rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Fix recursive call to `ldap_open` #19138

Closed dwelch-r7 closed 2 weeks ago

dwelch-r7 commented 2 weeks ago

The certifried module seems to have been broken since this PR https://github.com/rapid7/metasploit-framework/pull/18197/files#diff-b7c1aff5ecd40aff88dfb3e8186dcf9b5c82c767ffb28cd69d083545a536609bR112

The issue is caused by both the mixin and the module defining `ldap_open`; when `ldap_connect` is called, it ends up calling the `ldap_open` in the module rather than the one in the mixin. This is just a simple name change to avoid that.

Before:

```
msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) > run
[*] Running module against 127.0.0.1

[*] 192.168.176.3:445 - Requesting the ms-DS-MachineAccountQuota value to see if we can add any computer accounts...
[-] 192.168.176.3:445 - Auxiliary failed: ArgumentError wrong number of arguments (given 1, expected 0)
[-] 192.168.176.3:445 - Call stack:
[-] 192.168.176.3:445 -   /Users/dwelch/dev/metasploit-framework/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb:293:in `ldap_open'
[-] 192.168.176.3:445 -   /Users/dwelch/dev/metasploit-framework/lib/msf/core/exploit/remote/ldap.rb:99:in `ldap_connect'
[-] 192.168.176.3:445 -   /Users/dwelch/dev/metasploit-framework/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb:305:in `ldap_open'
[-] 192.168.176.3:445 -   /Users/dwelch/dev/metasploit-framework/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb:261:in `can_add_computer?'
[-] 192.168.176.3:445 -   /Users/dwelch/dev/metasploit-framework/modules/auxiliary/admin/dcerpc/cve_2022_26923_certifried.rb:100:in `run'
[*] Auxiliary module execution completed
```

After:

```
msf6 auxiliary(admin/dcerpc/cve_2022_26923_certifried) > run
[*] Running module against 127.0.0.1

[*] 127.0.0.1:445 - Requesting the ms-DS-MachineAccountQuota value to see if we can add any computer accounts...
[-] 127.0.0.1:445 - 127.0.0.1:445 LDAP error 49: Invalid Credentials - 8009030C: LdapErr: DSID-0C0904DC, comment: AcceptSecurityContext error, data 51f, v1db1
[!] 127.0.0.1:445 - Received no result when trying to obtain ms-DS-MachineAccountQuota. Adding a computer account may not work.
[*] 127.0.0.1:445 - Connecting SMB with vagrant.windomain.local:vagrant
[-] 127.0.0.1:445 - Auxiliary aborted due to failure: unreachable: The connection was refused by the remote host (127.0.0.1:445).
[*] Auxiliary module execution completed
```

Verification Steps:

adfoster-r7 commented 2 weeks ago

Release Notes

Fixes a crash in the cve_2022_26923_certifried module
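
The name collision described in the pull request, reduced to a stand-alone Ruby sketch. This is an added example, not code from the pull request or from Metasploit: only the method names `ldap_open` and `ldap_connect` come from the page, while `LdapMixin`, `BrokenModule`, `FixedModule`, `open_ldap_session`, the method bodies and the `dc.example` host are assumptions made for illustration.

```ruby
# Constructed stand-in for a shared mixin (not Metasploit's real code).
module LdapMixin
  # Mixin helper: takes connection options and yields a "connection".
  def ldap_open(opts)
    yield "conn(#{opts[:host]})"
  end

  # Entry point; dispatches to ldap_open on self, so whichever
  # definition comes first in the ancestor chain is the one called.
  def ldap_connect(opts = {}, &block)
    ldap_open({ host: 'dc.example' }.merge(opts), &block)
  end
end

# "Before": the including class defines its own zero-argument ldap_open.
# It sits ahead of the mixin in the ancestor chain and shadows it.
class BrokenModule
  include LdapMixin

  def ldap_open
    ldap_connect { |conn| conn }
  end
end

# "After": the class-local helper gets a distinct (hypothetical) name,
# so ldap_connect reaches the mixin's ldap_open again.
class FixedModule
  include LdapMixin

  def open_ldap_session
    ldap_connect { |conn| conn }
  end
end

# Which class or module supplies ldap_open for instances of klass?
def ldap_open_owner(klass)
  klass.instance_method(:ldap_open).owner
end

# Run the helper and report either its result or the ArgumentError.
def run_case(klass, method_name)
  klass.new.public_send(method_name)
rescue ArgumentError => e
  "ArgumentError: #{e.message}"
end

if __FILE__ == $PROGRAM_NAME
  puts "#{ldap_open_owner(BrokenModule)}: #{run_case(BrokenModule, :ldap_open)}"
  puts "#{ldap_open_owner(FixedModule)}: #{run_case(FixedModule, :open_ldap_session)}"
end
```

Checking `instance_method(:name).owner` on a module class is a quick way to spot a helper that shadows a mixin method of the same name before it fails at run time.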