From 17a1f2ee8a4754899f59a7c04789a992fe5357f0 Mon Sep 17 00:00:00 2001
From: wchen-r7
Date: Mon, 16 Nov 2015 14:24:46 -0600
Subject: [PATCH] Fix #6242, Check nil for sock.read
Fix #6242
---
 modules/auxiliary/scanner/db2/discovery.rb | 44 ++++++++++---------
 .../scanner/ftp/bison_ftp_traversal.rb | 5 +++
 .../scanner/ftp/pcman_ftp_traversal.rb | 5 +++
 .../scanner/motorola/timbuktu_udp.rb | 5 ++-
 .../scanner/oracle/tnspoison_checker.rb | 2 +-
 .../scanner/sap/sap_router_info_request.rb | 2 +-
 .../windows/gather/forensics/nbd_server.rb | 6 +++
 modules/post/windows/manage/nbd_server.rb | 6 +++
 8 files changed, 52 insertions(+), 23 deletions(-)
diff --git a/modules/auxiliary/scanner/db2/discovery.rb b/modules/auxiliary/scanner/db2/discovery.rb
index 12c8692303..c94537a49b 100644
--- a/modules/auxiliary/scanner/db2/discovery.rb
+++ b/modules/auxiliary/scanner/db2/discovery.rb
@@ -32,33 +32,37 @@ class Metasploit3 < Msf::Auxiliary
 connect_udp
 udp_sock.put(pkt)
- res = udp_sock.read(1024).split(/\x00/)
+ res = udp_sock.read(1024)
- if (res)
- report_note(
- :host => ip,
- :proto => 'udp',
- :port => datastore['RPORT'],
- :type => 'SERVICE_INFO',
- :data => res[2] + "_" + res[1]
- )
- report_service(
- :host => ip,
- :port => datastore['RPORT'],
- :proto => 'udp',
- :name => "ibm-db2",
- :info => res[2] + "_" + res[1]
- )
- print_status("Host #{ip} node name is " + res[2] + " with a product id of " + res[1] )
- else
+ unless res
 print_error("Unable to determine version info for #{ip}")
+ return
 end
- disconnect_udp
+ res = res.split(/\x00/)
+
+ report_note(
+ :host => ip,
+ :proto => 'udp',
+ :port => datastore['RPORT'],
+ :type => 'SERVICE_INFO',
+ :data => res[2] + "_" + res[1]
+ )
+
+ report_service(
+ :host => ip,
+ :port => datastore['RPORT'],
+ :proto => 'udp',
+ :name => "ibm-db2",
+ :info => res[2] + "_" + res[1]
+ )
+
+ print_status("Host #{ip} node name is " + res[2] + " with a product id of " + res[1] )
 rescue ::Rex::ConnectionError
 rescue ::Errno::EPIPE
-
+ ensure
+ disconnect_udp
 end
 end
diff --git a/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb b/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb
index 19f83f3bdd..4970ab3c62 100644
--- a/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb
+++ b/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb
@@ -71,6 +71,11 @@ class Metasploit3 < Msf::Auxiliary
 # read the file data from the socket that we opened
 response_data = sock.read(1024)
+ unless response_data
+ print_error("#{file} not found")
+ return
+ end
+
 if response_data.length == 0
 print_status("File (#{file_path})from #{peer} is empty...")
 return
diff --git a/modules/auxiliary/scanner/ftp/pcman_ftp_traversal.rb b/modules/auxiliary/scanner/ftp/pcman_ftp_traversal.rb
index 15e40e43b5..bcdb39565b 100644
--- a/modules/auxiliary/scanner/ftp/pcman_ftp_traversal.rb
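Review bot: The added `unless res` guard only covers a nil read; `res[2] + "_" + res[1]` a few lines later still raises NoMethodError on nil whenever the UDP reply holds fewer than three NUL-separated fields (an empty string is truthy and splits to `[]`, for instance). That exception is not in the rescue list below, so one malformed or truncated reply propagates out of the method instead of being reported for the host. After `res = res.split(/\x00/)` add `return print_error("Unexpected response from #{ip}") if res.length < 3`, and only then call report_note/report_service. The enclosing method begins before this hunk.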
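Review bot: The new `print_error("#{file} not found")` interpolates `file`, while the context line just below and the matching pcman_ftp_traversal.rb hunk both use `file_path`; if `file` is not a local assigned earlier in the method (its start is outside this hunk), the error path itself raises NameError. Use the name the rest of the method uses, `print_error("#{file_path} not found")`, or confirm `file` is defined above. A nil from `sock.read` also means the data connection was closed before any byte arrived rather than a confirmed missing file, so `"No data received for #{file_path}"` describes what was actually observed.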
+++ b/modules/auxiliary/scanner/ftp/pcman_ftp_traversal.rb
@@ -70,6 +70,11 @@ class Metasploit3 < Msf::Auxiliary
 # read the file data from the socket that we opened
 response_data = sock.read(1024)
+ unless response_data
+ print_error("#{file_path} not found")
+ return
+ end
+
 if response_data.length == 0 or ! (res =~ /^150/ )
 print_status("File (#{file_path})from #{peer} is empty...")
 return
diff --git a/modules/auxiliary/scanner/motorola/timbuktu_udp.rb b/modules/auxiliary/scanner/motorola/timbuktu_udp.rb
index 00e83217bd..47b57c7adf 100644
--- a/modules/auxiliary/scanner/motorola/timbuktu_udp.rb
+++ b/modules/auxiliary/scanner/motorola/timbuktu_udp.rb
@@ -52,8 +52,11 @@ class Metasploit3 < Msf::Auxiliary
 else
 print_error("Unable to determine info for #{ip}...")
 end
+ rescue ::Errno::EPIPE, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused => e
+ vprint_error(e.message)
+ elog("#{e.class} #{e.message}\n#{e.backtrace * "\n"}")
+ ensure
 disconnect_udp
- rescue ::Errno::EPIPE, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
 end
 end
 end
diff --git a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb
index 847ed10f9e..aab795941c 100644
--- a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb
+++ b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb
@@ -42,7 +42,7 @@ class Metasploit3 < Msf::Auxiliary
 send_packet = tns_packet("(CONNECT_DATA=(COMMAND=service_register_NSGR))")
 sock.put(send_packet)
 packet = sock.read(100)
- find_packet = packet.include? "(ERROR_STACK=(ERROR="
+ find_packet = /\(ERROR_STACK=\(ERROR=/ === packet
 find_packet == true ? print_error("#{ip}:#{rport} is not vulnerable ") : print_good("#{ip}:#{rport} is vulnerable")
 # TODO: Module should report_vuln if this finding is solid.
 rescue ::Rex::ConnectionError, ::Errno::EPIPE
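Review bot: The new nil branch reports `"#{file_path} not found"`, but the control-channel reply `res` that explains why no data arrived is already in scope (the very next context line tests it against `/^150/`) and is discarded from the message. Including it gives the operator the actual server verdict instead of a guess: `print_error("No data received for #{file_path} (server reply: #{res.to_s.strip})")`. The bison_ftp_traversal.rb hunk uses the same "not found" wording and would benefit from the same treatment. The enclosing method begins before this hunk.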
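Review bot: The new rescue enumerates `::Rex::HostUnreachable`, `::Rex::ConnectionTimeout` and `::Rex::ConnectionRefused` separately; as far as I recall these are subclasses of `::Rex::ConnectionError`, which the discovery.rb and tnspoison_checker.rb hunks in this same commit rescue directly, so `rescue ::Errno::EPIPE, ::Rex::ConnectionError => e` would be both shorter and consistent with them. Separately, `elog` with a full backtrace for a refused or timed-out UDP probe is noisy in a sweep: those are expected outcomes for a scanner, so `vprint_error(e.message)` alone seems sufficient here, with `elog` kept for errors the module did not anticipate. The commit title promises a nil check on the read, but this hunk adds none; presumably the `else` branch above (outside the hunk) already handles a falsy response, which is worth confirming. The enclosing method begins before this hunk.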
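Review bot: With `/\(ERROR_STACK=\(ERROR=/ === packet`, a nil `packet` (no reply, or the listener closing the connection) yields `false`, and the ternary on the next line then prints "is vulnerable" — a host that never answered is reported as a finding. Guard the no-response case explicitly before matching: `if packet.nil?` / `print_error("#{ip}:#{rport} - no response from listener")` / `return`, so the vulnerable/not-vulnerable verdict is only issued for hosts that actually replied. `find_packet == true ?` can also be reduced to `find_packet ?` since `Regexp#===` already returns a boolean. The enclosing method begins before this hunk.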
diff --git a/modules/auxiliary/scanner/sap/sap_router_info_request.rb b/modules/auxiliary/scanner/sap/sap_router_info_request.rb
index 01b3088dcc..4c95966b43 100644
--- a/modules/auxiliary/scanner/sap/sap_router_info_request.rb
+++ b/modules/auxiliary/scanner/sap/sap_router_info_request.rb
@@ -109,7 +109,7 @@ class Metasploit4 < Msf::Auxiliary
 print_good("#{host_port} - Connected to saprouter")
 print_good("#{host_port} - Sending ROUTER_ADM packet info request")
 sock.put(ni_packet)
- packet_len = sock.read(4).unpack('H*')[0].to_i 16
+ packet_len = sock.read(4).to_s.unpack('H*')[0].to_i 16
 print_good("#{host_port} - Got INFO response")
 while packet_len !=0
 count += 1
diff --git a/modules/post/windows/gather/forensics/nbd_server.rb b/modules/post/windows/gather/forensics/nbd_server.rb
index 5da92628d6..2a029ce6a3 100644
--- a/modules/post/windows/gather/forensics/nbd_server.rb
+++ b/modules/post/windows/gather/forensics/nbd_server.rb
@@ -76,6 +76,12 @@ class Metasploit3 < Msf::Post
 while true
 request = rsock.read(28)
+
+ unless request
+ print_error("No data received")
+ break
+ end
+
 magic, request, nbd_handle, offset_n, length = request.unpack("NNa8a8N")
 if magic != 0x25609513
diff --git a/modules/post/windows/manage/nbd_server.rb b/modules/post/windows/manage/nbd_server.rb
index 4ef8b99874..41f786ac8c 100644
--- a/modules/post/windows/manage/nbd_server.rb
+++ b/modules/post/windows/manage/nbd_server.rb
@@ -74,6 +74,12 @@ class Metasploit3 < Msf::Post
 while true
 request = rsock.read(28)
+
+ unless request
+ print_error("No data received")
+ break
+ end
+
 magic, request, nbd_handle, offset_n, length = request.unpack("NNa8a8N")
 if magic != 0x25609513
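Review bot: `sock.read(4).to_s` masks the failure rather than handling it: a nil read becomes `""`, which unpacks to `[""]` and `"".to_i(16)` is 0, so the `while` loop is skipped — yet the next line still prints "Got INFO response" for a host that sent nothing, and a short read of one to three bytes is parsed as a bogus length with no complaint. Read into a local and validate its size before parsing: `len_bytes = sock.read(4)` / `return print_error("#{host_port} - No INFO response") unless len_bytes && len_bytes.bytesize == 4` / `packet_len = len_bytes.unpack('N').first` (for exactly four bytes this equals the hex round-trip, and `to_i 16` without parentheses goes away). The enclosing method begins before this hunk.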
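Review bot: The added `unless request` guard handles only a nil read, but depending on how the Rex socket implements `read`, a single `rsock.read(28)` may return fewer than 28 bytes (client disconnecting mid-request, or a partial segment), and `request.unpack("NNa8a8N")` then yields nil fields — a nil `magic` trips the check on the next line, but a truncated request that still carries a valid magic leaves `offset_n`/`length` nil for the code below. Tighten the guard to `unless request && request.bytesize == 28`. A nil here also means the NBD client closed its side, which is the normal end of a session, so `print_status` rather than `print_error` may be the more accurate level. The identical hunk in modules/post/windows/manage/nbd_server.rb needs the same change. The enclosing loop and method begin before this hunk.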