Method: Msf::Exploit::Remote::SMB::Client::PipeAuditor#check_named_pipes
- Defined in:
- lib/msf/core/exploit/remote/smb/client/pipe_auditor.rb
#check_named_pipes(check_first: [], return_first: false) ⇒ Array
Checks each candidate named pipe by trying to open it, optionally returning as soon as the first one opens.
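# File 'lib/msf/core/exploit/remote/smb/client/pipe_auditor.rb', line 27

# Tries to open each candidate named pipe and records the ones that open.
#
# Candidates are the caller-supplied +check_first+ entries followed by every
# line of the file named by datastore['NAMED_PIPES']. Each name is stripped
# and given a leading backslash if it lacks one.
#
# Handles that open successfully are handed back to the caller; this method
# never closes them, so the caller owns their lifetime.
#
# Detection note: seen from the server, one call is a series of pipe open
# requests, one per candidate, and the refused ones are rescued and skipped
# here. On Windows such a burst from a single client is typically visible
# through detailed file share auditing (event 5145 on the IPC$ share) --
# confirm against the audit policy in use.
#
# @param check_first [Array<String>, String] pipe name(s) to try before the
#   wordlist; blank entries are dropped and any other type is ignored
# @param return_first [Boolean] stop at the first pipe that opens
# @return [Array] with return_first false, the list of
#   [pipe_name, pipe_handle] pairs (also kept in @found_pipes); with
#   return_first true, the single [pipe_name, pipe_handle] pair of the first
#   pipe that opened (not added to @found_pipes), or an empty array when
#   none opened
def check_named_pipes(check_first: [], return_first: false)
  @found_pipes = []

  # Build a new list rather than calling delete_if on the argument, so the
  # caller's array is left untouched.
  priority_pipes =
    if check_first.is_a?(Array)
      check_first.reject { |pipe| pipe.blank? }
    elsif check_first.is_a?(String) && check_first.present?
      [check_first]
    else
      []
    end

  candidates = priority_pipes + File.readlines(datastore['NAMED_PIPES'])

  candidates.each do |pipe|
    begin
      pipe_name = pipe.strip

      # Samba 3.x requires a prefixed backslash
      # Samba 4.x normalizes away backslashes
      # Windows accepts either form
      pipe_name = "\\#{pipe_name}" unless pipe_name.start_with?('\\')

      # NOTE(review): 'o' is passed as the open mode; presumably "open
      # existing" -- confirm against create_pipe.
      pipe_handle = simple.create_pipe(pipe_name, 'o')

      # Reaching this line means the open did not raise.
      vprint_status("Connected to named pipe: #{pipe_name}")

      # Early exit for callers that need only one usable pipe
      # (the original comment names ms17_010_psexec as an example).
      return pipe_name, pipe_handle if return_first

      @found_pipes << [pipe_name, pipe_handle]
    rescue Rex::Proto::SMB::Exceptions::ErrorCode, RubySMB::Error::RubySMBError => e
      # A refused or failed open is expected for most candidates; report it
      # in verbose mode and move on to the next name.
      vprint_error("Inaccessible named pipe: #{pipe_name} - #{e.message}")
    end
  end

  @found_pipes
end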