# Copyright (c) 2003-2006 CORE Security Technologies

#

# This software is provided under under a slightly modified version

# of the Apache Software License. See the accompanying LICENSE file

# for more information.

#

# $Id: dcerpc.py,v 1.7 2006/05/23 22:26:51 gera Exp $

#


import array
from binascii import crc32
try:
    from Crypto.Cipher import ARC4
    from Crypto.Hash import MD4
    POW = None
except Exception:
    try:
        import POW
    except Exception:
        print "WARNING: Crypto package not found. Some features will fail."

from impacket import ntlm
from impacket import ImpactPacket
from impacket.structure import Structure,pack,unpack

# MS/RPC Constants

MSRPC_REQUEST   = 0x00
MSRPC_RESPONSE  = 0x02
MSRPC_FAULT     = 0x03
MSRPC_ACK       = 0x07
MSRPC_BIND      = 0x0B
MSRPC_BINDACK   = 0x0C
MSRPC_BINDNAK   = 0x0D
MSRPC_ALTERCTX  = 0x0E
MSRPC_AUTH3     = 0x10

# MS/RPC Packet Flags

MSRPC_FIRSTFRAG = 0x01
MSRPC_LASTFRAG  = 0x02
MSRPC_NOTAFRAG  = 0x04
MSRPC_RECRESPOND= 0x08
MSRPC_NOMULTIPLEX = 0x10
MSRPC_NOTFORIDEMP = 0x20
MSRPC_NOTFORBCAST = 0x40
MSRPC_NOUUID    = 0x80


#Reasons for rejection of a context element, included in bind_ack result reason

rpc_provider_reason = {
    0       : 'reason_not_specified',
    1       : 'abstract_syntax_not_supported',
    2       : 'proposed_transfer_syntaxes_not_supported',
    3       : 'local_limit_exceeded'
}

MSRPC_CONT_RESULT_ACCEPT = 0
MSRPC_CONT_RESULT_USER_REJECT = 1
MSRPC_CONT_RESULT_PROV_REJECT = 2

#Results of a presentation context negotiation

rpc_cont_def_result = {
    0       : 'acceptance',
    1       : 'user_rejection',
    2       : 'provider_rejection'
}

#status codes, references:

#http://msdn.microsoft.com/library/default.asp?url=/library/en-us/rpc/rpc/rpc_return_values.asp

#http://msdn.microsoft.com/library/default.asp?url=/library/en-us/randz/protocol/common_return_values.asp

#winerror.h

#http://www.opengroup.org/onlinepubs/9629399/apdxn.htm


rpc_status_codes = {
    0x00000005L : 'rpc_s_access_denied',
    0x00000008L : 'Authentication type not recognized',
    0x000006C6L : 'rpc_x_invalid_bound',                # the arrays bound are invalid

    0x000006F7L : 'rpc_x_bad_stub_data',                # the stub data is invalid, doesn't match with the IDL definition

    0x1C010001L : 'nca_s_comm_failure',                 # unable to get response from server:

    0x1C010002L : 'nca_s_op_rng_error',                 # bad operation number in call

    0x1C010003L : 'nca_s_unk_if',                       # unknown interface

    0x1C010006L : 'nca_s_wrong_boot_time',              # client passed server wrong server boot time

    0x1C010009L : 'nca_s_you_crashed',                  # a restarted server called back a client

    0x1C01000BL : 'nca_s_proto_error',                  # someone messed up the protocol

    0x1C010013L : 'nca_s_out_args_too_big ',            # output args too big

    0x1C010014L : 'nca_s_server_too_busy',              # server is too busy to handle call

    0x1C010015L : 'nca_s_fault_string_too_long',        # string argument longer than declared max len

    0x1C010017L : 'nca_s_unsupported_type ',            # no implementation of generic operation for object

    0x1C000001L : 'nca_s_fault_int_div_by_zero',
    0x1C000002L : 'nca_s_fault_addr_error ',
    0x1C000003L : 'nca_s_fault_fp_div_zero',
    0x1C000004L : 'nca_s_fault_fp_underflow',
    0x1C000005L : 'nca_s_fault_fp_overflow',
    0x1C000006L : 'nca_s_fault_invalid_tag',
    0x1C000007L : 'nca_s_fault_invalid_bound ',
    0x1C000008L : 'nca_s_rpc_version_mismatch',
    0x1C000009L : 'nca_s_unspec_reject ',
    0x1C00000AL : 'nca_s_bad_actid',
    0x1C00000BL : 'nca_s_who_are_you_failed',
    0x1C00000CL : 'nca_s_manager_not_entered ',
    0x1C00000DL : 'nca_s_fault_cancel',
    0x1C00000EL : 'nca_s_fault_ill_inst',
    0x1C00000FL : 'nca_s_fault_fp_error',
    0x1C000010L : 'nca_s_fault_int_overflow',
    0x1C000012L : 'nca_s_fault_unspec',
    0x1C000013L : 'nca_s_fault_remote_comm_failure ',
    0x1C000014L : 'nca_s_fault_pipe_empty ',
    0x1C000015L : 'nca_s_fault_pipe_closed',
    0x1C000016L : 'nca_s_fault_pipe_order ',
    0x1C000017L : 'nca_s_fault_pipe_discipline',
    0x1C000018L : 'nca_s_fault_pipe_comm_error',
    0x1C000019L : 'nca_s_fault_pipe_memory',
    0x1C00001AL : 'nca_s_fault_context_mismatch ',
    0x1C00001BL : 'nca_s_fault_remote_no_memory ',
    0x1C00001CL : 'nca_s_invalid_pres_context_id',
    0x1C00001DL : 'nca_s_unsupported_authn_level',
    0x1C00001FL : 'nca_s_invalid_checksum ',
    0x1C000020L : 'nca_s_invalid_crc',
    0x1C000021L : 'nca_s_fault_user_defined',
    0x1C000022L : 'nca_s_fault_tx_open_failed',
    0x1C000023L : 'nca_s_fault_codeset_conv_error',
    0x1C000024L : 'nca_s_fault_object_not_found ',
    0x1C000025L : 'nca_s_fault_no_client_stub'
}

class MSRPCArray:
    def __init__(self, id=0, len=0, size=0):
        self._length = len
        self._size = size
        self._id = id
        self._max_len = 0
        self._offset = 0
        self._length2 = 0
        self._name = ''

    def set_max_len(self, n):
        self._max_len = n
    def set_offset(self, n):
        self._offset = n
    def set_length2(self, n):
        self._length2 = n
    def get_size(self):
        return self._size
    def set_name(self, n):
        self._name = n
    def get_name(self):
        return self._name
    def get_id(self):
        return self._id
    def rawData(self):
        return pack('<HHLLLL', self._length, self._size, 0x12345678, self._max_len, self._offset, self._length2) + self._name.encode('utf-16le')

class MSRPCNameArray:
    def __init__(self, data = None):
        self._count = 0
        self._max_count = 0
        self._elements = []

        if data: self.load(data)

    def load(self, data):
        ptr = unpack('<L', data[:4])[0]
        index = 4
        if 0 == ptr: # No data. May be a bug in certain versions of Samba.

            return

        self._count, _, self._max_count = unpack('<LLL', data[index:index+12])
        index += 12

        # Read each object's header.

        for i in range(0, self._count):
            aindex, length, size, _ = unpack('<LHHL', data[index:index+12])
            self._elements.append(MSRPCArray(aindex, length, size))
            index += 12

        # Read the objects themselves.

        for element in self._elements:
            max_len, offset, curlen = unpack('<LLL', data[index:index+12])
            index += 12
            element.set_name(unicode(data[index:index+2*curlen], 'utf-16le'))
            element.set_max_len(max_len)
            element.set_offset(offset)
            element.set_length2(curlen)
            index += 2*curlen
            if curlen & 0x1: index += 2 # Skip padding.


    def elements(self):
        return self._elements

    def rawData(self):
        ret = pack('<LLLL', 0x74747474, self._count, 0x47474747, self._max_count)
        pos_ret = []
        for i in xrange(0, self._count):
            ret += pack('<L', self._elements[i].get_id())
            data = self._elements[i].rawData()
            ret += data[:8]
            pos_ret += data[8:]

        return ret + pos_ret

class MSRPCHeader(ImpactPacket.Header):
    _SIZE = 16
    commonHdr = ( # not used, just for doc and future use

        ('ver_major','B'),                              # 0

        ('ver_minor','B'),                              # 1

        ('type','B=MSRPC_REQUEST'),                     # 2

        ('flags','B=MSRPC_FIRSTFRAG | MSRPC_LASTFRAG'), # 3

        ('represntation','<L=0x10'),                    # 4

        ('frag_len','<H=24+len(data)+len(auth_data)'),  # 8

        ('auth_len','<H=len(auth_data)-8'),             # 10

        ('call_id','<L=1'),                             # 12    <-- Common up to here (including this)

    )

    structure = ( # not used, just for documentation and future use

        ('data',':'),                                   # 24

        ('auth_data',':'),
    )

    def __init__(self, aBuffer = None, endianness = '<'):
        ImpactPacket.Header.__init__(self, self._SIZE)

        self.endianness = endianness
        self.set_version((5, 0))
        self.set_flags(MSRPC_FIRSTFRAG | MSRPC_LASTFRAG)
        if endianness == '<':
            self.set_representation(0x10)
        else:
            self.set_representation(0x0)
        self.__frag_len_set = 0
        self.set_auth_len(0)
        self.set_call_id(1)
        self.set_auth_data('')

        if aBuffer: self.load_header(aBuffer)

    def get_version(self):
        """ This method returns a tuple in (major, minor) form."""
        return (self.get_byte(0), self.get_byte(1))
    def set_version(self, version):
        """ This method takes a tuple in (major, minor) form."""
        self.set_byte(0, version[0])
        self.set_byte(1, version[1])

    def get_type(self):
        return self.get_byte(2)
    def set_type(self, type):
        self.set_byte(2, type)

    def get_flags(self):
        return self.get_byte(3)
    def set_flags(self, flags):
        self.set_byte(3, flags)

    def get_representation(self):
        return self.get_long(4, self.endianness)
    def set_representation(self, representation):
        self.set_long(4, representation, self.endianness)

    def get_frag_len(self):
        return self.get_word(8, self.endianness)
    def set_frag_len(self, len):
        self.__frag_len_set == 1
        self.set_word(8, len, self.endianness)

    def get_auth_len(self):
        return self.get_word(10, self.endianness)
    def set_auth_len(self, len):
        self.set_word(10, len, self.endianness)
    def set_auth_data(self, data):
        self._auth_data = data

    def get_call_id(self):
        return self.get_long(12, self.endianness)
    def set_call_id(self, id):
        self.set_long(12, id, self.endianness)

    def get_header_size(self):
        return self._SIZE

    def contains(self, aHeader):
        ImpactPacket.Header.contains(self, aHeader)
        if self.child():
            self.set_op_num(self.child().OP_NUM)

    def set_alloc_hint(self, hint):
        pass

    def get_packet(self):
        if self._auth_data:
            self.set_auth_len(len(self._auth_data)-8)

        if self.child():
            contents_size = self.child().get_size()
        else:
            contents_size = 0

        contents_size += len(self._auth_data)
        if not self.__frag_len_set:
            self.set_frag_len(self.get_header_size() + contents_size)
        self.set_alloc_hint(contents_size)
        return ImpactPacket.Header.get_packet(self)+self._auth_data

class MSRPCRequestHeader(MSRPCHeader):
    _SIZE = 24

    structure = (  # not used, just for documentation and future use

        ('alloc_hint','<L=frag_len'),                   # 16

        ('ctx_id','<H=0'),                              # 20

        ('op_num','<H'),                                # 22

        ('data',':'),                                   # 24

        ('auth_data',':'),
    )

    def __init__(self, aBuffer = None, endianness = '<'):
        MSRPCHeader.__init__(self, aBuffer = aBuffer, endianness = endianness)
        self.set_type(MSRPC_REQUEST)
        self.set_ctx_id(0)
        self.set_alloc_hint(0)

    def get_alloc_hint(self):
        return self.get_long(16, self.endianness)
    def set_alloc_hint(self, len):
        self.set_long(16, len, self.endianness)

    def get_ctx_id(self):
        return self.get_word(20, self.endianness)
    def set_ctx_id(self, id):
        self.set_word(20, id, self.endianness)

    def get_op_num(self):
        return self.get_word(22, self.endianness)
    def set_op_num(self, op):
        self.set_word(22, op, self.endianness)

class MSRPCRespHeader(MSRPCHeader):
    _SIZE = 24

    structure = ( # not used, just for documentation and future use

        ('alloc_hint','<L=frag_len'),                   # 16    <-- Common up to here (including this)

        ('ctx_id','<H=0'),                              # 20

        ('cancel_count','<B'),                          # 22

        ('padding','<B=0'),                             # 23

        ('data',':'),                                   # 24

        ('auth_data',':'),
    )

    def __init__(self, aBuffer = None, endianness = '<'):
        MSRPCHeader.__init__(self, aBuffer = aBuffer, endianness = endianness)
        self.set_type(MSRPC_RESPONSE)
        self.set_ctx_id(0)
        self.set_alloc_hint(0)

    def get_alloc_hint(self):
        return self.get_long(16, self.endianness)
    def set_alloc_hint(self, len):
        self.set_long(16, len, self.endianness)

    def get_ctx_id(self):
        return self.get_word(20, self.endianness)
    def set_ctx_id(self, id):
        self.set_word(20, id, self.endianness)

    def get_cancel_count(self):
        return self.get_byte(22)

class MSRPCBind(MSRPCHeader):
    _SIZE = 72-44

    structure = ( # not used, just for documentation and future use

        ('max_tfrag','<H=4280'),
        ('max_rfrag','<H=4280'),
        ('assoc_group','<L=0'),
        ('ctx_num','B'),
    )
 
    def __init__(self, aBuffer = None, endianness = '<'):
        MSRPCHeader.__init__(self, aBuffer = aBuffer, endianness = endianness)

        self.set_type(MSRPC_BIND)
        self.set_max_tfrag(4280)
        self.set_max_rfrag(4280)
        self.set_assoc_group(0)
        self.set_ctx_num(1)

    def get_max_tfrag(self):
        return self.get_word(16, self.endianness)
    def set_max_tfrag(self, size):
        self.set_word(16, size, self.endianness)

    def get_max_rfrag(self):
        return self.get_word(18, self.endianness)
    def set_max_rfrag(self, size):
        self.set_word(18, size, self.endianness)

    def get_assoc_group(self):
        return self.get_long(20, self.endianness)
    def set_assoc_group(self, id):
        self.set_long(20, id, self.endianness)

    def get_ctx_num(self):
        return self.get_byte(24)
    def set_ctx_num(self, num):
        self._SIZE = 28+num*44
        self.set_byte(24, num)

    # --- next fields repeated for each interface to bind to

    def get_ctx_id(self, index = 0):
        return self.get_word(28+44*index, self.endianness)
    def set_ctx_id(self, id, index = 0):
        self.set_word(28+44*index, id, self.endianness)

    def get_trans_num(self, index = 0):
        return self.get_byte(30+44*index)
    def set_trans_num(self, op, index = 0):
        self.set_byte(30+44*index, op)
        self.set_byte(31+44*index, 0)

    def get_if_binuuid(self, index = 0):
        return self.get_bytes().tolist()[32+44*index:32+44*index+16]
    def set_if_binuuid(self, binuuid, index = 0):
        self.get_bytes()[32+44*index:32+len(binuuid)+44*index] = array.array('B', binuuid)

    def set_if_ver(self,ver,minor, index = 0):
        self.set_word(48+44*index, ver, self.endianness)
        self.set_word(50+44*index, minor, self.endianness)
    def get_if_ver(self, index = 0):
        return self.get_word(48+44*index, self.endianness)
    def get_if_ver_minor(self, index = 0):
        return self.get_word(50+44*index, self.endianness)
        
    def get_xfer_syntax_binuuid(self, index = 0):
        return self.get_bytes().tolist()[52+44*index:52+44*index+16]
    def set_xfer_syntax_binuuid(self, binuuid, index = 0):
        self.get_bytes()[52+44*index:52+len(binuuid)+44*index] = array.array('B', binuuid)
    
    def set_xfer_syntax_ver(self,ver, index = 0):
        self.set_long(68+44*index, ver, self.endianness)
    def get_xfer_syntax_ver(self, index = 0):
        self.get_long(68+44*index, ver, self.endianness)
        
class MSRPCBindAck(ImpactPacket.Header):
    _SIZE = 56

    def __init__(self, aBuffer = None):
        ImpactPacket.Header.__init__(self, self._SIZE)

        self.set_type(MSRPC_BINDACK)

        if aBuffer: self.load_header(aBuffer)

    def get_version(self):
        """ This method returns a tuple in (major, minor) form."""
        return (self.get_byte(0), self.get_byte(1))
    def set_version(self, version):
        """ This method takes a tuple in (major, minor) form."""
        self.set_byte(0, version[0])
        self.set_byte(1, version[1])

    def get_type(self):
        return self.get_byte(2)
    def set_type(self, type):
        self.set_byte(2, type)

    def get_flags(self):
        return self.get_byte(3)
    def set_flags(self, flags):
        self.set_byte(3, flags)

    def get_representation(self):
        return self.get_long(4, '<')
    def set_representation(self, representation):
        self.set_long(4, representation, '<')

    def get_frag_len(self):
        return self.get_word(8, '<')
    def set_frag_len(self, len):
        self.set_word(8, len, '<')

    def get_auth_len(self):
        return self.get_word(10, '<')
    def set_auth_len(self, len):
        self.set_word(10, len, '<')
    def get_auth_data(self):
        data = self.get_bytes()
        return data[-self.get_auth_len()-8:]

    def get_call_id(self):
        return self.get_long(12, '<')
    def set_call_id(self, id):
        self.set_long(12, id, '<')

    def get_max_tfrag(self):
        return self.get_word(16, '<')
    def set_max_tfrag(self, size):
        self.set_word(16, size, '<')

    def get_max_rfrag(self):
        return self.get_word(18, '<')
    def set_max_rfrag(self, size):
        self.set_word(18, size, '<')

    def get_assoc_group(self):
        return self.get_long(20, '<')
    def set_assoc_group(self, id):
        self.set_long(20, id, '<')

    def get_secondary_addr_len(self):
        return self.get_word(24, '<')
    def set_secondary_addr_len(self, len):
        self.set_word(24, len, '<')

    def get_secondary_addr(self):
        return self.get_bytes().tolist()[26:26+self.get_secondary_addr_len()]
    def set_secondary_addr(self, addr):
        self.get_bytes()[26:26+self.get_secondary_addr_len()] = array.array('B', addr)
        self.set_secondary_addr_len(len(addr))

    def _get_results_offset(self):
        answer = 26+self.get_secondary_addr_len()
        answer +=3
        answer -= answer % 4
        return answer+2
    
    def get_results_num(self):
        return self.get_byte(self._get_results_offset()-2)
    def set_results_num(self, num):
        self.set_byte(self._get_results_offset()-2, num)

    def get_result(self, index = 0):
        return self.get_word(self._get_results_offset()+2*index, '<' )
    def set_result(self, res, index = 0):
        self.set_word(self._get_results_offset()+2*index, '<' )

    def get_xfer_syntax_binuuid(self):
        return self.get_bytes().tolist()[-20:]
    def set_xfer_syntax_binuuid(self, binuuid):
        assert 20 == len(binuuid)
        self.get_bytes()[-20:] = array.array('B', binuuid)


    def get_header_size(self):
        var_size = len(self.get_bytes()) - self._SIZE
        # assert var_size > 0

        return self._SIZE + var_size

    def contains(self, aHeader):
        ImpactPacket.Header.contains(self, aHeader)
        if self.child():
            contents_size = self.child().get_size()
            self.set_op_num(self.child().OP_NUM)
            self.set_frag_len(self.get_header_size() + contents_size)
            self.set_alloc_hint(contents_size)

class MSRPCBindNak(ImpactPacket.Header):
    _SIZE = 24

    def __init__(self, aBuffer = None):
        ImpactPacket.Header.__init__(self, self._SIZE)

        self.set_type(MSRPC_BINDNAK)

        if aBuffer: self.load_header(aBuffer)

    def get_version(self):
        """ This method returns a tuple in (major, minor) form."""
        return (self.get_byte(0), self.get_byte(1))
    def set_version(self, version):
        """ This method takes a tuple in (major, minor) form."""
        self.set_byte(0, version[0])
        self.set_byte(1, version[1])

    def get_type(self):
        return self.get_byte(2)
    def set_type(self, type):
        self.set_byte(2, type)

    def get_flags(self):
        return self.get_byte(3)
    def set_flags(self, flags):
        self.set_byte(3, flags)

    def get_representation(self):
        return self.get_long(4, '<')
    def set_representation(self, representation):
        self.set_long(4, representation, '<')

    def get_frag_len(self):
        return self.get_word(8, '<')
    def set_frag_len(self, len):
        self.set_word(8, len, '<')

    def get_auth_len(self):
        return self.get_word(10, '<')
    def set_auth_len(self, len):
        self.set_word(10, len, '<')

    def get_call_id(self):
        return self.get_long(12, '<')
    def set_call_id(self, id):
        self.set_long(12, id, '<')

    def get_reason(self):
        return self.get_word(16, '<')
    def set_reason(self, reason):
        self.set_word(16, reason, '<')

    def get_assoc_group(self):
        return self.get_long(20, '<')
    def set_assoc_group(self, id):
        self.set_long(20, id, '<')


    def get_header_size(self):
        return self._SIZE

class DCERPC:
    _max_ctx = 0
    def __init__(self,transport):
        self._transport = transport
        self.set_ctx_id(0)
        self._max_frag = None
        self.set_default_max_fragment_size()

    def set_ctx_id(self, ctx_id):
        self._ctx = ctx_id

    def connect(self):
        return self._transport.connect()

    def disconnect(self):
        return self._transport.disconnect()

    def set_max_fragment_size(self, fragment_size):
        # -1 is default fragment size: 0 for v5, 1300 y pico for v4

        #  0 is don't fragment

        #    other values are max fragment size

        if fragment_size == -1:
            self.set_default_max_fragment_size()
        else:
            self._max_frag = fragment_size

    def set_default_max_fragment_size(self):
        # default is 0: don'fragment. v4 will override this method

        self._max_frag = 0

    def send(self, data): raise RuntimeError, 'virtual method. Not implemented in subclass'
    def recv(self): raise RuntimeError, 'virtual method. Not implemented in subclass'
    def alter_ctx(self, newUID, bogus_binds = ''): raise RuntimeError, 'virtual method. Not implemented in subclass'
    def set_credentials(self, username, password): pass
    def set_auth_level(self, auth_level): pass
    def get_idempotent(self): return 0
    def set_idempotent(self, flag): pass
    def call(self, function, body):
        return self.send(DCERPC_RawCall(function, str(body)))

class DCERPC_v5(DCERPC):
    endianness = '<'
    def __init__(self, transport):
        DCERPC.__init__(self, transport)
        self.__auth_level = ntlm.NTLM_AUTH_NONE
        self.__username = None
        self.__password = None
        
    def set_auth_level(self, auth_level):
        # auth level is ntlm.NTLM_AUTH_*

        self.__auth_level = auth_level

    def set_credentials(self, username, password):
        self.set_auth_level(ntlm.NTLM_AUTH_CONNECT)
        # self.set_auth_level(ntlm.NTLM_AUTH_CALL)

        # self.set_auth_level(ntlm.NTLM_AUTH_PKT_INTEGRITY)

        # self.set_auth_level(ntlm.NTLM_AUTH_PKT_PRIVACY)

        self.__username = username
        self.__password = password

    def bind(self, uuid, alter = 0, bogus_binds = 0):
        bind = MSRPCBind(endianness = self.endianness)

        syntax = '\x04\x5d\x88\x8a\xeb\x1c\xc9\x11\x9f\xe8\x08\x00\x2b\x10\x48\x60'

        if self.endianness == '>':
            syntax = unpack('<LHHBB6s', syntax)
            syntax = pack('>LHHBB6s', *syntax)

            uuid = list(unpack('<LHHBB6sHH', uuid))

            uuid[-1] ^= uuid[-2]
            uuid[-2] ^= uuid[-1]
            uuid[-1] ^= uuid[-2]
            
            uuid = pack('>LHHBB6sHH', *uuid)

        ctx = 0
        for i in range(bogus_binds):
            bind.set_ctx_id(self._ctx, index = ctx)
            bind.set_trans_num(1, index = ctx)
            bind.set_if_binuuid('A'*20, index = ctx)
            bind.set_xfer_syntax_binuuid(syntax, index = ctx)
            bind.set_xfer_syntax_ver(2, index = ctx)

            self._ctx += 1
            ctx += 1

        bind.set_ctx_id(self._ctx, index = ctx)
        bind.set_trans_num(1, index = ctx)
        bind.set_if_binuuid(uuid,index = ctx)
        bind.set_xfer_syntax_binuuid(syntax, index = ctx)
        bind.set_xfer_syntax_ver(2, index = ctx)

        bind.set_ctx_num(ctx+1)

        if alter:
            bind.set_type(MSRPC_ALTERCTX)

        if (self.__auth_level != ntlm.NTLM_AUTH_NONE):
            if (self.__username is None) or (self.__password is None):
                self.__username, self.__password, nth, lmh = self._transport.get_credentials()
            auth = ntlm.NTLMAuthNegotiate()
            auth['auth_level']  = self.__auth_level
            auth['auth_ctx_id'] = self._ctx + 79231 
            bind.set_auth_data(str(auth))

        self._transport.send(bind.get_packet())

        s = self._transport.recv()
        if s != 0:
            resp = MSRPCBindAck(s)
        else:
            return 0 #mmm why not None?


        if resp.get_type() == MSRPC_BINDNAK:
            resp = MSRPCBindNak(s)
            status_code = resp.get_reason()
            if rpc_status_codes.has_key(status_code):
                raise Exception(rpc_status_codes[status_code], resp)
            else:
                raise Exception('Unknown DCE RPC fault status code: %.8x' % status_code, resp)
            
        self.__max_xmit_size = resp.get_max_tfrag()

        if self.__auth_level != ntlm.NTLM_AUTH_NONE:
            authResp = ntlm.NTLMAuthChallenge(data = resp.get_auth_data().tostring())
            self._ntlm_challenge = authResp['challenge']
            response = ntlm.NTLMAuthChallengeResponse(self.__username,self.__password, self._ntlm_challenge)
            response['auth_ctx_id'] = self._ctx + 79231 
            response['auth_level'] = self.__auth_level

            if self.__auth_level in (ntlm.NTLM_AUTH_CONNECT, ntlm.NTLM_AUTH_PKT_INTEGRITY, ntlm.NTLM_AUTH_PKT_PRIVACY):
                if self.__password:
                    key = ntlm.compute_nthash(self.__password)
                    if POW:
                        hash = POW.Digest(POW.MD4_DIGEST)
                    else:
                        hash = MD4.new()
                    hash.update(key)
                    key = hash.digest()
                else:
                    key = '\x00'*16

            if POW:
                cipher = POW.Symmetric(POW.RC4)
                cipher.encryptInit(key)
                self.cipher_encrypt = cipher.update
            else:
                cipher = ARC4.new(key)
                self.cipher_encrypt = cipher.encrypt

            if response['flags'] & ntlm.NTLMSSP_KEY_EXCHANGE:
                session_key = 'A'*16     # XXX Generate random session key

                response['session_key'] = self.cipher_encrypt(session_key)
                if POW:
                    cipher = POW.Symmetric(POW.RC4)
                    cipher.encryptInit(session_key)
                    self.cipher_encrypt = cipher.update
                else:
                    cipher = ARC4.new(session_key)
                    self.cipher_encrypt = cipher.encrypt

            self.sequence = 0

            auth3 = MSRPCHeader()
            auth3.set_type(MSRPC_AUTH3)
            auth3.set_auth_data(str(response))
            self._transport.send(auth3.get_packet(), forceWriteAndx = 1)

        return resp     # means packet is signed, if verifier is wrong it fails


    def _transport_send(self, rpc_packet, forceWriteAndx = 0, forceRecv = 0):
        if self.__auth_level == ntlm.NTLM_AUTH_CALL:
            if rpc_packet.get_type() == MSRPC_REQUEST:
                response = ntlm.NTLMAuthChallengeResponse(self.__username,self.__password, self._ntlm_challenge)
                response['auth_ctx_id'] = self._ctx + 79231 
                response['auth_level'] = self.__auth_level
                rpc_packet.set_auth_data(str(response))
                
        if self.__auth_level in [ntlm.NTLM_AUTH_PKT_INTEGRITY, ntlm.NTLM_AUTH_PKT_PRIVACY]:
            verifier = ntlm.NTLMAuthVerifier()
            verifier['auth_level'] = self.__auth_level
            verifier['auth_ctx_id'] = self._ctx + 79231 
            verifier['data'] = ' '*12
            rpc_packet.set_auth_data(str(verifier))

            rpc_call = rpc_packet.child()
            if self.__auth_level == ntlm.NTLM_AUTH_PKT_PRIVACY:
                data = DCERPC_RawCall(rpc_call.OP_NUM)
                data.setData(self.cipher_encrypt(rpc_call.get_packet()))
                rpc_packet.contains(data)
            
            crc = crc32(rpc_call.get_packet())
            data = pack('<LLL',0,crc,self.sequence)     # XXX 0 can be anything: randomize

            data = self.cipher_encrypt(data)
            verifier['data'] = data
            rpc_packet.set_auth_data(str(verifier))

            self.sequence += 1

        self._transport.send(rpc_packet.get_packet(), forceWriteAndx = forceWriteAndx, forceRecv = forceRecv)

    def send(self, data):
        # This endianness does necesary have to be the same as the one used in the bind

        # however, the endianness of the stub data MUST be the same as the one in the bind

        # i.e. the endianness on the next call could be hardcoded to any

        rpc = MSRPCRequestHeader(endianness = self.endianness)

        rpc.set_ctx_id(self._ctx)

        max_frag = self._max_frag

        if data.get_size() > self.__max_xmit_size - 32:
            max_frag = self.__max_xmit_size - 32    # XXX: 32 is a safe margin for auth data


        if self._max_frag:
            max_frag = min(max_frag, self._max_frag)

        if max_frag:
            packet = str(data.get_bytes().tostring())
            offset = 0
            rawcall = DCERPC_RawCall(data.OP_NUM)

            while 1:
                toSend = packet[offset:offset+max_frag]
                if not toSend:
                    break
                flags = 0
                if offset == 0:
                    flags |= MSRPC_FIRSTFRAG
                offset += len(toSend)
                if offset == len(packet):
                    flags |= MSRPC_LASTFRAG
                rpc.set_flags(flags)

                rawcall.setData(toSend)
                rpc.contains(rawcall)
                self._transport_send(rpc, forceWriteAndx = 1, forceRecv = flags & MSRPC_LASTFRAG)
        else:
            rpc.contains(data)
            self._transport_send(rpc)

    def recv(self):
        self.response_data = self._transport.recv()
        self.response_header = MSRPCRespHeader(self.response_data)
        off = self.response_header.get_header_size()
        if self.response_header.get_type() == MSRPC_FAULT and self.response_header.get_frag_len() >= off+4:
            status_code = unpack("<L",self.response_data[off:off+4])[0]
            if rpc_status_codes.has_key(status_code):
                raise Exception(rpc_status_codes[status_code])
            else:
                raise Exception('Unknown DCE RPC fault status code: %.8x' % status_code)
        answer = self.response_data[off:]
        auth_len = self.response_header.get_auth_len()
        if auth_len:
            auth_len += 8
            auth_data = answer[-auth_len:]
            ntlmssp   = ntlm.NTLMAuthHeader(data = auth_data)
            answer = answer[:-auth_len]

            if ntlmssp['auth_level'] == ntlm.NTLM_AUTH_PKT_PRIVACY:
                answer = self.cipher_encrypt(answer)

            if ntlmssp['auth_pad_len']:
                answer = answer[:-ntlmssp['auth_pad_len']]

            if ntlmssp['auth_level'] in [ntlm.NTLM_AUTH_PKT_INTEGRITY, ntlm.NTLM_AUTH_PKT_PRIVACY]:
                ntlmssp = ntlm.NTLMAuthVerifier(data = auth_data)
                data = self.cipher_encrypt(ntlmssp['data'])
                zero, crc, sequence = unpack('<LLL', data)
                self.sequence = sequence + 1

        return answer

    def alter_ctx(self, newUID, bogus_binds = 0):
        answer = self.__class__(self._transport)

        answer.set_credentials(self.__username, self.__password)
        answer.set_auth_level(self.__auth_level)

        self._max_ctx += 1
        answer.set_ctx_id(self._max_ctx)
        
        answer.bind(newUID, alter = 1, bogus_binds = bogus_binds)
        return answer

class DCERPC_RawCall(ImpactPacket.Header):
    def __init__(self, op_num, data = ''):
        self.OP_NUM = op_num
        ImpactPacket.Header.__init__(self)
        self.setData(data)

    def setData(self, data):
        self.get_bytes()[:] = array.array('B', data)

    def get_header_size(self):
        return len(self.get_bytes())




syntax highlighted by Code2HTML, v. 0.9.1