further fix for NDR64

2025-04-18 07:44:00 +03:00 · 2018-12-10 01:05:10 +08:00 · 2018-12-10 01:05:10 +08:00 · 758e616d6f
commit 758e616d6f
parent 57d51600c0
5 changed files with 42 additions and 44 deletions
--- a/client.py
+++ b/client.py
@ -13,12 +13,11 @@ except ImportError:
 	import upy.codecs as codecs

 import filetimes, rpcBind, rpcRequest
-from dcerpc import MSRPCHeader, MSRPCBindNak, MSRPCRespHeader
+from dcerpc import MSRPCHeader, MSRPCBindNak, MSRPCRespHeader, MSRPC_BINDACK, MSRPC_BINDNAK
 from kmsBase import kmsRequestStruct, UUID
 from kmsRequestV4 import kmsRequestV4, generateHash
 from kmsRequestV5 import kmsRequestV5
 from kmsRequestV6 import kmsRequestV6
-from rpcBase import rpcBase

 config = {}

@ -58,7 +57,7 @@ def main():
 		print("No data received! Exiting...")
 		sys.exit()
 	packetType = MSRPCHeader(bindResponse)['type']
-	if packetType == rpcBase.packetType['bindAck']:
+	if packetType == MSRPC_BINDACK:
 		if config['verbose']:
 			print("RPC bind acknowledged.")
 		kmsRequest = createKmsRequest()
@ -79,7 +78,7 @@ def main():
 		print("KMS Host Current Client Count:", kmsResp['currentClientCount'])
 		print("KMS VL Activation Interval:", kmsResp['vLActivationInterval'])
 		print("KMS VL Renewal Interval:", kmsResp['vLRenewalInterval'])
-	elif packetType == rpcBase.packetType['bindNak']:
+	elif packetType == MSRPC_BINDNAK:
 		print(MSRPCBindNak(bindResponse).dump())
 		sys.exit()
 	else:
--- a/rpcBase.py
+++ b/rpcBase.py
@ -1,26 +1,5 @@

 class rpcBase:
-	packetType = {
-		'request' : 0,
-		'ping' : 1,
-		'response' : 2,
-		'fault' : 3,
-		'working' : 4,
-		'nocall' : 5,
-		'reject' : 6,
-		'ack' : 7,
-		'clCancel' : 8,
-		'fack' : 9,
-		'cancelAck' : 10,
-		'bindReq' : 11,
-		'bindAck' : 12,
-		'bindNak' : 13,
-		'alterContext' : 14,
-		'alterContextResp' : 15,
-		'shutdown' : 17,
-		'coCancel' : 18,
-		'orphaned' : 19
-	}

 	packetFlags = {
 		'firstFrag' : 1, # 0x01
--- a/rpcBind.py
+++ b/rpcBind.py
@ -5,7 +5,7 @@ try:
 except ImportError:
 	import upy.uuid as uuid

-from dcerpc import MSRPCHeader, MSRPCBindAck
+from dcerpc import MSRPCHeader, MSRPCBindAck, MSRPC_BINDACK, MSRPC_BIND, MSRPC_ALTERCTX, MSRPC_ALTERCTX_R
 from structure import Structure

 uuidNDR32 = uuid.UUID('8a885d04-1ceb-11c9-9fe8-08002b104860')
@ -98,11 +98,15 @@ class handler(rpcBase.rpcBase):

 		response['ver_major'] = request['ver_major']
 		response['ver_minor'] = request['ver_minor']
-		response['type'] = self.packetType['bindAck']
 		response['flags'] = self.packetFlags['firstFrag'] | self.packetFlags['lastFrag']
-		response['flags'] |= request['flags'] & self.packetFlags['multiplex']
+		if request['type'] == MSRPC_BIND:
+			response['type'] = MSRPC_BINDACK
+			response['flags'] |= request['flags'] & self.packetFlags['multiplex']
+		elif request['type'] == MSRPC_ALTERCTX:
+			response['type'] = MSRPC_ALTERCTX_R
+		else:
+			raise TypeError('Unknown RPC request type for bind like handler: %s' % response['type'])
 		response['representation'] = request['representation']
-		response['frag_len'] = 36 + bind['ctx_num'] * 24
 		response['auth_len'] = request['auth_len']
 		response['call_id'] = request['call_id']

@ -111,14 +115,31 @@ class handler(rpcBase.rpcBase):
 		response['assoc_group'] = 0x1063bf3f

 		port = str(self.config['port']).encode()
-		response['SecondaryAddrLen'] = len(port) + 1
-		response['SecondaryAddr'] = port
+		if request['type'] == MSRPC_BIND:
+			response['SecondaryAddrLen'] = len(port) + 1
+			response['SecondaryAddr'] = port
+			response['frag_len'] = 36 + bind['ctx_num'] * 24
+		elif request['type'] == MSRPC_ALTERCTX:
+			response['SecondaryAddrLen'] = 0
+			response['frag_len'] = 32 + bind['ctx_num'] * 24
+		else:
+			raise TypeError('Unknown RPC request type for bind like handler: %s' % response['type'])
 		response['ctx_num'] = bind['ctx_num']

 		preparedResponses = {}
-		preparedResponses[uuidNDR32] = CtxItemResult(0, 0, uuidNDR32, 2)
-		preparedResponses[uuidNDR64] = CtxItemResult(0, 0, uuidNDR64, 1)
-		preparedResponses[uuidTime] = CtxItemResult(3, 3, uuidEmpty, 0)
+		if request['type'] == MSRPC_BIND:
+			if uuidNDR64 in [bind['ctx_items'][i].ts() for i in range(bind['ctx_num'])]:
+				preparedResponses[uuidNDR32] = CtxItemResult(2, 2, uuidEmpty, 0)
+				preparedResponses[uuidNDR64] = CtxItemResult(0, 0, uuidNDR64, 1)
+				preparedResponses[uuidTime] = CtxItemResult(3, 3, uuidEmpty, 0)
+			else:
+				preparedResponses[uuidNDR32] = CtxItemResult(0, 0, uuidNDR32, 2)
+				preparedResponses[uuidNDR64] = CtxItemResult(2, 2, uuidEmpty, 0)
+				preparedResponses[uuidTime] = CtxItemResult(3, 3, uuidEmpty, 0)
+		elif request['type'] == MSRPC_ALTERCTX:
+			preparedResponses[uuidNDR32] = CtxItemResult(0, 0, uuidNDR32, 2)
+		else:
+			raise TypeError('Unknown RPC request type for bind like handler: %s' % response['type'])

 		response['ctx_items'] = b''
 		for i in range (0, bind['ctx_num']):
@ -161,7 +182,7 @@ class handler(rpcBase.rpcBase):
 		request = MSRPCHeader()
 		request['ver_major'] = 5
 		request['ver_minor'] = 0
-		request['type'] = self.packetType['bindReq']
+		request['type'] = MSRPC_BIND
 		request['flags'] = self.packetFlags['firstFrag'] | self.packetFlags['lastFrag'] | self.packetFlags['multiplex']
 		request['call_id'] = self.config['call_id']
 		request['pduData'] = bytes(bind)
--- a/rpcRequest.py
+++ b/rpcRequest.py
@ -2,7 +2,7 @@ import binascii
 import kmsBase
 import rpcBase

-from dcerpc import MSRPCRequestHeader, MSRPCRespHeader
+from dcerpc import MSRPCRequestHeader, MSRPCRespHeader, MSRPC_REQUEST, MSRPC_RESPONSE

 class handler(rpcBase.rpcBase):
 	def parseRequest(self):
@ -21,7 +21,7 @@ class handler(rpcBase.rpcBase):
 		response = MSRPCRespHeader()
 		response['ver_major'] = request['ver_major']
 		response['ver_minor'] = request['ver_minor']
-		response['type'] = self.packetType['response']
+		response['type'] = MSRPC_RESPONSE
 		response['flags'] = self.packetFlags['firstFrag'] | self.packetFlags['lastFrag']
 		response['representation'] = request['representation']
 		response['call_id'] = request['call_id']
@ -43,7 +43,7 @@ class handler(rpcBase.rpcBase):

 		request['ver_major'] = 5
 		request['ver_minor'] = 0
-		request['type'] = self.packetType['request']
+		request['type'] = MSRPC_REQUEST
 		request['flags'] = self.packetFlags['firstFrag'] | self.packetFlags['lastFrag']
 		request['representation'] = 0x10
 		request['call_id'] = self.config['call_id']
--- a/server.py
+++ b/server.py
@ -17,8 +17,7 @@ except ImportError:
 import errno

 import rpcBind, rpcRequest
-from dcerpc import MSRPCHeader
-from rpcBase import rpcBase
+from dcerpc import MSRPCHeader, MSRPC_BIND, MSRPC_REQUEST, MSRPC_ALTERCTX

 try:
 	IOError
@ -121,11 +120,11 @@ class kmsServer(socketserver.BaseRequestHandler):
 			# data = bytearray(data.strip())
 			# print binascii.b2a_hex(str(data))
 			packetType = MSRPCHeader(data)['type']
-			if packetType == rpcBase.packetType['bindReq']:
+			if packetType in (MSRPC_BIND, MSRPC_ALTERCTX):
 				if config['verbose']:
 					print("RPC bind request received.")
 				handler = rpcBind.handler(data, config)
-			elif packetType == rpcBase.packetType['request']:
+			elif packetType == MSRPC_REQUEST:
 				if config['verbose']:
 					print("Received activation request.")
 				handler = rpcRequest.handler(data, config)
@ -136,10 +135,10 @@ class kmsServer(socketserver.BaseRequestHandler):
 			res = handler.populate().__bytes__()
 			self.request.send(res)

-			if packetType == rpcBase.packetType['bindReq']:
+			if packetType == MSRPC_BIND:
 				if config['verbose']:
 					print("RPC bind acknowledged.")
-			elif packetType == rpcBase.packetType['request']:
+			elif packetType == MSRPC_REQUEST:
 				if config['verbose']:
 					print("Responded to activation request.")
 				break