
nmod fix for non-scanner aux RHOSTS #12111

Merged
merged 1 commit into from
Jul 22, 2019

Conversation

Green-m
Contributor

@Green-m Green-m commented Jul 21, 2019

I think this bug is an unintentional typo in #11551.

Thanks to @fd0 for reporting this bug in #12102.

Ping @busterb @wvu-r7

@wvu wvu self-assigned this Jul 21, 2019
@fd0

fd0 commented Jul 21, 2019

Heh, I'm very glad to have helped (a bit at least) finding the underlying issue! Thanks for your work!

@wvu
Contributor

wvu commented Jul 22, 2019

It looks like this fixes the nmod bug but not the one from #12102.

Before this patch

msf5 auxiliary(gather/java_rmi_registry) > run
[*] Running module against 127.0.0.1

[*] Sending RMI Header...
[-] Auxiliary failed: SocketError getaddrinfo: nodename nor servname provided, or not known
[-] Call stack:
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket.rb:189:in `gethostbyname'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket.rb:189:in `getaddresses'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket.rb:173:in `getaddress'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket.rb:263:in `resolv_nbo'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket.rb:277:in `resolv_nbo_i'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket/switch_board.rb:233:in `best_comm'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket/switch_board.rb:127:in `best_comm'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket/parameters.rb:195:in `initialize'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket/parameters.rb:38:in `new'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket/parameters.rb:38:in `from_hash'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket/tcp.rb:28:in `create'
[-]   /rapid7/metasploit-framework/lib/msf/core/exploit/tcp.rb:106:in `connect'
[-]   /rapid7/metasploit-framework/modules/auxiliary/gather/java_rmi_registry.rb:36:in `run'
[*] Running module against 127.0.0.2
[*] Sending RMI Header...
[-] Auxiliary failed: SocketError getaddrinfo: nodename nor servname provided, or not known
[-] Call stack:
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket.rb:189:in `gethostbyname'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket.rb:189:in `getaddresses'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket.rb:173:in `getaddress'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket.rb:263:in `resolv_nbo'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket.rb:277:in `resolv_nbo_i'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket/switch_board.rb:233:in `best_comm'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket/switch_board.rb:127:in `best_comm'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket/parameters.rb:195:in `initialize'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket/parameters.rb:38:in `new'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket/parameters.rb:38:in `from_hash'
[-]   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket/tcp.rb:28:in `create'
[-]   /rapid7/metasploit-framework/lib/msf/core/exploit/tcp.rb:106:in `connect'
[-]   /rapid7/metasploit-framework/modules/auxiliary/gather/java_rmi_registry.rb:36:in `run'
[*] Auxiliary module execution completed
msf5 auxiliary(gather/java_rmi_registry) >

After this patch

msf5 auxiliary(gather/java_rmi_registry) > run
[*] Running module against 127.0.0.1

[*] 127.0.0.1:1099 - Sending RMI Header...
[-] 127.0.0.1:1099 - Failed to negotiate RMI protocol
[*] Running module against 127.0.0.2
[*] 127.0.0.2:1099 - Sending RMI Header...
[-] 127.0.0.2:1099 - Auxiliary failed: Rex::ConnectionTimeout The connection timed out (127.0.0.2:1099).
[-] 127.0.0.2:1099 - Call stack:
[-] 127.0.0.2:1099 -   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket/comm/local.rb:291:in `rescue in create_by_type'
[-] 127.0.0.2:1099 -   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket/comm/local.rb:263:in `create_by_type'
[-] 127.0.0.2:1099 -   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket/comm/local.rb:33:in `create'
[-] 127.0.0.2:1099 -   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket.rb:49:in `create_param'
[-] 127.0.0.2:1099 -   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket/tcp.rb:37:in `create_param'
[-] 127.0.0.2:1099 -   /Users/wvu/.rbenv/versions/2.6.2/lib/ruby/gems/2.6.0/gems/rex-socket-0.1.17/lib/rex/socket/tcp.rb:28:in `create'
[-] 127.0.0.2:1099 -   /rapid7/metasploit-framework/lib/msf/core/exploit/tcp.rb:106:in `connect'
[-] 127.0.0.2:1099 -   /rapid7/metasploit-framework/modules/auxiliary/gather/java_rmi_registry.rb:36:in `run'
[*] Auxiliary module execution completed
msf5 auxiliary(gather/java_rmi_registry) >

The server did not receive a second connection.

wvu@kharak:~$ ncat -lkv 1099
Ncat: Version 7.70 ( https://nmap.org/ncat )
Ncat: Listening on :::1099
Ncat: Listening on 0.0.0.0:1099
Ncat: Connection from 127.0.0.1.
Ncat: Connection from 127.0.0.1:50542.
JRMIK

@Green-m
Contributor Author

Green-m commented Jul 22, 2019

@wvu-r7 Oh, I overlooked the following bugs; I'll drill down on them.

@fd0

fd0 commented Jul 22, 2019

I'm glad I took some time to write up instructions to reproduce the issue without having to run two Java RMI services :P

@wvu
Contributor

wvu commented Jul 22, 2019

@fd0: Can you open a new issue for #12102? I'm going to land this, since it fixes a different bug.

@wvu wvu changed the title from "Fix bug to solve aux rhosts issue." to "nmod fix for non-scanner aux RHOSTS" Jul 22, 2019
@wvu wvu merged commit 9203a0a into rapid7:master Jul 22, 2019
wvu added a commit that referenced this pull request Jul 22, 2019
Credit to @fd0 for finding the bug in java_rmi_registry.
@wvu
Contributor

wvu commented Jul 22, 2019

Release Notes

This fixes a typo in RHOSTS handling for non-scanner auxiliary modules.

@jmartin-tech
Contributor

Tagged as Global RHOSTS is still an msf5 feature.

@Green-m Green-m deleted the issue/rhosts_aux branch July 23, 2019 03:25