Simplify using RubySMB LookupSids code

lib/msf/core/exploit/remote/ms_lsarpc.rb

@@ -8,7 +8,7 @@ module Msf
 
   module Exploit::Remote::MsLsarpc
 
-    include Msf::Exploit::Remote::MsIpc
+    include Msf::Exploit::Remote::SMB::Client::Ipc
 
     class MsLsarpcError < StandardError; end
     class MsLsarpcConnectionError < MsLsarpcError; end
@@ -49,26 +49,15 @@ def map_security_principal_to_string(security_principal)
       end
     end
 
-    def open_policy_2(impersonation_level, security_context_tracking_mode, access_mask)
-      object_attributes = LSARPC_ENDPOINT::LsaprObjectAttributes.new(
-        {
-          len: 24,
-          root_directory: nil,
-          object_name: nil,
-          attributes: 0,
-          security_descriptor: nil,
+    def open_policy2(impersonation_level, security_context_tracking_mode, access_mask)
+      self.lsarpc_pipe.lsar_open_policy2(
+        system_name: simple.peerhost,
+        object_attributes: {
           security_quality_of_service: {
-            len: 12,
             impersonation_level: impersonation_level,
-            security_context_tracking_mode: security_context_tracking_mode,
-            effective_only: 0
+            security_context_tracking_mode: security_context_tracking_mode
           }
-        }
-      )
-
-      self.lsarpc_pipe.lsar_open_policy_2(
-        system_name: simple.peerhost,
-        object_attributes: object_attributes,
+        },
         access_mask: access_mask
       )
     end
@@ -80,13 +69,12 @@ def query_information_policy(policy_handle, information_class)
       )
     end
 
-    def lookup_sids(policy_handle, sids_buffer, lookup_level)
+    def lookup_sids(policy_handle, sids, lookup_level)
+      sids = [sids] unless sids.is_a?(Array)
+
       self.lsarpc_pipe.lsar_lookup_sids(
         policy_handle: policy_handle,
-        sid_enum_buffer: {
-          num_entries: sids_buffer.count,
-          sid_info: sids_buffer
-        },
+        sids: sids,
         lookup_level: lookup_level
       )
     end
@@ -100,8 +88,8 @@ def close_policy(policy_handle)
     def disconnect_lsarpc
       begin
         self.lsarpc_pipe.close if self.lsarpc_pipe&.is_connected?
-      rescue RubySMB::Error::UnexpectedStatusCode => _e
-        # noop - Encountered when trying to close LSARPC pipe vs. Samba
+      rescue RubySMB::Error::UnexpectedStatusCode => e
+        wlog e
       end
     end
 

lib/msf/core/exploit/remote/ms_ipc.rb → lib/msf/core/exploit/remote/smb/client/ipc.rb

@@ -6,14 +6,14 @@
 
 module Msf
 
-  module Exploit::Remote::MsIpc
+  module Exploit::Remote::SMB::Client::Ipc
 
     include Msf::Exploit::Remote::SMB::Client::Authenticated
     include Msf::Auxiliary::Report
 
-    class MsIpcError < StandardError; end
-    class MsIpcConnectionError < MsIpcError; end
-    class MsIpcAuthenticationError < MsIpcError; end
+    class SmbIpcError < StandardError; end
+    class SmbIpcConnectionError < SmbIpcError; end
+    class SmbIpcAuthenticationError < SmbIpcError; end
 
     module_function
 
@@ -28,9 +28,9 @@ def connect_ipc
           ipc_tree = smb_login
         end
       rescue Rex::ConnectionError => e
-        raise MsIpcConnectionError, e.message
+        raise SmbIpcConnectionError, e.message
       rescue Rex::Proto::SMB::Exceptions::Error, RubySMB::Error::RubySMBError => e
-        raise MsIpcAuthenticationError, "Unable to authenticate ([#{e.class}] #{e})."
+        raise SmbIpcAuthenticationError, "Unable to authenticate ([#{e.class}] #{e})."
       end
 
       report_service(

modules/auxiliary/scanner/smb/smb_lookupsid.rb

@@ -3,8 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-require 'ruby_smb/dcerpc/client'
-require 'ruby_smb/dcerpc/bind'
 
 class MetasploitModule < Msf::Auxiliary
 
@@ -65,7 +63,7 @@ def run_host(ip)
     ipc_tree = connect_ipc
     lsarpc_pipe = connect_lsarpc(ipc_tree)
     endpoint = RubySMB::Dcerpc::Lsarpc.freeze
-    policy_handle = open_policy_2(endpoint::SECURITY_IMPERSONATION, endpoint::SECURITY_CONTEXT_CONTINUOUS_UPDATES, endpoint::MAXIMUM_ALLOWED)
+    policy_handle = open_policy2(endpoint::SECURITY_IMPERSONATION, endpoint::SECURITY_CONTEXT_CONTINUOUS_UPDATES, endpoint::MAXIMUM_ALLOWED)
 
     account_policy = query_information_policy(policy_handle, endpoint::POLICY_ACCOUNT_DOMAIN_INFORMATION)
     primary_policy = query_information_policy(policy_handle, endpoint::POLICY_PRIMARY_DOMAIN_INFORMATION)
@@ -116,13 +114,16 @@ def run_host(ip)
     min_rid.upto(max_rid) do |rid|
       print "%bld%blu[*]%clr Trying RID #{rid} / #{max_rid}\r"
       begin
-        sid = { sid: "#{target_sid}-#{rid}" }
-        sids = lookup_sids(policy_handle, [sid], endpoint::LSAP_LOOKUP_WKSTA)
-        sids[:names].each do |name|
-          sids_table << [ map_security_principal_to_string(name[:use]), name[:name][:buffer], rid ]
+        sid = "#{target_sid}-#{rid}"
+        sids = lookup_sids(policy_handle, sid, endpoint::LSAP_LOOKUP_WKSTA)
+        sids.each do |sid|
+          sids_table << [ map_security_principal_to_string(sid[:type]), sid[:name], rid ]
         end
-      rescue RubySMB::Dcerpc::Error::LsarpcError => _e
+      rescue RubySMB::Dcerpc::Error::LsarpcError => e
         # Ignore unmapped RIDs
+        unless e.message.match?(/STATUS_NONE_MAPPED/) || e.message.match?(/STATUS_SOME_MAPPED/)
+          wlog e
+        end
       end
     end
 

spec/acceptance/smb_spec.rb

@@ -37,8 +37,8 @@
             all: {
               required: [
                 "PIPE(LSARPC) LOCAL",
-                "User",
-                "Group",
+                /User( *)(Administrator|nobody)/,
+                /Group( *)(None|Domain (Admins|Users|Guests|Computers))/,
               ],
             },
           }