Module: Msf::Handler::BindNamedPipe

Includes:

Msf::Handler

Defined in:

lib/msf/core/handler/bind_named_pipe.rb

Constant Summary

Constants included from Msf::Handler

Claimed, Unused

Instance Attribute Summary

• #conn_threads ⇒ Object protected

  Returns the value of attribute conn_threads.

• #listener_pairs ⇒ Object protected

  Returns the value of attribute listener_pairs.

• #listener_threads ⇒ Object protected

  Returns the value of attribute listener_threads.

Attributes included from Msf::Handler

#exploit_config, #parent_payload, #pending_connections, #session_waiter_event, #sessions

Class Method Summary

• .general_handler_type ⇒ Object

  Returns the connection-described general handler type, in this case ‘bind’.

• .handler_type ⇒ Object

  Returns the string representation of the handler type, in this case ‘bind_named_pipe’.

Instance Method Summary

• #cleanup_handler ⇒ Object

  Cleanup.

• #human_name ⇒ String

  A string suitable for displaying to the user.

• #initialize(info = {}) ⇒ Object

  Initializes the handler and ads the options that are required for bind named pipe payloads.

• #start_handler ⇒ Object

  Starts monitoring for an inbound connection.

• #stop_handler ⇒ Object

  Stop.

Methods included from Msf::Handler

#add_handler, #create_session, #handle_connection, #handler, #handler_name, #interrupt_wait_for_session, #register_session, #setup_handler, #wait_for_session, #wfs_delay

Instance Attribute Details

#conn_threads ⇒ Object (protected)

Returns the value of attribute conn_threads.

# File 'lib/msf/core/handler/bind_named_pipe.rb', line 385

def conn_threads
  @conn_threads
end

#listener_pairs ⇒ Object (protected)

Returns the value of attribute listener_pairs.

# File 'lib/msf/core/handler/bind_named_pipe.rb', line 387

def listener_pairs
  @listener_pairs
end

#listener_threads ⇒ Object (protected)

Returns the value of attribute listener_threads.

# File 'lib/msf/core/handler/bind_named_pipe.rb', line 386

def listener_threads
  @listener_threads
end

Class Method Details

.general_handler_type ⇒ Object

Returns the connection-described general handler type, in this case ‘bind’.

# File 'lib/msf/core/handler/bind_named_pipe.rb', line 194

def self.general_handler_type
  "bind"
end

.handler_type ⇒ Object

Returns the string representation of the handler type, in this case ‘bind_named_pipe’.

# File 'lib/msf/core/handler/bind_named_pipe.rb', line 186

def self.handler_type
  "bind_named_pipe"
end

Instance Method Details

#cleanup_handler ⇒ Object

Cleanup

# File 'lib/msf/core/handler/bind_named_pipe.rb', line 377

def cleanup_handler
  self.conn_threads.each { |t|
    t.kill
  }
end

#human_name ⇒ String

A string suitable for displaying to the user

Returns:

• (String)

# File 'lib/msf/core/handler/bind_named_pipe.rb', line 227

def human_name
  "bind named pipe"
end

#initialize(info = {}) ⇒ Object

Initializes the handler and ads the options that are required for bind named pipe payloads.

# File 'lib/msf/core/handler/bind_named_pipe.rb', line 202

def initialize(info={})
  super

  register_options(
    [
      OptString.new('PIPENAME', [true, 'Name of the pipe to connect to', 'msf-pipe']),
      OptString.new('RHOST', [false, 'Host of the pipe to connect to', '']),
      OptPort.new('LPORT', [true, 'SMB port', 445]),
      OptString.new('SMBUser', [false, 'The username to authenticate as', ''], fallbacks: ['USERNAME']),
      OptString.new('SMBPass', [false, 'The password for the specified username', ''], fallbacks: ['PASSWORD']),
      OptString.new('SMBDomain', [false, 'The Windows domain to use for authentication', '.'], fallbacks: ['DOMAIN']),
    ], Msf::Handler::BindNamedPipe)
  register_advanced_options(
    [
      OptString.new('SMBDirect', [true, 'The target port is a raw SMB service (not NetBIOS)', true]),
    ], Msf::Handler::BindNamedPipe)

  self.conn_threads = []
  self.listener_threads = []
  self.listener_pairs = {}
end

#start_handler ⇒ Object

Starts monitoring for an inbound connection.

# File 'lib/msf/core/handler/bind_named_pipe.rb', line 234

def start_handler
  # Maximum number of seconds to run the handler
  ctimeout = 150

  if (exploit_config and exploit_config['active_timeout'])
    ctimeout = exploit_config['active_timeout'].to_i
  end

  # Take a copy of the datastore options
  rhost = datastore['RHOST']
  lport = datastore['LPORT'].to_i
  pipe_name = datastore['PIPENAME']
  smbuser = datastore['SMBUser']
  smbpass = datastore['SMBPass']
  smbdomain = datastore['SMBDomain']
  smbdirect = datastore['SMBDirect']
  smbshare = "\\\\#{rhost}\\IPC$"

  # Ignore this if one of the required options is missing
  return if not rhost
  return if not lport

  # dont spawn multiple handlers for same host and pipe
  pair = rhost + ":" + lport.to_s + ":" + pipe_name
  return if self.listener_pairs[pair]
  self.listener_pairs[pair] = true

  # Start a new handling thread
  self.listener_threads << framework.threads.spawn("BindNamedPipeHandlerListener-#{pipe_name}", false) {
    sock = nil
    print_status("Started #{human_name} handler against #{rhost}:#{lport}")

    # First, create a socket and connect to the SMB service
    vprint_status("Connecting to #{rhost}:#{lport}")
    begin
      sock = Rex::Socket::Tcp.create(
        'PeerHost' => rhost,
        'PeerPort' => lport.to_i,
        'Proxies'  => datastore['Proxies'],
        'Context'  =>
        {
          'Msf'        => framework,
          'MsfPayload' => self,
          'MsfExploit' => assoc_exploit
        })
    rescue Rex::ConnectionError => e
      vprint_error(e.message)
    rescue
      wlog("Exception caught in bind handler: #{$!.class} #{$!}")
    end

    if not sock
      print_error("Failed to connect socket #{rhost}:#{lport}")
      interrupt_wait_for_session
      Thread.exit
    end

    # Perform SMB logon
    simple = SimpleClientPipe.new(sock, smbdirect)

    begin
      simple.login('*SMBSERVER', smbuser, smbpass, smbdomain)
      vprint_status("SMB login Success #{smbdomain}\\#{smbuser}:#{smbpass} #{rhost}:#{lport}")
    rescue
      print_error("SMB login Failure #{smbdomain}\\#{smbuser}:#{smbpass} #{rhost}:#{lport}")
      interrupt_wait_for_session
      Thread.exit
    end

    # Connect to the IPC$ share so we can use named pipes.
    simple.connect(smbshare)
    vprint_status("Connected to #{smbshare}")

    # Make several attempts to connect to the stagers named pipe. Authenticating and
    # connecting to IPC$ should be possible pre stager so we only retry this operation.
    # The stager creates the pipe with a default ACL which provides r/w to the creator
    # and administrators.
    stime = Time.now.to_i
    while (stime + ctimeout > Time.now.to_i)
      begin
        pipe = simple.create_pipe("\\"+pipe_name)
      rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
        error_name = e.get_error(e.error_code)
        unless ['STATUS_OBJECT_NAME_NOT_FOUND', 'STATUS_PIPE_NOT_AVAILABLE'].include? error_name
          print_error("Error connecting to #{pipe_name}: #{error_name}")
          interrupt_wait_for_session
          Thread.exit
        else
          # Stager pipe may not be ready
          vprint_status("Error connecting to #{pipe_name}: #{error_name}")
        end
        Rex::ThreadSafe.sleep(1.0)
      rescue RubySMB::Error::RubySMBError => e
        print_error("Error connecting to #{pipe_name}: #{e.message}")
        Rex::ThreadSafe.sleep(1.0)
      end
      break if pipe
    end

    if not pipe
      print_error("Failed to connect to pipe \\#{pipe_name} on #{rhost}")
      interrupt_wait_for_session
      Thread.exit
    end

    vprint_status("Opened pipe \\#{pipe_name}")

    # Increment the has connection counter
    self.pending_connections += 1

    # Timeout and datastore options need to be passed through to the client
    opts = {
      :datastore    => datastore,
      :expiration   => datastore['SessionExpirationTimeout'].to_i,
      :comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
      :retry_total  => datastore['SessionRetryTotal'].to_i,
      :retry_wait   => datastore['SessionRetryWait'].to_i
    }

    conn_threads << framework.threads.spawn("BindNamedPipeHandlerSession", false, simple) { |simple_copy|
      begin
        session = handle_connection(simple_copy.pipe, opts)
      rescue => e
        elog('Exception raised from BindNamedPipe.handle_connection', error: e)
      end
    }
  }
end

#stop_handler ⇒ Object

Stop

# File 'lib/msf/core/handler/bind_named_pipe.rb', line 366

def stop_handler
  self.listener_threads.each do |t|
    t.kill
  end
  self.listener_threads = []
  self.listener_pairs = {}
end