I am working on a project using Samba 3.6.25. When I follow the "smbclient" source code trying to create my own utility for listing the SMB server, I come across a strange thing:
When I call the function, it skips my first parameter: the first parameter is filled with the second, the second with the third, and so on.
The function called is cli_rpc_pipe_open_noauth_transport() in cli_pipe.c. I have added some debugging code:
    NTSTATUS cli_rpc_pipe_open_noauth_transport(struct cli_state *cli,
                                                enum dcerpc_transport_t transport,
                                                const struct ndr_syntax_id *interface,
                                                struct rpc_pipe_client **presult)
    {
        struct rpc_pipe_client *result;
        struct pipe_auth_data *auth;
        NTSTATUS status;

        status = cli_rpc_pipe_open(cli, transport, interface, &result);

        _DEBUG("cli = %p", cli);
        _DEBUG("transport = %p", transport);
        _DEBUG("interface = %p", interface);
        _DEBUG("presult = %p", presult);
        _DEBUG("cli->desthost = %p", cli->desthost);
        _DEBUG("cli->desthost = \"%s\"", cli->desthost);

        if (!NT_STATUS_IS_OK(status)) {
            return status;
        }
        ...
And here is how I call this function:
    NTSTATUS _pipe_open_noauth(struct cli_state *cli,
                               const struct ndr_syntax_id *intf,
                               struct rpc_pipe_client **presult)
    {
        SMBD_DEBUG("cli = %p", cli);
        SMBD_DEBUG("intf = %p", intf);
        SMBD_DEBUG("presult = %p", presult);
        SMBD_DEBUG("cli->desthost = %p", cli->desthost);
        SMBD_DEBUG("cli->desthost = \"%s\"", cli->desthost);

        return cli_rpc_pipe_open_noauth_transport(cli, 1, intf, presult);
    }
Here is what I get in the console:
    --- SMBD (util_smbclient.c, 117): cli = 0xdb2b20
    --- SMBD (util_smbclient.c, 118): intf = 0xda31c0
    --- SMBD (util_smbclient.c, 119): presult = 0x7fe9fdc8
    --- SMBD (util_smbclient.c, 120): cli->desthost = 0xdd3a50
    --- SMBD (util_smbclient.c, 121): cli->desthost = "192.168.1.125"
    === Samba (rpc_client/cli_pipe.c, 2873): cli = 0x1
    === Samba (rpc_client/cli_pipe.c, 2874): transport = 0xda31c0
    === Samba (rpc_client/cli_pipe.c, 2875): interface = 0x7fe9fdc8
    === Samba (rpc_client/cli_pipe.c, 2876): presult = 0xdaf3d0
That doesn't make sense! The four parameters I passed in are: 0xdb2b20, 0x1, 0xda31c0, 0x7fe9fdc8. But what cli_rpc_pipe_open_noauth_transport() received is: 0x1, 0xda31c0, 0x7fe9fdc8, 0xdaf3d0
It is quite obvious that the first parameter "0xdb2b20" is missing, and the second took its place.
Does anyone know what is happening and how can I fix it?
Thank you in advance!
--- Additional Information:
The toolchain I used was mipsel-linux-uclibc-cc / ld / ar. I ran objdump on several object files to see what was happening.
I dumped my own program; here is the assembly that calls the function. I noticed that the four parameters are passed in order in a0, a1, a2, a3:
    409bf0: 8fdc0010  lw      gp,16(s8)
    409bf4: 8fc40020  lw      a0,32(s8)
    409bf8: 24050001  li      a1,1            # store "1" in a1
    409bfc: 8fc60024  lw      a2,36(s8)
    409c00: 8fc70028  lw      a3,40(s8)
    409c04: 8f99ab74  lw      t9,-21644(gp)
    409c08: 00000000  nop
    409c0c: 0320f809  jalr    t9
    409c10: 00000000  nop
    409c14: 8fdc0010  lw      gp,16(s8)
    409c18: 03c0e821  move    sp,s8
    409c1c: 8fbf001c  lw      ra,28(sp)
    409c20: 8fbe0018  lw      s8,24(sp)
    409c24: 03e00008  jr      ra
    409c28: 27bd0020  addiu   sp,sp,32
Then I dumped smbclient, which also calls cli_rpc_pipe_open_noauth_transport(). Here the problem showed up: it seems that a0 was NOT used to pass the parameter!!!
    <cli_rpc_pipe_open_noauth>:
    ...
    487840: 8fdc0018  lw      gp,24(s8)
    487844: 8fc2003c  lw      v0,60(s8)
    487848: 00000000  nop
    48784c: afa20010  sw      v0,16(sp)
    487850: 02002021  move    a0,s0
    487854: 8fc50034  lw      a1,52(s8)
    487858: 24060001  li      a2,1
Finally, I dumped cli_rpc_pipe_open_noauth_transport() itself; it seems to work like this (smbclient):
    0053bdac <cli_rpc_pipe_open_noauth_transport>:
    53bdac: 3c1c0087  lui     gp,0x87
    53bdb0: 279c3624  addiu   gp,gp,13860
    53bdb4: 0399e021  addu    gp,gp,t9
    53bdb8: 27bdffc0  addiu   sp,sp,-64
    53bdbc: afbf0038  sw      ra,56(sp)
    53bdc0: afbe0034  sw      s8,52(sp)
    53bdc4: afb00030  sw      s0,48(sp)
    53bdc8: 03a0f021  move    s8,sp
    53bdcc: afbc0018  sw      gp,24(sp)
    53bdd0: afc40040  sw      a0,64(s8)
    53bdd4: afc50044  sw      a1,68(s8)
    53bdd8: afc60048  sw      a2,72(s8)
    53bddc: afc7004c  sw      a3,76(s8)
    53bde0: 8f848080  lw      a0,-32640(gp)
    53bde4: 00000000  nop
    53bde8: 24844da0  addiu   a0,a0,19872
    53bdec: 24050b39  li      a1,2873
    53bdf0: 8fc60044  lw      a2,68(s8)
    53bdf4: 8f99cab0  lw      t9,-13648(gp)
    53bdf8: 00000000  nop
    53bdfc: 0320f809  jalr    t9              <-- invoke cli_rpc_pipe_open()
    53be00: 00000000  nop
Additional Information No. 2 - How I compile my program
- I downloaded Samba from the official FTP server.
- configure and make (cross compilation)
- Find all .o files in the "source3" directory and archive them together into a single .a file.
- Write my own application that calls the Samba functions the way its own smbclient program does, with many -I options so that it compiles.
- Link against the libsmbclient.a officially provided by Samba and my own .a archive from step 3.
Additional Information No.3
Full source of this repository: https://github.com/Andrew-MC/SMB-CIFS_discovery
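The argument shift visible in the dumps above can be read off mechanically. The following Python script is an added example, not code from the question or from Samba: it parses objdump -d style MIPS listings (the two listings embedded in it are constructed from the dumps quoted above), follows each incoming a0-a3 through the prologue spills of cli_rpc_pipe_open_noauth_transport, and reports which incoming register the value passed to the first debug call was loaded from. That first call sets a1 = 2873, which is the source line printed as "cli = %p" in the console output, so its a2 operand is the callee's notion of cli; for this listing it comes from incoming a1, one register to the right of where the caller put it. On the MIPS o32 ABI that is exactly the shape of a function that returns a struct by value: the caller passes a hidden pointer to the return slot in a0 and the named parameters start at a1. Samba's NTSTATUS is a struct {uint32_t v;} when HAVE_IMMEDIATE_STRUCTURES is defined (see ntstatus.h) and a plain uint32_t otherwise, so the check worth making is whether your program and the archived Samba objects were compiled against the same config.h. The script itself only measures the register shift and assumes nothing about its cause.

```python
"""Trace MIPS o32 argument registers through a callee's stack frame.

Added example: parse objdump -d style listings, record which stack slot each
incoming argument register (a0-a3) is spilled to in the prologue, and report
which incoming register a later load from such a slot actually reads.
"""
import re

# Constructed sample: callee prologue and first debug call, transcribed from
# the question's dump of cli_rpc_pipe_open_noauth_transport in smbclient.
CALLEE_LISTING = """\
0053bdac <cli_rpc_pipe_open_noauth_transport>:
  53bdac: 3c1c0087  lui gp,0x87
  53bdb0: 279c3624  addiu gp,gp,13860
  53bdb4: 0399e021  addu gp,gp,t9
  53bdb8: 27bdffc0  addiu sp,sp,-64
  53bdbc: afbf0038  sw ra,56(sp)
  53bdc0: afbe0034  sw s8,52(sp)
  53bdc4: afb00030  sw s0,48(sp)
  53bdc8: 03a0f021  move s8,sp
  53bdcc: afbc0018  sw gp,24(sp)
  53bdd0: afc40040  sw a0,64(s8)
  53bdd4: afc50044  sw a1,68(s8)
  53bdd8: afc60048  sw a2,72(s8)
  53bddc: afc7004c  sw a3,76(s8)
  53bde0: 8f848080  lw a0,-32640(gp)
  53bde4: 00000000  nop
  53bde8: 24844da0  addiu a0,a0,19872
  53bdec: 24050b39  li a1,2873
  53bdf0: 8fc60044  lw a2,68(s8)
  53bdf4: 8f99cab0  lw t9,-13648(gp)
  53bdf8: 00000000  nop
  53bdfc: 0320f809  jalr t9
  53be00: 00000000  nop
"""

# Constructed sample: the caller side, transcribed from the question's own program.
CALLER_LISTING = """\
  409bf0: 8fdc0010  lw gp,16(s8)
  409bf4: 8fc40020  lw a0,32(s8)
  409bf8: 24050001  li a1,1
  409bfc: 8fc60024  lw a2,36(s8)
  409c00: 8fc70028  lw a3,40(s8)
  409c04: 8f99ab74  lw t9,-21644(gp)
  409c08: 00000000  nop
  409c0c: 0320f809  jalr t9
  409c10: 00000000  nop
"""

ARG_REGS = ("a0", "a1", "a2", "a3")  # o32 integer argument registers, in order

# "<addr>: <opcode>  <mnemonic> [<operands>]"; label lines have no colon after the address
INSN_RE = re.compile(r"^\s*[0-9a-f]+:\s+[0-9a-f]{8}\s+(\S+)(?:\s+(\S+))?")
MEM_RE = re.compile(r"^(\w+),(-?\d+)\((\w+)\)$")  # "reg,offset(base)"


def parse(listing):
    """Yield (mnemonic, operands) for each instruction line; skip labels and blanks."""
    for line in listing.splitlines():
        m = INSN_RE.match(line)
        if m:
            yield m.group(1), m.group(2) or ""


def callee_argument_slots(listing):
    """Return (spills, reads): spills maps (base, offset) -> incoming a-register
    stored there by the prologue; reads lists (destination, incoming register)
    for every later lw that pulls one of those slots back."""
    spills, reads = {}, []
    for mnem, ops in parse(listing):
        m = MEM_RE.match(ops)
        if not m:
            continue
        reg, off, base = m.group(1), int(m.group(2)), m.group(3)
        if mnem == "sw" and reg in ARG_REGS:
            spills[(base, off)] = reg
        elif mnem == "lw" and (base, off) in spills:
            reads.append((reg, spills[(base, off)]))
    return spills, reads


def caller_argument_registers(listing):
    """Collect the a0-a3 set up by the caller before its jalr, in register order."""
    written = {}
    for mnem, ops in parse(listing):
        if mnem == "jalr":
            break
        dest = ops.split(",")[0] if ops else ""
        if dest in ARG_REGS:
            written[dest] = f"{mnem} {ops}"
    return [written[r] for r in ARG_REGS if r in written]


def first_named_parameter_register(listing):
    """Incoming register behind the first spilled-slot read after the prologue.
    Heuristic for this listing: that read feeds the value argument of the first
    debug call, which the console output identifies as `cli`."""
    _, reads = callee_argument_slots(listing)
    return reads[0][1] if reads else None


def summarize(caller_listing, callee_listing):
    """Shift between the caller's a0 and the register the callee reads its first
    named parameter from; non-zero means the two sides disagree about the ABI."""
    first = first_named_parameter_register(callee_listing)
    return {
        "outgoing": caller_argument_registers(caller_listing),
        "callee_first_param_in": first,
        "shift": ARG_REGS.index(first) if first else None,
    }


if __name__ == "__main__":
    for key, value in summarize(CALLER_LISTING, CALLEE_LISTING).items():
        print(f"{key}: {value}")
```

The same two functions can be pointed at any pair of listings from the build: dump the caller in your program and the callee in the archived Samba object with objdump -d, paste the relevant lines, and a non-zero shift tells you the two were compiled with different views of the function's signature or return type before you spend time on the pointer values themselves.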