From 6e9a4916f53711d74f59fb931ce6d9f0679244f6 Mon Sep 17 00:00:00 2001
From: Auxilus
Date: Tue, 13 Mar 2018 00:23:18 +0530
Subject: [PATCH] scanner update
---
 .../{namedpipes.txt => named_pipes.txt} | 0
 lib/msf/core/auxiliary/mixins.rb | 1 +
 lib/msf/core/exploit/smb/client/pipeaudit.rb | 16 ++++----
 .../exploit/smb/client/psexec_ms17_010.rb | 4 +-
 modules/auxiliary/scanner/smb/smb_ms17_010.rb | 39 ++-----------------
 5 files changed, 13 insertions(+), 47 deletions(-)
 rename data/wordlists/{namedpipes.txt => named_pipes.txt} (100%)
diff --git a/data/wordlists/namedpipes.txt b/data/wordlists/named_pipes.txt
similarity index 100%
rename from data/wordlists/namedpipes.txt
rename to data/wordlists/named_pipes.txt
diff --git a/lib/msf/core/auxiliary/mixins.rb b/lib/msf/core/auxiliary/mixins.rb
index 573784ae6f..a74c79fc18 100644
--- a/lib/msf/core/auxiliary/mixins.rb
+++ b/lib/msf/core/auxiliary/mixins.rb
@@ -32,6 +32,7 @@ require 'msf/core/auxiliary/pii'
 require 'msf/core/auxiliary/redis'
 require 'msf/core/auxiliary/sms'
 require 'msf/core/auxiliary/mms'
+
 #
 # Custom HTTP modules
 #
diff --git a/lib/msf/core/exploit/smb/client/pipeaudit.rb b/lib/msf/core/exploit/smb/client/pipeaudit.rb
index 1567070122..40d751322b 100644
--- a/lib/msf/core/exploit/smb/client/pipeaudit.rb
+++ b/lib/msf/core/exploit/smb/client/pipeaudit.rb
@@ -8,14 +8,13 @@ module Exploit::Remote::SMB::Client::PipeAudit
 register_options(
 [
 OptPath.new('NAMED_PIPES_FILE', [ true, "List of known named pipes",
- File.join(Msf::Config.data_directory, "wordlists", "namedpipes.txt")]),
+ File.join(Msf::Config.data_directory, "wordlists", "named_pipes.txt")]),
 ])
 end
 def connect_to_pipe()
 accessible_pipes||=[]
- a_pipe_handles||=[]
- target_pipes = []
+ pipe_handles||=[]
 pipe_file = datastore['NAMED_PIPES_FILE']
 if (!pipe_file)
 print_error("File with named pipes is needed")
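Review bot: `pipe_handles||=[]` in connect_to_pipe applies `||=` to a local that is being introduced on that very line, so the right-hand side is always taken and the operator only hints at a reassignment that cannot happen; `pipe_handles = []` states the intent (the untouched `accessible_pipes||=[]` directly above has the same shape). The new collection also deserves a word on ownership, since the handles appended to it are returned to callers and nothing in this patch closes them: `# open SMB pipe handles, handed back to the caller together with accessible_pipes`. connect_to_pipe's body continues past the end of the hunk.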
@@ -27,15 +26,14 @@ module Exploit::Remote::SMB::Client::PipeAudit
 vprint_status("Using pipe #{pipe_name}")
 pipe_handle = self.simple.create_pipe(pipe_name, 'o')
 print_good("Accessible pipe found: #{pipe_name}")
- pipe_found = 1
- ret_pipe = pipe_name
+ pipe_found = true
 accessible_pipes << pipe_name
+ pipe_handles << pipe_handle
 rescue Rex::Proto::SMB::Exceptions::ErrorCode => e
- vprint_status("Inaccessible named pipe #{pipe_name} - #{e.message}")
+ vprint_status("Inaccessible named pipe #{pipe_name} - #{e.message}")
 end
- if pipe_found == 1
- vprint_status("Returning #{ret_pipe} with handle #{pipe_handle.to_s}to exploit")
- return ret_pipe, pipe_handle
+ if (pipe_found)
+ return accessible_pipes, pipe_handles
 end
 end
 end
diff --git a/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb b/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb
index f5b61b77e4..87c00aec38 100644
--- a/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb
+++ b/lib/msf/core/exploit/smb/client/psexec_ms17_010.rb
@@ -335,8 +335,8 @@ module Exploit::Remote::SMB::Client::Psexec_MS17_010
 def find_accessible_named_pipe()
 pipe_name, pipe_handle = connect_to_pipe()
- @ctx['pipe_name'] = pipe_name
- return pipe_handle
+ @ctx['pipe_name'] = pipe_name[0]
+ return pipe_handle[0]
 end
diff --git a/modules/auxiliary/scanner/smb/smb_ms17_010.rb b/modules/auxiliary/scanner/smb/smb_ms17_010.rb
index eb416fb0c1..f8f9bd0b50 100644
--- a/modules/auxiliary/scanner/smb/smb_ms17_010.rb
+++ b/modules/auxiliary/scanner/smb/smb_ms17_010.rb
@@ -5,6 +5,7 @@ class MetasploitModule < Msf::Auxiliary
 include Msf::Exploit::Remote::DCERPC
+ include Msf::Exploit::Remote::SMB::Client::PipeAudit
 include Msf::Exploit::Remote::SMB::Client
 include Msf::Exploit::Remote::SMB::Client::Authenticated
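Review bot: `return accessible_pipes, pipe_handles` is the only return in connect_to_pipe and is reached only when `pipe_found` is set, so on the no-accessible-pipe path the method falls off its last expression instead of yielding a fixed shape; `pipe_name, pipe_handle = connect_to_pipe()` in psexec_ms17_010.rb and `accessible_pipes , pipe_handlers = connect_to_pipe()` in smb_ms17_010.rb then destructure either nil or the enclosing iterator's value, and `pipe_name[0]` / `accessible_pipes.count` operate on the wrong object. If, as the three `end`s after the `if` suggest, the `if` sits inside the per-pipe iteration (its header is outside the hunk), the method also returns on the first pipe that opens, so the plural arrays never hold more than one element. Dropping the `pipe_found` flag and making `[accessible_pipes, pipe_handles]` the last expression after the loop's `end` gives both callers two arrays to test with `.empty?`. The loop's opening and connect_to_pipe's earlier lines are outside the hunk, so the nesting should be confirmed in the file.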
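Review bot: `pipe_name[0]` and `pipe_handle[0]` now index into the lists connect_to_pipe returns, but the locals keep the singular names from before the change, so the `[0]` reads like an accident rather than a choice of the first accessible pipe. `pipe_names, pipe_handles = connect_to_pipe()`, `@ctx['pipe_name'] = pipe_names.first` and `return pipe_handles.first` make the selection explicit. A comment such as `# only the first accessible pipe is used; the remaining handles are not stored in @ctx` would record the decision, since the other handles are dropped here.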
@@ -90,42 +91,8 @@ class MetasploitModule < Msf::Auxiliary
 end
 print_good("Host is likely VULNERABLE to MS17-010! - #{os}")
- # Detect accessible named pipes
- vprint_status("Checking for accessible named pipes")
- target_pipes = [
- 'netlogon',
- 'lsarpc',
- 'samr',
- 'browser',
- 'atsvc',
- 'DAV RPC SERVICE',
- 'epmapper',
- 'eventlog',
- 'InitShutdown',
- 'keysvc',
- 'lsass',
- 'LSM_API_service',
- 'ntsvcs',
- 'plugplay',
- 'protected_storage',
- 'router',
- 'SapiServerPipeS-1-5-5-0-70123',
- 'scerpc',
- 'srvsvc',
- 'tapsrv',
- 'trkwks',
- 'W32TIME_ALT',
- 'wkssvc',
- 'PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER',
- 'db2remotecmd'
- ]
- accessible_pipes||=[]
- target_pipes.each do |pipe|
- pipe_name = "#{pipe}"
- pipe_handle = self.simple.create_pipe(pipe_name, 'o')
- accessible_pipes << pipe
- end
- p_pipes = ""
+ accessible_pipes , pipe_handlers = connect_to_pipe()
+ p_pipes = ""
 if accessible_pipes.count != 0
 accessible_pipes.each do |a_pipe|
 p_pipes += ", #{a_pipe}"