epan/dissectors/packet-dcom-remact.c

   1 /* packet-dcom-remact.c
   2  * Routines for DCOM Remote Activation
   3  * Copyright 2001, Todd Sabin <tas@webspan.net>
   4  *
   5  * Wireshark - Network traffic analyzer
   6  * By Gerald Combs <gerald@wireshark.org>
   7  * Copyright 1998 Gerald Combs
   8  *
   9  * SPDX-License-Identifier: GPL-2.0-or-later
  10  */
  11
  12 /* see packet-dcom.c for details about DCOM */
  13
  14 #include "config.h"
  15
  16 #include <epan/packet.h>
  17 #include "packet-dcerpc.h"
  18 #include "packet-dcom.h"
  19
  20
  21 void proto_register_remact(void);
  22 void proto_reg_handoff_remact(void);
  23
  24 static int hf_remact_opnum;
  25
  26 static int hf_remact_requested_protseqs;
  27 static int hf_remact_protseqs;
  28 static int hf_remact_interfaces;
  29 static int hf_remact_mode;
  30 static int hf_remact_client_impl_level;
  31 static int hf_remact_object_name;
  32 static int hf_remact_object_storage;
  33 static int hf_remact_interface_data;
  34
  35 static int hf_remact_oxid_bindings;
  36 static int hf_remact_authn_hint;
  37
  38
  39 static int proto_remact;
  40 static int ett_remact;
  41 static e_guid_t uuid_remact = { 0x4d9f4ab8, 0x7d1c, 0x11cf, { 0x86, 0x1e, 0x00, 0x20, 0xaf, 0x6e, 0x7c, 0x57 } };
  42 static uint16_t ver_remact;
  43
  44
  45 static int
  46 dissect_remact_remote_activation_rqst(tvbuff_t *tvb, int offset,
  47                                       packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
  48 {
  49         uint32_t u32ClientImpLevel;
  50         uint32_t u32Mode;
  51         uint32_t u32Interfaces;
  52         uint32_t u32Pointer;
  53         uint32_t u32ArraySize;
  54         uint32_t u32ItemIdx;
  55         uint16_t u16ProtSeqs;
  56         e_guid_t clsid;
  57         e_guid_t iid;
  58
  59         char    szObjName[1000] = { 0 };
  60         uint32_t u32ObjNameLen = sizeof(szObjName);
  61
  62         offset = dissect_dcom_this(tvb, offset, pinfo, tree, di, drep);
  63
  64         offset = dissect_dcom_append_UUID(tvb, offset, pinfo, tree, di, drep,
  65                                           hf_dcom_clsid, -1, &clsid);
  66
  67         offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, di, drep,
  68                                              &u32Pointer);
  69         if (u32Pointer) {
  70                 offset = dissect_dcom_BSTR(tvb, offset, pinfo, tree, di, drep,
  71                                            hf_remact_object_name, szObjName, u32ObjNameLen);
  72         }
  73
  74         offset = dissect_dcom_PMInterfacePointer(tvb, offset, pinfo, tree, di, drep,
  75                                                  hf_remact_object_storage, NULL /* XXX */);
  76
  77         offset = dissect_dcom_DWORD(tvb, offset, pinfo, tree, di, drep,
  78                                     hf_remact_client_impl_level, &u32ClientImpLevel);
  79         offset = dissect_dcom_DWORD(tvb, offset, pinfo, tree, di, drep,
  80                                     hf_remact_mode, &u32Mode);
  81
  82         /* Interfaces */
  83         offset = dissect_dcom_DWORD(tvb, offset, pinfo, tree, di, drep,
  84                                     hf_remact_interfaces, &u32Interfaces);
  85         offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, di, drep,
  86                                              &u32Pointer);
  87         if (u32Pointer) {
  88                 offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, di, drep,
  89                                                         &u32ArraySize);
  90                 u32ItemIdx = 1;
  91                 while (u32Interfaces--) {
  92                         offset = dissect_dcom_append_UUID(tvb, offset, pinfo, tree, di, drep,
  93                                                           hf_dcom_iid, u32ItemIdx, &iid);
  94
  95                         u32ItemIdx++;
  96                 }
  97         }
  98
  99         offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, di, drep,
 100                                    hf_remact_requested_protseqs, &u16ProtSeqs);
 101
 102         offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, di, drep,
 103                                                 &u32ArraySize);
 104         u32ItemIdx = 1;
 105         while (u32ArraySize--) {
 106                 offset = dissect_dcom_WORD(tvb, offset, pinfo, tree, di, drep,
 107                                            hf_remact_protseqs, &u16ProtSeqs);
 108                 u32ItemIdx++;
 109         }
 110
 111         return offset;
 112 }
 113
 114
 115 static int
 116 dissect_remact_remote_activation_resp(tvbuff_t *tvb, int offset,
 117                                       packet_info *pinfo, proto_tree *tree, dcerpc_info *di, uint8_t *drep)
 118 {
 119         uint32_t        u32Pointer;
 120         e_guid_t ipid;
 121         uint32_t        u32AuthnHint;
 122         uint16_t        u16VersionMajor;
 123         uint16_t        u16VersionMinor;
 124         uint32_t        u32HResult;
 125         uint32_t u32ArraySize;
 126         uint32_t u32Idx;
 127         uint32_t        u32VariableOffset;
 128
 129
 130         offset = dissect_dcom_that(tvb, offset, pinfo, tree, di, drep);
 131
 132         offset = dissect_dcom_ID(tvb, offset, pinfo, tree, di, drep,
 133                                  hf_dcom_oxid, NULL);
 134         offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, di, drep,
 135                                              &u32Pointer);
 136         if (u32Pointer) {
 137                 offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, di, drep,
 138                                                         &u32ArraySize);
 139                 offset = dissect_dcom_DUALSTRINGARRAY(tvb, offset, pinfo, tree, di, drep,
 140                                                       hf_remact_oxid_bindings, NULL);
 141         }
 142
 143         offset = dissect_dcom_UUID(tvb, offset, pinfo, tree, di, drep,
 144                                    hf_dcom_ipid, &ipid);
 145         offset = dissect_dcom_DWORD(tvb, offset, pinfo, tree, di, drep,
 146                                     hf_remact_authn_hint, &u32AuthnHint);
 147         offset = dissect_dcom_COMVERSION(tvb, offset, pinfo, tree, di, drep,
 148                                          &u16VersionMajor, &u16VersionMinor);
 149
 150         offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, di, drep,
 151                                       &u32HResult);
 152
 153         offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, di, drep,
 154                                                 &u32ArraySize);
 155         u32VariableOffset = offset + u32ArraySize * 4;
 156         while (u32ArraySize--) {
 157                 offset = dissect_dcom_dcerpc_pointer(tvb, offset, pinfo, tree, di, drep,
 158                                                      &u32Pointer);
 159                 if (u32Pointer) {
 160                         u32VariableOffset = dissect_dcom_MInterfacePointer(tvb, u32VariableOffset, pinfo, tree, di, drep,
 161                                                                            hf_remact_interface_data, NULL /* XXX */);
 162                 }
 163         }
 164         offset = u32VariableOffset;
 165
 166         offset = dissect_dcom_dcerpc_array_size(tvb, offset, pinfo, tree, di, drep,
 167                                                 &u32ArraySize);
 168         u32Idx = 1;
 169         while (u32ArraySize--) {
 170                 offset = dissect_dcom_indexed_HRESULT(tvb, offset, pinfo, tree, di, drep,
 171                                                       &u32HResult, u32Idx);
 172                 /* update column info now */
 173                 col_append_fstr(pinfo->cinfo, COL_INFO, " %s[%u]",
 174                                 val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)"),
 175                                 u32Idx);
 176                 u32Idx++;
 177         }
 178
 179         offset = dissect_dcom_HRESULT(tvb, offset, pinfo, tree, di, drep,
 180                                       &u32HResult);
 181
 182         /* update column info now */
 183         col_append_fstr(pinfo->cinfo, COL_INFO, " -> %s",
 184                         val_to_str(u32HResult, dcom_hresult_vals, "Unknown (0x%08x)"));
 185
 186         return offset;
 187 }
 188
 189
 190 static const dcerpc_sub_dissector remact_dissectors[] = {
 191         { 0, "RemoteActivation", dissect_remact_remote_activation_rqst, dissect_remact_remote_activation_resp },
 192         { 0, NULL, NULL, NULL },
 193 };
 194
 195
 196 void
 197 proto_register_remact (void)
 198 {
 199         static hf_register_info hf_remact[] = {
 200                 { &hf_remact_opnum,
 201                   { "Operation", "remact.opnum", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
 202
 203                 { &hf_remact_requested_protseqs,
 204                   { "RequestedProtSeqs", "remact.req_prot_seqs", FT_UINT16, BASE_DEC, NULL, 0x0, NULL, HFILL }},
 205                 { &hf_remact_protseqs,
 206                   { "ProtSeqs", "remact.prot_seqs", FT_UINT16, BASE_DEC, VALS(dcom_protseq_vals), 0x0, NULL, HFILL }},
 207                 { &hf_remact_interfaces,
 208                   { "Interfaces", "remact.interfaces", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
 209                 { &hf_remact_mode,
 210                   { "Mode", "remact.mode", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
 211                 { &hf_remact_client_impl_level,
 212                   { "ClientImplLevel", "remact.client_impl_level", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
 213                 { &hf_remact_object_name,
 214                   { "ObjectName", "remact.object_name", FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
 215                 { &hf_remact_object_storage,
 216                   { "ObjectStorage", "remact.object_storage", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
 217                 { &hf_remact_interface_data,
 218                   { "InterfaceData", "remact.interface_data", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
 219
 220                 { &hf_remact_oxid_bindings,
 221                   { "OxidBindings", "remact.oxid_bindings", FT_NONE, BASE_NONE, NULL, 0x0, NULL, HFILL }},
 222                 { &hf_remact_authn_hint,
 223                   { "AuthnHint", "remact.authn_hint", FT_UINT32, BASE_DEC, NULL, 0x0, NULL, HFILL }},
 224         };
 225
 226         static int *ett[] = {
 227                 &ett_remact
 228         };
 229
 230         proto_remact = proto_register_protocol ("DCOM IRemoteActivation", "REMACT", "remact");
 231         proto_register_field_array (proto_remact, hf_remact, array_length (hf_remact));
 232         proto_register_subtree_array (ett, array_length (ett));
 233 }
 234
 235 void
 236 proto_reg_handoff_remact (void)
 237 {
 238         /* Register the protocol as dcerpc */
 239         dcerpc_init_uuid (proto_remact, ett_remact, &uuid_remact, ver_remact, remact_dissectors, hf_remact_opnum);
 240 }
 241
 242 /*
 243  * Editor modelines  -  https://www.wireshark.org/tools/modelines.html
 244  *
 245  * Local variables:
 246  * c-basic-offset: 8
 247  * tab-width: 8
 248  * indent-tabs-mode: t
 249  * End:
 250  *
 251  * vi: set shiftwidth=8 tabstop=8 noexpandtab:
 252  * :indentSize=8:tabSize=8:noTabs=false:
 253  */