Fix #6242, Check nil for sock.read

Fix #6242
2015-11-16 14:24:46 -06:00 · 2015-11-16 14:24:46 -06:00 · 17a1f2ee8a
parent f0da09090d
commit 17a1f2ee8a
8 changed files with 52 additions and 23 deletions
--- a/modules/auxiliary/scanner/db2/discovery.rb
+++ b/modules/auxiliary/scanner/db2/discovery.rb
@ -32,33 +32,37 @@ class Metasploit3 < Msf::Auxiliary

      connect_udp
      udp_sock.put(pkt)
-      res = udp_sock.read(1024).split(/\x00/)
+      res = udp_sock.read(1024)

-      if (res)
-        report_note(
-          :host   => ip,
-          :proto  => 'udp',
-          :port   => datastore['RPORT'],
-          :type   => 'SERVICE_INFO',
-          :data   => res[2] + "_" + res[1]
-          )
-        report_service(
-          :host => ip,
-          :port => datastore['RPORT'],
-          :proto => 'udp',
-          :name => "ibm-db2",
-          :info => res[2] + "_" + res[1]
-          )
-        print_status("Host #{ip} node name is " + res[2] + " with a product id of " + res[1] )
-      else
+      unless res
        print_error("Unable to determine version info for #{ip}")
+        return
      end

-      disconnect_udp
+      res = res.split(/\x00/)
+
+      report_note(
+        :host   => ip,
+        :proto  => 'udp',
+        :port   => datastore['RPORT'],
+        :type   => 'SERVICE_INFO',
+        :data   => res[2] + "_" + res[1]
+        )
+
+      report_service(
+        :host => ip,
+        :port => datastore['RPORT'],
+        :proto => 'udp',
+        :name => "ibm-db2",
+        :info => res[2] + "_" + res[1]
+      )
+
+      print_status("Host #{ip} node name is " + res[2] + " with a product id of " + res[1] )

    rescue ::Rex::ConnectionError
    rescue ::Errno::EPIPE
-
+    ensure
+      disconnect_udp
    end

  end
--- a/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb
+++ b/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb
@ -71,6 +71,11 @@ class Metasploit3 < Msf::Auxiliary
      # read the file data from the socket that we opened
      response_data = sock.read(1024)

+      unless response_data
+        print_error("#{file} not found")
+        return
+      end
+
      if response_data.length == 0
        print_status("File (#{file_path})from #{peer} is empty...")
        return
--- a/modules/auxiliary/scanner/ftp/pcman_ftp_traversal.rb
+++ b/modules/auxiliary/scanner/ftp/pcman_ftp_traversal.rb
@ -70,6 +70,11 @@ class Metasploit3 < Msf::Auxiliary
      # read the file data from the socket that we opened
      response_data = sock.read(1024)

+      unless response_data
+        print_error("#{file_path} not found")
+        return
+      end
+
      if response_data.length == 0 or ! (res =~ /^150/ )
        print_status("File (#{file_path})from #{peer} is empty...")
        return
--- a/modules/auxiliary/scanner/motorola/timbuktu_udp.rb
+++ b/modules/auxiliary/scanner/motorola/timbuktu_udp.rb
@ -52,8 +52,11 @@ class Metasploit3 < Msf::Auxiliary
        else
          print_error("Unable to determine info for #{ip}...")
        end
+    rescue ::Errno::EPIPE, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused => e
+      vprint_error(e.message)
+      elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+    ensure
      disconnect_udp
-    rescue ::Errno::EPIPE, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
    end
  end
 end
--- a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb
+++ b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb
@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary
      send_packet = tns_packet("(CONNECT_DATA=(COMMAND=service_register_NSGR))")
      sock.put(send_packet)
      packet = sock.read(100)
-      find_packet = packet.include? "(ERROR_STACK=(ERROR="
+      find_packet = /\(ERROR_STACK=\(ERROR=/ === packet
      find_packet == true ? print_error("#{ip}:#{rport} is not vulnerable ") : print_good("#{ip}:#{rport} is vulnerable")
      # TODO: Module should report_vuln if this finding is solid.
      rescue ::Rex::ConnectionError, ::Errno::EPIPE
--- a/modules/auxiliary/scanner/sap/sap_router_info_request.rb
+++ b/modules/auxiliary/scanner/sap/sap_router_info_request.rb
@ -109,7 +109,7 @@ class Metasploit4 < Msf::Auxiliary
      print_good("#{host_port} - Connected to saprouter")
      print_good("#{host_port} - Sending ROUTER_ADM packet info request")
      sock.put(ni_packet)
-      packet_len = sock.read(4).unpack('H*')[0].to_i 16
+      packet_len = sock.read(4).to_s.unpack('H*')[0].to_i 16
      print_good("#{host_port} - Got INFO response")
      while packet_len !=0
        count += 1
--- a/modules/post/windows/gather/forensics/nbd_server.rb
+++ b/modules/post/windows/gather/forensics/nbd_server.rb
@ -76,6 +76,12 @@ class Metasploit3 < Msf::Post

    while true
      request = rsock.read(28)
+
+      unless request
+        print_error("No data received")
+        break
+      end
+
      magic, request, nbd_handle, offset_n, length = request.unpack("NNa8a8N")

      if magic != 0x25609513
--- a/modules/post/windows/manage/nbd_server.rb
+++ b/modules/post/windows/manage/nbd_server.rb
@ -74,6 +74,12 @@ class Metasploit3 < Msf::Post

    while true
      request = rsock.read(28)
+
+      unless request
+        print_error("No data received")
+        break
+      end
+
      magic, request, nbd_handle, offset_n, length = request.unpack("NNa8a8N")

      if magic != 0x25609513