Fix bad use of sock.get() and check() implementations

Many of these modules uses sock.get() when they meant get_once() and their HTTP-based checks were broken in some form. The response to the sock.get() was not being checked against nil, which would lead to stack traces when the service did not reply (a likely case given how malformed the HTTP requests were).
2014-06-28 16:05:05 -05:00 · 2014-06-28 16:05:05 -05:00 · 6e80481384
parent 3868348045
commit 6e80481384
12 changed files with 33 additions and 33 deletions
--- a/modules/exploits/multi/misc/java_jdwp_debugger.rb
+++ b/modules/exploits/multi/misc/java_jdwp_debugger.rb
@ -156,7 +156,7 @@ class Metasploit3 < Msf::Exploit::Remote
  # Establishes handshake with the server
  def handshake
    sock.put(HANDSHAKE)
-    return sock.get(datastore['RESPONSE_TIMEOUT'])
+    return sock.get_once(-1, datastore['RESPONSE_TIMEOUT'])
  end

  # Forges packet for JDWP protocol
@ -173,7 +173,7 @@ class Metasploit3 < Msf::Exploit::Remote

  # Reads packet response for JDWP protocol
  def read_reply(timeout = default_timeout)
-    response = sock.get(timeout)
+    response = sock.get_once(-1, timeout)
    fail_with(Failure::TimeoutExpired, "#{peer} - Not received response") unless response
    pktlen, id, flags, errcode = response.unpack('NNCn')
    response.slice!(0..10)
--- a/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb
+++ b/modules/exploits/multi/misc/veritas_netbackup_cmdexec.rb
@ -59,11 +59,11 @@ class Metasploit3 < Msf::Exploit::Remote
    buf = "\x20\x20\x201\x20\x20\x20\x20\x20\x201\necho #{sploit}\n"

    sock.put(buf)
-    banner = sock.get(3,3)
+    banner = sock.get_once

    disconnect

-    if (banner and banner =~ /#{sploit}/)
+    if banner.to_s.index(sploit)
      return Exploit::CheckCode::Vulnerable
    end
    return Exploit::CheckCode::Safe
@ -79,7 +79,7 @@ class Metasploit3 < Msf::Exploit::Remote
    buf << "\n"

    sock.put(buf)
-    res = sock.get(-1,3)
+    res = sock.get_once

    print_status(res.to_s)

--- a/modules/exploits/windows/ftp/dreamftp_format.rb
+++ b/modules/exploits/windows/ftp/dreamftp_format.rb
@ -56,9 +56,9 @@ class Metasploit3 < Msf::Exploit::Remote

  def check
    connect
-    banner = sock.get(-1,3)
+    banner = sock.get_once
    disconnect
-    if (banner =~ /Dream FTP Server/)
+    if (banner.to_s =~ /Dream FTP Server/)
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
--- a/modules/exploits/windows/http/amlibweb_webquerydll_app.rb
+++ b/modules/exploits/windows/http/amlibweb_webquerydll_app.rb
@ -68,10 +68,10 @@ class Metasploit3 < Msf::Exploit::Remote
    rand = Rex::Text.rand_text_alpha(10)

    sock.put("GET /amlibweb/webquery.dll?#{rand}= HTTP/1.0\r\n\r\n")
-    res = sock.get(-1,3)
+    res = sock.get_once
    disconnect

-    if (res =~ /<H1>BAD REQUEST<\/H1><P>Your client sent a request that this server didn't understand.<br>Request:\s(\w+)/)
+    if (res.to_s =~ /<H1>BAD REQUEST<\/H1><P>Your client sent a request that this server didn't understand.<br>Request:\s(\w+)/)
      if ($1 == rand)
        return Exploit::CheckCode::Vulnerable
      end
--- a/modules/exploits/windows/http/ca_igateway_debug.rb
+++ b/modules/exploits/windows/http/ca_igateway_debug.rb
@ -59,10 +59,10 @@ class Metasploit3 < Msf::Exploit::Remote

  def check
    connect
-    sock.put("HEAD / HTTP/1.0\r\n\r\n\r\n")
-    banner = sock.get(-1,3)
+    sock.put("HEAD / HTTP/1.0\r\nHost: #{rhost}\r\n\r\n")
+    banner = sock.get_once

-    if (banner =~ /GET and POST methods are the only methods supported at this time/) # Unique?
+    if (banner.to_s =~ /GET and POST methods are the only methods supported at this time/) # Unique?
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
--- a/modules/exploits/windows/http/mcafee_epolicy_source.rb
+++ b/modules/exploits/windows/http/mcafee_epolicy_source.rb
@ -66,12 +66,12 @@ class Metasploit3 < Msf::Exploit::Remote
    connect

    req = "GET /SITEINFO.INI HTTP/1.0\r\n"
-    req << "User-Agent: Mozilla/5.0\r\n"
-    sock.put(req + "\r\n\r\n")
+    req << "User-Agent: Mozilla/5.0\r\n\r\n"
+    sock.put(req)

-    banner = sock.get(-1,3)
+    banner = sock.get_once

-    if (banner =~ /Spipe\/1\.0/)
+    if banner.to_s =~ /Spipe\/1\.0/
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
--- a/modules/exploits/windows/http/mdaemon_worldclient_form2raw.rb
+++ b/modules/exploits/windows/http/mdaemon_worldclient_form2raw.rb
@ -68,10 +68,10 @@ class Metasploit3 < Msf::Exploit::Remote
  def check
    connect
    sock.put("GET / HTTP/1.0\r\n\r\n")
-    banner = sock.get(-1,3)
+    banner = sock.get_once
    disconnect

-    if (banner =~ /WDaemon\/6\.8\.[0-5]/)
+    if (banner.to_s =~ /WDaemon\/6\.8\.[0-5]/)
      return Exploit::CheckCode::Appears
    end

--- a/modules/exploits/windows/http/psoproxy91_overflow.rb
+++ b/modules/exploits/windows/http/psoproxy91_overflow.rb
@ -59,8 +59,8 @@ class Metasploit3 < Msf::Exploit::Remote
  def check
    connect
    sock.put("GET / HTTP/1.0\r\n\r\n")
-    banner = sock.get(-1,3)
-    if (banner =~ /PSO Proxy 0\.9/)
+    banner = sock.get_once
+    if (banner.to_s =~ /PSO Proxy 0\.9/)
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
--- a/modules/exploits/windows/http/servu_session_cookie.rb
+++ b/modules/exploits/windows/http/servu_session_cookie.rb
@ -75,12 +75,12 @@ class Metasploit3 < Msf::Exploit::Remote
  def check
    connect
    sock.put("\r\n\r\n") # works
-    res = sock.get(-1,3)
+    res = sock.get_once
    disconnect

-    if (res =~ /Server: Serv-U\/9\.0\.0\.5/)
+    if (res.to_s =~ /Server: Serv-U\/9\.0\.0\.5/)
      return Exploit::CheckCode::Appears
-    elsif (res =~ /Server: Serv-U/)
+    elsif (res.to_s =~ /Server: Serv-U/)
      return Exploit::CheckCode::Detected
    end
    return Exploit::CheckCode::Safe
--- a/modules/exploits/windows/http/steamcast_useragent.rb
+++ b/modules/exploits/windows/http/steamcast_useragent.rb
@ -60,10 +60,10 @@ class Metasploit3 < Msf::Exploit::Remote
  def check
    connect
    sock.put("GET / HTTP/1.0\r\n\r\n")
-    res = sock.get(-1, 3)
+    res = sock.get_once
    disconnect

-    if (res =~ /Steamcast\/0\.9\.75/)
+    if (res.to_s =~ /Steamcast\/0\.9\.75/)
      return Exploit::CheckCode::Appears
    end
    return Exploit::CheckCode::Safe
--- a/modules/exploits/windows/http/xitami_if_mod_since.rb
+++ b/modules/exploits/windows/http/xitami_if_mod_since.rb
@ -60,11 +60,11 @@ class Metasploit3 < Msf::Exploit::Remote

  def check
    connect
-    sock.put("GET / HTTP/1.1\r\n\r\n")
-    banner = sock.get(-1,3)
+    sock.put("GET / HTTP/1.1\r\nHost: #{rhost}\r\n\r\n")
+    banner = sock.get_once
    disconnect

-    if (banner =~ /Xitami/)
+    if (banner.to_s =~ /Xitami/)
      vprint_status("Banner: #{banner}")
      return Exploit::CheckCode::Detected
    end
--- a/modules/exploits/windows/scada/codesys_web_server.rb
+++ b/modules/exploits/windows/scada/codesys_web_server.rb
@ -79,14 +79,14 @@ class Metasploit3 < Msf::Exploit::Remote

  def check
    connect
-    sock.put("GET / HTTP/1.1\r\n\r\n")
-    res = sock.get(-1, 3)
+    sock.put("GET / HTTP/1.1\r\nHost: #{rhost}\r\n\r\n")
+    res = sock.get_once
    disconnect

    # Can't flag the web server as vulnerable, because it doesn't
    # give us a version
-    vprint_line(res)
-    if res =~ /3S_WebServer/
+    vprint_line(res.to_s)
+    if res.to_s =~ /3S_WebServer/
      return Exploit::CheckCode::Detected
    else
      return Exploit::CheckCode::Safe
@ -118,7 +118,7 @@ class Metasploit3 < Msf::Exploit::Remote

    print_status("Trying target #{target.name}...")
    sock.put(sploit)
-    res = sock.get_once
+    res = sock.get_once(-1, 5)
    print_line(res) unless res.nil?

    handler