Map the GKDI endpoint as a workaround

Author: zeroSteiner

lib/msf/core/exploit/remote/ms_gkdi.rb

@@ -65,16 +65,32 @@ def connect_gkdi(opts = {})
   end
 
   def bind_gkdi(dcerpc_client)
-    dcerpc_client.connect
-    vprint_status('Binding to GKDI...')
+    tower = gkdi_get_endpoints.first
+    dcerpc_client.connect(port: tower[:port])
+    vprint_status("Binding to GKDI via #{tower[:endpoint]}...")
     dcerpc_client.bind(
-      endpoint: RubySMB::Dcerpc::Gkdi,
       auth_level: RubySMB::Dcerpc::RPC_C_AUTHN_LEVEL_PKT_PRIVACY,
       auth_type: RubySMB::Dcerpc::RPC_C_AUTHN_WINNT
     )
     vprint_status('Bound to GKDI')
   end
 
+  def gkdi_get_endpoints(opts = {})
+    vprint_status('Mapping GKDI endpoints...')
+    dcerpc_client = RubySMB::Dcerpc::Client.new(
+      opts.fetch(:rhost) { rhost },
+      RubySMB::Dcerpc::Epm
+    )
+    dcerpc_client.connect
+    dcerpc_client.bind
+    # This works around an odd error where if the target has just booted, then no towers (endpoint connection infos)
+    # will be returned if max_towers is set to 1. Here we map it our self and set max_towers to a higher number to work
+    # around the behavior. Subsequent mapping attempts will work with max_towers set to 1, but 4 will always work.
+    towers = dcerpc_client.ept_map_endpoint(RubySMB::Dcerpc::Gkdi, max_towers: 4)
+    dcerpc_client.close
+    towers
+  end
+
   def gkdi_compute_kek(gke, key_identifier)
     l2_key = gkdi_compute_l2_key(gke, key_identifier)