Use Rex::Proto::DCERPC::Response

2017-05-29 21:58:03 -05:00 · 2017-05-29 21:58:03 -05:00 · 6e253a5be7
parent 42b14a93b8
commit 6e253a5be7
1 changed files with 18 additions and 5 deletions
--- a/modules/exploits/windows/smb/ms17_010_eternalblue.rb
+++ b/modules/exploits/windows/smb/ms17_010_eternalblue.rb
@ -257,8 +257,10 @@ class MetasploitModule < Msf::Exploit::Remote
    return true if !datastore['VerifyArch']

    pkt = Rex::Proto::DCERPC::Packet.make_bind(
-      'e1af8308-5d1f-11c9-91a4-08002b14a0fa', '3.0', # Abstract Syntax: EPMv4 V3.0
-      '71710533-beba-4937-8319-b5dbef9ccc36', '1.0'  # Transfer Syntax[1]: 64bit NDR V1
+      # Abstract Syntax: EPMv4 V3.0
+      'e1af8308-5d1f-11c9-91a4-08002b14a0fa', '3.0',
+      # Transfer Syntax[1]: 64bit NDR V1
+      '71710533-beba-4937-8319-b5dbef9ccc36', '1.0'
    ).first

    sock = connect(false,
@ -270,13 +272,24 @@ class MetasploitModule < Msf::Exploit::Remote
    res = sock.get_once
    disconnect(sock)

-    return false if res.nil?
+    begin
+      resp = Rex::Proto::DCERPC::Response.new(res)
+    rescue Rex::Proto::DCERPC::Exceptions::InvalidPacket => e
+      print_error(e.to_s)
+      return false
+    end

    case target_arch.first
    when ARCH_X64
-      (ret = true) if res[36] == "\x00" # Ack result: Acceptance (0)
+      # Ack result: Acceptance (0)
+      if resp.ack_result.first == 0
+        ret = true
+      end
    when ARCH_X86
-      (ret = true) if res[36] != "\x00" # Ack result: Provider rejection (2)
+      # Ack result: Provider rejection (2)
+      if resp.ack_result.first != 0
+        ret = true
+      end
    end

    if ret