Merge pull request #1122 from Pennyw0rth/marshall_smb_snipped_vuln_fix

Marshall-Hallenbeck · web-flow · commit c7dc286ba65d · 2026-02-23T09:48:47.000-05:00
fix(snipped): properly parse and set output file for saved screenshots
diff --git a/nxc/modules/snipped.py b/nxc/modules/snipped.py
@@ -1,6 +1,7 @@
 import ntpath
 import os
 from os.path import join, getsize, exists
+from pathlib import PurePosixPath
 from nxc.helpers.misc import CATEGORY
 from nxc.paths import NXC_PATH
 
@@ -84,9 +85,12 @@ def on_admin_login(self, context, connection):
                                 continue
 
                             remote_file_path = ntpath.join(screenshot_path, remote_file_name)
-                            sanitized_path = screenshot_path.replace("\\", "_").replace("/", "_")
-                            local_file_name = f"{folder_name}_{sanitized_path}_{remote_file_name}"
-                            local_file_path = join(user_output_dir, local_file_name)
+                            # replace \\ with underscores and ignore absolute path or path traversal attempts
+                            clean_screenshot_path = "_".join(p for p in PurePosixPath(screenshot_path.replace("\\", "/")).parts if p not in ("..", ".", "/"))
+                            clean_file = "_".join(p for p in PurePosixPath(remote_file_name.replace("\\", "/")).parts if p not in ("..", ".", "/"))
+
+                            local_file_path = join(user_output_dir, f"{clean_screenshot_path}_{clean_file}")
+                            context.log.debug(f"{local_file_path=}")
 
                             try:
                                 with open(local_file_path, "wb") as local_file:
@@ -107,7 +111,7 @@ def on_admin_login(self, context, connection):
                                 context.log.debug(f"Failed to download '{remote_file_path}' for user {folder_name}: {e}")
 
         if total_files_downloaded > 0 and host_output_path:
-            context.log.success(f"{total_files_downloaded} file(s) downloaded from host {connection.host} to {host_output_path}.")
+            context.log.success(f"{total_files_downloaded} file(s) downloaded from host {connection.host} to {host_output_path}/")
 
     def find_screenshots_folders(self, user_folder_name):
         """
