-rw-r--r--packet-dcerpc-mapi.c148
-rw-r--r--packet-dcerpc-mapi.h3
-rw-r--r--packet-dcerpc-nt.c14
-rw-r--r--packet-dcerpc.c4
-rw-r--r--packet-dcerpc.h3
-rw-r--r--packet-smb.c3
6 files changed, 161 insertions, 14 deletions
diff --git a/packet-dcerpc-mapi.c b/packet-dcerpc-mapi.c
index b2253fede1..607eea414b 100644
--- a/packet-dcerpc-mapi.c
+++ b/packet-dcerpc-mapi.c
@@ -2,7 +2,7 @@
* Routines for MS Exchange MAPI
* Copyright 2002, Ronnie Sahlberg
*
- * $Id: packet-dcerpc-mapi.c,v 1.1 2002/05/23 10:00:19 sahlberg Exp $
+ * $Id: packet-dcerpc-mapi.c,v 1.2 2002/05/23 12:23:29 sahlberg Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
@@ -30,9 +30,18 @@
#include <glib.h>
#include <epan/packet.h>
#include "packet-dcerpc.h"
+#include "packet-dcerpc-nt.h"
#include "packet-dcerpc-mapi.h"
+#include "smb.h" /* for "NT_errors[]" */
static int proto_dcerpc_mapi = -1;
+static int hf_mapi_unknown_string = -1;
+static int hf_mapi_unknown_data = -1;
+static int hf_mapi_unknown_short = -1;
+static int hf_mapi_hnd = -1;
+static int hf_mapi_rc = -1;
+static int hf_mapi_encap_datalen = -1;
+
static gint ett_dcerpc_mapi = -1;
static e_uuid_t uuid_dcerpc_mapi = {
@@ -42,16 +51,149 @@ static e_uuid_t uuid_dcerpc_mapi = {
static guint16 ver_dcerpc_mapi = 0;
+#define DISSECT_UNKNOWN(len) \
+ {\
+ proto_tree_add_text(tree, tvb, offset, len,\
+ "unknown data (%d byte%s)", len,\
+ plurality(len, "", "s"));\
+ offset += len;\
+ }
+
+
+static int
+mapi_logon_rqst(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_STRING_string, NDR_POINTER_REF,
+ "", hf_mapi_unknown_string, -1);
+
+ DISSECT_UNKNOWN(tvb_length_remaining(tvb, offset));
+
+ return offset;
+}
+
+/* The strings in this function are decoded properly on seen captures.
+There might be offsets/padding mismatched due to potential pointer expansions
+or padding bytes. Captures where this code breaks will tell us about that */
+static int
+mapi_logon_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
+ hf_mapi_hnd, NULL, FALSE, FALSE);
+
+ DISSECT_UNKNOWN(20); /* this is 20 bytes, unless there are pointers */
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_STRING_string, NDR_POINTER_REF,
+ "", hf_mapi_unknown_string, -1);
+
+ DISSECT_UNKNOWN(6); /* possibly 1 or 2 bytes padding here */
+
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_STRING_string, NDR_POINTER_REF,
+ "", hf_mapi_unknown_string, -1);
+
+ DISSECT_UNKNOWN( tvb_length_remaining(tvb, offset)-4 );
+
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_mapi_rc, NULL);
+
+ return offset;
+}
+
+static int
+mapi_unknown_02_request(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
+ hf_mapi_hnd, NULL, FALSE, FALSE);
+
+ /* this is a unidimensional varying and conformant array of
+ encrypted data */
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_STRING_string, NDR_POINTER_REF,
+ "", hf_mapi_unknown_data, -1);
+
+ /* length of encrypted data. */
+ offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
+ hf_mapi_encap_datalen, NULL);
+
+ offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
+ hf_mapi_unknown_short, NULL);
+
+ return offset;
+}
+static int
+mapi_unknown_02_reply(tvbuff_t *tvb, int offset,
+ packet_info *pinfo, proto_tree *tree, char *drep)
+{
+ offset = dissect_nt_policy_hnd(tvb, offset, pinfo, tree, drep,
+ hf_mapi_hnd, NULL, FALSE, FALSE);
+
+ /* this is a unidimensional varying and conformant array of
+ encrypted data */
+ offset = dissect_ndr_pointer(tvb, offset, pinfo, tree, drep,
+ dissect_ndr_nt_STRING_string, NDR_POINTER_REF,
+ "", hf_mapi_unknown_data, -1);
+
+ /* length of encrypted data */
+ offset = dissect_ndr_uint16 (tvb, offset, pinfo, tree, drep,
+ hf_mapi_encap_datalen, NULL);
+
+ offset = dissect_ntstatus(tvb, offset, pinfo, tree, drep,
+ hf_mapi_rc, NULL);
+
+ return offset;
+}
+
+
static dcerpc_sub_dissector dcerpc_mapi_dissectors[] = {
- { MAPI_LOGON, "Logon", NULL, NULL },
+ { MAPI_LOGON, "Logon",
+ mapi_logon_rqst,
+ mapi_logon_reply },
{ MAPI_LOGOFF, "Logoff", NULL, NULL },
+ { MAPI_UNKNOWN_02, "unknown_02",
+ mapi_unknown_02_request,
+ mapi_unknown_02_reply },
+
{0, NULL, NULL, NULL },
};
void
proto_register_dcerpc_mapi(void)
{
+
+static hf_register_info hf[] = {
+ { &hf_mapi_hnd,
+ { "Context Handle", "mapi.hnd", FT_BYTES, BASE_NONE,
+ NULL, 0x0, "", HFILL }},
+
+ { &hf_mapi_rc,
+ { "Return code", "mapi.rc", FT_UINT32, BASE_HEX,
+ VALS (NT_errors), 0x0, "", HFILL }},
+
+ { &hf_mapi_unknown_string,
+ { "Unknown string", "mapi.unknown_string", FT_STRING, BASE_NONE,
+ NULL, 0, "Unknown string. If you know what this is, contact ethereal developers.", HFILL }},
+
+ { &hf_mapi_unknown_short,
+ { "Unknown short", "mapi.unknown_short", FT_UINT16, BASE_HEX,
+ NULL, 0, "Unknown short. If you know what this is, contact ethereal developers.", HFILL }},
+
+ { &hf_mapi_unknown_data,
+ { "unknown encrypted data", "mapi.unknown_data", FT_BYTES, BASE_HEX,
+ NULL, 0, "Unknown data. If you know what this is, contact ethereal developers.", HFILL }},
+
+ { &hf_mapi_encap_datalen,
+ { "Length", "mapi.encap_len", FT_UINT16, BASE_DEC,
+ NULL, 0x0, "Length of encapsulated/encrypted data", HFILL }},
+
+
+ };
+
static gint *ett[] = {
&ett_dcerpc_mapi,
};
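Review bot: In mapi_logon_reply the length passed to `DISSECT_UNKNOWN( tvb_length_remaining(tvb, offset)-4 )` goes negative whenever fewer than four bytes remain in the reply, and the macro then adds that negative value to `offset`, so the following dissect_ntstatus call starts before the current position. mapi_logon_rqst has the same exposure if tvb_length_remaining reports an out-of-range offset as -1, which I believe it does but is worth confirming. Because these values come straight from captured traffic, I would compute the length once and guard it: `remaining = tvb_length_remaining(tvb, offset);` followed by `if (remaining > 4) DISSECT_UNKNOWN(remaining - 4);`. The macro itself evaluates `len` three times and expands to a bare `{ }` block; a `do { ... } while (0)` wrapper with a local copy of the length would remove both hazards.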
@@ -59,6 +201,8 @@ proto_register_dcerpc_mapi(void)
proto_dcerpc_mapi = proto_register_protocol(
"Microsoft Exchange MAPI", "MAPI", "mapi");
+ proto_register_field_array(proto_dcerpc_mapi, hf,
+ array_length(hf));
proto_register_subtree_array(ett, array_length(ett));
}
diff --git a/packet-dcerpc-mapi.h b/packet-dcerpc-mapi.h
index fd8cc55381..6c30842c0c 100644
--- a/packet-dcerpc-mapi.h
+++ b/packet-dcerpc-mapi.h
@@ -2,7 +2,7 @@
* Routines for MS Exchange MAPI dissection
* Copyright 2002, Ronnie Sahlberg
*
- * $Id: packet-dcerpc-mapi.h,v 1.1 2002/05/23 10:00:19 sahlberg Exp $
+ * $Id: packet-dcerpc-mapi.h,v 1.2 2002/05/23 12:23:29 sahlberg Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
@@ -28,5 +28,6 @@
#define MAPI_LOGON 0x00
#define MAPI_LOGOFF 0x01
+#define MAPI_UNKNOWN_02 0x02
#endif
diff --git a/packet-dcerpc-nt.c b/packet-dcerpc-nt.c
index d0ff90aaf3..460550db17 100644
--- a/packet-dcerpc-nt.c
+++ b/packet-dcerpc-nt.c
@@ -2,7 +2,7 @@
* Routines for DCERPC over SMB packet disassembly
* Copyright 2001, Tim Potter <tpot@samba.org>
*
- * $Id: packet-dcerpc-nt.c,v 1.35 2002/05/15 03:28:43 tpot Exp $
+ * $Id: packet-dcerpc-nt.c,v 1.36 2002/05/23 12:23:29 sahlberg Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
@@ -542,28 +542,28 @@ dissect_ndr_nt_STRING_string (tvbuff_t *tvb, int offset,
}
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
- hf_nt_str_len, &len);
+ hf_nt_str_max_len, &max_len);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
hf_nt_str_off, &off);
offset = dissect_ndr_uint32 (tvb, offset, pinfo, tree, drep,
- hf_nt_str_max_len, &max_len);
+ hf_nt_str_len, &len);
old_offset=offset;
hfi = proto_registrar_get_nth(di->hf_index);
switch(hfi->type){
case FT_STRING:
- offset = prs_uint8s(tvb, offset, pinfo, tree, max_len,
+ offset = prs_uint8s(tvb, offset, pinfo, tree, len,
&text_offset, NULL);
- text = tvb_get_ptr(tvb, text_offset, max_len);
+ text = tvb_get_ptr(tvb, text_offset, len);
proto_tree_add_string_format(tree, di->hf_index,
tvb, old_offset, offset-old_offset,
text, "%s: %s", hfi->name, text);
break;
case FT_BYTES:
text = NULL;
- proto_tree_add_item(tree, di->hf_index, tvb, offset, max_len, FALSE);
- offset += max_len;
+ proto_tree_add_item(tree, di->hf_index, tvb, offset, len, FALSE);
+ offset += len;
break;
default:
text = NULL;
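Review bot: In the FT_STRING branch, `text` comes from `tvb_get_ptr(tvb, text_offset, len)` and is passed to `proto_tree_add_string_format` both as the value and as a `%s` argument, but nothing in the hunk guarantees that those `len` bytes contain a terminating NUL. Switching from `max_len` to `len` makes this more likely to matter, since the actual count on the wire need not include a terminator. I would copy the bytes into a NUL-terminated buffer first, e.g. `text = g_strndup(tvb_get_ptr(tvb, text_offset, len), len);`, and free it once the tree item has been added. Separately, `len` is read from the packet and never compared with `max_len`; a sanity check before `offset += len` in the FT_BYTES branch would keep a malformed value from pushing `offset` out of range. The function begins and ends outside this hunk, so the declarations of `len` and `text` are not visible here.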
diff --git a/packet-dcerpc.c b/packet-dcerpc.c
index b2c4bd49aa..545ea3cc65 100644
--- a/packet-dcerpc.c
+++ b/packet-dcerpc.c
@@ -2,7 +2,7 @@
* Routines for DCERPC packet disassembly
* Copyright 2001, Todd Sabin <tas@webspan.net>
*
- * $Id: packet-dcerpc.c,v 1.48 2002/05/07 10:07:55 sahlberg Exp $
+ * $Id: packet-dcerpc.c,v 1.49 2002/05/23 12:23:29 sahlberg Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
@@ -795,7 +795,7 @@ dissect_ndr_pointer(tvbuff_t *tvb, gint offset, packet_info *pinfo,
/*TOP LEVEL REFERENCE POINTER*/
if( pointers_are_top_level
- && (type==NDR_POINTER_REF) ){
+ &&(type==NDR_POINTER_REF) ){
add_pointer_to_list(pinfo, tree, fnct, 0xffffffff, hf_index, levels);
goto after_ref_id;
}
diff --git a/packet-dcerpc.h b/packet-dcerpc.h
index e073639dbf..5bff1fae32 100644
--- a/packet-dcerpc.h
+++ b/packet-dcerpc.h
@@ -1,7 +1,7 @@
/* packet-dcerpc.h
* Copyright 2001, Todd Sabin <tas@webspan.net>
*
- * $Id: packet-dcerpc.h,v 1.15 2002/05/10 02:30:22 tpot Exp $
+ * $Id: packet-dcerpc.h,v 1.16 2002/05/23 12:23:29 sahlberg Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
@@ -140,6 +140,7 @@ typedef int (dcerpc_dissect_fnct_t)(tvbuff_t *tvb, int offset, packet_info *pinf
#define NDR_POINTER_REF 1
#define NDR_POINTER_UNIQUE 2
#define NDR_POINTER_PTR 3
+
int dissect_ndr_pointer (tvbuff_t *tvb, gint offset, packet_info *pinfo,
proto_tree *tree, char *drep,
dcerpc_dissect_fnct_t *fnct, int type, char *text, int hf_index, int levels);
diff --git a/packet-smb.c b/packet-smb.c
index 21c9076776..ed0f5406b8 100644
--- a/packet-smb.c
+++ b/packet-smb.c
@@ -3,7 +3,7 @@
* Copyright 1999, Richard Sharpe <rsharpe@ns.aus.com>
* 2001 Rewrite by Ronnie Sahlberg and Guy Harris
*
- * $Id: packet-smb.c,v 1.259 2002/05/16 23:36:43 guy Exp $
+ * $Id: packet-smb.c,v 1.260 2002/05/23 12:23:29 sahlberg Exp $
*
* Ethereal - Network traffic analyzer
* By Gerald Combs <gerald@ethereal.com>
@@ -13523,6 +13523,7 @@ const value_string NT_errors[] = {
{ 0x80000024, "STATUS_SERVER_HAS_OPEN_HANDLES" },
{ 0x80000025, "STATUS_ALREADY_DISCONNECTED" },
{ 0x80000026, "STATUS_LONGJUMP" },
+ { 0x80040111, "MAPI_E_LOGON_FAILED" },
{ 0x80090300, "SEC_E_INSUFFICIENT_MEMORY" },
{ 0x80090301, "SEC_E_INVALID_HANDLE" },
{ 0x80090302, "SEC_E_UNSUPPORTED_FUNCTION" },
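Review bot: `0x80040111` is a MAPI result code rather than an NTSTATUS, yet it is added to `NT_errors[]`, which is defined in packet-smb.c and presumably also labels SMB status fields, so the same value seen there would be shown as MAPI_E_LOGON_FAILED. At minimum the entry deserves a comment such as `/* MAPI result code, not an NTSTATUS; present because mapi.rc uses VALS(NT_errors) */`. A separate value_string for MAPI return codes would keep the two namespaces apart as more codes are added. The array starts and ends outside this hunk.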