Fixes #3466 by detecting a second null handle and breaking the loop (happens with Likewise servers)
git-svn-id: file:///home/svn/framework3/trunk@11508 4d416f70-5f16-0410-b530-b9f4589650daunstable
parent
8e664b2d41
commit
e776697f38
@ -96,12 +96,15 @@ module Exploit::Remote::DCERPC_EPM
# NULL handle to start with
data = [0, 0, 0, 0, 0, 0, 0, 0, 0, 1].pack("V*")
else
# Use the existing handle
# Break the loop early if we get another NULL handle
break if hnd == [0, 0, 0, 0, 1].pack("V*")
# Use the existing handle if we already have one
data = [0, 0, 0, 0, 0].pack("V*") + hnd
end
ret = dce.call(2, data)
if (
dce.last_response == nil or
dce.last_response.stub_data == nil or
@ -133,7 +136,7 @@ module Exploit::Remote::DCERPC_EPM
# Determine number of records
rcnt = buf[soff, 2].unpack('v')[0]
soff += 2
# Parse the data from the stack
1.upto(rcnt) do |i|
rlen = buf[soff, 2].unpack('v')[0]
@ -203,6 +206,9 @@ module Exploit::Remote::DCERPC_EPM
info[:host].gsub!("\x00", '') if info[:host]
res << info
# Handle a buggy response from a Likewise server that can result in a loop otherwise
break if hnd == [0, 0, 0, 0, 0, 0, 0, 0, 0, 1].pack("V*")
end
rescue ::Interrupt
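Review bot: The two added sentinel checks compare `hnd` against literals of different widths — `[0, 0, 0, 0, 1].pack("V*")` (20 bytes) in the first hunk and `[0, 0, 0, 0, 0, 0, 0, 0, 0, 1].pack("V*")` (40 bytes) after `res << info` in the last — so at most one of them can ever match and the other is dead code. The follow-up request is built as `[0, 0, 0, 0, 0].pack("V*") + hnd`, which suggests `hnd` is the 20-byte context handle and the 40-byte comparison never fires; `hnd` is assigned outside these hunks, so confirm that against the response parsing before trusting either check. Whichever width is correct, hoist it into one frozen constant, e.g. `NULL_HND = [0, 0, 0, 0, 1].pack("V*").freeze`, and use it for both breaks so the loop-termination condition is stated once. A server that echoes any non-null handle back unchanged would still loop forever; comparing `hnd` with the previous iteration's handle or bounding the iteration count would cover that case as well. The enclosing method and loop begin before the first hunk and the `rescue ::Interrupt` body continues after the last.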