Land #10217, keep bind_named_pipe with SMBv1

2018-07-02 14:54:00 -05:00 · 2018-07-02 14:54:00 -05:00 · 0543dfc95c
parent 0606f65d90 bbf26c66f6
commit 0543dfc95c
3 changed files with 13 additions and 7 deletions
--- a/lib/msf/core/handler/bind_named_pipe.rb
+++ b/lib/msf/core/handler/bind_named_pipe.rb
@ -194,7 +194,8 @@ class SimpleClientPipe < Rex::Proto::SMB::SimpleClient
  def create_pipe(path)
    pkt = self.client.create_pipe(path, Rex::Proto::SMB::Constants::CREATE_ACCESS_EXIST)
    file_id = pkt['Payload'].v['FileID']
-    self.pipe = OpenPipeSock.new(self.client, path, self.client.last_tree_id, file_id, simple: self,
+    versions = [1]              # requires rex so SMB1 only
+    self.pipe = OpenPipeSock.new(self.client, path, self.client.last_tree_id, file_id, versions, simple: self,
                                 server_max_buffer_size: self.server_max_buffer_size)
  end
 end
@ -329,14 +330,19 @@ module Msf
          while (stime + ctimeout > Time.now.to_i)
            begin
              pipe = simple.create_pipe("\\"+pipe_name)
-            rescue
+            rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
+              error_name = e.get_error(e.error_code)
+              unless ['STATUS_OBJECT_NAME_NOT_FOUND', 'STATUS_PIPE_NOT_AVAILABLE'].include? error_name
+                print_error("Error connecting to #{pipe_name}: #{error_name}")
+                return
+              end
              Rex::ThreadSafe.sleep(1.0)
            end
            break if pipe
          end

          if not pipe
-            print_error("Failed to connect to pipe #{smbshare}")
+            print_error("Failed to connect to pipe \\#{pipe_name} on #{rhost}")
            return
          end

--- a/lib/msf/core/payload/windows/bind_named_pipe.rb
+++ b/lib/msf/core/payload/windows/bind_named_pipe.rb
@ -286,11 +286,11 @@ module Payload::Windows::BindNamedPipe

      ; something failed so free up memory
        pop ecx
-        push 0x4000             ; MEM_DECOMMIT
+        push 0x8000             ; MEM_RELEASE
        push 0                  ; dwSize, 0 to decommit whole block
        push ecx                ; lpAddress
        push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualFree')}
-        call ebp                ; VirtualFree(payload, 0, MEM_DECOMMIT)
+        call ebp                ; VirtualFree(payload, 0, MEM_RELEASE)

      cleanup_file:
      ; cleanup the pipe handle
--- a/lib/msf/core/payload/windows/x64/bind_named_pipe.rb
+++ b/lib/msf/core/payload/windows/x64/bind_named_pipe.rb
@ -296,12 +296,12 @@ module Payload::Windows::BindNamedPipe_x64
      ; something failed so free up memory
        push r15
        pop rcx                 ; lpAddress
-        push 0x4000             ; MEM_DECOMMIT
+        push 0x8000             ; MEM_RELEASE
        pop r8                  ; dwFreeType
        push 0                  ; 0 to decommit whole block
        pop rdx                 ; dwSize
        mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualFree')}
-        call rbp                ; VirtualFree(payload, 0, MEM_DECOMMIT)
+        call rbp                ; VirtualFree(payload, 0, MEM_RELEASE)

      cleanup_file:
      ; clean up the pipe handle