[framework] BUG: in windows/dcerpc/msdns_zonename (NilClass)

M.P.Sairam msairam at intoto.com
Mon Jun 25 23:40:54 CDT 2007


Kristian Hermansen wrote:
> I tried hacking around and fixing this one today, but it looks like it is a
> Ruby bug that never got worked around in MSF 3.0 for some reason?  Trace
> below...
>
>
> administrator at khermans-um64:~/exploits/trunk$ svn up
> At revision 5000.
> administrator at khermans-um64:~/exploits/trunk$ ./msfconsole
>
>                     888                           888        d8b888
>                     888                           888        Y8P888
>                     888                           888           888
> 88888b.d88b.  .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888
> 888 "888 "88bd8P  Y8b888       "88b88K     888 "88b888d88""88b888888
> 888  888  88888888888888   .d888888"Y8888b.888  888888888  888888888
> 888  888  888Y8b.    Y88b. 888  888     X88888 d88P888Y88..88P888Y88b.
> 888  888  888 "Y8888  "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888
>                                           888
>                                           888
>                                           888
>
>
>       =[ msf v3.1-dev
> + -- --=[ 200 exploits - 106 payloads
> + -- --=[ 17 encoders - 5 nops
>       =[ 38 aux
>
> msf > use windows/dcerpc/msdns_zonename
> msf exploit(msdns_zonename) > show options
>
> Module options:
>
>   Name    Current Setting  Required  Description
>
>   ----    ---------------  --------  -----------
>
>   Locale  English          yes       Locale for automatic target
> (English, French, Italian, ...)
>   RHOST                    yes       The target address
>
>   RPORT   0                yes       The target port
>
>
>
> Exploit target:
>
>   Id  Name
>   --  ----
>   0   Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)
>
>
> msf exploit(msdns_zonename) > set RHOST 172.31.4.14
> RHOST => 172.31.4.14
> msf exploit(msdns_zonename) > set RPORT 53
> RPORT => 53
> msf exploit(msdns_zonename) > show targets
>
> Exploit targets:
>
>   Id  Name
>   --  ----
>   0   Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)
>   1   Windows 2000 Server SP0-SP4+ English
>   2   Windows 2000 Server SP0-SP4+ Italian
>   3   Windows 2000 Server SP0-SP4+ French
>   4   Windows 2003 Server SP0 English
>   5   Windows 2003 Server SP0 French
>   6   Windows 2003 Server SP1-SP2 English
>   7   Windows 2003 Server SP1-SP2 French
>   8   Windows 2003 Server SP1-SP2 Italian
>   9   Windows 2003 Server SP1-SP2 German
>
>
> msf exploit(msdns_zonename) > set TARGET 6
> TARGET => 6
> msf exploit(msdns_zonename) > set PAYLOAD windows/exec
> PAYLOAD => windows/exec
> msf exploit(msdns_zonename) > show options
>
> Module options:
>
>   Name    Current Setting  Required  Description
>
>   ----    ---------------  --------  -----------
>
>   Locale  English          yes       Locale for automatic target
> (English, French, Italian, ...)
>   RHOST   172.31.4.14      yes       The target address
>
>   RPORT   53               yes       The target port
>
>
>
> Payload options:
>
>   Name      Current Setting  Required  Description
>
>   ----      ---------------  --------  -----------
>
>   CMD                        yes       The command string to execute
>
>   EXITFUNC  thread           yes       Exit technique: seh, thread,
> process
>
>
> Exploit target:
>
>   Id  Name
>   --  ----
>   6   Windows 2003 Server SP1-SP2 English
>
>
> msf exploit(msdns_zonename) > set CMD calc
> CMD => calc
> msf exploit(msdns_zonename) > exploit
> [-] Exploit failed: undefined method `name' for nil:NilClass
> msf exploit(msdns_zonename) > show options
>
> Module options:
>
>   Name    Current Setting  Required  Description
>
>   ----    ---------------  --------  -----------
>
>   Locale  English          yes       Locale for automatic target
> (English, French, Italian, ...)
>   RHOST   172.31.4.14      yes       The target address
>
>   RPORT   53               yes       The target port
>
>
>
> Payload options:
>
>   Name      Current Setting  Required  Description
>
>   ----      ---------------  --------  -----------
>
>   CMD       calc             yes       The command string to execute
>
>   EXITFUNC  thread           yes       Exit technique: seh, thread,
> process
>
>
> Exploit target:
>
>   Id  Name
>   --  ----
>   6   Windows 2003 Server SP1-SP2 English
>
>
>
> Relevant lines are 93 and 110.  For some reason, targets does not get
> set properly and remains nil.  Then, when referencing the 'name'
> attribute, we raise an exception from ruby...
>
> <snip>
>   def gettarget(os)
>
>     targets.each do |target|
>       if ((target['OS'] =~ /#{os}/) && (target.name =~ /#{datastore['Locale']}/))
>         return target
>       end
>     end
>
>     return nil
>   end
>
> </snip>
>
>
> <snip>
>   def exploit
>
>     # Ask the endpoint mapper to locate the port for us
>
>     dport = datastore['RPORT'].to_i
>
>     if ((dport != 0) && (target.name =~ /Automatic/))
>       print_status("Could not use automatic target when the remote port is given");
>       return
>     end
> </snip>
>
> I found this from hdm a while back...
>
> http://www.meatsploit.com/archive/framework/msg02280.html
>
> Any ideas?  I would patch it, but not really a Ruby dude at the moment.
> Heh, OK, I'll jump on the ruby wagon soon I suppose.  FWIW, if I place
> a return call before references to name, the exploit returns cleanly.  I
> don't know MSF3 base well enough to know the coding practices and/or the
> effect it would have for my simple hack to set target correctly when not
> using automatic target selection...
Hi Kristian Hermansen,
    I am attaching the following discussion, which happened on the same 
issue that you faced:

H D Moore wrote:
> Honestly I didn't understand the patch. In the module 'target' should 
> be set to targets[datastore['TARGET']] by default. Setting this 
> manually means something else broke. Fabrice, can you share a little 
> more about this?

I think this is the same issue I ran into last week with another module. 
It took me a while to debug it, but I finally figured out that it's a bug 
in Ruby (or maybe just a really weird feature). Look at this code:

class Foo
  attr_accessor :bar

  def foo
    self.bar = 1
    p self.bar       # prints 1
    p bar            # prints 1
  end
end

The assignment self.bar is a method call to the setter method bar=(). 
The two print statements call the bar() getter method.

class Foo
  attr_accessor :bar

  def foo
    self.bar = 1
    bar = 2
    p self.bar       # prints 1
    p bar            # prints 2
  end
end

The assignment bar = 2 creates a new local variable. The second print 
statement prints the value of the local variable instead of calling the 
bar() getter method.

Here comes the weird part:

class Foo
  attr_accessor :bar

  def foo
    self.bar = 1

    if false
      bar = 2        # never executed
    end

    p self.bar       # prints 1
    p bar            # prints nil
  end
end

Even though the bar = 2 assignment is never executed, the Ruby 
interpreter still creates a local variable called bar. The second print 
statement prints the value of the local variable (which is nil because 
it has not been initialized).

I think that you're seeing the exact same issue in the DNS module. 
Here's the code:

if (target.name =~ /Automatic/)
  if (not schedport)
    target = gettarget('2003SP12')
  else
    if (not schedport)
      target = gettarget('2000')
    else
      target = gettarget('2003SP0')
    end
  end
end

The assignments to target inside the if statement will create a new local 
variable called target. If you're using a non-automatic target, the 
assignments will not happen and the local target variable will be nil.

Alex
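As an added illustration (not part of the original thread and not Metasploit
code), here is a small self-contained Ruby script that reproduces the
shadowing bug Alex describes and shows the fix. FakeModule, TARGETS,
resolve_buggy and resolve_fixed are names invented for this example; the
target table is a constructed subset of what `show targets` printed above,
and the schedport-to-OS mapping is simplified to two cases. The extra
`defined?(bar)` call shows why the dead assignment changes the meaning of
`bar`: the parser has already declared it as a local variable.

```ruby
# Added example, not Metasploit code: a stand-in for the module's
# target/gettarget pattern that reproduces the shadowing bug and its fix.
# Names (FakeModule, TARGETS, resolve_buggy, resolve_fixed) are invented here;
# the target list is a constructed subset of what `show targets` printed.
Target = Struct.new(:name, :os)

class FakeModule
  attr_accessor :target, :datastore

  TARGETS = [
    Target.new('Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)', nil),
    Target.new('Windows 2003 Server SP1-SP2 English', '2003SP12'),
    Target.new('Windows 2000 Server SP0-SP4+ English', '2000'),
  ].freeze

  def initialize(target_index, locale = 'English')
    @datastore = { 'TARGET' => target_index, 'Locale' => locale }
    @target = TARGETS[target_index]   # what the framework sets up before exploit()
  end

  # Same matching rule as the quoted gettarget: OS tag plus locale in the name.
  def gettarget(os)
    TARGETS.find { |t| t.os == os && t.name =~ /#{datastore['Locale']}/ }
  end

  # Buggy shape of the quoted exploit code. The first `target.name` is parsed
  # before any assignment, so it calls the getter and works. Once the parser
  # sees `target = ...` inside the `if`, every later `target` in this method
  # body is the LOCAL variable, which stays nil when the branch is skipped.
  def resolve_buggy(schedport)
    if target.name =~ /Automatic/
      if not schedport
        target = gettarget('2003SP12')
      else
        target = gettarget('2000')
      end
    end
    target.name   # NoMethodError on nil for a manually chosen target
  end

  # Fix: assign through the setter so no local variable is ever created.
  def resolve_fixed(schedport)
    if target.name =~ /Automatic/
      self.target = schedport ? gettarget('2000') : gettarget('2003SP12')
    end
    target.name
  end
end

# The parse-time rule in isolation: the dead assignment still declares `bar`.
class ShadowDemo
  attr_accessor :bar

  def probe
    self.bar = 1
    if false
      bar = 2   # never runs, but the parser has now declared a local `bar`
    end
    [self.bar, bar, defined?(bar)]   # getter value, shadowing local, and why
  end
end

if __FILE__ == $PROGRAM_NAME
  p ShadowDemo.new.probe
  p FakeModule.new(0).resolve_fixed(false)
  p FakeModule.new(1).resolve_fixed(false)
  begin
    FakeModule.new(1).resolve_buggy(false)
  rescue NoMethodError => e
    puts "buggy version with manual target: #{e.class}: #{e.message}"
  end
end
```

The same fix applies in the module: either write `self.target = gettarget(...)`
so the setter is called, or assign the looked-up target to a differently named
local and use that, so `target` always remains the accessor.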




