OpenVAS Scanner  7.0.1~git
nasl_smb.c
Go to the documentation of this file.
1 /* Copyright (C) 2009-2019 Greenbone Networks GmbH
2  *
3  * SPDX-License-Identifier: GPL-2.0-or-later
4  *
5  * This program is free software; you can redistribute it and/or
6  * modify it under the terms of the GNU General Public License
7  * as published by the Free Software Foundation; either version 2
8  * of the License, or (at your option) any later version.
9  *
10  * This program is distributed in the hope that it will be useful,
11  * but WITHOUT ANY WARRANTY; without even the implied warranty of
12  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
13  * GNU General Public License for more details.
14  *
15  * You should have received a copy of the GNU General Public License
16  * along with this program; if not, write to the Free Software
17  * Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.
18  */
19 
30 #include "nasl_smb.h"
31 
32 #include "../misc/plugutils.h"
33 #include "openvas_smb_interface.h"
34 
35 #include <arpa/inet.h>
36 #include <errno.h>
37 #include <gvm/base/logging.h>
38 #include <gvm/base/networking.h>
39 #include <netinet/in.h>
40 #include <stdio.h>
41 #include <string.h>
42 #include <sys/socket.h>
43 #include <unistd.h>
44 
45 #define IMPORT(var) char *var = get_str_var_by_name (lexic, #var)
46 
47 #undef G_LOG_DOMAIN
48 
51 #define G_LOG_DOMAIN "lib nasl"
52 
61 tree_cell *
63 {
64  char *version = smb_versioninfo ();
65  tree_cell *retc;
66  (void) lexic;
67 
68  if (!version)
69  return NULL;
70 
72  retc->x.str_val = strdup (version);
73  retc->size = strlen (version);
74  return retc;
75 }
76 
89 tree_cell *
91 {
92  struct script_infos *script_infos = lexic->script_infos;
93  struct in6_addr *host = plug_get_host_ip (script_infos);
94  char *ip;
95  char *username = get_str_var_by_name (lexic, "username");
96  char *password = get_str_var_by_name (lexic, "password");
97  char *share = get_str_var_by_name (lexic, "share");
98 
99  tree_cell *retc;
100  SMB_HANDLE handle;
101  int value;
102 
103  if ((host == NULL) || (username == NULL) || (password == NULL)
104  || (share == NULL))
105  {
106  g_message ("nasl_smb_connect: Invalid input arguments");
107  return NULL;
108  }
109 
110  ip = addr6_as_str (host);
111  if ((strlen (password) == 0) || (strlen (username) == 0) || (strlen (ip) == 0)
112  || (strlen (share) == 0))
113  {
114  g_message ("nasl_smb_connect: Invalid input arguments");
115  g_free (ip);
116  return NULL;
117  }
118 
119  retc = alloc_typed_cell (CONST_INT);
120  value = smb_connect (ip, share, username, password, &handle);
121  g_free (ip);
122 
123  if (value == -1)
124  {
125  g_message ("nasl_smb_connect: SMB Connect failed");
126  return NULL;
127  }
128 
129  retc->x.i_val = handle;
130  return retc;
131 }
132 
144 tree_cell *
146 {
147  SMB_HANDLE handle = (SMB_HANDLE) get_int_var_by_name (lexic, "smb_handle", 0);
148  int ret;
149  tree_cell *retc;
150 
151  retc = alloc_typed_cell (CONST_INT);
152 
153  ret = smb_close (handle);
154  if (ret == 0)
155  {
156  retc->x.i_val = 1;
157  return retc;
158  }
159  else
160  return NULL;
161 }
162 
174 tree_cell *
176 {
177  SMB_HANDLE handle = (SMB_HANDLE) get_int_var_by_name (lexic, "smb_handle", 0);
178  char *filename = get_str_var_by_name (lexic, "filename");
179 
180  if (!filename)
181  {
182  g_message ("smb_file_SDDL failed: Invalid filename");
183  return NULL;
184  }
185 
186  if (!handle)
187  {
188  g_message ("smb_file_SDDL failed: Invalid smb_handle");
189  return NULL;
190  }
191 
192  tree_cell *retc;
193  char *buffer = NULL;
194 
195  buffer = smb_file_SDDL (handle, filename);
196 
197  if (buffer == NULL)
198  return NULL;
199 
200  retc = alloc_typed_cell (CONST_DATA);
201  retc->size = strlen (buffer);
202  retc->x.str_val = strdup (buffer);
203  return retc;
204 }
205 
217 tree_cell *
219 {
220  SMB_HANDLE handle = (SMB_HANDLE) get_int_var_by_name (lexic, "smb_handle", 0);
221  char *filename = get_str_var_by_name (lexic, "filename");
222 
223  if (!filename)
224  {
225  g_message ("smb_file_owner_sid failed: Invalid filename");
226  return NULL;
227  }
228 
229  if (!handle)
230  {
231  g_message ("smb_file_owner_sid failed: Invalid smb_handle");
232  return NULL;
233  }
234 
235  tree_cell *retc;
236  char *buffer;
237 
238  buffer = smb_file_OwnerSID (handle, filename);
239 
240  if (buffer == NULL)
241  return NULL;
242 
243  retc = alloc_typed_cell (CONST_DATA);
244  retc->size = strlen (buffer);
245  retc->x.str_val = strdup (buffer);
246  return retc;
247 }
248 
260 tree_cell *
262 {
263  SMB_HANDLE handle = (SMB_HANDLE) get_int_var_by_name (lexic, "smb_handle", 0);
264  char *filename = get_str_var_by_name (lexic, "filename");
265 
266  if (!filename)
267  {
268  g_message ("smb_file_group_sid failed: Invalid filename");
269  return NULL;
270  }
271 
272  if (!handle)
273  {
274  g_message ("smb_file_group_sid failed: Invalid smb_handle");
275  return NULL;
276  }
277 
278  tree_cell *retc;
279  char *buffer;
280 
281  buffer = smb_file_GroupSID (handle, filename);
282 
283  if (buffer == NULL)
284  return NULL;
285 
286  retc = alloc_typed_cell (CONST_DATA);
287  retc->size = strlen (buffer);
288  retc->x.str_val = strdup (buffer);
289  return retc;
290 }
291 
303 tree_cell *
305 {
306  SMB_HANDLE handle = (SMB_HANDLE) get_int_var_by_name (lexic, "smb_handle", 0);
307  char *filename = get_str_var_by_name (lexic, "filename");
308 
309  if (!filename)
310  {
311  g_message ("smb_file_trustee_rights failed: Invalid filename");
312  return NULL;
313  }
314 
315  if (!handle)
316  {
317  g_message ("smb_file_trustee_rights failed: Invalid smb_handle");
318  return NULL;
319  }
320 
321  tree_cell *retc;
322  char *buffer;
323 
324  buffer = smb_file_TrusteeRights (handle, filename);
325 
326  if (buffer == NULL)
327  return NULL;
328 
329  retc = alloc_typed_cell (CONST_DATA);
330  retc->size = strlen (buffer);
331  retc->x.str_val = strdup (buffer);
332  return retc;
333 }
334 
348 tree_cell *
350 {
351  struct script_infos *script_infos = lexic->script_infos;
352  struct in6_addr *host = plug_get_host_ip (script_infos);
353  char *ip, *argv[4], *unicode, target[2048], *c;
354  tree_cell *retc;
355  GString *string = NULL;
356  int sout, ret;
357  GError *err = NULL;
358 
359  IMPORT (username);
360  IMPORT (password);
361  IMPORT (cmd);
362 
363  if ((host == NULL) || (username == NULL) || (password == NULL)
364  || (cmd == NULL))
365  {
366  g_message ("win_cmd_exec: Invalid input arguments");
367  return NULL;
368  }
369 
370  ip = addr6_as_str (host);
371  if ((strlen (password) == 0) || (strlen (username) == 0) || strlen (ip) == 0)
372  {
373  g_message ("win_cmd_exec: Invalid input arguments");
374  g_free (ip);
375  return NULL;
376  }
377 
378  /* wmiexec.py uses domain/username format. */
379  if ((c = strchr (username, '\\')))
380  *c = '/';
381  argv[0] = "impacket-wmiexec";
382  snprintf (target, sizeof (target), "%s:%s@%s", username, password, ip);
383  argv[1] = target;
384  argv[2] = cmd;
385  argv[3] = NULL;
386  ret = g_spawn_async_with_pipes (NULL, argv, NULL, G_SPAWN_SEARCH_PATH, NULL,
387  NULL, NULL, NULL, &sout, NULL, &err);
388  g_free (ip);
389  if (ret == FALSE)
390  {
391  g_warning ("win_cmd_exec: %s", err ? err->message : "Error");
392  if (err)
393  g_error_free (err);
394  return NULL;
395  }
396 
397  string = g_string_new ("");
398  while (1)
399  {
400  char buf[4096];
401  size_t bytes;
402 
403  bytes = read (sout, buf, sizeof (buf));
404  if (!bytes)
405  break;
406  else if (bytes > 0)
407  g_string_append_len (string, buf, bytes);
408  else
409  {
410  g_warning ("win_cmd_exec: %s", strerror (errno));
411  g_string_free (string, TRUE);
412  close (sout);
413  return NULL;
414  }
415  }
416  close (sout);
417 
418  if (g_str_has_prefix (string->str, "[-]"))
419  {
420  g_warning ("win_cmd_exec: %s", string->str);
421  g_string_free (string, TRUE);
422  return NULL;
423  }
424  else if ((unicode = strstr (string->str, "\xff\xfe")))
425  {
426  /* UTF-16 case. */
427  size_t length, diff;
428  GError *err = NULL;
429  char *tmp;
430 
431  diff = unicode - string->str + 1;
432  tmp = g_convert (unicode + 2, string->len - diff, "UTF-8", "UTF-16", NULL,
433  &length, &err);
434  if (!tmp)
435  {
436  g_warning ("win_cmd_exec: %s", err->message);
437  g_string_free (string, TRUE);
438  g_error_free (err);
439  return NULL;
440  }
441  g_free (string->str);
442  string->len = length;
443  string->str = tmp;
444  }
445 
446  retc = alloc_typed_cell (CONST_DATA);
447  retc->x.str_val = string->str;
448  retc->size = string->len;
449  return retc;
450 }
smb_versioninfo
char * smb_versioninfo(void)
Return version info for SMB implementation.
Definition: smb_interface_stub.c:41
nasl_win_cmd_exec
tree_cell * nasl_win_cmd_exec(lex_ctxt *lexic)
Execute the command in windows.
Definition: nasl_smb.c:349
script_infos
Definition: scanneraux.h:43
CONST_DATA
@ CONST_DATA
Definition: nasl_tree.h:93
nasl_smb.h
Protos for NASL SMB API.
SMB_HANDLE
long int SMB_HANDLE
Definition: openvas_smb_interface.h:31
plug_get_host_ip
struct in6_addr * plug_get_host_ip(struct script_infos *args)
Definition: plugutils.c:285
TC::str_val
char * str_val
Definition: nasl_tree.h:112
nasl_smb_close
tree_cell * nasl_smb_close(lex_ctxt *lexic)
Close SMB service handle.
Definition: nasl_smb.c:145
IMPORT
#define IMPORT(var)
Definition: nasl_smb.c:45
smb_file_GroupSID
char * smb_file_GroupSID(SMB_HANDLE, const char *)
Obtain the SID of the Group for a given file/path.
Definition: smb_interface_stub.c:131
TC::x
union TC::@2 x
get_str_var_by_name
char * get_str_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1127
nasl_smb_file_owner_sid
tree_cell * nasl_smb_file_owner_sid(lex_ctxt *lexic)
Obtain File Owner SID.
Definition: nasl_smb.c:218
nasl_smb_file_SDDL
tree_cell * nasl_smb_file_SDDL(lex_ctxt *lexic)
Obtain Security Descriptor in SDDL format.
Definition: nasl_smb.c:175
TC::size
int size
Definition: nasl_tree.h:109
smb_file_TrusteeRights
char * smb_file_TrusteeRights(SMB_HANDLE, const char *)
Obtain the Trustee SID and their rights for a given file/path.
Definition: smb_interface_stub.c:148
get_int_var_by_name
long int get_int_var_by_name(lex_ctxt *, const char *, int)
Definition: nasl_var.c:1113
nasl_smb_connect
tree_cell * nasl_smb_connect(lex_ctxt *lexic)
Connect to SMB service and return a handle for it.
Definition: nasl_smb.c:90
smb_file_SDDL
char * smb_file_SDDL(SMB_HANDLE, const char *)
Obtain Windows file rights in SDDL format.
Definition: smb_interface_stub.c:97
smb_connect
int smb_connect(const char *, const char *, const char *, const char *, SMB_HANDLE *)
Establish connection to a SMB service.
Definition: smb_interface_stub.c:62
struct_lex_ctxt::script_infos
struct script_infos * script_infos
Definition: nasl_lex_ctxt.h:41
nasl_smb_file_group_sid
tree_cell * nasl_smb_file_group_sid(lex_ctxt *lexic)
Obtain File Group SID.
Definition: nasl_smb.c:261
TC
Definition: nasl_tree.h:104
struct_lex_ctxt
Definition: nasl_lex_ctxt.h:33
host
Host information, implemented as doubly linked list.
Definition: hosts.c:47
openvas_smb_interface.h
API protos describing the interface of a smb interface implementation.
CONST_INT
@ CONST_INT
Definition: nasl_tree.h:90
smb_close
int smb_close(SMB_HANDLE)
Close the connection handle for SMB service.
Definition: smb_interface_stub.c:81
alloc_typed_cell
tree_cell * alloc_typed_cell(int typ)
Definition: nasl_tree.c:40
smb_file_OwnerSID
char * smb_file_OwnerSID(SMB_HANDLE, const char *)
Obtain the SID of the Owner for a given file/path.
Definition: smb_interface_stub.c:114
nasl_smb_versioninfo
tree_cell * nasl_smb_versioninfo(lex_ctxt *lexic)
Get a version string of the SMB implementation.
Definition: nasl_smb.c:62
nasl_smb_file_trustee_rights
tree_cell * nasl_smb_file_trustee_rights(lex_ctxt *lexic)
Obtain File Trustee SID with Access Mask.
Definition: nasl_smb.c:304
TC::i_val
long int i_val
Definition: nasl_tree.h:113