1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7

8
  # Exploit mixins should be called first
9
  include Msf::Exploit::Remote::SMB::Client
10
  include Msf::Exploit::Remote::SMB::Client::Authenticated
11
  include Msf::Auxiliary::Scanner
12
  include Msf::Auxiliary::Report
13

14
  # Aliases for common classes
15
  SIMPLE = Rex::Proto::SMB::SimpleClient
16
  XCEPT = Rex::Proto::SMB::Exceptions
17
  CONST = Rex::Proto::SMB::Constants
18

19
  def initialize
20
    super(
21
      'Name' => 'SMB Scanner Check File/Directory Utility',
22
      'Description' => %(
23
        This module is useful when checking an entire network
24
        of SMB hosts for the presence of a known file or directory.
25
        An example would be to scan all systems for the presence of
26
        antivirus or known malware outbreak. Typically you must set
27
        RPATH, SMBUser, SMBDomain and SMBPass to operate correctly.
28
      ),
29
      'Author' => [
30
        'aushack',
31
        'j0hn__f'
32
      ],
33
      'References' => [
34
      ],
35
      'License' => MSF_LICENSE,
36
      'Notes' => {
37
        'Stability' => [CRASH_SAFE],
38
        'SideEffects' => [IOC_IN_LOGS],
39
        'Reliability' => []
40
      }
41
    )
42

43
    register_options([
44
      OptString.new('SMBSHARE', [true, 'The name of an accessible share on the server', 'C$']),
45
      OptString.new('RPATH', [true, 'The name of the remote file/directory relative to the share'])
46
    ])
47
  end
48

49
  def check_path(path)
50
    begin
51
      if (fd = simple.open("\\#{path}", 'o')) # mode is open only - do not create/append/write etc
52
        print_good("File FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path}")
53
        fd.close
54
      end
55
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
56
      error_name = e.get_error(e.error_code)
57
    rescue ::RubySMB::Error::UnexpectedStatusCode => e
58
      error_name = e.status_code.name
59
    end
60
    if error_name
61
      case error_name
62
      when 'STATUS_FILE_IS_A_DIRECTORY'
63
        print_good("Directory FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path}")
64
      when 'STATUS_OBJECT_NAME_NOT_FOUND'
65
        vprint_error("Object \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path} NOT found!")
66
      when 'STATUS_OBJECT_PATH_NOT_FOUND'
67
        vprint_error("Object PATH \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path} NOT found!")
68
      when 'STATUS_ACCESS_DENIED'
69
        vprint_error('Host reports access denied.')
70
      when 'STATUS_BAD_NETWORK_NAME'
71
        vprint_error("Host is NOT connected to #{datastore['SMBDomain']}!")
72
      when 'STATUS_INSUFF_SERVER_RESOURCES'
73
        vprint_error('Host rejected with insufficient resources!')
74
      when 'STATUS_OBJECT_NAME_INVALID'
75
        vprint_error("opening \\#{path} bad filename")
76
      else
77
        raise e
78
      end
79
    end
80
  end
81

82
  def run_host(_ip)
83
    vprint_status('Connecting to the server...')
84

85
    begin
86
      connect
87
      smb_login
88

89
      vprint_status("Mounting the remote share \\\\#{datastore['RHOST']}\\#{datastore['SMBSHARE']}'...")
90
      simple.connect("\\\\#{rhost}\\#{datastore['SMBSHARE']}")
91
      vprint_status("Checking for file/folder #{datastore['RPATH']}...")
92

93
      datastore['RPATH'].each_line do |path|
94
        check_path(path.chomp)
95
      end
96
    rescue ::Rex::HostUnreachable
97
      vprint_error('Host offline.')
98
    rescue ::Rex::Proto::SMB::Exceptions::LoginError
99
      print_error('Host login error.')
100
    rescue ::Rex::ConnectionRefused
101
      print_error 'Unable to connect - connection refused'
102
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
103
      print_error "Unable to connect to share #{datastore['SMBSHARE']}"
104
    end
105
  end
106
end
107

108