author | Ronnie Sahlberg <ronnie_sahlberg@ozemail.com.au> | 2002-05-23 12:23:29 +0000 |
committer | Ronnie Sahlberg <ronnie_sahlberg@ozemail.com.au> | 2002-05-23 12:23:29 +0000 |
commit | c33e33fb7ee43ce2cff140359f5bd188edcaf40e (patch) | |
tree | ec75dde804e42b42f8448eb1151a40164cf44119 /packet-dcerpc-mapi.c | |
parent | a6a5ff53ea2a38615ab531ac402434e5353cd885 (diff) |
Additions to the MAPI dissector. Function 02 for MAPI.
The function request/call are dissected but the main body of the function
in/out parameters consists of a unidimensional conformant and varying array of bytes whose content is encrypted/obfuscated.
Whoever can tell me how to decrypt/unobfuscate these bytes will get
a case of VB next time in Sydney.
svn path=/trunk/; revision=5532
Diffstat (limited to 'packet-dcerpc-mapi.c')
-rw-r--r-- | packet-dcerpc-mapi.c | 148 |
1 files changed, 146 insertions, 2 deletions
diff --git a/packet-dcerpc-mapi.c b/packet-dcerpc-mapi.c
index b2253fede1..607eea414b 100644
--- a/packet-dcerpc-mapi.c
+++ b/packet-dcerpc-mapi.c
@@ -2,7 +2,7 @@
  * Routines for MS Exchange MAPI
  * Copyright 2002, Ronnie Sahlberg
  *
- * $Id: packet-dcerpc-mapi.c,v 1.1 2002/05/23 10:00:19 sahlberg Exp $
+ * $Id: packet-dcerpc-mapi.c,v 1.2 2002/05/23 12:23:29 sahlberg Exp $
  *
  * Ethereal - Network traffic analyzer
  * By Gerald Combs <gerald@ethereal.com>
@@ -30,9 +30,18 @@
 #include <glib.h>
 #include <epan/packet.h>
 #include "packet-dcerpc.h"
+#include "packet-dcerpc-nt.h"
 #include "packet-dcerpc-mapi.h"
+#include "smb.h" /* for "NT_errors[]" */
 
 static int proto_dcerpc_mapi = -1;
+static int hf_mapi_unknown_string = -1;
+static int hf_mapi_unknown_data = -1;
+static int hf_mapi_unknown_short = -1;
+static int hf_mapi_hnd = -1;
+static int hf_mapi_rc = -1;
+static int hf_mapi_encap_datalen = -1;
+
 static gint ett_dcerpc_mapi = -1;
 static e_uuid_t uuid_dcerpc_mapi = {
@@ -42,16 +51,149 @@ static e_uuid_t uuid_dcerpc_mapi = {
 static guint16 ver_dcerpc_mapi = 0;
+#define DISSECT_UNKNOWN(len) \
+ {\
+ proto_tree_add_text(tree, tvb, offset, len,\
+ "unknown data (%d byte%s)", len,\
+ plurality(len, "", "s"));\
+ offset += len;\
+ }
+
+
+static int
+mapi_logon_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_STRING_string, NDR_POINTER_REF,
+ "", hf_mapi_unknown_string, -1);
+
+ DISSECT_UNKNOWN(tvb_length_remaining(tvb, offset));
+
+ return offset;
+}
+
+/* The strings in this function are decoded properly on seen captures.
+There might be offsets/padding mismatched due to potential pointer expansions
+or padding bytes. Captures where this code breaks will tell us about that */
+static int
+mapi_logon_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
+ hf_mapi_hnd, NULL, FALSE, FALSE);
+
+ DISSECT_UNKNOWN(20); /* this is 20 bytes, unless there are pointers */
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_STRING_string, NDR_POINTER_REF,
+ "", hf_mapi_unknown_string, -1);
+
+ DISSECT_UNKNOWN(6); /* possibly 1 or 2 bytes padding here */
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_STRING_string, NDR_POINTER_REF,
+ "", hf_mapi_unknown_string, -1);
+
+ DISSECT_UNKNOWN( tvb_length_remaining(tvb, offset)-4 );
+
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_mapi_rc, NULL);
+
+ return offset;
+}
+
+static int
+mapi_unknown_02_request(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
+ hf_mapi_hnd, NULL, FALSE, FALSE);
+
+ /* this is a unidimensional varying and conformant array of
+ encrypted data */
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_STRING_string, NDR_POINTER_REF,
+ "", hf_mapi_unknown_data, -1);
+
+ /* length of encrypted data. */
+ offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
+ hf_mapi_encap_datalen, NULL);
+
+ offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
+ hf_mapi_unknown_short, NULL);
+
+ return offset;
+}
+static int
+mapi_unknown_02_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
+ hf_mapi_hnd, NULL, FALSE, FALSE);
+
+ /* this is a unidimensional varying and conformant array of
+ encrypted data */
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_STRING_string, NDR_POINTER_REF,
+ "", hf_mapi_unknown_data, -1);
+
+ /* length of encrypted data */
+ offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
+ hf_mapi_encap_datalen, NULL);
+
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_mapi_rc, NULL);
+
+ return offset;
+}
+
+
 static dcerpc_sub_dissector dcerpc_mapi_dissectors[] = {
- { MAPI_LOGON, "Logon", NULL, NULL },
+ { MAPI_LOGON, "Logon",
+ mapi_logon_rqst,
+ mapi_logon_reply },
 { MAPI_LOGOFF, "Logoff", NULL, NULL },
+ { MAPI_UNKNOWN_02, "unknown_02",
+ mapi_unknown_02_request,
+ mapi_unknown_02_reply },
+ {0, NULL, NULL, NULL },
 };
 void
 proto_register_dcerpc_mapi(void)
 {
+
+static hf_register_info hf[] = {
+ { &hf_mapi_hnd,
+ { "Context Handle", "mapi.hnd", FT_BYTES, BASE_NONE,
+ NULL, 0x0, "", HFILL }},
+
+ { &hf_mapi_rc,
+ { "Return code", "mapi.rc", FT_UINT32, BASE_HEX,
+ VALS (NT_errors), 0x0, "", HFILL }},
+
+ { &hf_mapi_unknown_string,
+ { "Unknown string", "mapi.unknown_string", FT_STRING, BASE_NONE,
+ NULL, 0, "Unknown string. If you know what this is, contact ethereal developers.", HFILL }},
+
+ { &hf_mapi_unknown_short,
+ { "Unknown short", "mapi.unknown_short", FT_UINT16, BASE_HEX,
+ NULL, 0, "Unknown short. If you know what this is, contact ethereal developers.", HFILL }},
+
+ { &hf_mapi_unknown_data,
+ { "unknown encrypted data", "mapi.unknown_data", FT_BYTES, BASE_HEX,
+ NULL, 0, "Unknown data. If you know what this is, contact ethereal developers.", HFILL }},
+
+ { &hf_mapi_encap_datalen,
+ { "Length", "mapi.encap_len", FT_UINT16, BASE_DEC,
+ NULL, 0x0, "Length of encapsulated/encrypted data", HFILL }},
+
+
+ };
+
 static gint *ett[] = {
 &ett_dcerpc_mapi,
 };
@@ -59,6 +201,8 @@ proto_register_dcerpc_mapi(void)
 proto_dcerpc_mapi = proto_register_protocol(
 "Microsoft Exchange MAPI", "MAPI", "mapi");
+ proto_register_field_array(proto_dcerpc_mapi, hf,
+ array_length(hf));
 proto_register_subtree_array(ett, array_length(ett));
 }
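Review bot: In mapi_logon_reply, `DISSECT_UNKNOWN( tvb_length_remaining(tvb, offset)-4 );` goes negative whenever fewer than four bytes remain before the status code (a truncated or malformed reply), so the unknown-data item is added with a negative length and the macro's `offset += len;` then moves the cursor backwards before dissect_ntstatus reads from it. A guard such as `if (tvb_length_remaining(tvb, offset) > 4) DISSECT_UNKNOWN(tvb_length_remaining(tvb, offset) - 4);` keeps the offset monotonic and lets the bounds check in dissect_ntstatus report the short packet instead. The macro also expands `len` three times and is a bare brace block rather than `do { ... } while (0)`, which is harmless for the literal arguments used here but would misbehave with an argument that has side effects or inside an unbraced if/else; since it also picks up `tree`, `tvb` and `offset` implicitly from the caller's scope, a one-line comment above the #define stating that contract would help the next reader. The fixed skips `DISSECT_UNKNOWN(20)` and `DISSECT_UNKNOWN(6)` depend on the same downstream tvb checks, which the existing comments already acknowledge.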