Fixes #263. Correct the max read() size for DCERPC over SMB

git-svn-id: file:///home/svn/framework3/trunk@6007 4d416f70-5f16-0410-b530-b9f4589650da
unstable
HD Moore 2008-12-11 03:50:30 +00:00
parent 1485e0564e
commit cb8230f817
3 changed files with 16 additions and 6 deletions

View File

@ -141,6 +141,10 @@ require 'rex/proto/smb/exceptions'
if (self.socket.class == Rex::Proto::SMB::SimpleClient::OpenPipe)
begin
# Max SMB read is 65535, cap it at 64000
max_read = [64000, max_read].min
min_read = [64000, min_read].min
read_limit = nil
while(true)
@ -152,9 +156,9 @@ require 'rex/proto/smb/exceptions'
read_cnt = raw_response.length - read_limit
end
end
data = self.socket.read( read_cnt, rand(1024)+1)
last if not data.length
break if not (data and data.length > 0)
raw_response += data
# Keep reading until we have at least the DCERPC header

View File

@ -112,6 +112,8 @@ class Metasploit3 < Msf::Exploit::Remote
print_status("Created \\#{filename}...")
# Disconnect from the ADMIN$
simple.disconnect("ADMIN$")
# Connect to the IPC service
simple.connect("IPC$")

View File

@ -143,7 +143,9 @@ class Metasploit3 < Msf::Exploit::Remote
fd.close
print_status("Created \\#{filename}...")
# Disconnect from the ADMIN$
rclient.disconnect("ADMIN$")
print_status("Connecting to the Service Control Manager...")
rclient.connect("IPC$")
@ -276,11 +278,13 @@ class Metasploit3 < Msf::Exploit::Remote
response = dcerpc.call(0x0, svc_handle)
rescue ::Exception => e
print_status("Error: #{e}")
end
end
rclient.disconnect("IPC$")
print_status("Deleting \\#{filename}...")
simple.connect("ADMIN$")
simple.delete("\\#{filename}")
rclient.connect("ADMIN$")
rclient.delete("\\#{filename}")
end