Merge pull request Pennyw0rth#404 from tiyeuse/main

NeffIsBack · web-flow · commit 754ca2d423ba · 2024-10-04T17:43:00.000+02:00
Add file write check on smb
diff --git a/nxc/protocols/smb.py b/nxc/protocols/smb.py
@@ -27,6 +27,7 @@
 from impacket.dcerpc.v5.dtypes import NULL
 from impacket.dcerpc.v5.dcomrt import DCOMConnection
 from impacket.dcerpc.v5.dcom.wmi import CLSID_WbemLevel1Login, IID_IWbemLevel1Login, IWbemLevel1Login
+from impacket.smb3structs import FILE_SHARE_WRITE, FILE_SHARE_DELETE
 
 from nxc.config import process_secret, host_info_colors
 from nxc.connection import connection, sem, requires_admin, dcom_FirewallChecker
@@ -774,6 +775,7 @@ def ps_execute(self, payload=None, get_output=False, methods=None, force_ps32=Fa
 
     def shares(self):
         temp_dir = ntpath.normpath("\\" + gen_random_string())
+        temp_file = ntpath.normpath("\\" + gen_random_string() + ".txt")
         permissions = []
 
         try:
@@ -812,6 +814,8 @@ def shares(self):
             share_info = {"name": share_name, "remark": share_remark, "access": []}
             read = False
             write = False
+            write_dir = False
+            write_file = False
             try:
                 self.conn.listPath(share_name, "*")
                 read = True
@@ -823,18 +827,40 @@ def shares(self):
             if not self.args.no_write_check:
                 try:
                     self.conn.createDirectory(share_name, temp_dir)
-                    write = True
-                    share_info["access"].append("WRITE")
+                    write_dir = True
+                    try:
+                        self.conn.deleteDirectory(share_name, temp_dir)
+                    except SessionError as e:
+                        error = get_error_string(e)
+                        if error == "STATUS_OBJECT_NAME_NOT_FOUND":
+                            pass
+                        else:
+                            self.logger.debug(f"Error DELETING created temp dir {temp_dir} on share {share_name}: {error}")
                 except SessionError as e:
                     error = get_error_string(e)
                     self.logger.debug(f"Error checking WRITE access on share {share_name}: {error}")
 
-                if write:
+                try:
+                    tid = self.conn.connectTree(share_name)
+                    fid = self.conn.createFile(tid, temp_file, desiredAccess=FILE_SHARE_WRITE, shareMode=FILE_SHARE_DELETE)
+                    self.conn.closeFile(tid, fid)
+                    write_file = True
                     try:
-                        self.conn.deleteDirectory(share_name, temp_dir)
+                        self.conn.deleteFile(share_name, temp_file)
                     except SessionError as e:
                         error = get_error_string(e)
-                        self.logger.debug(f"Error DELETING created temp dir {temp_dir} on share {share_name}: {error}")
+                        if error == "STATUS_OBJECT_NAME_NOT_FOUND":
+                            pass
+                        else:
+                            self.logger.debug(f"Error DELETING created temp file {temp_file} on share {share_name}")
+                except SessionError as e:
+                    error = get_error_string(e)
+                    self.logger.debug(f"Error checking WRITE access with file on share {share_name}: {error}")
+
+                # If we either can create a file or a directory we add the write privs to the output. Agreed on in https://github.com/Pennyw0rth/NetExec/pull/404
+                if write_dir or write_file:
+                    write = True
+                    share_info["access"].append("WRITE")
 
             permissions.append(share_info)
 
