From 90b42232fafb33f2e761bef15577bd6b42b59ce5 Mon Sep 17 00:00:00 2001
From: Kirby Kuehl
Date: Sun, 10 Jan 2010 10:32:42 -0600
Subject: [PATCH] dcerpc request smb transact and fix for dcerpc bindack

---
 src/app-layer-dcerpc.c | 1506 +++++++++++++++++++++++++---------
 src/app-layer-dcerpc.h | 84 +--
 src/app-layer-smb.c | 720 +++++++++++++------
 src/app-layer-smb.h | 80 +--
 src/app-layer-smb2.c | 22 +-
 src/app-layer-smb2.h | 34 +-
 6 files changed, 1544 insertions(+), 902 deletions(-)

diff --git a/src/app-layer-dcerpc.c b/src/app-layer-dcerpc.c
index 35de702df4..5965c40878 100644
--- a/src/app-layer-dcerpc.c
+++ b/src/app-layer-dcerpc.c
@@ -1,5 +1,5 @@
 /*
- * Copyright (c) 2009 Open Information Security Foundation
+ * Copyright (c) 2009, 2010 Open Information Security Foundation
 * app-layer-dcerpc.c
 *
 * \author Kirby Kuehl
@@ -26,31 +26,101 @@ #include "app-layer-dcerpc.h" - enum { - DCERPC_FIELD_NONE = 0, + DCERPC_FIELD_NONE = 0, DCERPC_PARSE_DCERPC_HEADER, DCERPC_PARSE_DCERPC_BIND, DCERPC_PARSE_DCERPC_BIND_ACK, DCERPC_PARSE_DCERPC_REQUEST, - /* must be last */ - DCERPC_FIELD_MAX, + /* must be last */ + DCERPC_FIELD_MAX, }; -void printUUID(char *type, struct uuid_entry *uuid) { +#if 0 +/* \brief hexdump function from libdnet, used for debugging only */ +void hexdump(const void *buf, size_t len) { + /* dumps len bytes of *buf to stdout. Looks like: + * [0000] 75 6E 6B 6E 6F 77 6E 20 + * 30 FF 00 00 00 00 39 00 unknown 0.....9. + * (in a single line of course) + */ + + const unsigned char *p = buf; + unsigned char c; + size_t n; + char bytestr[4] = {0}; + char addrstr[10] = {0}; + char hexstr[16 * 3 + 5] = {0}; + char charstr[16 * 1 + 5] = {0}; + for (n = 1; n <= len; n++) { + if (n % 16 == 1) { + /* store address for this line */ +#if __WORDSIZE == 64 + snprintf(addrstr, sizeof(addrstr), "%.4lx", + ((uint64_t)p-(uint64_t)buf) ); +#else + snprintf(addrstr, sizeof(addrstr), "%.4x", ((uint32_t) p + - (uint32_t) buf)); +#endif + } + + c = *p; + if (isalnum(c) == 0) { + c = '.'; + } + + /* store hex str (for left side) */ + snprintf(bytestr, sizeof(bytestr), "%02X ", *p); + strncat(hexstr, bytestr, sizeof(hexstr) - strlen(hexstr) - 1); + + /* store char str (for right side) */ + snprintf(bytestr, sizeof(bytestr), "%c", c); + strncat(charstr, bytestr, sizeof(charstr) - strlen(charstr) - 1); + + if (n % 16 == 0) { + /* line completed */ + printf("[%4.4s] %-50.50s %s\n", addrstr, hexstr, charstr); + hexstr[0] = 0; + charstr[0] = 0; + } else if (n % 8 == 0) { + /* half line: add whitespaces */ + strncat(hexstr, " ", sizeof(hexstr) - strlen(hexstr) - 1); + strncat(charstr, " ", sizeof(charstr) - strlen(charstr) - 1); + } + p++; /* next byte */ + } + + if (strlen(hexstr) > 0) { + /* print rest of buffer if not empty */ + printf("[%4.4s] %-50.50s %s\n", addrstr, hexstr, charstr); + } +} +#endif 
+ +/** + * \brief printUUID function used to print UUID, Major and Minor Version Number + * and if it was Accepted or Rejected in the BIND_ACK. + */ +void printUUID(char *type, struct uuid_entry *uuid) { uint8_t i = 0; - printf("%s UUID [%2u] %s ", type, uuid->ctxid, (uuid->result == 0) ? "Accepted" : "Rejected"); + printf("%s UUID [%2u] %s ", type, uuid->ctxid, + (uuid->result == 0) ? "Accepted" : "Rejected"); for (i = 0; i < 16; i++) { printf("%02x", uuid->uuid[i]); } - printf(" Major Version 0x%04x Minor Version 0x%04x\n", uuid->version, uuid->versionminor); + printf(" Major Version 0x%04x Minor Version 0x%04x\n", uuid->version, + uuid->versionminor); } -static uint32_t DCERPCParseSecondaryAddr(Flow *f, void *dcerpc_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, AppLayerParserResult *output) -{ +/** + * \brief DCERPCParseSecondaryAddr reads secondaryaddrlen bytes from the BIND_ACK + * DCERPC call. + */ +static uint32_t DCERPCParseSecondaryAddr(Flow *f, void *dcerpc_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { SCEnter(); - DCERPCState *sstate = (DCERPCState *)dcerpc_state; + DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint8_t *p = input; while (sstate->secondaryaddrlenleft-- && input_len--) { SCLogDebug("0x%02x ", *p); 
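Review bot: The `#if 0` hexdump block is sixty-odd lines that are never compiled, and its address formatting hangs on `__WORDSIZE`, a glibc-internal macro, so it will rot silently and is unlikely to build on other libcs if it is ever re-enabled. Either drop it or put it behind a debug guard the build already defines, and format the offset as `snprintf(addrstr, sizeof(addrstr), "%.4zx", (size_t)(p - (const unsigned char *)buf));`, which needs no word-size split. printUUID only reads `type` (it goes straight into a `%s`), so `void printUUID(const char *type, struct uuid_entry *uuid)` would document that and make the commented-out `printUUID("BIND", ...)` call sites const-correct. DCERPCParseSecondaryAddr continues past the end of this hunk.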
@@ -60,10 +130,11 @@ static uint32_t DCERPCParseSecondaryAddr(Flow *f, void *dcerpc_state, AppLayerPa SCReturnUInt((uint32_t)(p - input)); } -static uint32_t PaddingParser(Flow *f, void *dcerpc_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, AppLayerParserResult *output) { - SCEnter(); - DCERPCState *sstate = (DCERPCState *)dcerpc_state; +static uint32_t PaddingParser(Flow *f, void *dcerpc_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { + SCEnter(); + DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint8_t *p = input; while (sstate->padleft-- && input_len--) { SCLogDebug("0x%02x ", *p); 
@@ -73,31 +144,35 @@ static uint32_t PaddingParser(Flow *f, void *dcerpc_state, AppLayerParserState * SCReturnUInt((uint32_t)(p - input)); } -static uint32_t DCERPCGetCTXItems(Flow *f, void *dcerpc_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, AppLayerParserResult *output) { +static uint32_t DCERPCGetCTXItems(Flow *f, void *dcerpc_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { SCEnter(); - DCERPCState *sstate = (DCERPCState *)dcerpc_state; + DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint8_t *p = input; if (input_len) { - switch(sstate->ctxbytesprocessed) { + switch (sstate->ctxbytesprocessed) { case 0: if (input_len >= 4) { - sstate->numctxitems = *p; - sstate->numctxitemsleft = sstate->numctxitems; - sstate->ctxbytesprocessed += 4; - sstate->bytesprocessed += 4; - SCReturnUInt(4U); - } else { - sstate->numctxitems = *(p++); - sstate->numctxitemsleft = sstate->numctxitems; - if (!(--input_len)) break; + sstate->numctxitems = *p; + sstate->numctxitemsleft = sstate->numctxitems; + sstate->ctxbytesprocessed += 4; + sstate->bytesprocessed += 4; + SCReturnUInt(4U); + } else { + sstate->numctxitems = *(p++); + sstate->numctxitemsleft = sstate->numctxitems; + if (!(--input_len)) + break; } case 1: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 2: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 3: p++; input_len--; 
@@ -109,39 +184,46 @@ static uint32_t DCERPCGetCTXItems(Flow *f, void *dcerpc_state, AppLayerParserSta SCReturnUInt((uint32_t)(p - input)); } +/** + * \brief DCERPCParseBINDCTXItem is called for each CTXItem found the DCERPC BIND call. + * each UUID is added to a TAILQ. + */ -static uint32_t DCERPCParseBINDCTXItem(Flow *f, void *dcerpc_state, AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, AppLayerParserResult *output) { +static uint32_t DCERPCParseBINDCTXItem(Flow *f, void *dcerpc_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { SCEnter(); - DCERPCState *sstate = (DCERPCState *)dcerpc_state; + DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint8_t *p = input; if (input_len) { - switch(sstate->ctxbytesprocessed) { + switch (sstate->ctxbytesprocessed) { case 0: if (input_len >= 44) { sstate->ctxid = *(p); sstate->ctxid |= *(p + 1) << 8; - sstate->uuid[3] = *(p+4); - sstate->uuid[2] = *(p+5); - sstate->uuid[1] = *(p+6); - sstate->uuid[0] = *(p+7); - sstate->uuid[5] = *(p+8); - sstate->uuid[4] = *(p+9); - sstate->uuid[7] = *(p+10); - sstate->uuid[6] = *(p+11); - sstate->uuid[8] = *(p+12); - sstate->uuid[9] = *(p+13); - sstate->uuid[10] = *(p+14); - sstate->uuid[11] = *(p+15); - sstate->uuid[12] = *(p+16); - sstate->uuid[13] = *(p+17); - sstate->uuid[14] = *(p+18); - sstate->uuid[15] = *(p+19); + sstate->uuid[3] = *(p + 4); + sstate->uuid[2] = *(p + 5); + sstate->uuid[1] = *(p + 6); + sstate->uuid[0] = *(p + 7); + sstate->uuid[5] = *(p + 8); + sstate->uuid[4] = *(p + 9); + sstate->uuid[7] = *(p + 10); + sstate->uuid[6] = *(p + 11); + sstate->uuid[8] = *(p + 12); + sstate->uuid[9] = *(p + 13); + sstate->uuid[10] = *(p + 14); + sstate->uuid[11] = *(p + 15); + sstate->uuid[12] = *(p + 16); + sstate->uuid[13] = *(p + 17); + sstate->uuid[14] = *(p + 18); + sstate->uuid[15] = *(p + 19); sstate->version = *(p + 20); sstate->version |= *(p + 21) << 8; sstate->versionminor = *(p + 22); 
sstate->versionminor |= *(p + 23) << 8; - sstate->uuid_entry = (struct uuid_entry *) calloc(1, sizeof(struct uuid_entry)); + sstate->uuid_entry = (struct uuid_entry *) calloc(1, + sizeof(struct uuid_entry)); if (sstate->uuid_entry == NULL) { SCReturnUInt(0); } else { @@ -150,7 +232,8 @@ static uint32_t DCERPCParseBINDCTXItem(Flow *f, void *dcerpc_state, AppLayerPars sstate->uuid_entry->ctxid = sstate->ctxid; sstate->uuid_entry->version = sstate->version; sstate->uuid_entry->versionminor = sstate->versionminor; - TAILQ_INSERT_HEAD(&sstate->uuid_list, sstate->uuid_entry, next); + TAILQ_INSERT_HEAD(&sstate->uuid_list, sstate->uuid_entry, + next); //printUUID("BIND", sstate->uuid_entry); } sstate->numctxitemsleft--; 
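Review bot: When calloc fails in the fast path, `SCReturnUInt(0)` leaves `p` at `input` and skips the `numctxitemsleft--` below the else block, so the caller's loop in DCERPCParse (hunk `@@ -655`) sees zero bytes consumed with `numctxitemsleft` and `input_len` unchanged and re-enters this function forever; a single failed allocation while parsing a BIND parks the parsing thread. Either make the failure visible (a state flag the caller tests, or an error value the caller checks before `parsed += retval`), or at minimum keep consuming the item — advance `p` by 44, add to `bytesprocessed` and decrement `numctxitemsleft` — before returning, so the stream stays in sync even though the UUID is not recorded. The slow path's case 43 (hunk `@@ -159`) appears to have the same early return after `p` has already advanced, which would leave `bytesprocessed` stale and re-feed the same bytes. The `(struct uuid_entry *)` cast on calloc is unneeded in C. The function's body continues beyond this hunk.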
@@ -159,143 +242,186 @@ static uint32_t DCERPCParseBINDCTXItem(Flow *f, void *dcerpc_state, AppLayerPars SCReturnUInt(44U); } else { sstate->ctxid = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; } case 1: sstate->ctxid |= *(p++) << 8; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 2: /* num transact items */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 3: /* reserved */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 4: sstate->uuid[3] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 5: sstate->uuid[2] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 6: sstate->uuid[1] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 7: sstate->uuid[0] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 8: sstate->uuid[5] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 9: sstate->uuid[4] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 10: sstate->uuid[7] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 11: sstate->uuid[6] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 12: sstate->uuid[8] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 13: sstate->uuid[9] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 14: sstate->uuid[10] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 15: sstate->uuid[11] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 16: sstate->uuid[12] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 17: sstate->uuid[13] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 18: sstate->uuid[14] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 19: sstate->uuid[15] = *(p++); - if (!(--input_len)) break; + if 
(!(--input_len)) + break; case 20: - sstate->version = *(p++); - if (!(--input_len)) break; + sstate->version = *(p++); + if (!(--input_len)) + break; case 21: - sstate->version |= *(p++); - if (!(--input_len)) break; + sstate->version |= *(p++); + if (!(--input_len)) + break; case 22: - sstate->versionminor = *(p++); - if (!(--input_len)) break; + sstate->versionminor = *(p++); + if (!(--input_len)) + break; case 23: - sstate->versionminor |= *(p++); - if (!(--input_len)) break; + sstate->versionminor |= *(p++); + if (!(--input_len)) + break; case 24: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 25: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 26: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 27: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 28: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 29: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 30: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 31: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 32: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 33: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 34: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 35: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 36: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 37: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 38: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 39: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 40: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 41: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 42: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 43: sstate->numctxitemsleft--; if 
(sstate->uuid_entry == NULL) { - SCReturnUInt(0); + SCReturnUInt(0); } else { - memcpy(sstate->uuid_entry->uuid, sstate->uuid, - sizeof(sstate->uuid)); + memcpy(sstate->uuid_entry->uuid, sstate->uuid, + sizeof(sstate->uuid)); sstate->uuid_entry->ctxid = sstate->ctxid; sstate->uuid_entry->version = sstate->version; sstate->uuid_entry->versionminor = sstate->versionminor; @@ -311,19 +437,27 @@ static uint32_t DCERPCParseBINDCTXItem(Flow *f, void *dcerpc_state, AppLayerPars SCReturnUInt((uint32_t)(p - input)); } -static uint32_t DCERPCParseBINDACKCTXItem(Flow *f, void *dcerpc_state, AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, AppLayerParserResult *output) { +/** + * \brief DCERPCParseBINDACKCTXItem is called for each CTXItem found in + * the BIND_ACK call. The result (Accepted or Rejected) is added to the + * correct UUID from the BIND call. + */ +static uint32_t DCERPCParseBINDACKCTXItem(Flow *f, void *dcerpc_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { SCEnter(); - DCERPCState *sstate = (DCERPCState *)dcerpc_state; + DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint8_t *p = input; struct uuid_entry *uuid_entry; + if (input_len) { - switch(sstate->ctxbytesprocessed) { + switch (sstate->ctxbytesprocessed) { case 0: if (input_len >= 24) { sstate->result = *p; - sstate->result |= *(p+1) << 8; + sstate->result |= *(p + 1) << 8; TAILQ_FOREACH(uuid_entry, &sstate->uuid_list, next) { - if(uuid_entry->ctxid == sstate->numctxitems - sstate->numctxitemsleft) { + if(uuid_entry->ctxid == sstate->numctxitems - sstate->numctxitemsleft) { uuid_entry->result = sstate->result; //printUUID("BIND_ACK", uuid_entry); break; 
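Review bot: Results are attributed with `uuid_entry->ctxid == sstate->numctxitems - sstate->numctxitemsleft`, which assumes the BIND's context ids were 0, 1, 2, … in order. In DCE RPC the bind_ack result list is positional while the BIND's `p_cont_id` is a 16-bit value the client chooses freely, so a client using non-sequential ids gets its Accepted/Rejected flags attached to the wrong UUID or to none, and anything keyed on `result` sees the wrong context. Record the BIND-side ordinal in `struct uuid_entry` at insertion time and compare against that, or walk the list in insertion order (note that `TAILQ_INSERT_HEAD` reverses it). The function continues past this hunk.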
@@ -335,79 +469,102 @@ static uint32_t DCERPCParseBINDACKCTXItem(Flow *f, void *dcerpc_state, AppLayerP SCReturnUInt(24U); } else { sstate->result = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; } case 1: sstate->result |= *(p++) << 8; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 2: /* num transact items */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 3: /* reserved */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 4: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 5: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 6: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 7: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 8: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 9: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 10: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 11: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 12: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 13: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 14: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 15: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 16: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 17: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 18: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 19: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 20: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 21: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 22: p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 23: TAILQ_FOREACH(uuid_entry, &sstate->uuid_list, next) { - if(uuid_entry->ctxid == 
sstate->numctxitems - sstate->numctxitemsleft) { + if(uuid_entry->ctxid == sstate->numctxitems - sstate->numctxitemsleft) { uuid_entry->result = sstate->result; //printUUID("BIND_ACK", uuid_entry); break; @@ -425,10 +582,11 @@ static uint32_t DCERPCParseBINDACKCTXItem(Flow *f, void *dcerpc_state, AppLayerP SCReturnUInt((uint32_t)(p - input)); } -static uint32_t DCERPCParseBIND(Flow *f, void *dcerpc_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, AppLayerParserResult *output) { +static uint32_t DCERPCParseBIND(Flow *f, void *dcerpc_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { SCEnter(); - DCERPCState *sstate = (DCERPCState *)dcerpc_state; + DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint8_t *p = input; if (input_len) { switch (sstate->bytesprocessed) { 
@@ -436,56 +594,67 @@ static uint32_t DCERPCParseBIND(Flow *f, void *dcerpc_state, AppLayerParserState sstate->numctxitems = 0; if (input_len >= 12) { TAILQ_INIT(&sstate->uuid_list); - sstate->numctxitems = *(p+8); + sstate->numctxitems = *(p + 8); sstate->numctxitemsleft = sstate->numctxitems; sstate->bytesprocessed += 12; SCReturnUInt(12U); } else { /* max_xmit_frag */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; } case 17: /* max_xmit_frag */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 18: /* max_recv_frag */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 19: /* max_recv_frag */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 20: /* assoc_group_id */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 21: /* assoc_group_id */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 22: /* assoc_group_id */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 23: /* assoc_group_id */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 24: sstate->numctxitems = *(p++); sstate->numctxitemsleft = sstate->numctxitems; TAILQ_INIT(&sstate->uuid_list); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 25: /* pad byte 1 */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 26: /* pad byte 2 */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 27: /* pad byte 3 */ p++; 
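Review bot: `TAILQ_INIT(&sstate->uuid_list)` runs in both case 16 and case 24 on every BIND or ALTER_CONTEXT, which resets the list head while the `uuid_entry` nodes calloc'd by DCERPCParseBINDCTXItem for an earlier BIND on the same flow are still linked from it; unless something outside this diff frees them before this point, each re-bind orphans them and the leak grows for as long as a peer keeps alternating contexts, with nothing left for the state-free routine to find. Free the existing entries first (a `TAILQ_FOREACH`/`TAILQ_REMOVE`/free loop, ideally a helper the state-free routine shares), or initialise the list once in the state-alloc function and leave it in place here. DCERPCParseBIND continues beyond this hunk.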
@@ -497,60 +666,147 @@ static uint32_t DCERPCParseBIND(Flow *f, void *dcerpc_state, AppLayerParserState SCReturnUInt((uint32_t)(p - input)); } -static uint32_t DCERPCParseBINDACK(Flow *f, void *dcerpc_state, AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, AppLayerParserResult *output) { +static uint32_t DCERPCParseBINDACK(Flow *f, void *dcerpc_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { SCEnter(); - DCERPCState *sstate = (DCERPCState *)dcerpc_state; + DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint8_t *p = input; - switch(sstate->bytesprocessed) { + switch (sstate->bytesprocessed) { case 16: sstate->numctxitems = 0; if (input_len >= 10) { - sstate->secondaryaddrlen = *(p+8); - sstate->secondaryaddrlen |= *(p+9) << 8; + if (sstate->dcerpc.packed_drep[0] == 0x10) { + sstate->secondaryaddrlen = *(p + 8); + sstate->secondaryaddrlen |= *(p + 9) << 8; + } else { + sstate->secondaryaddrlen = *(p + 8) << 8; + sstate->secondaryaddrlen |= *(p + 9); + } sstate->secondaryaddrlenleft = sstate->secondaryaddrlen; sstate->bytesprocessed += 10; SCReturnUInt(10U); } else { /* max_xmit_frag */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; } case 17: /* max_xmit_frag */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 18: /* max_recv_frag */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 19: /* max_recv_frag */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 20: /* assoc_group_id */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 21: /* assoc_group_id */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 22: /* assoc_group_id */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 23: /* assoc_group_id */ p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 24: sstate->secondaryaddrlen = *(p++); - if (!(--input_len)) break; + if 
(!(--input_len)) + break; case 25: sstate->secondaryaddrlen |= *(p++) << 8; + if (sstate->dcerpc.packed_drep[0] == 0x01) { + bswap_16(sstate->secondaryaddrlen); + } sstate->secondaryaddrlenleft = sstate->secondaryaddrlen; - SCLogDebug("secondaryaddrlen %u 0x%04x\n", sstate->secondaryaddrlen, sstate->secondaryaddrlen); + SCLogDebug("secondaryaddrlen %u 0x%04x\n", sstate->secondaryaddrlen, + sstate->secondaryaddrlen); + --input_len; + break; + } + sstate->bytesprocessed += (p - input); + SCReturnUInt((uint32_t)(p - input)); +} + +static uint32_t DCERPCParseREQUEST(Flow *f, void *dcerpc_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { + SCEnter(); + DCERPCState *sstate = (DCERPCState *) dcerpc_state; + uint8_t *p = input; + + switch (sstate->bytesprocessed) { + case 16: + sstate->numctxitems = 0; + if (input_len >= 8) { + if (sstate->dcerpc.packed_drep[0] == 0x10) { + sstate->opnum = *(p + 6); + sstate->opnum |= *(p + 7) << 8; + } else { + sstate->opnum = *(p + 6) << 8; + sstate->opnum |= *(p + 7); + } + sstate->bytesprocessed += 8; + SCReturnUInt(8U); + } else { + /* alloc hint 1 */ + p++; + if (!(--input_len)) + break; + } + case 17: + /* alloc hint 2 */ + p++; + if (!(--input_len)) + break; + case 18: + /* alloc hint 3 */ + p++; + if (!(--input_len)) + break; + case 19: + /* alloc hint 4 */ + p++; + if (!(--input_len)) + break; + case 20: + /* context id 1 */ + p++; + if (!(--input_len)) + break; + case 21: + /* context id 2 */ + p++; + if (!(--input_len)) + break; + case 22: + sstate->opnum = *(p++); + if (!(--input_len)) + break; + case 23: + sstate->opnum |= *(p++) << 8; + if (sstate->dcerpc.packed_drep[0] == 0x01) { + bswap_16(sstate->opnum); + } --input_len; break; } 
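Review bot: If `bswap_16` is the usual `<byteswap.h>` macro it returns the swapped value and does not modify its argument, so the new `bswap_16(sstate->secondaryaddrlen);` at case 25 and `bswap_16(sstate->opnum);` at case 23 of DCERPCParseREQUEST are no-ops and the fragmented path never corrects the byte order; it has to be `sstate->secondaryaddrlen = bswap_16(sstate->secondaryaddrlen);` (and likewise for `opnum`). The condition is also inconsistent with the fast path: case 16 treats `packed_drep[0] == 0x10` as little-endian and everything else as big-endian, while the slow path assembles little-endian and swaps only for `== 0x01`, so a big-endian DREP of `0x00` is decoded differently depending on whether the PDU arrived fragmented. Since the DREP integer-order flag is the high nibble of that byte, test `(sstate->dcerpc.packed_drep[0] & 0x10)` in the fast path and swap the slow path's little-endian assembly when that bit is clear. The same discarded-result pattern appears at case 15 of DCERPCParseHeader (hunk `@@ -583`). `sstate->numctxitems = 0;` at the top of DCERPCParseREQUEST looks like copy-paste from the BIND_ACK parser, as a request carries no context items.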
@@ -558,18 +814,38 @@ static uint32_t DCERPCParseBINDACK(Flow *f, void *dcerpc_state, AppLayerParserSt SCReturnUInt((uint32_t)(p - input)); } -static uint32_t DCERPCParseHeader(Flow *f, void *dcerpc_state, AppLayerParserState - *pstate, uint8_t *input, uint32_t input_len, - AppLayerParserResult *output) { +static uint32_t StubDataParser(Flow *f, void *dcerpc_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { SCEnter(); - DCERPCState *sstate = (DCERPCState *)dcerpc_state; + DCERPCState *sstate = (DCERPCState *) dcerpc_state; + uint8_t *p = input; + while (sstate->padleft-- && input_len--) { + SCLogDebug("0x%02x ", *p); + p++; + } + sstate->bytesprocessed += (p - input); + SCReturnUInt((uint32_t)(p - input)); +} + +/** + * \brief DCERPCParseHeader parses the 16 byte DCERPC header + * A fast path for normal decoding is used when there is enough bytes + * present to parse the entire header. A slow path is used to parse + * fragmented packets. + */ +static uint32_t DCERPCParseHeader(Flow *f, void *dcerpc_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { + SCEnter(); + DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint8_t *p = input; if (input_len) { switch (sstate->bytesprocessed) { case 0: if (input_len >= DCERPC_HDR_LEN) { - //if (*p != 5) SCReturnInt(1); - //if (!(*(p + 1 ) == 0 || (*(p + 1) == 1))) SCReturnInt(2); + //if (*p != 5) SCReturnUInt(); + //if (!(*(p + 1 ) == 0 || (*(p + 1) == 1))) SCReturnInt(0); sstate->dcerpc.rpc_vers = *p; sstate->dcerpc.rpc_vers_minor = *(p + 1); sstate->dcerpc.type = *(p + 2); 
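Review bot: StubDataParser is a verbatim copy of PaddingParser and loops on `sstate->padleft`, the alignment-pad counter, rather than on any stub-data length, so whatever calls it (not in this chunk) will consume at most the leftover pad count — presumably 0 once PaddingParser has run — and never the request's stub bytes; give the stub its own counter (say a new `stubdataleft` field) initialised from `frag_length - bytesprocessed`, less `auth_length` if an auth trailer is present, and decrement that here. The post-decrement in `while (sstate->padleft-- && input_len--)` also wraps the counter past zero on the final test, which is harmless only while every caller bounds the loop by `bytesprocessed` instead of by the counter. The version checks at case 0 of DCERPCParseHeader stay commented out, so `rpc_vers` and `rpc_vers_minor` are stored but never validated; the next hunk's note covers the `||` that made the old check unusable.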
@@ -583,70 +859,94 @@ static uint32_t DCERPCParseHeader(Flow *f, void *dcerpc_state, AppLayerParserSta sstate->dcerpc.frag_length |= *(p + 9) << 8; sstate->dcerpc.auth_length = *(p + 10); sstate->dcerpc.auth_length |= *(p + 11) << 8; + sstate->dcerpc.call_id = *(p + 12) << 24; + sstate->dcerpc.call_id |= *(p + 13) << 16; + sstate->dcerpc.call_id |= *(p + 14) << 8; + sstate->dcerpc.call_id |= *(p + 15); } else { sstate->dcerpc.frag_length = *(p + 8) << 8; sstate->dcerpc.frag_length |= *(p + 9); sstate->dcerpc.auth_length = *(p + 10) << 8; sstate->dcerpc.auth_length |= *(p + 11); + sstate->dcerpc.call_id = *(p + 12); + sstate->dcerpc.call_id |= *(p + 13) << 8; + sstate->dcerpc.call_id |= *(p + 14) << 16; + sstate->dcerpc.call_id |= *(p + 15) << 24; } - sstate->dcerpc.call_id = *(p + 12) << 24; - sstate->dcerpc.call_id |= *(p + 13) << 16; - sstate->dcerpc.call_id |= *(p + 14) << 8; - sstate->dcerpc.call_id |= *(p + 15); sstate->bytesprocessed = DCERPC_HDR_LEN; SCReturnUInt(16U); break; } else { sstate->dcerpc.rpc_vers = *(p++); // if (sstate->dcerpc.rpc_vers != 5) SCReturnInt(2); - if (!(--input_len)) break; + if (!(--input_len)) + break; } case 1: sstate->dcerpc.rpc_vers_minor = *(p++); - if ((sstate->dcerpc.rpc_vers_minor != 0) || - (sstate->dcerpc.rpc_vers_minor != 1)) SCReturnInt(3); - if (!(--input_len)) break; + // if ((sstate->dcerpc.rpc_vers_minor != 0) || + // (sstate->dcerpc.rpc_vers_minor != 1)) SCReturnInt(3); + if (!(--input_len)) + break; case 2: sstate->dcerpc.type = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 3: sstate->dcerpc.pfc_flags = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 4: sstate->dcerpc.packed_drep[0] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 5: sstate->dcerpc.packed_drep[1] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 6: sstate->dcerpc.packed_drep[2] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; 
case 7: sstate->dcerpc.packed_drep[3] = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 8: sstate->dcerpc.frag_length = *(p++) << 8; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 9: sstate->dcerpc.frag_length |= *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 10: sstate->dcerpc.auth_length = *(p++) << 8; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 11: sstate->dcerpc.auth_length |= *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 12: sstate->dcerpc.call_id = *(p++) << 24; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 13: sstate->dcerpc.call_id |= *(p++) << 16; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 14: sstate->dcerpc.call_id |= *(p++) << 8; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 15: sstate->dcerpc.call_id |= *(p++); + if (sstate->dcerpc.packed_drep[0] == 0x01) { + bswap_16(sstate->dcerpc.frag_length); + bswap_16(sstate->dcerpc.auth_length); + bswap_32(sstate->dcerpc.call_id); + } --input_len; break; } 
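Review bot: In the fast path each branch assembles `call_id` with the opposite byte order from the `frag_length`/`auth_length` beside it — the first branch reads the lengths little-endian but builds `call_id` with `*(p + 12) << 24`, the else branch reads them big-endian but puts `*(p + 12)` in the low byte — so `call_id` comes out byte-reversed whichever branch is taken; swap the two four-line `call_id` blocks between the branches (the branch condition is above the hunk, so I am inferring each branch's endianness from its length fields). The slow path has the mirror problem: cases 8–15 assemble all three fields big-endian, and the new case 15 swap fires only for `packed_drep[0] == 0x01` and discards the `bswap_*` results (see the note on the BIND_ACK hunk), so a fragmented header with the common little-endian DREP `0x10` yields a byte-swapped `frag_length`, after which `bytesprocessed == sstate->dcerpc.frag_length` in DCERPCParse never matches and the flow stays out of sync for the rest of its life — an evasion risk for every later PDU. Separately, the disabled minor-version test was always true because of `||`; the fix is `if (sstate->dcerpc.rpc_vers_minor != 0 && sstate->dcerpc.rpc_vers_minor != 1)` with an error return the caller actually checks, not commenting it out. Proposed slow-path tail:
```c
        case 15:
            sstate->dcerpc.call_id |= *(p++);
            /* cases 8-15 assembled the fields big-endian; a little-endian
             * DREP (high nibble of drep[0] set) needs them reversed */
            if (sstate->dcerpc.packed_drep[0] & 0x10) {
                sstate->dcerpc.frag_length = bswap_16(sstate->dcerpc.frag_length);
                sstate->dcerpc.auth_length = bswap_16(sstate->dcerpc.auth_length);
                sstate->dcerpc.call_id = bswap_32(sstate->dcerpc.call_id);
            }
            --input_len;
            break;
```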
@@ -655,49 +955,53 @@ static uint32_t DCERPCParseHeader(Flow *f, void *dcerpc_state, AppLayerParserSta SCReturnUInt((uint32_t)(p - input)); } -static int DCERPCParse(Flow *f, void *dcerpc_state, AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, AppLayerParserResult *output) { +static int DCERPCParse(Flow *f, void *dcerpc_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { SCEnter(); - DCERPCState *sstate = (DCERPCState *)dcerpc_state; + DCERPCState *sstate = (DCERPCState *) dcerpc_state; uint32_t retval = 0; uint32_t parsed = 0; if (pstate == NULL) SCReturnInt(-1); - - while (sstate->bytesprocessed < DCERPC_HDR_LEN && input_len) { + while (sstate->bytesprocessed < DCERPC_HDR_LEN && input_len) { retval = DCERPCParseHeader(f, dcerpc_state, pstate, input, input_len, output); parsed += retval; input_len -= retval; } - SCLogDebug("Done with DCERPCParseHeader bytesprocessed %u\n", sstate->bytesprocessed); + SCLogDebug("Done with DCERPCParseHeader bytesprocessed %u/%u left %u\n", + sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len); switch (sstate->dcerpc.type) { case BIND: case ALTER_CONTEXT: - while (sstate->bytesprocessed < DCERPC_HDR_LEN + 12 && - sstate->bytesprocessed < sstate->dcerpc.frag_length && - input_len) { - retval = DCERPCParseBIND(f, dcerpc_state, pstate, input + parsed, input_len, - output); + while (sstate->bytesprocessed < DCERPC_HDR_LEN + 12 + && sstate->bytesprocessed < sstate->dcerpc.frag_length + && input_len) { + retval = DCERPCParseBIND(f, dcerpc_state, pstate, input + parsed, + input_len, output); parsed += retval; input_len -= retval; } - SCLogDebug("Done with DCERPCParseBIND bytesprocessed %u\n", sstate->bytesprocessed); + SCLogDebug( + "Done with DCERPCParseBIND bytesprocessed %u/%u -- Should be 12\n", + sstate->bytesprocessed, sstate->dcerpc.frag_length); - while (sstate->numctxitemsleft && sstate->bytesprocessed < sstate->dcerpc.frag_length && - input_len) { - 
retval = DCERPCParseBINDCTXItem(f, dcerpc_state, pstate, input + parsed, input_len, - output); + while (sstate->numctxitemsleft && sstate->bytesprocessed + < sstate->dcerpc.frag_length && input_len) { + retval = DCERPCParseBINDCTXItem(f, dcerpc_state, pstate, input + + parsed, input_len, output); if (sstate->ctxbytesprocessed == 44) { sstate->ctxbytesprocessed = 0; } parsed += retval; input_len -= retval; } - SCLogDebug("Done with DCERPCParseBINDCTXItem bytesprocessed %u\n", sstate->bytesprocessed); - + SCLogDebug("BIND processed %u/%u\n", sstate->bytesprocessed, + sstate->dcerpc.frag_length); if (sstate->bytesprocessed == sstate->dcerpc.frag_length) { sstate->bytesprocessed = 0; sstate->ctxbytesprocessed = 0; 
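Review bot: None of the loops here guard against zero progress: `parsed += retval; input_len -= retval;` with `retval == 0` leaves every loop condition unchanged, and DCERPCParseBINDCTXItem does return 0 (calloc failure, hunk `@@ -109`), so one failed allocation spins this thread indefinitely on the same input. Add `if (retval == 0) SCReturnInt(-1);` after each sub-parser call, matching the `pstate == NULL` error return above, or make every sub-parser consume at least one byte on error. The reset `if (sstate->bytesprocessed == sstate->dcerpc.frag_length)` also appears never to fire when a peer advertises a `frag_length` below `DCERPC_HDR_LEN + 12`, because the fast paths can overshoot it; a sanity check on `frag_length` right after the header loop (at least `DCERPC_HDR_LEN`) plus a `>=` comparison here would keep one malformed PDU from desynchronising the whole flow. DCERPCParse continues past the end of this hunk, and the same zero-progress pattern applies to the loops in hunk `@@ -705`.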
@@ -705,66 +1009,109 @@ static int DCERPCParse(Flow *f, void *dcerpc_state, AppLayerParserState *pstate, break; case BIND_ACK: case ALTER_CONTEXT_RESP: - while (sstate->bytesprocessed < DCERPC_HDR_LEN + 9 && - sstate->bytesprocessed < sstate->dcerpc.frag_length && - input_len) { - retval = DCERPCParseBINDACK(f, dcerpc_state, pstate, input + parsed, input_len, - output); + while (sstate->bytesprocessed < DCERPC_HDR_LEN + 9 + && sstate->bytesprocessed < sstate->dcerpc.frag_length + && input_len) { + retval = DCERPCParseBINDACK(f, dcerpc_state, pstate, + input + parsed, input_len, output); parsed += retval; input_len -= retval; } - SCLogDebug("Done with DCERPCParseBINDACK bytesprocessed %u\n", sstate->bytesprocessed); + SCLogDebug("DCERPCParseBINDACK processed %u/%u left %u\n", + sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len); - while (sstate->bytesprocessed < DCERPC_HDR_LEN + 10 + sstate->secondaryaddrlen && input_len--) { - retval = DCERPCParseSecondaryAddr(f, dcerpc_state, pstate, input + parsed, input_len, - output); + while (sstate->bytesprocessed < DCERPC_HDR_LEN + 10 + + sstate->secondaryaddrlen && input_len + && sstate->bytesprocessed < sstate->dcerpc.frag_length) { + retval = DCERPCParseSecondaryAddr(f, dcerpc_state, pstate, input + + parsed, input_len, output); parsed += retval; input_len -= retval; } - SCLogDebug("Done with DCERPCParseSecondaryAddr bytesprocessed %u\n", sstate->bytesprocessed); + SCLogDebug( + "DCERPCParseSecondaryAddr %u/%u left %u secondaryaddr len(%u)\n", + sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len, + sstate->secondaryaddrlen); - if(sstate->bytesprocessed == DCERPC_HDR_LEN + 10 + sstate->secondaryaddrlen) { + if (sstate->bytesprocessed == DCERPC_HDR_LEN + 10 + + sstate->secondaryaddrlen) { sstate->pad = sstate->bytesprocessed % 4; sstate->padleft = sstate->pad; } - SCLogDebug("pad %u\n", sstate->pad); - while (sstate->bytesprocessed < DCERPC_HDR_LEN + 10 + sstate->secondaryaddrlen + sstate->pad && 
input_len--) { - retval = PaddingParser(f, dcerpc_state, pstate, input + parsed, input_len, - output); + while (sstate->bytesprocessed < DCERPC_HDR_LEN + 10 + + sstate->secondaryaddrlen + sstate->pad && input_len + && sstate->bytesprocessed < sstate->dcerpc.frag_length) { + retval = PaddingParser(f, dcerpc_state, pstate, input + parsed, + input_len, output); parsed += retval; input_len -= retval; } - SCLogDebug("Done with PaddingParser bytesprocessed %u\n", sstate->bytesprocessed); + SCLogDebug("PaddingParser %u/%u left %u pad(%u)\n", + sstate->bytesprocessed, sstate->dcerpc.frag_length, input_len, + sstate->pad); - while(sstate->bytesprocessed >= DCERPC_HDR_LEN + 10 + sstate->pad + sstate->secondaryaddrlen && - sstate->bytesprocessed < DCERPC_HDR_LEN + 14 + sstate->pad + sstate->secondaryaddrlen) { - retval = DCERPCGetCTXItems(f, dcerpc_state, pstate, input + parsed, input_len, - output); + while (sstate->bytesprocessed >= DCERPC_HDR_LEN + 10 + sstate->pad + + sstate->secondaryaddrlen && sstate->bytesprocessed + < DCERPC_HDR_LEN + 14 + sstate->pad + sstate->secondaryaddrlen + && sstate->bytesprocessed < sstate->dcerpc.frag_length) { + retval = DCERPCGetCTXItems(f, dcerpc_state, pstate, input + parsed, + input_len, output); parsed += retval; input_len -= retval; } - SCLogDebug("Done with DCERPCGetCTXItems bytesprocessed %u\n", sstate->bytesprocessed); + SCLogDebug("DCERPCGetCTXItems %u/%u (%u)\n", sstate->bytesprocessed, + sstate->dcerpc.frag_length, sstate->numctxitems); - if (sstate->bytesprocessed == DCERPC_HDR_LEN + 14 + sstate->pad + sstate->secondaryaddrlen) { + if (sstate->bytesprocessed == DCERPC_HDR_LEN + 14 + sstate->pad + + sstate->secondaryaddrlen) { sstate->ctxbytesprocessed = 0; } - while (sstate->numctxitemsleft && input_len) { - retval = DCERPCParseBINDACKCTXItem(f, dcerpc_state, pstate, input + parsed, input_len, - output); + while (sstate->numctxitemsleft && input_len && sstate->bytesprocessed + < sstate->dcerpc.frag_length) { + retval = 
DCERPCParseBINDACKCTXItem(f, dcerpc_state, pstate, input + + parsed, input_len, output); if (sstate->ctxbytesprocessed == 24) { sstate->ctxbytesprocessed = 0; } parsed += retval; input_len -= retval; } - SCLogDebug("Done with DCERPCParseBINDACKCTXItem bytesprocessed %u\n", sstate->bytesprocessed); + SCLogDebug("BINDACK processed %u/%u\n", sstate->bytesprocessed, + sstate->dcerpc.frag_length); + if (sstate->bytesprocessed == sstate->dcerpc.frag_length) { + sstate->bytesprocessed = 0; + sstate->ctxbytesprocessed = 0; + } + break; + case REQUEST: + while (sstate->bytesprocessed < DCERPC_HDR_LEN + 8 + && sstate->bytesprocessed < sstate->dcerpc.frag_length + && input_len) { + retval = DCERPCParseREQUEST(f, dcerpc_state, pstate, + input + parsed, input_len, output); + parsed += retval; + input_len -= retval; + } + while (sstate->bytesprocessed >= DCERPC_HDR_LEN + 8 + && sstate->bytesprocessed < sstate->dcerpc.frag_length + && input_len) { + retval = StubDataParser(f, dcerpc_state, pstate, input + parsed, + input_len, output); + parsed += retval; + input_len -= retval; + } + SCLogDebug("REQUEST processed %u/%u\n", sstate->bytesprocessed, + sstate->dcerpc.frag_length); if (sstate->bytesprocessed == sstate->dcerpc.frag_length) { sstate->bytesprocessed = 0; } break; + default: + SCLogDebug("DCERPC Type 0x%02x not implemented yet\n", sstate->dcerpc.type); + break; } pstate->parse_field = 0; pstate->flags |= APP_LAYER_PARSER_DONE; @@ -772,7 +1119,6 @@ static int DCERPCParse(Flow *f, void *dcerpc_state, AppLayerParserState *pstate, SCReturnInt(1); } - static void *DCERPCStateAlloc(void) { void *s = malloc(sizeof(DCERPCState)); if (s == NULL) @@ -783,7 +1129,7 @@ static void *DCERPCStateAlloc(void) { } static void DCERPCStateFree(void *s) { - DCERPCState *sstate = (DCERPCState *)s; + DCERPCState *sstate = (DCERPCState *) s; struct uuid_entry *item; 
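Review bot: The padding after the secondary address is computed as `sstate->pad = sstate->bytesprocessed % 4;`, which is the distance back to the previous 4-byte boundary rather than forward to the next one; the bind_ack result list is 4-byte aligned, so the value should be `sstate->pad = (4 - (sstate->bytesprocessed % 4)) % 4;`. The two formulas agree only at even offsets (with the 12-byte secondary address in the unit test and a 16-byte DCERPC_HDR_LEN the offset is even and both give 2, so the test does not catch it), but a secondary address ending at an offset of 1 or 3 mod 4 makes the parser skip 3 bytes instead of 1 or 1 instead of 3 and then read the context-item count and result list from the wrong place. Separately, the new `default:` branch only logs: any PDU type this switch does not handle (RESPONSE, FAULT, AUTH3, …) leaves bytesprocessed at DCERPC_HDR_LEN with nothing reset, so the next call skips the header loop, lands in the same default, and the parser stops consuming this flow — unless something outside this hunk resets it — and a plain RESPONSE is enough to trigger that. Skipping the unhandled body up to frag_length, or resetting bytesprocessed and returning -1, in the default case would keep the state machine in sync. DCERPCParse starts before this hunk.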
@@ -799,351 +1145,371 @@ static void DCERPCStateFree(void *s) { } void RegisterDCERPCParsers(void) { - AppLayerRegisterProto("dcerpc", ALPROTO_DCERPC, STREAM_TOSERVER, DCERPCParse); - AppLayerRegisterProto("dcerpc", ALPROTO_DCERPC, STREAM_TOCLIENT, DCERPCParse); - AppLayerRegisterStateFuncs(ALPROTO_DCERPC, DCERPCStateAlloc, DCERPCStateFree); + AppLayerRegisterProto("dcerpc", ALPROTO_DCERPC, STREAM_TOSERVER, + DCERPCParse); + AppLayerRegisterProto("dcerpc", ALPROTO_DCERPC, STREAM_TOCLIENT, + DCERPCParse); + AppLayerRegisterStateFuncs(ALPROTO_DCERPC, DCERPCStateAlloc, + DCERPCStateFree); } /* UNITTESTS */ #ifdef UNITTESTS - int DCERPCParserTest01(void) { int result = 1; Flow f; uint8_t dcerpcbind[] = { - 0x05, 0x00, - 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x3c, 0x04, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd0, 0x16, - 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x2c, 0xd0, - 0x28, 0xda, 0x76, 0x91, 0xf6, 0x6e, 0xcb, 0x0f, - 0xbf, 0x85, 0xcd, 0x9b, 0xf6, 0x39, 0x01, 0x00, - 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, - 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, - 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, - 0x01, 0x00, 0x2c, 0x75, 0xce, 0x7e, 0x82, 0x3b, - 0x06, 0xac, 0x1b, 0xf0, 0xf5, 0xb7, 0xa7, 0xf7, - 0x28, 0xaf, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d, - 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, - 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, - 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0xe3, 0xb2, - 0x10, 0xd1, 0xd0, 0x0c, 0xcc, 0x3d, 0x2f, 0x80, - 0x20, 0x7c, 0xef, 0xe7, 0x09, 0xe0, 0x04, 0x00, - 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, - 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, - 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, - 0x01, 0x00, 0xde, 0x85, 0x70, 0xc4, 0x02, 0x7c, - 0x60, 0x23, 0x67, 0x0c, 0x22, 0xbf, 0x18, 0x36, - 0x79, 0x17, 0x01, 0x00, 0x02, 0x00, 0x04, 0x5d, - 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, - 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, - 0x00, 0x00, 0x04, 0x00, 
0x01, 0x00, 0x41, 0x65, - 0x29, 0x51, 0xaa, 0xe7, 0x7b, 0xa8, 0xf2, 0x37, - 0x0b, 0xd0, 0x3f, 0xb3, 0x36, 0xed, 0x05, 0x00, - 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, - 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, - 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, - 0x01, 0x00, 0x14, 0x96, 0x80, 0x01, 0x2e, 0x78, - 0xfb, 0x5d, 0xb4, 0x3c, 0x14, 0xb3, 0x3d, 0xaa, - 0x02, 0xfb, 0x06, 0x00, 0x00, 0x00, 0x04, 0x5d, - 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, - 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, - 0x00, 0x00, 0x06, 0x00, 0x01, 0x00, 0x3b, 0x04, - 0x68, 0x3e, 0x63, 0xfe, 0x9f, 0xd8, 0x64, 0x55, - 0xcd, 0xe7, 0x39, 0xaf, 0x98, 0x9f, 0x03, 0x00, - 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, - 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, - 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x07, 0x00, - 0x01, 0x00, 0x16, 0x7a, 0x4f, 0x1b, 0xdb, 0x25, - 0x92, 0x55, 0xdd, 0xae, 0x9e, 0x5b, 0x3e, 0x93, - 0x66, 0x93, 0x04, 0x00, 0x01, 0x00, 0x04, 0x5d, - 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, - 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, - 0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0xe8, 0xa4, - 0x8a, 0xcf, 0x95, 0x6c, 0xc7, 0x8f, 0x14, 0xcc, - 0x56, 0xfc, 0x7b, 0x5f, 0x4f, 0xe8, 0x04, 0x00, - 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, - 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, - 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x09, 0x00, - 0x01, 0x00, 0xd8, 0xda, 0xfb, 0xbc, 0xa2, 0x55, - 0x6f, 0x5d, 0xc0, 0x2d, 0x88, 0x6f, 0x00, 0x17, - 0x52, 0x8d, 0x06, 0x00, 0x03, 0x00, 0x04, 0x5d, - 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, - 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, - 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x3f, 0x17, - 0x55, 0x0c, 0xf4, 0x23, 0x3c, 0xca, 0xe6, 0xa0, - 0xaa, 0xcc, 0xb5, 0xe3, 0xf9, 0xce, 0x04, 0x00, - 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, - 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, - 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x00, - 0x01, 0x00, 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, - 0xd0, 0x11, 0x9b, 0xa8, 
0x00, 0xc0, 0x4f, 0xd9, - 0x2e, 0xf5, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, - 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, - 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, - 0x00, 0x00, 0x0c, 0x00, 0x01, 0x00, 0xc9, 0x9f, - 0x3e, 0x6e, 0x82, 0x0a, 0x2b, 0x28, 0x37, 0x78, - 0xe1, 0x13, 0x70, 0x05, 0x38, 0x4d, 0x01, 0x00, - 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, - 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, - 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x00, - 0x01, 0x00, 0x11, 0xaa, 0x4b, 0x15, 0xdf, 0xa6, - 0x86, 0x3f, 0xfb, 0xe0, 0x09, 0xb7, 0xf8, 0x56, - 0xd2, 0x3f, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d, - 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, - 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, - 0x00, 0x00, 0x0e, 0x00, 0x01, 0x00, 0xee, 0x99, - 0xc4, 0x25, 0x11, 0xe4, 0x95, 0x62, 0x29, 0xfa, - 0xfd, 0x26, 0x57, 0x02, 0xf1, 0xce, 0x03, 0x00, - 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, - 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, - 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x00, - 0x01, 0x00, 0xba, 0x81, 0x9e, 0x1a, 0xdf, 0x2b, - 0xba, 0xe4, 0xd3, 0x17, 0x41, 0x60, 0x6d, 0x2d, - 0x9e, 0x28, 0x03, 0x00, 0x03, 0x00, 0x04, 0x5d, - 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, - 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, - 0x00, 0x00, 0x10, 0x00, 0x01, 0x00, 0xa0, 0x24, - 0x03, 0x9a, 0xa9, 0x99, 0xfb, 0xbe, 0x49, 0x11, - 0xad, 0x77, 0x30, 0xaa, 0xbc, 0xb6, 0x02, 0x00, - 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, - 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, - 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x11, 0x00, - 0x01, 0x00, 0x32, 0x04, 0x7e, 0xae, 0xec, 0x28, - 0xd1, 0x55, 0x83, 0x4e, 0xc3, 0x47, 0x5d, 0x1d, - 0xc6, 0x65, 0x02, 0x00, 0x03, 0x00, 0x04, 0x5d, - 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, - 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, - 0x00, 0x00, 0x12, 0x00, 0x01, 0x00, 0xc6, 0xa4, - 0x81, 0x48, 0x66, 0x2a, 0x74, 0x7d, 0x56, 0x6e, - 0xc5, 0x1d, 0x19, 0xf2, 0xb5, 0xb6, 0x03, 0x00, - 0x02, 0x00, 0x04, 0x5d, 
0x88, 0x8a, 0xeb, 0x1c, - 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, - 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x13, 0x00, - 0x01, 0x00, 0xcb, 0xae, 0xb3, 0xc0, 0x0c, 0xf4, - 0xa4, 0x5e, 0x91, 0x72, 0xdd, 0x53, 0x24, 0x70, - 0x89, 0x02, 0x05, 0x00, 0x03, 0x00, 0x04, 0x5d, - 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, - 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, - 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0xb8, 0xd0, - 0xa0, 0x1a, 0x5e, 0x7a, 0x2d, 0xfe, 0x35, 0xc6, - 0x7d, 0x08, 0x0d, 0x33, 0x73, 0x18, 0x02, 0x00, - 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, - 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, - 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x15, 0x00, - 0x01, 0x00, 0x21, 0xd3, 0xaa, 0x09, 0x03, 0xa7, - 0x0b, 0xc2, 0x06, 0x45, 0xd9, 0x6c, 0x75, 0xc2, - 0x15, 0xa8, 0x01, 0x00, 0x03, 0x00, 0x04, 0x5d, - 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, - 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, - 0x00, 0x00, 0x16, 0x00, 0x01, 0x00, 0xe1, 0xbd, - 0x59, 0xfc, 0xbc, 0xa9, 0x95, 0xc2, 0x68, 0x79, - 0xf3, 0x75, 0xe0, 0xae, 0x6c, 0xe5, 0x04, 0x00, - 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, - 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, - 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x17, 0x00, - 0x01, 0x00, 0x06, 0x52, 0xb4, 0x71, 0x70, 0x15, - 0x4e, 0xf5, 0x7f, 0x08, 0x86, 0x14, 0xe6, 0x17, - 0xd5, 0x97, 0x04, 0x00, 0x00, 0x00, 0x04, 0x5d, - 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, - 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, - 0x00, 0x00 }; - - uint8_t dcerpcbindack[] = { - 0x05, 0x00, 0x0c, 0x03, - 0x10, 0x00, 0x00, 0x00, 0x6c, 0x02, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0xb8, 0x10, 0xb8, 0x10, - 0xce, 0x47, 0x00, 0x00, 0x0c, 0x00, 0x5c, 0x50, - 0x49, 0x50, 0x45, 0x5c, 0x6c, 0x73, 0x61, 0x73, - 0x73, 0x00, 0xf6, 0x6e, 0x18, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, - 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, - 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - - /* uint8_t dcerpcbind[] = { 0x05, 0x00, - 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x3c, 0x04, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd0, 0x16, - 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x32, 0x71, - 0xab, 0xa1, 0xc1, 0x2b, 0x7a, 0xda, 0xe9, 0x28, 0xa9, 0x6c, 0x26, 0x75, 0xee, 0x33, 0x03, 0x00, - 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, - 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01, 0x00, 0xeb, 0xb6, 0xaf, 0xaa, 0x87, 0x53, - 0x0c, 0x1b, 0x1d, 0xfa, 0x90, 0x9f, 0x04, 0x6c, 0x9e, 0x37, 
0x04, 0x00, 0x00, 0x00, 0x04, 0x5d, - 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, - 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0xcc, 0xd0, 0x96, 0x50, 0xfe, 0xc5, 0x62, 0x41, 0xf2, 0x66, - 0x9e, 0x35, 0x93, 0xb3, 0xa3, 0x36, 0x06, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, - 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, - 0x01, 0x00, 0xf7, 0x3c, 0x42, 0x42, 0x32, 0xe5, 0x0a, 0x2d, 0x81, 0xf3, 0x9f, 0x77, 0x57, 0x82, - 0xe5, 0x66, 0x02, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, - 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x8d, 0xe3, - 0x3d, 0x0b, 0xe5, 0xd0, 0x91, 0x5e, 0x83, 0xe2, 0xec, 0x91, 0x66, 0x20, 0x1c, 0xd4, 0x04, 0x00, - 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, - 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, 0x01, 0x00, 0x0e, 0xb9, 0xaa, 0x41, 0x6e, 0xb3, - 0x2b, 0xb1, 0x8b, 0xbd, 0x6b, 0xdc, 0xe7, 0xe2, 0x4c, 0x91, 0x05, 0x00, 0x01, 0x00, 0x04, 0x5d, - 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, - 0x00, 0x00, 0x06, 0x00, 0x01, 0x00, 0xfc, 0xae, 0x72, 0xe2, 0x91, 0x76, 0x38, 0xf4, 0x96, 0x6c, - 0xdf, 0x70, 0x15, 0x97, 0x19, 0x5f, 0x06, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, - 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x07, 0x00, - 0x01, 0x00, 0x67, 0x75, 0xe4, 0xca, 0x4b, 0xda, 0xaf, 0x28, 0xf4, 0x4b, 0x85, 0xbd, 0xe6, 0xf5, - 0xaa, 0xb1, 0x04, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, - 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0x60, 0xc5, - 0xc8, 0x81, 0x00, 0x24, 0x7b, 0xbc, 0xb1, 0xcc, 0xb1, 0x72, 0xc4, 0xef, 0x8d, 0x4f, 0x02, 0x00, - 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, - 
0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x09, 0x00, 0x01, 0x00, 0x11, 0x64, 0x1b, 0x63, 0x52, 0x04, - 0x44, 0xce, 0xa5, 0xec, 0x2c, 0xd8, 0x5e, 0xab, 0xaf, 0x4c, 0x04, 0x00, 0x01, 0x00, 0x04, 0x5d, - 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, - 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0xec, 0xd9, 0xa8, 0x20, 0xb5, 0xf9, 0xc6, 0xf4, 0x8b, 0x94, - 0x14, 0x33, 0xed, 0xc2, 0xcd, 0x22, 0x02, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, - 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x00, - 0x01, 0x00, 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, 0xd0, 0x11, 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, - 0x2e, 0xf5, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, - 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0c, 0x00, 0x01, 0x00, 0xf9, 0x25, - 0xf3, 0xf0, 0xc6, 0x9a, 0xd8, 0x0a, 0xb9, 0xe8, 0x9b, 0xb3, 0xc6, 0x2a, 0xfc, 0x24, 0x06, 0x00, - 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, - 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x00, 0x01, 0x00, 0xf3, 0x69, 0xcf, 0x88, 0xcc, 0xa9, - 0x2d, 0xd8, 0x29, 0x2b, 0x58, 0xcb, 0x13, 0x7b, 0x9b, 0x29, 0x05, 0x00, 0x02, 0x00, 0x04, 0x5d, - 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, - 0x00, 0x00, 0x0e, 0x00, 0x01, 0x00, 0xe0, 0x5c, 0xe6, 0x34, 0x98, 0xd1, 0xf0, 0x9f, 0x12, 0x03, - 0x65, 0xed, 0x20, 0x1b, 0x77, 0x12, 0x04, 0x00, 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, - 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x00, - 0x01, 0x00, 0x12, 0xdb, 0xd3, 0x66, 0x28, 0xd0, 0xe3, 0x60, 0x5c, 0x87, 0x55, 0xb2, 0xeb, 0xc6, - 0x27, 0x20, 0x01, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, - 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x10, 0x00, 0x01, 0x00, 0x8b, 0x56, - 0x01, 0xdc, 0x51, 0xc9, 0x42, 0x52, 
0x27, 0x39, 0xd7, 0x91, 0x05, 0x39, 0xc9, 0x7c, 0x06, 0x00, - 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, - 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x11, 0x00, 0x01, 0x00, 0x6f, 0x31, 0xd2, 0x9e, 0x0b, 0x53, - 0xf3, 0x3e, 0xdb, 0x5c, 0xd9, 0xc2, 0x4e, 0xa2, 0x5b, 0x77, 0x04, 0x00, 0x01, 0x00, 0x04, 0x5d, - 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, - 0x00, 0x00, 0x12, 0x00, 0x01, 0x00, 0xfd, 0xf8, 0x7c, 0xb9, 0xca, 0x86, 0xa8, 0xa9, 0x9a, 0x6d, - 0xe8, 0x61, 0x99, 0xbf, 0x66, 0x10, 0x04, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, - 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x13, 0x00, - 0x01, 0x00, 0xbe, 0x4e, 0x22, 0x46, 0x15, 0x56, 0xb8, 0xaa, 0x0c, 0x3c, 0xbd, 0x64, 0x0e, 0x95, - 0x3b, 0xe4, 0x05, 0x00, 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, - 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0xcc, 0x35, - 0x9e, 0xa9, 0x0b, 0xb7, 0xcd, 0x00, 0x26, 0x6b, 0xb5, 0xd6, 0x97, 0x25, 0x77, 0x60, 0x02, 0x00, - 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, - 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x15, 0x00, 0x01, 0x00, 0xff, 0x18, 0x1a, 0x22, 0xcd, 0x5f, - 0xa2, 0x28, 0x63, 0x8c, 0x77, 0x5f, 0x70, 0xcb, 0x27, 0x49, 0x06, 0x00, 0x01, 0x00, 0x04, 0x5d, - 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, - 0x00, 0x00, 0x16, 0x00, 0x01, 0x00, 0x93, 0x0d, 0xd6, 0x59, 0xd8, 0xb7, 0xed, 0x1c, 0x0d, 0x2e, - 0x3b, 0x40, 0xd2, 0x52, 0x88, 0x7c, 0x01, 0x00, 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, - 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x17, 0x00, - 0x01, 0x00, 0x53, 0x15, 0xa6, 0x63, 0x96, 0x75, 0x42, 0x46, 0xac, 0x21, 0x7b, 0x37, 0xcb, 0xac, - 0x3f, 0x86, 0x02, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 
0xc9, 0x11, 0x9f, 0xe8, - 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00 }; + 0x0b, 0x03, 0x10, 0x00, 0x00, 0x00, 0x3c, 0x04, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xd0, 0x16, + 0xd0, 0x16, 0x00, 0x00, 0x00, 0x00, 0x18, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x2c, 0xd0, + 0x28, 0xda, 0x76, 0x91, 0xf6, 0x6e, 0xcb, 0x0f, + 0xbf, 0x85, 0xcd, 0x9b, 0xf6, 0x39, 0x01, 0x00, + 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x01, 0x00, + 0x01, 0x00, 0x2c, 0x75, 0xce, 0x7e, 0x82, 0x3b, + 0x06, 0xac, 0x1b, 0xf0, 0xf5, 0xb7, 0xa7, 0xf7, + 0x28, 0xaf, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0xe3, 0xb2, + 0x10, 0xd1, 0xd0, 0x0c, 0xcc, 0x3d, 0x2f, 0x80, + 0x20, 0x7c, 0xef, 0xe7, 0x09, 0xe0, 0x04, 0x00, + 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x03, 0x00, + 0x01, 0x00, 0xde, 0x85, 0x70, 0xc4, 0x02, 0x7c, + 0x60, 0x23, 0x67, 0x0c, 0x22, 0xbf, 0x18, 0x36, + 0x79, 0x17, 0x01, 0x00, 0x02, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x04, 0x00, 0x01, 0x00, 0x41, 0x65, + 0x29, 0x51, 0xaa, 0xe7, 0x7b, 0xa8, 0xf2, 0x37, + 0x0b, 0xd0, 0x3f, 0xb3, 0x36, 0xed, 0x05, 0x00, + 0x01, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x05, 0x00, + 0x01, 0x00, 0x14, 0x96, 0x80, 0x01, 0x2e, 0x78, + 0xfb, 0x5d, 0xb4, 0x3c, 0x14, 0xb3, 0x3d, 0xaa, + 0x02, 0xfb, 0x06, 0x00, 0x00, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x06, 0x00, 0x01, 0x00, 0x3b, 0x04, + 0x68, 0x3e, 0x63, 0xfe, 0x9f, 0xd8, 0x64, 0x55, + 0xcd, 
0xe7, 0x39, 0xaf, 0x98, 0x9f, 0x03, 0x00, + 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x07, 0x00, + 0x01, 0x00, 0x16, 0x7a, 0x4f, 0x1b, 0xdb, 0x25, + 0x92, 0x55, 0xdd, 0xae, 0x9e, 0x5b, 0x3e, 0x93, + 0x66, 0x93, 0x04, 0x00, 0x01, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x08, 0x00, 0x01, 0x00, 0xe8, 0xa4, + 0x8a, 0xcf, 0x95, 0x6c, 0xc7, 0x8f, 0x14, 0xcc, + 0x56, 0xfc, 0x7b, 0x5f, 0x4f, 0xe8, 0x04, 0x00, + 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x09, 0x00, + 0x01, 0x00, 0xd8, 0xda, 0xfb, 0xbc, 0xa2, 0x55, + 0x6f, 0x5d, 0xc0, 0x2d, 0x88, 0x6f, 0x00, 0x17, + 0x52, 0x8d, 0x06, 0x00, 0x03, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x0a, 0x00, 0x01, 0x00, 0x3f, 0x17, + 0x55, 0x0c, 0xf4, 0x23, 0x3c, 0xca, 0xe6, 0xa0, + 0xaa, 0xcc, 0xb5, 0xe3, 0xf9, 0xce, 0x04, 0x00, + 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0b, 0x00, + 0x01, 0x00, 0x6a, 0x28, 0x19, 0x39, 0x0c, 0xb1, + 0xd0, 0x11, 0x9b, 0xa8, 0x00, 0xc0, 0x4f, 0xd9, + 0x2e, 0xf5, 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x0c, 0x00, 0x01, 0x00, 0xc9, 0x9f, + 0x3e, 0x6e, 0x82, 0x0a, 0x2b, 0x28, 0x37, 0x78, + 0xe1, 0x13, 0x70, 0x05, 0x38, 0x4d, 0x01, 0x00, + 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0d, 0x00, + 0x01, 0x00, 0x11, 0xaa, 0x4b, 0x15, 0xdf, 0xa6, + 0x86, 0x3f, 0xfb, 0xe0, 0x09, 0xb7, 0xf8, 0x56, + 0xd2, 0x3f, 0x05, 0x00, 0x00, 0x00, 0x04, 0x5d, + 0x88, 
0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x0e, 0x00, 0x01, 0x00, 0xee, 0x99, + 0xc4, 0x25, 0x11, 0xe4, 0x95, 0x62, 0x29, 0xfa, + 0xfd, 0x26, 0x57, 0x02, 0xf1, 0xce, 0x03, 0x00, + 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x0f, 0x00, + 0x01, 0x00, 0xba, 0x81, 0x9e, 0x1a, 0xdf, 0x2b, + 0xba, 0xe4, 0xd3, 0x17, 0x41, 0x60, 0x6d, 0x2d, + 0x9e, 0x28, 0x03, 0x00, 0x03, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x10, 0x00, 0x01, 0x00, 0xa0, 0x24, + 0x03, 0x9a, 0xa9, 0x99, 0xfb, 0xbe, 0x49, 0x11, + 0xad, 0x77, 0x30, 0xaa, 0xbc, 0xb6, 0x02, 0x00, + 0x03, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x11, 0x00, + 0x01, 0x00, 0x32, 0x04, 0x7e, 0xae, 0xec, 0x28, + 0xd1, 0x55, 0x83, 0x4e, 0xc3, 0x47, 0x5d, 0x1d, + 0xc6, 0x65, 0x02, 0x00, 0x03, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x12, 0x00, 0x01, 0x00, 0xc6, 0xa4, + 0x81, 0x48, 0x66, 0x2a, 0x74, 0x7d, 0x56, 0x6e, + 0xc5, 0x1d, 0x19, 0xf2, 0xb5, 0xb6, 0x03, 0x00, + 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x13, 0x00, + 0x01, 0x00, 0xcb, 0xae, 0xb3, 0xc0, 0x0c, 0xf4, + 0xa4, 0x5e, 0x91, 0x72, 0xdd, 0x53, 0x24, 0x70, + 0x89, 0x02, 0x05, 0x00, 0x03, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0xb8, 0xd0, + 0xa0, 0x1a, 0x5e, 0x7a, 0x2d, 0xfe, 0x35, 0xc6, + 0x7d, 0x08, 0x0d, 0x33, 0x73, 0x18, 0x02, 0x00, + 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 
0x60, 0x02, 0x00, 0x00, 0x00, 0x15, 0x00, + 0x01, 0x00, 0x21, 0xd3, 0xaa, 0x09, 0x03, 0xa7, + 0x0b, 0xc2, 0x06, 0x45, 0xd9, 0x6c, 0x75, 0xc2, + 0x15, 0xa8, 0x01, 0x00, 0x03, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00, 0x16, 0x00, 0x01, 0x00, 0xe1, 0xbd, + 0x59, 0xfc, 0xbc, 0xa9, 0x95, 0xc2, 0x68, 0x79, + 0xf3, 0x75, 0xe0, 0xae, 0x6c, 0xe5, 0x04, 0x00, + 0x02, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, + 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, 0x2b, 0x10, + 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x17, 0x00, + 0x01, 0x00, 0x06, 0x52, 0xb4, 0x71, 0x70, 0x15, + 0x4e, 0xf5, 0x7f, 0x08, 0x86, 0x14, 0xe6, 0x17, + 0xd5, 0x97, 0x04, 0x00, 0x00, 0x00, 0x04, 0x5d, + 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, + 0x08, 0x00, 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, + 0x00, 0x00}; uint8_t dcerpcbindack[] = { 0x05, 0x00, 0x0c, 0x03, - 0x10, 0x00, 0x00, 0x00, 0x6c, 0x02, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0xb8, 0x10, 0xb8, 0x10, - 0xce, 0x47, 0x00, 0x00, 0x0c, 0x00, 0x5c, 0x50, 0x49, 0x50, 0x45, 0x5c, 0x6c, 0x73, 0x61, 0x73, - 0x73, 0x00, 0xf6, 0x6e, 0x18, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, - 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, - 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 }; - - */ + 0x10, 0x00, 0x00, 0x00, 0x6c, 0x02, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0xb8, 0x10, 0xb8, 0x10, + 0xce, 0x47, 0x00, 0x00, 0x0c, 0x00, 0x5c, 0x50, + 0x49, 0x50, 0x45, 0x5c, 0x6c, 0x73, 0x61, 0x73, + 0x73, 0x00, 0xf6, 0x6e, 0x18, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 
0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x5d, 0x88, 0x8a, + 0xeb, 0x1c, 0xc9, 0x11, 0x9f, 0xe8, 0x08, 0x00, + 0x2b, 0x10, 0x48, 0x60, 0x02, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 
0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x02, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00}; +#if 0 + uint8_t dcerpcrequest[] = { + 0x05, 0x00, 0x00, 0x00, 0x10, + 0x00, 0x00, 0x00, 0x00, 0x04, 0x00, 0x00, 0x00, + 0x00, 0x00, 0x00, 0xe8, 0x03, 0x00, 0x00, 0x0b, + 0x00, 0x09, 0x00, 0x45, 0x00, 0x2c, 0x00, 0x4d, + 0x00, 0x73, 0x00, 0x53, 0x00, 0x59, 0x00, 0x2a, + 0x00, 0x4a, 0x00, 0x7a, 0x00, 0x3e, 0x00, 0x58, + 0x00, 0x21, 0x00, 0x4a, 0x00, 0x30, 0x00, 0x41, + 0x00, 0x4b, 0x00, 0x4b, 0x00, 0x3c, 0x00, 0x48, + 0x00, 0x24, 0x00, 0x38, 0x00, 0x54, 0x00, 0x60, + 0x00, 0x2d, 0x00, 0x29, 0x00, 0x64, 0x00, 0x5b, + 0x00, 0x77, 0x00, 0x3a, 0x00, 0x4c, 0x00, 0x24, + 0x00, 0x23, 0x00, 0x66, 0x00, 0x43, 0x00, 0x68, + 0x00, 0x22, 0x00, 0x55, 0x00, 0x29, 0x00, 0x2c, + 0x00, 0x4f, 0x00, 0x5a, 0x00, 0x50, 0x00, 0x61, + 0x00, 0x2a, 0x00, 0x6f, 0x00, 0x2f, 0x00, 0x4d, + 0x00, 0x68, 0x00, 0x3a, 0x00, 0x5c, 0x00, 0x67, + 0x00, 0x68, 0x00, 0x68, 0x00, 0x49, 0x00, 0x45, + 0x00, 0x4c, 0x00, 0x72, 0x00, 0x53, 0x00, 0x4c, + 0x00, 0x25, 0x00, 0x4d, 0x00, 0x67, 0x00, 0x2e, + 0x00, 0x4f, 0x00, 0x64, 0x00, 0x61, 0x00, 0x73, + 0x00, 0x24, 0x00, 0x46, 0x00, 0x35, 0x00, 0x2e, + 0x00, 0x45, 0x00, 0x6f, 0x00, 0x40, 0x00, 0x41, + 0x00, 0x33, 0x00, 0x38, 0x00, 0x47, 0x00, 0x71, + 0x00, 0x5a, 0x00, 0x37, 0x00, 0x7a, 0x00, 0x35, + 0x00, 0x6b, 0x00, 0x3c, 0x00, 0x26, 0x00, 0x37, + 0x00, 0x69, 0x00, 0x75, 0x00, 0x36, 0x00, 0x37, + 0x00, 0x47, 0x00, 0x21, 0x00, 0x2d, 0x00, 0x69, + 0x00, 0x37, 0x00, 0x78, 0x00, 0x5f, 0x00, 0x72, + 0x00, 0x4b, 0x00, 
0x5c, 0x00, 0x74, 0x00, 0x3e, + 0x00, 0x52, 0x00, 0x7a, 0x00, 0x49, 0x00, 0x31, + 0x00, 0x5a, 0x00, 0x7b, 0x00, 0x29, 0x00, 0x3b, + 0x00, 0x78, 0x00, 0x3b, 0x00, 0x55, 0x00, 0x3e, + 0x00, 0x35, 0x00, 0x2b, 0x00, 0x4e, 0x00, 0x4f, + 0x00, 0x59, 0x00, 0x38, 0x00, 0x2a, 0x00, 0x59, + 0x00, 0x6b, 0x00, 0x42, 0x00, 0x4c, 0x00, 0x3e, + 0x00, 0x6a, 0x00, 0x49, 0x00, 0x2c, 0x00, 0x79, + 0x00, 0x6e, 0x00, 0x35, 0x00, 0x4f, 0x00, 0x49, + 0x00, 0x55, 0x00, 0x35, 0x00, 0x61, 0x00, 0x72, + 0x00, 0x77, 0x00, 0x38, 0x00, 0x32, 0x00, 0x24, + 0x00, 0x46, 0x00, 0x32, 0x00, 0x32, 0x00, 0x27, + 0x00, 0x64, 0x00, 0x5a, 0x00, 0x77, 0x00, 0x2e, + 0x00, 0x37, 0x00, 0x77, 0x00, 0x2e, 0x00, 0x28, + 0x00, 0x63, 0x00, 0x4f, 0x00, 0x67, 0x00, 0x64, + 0x00, 0x39, 0x00, 0x37, 0x00, 0x31, 0x00, 0x30, + 0x00, 0x28, 0x00, 0x2e, 0x00, 0x6f, 0x00, 0x3e, + 0x00, 0x59, 0x00, 0x28, 0x00, 0x67, 0x00, 0x52, + 0x00, 0x35, 0x00, 0x5a, 0x00, 0x7c, 0x00, 0x56, + 0x00, 0x6a, 0x00, 0x5c, 0x00, 0x3c, 0x00, 0x30, + 0x00, 0x59, 0x00, 0x5c, 0x00, 0x5e, 0x00, 0x38, + 0x00, 0x54, 0x00, 0x5c, 0x00, 0x5b, 0x00, 0x42, + 0x00, 0x62, 0x00, 0x70, 0x00, 0x34, 0x00, 0x5c, + 0x00, 0x57, 0x00, 0x7a, 0x00, 0x4b, 0x00, 0x2f, + 0x00, 0x6b, 0x00, 0x6a, 0x00, 0x4f, 0x00, 0x41, + 0x00, 0x33, 0x00, 0x52, 0x00, 0x36, 0x00, 0x27, + 0x00, 0x30, 0x00, 0x6d, 0x00, 0x4a, 0x00, 0x30, + 0x00, 0x78, 0x00, 0x46, 0x00, 0x65, 0x00, 0x4e, + 0x00, 0x29, 0x00, 0x66, 0x00, 0x3f, 0x00, 0x72, + 0x00, 0x71, 0x00, 0x75, 0x00, 0x4c, 0x00, 0x2b, + 0x00, 0x5c, 0x00, 0x46, 0x00, 0x52, 0x00, 0x7b, + 0x00, 0x5c, 0x00, 0x69, 0x00, 0x66, 0x00, 0x56, + 0x00, 0x31, 0x00, 0x2d, 0x00, 0x72, 0x00, 0x61, + 0x00, 0x68, 0x00, 0x28, 0x00, 0x7d, 0x00, 0x58, + 0x00, 0x2a, 0x00, 0x7b, 0x00, 0x28, 0x00, 0x5b, + 0x00, 0x54, 0x00, 0x3a, 0x00, 0x26, 0x00, 0x52, + 0x00, 0x44, 0x00, 0x60, 0x00, 0x50, 0x00, 0x65, + 0x00, 0x48, 0x00, 0x7d, 0x00, 0x2a, 0x00, 0x74, + 0x00, 0x49, 0x00, 0x7b, 0x00, 0x21, 0x00, 0x61, + 0x00, 0x52, 0x00, 0x43, 0x00, 0x5f, 0x00, 0x5a, + 0x00, 0x74, 0x00, 
0x5c, 0x00, 0x62, 0x00, 0x68, + 0x00, 0x6c, 0x00, 0x6c, 0x00, 0x2b, 0x00, 0x6f, + 0x00, 0x7c, 0x00, 0x42, 0x00, 0x67, 0x00, 0x32, + 0x00, 0x58, 0x00, 0x35, 0x00, 0x30, 0x00, 0x2f, + 0x00, 0x2d, 0x00, 0x60, 0x00, 0x62, 0x00, 0x51, + 0x00, 0x2a, 0x00, 0x30, 0x00, 0x31, 0x00, 0x48, + 0x00, 0x5b, 0x00, 0x5b, 0x00, 0x5d, 0x00, 0x25, + 0x00, 0x58, 0x00, 0x4a, 0x00, 0x76, 0x00, 0x32, + 0x00, 0x62, 0x00, 0x27, 0x00, 0x42, 0x00, 0x40, + 0x00, 0x53, 0x00, 0x7c, 0x00, 0x7d, 0x00, 0x50, + 0x00, 0x3d, 0x00, 0x40, 0x00, 0x76, 0x00, 0x38, + 0x00, 0x58, 0x00, 0x39, 0x00, 0x63, 0x00, 0x3c, + 0x00, 0x5b, 0x00, 0x23, 0x00, 0x53, 0x00, 0x7a, + 0x00, 0x54, 0x00, 0x74, 0x00, 0x61, 0x00, 0x76, + 0x00, 0x4a, 0x00, 0x3e, 0x00, 0x33, 0x00, 0x75, + 0x00, 0x66, 0x00, 0x2d, 0x00, 0x48, 0x00, 0x33, + 0x00, 0x71, 0x00, 0x76, 0x00, 0x48, 0x00, 0x71, + 0x00, 0x41, 0x00, 0x6f, 0x00, 0x2a, 0x00, 0x67, + 0x00, 0x70, 0x00, 0x21, 0x00, 0x70, 0x00, 0x4b, + 0x00, 0x52, 0x00, 0x58, 0x00, 0x68, 0x00, 0x23, + 0x00, 0x39, 0x00, 0x46, 0x00, 0x4d, 0x00, 0x51, + 0x00, 0x57, 0x00, 0x3a, 0x00, 0x79, 0x00, 0x7b, + 0x00, 0x6c, 0x00, 0x55, 0x00, 0x33, 0x00, 0x65, + 0x00, 0x49, 0x00, 0x72, 0x00, 0x30, 0x00, 0x4f, + 0x00, 0x41, 0x00, 0x6e, 0x00, 0x31, 0x00, 0x4a, + 0x00, 0x60, 0x00, 0x79, 0x00, 0x70, 0x00, 0x4f, + 0x00, 0x58, 0x00, 0x75, 0x00, 0x44, 0x00, 0x59, + 0x00, 0x58, 0x00, 0x46, 0x00, 0x3d, 0x00, 0x46, + 0x00, 0x74, 0x00, 0x51, 0x00, 0x57, 0x00, 0x6e, + 0x00, 0x2d, 0x00, 0x47, 0x00, 0x23, 0x00, 0x45, + 0x00, 0x60, 0x00, 0x4c, 0x00, 0x72, 0x00, 0x4e, + 0x00, 0x74, 0x00, 0x40, 0x00, 0x76, 0x00, 0x75, + 0x00, 0x74, 0x00, 0x56, 0x00, 0x44, 0x00, 0x29, + 0x00, 0x62, 0x00, 0x58, 0x00, 0x31, 0x00, 0x78, + 0x00, 0x32, 0x00, 0x52, 0x00, 0x4a, 0x00, 0x6b, + 0x00, 0x55, 0x00, 0x72, 0x00, 0x6f, 0x00, 0x6f, + 0x00, 0x4a, 0x00, 0x54, 0x00, 0x7d, 0x00, 0x68, + 0x00, 0x3f, 0x00, 0x28, 0x00, 0x21, 0x00, 0x53, + 0x00, 0x48, 0x00, 0x5a, 0x00, 0x34, 0x00, 0x36, + 0x00, 0x35, 0x00, 0x64, 0x00, 0x4e, 0x00, 0x75, + 0x00, 0x69, 0x00, 
0x23, 0x00, 0x75, 0x00, 0x55, + 0x00, 0x43, 0x00, 0x75, 0x00, 0x2f, 0x00, 0x73, + 0x00, 0x62, 0x00, 0x6f, 0x00, 0x37, 0x00, 0x4e, + 0x00, 0x25, 0x00, 0x25, 0x00, 0x21, 0x00, 0x3d, + 0x00, 0x3c, 0x00, 0x71, 0x00, 0x3e, 0x00, 0x3f, + 0x00, 0x30, 0x00, 0x36, 0x00, 0x62, 0x00, 0x63, + 0x00, 0x53, 0x00, 0x54, 0x00, 0x5d, 0x00, 0x61, + 0x00, 0x4c, 0x00, 0x28, 0x00, 0x2b, 0x00, 0x4c, + 0x00, 0x4e, 0x00, 0x66, 0x00, 0x5f, 0x00, 0x4b, + 0x00, 0x43, 0x00, 0x75, 0x00, 0x45, 0x00, 0x37, + 0x00, 0x28, 0x00, 0x56, 0x00, 0x36, 0x00, 0x6a, + 0x00, 0x3e, 0x00, 0x64, 0x00, 0x34, 0x00, 0x6a, + 0x00, 0x7d, 0x00, 0x4a, 0x00, 0x66, 0x00, 0x7a, + 0x00, 0x3e, 0x00, 0x75, 0x00, 0x38, 0x00, 0x7b, + 0x00, 0x42, 0x00, 0x76, 0x00, 0x29, 0x00, 0x4c, + 0x00, 0x65, 0x00, 0x2e, 0x00, 0x32, 0x00, 0x4b, + 0x00, 0x2b, 0x00, 0x51, 0x00, 0x47, 0x00, 0x22, + 0x00, 0x48, 0x00, 0x3d, 0x00, 0x49, 0x00, 0x44, + 0x00, 0x5d, 0x00, 0x59, 0x00, 0x63, 0x00, 0x5c, + 0x00, 0x24, 0x00, 0x35, 0x00, 0x34, 0x00, 0x70, + 0x00, 0x69, 0x00}; + uint32_t requestlen = sizeof(dcerpcrequest); +#endif uint32_t bindlen = sizeof(dcerpcbind); uint32_t bindacklen = sizeof(dcerpcbindack); @@ -1155,7 +1521,7 @@ int DCERPCParserTest01(void) { StreamL7DataPtrInit(&ssn,StreamL7GetStorageSize()); f.protoctx = (void *)&ssn; - int r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER, dcerpcbind, bindlen, FALSE); + int r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOSERVER|STREAM_START, dcerpcbind, bindlen, FALSE); if (r != 0) { printf("dcerpc header check returned %" PRId32 ", expected 0: ", r); result = 0; 
@@ -1188,7 +1554,12 @@ int DCERPCParserTest01(void) { goto end; } - r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT|STREAM_EOF, dcerpcbindack, bindacklen, FALSE); + r = AppLayerParse(&f, ALPROTO_DCERPC, STREAM_TOCLIENT, dcerpcbindack, bindacklen, FALSE); + if (r != 0) { + printf("dcerpc header check returned %" PRId32 ", expected 0: ", r); + result = 0; + goto end; + } if (dcerpc_state->dcerpc.type != BIND_ACK) { printf("expected dcerpc type 0x%02x , got 0x%02x : ", BIND_ACK, dcerpc_state->dcerpc.type); result = 0; @@ -1203,7 +1574,6 @@ int DCERPCParserTest01(void) { TAILQ_FOREACH(uuid_entry, &dcerpc_state->uuid_list, next) { printUUID("BIND_ACK", uuid_entry); } - end: return result; } diff --git a/src/app-layer-dcerpc.h b/src/app-layer-dcerpc.h index d64a3af3c2..09cccb3b71 100644 --- a/src/app-layer-dcerpc.h +++ b/src/app-layer-dcerpc.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009 Open Information Security Foundation + * Copyright (c) 2009,2010 Open Information Security Foundation * app-layer-dcerpc.h * * \author Kirby Kuehl @@ -11,6 +11,7 @@ #include "app-layer-parser.h" #include "flow.h" #include "queue.h" +#include void RegisterDCERPCParsers(void); void DCERPCParserTests(void); 
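Review bot: The error check added after the BIND_ACK parse in DCERPCParserTest01 reuses the message of the bind check a few lines up (`"dcerpc header check returned ..."`), so a failure of either AppLayerParse call prints identical text and cannot be told apart in the unittest output. Suggest `printf("dcerpc bind_ack parse returned %" PRId32 ", expected 0: ", r);` for the new block. Dropping STREAM_EOF from the bind_ack call is presumably deliberate; a one-line comment on why would save the next reader a trip through the parser.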
@@ -77,24 +78,24 @@ typedef struct { #define RESERVED_80 0x80 typedef struct dcerpc_hdr_ { - uint8_t rpc_vers; /* 00:01 RPC version should be 5 */ - uint8_t rpc_vers_minor; /* 01:01 minor version */ - uint8_t type; /* 02:01 packet type */ - uint8_t pfc_flags; /* 03:01 flags (see PFC_... ) */ - uint8_t packed_drep[4]; /* 04:04 NDR data representation format label */ - uint16_t frag_length; /* 08:02 total length of fragment */ - uint16_t auth_length; /* 10:02 length of auth_value */ - uint32_t call_id; /* 12:04 call identifier */ + uint8_t rpc_vers; /* 00:01 RPC version should be 5 */ + uint8_t rpc_vers_minor; /* 01:01 minor version */ + uint8_t type; /* 02:01 packet type */ + uint8_t pfc_flags; /* 03:01 flags (see PFC_... ) */ + uint8_t packed_drep[4]; /* 04:04 NDR data representation format label */ + uint16_t frag_length; /* 08:02 total length of fragment */ + uint16_t auth_length; /* 10:02 length of auth_value */ + uint32_t call_id; /* 12:04 call identifier */ }dcerpc_t; #define DCERPC_HDR_LEN 16 struct uuid_entry { - uint16_t ctxid; - uint16_t result; - uint8_t uuid[16]; - uint16_t version; - uint16_t versionminor; + uint16_t ctxid; + uint16_t result; + uint8_t uuid[16]; + uint16_t version; + uint16_t versionminor; TAILQ_ENTRY(uuid_entry) next; }; @@ -104,17 +105,18 @@ typedef struct DCERPCState_ { uint8_t numctxitems; uint8_t numctxitemsleft; uint8_t ctxbytesprocessed; - uint16_t ctxid; - uint16_t result; - uint8_t uuid[16]; - uint16_t version; - uint16_t versionminor; - uint8_t pad; - uint8_t padleft; + uint16_t ctxid; + uint16_t result; + uint8_t uuid[16]; + uint16_t version; + uint16_t versionminor; + uint8_t pad; + uint8_t padleft; struct uuid_entry *uuid_entry; TAILQ_HEAD(, uuid_entry) uuid_list; uint16_t secondaryaddrlen; uint16_t secondaryaddrlenleft; + uint16_t opnum; }DCERPCState; 
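Review bot: The new `opnum` member of DCERPCState is the only field touched by this hunk that carries no comment, while the dcerpc_hdr_ fields just above each document offset and meaning. Suggest `uint16_t opnum; /* operation number of the REQUEST PDU being parsed */`, and if the parser resets it per PDU, say so there, since the neighbouring ctxid/result/uuid fields are per-PDU state as well.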
@@ -123,16 +125,16 @@ typedef struct DCERPCState_ { #define PFC_PENDING_CANCEL 0x04/* Cancel was pending at sender */ #define PFC_RESERVED_1 0x08 #define PFC_CONC_MPX 0x10/* supports concurrent multiplexing - * of a single connection. */ + * of a single connection. */ #define PFC_DID_NOT_EXECUTE 0x20/* only meaningful on `fault' packet; - * if true, guaranteed call did not - * execute. */ + * if true, guaranteed call did not + * execute. */ #define PFC_MAYBE 0x40/* `maybe' call semantics requested */ #define PFC_OBJECT_UUID 0x80/* if true, a non-nil object UUID - * was specified in the handle, and - * is present in the optional object - * field. If false, the object field - * is omitted. */ + * was specified in the handle, and + * is present in the optional object + * field. If false, the object field + * is omitted. */ #define REASON_NOT_SPECIFIED 0 #define TEMPORARY_CONGESTION 1 #define LOCAL_LIMIT_EXCEEDED 2 @@ -142,20 +144,20 @@ typedef struct DCERPCState_ { #define USER_DATA_NOT_READABLE 6 /* not used */ #define NO_PSAP_AVAILABLE 7 /* not used */ /* -typedef uint16_t p_context_id_t; -typedef struct { - uuid_t if_uuid; - uint32_t if_version; -} p_syntax_id_t; + typedef uint16_t p_context_id_t; + typedef struct { + uuid_t if_uuid; + uint32_t if_version; + } p_syntax_id_t; -typedef struct { - p_context_id_t p_cont_id; - uint8_t n_transfer_syn; // number of items - uint8_t reserved; // alignment pad, m.b.z. - p_syntax_id_t abstract_syntax; // transfer syntax list - p_syntax_id_t [size_is(n_transfer_syn)] transfer_syntaxes[]; -} p_cont_elem_t; -*/ + typedef struct { + p_context_id_t p_cont_id; + uint8_t n_transfer_syn; // number of items + uint8_t reserved; // alignment pad, m.b.z. + p_syntax_id_t abstract_syntax; // transfer syntax list + p_syntax_id_t [size_is(n_transfer_syn)] transfer_syntaxes[]; + } p_cont_elem_t; + */ #endif /* APPLAYERDCERPC_H_ */ diff --git a/src/app-layer-smb.c b/src/app-layer-smb.c index 743871eed2..dd4ef875d3 100644 
--- a/src/app-layer-smb.c +++ b/src/app-layer-smb.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009 Open Information Security Foundation + * Copyright (c) 2009, 2010 Open Information Security Foundation * app-layer-smb.c * * \author Kirby Kuehl @@ -39,6 +39,7 @@ enum { }; #if 0 +/* \brief hexdump function from libdnet, used for debugging only */ void hexdump(const void *buf, size_t len) { /* dumps len bytes of *buf to stdout. Looks like: * [0000] 75 6E 6B 6E 6F 77 6E 20 @@ -49,10 +50,10 @@ void hexdump(const void *buf, size_t len) { const unsigned char *p = buf; unsigned char c; size_t n; - char bytestr[4] = { 0 }; - char addrstr[10] = { 0 }; - char hexstr[16 * 3 + 5] = { 0 }; - char charstr[16 * 1 + 5] = { 0 }; + char bytestr[4] = {0}; + char addrstr[10] = {0}; + char hexstr[16 * 3 + 5] = {0}; + char charstr[16 * 1 + 5] = {0}; for (n = 1; n <= len; n++) { if (n % 16 == 1) { /* store address for this line */ @@ -102,9 +103,10 @@ void hexdump(const void *buf, size_t len) { * \brief SMB Write AndX Request Parsing */ /* For WriteAndX we need to get writeandxdataoffset */ -static uint32_t SMBParseWriteAndX(Flow *f, void *smb_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, AppLayerParserResult *output) { - SCEnter(); +static uint32_t SMBParseWriteAndX(Flow *f, void *smb_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { + SCEnter(); SMBState *sstate = (SMBState *) smb_state; uint8_t *p = input; switch (sstate->andx.andxbytesprocessed) { 
@@ -112,122 +114,149 @@ static uint32_t SMBParseWriteAndX(Flow *f, void *smb_state, AppLayerParserState sstate->andx.paddingparsed = 0; if (input_len >= 28) { sstate->andx.andxcommand = *p; - sstate->andx.andxoffset = *(p+2) << 8; - sstate->andx.andxoffset |= *(p+3); - sstate->andx.datalength = *(p+18) << 16; - sstate->andx.datalength |= *(p+19) << 24; - sstate->andx.datalength |= *(p+20) << 8; - sstate->andx.datalength |= *(p+21); - sstate->andx.dataoffset = *(p+22) << 8; - sstate->andx.dataoffset|= *(p+23); - sstate->andx.dataoffset|= (uint64_t) *(p+24) << 56; - sstate->andx.dataoffset|= (uint64_t) *(p+25) << 48; - sstate->andx.dataoffset|= (uint64_t) *(p+26) << 40; - sstate->andx.dataoffset|= (uint64_t) *(p+27) << 32; + sstate->andx.andxoffset = *(p + 2); + sstate->andx.andxoffset |= *(p + 3) << 8; + sstate->andx.datalength = *(p + 18); + sstate->andx.datalength |= *(p + 19) << 8; + sstate->andx.datalength |= *(p + 20) << 16; + sstate->andx.datalength |= *(p + 21) << 24; + sstate->andx.dataoffset = *(p + 22); + sstate->andx.dataoffset |= *(p + 23) << 8; + sstate->andx.dataoffset |= (uint64_t) * (p + 24) << 56; + sstate->andx.dataoffset |= (uint64_t) * (p + 25) << 48; + sstate->andx.dataoffset |= (uint64_t) * (p + 26) << 40; + sstate->andx.dataoffset |= (uint64_t) * (p + 27) << 32; sstate->bytesprocessed += 28; SCReturnUInt(28U); } else { sstate->andx.andxcommand = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; } case 1: p++; // Reserved - if (!(--input_len)) break; + if (!(--input_len)) + break; case 2: sstate->andx.andxoffset = *(p++) << 8; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 3: sstate->andx.andxoffset |= *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 4: // SMB_COM_WRITE_ANDX Fid 1 p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 5: // SMB_COM_WRITE_ANDX Fid 2 p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 6: // SMB_COM_WRITE_ANDX Offset 1 
p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 7: // SMB_COM_WRITE_ANDX Offset 2 p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 8: // SMB_COM_WRITE_ANDX Offset 3 p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 9: // SMB_COM_WRITE_ANDX Offset 4 p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 10: // SMB_COM_WRITE_ANDX Reserved 1 p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 11: // SMB_COM_WRITE_ANDX Reserved 2 p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 12: // SMB_COM_WRITE_ANDX Reserved 3 p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 13: // SMB_COM_WRITE_ANDX Reserved 4 p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 14: // SMB_COM_WRITE_ANDX WriteMode 1 p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 15: // SMB_COM_WRITE_ANDX WriteMode 2 p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 16: // SMB_COM_WRITE_ANDX BytesRemaining 1 p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 17: // SMB_COM_WRITE_ANDX BytesRemaining 2 p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 18: // DataLengthHigh 1 sstate->andx.datalength = *(p++) << 16; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 19: // DataLengthHigh 2 sstate->andx.datalength |= *(p++) << 24; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 20: // DataLength 1 sstate->andx.datalength |= *(p++) << 8; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 21: // DataLength 2 sstate->andx.datalength |= *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 22: sstate->andx.dataoffset = *(p++) << 8; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 23: sstate->andx.dataoffset |= *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 24: - sstate->andx.dataoffset|= 
(uint64_t) *(p++) << 56; - if (!(--input_len)) break; + sstate->andx.dataoffset |= (uint64_t) * (p++) << 56; + if (!(--input_len)) + break; case 25: - sstate->andx.dataoffset|= (uint64_t) *(p++) << 48; - if (!(--input_len)) break; + sstate->andx.dataoffset |= (uint64_t) * (p++) << 48; + if (!(--input_len)) + break; case 26: - sstate->andx.dataoffset|= (uint64_t) *(p++) << 40; - if (!(--input_len)) break; + sstate->andx.dataoffset |= (uint64_t) * (p++) << 40; + if (!(--input_len)) + break; case 27: - sstate->andx.dataoffset|= (uint64_t) *(p++) << 32; + sstate->andx.dataoffset |= (uint64_t) * (p++) << 32; --input_len; break; } @@ -238,9 +267,10 @@ static uint32_t SMBParseWriteAndX(Flow *f, void *smb_state, AppLayerParserState /** * \brief SMB Read AndX Response Parsing */ -static uint32_t SMBParseReadAndX(Flow *f, void *smb_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, AppLayerParserResult *output) { - SCEnter(); +static uint32_t SMBParseReadAndX(Flow *f, void *smb_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { + SCEnter(); SMBState *sstate = (SMBState *) smb_state; uint8_t *p = input; switch (sstate->andx.andxbytesprocessed) { 
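Review bot: After this hunk the 28-byte fast path and the byte-at-a-time path of SMBParseWriteAndX assemble the same fields in different orders, so a WriteAndX decodes differently depending on how the stream is segmented: the fast path now takes `*(p + 2)` as the low byte of andxoffset and `*(p + 22)` as the low byte of dataoffset, but cases 2 and 22 still shift their byte by 8, and for datalength the case labels (18/19 "DataLengthHigh", 20/21 "DataLength") and their 16/24/8/0 shifts are contradicted by the fast path's 0/8/16/24. The fix is to keep the slow path's datalength order and move the fast path to it, and to flip cases 2/3 and 22/23 to low-byte-first like the fast path, as below. Bytes 24–27 are still shifted 56/48/40/32 in both paths, the reverse of the little-endian treatment given to every other field here and to bytes 14–17 in the ReadAndX hunk; if that field is little-endian as well, the shifts should be 32/40/48/56. Style: `(uint64_t) * (p + 24)` reads as a multiplication — `(uint64_t)p[24]` is clearer.
```c
            if (input_len >= 28) {
                sstate->andx.andxcommand = *p;
                sstate->andx.andxoffset = *(p + 2);
                sstate->andx.andxoffset |= *(p + 3) << 8;
                /* bytes 18-19 are DataLengthHigh, 20-21 DataLength (see case labels) */
                sstate->andx.datalength = *(p + 18) << 16;
                sstate->andx.datalength |= *(p + 19) << 24;
                sstate->andx.datalength |= *(p + 20);
                sstate->andx.datalength |= *(p + 21) << 8;
                sstate->andx.dataoffset = *(p + 22);
                sstate->andx.dataoffset |= *(p + 23) << 8;
                // … unchanged: bytes 24-27, bytesprocessed, return, else branch, case 1 …
        case 2:
            sstate->andx.andxoffset = *(p++);
            if (!(--input_len))
                break;
        case 3:
            sstate->andx.andxoffset |= *(p++) << 8;
            if (!(--input_len))
                break;
        // … unchanged: cases 4-21 …
        case 22:
            sstate->andx.dataoffset = *(p++);
            if (!(--input_len))
                break;
        case 23:
            sstate->andx.dataoffset |= *(p++) << 8;
            if (!(--input_len))
                break;
        // … unchanged: cases 24-27 …
```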
@@ -248,81 +278,99 @@ static uint32_t SMBParseReadAndX(Flow *f, void *smb_state, AppLayerParserState * sstate->andx.paddingparsed = 0; if (input_len >= 24) { sstate->andx.andxcommand = *p; - sstate->andx.andxoffset = *(p+2) << 8; - sstate->andx.andxoffset |= *(p+3); - sstate->andx.datalength = *(p+10) << 8; - sstate->andx.datalength |= *(p+11); - sstate->andx.dataoffset = *(p+12) << 8; - sstate->andx.dataoffset |= *(p+13); - sstate->andx.datalength |= (uint64_t) *(p+14) << 56; - sstate->andx.datalength |= (uint64_t) *(p+15) << 48; - sstate->andx.datalength |= (uint64_t) *(p+16) << 40; - sstate->andx.datalength |= (uint64_t) *(p+17) << 32; + sstate->andx.andxoffset = *(p + 2); + sstate->andx.andxoffset |= *(p + 3) << 8; + sstate->andx.datalength = *(p + 10); + sstate->andx.datalength |= *(p + 11) << 8; + sstate->andx.dataoffset = *(p + 12); + sstate->andx.dataoffset |= *(p + 13) << 8; + sstate->andx.datalength |= (uint64_t) * (p + 14) << 32; + sstate->andx.datalength |= (uint64_t) * (p + 15) << 40; + sstate->andx.datalength |= (uint64_t) * (p + 16) << 48; + sstate->andx.datalength |= (uint64_t) * (p + 17) << 56; sstate->bytesprocessed += 24; SCReturnUInt(24U); } else { sstate->andx.andxcommand = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; } case 1: p++; // Reserved - if (!(--input_len)) break; + if (!(--input_len)) + break; case 2: - sstate->andx.andxoffset |= *(p++) << 8; - if (!(--input_len)) break; - case 3: sstate->andx.andxoffset |= *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; + case 3: + sstate->andx.andxoffset |= *(p++) << 8; + if (!(--input_len)) + break; case 4: // SMB_COM_READ_ANDX Remaining Reserved must be 0xff p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 5: // SMB_COM_READ_ANDX Remaining Reserved must be 0xff p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 6: // SMB_COM_READ_ANDX DataCompactionMode 1 p++; - if (!(--input_len)) break; + if (!(--input_len)) + 
break; case 7: // SMB_COM_READ_ANDX DataCompactionMode 1 p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 8: // SMB_COM_READ_ANDX Reserved p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 9: // SMB_COM_READ_ANDX Reserved p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 10: - sstate->andx.datalength = *(p++) << 8; - if (!(--input_len)) break; + sstate->andx.datalength = *(p++); + if (!(--input_len)) + break; case 11: - sstate->andx.datalength |= *(p++); - if (!(--input_len)) break; + sstate->andx.datalength |= *(p++) << 8; + if (!(--input_len)) + break; case 12: - sstate->andx.dataoffset = *(p++) << 8; - if (!(--input_len)) break; + sstate->andx.dataoffset = *(p++); + if (!(--input_len)) + break; case 13: - sstate->andx.dataoffset|= *(p++); - if (!(--input_len)) break; + sstate->andx.dataoffset |= *(p++) << 8; + if (!(--input_len)) + break; case 14: - sstate->andx.datalength |= *(p++) << 24; - if (!(--input_len)) break; - case 15: sstate->andx.datalength |= *(p++) << 16; - if (!(--input_len)) break; + if (!(--input_len)) + break; + case 15: + sstate->andx.datalength |= *(p++) << 24; + if (!(--input_len)) + break; case 16: // SMB_COM_READ_ANDX Reserved p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 17: // SMB_COM_READ_ANDX Reserved p++; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 18: // SMB_COM_READ_ANDX Reserved p++; 
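Review bot: In SMBParseReadAndX the fast path still ORs `*(p + 14)`..`*(p + 17)` into datalength at bits 32–56, while the byte-at-a-time path this hunk rewrote puts byte 14 at bit 16 and byte 15 at bit 24 and treats bytes 16 and 17 as Reserved (`p++`), so the two paths yield different datalength values for the same bytes. As far as I can tell the slow path is the right one (a 2-byte DataLengthHigh followed by reserved words), so the four fast-path lines should become `sstate->andx.datalength |= *(p + 14) << 16;` and `sstate->andx.datalength |= *(p + 15) << 24;`. Note also that `*(p++) << 24` promotes the byte to int and overflows for values >= 0x80; a `(uint32_t)` cast on the byte avoids that. Case 2 now uses `|=` for the first andxoffset byte where the fast path uses `=`, so stale bits from a previous command survive unless andxoffset is cleared elsewhere.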
@@ -333,18 +381,185 @@ static uint32_t SMBParseReadAndX(Flow *f, void *smb_state, AppLayerParserState * SCReturnUInt((uint32_t)(p - input)); } +static uint32_t SMBParseTransact(Flow *f, void *smb_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { + SCEnter(); + SMBState *sstate = (SMBState *) smb_state; + uint8_t *p = input; + switch (sstate->andx.andxbytesprocessed) { + case 0: + sstate->andx.paddingparsed = 0; + if (input_len >= 27) { + sstate->andx.datalength = *(p + 22); + sstate->andx.datalength |= *(p + 23) << 8; + sstate->andx.dataoffset = *(p + 24); + sstate->andx.dataoffset |= *(p + 25) << 8; + sstate->andx.datalength |= (uint64_t) * (p + 14) << 56; + sstate->andx.datalength |= (uint64_t) * (p + 15) << 48; + sstate->andx.datalength |= (uint64_t) * (p + 16) << 40; + sstate->andx.datalength |= (uint64_t) * (p + 17) << 32; + sstate->bytesprocessed += 24; + SCReturnUInt(24U); + } else { + /* total parameter count 1 */ + p++; + if (!(--input_len)) + break; + } + case 1: + /* total parameter count 2 */ + p++; + if (!(--input_len)) + break; + case 2: + /* total data count 1 */ + p++; + if (!(--input_len)) + break; + case 3: + /* total data count 2 */ + p++; + if (!(--input_len)) + break; + case 4: + /* max parameter count 1 */ + p++; + if (!(--input_len)) + break; + case 5: + /* max parameter count 2 */ + p++; + if (!(--input_len)) + break; + case 6: + /* max data count 1 */ + p++; + if (!(--input_len)) + break; + case 7: + /* max data count 2 */ + p++; + if (!(--input_len)) + break; + case 8: + /* max setup count */ + p++; + if (!(--input_len)) + break; + case 9: + /* Reserved */ + p++; + if (!(--input_len)) + break; + case 10: + /* Flags */ + p++; + if (!(--input_len)) + break; + case 11: + /* Flags */ + p++; + if (!(--input_len)) + break; + case 12: + /* Timeout */ + p++; + if (!(--input_len)) + break; + case 13: + /* Timeout */ + p++; + if (!(--input_len)) + break; + case 14: + /* Timeout */ + p++; + if 
(!(--input_len)) + break; + case 15: + /* Timeout */ + p++; + if (!(--input_len)) + break; + case 16: + /* Reserved */ + p++; + if (!(--input_len)) + break; + case 17: + /* Reserved */ + p++; + if (!(--input_len)) + break; + case 18: + /* Parameter Count */ + p++; + if (!(--input_len)) + break; + case 19: + /* Parameter Count */ + p++; + if (!(--input_len)) + break; + case 20: + /* Parameter Offset */ + p++; + if (!(--input_len)) + break; + case 21: + /* Parameter Offset */ + p++; + if (!(--input_len)) + break; + case 22: + /* Data Count */ + sstate->andx.datalength = *(p++); + if (!(--input_len)) + break; + case 23: + /* Data Count */ + sstate->andx.datalength |= *(p++) << 8; + if (!(--input_len)) + break; + case 24: + /* Data Offset */ + sstate->andx.dataoffset = *(p++); + if (!(--input_len)) + break; + case 25: + /* Data Offset */ + sstate->andx.dataoffset |= *(p++) << 8; + if (!(--input_len)) + case 26: + /* Setup Count */ + p++; + if (!(--input_len)) + case 27: + /* Reserved */ + p++; + --input_len; + break; + } + sstate->bytesprocessed += (p - input); + SCReturnUInt((uint32_t)(p - input)); +} + /** * Handle variable length padding for WriteAndX and ReadAndX */ static uint32_t PaddingParser(void *smb_state, AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, AppLayerParserResult *output) { - SCEnter(); + SCEnter(); SMBState *sstate = (SMBState *) smb_state; uint8_t *p = input; - while ((uint32_t)(sstate->bytesprocessed + (p - input)) < sstate->andx.dataoffset && sstate->bytecount.bytecount-- && input_len--) { + while ((uint32_t)(sstate->bytesprocessed + (p - input)) + < sstate->andx.dataoffset && sstate->bytecount.bytecount-- + && input_len--) { p++; } - if ((uint32_t)(sstate->bytesprocessed + (p - input)) == sstate->andx.dataoffset) { + if ((uint32_t)(sstate->bytesprocessed + (p - input)) + == sstate->andx.dataoffset) { sstate->andx.paddingparsed = 1; } sstate->bytesprocessed += (p - input); 
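Review bot: In the new SMBParseTransact, cases 25 and 26 have no `break;` after `if (!(--input_len))`, so the labelled `p++` of the following case becomes the body of that `if`: with input remaining the Setup Count and Reserved bytes are skipped without advancing `p`, and when input runs out `p` is advanced anyway and the next `--input_len` wraps the unsigned counter. The fast path in case 0 also disagrees with the byte-at-a-time path: it accepts `input_len >= 27` but consumes and returns 24 where cases 0–27 consume 28 bytes, and it ORs `*(p + 14)`..`*(p + 17)` into datalength although the case labels document those bytes as Timeout and Reserved — only bytes 22–25 carry Data Count / Data Offset in either path. The rewrite below uses 28 in all three places, drops the Timeout bytes from datalength, and adds the two missing `break`s.
```c
        case 0:
            sstate->andx.paddingparsed = 0;
            /* fixed part of the Transaction request is 28 bytes (cases 0-27 below) */
            if (input_len >= 28) {
                sstate->andx.datalength = *(p + 22);
                sstate->andx.datalength |= *(p + 23) << 8;
                sstate->andx.dataoffset = *(p + 24);
                sstate->andx.dataoffset |= *(p + 25) << 8;
                sstate->bytesprocessed += 28;
                SCReturnUInt(28U);
            } else {
                /* total parameter count 1 */
                p++;
                if (!(--input_len))
                    break;
            }
        /* … unchanged: cases 1-24 … */
        case 25:
            /* Data Offset */
            sstate->andx.dataoffset |= *(p++) << 8;
            if (!(--input_len))
                break;
        case 26:
            /* Setup Count */
            p++;
            if (!(--input_len))
                break;
        case 27:
            /* Reserved */
            p++;
            --input_len;
            break;
    }
    /* … unchanged: bytesprocessed update and return … */
```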
@@ -357,12 +572,13 @@ static uint32_t PaddingParser(void *smb_state, AppLayerParserState *pstate, */ static uint32_t DataParser(void *smb_state, AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, AppLayerParserResult *output) { - SCEnter(); + SCEnter(); SMBState *sstate = (SMBState *) smb_state; uint8_t *p = input; if (sstate->andx.paddingparsed) { - while (sstate->andx.datalength-- && sstate->bytecount.bytecount-- && input_len--) { + while (sstate->andx.datalength-- && sstate->bytecount.bytecount-- + && input_len--) { SCLogDebug("0x%02x ", *p); p++; } @@ -371,15 +587,14 @@ static uint32_t DataParser(void *smb_state, AppLayerParserState *pstate, SCReturnUInt((uint32_t)(p - input)); } - /** * \brief Obtain SMB WordCount which is 2 times the value. * Reset bytecount.bytecountbytes to 0. * Determine if this is an SMB AndX Command */ -static uint32_t SMBGetWordCount(Flow *f, void *smb_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, AppLayerParserResult *output) -{ +static uint32_t SMBGetWordCount(Flow *f, void *smb_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { SCEnter(); if (input_len) { SMBState *sstate = (SMBState *) smb_state; 
@@ -398,24 +613,24 @@ static uint32_t SMBGetWordCount(Flow *f, void *smb_state, AppLayerParserState *p * is after the first bytecount byte. */ -static uint32_t SMBGetByteCount(Flow *f, void *smb_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, AppLayerParserResult *output) -{ +static uint32_t SMBGetByteCount(Flow *f, void *smb_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { SCEnter(); SMBState *sstate = (SMBState *) smb_state; uint8_t *p = input; - if (input_len && sstate->bytesprocessed == NBSS_HDR_LEN + SMB_HDR_LEN + - 1 + sstate->wordcount.wordcount) { - sstate->bytecount.bytecount = *(p++); - sstate->bytesprocessed++; - --input_len; + if (input_len && sstate->bytesprocessed == NBSS_HDR_LEN + SMB_HDR_LEN + 1 + + sstate->wordcount.wordcount) { + sstate->bytecount.bytecount = *(p++); + sstate->bytesprocessed++; + --input_len; } - if (input_len && sstate->bytesprocessed == NBSS_HDR_LEN + SMB_HDR_LEN + - 2 + sstate->wordcount.wordcount) { - sstate->bytecount.bytecount |= *(p++) << 8; - sstate->bytesprocessed++; - SCLogDebug("Bytecount %u", sstate->bytecount.bytecount); - --input_len; + if (input_len && sstate->bytesprocessed == NBSS_HDR_LEN + SMB_HDR_LEN + 2 + + sstate->wordcount.wordcount) { + sstate->bytecount.bytecount |= *(p++) << 8; + sstate->bytesprocessed++; + SCLogDebug("Bytecount %u", sstate->bytecount.bytecount); + --input_len; } SCReturnUInt((uint32_t)(p - input)); } 
@@ -424,22 +639,34 @@ static uint32_t SMBGetByteCount(Flow *f, void *smb_state, AppLayerParserState *p * \brief SMBParseWordCount parses the SMB Wordcount portion of the SMB Transaction. * until sstate->wordcount.wordcount bytes are parsed. */ -static uint32_t SMBParseWordCount(Flow *f, void *smb_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, AppLayerParserResult *output) -{ +static uint32_t SMBParseWordCount(Flow *f, void *smb_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { SCEnter(); SMBState *sstate = (SMBState *) smb_state; uint8_t *p = input; uint32_t retval = 0; uint32_t parsed = 0; - if ((sstate->smb.flags & SMB_FLAGS_SERVER_TO_REDIR) && sstate->smb.command == SMB_COM_READ_ANDX) { - retval = SMBParseReadAndX(f, sstate, pstate, input + parsed, input_len, output); + if ((sstate->smb.flags & SMB_FLAGS_SERVER_TO_REDIR) && sstate->smb.command + == SMB_COM_READ_ANDX) { + retval = SMBParseReadAndX(f, sstate, pstate, input + parsed, input_len, + output); parsed += retval; input_len -= retval; sstate->wordcount.wordcount -= retval; SCReturnUInt(retval); - } else if (((sstate->smb.flags & SMB_FLAGS_SERVER_TO_REDIR) == 0) && sstate->smb.command == SMB_COM_WRITE_ANDX) { - retval = SMBParseWriteAndX(f, sstate, pstate, input + parsed, input_len, output); + } else if (((sstate->smb.flags & SMB_FLAGS_SERVER_TO_REDIR) == 0) + && sstate->smb.command == SMB_COM_WRITE_ANDX) { + retval = SMBParseWriteAndX(f, sstate, pstate, input + parsed, + input_len, output); + parsed += retval; + input_len -= retval; + sstate->wordcount.wordcount -= retval; + SCReturnUInt(retval); + } else if ((sstate->smb.flags & SMB_FLAGS_SERVER_TO_REDIR) + && sstate->smb.command == SMB_COM_TRANSACTION) { + retval = SMBParseTransact(f, sstate, pstate, input + parsed, input_len, + output); parsed += retval; input_len -= retval; sstate->wordcount.wordcount -= retval; 
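Review bot: The new SMB_COM_TRANSACTION branch in SMBParseWordCount dispatches SMBParseTransact only when `SMB_FLAGS_SERVER_TO_REDIR` is set, i.e. on server responses, yet the commit describes it as parsing DCERPC requests over SMB Transact; requests flow client to server with that flag clear, so either the flag test is inverted or the request side is never handed to the new parser. It also disagrees with SMBParseByteCount in this same patch, which enters the padding/data path for SMB_COM_TRANSACTION regardless of direction. If both directions carry a Transact payload the condition should be `sstate->smb.command == SMB_COM_TRANSACTION` alone, or a direction-aware pair of parsers, and the two functions should agree on it. SMBParseTransact itself is not in this chunk, so which direction it was written for is inferred from the commit message.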
@@ -459,23 +686,28 @@ static uint32_t SMBParseWordCount(Flow *f, void *smb_state, AppLayerParserState * until sstate->bytecount.bytecount bytes are parsed. */ -static uint32_t SMBParseByteCount(Flow *f, void *smb_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, AppLayerParserResult *output) -{ +static uint32_t SMBParseByteCount(Flow *f, void *smb_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { SCEnter(); SMBState *sstate = (SMBState *) smb_state; uint8_t *p = input; uint32_t retval = 0; uint32_t parsed = 0; - if (((sstate->smb.flags & SMB_FLAGS_SERVER_TO_REDIR) && sstate->smb.command == SMB_COM_READ_ANDX) || - (((sstate->smb.flags & SMB_FLAGS_SERVER_TO_REDIR) == 0) && sstate->smb.command == SMB_COM_WRITE_ANDX)) { + if (((sstate->smb.flags & SMB_FLAGS_SERVER_TO_REDIR) && sstate->smb.command + == SMB_COM_READ_ANDX) || (((sstate->smb.flags + & SMB_FLAGS_SERVER_TO_REDIR) == 0) && sstate->smb.command + == SMB_COM_WRITE_ANDX) || + (sstate->smb.command == SMB_COM_TRANSACTION)) { if (sstate->andx.paddingparsed == 0) { - retval = PaddingParser(sstate, pstate, input + parsed, input_len, output); + retval = PaddingParser(sstate, pstate, input + parsed, input_len, + output); parsed += retval; input_len -= retval; } if (sstate->andx.datalength) { - retval = DataParser(sstate, pstate, input + parsed, input_len, output); + retval = DataParser(sstate, pstate, input + parsed, input_len, + output); parsed += retval; input_len -= retval; } 
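Review bot: The dispatch predicate in SMBParseByteCount now mixes three `||` clauses with nested `&&` and flag tests broken across line ends (`sstate->smb.command` / `== SMB_COM_READ_ANDX`), which is hard to read and easy to get wrong when the next command is added. I would hoist the direction and command once, `int from_server = sstate->smb.flags & SMB_FLAGS_SERVER_TO_REDIR;` and `uint8_t cmd = sstate->smb.command;`, then write `if ((from_server && cmd == SMB_COM_READ_ANDX) || (!from_server && cmd == SMB_COM_WRITE_ANDX) || cmd == SMB_COM_TRANSACTION)`. Note also that the TRANSACTION clause is direction-less here but direction-checked in SMBParseWordCount; for the direction SMBParseWordCount does not handle, this path runs PaddingParser and DataParser on whatever `andx.paddingparsed` and `andx.datalength` were left at, which presumably were not set up for this command.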
@@ -493,9 +725,9 @@ static uint32_t SMBParseByteCount(Flow *f, void *smb_state, AppLayerParserState SCReturnUInt((uint32_t)(p - input)); } -static uint32_t NBSSParseHeader(Flow *f, void *smb_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, AppLayerParserResult *output) -{ +static uint32_t NBSSParseHeader(Flow *f, void *smb_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { SCEnter(); SMBState *sstate = (SMBState *) smb_state; uint8_t *p = input; @@ -514,14 +746,17 @@ static uint32_t NBSSParseHeader(Flow *f, void *smb_state, AppLayerParserState *p SCReturnUInt(4U); } else { sstate->nbss.type = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; } case 1: sstate->nbss.length = (*(p++) & 0x01) << 16; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 2: sstate->nbss.length |= *(p++) << 8; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 3: sstate->nbss.length |= *(p++); --input_len; @@ -532,9 +767,12 @@ static uint32_t NBSSParseHeader(Flow *f, void *smb_state, AppLayerParserState *p SCReturnUInt((uint32_t)(p - input)); } -static uint32_t SMBParseHeader(Flow *f, void *smb_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, AppLayerParserResult *output) -{ +/** + * \brief SMBParseHeader parses and validates the 32 byte SMB Header + */ +static uint32_t SMBParseHeader(Flow *f, void *smb_state, + AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, + AppLayerParserResult *output) { SCEnter(); SMBState *sstate = (SMBState *) smb_state; uint8_t *p = input; 
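Review bot: The new header comment says SMBParseHeader "parses and validates the 32 byte SMB Header", but the only validation the function performs is the `\xff` `S` `M` `B` signature check, each byte failing with `SCReturnInt(0)`; command, status, flags and the id fields are copied without any range check. I would narrow the comment to `\brief Parse the 32 byte SMB header; only the \xffSMB signature is validated, a mismatch returns 0 with nothing consumed.` and add a `\retval` line stating that the return value is the number of bytes consumed, since every caller uses it that way. The body of SMBParseHeader is outside this hunk.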
@@ -556,14 +794,14 @@ static uint32_t SMBParseHeader(Flow *f, void *smb_state, AppLayerParserState *ps sstate->smb.flags2 |= *(p + 11); sstate->smb.pidhigh = *(p + 12) << 8; sstate->smb.pidhigh |= *(p + 13); - sstate->smb.securitysignature = (uint64_t) *(p + 14) << 56; - sstate->smb.securitysignature |= (uint64_t) *(p + 15) << 48; - sstate->smb.securitysignature |= (uint64_t) *(p + 16) << 40; - sstate->smb.securitysignature |= (uint64_t) *(p + 17) << 32; - sstate->smb.securitysignature |= (uint64_t) *(p + 18) << 24; - sstate->smb.securitysignature |= (uint64_t) *(p + 19) << 16; - sstate->smb.securitysignature |= (uint64_t) *(p + 20) << 8; - sstate->smb.securitysignature |= (uint64_t) *(p + 21); + sstate->smb.securitysignature = (uint64_t) * (p + 14) << 56; + sstate->smb.securitysignature |= (uint64_t) * (p + 15) << 48; + sstate->smb.securitysignature |= (uint64_t) * (p + 16) << 40; + sstate->smb.securitysignature |= (uint64_t) * (p + 17) << 32; + sstate->smb.securitysignature |= (uint64_t) * (p + 18) << 24; + sstate->smb.securitysignature |= (uint64_t) * (p + 19) << 16; + sstate->smb.securitysignature |= (uint64_t) * (p + 20) << 8; + sstate->smb.securitysignature |= (uint64_t) * (p + 21); sstate->smb.tid = *(p + 24) << 8; sstate->smb.tid |= *(p + 25); sstate->smb.pid = *(p + 26) << 8; 
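Review bot: The reformatted casts, `sstate->smb.securitysignature = (uint64_t) * (p + 14) << 56;`, read as a multiplication of `(uint64_t)` by `(p + 14)`; the expression is still a cast of the dereferenced byte, but the spacing hides that and forces the reader to re-parse each of the eight lines. Keep the dereference attached, `(uint64_t)*(p + 14) << 56`, or read the field through a small big-endian load helper; the same spacing is applied to the byte-at-a-time path of this function further down. Behaviour is unchanged either way.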
@@ -579,104 +817,135 @@ static uint32_t SMBParseHeader(Flow *f, void *smb_state, AppLayerParserState *ps //sstate->smb.protocol[0] = *(p++); if (*(p++) != 0xff) SCReturnInt(0); - if (!(--input_len)) break; + if (!(--input_len)) + break; } case 5: //sstate->smb.protocol[1] = *(p++); if (*(p++) != 'S') SCReturnInt(0); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 6: //sstate->smb.protocol[2] = *(p++); if (*(p++) != 'M') SCReturnInt(0); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 7: //sstate->smb.protocol[3] = *(p++); if (*(p++) != 'B') SCReturnInt(0); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 8: sstate->smb.command = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 9: sstate->smb.status = *(p++) << 24; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 10: sstate->smb.status |= *(p++) << 16; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 11: sstate->smb.status |= *(p++) << 8; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 12: sstate->smb.status |= *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 13: sstate->smb.flags = *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 14: sstate->smb.flags2 = *(p++) << 8; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 15: sstate->smb.flags2 |= *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 16: sstate->smb.pidhigh = *(p++) << 8; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 17: sstate->smb.pidhigh |= *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 18: - sstate->smb.securitysignature = (uint64_t) *(p++) << 56; - if (!(--input_len)) break; + sstate->smb.securitysignature = (uint64_t) * (p++) << 56; + if (!(--input_len)) + break; case 19: - sstate->smb.securitysignature |= (uint64_t) *(p++) << 48; - if (!(--input_len)) break; + sstate->smb.securitysignature |= (uint64_t) 
* (p++) << 48; + if (!(--input_len)) + break; case 20: - sstate->smb.securitysignature |= (uint64_t) *(p++) << 40; - if (!(--input_len)) break; + sstate->smb.securitysignature |= (uint64_t) * (p++) << 40; + if (!(--input_len)) + break; case 21: - sstate->smb.securitysignature |= (uint64_t) *(p++) << 32; - if (!(--input_len)) break; + sstate->smb.securitysignature |= (uint64_t) * (p++) << 32; + if (!(--input_len)) + break; case 22: - sstate->smb.securitysignature |= (uint64_t) *(p++) << 24; - if (!(--input_len)) break; + sstate->smb.securitysignature |= (uint64_t) * (p++) << 24; + if (!(--input_len)) + break; case 23: - sstate->smb.securitysignature |=(uint64_t) *(p++) << 16; - if (!(--input_len)) break; + sstate->smb.securitysignature |= (uint64_t) * (p++) << 16; + if (!(--input_len)) + break; case 24: - sstate->smb.securitysignature |= (uint64_t) *(p++) << 8; - if (!(--input_len)) break; + sstate->smb.securitysignature |= (uint64_t) * (p++) << 8; + if (!(--input_len)) + break; case 25: - sstate->smb.securitysignature |= (uint64_t) *(p++); - if (!(--input_len)) break; + sstate->smb.securitysignature |= (uint64_t) * (p++); + if (!(--input_len)) + break; case 26: p++; // UNUSED - if (!(--input_len)) break; + if (!(--input_len)) + break; case 27: p++; // UNUSED - if (!(--input_len)) break; + if (!(--input_len)) + break; case 28: sstate->smb.tid = *(p++) << 8; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 29: sstate->smb.tid |= *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 30: sstate->smb.pid = *(p++) << 8; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 31: sstate->smb.pid |= *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 32: sstate->smb.uid = *(p++) << 8; - if (!(--input_len)) break; + if (!(--input_len)) + break; case 33: sstate->smb.uid |= *(p++); - if (!(--input_len)) break; + if (!(--input_len)) + break; case 34: sstate->smb.mid = *(p++) << 8; - if (!(--input_len)) break; + 
if (!(--input_len)) + break; case 35: sstate->smb.mid |= *(p++); --input_len; @@ -688,8 +957,7 @@ static uint32_t SMBParseHeader(Flow *f, void *smb_state, AppLayerParserState *ps } static int SMBParse(Flow *f, void *smb_state, AppLayerParserState *pstate, - uint8_t *input, uint32_t input_len, AppLayerParserResult *output) -{ + uint8_t *input, uint32_t input_len, AppLayerParserResult *output) { SCEnter(); SMBState *sstate = (SMBState *) smb_state; 
@@ -699,72 +967,75 @@ static int SMBParse(Flow *f, void *smb_state, AppLayerParserState *pstate, if (pstate == NULL) SCReturnInt(-1); - while (sstate->bytesprocessed < NBSS_HDR_LEN) { - retval = NBSSParseHeader(f, smb_state, pstate, input, input_len, - output); + while (sstate->bytesprocessed < NBSS_HDR_LEN) { + retval + = NBSSParseHeader(f, smb_state, pstate, input, input_len, + output); parsed += retval; input_len -= retval; - SCLogDebug("NBSS Header (%u/%u) Type 0x%02x Length 0x%04x parsed %ld input_len %u", + SCLogDebug( + "NBSS Header (%u/%u) Type 0x%02x Length 0x%04x parsed %ld input_len %u", sstate->bytesprocessed, NBSS_HDR_LEN, sstate->nbss.type, sstate->nbss.length, parsed, input_len); } - switch(sstate->nbss.type) { + switch (sstate->nbss.type) { case NBSS_SESSION_MESSAGE: - while (input_len && (sstate->bytesprocessed >= NBSS_HDR_LEN && - sstate->bytesprocessed < NBSS_HDR_LEN + SMB_HDR_LEN)) { - retval = SMBParseHeader(f, smb_state, pstate, input + - parsed, input_len, output); + while (input_len && (sstate->bytesprocessed >= NBSS_HDR_LEN + && sstate->bytesprocessed < NBSS_HDR_LEN + SMB_HDR_LEN)) { + retval = SMBParseHeader(f, smb_state, pstate, input + parsed, + input_len, output); parsed += retval; input_len -= retval; - SCLogDebug("SMB Header (%u/%u) Command 0x%02x parsed %ld input_len %u", + SCLogDebug( + "SMB Header (%u/%u) Command 0x%02x parsed %ld input_len %u", sstate->bytesprocessed, NBSS_HDR_LEN + SMB_HDR_LEN, sstate->smb.command, parsed, input_len); } do { - if (input_len && (sstate->bytesprocessed == NBSS_HDR_LEN + SMB_HDR_LEN)) { - retval = SMBGetWordCount(f, smb_state, pstate, - input + parsed, input_len, - output); + if (input_len && (sstate->bytesprocessed == NBSS_HDR_LEN + + SMB_HDR_LEN)) { + retval = SMBGetWordCount(f, smb_state, pstate, input + parsed, + input_len, output); parsed += retval; input_len -= retval; SCLogDebug("wordcount (%u) parsed %ld input_len %u", sstate->wordcount.wordcount, parsed, input_len); } - while (input_len && 
(sstate->bytesprocessed >= NBSS_HDR_LEN + SMB_HDR_LEN + 1 && - sstate->bytesprocessed < NBSS_HDR_LEN + SMB_HDR_LEN + 1 - + sstate->wordcount.wordcount)) { + while (input_len && (sstate->bytesprocessed >= NBSS_HDR_LEN + + SMB_HDR_LEN + 1 && sstate->bytesprocessed < NBSS_HDR_LEN + + SMB_HDR_LEN + 1 + sstate->wordcount.wordcount)) { retval = SMBParseWordCount(f, smb_state, pstate, - input + parsed, input_len, - output); + input + parsed, input_len, output); parsed += retval; input_len -= retval; } - while (input_len && (sstate->bytesprocessed >= NBSS_HDR_LEN + SMB_HDR_LEN + - 1 + sstate->wordcount.wordcount && sstate->bytesprocessed < NBSS_HDR_LEN + - SMB_HDR_LEN + 3 + sstate->wordcount.wordcount)) { - retval = SMBGetByteCount(f, smb_state, pstate, - input + parsed, input_len, - output); + while (input_len && (sstate->bytesprocessed >= NBSS_HDR_LEN + + SMB_HDR_LEN + 1 + sstate->wordcount.wordcount + && sstate->bytesprocessed < NBSS_HDR_LEN + SMB_HDR_LEN + 3 + + sstate->wordcount.wordcount)) { + retval = SMBGetByteCount(f, smb_state, pstate, input + parsed, + input_len, output); parsed += retval; input_len -= retval; } - while (input_len && (sstate->bytesprocessed >= NBSS_HDR_LEN + - SMB_HDR_LEN + 3 + sstate->wordcount.wordcount && - sstate->bytesprocessed < NBSS_HDR_LEN + SMB_HDR_LEN + 3 - + sstate->wordcount.wordcount + sstate->bytecount.bytecount)) { + while (input_len && (sstate->bytesprocessed >= NBSS_HDR_LEN + + SMB_HDR_LEN + 3 + sstate->wordcount.wordcount + && sstate->bytesprocessed < NBSS_HDR_LEN + SMB_HDR_LEN + 3 + + sstate->wordcount.wordcount + + sstate->bytecount.bytecount)) { retval = SMBParseByteCount(f, smb_state, pstate, - input + parsed, input_len, - output); + input + parsed, input_len, output); parsed += retval; input_len -= retval; } - } while (sstate->andx.andxcommand != SMB_NO_SECONDARY_ANDX_COMMAND && input_len); + } while (sstate->andx.andxcommand != SMB_NO_SECONDARY_ANDX_COMMAND + && input_len); break; default: break; 
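Review bot: The NBSS header loop in SMBParse, `while (sstate->bytesprocessed < NBSS_HDR_LEN)`, is the only parse loop here without an `input_len &&` guard; when a TCP segment ends inside the 4 byte header (bytesprocessed 1 to 3 with input_len 0), NBSSParseHeader presumably consumes nothing and the loop never exits. Guard it like the others: `while (input_len && sstate->bytesprocessed < NBSS_HDR_LEN) {`. More generally none of these loops checks that a sub-parser made progress: SMBParseHeader returns 0 via `SCReturnInt(0)` on a bad `\xffSMB` signature, so parsed and input_len do not move and the SMB header loop would spin on any non-SMB payload, letting one crafted segment stall the thread. Consider `if (retval == 0) break;` (or an error return) after each sub-parser call. NBSSParseHeader's handling of a zero input_len is outside this hunk, so the first point is inferred from its `if (!(--input_len)) break;` structure.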
@@ -775,13 +1046,13 @@ static int SMBParse(Flow *f, void *smb_state, AppLayerParserState *pstate, } /** -* \brief determines if the SMB command is an ANDX command -* \retval 1 if smb command is an AndX command -* \retval 0 if smb command is not an AndX command -*/ + * \brief determines if the SMB command is an ANDX command + * \retval 1 if smb command is an AndX command + * \retval 0 if smb command is not an AndX command + */ int isAndX(SMBState *smb_state) { - SCEnter(); + SCEnter(); switch (smb_state->smb.command) { case SMB_NO_SECONDARY_ANDX_COMMAND: case SMB_COM_LOCKING_ANDX: @@ -792,7 +1063,7 @@ int isAndX(SMBState *smb_state) { case SMB_COM_LOGOFF_ANDX: case SMB_COM_TREE_CONNECT_ANDX: case SMB_COM_NT_CREATE_ANDX: - smb_state->andx.andxbytesprocessed = 0; + smb_state->andx.andxbytesprocessed = 0; SCReturnInt(1); default: SCReturnInt(0); @@ -830,7 +1101,7 @@ void RegisterSMBParsers(void) { int SMBParserTest01(void) { int result = 1; Flow f; - uint8_t smbbuf[] = "\x00\x00\x00\x85" // NBSS + uint8_t smbbuf[] = "\x00\x00\x00\x85" // NBSS "\xff\x53\x4d\x42\x72\x00\x00\x00" // SMB "\x00\x18\x53\xc8\x00\x00\x00\x00" "\x00\x00\x00\x00\x00\x00\x00\x00" @@ -883,7 +1154,6 @@ int SMBParserTest01(void) { goto end; } - end: return result; } diff --git a/src/app-layer-smb.h b/src/app-layer-smb.h index 169390f31a..e4a8e4e7bd 100644 --- a/src/app-layer-smb.h +++ b/src/app-layer-smb.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009 Open Information Security Foundation + * Copyright (c) 2009,2010 Open Information Security Foundation * app-layer-smb.h * * \author Kirby Kuehl 
@@ -13,21 +13,21 @@ #include "stream.h" #include /* - http://ubiqx.org/cifs/rfc-draft/rfc1002.html#s4.3 - All session packets are of the following general structure: +http://ubiqx.org/cifs/rfc-draft/rfc1002.html#s4.3 +All session packets are of the following general structure: - 1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 - 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | TYPE | FLAGS | LENGTH | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - | | - / TRAILER (Packet Type Dependent) / - | | - +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +1 1 1 1 1 1 1 1 1 1 2 2 2 2 2 2 2 2 2 2 3 3 +0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 2 3 4 5 6 7 8 9 0 1 ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| TYPE | FLAGS | LENGTH | ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ +| | +/ TRAILER (Packet Type Dependent) / +| | ++-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+ - The TYPE, FLAGS, and LENGTH fields are present in every session - packet. +The TYPE, FLAGS, and LENGTH fields are present in every session +packet. */ #define NBSS_SESSION_MESSAGE 0x00 #define NBSS_SESSION_REQUEST 0x81 
@@ -37,39 +37,39 @@ #define NBSS_SESSION_KEEP_ALIVE 0x85 typedef struct nbss_hdr_ { - uint8_t type; - uint8_t flags; - uint32_t length; + uint8_t type; + uint8_t flags; + uint32_t length; }nbss_hdr_t, *pnbss_hdr_t; #define NBSS_HDR_LEN 4 typedef struct smb_hdr_ { - uint8_t protocol[4]; - uint8_t command; - uint32_t status; - uint8_t flags; - uint16_t flags2; - uint16_t pidhigh; - uint64_t securitysignature; - uint16_t unused; - uint16_t tid; - uint16_t pid; - uint16_t uid; - uint16_t mid; + uint8_t protocol[4]; + uint8_t command; + uint32_t status; + uint8_t flags; + uint16_t flags2; + uint16_t pidhigh; + uint64_t securitysignature; + uint16_t unused; + uint16_t tid; + uint16_t pid; + uint16_t uid; + uint16_t mid; }smb_hdr_t, *psmb_hdr_t; #define SMB_HDR_LEN 32 #define MINIMUM_SMB_LEN 35 #define NBSS_SMB_HDRS_LEN 36 typedef struct wordcount_ { - uint8_t wordcount; - uint8_t *words; + uint8_t wordcount; + uint8_t *words; }wordcount_t, *pwordcount_t; typedef struct bytecount_ { - uint8_t bytecountbytes; - uint16_t bytecount; - uint8_t *bytes; + uint8_t bytecountbytes; + uint16_t bytecount; + uint8_t *bytes; }bytecount_t, *pbytyecount_t; typedef struct andxcount_ { @@ -83,12 +83,12 @@ typedef struct andxcount_ { }andx_t, *pandx_t; typedef struct SMBState_ { - nbss_hdr_t nbss; - smb_hdr_t smb; - wordcount_t wordcount; - bytecount_t bytecount; - andx_t andx; - uint16_t bytesprocessed; + nbss_hdr_t nbss; + smb_hdr_t smb; + wordcount_t wordcount; + bytecount_t bytecount; + andx_t andx; + uint16_t bytesprocessed; }SMBState; #define SMB_FLAGS_SERVER_TO_REDIR 0x80 diff --git a/src/app-layer-smb2.c b/src/app-layer-smb2.c index 80059f8963..f31b618f98 100644 --- a/src/app-layer-smb2.c +++ b/src/app-layer-smb2.c @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009 Open Information Security Foundation + * Copyright (c) 2009,2010 Open Information Security Foundation * app-layer-smb.c * * \author Kirby Kuehl 
@@ -37,7 +37,7 @@ enum { static uint32_t NBSSParseHeader(void *smb2_state, AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, AppLayerParserResult *output) { - SCEnter(); + SCEnter(); SMB2State *sstate = (SMB2State *) smb2_state; uint8_t *p = input; @@ -74,7 +74,7 @@ static uint32_t NBSSParseHeader(void *smb2_state, AppLayerParserState *pstate, static uint32_t SMB2ParseHeader(void *smb2_state, AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, AppLayerParserResult *output) { - SCEnter(); + SCEnter(); SMB2State *sstate = (SMB2State *) smb2_state; uint8_t *p = input; if (input_len) { @@ -358,7 +358,7 @@ static uint32_t SMB2ParseHeader(void *smb2_state, AppLayerParserState *pstate, static int SMB2Parse(Flow *f, void *smb2_state, AppLayerParserState *pstate, uint8_t *input, uint32_t input_len, AppLayerParserResult *output) { - SCEnter(); + SCEnter(); SMB2State *sstate = (SMB2State *) smb2_state; uint32_t retval = 0; uint32_t parsed = 0; 
@@ -427,13 +427,13 @@ int SMB2ParserTest01(void) { int result = 1; Flow f; uint8_t smb2buf[] = - "\x00\x00\x00\x66" // NBSS - "\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00" // SMB2 - "\x3f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" - "\x24\x00\x01\x00x00\x00\x00\x00\x00\x00\x0\x00\x00\x00\x00\x00\x00\x00\x00" - "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x02"; + "\x00\x00\x00\x66" // NBSS + "\xfe\x53\x4d\x42\x40\x00\x00\x00\x00\x00\x00\x00\x00\x00" // SMB2 + "\x3f\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00" + "\x24\x00\x01\x00x00\x00\x00\x00\x00\x00\x0\x00\x00\x00\x00\x00\x00\x00\x00" + "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x02\x02"; uint32_t smb2len = sizeof(smb2buf) - 1; TcpSession ssn; diff --git a/src/app-layer-smb2.h b/src/app-layer-smb2.h index ef9017a621..b38b10c238 100644 --- a/src/app-layer-smb2.h +++ b/src/app-layer-smb2.h @@ -1,5 +1,5 @@ /* - * Copyright (c) 2009 Open Information Security Foundation + * Copyright (c) 2009,2010 Open Information Security Foundation * app-layer-smb2.h * * \author Kirby Kuehl 
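Review bot: The SMB2 test buffer still carries a malformed escape on its sixth line, `"\x24\x00\x01\x00x00\x00..."`: after `\x00` the characters `x00` are not an escape and become three literal bytes ('x', '0', '0'), so the buffer is three bytes longer than the 0x66 NBSS length claims and every field after that point is shifted (the later `\x0` is legal but should be `\x00` for consistency). Since this hunk re-indents these lines anyway, fix the vector at the same time: `"\x24\x00\x01\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"`. SMB2ParserTest01 continues below this hunk, so what it asserts about the parsed result is not visible here.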
@@ -15,27 +15,27 @@ #include typedef struct smb2_hdr { - uint32_t Protocol; // Contains 0xFE,'SMB' - uint16_t StructureSize; - uint16_t CreditCharge; - uint32_t Status; - uint16_t Command; - uint16_t CreditRequestResponse; - uint32_t Flags; - uint32_t NextCommand; - uint64_t MessageId; - uint32_t ProcessId; - uint32_t TreeId; - uint64_t SessionId; - uint8_t Signature[16]; + uint32_t Protocol; // Contains 0xFE,'SMB' + uint16_t StructureSize; + uint16_t CreditCharge; + uint32_t Status; + uint16_t Command; + uint16_t CreditRequestResponse; + uint32_t Flags; + uint32_t NextCommand; + uint64_t MessageId; + uint32_t ProcessId; + uint32_t TreeId; + uint64_t SessionId; + uint8_t Signature[16]; }smb2_hdr_t, *psmb2_hdr_t; #define SMB2_HDR_LEN 64 typedef struct SMB2State_ { - nbss_hdr_t nbss; - smb2_hdr_t smb2; - uint16_t bytesprocessed; + nbss_hdr_t nbss; + smb2_hdr_t smb2; + uint16_t bytesprocessed; }SMB2State; /* http://msdn.microsoft.com/en-us/library/cc246528(PROT.13).aspx */