From ecfe3d0235772a74fe69a85221593607591cd393 Mon Sep 17 00:00:00 2001
From: zerosum0x0
Date: Fri, 11 Aug 2017 11:36:59 -0600
Subject: [PATCH] added optional DoublePulsar check

---
 modules/auxiliary/scanner/smb/smb_ms17_010.rb | 29 ++++++++++++-------
 1 file changed, 18 insertions(+), 11 deletions(-)

diff --git a/modules/auxiliary/scanner/smb/smb_ms17_010.rb b/modules/auxiliary/scanner/smb/smb_ms17_010.rb
index fac2307b8f..9ea9cf4615 100644
--- a/modules/auxiliary/scanner/smb/smb_ms17_010.rb
+++ b/modules/auxiliary/scanner/smb/smb_ms17_010.rb
@@ -47,6 +47,11 @@ class MetasploitModule < Msf::Auxiliary
 ],
 'License' => MSF_LICENSE
 ))
+
+ register_options(
+ [
+ OptBool.new('CHECK_DOPU', [true, 'Check for DOUBLEPULSAR on vulnerable hosts', true])
+ ])
 end
 
 # algorithm to calculate the XOR Key for DoublePulsar knocks
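Review bot: The option name `CHECK_DOPU` in the added `OptBool.new` is an abbreviation that nothing else on this page uses, and its description does not say what enabling it does to the target; the probe it gates (second hunk) sends what the existing report text describes as a Trans2 request to every host already found vulnerable. A spelled-out name and a description that states that lets the operator decide whether to leave the default on: `OptBool.new('CHECK_DOUBLEPULSAR', [true, 'Probe hosts found vulnerable for a DOUBLEPULSAR implant (one extra Trans2 request per host)', true])`. The enclosing `initialize` starts outside the hunk.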
@@ -80,18 +85,20 @@ class MetasploitModule < Msf::Auxiliary
 )
 
 # vulnerable to MS17-010, check for DoublePulsar infection
- code, signature1, signature2 = do_smb_doublepulsar_probe(tree_id)
+ if datastore['CHECK_DOPU']
+ code, signature1, signature2 = do_smb_doublepulsar_probe(tree_id)
 
- if code == 0x51
- xor_key = calculate_doublepulsar_xor_key(signature1).to_s(16).upcase
- arch = calculate_doublepulsar_arch(signature2)
- print_warning("Host is likely INFECTED with DoublePulsar! - Arch: #{arch}, XOR Key: 0x#{xor_key}")
- report_vuln(
- host: ip,
- name: "MS17-010 DoublePulsar Infection",
- refs: self.references,
- info: "MultiPlexID += 0x10 on Trans2 request - Arch: #{arch}, XOR Key: 0x#{xor_key}"
- )
+ if code == 0x51
+ xor_key = calculate_doublepulsar_xor_key(signature1).to_s(16).upcase
+ arch = calculate_doublepulsar_arch(signature2)
+ print_warning("Host is likely INFECTED with DoublePulsar! - Arch: #{arch}, XOR Key: 0x#{xor_key}")
+ report_vuln(
+ host: ip,
+ name: "MS17-010 DoublePulsar Infection",
+ refs: self.references,
+ info: "MultiPlexID += 0x10 on Trans2 request - Arch: #{arch}, XOR Key: 0x#{xor_key}"
+ )
+ end
 end
 elsif status == "STATUS_ACCESS_DENIED" or status == "STATUS_INVALID_HANDLE"
 # STATUS_ACCESS_DENIED (Windows 10) and STATUS_INVALID_HANDLE (others)
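Review bot: Wrapping the existing probe block in `if datastore['CHECK_DOPU']` pushes the infected-host handling one level deeper, so `report_vuln` now sits under three nested conditions inside the vulnerable branch; moving the probe and its report into a private method with a guard clause keeps the optional check to a single modifier line and reads as optional. The same move gives a natural place to log the non-infected outcome, which is currently silent even though the option defaults to on, so an operator cannot tell whether the probe ran. The enclosing method begins and ends outside the hunk, so the new method goes after it.
```ruby
        # vulnerable to MS17-010, check for DoublePulsar infection
        check_doublepulsar(ip, tree_id) if datastore['CHECK_DOPU']
      elsif status == "STATUS_ACCESS_DENIED" or status == "STATUS_INVALID_HANDLE"
      # … unchanged: remaining status branches …

  # Probe a host already found vulnerable to MS17-010 for a DoublePulsar implant
  # and report it when the Trans2 response carries the implant's code.
  def check_doublepulsar(ip, tree_id)
    code, signature1, signature2 = do_smb_doublepulsar_probe(tree_id)
    unless code == 0x51
      vprint_status("Host does not appear to be infected with DoublePulsar")
      return
    end
    # … moved unchanged from the hunk: xor_key/arch computation, print_warning, report_vuln …
  end
```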