect 3.3.1.5.2.2 # The PDU header, PDU body, and sec_trailer MUST be passed in the input message, in # this order, to GSS_WrapEx, GSS_UnwrapEx, GSS_GetMICEx, and GSS_VerifyMICEx. For # integrity protection the sign flag for that PDU segment MUST be set to TRUE, else # it MUST be set to FALSE. For confidentiality protection, the conf_req_flag for # that PDU segment MUST be set to TRUE, else it MUST be set to FALSE. # If the authentication level is RPC_C_AUTHN_LEVEL_PKT_PRIVACY, the PDU body will # be encrypted. # The PDU body from the output message of GSS_UnwrapEx represents the plain text # version of the PDU body. The PDU header and sec_trailer output from the output # message SHOULD be ignored. # Similarly the signature output SHOULD be ignored. def in_pkt(self, pkt): # Defragment pkt = self._defragment(pkt) if not pkt: return # Get opnum and options opnum, opts = self._up_pkt(pkt) # Check for encrypted payloads body = None if conf.raw_layer in pkt.payload: body = bytes(pkt.payload[conf.raw_layer]) # If we are doing passive sniffing if conf.dcerpc_session_enable and conf.winssps_passive: # We have Windows SSPs, and no current context if pkt.auth_verifier and pkt.auth_verifier.is_ssp(): # This is a bind/alter/auth3 req/resp for ssp in self.sniffsspcontexts: self.sniffsspcontexts[ssp], status = ssp.GSS_Passive( self.sniffsspcontexts[ssp], pkt.auth_verifier.auth_value, ) if status == GSS_S_COMPLETE: self.auth_level = DCE_C_AUTHN_LEVEL( int(pkt.auth_verifier.auth_level) ) self.ssp = ssp self.sspcontext = self.sniffsspcontexts[ssp] self.sniffsspcontexts[ssp] = None elif ( self.sspcontext and pkt.auth_verifier and pkt.auth_verifier.is_protected() and body ): # This is a request/response if self.sspcontext.passive: self.ssp.GSS_Passive_set_Direction( self.sspcontext, IsAcceptor=DceRpc5Response in pkt, ) if pkt.auth_verifier and pkt.auth_verifier.is_protected() and body: if self.sspcontext is None: return pkt if self.auth_level in ( RPC_C_AUTHN_LEVEL.PKT_INTEGRITY, RPC_C_AUTHN_LEVEL.PKT_PRIVACY, ): # note: 'vt_trailer' is included in the pdu body # [MS-RPCE] sect 2.2.2.13 # "The data structures MUST only appear in a request PDU, and they # SHOULD be placed in the PDU immediately after the stub data but # before the authentication padding octets. Therefore, for security # purposes, the verification trailer is considered part of the PDU # body." if pkt.vt_trailer: body += bytes(pkt.vt_trailer) # Account for padding when computing checksum/encryption if pkt.auth_padding: body += pkt.auth_padding # Build pdu_header and sec_trailer pdu_header = pkt.copy() sec_trailer = pdu_header.auth_verifier # sec_trailer: include the sec_trailer but not the Authentication token authval_len = len(sec_trailer.auth_value) # Discard everything out of the header pdu_header.auth_padding = None pdu_header.auth_verifier = None pdu_header.payload.payload = NoPayload() pdu_header.vt_trailer = None # [MS-RPCE] sect 2.2.2.12 if self.auth_level == RPC_C_AUTHN_LEVEL.PKT_PRIVACY: _msgs = self.ssp.GSS_UnwrapEx( self.sspcontext, [ # "PDU header" SSP.WRAP_MSG( conf_req_flag=False, sign=self.header_sign, data=bytes(pdu_header), ), # "PDU body" SSP.WRAP_MSG( conf_req_flag=True, sign=True, data=body, ), # "sec_trailer" SSP.WRAP_MSG( conf_req_flag=False, sign=self.header_sign, data=bytes(sec_trailer)[:-authval_len], ), ], pkt.auth_verifier.auth_value, ) body = _msgs[1].data # PDU body elif self.auth_level == RPC_C_AUTHN_LEVEL.PKT_INTEGRITY: self.ssp.GSS_VerifyMICEx( self.sspcontext, [ # "PDU header" SSP.MIC_MSG( sign=self.header_sign, data=bytes(pdu_header), ), # "PDU body" SSP.MIC_MSG( sign=True, data=body, ), # "sec_trailer" SSP.MIC_MSG( sign=self.header_sign, data=bytes(sec_trailer)[:-authval_len], ), ], pkt.auth_verifier.auth_value, ) # Put padding back into the header if pkt.auth_padding: padlen = len(pkt.auth_padding) body, pkt.auth_padding = body[:-padlen], body[-padlen:] # Put back vt_trailer into the header if pkt.vt_trailer: vtlen = len(pkt.vt_trailer) body, pkt.vt_trailer = body[:-vtlen], body[-vtlen:] # Try to parse the payload if opnum is not None and self.rpc_bind_interface: # use opnum to parse the payload is_response = DceRpc5Response in pkt try: cls = self.rpc_bind_interface.opnums[opnum][is_response] except KeyError: log_runtime.warning( "Unknown opnum %s for interface %s" % (opnum, self.rpc_bind_interface) ) pkt.payload[conf.raw_layer].load = body return pkt if body: # Dissect payload using class payload = cls(body, ndr64=self.ndr64, ndrendian=self.ndrendian, **opts) pkt.payload[conf.raw_layer].underlayer.remove_payload() pkt /= payload elif not cls.fields_desc: # Request class has no payload pkt /= cls(ndr64=self.ndr64, ndrendian=self.ndrendian, **opts) elif body: pkt.payload[conf.raw_layer].load = body return pkt def out_pkt(self, pkt): assert DceRpc5 in pkt self._up_pkt(pkt) if pkt.auth_verifier is not None: # Verifier already set return [pkt] if self.sspcontext and isinstance( pkt.payload, (DceRpc5Request, DceRpc5Response) ): body = bytes(pkt.payload.payload) signature = None if self.auth_level in ( RPC_C_AUTHN_LEVEL.PKT_INTEGRITY, RPC_C_AUTHN_LEVEL.PKT_PRIVACY, ): # Account for padding when computing checksum/encryption if pkt.auth_padding is None: padlen = (-len(body)) % _COMMON_AUTH_PAD # authdata padding pkt.auth_padding = b"\x00" * padlen else: padlen = len(pkt.auth_padding) # Remember that vt_trailer is included in the PDU if pkt.vt_trailer: body += bytes(pkt.vt_trailer) # Remember that padding IS SIGNED & ENCRYPTED body += pkt.auth_padding # Add the auth_verifier pkt.auth_verifier = CommonAuthVerifier( auth_type=self.ssp.auth_type, auth_level=self.auth_level, auth_context_id=self.auth_context_id, auth_pad_length=padlen, # Note: auth_value should have the correct length because when # using PFC_SUPPORT_HEADER_SIGN, auth_len (and frag_len) is # included in the token.. but this creates a dependency loop as # you'd need to know the token length to compute the token. # Windows solves this by setting the 'Maximum Signature Length' # (or something similar) beforehand, instead of the real length. # See `gensec_sig_size` in samba. auth_value=b"\x00" * self.ssp.MaximumSignatureLength(self.sspcontext), ) # Build pdu_header and sec_trailer pdu_header = pkt.copy() pdu_header.auth_len = len(pdu_header.auth_verifier) - 8 pdu_header.frag_len = len(pdu_header) sec_trailer = pdu_header.auth_verifier # sec_trailer: include the sec_trailer but not the Authentication token authval_len = len(sec_trailer.auth_value) # sec_trailer.auth_value = None # Discard everything out of the header pdu_header.auth_padding = None pdu_header.auth_verifier = None pdu_header.payload.payload = NoPayload() pdu_header.vt_trailer = None signature = None # [MS-RPCE] sect 2.2.2.12 if self.auth_level == RPC_C_AUTHN_LEVEL.PKT_PRIVACY: _msgs, signature = self.ssp.GSS_WrapEx( self.sspcontext, [ # "PDU header" SSP.WRAP_MSG( conf_req_flag=False, sign=self.header_sign, data=bytes(pdu_header), ), # "PDU body" SSP.WRAP_MSG( conf_req_flag=True, sign=True, data=body, ), # "sec_trailer" SSP.WRAP_MSG( conf_req_flag=False, sign=self.header_sign, data=bytes(sec_trailer)[:-authval_len], ), ], ) s = _msgs[1].data # PDU body elif self.auth_level == RPC_C_AUTHN_LEVEL.PKT_INTEGRITY: signature = self.ssp.GSS_GetMICEx( self.sspcontext, [ # "PDU header" SSP.MIC_MSG( sign=self.header_sign, data=bytes(pdu_header), ), # "PDU body" SSP.MIC_MSG( sign=True, data=body, ), # "sec_trailer" SSP.MIC_MSG( sign=self.header_sign, data=bytes(sec_trailer)[:-authval_len], ), ], pkt.auth_verifier.auth_value, ) s = body else: raise ValueError("Impossible") # Put padding back in the header if padlen: s, pkt.auth_padding = s[:-padlen], s[-padlen:] # Put back vt_trailer into the header if pkt.vt_trailer: vtlen = len(pkt.vt_trailer) s, pkt.vt_trailer = s[:-vtlen], s[-vtlen:] else: s = body # now inject the encrypted payload into the packet pkt.payload.payload = conf.raw_layer(load=s) # and the auth_value if signature: pkt.auth_verifier.auth_value = signature else: pkt.auth_verifier = None return [pkt] def process(self, pkt: Packet) -> Optional[Packet]: pkt = super(DceRpcSession, self).process(pkt) if pkt is not None and DceRpc5 in pkt: return self.in_pkt(pkt) return pkt class DceRpcSocket(StreamSocket): """ A Wrapper around StreamSocket that uses a DceRpcSession """ def __init__(self, *args, **kwargs): self.session = DceRpcSession( ssp=kwargs.pop("ssp", None), auth_level=kwargs.pop("auth_level", None), auth_context_id=kwargs.pop("auth_context_id", None), support_header_signing=kwargs.pop("support_header_signing", True), ) super(DceRpcSocket, self).__init__(*args, **kwargs) def send(self, x, **kwargs): for pkt in self.session.out_pkt(x): return super(DceRpcSocket, self).send(pkt, **kwargs) def recv(self, x=None): pkt = super(DceRpcSocket, self).recv(x) if pkt is not None: return self.session.in_pkt(pkt) # --- TODO cleanup below # Heuristically way to find the payload class # # To add a possible payload to a DCE/RPC packet, one must first create the # packet class, then instead of binding layers using bind_layers, he must # call DceRpcPayload.register_possible_payload() with the payload class as # parameter. # # To be able to decide if the payload class is capable of handling the rest of # the dissection, the classmethod can_handle() should be implemented in the # payload class. This method is given the rest of the string to dissect as # first argument, and the DceRpc packet instance as second argument. Based on # this information, the method must return True if the class is capable of # handling the dissection, False otherwise class DceRpc4Payload(Packet): """Dummy class which use the dispatch_hook to find the payload class""" _payload_class = [] @classmethod def dispatch_hook(cls, _pkt, _underlayer=None, *args, **kargs): """dispatch_hook to choose among different registered payloads""" for klass in cls._payload_class: if hasattr(klass, "can_handle") and klass.can_handle(_pkt, _underlayer): return klass log_runtime.warning("DCE/RPC payload class not found or undefined (using Raw)") return Raw @classmethod def register_possible_payload(cls, pay): """Method to call from possible DCE/RPC endpoint to register it as possible payload""" cls._payload_class.append(pay) bind_layers(DceRpc4, DceRpc4Payload)