Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Update report api to return nil when no active db #17345

Merged
merged 1 commit into from
Dec 9, 2022
Merged

Update report api to return nil when no active db #17345

merged 1 commit into from
Dec 9, 2022

Conversation

adfoster-r7
Copy link
Contributor

@adfoster-r7 adfoster-r7 commented Dec 7, 2022
edited

Fixes a crash when using the report API when verbose mode enabled, and there is no active db enabled

When testing https://github.com/rapid7/metasploit-framework/pull/17236/files I ran into this issue

The following module code, with verbose=true, and no active db would result in a crash:

Module code:

credential_login = create_credential_and_login(credential_data)
credential_login&.core_id

Due to the following code returning a string when the db is not active:

metasploit-framework/lib/msf/core/auxiliary/report.rb

Lines 54 to 61 in c218063

def create_credential_and_login(opts={})
if active_db?
opts = { :task_id => mytask.id }.merge(opts) if mytask
framework.db.create_credential_and_login(opts)
elsif !db_warning_given?
vprint_warning('No active DB -- Credential data will not be saved!')
end
end

Generated error:

[-] 192.168.123.13:445 - Auxiliary failed: NoMethodError undefined method `core_id' for "\e[1m\e[33m[!]\e[0m 192.168.123.13:445 - No active DB -- Credential data will not be saved!\n":String

The crash only happens when verbose mode is enabled and there's no DB attached

Verification

Disconnect from the database

Master

msf6 > use auxiliary/gather/windows_secrets_dump
msf6 auxiliary(gather/windows_secrets_dump) > db_disconnect
Successfully disconnected from the data service: local_db_service.
msf6 auxiliary(gather/windows_secrets_dump) > irb -e 'mod = self.active_module.replicant; mod.datastore["VERBOSE"] = true; puts mod.create_credential_and_login({})&.core_id.inspect'

[!] 127.0.0.1:445 - No active DB -- Credential data will not be saved!
[-] Error while running command irb: undefined method `core_id' for "\e[1m\e[33m[!]\e[0m 127.0.0.1:445 - No active DB -- Credential data will not be saved!\n":String

Call stack:
(eval):1:in `block in cmd_irb'
/Users/adfoster/Documents/code/metasploit-framework/lib/msf/ui/console/command_dispatcher/developer.rb:149:in `eval'
/Users/adfoster/Documents/code/metasploit-framework/lib/msf/ui/console/command_dispatcher/developer.rb:149:in `block in cmd_irb'
/Users/adfoster/Documents/code/metasploit-framework/lib/msf/ui/console/command_dispatcher/developer.rb:149:in `each'
/Users/adfoster/Documents/code/metasploit-framework/lib/msf/ui/console/command_dispatcher/developer.rb:149:in `cmd_irb'
/Users/adfoster/Documents/code/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:581:in `run_command'
/Users/adfoster/Documents/code/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:530:in `block in run_single'
/Users/adfoster/Documents/code/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `each'
/Users/adfoster/Documents/code/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `run_single'
/Users/adfoster/Documents/code/metasploit-framework/lib/rex/ui/text/shell.rb:162:in `run'
/Users/adfoster/Documents/code/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/Users/adfoster/Documents/code/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:23:in `<main>'

This branch

No crash occurs

msf6 auxiliary(gather/windows_secrets_dump) > use auxiliary/gather/windows_secrets_dump
msf6 auxiliary(gather/windows_secrets_dump) > db_disconnect
Successfully disconnected from the data service: local_db_service.
msf6 auxiliary(gather/windows_secrets_dump) > irb -e 'mod = self.active_module.replicant; mod.datastore["VERBOSE"] = true; puts mod.create_credential_and_login({})&.core_id.inspect'

[!] 127.0.0.1:445 - No active DB -- Credential data will not be saved!
nil

@gwillcox-r7 gwillcox-r7 self-assigned this Dec 9, 2022
@gwillcox-r7 gwillcox-r7 added the bug label Dec 9, 2022
@gwillcox-r7
Copy link
Contributor

I think this is a good change, but one thing I am concerned on is that most callers of these functions are not checking the results. That being said this probably out of scope of this PR since this is only trying to fix the library related code, however if we start getting error reports, this may be something to look into further.

@gwillcox-r7
Copy link
Contributor

Changes look good and confirmed fix works as shown in demos. Will land this now.

@gwillcox-r7 gwillcox-r7 added the rn-fix release notes fix label Dec 9, 2022
@gwillcox-r7 gwillcox-r7 merged commit c84b2a6 into rapid7:master Dec 9, 2022
@gwillcox-r7
Copy link
Contributor

Release Notes

A crash has been fixed when using the report API when verbose mode enabled, and there is no active DB enabled.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@gwillcox-r7 gwillcox-r7 gwillcox-r7 approved these changes

Assignees

@gwillcox-r7 gwillcox-r7

Labels
bug rn-fix release notes fix
Projects
Metasploit Kanban
Archived in project
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
2 participants
@adfoster-r7 @gwillcox-r7