OpenVAS Scanner  22.7.9
nasl_smb.c File Reference

API for NASL built-in SMB access focusing on effective file rights. More...

#include "nasl_smb.h"
#include "../misc/plugutils.h"
#include "openvas_smb_interface.h"
#include <arpa/inet.h>
#include <errno.h>
#include <gvm/base/logging.h>
#include <gvm/base/networking.h>
#include <netinet/in.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>


Macros

#define IMPORT(var)   char *var = get_str_var_by_name (lexic, #var)
 
#define G_LOG_DOMAIN   "lib nasl"
 GLib logging domain. More...
 

Functions

tree_cell * nasl_smb_versioninfo (lex_ctxt *lexic)
 Get a version string of the SMB implementation. More...
 
tree_cell * nasl_smb_connect (lex_ctxt *lexic)
 Connect to SMB service and return a handle for it. More...
 
tree_cell * nasl_smb_close (lex_ctxt *lexic)
 Close SMB service handle. More...
 
tree_cell * nasl_smb_file_SDDL (lex_ctxt *lexic)
 Obtain Security Descriptor in SDDL format. More...
 
tree_cell * nasl_smb_file_owner_sid (lex_ctxt *lexic)
 Obtain File Owner SID. More...
 
tree_cell * nasl_smb_file_group_sid (lex_ctxt *lexic)
 Obtain File Group SID. More...
 
tree_cell * nasl_smb_file_trustee_rights (lex_ctxt *lexic)
 Obtain File Trustee SID with Access Mask. More...
 
tree_cell * nasl_win_cmd_exec (lex_ctxt *lexic)
 Execute the command in windows. More...
 

Detailed Description

API for NASL built-in SMB access focusing on effective file rights.

Provides the SMB API as built-in functions to NASL by calling the corresponding functions of an appropriate library. The focus is on effective file rights, which cannot be retrieved via WMI.

Definition in file nasl_smb.c.

Macro Definition Documentation

◆ G_LOG_DOMAIN

#define G_LOG_DOMAIN   "lib nasl"

GLib logging domain.

Definition at line 37 of file nasl_smb.c.

◆ IMPORT

#define IMPORT (   var)    char *var = get_str_var_by_name (lexic, #var)

Definition at line 31 of file nasl_smb.c.

Function Documentation

◆ nasl_smb_close()

tree_cell* nasl_smb_close (lex_ctxt *lexic)

Close SMB service handle.

Parameters
[in] lexic Lexical context of NASL interpreter.
Returns
NULL in case of a serious problem. Else returns a treecell with integer == 1.

Retrieves the local variable "smb_handle" from the lexical context and closes the respective handle.

Definition at line 131 of file nasl_smb.c.

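/**
 * @brief Close SMB service handle.
 *
 * Retrieves the local variable "smb_handle" from the lexical context and
 * closes the respective handle via smb_close().
 *
 * @param[in] lexic Lexical context of NASL interpreter.
 *
 * @return NULL if smb_close() reports a failure. Else a CONST_INT cell
 *         holding 1.
 */
tree_cell *
nasl_smb_close (lex_ctxt *lexic)
{
  SMB_HANDLE handle = (SMB_HANDLE) get_int_var_by_name (lexic, "smb_handle", 0);
  tree_cell *retc;

  /* A missing "smb_handle" yields the default 0, which is handed to
   * smb_close() unchanged; how the library treats 0 is not visible here. */
  if (smb_close (handle) != 0)
    return NULL;

  /* Allocate only after the close succeeded; allocating first leaked the
   * cell on the failure path. */
  retc = alloc_typed_cell (CONST_INT);
  retc->x.i_val = 1;
  return retc;
}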

References alloc_typed_cell(), CONST_INT, get_int_var_by_name(), TC::i_val, smb_close(), and TC::x.


◆ nasl_smb_connect()

tree_cell* nasl_smb_connect (lex_ctxt *lexic)

Connect to SMB service and return a handle for it.

Parameters
[in] lexic Lexical context of NASL interpreter.
Returns
NULL in case the connection could not be established. Else a tree_cell with the handle.

Retrieves the local variables "host", "username", "password" and "share" from the lexical context, connects to the given SMB service and returns a handle for the service as an integer.

Definition at line 76 of file nasl_smb.c.

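/**
 * @brief Connect to SMB service and return a handle for it.
 *
 * Reads "username", "password" and "share" from the lexical context, takes
 * the target address from the script's host information and calls
 * smb_connect(). The resulting handle is returned to the script as an
 * integer cell.
 *
 * @param[in] lexic Lexical context of NASL interpreter.
 *
 * @return NULL if an argument is missing or empty, or if the connection
 *         could not be established. Else a CONST_INT cell with the handle.
 */
tree_cell *
nasl_smb_connect (lex_ctxt *lexic)
{
  struct script_infos *script_infos = lexic->script_infos;
  struct in6_addr *host = plug_get_host_ip (script_infos);
  char *username = get_str_var_by_name (lexic, "username");
  char *password = get_str_var_by_name (lexic, "password");
  char *share = get_str_var_by_name (lexic, "share");
  char *ip;
  SMB_HANDLE handle = 0;
  tree_cell *retc;

  if (host == NULL || username == NULL || password == NULL || share == NULL)
    {
      g_message ("nasl_smb_connect: Invalid input arguments");
      return NULL;
    }

  /* ip is heap-allocated by addr6_as_str() and must be released on every
   * path below; g_free (NULL) is harmless if the conversion failed. */
  ip = addr6_as_str (host);
  if (ip == NULL || strlen (ip) == 0 || strlen (username) == 0
      || strlen (password) == 0 || strlen (share) == 0)
    {
      g_message ("nasl_smb_connect: Invalid input arguments");
      g_free (ip);
      return NULL;
    }

  if (smb_connect (ip, share, username, password, &handle) == -1)
    {
      g_message ("nasl_smb_connect: SMB Connect failed");
      g_free (ip);
      return NULL;
    }
  g_free (ip);

  /* Allocate the result cell only once the connection is up; allocating
   * before smb_connect() leaked it whenever the connect failed. */
  retc = alloc_typed_cell (CONST_INT);
  retc->x.i_val = handle;
  return retc;
}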

References alloc_typed_cell(), CONST_INT, get_str_var_by_name(), TC::i_val, plug_get_host_ip(), struct_lex_ctxt::script_infos, smb_connect(), and TC::x.


◆ nasl_smb_file_group_sid()

tree_cell* nasl_smb_file_group_sid (lex_ctxt *lexic)

Obtain File Group SID.

Parameters
[in] lexic Lexical context of NASL interpreter.
Returns
NULL in case of a problem. Else returns a treecell with the Group SID string.

Retrieves the local variables "smb_handle" and "filename" from the lexical context and performs the file rights query.

Definition at line 247 of file nasl_smb.c.

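/**
 * @brief Obtain File Group SID.
 *
 * Retrieves the local variables "smb_handle" and "filename" from the
 * lexical context and asks the SMB library for the group SID of the file.
 *
 * @param[in] lexic Lexical context of NASL interpreter.
 *
 * @return NULL if "filename" is missing, "smb_handle" is 0, the query
 *         fails or the result cannot be copied. Else a CONST_DATA cell
 *         holding a copy of the Group SID string.
 */
tree_cell *
nasl_smb_file_group_sid (lex_ctxt *lexic)
{
  SMB_HANDLE handle = (SMB_HANDLE) get_int_var_by_name (lexic, "smb_handle", 0);
  char *filename = get_str_var_by_name (lexic, "filename");
  char *buffer, *copy;
  tree_cell *retc;

  if (!filename)
    {
      g_message ("smb_file_group_sid failed: Invalid filename");
      return NULL;
    }

  if (!handle)
    {
      g_message ("smb_file_group_sid failed: Invalid smb_handle");
      return NULL;
    }

  /* The returned buffer is not released here; whether smb_file_GroupSID()
   * hands over ownership is not visible in this file - confirm against
   * openvas_smb_interface.h before adding a free. */
  buffer = smb_file_GroupSID (handle, filename);
  if (buffer == NULL)
    return NULL;

  /* Copy before allocating the cell: a failed strdup() would otherwise
   * leave a cell whose size is set while str_val is NULL. */
  copy = strdup (buffer);
  if (copy == NULL)
    {
      g_message ("smb_file_group_sid failed: out of memory");
      return NULL;
    }

  retc = alloc_typed_cell (CONST_DATA);
  retc->x.str_val = copy;
  retc->size = strlen (copy);
  return retc;
}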

References alloc_typed_cell(), CONST_DATA, get_int_var_by_name(), get_str_var_by_name(), TC::size, smb_file_GroupSID(), TC::str_val, and TC::x.


◆ nasl_smb_file_owner_sid()

tree_cell* nasl_smb_file_owner_sid (lex_ctxt *lexic)

Obtain File Owner SID.

Parameters
[in] lexic Lexical context of NASL interpreter.
Returns
NULL in case of a problem. Else returns a treecell with the Owner SID string.

Retrieves the local variables "smb_handle" and "filename" from the lexical context and performs the file rights query.

Definition at line 204 of file nasl_smb.c.

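/**
 * @brief Obtain File Owner SID.
 *
 * Retrieves the local variables "smb_handle" and "filename" from the
 * lexical context and asks the SMB library for the owner SID of the file.
 *
 * @param[in] lexic Lexical context of NASL interpreter.
 *
 * @return NULL if "filename" is missing, "smb_handle" is 0, the query
 *         fails or the result cannot be copied. Else a CONST_DATA cell
 *         holding a copy of the Owner SID string.
 */
tree_cell *
nasl_smb_file_owner_sid (lex_ctxt *lexic)
{
  SMB_HANDLE handle = (SMB_HANDLE) get_int_var_by_name (lexic, "smb_handle", 0);
  char *filename = get_str_var_by_name (lexic, "filename");
  char *buffer, *copy;
  tree_cell *retc;

  if (!filename)
    {
      g_message ("smb_file_owner_sid failed: Invalid filename");
      return NULL;
    }

  if (!handle)
    {
      g_message ("smb_file_owner_sid failed: Invalid smb_handle");
      return NULL;
    }

  /* The returned buffer is not released here; whether smb_file_OwnerSID()
   * hands over ownership is not visible in this file - confirm against
   * openvas_smb_interface.h before adding a free. */
  buffer = smb_file_OwnerSID (handle, filename);
  if (buffer == NULL)
    return NULL;

  /* Copy before allocating the cell: a failed strdup() would otherwise
   * leave a cell whose size is set while str_val is NULL. */
  copy = strdup (buffer);
  if (copy == NULL)
    {
      g_message ("smb_file_owner_sid failed: out of memory");
      return NULL;
    }

  retc = alloc_typed_cell (CONST_DATA);
  retc->x.str_val = copy;
  retc->size = strlen (copy);
  return retc;
}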

References alloc_typed_cell(), CONST_DATA, get_int_var_by_name(), get_str_var_by_name(), TC::size, smb_file_OwnerSID(), TC::str_val, and TC::x.


◆ nasl_smb_file_SDDL()

tree_cell* nasl_smb_file_SDDL (lex_ctxt *lexic)

Obtain Security Descriptor in SDDL format.

Parameters
[in] lexic Lexical context of NASL interpreter.
Returns
NULL in case of a problem. Else returns a treecell with the SDDL string.

Retrieves the local variables "smb_handle" and "filename" from the lexical context and performs the file rights query.

Definition at line 161 of file nasl_smb.c.

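/**
 * @brief Obtain Security Descriptor in SDDL format.
 *
 * Retrieves the local variables "smb_handle" and "filename" from the
 * lexical context and asks the SMB library for the file's security
 * descriptor as an SDDL string.
 *
 * @param[in] lexic Lexical context of NASL interpreter.
 *
 * @return NULL if "filename" is missing, "smb_handle" is 0, the query
 *         fails or the result cannot be copied. Else a CONST_DATA cell
 *         holding a copy of the SDDL string.
 */
tree_cell *
nasl_smb_file_SDDL (lex_ctxt *lexic)
{
  SMB_HANDLE handle = (SMB_HANDLE) get_int_var_by_name (lexic, "smb_handle", 0);
  char *filename = get_str_var_by_name (lexic, "filename");
  char *buffer, *copy;
  tree_cell *retc;

  if (!filename)
    {
      g_message ("smb_file_SDDL failed: Invalid filename");
      return NULL;
    }

  if (!handle)
    {
      g_message ("smb_file_SDDL failed: Invalid smb_handle");
      return NULL;
    }

  /* The returned buffer is not released here; whether smb_file_SDDL()
   * hands over ownership is not visible in this file - confirm against
   * openvas_smb_interface.h before adding a free. */
  buffer = smb_file_SDDL (handle, filename);
  if (buffer == NULL)
    return NULL;

  /* Copy before allocating the cell: a failed strdup() would otherwise
   * leave a cell whose size is set while str_val is NULL. */
  copy = strdup (buffer);
  if (copy == NULL)
    {
      g_message ("smb_file_SDDL failed: out of memory");
      return NULL;
    }

  retc = alloc_typed_cell (CONST_DATA);
  retc->x.str_val = copy;
  retc->size = strlen (copy);
  return retc;
}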

References alloc_typed_cell(), CONST_DATA, get_int_var_by_name(), get_str_var_by_name(), TC::size, smb_file_SDDL(), TC::str_val, and TC::x.


◆ nasl_smb_file_trustee_rights()

tree_cell* nasl_smb_file_trustee_rights (lex_ctxt *lexic)

Obtain File Trustee SID with Access Mask.

Parameters
[in] lexic Lexical context of NASL interpreter.
Returns
NULL in case of a problem. Else returns a treecell with the Trustee SID and Access Mask string.

Retrieves the local variables "smb_handle" and "filename" from the lexical context and performs the file rights query.

Definition at line 290 of file nasl_smb.c.

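/**
 * @brief Obtain File Trustee SID with Access Mask.
 *
 * Retrieves the local variables "smb_handle" and "filename" from the
 * lexical context and asks the SMB library for the trustee SIDs and their
 * access masks for the file.
 *
 * @param[in] lexic Lexical context of NASL interpreter.
 *
 * @return NULL if "filename" is missing, "smb_handle" is 0, the query
 *         fails or the result cannot be copied. Else a CONST_DATA cell
 *         holding a copy of the Trustee SID and Access Mask string.
 */
tree_cell *
nasl_smb_file_trustee_rights (lex_ctxt *lexic)
{
  SMB_HANDLE handle = (SMB_HANDLE) get_int_var_by_name (lexic, "smb_handle", 0);
  char *filename = get_str_var_by_name (lexic, "filename");
  char *buffer, *copy;
  tree_cell *retc;

  if (!filename)
    {
      g_message ("smb_file_trustee_rights failed: Invalid filename");
      return NULL;
    }

  if (!handle)
    {
      g_message ("smb_file_trustee_rights failed: Invalid smb_handle");
      return NULL;
    }

  /* The returned buffer is not released here; whether
   * smb_file_TrusteeRights() hands over ownership is not visible in this
   * file - confirm against openvas_smb_interface.h before adding a free. */
  buffer = smb_file_TrusteeRights (handle, filename);
  if (buffer == NULL)
    return NULL;

  /* Copy before allocating the cell: a failed strdup() would otherwise
   * leave a cell whose size is set while str_val is NULL. */
  copy = strdup (buffer);
  if (copy == NULL)
    {
      g_message ("smb_file_trustee_rights failed: out of memory");
      return NULL;
    }

  retc = alloc_typed_cell (CONST_DATA);
  retc->x.str_val = copy;
  retc->size = strlen (copy);
  return retc;
}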

References alloc_typed_cell(), CONST_DATA, get_int_var_by_name(), get_str_var_by_name(), TC::size, smb_file_TrusteeRights(), TC::str_val, and TC::x.


◆ nasl_smb_versioninfo()

tree_cell* nasl_smb_versioninfo (lex_ctxt *lexic)

Get a version string of the SMB implementation.

Parameters
[in] lexic Lexical context of NASL interpreter.
Returns
NULL in case no implementation is present. Else a tree_cell with the version as string.

Definition at line 48 of file nasl_smb.c.

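/**
 * @brief Get a version string of the SMB implementation.
 *
 * @param[in] lexic Lexical context of NASL interpreter (unused).
 *
 * @return NULL in case no implementation is present or the string cannot
 *         be copied. Else a CONST_DATA cell with a copy of the version
 *         string.
 */
tree_cell *
nasl_smb_versioninfo (lex_ctxt *lexic)
{
  char *version = smb_versioninfo ();
  char *copy;
  tree_cell *retc;

  /* The version does not depend on the script context. */
  (void) lexic;

  if (!version)
    return NULL;

  /* Whether the string returned by smb_versioninfo() must be released by
   * the caller is not visible here - confirm against the SMB interface. */
  copy = strdup (version);
  if (copy == NULL)
    return NULL;

  /* The cell is allocated after the copy succeeded so no cell is leaked or
   * left with a NULL str_val. */
  retc = alloc_typed_cell (CONST_DATA);
  retc->x.str_val = copy;
  retc->size = strlen (copy);
  return retc;
}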

References alloc_typed_cell(), CONST_DATA, TC::size, smb_versioninfo(), TC::str_val, and TC::x.


◆ nasl_win_cmd_exec()

tree_cell* nasl_win_cmd_exec (lex_ctxt *lexic)

Execute the command in windows.

Parameters
[in] lexic Lexical context of NASL interpreter.
Returns
NULL if the query fails. Else a tree_cell with the command execution result.

Retrieves the local variable "cmd" from the lexical context, performs the Windows command execution and returns the result.

Definition at line 335 of file nasl_smb.c.

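/**
 * @brief Drain a pipe into a newly allocated GString.
 *
 * @param[in] fd Read end of the child's stdout pipe.
 *
 * @return The collected output, or NULL (after logging) on a read error.
 */
static GString *
win_cmd_exec_read_output (int fd)
{
  GString *output = g_string_new ("");

  for (;;)
    {
      char buf[4096];
      /* read() returns ssize_t; storing it in a size_t (as the original
       * code did) turned -1 into a huge positive count, so the error branch
       * was unreachable and a garbage length reached g_string_append_len. */
      ssize_t got = read (fd, buf, sizeof (buf));

      if (got == 0)
        break;
      if (got > 0)
        {
          g_string_append_len (output, buf, got);
          continue;
        }
      if (errno == EINTR)
        continue;

      g_warning ("win_cmd_exec: %s", strerror (errno));
      g_string_free (output, TRUE);
      return NULL;
    }

  return output;
}

/**
 * @brief Convert UTF-16 tool output to UTF-8 in place.
 *
 * If @p output contains a UTF-16 byte-order mark (FF FE), everything
 * after the mark is converted to UTF-8 and replaces the whole content;
 * bytes before the mark are dropped, as in the original code.
 *
 * @param[in,out] output Collected tool output.
 *
 * @return TRUE if no conversion was needed or it succeeded. FALSE (after
 *         logging) if g_convert() failed; @p output is left untouched then.
 */
static gboolean
win_cmd_exec_to_utf8 (GString *output)
{
  char *bom = strstr (output->str, "\xff\xfe");
  GError *err = NULL;
  size_t offset, payload_len, length = 0;
  char *utf8;

  if (bom == NULL)
    return TRUE;

  /* The payload is everything after the two BOM bytes. The original
   * computed one byte too many here, which pulled the GString's NUL
   * terminator into the UTF-16 input as an odd trailing byte. */
  offset = bom - output->str;
  payload_len = output->len - offset - 2;

  utf8 = g_convert (bom + 2, payload_len, "UTF-8", "UTF-16", NULL, &length,
                    &err);
  if (utf8 == NULL)
    {
      g_warning ("win_cmd_exec: %s", err ? err->message : "Error");
      if (err)
        g_error_free (err);
      return FALSE;
    }

  /* Replace the content through the GString API so len and allocated_len
   * stay consistent, instead of swapping the str pointer underneath it. */
  g_string_truncate (output, 0);
  g_string_append_len (output, utf8, length);
  g_free (utf8);
  return TRUE;
}

/**
 * @brief Execute the command in windows.
 *
 * Retrieves the local variables "username", "password" and "cmd" from the
 * lexical context, spawns impacket-wmiexec against the scan target with
 * those credentials and collects the tool's standard output. Output that
 * starts with "[-]" is treated as a tool-side error; UTF-16 output
 * (detected by an FF FE byte-order mark) is converted to UTF-8.
 *
 * @param[in] lexic Lexical context of NASL interpreter.
 *
 * @return NULL if an argument is missing or empty, the helper cannot be
 *         spawned, its output cannot be read or converted, or the tool
 *         reported an error. Else a CONST_DATA cell with the output.
 */
tree_cell *
nasl_win_cmd_exec (lex_ctxt *lexic)
{
  struct script_infos *script_infos = lexic->script_infos;
  struct in6_addr *host = plug_get_host_ip (script_infos);
  char *ip, *argv[4], target[2048], *c;
  tree_cell *retc;
  GString *output;
  GError *err = NULL;
  int sout = -1, written;

  IMPORT (username);
  IMPORT (password);
  IMPORT (cmd);

  if (host == NULL || username == NULL || password == NULL || cmd == NULL)
    {
      g_message ("win_cmd_exec: Invalid input arguments");
      return NULL;
    }

  ip = addr6_as_str (host);
  if (ip == NULL || strlen (ip) == 0 || strlen (username) == 0
      || strlen (password) == 0)
    {
      g_message ("win_cmd_exec: Invalid input arguments");
      g_free (ip);
      return NULL;
    }

  /* wmiexec.py uses domain/username format. Note that this rewrites the
   * script's own "username" string in place. */
  if ((c = strchr (username, '\\')))
    *c = '/';

  /* The credentials travel in argv and are therefore readable in the
   * process list of the scanner host while the helper runs. A truncated
   * target string would authenticate with mangled credentials, so fail
   * instead of spawning. */
  written = snprintf (target, sizeof (target), "%s:%s@%s", username, password,
                      ip);
  g_free (ip);
  if (written < 0 || (size_t) written >= sizeof (target))
    {
      g_message ("win_cmd_exec: Invalid input arguments");
      return NULL;
    }

  argv[0] = "impacket-wmiexec";
  argv[1] = target;
  /* One argv element: no local shell is involved in passing the command. */
  argv[2] = cmd;
  argv[3] = NULL;

  if (!g_spawn_async_with_pipes (NULL, argv, NULL, G_SPAWN_SEARCH_PATH, NULL,
                                 NULL, NULL, NULL, &sout, NULL, &err))
    {
      g_warning ("win_cmd_exec: %s", err ? err->message : "Error");
      if (err)
        g_error_free (err);
      return NULL;
    }

  output = win_cmd_exec_read_output (sout);
  close (sout);
  if (output == NULL)
    return NULL;

  if (g_str_has_prefix (output->str, "[-]"))
    {
      g_warning ("win_cmd_exec: %s", output->str);
      g_string_free (output, TRUE);
      return NULL;
    }

  if (!win_cmd_exec_to_utf8 (output))
    {
      g_string_free (output, TRUE);
      return NULL;
    }

  retc = alloc_typed_cell (CONST_DATA);
  retc->size = output->len;
  /* g_string_free (..., FALSE) hands the character buffer to the cell and
   * releases the GString header, which the original code leaked. */
  retc->x.str_val = g_string_free (output, FALSE);
  return retc;
}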

References alloc_typed_cell(), CONST_DATA, IMPORT, length, plug_get_host_ip(), struct_lex_ctxt::script_infos, TC::size, TC::str_val, and TC::x.

smb_versioninfo
char * smb_versioninfo(void)
Return version info for SMB implementation.
Definition: smb_interface_stub.c:27
script_infos
Definition: scanneraux.h:29
CONST_DATA
@ CONST_DATA
Definition: nasl_tree.h:82
SMB_HANDLE
long int SMB_HANDLE
Definition: openvas_smb_interface.h:17
plug_get_host_ip
struct in6_addr * plug_get_host_ip(struct script_infos *args)
Definition: plugutils.c:316
TC::str_val
char * str_val
Definition: nasl_tree.h:103
TC::x
union TC::@5 x
IMPORT
#define IMPORT(var)
Definition: nasl_smb.c:31
smb_file_GroupSID
char * smb_file_GroupSID(SMB_HANDLE, const char *)
Obtain the SID of the Group for a given file/path.
Definition: smb_interface_stub.c:117
get_str_var_by_name
char * get_str_var_by_name(lex_ctxt *, const char *)
Definition: nasl_var.c:1118
TC::size
int size
Definition: nasl_tree.h:99
smb_file_TrusteeRights
char * smb_file_TrusteeRights(SMB_HANDLE, const char *)
Obtain the Trustee SID and their rights for a given file/path.
Definition: smb_interface_stub.c:134
get_int_var_by_name
long int get_int_var_by_name(lex_ctxt *, const char *, int)
Definition: nasl_var.c:1104
smb_file_SDDL
char * smb_file_SDDL(SMB_HANDLE, const char *)
Obtain Windows file rights in SDDL format.
Definition: smb_interface_stub.c:83
smb_connect
int smb_connect(const char *, const char *, const char *, const char *, SMB_HANDLE *)
Establish connection to a SMB service.
Definition: smb_interface_stub.c:48
struct_lex_ctxt::script_infos
struct script_infos * script_infos
Definition: nasl_lex_ctxt.h:30
TC
Definition: nasl_tree.h:94
host
Host information, implemented as doubly linked list.
Definition: hosts.c:37
CONST_INT
@ CONST_INT
Definition: nasl_tree.h:79
smb_close
int smb_close(SMB_HANDLE)
Close the connection handle for SMB service.
Definition: smb_interface_stub.c:67
alloc_typed_cell
tree_cell * alloc_typed_cell(int typ)
Definition: nasl_tree.c:28
length
u_short length
Definition: nasl_packet_forgery.c:4
smb_file_OwnerSID
char * smb_file_OwnerSID(SMB_HANDLE, const char *)
Obtain the SID of the Owner for a given file/path.
Definition: smb_interface_stub.c:100
TC::i_val
long int i_val
Definition: nasl_tree.h:104