From a9f460a5c8a053c91436fb0be6bd41ae3f491be3 Mon Sep 17 00:00:00 2001
From: manojampalam
Date: Thu, 12 May 2016 19:17:41 -0700
Subject: [PATCH] 5-12 C2
---
 contrib/win32/win32compat/lsa/LsaString.cpp | 8 +-
 contrib/win32/win32compat/lsa/Ssh-lsa.cpp | 417 +++-----------------
 2 files changed, 45 insertions(+), 380 deletions(-)
diff --git a/contrib/win32/win32compat/lsa/LsaString.cpp b/contrib/win32/win32compat/lsa/LsaString.cpp
index 68aebac..65fc04c 100644
--- a/contrib/win32/win32compat/lsa/LsaString.cpp
+++ b/contrib/win32/win32compat/lsa/LsaString.cpp
@@ -37,7 +37,6 @@
 #include
 #endif
-
 #include "LsaString.h"
 #ifdef __VS_BUILD__
@@ -89,8 +88,7 @@ fail:
 LsaApi.FreeLsaHeap((*lsaStr));
 }
-
- DBG_MSG("ERROR. Cannot allocate LSA UNICODE_STRING...\n");
+ }
 return ntStat;
@@ -166,10 +164,6 @@ NTSTATUS FillUnicodeString(UNICODE_STRING *lsaStr, const Char *str)
 fail:
- if (ntStat)
- {
- DBG_MSG("ERROR. Cannot fill UNICODE_STRING...\n");
- }
 return ntStat;
 }
diff --git a/contrib/win32/win32compat/lsa/Ssh-lsa.cpp b/contrib/win32/win32compat/lsa/Ssh-lsa.cpp
index da069bd..2a6a5cb 100644
--- a/contrib/win32/win32compat/lsa/Ssh-lsa.cpp
+++ b/contrib/win32/win32compat/lsa/Ssh-lsa.cpp
@@ -35,12 +35,8 @@
 #define UMDF_USING_NTSTATUS
 #include
-#include
-#include
 #endif
-
-
 #include "Ssh-lsa.h"
 #ifdef __cplusplus
@@ -98,8 +94,7 @@ NTSTATUS NTAPI LsaApInitializePackage(ULONG pkgId, PLSA_STRING confident, PLSA_STRING *pkgName) {
- DBG_ENTRY("LsaApInitializePackage");
-
+ // // Save table with adresses of LSA API functions. //
@@ -110,8 +105,7 @@ NTSTATUS NTAPI LsaApInitializePackage(ULONG pkgId,
 // Allocate buffer for package name. //
- DBG_MSG("Allocating buffer for pkgName...\n");
-
+ *pkgName = (PLSA_STRING) LsaApi.AllocateLsaHeap(sizeof(LSA_STRING));
 (*pkgName) -> Buffer = (PCHAR) LsaApi.AllocateLsaHeap(PKG_NAME_SIZE);
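Review bot: In the `@@ -110,8 +105,7` hunk, `(*pkgName) -> Buffer = (PCHAR) LsaApi.AllocateLsaHeap(PKG_NAME_SIZE);` dereferences the result of the preceding `AllocateLsaHeap(sizeof(LSA_STRING))` without a NULL check, and the next hunk then `memcpy`s into `Buffer` on the same assumption, so an allocation failure during package initialization would fault inside LSASS instead of being reported. Checking both results keeps the failure local: `if (*pkgName == NULL) return STATUS_NO_MEMORY;` after the first allocation and `if ((*pkgName) -> Buffer == NULL) { LsaApi.FreeLsaHeap(*pkgName); *pkgName = NULL; return STATUS_NO_MEMORY; }` after the second. LsaApInitializePackage continues past the end of this hunk.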
@@ -120,29 +114,14 @@ NTSTATUS NTAPI LsaApInitializePackage(ULONG pkgId, // Fill buffer with our name. // - DBG_MSG("Setting up pkgName...\n"); - + memcpy((*pkgName) -> Buffer, PKG_NAME, PKG_NAME_SIZE); (*pkgName) -> Length = PKG_NAME_SIZE - 1; (*pkgName) -> MaximumLength = PKG_NAME_SIZE; - - // - // Initialize OpenSSL lib. - // - - DBG_MSG("Initializing OpenSSL...\n"); - - OPENSSL(SSL_library_init()); - - DBG_MSG("Initializing OpenSSL digest table...\n"); - - OPENSSL(OpenSSL_add_all_digests()); - - - DBG_LEAVE("LsaApInitializePackage"); + return STATUS_SUCCESS; } @@ -175,8 +154,7 @@ fail: if (exitCode) { - DBG_MSG("ERROR. Cannot to copy SID.\n"); - } + } return exitCode; } @@ -193,8 +171,7 @@ fail: Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token) { - DBG_ENTRY("LsaAllocTokenInfo"); - + Int exitCode = 1; DWORD cbSize = 0; @@ -215,8 +192,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token) // Allocate LSA_TOKEN_INFORMATION_V1 struct for output, // - DBG_MSG("Allocating LSA_TOKEN_INFORMATION_V1 buffer...\n"); - + tokenInfo = (PLSA_TOKEN_INFORMATION_V1) LsaApi.AllocateLsaHeap(sizeof(LSA_TOKEN_INFORMATION_V1)); @@ -228,8 +204,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token) // becouse SIDs must be allocated as separately memory blocks. // - DBG_MSG("Copying TOKEN_USER...\n"); - + GetTokenInformation(token, TokenUser, NULL, 0, &cbSize); pUserToken = (PTOKEN_USER) LocalAlloc(LPTR, cbSize); @@ -245,8 +220,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token) // Copy TOKEN_GROUPS part from input token. // - DBG_MSG("Copying TOKEN_GROUP...\n"); - + GetTokenInformation(token, TokenGroups, NULL, 0, &cbSize); pGroupsToken = (PTOKEN_GROUPS) LocalAlloc(LPTR, cbSize); 
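Review bot: In the `@@ -175,8 +154,7` hunk the `fail:` path keeps `if (exitCode) { }` after its only statement was removed, so the condition is evaluated for nothing; deleting the whole `if` and leaving just `return exitCode;` says what the code now does. The same empty body survives in LsaAllocTokenInfo's `fail:` block in `@@ -352,153`, and the `else { }` branch in `@@ -749,8` can be dropped the same way. The functions these blocks belong to start outside their hunks.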
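Review bot: In the `@@ -228,8 +204,7` hunk the size probe `GetTokenInformation(token, TokenUser, NULL, 0, &cbSize);` and the following `pUserToken = (PTOKEN_USER) LocalAlloc(LPTR, cbSize);` are both unchecked: if the probe fails for a reason other than an insufficient buffer, `cbSize` (declared as 0 earlier in the function) may still be 0, and a NULL return from LocalAlloc then feeds the copy that follows outside the hunk. Adding `FAIL(cbSize == 0);` after the probe and `FAIL(pUserToken == NULL);` after the allocation stays within the function's existing goto-cleanup style. The same two-step pattern is repeated without checks for TOKEN_GROUPS in `@@ -245,8`, TOKEN_PRIVILEGES in `@@ -275,8`, TOKEN_OWNER in `@@ -288,8` and TOKEN_PRIMARY_GROUP in `@@ -303,8`. LsaAllocTokenInfo's body continues outside each of these hunks.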
@@ -275,8 +249,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token) // in this struct, so we can retrieve it directly to output buffer. // - DBG_MSG("Retrieving TOKEN_PRIVILEGES directly...\n"); - + GetTokenInformation(token, TokenPrivileges, NULL, 0, &cbSize); tokenInfo -> Privileges = (PTOKEN_PRIVILEGES) LsaApi.AllocateLsaHeap(cbSize); @@ -288,8 +261,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token) // Copy TOKEN_OWNER part from input token. // - DBG_MSG("Copying TOKEN_OWNER...\n"); - + GetTokenInformation(token, TokenOwner, NULL, 0, &cbSize); pOwnerToken = (PTOKEN_OWNER) LocalAlloc(LPTR, cbSize); @@ -303,8 +275,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token) // Copy TOKEN_PRIMARY_GROUP part from input token. // - DBG_MSG("Copying TOKEN_PRIMARY_GROUP...\n"); - + GetTokenInformation(token, TokenPrimaryGroup, NULL, 0, &cbSize); pPrimaryGroupToken = (PTOKEN_PRIMARY_GROUP) LocalAlloc(LPTR, cbSize); @@ -319,8 +290,7 @@ Int LsaAllocTokenInfo(PLSA_TOKEN_INFORMATION_V1 &tokenInfo, HANDLE token) // Copy TOKEN_DEFAULT_DACL part from input token. // - DBG_MSG("Retrieving TOKEN_DEFAULT_DACL...\n"); - + //GetTokenInformation(token, TokenDefaultDacl, NULL, 0, &cbSize); //pDaclToken = (PTOKEN_DEFAULT_DACL) LocalAlloc(LPTR, cbSize); 
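Review bot: In the `@@ -319,8 +290,7` hunk the banner still reads `Copy TOKEN_DEFAULT_DACL part from input token.` while both statements under it (`//GetTokenInformation(token, TokenDefaultDacl, ...)` and `//pDaclToken = ...`) are commented out, so a reader is told the default DACL is copied when, as far as this hunk shows, it is not. Either delete the commented-out lines and reword the banner to state the actual behaviour, e.g. `// TOKEN_DEFAULT_DACL is deliberately not copied here: <reason>` with the reason filled in, or restore the copy. The code that would consume `tokenInfo -> DefaultDacl` is outside the hunk, so I cannot tell which of the two is intended.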
@@ -352,153 +322,12 @@ fail: if (exitCode) { - DBG_MSG("ERROR. Cannot allocate token information.\n"); - } - - DBG_LEAVE("LsaAllocTokenInfo"); + } + return exitCode; } -// -// This function performs user authorization. -// -// homedir - user's home dir if authorized success (OUT) -// token - handle to user access token (IN) -// auth - SshLsaAuth struct with authorization data (IN) -// -// RETURNS: 0 if OK. -// - -Int AuthorizeUser(wchar_t homeDir[MAX_PATH], HANDLE token, SshLsaAuth *auth) -{ - DBG_ENTRY("AuthorizeUser"); - - Int exitCode = 1; - - Int authorized = 0; - - PROFILEINFOW profile = {sizeof(PROFILEINFOW)}; - - Key *key = NULL; - - wchar_t keyFileName[MAX_PATH]; - - wchar_t *nextFile = NULL; - - //Char homeDir[MAX_PATH]; - - DWORD homeDirSize = MAX_PATH; - - // - // Compute adressess of SshLsaAuth fields. - // - - BYTE *userPtr = (BYTE *) &(auth -> buf_); - BYTE *signPtr = (BYTE *) userPtr + auth -> userSize_; - BYTE *dataPtr = (BYTE *) signPtr + auth -> signSize_; - BYTE *blobPtr = (BYTE *) dataPtr + auth -> dataSize_; - BYTE *authPtr = (BYTE *) blobPtr + auth -> pkBlobSize_; - - // - // Create Key struct from pkBlob. - // - - DBG_MSG("Reproduce Key struct from blob...n"); - - FAIL(KeyFromBlob(key, blobPtr, auth -> pkBlobSize_)); - - FAIL(key == NULL); - - // - // Retrieve user's home directory. - // - - DBG_MSG("Retrieving user's homedir..."); - - profile.lpUserName = (wchar_t *) userPtr; - - FAIL(LoadUserProfileW(token, &profile) == FALSE); - - FAIL(GetUserProfileDirectoryW(token, homeDir, &homeDirSize) == FALSE); - - // - // Try authorize using authkey files given by ssh. - // - - nextFile = (wchar_t *) authPtr; - - for (Unsigned Int i = 0; Not(authorized) && i < auth -> authFilesCount_; i++) - { - wchar_t *fileToCheck = nextFile; - - DBG_MSG("Trying keys from [%ls]...\n", nextFile); - - // - // Expand relative paths to user homedir like openssh do. 
- // - - if (wcschr(nextFile, ':') == NULL) - { - DBG_MSG("Expanding relative path to user homedir.\n"); -#ifndef __VS_BUILD__ - snwprintf(keyFileName, sizeof(keyFileName), - L"%ls\\%ls", homeDir, nextFile); -#else - _snwprintf(keyFileName, sizeof(keyFileName), - L"%ls\\%ls", homeDir, nextFile); -#endif - - fileToCheck = keyFileName; - } - - // - // Try to find key in next 'authorized_key' file. - // - - if(FindKeyInFile(fileToCheck, key) == 0) - { - // - // Verify given key. - // - - DBG_MSG("Veryfing key...\n"); - - authorized = (VerifyKey(key, signPtr, auth -> signSize_, - dataPtr, auth -> dataSize_, - auth -> dataFellow_) == 0); - } - - // - // Go to next file in list. - // - - nextFile = wcschr(nextFile, 0) + sizeof(wchar_t); - } - - FAIL(Not(authorized)); - - exitCode = 0; - -fail: - - if (exitCode) - { - DBG_MSG("ERROR. Auhtorization failed (%u).\n", GetLastError()); - - // - // If authorization error clear homedir. - // - - ZeroMemory(homeDir, MAX_PATH); - } - - UnloadUserProfile(token, profile.hProfile); - - DBG_LEAVE("AuthorizeUser"); - - return exitCode; -} // // Called, when client logon process want logon user. @@ -527,8 +356,7 @@ NTSTATUS NTAPI PLSA_UNICODE_STRING *accountName, PLSA_UNICODE_STRING *authority) { - DBG_ENTRY("LsaApLogonUser"); - + NTSTATUS ntStat = STATUS_LOGON_FAILURE; Int exitCode = 1; @@ -538,8 +366,6 @@ NTSTATUS NTAPI // wchar_t *inUserName = NULL; - - SshLsaAuth *auth = (SshLsaAuth *) authData; // // Buffers used for retrieving user auth data from SAM database. 
@@ -579,38 +405,20 @@ NTSTATUS NTAPI // Check are input args ok? // - DBG_MSG("Checking input args...\n"); + + inUserName = (wchar_t *) (((char*)authData)+4); + - FAIL(auth == NULL); - - FAIL(auth -> buf_ == NULL); - - inUserName = (wchar_t *) auth -> buf_; - - DBG_MSG("Checking SshLsaAuth size...\n"); - - FAIL(auth -> totalSize_ != authDataSize); - - DBG_MSG("logonType = %u\n", logonType); - - DBG_MSG("userName = [%ls]\n", inUserName); - + + // // Get info about client process. // - DBG_MSG("Retreving info about client process...\n"); - + NTFAIL(LsaApi.GetClientInfo(&clientInfo)); - DBG_MSG("Client info:\n"); - DBG_MSG(" LogonId : %d\n", clientInfo.LogonId); - DBG_MSG(" ProcessID : %d\n", clientInfo.ProcessID); - DBG_MSG(" ThreadID : %d\n", clientInfo.ThreadID); - DBG_MSG(" HasTcbPrivilege : %d\n", clientInfo.HasTcbPrivilege); - DBG_MSG(" Impersonating : %d\n", clientInfo.Impersonating); - DBG_MSG(" Restricted : %d\n", clientInfo.Restricted); - + // // Fail if client has not got SeTcbPrivilege. // @@ -621,8 +429,7 @@ NTSTATUS NTAPI // Allocate buffers. // - DBG_MSG("Allocating string buffers...\n"); - + NTFAIL(LsaAllocUnicodeString(authority, MAX_ACCOUNT_NAME_SIZE)); NTFAIL(LsaAllocUnicodeString(accountName, MAX_ACCOUNT_NAME_SIZE)); NTFAIL(LsaAllocUnicodeString(&flatName, MAX_ACCOUNT_NAME_SIZE)); @@ -631,8 +438,7 @@ NTSTATUS NTAPI // Retrieve user data from SAM base. // - DBG_MSG("GetAuthDataForUser()...\n"); - + lstrcpyW(samUserBuf, inUserName); samUserBuf[MAX_ACCOUNT_NAME_SIZE] = 0x00; @@ -642,14 +448,12 @@ NTSTATUS NTAPI NTFAIL(LsaApi.GetAuthDataForUser(&samUser, SecNameFlat, NULL, &userAuth, &userAuthSize, flatName)); - DBG_MSG("userAuthSize = %u\n", userAuthSize); - + // // Create token basing on SAM data. // - DBG_MSG("ConvertAuthDataToToken()...\n"); - + memcpy (tokenSource.SourceName, "_sshlsa_", 8); AllocateLocallyUniqueId(&tokenSource.SourceIdentifier); 
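Review bot: In the `@@ -579,38 +405,20` hunk the new `inUserName = (wchar_t *) (((char*)authData)+4);` replaces the removed `FAIL(auth == NULL)`, `FAIL(auth -> buf_ == NULL)` and `FAIL(auth -> totalSize_ != authDataSize)` checks with nothing, so the caller-supplied buffer is now used without a NULL check, without being compared against `authDataSize`, and without any guarantee that the wide string at offset 4 is terminated inside the buffer before the unbounded `lstrcpyW(samUserBuf, inUserName)` in the `@@ -631,8` hunk reads it. Keeping the guards is cheap: `FAIL(authData == NULL || authDataSize <= 4);` before the assignment and `FAIL(wcsnlen(inUserName, (authDataSize - 4) / sizeof(wchar_t)) == (authDataSize - 4) / sizeof(wchar_t));` after it. The literal 4 also replaces the named `buf_` member the old code used; a struct shared with the client, or at least a named offset constant, would let the compiler check the layout instead of a comment. LsaApLogonUser begins and ends outside this hunk.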
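Review bot: In the `@@ -631,8 +438,7` hunk `lstrcpyW(samUserBuf, inUserName);` copies with no length bound, and the following `samUserBuf[MAX_ACCOUNT_NAME_SIZE] = 0x00;` terminates only after the copy has already run past the end for a name longer than MAX_ACCOUNT_NAME_SIZE characters. Assuming samUserBuf holds MAX_ACCOUNT_NAME_SIZE + 1 wide characters, which the existing terminator write suggests, `lstrcpynW(samUserBuf, inUserName, MAX_ACCOUNT_NAME_SIZE + 1);` bounds the copy and keeps the terminator, after which the explicit `= 0x00` line is redundant. The declaration of samUserBuf is outside the hunk, so its size should be confirmed there.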
@@ -664,28 +468,17 @@ NTSTATUS NTAPI // Print token info. // - DBG_PRINT_TOKEN(token); - // - // Perform authorization and retrieve homeDir if success. - // - - DBG_MSG("Performing authorization...\n"); - - FAIL(AuthorizeUser(homeDir, token, auth)); - // // Allocate client buffer and copy home dir to it. // - DBG_MSG("Filling profile buffer...\n"); - + NTFAIL(LsaApi.AllocateClientBuffer(request, MAX_PATH * sizeof(wchar_t), profile)); *profileSize = MAX_PATH; - DBG_MSG("homeDir = %ls\n", homeDir); - + NTFAIL(LsaApi.CopyToClientBuffer(request, MAX_PATH * sizeof(wchar_t), *profile, homeDir)); @@ -695,8 +488,7 @@ NTSTATUS NTAPI // here. // - DBG_MSG("Creating token infos for LSA output...\n"); - + PLSA_TOKEN_INFORMATION_V1 outTokenInfo; FAIL(LsaAllocTokenInfo(outTokenInfo, token)); @@ -709,24 +501,9 @@ NTSTATUS NTAPI // Duplicate token from lsa space to client space. // - DBG_MSG("Duplicating token into client space...\n"); - + NTFAIL(LsaApi.DuplicateHandle(token, &clientToken)); - // - // Create new logon session. - // - - /* - DBG_MSG("Creating new logon session...\n"); - - FAIL(AllocateLocallyUniqueId(logonId) == FALSE); - - *subStat = LsaApi.CreateLogonSession(logonId); - - FAIL(*subStat); - */ - ntStat = STATUS_SUCCESS; exitCode = 0; @@ -735,9 +512,6 @@ fail: if (exitCode) { - DBG_MSG("ERROR. Cannot logon user " - "(err = %u, ntStat = %x, subNtStat = %x).\n", - GetLastError(), ntStat, *subStat); ntStat = STATUS_LOGON_FAILURE; @@ -749,8 +523,7 @@ fail: } else { - DBG_MSG("LsaApLogonUser : OK.\n"); - } + } // // Cleanup temporary buffers. @@ -758,12 +531,10 @@ fail: CloseHandle(token); - DBG_MSG("Freeing temp buffers...\n"); - + LsaFreeUnicodeString(flatName); - DBG_LEAVE("LsaApLogonUser"); - + return ntStat; } @@ -775,8 +546,7 @@ fail: VOID NTAPI LsaApLogonTerminated(PLUID logonId) { - DBG_MSG("LsaApLogonTerminated(id = %d)...\n", *logonId); -} + } // 
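Review bot: In the `@@ -664,28 +468,17` hunk, removing `FAIL(AuthorizeUser(homeDir, token, auth));` takes away the only visible writer of `homeDir`, yet the surviving `LsaApi.CopyToClientBuffer(request, MAX_PATH * sizeof(wchar_t), *profile, homeDir)` still sends MAX_PATH wide characters of it to the client; unless homeDir is initialised in the part of LsaApLogonUser outside the hunk, that copies uninitialised LSASS stack memory into the client's profile buffer. At minimum the buffer should be zeroed where it is declared (`wchar_t homeDir[MAX_PATH] = {0};`, judging by AuthorizeUser's old signature) or with a ZeroMemory before the copy, and `*profileSize = MAX_PATH;` does not agree with the byte count `MAX_PATH * sizeof(wchar_t)` passed to AllocateClientBuffer and CopyToClientBuffer, so one of the two units needs correcting. Together with the function deleted in `@@ -352,153`, the package no longer performs the key-based check of the caller's claim and relies entirely on the SeTcbPrivilege test that sits outside this hunk; that trust assumption deserves a comment at the top of LsaApLogonUser and a line in the commit message, which currently says only `5-12 C2`.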
@@ -800,18 +570,13 @@ BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpRes) // Initialize log. // - DBG_INIT(NULL); - - DBG_MSG("DllMain -> DLL_PROCESS_ATTACH\n"); - - DBG_MSG("[SSH-LSA-%s]\n", VERSION); - + + // // Load 'ntdll.dll' module. // - DBG_MSG("Loading 'ntdll.dll' module...\n"); - + NtDll = GetModuleHandle("ntdll.dll"); FAIL(NtDll == NULL); 
@@ -820,80 +585,12 @@ BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpRes) // Load RtlInitUnicodeString() function from 'ntdll.dll'. // - DBG_MSG("Retrieving 'RtlInitUnicodeString' address...\n"); - + RtlInitUnicodeString = (RtlInitUnicodeStringPtr) GetProcAddress(NtDll, "RtlInitUnicodeString"); FAIL(RtlInitUnicodeString == NULL); - // - // This code is code for dynamic, 'on the fly' OpenSSL libs loading. - // - - #ifdef DYNAMIC_OPENSSL - - // - // Load 'libssl.dll' module. - // - - DBG_MSG("Loading 'libssl.dll' module...\n"); - - LibSSL = LoadLibrary("libssl.dll"); - - FAIL(LibSSL == NULL); - - // - // Load 'libcrypto.dll' module. - // - - DBG_MSG("Loading 'libcrypto.dll' module...\n"); - - LibCrypto = LoadLibrary("libcrypto.dll"); - - FAIL(LibCrypto == NULL); - - // - // Load 'libSSL.dll' functions. - // - - DynSSL.SSL_library_init = (SSL_library_init_Ptr) GetProcAddress(LibSSL, "SSL_library_init"); - - // - // Load 'libcrypto.dll' functions. - // - - DynSSL.EVP_sha1 = (EVP_sha1_Ptr) GetProcAddress(LibCrypto, "EVP_sha1"); - DynSSL.EVP_DigestInit = (EVP_DigestInit_Ptr) GetProcAddress(LibCrypto, "EVP_DigestInit"); - DynSSL.EVP_DigestFinal = (EVP_DigestFinal_Ptr) GetProcAddress(LibCrypto, "EVP_DigestFinal"); - DynSSL.EVP_DigestUpdate = (EVP_DigestUpdate_Ptr) GetProcAddress(LibCrypto, "EVP_DigestUpdate"); - DynSSL.EVP_Digest = (EVP_Digest_Ptr) GetProcAddress(LibCrypto, "EVP_Digest"); - - DynSSL.EVP_get_digestbyname = (EVP_get_digestbyname_Ptr) GetProcAddress(LibCrypto, "EVP_get_digestbyname"); - - DynSSL.DSA_SIG_free = (DSA_SIG_free_Ptr) GetProcAddress(LibCrypto, "DSA_SIG_free"); - DynSSL.DSA_SIG_new = (DSA_SIG_new_Ptr) GetProcAddress(LibCrypto, "DSA_SIG_new"); - DynSSL.DSA_do_verify = (DSA_do_verify_Ptr) GetProcAddress(LibCrypto, "DSA_do_verify"); - DynSSL.DSA_new = (DSA_new_Ptr) GetProcAddress(LibCrypto, "DSA_new"); - DynSSL.DSA_free = (DSA_free_Ptr) GetProcAddress(LibCrypto, "DSA_free"); - - DynSSL.RSA_size = (RSA_size_Ptr) 
GetProcAddress(LibCrypto, "RSA_size"); - DynSSL.RSA_new = (RSA_new_Ptr) GetProcAddress(LibCrypto, "RSA_new"); - DynSSL.RSA_free = (RSA_free_Ptr) GetProcAddress(LibCrypto, "RSA_free"); - - DynSSL.BN_new = (BN_new_Ptr) GetProcAddress(LibCrypto, "BN_new"); - DynSSL.BN_bin2bn = (BN_bin2bn_Ptr) GetProcAddress(LibCrypto, "BN_bin2bn"); - DynSSL.BN_num_bits = (BN_num_bits_Ptr) GetProcAddress(LibCrypto, "BN_num_bits"); - DynSSL.BN_cmp = (BN_cmp_Ptr) GetProcAddress(LibCrypto, "BN_cmp"); - - DynSSL.RSA_public_decrypt = (RSA_public_decrypt_Ptr) GetProcAddress(LibCrypto, "RSA_public_decrypt"); - - DynSSL.OBJ_nid2sn = (OBJ_nid2sn_Ptr) GetProcAddress(LibCrypto, "OBJ_nid2sn"); - - DynSSL.OpenSSL_add_all_digests = (OpenSSL_add_all_digests_Ptr) GetProcAddress(LibCrypto, "OpenSSL_add_all_digests"); - - #endif - break; } @@ -903,18 +600,8 @@ BOOL APIENTRY DllMain(HINSTANCE hModule, DWORD dwReason, LPVOID lpRes) case DLL_PROCESS_DETACH: { - DBG_MSG("DllMain -> DLL_PROCESS_DETACH\n"); - + FreeModule(NtDll); - - - #ifdef DYNAMIC_OPENSSL - - FreeModule(LibCrypto); - - FreeModule(LibSSL); - - #endif } } @@ -924,18 +611,8 @@ fail: if (exitCode == FALSE) { - DBG_MSG("ERROR. Cannot initialize DLL (%u).\n", GetLastError()); - + FreeModule(NtDll); - - - #ifdef DYNAMIC_OPENSSL - - FreeModule(LibCrypto); - - FreeModule(LibSSL); - - #endif } return exitCode; @@ -953,9 +630,7 @@ NTSTATUS NTAPI LsaApCallPackagePassthrough(PLSA_CLIENT_REQUEST request, PULONG outBufSize, PNTSTATUS status) { - DBG_ENTRY("LsaApCallPackagePassthrough("); - DBG_LEAVE("LsaApCallPackagePassthrough("); - + return STATUS_NOT_IMPLEMENTED; } @@ -971,9 +646,7 @@ NTSTATUS NTAPI LsaApCallPackageUntrusted(PLSA_CLIENT_REQUEST request, PULONG outBufSize, PNTSTATUS status) { - DBG_ENTRY("LsaApCallPackageUntrusted"); - DBG_LEAVE("LsaApCallPackageUntrusted"); - + return STATUS_NOT_IMPLEMENTED; } 
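Review bot: In the `@@ -903,18 +600,8` hunk the DLL_PROCESS_DETACH branch keeps `FreeModule(NtDll);` even though NtDll was obtained in the `@@ -800,18` hunk with `GetModuleHandle("ntdll.dll")`, which does not take a reference on the module, so FreeModule releases a reference this code never acquired. The same unbalanced call remains in the `fail:` path of the `@@ -924,18` hunk. In practice ntdll is never unloaded, so the effect is hidden, but the clean fix is to drop both calls or, if a reference is really wanted, to acquire the handle with LoadLibrary. DllMain starts outside these hunks.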
@@ -986,9 +659,7 @@ NTSTATUS NTAPI LsaApCallPackage(PLSA_CLIENT_REQUEST request, PVOID submitBuf, PVOID *outBuf, PULONG outBufSize, PNTSTATUS status) { - DBG_ENTRY("LsaApCallPackage"); - DBG_LEAVE("LsaApCallPackage"); - + return STATUS_NOT_IMPLEMENTED; }