Land #10217, keep bind_named_pipe with SMBv1

lib/msf/core/handler/bind_named_pipe.rb

@@ -194,7 +194,8 @@ class SimpleClientPipe < Rex::Proto::SMB::SimpleClient
   def create_pipe(path)
     pkt = self.client.create_pipe(path, Rex::Proto::SMB::Constants::CREATE_ACCESS_EXIST)
     file_id = pkt['Payload'].v['FileID']
-    self.pipe = OpenPipeSock.new(self.client, path, self.client.last_tree_id, file_id, simple: self,
+    versions = [1]              # requires rex so SMB1 only
+    self.pipe = OpenPipeSock.new(self.client, path, self.client.last_tree_id, file_id, versions, simple: self,
                                  server_max_buffer_size: self.server_max_buffer_size)
   end
 end
@@ -329,14 +330,19 @@ module Msf
           while (stime + ctimeout > Time.now.to_i)
             begin
               pipe = simple.create_pipe("\\"+pipe_name)
-            rescue
+            rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
+              error_name = e.get_error(e.error_code)
+              unless ['STATUS_OBJECT_NAME_NOT_FOUND', 'STATUS_PIPE_NOT_AVAILABLE'].include? error_name
+                print_error("Error connecting to #{pipe_name}: #{error_name}")
+                return
+              end
               Rex::ThreadSafe.sleep(1.0)
             end
             break if pipe
           end
 
           if not pipe
-            print_error("Failed to connect to pipe #{smbshare}")
+            print_error("Failed to connect to pipe \\#{pipe_name} on #{rhost}")
             return
           end
 

lib/msf/core/payload/windows/bind_named_pipe.rb

@@ -286,11 +286,11 @@ module Payload::Windows::BindNamedPipe
 
       ; something failed so free up memory
         pop ecx
-        push 0x4000             ; MEM_DECOMMIT
+        push 0x8000             ; MEM_RELEASE
         push 0                  ; dwSize, 0 to decommit whole block
         push ecx                ; lpAddress
         push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualFree')}
-        call ebp                ; VirtualFree(payload, 0, MEM_DECOMMIT)
+        call ebp                ; VirtualFree(payload, 0, MEM_RELEASE)
 
       cleanup_file:
       ; cleanup the pipe handle

lib/msf/core/payload/windows/x64/bind_named_pipe.rb

@@ -296,12 +296,12 @@ module Payload::Windows::BindNamedPipe_x64
       ; something failed so free up memory
         push r15
         pop rcx                 ; lpAddress
-        push 0x4000             ; MEM_DECOMMIT
+        push 0x8000             ; MEM_RELEASE
         pop r8                  ; dwFreeType
         push 0                  ; 0 to decommit whole block
         pop rdx                 ; dwSize
         mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualFree')}
-        call rbp                ; VirtualFree(payload, 0, MEM_DECOMMIT)
+        call rbp                ; VirtualFree(payload, 0, MEM_RELEASE)
 
       cleanup_file:
       ; clean up the pipe handle