Merge pull request rapid7#21341 from g0tmi1k/smb

Fix various smb/samba issues

Author: smcintyre-r7

lib/msf/core/exploit/remote/ms_samr.rb

@@ -60,7 +60,7 @@ def connect_samr(tree)
   rescue RubySMB::Dcerpc::Error::DcerpcError => e
     elog(e.message, error: e)
     raise MsSamrUnexpectedReplyError, e.message
-  rescue RubySMB::Error::RubySMBError
+  rescue RubySMB::Error::RubySMBError => e
     elog(e.message, error: e)
     raise MsSamrUnknownError, e.message
   end

modules/auxiliary/scanner/smb/psexec_loggedin_users.rb

@@ -80,6 +80,7 @@ def get_hku(ip, smbshare, cmd, text, bat)
       command = "#{cmd} /C echo reg.exe QUERY HKU ^> %SYSTEMDRIVE%#{text} > #{bat} & #{cmd} /C start cmd.exe /C #{bat}"
       out = psexec(command)
       output = get_output(ip, smbshare, text)
+      return nil unless output
       cleanout = Array.new
       output.each_line { |line| cleanout << line.chomp if line.include?("HKEY") && line.split("-").size == 8 && !line.split("-")[7].include?("_") }
       return cleanout

modules/auxiliary/scanner/smb/smb_enumshares.rb

@@ -311,7 +311,9 @@ def run_host(ip)
           connect(versions: [1, 2, 3])
         end
         smb_login
-        break unless enum_shares(ip).empty?
+        shares = enum_shares(ip)
+        next if shares.nil? || shares.empty?
+        break
       rescue ::Interrupt
         raise $ERROR_INFO
       rescue Errno::ECONNRESET => e

modules/auxiliary/scanner/smb/smb_enumusers.rb

@@ -108,7 +108,12 @@ def run_service(port, direct)
   def run_service_domain(tree, smb_domain: nil)
     @smb_domain = smb_domain
 
-    samr_con = connect_samr(tree)
+    begin
+      samr_con = connect_samr(tree)
+    rescue ::Exception => e
+      print_error("SAMR connection failed: #{e.class} #{e}")
+      return nil
+    end
 
     lockout_info = samr_con.samr.samr_query_information_domain(
       domain_handle: samr_con.domain_handle,
@@ -132,8 +137,10 @@ def run_service_domain(tree, smb_domain: nil)
       end
     end
   ensure
-    samr_con.samr.close_handle(samr_con.domain_handle) if samr_con.domain_handle
-    samr_con.samr.close_handle(samr_con.server_handle) if samr_con.server_handle
+    if samr_con
+      samr_con.samr.close_handle(samr_con.domain_handle) if samr_con.domain_handle
+      samr_con.samr.close_handle(samr_con.server_handle) if samr_con.server_handle
+    end
   end
 
   def report_username(domain, username)

modules/auxiliary/scanner/smb/smb_login.rb

@@ -270,10 +270,6 @@ def report_creds(ip, port, result)
     # Private can be nil if we authenticated with Kerberos and a cached ticket was used. No need to report this.
     return unless result.credential.private
 
-    if !datastore['RECORD_GUEST'] && (result.access_level == Metasploit::Framework::LoginScanner::SMB::AccessLevels::GUEST)
-      return
-    end
-
     service_data = {
       address: ip,
       port: port,
@@ -282,6 +278,14 @@ def report_creds(ip, port, result)
       workspace_id: myworkspace_id
     }
 
+    report_service(
+      host: service_data[:address],
+      port: service_data[:port],
+      proto: service_data[:protocol],
+      name: service_data[:service_name]
+    )
+    return if !datastore['RECORD_GUEST'] && result.access_level == Metasploit::Framework::LoginScanner::SMB::AccessLevels::GUEST
+
     credential_data = {
       module_fullname: fullname,
       origin_type: :service,

modules/auxiliary/scanner/smb/smb_lookupsid.rb

@@ -177,6 +177,7 @@ def format_results(results)
 
     # Each result contains 0 or more arrays containing: SID Type, Name, RID
     results.compact.each do |result_set|
+      next unless result_set.respond_to?(:each)
       result_set.each { |result| sids_table << result }
     end
 
@@ -195,7 +196,9 @@ def run_host(_ip)
     results_table = format_results(results)
     results_table.rows = results_table.rows.uniq # Remove potentially duplicate entries from port 139 & 445
 
-    print_line
-    print_line results_table.to_s
+    unless results_table.rows.empty?
+      print_line
+      print_line results_table.to_s
+    end
   end
 end

modules/auxiliary/scanner/smb/smb_uninit_cred.rb

@@ -127,6 +127,9 @@ def is_vulnerable?(ip)
            ::Rex::Proto::SMB::Exceptions::InvalidWordCount,
            ::Rex::Proto::SMB::Exceptions::NoReply => e
       elog(e)
+    rescue ::Rex::Proto::DCERPC::Exceptions::Fault => e
+      elog(e)
+      return false
     rescue ::Exception => e
       if e.to_s =~ /execution expired/i
         # So what happens here is that when you trigger the buggy code path, you hit this:
@@ -204,33 +207,34 @@ def maybe_vulnerable?(samba_version)
 
   # Check command
   def check_host(ip)
-    samba_info = ''
+    @samba_info = ''
     smb_ports = [445, 139]
     smb_ports.each do |port|
+      # Update line prefix, as port changes
+      remove_instance_variable(:@print_prefix) if instance_variable_defined?(:@print_prefix)
       @smb_port = port
-      samba_info = get_samba_info
-      vprint_status("Samba version: #{samba_info}")
+      @samba_info = get_samba_info
+      vprint_status("Samba version: #{@samba_info}")
 
-      if samba_info !~ /^samba/i
+      if @samba_info !~ /^samba/i
         vprint_status("Target isn't Samba, no check will run.")
         return Exploit::CheckCode::Safe('Target is not running Samba')
       end
 
       if datastore['PASSIVE']
-        if maybe_vulnerable?(samba_info)
-          flag_vuln_host(ip, samba_info)
+        if maybe_vulnerable?(@samba_info)
+          flag_vuln_host(ip, @samba_info)
           return Exploit::CheckCode::Appears('Samba version appears to be vulnerable based on version check')
         end
       else
         # Explicit: Actually triggers the bug
         if is_vulnerable?(ip)
-          flag_vuln_host(ip, samba_info)
-          return Exploit::CheckCode::Vulnerable('Samba uninitialized credential vulnerability confirmed')
+          flag_vuln_host(ip, @samba_info)
         end
       end
     end
 
-    return Exploit::CheckCode::Detected('Samba detected but vulnerability could not be confirmed') if samba_info =~ /^samba/i
+    return Exploit::CheckCode::Detected('Samba detected but vulnerability could not be confirmed') if @samba_info =~ /^samba/i
 
     Exploit::CheckCode::Safe('Target does not appear to be running Samba')
   end
@@ -249,7 +253,8 @@ def flag_vuln_host(ip, samba_version)
 
   def run_host(ip)
     peer = "#{ip}:#{rport}"
-    case check_host(ip)
+    result = check_host(ip)
+    case result
     when Exploit::CheckCode::Vulnerable
       print_good("The target is vulnerable to CVE-2015-0240.")
     when Exploit::CheckCode::Appears
@@ -259,5 +264,14 @@ def run_host(ip)
     else
       print_status("The target appears to be safe")
     end
+
+    report_service(
+      :host  => ip,
+      :port  => rport,
+      :proto => 'tcp',
+      :name  => 'smb',
+      :info  => @samba_info.to_s
+    ) if [Exploit::CheckCode::Vulnerable, Exploit::CheckCode::Appears, Exploit::CheckCode::Detected].include?(result)
   end
 end
+

modules/auxiliary/scanner/smb/smb_version.rb

@@ -318,7 +318,7 @@ def run_host(ip)
             })
           end
 
-          # Report the service with a friendly banner
+          # Report the service with a detailed friendly banner
           report_service(
             host: ip,
             port: rport,
@@ -338,20 +338,21 @@ def run_host(ip)
           )
         elsif smb1_fingerprint['native_os'] || smb1_fingerprint['native_lm']
           desc = "#{smb1_fingerprint['native_os']} (#{smb1_fingerprint['native_lm']})"
-          report_service(host: ip, port: rport, name: 'smb', info: desc)
+
+          # Report the service with a friendly banner
+          report_service(
+            host: ip,
+            port: rport,
+            proto: 'tcp',
+            name: 'smb',
+            info: desc
+          )
+
           lines << { type: :status, message: "  Host could not be identified: #{desc}" }
         else
           lines << { type: :status, message: '  Host could not be identified', verbose: true }
         end
 
-        report_service(
-          host: ip,
-          port: rport,
-          proto: 'tcp',
-          name: 'smb',
-          info: "#{smb_desc}. #{os_desc}"
-        )
-
         # Report a smb.fingerprint hash of attributes for OS fingerprinting
         report_note(
           host: ip,