Module: Msf::Exploit::Remote::SMB::Server::Share

Includes:
Msf::Exploit::Remote::SMB::Server, HashCapture
Defined in:
lib/msf/core/exploit/remote/smb/server/share.rb

Overview

This mixin provides a minimal SMB server sharing an UNC resource. At this moment it is capable to share just one file. And the file should live in the root folder “\”.

Instance Attribute Summary collapse

Attributes included from Msf::Exploit::Remote::SocketServer

#service

Instance Method Summary collapse

Methods included from HashCapture

#bin_to_hex, #build_jtr_file_name, #on_ntlm_type3, #report_ntlm_type3, #validate_smb_hash_capture_datastore

Methods included from Auxiliary::Report

#active_db?, #create_cracked_credential, #create_credential, #create_credential_and_login, #create_credential_login, #db, #db_warning_given?, #get_client, #get_host, #inside_workspace_boundary?, #invalidate_login, #mytask, #myworkspace, #myworkspace_id, #report_auth_info, #report_client, #report_exploit, #report_host, #report_loot, #report_note, #report_service, #report_vuln, #report_web_form, #report_web_page, #report_web_site, #report_web_vuln, #store_cred, #store_local, #store_loot

Methods included from Metasploit::Framework::Require

optionally, optionally_active_record_railtie, optionally_include_metasploit_credential_creation, #optionally_include_metasploit_credential_creation, optionally_require_metasploit_db_gem_engines

Methods included from Msf::Exploit::Remote::SMB::Server

#cleanup_service, #on_client_connect

Methods included from Msf::Exploit::Remote::SocketServer

#_determine_server_comm, #bindhost, #bindport, #cleanup, #cleanup_service, #exploit, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvport, #via_string

Instance Attribute Details

#file_contentsString

Returns The contents of the provided file.

Returns:

  • (String)

    The contents of the provided file



23
24
25
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 23

def file_contents
  @file_contents
end

#file_nameString

Returns The file name of the provided UNC.

Returns:

  • (String)

    The file name of the provided UNC.



20
21
22
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 20

def file_name
  @file_name
end

#folder_nameString

Returns The folder where the provided file lives.

Returns:

  • (String)

    The folder where the provided file lives.



17
18
19
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 17

def folder_name
  @folder_name
end

#shareString

Returns The share portion of the provided UNC.

Returns:

  • (String)

    The share portion of the provided UNC.



14
15
16
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 14

def share
  @share
end

Instance Method Details

#get_file_contents(client:) ⇒ String

Returns the file contents for the requested file

Returns:

  • (String)

    The file contents.



92
93
94
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 92

def get_file_contents(client:)
  file_contents
end

#initialize(info = {}) ⇒ Object



25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 25

def initialize(info = {})
  super

  register_options(
    [
      OptPort.new('SRVPORT',    [ true, 'The local port to listen on.', 445 ]),
      OptString.new('SHARE', [ false, 'Share (Default Random)']),
      OptString.new('FILE_NAME', [ false, 'File name to share (Default Random)']),
      OptString.new('FOLDER_NAME', [ false, 'Folder name to share (Default none)'])
    ], Msf::Exploit::Remote::SMB::Server::Share)
  register_advanced_options(
    [
      OptString.new('SMBDomain', [ true, 'The domain name used during SMB exchange.', 'WORKGROUP'])
    ]
  )
end

#setupObject

Setups the server configuration.



70
71
72
73
74
75
76
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 70

def setup
  super

  self.folder_name = datastore['FOLDER_NAME']
  self.share = datastore['SHARE'] || Rex::Text.rand_text_alpha(4 + rand(3))
  self.file_name = datastore['FILE_NAME'] || Rex::Text.rand_text_alpha(4 + rand(3))
end

#start_service(opts = {}) ⇒ Object



42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 42

def start_service(opts = {})
  unless opts[:gss_provider]
    ntlm_provider = Msf::Exploit::Remote::SMB::Server::HashCapture::HashCaptureNTLMProvider.new(
      allow_anonymous: true,
      allow_guests: true,
      listener: self,
      ntlm_type3_status: nil
    )

    # Set domain name for all future server responses
    ntlm_provider.dns_domain = datastore['SMBDomain']
    ntlm_provider.dns_hostname = datastore['SMBDomain']
    ntlm_provider.netbios_domain = datastore['SMBDomain']
    ntlm_provider.netbios_hostname = datastore['SMBDomain']
    opts[:gss_provider] = ntlm_provider
  end

  super(opts)

  virtual_disk = RubySMB::Server::Share::Provider::VirtualDisk.new(@share)
  # the virtual disk expects the path to use the native File::SEPARATOR so normalize on that here
  virtual_disk.add_dynamic_file("#{@folder_name}#{File::SEPARATOR}#{@file_name}".gsub(/\/|\\/, File::SEPARATOR)) do |client, _smb_session|
    get_file_contents(client: client)
  end
  service.add_share(virtual_disk)
end

#uncObject

Builds the UNC Name for the shared file



79
80
81
82
83
84
85
86
87
# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 79

def unc
  if folder_name
    path = "\\\\#{srvhost}\\#{share}\\#{folder_name}\\#{file_name}"
  else
    path = "\\\\#{srvhost}\\#{share}\\#{file_name}"
  end

  path
end