metasploit-framework/modules/auxiliary/scanner/smb/smb_enumshares.rb

##
# $Id$
##

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# web site for more information on licensing and terms of use.
#   http://metasploit.com/
##


require 'msf/core'


class Metasploit3 < Msf::Auxiliary

	# Exploit mixins should be called first
	include Msf::Exploit::Remote::SMB
	include Msf::Exploit::Remote::SMB::Authenticated

	include Msf::Exploit::Remote::DCERPC

	# Scanner mixin should be near last
	include Msf::Auxiliary::Report
	include Msf::Auxiliary::Scanner

	def initialize
		super(
			'Name'        => 'SMB Share Enumeration',
			'Version'     => '$Revision$',
			'Description' => 'Determine what shares are provided by the SMB service',
			'Author'      => 'hdm',
			'License'     => MSF_LICENSE,
			'DefaultOptions' => {
				'DCERPC::fake_bind_multi' => false
			}
		)

		register_advanced_options(
			[
				OptBool.new('USE_SRVSVC_ONLY', [true, "By default a netshareenum request is done on the lanman pipe and if fails a second try is done on srvsvc", false])
			], self.class)

		deregister_options('RPORT', 'RHOST')
	end

	def share_type(val)
		stypes = [
			'DISK',
			'PRINTER',
			'DEVICE',
			'IPC',
			'SPECIAL',
			'TEMPORARY'
		]

		if val > (stypes.length - 1)
			return 'UNKNOWN'
		end

		stypes[val]
	end

	def lanman_netshareenum
		begin
		res = self.simple.client.trans(
			"\\PIPE\\LANMAN",
			(
				[0x00].pack('v') +
				"WrLeh\x00"   +
				"B13BWz\x00"  +
				[0x01, 65406].pack("vv")
			)
		)
		rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
			#STATUS_NOT_SUPPORTED
			if( e.error_code == 0xC00000BB ) 
				srvsvc_netshareenum
				return
			end
		end

		lerror, lconv, lentries, lcount = res['Payload'].to_s[
			res['Payload'].v['ParamOffset'],
			res['Payload'].v['ParamCount']
		].unpack("v4")

		data = res['Payload'].to_s[
			res['Payload'].v['DataOffset'],
			res['Payload'].v['DataCount']
		]

		0.upto(lentries - 1) do |i|
			sname,tmp = data[(i * 20) +  0, 14].split("\x00")
			stype     = data[(i * 20) + 14, 2].unpack('v')[0]
			scoff     = data[(i * 20) + 16, 2].unpack('v')[0]
			if ( lconv != 0)
				scoff -= lconv
			end
			scomm,tmp = data[scoff, data.length - scoff].split("\x00")

			@shares << [ sname, share_type(stype), scomm]
		end
	end

	def srvsvc_netshareenum

		simple.connect("IPC$")
		handle = dcerpc_handle('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0', 'ncacn_np', ["\\srvsvc"])
		dcerpc_bind(handle)

		stubdata =
			NDR.uwstring("\\\\#{rhost}") +
			NDR.long(1)  	#level

		ref_id = stubdata[0,4].unpack("V")[0]
		ctr = [1, ref_id + 4 , 0, 0].pack("VVVV")

		stubdata << ctr
		stubdata << NDR.align(ctr)
		stubdata << ["FFFFFFFF"].pack("H*")
		stubdata << [ref_id + 8, 0].pack("VV")
		response = dcerpc.call(0x0f, stubdata)
		res = response.dup
		win_error = res.slice!(-4, 4).unpack("V")[0]
		if win_error != 0
			raise "DCE/RPC error : Win_error = #{win_error + 0}"
		end
		#remove some uneeded data
		res.slice!(0,12) # level, CTR header, Reference ID of CTR
		share_count = res.slice!(0, 4).unpack("V")[0]
		res.slice!(0,4) # Reference ID of CTR1
		share_max_count = res.slice!(0, 4).unpack("V")[0]
		
		raise "Dce/RPC error : Unknow situation encountered count != count max (#{share_count}/#{share_max_count})" if share_max_count != share_count
		
		types = res.slice!(0, share_count * 12).scan(/.{12}/n).map{|a| a[4,2].unpack("v")[0]}  # RerenceID / Type / ReferenceID of Comment

		share_count.times do |t|
			length, offset, max_length = res.slice!(0, 12).unpack("VVV")
			raise "Dce/RPC error : Unknow situation encountered offset != 0 (#{offset})" if offset != 0
			raise "Dce/RPC error : Unknow situation encountered length !=max_length (#{length}/#{max_length})" if length != max_length
			name = res.slice!(0, 2 * length).gsub('\x00','')
			res.slice!(0,2) if length % 2 == 1 # pad

			comment_length, comment_offset, comment_max_length = res.slice!(0, 12).unpack("VVV")
			raise "Dce/RPC error : Unknow situation encountered comment_offset != 0 (#{comment_offset})" if comment_offset != 0
			if comment_length != comment_max_length
				raise "Dce/RPC error : Unknow situation encountered comment_length != comment_max_length (#{comment_length}/#{comment_max_length})" 
			end
			comment = res.slice!(0, 2 * comment_length).gsub('\x00','')
			res.slice!(0,2) if comment_length % 2 == 1 # pad

			@shares << [ name, share_type(types[t]), comment]
		end
	end

	def run_host(ip)

		@shares = []

		[[139, false], [445, true]].each do |info|

		datastore['RPORT'] = info[0]
		datastore['SMBDirect'] = info[1]

		begin
			connect
			smb_login
			if datastore['USE_SRVSVC_ONLY']
				srvsvc_netshareenum
			else
				#If not implemented by target, will fall back to srvsvc_netshareenum
				lanman_netshareenum
			end

			if not @shares.empty?
				print_status("#{ip}:#{rport} #{@shares.map{|x| "#{x[0]} - #{x[2]} (#{x[1]})" }.join(", ")}")
				report_note(
					:host => ip,
					:proto => 'tcp',
					:port => rport,
					:type => 'smb.shares',
					:data => { :shares => @shares },
					:update => :unique_data
				)
			end

			disconnect
			return
		rescue ::Timeout::Error
		rescue ::Interrupt
			raise $!
		rescue ::Rex::ConnectionError
		rescue ::Rex::Proto::SMB::Exceptions::LoginError
			next
		rescue ::Exception => e
			print_line("Error: #{ip} #{e.class} #{e}")
		end
		end
	end


end
SMB share enumeration git-svn-id: file:///home/svn/framework3/trunk@8813 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-14 03:44:50 +00:00			`##`
			`# $Id$`
			`##`

			`##`
			`# This file is part of the Metasploit Framework and may be subject to`
			`# redistribution and commercial restrictions. Please see the Metasploit`
Fix up the boilerplate comment to use a better url 2012-02-21 01:40:50 +00:00			`# web site for more information on licensing and terms of use.`
			`# http://metasploit.com/`
SMB share enumeration git-svn-id: file:///home/svn/framework3/trunk@8813 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-14 03:44:50 +00:00			`##`


			`require 'msf/core'`


			`class Metasploit3 < Msf::Auxiliary`

			`# Exploit mixins should be called first`
			`include Msf::Exploit::Remote::SMB`
Create a new mixin that changes SMBUser/SMBPass to normal options, include this mixin within SMB modules that more often than not require authentication git-svn-id: file:///home/svn/framework3/trunk@9981 4d416f70-5f16-0410-b530-b9f4589650da 2010-08-12 15:00:58 +00:00			`include Msf::Exploit::Remote::SMB::Authenticated`

SMB share enumeration git-svn-id: file:///home/svn/framework3/trunk@8813 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-14 03:44:50 +00:00			`include Msf::Exploit::Remote::DCERPC`

			`# Scanner mixin should be near last`
			`include Msf::Auxiliary::Report`
			`include Msf::Auxiliary::Scanner`

			`def initialize`
			`super(`
			`'Name' => 'SMB Share Enumeration',`
			`'Version' => '$Revision$',`
			`'Description' => 'Determine what shares are provided by the SMB service',`
			`'Author' => 'hdm',`
			`'License' => MSF_LICENSE,`
			`'DefaultOptions' => {`
			`'DCERPC::fake_bind_multi' => false`
			`}`
			`)`

Squashed commit of the following: commit a0b50c394962fc90afc8d6232e1875588ed7ecb3 Author: Alexandre Maloteaux <a.maloteaux@gmail.com> Date: Fri Apr 20 01:45:06 2012 +0100 enumshare: add srvsvc netshareenum request for compatibility with win 7 / 2008r2 [Closes #346] 2012-04-30 23:38:42 +00:00			`register_advanced_options(`
			`[`
			`OptBool.new('USE_SRVSVC_ONLY', [true, "By default a netshareenum request is done on the lanman pipe and if fails a second try is done on srvsvc", false])`
			`], self.class)`

SMB share enumeration git-svn-id: file:///home/svn/framework3/trunk@8813 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-14 03:44:50 +00:00			`deregister_options('RPORT', 'RHOST')`
			`end`

			`def share_type(val)`
Fixes #4626 by checking for an out of bounds value before using the type as an array index git-svn-id: file:///home/svn/framework3/trunk@12809 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-01 23:47:16 +00:00			`stypes = [`
SMB share enumeration git-svn-id: file:///home/svn/framework3/trunk@8813 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-14 03:44:50 +00:00			`'DISK',`
			`'PRINTER',`
			`'DEVICE',`
			`'IPC',`
			`'SPECIAL',`
			`'TEMPORARY'`
Fixes #4626 by checking for an out of bounds value before using the type as an array index git-svn-id: file:///home/svn/framework3/trunk@12809 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-01 23:47:16 +00:00			`]`
msftidy on aux modules, see #5749 2011-11-20 02:12:07 +00:00
Fixes #4626 by checking for an out of bounds value before using the type as an array index git-svn-id: file:///home/svn/framework3/trunk@12809 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-01 23:47:16 +00:00			`if val > (stypes.length - 1)`
			`return 'UNKNOWN'`
			`end`
msftidy on aux modules, see #5749 2011-11-20 02:12:07 +00:00
Fixes #4626 by checking for an out of bounds value before using the type as an array index git-svn-id: file:///home/svn/framework3/trunk@12809 4d416f70-5f16-0410-b530-b9f4589650da 2011-06-01 23:47:16 +00:00			`stypes[val]`
SMB share enumeration git-svn-id: file:///home/svn/framework3/trunk@8813 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-14 03:44:50 +00:00			`end`

Squashed commit of the following: commit a0b50c394962fc90afc8d6232e1875588ed7ecb3 Author: Alexandre Maloteaux <a.maloteaux@gmail.com> Date: Fri Apr 20 01:45:06 2012 +0100 enumshare: add srvsvc netshareenum request for compatibility with win 7 / 2008r2 [Closes #346] 2012-04-30 23:38:42 +00:00			`def lanman_netshareenum`
			`begin`
			`res = self.simple.client.trans(`
			`"\\PIPE\\LANMAN",`
			`(`
			`[0x00].pack('v') +`
			`"WrLeh\x00" +`
			`"B13BWz\x00" +`
			`[0x01, 65406].pack("vv")`
			`)`
			`)`
			`rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e`
			`#STATUS_NOT_SUPPORTED`
			`if( e.error_code == 0xC00000BB )`
			`srvsvc_netshareenum`
			`return`
			`end`
			`end`

			`lerror, lconv, lentries, lcount = res['Payload'].to_s[`
			`res['Payload'].v['ParamOffset'],`
			`res['Payload'].v['ParamCount']`
			`].unpack("v4")`

			`data = res['Payload'].to_s[`
			`res['Payload'].v['DataOffset'],`
			`res['Payload'].v['DataCount']`
			`]`

			`0.upto(lentries - 1) do \|i\|`
			`sname,tmp = data[(i * 20) + 0, 14].split("\x00")`
			`stype = data[(i * 20) + 14, 2].unpack('v')[0]`
			`scoff = data[(i * 20) + 16, 2].unpack('v')[0]`
			`if ( lconv != 0)`
			`scoff -= lconv`
			`end`
			`scomm,tmp = data[scoff, data.length - scoff].split("\x00")`

			`@shares << [ sname, share_type(stype), scomm]`
			`end`
			`end`

			`def srvsvc_netshareenum`

			`simple.connect("IPC$")`
			`handle = dcerpc_handle('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0', 'ncacn_np', ["\\srvsvc"])`
			`dcerpc_bind(handle)`

			`stubdata =`
			`NDR.uwstring("\\\\#{rhost}") +`
			`NDR.long(1) #level`

			`ref_id = stubdata[0,4].unpack("V")[0]`
			`ctr = [1, ref_id + 4 , 0, 0].pack("VVVV")`

			`stubdata << ctr`
			`stubdata << NDR.align(ctr)`
			`stubdata << ["FFFFFFFF"].pack("H*")`
			`stubdata << [ref_id + 8, 0].pack("VV")`
			`response = dcerpc.call(0x0f, stubdata)`
			`res = response.dup`
			`win_error = res.slice!(-4, 4).unpack("V")[0]`
			`if win_error != 0`
			`raise "DCE/RPC error : Win_error = #{win_error + 0}"`
			`end`
			`#remove some uneeded data`
			`res.slice!(0,12) # level, CTR header, Reference ID of CTR`
			`share_count = res.slice!(0, 4).unpack("V")[0]`
			`res.slice!(0,4) # Reference ID of CTR1`
			`share_max_count = res.slice!(0, 4).unpack("V")[0]`

			`raise "Dce/RPC error : Unknow situation encountered count != count max (#{share_count}/#{share_max_count})" if share_max_count != share_count`

			`types = res.slice!(0, share_count * 12).scan(/.{12}/n).map{\|a\| a[4,2].unpack("v")[0]} # RerenceID / Type / ReferenceID of Comment`

			`share_count.times do \|t\|`
			`length, offset, max_length = res.slice!(0, 12).unpack("VVV")`
			`raise "Dce/RPC error : Unknow situation encountered offset != 0 (#{offset})" if offset != 0`
			`raise "Dce/RPC error : Unknow situation encountered length !=max_length (#{length}/#{max_length})" if length != max_length`
			`name = res.slice!(0, 2 * length).gsub('\x00','')`
			`res.slice!(0,2) if length % 2 == 1 # pad`

			`comment_length, comment_offset, comment_max_length = res.slice!(0, 12).unpack("VVV")`
			`raise "Dce/RPC error : Unknow situation encountered comment_offset != 0 (#{comment_offset})" if comment_offset != 0`
			`if comment_length != comment_max_length`
			`raise "Dce/RPC error : Unknow situation encountered comment_length != comment_max_length (#{comment_length}/#{comment_max_length})"`
			`end`
			`comment = res.slice!(0, 2 * comment_length).gsub('\x00','')`
			`res.slice!(0,2) if comment_length % 2 == 1 # pad`

			`@shares << [ name, share_type(types[t]), comment]`
			`end`
			`end`

SMB share enumeration git-svn-id: file:///home/svn/framework3/trunk@8813 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-14 03:44:50 +00:00			`def run_host(ip)`

Squashed commit of the following: commit a0b50c394962fc90afc8d6232e1875588ed7ecb3 Author: Alexandre Maloteaux <a.maloteaux@gmail.com> Date: Fri Apr 20 01:45:06 2012 +0100 enumshare: add srvsvc netshareenum request for compatibility with win 7 / 2008r2 [Closes #346] 2012-04-30 23:38:42 +00:00			`@shares = []`

SMB share enumeration git-svn-id: file:///home/svn/framework3/trunk@8813 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-14 03:44:50 +00:00			`[[139, false], [445, true]].each do \|info\|`

			`datastore['RPORT'] = info[0]`
			`datastore['SMBDirect'] = info[1]`

			`begin`
			`connect`
			`smb_login`
Squashed commit of the following: commit a0b50c394962fc90afc8d6232e1875588ed7ecb3 Author: Alexandre Maloteaux <a.maloteaux@gmail.com> Date: Fri Apr 20 01:45:06 2012 +0100 enumshare: add srvsvc netshareenum request for compatibility with win 7 / 2008r2 [Closes #346] 2012-04-30 23:38:42 +00:00			`if datastore['USE_SRVSVC_ONLY']`
			`srvsvc_netshareenum`
			`else`
			`#If not implemented by target, will fall back to srvsvc_netshareenum`
			`lanman_netshareenum`
SMB share enumeration git-svn-id: file:///home/svn/framework3/trunk@8813 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-14 03:44:50 +00:00			`end`

Squashed commit of the following: commit a0b50c394962fc90afc8d6232e1875588ed7ecb3 Author: Alexandre Maloteaux <a.maloteaux@gmail.com> Date: Fri Apr 20 01:45:06 2012 +0100 enumshare: add srvsvc netshareenum request for compatibility with win 7 / 2008r2 [Closes #346] 2012-04-30 23:38:42 +00:00			`if not @shares.empty?`
			`print_status("#{ip}:#{rport} #{@shares.map{\|x\| "#{x[0]} - #{x[2]} (#{x[1]})" }.join(", ")}")`
SMB share enumeration git-svn-id: file:///home/svn/framework3/trunk@8813 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-14 03:44:50 +00:00			`report_note(`
			`:host => ip,`
			`:proto => 'tcp',`
			`:port => rport,`
			`:type => 'smb.shares',`
Squashed commit of the following: commit a0b50c394962fc90afc8d6232e1875588ed7ecb3 Author: Alexandre Maloteaux <a.maloteaux@gmail.com> Date: Fri Apr 20 01:45:06 2012 +0100 enumshare: add srvsvc netshareenum request for compatibility with win 7 / 2008r2 [Closes #346] 2012-04-30 23:38:42 +00:00			`:data => { :shares => @shares },`
SMB share enumeration git-svn-id: file:///home/svn/framework3/trunk@8813 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-14 03:44:50 +00:00			`:update => :unique_data`
			`)`
			`end`

			`disconnect`
			`return`
Remove the stack traces from these scanners git-svn-id: file:///home/svn/framework3/trunk@9024 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-06 03:57:22 +00:00			`rescue ::Timeout::Error`
SMB share enumeration git-svn-id: file:///home/svn/framework3/trunk@8813 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-14 03:44:50 +00:00			`rescue ::Interrupt`
			`raise $!`
			`rescue ::Rex::ConnectionError`
			`rescue ::Rex::Proto::SMB::Exceptions::LoginError`
			`next`
			`rescue ::Exception => e`
Remove the stack traces from these scanners git-svn-id: file:///home/svn/framework3/trunk@9024 4d416f70-5f16-0410-b530-b9f4589650da 2010-04-06 03:57:22 +00:00			`print_line("Error: #{ip} #{e.class} #{e}")`
SMB share enumeration git-svn-id: file:///home/svn/framework3/trunk@8813 4d416f70-5f16-0410-b530-b9f4589650da 2010-03-14 03:44:50 +00:00			`end`
			`end`
			`end`


			`end`