From 766829c939ac2ebfa3a3b67176ef856a88d5317c Mon Sep 17 00:00:00 2001
From: Jon Hart
Date: Sun, 27 Sep 2015 13:46:00 -0700
Subject: [PATCH 01/13] Fix #6008 for xmas.rb
---
 modules/auxiliary/scanner/portscan/xmas.rb | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/modules/auxiliary/scanner/portscan/xmas.rb b/modules/auxiliary/scanner/portscan/xmas.rb
index cec2214f64..8f64a84695 100644
--- a/modules/auxiliary/scanner/portscan/xmas.rb
+++ b/modules/auxiliary/scanner/portscan/xmas.rb
@@ -55,9 +55,11 @@ class Metasploit3 < Msf::Auxiliary
 to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
+ # we copy the hosts because some may not be reachable and need to be ejected
+ host_queue = hosts.dup
 # Spread the load across the hosts
 ports.each do |dport|
- hosts.each do |dhost|
+ host_queue.each do |dhost|
 shost, sport = getsource(dhost)
 pcap.setfilter(getfilter(shost, sport, dhost, dport))
@@ -65,7 +67,10 @@ class Metasploit3 < Msf::Auxiliary
 begin
 probe = buildprobe(shost, sport, dhost, dport)
- capture_sendto(probe, dhost)
+ unless capture_sendto(probe, dhost)
+ host_queue.delete(dhost)
+ next
+ end
 reply = probereply(pcap, to)
From 3888b793bd14b7d735fc328d1f3983a68024f8a5 Mon Sep 17 00:00:00 2001
From: Jon Hart
Date: Sun, 27 Sep 2015 13:53:47 -0700
Subject: [PATCH 02/13] Fix #6008 for ack.rb
---
 modules/auxiliary/scanner/portscan/ack.rb | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/modules/auxiliary/scanner/portscan/ack.rb b/modules/auxiliary/scanner/portscan/ack.rb
index 955ae59b8d..e020120a0e 100644
--- a/modules/auxiliary/scanner/portscan/ack.rb
+++ b/modules/auxiliary/scanner/portscan/ack.rb
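Review bot: `host_queue.delete(dhost)` in the second hunk removes an element from the very array that `host_queue.each` (first hunk) is iterating, and Array#each advances by index, so the host immediately after an unreachable one is skipped for the current `dport` — it still gets probed on later ports, which makes the gap easy to miss in results. Iterate a snapshot instead, i.e. change the first hunk's loop line to `host_queue.dup.each do |dhost|`, or collect failures into a local Array and apply `host_queue -= dead` after the inner loop. This assumes `hosts` is a plain Array, which the `.dup` and `.delete` calls imply but the method signature (outside the hunk) would confirm. The `rescue` that closes the `begin` also lies outside the hunk, so I cannot see whether a raising `capture_sendto` is handled the same way as a falsy return.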
@@ -55,9 +55,11 @@ class Metasploit3 < Msf::Auxiliary
 to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
+ # we copy the hosts because some may not be reachable and need to be ejected
+ host_queue = hosts.dup
 # Spread the load across the hosts
 ports.each do |dport|
- hosts.each do |dhost|
+ host_queue.each do |dhost|
 shost, sport = getsource(dhost)
 pcap.setfilter(getfilter(shost, sport, dhost, dport))
@@ -65,7 +67,10 @@ class Metasploit3 < Msf::Auxiliary
 begin
 probe = buildprobe(shost, sport, dhost, dport)
- capture_sendto(probe, dhost)
+ unless capture_sendto(probe, dhost)
+ host_queue.delete(dhost)
+ next
+ end
 reply = probereply(pcap, to)
From 5b1ee8c8caf4b0b76828a2ff4c096aca757e43e9 Mon Sep 17 00:00:00 2001
From: Jon Hart
Date: Sun, 27 Sep 2015 13:54:11 -0700
Subject: [PATCH 03/13] Fix #6008 for syn.rb
---
 modules/auxiliary/scanner/portscan/syn.rb | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)
diff --git a/modules/auxiliary/scanner/portscan/syn.rb b/modules/auxiliary/scanner/portscan/syn.rb
index e547ffd853..b59ee5c028 100644
--- a/modules/auxiliary/scanner/portscan/syn.rb
+++ b/modules/auxiliary/scanner/portscan/syn.rb
@@ -53,9 +53,11 @@ class Metasploit3 < Msf::Auxiliary
 to = (datastore['TIMEOUT'] || 500).to_f / 1000.0
+ # we copy the hosts because some may not be reachable and need to be ejected
+ host_queue = hosts.dup
 # Spread the load across the hosts
 ports.each do |dport|
- hosts.each do |dhost|
+ host_queue.each do |dhost|
 shost, sport = getsource(dhost)
 self.capture.setfilter(getfilter(shost, sport, dhost, dport))
@@ -63,7 +65,10 @@ class Metasploit3 < Msf::Auxiliary
 begin
 probe = buildprobe(shost, sport, dhost, dport)
- capture_sendto(probe, dhost)
+ unless capture_sendto(probe, dhost)
+ host_queue.delete(dhost)
+ next
+ end
 reply = probereply(self.capture, to)
From d3a41323b88e342bb3d5fe207221c1d51873d4ab Mon Sep 17 00:00:00 2001
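Review bot: the ack.rb change has the same delete-while-iterating problem as xmas.rb: `host_queue.delete(dhost)` in the second hunk shrinks the array that the first hunk's `host_queue.each` is walking by index, so the host following an unreachable one is silently skipped for the current `dport`. Use `host_queue.dup.each do |dhost|` on the loop line, or defer removal until after the inner loop (`host_queue -= dead`). Since this block is duplicated across three port scanners with only the capture handle differing, a shared helper in the portscan mixin would keep the fix from drifting; the enclosing method and the `rescue` for the `begin` are outside the hunk.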
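Review bot: in syn.rb, `host_queue.delete(dhost)` inside `host_queue.each` skips the next host for the current `dport`, because Array#each keeps an index while the deletion shifts later elements down by one. Snapshot the queue per port with `host_queue.dup.each do |dhost|` (first hunk), or accumulate unreachable hosts and subtract them after the inner loop. The fix should land identically in xmas.rb and ack.rb, which carry the same pattern; the method body and its `rescue` are not visible in this hunk.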
From: Jon Hart
Date: Sun, 27 Sep 2015 14:05:05 -0700
Subject: [PATCH 04/13] Fix #6008 for ipidseq.rb
---
 modules/auxiliary/scanner/ip/ipidseq.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/auxiliary/scanner/ip/ipidseq.rb b/modules/auxiliary/scanner/ip/ipidseq.rb
index f7980275fb..aa3e1a9244 100644
--- a/modules/auxiliary/scanner/ip/ipidseq.rb
+++ b/modules/auxiliary/scanner/ip/ipidseq.rb
@@ -69,7 +69,7 @@ class Metasploit3 < Msf::Auxiliary
 probe = buildprobe(shost, sport, ip, rport)
- capture_sendto(probe, ip)
+ next unless capture_sendto(probe, ip)
 reply = probereply(pcap, to)
From 06a10e136a03a61736fa9a1e6da3d31e60c823ae Mon Sep 17 00:00:00 2001
From: Jon Hart
Date: Sun, 27 Sep 2015 14:12:23 -0700
Subject: [PATCH 05/13] Fix #6008 for rogue_send
---
 modules/auxiliary/scanner/rogue/rogue_send.rb | 4 +---
 1 file changed, 1 insertion(+), 3 deletions(-)
diff --git a/modules/auxiliary/scanner/rogue/rogue_send.rb b/modules/auxiliary/scanner/rogue/rogue_send.rb
index 73b585bfdc..f9c8818c55 100644
--- a/modules/auxiliary/scanner/rogue/rogue_send.rb
+++ b/modules/auxiliary/scanner/rogue/rogue_send.rb
@@ -43,9 +43,7 @@ class Metasploit3 < Msf::Auxiliary
 pcap = self.capture
- capture_sendto(build_tcp_syn(ip), ip)
-
- capture_sendto(build_icmp(ip), ip)
+ capture_sendto(build_tcp_syn(ip), ip) && capture_sendto(build_icmp(ip), ip)
 close_pcap
 end
From 20ddb65ff8ed6915853fd02a2b8310f32eb76c8c Mon Sep 17 00:00:00 2001
From: Jon Hart
Date: Sun, 27 Sep 2015 14:18:51 -0700
Subject: [PATCH 06/13] Fix #6008 for bnat_scan
---
 modules/auxiliary/bnat/bnat_scan.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/auxiliary/bnat/bnat_scan.rb b/modules/auxiliary/bnat/bnat_scan.rb
index 8c1589a027..278b9d6d26 100644
--- a/modules/auxiliary/bnat/bnat_scan.rb
+++ b/modules/auxiliary/bnat/bnat_scan.rb
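Review bot: `next unless capture_sendto(probe, ip)` drops the iteration without any output, so a host (or sample) that could not be sent to simply disappears from the IPID results and the operator has no way to tell a send failure from a host that never answered. Add a `vprint_error("#{ip}: could not send IPID probe, skipping")` before skipping, e.g. by turning the modifier into an `unless` block. The loop that `next` targets begins above the hunk, so I cannot see whether it iterates samples or hosts; the message should name whichever it is.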
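Review bot: the merged `capture_sendto(build_tcp_syn(ip), ip) && capture_sendto(build_icmp(ip), ip)` line discards its value, so when the SYN probe cannot be sent the ICMP probe is skipped and the host produces no result with no explanation; only `close_pcap` gives any sign the method ran. Wrap it so the failure is reported, e.g. `print_error("#{ip}: failed to send probe") unless capture_sendto(build_tcp_syn(ip), ip) && capture_sendto(build_icmp(ip), ip)`. Note this assumes `capture_sendto` returns a falsy value on failure rather than raising, which is what the whole series relies on but is not visible here.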
@@ -89,7 +89,7 @@ class Metasploit3 < Msf::Auxiliary
 ackbpf = "tcp [8:4] == 0x#{(p.tcp_seq + 1).to_s(16)}"
 pcap.setfilter("tcp and tcp[13] == 18 and not host #{ip} and src port #{p.tcp_dst} and dst port #{p.tcp_src} and #{ackbpf}")
- capture_sendto(p, ip)
+ break unless capture_sendto(p, ip)
 reply = probe_reply(pcap, to)
 next if reply.nil?
From 7b026676f1b41626fced70f5feae6ec2966f1e5e Mon Sep 17 00:00:00 2001
From: Jon Hart
Date: Sun, 27 Sep 2015 14:47:05 -0700
Subject: [PATCH 07/13] Fix #6008 for avahi_portzero
---
 modules/auxiliary/dos/mdns/avahi_portzero.rb | 5 +----
 1 file changed, 1 insertion(+), 4 deletions(-)
diff --git a/modules/auxiliary/dos/mdns/avahi_portzero.rb b/modules/auxiliary/dos/mdns/avahi_portzero.rb
index b17d1b2aff..4cf177b852 100644
--- a/modules/auxiliary/dos/mdns/avahi_portzero.rb
+++ b/modules/auxiliary/dos/mdns/avahi_portzero.rb
@@ -45,10 +45,7 @@ class Metasploit3 < Msf::Auxiliary
 p.udp_dport = datastore['RPORT'].to_i
 p.payload = Rex::Text.rand_text(rand(0x20)) # UDP needs at least one data byte, may as well send a few.
 p.recalc
- capture_sendto(p, rhost)
-
+ capture_sendto(p, rhost) and print_status("Avahi should be down now")
 close_pcap
-
- print_status("Avahi should be down now")
 end
 end
From 7ad7db744225ed4ea6d0f0e3463edf0387ef574c Mon Sep 17 00:00:00 2001
From: Jon Hart
Date: Sun, 27 Sep 2015 14:48:58 -0700
Subject: [PATCH 08/13] Fix #6008 for rogue_send. Correctly.
---
 modules/auxiliary/scanner/rogue/rogue_send.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/auxiliary/scanner/rogue/rogue_send.rb b/modules/auxiliary/scanner/rogue/rogue_send.rb
index f9c8818c55..6634ca0885 100644
--- a/modules/auxiliary/scanner/rogue/rogue_send.rb
+++ b/modules/auxiliary/scanner/rogue/rogue_send.rb
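Review bot: `break unless capture_sendto(p, ip)` ends the whole enclosing loop for this `ip` on the first failed send, while `next if reply.nil?` two lines below treats a missing reply as a per-iteration event — if the loop is over ports, a single send failure silently abandons every remaining port for the host. If that is deliberate (a send failure is usually host-level, e.g. no ARP/route answer), say so with a comment such as `# a failed send is a host-level problem, not a port-level one: stop probing this host` and emit a `vprint_error` before the `break`; otherwise `next` would match the ipidseq.rb change in this series. The loop header is outside the hunk, so which collection it walks is not visible here.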
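Review bot: `capture_sendto(p, rhost) and print_status("Avahi should be down now")` makes a failed send completely silent — `close_pcap` still runs, but the module finishes with no output at all, and chaining a side effect behind `and` hides that there is a failure branch. An explicit conditional with an error message is clearer and tells the operator what happened; the rewritten lines would be:
```ruby
if capture_sendto(p, rhost)
  print_status("Avahi should be down now")
else
  print_error("Failed to send the mDNS packet to #{rhost}")
end
close_pcap
```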
@@ -43,7 +43,7 @@ class Metasploit3 < Msf::Auxiliary
 pcap = self.capture
- capture_sendto(build_tcp_syn(ip), ip) && capture_sendto(build_icmp(ip), ip)
+ capture_sendto(build_tcp_syn(ip), ip) and capture_sendto(build_icmp(ip), ip)
 close_pcap
 end
From 989fe49750b482d0b3a488fcfe7f24def75ac667 Mon Sep 17 00:00:00 2001
From: Jon Hart
Date: Sun, 27 Sep 2015 14:50:59 -0700
Subject: [PATCH 09/13] Fix #6008 for synflood
---
 modules/auxiliary/dos/tcp/synflood.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/auxiliary/dos/tcp/synflood.rb b/modules/auxiliary/dos/tcp/synflood.rb
index c0651e4a6c..0ba1568205 100644
--- a/modules/auxiliary/dos/tcp/synflood.rb
+++ b/modules/auxiliary/dos/tcp/synflood.rb
@@ -60,7 +60,7 @@ class Metasploit3 < Msf::Auxiliary
 p.tcp_sport = sport
 p.tcp_seq = rand(0x100000000)
 p.recalc
- capture_sendto(p,rhost)
+ break unless capture_sendto(p,rhost)
 sent += 1
 end
From bbd08b84e5c816655c82328122cf250af6ed7d32 Mon Sep 17 00:00:00 2001
From: Jon Hart
Date: Sun, 27 Sep 2015 14:53:40 -0700
Subject: [PATCH 10/13] Fix #6008 for snort_dce_rpc
---
 modules/exploits/multi/ids/snort_dce_rpc.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/multi/ids/snort_dce_rpc.rb b/modules/exploits/multi/ids/snort_dce_rpc.rb
index 702b3fbadc..04491e6dc0 100644
--- a/modules/exploits/multi/ids/snort_dce_rpc.rb
+++ b/modules/exploits/multi/ids/snort_dce_rpc.rb
@@ -97,7 +97,7 @@ class Metasploit3 < Msf::Exploit::Remote
 print_status("#{rhost}:#{rport} Sending crafted SMB packet from #{shost}...")
- capture_sendto(p, rhost)
+ return unless capture_sendto(p, rhost)
 handler
 end
From bd2f73f40a3fef6da803e4a361583d879a6c8af6 Mon Sep 17 00:00:00 2001
From: Jon Hart
Date: Sun, 27 Sep 2015 14:55:19 -0700
Subject: [PATCH 11/13] Fix #6008 for wireshark_lwres_getaddrbyname
---
 modules/exploits/multi/misc/wireshark_lwres_getaddrbyname.rb | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
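Review bot: swapping `&&` for `and` changes nothing at runtime here, because the expression is a bare statement whose value is never assigned or compared, so the "Correctly." in the subject is about style only — and style configurations differ on whether `and` is acceptable for control flow. The intent (send the ICMP probe only if the SYN went out) reads more directly as `capture_sendto(build_icmp(ip), ip) if capture_sendto(build_tcp_syn(ip), ip)`, and either form still reports nothing when the first send fails; a `print_error` on that path would be worth adding while the line is being touched.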
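Review bot: `break unless capture_sendto(p,rhost)` halts the flood on the first failed send without saying so, so the operator sees fewer packets than requested and whatever reports `sent` after the loop (outside the hunk) is the only hint that something went wrong. Print the reason and the count before leaving; this also fixes the pre-existing missing space after the comma. The rewritten lines would be:
```ruby
unless capture_sendto(p, rhost)
  print_error("Failed to send to #{rhost}, stopping after #{sent} packet(s)")
  break
end
sent += 1
```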
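Review bot: `return unless capture_sendto(p, rhost)` leaves the exploit method silently right after `print_status` has announced that the crafted SMB packet is being sent, so the user is told it went out and then gets neither a handler nor an error. Report the failure instead, e.g. `fail_with(Failure::Unreachable, "Could not send the crafted SMB packet to #{rhost}") unless capture_sendto(p, rhost)`, or a `print_error` followed by `return` if `fail_with` is not available to this module. If the pcap handle opened earlier in the method is still open at this point, the early return also skips its `close_pcap`; the method body above the hunk is not visible, so please check that ordering.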
diff --git a/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname.rb b/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname.rb
index 10e103dc67..ee804483e5 100644
--- a/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname.rb
+++ b/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname.rb
@@ -204,10 +204,10 @@ class Metasploit3 < Msf::Exploit::Remote
 p.payload = sploit
 p.recalc
- capture_sendto(p, rhost)
+ sent = capture_sendto(p, rhost)
 close_pcap
- handler
+ handler if sent
 else
 print_status("Sending malformed LWRES packet to #{rhost}")
 connect_udp
From 96e4e883ae4bc1ac255095036bac0258a474a6f7 Mon Sep 17 00:00:00 2001
From: Jon Hart
Date: Sun, 27 Sep 2015 14:56:11 -0700
Subject: [PATCH 12/13] Fix #6008 for wireshark_lwres_getaddrbyname_loop
---
 .../exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb b/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb
index 9762c192fc..18db711cc3 100644
--- a/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb
+++ b/modules/exploits/multi/misc/wireshark_lwres_getaddrbyname_loop.rb
@@ -215,7 +215,7 @@ class Metasploit3 < Msf::Exploit::Remote
 while true
 break if session_created? and datastore['ExitOnSession']
- capture_sendto(p, rhost)
+ break unless capture_sendto(p, rhost)
 select(nil,nil,nil,datastore['DELAY'])
 end
From fc9a75719435f0549e86c0feca9d12df873148ba Mon Sep 17 00:00:00 2001
From: Jon Hart
Date: Sun, 27 Sep 2015 15:06:29 -0700
Subject: [PATCH 13/13] Fix #6008 for the 6 modules that use scanner_spoof_send
---
 lib/msf/core/auxiliary/udp_scanner.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/lib/msf/core/auxiliary/udp_scanner.rb b/lib/msf/core/auxiliary/udp_scanner.rb
index d64d0c39ff..50aa154d32 100644
--- a/lib/msf/core/auxiliary/udp_scanner.rb
+++ b/lib/msf/core/auxiliary/udp_scanner.rb
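Review bot: `handler if sent` gets the ordering right — the pcap is closed before the decision is made, which the other modules in this series do not all manage — but a falsy `sent` then falls through to the end of the branch with no message, so a raw-send failure is indistinguishable from a packet that was sent and simply drew no session. Add `print_error("Failed to send the LWRES packet to #{rhost}") unless sent` right after `close_pcap`. The `if` whose `else` branch starts at the bottom of the hunk opens above it, outside the visible lines.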
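Review bot: the loop now has two exits with very different meanings — a session was created, or a send failed — and the new `break unless capture_sendto(p, rhost)` leaves no trace of which one fired, so a raw-socket failure looks exactly like a normal exit. Report the failure before leaving; the `while true` could also become `loop do`, but that is a pre-existing line and not part of this change. The rewritten lines would be:
```ruby
unless capture_sendto(p, rhost)
  print_error("Failed to send the LWRES packet to #{rhost}, giving up")
  break
end
select(nil,nil,nil,datastore['DELAY'])
```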
@@ -86,7 +86,7 @@ module Auxiliary::UDPScanner
 p.recalc
 print_status("Sending #{num_packets} packet(s) to #{ip} from #{srcip}")
 1.upto(num_packets) do |x|
- capture_sendto(p, ip)
+ break unless capture_sendto(p, ip)
 end
 close_pcap
 end
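Review bot: the `print_status` line just above promises `num_packets` packets, and `break unless capture_sendto(p, ip)` then stops quietly after fewer, so the log claims a count that was never sent — and because this helper sits under six modules (per the subject line) every one of them inherits that silence. Report the failure with the actual index, which also gives the currently unused block parameter a purpose; the rewritten loop would be:
```ruby
1.upto(num_packets) do |i|
  unless capture_sendto(p, ip)
    print_error("Failed to send packet #{i} of #{num_packets} to #{ip} from #{srcip}")
    break
  end
end
```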