Module: Msf::Exploit::Remote::SMB::Server::Share

Includes:
Msf::Exploit::Remote::SMB::Server, HashCapture
Defined in:
lib/msf/core/exploit/remote/smb/server/share.rb

Overview

This mixin provides a minimal SMB server sharing an UNC resource. At this moment it is capable to share just one file. And the file should live in the root folder “\”.

Instance Attribute Summary collapse

Attributes included from Msf::Exploit::Remote::SocketServer

#service

Instance Method Summary collapse

Methods included from HashCapture

#bin_to_hex, #build_jtr_file_name, #on_ntlm_type3, #report_ntlm_type3, #validate_smb_hash_capture_datastore

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Methods included from Msf::Exploit::Remote::SMB::Server

#on_client_connect

Methods included from Msf::Exploit::Remote::SocketServer

#_determine_server_comm, #bindhost, #bindport, #cleanup_service, #exploit, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #via_string

Instance Attribute Details

#file_contentsString

Returns The contents of the provided file.

Returns:

  • (String)

    The contents of the provided file



23
24
25
 
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 23

def file_contents
  @file_contents
end

#file_nameString

Returns The file name of the provided UNC.

Returns:

  • (String)

    The file name of the provided UNC.



20
21
22
 
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 20

def file_name
  @file_name
end

#folder_nameString

Returns The folder where the provided file lives.

Returns:

  • (String)

    The folder where the provided file lives.



17
18
19
 
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 17

def folder_name
  @folder_name
end

#shareString

Returns The share portion of the provided UNC.

Returns:

  • (String)

    The share portion of the provided UNC.



14
15
16
 
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 14

def share
  @share
end

Instance Method Details

#cleanupObject 



101
102
103
104
105
 
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 101

def cleanup
  self.service.remove_share(share) if self.service.present? && share.present?

  super
end

#get_file_contents(client:) ⇒ String

Returns the file contents for the requested file

Returns:

  • (String)

    The file contents.



97
98
99
 
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 97

def get_file_contents(client:)
  file_contents
end

#initialize(info = {}) ⇒ Object 



25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
 
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 25

def initialize(info = {})
  super

  register_options(
    [
      OptString.new('SHARE', [ false, 'Share (Default: random); cannot contain spaces or slashes'], regex: /^[^\s\/\\]*$/),
      OptString.new('FILE_NAME', [ false, 'File name to share (Default: random)']),
      OptString.new('FOLDER_NAME', [ false, 'Folder name to share (Default: none)'])
    ], Msf::Exploit::Remote::SMB::Server::Share)
  register_advanced_options(
    [
      OptString.new('SMBDomain', [ true, 'The domain name used during SMB exchange.', 'WORKGROUP'])
    ]
  )
end

#setupObject

Setups the server configuration.



75
76
77
78
79
80
81
 
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 75

def setup
  super

  self.folder_name = datastore['FOLDER_NAME']
  self.share = datastore['SHARE'].present? ? datastore['SHARE'] : Rex::Text.rand_text_alpha(4 + rand(3))
  self.file_name = datastore['FILE_NAME'].present? ? datastore['FILE_NAME'] : Rex::Text.rand_text_alpha(4 + rand(3))
end

#start_service(opts = {}) ⇒ Object 



41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
 
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 41

def start_service(opts = {})
  unless opts[:gss_provider]
    ntlm_provider = Msf::Exploit::Remote::SMB::Server::HashCapture::HashCaptureNTLMProvider.new(
      allow_anonymous: true,
      allow_guests: true,
      listener: self,
      ntlm_type3_status: nil
    )

    # Set domain name for all future server responses
    ntlm_provider.dns_domain = datastore['SMBDomain']
    ntlm_provider.dns_hostname = datastore['SMBDomain']
    ntlm_provider.netbios_domain = datastore['SMBDomain']
    ntlm_provider.netbios_hostname = datastore['SMBDomain']
    opts[:gss_provider] = ntlm_provider
  end

  super(opts)

  if share.present?
    if service.shares.key?(share)
      fail_with(Msf::Module::Failure::BadConfig, "The specified SMB share '#{share}' already exists.")
    end

    virtual_disk = RubySMB::Server::Share::Provider::VirtualDisk.new(share)
    # the virtual disk expects the path to use the native File::SEPARATOR so normalize on that here
    virtual_disk.add_dynamic_file("#{@folder_name}#{File::SEPARATOR}#{@file_name}".gsub(/\/|\\/, File::SEPARATOR)) do |client, _smb_session|
      get_file_contents(client: client)
    end
    service.add_share(virtual_disk)
  end
end

#uncObject

Builds the UNC Name for the shared file



84
85
86
87
88
89
90
91
92
 
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 84

def unc
  if folder_name
    path = "\\\\#{srvhost}\\#{share}\\#{folder_name}\\#{file_name}"
  else
    path = "\\\\#{srvhost}\\#{share}\\#{file_name}"
  end

  path
end