Module: Msf::Exploit::Remote::SMB::Server::Share

Includes:

Relay::NTLM::HashCapture, Msf::Exploit::Remote::SMB::Server

Defined in:

lib/msf/core/exploit/remote/smb/server/share.rb

Overview

This mixin provides a minimal SMB server sharing an UNC resource. At this moment it is capable to share just one file. And the file should live in the root folder “\”.

Instance Attribute Summary

• #file_contents ⇒ String

  The contents of the provided file.

• #file_name ⇒ String

  The file name of the provided UNC.

• #folder_name ⇒ String

  The folder where the provided file lives.

• #share ⇒ String

  The share portion of the provided UNC.

Attributes included from Msf::Exploit::Remote::SocketServer

#service

Instance Method Summary

• #cleanup ⇒ Object
• #get_file_contents(client:) ⇒ String

  Returns the file contents for the requested file.

• #initialize(info = {}) ⇒ Object
• #setup ⇒ Object

  Setups the server configuration.

• #start_service(opts = {}) ⇒ Object
• #unc ⇒ Object

  Builds the UNC Name for the shared file.

Methods included from Msf::Exploit::Remote::SMB::Server

#on_client_connect

Methods included from Msf::Exploit::Remote::SocketServer

#_determine_server_comm, #bindhost, #bindport, #cleanup_service, #exploit, #on_client_data, #primer, #regenerate_payload, #srvhost, #srvhost_addr, #srvport, #via_string

Instance Attribute Details

#file_contents ⇒ String

Returns The contents of the provided file.

Returns:

• (String) —

  The contents of the provided file

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 23

def file_contents
  @file_contents
end

#file_name ⇒ String

Returns The file name of the provided UNC.

Returns:

• (String) —

  The file name of the provided UNC.

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 20

def file_name
  @file_name
end

#folder_name ⇒ String

Returns The folder where the provided file lives.

Returns:

• (String) —

  The folder where the provided file lives.

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 17

def folder_name
  @folder_name
end

#share ⇒ String

Returns The share portion of the provided UNC.

Returns:

• (String) —

  The share portion of the provided UNC.

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 14

def share
  @share
end

Instance Method Details

#cleanup ⇒ Object

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 103

def cleanup
  self.service.remove_share(share) if self.service.present? && share.present?

  super
end

#get_file_contents(client:) ⇒ String

Returns the file contents for the requested file

Returns:

• (String) —

  The file contents.

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 99

def get_file_contents(client:)
  file_contents
end

#initialize(info = {}) ⇒ Object

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 25

def initialize(info = {})
  super

  register_options(
    [
      OptAddressRoutable.new('SRVHOST', [false, 'The local host to listen on and use for incoming connections.']),
      OptString.new('SHARE', [ false, 'Share (Default: random); cannot contain spaces or slashes'], regex: /^[^\s\/\\]*$/),
      OptString.new('FILE_NAME', [ false, 'File name to share (Default: random)']),
      OptString.new('FOLDER_NAME', [ false, 'Folder name to share (Default: none)'])
    ], Msf::Exploit::Remote::SMB::Server::Share)
  register_advanced_options(
    [
      OptString.new('SMBDomain', [ true, 'The domain name used during SMB exchange.', 'WORKGROUP'])
    ]
  )
end

#setup ⇒ Object

Setups the server configuration.

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 77

def setup
  super

  self.folder_name = datastore['FOLDER_NAME']
  self.share = datastore['SHARE'].present? ? datastore['SHARE'] : Rex::Text.rand_text_alpha(4 + rand(3))
  self.file_name = datastore['FILE_NAME'].present? ? datastore['FILE_NAME'] : Rex::Text.rand_text_alpha(4 + rand(3))
end

#start_service(opts = {}) ⇒ Object

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 42

def start_service(opts = {})
  unless opts[:gss_provider]
    ntlm_provider = Msf::Exploit::Remote::Relay::NTLM::HashCapture::HashCaptureNTLMProvider.new(
      allow_anonymous: true,
      allow_guests: true,
      listener: self,
      ntlm_type3_status: nil,
      service_name: 'SMB'
    )

    # Set domain name for all future server responses
    ntlm_provider.dns_domain = datastore['SMBDomain']
    ntlm_provider.dns_hostname = datastore['SMBDomain']
    ntlm_provider.netbios_domain = datastore['SMBDomain']
    ntlm_provider.netbios_hostname = datastore['SMBDomain']
    opts[:gss_provider] = ntlm_provider
  end

  super(opts)

  if share.present?
    if service.shares.key?(share)
      fail_with(Msf::Module::Failure::BadConfig, "The specified SMB share '#{share}' already exists.")
    end

    virtual_disk = RubySMB::Server::Share::Provider::VirtualDisk.new(share)
    # the virtual disk expects the path to use the native File::SEPARATOR so normalize on that here
    virtual_disk.add_dynamic_file("#{@folder_name}#{File::SEPARATOR}#{@file_name}".gsub(/\/|\\/, File::SEPARATOR)) do |client, _smb_session|
      get_file_contents(client: client)
    end
    service.add_share(virtual_disk)
  end
end

#unc ⇒ Object

Builds the UNC Name for the shared file

# File 'lib/msf/core/exploit/remote/smb/server/share.rb', line 86

def unc
  if folder_name
    path = "\\\\#{srvhost}\\#{share}\\#{folder_name}\\#{file_name}"
  else
    path = "\\\\#{srvhost}\\#{share}\\#{file_name}"
  end

  path
end