rapid7 / ruby_smb

A native Ruby implementation of the SMB Protocol Family

Use the correct TREE_CONNECT Response access mask #235

Closed cdelafuente-r7 closed 1 year ago

cdelafuente-r7 commented 2 years ago

Fixes https://github.com/rapid7/metasploit-framework/issues/16745

A wrong structure was used for the :maximal_access field of a TREE_CONNECT Response. Before this fix, a file_access_mask was used even for disk directory shares. Now, the structure sets either a file_access_mask or a directory_access_mask according to the share type.

This can be tested using Metasploit auxiliary/scanner/smb/smb_login module, as described in https://github.com/rapid7/metasploit-framework/issues/16745. This module checks that the Tree add_file permission on the ADMIN$ share is set to detect if the user has Administrator level. The add_file field only exists in directory_access_mask, which was failing before since file_access_mask was returned by the TREE_CONNECT Response.

Before

The module successfully logs in with the Administrator credentials but does not report it with the Administrator access level:

msf6 auxiliary(scanner/smb/smb_login) > run SMBUser=Administrator SMBPass=123456 RHOSTS=10.0.0.22 verbose=true

[*] 10.0.0.22:445   - 10.0.0.22:445 - Starting SMB login bruteforce
[+] 10.0.0.22:445   - 10.0.0.22:445 - Success: '.\Administrator:123456'
[*] 10.0.0.22:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

After

Now, it is reported with the Administrator access level:

msf6 auxiliary(scanner/smb/smb_login) > run SMBUser=Administrator SMBPass=123456 RHOSTS=10.0.0.22 verbose=true

[*] 10.0.0.22:445   - 10.0.0.22:445 - Starting SMB login bruteforce
[+] 10.0.0.22:445   - 10.0.0.22:445 - Success: '.\Administrator:123456' Administrator
[*] 10.0.0.22:445   - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
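As an added illustration of the bug this PR fixes (example code written for this page, not ruby_smb's own BinData structures), the following decodes the MaximalAccess field of an SMB2 TREE_CONNECT Response with the mask layout selected by ShareType. The bit positions, share type values and structure layout come from MS-SMB2; the sample response bytes are constructed here.

```ruby
# Added example (not ruby_smb code): decode MaximalAccess from an SMB2
# TREE_CONNECT Response using the mask layout that matches ShareType.
# File and directory masks use the same bit positions (MS-SMB2 2.2.13.1.1,
# 2.2.13.1.2); only the names differ, so a check like "is add_file set?"
# can never succeed when the file layout is applied to a disk share.

SHARE_TYPE_DISK  = 0x01
SHARE_TYPE_PIPE  = 0x02
SHARE_TYPE_PRINT = 0x03

# Object-specific low bits of the 32-bit access mask, per layout.
FILE_ACCESS_BITS = {
  read_data: 0x1, write_data: 0x2, append_data: 0x4, read_ea: 0x8,
  write_ea: 0x10, execute: 0x20, read_attributes: 0x80, write_attributes: 0x100
}.freeze
DIRECTORY_ACCESS_BITS = {
  list_directory: 0x1, add_file: 0x2, add_subdirectory: 0x4, read_ea: 0x8,
  write_ea: 0x10, traverse: 0x20, delete_child: 0x40, read_attributes: 0x80,
  write_attributes: 0x100
}.freeze
# Standard rights, identical in both layouts.
STANDARD_BITS = {
  delete: 0x10000, read_control: 0x20000, write_dac: 0x40000,
  write_owner: 0x80000, synchronize: 0x100000
}.freeze

# Disk shares are directories, so they take the directory layout.
def access_bits_for(share_type)
  share_type == SHARE_TYPE_DISK ? DIRECTORY_ACCESS_BITS : FILE_ACCESS_BITS
end

# Names of the rights granted in maximal_access (layout overridable to show the bug).
def decode_maximal_access(share_type, maximal_access, bits = access_bits_for(share_type))
  bits.merge(STANDARD_BITS).select { |_, bit| maximal_access & bit != 0 }.keys
end

# Fixed part of a TREE_CONNECT Response (MS-SMB2 2.2.10):
# StructureSize(2) ShareType(1) Reserved(1) ShareFlags(4) Capabilities(4) MaximalAccess(4)
def parse_tree_connect_response(bytes)
  size, share_type, _reserved, share_flags, capabilities, maximal_access = bytes.unpack('v C C V V V')
  raise ArgumentError, "unexpected StructureSize #{size}" unless size == 16
  { share_type: share_type, share_flags: share_flags, capabilities: capabilities, maximal_access: maximal_access }
end

# The smb_login-style check: add_file on the ADMIN$ tree indicates Administrator level.
def admin_level?(share_type, maximal_access, bits = access_bits_for(share_type))
  decode_maximal_access(share_type, maximal_access, bits).include?(:add_file)
end

# Constructed sample: disk share, MaximalAccess = FILE_ALL_ACCESS (0x001F01FF).
CONSTRUCTED_RESPONSE = [16, SHARE_TYPE_DISK, 0, 0, 0, 0x001F01FF].pack('v C C V V V').freeze
```

With the directory layout the constructed response reports :add_file; forcing the file layout on the same bytes (the pre-fix behaviour) yields :write_data instead, so the Administrator check silently fails.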