impacket
impacket copied to clipboard
fortra
Can't connect to Windows Server 2000 with WMI
Hi all, need help)) I have a problem connecting to Windows Server 2000 SP4 with WMI.
My simple code:
from logging import DEBUG, basicConfig
from impacket import LOG
from impacket.dcerpc.v5.dcom.wmi import (CLSID_WbemLevel1Login,
IID_IWbemLevel1Login)
from impacket.dcerpc.v5.dcomrt import DCOMConnection
basicConfig(level=DEBUG)
my_host = "" # some IP here
my_user = "" # some user here
my_pass = "" # some password here
dcom = DCOMConnection(
my_host,
my_user,
my_pass
)
interface = dcom.CoCreateInstanceEx(
CLSID_WbemLevel1Login,
IID_IWbemLevel1Login
)
Result:
$ python3 test.py
ERROR:impacket:unpack_from requires a buffer of at least 2 bytes for unpacking 2 bytes at offset 0 (actual buffer size is 0)
ERROR:impacket:Error unpacking field 'Data | <H=0 | b'''
ERROR:impacket:unpack_from requires a buffer of at least 2 bytes for unpacking 2 bytes at offset 0 (actual buffer size is 0)
ERROR:impacket:Error unpacking field 'wTowerId | <class 'impacket.dcerpc.v5.ndr.NDRUSHORT'> | b'''
Traceback (most recent call last):
File "test.py", line 31, in <module>
interface = dcom.CoCreateInstanceEx(
File "/usr/local/lib/python3.8/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1061, in CoCreateInstanceEx
iInterface = scm.RemoteCreateInstance(clsid, iid)
File "/usr/local/lib/python3.8/site-packages/impacket/dcerpc/v5/dcomrt.py", line 1880, in RemoteCreateInstance
binding = STRINGBINDING(strBindings)
File "/usr/local/lib/python3.8/site-packages/impacket/dcerpc/v5/ndr.py", line 72, in __init__
self.fromString(data)
File "/usr/local/lib/python3.8/site-packages/impacket/dcerpc/v5/ndr.py", line 1158, in fromString
offset += self.unpack(fieldName, fieldTypeOrClass, data, offset)
File "/usr/local/lib/python3.8/site-packages/impacket/dcerpc/v5/ndr.py", line 298, in unpack
return self.fields[fieldName].fromString(data, offset)
File "/usr/local/lib/python3.8/site-packages/impacket/dcerpc/v5/ndr.py", line 259, in fromString
offset += self.unpack(fieldName, fieldTypeOrClass, data, offset)
File "/usr/local/lib/python3.8/site-packages/impacket/dcerpc/v5/ndr.py", line 303, in unpack
return self.unpack(fieldName, two[0], data, offset)
File "/usr/local/lib/python3.8/site-packages/impacket/dcerpc/v5/ndr.py", line 315, in unpack
self.fields[fieldName] = unpack_from(fieldTypeOrClass, data, offset)[0]
struct.error: unpack_from requires a buffer of at least 2 bytes for unpacking 2 bytes at offset 0 (actual buffer size is 0)
Lib version:
$ python3 -m pip list | grep impacket
impacket 0.9.22
Python version:
$ python3 -V
Python 3.8.6
System info:
$ uname -a
Linux a1aab651c4a0 4.9.0-9-amd64 #1 SMP Debian 4.9.168-1+deb9u5 (2019-08-11) x86_64 GNU/Linux
Additional context:
I'm not sure, but it looks like that real CustomHeader size can differ from its payload size. So that after payload sometimes CustomHeader contains some garbage bytes. Impacket current version ignores this bytes and starts parse next structure — Property. So we get errors like struct.error.
We can to take into account this garbage and add its size to CustomHeader, for this we need calculate payload size and substract it from headerSize field value (headerSize is one of CustomHeader fields). I made a little patch overriding a method fromStringReferent in CustomHeader class, it works for me fine:
def fromStringReferent(self, data, offset=0):
return (
TypeSerialization1.fromStringReferent(self, data, offset) +
self['headerSize'] -
len(TypeSerialization1.getData(self, 0)) -
len(TypeSerialization1.getDataReferents(self, 0))
)
Binary data example with garbage in CommonHeader:
2.2.18 OBJREF:
│
├ signature: 4d 45 4f 57
├ flags: 04 00 00 00
├ iid: a3 01 00 00
│ 00 00 00 00
│ c0 00 00 00
│ 00 00 00 46
│
└ u_objref (2.2.18.6 OBJREF_CUSTOM):
│
├ clsid: 39 03 00 00
│ 00 00 00 00
│ c0 00 00 00
│ 00 00 00 46
├ cbExtension: 00 00 00 00
├ reserved: a8 03 00 00
│
└ pObjectData (2.2.22 Activation Properties BLOB):
│
├ dwSize: a0 03 00 00
├ dwReserved: 00 00 00 00
├ 2.2.22.1 CustomHeader:
│ │
│ ├ CommonHeader: # CommonHeader starts here
│ │ │
│ │ ├ version: 01
│ │ ├ endianness: 10
│ │ ├ commonHeaderLength: 08 00 (0x04)
│ │ └ filler: cc cc cc cc (0x08)
│ │
│ ├ PrivateHeader:
│ │ │
│ │ ├ ObjectBufferLength: 60 00 00 00 (0x0c)
│ │ └ filler: 00 00 00 00 (0x10)
│ │
│ ├ totalSize: a0 03 00 00 (0x14)
│ ├ headerSize: 90 00 00 00 (0x18) # CustomHeader size with garbage
│ ├ dwReserved: 00 00 00 00 (0x1c)
│ ├ destCtx: 02 00 00 00 (0x20)
│ ├ cIfs: 02 00 00 00 (0x24)
│ ├ pclsid: 00 00 00 00 (0x28)
│ │ 00 00 00 00 (0x2c)
│ │ 00 00 00 00 (0x30)
│ │ 00 00 00 00 (0x34)
│ │
│ ├ pclsid:
│ │ │
│ │ ├ filler: d4 5a 4a 00 (0x38)
│ │ │ 74 5b 4a 00 (0x3c)
│ │ │ 00 00 00 00 (0x40)
│ │ │
│ │ ├ length: 02 00 00 00 (0x44)
│ │ ├ 1st item: 39 03 00 00 (0x48)
│ │ │ 00 00 00 00 (0x4c)
│ │ │ c0 00 00 00 (0x50)
│ │ │ 00 00 00 46 (0x54)
│ │ └ 2nd item: b6 01 00 00 (0x58)
│ │ 00 00 00 00 (0x5c)
│ │ c0 00 00 00 (0x60)
│ │ 00 00 00 46 (0x64)
│ │
│ ├ pSizes:
│ │ │
│ │ ├ length: 02 00 00 00 (0x68)
│ │ ├ 1st item: 08 01 00 00 (0x6c)
│ │ └ 2nd item: 08 02 00 00 (0x70) # payload last bytes
│ │
│ └ garbage: 72 00 6f 00 (0x74) # garbage starts here,
│ 67 00 72 00 (0x78) # current lib version ignores
│ 61 00 6d 00 (0x7c) # garbage and starts parsing Property
│ 20 00 46 00 (0x80)
│ 69 00 6c 00 (0x84) # needs to take into account real
│ 65 00 73 00 (0x88) # CommonHeader size (not only payload),
│ 5c 00 53 00 (0x8c) # it is contained in headerSize field
│ 69 00 65 00 (0x90)
│
└ Property: # Property starts here
│
├ 1st item:
│ │
│ ├ CommonHeader:
│ │ │
│ │ ├ version: 01
│ │ ├ endianness: 10
│ │ ├ commonHeaderLength: 08 00
│ │ └ filler: cc cc cc cc
│ │
│ ├ PrivateHeader:
│ │ │
│ │ ├ ObjectBufferLength: f0 00 00 00
│ │ └ filler: 00 00 00 00
… …
Hi @zexusx26! I can't reproduce this issue. I'm using a Windows Server SP4 (5.00.2195.6717)... Could you provide us a PCAP capture?
Thanks for the capture and clarification. We'll review this in detail after the next release. In the meantime, I'll put this ticket on hold.
