Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7

8
  # Exploit mixins should be called first
9
  include Msf::Exploit::Remote::SMB::Client
10
  include Msf::Exploit::Remote::SMB::Client::Authenticated
11
  include Msf::Exploit::Remote::SMB::Client::RemotePaths
12
  include Msf::Auxiliary::Report
13
  include Msf::Auxiliary::Scanner
14
  include Msf::OptionalSession::SMB
15

16
  def initialize
17
    super(
18
      'Name'        => 'SMB File Download Utility',
19
      'Description' => %Q{
20
        This module downloads a file from a target share and path. The usual reason
21
      to use this module is to work around limitations in an existing SMB client that may not
22
      be able to take advantage of pass-the-hash style authentication.
23
      },
24
      'Author'      =>
25
        [
26
          'mubix' # copied from hdm upload_file module
27
        ],
28
      'License'     => MSF_LICENSE,
29
    )
30

31
    register_options([
32
      OptString.new('SMBSHARE', [true, 'The name of a share on the RHOST', 'C$'])
33
    ])
34
  end
35

36
  def smb_download
37
    vprint_status("Connecting...")
38
    if session
39

40
      print_status("Using existing session #{session.sid}")
41
      client = session.client
42
      self.simple = ::Rex::Proto::SMB::SimpleClient.new(client.dispatcher.tcp_socket, client: client)
43
    else
44
      connect
45
      smb_login()
46
    end
47

48
    vprint_status("Mounting the remote share \\\\#{simple.address}\\#{datastore['SMBSHARE']}'...")
49
    self.simple.connect("\\\\#{simple.address}\\#{datastore['SMBSHARE']}")
50

51
    remote_paths.each do |remote_path|
52
      begin
53
        vprint_status("Trying to download #{remote_path}...")
54

55
        data = ''
56
        fd = simple.open("#{remote_path}", 'o')
57
        begin
58
          data = fd.read
59
        ensure
60
          fd.close
61
        end
62

63
        fname = remote_path.split("\\")[-1]
64
        path = store_loot("smb.shares.file", "application/octet-stream", rhost, data, fname)
65
        print_good("#{remote_path} saved as: #{path}")
66
      rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
67
        elog("Unable to download #{remote_path}:", error: e)
68
        print_error("Unable to download #{remote_path}: #{e.message}")
69
      end
70
    end
71
  end
72

73
  def run_host(ip)
74
    validate_rpaths!
75

76
    begin
77
      smb_download
78
    rescue Rex::Proto::SMB::Exceptions::LoginError => e
79
      elog("Unable to login: #{e.message}", error: e)
80
      print_error("Unable to login: #{e.message}")
81
    end
82
  end
83
end
84

85