From b2b8824e2ee40f0d93b080acc2ed06cc46d3d061 Mon Sep 17 00:00:00 2001
From: Rob Fuller
Date: Tue, 22 Oct 2013 16:31:56 -0400
Subject: [PATCH 1/6] add delete and download modules for smb
---
modules/auxiliary/admin/smb/delete_file.rb | 62 ++++++++++++++++
modules/auxiliary/admin/smb/download_file.rb | 75 ++++++++++++++++++++
2 files changed, 137 insertions(+)
create mode 100644 modules/auxiliary/admin/smb/delete_file.rb
create mode 100644 modules/auxiliary/admin/smb/download_file.rb
diff --git a/modules/auxiliary/admin/smb/delete_file.rb b/modules/auxiliary/admin/smb/delete_file.rb
new file mode 100644
index 0000000000..d1bdd83262
--- /dev/null
+++ b/modules/auxiliary/admin/smb/delete_file.rb
@@ -0,0 +1,62 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Msf::Exploit::Remote::SMB
+ include Msf::Exploit::Remote::SMB::Authenticated
+ include Msf::Auxiliary::Report
+
+ # Aliases for common classes
+ SIMPLE = Rex::Proto::SMB::SimpleClient
+ XCEPT = Rex::Proto::SMB::Exceptions
+ CONST = Rex::Proto::SMB::Constants
+
+
+ def initialize
+ super(
+ 'Name' => 'SMB File Delete Utility',
+ 'Description' => %Q{
+ This module deletes a file from a target share and path. The only reason
+ to use this module is if your existing SMB client is not able to support the features
+ of the Metasploit Framework that you need, like pass-the-hash authentication.
+ },
+ 'Author' =>
+ [
+ 'hdm' # metasploit module
+ ],
+ 'References' =>
+ [
+ ],
+ 'License' => MSF_LICENSE
+ )
+
+ register_options([
+ OptString.new('SMBSHARE', [true, 'The name of a share on the RHOST', 'C$']),
+ OptString.new('RPATH', [true, 'The name of the remote file relative to the share'])
+ ], self.class)
+
+ end
+
+ def run
+
+ print_status("Connecting to the server...")
+ connect()
+ smb_login()
+
+ print_status("Mounting the remote share \\\\#{datastore['RHOST']}\\#{datastore['SMBSHARE']}'...")
+ self.simple.connect("\\\\#{rhost}\\#{datastore['SMBSHARE']}")
+
+ print_status("Trying to delete #{datastore['RPATH']}...")
+
+ simple.delete("\\#{datastore['RPATH']}")
+ end
+
+end
diff --git a/modules/auxiliary/admin/smb/download_file.rb b/modules/auxiliary/admin/smb/download_file.rb
new file mode 100644
index 0000000000..028baf010a
--- /dev/null
+++ b/modules/auxiliary/admin/smb/download_file.rb
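Review bot: In `run` of the new delete_file.rb, the "Mounting the remote share" status line prints a UNC path built from `datastore['RHOST']` with a stray `'` before the ellipsis, while the `simple.connect` call on the next line builds its path from `rhost`. For a module whose only action is a destructive delete, with `SMBSHARE` defaulting to `C$`, the operator output should show exactly the path that is mounted: build it once, `share = "\\\\#{rhost}\\#{datastore['SMBSHARE']}"`, and pass `share` to both `print_status` and `simple.connect`. The same two lines appear in `run` of download_file.rb in this patch. The `SIMPLE`, `XCEPT` and `CONST` aliases are not referenced in either new file as shown and could be dropped, and the header comment's URL reads `http//` without the colon.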
@@ -0,0 +1,75 @@
+##
+# This module requires Metasploit: http//metasploit.com/download
+# Current source: https://github.com/rapid7/metasploit-framework
+##
+
+
+require 'msf/core'
+
+
+class Metasploit3 < Msf::Auxiliary
+
+ # Exploit mixins should be called first
+ include Msf::Exploit::Remote::SMB
+ include Msf::Exploit::Remote::SMB::Authenticated
+ include Msf::Auxiliary::Report
+
+ # Aliases for common classes
+ SIMPLE = Rex::Proto::SMB::SimpleClient
+ XCEPT = Rex::Proto::SMB::Exceptions
+ CONST = Rex::Proto::SMB::Constants
+
+
+ def initialize
+ super(
+ 'Name' => 'SMB File Download Utility',
+ 'Description' => %Q{
+ This module downloads a file from a target share and path. The only reason
+ to use this module is if your existing SMB client is not able to support the features
+ of the Metasploit Framework that you need, like pass-the-hash authentication.
+ },
+ 'Author' =>
+ [
+ 'hdm' # metasploit module
+ ],
+ 'References' =>
+ [
+ ],
+ 'License' => MSF_LICENSE
+ )
+
+ register_options([
+ OptString.new('SMBSHARE', [true, 'The name of a share on the RHOST', 'C$']),
+ OptString.new('RPATH', [true, 'The name of the remote file relative to the share']),
+ OptString.new('LPATH', [false, 'The path of the local file to upload'])
+ ], self.class)
+
+ end
+
+ def run
+
+ print_status("Connecting to the server...")
+ connect()
+ smb_login()
+
+ print_status("Mounting the remote share \\\\#{datastore['RHOST']}\\#{datastore['SMBSHARE']}'...")
+ self.simple.connect("\\\\#{rhost}\\#{datastore['SMBSHARE']}")
+
+ print_status("Trying to download #{datastore['RPATH']}...")
+
+ fd = simple.open("\\#{datastore['RPATH']}", 'ro')
+ lfile = fd.read
+ fd.close
+
+ if datastore['LPATH']
+ File.open("#{datastore['LPATH']}", 'w') {|f| f.write(lfile) }
+ print_status("The file has been downloaded to #{datastore['LPATH']}...")
+ else
+ rfilename = datastore['RPATH'].split("\\")[-1]
+ print_status(rfilename)
+ File.open(rfilename, 'w') {|f| f.write(lfile) }
+ print_status("LPATH not
set, the file has been downloaded to #{rfilename}...") + end + end + +end From 8f3228d191d54ff53256fb2a3520d7938e268b02 Mon Sep 17 00:00:00 2001 From: Rob Fuller Date: Tue, 22 Oct 2013 21:13:30 -0400 Subject: [PATCH 2/6] chage author but basic copied from hdms upload_file --- modules/auxiliary/admin/smb/delete_file.rb | 2 +- modules/auxiliary/admin/smb/download_file.rb | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/auxiliary/admin/smb/delete_file.rb b/modules/auxiliary/admin/smb/delete_file.rb index d1bdd83262..64aca62e46 100644 --- a/modules/auxiliary/admin/smb/delete_file.rb +++ b/modules/auxiliary/admin/smb/delete_file.rb @@ -30,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary }, 'Author' => [ - 'hdm' # metasploit module + 'mubix' # copied from hdm upload_file module ], 'References' => [ diff --git a/modules/auxiliary/admin/smb/download_file.rb b/modules/auxiliary/admin/smb/download_file.rb index 028baf010a..aae96df012 100644 --- a/modules/auxiliary/admin/smb/download_file.rb +++ b/modules/auxiliary/admin/smb/download_file.rb @@ -30,7 +30,7 @@ class Metasploit3 < Msf::Auxiliary }, 'Author' => [ - 'hdm' # metasploit module + 'mubix' # copied from hdm upload_file module ], 'References' => [ From af02fd0355e479d7fc77edc3d633cdb9a2b58602 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Wed, 23 Oct 2013 12:13:05 -0500 Subject: [PATCH 3/6] Use store_loot, sorry mubix --- modules/auxiliary/admin/smb/download_file.rb | 17 +++++------------ 1 file changed, 5 insertions(+), 12 deletions(-) diff --git a/modules/auxiliary/admin/smb/download_file.rb b/modules/auxiliary/admin/smb/download_file.rb index aae96df012..9025d77f78 100644 --- a/modules/auxiliary/admin/smb/download_file.rb +++ b/modules/auxiliary/admin/smb/download_file.rb @@ -47,7 +47,6 @@ class Metasploit3 < Msf::Auxiliary end def run - print_status("Connecting to the server...") connect() smb_login() 
@@ -58,18 +57,12 @@ class Metasploit3 < Msf::Auxiliary print_status("Trying to download #{datastore['RPATH']}...") fd = simple.open("\\#{datastore['RPATH']}", 'ro') - lfile = fd.read + data = fd.read fd.close - - if datastore['LPATH'] - File.open("#{datastore['LPATH']}", 'w') {|f| f.write(lfile) } - print_status("The file has been downloaded to #{datastore['LPATH']}...") - else - rfilename = datastore['RPATH'].split("\\")[-1] - print_status(rfilename) - File.open(rfilename, 'w') {|f| f.write(lfile) } - print_status("LPATH not set, the file has been downloaded to #{rfilename}...") - end + + fname = datastore['RPATH'].split("\\")[-1] + path = store_loot("smb.shares.file", "application/octet-stream", rhost, data, fname) + print_good("#{fname} saved as: #{path}") end end From 83a4ac17e864c979d9262167bd8430c760aeec6e Mon Sep 17 00:00:00 2001 From: sinn3r Date: Wed, 23 Oct 2013 12:16:18 -0500 Subject: [PATCH 4/6] Make sure fd is closed to avoid a possible resource leak --- modules/auxiliary/admin/smb/download_file.rb | 11 ++++++++--- 1 file changed, 8 insertions(+), 3 deletions(-) diff --git a/modules/auxiliary/admin/smb/download_file.rb b/modules/auxiliary/admin/smb/download_file.rb index 9025d77f78..e102496ad9 100644 --- a/modules/auxiliary/admin/smb/download_file.rb +++ b/modules/auxiliary/admin/smb/download_file.rb @@ -47,7 +47,8 @@ class Metasploit3 < Msf::Auxiliary end def run - print_status("Connecting to the server...") + + print_status("Connecting to the #{rhost}:#{rport}...") connect() smb_login() @@ -56,9 +57,13 @@ class Metasploit3 < Msf::Auxiliary print_status("Trying to download #{datastore['RPATH']}...") + data = '' fd = simple.open("\\#{datastore['RPATH']}", 'ro') - data = fd.read - fd.close + begin + data = fd.read + ensure + fd.close + end fname = datastore['RPATH'].split("\\")[-1] path = store_loot("smb.shares.file", "application/octet-stream", rhost, data, fname) From 05008426252658671b5646ab08f962996f566807 Mon Sep 17 00:00:00 2001 
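Review bot: In the `@@ -58,18 +57,12 @@` hunk of PATCH 3/6, the `store_loot` call records only the basename taken from `RPATH`, so the stored entry does not say which share or directory the file came from. Two files with the same name from different paths on one host are then indistinguishable in the record. Passing the source as the optional info argument keeps provenance with the data: `store_loot("smb.shares.file", "application/octet-stream", rhost, data, fname, "\\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{datastore['RPATH']}")`. `split("\\")[-1]` also returns the whole string when `RPATH` is typed with forward slashes; whether `store_loot` sanitises that name is not visible on this page. The enclosing method starts outside the hunk.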
From: sinn3r Date: Wed, 23 Oct 2013 12:22:49 -0500 Subject: [PATCH 5/6] Do some exception handling --- modules/auxiliary/admin/smb/download_file.rb | 18 ++++++++++++------ 1 file changed, 12 insertions(+), 6 deletions(-) diff --git a/modules/auxiliary/admin/smb/download_file.rb b/modules/auxiliary/admin/smb/download_file.rb index e102496ad9..9bee5f77fd 100644 --- a/modules/auxiliary/admin/smb/download_file.rb +++ b/modules/auxiliary/admin/smb/download_file.rb @@ -3,10 +3,8 @@ # Current source: https://github.com/rapid7/metasploit-framework ## - require 'msf/core' - class Metasploit3 < Msf::Auxiliary # Exploit mixins should be called first @@ -40,14 +38,12 @@ class Metasploit3 < Msf::Auxiliary register_options([ OptString.new('SMBSHARE', [true, 'The name of a share on the RHOST', 'C$']), - OptString.new('RPATH', [true, 'The name of the remote file relative to the share']), - OptString.new('LPATH', [false, 'The path of the local file to upload']) + OptString.new('RPATH', [true, 'The name of the remote file relative to the share']) ], self.class) end - def run - + def smb_download print_status("Connecting to the #{rhost}:#{rport}...") connect() smb_login() @@ -70,4 +66,14 @@ class Metasploit3 < Msf::Auxiliary print_good("#{fname} saved as: #{path}") end + def run + begin + smb_download + rescue Rex::Proto::SMB::Exceptions::LoginError => e + print_error("Unable to login: #{e.message}") + rescue Rex::Proto::SMB::Exceptions::ErrorCode => e + print_error("Unable to download the file: #{e.message}") + end + end + end From 9a51dd5fc43d985c6b7f0acebc3301872d82b114 Mon Sep 17 00:00:00 2001 From: sinn3r Date: Wed, 23 Oct 2013 12:28:25 -0500 Subject: [PATCH 6/6] Do exception handling and stuff --- modules/auxiliary/admin/smb/delete_file.rb | 21 ++++++++++++++------- 1 file changed, 14 insertions(+), 7 deletions(-) diff --git a/modules/auxiliary/admin/smb/delete_file.rb b/modules/auxiliary/admin/smb/delete_file.rb index 64aca62e46..49a180101f 100644 
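Review bot: The new `run` in download_file.rb (PATCH 5/6, last hunk) rescues only `LoginError` and `ErrorCode`, so a failure inside `connect()` still surfaces as an unhandled exception, and neither the success path nor the error path closes the SMB connection. A connection rescue plus an `ensure` that calls `disconnect` would cover both. This assumes `connect()` raises a `Rex::ConnectionError` subclass and that `disconnect` from the TCP mixin tolerates a socket that was never opened; neither is visible in this file, so confirm both. The explicit `begin`/`end` is redundant because a method body accepts `rescue` directly, and the `XCEPT` alias declared at the top of the class can shorten the constant paths. The `run` added to delete_file.rb in PATCH 6/6 has the same shape and would take the same change.

```ruby
def run
  smb_download
rescue XCEPT::LoginError => e
  print_error("Unable to login: #{e.message}")
rescue XCEPT::ErrorCode => e
  print_error("Unable to download the file: #{e.message}")
rescue Rex::ConnectionError => e
  print_error("Unable to connect: #{e.message}")
ensure
  disconnect
end
```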
--- a/modules/auxiliary/admin/smb/delete_file.rb +++ b/modules/auxiliary/admin/smb/delete_file.rb @@ -3,10 +3,8 @@ # Current source: https://github.com/rapid7/metasploit-framework ## - require 'msf/core' - class Metasploit3 < Msf::Auxiliary # Exploit mixins should be called first @@ -42,11 +40,9 @@ class Metasploit3 < Msf::Auxiliary OptString.new('SMBSHARE', [true, 'The name of a share on the RHOST', 'C$']), OptString.new('RPATH', [true, 'The name of the remote file relative to the share']) ], self.class) - end - def run - + def smb_delete_file print_status("Connecting to the server...") connect() smb_login() @@ -54,9 +50,20 @@ class Metasploit3 < Msf::Auxiliary print_status("Mounting the remote share \\\\#{datastore['RHOST']}\\#{datastore['SMBSHARE']}'...") self.simple.connect("\\\\#{rhost}\\#{datastore['SMBSHARE']}") - print_status("Trying to delete #{datastore['RPATH']}...") - simple.delete("\\#{datastore['RPATH']}") + + # If there's no exception raised at this point, we assume the file has been removed. + print_status("File deleted: #{datastore['RPATH']}...") + end + + def run + begin + smb_delete_file + rescue Rex::Proto::SMB::Exceptions::LoginError => e + print_error("Unable to login: #{e.message}") + rescue Rex::Proto::SMB::Exceptions::ErrorCode => e + print_error("Cannot delete the file: #{e.message}") + end end end
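Review bot: In `smb_delete_file` (last hunk of PATCH 6/6) the success line uses `print_status` and ends in an ellipsis, which reads as work still in progress, whereas download_file.rb reports its success with `print_good`. Suggest `print_good("File deleted: #{datastore['RPATH']}")`. The comment above it says deletion is only assumed when no exception is raised, so unless the result is checked the message describes the request rather than the file's state; wording such as "Delete request accepted for ..." would match the comment. The first status line still says "Connecting to the server..." while PATCH 4/6 changed the download module to print `#{rhost}:#{rport}`, so the two modules now report the same step differently.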