Land rapid7#18680, Shared SMB Service

Merge branch 'land-18680' into upstream-master

Author: bwatters-r7

Gemfile

@@ -52,3 +52,4 @@ group :test do
   # Manipulate Time.now in specs
   gem 'timecop'
 end
+

Gemfile.lock

@@ -474,7 +474,7 @@ GEM
     ruby-progressbar (1.13.0)
     ruby-rc4 (0.1.5)
     ruby2_keywords (0.0.5)
-    ruby_smb (3.3.1)
+    ruby_smb (3.3.2)
       bindata
       openssl-ccm
       openssl-cmac

lib/msf/core/exploit/remote/smb/server.rb

@@ -7,38 +7,6 @@ module Server
       include ::Msf::Exploit::Remote::SocketServer
       include ::Msf::Exploit::Remote::SMB::LogAdapter
 
-      module ServiceMixin
-        def start
-          if Rex::Socket.is_ipv6?(@socket.localhost)
-            localinfo = "[#{@socket.localhost}]:#{@socket.localport}"
-          else
-            localinfo = "#{@socket.localhost}:#{@socket.localport}"
-          end
-
-          self.listener_thread = Rex::ThreadFactory.spawn("SMBServerListener(#{localinfo})", false) do
-            begin
-              run do |server_client|
-                on_client_connect_proc.call(server_client) if on_client_connect_proc
-                true
-              end
-            rescue IOError => e
-              # this 'IOError: stream closed in another thread' is expected, so disregard it
-              wlog("#{e.class}: #{e.message}")
-            end
-          end
-        end
-
-        def stop
-          @socket.close
-        end
-
-        def wait
-          listener_thread.join if listener_thread
-        end
-
-        attr_accessor :listener_thread, :on_client_connect_proc
-      end
-
       def initialize(info = {})
         super
 
@@ -49,60 +17,34 @@ def initialize(info = {})
       end
 
       def start_service(opts = {})
-        @rsock = Rex::Socket::Tcp.create(
-          'LocalHost' => bindhost,
-          'LocalPort' => bindport,
-          'Comm' => _determine_server_comm(bindhost),
-          'Server' => true,
-          'Context' =>
-            {
-              'Msf' => framework,
-              'MsfExploit' => self
-            }
-        )
-
         unless opts[:logger]
           log_device = LogAdapter::LogDevice::Framework.new(framework)
           opts[:logger] = LogAdapter::Logger.new(self, log_device)
         end
 
-        thread_factory = Proc.new do |server_client, &block|
-          Rex::ThreadFactory.spawn("SMBServerClient(#{server_client.peerhost}->#{server_client.dispatcher.tcp_socket.localhost})", false, &block)
-        end
-
-        server = RubySMB::Server.new(
-          server_sock: @rsock,
+        self.service = Rex::ServiceManager.start(
+          Rex::Proto::SMB::Server,
+          (opts['ServerPort'] || bindport).to_i,
+          opts['ServerHost'] || bindhost,
+          {
+            'Msf'        => framework,
+            'MsfExploit' => self,
+          },
+          opts['Comm'] || _determine_server_comm(opts['ServerHost'] || bindhost),
           gss_provider: opts[:gss_provider],
-          logger: opts[:logger],
-          thread_factory: thread_factory
+          logger: opts[:logger]
         )
 
-        server.extend(ServiceMixin)
-        server.on_client_connect_proc = Proc.new { |client|
+        service.on_client_connect_proc = Proc.new { |client|
           on_client_connect(client)
         }
-        self.service = server
-        self.service.start
 
         print_status("Server is running. Listening on #{bindhost}:#{bindport}")
       end
 
       def on_client_connect(client)
         vprint_status("Received SMB connection from #{client.peerhost}")
       end
-
-      def cleanup_service
-        if service
-          begin
-            self.service.stop
-            self.service.wait
-            true
-          rescue ::Exception => e
-            print_error(e.message)
-            false
-          end
-        end
-      end
     end
   end
 end

lib/msf/core/exploit/remote/smb/server/share.rb

@@ -28,9 +28,9 @@ def initialize(info = {})
         register_options(
           [
             OptPort.new('SRVPORT',    [ true, 'The local port to listen on.', 445 ]),
-            OptString.new('SHARE', [ false, 'Share (Default Random)']),
-            OptString.new('FILE_NAME', [ false, 'File name to share (Default Random)']),
-            OptString.new('FOLDER_NAME', [ false, 'Folder name to share (Default none)'])
+            OptString.new('SHARE', [ false, 'Share (Default: random); cannot contain spaces or slashes'], regex: /^[^\s\/\\]*$/),
+            OptString.new('FILE_NAME', [ false, 'File name to share (Default: random)']),
+            OptString.new('FOLDER_NAME', [ false, 'Folder name to share (Default: none)'])
           ], Msf::Exploit::Remote::SMB::Server::Share)
         register_advanced_options(
           [
@@ -58,21 +58,27 @@ def start_service(opts = {})
 
         super(opts)
 
-        virtual_disk = RubySMB::Server::Share::Provider::VirtualDisk.new(@share)
-        # the virtual disk expects the path to use the native File::SEPARATOR so normalize on that here
-        virtual_disk.add_dynamic_file("#{@folder_name}#{File::SEPARATOR}#{@file_name}".gsub(/\/|\\/, File::SEPARATOR)) do |client, _smb_session|
-          get_file_contents(client: client)
+        if share.present?
+          if service.shares.key?(share)
+            fail_with(Msf::Module::Failure::BadConfig, "The specified SMB share '#{share}' already exists.")
+          end
+
+          virtual_disk = RubySMB::Server::Share::Provider::VirtualDisk.new(share)
+          # the virtual disk expects the path to use the native File::SEPARATOR so normalize on that here
+          virtual_disk.add_dynamic_file("#{@folder_name}#{File::SEPARATOR}#{@file_name}".gsub(/\/|\\/, File::SEPARATOR)) do |client, _smb_session|
+            get_file_contents(client: client)
+          end
+          service.add_share(virtual_disk)
         end
-        service.add_share(virtual_disk)
       end
 
       # Setups the server configuration.
       def setup
         super
 
         self.folder_name = datastore['FOLDER_NAME']
-        self.share = datastore['SHARE'] || Rex::Text.rand_text_alpha(4 + rand(3))
-        self.file_name = datastore['FILE_NAME'] || Rex::Text.rand_text_alpha(4 + rand(3))
+        self.share = datastore['SHARE'].present? ? datastore['SHARE'] : Rex::Text.rand_text_alpha(4 + rand(3))
+        self.file_name = datastore['FILE_NAME'].present? ? datastore['FILE_NAME'] : Rex::Text.rand_text_alpha(4 + rand(3))
       end
 
       # Builds the UNC Name for the shared file
@@ -92,6 +98,12 @@ def unc
       def get_file_contents(client:)
         file_contents
       end
+
+      def cleanup
+        self.service.remove_share(share) if share.present?
+
+        super
+      end
     end
   end
 end

lib/rex/proto/smb/server.rb

@@ -0,0 +1,112 @@
+# -*- coding: binary -*-
+require 'forwardable'
+require 'rex/socket'
+
+
+module Rex
+module Proto
+module SMB
+
+###
+#
+# Acts as an SMB server, processing requests and dispatching them to
+# registered procs.
+#
+###
+class Server
+
+  include Proto
+  extend Forwardable
+
+  def_delegators :@rubysmb_server, :dialects, :guid, :shares, :add_share, :remove_share
+
+  def initialize(port = 445, listen_host = '0.0.0.0', context = {}, comm = nil, gss_provider: nil, logger: nil)
+    self.listen_host     = listen_host
+    self.listen_port     = port
+    self.context         = context
+    self.comm            = comm
+    @gss_provider        = gss_provider
+    @logger              = logger
+    self.listener        = nil
+    @listener_thread     = nil
+    @rubysmb_server      = nil
+  end
+
+  # @return [String]
+  def inspect
+    "#<#{self.class} smb://#{listen_host}:#{listen_port} >"
+  end
+
+  #
+  # Returns the hardcore alias for the SMB service
+  #
+  def self.hardcore_alias(*args, **kwargs)
+    gss_alias = ''
+    if (gss_provider = kwargs[:gss_provider])
+      gss_alias << "#{gss_provider.class}("
+      attrs = {}
+      if gss_provider.is_a?(RubySMB::Gss::Provider::NTLM)
+        allows = []
+        allows << 'ANONYMOUS' if gss_provider.allow_anonymous
+        allows << 'GUESTS' if gss_provider.allow_guests
+        attrs['allow'] = allows.join('|') unless allows.empty?
+        attrs['default_domain'] = gss_provider.default_domain if gss_provider.respond_to?(:default_domain) && gss_provider.default_domain.present?
+        attrs['ntlm_status'] = gss_provider.ntlm_type3_status.name if gss_provider.respond_to?(:ntlm_type3_status) && gss_provider.ntlm_type3_status.present?
+      end
+      gss_alias << attrs.map { |k,v| "#{k}=#{v}"}.join(', ')
+      gss_alias << ')'
+    end
+    "#{(args[0] || '')}-#{(args[1] || '')}-#{args[3] || ''}-#{gss_alias}"
+  end
+
+  def alias
+    super || "SMB Server"
+  end
+
+  def start
+    self.listener = Rex::Socket::TcpServer.create(
+      'LocalHost'      => self.listen_host,
+      'LocalPort'      => self.listen_port,
+      'Context'        => self.context,
+      'Comm'           => self.comm
+    )
+
+    thread_factory = Proc.new do |server_client, &block|
+      Rex::ThreadFactory.spawn("SMBServerClient(#{server_client.peerhost}->#{server_client.dispatcher.tcp_socket.localhost})", false, &block)
+    end
+
+    @rubysmb_server = RubySMB::Server.new(
+      server_sock: self.listener,
+      gss_provider: @gss_provider,
+      logger: @logger,
+      thread_factory: thread_factory
+    )
+
+    localinfo = Rex::Socket.to_authority(self.listener.localhost, self.listener.localport)
+    @listener_thread = Rex::ThreadFactory.spawn("SMBServerListener(#{localinfo})", false) do
+      begin
+        @rubysmb_server.run do |server_client|
+          on_client_connect_proc.call(server_client) if on_client_connect_proc
+          true
+        end
+      rescue IOError => e
+        # this 'IOError: stream closed in another thread' is expected, so disregard it
+        wlog("#{e.class}: #{e.message}")
+      end
+    end
+  end
+
+  def stop
+    self.listener.close
+  end
+
+  def wait
+    @listener_thread.join if @listener_thread
+  end
+
+  attr_accessor :context, :comm, :listener, :listen_host, :listen_port, :on_client_connect_proc
+end
+
+end
+end
+end

lib/rex/service_manager.rb

@@ -20,15 +20,15 @@ class ServiceManager < Hash
   #
   # Calls the instance method to start a service.
   #
-  def self.start(klass, *args)
-    self.instance.start(klass, *args)
+  def self.start(klass, *args, **kwargs)
+    self.instance.start(klass, *args, **kwargs)
   end
 
   #
   # Calls the instance method to stop a service.
   #
-  def self.stop(klass, *args)
-    self.instance.stop(klass, *args)
+  def self.stop(klass, *args, **kwargs)
+    self.instance.stop(klass, *args, **kwargs)
   end
 
   #
@@ -48,9 +48,9 @@ def self.stop_service(service)
   #
   # Starts a service and assigns it a unique name in the service hash.
   #
-  def start(klass, *args)
+  def start(klass, *args, **kwargs)
     # Get the hardcore alias.
-    hals = "#{klass}" + klass.hardcore_alias(*args)
+    hals = "#{klass}" + klass.hardcore_alias(*args, **kwargs)
 
     # Has a service already been constructed for this guy?  If so, increment
     # its reference count like it aint no thang.
@@ -59,7 +59,7 @@ def start(klass, *args)
       return inst
     end
 
-    inst = klass.new(*args)
+    inst = klass.new(*args, **kwargs)
     als  = inst.alias
 
     # Find an alias that isn't taken.
@@ -93,8 +93,8 @@ def start(klass, *args)
   # what was originally passed to start exactly.  If the reference count of
   # the service drops to zero the service will be destroyed.
   #
-  def stop(klass, *args)
-    stop_service(hals[hardcore_alias(klass, *args)])
+  def stop(klass, *args, **kwargs)
+    stop_service(hals[hardcore_alias(klass, *args, **kwargs)])
   end
 
   #