require 'rex/proto/smb'
require 'rex/proto/dcerpc'
require 'rex/encoder/ndr'
module Msf
###
#
# This mixin provides utility methods for interacting with a SMB/CIFS service on
# a remote machine. These methods may generally be useful in the context of
# exploitation. This mixin extends the Tcp exploit mixin. Only one SMB
# service can be accessed at a time using this class.
#
###
module Exploit::Remote::SMB

  include Exploit::Remote::Tcp

  # Short aliases for the Rex SMB client, its exception classes and its
  # protocol constants.
  SIMPLE = Rex::Proto::SMB::SimpleClient
  XCEPT  = Rex::Proto::SMB::Exceptions
  CONST  = Rex::Proto::SMB::Constants

  # Alias over the Rex DCERPC protocol modules
  DCERPCPacket   = Rex::Proto::DCERPC::Packet
  DCERPCClient   = Rex::Proto::DCERPC::Client
  DCERPCResponse = Rex::Proto::DCERPC::Response
  DCERPCUUID     = Rex::Proto::DCERPC::UUID
  NDR            = Rex::Encoder::NDR

  # The SimpleClient wrapping the current socket; assigned by connect.
  attr_accessor :simple

  #
  # Registers the SMB evasion, advanced and basic options on top of whatever
  # the including module and the Tcp mixin already declare. All three groups
  # are owned by Msf::Exploit::Remote::SMB.
  #
  def initialize(info = {})
    super

    # Pipe segmentation and header/path obfuscation knobs. The *_level values
    # are copied into the SimpleClient's evasion_opts by connect.
    register_evasion_options(
      [
        OptBool.new('SMB::pipe_evasion', [true, 'Enable segmented read/writes for SMB Pipes', 'False']),
        OptInt.new('SMB::pipe_write_min_size', [true, 'Minimum buffer size for pipe writes', 1]),
        OptInt.new('SMB::pipe_write_max_size', [true, 'Maximum buffer size for pipe writes', 1024]),
        OptInt.new('SMB::pipe_read_min_size', [true, 'Minimum buffer size for pipe reads', 1]),
        OptInt.new('SMB::pipe_read_max_size', [true, 'Maximum buffer size for pipe reads', 1024]),
        OptInt.new('SMB::pad_data_level', [true, 'Place extra padding between headers and data (level 0-3)', 0]),
        OptInt.new('SMB::pad_file_level', [true, 'Obscure path names used in open/create (level 0-3)', 0]),
        OptInt.new('SMB::obscure_trans_pipe_level', [true, 'Obscure PIPE string in TransNamedPipe (level 0-3)', 0])
      ], Msf::Exploit::Remote::SMB)

    # Transport framing and the credentials used by smb_login.
    register_advanced_options(
      [
        OptBool.new('SMBDirect', [true, 'The target port is a raw SMB service (not NetBIOS)', 'True']),
        OptString.new('SMBUser', [false, 'The username to authenticate as', '']),
        OptString.new('SMBPass', [false, 'The password for the specified username', '']),
        OptString.new('SMBDomain', [false, 'The Windows domain to use for authentication', 'WORKGROUP']),
        OptString.new('SMBName', [true, 'The NetBIOS hostname (required for port 139 connections)', '*SMBSERVER'])
      ], Msf::Exploit::Remote::SMB)

    register_options(
      [
        Opt::RHOST,
        OptInt.new('RPORT', [true, 'Set the SMB service port', 445])
      ], Msf::Exploit::Remote::SMB)
  end

  #
  # Tears down any existing connection, opens a fresh TCP connection through
  # the Tcp mixin and wraps the resulting socket in a SimpleClient. SMBDirect
  # tells the client whether the port speaks raw SMB rather than NetBIOS.
  # The SMB::*_level evasion options are then pushed into the client's
  # evasion_opts.
  #
  def connect
    disconnect
    super

    self.simple = SIMPLE.new(sock, datastore['SMBDirect'])

    # setup pipe evasion foo
    if datastore['SMB::pipe_evasion']
      # XXX - insert code to change the instance of the read/write functions to do segmentation
    end

    # datastore option -> evasion_opts key, applied in this order whenever the
    # option has a value (an OptInt default of 0 is truthy in Ruby, so these
    # are normally always assigned).
    [
      ['SMB::pad_data_level',           'pad_data'],
      ['SMB::pad_file_level',           'pad_file'],
      ['SMB::obscure_trans_pipe_level', 'obscure_trans_pipe']
    ].each do |option, key|
      level = datastore[option]
      simple.client.evasion_opts[key] = level if level
    end
  end

  # Convert a standard ASCII string to 16-bit Unicode
  def unicode(str)
    Rex::Text.to_unicode(str)
  end

  #
  # Establishes an SMB session over the default socket: authenticates with
  # the SMBName, SMBUser, SMBPass and SMBDomain datastore values, then
  # connects to the IPC$ share on RHOST. Credentials are passed through
  # exactly as configured; the option defaults are an empty user and
  # password (presumably an anonymous session -- confirm against
  # SimpleClient#login).
  #
  def smb_login
    name, user, pass, domain = %w[SMBName SMBUser SMBPass SMBDomain].map { |key| datastore[key] }

    simple.login(name, user, pass, domain)
    simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
  end

  # The native operating system string the underlying SMB client recorded
  # for the peer.
  def smb_peer_os
    simple.client.peer_native_os
  end

  # The native LAN Manager string the underlying SMB client recorded for the
  # peer.
  def smb_peer_lm
    simple.client.peer_native_lm
  end

  # Opens a handle to the named IPC pipe through the SimpleClient and returns
  # whatever create_pipe returns.
  def smb_create(pipe)
    simple.create_pipe(pipe)
  end

  # The NetBIOS hostname to present to the server: SMBName when set, else
  # '*SMBSERVER'.
  def smb_hostname
    name = datastore['SMBName']
    name ? name : '*SMBSERVER'
  end

end
###
#
# This mixin provides a minimal SMB server
#
###
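module Exploit::Remote::SMBServer

  include Exploit::Remote::TcpServer

  CONST = ::Rex::Proto::SMB::Constants
  CRYPT = ::Rex::Proto::SMB::Crypt
  UTILS = ::Rex::Proto::SMB::Utils
  XCEPT = ::Rex::Proto::SMB::Exceptions
  EVADE = ::Rex::Proto::SMB::Evasions

  #
  # Registers the listening port option (SRVPORT, default 139) for the
  # including module.
  #
  def initialize(info = {})
    super

    register_options(
      [
        OptPort.new('SRVPORT', [ true, "The local port to listen on.", 139 ])
      ], self.class)
  end

  #
  # Runs the TcpServer setup and resets the per-client state table, which is
  # keyed by the client connection object.
  #
  def setup
    super
    @state = {}
  end

  # TcpServer callback: a new client connected; allocate its state entry.
  def on_client_connect(client)
    # print_status("New SMB connection from #{client.peerhost}:#{client.peerport}")
    smb_conn(client)
  end

  # TcpServer callback: data is readable; consume it and dispatch every
  # complete frame. Always returns true.
  def on_client_data(client)
    # print_status("New data from #{client.peerhost}:#{client.peerport}")
    smb_recv(client)
    true
  end

  # TcpServer callback: the client went away; drop its state entry.
  def on_client_close(client)
    smb_stop(client)
  end

  #
  # Creates the state entry for client +c+: a printable "host:port" name plus
  # the peer address and port. Further keys (:data, :nbdst, :nbsrc and the
  # *_id values read by smb_set_defaults) are added on demand.
  #
  def smb_conn(c)
    @state[c] = {:name => "#{c.peerhost}:#{c.peerport}", :ip => c.peerhost, :port => c.peerport}
  end

  # Removes the state entry for client +c+.
  def smb_stop(c)
    @state.delete(c)
  end

  #
  # Appends whatever the client has sent to its receive buffer and then
  # processes every complete NetBIOS session frame in it. A NetBIOS session
  # request (type 0x81) is answered with a positive session response; any
  # other frame is parsed as an SMB request and handed to smb_cmd_dispatch.
  # An incomplete frame stays buffered until more data arrives.
  #
  def smb_recv(c)
    smb = @state[c]
    smb[:data] ||= ''

    # get_once may yield nil when nothing is readable; appending nil to a
    # String raises TypeError, so only append real data and still drain
    # whatever is already buffered.
    chunk = c.get_once
    smb[:data] << chunk if chunk

    # NOTE(review): byte offsets below assume smb[:data] indexes by byte
    # (binary data from the socket) -- confirm on Ruby 1.9+ encodings.
    while smb[:data].length > 0

      # The 4 byte NetBIOS session header is needed before the frame length
      # is known.
      return if smb[:data].length < 4

      # RFC 1002 session header: TYPE, FLAGS, LENGTH (16 bit). The low bit of
      # FLAGS is the length extension carrying the 17th length bit; ignoring
      # it would mis-frame any message over 64K and desynchronise the stream.
      _type, flags, plen = smb[:data][0, 4].unpack('CCn')
      plen |= 0x10000 if (flags & 0x01) != 0

      return if smb[:data].length < plen + 4

      buff = smb[:data].slice!(0, plen + 4)

      # NOTE(review): the two from_s calls in this loop run outside the rescue
      # that protects smb_cmd_dispatch, so a malformed frame that makes the
      # struct parser raise propagates out of the data callback. Confirm how
      # Struct2 behaves on short input before widening the rescue.
      pkt_nbs = CONST::NBRAW_PKT.make_struct
      pkt_nbs.from_s(buff)

      # print_status("NetBIOS request from #{smb[:name]} #{pkt_nbs.v['Type']} #{pkt_nbs.v['Flags']} #{buff.inspect}")

      # Check for a NetBIOS name request
      if pkt_nbs.v['Type'] == 0x81
        # Accept any name they happen to send
        host_dst = UTILS.nbname_decode(pkt_nbs.v['Payload'][1,32]).gsub(/[\x00\x20]+$/, '')
        host_src = UTILS.nbname_decode(pkt_nbs.v['Payload'][35,32]).gsub(/[\x00\x20]+$/, '')

        smb[:nbdst] = host_dst
        smb[:nbsrc] = host_src

        # print_status("NetBIOS session request from #{smb[:name]} (asking for #{host_dst} from #{host_src})")

        # Positive session response: type 0x82, zero length.
        c.write("\x82\x00\x00\x00")
        next
      end

      #
      # TODO: Support AndX parameters
      #

      # Cast this to a generic SMB structure
      pkt = CONST::SMB_BASE_PKT.make_struct
      pkt.from_s(buff)

      # Only respond to requests, ignore server replies (Flags1 bit 7 set)
      if (pkt['Payload']['SMB'].v['Flags1'] & 128) != 0
        print_status("Ignoring server response from #{smb[:name]}")
        next
      end

      cmd = pkt['Payload']['SMB'].v['Command']

      begin
        smb_cmd_dispatch(cmd, c, buff)
      rescue ::Interrupt
        raise
      rescue ::Exception => e
        # NOTE(review): deliberately broad so that one bad request from a peer
        # cannot take the listener down, but ::Exception also swallows
        # SystemExit and NoMemoryError; ::StandardError would be the narrower
        # choice if the surrounding server tolerates it.
        print_status("Error processing request from #{smb[:name]} (#{cmd}): #{e.class} #{e.to_s} #{e.backtrace.to_s}")
        next
      end
    end
  end

  #
  # Default command handler; presumably overridden by including modules.
  # +cmd+ is the SMB command byte, +c+ the client connection and +buff+ the
  # complete raw frame including its 4 byte NetBIOS header. This default
  # implementation only logs the command.
  #
  def smb_cmd_dispatch(cmd, c, buff)
    smb = @state[c]
    print_status("Received command #{cmd} from #{smb[:name]}")
  end

  #
  # Copies the per-client ProcessID, UserID, TreeID and MultiplexID kept in
  # @state into the SMB header of +pkt+. Ids that were never recorded become
  # 0 via nil.to_i. Nothing in this mixin sets those state keys itself.
  #
  def smb_set_defaults(c, pkt)
    smb = @state[c]
    hdr = pkt['Payload']['SMB']

    hdr.v['ProcessID']   = smb[:process_id].to_i
    hdr.v['UserID']      = smb[:user_id].to_i
    hdr.v['TreeID']      = smb[:tree_id].to_i
    hdr.v['MultiplexID'] = smb[:multiplex_id].to_i
  end

end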
end