Real-time collaboration for Jupyter Notebooks, Linux Terminals, LaTeX, VS Code, R IDE, and more,
all in one place.

1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7

8
  # Exploit mixins should be called first
9
  include Msf::Exploit::Remote::SMB::Client
10
  include Msf::Exploit::Remote::SMB::Client::Authenticated
11
  include Msf::Exploit::Remote::SMB::Client::LocalPaths
12
  include Msf::Exploit::Remote::SMB::Client::RemotePaths
13
  include Msf::Auxiliary::Report
14
  include Msf::Auxiliary::Scanner
15
  include Msf::OptionalSession::SMB
16

17
  def initialize
18
    super(
19
      'Name'        => 'SMB File Upload Utility',
20
      'Description' => %Q{
21
        This module uploads a file to a target share and path. The only reason
22
      to use this module is if your existing SMB client is not able to support the features
23
      of the Metasploit Framework that you need, like pass-the-hash authentication.
24
      },
25
      'Author'      =>
26
        [
27
          'hdm'    # metasploit module
28
        ],
29
      'References'  =>
30
        [
31
        ],
32
      'License'     => MSF_LICENSE,
33
    )
34

35
    register_options([
36
      OptString.new('SMBSHARE', [true, 'The name of a writeable share on the server', 'C$'])
37
    ])
38

39
  end
40

41
  def run_host(_ip)
42
    validate_lpaths!
43
    validate_rpaths!
44
    begin
45
      if session
46
        print_status("Using existing session #{session.sid}")
47
        client = session.client
48
        self.simple = ::Rex::Proto::SMB::SimpleClient.new(client.dispatcher.tcp_socket, client: client)
49

50
      else
51
        vprint_status("Connecting to the server...")
52
        connect
53
        smb_login()
54
      end
55

56
      vprint_status("Mounting the remote share \\\\#{simple.address}\\#{datastore['SMBSHARE']}'...")
57
      self.simple.connect("\\\\#{simple.address}\\#{datastore['SMBSHARE']}")
58

59
      remote_path = remote_paths.first
60

61
      if local_paths.nil?
62
        print_error("Local paths not specified")
63
        return
64
      end
65

66
      local_paths.each do |local_path|
67
        begin
68
          vprint_status("Trying to upload #{local_path} to #{remote_path}...")
69

70
          fd = simple.open("#{remote_path}", 'wct', write: true)
71
          data = ::File.read(datastore['LPATH'], ::File.size(datastore['LPATH']), mode: 'rb')
72
          fd.write(data)
73
          fd.close
74

75
          print_good("#{local_path} uploaded to #{remote_path}")
76
        rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
77
          elog("Unable to upload #{local_path} to #{remote_path}", error: e)
78
          print_error("Unable to upload #{local_path} to #{remote_path} : #{e.message}")
79
        end
80
      end
81
    rescue Rex::Proto::SMB::Exceptions::LoginError => e
82
      elog("Unable to login:", error: e)
83
      print_error("Unable to login: #{e.message}")
84
    end
85
  end
86
end
87

88