Open digininja opened 5 years ago
Any details on what the service was? I just ran against a netcat listener and didn't get the same crash.
I was able to reproduce the "Unable to parse encryption req during pre-login, this may not be a MSSQL server" error, but not the stack trace.
The stack trace implies mssql_send_recv or proxy.send_recv is returning false, which should only ever happen in one of these socket reads:
lib/metasploit/framework/mssql/client.rb
head = sock.get_once(8, timeout)
if !(head && head.length == 8)
return false
end
lib/metasploit/framework/mssql/tdssslproxy.rb
head = @ssl_socket.read(8)
if !(head and head.length == 8)
return false
end
I did manage to hang the module and achieve sustained ~100% CPU with nc -vlp 1337 < /dev/urandom though.
Unrelated stack trace, presumably due to hitting ^C on the netcat listener part way through the connection.
msf5 auxiliary(scanner/mssql/mssql_login) > run
[*] 127.0.0.1:1337 - 127.0.0.1:1337 - MSSQL - Starting authentication scanner.
[-] 127.0.0.1:1337 - Auxiliary failed: NoMethodError undefined method `each' for nil:NilClass
[-] 127.0.0.1:1337 - Call stack:
[-] 127.0.0.1:1337 - /root/Desktop/metasploit-framework/lib/metasploit/framework/mssql/client.rb:479:in `mssql_parse_tds_row'
[-] 127.0.0.1:1337 - /root/Desktop/metasploit-framework/lib/metasploit/framework/mssql/client.rb:375:in `mssql_parse_reply'
[-] 127.0.0.1:1337 - /root/Desktop/metasploit-framework/lib/metasploit/framework/mssql/client.rb:276:in `mssql_login'
[-] 127.0.0.1:1337 - /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/mssql.rb:50:in `attempt_login'
[-] 127.0.0.1:1337 - /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:231:in `block in scan!'
[-] 127.0.0.1:1337 - /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:154:in `block in each_credential'
[-] 127.0.0.1:1337 - /root/Desktop/metasploit-framework/lib/metasploit/framework/credential_collection.rb:121:in `each'
[-] 127.0.0.1:1337 - /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:141:in `each_credential'
[-] 127.0.0.1:1337 - /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:205:in `scan!'
[-] 127.0.0.1:1337 - /root/Desktop/metasploit-framework/modules/auxiliary/scanner/mssql/mssql_login.rb:71:in `run_host'
[-] 127.0.0.1:1337 - /root/Desktop/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:111:in `block (2 levels) in run'
[-] 127.0.0.1:1337 - /root/Desktop/metasploit-framework/lib/msf/core/thread_manager.rb:106:in `block in spawn'
[*] Auxiliary module execution completed
And spoof a fake successful login:
msf5 auxiliary(scanner/mssql/mssql_login) > run
[*] 127.0.0.1:1337 - 127.0.0.1:1337 - MSSQL - Starting authentication scanner.
[!] 127.0.0.1:1337 - No active DB -- Credential data will not be saved!
[+] 127.0.0.1:1337 - 127.0.0.1:1337 - Login Successful: WORKSTATION\asdf:asdf
[*] 127.0.0.1:1337 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf5 auxiliary(scanner/mssql/mssql_login) > run
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
I'm in the same area at the minute looking at mssql modules. If there's replication steps available I could throw up a PR for this 👀
I've just tried with my original steps and the latest master and the error isn't happening any more. It is giving inconsistent results which may be worth looking at.
Pointed at a box that has a closed port 1433:
msf6 auxiliary(scanner/mssql/mssql_login) > run
[*] 192.168.0.8:1433 - 192.168.0.8:1433 - MSSQL - Starting authentication scanner.
[!] 192.168.0.8:1433 - No active DB -- Credential data will not be saved!
[-] 192.168.0.8:1433 - 192.168.0.8:1433 - LOGIN FAILED: WORKSTATION\sa: (Unable to Connect: )
[*] 192.168.0.8:1433 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Pointed at an open port 80 on the same box, just so it had something to connect to:
msf6 auxiliary(scanner/mssql/mssql_login) > run
[*] 192.168.0.8:80 - 192.168.0.8:80 - MSSQL - Starting authentication scanner.
[*] 192.168.0.8:80 - Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
On the first one, the login did fail, but technically it failed because there is no service listening on the port, so I'd expect a more prominent "connection failed" error rather than a "login failed" error.
The initial bug does look like it has been fixed though.
> I'm in the same area at the minute looking at mssql modules. If there's replication steps available I could throw up a PR for this 👀
This issue, while not exactly the same as OP, still exists: https://github.com/rapid7/metasploit-framework/issues/11341#issuecomment-466662091
Reproduce:
nc -lvp 1433 < /dev/random
msf6 auxiliary(scanner/mssql/mssql_login) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 auxiliary(scanner/mssql/mssql_login) > set rport
rport => 1433
msf6 auxiliary(scanner/mssql/mssql_login) > run
[*] 127.0.0.1:1433 - 127.0.0.1:1433 - MSSQL - Starting authentication scanner.
[-] 127.0.0.1:1433 - Auxiliary failed: NoMethodError undefined method `each' for nil:NilClass
[-] 127.0.0.1:1433 - Call stack:
[-] 127.0.0.1:1433 - /root/Desktop/metasploit-framework/lib/metasploit/framework/mssql/client.rb:479:in `mssql_parse_tds_row'
[-] 127.0.0.1:1433 - /root/Desktop/metasploit-framework/lib/metasploit/framework/mssql/client.rb:375:in `mssql_parse_reply'
[-] 127.0.0.1:1433 - /root/Desktop/metasploit-framework/lib/metasploit/framework/mssql/client.rb:276:in `mssql_login'
[-] 127.0.0.1:1433 - /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/mssql.rb:50:in `attempt_login'
[-] 127.0.0.1:1433 - /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:231:in `block in scan!'
[-] 127.0.0.1:1433 - /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:154:in `block in each_credential'
[-] 127.0.0.1:1433 - /root/Desktop/metasploit-framework/lib/metasploit/framework/credential_collection.rb:82:in `block in each_filtered'
[-] 127.0.0.1:1433 - /root/Desktop/metasploit-framework/lib/metasploit/framework/credential_collection.rb:229:in `each_unfiltered'
[-] 127.0.0.1:1433 - /root/Desktop/metasploit-framework/lib/metasploit/framework/credential_collection.rb:79:in `each_filtered'
[-] 127.0.0.1:1433 - /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:141:in `each_credential'
[-] 127.0.0.1:1433 - /root/Desktop/metasploit-framework/lib/metasploit/framework/login_scanner/base.rb:205:in `scan!'
[-] 127.0.0.1:1433 - /root/Desktop/metasploit-framework/modules/auxiliary/scanner/mssql/mssql_login.rb:72:in `run_host'
[-] 127.0.0.1:1433 - /root/Desktop/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:124:in `block (2 levels) in run'
[-] 127.0.0.1:1433 - /root/Desktop/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'
[-] 127.0.0.1:1433 - /var/lib/gems/3.0.0/gems/logging-2.3.1/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/mssql/mssql_login) > run
[*] 127.0.0.1:1433 - 127.0.0.1:1433 - MSSQL - Starting authentication scanner.
3a. The stack trace can be reproduced by waiting for the connection to complete (a few seconds).
3b. The 100% CPU usage can be reproduced by watching netcat for the connection, then ctrl+c killing netcat before Metasploit finishes reading from the socket.
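The two failure modes in this thread (send_recv returning false on a short header read, and mssql_parse_tds_row calling each on nil when the body is garbage) come down to the same missing check: the reader hands back something that is not a packet, and the parser dereferences it anyway. Below is an added example, not metasploit-framework code, of a TDS response reader that makes both cases a typed error the login scanner can rescue. The header layout (type, status, big-endian length including the header, SPID, packet id, window) and the token ids 0xAD/0xAA/0xFD are the MS-TDS values; the module and method names, the 12-byte DONE layout assumption (TDS 7.2+), and the sample byte strings are my own and only for illustration. It reads from any IO-like object with read, so a StringIO stands in for the socket.

```ruby
# Added example (not metasploit-framework code): a defensive TDS response
# reader. Header layout and token ids follow MS-TDS; TdsClient, its method
# names and the sample packets are assumptions made for this illustration.
require 'stringio'

module TdsClient
  HEADER_LEN    = 8
  TYPE_RESPONSE = 0x04
  # MS-TDS token identifiers
  TOKEN_ERROR    = 0xAA
  TOKEN_LOGINACK = 0xAD
  TOKEN_DONE     = 0xFD

  class ProtocolError < StandardError; end

  # Read exactly n bytes or return nil, never a short string. A peer that
  # closes mid-read (the ctrl+c on netcat case) yields nil here instead of
  # a loop that keeps polling an empty socket.
  def self.read_exact(sock, n)
    buf = String.new # ASCII-8BIT
    while buf.bytesize < n
      chunk = sock.read(n - buf.bytesize)
      return nil if chunk.nil? || chunk.empty?
      buf << chunk
    end
    buf
  end

  # Returns [type, status, body] or raises ProtocolError. Returning false
  # here is what produces `undefined method '[]' for false:FalseClass` in a
  # caller that indexes the result without checking it.
  def self.read_packet(sock)
    head = read_exact(sock, HEADER_LEN)
    raise ProtocolError, 'short read on TDS header' if head.nil?
    type, status, length = head.unpack('CCn')
    # the length field counts the header, so anything smaller is not TDS
    raise ProtocolError, "bad TDS length #{length}" if length < HEADER_LEN
    body = read_exact(sock, length - HEADER_LEN)
    raise ProtocolError, 'short read on TDS body' if body.nil?
    [type, status, body]
  end

  # Minimal token walk: recognises a few tokens and refuses everything else
  # instead of walking nil, which is the mssql_parse_tds_row crash above.
  def self.parse_response(body)
    io = StringIO.new(body)
    result = { login_ack: false, errors: [] }
    until io.eof?
      token = io.read(1).unpack1('C')
      case token
      when TOKEN_LOGINACK, TOKEN_ERROR
        len = io.read(2)&.unpack1('v') # 2-byte little-endian length
        raise ProtocolError, format('truncated token 0x%02x', token) if len.nil?
        data = io.read(len)
        raise ProtocolError, format('truncated token 0x%02x', token) if data.nil? || data.bytesize != len
        if token == TOKEN_LOGINACK
          result[:login_ack] = true
        else
          result[:errors] << data
        end
      when TOKEN_DONE
        done = io.read(12) # assumed TDS 7.2+ DONE: status(2) curcmd(2) rowcount(8)
        raise ProtocolError, 'truncated DONE' if done.nil? || done.bytesize != 12
      else
        raise ProtocolError, format('unexpected token 0x%02x', token)
      end
    end
    result
  end

  # What a login scanner wants from one reply: :success, :failed or
  # :not_mssql, never an unhandled exception from junk on the wire.
  def self.classify_login_reply(sock)
    type, _status, body = read_packet(sock)
    raise ProtocolError, format('unexpected packet type 0x%02x', type) unless type == TYPE_RESPONSE
    parse_response(body)[:login_ack] ? :success : :failed
  rescue ProtocolError
    :not_mssql
  end
end
```

Fed the output of a netcat listener serving /dev/random, read_packet either fails the length sanity check or parse_response hits an unknown token, and the scanner reports :not_mssql and moves on to the next host, which is the expected behaviour the issue asks for. A stream that stops mid-header returns nil from read_exact rather than a short string, so there is nothing left to spin on.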
I wonder if it didn't get enough traffic to fail with my attempt at connecting to port 80.
Glad you managed to reproduce it rather than just listen to me and close it.
> I wonder if it didn't get enough traffic to fail with my attempt at connecting to port 80.
> Glad you managed to reproduce it rather than just listen to me and close it.
It's a different bug. I'm not sure why you were getting "Auxiliary failed: NoMethodError undefined method `[]' for false:FalseClass". I was never able to reproduce this issue, but suspect it comes from the socket reading as per https://github.com/rapid7/metasploit-framework/issues/11341#issuecomment-466661623.
Thanks! :+1:
Pull request to catch an unhandled error, log it, and continue as normal: https://github.com/rapid7/metasploit-framework/pull/16746
Steps to reproduce
Expected behavior
Should continue past the invalid box
Current behavior
falls over with this error:
I've had similar errors with other mssql modules but haven't tried those since I upgraded to the latest version.
System stuff
Metasploit version
I installed Metasploit with:
OS
Kali