description =
[[
A RPC client for communicating with the DRAZEN_SVC RPC service. It's used for
testing NDR packing/unpacking procedures implemented in "ndr.lua", as well as
testing the real life RPC services such as SRVSVC, RRAS...
DRAZEN_SVC RPC service is built as a project in MIDL_BENCH VS solution.
For this client to work one must have the latest MIDL_BENCH VS project which
can be downloaded from drazen/var/MIDL_BENCH. It then must build and run the
DRAZEN_SVC project which will generally output some information on the console
screen of the server side.
]]
---
-- @usage
-- sudo nmap -sS -p 445 -d2 -n -Pn --script="cli-drazen-svc" 10.1.13.39
-- @output
-- @args
author = "Drazen Popovic"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"intrusive"}
dependencies = {}
--####################################################################--
--# 1) DRAZEN_SVC client
--####################################################################--
require("msrpc")
require("msrpctypes")
require("bin")
require("smb")
require("ndr")
hostrule = function(host)
return smb.get_port(host) ~= nil
end
action = function(host, port)
--create the SMB session
local status, smbstate
status, smbstate = msrpc.start_smb(host, DRAZEN_SVC_NAMED_PIPE)
if(status == false) then
return false
end
--bind to DRAZEN_SVC service
local bind_result
status, bind_result = msrpc.bind(smbstate, DRAZEN_SVC_UUID, DRAZEN_SVC_VERSION, nil)
if(status == false) then
msrpc.stop_smb(smbstate)
return false
end
--play
DRAZEN_SVC_HelloWorld(smbstate)
local status, s_tptp1 = DRAZEN_SVC_TestPrimTypesPacking1(
smbstate,
-1,
1,
-2,
2,
-4,
4,
-8,
8,
true,
65,
0xff)
for key,val in pairs(s_tptp1) do
if(val == true) then
val = 1
else
if (val == false) then
val = 0
end
end
print(string.format("s_tptp1[%s]=%d", key, val))
end
--[[
DRAZEN_SVC_TestPrimTypesPacking1_msrpctypes(
smbstate,
sm,
usm,
sh,
ush,
l,
ul,
h,
uh,
bo,
c,
by)
]]--
local status, s_tptp2 = DRAZEN_SVC_TestPrimTypesPacking2(
smbstate,
1,
2,
4,
1,
8)
local status, e_tptp3 = DRAZEN_SVC_TestPrimTypesPacking3(
smbstate,
tptp3_enum_t["THREE"]
)
local s = 16
local longs = {}
local shorts = {}
local threes = {}
for i = 1, s*4, 4 do
table.insert(longs, i)
end
for i = 1, s*2, 2 do
table.insert(shorts, i)
end
for i = 1, s*3, 3 do
local three = {}
three.s1 = i
three.s2 = i+1
three.s3 = i+2
table.insert(threes, three)
end
local status, s_tufa = DRAZEN_SVC_TestUniFixedArray(
smbstate,
1,
longs,
1,
shorts,
1,
threes)
local ptr_s1, ptr_s2, ptr_s3
ptr_s1 = {ref = #longs}
ptr_s2 = {ref = #shorts}
ptr_s3 = {ref = #threes}
local status, ptr_s_tuca = DRAZEN_SVC_TestUniConfArray(
smbstate,
ptr_s1,
longs,
ptr_s2,
shorts,
ptr_s3,
threes)
DRAZEN_SVC_TestUniVarArray(
smbstate,
#longs,
longs,
#shorts,
shorts,
#threes,
threes)
DRAZEN_SVC_TestUniConfVarArray(
smbstate,
#longs,
longs,
#shorts,
shorts,
#threes,
threes)
local multi_shorts1 =
{
{1,2,3},
{4,5,6},
{7,8,9}
}
local multi_shorts2 =
{
{10,11,12},
{13,14,15},
{16,17,18},
}
local multi_shorts3 =
{
{19,20,21},
{22,23,24},
{25,26,27}
}
local multi_shorts_arr =
{
multi_shorts1,
multi_shorts2,
multi_shorts3
}
DRAZEN_SVC_TestFixedMulDimArray(
smbstate,
2,
multi_shorts_arr
)
DRAZEN_SVC_TestConfMulDimArray(
smbstate,
3,
multi_shorts_arr
)
DRAZEN_SVC_TestVarMulDimArray(
smbstate,
3,
multi_shorts_arr
)
DRAZEN_SVC_TestConfVarMulDimArray(
smbstate,
3,
multi_shorts_arr
)
local s_ts1 ={}
s_ts1.s1 = 4
s_ts1.shorts = multi_shorts1
s_ts1.s2 = 5
local ptr_s_ts1 = {ref = s_ts1}
DRAZEN_SVC_TestStructure1(
smbstate,
3,
ptr_s_ts1
)
local s_ts2 = {}
s_ts2.s1 = 3
s_ts2.shorts = ptr_s_ts1.ref.shorts
local ptr_s_ts2 = {ref = s_ts2}
local status, ret = DRAZEN_SVC_TestStructure2(
smbstate,
123,
ptr_s_ts2
)
print(ret.ref[1][1])
if(status) then
return
end
local ts6 = {}
ts6.l = 3
ts6.h = 8
ts6.hypers = {1,2,3}
ts6.s = 1
DRAZEN_SVC_TestStructure3(
smbstate,
2,
ts6)
local ts7 = {}
ts7.l = 3
ts7.h = 8
ts7.hypers = {1,2,3}
DRAZEN_SVC_TestStructure4(
smbstate,
2,
ts7)
local ps = {ref = 1}
local psh = {ref = 2}
local pl = {ref = 4}
local phypers_fix = {ref = {1,2}}
local phypers_conf = {ref = {1,2}}
local phypers_var = {ref = {1,2}}
local phypers_conf_var = {ref = {1,2}}
DRAZEN_SVC_TestRefPtr1(
smbstate,
ps,
psh,
pl,
phypers_fix,
phypers_conf,
phypers_var,
phypers_conf_var
)
local trp1t = {}
trp1t.ps = {ref = 1}
trp1t.psh = {ref = 2}
trp1t.pl = {ref = 4}
DRAZEN_SVC_TestRefPtr2(
smbstate,
trp1t
)
local smptrs = {{ref = 1},{ref = 2},{ref = 3}}
local tal1 = {}
tal1.sm = 1
tal1.smptrs = smptrs
local ptal1 = {ref = tal1}
DRAZEN_SVC_TestAll1(
smbstate,
1,
smptrs,
ptal1,
-- {ref = tal1}
{ref =
{
sm = 2,
smptrs = {
{ref = 1},{ref = 2},{ref = 3}
}
}
}
)
DRAZEN_SVC_TestAll1(
smbstate,
1,
smptrs,
ptal1,
{ref = tal1}
)
end
--####################################################################--
--# 2) DRAZEN_SVC INTERFACE
--####################################################################--
DRAZEN_SVC_NAMED_PIPE = "\\drazen_svc"
DRAZEN_SVC_TCP_PORT = 1337
DRAZEN_SVC_UUID_STR = "E75074E2-6EEC-4f08-9454-8D806C221490"
require("uuid")
local drazen_svc_uuid = uuid.UUID:new(DRAZEN_SVC_UUID_STR)
DRAZEN_SVC_UUID = drazen_svc_uuid:getRaw()
DRAZEN_SVC_VERSION = 1
--####################################################################--
--# 3) DRAZEN_SVC TYPES
--####################################################################--
--####################################################################--
--[[
enum _enum_test1{
ONE = 0,
TWO,
THREE,
FOUR,
FIVE};
--]]
---Enum type _enum_test1.
--####################################################################--
tptp3_enum_t = {}
tptp3_enum_t["ONE"] = 0
tptp3_enum_t["TWO"] = 1
tptp3_enum_t["THREE"] = 2
tptp3_enum_t["FOUR"] = 3
tptp3_enum_t["FIVE"] = 4
do
pt_tptp1_struct_t = PT_Struct:new(
{
{"sm", pt_small},
{"usm", pt_small},
{"sh", pt_short},
{"ush", pt_short},
{"lo", pt_long},
{"ulo", pt_long},
{"hy", pt_hyper},
{"uhy", pt_hyper},
{"bo", pt_bool},
{"ch", pt_char},
{"by", pt_octet}
}
)
end
do
pt_tptp2_struct_t = PT_Struct:new(
{
{"sm", pt_small},
{"sh", pt_short},
{"lo", pt_long},
{"sm_", pt_small},
{"hy", pt_hyper}
}
)
end
do
pt_three = PT_Struct:new(
{
{"s1", pt_small},
{"s2", pt_small},
{"s3", pt_small}
}
)
end
do
local pt_longs = PT_FixedArr:new({{16},pt_long})
local pt_shorts = PT_FixedArr:new({{16},pt_short})
local pt_threes = PT_FixedArr:new({{16},pt_three})
pt_tufa_struct_t = PT_Struct:new(
{
{"longs", pt_longs},
{"shorts", pt_shorts},
{"threes", pt_threes}
}
)
end
do
local pt_threes = PT_ConfArr:new({{1}, pt_three})
pt_tuca_struct_t = PT_Struct:new(
{
{"s3", pt_small},
{"threes", pt_threes}
}
)
end
do
local pt_longs = PT_VarArr:new({{16}, pt_long})
pt_tuva_struct_t = PT_Struct:new(
{
{"s1", pt_small},
{"longs", pt_longs}
}
)
end
do
local pt_shorts = PT_FixedArr:new({{3,3}, pt_short})
pt_ts1_struct_t = PT_Struct:new(
{
{"s1", pt_small},
{"shorts", pt_shorts},
{"s2", pt_hyper}
}
)
end
do
local pt_shorts = PT_ConfArr:new({{1,1}, pt_short})
pt_ts2_struct_t = PT_Struct:new(
{
{"s1", pt_small},
{"shorts", pt_shorts}
}
)
end
--a
do
local pt_hypers = PT_VarArr:new(pt_hyper)
pt_test_struct_6 = PT_Struct:new(
{
{"l", pt_long},
{"h", pt_hyper},
{"hypers", pt_hypers},
{"s", pt_small}
}
)
end
do
local pt_hypers = PT_ConfVarArr:new(pt_hyper)
pt_test_struct_7 = PT_Struct:new(
{
{"l", pt_long},
{"h", pt_hyper},
{"hypers", pt_hypers}
}
)
end
do
local pt_ps = PT_RefPtr:new(pt_small)
local pt_psh = PT_RefPtr:new(pt_short)
local pt_pl = PT_RefPtr:new(pt_long)
pt_test_refptr_1 = PT_Struct:new(
{
{"ps", pt_ps},
{"psh", pt_psh},
{"pl", pt_pl}
}
)
end
do
local pt_psmall = PT_FullPtr:new(pt_small)
local pt_smptrs = PT_FixedArr:new(pt_psmall)
pt_test_all_1 = PT_Struct:new(
{
{"sm", pt_small},
{"smptrs", pt_smptrs}
}
)
end
--####################################################################--
--# 4) DRAZEN_SVC OPERATIONS
--####################################################################--
local DRAZEN_SVC_DEBUG_LVL = 2 --debug level
--####################################################################--
--- DRAZEN_SVC operation numbers.
-- @see DRAZEN_SVC.idl
--####################################################################--
DRAZEN_SVC_Opnums = {}
DRAZEN_SVC_Opnums["HelloWorld"] = 0x00
DRAZEN_SVC_Opnums["TestPrimTypesPacking1"] = 0x01
DRAZEN_SVC_Opnums["TestPrimTypesPacking2"] = 0x02
DRAZEN_SVC_Opnums["TestPrimTypesPacking3"] = 0x03
DRAZEN_SVC_Opnums["TestUniFixedArray"] = 0x04
DRAZEN_SVC_Opnums['TestUniConfArray'] = 0x05
DRAZEN_SVC_Opnums['TestUniVarArray'] = 0x06
DRAZEN_SVC_Opnums['TestUniConfVarArray'] = 0x07
DRAZEN_SVC_Opnums['TestFixedMulDimArray'] = 0x08
DRAZEN_SVC_Opnums['TestConfMulDimArray'] = 0x09
DRAZEN_SVC_Opnums['TestVarMulDimArray'] = 0x0a
DRAZEN_SVC_Opnums['TestConfVarMulDimArray'] = 0x0b
DRAZEN_SVC_Opnums['TestStructure1'] = 0x0c
DRAZEN_SVC_Opnums['TestStructure2'] = 0x0d
DRAZEN_SVC_Opnums['TestStructAlign1'] = 0x0e
DRAZEN_SVC_Opnums['TestStructAlign2'] = 0x0f
DRAZEN_SVC_Opnums['TestStructure3'] = 0x10
DRAZEN_SVC_Opnums['TestStructure4'] = 0x11
DRAZEN_SVC_Opnums['TestRefPtr1'] = 0x12
DRAZEN_SVC_Opnums['TestRefPtr2'] = 0x13
DRAZEN_SVC_Opnums['TestAll1'] = 0x14
--####################################################################--
--[[
void Hello_World();
--]]
---Prints out a "HelloWorld" message on the server side.
-- @param smbstate The smb object.
-- @return (status, result)
--* status == true -> result is a blob that represents
--* status == false -> result is a error message that caused the fuzz.
-- @see [DRAZEN_SVC.idl]
--####################################################################--
function DRAZEN_SVC_HelloWorld(smbstate)
--sanity check
--pack the request
local req_blob;
req_blob = ""
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['HelloWorld'],
req_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_HelloWorld: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['HelloWorld'],
call_result)
stdnse.print_debug(DRAZEN_DEBUG_LVL, error_msg)
return false, call_result
end
--pull the reply
local rep_blob
rep_blob = call_result
return true, rep_blob
end
--####################################################################--
--[[
void TestPrimTypesPacking1(
[in] small _small,
[in] unsigned small _usmall,
[in] short _short,
[in] unsigned short _ushort,
[in] long _long,
[in] unsigned long _ulong,
[in] hyper _hyper,
[in] unsigned hyper _uhyper,
[in] boolean _bool,
[in] char _char,
[in] byte _byte
);
--]]
---Prints out all of the type values on the server side. We are testing for valid
--NDR prim types packing, as well as IDL to NDR mappings.
-- @param smbstate The smb object.
-- @return (status, result)
--* status == true -> result is a blob that represents
--* status == false -> result is a error message that caused the fuzz.
-- @see [DRAZEN_SVC.idl]
--####################################################################--
function DRAZEN_SVC_TestPrimTypesPacking1(smbstate, sm, usm, sh, ush, l, ul, h, uh, bo, c, by)
--sanity check
--lua to ndr mapping
local sm_ndr, usm_ndr, sh_ndr, ush_ndr, l_ndr, ul_ndr, h_ndr, uh_ndr, bo_ndr,
c_ndr, by_ndr
sm_ndr = NDR_Small:new(sm)
usm_ndr = NDR_Small:new(usm)
sh_ndr = NDR_Short:new(sh)
ush_ndr = NDR_Short:new(ush)
l_ndr = NDR_Long:new(l)
ul_ndr = NDR_Long:new(ul)
h_ndr = NDR_Hyper:new(h)
uh_ndr = NDR_Hyper:new(uh)
bo_ndr = NDR_Bool:new(bo)
c_ndr = NDR_Char:new(c)
by_ndr = NDR_Octet:new(by)
--pack the request
local tptp1_ndr;
tptp1_ndr = NDR:new()
tptp1_ndr.nest_lvl = DRAZEN_SVC_DEBUG_LVL + 1
tptp1_ndr:push_small(sm_ndr)
tptp1_ndr:push_small(usm_ndr)
tptp1_ndr:push_short(sh_ndr)
tptp1_ndr:push_short(ush_ndr)
tptp1_ndr:push_long(l_ndr)
tptp1_ndr:push_long(ul_ndr)
tptp1_ndr:push_hyper(h_ndr)
tptp1_ndr:push_hyper(uh_ndr)
tptp1_ndr:push_bool(bo_ndr)
tptp1_ndr:push_char(c_ndr)
tptp1_ndr:push_octet(by_ndr)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestPrimTypesPacking1'],
tptp1_ndr.push_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestPrimTypesPacking1: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestPrimTypesPacking1'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--return value NDR
local ret_ndr
ret_ndr = NDR_Struct:new(nil, pt_tptp1_struct_t)
--pull the reply
tptp1_ndr.pull_blob = call_result.arguments
tptp1_ndr:pull_struct(ret_ndr)
return true, ret_ndr:getVal()
end
---Testing msrpctypes.lua packing methods.
function DRAZEN_SVC_TestPrimTypesPacking1_msrpctypes(smbstate, sm, usm, sh, ush, l, ul, h, uh, bo, c, by)
--sanity check
--pack the request
local tptp1_req_blob;
tptp1_req_blob = msrpctypes.marshall_int8(sm)
tptp1_req_blob = tptp1_req_blob .. msrpctypes.marshall_int8(usm)
tptp1_req_blob = tptp1_req_blob .. msrpctypes.marshall_int16(sh)
tptp1_req_blob = tptp1_req_blob .. msrpctypes.marshall_int16(ush)
tptp1_req_blob = tptp1_req_blob .. msrpctypes.marshall_int32(l)
tptp1_req_blob = tptp1_req_blob .. msrpctypes.marshall_int32(ul)
tptp1_req_blob = tptp1_req_blob .. msrpctypes.marshall_int64(h)
tptp1_req_blob = tptp1_req_blob .. msrpctypes.marshall_int64(uh)
local bo_val
if(bo == true) then
bo_val = 1
else
bo_val = 0
end
tptp1_req_blob = tptp1_req_blob .. msrpctypes.marshall_int8(bo_val)
tptp1_req_blob = tptp1_req_blob .. msrpctypes.marshall_int8(c)
tptp1_req_blob = tptp1_req_blob .. msrpctypes.marshall_int8(by)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestPrimTypesPacking1'],
tptp1_req_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestPrimTypesPacking1: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestPrimTypesPacking1'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--pull the reply
local rep_blob
rep_blob = call_result
return true, rep_blob
end
--####################################################################--
--[[
void TestPrimTypesPacking2(
[in] small _small,
[in] short _short,
[in] long _long,
[in] small _s1
[in] hyper _hyper
);
--]]
---Prints out all of the type values on the server side. We are testing for valid
--NDR prim types packing, as well as IDL to NDR mappings.
-- @param smbstate The smb object.
-- @return (status, result)
--* status == true -> result is a blob that represents
--* status == false -> result is a error message that caused the fuzz.
-- @see [DRAZEN_SVC.idl]
--####################################################################--
function DRAZEN_SVC_TestPrimTypesPacking2(smbstate, sm, sh, l, s1, h)
--sanity check
--lua to ndr mappings
local sm_ndr, sh_ndr, l_ndr, s1_ndr, h_ndr
sm_ndr = NDR_Small:new(sm)
sh_ndr = NDR_Short:new(sh)
l_ndr = NDR_Long:new(l)
s1_ndr = NDR_Small:new(s1)
h_ndr = NDR_Hyper:new(h)
--pack the request
local tptp2_ndr;
tptp2_ndr = NDR:new()
tptp2_ndr:push_small(sm_ndr)
tptp2_ndr:push_short(sh_ndr)
tptp2_ndr:push_long(l_ndr)
tptp2_ndr:push_small(s1_ndr)
tptp2_ndr:push_hyper(h_ndr)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestPrimTypesPacking2'],
tptp2_ndr.push_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestPrimTypesPacking2: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestPrimTypesPacking2'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--return value NDR
local ret_ndr
ret_ndr = NDR_Struct:new(nil, pt_tptp2_struct_t)
--pull the reply
tptp2_ndr.pull_blob = call_result.arguments
tptp2_ndr:pull_struct(ret_ndr)
return true, ret_ndr:getVal()
end
--####################################################################--
--[[
void TestPrimTypesPacking3(
[in] enum _enum_test1 e1);
--]]
---Prints out all of the type values on the server side. We are testing for valid
--NDR prim types packing, as well as IDL to NDR mappings.
-- @param smbstate The smb object.
-- @return (status, result)
--* status == true -> result is a blob that represents
--* status == false -> result is a error message that caused the fuzz.
-- @see [DRAZEN_SVC.idl]
--####################################################################--
function DRAZEN_SVC_TestPrimTypesPacking3(smbstate, e1)
--sanity check
--lua to ndr mappings
local e1_ndr
e1_ndr = NDR_Enum:new(e1)
--pack the request
local tptp3_ndr;
tptp3_ndr = NDR:new()
tptp3_ndr:push_enum(e1_ndr)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestPrimTypesPacking3'],
tptp3_ndr.push_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestPrimTypesPacking3: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestPrimTypesPacking3'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--return value NDR
local ret_ndr
ret_ndr = NDR_Enum:new(nil)
--pull the reply
tptp3_ndr.pull_blob = call_result.arguments
tptp3_ndr:pull_enum(ret_ndr)
return true, ret_ndr:getVal()
end
--####################################################################--
--[[
void TestUniFixedArray(
[in] small _s1,
[in] long _longs[16],
[in] small _s2,
[in] short _shorts[16],
[in] small _s3,
[in] threes_t _threes[16]
);
--]]
---Prints out all of the type values on the server side. We are testing for valid
--NDR unidimensional fixed array type packing, as well as IDL to NDR mappings.
-- @param smbstate The smb object.
-- @return (status, result)
--* status == true -> result is a blob that represents
--* status == false -> result is a error message that caused the fuzz.
-- @see [DRAZEN_SVC.idl]
--####################################################################--
function DRAZEN_SVC_TestUniFixedArray(smbstate, s1, longs, s2, shorts, s3, threes)
--sanity check
--local prototypes
local pt_longs, pt_shorts
pt_longs = PT_FixedArr:new({{16},pt_long})
pt_shorts = PT_FixedArr:new({{16},pt_short})
pt_threes = PT_FixedArr:new({{16},pt_three})
--lua to ndr mappings
local s1_ndr, longs_ndr, s2_ndr, shorts_ndr, s3_ndr, threes_ndr
s1_ndr = NDR_Small:new(s1)
longs_ndr = NDR_FixedArr:new(longs, pt_longs)
s2_ndr = NDR_Small:new(s2)
shorts_ndr = NDR_FixedArr:new(shorts, pt_shorts)
s3_ndr = NDR_Small:new(s3)
threes_ndr = NDR_FixedArr:new(threes, pt_threes)
--pack the request
local tufa_ndr;
tufa_ndr = NDR:new()
tufa_ndr:push_small(s1_ndr)
tufa_ndr:push_fixed_arr(longs_ndr)
tufa_ndr:push_small(s2_ndr)
tufa_ndr:push_fixed_arr(shorts_ndr)
tufa_ndr:push_small(s3_ndr)
tufa_ndr:push_fixed_arr(threes_ndr)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestUniFixedArray'],
tufa_ndr.push_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestUniFixedArray: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestUniFixedArray'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--pull the reply
tufa_ndr.pull_blob = call_result.arguments
--pull the out arguments
tufa_ndr:pull_fixed_arr(longs_ndr)
longs_ndr:getVal(longs)
tufa_ndr:pull_fixed_arr(shorts_ndr)
shorts_ndr:getVal(shorts)
tufa_ndr:pull_fixed_arr(threes_ndr)
threes_ndr:getVal(threes)
--return value NDR
local ret_ndr
ret_ndr = NDR_Struct:new(nil, pt_tufa_struct_t)
--pull the reply
tufa_ndr:pull_struct(ret_ndr)
return true, ret_ndr:getVal()
end
--####################################################################--
--[[
void TestUniConfArray(
[in] small _s1,
[in, size_is(_s1)] long _longs[],
[in] small _s2,
[in, size_is(_s2)] short _shorts[],
[in] small _s3,
[in, size_is(_s3)] threes_t _threes[]
);
--]]
---Prints out all of the type values on the server side. We are testing for valid
--NDR unidimensional conformant array type packing, as well as IDL to NDR mappings.
-- @param smbstate The smb object.
-- @return (status, result)
--* status == true -> result is a blob that represents
--* status == false -> result is a error message that caused the fuzz.
-- @see [DRAZEN_SVC.idl]
--####################################################################--
function DRAZEN_SVC_TestUniConfArray(smbstate, ptr_s1, longs, ptr_s2, shorts, ptr_s3, threes)
--sanity check
--local prototypes
local pt_longs, pt_shorts, pt_threes ,pt_ptr_s1, pt_ptr_s2, pt_ptr_s3
pt_longs = PT_ConfArr:new({{ptr_s1.ref}, pt_long})
pt_shorts = PT_ConfArr:new({{ptr_s2.ref}, pt_short})
pt_threes = PT_ConfArr:new({{ptr_s3.ref}, pt_three})
pt_ptr_s1 = PT_UniPtr:new(pt_small)
pt_ptr_s2 = PT_UniPtr:new(pt_small)
pt_ptr_s3 = PT_UniPtr:new(pt_small)
--lua to ndr mappings
local ptr_s1_ndr, longs_ndr, ptr_s2_ndr, shorts_ndr, ptr_s3_ndr, threes_ndr
ptr_s1_ndr = NDR_UniPtr:new(ptr_s1, pt_ptr_s1)
longs_ndr = NDR_ConfArr:new(longs, pt_longs)
ptr_s2_ndr = NDR_UniPtr:new(ptr_s2, pt_ptr_s2)
shorts_ndr = NDR_ConfArr:new(shorts, pt_shorts)
ptr_s3_ndr = NDR_UniPtr:new(ptr_s3, pt_ptr_s3)
threes_ndr = NDR_ConfArr:new(threes, pt_threes)
--pack the request
local tuca_ndr;
tuca_ndr = NDR:new()
tuca_ndr:push_uni_ptr(ptr_s1_ndr)
tuca_ndr:push_conf_arr(longs_ndr)
tuca_ndr:push_uni_ptr(ptr_s2_ndr)
tuca_ndr:push_conf_arr(shorts_ndr)
tuca_ndr:push_uni_ptr(ptr_s3_ndr)
tuca_ndr:push_conf_arr(threes_ndr)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestUniConfArray'],
tuca_ndr.push_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestUniConfArray: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestUniConfArray'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--pull the reply
tuca_ndr.pull_blob = call_result.arguments
--pull the out arguments
tuca_ndr:pull_uni_ptr(ptr_s1_ndr)
ptr_s1_ndr:getVal(ptr_s1)
tuca_ndr:pull_conf_arr(longs_ndr)
longs_ndr:getVal(longs)
tuca_ndr:pull_uni_ptr(ptr_s2_ndr)
ptr_s2_ndr:getVal(ptr_s2)
tuca_ndr:pull_conf_arr(shorts_ndr)
shorts_ndr:getVal(shorts)
tuca_ndr:pull_uni_ptr(ptr_s3_ndr)
ptr_s3_ndr:getVal(ptr_s3)
tuca_ndr:pull_conf_arr(threes_ndr)
threes_ndr:getVal(threes)
--return value NDR
local pt_ptr_tuca_struct_t
pt_ptr_tuca_struct_t = PT_UniPtr:new(pt_tuca_struct_t)
local ret_ndr
ret_ndr = NDR_UniPtr:new(nil, pt_ptr_tuca_struct_t)
tuca_ndr:pull_uni_ptr(ret_ndr)
return true, ret_ndr:getVal()
end
--####################################################################--
--[[
void TestUniVarArray(
[in] small _s1,
[in, length_is(_s1)] long _longs[16],
[in] small _s2,
[in, length_is(_s2)] short _shorts[16],
[in] small _s3,
[in, length_is(_s3)] threes_t _threes[16]
);
--]]
---Prints out all of the type values on the server side. We are testing for valid
--NDR unidimensional varying array type packing, as well as IDL to NDR mappings.
-- @param smbstate The smb object.
-- @return (status, result)
--* status == true -> result is a blob that represents
--* status == false -> result is a error message that caused the fuzz.
-- @see [DRAZEN_SVC.idl]
--####################################################################--
function DRAZEN_SVC_TestUniVarArray(smbstate, s1, longs, s2, shorts, s3, threes)
--sanity check
--local prototypes
local pt_longs, pt_shorts, pt_threes
pt_longs = PT_VarArr:new({{s1} ,pt_long})
pt_shorts = PT_VarArr:new({{s2}, pt_short})
pt_threes = PT_VarArr:new({{s3}, pt_three})
--lua to ndr mappings
local s1_ndr, longs_ndr, s2_ndr, shorts_ndr, s3_ndr, threes_ndr
s1_ndr = NDR_Small:new(s1)
longs_ndr = NDR_VarArr:new(longs, pt_longs)
s2_ndr = NDR_Small:new(s2)
shorts_ndr = NDR_VarArr:new(shorts, pt_shorts)
s3_ndr = NDR_Small:new(s3)
threes_ndr = NDR_VarArr:new(threes, pt_threes)
--pack the request
local tuva_ndr;
tuva_ndr = NDR:new()
tuva_ndr:push_small(s1_ndr)
tuva_ndr:push_conf_arr(longs_ndr)
tuva_ndr:push_small(s2_ndr)
tuva_ndr:push_conf_arr(shorts_ndr)
tuva_ndr:push_small(s3_ndr)
tuva_ndr:push_conf_arr(threes_ndr)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestUniVarArray'],
tuva_ndr.push_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestUniVarArray: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestUniVarArray'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--pull the reply
tuva_ndr.pull_blob = call_result.arguments
--pull the out arguments
tuva_ndr:pull_var_arr(longs_ndr)
longs_ndr:getVal(longs)
tuva_ndr:pull_var_arr(shorts_ndr)
shorts_ndr:getVal(shorts)
tuva_ndr:pull_var_arr(threes_ndr)
threes_ndr:getVal(threes)
--return value NDR
local ret_ndr
ret_ndr = NDR_Struct:new(nil, pt_tuva_struct_t)
tuva_ndr:pull_struct(ret_ndr)
return true, ret_ndr:getVal()
end
--####################################################################--
--[[
void TestUniConfVarArray(
[in] small _s1,
[in, size_is(_s1), length_is(_s1)] long _longs[],
[in] small _s2,
[in, size_is(_s2), length_is(_s2)] short _shorts[],
[in] small _s3,
[in, size_is(_s3), length_is(_s3)] threes_t _threes[]
);
--]]
---Prints out all of the type values on the server side. We are testing for valid
--NDR unidimensional conformant and varying array type packing, as well as IDL to NDR mappings.
-- @param smbstate The smb object.
-- @return (status, result)
--* status == true -> result is a blob that represents
--* status == false -> result is a error message that caused the fuzz.
-- @see [DRAZEN_SVC.idl]
--####################################################################--
function DRAZEN_SVC_TestUniConfVarArray(smbstate, s1, longs, s2, shorts, s3, threes)
--sanity checks
--local prototypes
local pt_longs, pt_shorts, pt_threes
pt_longs = PT_ConfVarArr:new({{s1}, pt_long})
pt_shorts = PT_ConfVarArr:new({{s2}, pt_short})
pt_threes = PT_ConfVarArr:new({{s3}, pt_three})
--lua to ndr mappings
local s1_ndr, longs_ndr, s2_ndr, shorts_ndr, s3_ndr, threes_ndr
s1_ndr = NDR_Small:new(s1)
longs_ndr = NDR_ConfVarArr:new(longs, pt_longs)
s2_ndr = NDR_Small:new(s2)
shorts_ndr = NDR_ConfVarArr:new(shorts, pt_shorts)
s3_ndr = NDR_Small:new(s3)
threes_ndr = NDR_ConfVarArr:new(threes, pt_threes)
--pack the request
local tucva_ndr;
tucva_ndr = NDR:new()
tucva_ndr:push_small(s1_ndr)
tucva_ndr:push_conf_var_arr(longs_ndr)
tucva_ndr:push_small(s2_ndr)
tucva_ndr:push_conf_var_arr(shorts_ndr)
tucva_ndr:push_small(s3_ndr)
tucva_ndr:push_conf_var_arr(threes_ndr)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestUniConfVarArray'],
tucva_ndr.push_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestUniConfVarArray: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestUniConfVarArray'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--pull the reply
tucva_ndr.pull_blob = call_result.arguments
--pull the out arguments
tucva_ndr:pull_var_arr(longs_ndr)
longs_ndr:getVal(longs)
tucva_ndr:pull_var_arr(shorts_ndr)
shorts_ndr:getVal(shorts)
tucva_ndr:pull_var_arr(threes_ndr)
threes_ndr:getVal(threes)
--return value NDR
return true
end
function DRAZEN_SVC_TestFixedMulDimArray(smbstate, s1, shorts)
--sanity checks
--local prototypes
local pt_shorts
pt_shorts = PT_FixedArr:new({{3,3,3}, pt_short})
--lua to ndr mappings
local s1_ndr, shorts_ndr
s1_ndr = NDR_Small:new(s1)
shorts_ndr = NDR_FixedArr:new(shorts, pt_shorts)
--pack the request
local tfmda_ndr;
tfmda_ndr = NDR:new()
tfmda_ndr:push_small(s1_ndr)
tfmda_ndr:push_fixed_arr(shorts_ndr)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestFixedMulDimArray'],
tfmda_ndr.push_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestFixedMulDimArray: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestFixedMulDimArray'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--pull the reply
tfmda_ndr.pull_blob = call_result.arguments
--pull the out arguments
tfmda_ndr:pull_fixed_arr(shorts_ndr)
shorts_ndr:getVal(shorts)
--return value NDR
return true
end
function DRAZEN_SVC_TestConfMulDimArray(smbstate, s1, shorts)
--sanity checks
--local prototypes
local pt_shorts
pt_shorts = PT_ConfArr:new({{s1,s1,s1}, pt_short})
--lua to ndr mappings
local s1_ndr, shorts_ndr
s1_ndr = NDR_Small:new(s1)
shorts_ndr = NDR_ConfArr:new(shorts, pt_shorts)
--pack the request
local tcmda_ndr;
tcmda_ndr = NDR:new()
tcmda_ndr:push_small(s1_ndr)
tcmda_ndr:push_conf_arr(shorts_ndr)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestConfMulDimArray'],
tcmda_ndr.push_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestConfMulDimArray: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestConfMulDimArray'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--pull the reply
tcmda_ndr.pull_blob = call_result.arguments
--pull the out arguments
tcmda_ndr:pull_conf_arr(shorts_ndr)
shorts_ndr:getVal(shorts)
--return value NDR
return true
end
function DRAZEN_SVC_TestVarMulDimArray(smbstate, s1, shorts)
--sanity checks
--local prototypes
local pt_shorts
pt_shorts = PT_VarArr:new({{s1,s1,s1}, pt_short})
--lua to ndr mappings
local s1_ndr, shorts_ndr
s1_ndr = NDR_Small:new(s1)
shorts_ndr = NDR_VarArr:new(shorts, pt_shorts)
--pack the request
local tvmda_ndr;
tvmda_ndr = NDR:new()
tvmda_ndr:push_small(s1_ndr)
tvmda_ndr:push_var_arr(shorts_ndr)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestVarMulDimArray'],
tvmda_ndr.push_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestVarMulDimArray: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestVarMulDimArray'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--pull the reply
tvmda_ndr.pull_blob = call_result.arguments
--pull the out arguments
tvmda_ndr:pull_var_arr(shorts_ndr)
shorts_ndr:getVal(shorts)
--return value NDR
return true
end
function DRAZEN_SVC_TestConfVarMulDimArray(smbstate, s1, shorts)
--sanity checks
--local prototypes
local pt_shorts
pt_shorts = PT_ConfVarArr:new({{s1,s1,s1}, pt_short})
--lua to ndr mappings
local s1_ndr, shorts_ndr
s1_ndr = NDR_Small:new(s1)
shorts_ndr = NDR_ConfVarArr:new(shorts, pt_shorts)
--pack the request
local tcvmda_ndr;
tcvmda_ndr = NDR:new()
tcvmda_ndr:push_small(s1_ndr)
tcvmda_ndr:push_conf_var_arr(shorts_ndr)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestConfVarMulDimArray'],
tcvmda_ndr.push_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestConfVarMulDimArray: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestConfVarMulDimArray'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--pull the reply
tcvmda_ndr.pull_blob = call_result.arguments
--pull the out arguments
tcvmda_ndr:pull_conf_var_arr(shorts_ndr)
shorts_ndr:getVal(shorts)
--return value NDR
return true
end
function DRAZEN_SVC_TestStructure1(smbstate, s1, ptr_s_ts1)
--sanity checks
--local prototypes
local pt_ptr_s_ts1
pt_ptr_s_ts1 = PT_RefPtr:new(pt_ts1_struct_t)
--lua to ndr mappings
local s1_ndr, ptr_s_ts1_ndr
s1_ndr = NDR_Small:new(s1)
ptr_s_ts1_ndr = NDR_RefPtr:new(ptr_s_ts1, pt_ptr_s_ts1)
--pack the request
local ts1_ndr;
ts1_ndr = NDR:new()
ts1_ndr:push_small(s1_ndr)
ts1_ndr:push_ref_ptr(ptr_s_ts1_ndr)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestStructure1'],
ts1_ndr.push_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestStructure1: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestStructure1'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--pull the reply
ts1_ndr.pull_blob = call_result.arguments
--pull the out arguments
ts1_ndr:pull_ref_ptr(ptr_s_ts1_ndr)
ptr_s_ts1_ndr:getVal(ptr_s_ts1)
--return value NDR
return true, nil
end
function DRAZEN_SVC_TestStructure2(smbstate, s1, ptr_s_ts2)
--sanity checks
--local prototypes
local pt_ptr_s_ts2
pt_ptr_s_ts2 = PT_RefPtr:new(pt_ts2_struct_t)
--lua to ndr mappings
local s1_ndr, ptr_s_ts2_ndr
s1_ndr = NDR_Small:new(s1)
ptr_s_ts2_ndr = NDR_RefPtr:new(ptr_s_ts2, pt_ptr_s_ts2)
--pack the request
local ts2_ndr;
ts2_ndr = NDR:new()
ts2_ndr:push_small(s1_ndr)
ts2_ndr:push_ref_ptr(ptr_s_ts2_ndr)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestStructure2'],
ts2_ndr.push_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestStructure2: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestStructure2'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--pull the reply
ts2_ndr.pull_blob = call_result.arguments
--pull the out arguments
--ts2_ndr:pull_ref_ptr(ptr_s_ts2_ndr)
--ptr_s_ts2_ndr:getVal(ptr_s_ts2)
--return value NDR
local pt_ret_ndr
pt_ret_ndr = PT_UniPtr:new(pt_ts2_struct_t)
local ret_ndr
ret_ndr = NDR_UniPtr:new(nil, pt_ret_ndr)
ts2_ndr:pull_ref_ptr(ret_ndr)
return true, ret_ndr:getVal()
end
function DRAZEN_SVC_TestStructure3(smbstate, sh1, ts6_struct)
--sanity checks
--local prototypes
--lua to ndr mappings
local sh1_ndr, ts6_struct_ndr
sh1_ndr = NDR_Small:new(sh1)
ts6_struct_ndr = NDR_Struct:new(ts6_struct, pt_test_struct_6)
--pack the request
local ts6_ndr;
ts6_ndr = NDR:new()
ts6_ndr:push_short(sh1_ndr)
ts6_ndr:push_struct(ts6_struct_ndr)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestStructure3'],
ts6_ndr.push_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestStructure3: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestStructure3'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--pull the reply
local rep_blob
rep_blob = call_result
return true, rep_blob
end
function DRAZEN_SVC_TestStructure4(smbstate, sh1, ts7_struct)
--sanity checks
--local prototypes
--lua to ndr mappings
local sh1_ndr, ts7_struct_ndr
sh1_ndr = NDR_Small:new(sh1)
ts7_struct_ndr = NDR_Struct:new(ts7_struct, pt_test_struct_7)
--pack the request
local ts7_ndr;
ts7_ndr = NDR:new()
ts7_ndr:push_short(sh1_ndr)
ts7_ndr:push_struct(ts7_struct_ndr)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestStructure4'],
ts7_ndr.push_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestStructure4: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestStructure4'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--pull the reply
local rep_blob
rep_blob = call_result
return true, rep_blob
end
function DRAZEN_SVC_TestRefPtr1(smbstate, ps, psh, pl, phypers_fix, phypers_conf, phypers_var, phypers_conf_var)
--sanity check
--local prototypes
local pt_ps, pt_psh, pt_pl, pt_phypers_fix, pt_phypers_conf, pt_phypers_var,
pt_phypers_conf_var, pt_hypers_fix, pt_hypers_conf, pt_hypers_var, pt_hypers_conf_var
pt_ps = PT_RefPtr:new(pt_small)
pt_psh = PT_RefPtr:new(pt_short)
pt_pl = PT_RefPtr:new(pt_long)
pt_hypers_fix = PT_FixedArr:new(pt_hyper)
pt_hypers_conf = PT_ConfArr:new(pt_hyper)
pt_hypers_var = PT_VarArr:new(pt_hyper)
pt_hypers_conf_var = PT_ConfVarArr:new(pt_hyper)
pt_phypers_fix = PT_RefPtr:new(pt_hypers_fix)
pt_phypers_conf = PT_RefPtr:new(pt_hypers_conf)
pt_phypers_var = PT_RefPtr:new(pt_hypers_var)
pt_phypers_conf_var = PT_RefPtr:new(pt_hypers_conf_var)
--lua to ndr mappings
local ps_ndr, psh_ndr, pl_ndr, phypers_fix_ndr, phypers_conf_ndr, phypers_var_ndr,
phypers_conf_var_ndr
ps_ndr = NDR_RefPtr:new(ps, pt_ps)
psh_ndr = NDR_RefPtr:new(psh, pt_psh)
pl_ndr = NDR_RefPtr:new(pl, pt_pl)
phypers_fix_ndr = NDR_RefPtr:new(phypers_fix, pt_phypers_fix)
phypers_conf_ndr = NDR_RefPtr:new(phypers_conf, pt_phypers_conf)
phypers_var_ndr = NDR_RefPtr:new(phypers_var, pt_phypers_var)
phypers_conf_var_ndr = NDR_RefPtr:new(phypers_conf_var, pt_phypers_conf_var)
--pack the request
local trp1_ndr;
trp1_ndr = NDR:new()
trp1_ndr:push_ref_ptr(ps_ndr)
trp1_ndr:push_ref_ptr(psh_ndr)
trp1_ndr:push_ref_ptr(pl_ndr)
trp1_ndr:push_ref_ptr(phypers_fix_ndr)
trp1_ndr:push_ref_ptr(phypers_conf_ndr)
trp1_ndr:push_ref_ptr(phypers_var_ndr)
trp1_ndr:push_ref_ptr(phypers_conf_var_ndr)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestRefPtr1'],
trp1_ndr.push_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestRefPtr1: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestRefPtr1'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--pull the reply
local rep_blob
rep_blob = call_result
return true, rep_blob
end
function DRAZEN_SVC_TestRefPtr2(smbstate, trp1t)
--sanity checks
--local prototypes
--lua to ndr mappings
local trp1t_ndr
trp1t_ndr = NDR_Struct:new(trp1t, pt_test_refptr_1)
--pack the request
local trp2_ndr;
trp2_ndr = NDR:new()
trp2_ndr:push_struct(trp1t_ndr)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestRefPtr2'],
trp2_ndr.push_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestRefPtr2: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestRefPtr2'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--pull the reply
local rep_blob
rep_blob = call_result
return true, rep_blob
end
function DRAZEN_SVC_TestAll1(smbstate, sm, smptrs, ptal1, ptal2)
--sanity check
--local prototypes
local pt_psmall, pt_smptrs, pt_ptal1, pt_ptal2
pt_psmall = PT_RefPtr:new(pt_small)
pt_smptrs = PT_FixedArr:new(pt_psmall)
pt_ptal1 = PT_FullPtr:new(pt_test_all_1)
pt_ptal2 = PT_UniPtr:new(pt_test_all_1)
--lua to ndr mappings
local sm_ndr, smptrs_ndr, ptal1_ndr, ptal2_ndr
sm_ndr = NDR_Small:new(sm)
smptrs_ndr = NDR_FixedArr:new(smptrs, pt_smptrs)
ptal1_ndr = NDR_FullPtr:new(ptal1, pt_ptal1)
ptal2_ndr = NDR_UniPtr:new(ptal2, pt_ptal2)
--pack the request
local ta1_ndr;
ta1_ndr = NDR:new()
ta1_ndr:push_small(sm_ndr)
ta1_ndr:push_fixed_arr(smptrs_ndr)
ta1_ndr:push_full_ptr(ptal1_ndr)
ta1_ndr:push_uni_ptr(ptal2_ndr)
--call the function
local status, call_result
status, call_result = msrpc.call_function(
smbstate,
DRAZEN_SVC_Opnums['TestAll1'],
ta1_ndr.push_blob)
--sanity check
if(status == false) then
local error_msg
error_msg = string.format(
"DRAZEN_SVC_TestAll1: Call function [%d] failed: %s",
DRAZEN_SVC_Opnums['TestAll1'],
call_result)
stdnse.print_debug(DRAZEN_SVC_DEBUG_LVL, error_msg)
return false, call_result
end
--pull the reply
local rep_blob
rep_blob = call_result
return true, rep_blob
end