Land rapid7#6243, check nil for sock.read

lsato-r7 · lsato-r7 · commit 493e476a43b7 · 2015-11-23T11:15:51.000-06:00
diff --git a/modules/auxiliary/scanner/db2/discovery.rb b/modules/auxiliary/scanner/db2/discovery.rb
@@ -32,33 +32,37 @@ def run_host(ip)
 
       connect_udp
       udp_sock.put(pkt)
-      res = udp_sock.read(1024).split(/\x00/)
-
-      if (res)
-        report_note(
-          :host   => ip,
-          :proto  => 'udp',
-          :port   => datastore['RPORT'],
-          :type   => 'SERVICE_INFO',
-          :data   => res[2] + "_" + res[1]
-          )
-        report_service(
-          :host => ip,
-          :port => datastore['RPORT'],
-          :proto => 'udp',
-          :name => "ibm-db2",
-          :info => res[2] + "_" + res[1]
-          )
-        print_status("Host #{ip} node name is " + res[2] + " with a product id of " + res[1] )
-      else
+      res = udp_sock.read(1024)
+
+      unless res
         print_error("Unable to determine version info for #{ip}")
+        return
       end
 
-      disconnect_udp
+      res = res.split(/\x00/)
+
+      report_note(
+        :host   => ip,
+        :proto  => 'udp',
+        :port   => datastore['RPORT'],
+        :type   => 'SERVICE_INFO',
+        :data   => "#{res[2]}_#{res[1]}"
+        )
+
+      report_service(
+        :host => ip,
+        :port => datastore['RPORT'],
+        :proto => 'udp',
+        :name => "ibm-db2",
+        :info => "#{res[2]}_#{res[1]}"
+      )
+
+      print_status("Host #{ip} node name is " + res[2] + " with a product id of " + res[1] )
 
     rescue ::Rex::ConnectionError
     rescue ::Errno::EPIPE
-
+    ensure
+      disconnect_udp
     end
 
   end
diff --git a/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb b/modules/auxiliary/scanner/ftp/bison_ftp_traversal.rb
@@ -71,6 +71,11 @@ def run_host(target_host)
       # read the file data from the socket that we opened
       response_data = sock.read(1024)
 
+      unless response_data
+        print_error("#{file} not found")
+        return
+      end
+
       if response_data.length == 0
         print_status("File (#{file_path})from #{peer} is empty...")
         return
diff --git a/modules/auxiliary/scanner/ftp/pcman_ftp_traversal.rb b/modules/auxiliary/scanner/ftp/pcman_ftp_traversal.rb
@@ -70,6 +70,11 @@ def run_host(target_host)
       # read the file data from the socket that we opened
       response_data = sock.read(1024)
 
+      unless response_data
+        print_error("#{file_path} not found")
+        return
+      end
+
       if response_data.length == 0 or ! (res =~ /^150/ )
         print_status("File (#{file_path})from #{peer} is empty...")
         return
diff --git a/modules/auxiliary/scanner/motorola/timbuktu_udp.rb b/modules/auxiliary/scanner/motorola/timbuktu_udp.rb
@@ -52,8 +52,8 @@ def run_host(ip)
         else
           print_error("Unable to determine info for #{ip}...")
         end
+    ensure
       disconnect_udp
-    rescue ::Errno::EPIPE, ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
     end
   end
 end
diff --git a/modules/auxiliary/scanner/oracle/tnspoison_checker.rb b/modules/auxiliary/scanner/oracle/tnspoison_checker.rb
@@ -42,7 +42,7 @@ def run_host(ip)
       send_packet = tns_packet("(CONNECT_DATA=(COMMAND=service_register_NSGR))")
       sock.put(send_packet)
       packet = sock.read(100)
-      find_packet = packet.include? "(ERROR_STACK=(ERROR="
+      find_packet = /\(ERROR_STACK=\(ERROR=/ === packet
       find_packet == true ? print_error("#{ip}:#{rport} is not vulnerable ") : print_good("#{ip}:#{rport} is vulnerable")
       # TODO: Module should report_vuln if this finding is solid.
       rescue ::Rex::ConnectionError, ::Errno::EPIPE
diff --git a/modules/auxiliary/scanner/sap/sap_router_info_request.rb b/modules/auxiliary/scanner/sap/sap_router_info_request.rb
@@ -109,7 +109,11 @@ def run_host(ip)
       print_good("#{host_port} - Connected to saprouter")
       print_good("#{host_port} - Sending ROUTER_ADM packet info request")
       sock.put(ni_packet)
-      packet_len = sock.read(4).unpack('H*')[0].to_i 16
+      sock_res = sock.read(4)
+      unless sock_res
+        fail_with(Failure::Unknown, 'Unable to get the packet length')
+      end
+      packet_len = sock_res.unpack('H*')[0].to_i 16
       print_good("#{host_port} - Got INFO response")
       while packet_len !=0
         count += 1
diff --git a/modules/post/windows/gather/forensics/nbd_server.rb b/modules/post/windows/gather/forensics/nbd_server.rb
@@ -76,6 +76,12 @@ def run
 
     while true
       request = rsock.read(28)
+
+      unless request
+        print_error("No data received")
+        break
+      end
+
       magic, request, nbd_handle, offset_n, length = request.unpack("NNa8a8N")
 
       if magic != 0x25609513
diff --git a/modules/post/windows/manage/nbd_server.rb b/modules/post/windows/manage/nbd_server.rb
@@ -74,6 +74,12 @@ def run
 
     while true
       request = rsock.read(28)
+
+      unless request
+        print_error("No data received")
+        break
+      end
+
       magic, request, nbd_handle, offset_n, length = request.unpack("NNa8a8N")
 
       if magic != 0x25609513
