sempervictus
diff --git a/‎Gemfile.lock
Lines changed: 2 additions & 2 deletions b/‎Gemfile.lock
Lines changed: 2 additions & 2 deletions
diff --git a/‎lib/msf/core/handler/bind_named_pipe.rb
Lines changed: 358 additions & 0 deletions b/‎lib/msf/core/handler/bind_named_pipe.rb
Lines changed: 358 additions & 0 deletions
diff --git a/‎lib/msf/core/payload/transport_config.rb
Lines changed: 11 additions & 0 deletions b/‎lib/msf/core/payload/transport_config.rb
Lines changed: 11 additions & 0 deletions
@@ -18,7 +18,7 @@ PATH
       metasploit-concern
       metasploit-credential
       metasploit-model
-      metasploit-payloads (= 1.3.28)
+      metasploit-payloads (= 1.3.29)
       metasploit_data_models
       metasploit_payloads-mettle (= 0.3.7)
       mqtt
@@ -179,7 +179,7 @@ GEM
       activemodel (~> 4.2.6)
       activesupport (~> 4.2.6)
       railties (~> 4.2.6)
-    metasploit-payloads (1.3.28)
+    metasploit-payloads (1.3.29)
     metasploit_data_models (2.0.16)
       activerecord (~> 4.2.6)
       activesupport (~> 4.2.6)
 
@@ -0,0 +1,358 @@
+# -*- coding: binary -*-
+require 'thread'
+require 'msf/core/post_mixin'
+require 'rex/proto/smb/simpleclient'
+
+#
+# KNOWN ISSUES
+#
+# 1) Interactive channels (ie shell) do not work well/at all. Neither do pivots. Issue
+#    seems to be multiple threads writing to the pipe or some writes not being synchronized
+#    and bypassing the OpenPipeSock methods.
+# 2) A peek named pipe operation is carried out before every read to prevent blocking. This
+#    generates extra traffic.
+#
+
+#
+# Socket interface for named pipes. Because of the way named pipes work, reads and writes
+# each require both a sock.send (read/write request) and a sock.recv (read/write response).
+# So, pipe.read and pipe.write need to be synchronized so the responses arent mixed up.
+#
+# The packet dispatcher calls select on the socket to check for packets to read. This is
+# an issue when there are multiple writes since it will cause select to return which
+# triggers a read, but there is nothing to read since the pipe will already have read
+# the response. This read will then hold the mutex while the socket read waits to timeout.
+#
+class OpenPipeSock < Rex::Proto::SMB::SimpleClient::OpenPipe
+  attr_accessor :mutex, :chunk_size, :last_comm, :write_queue, :write_thread, :read_buff
+
+  def initialize(*args)
+    super(*args)
+    self.client = args[0]
+    self.mutex = Mutex.new      # synchronize read/writes
+    self.last_comm = Time.now   # last successfull read/write
+    self.write_queue = Queue.new # queue message to send
+    self.write_thread = Thread.new { dispatcher }
+    self.read_buff = ''
+  end
+
+  # Check if there are any bytes to read and return number available.
+  # Access must be synchronized.
+  def peek_named_pipe
+    # 0x23 is the PeekNamedPipe operation. Last 16 bits is our pipes file id (FID).
+    setup = [0x23, self.file_id].pack('vv')
+    # Must ignore errors since we expect STATUS_BUFFER_OVERFLOW
+    pkt = self.client.trans_maxzero('\\PIPE\\', '', '', 2, setup, false, true, true)
+    avail = 0
+    begin
+      avail = pkt.to_s[pkt['Payload'].v['ParamOffset']+4, 2].unpack('v')[0]
+    rescue
+    end
+    avail
+  end
+
+  # Runs as a thread and synchronizes writes. Allows write operations to return
+  # immediately instead of waiting for the mutex.
+  def dispatcher
+    while true
+      data = self.write_queue.pop
+      self.mutex.synchronize do
+        sent = 0
+        while sent < data.length
+          count = [self.chunk_size, data.length-sent].min
+          buf = data[sent, count]
+          Rex::Proto::SMB::SimpleClient::OpenPipe.instance_method(:write).bind(self).call(buf)
+          self.last_comm = Time.now
+          sent += count
+        end
+      end
+    end
+  end
+
+  # Intercepts the socket.close from the session manager when the session dies.
+  # Cleanly terminates the SMB session and closes the socket.
+  def close
+    # Give the meterpreter shutdown command a chance
+    self.write_queue.close
+    while self.write_queue.size > 0
+      sleep(0.1)
+    end
+    self.write_thread.kill
+
+    begin
+      # close pipe
+      super
+    rescue => e
+    end
+    self.client.socket.close
+  end
+
+  def read(count)
+    data = ''
+    begin
+      self.mutex.synchronize do
+        avail = peek_named_pipe 
+        if avail > 0
+          while count > 0
+            buff = super([count, self.chunk_size].min)
+            self.last_comm = Time.now
+            count -= buff.length
+            data += buff
+          end
+        end
+      end
+    rescue
+    end
+
+    if data.length == 0
+      # avoid full throttle polling
+      Rex::ThreadSafe.sleep(0.1)
+    end
+    return data
+  end
+
+  def put (data)
+    write(data)
+  end
+
+  def write (data)
+    self.write_queue.push(data)
+    data.length
+  end
+
+  #
+  # The session manager expects a socket object so we must implement
+  # fd, localinfo, and peerinfo. fd is passed to select while localinfo
+  # and peerinfo are used to report the addresses and ports of the
+  # connection.
+  #
+  def fd
+    self.client.socket.fd
+  end
+
+  def localinfo
+    self.client.socket.localinfo
+  end
+
+  def peerinfo
+    self.client.socket.peerinfo
+  end
+
+end
+
+#
+# SimpleClient for named pipe comms. Uses OpenPipe wrapper to provide
+# a socket interface required by the packet dispatcher.
+#
+class SimpleClientPipe < Rex::Proto::SMB::SimpleClient
+  attr_accessor :pipe
+
+  def initialize(*args)
+    super(*args)
+    self.pipe = nil
+  end
+
+  # Copy of SimpleClient.create_pipe except OpenPipeSock is used instead of OpenPipe.
+  # This is because we need to implement our own read/write.
+  def create_pipe(path)
+    pkt = self.client.create_pipe(path, Rex::Proto::SMB::Constants::CREATE_ACCESS_EXIST)
+    file_id = pkt['Payload'].v['FileID']
+    self.pipe = OpenPipeSock.new(self.client, path, self.client.last_tree_id, file_id)
+  end
+end
+
+module Msf
+  module Handler
+    module BindNamedPipe
+
+      include Msf::Handler
+
+      #
+      # Returns the string representation of the handler type, in this case
+      # 'reverse_named_pipe'.
+      #
+      def self.handler_type
+        "bind_named_pipe"
+      end
+
+      #
+      # Returns the connection-described general handler type, in this case
+      # 'reverse'.
+      #
+      def self.general_handler_type
+        "bind"
+      end
+
+      #
+      # Initializes the reverse handler and ads the options that are required
+      # for reverse named pipe payloads.
+      #
+      def initialize(info={})
+        super
+
+        register_options(
+          [
+            OptString.new('PIPENAME', [true, 'Name of the pipe to connect to', 'msf-pipe']),
+            OptString.new('RHOST', [false, 'Host of the pipe to connect to', '']),
+            OptPort.new('LPORT', [true, 'SMB port', 445]),
+            OptString.new('SMBUser', [false, 'The username to authenticate as', '']),
+            OptString.new('SMBPass', [false, 'The password for the specified username', '']),
+            OptString.new('SMBDomain', [false, 'The Windows domain to use for authentication', '.']),
+          ], Msf::Handler::BindNamedPipe)
+        register_advanced_options(
+          [
+            OptString.new('SMBDirect', [true, 'The target port is a raw SMB service (not NetBIOS)', true]),
+            OptInt.new('CHUNKSIZE', [false, 'Max pipe read/write size per request', 4096]) # > 4096 is unreliable
+          ], Msf::Handler::BindNamedPipe)
+
+        self.conn_threads = []
+        self.listener_threads = []
+      end
+
+      # A string suitable for displaying to the user
+      #
+      # @return [String]
+      def human_name
+        "bind named pipe"
+      end
+
+      #
+      # Starts monitoring for an inbound connection.
+      #
+      def start_handler
+        # Maximum number of seconds to run the handler
+        ctimeout = 150
+
+        if (exploit_config and exploit_config['active_timeout'])
+          ctimeout = exploit_config['active_timeout'].to_i
+        end
+
+        # Take a copy of the datastore options
+        rhost = datastore['RHOST']
+        lport = datastore['LPORT'].to_i
+        pipe_name = datastore['PIPENAME']
+        smbuser = datastore['SMBUser']
+        smbpass = datastore['SMBPass']
+        smbdomain = datastore['SMBDomain']
+        smbdirect = datastore['SMBDirect']
+        smbshare = "\\\\#{rhost}\\IPC$"
+        chunk_size = datastore['CHUNKSIZE']
+
+        # Ignore this if one of the required options is missing
+        return if not rhost
+        return if not lport
+
+        # Start a new handling thread
+        self.listener_threads << framework.threads.spawn("BindNamedPipeHandlerListener-#{pipe_name}", false) {
+          sock = nil
+          print_status("Started bind pipe handler")
+
+          # First, create a socket and connect to the SMB service
+          vprint_status("Connecting to #{rhost}:#{lport}")
+          begin
+            sock = Rex::Socket::Tcp.create(
+              'PeerHost' => rhost,
+              'PeerPort' => lport.to_i,
+              'Proxies'  => datastore['Proxies'],
+              'Context'  =>
+              {
+                'Msf'        => framework,
+                'MsfPayload' => self,
+                'MsfExploit' => assoc_exploit
+              })
+          rescue Rex::ConnectionRefused
+          rescue ::Exception
+            wlog("Exception caught in bind handler: #{$!.class} #{$!}")
+          end
+
+          if not sock
+            print_error("Failed to connect socket #{rhost}:#{lport}")
+            return
+          end
+
+          # Perform SMB logon
+          simple = SimpleClientPipe.new(sock, smbdirect)
+
+          begin
+            simple.login('*SMBSERVER', smbuser, smbpass, smbdomain)
+            vprint_status("SMB login Success #{smbdomain}\\#{smbuser}:#{smbpass} #{rhost}:#{lport}")
+          rescue
+            print_error("SMB login Failure #{smbdomain}\\#{smbuser}:#{smbpass} #{rhost}:#{lport}")
+            return
+          end
+
+          # Connect to the IPC$ share so we can use named pipes.
+          simple.connect(smbshare)
+          vprint_status("Connected to #{smbshare}")
+
+          # Make several attempts to connect to the stagers named pipe. Authenticating and
+          # connecting to IPC$ should be possible pre stager so we only retry this operation.
+          # The stager creates the pipe with a default ACL which provides r/w to the creator
+          # and administrators.
+          stime = Time.now.to_i
+          while (stime + ctimeout > Time.now.to_i)
+            begin
+              pipe = simple.create_pipe("\\"+pipe_name)
+            rescue
+              Rex::ThreadSafe.sleep(1.0)
+            end
+            break if pipe
+          end
+
+          if not pipe
+            print_error("Failed to connect to pipe #{smbshare}")
+            return
+          end
+          
+          pipe.chunk_size = chunk_size
+          vprint_status("Opened pipe \\#{pipe_name}")
+
+          # Increment the has connection counter
+          self.pending_connections += 1
+
+          # Timeout and datastore options need to be passed through to the client
+          opts = {
+            :datastore    => datastore,
+            :expiration   => datastore['SessionExpirationTimeout'].to_i,
+            :comm_timeout => datastore['SessionCommunicationTimeout'].to_i,
+            :retry_total  => datastore['SessionRetryTotal'].to_i,
+            :retry_wait   => datastore['SessionRetryWait'].to_i
+          }
+
+          conn_threads << framework.threads.spawn("BindNamedPipeHandlerSession", false, simple) { |simple_copy|
+            begin
+              session = handle_connection(simple_copy.pipe, opts)
+            rescue => e
+              elog("Exception raised from BindNamedPipe.handle_connection: #{$!}")
+            end
+          }
+        }
+      end
+
+      #
+      # Stop
+      #
+      def stop_handler
+        self.listener_threads.each do |t|
+          t.kill
+        end
+        self.listener_threads = []
+      end
+
+      #
+      # Cleanup
+      #
+      def cleanup_handler
+        self.conn_threads.each { |t|
+          t.kill
+        }
+      end
+
+      protected
+
+      attr_accessor :conn_threads
+      attr_accessor :listener_threads
+
+    end
+  end
+end
@@ -104,6 +104,17 @@ def transport_config_reverse_named_pipe(opts={})
     }.merge(timeout_config(opts))
   end
 
+  def transport_config_bind_named_pipe(opts={})
+    ds = opts[:datastore] || datastore
+    {
+      scheme:     'pipe',
+      lhost:      '.',
+      uri:        "/#{ds['PIPENAME']}",
+    }.merge(timeout_config(opts))
+    
+  end
+
+
 private
 
   def get_custom_headers(ds)