Module: Msf::Exploit::Remote::SMB::Client::PipeAuditor

Includes:
Msf::Exploit::Remote::SMB::Client
Included in:
Psexec_MS17_010
Defined in:
lib/msf/core/exploit/smb/client/pipe_auditor.rb

Constant Summary

Constants included from Msf::Exploit::Remote::SMB::Client

CONST, DCERPCClient, DCERPCPacket, DCERPCResponse, DCERPCUUID, NDR, SIMPLE, XCEPT

Instance Attribute Summary

Attributes included from Msf::Exploit::Remote::SMB::Client

#simple

Attributes included from Tcp

#sock

Instance Method Summary

Methods included from Msf::Exploit::Remote::SMB::Client

#connect, #domain, #domain_username_split, #smb_create, #smb_direct, #smb_enumprinters, #smb_enumprintproviders, #smb_file_exist?, #smb_file_rm, #smb_fingerprint, #smb_fingerprint_windows_lang, #smb_fingerprint_windows_sp, #smb_hostname, #smb_lanman_netshareenumall, #smb_login, #smb_lookup_share_type, #smb_netshareenumall, #smb_netsharegetinfo, #smb_open, #smb_peer_lm, #smb_peer_os, #smb_srvsvc_netshareenumall, #smb_srvsvc_netsharegetinfo, #smbhost, #splitname, #unicode

Methods included from Tcp

#chost, #cleanup, #connect, #connect_timeout, #cport, #deregister_tcp_options, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Instance Method Details

#check_named_pipes(check_first: [], return_first: false) ⇒ Array

Attempt to open each candidate named pipe over the current SMB session, optionally stopping and returning as soon as one opens.

Parameters:

  • check_first (Array, String) (defaults to: [])

    Pipe name(s) to try before the NAMED_PIPES wordlist; a single String is treated as a one-element list and blank entries are ignored

  • return_first (Boolean) (defaults to: false)

    Stop at the first pipe that opens and return its name and handle instead of collecting all of them

Returns:

  • (Array)

    [name, handle] pairs for every pipe that could be opened; with return_first, the single [name, handle] pair of the first pipe that opened (an empty Array if none did). Handles are returned open — the caller is responsible for closing the ones it does not use.


# File 'lib/msf/core/exploit/smb/client/pipe_auditor.rb', line 27

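# Attempts to open every candidate named pipe over the established SMB
# session and collects the ones that could be opened.
#
# Candidates are the +check_first+ entries followed by each line of the
# NAMED_PIPES wordlist (an operator-controlled OptPath, see #initialize).
# Each name is stripped, empty lines are skipped, a leading backslash is
# added when missing, and duplicates are dropped so that a pipe listed both
# in +check_first+ and in the wordlist is only opened once (the original
# ordering, and therefore +check_first+ priority, is preserved).
#
# Only SMB-level failures (Rex::Proto::SMB::Exceptions::ErrorCode,
# RubySMB::Error::RubySMBError) are treated as "pipe not accessible";
# transport errors and timeouts propagate to the caller.
#
# NOTE: every handle returned here is still open. The caller owns them and
# is responsible for closing the ones it does not use.
#
# @param check_first [Array<String>, String] pipe name(s) to try before the
#   wordlist. The argument is not modified.
# @param return_first [Boolean] stop and return as soon as one pipe opens
# @return [Array] when +return_first+ is true and a pipe opens,
#   +[pipe_name, pipe_handle]+ for that pipe; otherwise an Array of
#   +[pipe_name, pipe_handle]+ pairs for every pipe that opened (possibly
#   empty, including when +return_first+ is true but nothing opened)
def check_named_pipes(check_first: [], return_first: false)
  @found_pipes = []

  # Normalize the caller-supplied list without mutating the caller's Array
  # (the previous delete_if edited it in place).
  preferred =
    if check_first.is_a?(Array)
      check_first.reject(&:blank?)
    elsif check_first.is_a?(String) && check_first.present?
      [check_first]
    else
      []
    end

  candidates = (preferred + File.readlines(datastore['NAMED_PIPES'])).map(&:strip)

  # A blank wordlist line would otherwise turn into a request for the pipe "\"
  candidates.reject!(&:empty?)

  candidates.map! do |pipe_name|
    # Samba 3.x requires a prefixed backslash
    # Samba 4.x normalizes away backslashes
    # Windows: honey badger don't care
    pipe_name.start_with?('\\') ? pipe_name : "\\#{pipe_name}"
  end

  # uniq keeps the first occurrence, so check_first entries still go first
  candidates.uniq.each do |pipe_name|
    begin
      # 'o' is presumably the "open" disposition — confirm against
      # the SimpleClient#create_pipe implementation in use
      pipe_handle = self.simple.create_pipe(pipe_name, 'o')

      # If we make it this far, it succeeded
      vprint_status("Connected to named pipe: #{pipe_name}")

      # This is for exploits like ms17_010_psexec
      return pipe_name, pipe_handle if return_first

      @found_pipes << [pipe_name, pipe_handle]
    rescue Rex::Proto::SMB::Exceptions::ErrorCode, RubySMB::Error::RubySMBError => e
      vprint_error("Inaccessible named pipe: #{pipe_name} - #{e.message}")
    end
  end

  @found_pipes
end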

#initialize(info = {}) ⇒ Object


# File 'lib/msf/core/exploit/smb/client/pipe_auditor.rb', line 12

# Registers the NAMED_PIPES option used by #check_named_pipes.
#
# The option is a required OptPath whose default points at the
# named_pipes.txt wordlist shipped in the framework data directory, so the
# wordlist is operator-controlled rather than supplied by the target.
#
# @param info [Hash] module metadata passed through to the superclass
def initialize(info = {})
  super

  default_wordlist = File.join(
    Msf::Config.data_directory,
    'wordlists',
    'named_pipes.txt'
  )

  register_options(
    [
      OptPath.new('NAMED_PIPES', [true, 'List of named pipes to check', default_wordlist])
    ]
  )
end