Metasploit mailing list archives
BUG: in windows/dcerpc/msdns_zonename (NilClass)
From: msairam at intoto.com (M.P.Sairam)
Date: Tue, 26 Jun 2007 10:10:54 +0530
Kristian Hermansen wrote:
I tried hacking around at fixing this one today, but it looks like it is a
Ruby bug that never got worked around in MSF 3.0 for some reason? Trace
below...
administrator at khermans-um64:~/exploits/trunk$ svn up
At revision 5000.
administrator at khermans-um64:~/exploits/trunk$ ./msfconsole
=[ msf v3.1-dev
+ -- --=[ 200 exploits - 106 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 38 aux
msf > use windows/dcerpc/msdns_zonename
msf exploit(msdns_zonename) > show options
Module options:

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   Locale  English          yes       Locale for automatic target (English, French, Italian, ...)
   RHOST                    yes       The target address
   RPORT   0                yes       The target port
Exploit target:
Id Name
-- ----
0 Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)
msf exploit(msdns_zonename) > set RHOST 172.31.4.14
RHOST => 172.31.4.14
msf exploit(msdns_zonename) > set RPORT 53
RPORT => 53
msf exploit(msdns_zonename) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)
1 Windows 2000 Server SP0-SP4+ English
2 Windows 2000 Server SP0-SP4+ Italian
3 Windows 2000 Server SP0-SP4+ French
4 Windows 2003 Server SP0 English
5 Windows 2003 Server SP0 French
6 Windows 2003 Server SP1-SP2 English
7 Windows 2003 Server SP1-SP2 French
8 Windows 2003 Server SP1-SP2 Italian
9 Windows 2003 Server SP1-SP2 German
msf exploit(msdns_zonename) > set TARGET 6
TARGET => 6
msf exploit(msdns_zonename) > set PAYLOAD windows/exec
PAYLOAD => windows/exec
msf exploit(msdns_zonename) > show options
Module options:

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   Locale  English          yes       Locale for automatic target (English, French, Italian, ...)
   RHOST   172.31.4.14      yes       The target address
   RPORT   53               yes       The target port
Payload options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        yes       The command string to execute
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
Exploit target:
Id Name
-- ----
6 Windows 2003 Server SP1-SP2 English
msf exploit(msdns_zonename) > set CMD calc
CMD => calc
msf exploit(msdns_zonename) > exploit
[-] Exploit failed: undefined method `name' for nil:NilClass
msf exploit(msdns_zonename) > show options
Module options:

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   Locale  English          yes       Locale for automatic target (English, French, Italian, ...)
   RHOST   172.31.4.14      yes       The target address
   RPORT   53               yes       The target port

Payload options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD       calc             yes       The command string to execute
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
Exploit target:
Id Name
-- ----
6 Windows 2003 Server SP1-SP2 English
Relevant lines are 93 and 110. For some reason, targets does not get
set properly and remains nil. Then, when referencing the 'name'
attribute, we raise an exception from ruby...
<snip>
    def gettarget(os)
        targets.each do |target|
            if ((target['OS'] =~ /#{os}/) && (target.name =~ /#{datastore['Locale']}/))
                return target
            end
        end
        return nil
    end
</snip>
<snip>
    def exploit
        # Ask the endpoint mapper to locate the port for us
        dport = datastore['RPORT'].to_i
        if ((dport != 0) && (target.name =~ /Automatic/))
            print_status("Could not use automatic target when the remote port is given");
            return
        end
</snip>
I found this from hdm a while back...
http://www.meatsploit.com/archive/framework/msg02280.html
Any ideas? I would patch it, but not really a Ruby dude at the moment.
Heh, OK, I'll jump on the ruby wagon soon I suppose. FWIW, if I place
a return call before references to name, the exploit returns cleanly. I
don't know MSF3 base well enough to know the coding practices and/or the
effect it would have for my simple hack to set target correctly when not
using automatic target selection...
Hi Kristian Hermansen,
I am attaching the following discussion, which happened on the same
issue that you faced:
H D Moore wrote:
Honestly I didn't understand the patch. In the module 'target' should be set to targets[datastore['TARGET']] by default. Setting this manually means something else broke. Fabrice, can you share a little more about this?
I think this is the same issue I ran into last week with another module.
It took me a while to debug it, but I finally figured out that it's a bug
in Ruby (or maybe just a really weird feature). Look at this code:
    class Foo
        attr_accessor :bar
        def foo
            self.bar = 1
            p self.bar # prints 1
            p bar      # prints 1
        end
    end
The assignment self.bar is a method call to the setter method bar=().
The two print statements call the bar() getter method.
    class Foo
        attr_accessor :bar
        def foo
            self.bar = 1
            bar = 2
            p self.bar # prints 1
            p bar      # prints 2
        end
    end
The assignment bar = 2 creates a new local variable. The second print
statement prints the value of the local variable instead of calling the
bar() getter method.
Here comes the weird part:
    class Foo
        attr_accessor :bar
        def foo
            self.bar = 1
            if false
                bar = 2 # never executed
            end
            p self.bar # prints 1
            p bar      # prints nil
        end
    end
Even though the bar = 2 assignment is never executed, the Ruby
interpreter still creates a local variable called bar. The second print
statement prints the value of the local variable (which is nil because it
has not been initialized).
I think that you're seeing the exact same issue in the DNS module.
Here's the code:
    if (target.name =~ /Automatic/)
        if (not schedport)
            target = gettarget('2003SP12')
        else
            if (not schedport)
                target = gettarget('2000')
            else
                target = gettarget('2003SP0')
            end
        end
    end
The assignments to target inside the if statement will create a new local
variable called target. If you're using a non-automatic target, the
assignments will not happen and the local target variable will be nil.
Alex
********************************************************************************
This email message (including any attachments) is for the sole use of the intended recipient(s)
and may contain confidential, proprietary and privileged information. Any unauthorized review,
use, disclosure or distribution is prohibited. If you are not the intended recipient,
please immediately notify the sender by reply email and destroy all copies of the original message.
Thank you.
Intoto Inc.
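The scoping rule Alex describes above, reproduced as an added example that is not code from the thread or from the Metasploit module. The Target struct, the constructed TARGETS table (modelled on the `show targets` output above), gettarget and the two module classes are illustrative stand-ins, not the framework's real objects. BuggyModule mirrors the shape of the exploit method: a bare `target = ...` inside a branch that is never taken for a fixed target, followed by a read of `target.name`. FixedModule assigns through the accessor (`self.target =`), so no local variable is ever declared and the bare reads keep calling the getter.

```ruby
# Added example, not code from the original thread or from Metasploit.
# Reproduces the Ruby parser rule behind "undefined method `name' for
# nil:NilClass": an assignment to a bare name anywhere earlier in the
# method body turns every later bare use of that name into a local
# variable, even when the assignment never executes.
# Target, TARGETS, gettarget, BuggyModule and FixedModule are
# illustrative stand-ins for the framework's objects.

Target = Struct.new(:name, :os)

# Constructed target table, loosely modelled on the `show targets` output.
TARGETS = [
  Target.new('Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)', nil),
  Target.new('Windows 2000 Server SP0-SP4+ English', '2000'),
  Target.new('Windows 2003 Server SP1-SP2 English', '2003SP12'),
].freeze

# Stand-in for the module's gettarget: pick a target by OS tag.
def gettarget(os)
  TARGETS.find { |t| t.os == os }
end

class BuggyModule
  attr_accessor :target

  def initialize(index)
    self.target = TARGETS[index]   # setter call: @target is set
  end

  # Same shape as the exploit method quoted in the thread.
  def selected_name(automatic_os = '2003SP12')
    if target.name =~ /Automatic/      # before any assignment: getter call
      target = gettarget(automatic_os) # declares a local named `target`
    end
    target.name                        # local variable: nil for fixed targets
  end
end

class FixedModule
  attr_accessor :target

  def initialize(index)
    self.target = TARGETS[index]
  end

  # Assigning through the accessor never declares a local, so the bare
  # `target` below still calls the getter whichever branch ran.
  def selected_name(automatic_os = '2003SP12')
    if target.name =~ /Automatic/
      self.target = gettarget(automatic_os)
    end
    target.name
  end
end

# Run the fixed (non-automatic) target 2 through both versions.
def demo
  buggy = begin
    BuggyModule.new(2).selected_name
  rescue NoMethodError => e
    e.class                          # NoMethodError, as in the msfconsole trace
  end
  { buggy: buggy, fixed: FixedModule.new(2).selected_name }
end

if __FILE__ == $0
  p demo
end
```

Note that BuggyModule only fails for a fixed target: with target 0 the branch is taken, the local is assigned, and the exploit method appears to work, which is why the automatic path in the thread did not show the problem.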
Current thread:
- BUG: in windows/dcerpc/msdns_zonename (NilClass) Kristian Hermansen (Jun 25)
- BUG: in windows/dcerpc/msdns_zonename (NilClass) M.P.Sairam (Jun 25)
