Metasploit mailing list archives

Bug in auxiliary/admin/backupexec/dump


From: Robin Wood <robin () digininja org>
Date: Thu, 2 Jun 2011 11:35:30 +0100

There is a bug in the auxiliary/admin/backupexec/dump module. In this
code, if the length is less than 4 then get_once is called, but as the
length is less than 4, when 4 is subtracted you are requesting a
negative length:

        def ndmp_recv(nsock = self.sock)
                # Attempt to read at least four bytes (the length value)

                if (self.recv_buff.length < 4)                  
                        self.recv_buff << ( sock.get_once(self.recv_buff.length - 4, 5) || '' )
                end

This is the exception thrown in my situation, as the initial length is
0, so a length of -4 is requested.

msf auxiliary(dump) > exploit

[*] Attempting to retrieve C:\boot.ini...
[-] Auxiliary failed: ArgumentError negative length -4 given
[-] Call stack:
[-]   /Users/robin/src/msf/lib/rex/io/stream.rb:71:in `read_nonblock'
[-]   /Users/robin/src/msf/lib/rex/io/stream.rb:71:in `read'
[-]   /Users/robin/src/msf/lib/rex/io/stream.rb:201:in `get_once'
[-]   /Users/robin/src/msf/lib/msf/core/exploit/ndmp.rb:91:in `ndmp_recv'
[-]   (eval):85:in `run'
[*] Auxiliary module execution completed

It either needs to request a correct length, or this if needs removing
and the next one, which just returns if the length is less than 4, left in.

Robin
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
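
An added example, not part of the original post and not Metasploit code: a length-prefixed read that always asks for the bytes still missing (wanted minus buffered), so the request can never go negative. ChunkedSock, fill, recv_record, MAX_BODY and the 4-byte big-endian length prefix are assumptions made for the illustration.

```ruby
# Constructed stand-in for a socket: returns at most `length` bytes per call,
# in short chunks, and rejects a negative length as in the report above.
class ChunkedSock
  def initialize(data, chunk = 3)
    @data = data.dup.force_encoding(Encoding::BINARY)
    @chunk = chunk
  end

  def get_once(length, _timeout = 5)
    raise ArgumentError, "negative length #{length} given" if length < 0
    return nil if @data.empty?
    @data.slice!(0, [length, @chunk].min)
  end
end

HEADER_LEN = 4       # assumption: 4-byte big-endian length prefix
MAX_BODY   = 1 << 20 # assumption: refuse bodies the peer claims are over 1 MiB

# Top up `buff` until it holds `want` bytes; false if the peer stops sending.
def fill(sock, buff, want)
  while buff.length < want
    # Bytes still missing: want - buffered, which is positive inside this loop.
    data = sock.get_once(want - buff.length, 5)
    return false if data.nil? || data.empty?
    buff << data
  end
  true
end

# Returns one record body, or nil on a short or oversized record.
# Bytes belonging to the next record stay in `buff`.
def recv_record(sock, buff)
  return nil unless fill(sock, buff, HEADER_LEN)
  body_len = buff[0, HEADER_LEN].unpack1('N')
  return nil if body_len > MAX_BODY
  return nil unless fill(sock, buff, HEADER_LEN + body_len)
  buff.slice!(0, HEADER_LEN + body_len)[HEADER_LEN..-1]
end

# The subtraction order from the report, kept for comparison.
def reported_request_length(buff)
  buff.length - 4
end
```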

