From 1ed49c6eb06de0845d4b7685e5fab9ba7507af1a Mon Sep 17 00:00:00 2001
From: VakarisZ
Date: Tue, 26 May 2020 11:50:01 +0300
Subject: [PATCH] Fixed smb exploiter bug where vulnerable port was not passed
---
 monkey/infection_monkey/exploit/smbexec.py | 11 ++++++++---
 1 file changed, 8 insertions(+), 3 deletions(-)
diff --git a/monkey/infection_monkey/exploit/smbexec.py b/monkey/infection_monkey/exploit/smbexec.py
index 86839c027..3188890d8 100644
--- a/monkey/infection_monkey/exploit/smbexec.py
+++ b/monkey/infection_monkey/exploit/smbexec.py
@@ -6,7 +6,7 @@ from impacket.smbconnection import SMB_DIALECT
 from infection_monkey.exploit.HostExploiter import HostExploiter
 from infection_monkey.exploit.tools.helpers import get_target_monkey, get_monkey_depth, build_monkey_commandline
 from infection_monkey.exploit.tools.smb_tools import SmbTools
-from infection_monkey.model import MONKEY_CMDLINE_DETACHED_WINDOWS, DROPPER_CMDLINE_DETACHED_WINDOWS
+from infection_monkey.model import MONKEY_CMDLINE_DETACHED_WINDOWS, DROPPER_CMDLINE_DETACHED_WINDOWS, VictimHost
 from infection_monkey.network.smbfinger import SMBFinger
 from infection_monkey.network.tools import check_tcp_port
 from common.utils.exploit_enum import ExploitType
@@ -37,13 +37,11 @@ class SmbExploiter(HostExploiter):
 if not self.host.os.get('type'):
 is_smb_open, _ = check_tcp_port(self.host.ip_addr, 445)
 if is_smb_open:
- self.vulnerable_port = 445
 smb_finger = SMBFinger()
 smb_finger.get_host_fingerprint(self.host)
 else:
 is_nb_open, _ = check_tcp_port(self.host.ip_addr, 139)
 if is_nb_open:
- self.vulnerable_port = 139
 self.host.os['type'] = 'windows'
 return self.host.os.get('type') in self._TARGET_OS_TYPE
 return False
@@ -102,6 +100,7 @@ class SmbExploiter(HostExploiter):
 LOG.debug("Exploiter SmbExec is giving up...")
 return False
+ self.set_vulnerable_port(self.host)
 # execute the remote dropper in case the path isn't final
 if remote_full_path.lower() != self._config.dropper_target_path_win_32.lower():
 cmdline = DROPPER_CMDLINE_DETACHED_WINDOWS % {'dropper_path': remote_full_path} + \
@@ -164,3 +163,9 @@ class SmbExploiter(HostExploiter):
 self.add_vuln_port("%s or %s" % (SmbExploiter.KNOWN_PROTOCOLS['139/SMB'][1],
 SmbExploiter.KNOWN_PROTOCOLS['445/SMB'][1]))
 return True
+
+ def set_vulnerable_port(self, host: VictimHost):
+ if 'tcp-445' in self.host.services:
+ self.vulnerable_port = "445"
+ elif 'tcp-139' in self.host.services:
+ self.vulnerable_port = "139"
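Review bot: The port recorded by the added `self.set_vulnerable_port(self.host)` call comes from the host's fingerprinted services rather than from the connection the preceding copy step actually used, so a host listing both `tcp-445` and `tcp-139` will always be reported as 445. The copy logic sits above this hunk and the method continues below it, so this is inferred from the helper added at the end of the patch. If the transport that succeeded is known at that point, recording it directly would keep the report accurate for whoever has to close the exposed port. Otherwise a comment above the call such as `# NOTE: port is taken from fingerprint data, not from the session that succeeded` would make the limitation explicit.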
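Review bot: `set_vulnerable_port` never uses its `host` parameter, because both branches read `self.host.services`, so the argument passed at the call site has no effect. Either test `host.services` in both branches or drop the parameter, and with it the `VictimHost` import this patch adds only for the annotation. The method also assigns the strings `"445"` and `"139"`, where the assignments removed earlier in this patch used the integers 445 and 139; consumers of `vulnerable_port` are not visible here, so confirm they accept a string. There is no fallback branch, so when neither key is present the attribute silently keeps its previous value; an `else:` with `LOG.debug("No SMB service entry found for %s", self.host)` would make that case visible in the logs.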