
Further improve / fix RHOSTS support for aux modules #11493

Merged
merged 1 commit into from Feb 28, 2019

4 participants
@busterb (Contributor) commented Feb 27, 2019

Auxilus notes that when pulling more than a few RHOSTS targets from the database, MSF writes the intermediate results to a text file instead of leaving them in memory. The aux module check of instantiating a RangeWalker for validation is necessary but insufficient for validating 'file:' RHOSTS specifications.

msf5 auxiliary(scanner/http/title) > services -u -p 80 -R
Services
========

host            port  proto  name  state  info
----            ----  -----  ----  -----  ----
45.33.9.129    80    tcp    http  open   
192.168.8.1    80    tcp    http  open   
192.168.8.22   80    tcp    http  open   
192.168.8.25   80    tcp    http  open   
192.168.8.42   80    tcp    http  open   
192.168.8.43   80    tcp    http  open   
192.168.8.210  80    tcp    http  open   
216.58.19.142  80    tcp          open   

RHOSTS => file:/var/folders/7q/jwhmljqn6nx8lnqft8nf5w2myy7k2k/T/msf-db-rhosts-20190226-38596-b16val

msf5 auxiliary(scanner/http/title) > run
[-] Auxiliary failed: option RHOSTS failed to validate.

This clones logic used in the 'check' method in exploit modules to be able to handle file: properly. I suspect this may need to be consolidated and implemented elsewhere too.

See #11486 for related fixes.

Verification

  • Start msfconsole
  • Have a database with about a dozen hosts that can be queried. I db_nmapped a few local hosts and websites.
  • use auxiliary/scanner/http/title
  • services -u -p 80 -R or something similar to populate a large-enough RHOSTS result such that the 'services' command writes an intermediate file.
  • Verify you can run the scanner module without errors
  • use auxiliary/admin/http/hp_web_jetadmin_exec
  • services -u -p 80 -R or something similar to populate a large-enough RHOSTS result such that the 'services' command writes an intermediate file.
  • Verify you can run the admin module without errors
  • use auxiliary/server/tftp
  • Verify you can run the server module without errors
Further improve / fix RHOSTS support for aux modules
Peleus notes that when pulling more than a few RHOSTS targets from the database, MSF writes the intermediate results to a text file instead of leaving them in memory. The aux module check of instantiating a RangeWalker for validation is necessary but insufficient for validating 'file:' RHOSTS specifications.

This clones logic used in the 'check' method in exploit modules to be able to handle file: properly. I suspect this may need to be consolidated and implemented elsewhere too.
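As an added illustration (not code from this PR, nor from Metasploit or Rex), the stand-alone Ruby below mimics the two paths the description above contrasts: validating the raw `file:` string as-is, which is what produces "option RHOSTS failed to validate", and normalizing the `file:` reference back into its host list before validating and iterating it, which is what the PR's `rhosts_opt.normalize` plus `RangeWalker` combination does. The function names, the accepted host-spec grammar (plain IPv4, CIDR block, `a-b` range) and the sample file contents are assumptions for this example; `Rex::Socket::RangeWalker` accepts more forms than this. It goes slightly beyond the page's single-address case by also expanding CIDRs and ranges from the file.

```ruby
require 'ipaddr'
require 'socket'
require 'tmpdir'

# Added example (not Metasploit/Rex code): a small stand-in for the RHOSTS
# handling this PR fixes. normalize_rhosts, valid_host_spec?, valid_rhosts?,
# valid_without_normalize? and each_rhost are assumed names for illustration.

# Constructed sample shaped like the intermediate file 'services -R' writes.
SAMPLE_RHOSTS_FILE = <<~HOSTS
  # constructed sample: one host spec per line, comments and blanks allowed
  192.168.8.1
  192.168.8.22

  10.0.0.0/30
  192.168.8.40-192.168.8.42
HOSTS

def write_sample_rhosts_file
  path = File.join(Dir.tmpdir, "example-rhosts-#{Process.pid}.txt")
  File.write(path, SAMPLE_RHOSTS_FILE)
  path
end

# Expand a "file:PATH" value into the host specs the file contains (the step
# the PR's normalize call performs); any other value is passed through.
def normalize_rhosts(value)
  value = value.strip
  return value unless value.start_with?('file:')
  File.readlines(value.sub(/\Afile:/, ''))
      .map { |line| line.split('#').first.to_s.strip }
      .reject(&:empty?)
      .join(' ')
end

IPV4 = /\d{1,3}(?:\.\d{1,3}){3}/

# One whitespace-separated RHOSTS entry: IPv4 address, CIDR block, or a-b range.
def valid_host_spec?(spec)
  case spec
  when /\A(#{IPV4})-(#{IPV4})\z/
    lo, hi = Regexp.last_match(1), Regexp.last_match(2)
    IPAddr.new(lo) <= IPAddr.new(hi)
  when %r{\A#{IPV4}(/\d{1,2})?\z}
    IPAddr.new(spec) # raises on an out-of-range octet or prefix
    true
  else
    false
  end
rescue IPAddr::Error
  false
end

# Validation as the PR intends it: expand 'file:' first, then check every entry.
def valid_rhosts?(value)
  entries = normalize_rhosts(value).split
  !entries.empty? && entries.all? { |e| valid_host_spec?(e) }
rescue Errno::ENOENT
  false
end

# The pre-fix behaviour from the PR description: the raw 'file:...' string is
# handed to the validator unexpanded, so a perfectly good host list is rejected.
def valid_without_normalize?(value)
  value.split.all? { |e| valid_host_spec?(e) }
end

# Expand an already-validated RHOSTS value into the individual hosts a scanner
# module would iterate, CIDRs and ranges included, deduplicated in order.
def each_rhost(value)
  hosts = []
  normalize_rhosts(value).split.each do |spec|
    if spec =~ /\A(#{IPV4})-(#{IPV4})\z/
      lo = IPAddr.new(Regexp.last_match(1)).to_i
      hi = IPAddr.new(Regexp.last_match(2)).to_i
      (lo..hi).each { |i| hosts << IPAddr.new(i, Socket::AF_INET).to_s }
    else
      IPAddr.new(spec).to_range.each { |ip| hosts << ip.to_s }
    end
  end
  hosts.uniq
end

if $PROGRAM_NAME == __FILE__
  rhosts = "file:#{write_sample_rhosts_file}"
  puts "without normalize: #{valid_without_normalize?(rhosts)}"
  puts "with normalize:    #{valid_rhosts?(rhosts)}"
  each_rhost(rhosts).each { |h| puts "Running module against #{h}" }
end
```

Run it directly to see the raw `file:` value fail validation while the normalized one passes and expands to nine hosts. The normalize-then-validate order is the whole point: a validator that only looks at the literal option string cannot tell a `file:` reference from a typo, and a missing or unreadable file is reported as a validation failure rather than as an exception mid-run.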

@busterb busterb requested a review from Green-m Feb 27, 2019

rhosts_range.each do |rhost|
nmod = mod.replicant
nmod.datastore['RHOST'] = rhost
vprint_status("Running module against #{rhost}")
print_status("Running module against #{rhost}")
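Review bot: both `vprint_status` and `print_status` appear here with the same message, so one is presumably the removed line and the other the added one; since this sits inside `rhosts_range.each`, the unconditional `print_status` emits one line per host, which for a `file:` list pulled from the database with `services -R` can be a long stream of status lines. Fine if it matches other MSF scanners, but the description should say that `file:` runs are now chattier than before.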

@busterb (Author, Contributor), Feb 27, 2019:

Changed this to non-verbose like other usage in MSF. Otherwise it's completely silent out of the box.

return false
end

rhosts_range = Rex::Socket::RangeWalker.new(rhosts_opt.normalize(rhosts))
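Review bot: `Rex::Socket::RangeWalker.new(rhosts_opt.normalize(rhosts))` builds the walker from the normalized value, but the visible lines show no check of the result before it is iterated; with `return false` already the failure path just above, confirm that the walker is tested with `rhosts_range.valid?` before `rhosts_range.each` runs, so a malformed line inside the `file:` list fails validation instead of iterating an empty range.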

@busterb (Author, Contributor), Feb 27, 2019:

the normalize call here extracts the hosts back from the file

@wvu-r7 (Contributor) approved these changes Feb 27, 2019 and left a comment:

This looks pretty sensible to me. I'll give it a test today.

@wvu-r7 wvu-r7 self-assigned this Feb 27, 2019

@busterb (Contributor, Author) commented Feb 27, 2019

Thanks. I believe @bwatters-r7 might have some insight into how to make the sanity tests also run these three modules in some sort of automated form.

@wvu-r7 (Contributor) commented Feb 27, 2019

msf5 auxiliary(admin/wemo/crockpot) > options

Module options (auxiliary/admin/wemo/crockpot):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   Proxies                   no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS   file:rhosts.txt  yes       The target address range or CIDR identifier
   RPORT    49152            yes       The target port (TCP)
   SSL      false            no        Negotiate SSL/TLS for outgoing connections
   TEMP     Off              yes       Temperature (Accepted: Off, Warm, Low, High)
   TIME     0                yes       Cook time in minutes
   VHOST                     no        HTTP server virtual host


Auxiliary action:

   Name  Description
   ----  -----------
   Cook  Cook stuff


msf5 auxiliary(admin/wemo/crockpot) > cat rhosts.txt
[*] exec: cat rhosts.txt

127.0.0.1
127.0.0.2
msf5 auxiliary(admin/wemo/crockpot) > run
[*] Running module against 127.0.0.1

[-] Running in defanged mode
[*] Running module against 127.0.0.2
[-] Running in defanged mode
[*] Auxiliary module execution completed
msf5 auxiliary(admin/wemo/crockpot) >

The newline in the output is misplaced.

@wvu-r7 (Contributor) commented Feb 27, 2019

Exploits do need to be updated as explained earlier:

msf5 exploit(windows/smb/ms17_010_eternalblue) > run

[-] Exploit failed: The following options failed to validate: RHOSTS.
[*] Exploit completed, but no session was created.
msf5 exploit(windows/smb/ms17_010_eternalblue) >

@Green-m (Contributor) left a comment:

Looks good to me

@wvu-r7 (Contributor) commented Feb 28, 2019

@Green-m: Did you ever figure out the misplaced newline? IIRC, that was a regression from earlier that made it into master.

@Green-m (Contributor) commented Feb 28, 2019

@Green-m: Did you ever figure out the misplaced newline? IIRC, that was a regression from earlier that made it into master.

I have no clue about it, though I remember you and @timwr have noticed and discussed this problem in some issue, can't find where it locates.

@wvu-r7 (Contributor) commented Feb 28, 2019

@Green-m: Found it in #10748. I want it addressed, but it won't be in this PR. Also, @busterb has suggested that he'll tackle file: in exploits in a subsequent PR.

@wvu-r7 approved these changes Feb 28, 2019

@wvu-r7 (Contributor) commented Feb 28, 2019

Release Notes

This fixes a validation bug in setting RHOSTS via file: in an auxiliary module.

@wvu-r7 wvu-r7 merged commit 9dbbea8 into rapid7:master Feb 28, 2019

3 checks passed:

  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed

wvu-r7 added a commit that referenced this pull request Feb 28, 2019

@busterb (Contributor, Author) commented Feb 28, 2019

Thanks @wvu-r7

@busterb (Contributor, Author) commented Feb 28, 2019

Followup file: support for exploits here: #11497
