Closed zeroSteiner closed 3 weeks ago
This PR fixes a number of nil-type related stack traces that crept in as we were adding features to our LDAP work.
This fixes an exception reported to me by @bwatters-r7
msf6 auxiliary(admin/dcerpc/icpr_cert) > run [*] Running module against 192.168.108.211 [+] 3.19.108.211:445 - The requested certificate was issued. [-] 3.19.108.211:445 - Auxiliary failed: NoMethodError undefined method `empty?' for nil:NilClass [-] 3.19.108.211:445 - Call stack: [-] 3.19.108.211:445 - /home/tmoose/rapid7/metasploit-framework/lib/msf/core/exploit/remote/ms_icpr.rb:214:in `do_request_cert' [-] 3.19.108.211:445 - /home/tmoose/rapid7/metasploit-framework/lib/msf/core/exploit/remote/ms_icpr.rb:97:in `request_certificate' [-] 3.19.108.211:445 - /home/tmoose/rapid7/metasploit-framework/modules/auxiliary/admin/dcerpc/icpr_cert.rb:68:in `block in action_request_cert' [-] 3.19.108.211:445 - /home/tmoose/rapid7/metasploit-framework/modules/auxiliary/admin/dcerpc/icpr_cert.rb:83:in `with_ipc_tree' [-] 3.19.108.211:445 - /home/tmoose/rapid7/metasploit-framework/modules/auxiliary/admin/dcerpc/icpr_cert.rb:67:in `action_request_cert' [-] 3.19.108.211:445 - /home/tmoose/rapid7/metasploit-framework/modules/auxiliary/admin/dcerpc/icpr_cert.rb:53:in `run' [*] Auxiliary module execution completed msf6 auxiliary(admin/dcerpc/icpr_cert) >
query_ldap_server
ldap_esc_vulnerable_cert_finder
[-] Auxiliary failed: NoMethodError undefined method `empty?' for nil:NilClass [-] Call stack: [-] /home/tmoose/rapid7/metasploit-framework/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb:297:in `find_esc13_vuln_cert_templates' [-] /home/tmoose/rapid7/metasploit-framework/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb:474:in `block in run' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap.rb:644:in `block in open' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap.rb:716:in `block in open' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap/instrumentation.rb:19:in `instrument' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap.rb:711:in `open' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap.rb:644:in `open' [-] /home/tmoose/rapid7/metasploit-framework/lib/msf/core/exploit/remote/ldap.rb:114:in `ldap_open' [-] /home/tmoose/rapid7/metasploit-framework/lib/msf/core/exploit/remote/ldap.rb:98:in `ldap_connect' [-] /home/tmoose/rapid7/metasploit-framework/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb:457:in `run' [*] Auxiliary module execution completed
3. This fixes an issue in `gather/ldap_esc_vulnerable_cert_finder` because the module did not require a password value, but when the `nil` password was sent on to `ruby_smb`, it crashed:
[-] Auxiliary failed: NoMethodError undefined method force_encoding' for nil:NilClass [-] Call stack: [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/ruby_smb-3.3.5/lib/ruby_smb/ntlm/custom/string_encoder.rb:14:inencode_utf16le' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/rubyntlm-0.6.3/lib/net/ntlm/client/session.rb:187:in oem_or_unicode_str' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/rubyntlm-0.6.3/lib/net/ntlm/client/session.rb:172:inpassword' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/ruby_smb-3.3.5/lib/ruby_smb/ntlm/client.rb:55:in ntlmv2_hash' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/ruby_smb-3.3.5/lib/ruby_smb/ntlm/client.rb:63:incalculate_user_session_key!' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/ruby_smb-3.3.5/lib/ruby_smb/ntlm/client.rb:20:in authenticate!' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/ruby_smb-3.3.5/lib/ruby_smb/ntlm/client.rb:74:ininit_context' [-] /home/tmoose/rapid7/metasploit-framework/lib/metasploit/framework/ldap/client.rb:104:in block in ldap_auth_opts_ntlm' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap/auth_adapter/sasl.rb:54:inblock in bind' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap/auth_adapter/sasl.rb:38:in loop' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap/auth_adapter/sasl.rb:38:inbind' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap/connection.rb:281:in block in bind' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap/instrumentation.rb:19:ininstrument' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap/connection.rb:278:in bind' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap.rb:715:inblock in open' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap/instrumentation.rb:19:in instrument' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap.rb:711:inopen' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap.rb:644:in open' [-] /home/tmoose/rapid7/metasploit-framework/lib/msf/core/exploit/remote/ldap.rb:114:inldap_open' [-] /home/tmoose/rapid7/metasploit-framework/lib/msf/core/exploit/remote/ldap.rb:98:in ldap_connect' [-] /home/tmoose/rapid7/metasploit-framework/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb:455:inrun' [*] Auxiliary module execution completed msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) >
force_encoding' for nil:NilClass [-] Call stack: [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/ruby_smb-3.3.5/lib/ruby_smb/ntlm/custom/string_encoder.rb:14:in
oem_or_unicode_str' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/rubyntlm-0.6.3/lib/net/ntlm/client/session.rb:172:in
ntlmv2_hash' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/ruby_smb-3.3.5/lib/ruby_smb/ntlm/client.rb:63:in
authenticate!' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/ruby_smb-3.3.5/lib/ruby_smb/ntlm/client.rb:74:in
block in ldap_auth_opts_ntlm' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap/auth_adapter/sasl.rb:54:in
loop' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap/auth_adapter/sasl.rb:38:in
block in bind' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap/instrumentation.rb:19:in
bind' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap.rb:715:in
instrument' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap.rb:711:in
open' [-] /home/tmoose/rapid7/metasploit-framework/lib/msf/core/exploit/remote/ldap.rb:114:in
ldap_connect' [-] /home/tmoose/rapid7/metasploit-framework/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb:455:in
This PR fixes several instances where we we pass nil values rather than the types expected, causing crashes and stack traces in LDAP-related modules.
nil
This PR fixes a number of nil-type related stack traces that crept in as we were adding features to our LDAP work.
This fixes an exception reported to me by @bwatters-r7
query_ldap_server
to return an empty array rather than nil inldap_esc_vulnerable_cert_finder
[-] Auxiliary failed: NoMethodError undefined method
force_encoding' for nil:NilClass [-] Call stack: [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/ruby_smb-3.3.5/lib/ruby_smb/ntlm/custom/string_encoder.rb:14:in
encode_utf16le' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/rubyntlm-0.6.3/lib/net/ntlm/client/session.rb:187:inoem_or_unicode_str' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/rubyntlm-0.6.3/lib/net/ntlm/client/session.rb:172:in
password' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/ruby_smb-3.3.5/lib/ruby_smb/ntlm/client.rb:55:inntlmv2_hash' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/ruby_smb-3.3.5/lib/ruby_smb/ntlm/client.rb:63:in
calculate_user_session_key!' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/ruby_smb-3.3.5/lib/ruby_smb/ntlm/client.rb:20:inauthenticate!' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/ruby_smb-3.3.5/lib/ruby_smb/ntlm/client.rb:74:in
init_context' [-] /home/tmoose/rapid7/metasploit-framework/lib/metasploit/framework/ldap/client.rb:104:inblock in ldap_auth_opts_ntlm' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap/auth_adapter/sasl.rb:54:in
block in bind' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap/auth_adapter/sasl.rb:38:inloop' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap/auth_adapter/sasl.rb:38:in
bind' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap/connection.rb:281:inblock in bind' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap/instrumentation.rb:19:in
instrument' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap/connection.rb:278:inbind' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap.rb:715:in
block in open' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap/instrumentation.rb:19:ininstrument' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap.rb:711:in
open' [-] /home/tmoose/.rvm/gems/ruby-3.0.2/gems/net-ldap-0.18.0/lib/net/ldap.rb:644:inopen' [-] /home/tmoose/rapid7/metasploit-framework/lib/msf/core/exploit/remote/ldap.rb:114:in
ldap_open' [-] /home/tmoose/rapid7/metasploit-framework/lib/msf/core/exploit/remote/ldap.rb:98:inldap_connect' [-] /home/tmoose/rapid7/metasploit-framework/modules/auxiliary/gather/ldap_esc_vulnerable_cert_finder.rb:455:in
run' [*] Auxiliary module execution completed msf6 auxiliary(gather/ldap_esc_vulnerable_cert_finder) >