[SMB] NTCreateANDX question

Michael B Allen mba2000 at ioplex.com
Mon Jun 11 22:44:00 GMT 2007


On Mon, 11 Jun 2007 15:50:04 -0500
"Christopher R. Hertel" <crh at ubiqx.mn.org> wrote:

> > WordCount
> > 00000:  2a                                               |*               |
> > Words
> > 00000:  ff 00 87 00 03 00 c0 01 00 00 00 80 65 7a c2 f5  |............ez..|
> > 00010:  77 c3 01 5e 1b 3e 77 91 6c c6 01 80 65 7a c2 f5  |w..^.>w.l...ez..|
> > 00020:  77 c3 01 28 34 0f 62 2d 21 c4 01 20 00 00 00 00  |w..(4.b-!.. ....|
> > 00030:  f0 00 00 00 00 00 00 00 e8 00 00 00 00 00 00 00  |................|
> > 00040:  00 07 00 00 00 00 00 70 00 2e 00 65 00 78 00 65  |.......p...e.x.e|
> > 00050:  00 00 00 00                                      |....            |
> > Unknown
> > 00000:  00 03 81 d8 bf 03 81 20 ff 01 1f 00 00 00 00 00  |....... ........|
> > 00010:  00 00                                            |..              |
> > 
> > So I see 'p.exe' in the Words and Wireshark doesn't decode those bytes
> > so it looks like there's just garbage at the end. Meaning the WordCount
> > and the NetBIOS header payload size are incorrect (too large).
> 
> So... my next question.  Is the WordCount value 42 (0x2a) correct (for this
> packet)?  If so, then the "p.exe" string really is part of the Words.
> 
> ...but you said earlier that you thought the correct value should be closer
> to 34 (0x22).  If that were the case, the bytecount would be zero and
> 'p.exe' would not be part of the packet at all.
> 
> I am curious as to how this packet should be read.

How it "should" read is not important. What is important is the algorithm
by which you decode and encode this packet.

This packet's size is whatever the NetBIOS header says it is. There are
no Bytes in an SMB_COM_NT_CREATE_ANDX and therefore the WordCount should
just be ignored by clients and encoded by servers with the incorrect
value of 0x2a. Clients and servers should then decode / encode whatever
parts of the Words they know the format for. The remainder of the packet
should contain the user's horoscope or perhaps a fortune.

Mike

-- 
Michael B Allen
PHP Active Directory Kerberos SSO
http://www.ioplex.com/
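
The decoding approach described in the reply, as an added example (not code from the post or from Samba): decode the 34 words whose layout is documented for the NT_CREATE_ANDX response, bound every read by the frame itself, and keep whatever follows opaque. The field layout is taken from the CIFS specification rather than from this thread, the function and field names are assumptions, and the input is the Words dump quoted in the message.

```python
import struct

# Documented fixed part of the SMB_COM_NT_CREATE_ANDX response Words:
# 34 words (68 bytes), little-endian, unpadded. This layout comes from the
# CIFS specification, not from the post (assumption of this example).
KNOWN = struct.Struct("<BBHBHI4QIQQHHB")
FIELDS = ("andx_command", "andx_reserved", "andx_offset", "oplock_level",
          "fid", "create_action", "create_time", "last_access_time",
          "last_write_time", "change_time", "ext_file_attributes",
          "allocation_size", "end_of_file", "file_type", "device_state",
          "directory")

# Words bytes copied from the hex dump quoted in the message (0x2a words).
WORDS_FROM_POST = bytes.fromhex("""
    ff 00 87 00 03 00 c0 01 00 00 00 80 65 7a c2 f5
    77 c3 01 5e 1b 3e 77 91 6c c6 01 80 65 7a c2 f5
    77 c3 01 28 34 0f 62 2d 21 c4 01 20 00 00 00 00
    f0 00 00 00 00 00 00 00 e8 00 00 00 00 00 00 00
    00 07 00 00 00 00 00 70 00 2e 00 65 00 78 00 65
    00 00 00 00
""")


def decode_create_andx_words(buf, word_count):
    """Decode the known fields; return (fields, opaque_trailer, irregular).

    buf holds the bytes from the start of Words to the end of the frame
    whose length the NetBIOS session header gave. word_count is the value
    from the wire and is treated as advisory only.
    """
    if len(buf) < KNOWN.size:
        raise ValueError("frame ends inside the fixed NT_CREATE_ANDX fields")
    fields = dict(zip(FIELDS, KNOWN.unpack_from(buf)))
    # Clamp the span WordCount claims to the frame, so a bogus count can
    # never cause a read past the data that was actually received.
    claimed_end = min(max(2 * word_count, KNOWN.size), len(buf))
    trailer = bytes(buf[KNOWN.size:claimed_end])  # kept opaque, never parsed
    return fields, trailer, word_count != KNOWN.size // 2


if __name__ == "__main__":
    fields, trailer, irregular = decode_create_andx_words(WORDS_FROM_POST, 0x2A)
    for name in FIELDS:
        print(f"{name:20} {fields[name]:#x}")
    print("undecoded trailer:", trailer.hex(" "), "| irregular:", irregular)
```
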

