Add support for folder

lib/msf/core/exploit/smb/server/share.rb

@@ -177,7 +177,6 @@ module Msf
       attr_accessor :share
       # @!attribute path_name
       #   @return [String] The folder where the provided file lives.
-      #   @note UNSUPPORTED
       attr_accessor :path_name
       # @!attribute file_name
       #   @return [String] The file name of the provided UNC.
@@ -199,6 +198,7 @@ module Msf
           [
             OptString.new('SHARE', [ false, 'Share (Default Random)']),
             OptString.new('FILE_NAME', [ false, 'File name to share (Default Random)']),
+            OptString.new('FOLDER_NAME', [ false, 'Folder name to share (Default none)']),
             OptPath.new('FILE_CONTENTS', [ false, 'File contents (Default Random)'])
           ], Msf::Exploit::Remote::SMB::Server::Share)
       end
@@ -207,7 +207,7 @@ module Msf
       def setup
         super
 
-        self.path_name = '\\' # TODO: Add subdirectories support
+        self.path_name = datastore['FOLDER_NAME']
         self.share = datastore['SHARE'] || Rex::Text.rand_text_alpha(4 + rand(3))
         self.file_name = datastore['FILE_NAME'] || Rex::Text.rand_text_alpha(4 + rand(3))
 
@@ -224,7 +224,13 @@ module Msf
 
       # Builds the UNC Name for the shared file
       def unc
-        "\\\\#{srvhost}\\#{share}\\#{file_name}"
+        if path_name
+          path = "\\\\#{srvhost}\\#{share}\\#{path_name}\\#{file_name}"
+        else
+          path = "\\\\#{srvhost}\\#{share}\\#{file_name}"
+        end
+
+        path
       end
 
       # Builds the server address.

lib/msf/core/exploit/smb/server/share/command/nt_create_andx.rb

@@ -32,7 +32,12 @@ module Msf
               attribs = CONST::SMB_EXT_FILE_ATTR_NORMAL
               eof = file_contents.length
               is_dir = 0
-            elsif payload.eql?(path_name.downcase)
+            elsif path_name && payload.ends_with?(path_name.downcase)
+              fid = smb[:dir_id].to_i
+              attribs = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
+              eof = 0
+              is_dir = 1
+            elsif payload == "\\"
               fid = smb[:dir_id].to_i
               attribs = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
               eof = 0

lib/msf/core/exploit/smb/server/share/command/trans2.rb

@@ -87,8 +87,8 @@ module Msf
           def smb_expand(path)
             search_path = path.gsub(/<\./, '*.') # manage wildcards
             extension = File.extname(file_name)
-            if search_path == "#{path_name}*#{extension}"
-              search_path = "#{path_name}#{file_name}"
+            if search_path =~ /\\\*#{extension}$/
+              search_path.gsub!(/\\\*#{extension}$/, "\\#{file_name}")
             end
 
             search_path

lib/msf/core/exploit/smb/server/share/information_level/find.rb

@@ -21,8 +21,15 @@ module Msf
               alloc = 1048576 # Allocation Size = 1048576 || 1Mb
               attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
               search = 1
-            elsif path && path == path_name.downcase
-              data = Rex::Text.to_unicode(path_name)
+            elsif path && path_name && path.ends_with?(path_name.downcase)
+              data = Rex::Text.to_unicode(path)
+              length = 0
+              ea = 0x21
+              alloc = 0 # 0Mb
+              attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
+              search = 0x100
+            elsif path && path == "\\"
+              data = Rex::Text.to_unicode(path)
               length = 0
               ea = 0x21
               alloc = 0 # 0Mb
@@ -52,8 +59,10 @@ module Msf
           def smb_cmd_find_file_names_info(c, path)
             if path && path.include?(file_name.downcase)
               data = Rex::Text.to_unicode(file_name)
-            elsif path && path == path_name.downcase
-              data = Rex::Text.to_unicode(path_name)
+            elsif path && path_name && path.ends_with?(path_name.downcase)
+              data = Rex::Text.to_unicode(path)
+            elsif path && path == "\\"
+              data = Rex::Text.to_unicode(path)
             else
               return smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_NO_SUCH_FILE, true)
             end
@@ -68,6 +77,7 @@ module Msf
           # @param path [String] The path which the client is requesting info from.
           # @return [Fixnum] The number of bytes returned to the client as response.
           def smb_cmd_find_file_full_directory_info(c, path)
+
             if path && path.include?(file_name.downcase)
               data = Rex::Text.to_unicode(file_name)
               length = file_contents.length
@@ -75,8 +85,15 @@ module Msf
               alloc = 1048576 # Allocation Size = 1048576 || 1Mb
               attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL # File
               search = 0x100
-            elsif path && path == path_name.downcase
-              data = Rex::Text.to_unicode(path_name)
+            elsif path && path_name && path.ends_with?(path_name.downcase)
+              data = Rex::Text.to_unicode(path)
+              length = 0
+              ea = 0x21
+              alloc = 0 # 0Mb
+              attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
+              search = 1
+            elsif path && path == "\\"
+              data = Rex::Text.to_unicode(path)
               length = 0
               ea = 0x21
               alloc = 0 # 0Mb

lib/msf/core/exploit/smb/server/share/information_level/query.rb

@@ -48,15 +48,12 @@ module Msf
           # @param c [Socket] The client sending the request.
           # @param path [String] The path which the client is requesting info from.
           # @return [Fixnum] The number of bytes returned to the client as response.
-          # @todo Delete elsif comment if testing proofs it as unnecessary
           def smb_cmd_trans_query_path_info_basic(c, path)
             if path && path.ends_with?(file_name.downcase)
               attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
-            #elsif path && path.ends_with?(file_name + '.Local')
-              #attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
-            elsif path && path == path_name.downcase
+            elsif path && path_name && path.ends_with?(path_name.downcase)
               attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
-            elsif path.nil? || path.empty? || path == "\x00" # empty path
+            elsif path.nil? || path.empty? || path == "\x00" || path == "\\" # empty path
               attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
             else
               return smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_OBJECT_NAME_NOT_FOUND, true)
@@ -74,9 +71,9 @@ module Msf
           def smb_cmd_trans_query_path_info_standard(c, path)
             if path && path.include?(file_name.downcase)
               attrib = 0 # File attributes => file
-            elsif path && path == path_name.downcase
+            elsif path && path_name && path.ends_with?(path_name.downcase)
               attrib = 1 # File attributes => directory
-            elsif path.nil? || path.empty? || path == "\x00" # empty path
+            elsif path.nil? || path.empty? || path == "\x00" || path == "\\" # empty path
               attrib = 1 # File attributes => directory
             else
               return smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_OBJECT_NAME_NOT_FOUND, true)
@@ -101,9 +98,9 @@ module Msf
 
             if path && path.include?(file_name.downcase)
               attrib = CONST::SMB_EXT_FILE_ATTR_NORMAL
-            elsif path && path == path_name.downcase
+            elsif path && path_name && path.ends_with?(path_name.downcase)
               attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
-            elsif path.nil? || path.empty? || path == "\x00" # empty path
+            elsif path.nil? || path.empty? || path == "\x00" || path == "\\" # empty path
               attrib = CONST::SMB_EXT_FILE_ATTR_DIRECTORY
             else
               return smb_error(CONST::SMB_COM_TRANSACTION2, c, CONST::SMB_STATUS_OBJECT_NAME_NOT_FOUND, true)