Merge branch 'smb_fixes' of git://github.com/alexmaloteaux/metasploit-framework into alexmaloteaux-smb_fixes

Author: sinn3r

lib/rex/proto/smb/client.rb

@@ -1046,6 +1046,7 @@ def tree_connect(share = 'IPC$', pass = '', do_recv = true)
 
 		pkt = CONST::SMB_TREE_CONN_PKT.make_struct
 		self.smb_defaults(pkt['Payload']['SMB'])
+		pkt['Payload']['SMB'].v['TreeID'] = 0
 
 		pkt['Payload']['SMB'].v['Command'] = CONST::SMB_COM_TREE_CONNECT_ANDX
 		pkt['Payload']['SMB'].v['Flags1'] = 0x18

modules/auxiliary/admin/smb/list_directory.rb

@@ -68,7 +68,7 @@ def run
 			connect()
 			smb_login()
 			print_status("Mounting the remote share \\\\#{datastore['RHOST']}\\#{datastore['SMBSHARE']}'...")
-						self.simple.connect("#{datastore['SMBSHARE']}")
+						self.simple.connect("\\\\#{datastore['RHOST']}\\#{datastore['SMBSHARE']}")
 			if datastore['RPATH']
 				print_status("Listing \\\\#{datastore['RHOST']}\\#{datastore['SMBSHARE']}\\#{datastore['RPATH']}'...")
 			end

modules/auxiliary/admin/smb/psexec_command.rb

@@ -150,7 +150,7 @@ def check_cleanup(smbshare, ip, text)
 	# Instead of uploading and runing a binary.  This method runs a single windows command fed into the COMMAND paramater
 	def psexec(command)
 
-		simple.connect("IPC$")
+		simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
 
 		handle = dcerpc_handle('367abb81-9844-35f1-ad32-98f038001003', '2.0', 'ncacn_np', ["\\svcctl"])
 		vprint_status("#{peer} - Binding to #{handle} ...")

modules/auxiliary/scanner/smb/smb_enumshares.rb

@@ -107,7 +107,7 @@ def lanman_netshareenum
 
 	def srvsvc_netshareenum
 
-		simple.connect("IPC$")
+		simple.connect("\\\\#{rhost}\\IPC$")
 		handle = dcerpc_handle('4b324fc8-1670-01d3-1278-5a47bf6ee188', '3.0', 'ncacn_np', ["\\srvsvc"])
 		begin
 			dcerpc_bind(handle)

modules/exploits/windows/smb/psexec.rb

@@ -172,11 +172,11 @@ def exploit
 				folder_list = smbshare.split(/[\\\/]/)
 				smbshare = folder_list[0]
 				fileprefix = folder_list[1..-1].map {|a| a + "\\"}.join.gsub(/\\$/,"") if folder_list.length > 1
-				simple.connect(smbshare)
+				simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
 				fd = smb_open("\\#{fileprefix}\\#{filename}", 'rwct')
 			else
 				subfolder = false
-				simple.connect(smbshare)
+				simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
 				fd = smb_open("\\#{filename}", 'rwct')
 			end
 			exe = ''
@@ -196,10 +196,9 @@ def exploit
 			end
 
 			# Disconnect from the share
-			simple.disconnect(smbshare)
-
+			simple.disconnect("\\\\#{datastore['RHOST']}\\#{smbshare}")
 			# Connect to the IPC service
-			simple.connect("IPC$")
+			simple.connect("\\\\#{datastore['RHOST']}\\IPC$")
 
 
 			# Bind to the service
@@ -350,10 +349,10 @@ def exploit
 			select(nil, nil, nil, 1.0)
 			#This is not really useful but will prevent double \\ on the wire :)
 			if datastore['SHARE'] =~ /.[\\\/]/
-				simple.connect(smbshare)
+				simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
 				simple.delete("\\#{fileprefix}\\#{filename}")
 			else
-				simple.connect(smbshare)
+				simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
 				simple.delete("\\#{filename}")
 			end