Read full response on smtp send/recv #16153
For anyone interested in what extra values are returned on
This does look to match the expectations for an Updated: The socket read has been moved before any auth attempt.
1541b03 to 02116d5
May want to test it against the smtp capture server as well. Just to make sure the two work together.
When connecting to an SMTP server after `HELO` and auth complete there can be additional data sent from the client that sits in the socket queue. Adding a `get_once` after connection has settled ensures any pending for extension responses are cleared.
02116d5 to 5bc60f5
After some further discussion, revision here forces read from the socket until an empty queue returns.
When dealing with SMTP servers the communication needs to follow a known protocol. To ensure the socket is in the correct state after a send and receive it needs to be read until a line returns a response code followed by a `space`, additional data and `\r\n`, or the response code immediately followed by `\r\n`.
* define smtp_send_recv expectations
Docker failure is upstream CDN:
Need to run again in a few hours.
@@ -244,6 +246,9 @@ def raw_send_recv(cmd, nsock=self.sock) | |||
begin | |||
nsock.put(cmd) | |||
res = nsock.get_once | |||
while !(res =~ /(^|\r\n)\d{3}( .*|)\r\n$/) && chunk = nsock.get_once |
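Review bot: the loop condition on the `while` line treats any `\d{3} ...\r\n` or `\d{3}\r\n` line that appears anywhere in `res` as the end of the reply, so a terminating line that arrives in the same chunk as the start of an unrelated reply still satisfies the regex and the trailing bytes stay in `res` unnoticed; likewise, when `nsock.get_once` returns `nil` (timeout or closed socket) the `&& chunk = nsock.get_once` clause ends the loop and the partial `res` is returned as if complete. Suggest checking that the matched terminating line is the last thing in `res` (and raising a clear error otherwise), and raising when `get_once` returns `nil` before a terminating line has been seen, rather than silently returning a partial reply.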
Not a blocker:
I think there would be benefits to this method having an extra line or three of validation added, to handle the scenarios:
- Reading half of a multiline response
- Reading a multiline response successfully - but also having additional unrelated status codes in the buffer
- Getting timeouts from `nsock.get_once`
In certain scenarios this won't cause any issue, and in others it could lead to unexpected behavior that is hard to debug from stack traces alone.
This is of course an existing problem with this module, but it feels like something we could resolve given we've identified problems with the SMTP library already
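The three scenarios listed above (a half-read multi-line reply, a complete reply followed by unrelated status lines, and a read that returns nothing) are what an SMTP reply reader has to distinguish. The following is an added example, not the PR's code or part of the Metasploit mixin: a pure-Ruby reader that follows the RFC 5321 reply grammar (`250-text` continuation lines, `250 text` or a bare `250` as the terminating line), returns any bytes left after the terminating line as "extra" instead of leaving them in the buffer, and raises when the chunk source runs dry before the reply is complete. `ChunkSource` and `read_chunk` are constructed stand-ins for a `Rex::Socket` and its `get_once`; the reply bytes in the demo are likewise constructed.

```ruby
# Added example: read one complete SMTP reply from a chunked byte source.
# Not code from rapid7/metasploit-framework; ChunkSource#read_chunk is a
# constructed stand-in for Rex::Socket#get_once (returns a String, or nil on
# timeout/EOF).

class SmtpReplyError < RuntimeError; end

# One reply line: three-digit code, then " " (last line), "-" (continuation)
# or nothing (bare code, last line), then text, then CRLF.
SMTP_LINE_RE = /\A(\d{3})([ -]?)(.*)\r\n\z/

# Parses as many complete lines as `buf` holds. Returns nil while the reply
# is still incomplete, otherwise [code, text_lines, extra_bytes], where
# extra_bytes is whatever followed the terminating line (should be empty).
def parse_reply(buf)
  code = nil
  lines = []
  rest = buf.dup
  while (idx = rest.index("\r\n"))
    line = rest[0, idx + 2]
    rest = rest[(idx + 2)..-1]
    m = SMTP_LINE_RE.match(line)
    raise SmtpReplyError, "malformed SMTP line: #{line.inspect}" unless m
    code ||= m[1]
    # All lines of one multi-line reply carry the same code (RFC 5321 4.2.1).
    raise SmtpReplyError, "reply code changed mid-reply (#{code} -> #{m[1]})" if m[1] != code
    lines << m[3]
    # "-" means more lines follow; a space or a bare code ends the reply.
    return [code.to_i, lines, rest] if m[2] != '-'
  end
  nil
end

# Keeps reading chunks until parse_reply reports a complete reply. A nil
# chunk before that point is an incomplete reply, which is an error rather
# than something to hand back to the caller.
def read_smtp_reply(source)
  buf = String.new
  loop do
    result = parse_reply(buf)
    return result if result
    chunk = source.read_chunk
    raise SmtpReplyError, "incomplete SMTP reply: #{buf.inspect}" if chunk.nil?
    buf << chunk
  end
end

# Constructed chunk source: hands out a scripted sequence of socket reads.
class ChunkSource
  def initialize(chunks)
    @chunks = chunks.dup
  end

  def read_chunk
    @chunks.shift
  end
end

if $PROGRAM_NAME == __FILE__
  # Constructed EHLO reply split across two reads, followed by a stray line.
  src = ChunkSource.new(["250-mail.example PIPE", "LINING\r\n250 8BITMIME\r\n220 stray\r\n"])
  code, lines, extra = read_smtp_reply(src)
  puts "code=#{code} lines=#{lines.inspect} extra=#{extra.inspect}"
  begin
    read_smtp_reply(ChunkSource.new(["250-only half\r\n"]))
  rescue SmtpReplyError => e
    puts "rejected: #{e.message}"
  end
end
```

Returning the trailing bytes separately lets the caller decide whether to raise (as the follow-up in this thread does) or to keep them for the next read, while the nil-chunk check turns a timeout into a traceable `SmtpReplyError` instead of a silently truncated reply.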
I added a `RuntimeError` when the response is incomplete or has extra data. I am not 100% sure this will work out well with the `smtp_relay` module. I am really not interested in building out a full SMTP client in this mixin; if we need more it may be better to bring in the `net-smtp` gem and adjust to inject a `Rex::Socket`. If we convert to `net-smtp` there may be a need for some sort of raw socket proxy to support the `smtp_relay` module though.
Looks good to me from a quick pass 🎉
Will have to find a cycle to test it, or if anyone else wants to grab it before then - that works for me too! 🚢
Ran into some issues with the verification steps as the test server I used didn't support the
Docker setup used:
Release Notes: This fixes a bug in the
changes in rapid7#16153 adjusted modules that were not utilizing `Exploit::Remote::SMTPDeliver` in error restore calls to `raw_send_recv` that is no longer shadowed by in `SMTPDeliver`.
When connecting to an SMTP server after `EHLO` and before auth there can be additional data sent from the client that sits in the socket queue. Adding a `get_once` after connection has settled ensures any pending `banner` for extension responses are cleared.
Verification
List the steps needed to make sure this thing works
Testing utilizes https://github.com/kura/blackhole/

```
msfconsole
use emailer
set RHOSTS 127.0.0.1
run
```
Previous results:
Revised results: