Fixes #3466 by detecting a second null handle and breaking the loop (happens with likewise servers)

git-svn-id: file:///home/svn/framework3/trunk@11508 4d416f70-5f16-0410-b530-b9f4589650da

lib/msf/core/exploit/dcerpc_epm.rb

@@ -96,12 +96,15 @@ module Exploit::Remote::DCERPC_EPM
 					# NULL handle to start with
 					data = [0, 0, 0, 0, 0, 0, 0, 0, 0, 1].pack("V*")
 				else
-					# Use the existing handle
+					# Break the loop early if we get another NULL handle
+					break if hnd == [0, 0, 0, 0, 1].pack("V*")
+					
+					# Use the existing handle if we already have one					
 					data = [0, 0, 0, 0, 0].pack("V*") + hnd
 				end
 
 				ret = dce.call(2, data)
-
+			
 				if (
 					dce.last_response == nil or
 					dce.last_response.stub_data == nil or
@@ -133,7 +136,7 @@ module Exploit::Remote::DCERPC_EPM
 				# Determine number of records
 				rcnt = buf[soff, 2].unpack('v')[0]
 				soff += 2
-
+				
 				# Parse the data from the stack
 				1.upto(rcnt) do |i|
 					rlen = buf[soff, 2].unpack('v')[0]
@@ -203,6 +206,9 @@ module Exploit::Remote::DCERPC_EPM
 				info[:host].gsub!("\x00", '') if info[:host]
 
 				res << info
+				
+				# Handle a buggy response from a Likewise server that can result in a loop otherwise
+				break if hnd == [0, 0, 0, 0, 0, 0, 0, 0, 0, 1].pack("V*")
 			end
 
 		rescue ::Interrupt