Module: Msf::Exploit::Remote::SMB::Client::PipeAuditor

Includes:
Msf::Exploit::Remote::SMB::Client
Included in:
Psexec_MS17_010
Defined in:
lib/msf/core/exploit/remote/smb/client/pipe_auditor.rb

Constant Summary

Constants included from Msf::Exploit::Remote::SMB::Client

CONST, DCERPCClient, DCERPCPacket, DCERPCResponse, DCERPCUUID, NDR, SIMPLE, XCEPT

Instance Attribute Summary

Attributes included from Msf::Exploit::Remote::SMB::Client

#simple

Attributes included from Tcp

#sock

Instance Method Summary

Methods included from Msf::Exploit::Remote::SMB::Client

#connect, #domain, #domain_username_split, #smb_create, #smb_direct, #smb_enumprinters, #smb_enumprintproviders, #smb_file_exist?, #smb_file_rm, #smb_fingerprint, #smb_fingerprint_windows_lang, #smb_fingerprint_windows_sp, #smb_hostname, #smb_lanman_netshareenumall, #smb_login, #smb_lookup_share_type, #smb_netshareenumall, #smb_netsharegetinfo, #smb_open, #smb_peer_lm, #smb_peer_os, #smb_srvsvc_netshareenumall, #smb_srvsvc_netsharegetinfo, #smbhost, #splitname, #unicode

Methods included from Tcp

#chost, #cleanup, #connect, #connect_timeout, #cport, #disconnect, #handler, #lhost, #lport, #peer, #print_prefix, #proxies, #rhost, #rport, #set_tcp_evasions, #shutdown, #ssl, #ssl_cipher, #ssl_verify_mode, #ssl_version

Instance Method Details

#check_named_pipes(check_first: [], return_first: false) ⇒ Array

Check each named pipe in the NAMED_PIPES list (plus any given in check_first), optionally returning the first one that can be opened.

Parameters:

  • check_first (Array) (defaults to: [])

    Check the specified pipes first

  • return_first (Boolean) (defaults to: false)

    Return the first pipe name and handle

Returns:

  • (Array)

    The list of accessible pipes as [name, handle] pairs (with return_first, only the first such pair)


# File 'lib/msf/core/exploit/remote/smb/client/pipe_auditor.rb', line 27

def check_named_pipes(check_first: [], return_first: false)
  @found_pipes = []

  # Normalize check_first to a non-empty Array: drop blank entries,
  # wrap a single String, and ignore anything else.
  if check_first.is_a?(Array)
    check_first.delete_if { |pipe| pipe.blank? }
  elsif check_first.is_a?(String) && check_first.present?
    check_first = [check_first]
  else
    check_first = []
  end

  # Pipes from check_first are probed before the wordlist entries.
  named_pipes = check_first + File.readlines(datastore['NAMED_PIPES'])

  named_pipes.each do |pipe|
    begin
      pipe_name = pipe.strip

      # Samba 3.x requires a prefixed backslash
      # Samba 4.x normalizes away backslashes
      # Windows: honey badger don't care
      unless pipe_name.start_with?('\\')
        pipe_name = "\\#{pipe_name}"
      end

      pipe_handle = self.simple.create_pipe(pipe_name, 'o')

      # If we make it this far, it succeeded
      vprint_status("Connected to named pipe: #{pipe_name}")

      # This is for exploits like ms17_010_psexec
      return pipe_name, pipe_handle if return_first

      @found_pipes << [pipe_name, pipe_handle]
    rescue Rex::Proto::SMB::Exceptions::ErrorCode, RubySMB::Error::RubySMBError => e
      vprint_error("Inaccessible named pipe: #{pipe_name} - #{e.message}")
    end
  end

  @found_pipes
end
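As an added example, not the module's own code, the same audit loop is written below against a constructed stand-in for the SMB client, so the normalization of check_first, the backslash prefixing and the return_first short-circuit can be exercised offline. FakeSmbClient, PipeProbeError, normalize_check_first and audit_named_pipes are hypothetical names; the `lines` argument stands in for File.readlines(datastore['NAMED_PIPES']).

```ruby
# Constructed stand-in for the SMB client: create_pipe raises for any pipe
# not in the accessible set, mirroring the Rex/RubySMB error path above.
class PipeProbeError < StandardError; end

class FakeSmbClient
  def initialize(accessible)
    @accessible = accessible
  end

  # Returns an opaque handle on success, raises PipeProbeError otherwise.
  def create_pipe(name, _mode)
    raise PipeProbeError, 'STATUS_OBJECT_NAME_NOT_FOUND' unless @accessible.include?(name)
    "handle:#{name}"
  end
end

# Same rules as the module: drop blank entries, accept a single String,
# treat anything else as an empty list (without mutating the caller's Array).
def normalize_check_first(check_first)
  case check_first
  when Array  then check_first.reject { |p| p.nil? || p.strip.empty? }
  when String then check_first.strip.empty? ? [] : [check_first]
  else []
  end
end

# Probe each pipe; `lines` replaces File.readlines(datastore['NAMED_PIPES']).
def audit_named_pipes(client, lines, check_first: [], return_first: false)
  found = []
  (normalize_check_first(check_first) + lines).each do |pipe|
    pipe_name = pipe.strip
    # Samba 3.x requires the leading backslash; Samba 4.x and Windows tolerate it.
    pipe_name = "\\#{pipe_name}" unless pipe_name.start_with?('\\')
    begin
      handle = client.create_pipe(pipe_name, 'o')
      return [pipe_name, handle] if return_first
      found << [pipe_name, handle]
    rescue PipeProbeError
      # Inaccessible pipe: the module logs it with vprint_error and moves on.
    end
  end
  found
end
```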

#initialize(info = {}) ⇒ Object


# File 'lib/msf/core/exploit/remote/smb/client/pipe_auditor.rb', line 12

def initialize(info = {})
  super

  named_pipes = File.join(Msf::Config.data_directory, 'wordlists', 'named_pipes.txt')

  register_options([
    OptPath.new('NAMED_PIPES', [true, 'List of named pipes to check', named_pipes])
  ])
end