Module: Msf::Exploit::Remote::SMB::Server::Share

Includes:

Msf::Exploit::Remote::SMB::Server, HashCapture

Defined in:

lib/msf/core/exploit/remote/smb/server/share.rb

Overview

This mixin provides a minimal SMB server sharing an UNC resource. At this moment it is capable to share just one file. And the file should live in the root folder “\”.

Instance Attribute Summary

• #file_contents ⇒ String

  The contents of the provided file.

• #file_name ⇒ String

  The file name of the provided UNC.

• #folder_name ⇒ String

  The folder where the provided file lives.

• #share ⇒ String

  The share portion of the provided UNC.

Attributes included from Msf::Exploit::Remote::SocketServer

#service

Instance Method Summary

• #get_file_contents(client:) ⇒ String

  Returns the file contents for the requested file.

• #initialize(info = {}) ⇒ Object
• #setup ⇒ Object

  Setups the server configuration.

• #start_service(opts = {}) ⇒ Object
• #unc ⇒ Object

  Builds the UNC Name for the shared file.

Methods included from HashCapture

#bin_to_hex, #build_jtr_file_name, #on_ntlm_type3, #report_ntlm_type3, #validate_smb_hash_capture_datastore

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Methods included from Msf::Exploit::Remote::SMB::Server

#cleanup_service, #on_client_connect

Methods included from Msf::Exploit::Remote::SocketServer

#_determine_server_comm, #bindhost, #bindport, #cleanup, #cleanup_service, #exploit, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #via_string

Instance Attribute Details

#file_contents ⇒ String

Returns The contents of the provided file.

Returns:

• (String) —

  The contents of the provided file

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 23

def file_contents
  @file_contents
end

#file_name ⇒ String

Returns The file name of the provided UNC.

Returns:

• (String) —

  The file name of the provided UNC.

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 20

def file_name
  @file_name
end

#folder_name ⇒ String

Returns The folder where the provided file lives.

Returns:

• (String) —

  The folder where the provided file lives.

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 17

def folder_name
  @folder_name
end

#share ⇒ String

Returns The share portion of the provided UNC.

Returns:

• (String) —

  The share portion of the provided UNC.

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 14

def share
  @share
end

Instance Method Details

#get_file_contents(client:) ⇒ String

Returns the file contents for the requested file

Returns:

• (String) —

  The file contents.

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 92

def get_file_contents(client:)
  file_contents
end

#initialize(info = {}) ⇒ Object

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 25

def initialize(info = {})
  super

  register_options(
    [
      OptPort.new('SRVPORT',    [ true, 'The local port to listen on.', 445 ]),
      OptString.new('SHARE', [ false, 'Share (Default Random)']),
      OptString.new('FILE_NAME', [ false, 'File name to share (Default Random)']),
      OptString.new('FOLDER_NAME', [ false, 'Folder name to share (Default none)'])
    ], Msf::Exploit::Remote::SMB::Server::Share)
  register_advanced_options(
    [
      OptString.new('SMBDomain', [ true, 'The domain name used during SMB exchange.', 'WORKGROUP'])
    ]
  )
end

#setup ⇒ Object

Setups the server configuration.

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 70

def setup
  super

  self.folder_name = datastore['FOLDER_NAME']
  self.share = datastore['SHARE'] || Rex::Text.rand_text_alpha(4 + rand(3))
  self.file_name = datastore['FILE_NAME'] || Rex::Text.rand_text_alpha(4 + rand(3))
end

#start_service(opts = {}) ⇒ Object

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 42

def start_service(opts = {})
  unless opts[:gss_provider]
    ntlm_provider = Msf::Exploit::Remote::SMB::Server::HashCapture::HashCaptureNTLMProvider.new(
      allow_anonymous: true,
      allow_guests: true,
      listener: self,
      ntlm_type3_status: nil
    )

    # Set domain name for all future server responses
    ntlm_provider.dns_domain = datastore['SMBDomain']
    ntlm_provider.dns_hostname = datastore['SMBDomain']
    ntlm_provider.netbios_domain = datastore['SMBDomain']
    ntlm_provider.netbios_hostname = datastore['SMBDomain']
    opts[:gss_provider] = ntlm_provider
  end

  super(opts)

  virtual_disk = RubySMB::Server::Share::Provider::VirtualDisk.new(@share)
  # the virtual disk expects the path to use the native File::SEPARATOR so normalize on that here
  virtual_disk.add_dynamic_file("#{@folder_name}#{File::SEPARATOR}#{@file_name}".gsub(/\/|\\/, File::SEPARATOR)) do |client, _smb_session|
    get_file_contents(client: client)
  end
  service.add_share(virtual_disk)
end

#unc ⇒ Object

Builds the UNC Name for the shared file

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 79

def unc
  if folder_name
    path = "\\\\#{srvhost}\\#{share}\\#{folder_name}\\#{file_name}"
  else
    path = "\\\\#{srvhost}\\#{share}\\#{file_name}"
  end

  path
end