Fixes #263. Correct the max read() size for DCERPC over SMB

git-svn-id: file:///home/svn/framework3/trunk@6007 4d416f70-5f16-0410-b530-b9f4589650da

lib/rex/proto/dcerpc/client.rb

@@ -141,6 +141,10 @@ require 'rex/proto/smb/exceptions'
 		if (self.socket.class == Rex::Proto::SMB::SimpleClient::OpenPipe)
 			begin
 	
+				# Max SMB read is 65535, cap it at 64000
+				max_read = [64000, max_read].min
+				min_read = [64000, min_read].min
+	
 				read_limit = nil
 
 				while(true)
@@ -152,9 +156,9 @@ require 'rex/proto/smb/exceptions'
 							read_cnt = raw_response.length - read_limit
 						end
 					end
-
+					
 					data = self.socket.read( read_cnt, rand(1024)+1)
-					last if not data.length
+					break if not (data and data.length > 0)
 					raw_response += data
 
 					# Keep reading until we have at least the DCERPC header

modules/exploits/windows/smb/psexec.rb

@@ -112,6 +112,8 @@ class Metasploit3 < Msf::Exploit::Remote
 		
 		print_status("Created \\#{filename}...")
 		
+		# Disconnect from the ADMIN$
+		simple.disconnect("ADMIN$")
 		
 		# Connect to the IPC service
 		simple.connect("IPC$")

modules/exploits/windows/smb/smb_relay.rb

@@ -143,7 +143,9 @@ class Metasploit3 < Msf::Exploit::Remote
 		fd.close
 		print_status("Created \\#{filename}...")
 		
-
+		# Disconnect from the ADMIN$
+		rclient.disconnect("ADMIN$")
+				
 		print_status("Connecting to the Service Control Manager...")
 		rclient.connect("IPC$")
 
@@ -276,11 +278,13 @@ class Metasploit3 < Msf::Exploit::Remote
 			response = dcerpc.call(0x0, svc_handle)
 		rescue ::Exception => e
 			print_status("Error: #{e}")
-		end			
+		end
+		
+		rclient.disconnect("IPC$")
 
 		print_status("Deleting \\#{filename}...")
-		simple.connect("ADMIN$")
+		rclient.connect("ADMIN$")
-		simple.delete("\\#{filename}")
+		rclient.delete("\\#{filename}")
 	end