Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7

8
  # Exploit mixins should be called first
9
  include Msf::Exploit::Remote::SMB::Client
10
  include Msf::Exploit::Remote::SMB::Client::Authenticated
11
  include Msf::Auxiliary::Scanner
12
  include Msf::Auxiliary::Report
13

14
  # Aliases for common classes
15
  SIMPLE = Rex::Proto::SMB::SimpleClient
16
  XCEPT  = Rex::Proto::SMB::Exceptions
17
  CONST  = Rex::Proto::SMB::Constants
18

19

20
  def initialize
21
    super(
22
      'Name'        => 'SMB Scanner Check File/Directory Utility',
23
      'Description' => %Q{
24
        This module is useful when checking an entire network
25
        of SMB hosts for the presence of a known file or directory.
26
        An example would be to scan all systems for the presence of
27
        antivirus or known malware outbreak. Typically you must set
28
        RPATH, SMBUser, SMBDomain and SMBPass to operate correctly.
29
      },
30
      'Author'      =>
31
        [
32
          'aushack',
33
          'j0hn__f'
34
        ],
35
      'References'  =>
36
        [
37
        ],
38
      'License'     => MSF_LICENSE
39
    )
40

41
    register_options([
42
      OptString.new('SMBSHARE', [true, 'The name of an accessible share on the server', 'C$']),
43
      OptString.new('RPATH', [true, 'The name of the remote file/directory relative to the share'])
44
    ])
45

46
  end
47

48
  def check_path(path)
49
    begin
50
      if (fd = simple.open("\\#{path}", 'o')) # mode is open only - do not create/append/write etc
51
        print_good("File FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path}")
52
        fd.close
53
      end
54
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
55
      error_name = e.get_error(e.error_code)
56
    rescue ::RubySMB::Error::UnexpectedStatusCode => e
57
      error_name = e.status_code.name
58
    end
59
    if error_name
60
      case error_name
61
      when "STATUS_FILE_IS_A_DIRECTORY"
62
        print_good("Directory FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path}")
63
      when "STATUS_OBJECT_NAME_NOT_FOUND"
64
        vprint_error("Object \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path} NOT found!")
65
      when "STATUS_OBJECT_PATH_NOT_FOUND"
66
        vprint_error("Object PATH \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path} NOT found!")
67
      when "STATUS_ACCESS_DENIED"
68
        vprint_error("Host reports access denied.")
69
      when "STATUS_BAD_NETWORK_NAME"
70
        vprint_error("Host is NOT connected to #{datastore['SMBDomain']}!")
71
      when "STATUS_INSUFF_SERVER_RESOURCES"
72
        vprint_error("Host rejected with insufficient resources!")
73
      when "STATUS_OBJECT_NAME_INVALID"
74
        vprint_error("opening \\#{path} bad filename")
75
      else
76
        raise e
77
      end
78
    end
79
  end
80

81
  def run_host(ip)
82
    vprint_status("Connecting to the server...")
83

84
    begin
85
      connect
86
      smb_login
87

88
      vprint_status("Mounting the remote share \\\\#{datastore['RHOST']}\\#{datastore['SMBSHARE']}'...")
89
      self.simple.connect("\\\\#{rhost}\\#{datastore['SMBSHARE']}")
90
      vprint_status("Checking for file/folder #{datastore['RPATH']}...")
91

92
      datastore['RPATH'].each_line do |path|
93
        check_path(path.chomp)
94
      end #end do
95
    rescue ::Rex::HostUnreachable
96
      vprint_error("Host offline.")
97
    rescue ::Rex::Proto::SMB::Exceptions::LoginError
98
      print_error("Host login error.")
99
    rescue ::Rex::ConnectionRefused
100
      print_error "Unable to connect - connection refused"
101
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
102
      print_error "Unable to connect to share #{datastore['SMBSHARE']}"
103
    end # end begin
104
  end # end def
105
end
106

107