scanner update

lib/msf/core/auxiliary/mixins.rb

@@ -32,6 +32,7 @@ require 'msf/core/auxiliary/pii'
 require 'msf/core/auxiliary/redis'
 require 'msf/core/auxiliary/sms'
 require 'msf/core/auxiliary/mms'
+
 #
 # Custom HTTP modules
 #

lib/msf/core/exploit/smb/client/pipeaudit.rb

@@ -8,14 +8,13 @@ module Exploit::Remote::SMB::Client::PipeAudit
 	register_options(
       [
         OptPath.new('NAMED_PIPES_FILE', [ true, "List of known named pipes",
-          File.join(Msf::Config.data_directory, "wordlists", "namedpipes.txt")]),
+          File.join(Msf::Config.data_directory, "wordlists", "named_pipes.txt")]),
       ])
   end
 
   def connect_to_pipe()
     accessible_pipes||=[]
-    a_pipe_handles||=[]
-    target_pipes = []
+    pipe_handles||=[]
 	pipe_file = datastore['NAMED_PIPES_FILE']
 	if (!pipe_file)
        print_error("File with named pipes is needed")
@@ -27,15 +26,14 @@ module Exploit::Remote::SMB::Client::PipeAudit
 		 vprint_status("Using pipe #{pipe_name}")
          pipe_handle = self.simple.create_pipe(pipe_name, 'o')
          print_good("Accessible pipe found: #{pipe_name}")
-	     pipe_found = 1
-	     ret_pipe = pipe_name
+		 pipe_found = true
 	     accessible_pipes << pipe_name
+		 pipe_handles << pipe_handle
        rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
-	   vprint_status("Inaccessible named pipe #{pipe_name} - #{e.message}")
+         vprint_status("Inaccessible named pipe #{pipe_name} - #{e.message}")
        end
-       if pipe_found == 1
-	       vprint_status("Returning #{ret_pipe} with handle #{pipe_handle.to_s}to exploit")
-	       return ret_pipe, pipe_handle
+       if (pipe_found)
+	       return accessible_pipes, pipe_handles
        end
     end
   end

lib/msf/core/exploit/smb/client/psexec_ms17_010.rb

@@ -335,8 +335,8 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
 
   def find_accessible_named_pipe()
     pipe_name, pipe_handle = connect_to_pipe()
-    @ctx['pipe_name'] = pipe_name
-    return pipe_handle
+    @ctx['pipe_name'] = pipe_name[0]
+    return pipe_handle[0]
 
   end
 

modules/auxiliary/scanner/smb/smb_ms17_010.rb

@@ -5,6 +5,7 @@
 
 class MetasploitModule < Msf::Auxiliary
   include Msf::Exploit::Remote::DCERPC
+  include Msf::Exploit::Remote::SMB::Client::PipeAudit
   include Msf::Exploit::Remote::SMB::Client
   include Msf::Exploit::Remote::SMB::Client::Authenticated
 
@@ -90,42 +91,8 @@ class MetasploitModule < Msf::Auxiliary
         end
 
         print_good("Host is likely VULNERABLE to MS17-010! - #{os}")
-        # Detect accessible named pipes
-        vprint_status("Checking for accessible named pipes")
-        target_pipes = [
-                'netlogon',
-                'lsarpc',
-                'samr',
-                'browser',
-                'atsvc',
-                'DAV RPC SERVICE',
-                'epmapper',
-                'eventlog',
-                'InitShutdown',
-                'keysvc',
-                'lsass',
-                'LSM_API_service',
-                'ntsvcs',
-                'plugplay',
-                'protected_storage',
-                'router',
-                'SapiServerPipeS-1-5-5-0-70123',
-                'scerpc',
-                'srvsvc',
-                'tapsrv',
-                'trkwks',
-                'W32TIME_ALT',
-                'wkssvc',
-                'PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER',
-                'db2remotecmd'
-        ]
-        accessible_pipes||=[]
-        target_pipes.each do |pipe|
-          pipe_name = "#{pipe}"
-          pipe_handle = self.simple.create_pipe(pipe_name, 'o')
-          accessible_pipes << pipe
-        end
-        p_pipes = ""
+        accessible_pipes , pipe_handlers = connect_to_pipe()
+		p_pipes = ""
         if accessible_pipes.count != 0
              accessible_pipes.each do |a_pipe|
                 p_pipes += ", #{a_pipe}"