[cifs-protocol] Cannot uncompress SMB3 LZ77 payload
Matthieu Suiche
msuiche at gmail.com
Thu Jul 4 19:52:03 UTC 2019
Isn't it using the LZXPRESS algorithm instead?
On Thu, Jul 4, 2019, 8:14 PM Aurélien Aptel via cifs-protocol <
cifs-protocol at lists.samba.org> wrote:
>
> Hello,
>
> I've been able to trigger a LZ77 compressed Read response against the
> latest Windows Server 2019 but I am unable to decompress it.
>
> Request
> =======
>
> SMB2 (Server Message Block Protocol version 2)
> [....]
> Read Request (0x08)
> StructureSize: 0x0031
> 0000 0000 0011 000. = Fixed Part Length: 24
> .... .... .... ...1 = Dynamic Part: True
> Padding: 0x00
> Flags: 0x02, Compressed
> .... ...0 = Unbuffered: Client is NOT asking for UNBUFFERED read
> .... ..1. = Compressed: Client is asking for COMPRESSED data
> Read Length: 131072
> File Offset: 0
> GUID handle File: a
> File Id: 00000012-0004-0000-0100-000004000000
> [Frame handle opened: 52]
> Min Count: 0
> Channel: None (0x00000000)
> Remaining Bytes: 0
> Blob Offset: 0x00000000
> Blob Length: 0
> Channel Info Blob: NO DATA
>
>
> Response
> ========
>
> 0000 fc 53 4d 42 00 00 02 00 02 00 00 00 50 00 00 00 .SMB.... ....P...
> 0010 fe 53 4d 42 40 00 02 00 00 00 00 00 08 00 0a 00 .SMB@... ........
> 0020 01 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ........ ........
> 0030 ff fe 00 00 01 00 00 00 35 00 00 00 00 10 00 00 ........ 5.......
> 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
> 0050 11 00 50 00 00 00 02 00 00 00 00 00 00 00 00 00 ..P..... ........
> 0060 ff ff ff 7f ff 07 00 0f ff 00 00 fc ff 01 00 ........ .......
>
> NetBIOS Session Service
> Message Type: Session message (0x00)
> Length: 111
> SMB2 (Server Message Block Protocol version 2)
> SMB2 Compression Transform Header
> ProtocolId: fc534d42
> OriginalSize: 131072
> CompressionAlgorithm: LZ77 (0x0002)
> Reserved: 0000
> Offset: 0x00000050
>
>
> Let's look again and annotate...
>
>
> 0000 fc 53 4d 42 00 00 02 00 02 00 00 00 50 00 00 00 .SMB.... ....P...
>      ^^^^^^^^^^^                         ^^^^^^^^^^^
>      compression transform header        compressed data offset = 0x50
>
>
>      SMB2 header follows                 READ
>      vvvvvvvvvvv                         vvvvv
> 0010 fe 53 4d 42 40 00 02 00 00 00 00 00 08 00 0a 00 .SMB@... ........
> 0020 01 00 00 00 00 00 00 00 07 00 00 00 00 00 00 00 ........ ........
> 0030 ff fe 00 00 01 00 00 00 35 00 00 00 00 10 00 00 ........ 5.......
> 0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ........ ........
> 0050 11 00 50 00 00 00 02 00 00 00 00 00 00 00 00 00 ..P..... ........
>            ^^
>            read data offset from SMB2 header is 0x50 again
>
>
> 0060 ff ff ff 7f ff 07 00 0f ff 00 00 fc ff 01 00 ........ .......
>      ^^
>      compressed data starts here (0x10 + 0x50 = 0x60)
>
> So the LZ77 compressed data is
>
> ff ff ff 7f ff 07 00 0f ff 00 00 fc ff 01 00
>
> I've tried to decode it using [MS-XCA] 2.4.4 "Plain LZ77 Decompression"
> [1] which has pseudo code that is easily runnable in python. I can
> decode the examples on that page fine:
>
> >>> decode(bytes.fromhex(" ff ff ff 1f 61 62 63 17 00 0f ff 26 01"))
> bytearray(b'abcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabc'+
>           b'abcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabc'+
>           b'abcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabc'+
>           b'abcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabc'+
>           b'abcabcabcabcabcabcabcabcabcabcabcabcabcabcabcabc')
>
> But if I try to decode my compressed payload it is invalid:
>
> >>> decode(bytes.fromhex(" ff ff ff 7f ff 07 00 0f ff 00 00 fc ff 01 00"))
> Traceback (most recent call last):
>   File "<stdin>", line 1, in <module>
>   File "lz.py", line 54, in decode
>     raise Exception("error")
>
> This corresponds to this line in the pseudo-code:
>
>     If MatchLength < 15 + 7
>         Return error.
>
> And it fails in the very beginning after only outputting 1 byte
> (ff). The uncompressed payload should be all 0xFF.
>
> You can see and run the script online here [2].
>
> So, any ideas on what I'm missing? Is the LZ77 encoding used in the
> packet different? Am I misinterpreting some fields?
>
> 1:
> https://docs.microsoft.com/en-us/openspecs/windows_protocols/ms-xca/34cb9ab9-5ce6-42d7-a518-107c1c7c65e7
> 2: https://ideone.com/7Lr6tN
>
> Cheers,
> --
> Aurélien Aptel / SUSE Labs Samba Team
> GPG: 1839 CB5F 9F5B FB9B AA97 8C99 03C8 A49B 521B D5D3
> SUSE Linux GmbH, Maxfeldstraße 5, 90409 Nürnberg, Germany
> GF: Felix Imendörffer, Mary Higgins, Sri Rasiah HRB 21284 (AG Nürnberg)
>
>
> _______________________________________________
> cifs-protocol mailing list
> cifs-protocol at lists.samba.org
> https://lists.samba.org/mailman/listinfo/cifs-protocol
>
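Added example, not code from the thread or from [MS-XCA]: a bounds-checked Python decoder run on the response bytes quoted above. It splits the message at the transform header's Offset and caps the output at OriginalSize. The function names are mine, and the 32-bit length escape (a 16-bit length of 0 followed by a 4-byte length) is an assumption that the pseudocode line quoted in the message does not include; with it, the 15 compressed bytes expand to 131072 bytes of 0xFF.

```python
import struct
RESPONSE = bytes.fromhex("fc534d42000002000200000050000000fe534d42400002000000000008000a00"
    "01000000000000000700000000000000fffe0000010000003500000000100000"
    "0000000000000000000000000000000011005000000002000000000000000000"
    "ffffff7fff07000fff0000fcff0100")  # 111 bytes, copied from the message's hex dump

def lz77_plain_decode(data, max_out):  # max_out caps the output (OriginalSize)
    out, pos, flags, nflags, nibble = bytearray(), 0, 0, 0, None
    def rd(n):  # bounds-checked little-endian read
        nonlocal pos
        if pos + n > len(data):
            raise ValueError("truncated input")
        pos += n
        return int.from_bytes(data[pos - n:pos], "little")
    while True:
        if nflags == 0:
            flags, nflags = rd(4), 32
        nflags -= 1
        if not flags & (1 << nflags):
            length, dist = 1, 0                  # literal byte
        elif pos == len(data):
            return bytes(out)                    # flag bit set at end of input
        else:
            m = rd(2)
            length, dist = m & 7, (m >> 3) + 1
            if length == 7:
                if nibble is None:               # low nibble of a new length byte
                    nibble, length = pos, rd(1) & 0xF
                else:                            # high nibble of the remembered byte
                    length, nibble = data[nibble] >> 4, None
                if length == 15:
                    length = rd(1)
                    if length == 255:
                        length = rd(2) or rd(4)  # ASSUMED: 0 escapes to a 32-bit length
                        if length < 15 + 7:
                            raise ValueError("bad match length")
                        length -= 15 + 7
                    length += 15
                length += 7
            length += 3
        if dist > len(out) or len(out) + length > max_out:
            raise ValueError("bad match offset or output larger than OriginalSize")
        for _ in range(length):                  # byte-wise, so overlapping copies work
            out.append(out[-dist] if dist else rd(1))

def decompress_response(msg):  # transform header -> full SMB2 message
    magic, orig_size, algo, _rsvd, offset = struct.unpack_from("<4sIHHI", msg)
    if magic != b"\xfcSMB" or algo != 2 or offset > len(msg) - 16:
        raise ValueError("not a valid LZ77 compression transform message")
    return msg[16:16 + offset] + lz77_plain_decode(msg[16 + offset:], orig_size)
```

Both length checks run before any bytes are copied, so a forged match length or Offset is rejected without allocating the claimed output.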