Get it all working...

Meatballs1 · Meatballs1 · commit fde4a3ea0a48 · 2014-04-02T22:52:07.000+01:00
diff --git a/lib/msf/core/exploit/dcerpc_services.rb b/lib/msf/core/exploit/dcerpc_services.rb
@@ -9,8 +9,11 @@ module Exploit::Remote::DCERPC_SERVICES
 
   NDR = Rex::Encoder::NDR
 
+  SC_MANAGER_ALL_ACCESS = 0xF003F
   SERVICE_ALL_ACCESS = 0x0F01FF
   ERROR_SUCCESS = 0x0
+  ERROR_FILE_NOT_FOUND = 0x2
+  ERROR_ACCESS_DENIED = 0x5
   ERROR_SERVICE_EXISTS = 0x431
 
   # Calls OpenSCManagerW() to obtain a handle to the service control manager.
@@ -19,9 +22,9 @@ module Exploit::Remote::DCERPC_SERVICES
   # @param rhost [String] the target host.
   # @param access [Fixnum] the access flags requested.
   #
-  # @return [String] the handle to the service control manager or nil if
-  #   the call is not successful.
-  def dce_openscmanagerw(dcerpc, rhost, access = SERVICE_ALL_ACCESS)
+  # @return [String, Integer] the handle to the service control manager or nil if
+  #   the call is not successful and the Windows error code
+  def dce_openscmanagerw(dcerpc, rhost, access = SC_MANAGER_ALL_ACCESS)
     scm_handle = nil
     scm_status = nil
     stubdata =
@@ -40,7 +43,7 @@ def dce_openscmanagerw(dcerpc, rhost, access = SERVICE_ALL_ACCESS)
       print_error("#{peer} - Error getting scm handle: #{e}")
     end
 
-    scm_handle
+    return scm_handle, scm_status
   end
 
 
@@ -103,7 +106,7 @@ def dce_createservicew(dcerpc, scm_handle, service_name, display_name, binary_pa
     begin
       response = dcerpc.call(0x0c, stubdata)
       if response
-        svc_status = response[20,4].unpack('V').first
+        svc_status = response[24,4].unpack('V').first
 
         if svc_status == ERROR_SUCCESS
           svc_handle = response[4,20]
diff --git a/lib/msf/core/exploit/smb/psexec.rb b/lib/msf/core/exploit/smb/psexec.rb
@@ -15,8 +15,6 @@ module Exploit::Remote::SMB::Psexec
   include Msf::Exploit::Remote::DCERPC
   include Msf::Exploit::Remote::SMB::Authenticated
 
-  ERROR_FILE_NOT_FOUND = 0x2
-
   def initialize(info = {})
     super
     register_options(
@@ -102,8 +100,11 @@ def psexec(command, disconnect=true)
     vprint_status("#{peer} - Bound to #{handle} ...")
     vprint_status("#{peer} - Obtaining a service manager handle...")
 
-    scm_handle = dce_openscmanagerw(dcerpc, datastore['RHOST'])
+    scm_handle, scm_status = dce_openscmanagerw(dcerpc, datastore['RHOST'])
 
+    if scm_status == ERROR_ACCESS_DENIED
+      print_error("#{peer} - ERROR_ACCESS_DENIED opening the Service Manager")
+    end
     return false unless scm_handle
 
     vprint_status("#{peer} - Creating the service...")
@@ -161,7 +162,7 @@ def psexec(command, disconnect=true)
           end
         ensure
           vprint_status("#{peer} - Closing service handle...")
-          dce_closehandle(svc_handle)
+          dce_closehandle(dcerpc, svc_handle)
         end
       end
     end
