Fix session crashing when unsetting smbuser or smbpass for a smb module #15982
Conversation
This change makes sense (and the tests pass). Tentatively approved. I'm not sure if there are historical reasons why we do not allow blank usernames in the SMB client. I believe SMB/samba requires a username. On the other hand, comments in the auth brute library imply a blank username or blank password are permitted (see metasploit-framework/lib/msf/core/auxiliary/auth_brute.rb, lines 549 to 552 in 56b19e5).
In the test output above you tested when both What happens when:
Hey @bcoles, yep, that really makes sense. Because it may seem that SMB would require a username somehow. But again, going through the comments in the auth library, it says that we would be lucky if a blank username/password works. I guess that means we can attempt to set up an exploit even with blank usernames? When smbpass is set but smbuser is unset, log:
I believe the bug #15916 was about when both smbuser and smbpass were unset? If smbuser were unset and smbpass were set, it should produce the correct error message, as it is producing now, right? Or should it be some other way? What do you think? Any changes to be done?
Any updates, @bcoles?
I'm fine with these changes too. A blank username and password should be treated as a
Hey @cdelafuente-r7, thanks for the update. The null session makes sense.
Hey @bcoles @cdelafuente-r7, can we have some updates?
Yeah, I agree with the others that this makes sense. If user is nil, this normalizes it into a string, which is what is done for pass already.
Using psexec as an example, before these changes:
msf6 exploit(windows/smb/psexec) > unset SMBUser
Unsetting SMBUser...
msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445 as user ''...
[-] 192.168.159.10:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: undefined method `encode' for nil:NilClass
Did you mean? encode_tlv
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/psexec) >
After these changes:
msf6 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 192.168.159.128:4444
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445 as user ''...
[-] 192.168.159.10:445 - Exploit failed [no-access]: Rex::Proto::SMB::Exceptions::LoginError Login Failed: (0xc000006d) STATUS_LOGON_FAILURE: The attempted logon is invalid. This is either due to a bad username or authentication information.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/psexec) >
Thanks @3V3RYONE for tracking this down and fixing it! 🎉
Release Notes: This fixes a bug where modules using the SMB client would crash when the
It was my pleasure working on it! I love the community and look forward to contributing more! :)
This PR fixes #15916
Cause of bug:
The cause of this issue was that the login_scanner.rb code checked for either valued creds or empty strings before applying the force_encoding method on them. There was no explicit check on nil values. So unsetting the smbuser and smbpass makes the creds nil values, which raises the undefined method force_encoding exception.
Approach:
So one solution was to have an explicit check on the nil values in the login_scanner.rb code. However, I figured out that login_scanner.rb always referenced simple_client.rb while attempting a login on the creds. And in the simple_client.rb code, there was a check on the smbpass, which made it assign to an empty string if it was a nil value. Jackpot! So here I just added the same condition for smbuser as well, which solved the bug! I chose to change simple_client.rb because instead of applying the nil check condition on all files which have smbuser creds, it would be better to change the sole root file which they always reference for attempting a login.
Before:
After:
Verification
msfconsole
use exploit/windows/smb/ms07_029_msdns_zonename
unset smbuser
unset smbpass
set RHOSTS TARGET_IP_ADDR
run
run
run completes the exploit successfully even though no session is created.
run does not crash or raise an exception.
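As an added example (not code from metasploit-framework or from the PR author), the Ruby below mirrors the nil-to-empty-string normalisation the approach above describes, in isolation: a "before" variant that only normalises the password and so reproduces the NoMethodError crash from #15916 when SMBUser is unset, and an "after" variant that normalises both fields so that an unset user/pass becomes a blank-credential (null session style) attempt instead of an exception. The function names, the ASCII-8BIT target encoding, and the returned hash shape are assumptions made for illustration; only the nil-check pattern itself reflects the change discussed.

```ruby
# Added example, not metasploit-framework code. Demonstrates why a nil
# username crashed the SMB login path and how normalising it fixes that.
# Encoding choice (ASCII-8BIT) and function names are assumptions.

# "Before": only the password is normalised. A nil user reaches
# force_encoding and raises NoMethodError (the crash reported in #15916).
def encode_creds_before(user, pass)
  pass = '' if pass.nil?
  # dup so frozen/chilled string literals are not mutated in place
  [user.dup.force_encoding('ASCII-8BIT'), pass.dup.force_encoding('ASCII-8BIT')]
end

# "After": both fields get the same nil check, so `unset SMBUser` and
# `unset SMBPass` both become '' before any String method is called.
def encode_creds_after(user, pass)
  user = '' if user.nil?
  pass = '' if pass.nil?
  [user.dup.force_encoding('ASCII-8BIT'), pass.dup.force_encoding('ASCII-8BIT')]
end

# Exercises one variant over the combinations raised in the thread
# (both set, only pass set, only user set, both unset). A raised
# NoMethodError is caught and reported instead of killing the caller,
# so the two behaviours can be compared side by side.
def login_attempt(user, pass, fixed:)
  user_b, pass_b = fixed ? encode_creds_after(user, pass) : encode_creds_before(user, pass)
  {
    user: user_b,
    pass: pass_b,
    # blank user and blank password together is what a null session sends
    null_session: user_b.empty? && pass_b.empty?
  }
rescue NoMethodError => e
  { error: e.message }
end

if __FILE__ == $PROGRAM_NAME
  [[nil, 'secret'], ['admin', nil], [nil, nil], ['admin', 'secret']].each do |u, p|
    puts "user=#{u.inspect} pass=#{p.inspect}"
    puts "  before: #{login_attempt(u, p, fixed: false).inspect}"
    puts "  after:  #{login_attempt(u, p, fixed: true).inspect}"
  end
end
```

Running the script shows the "before" variant returning an error hash containing `force_encoding` for every case where the user is nil, while the "after" variant always returns binary-encoded strings and flags the both-unset case as a null session, which is the point at which the server, not the client, decides whether to accept the logon.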