Fixes #263. Correct the max read() size for DCERPC over SMB
git-svn-id: file:///home/svn/framework3/trunk@6007 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
1485e0564e
commit
cb8230f817
|
@ -141,6 +141,10 @@ require 'rex/proto/smb/exceptions'
|
||||||
if (self.socket.class == Rex::Proto::SMB::SimpleClient::OpenPipe)
|
if (self.socket.class == Rex::Proto::SMB::SimpleClient::OpenPipe)
|
||||||
begin
|
begin
|
||||||
|
|
||||||
|
# Max SMB read is 65535, cap it at 64000
|
||||||
|
max_read = [64000, max_read].min
|
||||||
|
min_read = [64000, min_read].min
|
||||||
|
|
||||||
read_limit = nil
|
read_limit = nil
|
||||||
|
|
||||||
while(true)
|
while(true)
|
||||||
|
@ -152,9 +156,9 @@ require 'rex/proto/smb/exceptions'
|
||||||
read_cnt = raw_response.length - read_limit
|
read_cnt = raw_response.length - read_limit
|
||||||
end
|
end
|
||||||
end
|
end
|
||||||
|
|
||||||
data = self.socket.read( read_cnt, rand(1024)+1)
|
data = self.socket.read( read_cnt, rand(1024)+1)
|
||||||
last if not data.length
|
break if not (data and data.length > 0)
|
||||||
raw_response += data
|
raw_response += data
|
||||||
|
|
||||||
# Keep reading until we have at least the DCERPC header
|
# Keep reading until we have at least the DCERPC header
|
||||||
|
|
|
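Review bot: `read_cnt = raw_response.length - read_limit` in the second hunk subtracts in the wrong direction for a remaining-bytes calculation. While fewer than `read_limit` bytes have been buffered the result is negative, and it is then passed straight to `self.socket.read( read_cnt, rand(1024)+1)`. If `read_limit` is the total expected length, the line should read `read_cnt = read_limit - raw_response.length`. The condition guarding this assignment and the start of the loop are outside the hunk, so confirm against the full method before changing it.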
@ -112,6 +112,8 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
|
|
||||||
print_status("Created \\#{filename}...")
|
print_status("Created \\#{filename}...")
|
||||||
|
|
||||||
|
# Disconnect from the ADMIN$
|
||||||
|
simple.disconnect("ADMIN$")
|
||||||
|
|
||||||
# Connect to the IPC service
|
# Connect to the IPC service
|
||||||
simple.connect("IPC$")
|
simple.connect("IPC$")
|
||||||
|
|
|
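Review bot: The added comment `# Disconnect from the ADMIN$` only restates the call below it and does not say why the share has to be released before `simple.connect("IPC$")`. A maintainer cannot tell from the code alone whether this disconnect is part of the fix for #263 or incidental tidying. Something like `# Release the ADMIN$ tree before opening IPC$ (see #263)` would record the reason, assuming that is the actual motivation. The same applies to the identical comment in the `-143` hunk of the next file and to the uncommented `rclient.disconnect("IPC$")` in its `-276` hunk.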
@ -143,7 +143,9 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
fd.close
|
fd.close
|
||||||
print_status("Created \\#{filename}...")
|
print_status("Created \\#{filename}...")
|
||||||
|
|
||||||
|
# Disconnect from the ADMIN$
|
||||||
|
rclient.disconnect("ADMIN$")
|
||||||
|
|
||||||
print_status("Connecting to the Service Control Manager...")
|
print_status("Connecting to the Service Control Manager...")
|
||||||
rclient.connect("IPC$")
|
rclient.connect("IPC$")
|
||||||
|
|
||||||
|
@ -276,11 +278,13 @@ class Metasploit3 < Msf::Exploit::Remote
|
||||||
response = dcerpc.call(0x0, svc_handle)
|
response = dcerpc.call(0x0, svc_handle)
|
||||||
rescue ::Exception => e
|
rescue ::Exception => e
|
||||||
print_status("Error: #{e}")
|
print_status("Error: #{e}")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
rclient.disconnect("IPC$")
|
||||||
|
|
||||||
print_status("Deleting \\#{filename}...")
|
print_status("Deleting \\#{filename}...")
|
||||||
simple.connect("ADMIN$")
|
rclient.connect("ADMIN$")
|
||||||
simple.delete("\\#{filename}")
|
rclient.delete("\\#{filename}")
|
||||||
end
|
end
|
||||||
|
|
||||||
|
|
||||||
|
|
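Review bot: The `rescue ::Exception => e` that the new `rclient.disconnect("IPC$")` now follows also traps `Interrupt` and `SystemExit`. A user abort during `dcerpc.call(0x0, svc_handle)` is therefore reported as `Error: ...` and execution continues into the share disconnect and file deletion. If the intent is only to tolerate a call that fails or times out, name the expected exception classes instead. The failure should also go through `print_error("Error: #{e.class} #{e}")` so it is not mixed in with normal status output. The matching `begin` is outside the hunk, so the full extent of the guarded block is not visible here.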