Fix: Add Ability to Read Files with Open Handles over SMB #1894

Open: covertivy (Contributor) wants to merge 12 commits into base: master
@covertivy covertivy commented Feb 8, 2025

Hello!

I did some research regarding some annoying STATUS_SHARING_VIOLATION and STATUS_ACCESS_DENIED errors.
I know for a fact that some files that cannot be read with smbclient can be copied aside with a command / the file explorer.
This means that theoretically it should be possible to do so over SMB!

I opened up Wireshark and played around a bit - it seems this is caused by over-restrictive share access permissions on impacket's side.
I then dug deeper and saw some mismatching flag usage in the SMBv1 implementation of the protocol so I fixed those too.

To sum up, I added the ability to READ FILES WITH OPEN HANDLES WITH (ALMOST) NO RESTRICTION!!!
The only restriction is of course for some system files (e.g. SAM, SECURITY, SYSTEM and basically all files that require a ShadowCopy to allow reading them).
This means that files with "weak handles" can be read remotely WITH ABSOLUTELY NO LIMITATION!

The list contains:

  • Event Logs - *.evt / *.evtx
  • Files open by Local Users
  • Browser Files - Chrome Logins & History
  • And much much more!

Glad to suffer for all y'alls pleasure!

…, write and delete.

I found it out when capturing network traffic and seeing I can manage to read files with open handles.
This fixes SHARE_ACCESS_DENIED errors when trying to read files with handles on them.
This is the logical thing to do when we open files for reading.
We do not want to block other processes from interacting with the file.
This may raise problems when reading files that are being written into / being deleted.
I still think this is the right move since we usually want to read the files no matter what.
This is related to my older commits on the subject.
@covertivy covertivy changed the title from "Add Ability to Read Files with Handles" to "Add Ability to Read Files with Open Handles over SMB" Feb 8, 2025
@covertivy covertivy changed the title from "Add Ability to Read Files with Open Handles over SMB" to "Fix: Add Ability to Read Files with Open Handles over SMB" Feb 10, 2025
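The share-access behaviour discussed in this pull request, as an added example that is not code from the PR or from impacket: a simplified model of the Windows share-mode check that produces STATUS_SHARING_VIOLATION. The function names and the `HELD_*` scenarios are constructed for illustration; the flag values are the standard Windows constants.

```python
# Added illustration, not impacket code: simplified Windows share-mode check.

# Access-mask bits that take part in the sharing check.
FILE_READ_DATA = 0x00000001
FILE_WRITE_DATA = 0x00000002
FILE_APPEND_DATA = 0x00000004
FILE_EXECUTE = 0x00000020
DELETE = 0x00010000

# ShareAccess bits carried in an SMB create request.
FILE_SHARE_READ = 0x1
FILE_SHARE_WRITE = 0x2
FILE_SHARE_DELETE = 0x4

# Each access group is allowed only if the other side shares the matching flag.
_GROUPS = (
    (FILE_READ_DATA | FILE_EXECUTE, FILE_SHARE_READ),
    (FILE_WRITE_DATA | FILE_APPEND_DATA, FILE_SHARE_WRITE),
    (DELETE, FILE_SHARE_DELETE),
)


def _permits(access, share):
    """True if every access group present in `access` is allowed by `share`."""
    return all(not (access & bits) or bool(share & flag) for bits, flag in _GROUPS)


def check_open(existing, access, share):
    """Model a new open against handles already held on the file.

    existing: list of (granted_access, share_access) tuples.
    The check is symmetric: the new access must fit every holder's share
    mode, and every holder's access must fit the new share mode.
    """
    for held_access, held_share in existing:
        if not _permits(access, held_share) or not _permits(held_access, share):
            return "STATUS_SHARING_VIOLATION"
    return "STATUS_SUCCESS"


# Constructed scenario: a local process writes to a file but shares read/write.
HELD_WRITER = [(FILE_WRITE_DATA | FILE_APPEND_DATA, FILE_SHARE_READ | FILE_SHARE_WRITE)]
# Constructed scenario: a holder that opened the file with no sharing at all.
HELD_EXCLUSIVE = [(FILE_READ_DATA | FILE_WRITE_DATA, 0)]
SHARE_ALL = FILE_SHARE_READ | FILE_SHARE_WRITE | FILE_SHARE_DELETE
```

A reader that requests only `FILE_SHARE_READ` is refused because the existing writer's access does not fit the reader's share mode, while the same read with `SHARE_ALL` succeeds; a holder that shares nothing still blocks both.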