1
##
2
# This module requires Metasploit: https://metasploit.com/download
3
# Current source: https://github.com/rapid7/metasploit-framework
4
##
5

6
class MetasploitModule < Msf::Auxiliary
7

8
  # Exploit mixins should be called first
9
  include Msf::Exploit::Remote::SMB::Client
10
  include Msf::Exploit::Remote::SMB::Client::Authenticated
11
  include Msf::Auxiliary::Scanner
12
  include Msf::Auxiliary::Report
13

14
  # Aliases for common classes
15
  SIMPLE = Rex::Proto::SMB::SimpleClient
16
  XCEPT = Rex::Proto::SMB::Exceptions
17
  CONST = Rex::Proto::SMB::Constants
18

19
  def initialize
20
    super(
21
      'Name' => 'SMB Scanner Check File/Directory Utility',
22
      'Description' => %(
23
        This module is useful when checking an entire network
24
        of SMB hosts for the presence of a known file or directory.
25
        An example would be to scan all systems for the presence of
26
        antivirus or known malware outbreak. Typically you must set
27
        RPATH, SMBUser, SMBDomain and SMBPass to operate correctly.
28
      ),
29
      'Author' => [
30
        'aushack',
31
        'j0hn__f'
32
      ],
33
      'References' => [
34
        [ 'ATT&CK', Mitre::Attack::Technique::T1021_002_SMB_WINDOWS_ADMIN_SHARES ]
35
      ],
36
      'License' => MSF_LICENSE,
37
      'Notes' => {
38
        'Stability' => [CRASH_SAFE],
39
        'SideEffects' => [IOC_IN_LOGS],
40
        'Reliability' => []
41
      }
42
    )
43

44
    register_options([
45
      OptString.new('SMBSHARE', [true, 'The name of an accessible share on the server', 'C$']),
46
      OptString.new('RPATH', [true, 'The name of the remote file/directory relative to the share'])
47
    ])
48
  end
49

50
  def check_path(path)
51
    begin
52
      if (fd = simple.open("\\#{path}", 'o')) # mode is open only - do not create/append/write etc
53
        print_good("File FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path}")
54
        fd.close
55
      end
56
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
57
      error_name = e.get_error(e.error_code)
58
    rescue ::RubySMB::Error::UnexpectedStatusCode => e
59
      error_name = e.status_code.name
60
    end
61
    if error_name
62
      case error_name
63
      when 'STATUS_FILE_IS_A_DIRECTORY'
64
        print_good("Directory FOUND: \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path}")
65
      when 'STATUS_OBJECT_NAME_NOT_FOUND'
66
        vprint_error("Object \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path} NOT found!")
67
      when 'STATUS_OBJECT_PATH_NOT_FOUND'
68
        vprint_error("Object PATH \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{path} NOT found!")
69
      when 'STATUS_ACCESS_DENIED'
70
        vprint_error('Host reports access denied.')
71
      when 'STATUS_BAD_NETWORK_NAME'
72
        vprint_error("Host is NOT connected to #{datastore['SMBDomain']}!")
73
      when 'STATUS_INSUFF_SERVER_RESOURCES'
74
        vprint_error('Host rejected with insufficient resources!')
75
      when 'STATUS_OBJECT_NAME_INVALID'
76
        vprint_error("opening \\#{path} bad filename")
77
      else
78
        raise e
79
      end
80
    end
81
  end
82

83
  def run_host(_ip)
84
    vprint_status('Connecting to the server...')
85

86
    begin
87
      connect
88
      smb_login
89

90
      vprint_status("Mounting the remote share \\\\#{datastore['RHOST']}\\#{datastore['SMBSHARE']}'...")
91
      simple.connect("\\\\#{rhost}\\#{datastore['SMBSHARE']}")
92
      vprint_status("Checking for file/folder #{datastore['RPATH']}...")
93

94
      datastore['RPATH'].each_line do |path|
95
        check_path(path.chomp)
96
      end
97
    rescue ::Rex::HostUnreachable
98
      vprint_error('Host offline.')
99
    rescue ::Rex::Proto::SMB::Exceptions::LoginError
100
      print_error('Host login error.')
101
    rescue ::Rex::ConnectionRefused
102
      print_error 'Unable to connect - connection refused'
103
    rescue ::Rex::Proto::SMB::Exceptions::ErrorCode
104
      print_error "Unable to connect to share #{datastore['SMBSHARE']}"
105
    end
106
  end
107
end
108

109