Metasploit mailing list archives

BUG: in windows/dcerpc/msdns_zonename (NilClass)


From: kristian.hermansen at gmail.com (Kristian Hermansen)
Date: Mon, 25 Jun 2007 21:46:03 -0400

I tried hacking around at fixing this one today, but it looks like it is a
Ruby bug that never got worked around in MSF 3.0 for some reason?  Trace
below...


administrator at khermans-um64:~/exploits/trunk$ svn up
At revision 5000.
administrator at khermans-um64:~/exploits/trunk$ ./msfconsole

                     888                           888        d8b888
                     888                           888        Y8P888
                     888                           888           888
88888b.d88b.  .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888
888 "888 "88bd8P  Y8b888       "88b88K     888 "88b888d88""88b888888
888  888  88888888888888   .d888888"Y8888b.888  888888888  888888888
888  888  888Y8b.    Y88b. 888  888     X88888 d88P888Y88..88P888Y88b.
888  888  888 "Y8888  "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888
                                           888
                                           888
                                           888


       =[ msf v3.1-dev
+ -- --=[ 200 exploits - 106 payloads
+ -- --=[ 17 encoders - 5 nops
       =[ 38 aux

msf > use windows/dcerpc/msdns_zonename
msf exploit(msdns_zonename) > show options

Module options:

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   Locale  English          yes       Locale for automatic target (English, French, Italian, ...)
   RHOST                    yes       The target address
   RPORT   0                yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)


msf exploit(msdns_zonename) > set RHOST 172.31.4.14
RHOST => 172.31.4.14
msf exploit(msdns_zonename) > set RPORT 53
RPORT => 53
msf exploit(msdns_zonename) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)
   1   Windows 2000 Server SP0-SP4+ English
   2   Windows 2000 Server SP0-SP4+ Italian
   3   Windows 2000 Server SP0-SP4+ French
   4   Windows 2003 Server SP0 English
   5   Windows 2003 Server SP0 French
   6   Windows 2003 Server SP1-SP2 English
   7   Windows 2003 Server SP1-SP2 French
   8   Windows 2003 Server SP1-SP2 Italian
   9   Windows 2003 Server SP1-SP2 German


msf exploit(msdns_zonename) > set TARGET 6
TARGET => 6
msf exploit(msdns_zonename) > set PAYLOAD windows/exec
PAYLOAD => windows/exec
msf exploit(msdns_zonename) > show options

Module options:

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   Locale  English          yes       Locale for automatic target (English, French, Italian, ...)
   RHOST   172.31.4.14      yes       The target address
   RPORT   53               yes       The target port

Payload options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        yes       The command string to execute
   EXITFUNC  thread           yes       Exit technique: seh, thread, process


Exploit target:

   Id  Name
   --  ----
   6   Windows 2003 Server SP1-SP2 English


msf exploit(msdns_zonename) > set CMD calc
CMD => calc
msf exploit(msdns_zonename) > exploit
[-] Exploit failed: undefined method `name' for nil:NilClass
msf exploit(msdns_zonename) > show options

Module options:

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   Locale  English          yes       Locale for automatic target (English, French, Italian, ...)
   RHOST   172.31.4.14      yes       The target address
   RPORT   53               yes       The target port

Payload options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD       calc             yes       The command string to execute
   EXITFUNC  thread           yes       Exit technique: seh, thread, process


Exploit target:

   Id  Name
   --  ----
   6   Windows 2003 Server SP1-SP2 English



Relevant lines are 93 and 110.  For some reason, targets does not get
set properly and remains nil.  Then, when referencing the 'name'
attribute, we raise an exception from Ruby...

<snip>
        # Return the first target whose 'OS' option matches the fingerprinted
        # OS and whose name matches the configured Locale; nil if none match.
        def gettarget(os)
                targets.each do |target|
                        if ((target['OS'] =~ /#{os}/) && (target.name =~ /#{datastore['Locale']}/))
                                return target
                        end
                end

                return nil
        end
</snip>


<snip>
        def exploit
                # Ask the endpoint mapper to locate the port for us
                dport = datastore['RPORT'].to_i

                # target is nil here when no target was resolved, so
                # target.name raises NoMethodError
                if ((dport != 0) && (target.name =~ /Automatic/))
                        print_status("Could not use automatic target when the remote port is given");
                        return
                end
</snip>

I found this from hdm a while back...

http://www.meatsploit.com/archive/framework/msg02280.html

Any ideas?  I would patch it, but I'm not really a Ruby dude at the moment.
 Heh, OK, I'll jump on the Ruby wagon soon I suppose.  FWIW, if I place
a return call before the references to name, the exploit returns cleanly.  I
don't know the MSF3 base well enough to know the coding practices and/or the
effect my simple hack would have on setting target correctly when not
using automatic target selection...
-- 
Kristian Hermansen
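As an added example, not code from the post or from Metasploit: a stand-alone Ruby re-creation of the gettarget lookup and the target.name check quoted above, with a constructed target table, showing the nil dereference that produces the reported NoMethodError and a guarded version that reports the unresolved target instead. ExploitTarget, check_port_unsafe and select_target are hypothetical names.

```ruby
# Added example, not the module's own code: re-creates the gettarget/Locale
# lookup pattern from the post with a constructed target table, showing why
# dereferencing a nil target raises NoMethodError and how a nil guard helps.

# Minimal stand-in for a Metasploit target entry: a name plus an option hash.
class ExploitTarget
  attr_reader :name
  def initialize(name, opts = {})
    @name = name
    @opts = opts
  end
  def [](key)
    @opts[key]
  end
end

# Constructed target table modelled on the `show targets` listing in the post.
TARGETS = [
  ExploitTarget.new('Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)', 'OS' => ''),
  ExploitTarget.new('Windows 2003 Server SP1-SP2 English', 'OS' => 'Windows 2003'),
].freeze

# Mirrors the post's gettarget: first target whose 'OS' option matches the
# detected OS and whose name matches the configured Locale, else nil. The
# module interpolates os/locale unescaped; Regexp.escape is added here.
def gettarget(targets, os, locale)
  targets.each do |t|
    return t if t['OS'] =~ /#{Regexp.escape(os)}/ && t.name =~ /#{Regexp.escape(locale)}/
  end
  nil
end

# The check from the post's exploit method: dereferences target unconditionally,
# so a nil lookup raises NoMethodError (undefined method `name' for nil).
def check_port_unsafe(target, dport)
  (dport != 0 && target.name =~ /Automatic/) ? :refuse_automatic : :ok
end

# Guarded version: resolve the target first, report nil as an explicit error,
# and only then apply the automatic-target/RPORT rule.
def select_target(targets, os, locale, dport)
  t = gettarget(targets, os, locale)
  return [:error, "no target matches os=#{os.inspect} locale=#{locale.inspect}"] if t.nil?
  if dport != 0 && t.name =~ /Automatic/
    return [:error, 'Could not use automatic target when the remote port is given']
  end
  [:ok, t]
end
```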
