GitHub Repository: rapid7/metasploit-framework
Path: blob/master/lib/rex/proto/drda/utils.rb
# -*- coding: binary -*-
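module Rex
  module Proto
    module DRDA
      # Helpers for building DRDA client requests and for summarising the DDMs
      # of a server reply as a flat Hash.
      class Utils
        # Builds the probe request: an EXCSAT_DDM followed by an ACCSEC_DDM,
        # each serialised with to_s and concatenated. This will elicit a
        # response from the target server.
        #
        # dbname - database name handed to the ACCSEC_DDM (may be nil).
        #
        # Returns the request as a String.
        def self.client_probe(dbname=nil)
          ddms = [
            Rex::Proto::DRDA::Packet::EXCSAT_DDM.new,
            Rex::Proto::DRDA::Packet::ACCSEC_DDM.new(:dbname => dbname)
          ]
          ddms.map(&:to_s).join
        end

        # Builds the authentication request: an ACCSEC_DDM (format 0x41)
        # followed by a SECCHK_DDM carrying the database name, user and
        # password. In order to ever succeed, you do need a successful probe
        # first.
        #
        # args - Hash with the keys :dbname, :dbuser and :dbpass.
        #
        # Returns the request as a String.
        #
        # NOTE(review): the password is passed to SECCHK_DDM as given; how it is
        # encoded on the wire is decided there, not here. Treat the returned
        # String as credential material and keep it out of logs.
        def self.client_auth(args={})
          ddms = [
            Rex::Proto::DRDA::Packet::ACCSEC_DDM.new(:format => 0x41),
            Rex::Proto::DRDA::Packet::SECCHK_DDM.new(
              :dbname => args[:dbname],
              :dbuser => args[:dbuser],
              :dbpass => args[:dbpass]
            )
          ]
          ddms.map(&:to_s).join
        end

        # Summarises a server reply as a Hash.
        #
        # obj - expected to be a Rex::Proto::DRDA::Packet::SERVER_PACKET; any
        #       other object yields an empty Hash.
        #
        # DDMs whose codepoint is EXCSATRD, ACCSECRD, RDBNFNRM or SECCHKRM
        # contribute their fields; every other DDM is ignored. Results are
        # merged in the order the DDMs appear, so a later DDM overwrites a key
        # set by an earlier one (:security_check_code and :db_login_success
        # can be set by both ACCSECRD and SECCHKRM).
        #
        # Every value in the result is supplied by the remote server. Callers
        # should treat the strings as untrusted before logging, storing or
        # displaying them.
        def self.server_packet_info(obj)
          info_hash = {}
          return info_hash unless obj.kind_of? Rex::Proto::DRDA::Packet::SERVER_PACKET

          obj.each do |ddm|
            case ddm.codepoint
            when Constants::EXCSATRD then info_hash.merge!(_info_excsatrd(ddm))
            when Constants::ACCSECRD then info_hash.merge!(_info_accsecrd(ddm))
            when Constants::RDBNFNRM then info_hash.merge!(_info_rdbnfnrm(ddm))
            when Constants::SECCHKRM then info_hash.merge!(_info_secchkrm(ddm))
            end
          end
          info_hash
        end

        # Extracts the server identification from an EXCSATRD DDM: SRVNAM as
        # :instance_name, SRVCLSNM as :platform and SRVRLSLV as :version, each
        # decoded with Rex::Text.from_ebcdic. Other parameters are skipped.
        def self._info_excsatrd(ddm)
          info_hash = {:excsatrd => true}
          ddm.payload.each do |param|
            case param.codepoint
            when Constants::SRVNAM
              info_hash[:instance_name] = Rex::Text.from_ebcdic(param.payload)
            when Constants::SRVCLSNM
              info_hash[:platform] = Rex::Text.from_ebcdic(param.payload)
            when Constants::SRVRLSLV
              info_hash[:version] = Rex::Text.from_ebcdic(param.payload)
            end
          end
          info_hash
        end

        # Extracts the security negotiation result from an ACCSECRD DDM.
        #
        # Sets :plaintext_auth when the SECMEC parameter lists the value 0x0003,
        # and :security_check_code (plus :db_login_success => false when that
        # code is nonzero) from the SECCHKCD parameter.
        #
        # :plaintext_auth is worth reporting on its own: a server that accepts
        # this mechanism takes credentials that are not protected at the DRDA
        # layer, so any confidentiality has to come from the transport.
        def self._info_accsecrd(ddm)
          info_hash = {:accsecrd => true}
          ddm.payload.each do |param|
            case param.codepoint
            when Constants::SECMEC
              # Read the payload as aligned 16-bit big-endian values rather than
              # searching for the byte pair 00 03 anywhere in it, so the value
              # is only recognised whole and never across two neighbours.
              # to_s keeps a nil payload from raising.
              mechanisms = param.payload.to_s.unpack("n*")
              info_hash[:plaintext_auth] = true if mechanisms.include?(0x0003)
            when Constants::SECCHKCD
              # An empty payload unpacks to nil. The reply is server-controlled,
              # so that must not raise: to_i treats it like the sibling
              # _info_secchkrm does.
              code = param.payload.to_s.unpack("C").first
              info_hash[:security_check_code] = code
              # A little spurious? This is always nonzero when there's no SECCHKRM DDM.
              info_hash[:db_login_success] = false unless code.to_i.zero?
            end
          end
          info_hash
        end

        # Extracts the details of an RDBNFNRM DDM. :database_found is always
        # false here; RDBNAM becomes :db_name (EBCDIC-decoded, with trailing
        # padding stripped by the "A*" unpack) and SRVDGN becomes
        # :error_message.
        def self._info_rdbnfnrm(ddm)
          info_hash = {:rdbnfnrm => true, :database_found => false}
          ddm.payload.each do |param|
            case param.codepoint
            when Constants::RDBNAM
              info_hash[:db_name] = Rex::Text.from_ebcdic(param.payload).unpack("A*").first
            when Constants::SRVDGN
              info_hash[:error_message] = Rex::Text.from_ebcdic(param.payload)
            end
          end
          info_hash
        end

        # Extracts the login result from a SECCHKRM DDM: SRVCOD as
        # :severity_code (16-bit big-endian) and SECCHKCD as
        # :security_check_code (one byte). :db_login_success is set to true
        # only when both codes are zero.
        #
        # NOTE(review): a code that is absent or has an empty payload counts as
        # zero because of to_i, so a SECCHKRM without these parameters is
        # reported as a successful login. Confirm that this is intended before
        # relying on :db_login_success as proof of valid credentials.
        def self._info_secchkrm(ddm)
          info_hash = {:secchkrm => true}
          ddm.payload.each do |param|
            case param.codepoint
            when Constants::SRVCOD
              info_hash[:severity_code] = param.payload.unpack("n").first
            when Constants::SECCHKCD
              info_hash[:security_check_code] = param.payload.unpack("C").first
            end
          end
          if info_hash[:severity_code].to_i.zero? && info_hash[:security_check_code].to_i.zero?
            info_hash[:db_login_success] = true
          end
          info_hash
        end
      end
    end
  end
end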