Metasploit mailing list archives
BUG: in windows/dcerpc/msdns_zonename (NilClass)
From: msairam at intoto.com (M.P.Sairam)
Date: Tue, 26 Jun 2007 10:10:54 +0530
Kristian Hermansen wrote:
I tried hacking around a fixing this one today, but looks like it is a Ruby bug that never got worked around in MSF 3.0 for some reason? Trace below... administrator at khermans-um64:~/exploits/trunk$ svn up At revision 5000. administrator at khermans-um64:~/exploits/trunk$ ./msfconsole 888 888 d8b888 888 888 Y8P888 888 888 888 88888b.d88b. .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888 888 "888 "88bd8P Y8b888 "88b88K 888 "88b888d88""88b888888 888 888 88888888888888 .d888888"Y8888b.888 888888888 888888888 888 888 888Y8b. Y88b. 888 888 X88888 d88P888Y88..88P888Y88b. 888 888 888 "Y8888 "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888 888 888 888 =[ msf v3.1-dev + -- --=[ 200 exploits - 106 payloads + -- --=[ 17 encoders - 5 nops =[ 38 aux msf > use windows/dcerpc/msdns_zonename msf exploit(msdns_zonename) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- Locale English yes Locale for automatic target (English, French, Italian, ...) RHOST yes The target address RPORT 0 yes The target port Exploit target: Id Name -- ---- 0 Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2) msf exploit(msdns_zonename) > set RHOST 172.31.4.14 RHOST => 172.31.4.14 msf exploit(msdns_zonename) > set RPORT 53 RPORT => 53 msf exploit(msdns_zonename) > show targets Exploit targets: Id Name -- ---- 0 Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2) 1 Windows 2000 Server SP0-SP4+ English 2 Windows 2000 Server SP0-SP4+ Italian 3 Windows 2000 Server SP0-SP4+ French 4 Windows 2003 Server SP0 English 5 Windows 2003 Server SP0 French 6 Windows 2003 Server SP1-SP2 English 7 Windows 2003 Server SP1-SP2 French 8 Windows 2003 Server SP1-SP2 Italian 9 Windows 2003 Server SP1-SP2 German msf exploit(msdns_zonename) > set TARGET 6 TARGET => 6 msf exploit(msdns_zonename) > set PAYLOAD windows/exec PAYLOAD => windows/exec msf exploit(msdns_zonename) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- Locale English yes Locale for automatic target (English, French, Italian, ...) RHOST 172.31.4.14 yes The target address RPORT 53 yes The target port Payload options: Name Current Setting Required Description ---- --------------- -------- ----------- CMD yes The command string to execute EXITFUNC thread yes Exit technique: seh, thread, process Exploit target: Id Name -- ---- 6 Windows 2003 Server SP1-SP2 English msf exploit(msdns_zonename) > set CMD calc CMD => calc msf exploit(msdns_zonename) > exploit [-] Exploit failed: undefined method `name' for nil:NilClass msf exploit(msdns_zonename) > show options Module options: Name Current Setting Required Description ---- --------------- -------- ----------- Locale English yes Locale for automatic target (English, French, Italian, ...) RHOST 172.31.4.14 yes The target address RPORT 53 yes The target port Payload options: Name Current Setting Required Description ---- --------------- -------- ----------- CMD calc yes The command string to execute EXITFUNC thread yes Exit technique: seh, thread, process Exploit target: Id Name -- ---- 6 Windows 2003 Server SP1-SP2 English Relevant lines are 93 and 110. For some reason, targets does not get set properly and remains nil. Then, when referencing the 'name' attribute, we raise an exception from ruby... <snip> def gettarget(os) targets.each do |target| if ((target['OS'] =~ /#{os}/) && (target.name =~ /#{dat\ astore['Locale']}/)) return target end end return nil end </snip> <snip> def exploit # Ask the endpoint mapper to locate the port for us dport = datastore['RPORT'].to_i if ((dport != 0) && (target.name =~ /Automatic/)) print_status("Could not use automatic target when the r\ emote port is given"); return end </snip> I found this from hdm a while back... http://www.meatsploit.com/archive/framework/msg02280.html Any ideas? I would patch it, but not really a Ruby dude at the moment. Heh, OK, I'll jump on the ruby wagon soon I suppose. FWIW, if I place a return call before references to name, the exploit returns cleanly. I don't know MSF3 base well enough to know the coding practices and/or the effect it would have for my simple hack to set target correctly when not using automatic target selection...
hi Kristian Hermansen , I am Attaching the following discussion which happened on the same issue that you faced. The following is the discussion happened : H D Moore wrote:
Honestly I didn't udnerstand the patch. In the module 'target' should be set to targets[datastore['TARGET']] by default. Setting this manually means something else broke. Fabrice, can you share a little more about this?
I think this is the same issue I ran into last week with another module. It took me a while to debug it, but I finally figured out that it's a bug in Ruby (or maybe a just a really weird feature). Look at this code: class Foo attr_accessor :bar def foo self.bar = 1 p self.bar # prints 1 p bar # prints 1 end end The assignment self.bar is a method call to the setter method bar=(). The two print statements call the bar() getter method. class Foo attr_accessor :bar def foo self.bar = 1 bar = 2 p self.bar # prints 1 p bar # prints 2 end end The assignment bar = 2 creates a new local variable. The second print statement prints the value of the local variable instead of calling the bar() getter method. Here comes the weird part: class Foo attr_accessor :bar def foo self.bar = 1 if false bar = 2 # never executed end p self.bar # prints 1 p bar # prints nil end end Even though the bar = 2 assignment is never executed, the Ruby interpreter still creates a local variable called bar. The second print statement prints the value of the local variable (which is nil because it has not been initialized). I think that that you're seeing the exact same issue in the DNS module. Here's the code: if (target.name =~ /Automatic/) if (not schedport) target = gettarget('2003SP12') else if (not schedport) target = gettarget('2000') else target = gettarget('2003SP0') end end end The assignments to target inside the if statement will create a new local variable called target. If you're using a non-automatic target, the assignments will not happen and the local target variable will be nil. Alex ******************************************************************************** This email message (including any attachments) is for the sole use of the intended recipient(s) and may contain confidential, proprietary and privileged information. Any unauthorized review, use, disclosure or distribution is prohibited. If you are not the intended recipient, please immediately notify the sender by reply email and destroy all copies of the original message. Thank you. Intoto Inc. -------------- next part -------------- An HTML attachment was scrubbed... URL: <http://mail.metasploit.com/pipermail/framework/attachments/20070626/f00708e7/attachment.htm>
Current thread:
- BUG: in windows/dcerpc/msdns_zonename (NilClass) Kristian Hermansen (Jun 25)
- BUG: in windows/dcerpc/msdns_zonename (NilClass) M.P.Sairam (Jun 25)