Land rapid7#9573, fixes for bind_named_pipe

busterb · busterb · commit 310ab9c11d5c · 2018-02-18T20:47:20.000-06:00
diff --git a/lib/msf/core/handler/bind_named_pipe.rb b/lib/msf/core/handler/bind_named_pipe.rb
@@ -6,11 +6,9 @@
 #
 # KNOWN ISSUES
 #
-# 1) Interactive channels (ie shell) do not work well/at all. Neither do pivots. Issue
-#    seems to be multiple threads writing to the pipe or some writes not being synchronized
-#    and bypassing the OpenPipeSock methods.
-# 2) A peek named pipe operation is carried out before every read to prevent blocking. This
-#    generates extra traffic.
+# 1) A peek named pipe operation is carried out before every read to prevent blocking. This
+#    generates extra traffic. SMB echo requests are also generated to force the packet
+#    dispatcher to perform a read.
 #
 
 #
@@ -22,22 +20,27 @@
 # an issue when there are multiple writes since it will cause select to return which
 # triggers a read, but there is nothing to read since the pipe will already have read
 # the response. This read will then hold the mutex while the socket read waits to timeout.
+# A peek operation on the pipe fixes this.
 #
 class OpenPipeSock < Rex::Proto::SMB::SimpleClient::OpenPipe
-  attr_accessor :mutex, :chunk_size, :last_comm, :write_queue, :write_thread, :read_buff
+  attr_accessor :mutex, :last_comm, :write_queue, :write_thread, :read_buff, :echo_thread, :server_max_buffer_size
 
-  def initialize(*args)
+  STATUS_BUFFER_OVERFLOW = 0x80000005
+
+  def initialize(*args, server_max_buffer_size:)
     super(*args)
     self.client = args[0]
     self.mutex = Mutex.new      # synchronize read/writes
     self.last_comm = Time.now   # last successfull read/write
     self.write_queue = Queue.new # queue message to send
     self.write_thread = Thread.new { dispatcher }
+    self.echo_thread = Thread.new { force_read }
     self.read_buff = ''
+    self.server_max_buffer_size = server_max_buffer_size
+    self.chunk_size = server_max_buffer_size - 260
   end
 
-  # Check if there are any bytes to read and return number available.
-  # Access must be synchronized.
+  # Check if there are any bytes to read and return number available. Access must be synchronized.
   def peek_named_pipe
     # 0x23 is the PeekNamedPipe operation. Last 16 bits is our pipes file id (FID).
     setup = [0x23, self.file_id].pack('vv')
@@ -46,11 +49,34 @@ def peek_named_pipe
     avail = 0
     begin
       avail = pkt.to_s[pkt['Payload'].v['ParamOffset']+4, 2].unpack('v')[0]
+      self.last_comm = Time.now
     rescue
     end
+
+    if (avail == 0) and (pkt['Payload']['SMB'].v['ErrorClass'] == STATUS_BUFFER_OVERFLOW)
+      avail = self.client.default_max_buffer_size
+    end
+
     avail
   end
 
+  # Send echo request to force select() to return in the packet dispatcher and read from the socket.
+  # This allows "channel -i" and "shell" to work.
+  def force_read
+    wait = 0.5                  # smaller is faster but generates more traffic
+    while true
+      elapsed = Time.now - self.last_comm
+      if elapsed > wait
+        self.mutex.synchronize do
+          self.client.echo()
+          self.last_comm = Time.now
+        end
+      else
+        Rex::ThreadSafe.sleep(wait-elapsed)
+      end
+    end
+  end
+
   # Runs as a thread and synchronizes writes. Allows write operations to return
   # immediately instead of waiting for the mutex.
   def dispatcher
@@ -74,8 +100,8 @@ def dispatcher
   def close
     # Give the meterpreter shutdown command a chance
     self.write_queue.close
-    while self.write_queue.size > 0
-      sleep(0.1)
+    if self.write_queue.size > 0
+      sleep(1.0)
     end
     self.write_thread.kill
 
@@ -90,25 +116,32 @@ def close
   def read(count)
     data = ''
     begin
-      self.mutex.synchronize do
-        avail = peek_named_pipe 
-        if avail > 0
-          while count > 0
-            buff = super([count, self.chunk_size].min)
-            self.last_comm = Time.now
-            count -= buff.length
-            data += buff
+      if count > self.read_buff.length
+        # need more data to satisfy request
+        self.mutex.synchronize do
+          avail = peek_named_pipe 
+          if avail > 0
+            left = [count-self.read_buff.length, avail].max
+            while left > 0
+              buff = super([left, self.chunk_size].min)
+              self.last_comm = Time.now
+              left -= buff.length
+              self.read_buff += buff
+            end
           end
         end
       end
     rescue
     end
 
+    data = self.read_buff[0, [count, self.read_buff.length].min]
+    self.read_buff = self.read_buff[data.length..-1]
+
     if data.length == 0
       # avoid full throttle polling
-      Rex::ThreadSafe.sleep(0.1)
+      Rex::ThreadSafe.sleep(0.2)
     end
-    return data
+    data
   end
 
   def put (data)
@@ -157,7 +190,7 @@ def initialize(*args)
   def create_pipe(path)
     pkt = self.client.create_pipe(path, Rex::Proto::SMB::Constants::CREATE_ACCESS_EXIST)
     file_id = pkt['Payload'].v['FileID']
-    self.pipe = OpenPipeSock.new(self.client, path, self.client.last_tree_id, file_id)
+    self.pipe = OpenPipeSock.new(self.client, path, self.client.last_tree_id, file_id, server_max_buffer_size: self.server_max_buffer_size)
   end
 end
 
@@ -202,7 +235,6 @@ def initialize(info={})
         register_advanced_options(
           [
             OptString.new('SMBDirect', [true, 'The target port is a raw SMB service (not NetBIOS)', true]),
-            OptInt.new('CHUNKSIZE', [false, 'Max pipe read/write size per request', 4096]) # > 4096 is unreliable
           ], Msf::Handler::BindNamedPipe)
 
         self.conn_threads = []
@@ -236,7 +268,6 @@ def start_handler
         smbdomain = datastore['SMBDomain']
         smbdirect = datastore['SMBDirect']
         smbshare = "\\\\#{rhost}\\IPC$"
-        chunk_size = datastore['CHUNKSIZE']
 
         # Ignore this if one of the required options is missing
         return if not rhost
@@ -304,7 +335,6 @@ def start_handler
             return
           end
           
-          pipe.chunk_size = chunk_size
           vprint_status("Opened pipe \\#{pipe_name}")
 
           # Increment the has connection counter
diff --git a/lib/msf/core/payload/windows/x64/bind_named_pipe.rb b/lib/msf/core/payload/windows/x64/bind_named_pipe.rb
@@ -26,7 +26,11 @@ module Payload::Windows::BindNamedPipe_x64
   #
   def initialize(*args)
     super
-    register_advanced_options(Msf::Opt::stager_retry_options)
+    register_advanced_options(
+      [
+        OptInt.new('WAIT_TIMEOUT', [false, 'Seconds pipe will wait for a connection', 10])
+      ]
+    )
   end
 
   #
@@ -36,8 +40,7 @@ def generate
     conf = {
       name:        datastore['PIPENAME'],
       host:        datastore['PIPEHOST'],
-      retry_count: datastore['StagerRetryCount'],
-      retry_wait:  datastore['StagerRetryWait'],
+      timeout:     datastore['WAIT_TIMEOUT'],
       reliable:    false,
     }
 
@@ -136,14 +139,14 @@ def asm_send_uuid(uuid=nil)
   # @option opts [String]  :exitfunk The exit method to use if there is an error, one of process, thread, or seh
   # @option opts [Bool]    :reliable Whether or not to enable error handling code
   # @option opts [String]  :name Pipe name to create
-  # @option opts [Integer] :retry_count The number of times to retry a failed request before giving up
-  # @option opts [Integer] :retry_wait The seconds to wait before retry a new request
+  # @option opts [Int]     :timeout Seconds to wait for pipe connection
   #
   def asm_bind_named_pipe(opts={})
 
     reliable       = opts[:reliable]
-    retry_count    = [opts[:retry_count].to_i, 1].max
-    retry_wait     = [opts[:retry_wait].to_i, 1].max * 1000 # kernel32!Sleep takes millisecs
+    timeout        = opts[:timeout] * 1000 # convert to millisecs
+    retry_wait     = 500
+    retry_count    = timeout / retry_wait
     full_pipe_name = "\\\\\\\\.\\\\pipe\\\\#{opts[:name]}"  # double escape -> \\.\pipe\name
     chunk_size     = 0x10000    # pipe buffer size
     cleanup_funk   = reliable ? 'cleanup_file' : 'failure'
diff --git a/lib/rex/proto/smb/simpleclient.rb b/lib/rex/proto/smb/simpleclient.rb
@@ -23,7 +23,7 @@ class SimpleClient
 EVADE = Rex::Proto::SMB::Evasions
 
 # Public accessors
-attr_accessor :last_error
+attr_accessor :last_error, :server_max_buffer_size
 
 # Private accessors
 attr_accessor :socket, :client, :direct, :shares, :last_share
@@ -34,6 +34,7 @@ def initialize(socket, direct = false)
     self.direct = direct
     self.client = Rex::Proto::SMB::Client.new(socket)
     self.shares = { }
+    self.server_max_buffer_size = 1024 # 4356 (workstation) or 16644 (server) expected
   end
 
   def login(name = '', user = '', pass = '', domain = '',
@@ -55,7 +56,8 @@ def login(name = '', user = '', pass = '', domain = '',
       self.client.use_lanman_key =  use_lanman_key
       self.client.send_ntlm = send_ntlm
 
-      self.client.negotiate
+      ok = self.client.negotiate
+      self.server_max_buffer_size = ok['Payload'].v['MaxBuff']
 
       # Disable NTLMv2 Session for Windows 2000 (breaks authentication on some systems)
       # XXX: This in turn breaks SMB auth for Windows 2000 configured to enforce NTLMv2
