psexec smb2 support #10185
Conversation
lib/rex/proto/dcerpc/client.rb
@@ -296,6 +296,8 @@ def call(function, data, do_recv = true) | |||
raw_response = '' | |||
sleep 3 |
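Review bot: the `sleep 3` inserted just before `raw_response = ''` in `call` delays every DCE-RPC call by a fixed three seconds whether or not the target needs it, and nothing in the hunk says why. Since the stated reason is that a request sent too early makes the Windows host answer with an error code, prefer rescuing that specific error and retrying the call a bounded number of times with a short backoff, and add a comment naming the error and the reason for the wait so the next reader does not mistake it for a debugging leftover.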
This should probably be handled in a better way...
It seems like a wait needs to occur for the DCE-RPC call.
If a request is sent early, the Windows host will respond with an error code that makes it seem like everything is broken.
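The retry approach the comment above is asking for, written out as an added example in Ruby; it is not code from this PR or from the Metasploit/Rex DCE-RPC client. `DcerpcNotReady`, `FakeDcerpcClient` and the error text are hypothetical stand-ins for whatever error the Windows host actually returns when a request arrives early. Instead of a fixed `sleep 3` on every call, the wrapper retries only on that error, with a linear backoff and a hard cap on attempts, so a target that is genuinely broken still fails quickly.

```ruby
# Added example (not from the PR or the Metasploit code base): a bounded
# retry for a DCE-RPC call in place of a fixed `sleep 3`. The target may
# answer a request that arrives before it is ready with an error; retry only
# on that error class, with a short backoff and a cap on attempts.
#
# DcerpcNotReady, FakeDcerpcClient and the error text are hypothetical.

class DcerpcNotReady < StandardError; end

# call_with_retry yields to a block that performs one DCE-RPC call and
# retries it when the target reports that it is not ready yet. `sleeper`
# is injectable so the backoff can be measured without actually sleeping.
def call_with_retry(max_attempts: 5, base_delay: 0.2, sleeper: ->(s) { sleep s })
  attempts = 0
  begin
    attempts += 1
    yield attempts
  rescue DcerpcNotReady
    raise if attempts >= max_attempts
    # Linear backoff: 0.2s, 0.4s, 0.6s ... bounded by max_attempts.
    sleeper.call(base_delay * attempts)
    retry
  end
end

# Constructed stand-in for a DCE-RPC client: the first `fail_first` calls
# raise the "not ready" error, after which the call succeeds.
class FakeDcerpcClient
  attr_reader :calls

  def initialize(fail_first:)
    @fail_first = fail_first
    @calls = 0
  end

  def call(function, data)
    @calls += 1
    raise DcerpcNotReady, "target not ready (attempt #{@calls})" if @calls <= @fail_first
    "response to opnum #{function} (#{data.bytesize} bytes)"
  end
end

# Run one scenario and return [result_or_nil, calls_made, total_backoff_seconds].
def run_scenario(fail_first:, max_attempts: 5)
  slept = 0.0
  client = FakeDcerpcClient.new(fail_first: fail_first)
  result = call_with_retry(max_attempts: max_attempts, sleeper: ->(s) { slept += s }) do
    client.call(0x0a, "\x00" * 16)
  end
  [result, client.calls, slept.round(2)]
rescue DcerpcNotReady
  [nil, client.calls, slept.round(2)]
end

if __FILE__ == $0
  p run_scenario(fail_first: 2)   # succeeds on the third attempt
  p run_scenario(fail_first: 10)  # gives up after max_attempts
end
```

A target that is ready on the first call costs no delay at all, one that needs two retries waits 0.6 s in total, and one that never becomes ready is abandoned after five attempts instead of masking the failure behind an unconditional sleep.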
Jenkins test this please.
The following will get this PR to run your first testing scenario against Windows 10, since I believe the default target selection would work.
Or you could make the change to the Windows 7 target above if you want the SMBv2 test performed on that OS.
For Windows 10 the automatic target selection attempts to use PowerShell, which wasn't working in my testing. How would I change the JSON file to select the native upload target (set target 2)? The native upload target should work on both Windows 7 and Windows 10.
For now
I'll try that now 👍
Jenkins test this please.
Looks like the success condition for the test has changed.
eed928b to 31da00b
8cc3063 to 8e36551
Woo, it's green! Removing 'delayed'
Please see https://github.com/hanshaze/EternalPulse, sorry.
@GreenEYESSS those comments are totally unrelated to this PR, and the second module you linked to doesn't actually work either.
2003/XP systems seem to return this:
OK, sorry.
71a2b0e to 2856c46
Jenkins test this please.
PowerShell target is likely an AMSI catch. They're actually signing for the bloody architecture resolution part of the cmd invocation, which we can drop and force the user to set the right arch for now. Evasions like the metasm C stuff cost space in PSH, which pushes us to env-stage (something else they can search for).
The PowerShell issue with Windows 10 that I was experiencing was resolved in rex-powershell. I will update the description.
Manual test for Windows 2000:
Release Notes
This adds SMBv1 and SMBv2 support for the
Guys, help: this guest machine is vulnerable. [*] Started reverse TCP handler on 192.168.43.119:4444
Description
This PR updates the module exploit/windows/smb/psexec to support SMBv2 connections using RubySMB.
SMB1 tests:
SMB2 tests:
Verification
- `./msfconsole`
- `use exploit/windows/smb/psexec`
- `set smbuser <user>`
- `set smbpass <pass>`
- `set target 1`
- `set rhost <rhost>`
- `run`
- `set target 2`
- `run`