Merge pull request #404 from tiyeuse/main

Add file write check on smb
Pennyw0rth · Oct 4, 2024 · 754ca2d · 754ca2d
2 parents e1c6635 + f17a61f
commit 754ca2d
Showing 1 changed file with 31 additions and 5 deletions.
diff --git a/nxc/protocols/smb.py b/nxc/protocols/smb.py
@@ -27,6 +27,7 @@
 from impacket.dcerpc.v5.dtypes import NULL
 from impacket.dcerpc.v5.dcomrt import DCOMConnection
 from impacket.dcerpc.v5.dcom.wmi import CLSID_WbemLevel1Login, IID_IWbemLevel1Login, IWbemLevel1Login
+from impacket.smb3structs import FILE_SHARE_WRITE, FILE_SHARE_DELETE
 
 from nxc.config import process_secret, host_info_colors
 from nxc.connection import connection, sem, requires_admin, dcom_FirewallChecker
@@ -774,6 +775,7 @@ def ps_execute(self, payload=None, get_output=False, methods=None, force_ps32=Fa
 
  def shares(self):
  temp_dir = ntpath.normpath("\\" + gen_random_string())
+ temp_file = ntpath.normpath("\\" + gen_random_string() + ".txt")
  permissions = []
 
  try:
@@ -812,6 +814,8 @@ def shares(self):
  share_info = {"name": share_name, "remark": share_remark, "access": []}
  read = False
  write = False
+ write_dir = False
+ write_file = False
  try:
  self.conn.listPath(share_name, "*")
  read = True
@@ -823,18 +827,40 @@ def shares(self):
  if not self.args.no_write_check:
  try:
  self.conn.createDirectory(share_name, temp_dir)
- write = True
- share_info["access"].append("WRITE")
+ write_dir = True
+ try:
+ self.conn.deleteDirectory(share_name, temp_dir)
+ except SessionError as e:
+ error = get_error_string(e)
+ if error == "STATUS_OBJECT_NAME_NOT_FOUND":
+ pass
+ else:
+ self.logger.debug(f"Error DELETING created temp dir {temp_dir} on share {share_name}: {error}")
  except SessionError as e:
  error = get_error_string(e)
  self.logger.debug(f"Error checking WRITE access on share {share_name}: {error}")
 
- if write:
+ try:
+ tid = self.conn.connectTree(share_name)
+ fid = self.conn.createFile(tid, temp_file, desiredAccess=FILE_SHARE_WRITE, shareMode=FILE_SHARE_DELETE)
+ self.conn.closeFile(tid, fid)
+ write_file = True
  try:
- self.conn.deleteDirectory(share_name, temp_dir)
+ self.conn.deleteFile(share_name, temp_file)
  except SessionError as e:
  error = get_error_string(e)
- self.logger.debug(f"Error DELETING created temp dir {temp_dir} on share {share_name}: {error}")
+ if error == "STATUS_OBJECT_NAME_NOT_FOUND":
+ pass
+ else:
+ self.logger.debug(f"Error DELETING created temp file {temp_file} on share {share_name}")
+ except SessionError as e:
+ error = get_error_string(e)
+ self.logger.debug(f"Error checking WRITE access with file on share {share_name}: {error}")
+
+ # If we either can create a file or a directory we add the write privs to the output. Agreed on in https://github.com/Pennyw0rth/NetExec/pull/404
+ if write_dir or write_file:
+ write = True
+ share_info["access"].append("WRITE")
 
  permissions.append(share_info)