File: decode_smb.c

package info (click to toggle)
dsniff 2.4b1+debian-29
  • links: PTS, VCS
  • area: main
  • in suites: bullseye, buster, sid
  • size: 2,020 kB
  • sloc: ansic: 10,803; sh: 152; makefile: 126
file content (91 lines) | stat: -rw-r--r-- 1,797 bytes parent folder | download | duplicates (4)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
/*
 * decode_smb.c
 *
 * Microsoft Server Message Block.
 * 
 * Copyright (c) 2000 Dug Song <dugsong@monkey.org>
 *
 * $Id: decode_smb.c,v 1.4 2001/03/15 08:33:02 dugsong Exp $
 */

#include "config.h"

#include <sys/types.h>
#include <arpa/nameser.h>

#include <stdio.h>
#include <string.h>
#include <strlcat.h>

#include "decode.h"

struct smbhdr {
	u_char	proto[4];
	u_char	cmd;
	u_char	err[4];
	u_char	flags1;
	u_short	flags2;
	u_short	pad[6];
	u_short	tid, pid, uid, mid;
};

int
decode_smb(u_char *buf, int len, u_char *obuf, int olen)
{
	struct smbhdr *smb;
	int i, j, k;
	u_char *p, *q, *end;
	char *user, *pass;
	
	obuf[0] = '\0';
	
	/* Skip NetBIOS session request. */
	if (len < 4 || buf[0] != 0x81) return (0);
	buf += 2;
	GETSHORT(i, buf); len -= 4;
	if (len < i) return (0);
	buf += i; len -= i;
	end = buf + len;
	
	/* Parse SMBs. */
	for (p = buf; p < end; p += i) {
		GETLONG(i, p);
		if (i > end - p || i < sizeof(*smb) + 32)
			continue;
		
		smb = (struct smbhdr *)p;
		if (memcmp(smb->proto, "\xffSMB", 4) != 0 || smb->cmd != 0x73)
			continue;
		
		user = pass = NULL;
		q = (u_char *)(smb + 1);
		
		if (*q == 10) {		/* Pre NT LM 0.12 */
			q += 15; j = pletohs(q); q += 2;
			if (j > i - (sizeof(*smb) + 15 + 6))
				continue;
			pass = q + 6;
			user = pass + j;
		}
		else if (*q == 13) {	/* NT LM 0.12 */
			q += 15; j = pletohs(q);
			q += 2;  k = pletohs(q);
			if (j > i - ((q - p) + 12) || k > i - ((q - p) + 11))
				continue;
			pass = q + 12;
			user = pass + j + k;
		}
		else continue;
		
		/* XXX - skip null IPC sessions, etc. */
		if (user && pass && strlen(user) &&
		    is_ascii_string(pass, j - 1)) {
			strlcat(obuf, user, olen);
			strlcat(obuf, " ", olen);
			strlcat(obuf, pass, olen);
			strlcat(obuf, "\n", olen);
		}
	}
	return (strlen(obuf));
}