Exec methods do not clean up as intended resulting in hanging indefinitely

[NeffIsBack]

Version(s)

• lsassy : 3.1.11
• NXC: github latest

Describe the bug

While testing our test suite at NetExec i encountered the problem, that the lsassy module keeps hanging indefinitely when it fails.
Taking some time to debug it appears that exec_methods, once executed, aren't "cleaned up" properly (the clean() function of the exec method is never called. This leads to the dcom connection staying open and therefore the weird dcom timer stopping the main thread from executing (see screenshots below).

This can be solved by simply adding exec_method.clean() after execution in line 291:

lsassy/lsassy/dumpmethod/__init__.py

Line 291 in 0b59a5b

res = exec_method.exec(exec_command)

This will call the clean up and therefore termination of the dcom connection and its timer.

Expected behavior

The connection being terminated for each exec method.

Additional Info

As i am not that deep into lsassy i can't say that adding that line won't break any exec_method, as clean() is not implemented in the exec protocol interface IExec. This should probably get added there.

Screenshots

Without calling clean():

With the added exec_method.clean() line:

Debugging:

Added print statement for debugging:

[NeffIsBack]

Can be reproduced by executing nxc smb <ip> -u <user> -p <password> -M lsassy. The lsassy debug logs can be (re-)enabled in the logger.py file of netexec

[Hackndo]

Hey there @NeffIsBack
The clean() method should be called inside the exec modules. So it shouldn't be needed to call it again, in the __init__.py file.

wmiexec.py

For wmiexec.py, it's either closed in the try block

lsassy/lsassy/exec/wmi.py

Lines 68 to 69 in 0b59a5b

	self.iWbemServices.disconnect()
	self.dcom.disconnect()

Or self.clean() is called in the except blocks

lsassy/lsassy/exec/wmi.py

Line 72 in 0b59a5b

self.clean()

lsassy/lsassy/exec/wmi.py

Line 76 in 0b59a5b

self.clean()

So it should always execute

self.iWbemServices.disconnect()
self.dcom.disconnect()

at some point.

So this method shouldn't be blocking.

mmc.py

Regarding mmc.py, there's a missing cleaning call, you're right, and a missing raise call.

A raise call should be called after the Exception:

lsassy/lsassy/exec/mmc.py

Lines 140 to 142 in 0b59a5b

	except Exception as e:
	lsassy_logger.debug("Error : {}".format(e), exc_info=True)
	self.clean()

As such:

        except Exception as e:
            lsassy_logger.debug("Error : {}".format(e), exc_info=True)
            self.clean()
            raise Exception(e)

Then, a clean() should be called at the end of the function, right before the return True statement

lsassy/lsassy/exec/mmc.py

Lines 170 to 176 in 0b59a5b

	arg3['_varUnion']['bstrVal']['asData'] = '7'
	dispParams['rgvarg'].append(arg3)
	dispParams['rgvarg'].append(arg2)
	dispParams['rgvarg'].append(arg1)
	dispParams['rgvarg'].append(arg0)
	self.__executeShellCommand[0].Invoke(self.__executeShellCommand[1], 0x409, DISPATCH_METHOD, dispParams, 0, [], [])
	return True

As such:

        self.__executeShellCommand[0].Invoke(self.__executeShellCommand[1], 0x409, DISPATCH_METHOD, dispParams, 0, [], [])
        self.clean()
        return True

Conclusion

If you add the raise statement and a self.clean() in mmc.py as explained, does it solve your issue?

[Hackndo]

Hey there, I just tried my fix, and it seems to be working fine. If you have any other issue, please let me know.
Thank you for your detailed issue, it helped a lot to figure out what was hapenning.

[NeffIsBack]

Sorry, didn't have the time to get back to you.
This indeed fixes the issue, thanks!

Thank you for your detailed issue, it helped a lot to figure out what was hapenning.

Glad i could help :)