Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix File Read Assumptions and Other Bugs #9029

Merged
merged 2 commits into from Oct 12, 2017
Merged

Fix File Read Assumptions and Other Bugs #9029

merged 2 commits into from Oct 12, 2017

Conversation

h00die
Copy link
Contributor

@h00die h00die commented Oct 1, 2017
edited by acammack-r7

Similar to #8987 I put an ssh_login shell (which defaults to linux) on my Juniper SSG 5. Then went through all the linux/multi post modules to see which ones crashes.
This should catch:

  • Assuming a file can be read without verifying it will be there first
  • Force "Else" cases since this is a non-standard platform
  • Check cases are handled where a command returns nil or empty (since the command wont run on the juniper)

Verification

  • Try the modules and make sure they dont crash any more on something (like a cisco)

Details

The basic format of this is load module, run it, see crash. (fix it in a different window) rexploit to prove fix worked.

post/linux/gather/mount_cifs_creds

msf post(hashdump) > use post/linux/gather/mount_cifs_creds 
msf post(mount_cifs_creds) > run

[-] Post failed: NoMethodError undefined method `each_line' for nil:NilClass
[-] Call stack:
[-]   metasploit-framework/modules/post/linux/gather/mount_cifs_creds.rb:41:in `run'
[*] Post module execution completed
msf post(mount_cifs_creds) > rexploit

[-] Post aborted due to failure: not-found: /etc/fstab not found on system
[*] Post module execution completed

post/multi/escalate/metasploit_pcaplog

msf post(cups_root_file_read) > use post/multi/escalate/metasploit_pcaplog 
msf post(metasploit_pcaplog) > run

[*] Setting up the victim's /tmp dir
[-] Post failed: NoMethodError undefined method `lines' for nil:NilClass
[-] Call stack:
[-]   metasploit-framework/modules/post/multi/escalate/metasploit_pcaplog.rb:64:in `run'
[*] Post module execution completed
msf post(metasploit_pcaplog) > rexploit
[*] Reloading module...

[*] Setting up the victim's /tmp dir
[-] Post aborted due to failure: not-found: /etc/passwd not found on system
[*] Post module execution completed
msf post(metasploit_pcaplog) >

post/multi/gather/enum_vbox

msf post(docker_creds) > use post/multi/gather/enum_vbox 
msf post(enum_vbox) > run

[-] Post failed: TypeError no implicit conversion of nil into String
[-] Call stack:
[-]   metasploit-framework/lib/msf/core/module/ui/message.rb:34:in `+'
[-]   metasploit-framework/lib/msf/core/module/ui/message.rb:34:in `print_status'
[-]   metasploit-framework/lib/msf/core/module/ui/message/verbose.rb:16:in `vprint_status'
[-]   metasploit-framework/modules/post/multi/gather/enum_vbox.rb:58:in `run'
[*] Post module execution completed
msf post(enum_vbox) > rexploit
[*] Reloading module...
[*] Post module execution completed

post/multi/gather/lastpass_creds

msf post(jenkins_gather) > use post/multi/gather/lastpass_creds 
rumsf post(lastpass_creds) > run

[*] Searching for LastPass databases
[-] Post failed: NameError undefined local variable or method `os' for #<Msf::Modules::Mod706f73742f6d756c74692f6761746865722f6c617374706173735f6372656473::MetasploitModule:0x0056486e8c4e68>
[-] Call stack:
[-]   metasploit-framework/modules/post/multi/gather/lastpass_creds.rb:197:in `user_profiles'
[-]   metasploit-framework/modules/post/multi/gather/lastpass_creds.rb:69:in `build_account_map'
[-]   metasploit-framework/modules/post/multi/gather/lastpass_creds.rb:46:in `run'
[*] Post module execution completed
msf post(lastpass_creds) > rexploit
[*] Reloading module...

[*] Searching for LastPass databases
[-] OS not recognized: 
[*] No databases found
[*] Post module execution completed

@h00die h00die added the bug label Oct 1, 2017
@sempervictus
Copy link
Contributor

@hoodie Thanks as always. Sorta thinking this type of fix needs to be a more natural part of the api abstraction to remote ops, like in meterp sessions. We have a great post api, but its not used very consistently at the module level, and could probably benefit from your attention to detail itself since it should offer wider coverage if implemented consistently.

@h00die
Copy link
Contributor Author

h00die commented Oct 1, 2017

you're thinking def file_read should include a check to make sure the file is there first... that would save LOTS of lines of code elsewhere and seem to make sense to me as opposed to all these checks all over the place.
Attention to detail? no, more like @wvu-r7 told me to stop complaining and fix it myself (in a nice way).

@h00die h00die mentioned this pull request Oct 9, 2017
Merged
4 tasks
@acammack-r7
Copy link
Contributor

Having things in the post API that did more checks, or wrapped the exploit run in an exception handler that would catch errors like "file not found" and fail_with appropriately would be nice, but these fixes are good for now. Thanks @h00die!

@acammack-r7 acammack-r7 merged commit a676f60 into rapid7:master Oct 12, 2017
acammack-r7 added a commit that referenced this pull request Oct 12, 2017
@acammack-r7
Land #9029, Fix Linux post module file assumptions
9b219f4
@acammack-r7
Copy link
Contributor

acammack-r7 commented Oct 12, 2017
edited by jmartin-tech

Release Notes

Linux post modules no longer assume the presence of files they read.

@h00die h00die deleted the cifs_fix branch October 13, 2017 01:34
@tdoan-r7 tdoan-r7 added the rn-fix release notes fix label Nov 1, 2017
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
bug rn-fix release notes fix
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
4 participants
@h00die @sempervictus @acammack-r7 @tdoan-r7