
Support more named pipes? #10

Closed
moshekaplan opened this issue Feb 6, 2019 · 5 comments
moshekaplan commented Feb 6, 2019

Metasploit uses the following list of named pipes:

netlogon
lsarpc
samr
browser
atsvc
DAV RPC SERVICE
epmapper
eventlog
InitShutdown
keysvc
lsass
LSM_API_service
ntsvcs
plugplay
protected_storage
router
SapiServerPipeS-1-5-5-0-70123
scerpc
srvsvc
tapsrv
trkwks
W32TIME_ALT
wkssvc
PIPE_EVENTROOT\CIMV2SCM EVENT PROVIDER
db2remotecmd

Would it make sense to add support for all of these named pipes?

The reason I ask is that I received the following output when running eternalblue_checker.py:

Target OS: Windows 7 Professional 7601 Service Pack 1
The target is not patched

=== Testing named pipes ===
spoolss: STATUS_ACCESS_DENIED
samr: STATUS_ACCESS_DENIED
netlogon: STATUS_ACCESS_DENIED
lsarpc: STATUS_ACCESS_DENIED
browser: STATUS_ACCESS_DENIED

3ndG4me (Owner) commented Feb 8, 2019

Yeah definitely. Should be fairly simple to convert those over to this checker script. Good idea. If you're interested in taking this on go for it! I'd be happy to pull it in. If not I will be sure to get on top of this ASAP.

moshekaplan (Author) commented

Better if you do it. I don't foresee having the time.

deus-ex-silicium (Contributor) commented Sep 2, 2019

Eternalblue does not need a named pipe, only access to IPC$; it's the other eternals that need a named pipe to work. I can make a merge request with an updated mysmb.py with more pipe support and an improved zzz_exploit.py that does not use eternalblue but the other eternal vulnerabilities for getting a semi-interactive shell. @3ndG4me, how does that sound?
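The two points above (the checker output listing every pipe as STATUS_ACCESS_DENIED, and the distinction between needing only IPC$ and needing an openable pipe) are easiest to see in code. The following is an added example, not the checker's own mysmb.py or eternalblue_checker.py: it probes the Metasploit pipe list through a pluggable "open this pipe" callback, records the NT status each open returns, and classifies the results so you can tell at a glance whether any pipe is usable for the non-EternalBlue exploits. The `constructed_opener` and `CONSTRUCTED_RESULTS` are made-up data that reproduce the output quoted in the issue; `impacket_opener` is an assumed impacket-based implementation (SMB1 dialect forced, as MS17-010 requires) and is only used when a host is given on the command line.

```python
"""Probe IPC$ named pipes as an MS17-010 checker does, then classify the NT status of each open."""
import sys
from typing import Callable, Dict, List

# Pipe list from the issue (Metasploit's list) plus spoolss, which the quoted checker output tries first.
PIPES: List[str] = [
    "spoolss", "netlogon", "lsarpc", "samr", "browser", "atsvc", "DAV RPC SERVICE",
    "epmapper", "eventlog", "InitShutdown", "keysvc", "lsass", "LSM_API_service",
    "ntsvcs", "plugplay", "protected_storage", "router", "SapiServerPipeS-1-5-5-0-70123",
    "scerpc", "srvsvc", "tapsrv", "trkwks", "W32TIME_ALT", "wkssvc",
    "PIPE_EVENTROOT\\CIMV2SCM EVENT PROVIDER", "db2remotecmd",
]

# NT status values (ntstatus.h) that an NT_CREATE_ANDX on a pipe commonly returns.
STATUS_SUCCESS = 0x00000000
STATUS_ACCESS_DENIED = 0xC0000022
STATUS_OBJECT_NAME_NOT_FOUND = 0xC0000034
STATUS_NAMES = {
    STATUS_SUCCESS: "STATUS_SUCCESS",
    STATUS_ACCESS_DENIED: "STATUS_ACCESS_DENIED",
    STATUS_OBJECT_NAME_NOT_FOUND: "STATUS_OBJECT_NAME_NOT_FOUND",
}


def classify(status: int) -> str:
    """Map an NT status to what it means for exploitation: only 'usable' pipes help the non-EternalBlue paths."""
    if status == STATUS_SUCCESS:
        return "usable"
    if status == STATUS_ACCESS_DENIED:
        return "denied"  # pipe exists, but this session (e.g. a null session) may not open it
    if status == STATUS_OBJECT_NAME_NOT_FOUND:
        return "absent"  # no such pipe on this host
    return "other"


def probe_pipes(open_pipe: Callable[[str], int], pipes: List[str] = PIPES) -> Dict[str, int]:
    """Try every pipe through open_pipe (which returns an NT status) and keep the status per pipe."""
    return {name: open_pipe(name) for name in pipes}


def summarize(results: Dict[str, int]) -> Dict[str, List[str]]:
    """Group pipe names by classification, preserving probe order."""
    groups: Dict[str, List[str]] = {"usable": [], "denied": [], "absent": [], "other": []}
    for name, status in results.items():
        groups[classify(status)].append(name)
    return groups


def format_report(results: Dict[str, int]) -> List[str]:
    """Render lines in the same 'pipe: STATUS' shape as the checker output quoted in the issue."""
    return [f"{name}: {STATUS_NAMES.get(status, hex(status))}" for name, status in results.items()]


# Constructed data (not a real capture): the five denials quoted in the issue plus one open pipe.
CONSTRUCTED_RESULTS = {
    "spoolss": STATUS_ACCESS_DENIED, "samr": STATUS_ACCESS_DENIED, "netlogon": STATUS_ACCESS_DENIED,
    "lsarpc": STATUS_ACCESS_DENIED, "browser": STATUS_ACCESS_DENIED, "srvsvc": STATUS_SUCCESS,
}


def constructed_opener(name: str) -> int:
    """Offline stand-in for a real probe; unknown pipes are reported as absent."""
    return CONSTRUCTED_RESULTS.get(name, STATUS_OBJECT_NAME_NOT_FOUND)


def impacket_opener(host: str, user: str = "", password: str = "") -> Callable[[str], int]:
    """ASSUMED implementation on top of impacket (not the checker's mysmb.py): connect to IPC$ over SMB1
    and return a callable that opens one pipe and yields the NT status. Reaching IPC$ at all is what
    EternalBlue itself needs; an openable pipe is what the other 'eternal' exploits need."""
    from impacket.smb import SMB_DIALECT
    from impacket.smbconnection import SessionError, SMBConnection

    conn = SMBConnection(host, host, sess_port=445, preferredDialect=SMB_DIALECT)
    conn.login(user, password)  # empty credentials = null session
    tid = conn.connectTree("IPC$")

    def open_pipe(name: str) -> int:
        try:
            fid = conn.openFile(tid, "\\" + name)
            conn.closeFile(tid, fid)
            return STATUS_SUCCESS
        except SessionError as err:
            return err.getErrorCode()

    return open_pipe


if __name__ == "__main__":
    # With no host argument the constructed data is used, so the script runs offline.
    opener = impacket_opener(sys.argv[1]) if len(sys.argv) > 1 else constructed_opener
    found = probe_pipes(opener)
    print("\n".join(format_report(found)))
    print("usable:", summarize(found)["usable"] or "none (only EternalBlue's IPC$-only path is left)")
```

Run it against a target as `python3 probe_pipes.py <host>` (impacket installed) or with no argument to see the constructed results; the check that matters is whether the "usable" list is empty, because an all-denied result like the one in the issue means the pipe-based exploits have nothing to work with even though the host is unpatched.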

3ndG4me (Owner) commented Sep 4, 2019

@deus-ex-silicium you are absolutely correct. I was interested in this originally just from the scanner perspective, but this repo is so commonly used I think it's time we made some Proof-of-Concept improvements.

So, in short, that all sounds great to me!

I would also suggest pulling in PoCs for the other eternal exploits if you'd like. I was planning on doing that anyway as the original source (https://github.com/worawit/MS17-010) contains all the PoC exploits, but I was wanting to vet and test them first like I have with Eternal Blue (albeit zzz_exploit.py is basically all that's needed, the rest are just PoCs for controlling RIP).

Either way bringing in the named pipe support and the zzz_exploit.py to use them is a good start (and a good motivator for me to add the rest in if relevant enough).

3ndG4me (Owner) commented Sep 8, 2019

Merged in the PR. Looks good, everything I tested worked out 👍

3ndG4me closed this as completed Sep 8, 2019