Land rapid7#4177, @hmoore-r7's fix for rapid7#4169

Author: jhart-r7

lib/metasploit/framework/login_scanner/ftp.rb

@@ -41,7 +41,7 @@ def attempt_login(credential)
 
           begin
             success = connect_login(credential.public, credential.private)
-          rescue ::EOFError, Errno::ECONNRESET,  Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
+          rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
             result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
             success = false
           end

lib/metasploit/framework/login_scanner/telnet.rb

@@ -92,7 +92,7 @@ def attempt_login(credential)
               end
 
             end
-          rescue ::EOFError, Errno::ECONNRESET,  Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
+          rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
             result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
           end
 

lib/msf/core/auxiliary/rservices.rb

@@ -35,7 +35,7 @@ def connect_from_privileged_port(start_port = 1023)
       begin
         sd = connect(true, { 'CPORT' => cport })
 
-      rescue Rex::AddressInUse
+      rescue Rex::BindFailed
         # Ignore and try again
         #vprint_error("Unable to connect: #{$!}")
 

lib/msf/core/auxiliary/scanner.rb

@@ -57,6 +57,7 @@ def run
 
   threads_max = datastore['THREADS'].to_i
   @tl = []
+  @scan_errors = []
 
   #
   # Sanity check threading given different conditions
@@ -87,17 +88,22 @@ def run
   begin
 
   if (self.respond_to?('run_range'))
-    # No automated progress reporting for run_range
+    # No automated progress reporting or error handling for run_range
     return run_range(datastore['RHOSTS'])
   end
 
   if (self.respond_to?('run_host'))
 
-    @tl = []
-
     loop do
+      # Stop scanning if we hit a fatal error
+      break if has_fatal_errors?
+
       # Spawn threads for each host
       while (@tl.length < threads_max)
+
+        # Stop scanning if we hit a fatal error
+        break if has_fatal_errors?
+
         ip = ar.next_ip
         break if not ip
 
@@ -108,6 +114,10 @@ def run
 
           begin
             nmod.run_host(targ)
+          rescue ::Rex::BindFailed
+            if datastore['CHOST']
+              @scan_errors << "The source IP (CHOST) value of #{datastore['CHOST']} was not usable"
+            end
           rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error, ::EOFError
           rescue ::Interrupt,::NoMethodError, ::RuntimeError, ::ArgumentError, ::NameError
             raise $!
@@ -120,6 +130,9 @@ def run
         end
       end
 
+      # Stop scanning if we hit a fatal error
+      break if has_fatal_errors?
+
       # Exit once we run out of hosts
       if(@tl.length == 0)
         break
@@ -139,6 +152,7 @@ def run
       scanner_show_progress() if @show_progress
     end
 
+    scanner_handle_fatal_errors
     return
   end
 
@@ -153,10 +167,12 @@ def run
 
     ar = Rex::Socket::RangeWalker.new(datastore['RHOSTS'])
 
-    @tl = []
-
     while(true)
       nohosts = false
+
+      # Stop scanning if we hit a fatal error
+      break if has_fatal_errors?
+
       while (@tl.length < threads_max)
 
         batch = []
@@ -178,6 +194,10 @@ def run
             mybatch = bat.dup
             begin
               nmod.run_batch(mybatch)
+          rescue ::Rex::BindFailed
+            if datastore['CHOST']
+              @scan_errors << "The source IP (CHOST) value of #{datastore['CHOST']} was not usable"
+            end
             rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error
             rescue ::Interrupt,::NoMethodError, ::RuntimeError, ::ArgumentError, ::NameError
               raise $!
@@ -197,6 +217,9 @@ def run
         end
       end
 
+      # Stop scanning if we hit a fatal error
+      break if has_fatal_errors?
+
       # Exit if there are no more pending threads
       if (@tl.length == 0)
         break
@@ -218,6 +241,7 @@ def run
       scanner_show_progress() if @show_progress
     end
 
+    scanner_handle_fatal_errors
     return
   end
 
@@ -240,12 +264,33 @@ def seppuko!
   end
 end
 
+def has_fatal_errors?
+  @scan_errors && !@scan_errors.empty?
+end
+
+def scanner_handle_fatal_errors
+  return unless has_fatal_errors?
+  return unless @tl
+
+  # First kill any running threads
+  @tl.each {|t| t.kill if t.alive? }
+
+  # Show the unique errors triggered by the scan
+  uniq_errors = @scan_errors.uniq
+  uniq_errors.each do |emsg|
+    print_error("Fatal: #{emsg}")
+  end
+  print_error("Scan terminated due to #{uniq_errors.size} fatal error(s)")
+end
+
 def scanner_progress
   return 0 unless @range_done and @range_count
   pct = (@range_done / @range_count.to_f) * 100
 end
 
 def scanner_show_progress
+  # it should already be in the process of shutting down if there are fatal errors
+  return if has_fatal_errors?
   pct = scanner_progress
   if pct >= (@range_percent + @show_percent)
     @range_percent = @range_percent + @show_percent

lib/rex/exceptions.rb

@@ -213,25 +213,57 @@ def to_s
   end
 end
 
+###
+#
+# This connection error is raised when an attempt is made to connect
+# to a broadcast or network address.
+#
+###
+class InvalidDestination < ConnectionError
+  include SocketError
+  include HostCommunicationError
+
+  def to_s
+    "The destination is invalid: #{addr_to_s}."
+  end
+end
 
 ###
 #
 # This exception is raised when an attempt to use an address or port that is
-# already in use occurs, such as binding to a host on a given port that is
-# already in use.  Note that Windows raises this in some cases when attempting
-# to connect to addresses that it can't handle, e.g. "0.0.0.0".  Thus, this is
-# a ConnectionError.
+# already in use or onot available occurs. such as binding to a host on a
+# given port that is already in use, or when a bind address is specified that
+# is not available to the host.
 #
 ###
+class BindFailed < ::ArgumentError
+  include SocketError
+  include HostCommunicationError
+
+  def to_s
+    "The address is already in use or unavailable: #{addr_to_s}."
+  end
+end
+
+##
+#
+# This exception is listed for backwards compatibility. We had been
+# using AddressInUse as the exception for both bind errors and connection
+# errors triggered by connection attempts to broadcast and network addresses.
+# The two classes above have split this into their respective sources, but
+# callers may still expect the old behavior.
+#
+##
 class AddressInUse < ConnectionError
   include SocketError
   include HostCommunicationError
 
   def to_s
-    "The address is already in use #{addr_to_s}."
+    "The address is already in use or unavailable: #{addr_to_s}."
   end
 end
 
+
 ###
 #
 # This exception is raised when an unsupported internet protocol is specified.

lib/rex/post/meterpreter/ui/console.rb

@@ -106,7 +106,7 @@ def run_command(dispatcher, method, arguments)
       log_error("Operation timed out.")
     rescue RequestError => info
       log_error(info.to_s)
-    rescue Rex::AddressInUse => e
+    rescue Rex::InvalidDestination => e
       log_error(e.message)
     rescue ::Errno::EPIPE, ::OpenSSL::SSL::SSLError, ::IOError
       self.client.kill

lib/rex/socket/comm/local.rb

@@ -195,7 +195,7 @@ def self.create_by_type(param, type, proto = 0)
 
       rescue ::Errno::EADDRNOTAVAIL,::Errno::EADDRINUSE
         sock.close
-        raise Rex::AddressInUse.new(param.localhost, param.localport), caller
+        raise Rex::BindFailed.new(param.localhost, param.localport), caller
       end
     end
 
@@ -295,7 +295,7 @@ def self.create_by_type(param, type, proto = 0)
 
         rescue ::Errno::EADDRNOTAVAIL,::Errno::EADDRINUSE
           sock.close
-          raise Rex::AddressInUse.new(ip, port), caller
+          raise Rex::InvalidDestination.new(ip, port), caller
 
         rescue Errno::ETIMEDOUT
           sock.close

modules/auxiliary/gather/xerox_pwd_extract.rb

@@ -96,7 +96,7 @@ def write
     begin
       connect(true, 'RPORT' => jport)
       sock.put(create_print_job)
-    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse
+    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout
       print_error("#{rhost}:#{jport} - Error connecting to #{rhost}")
     ensure
       disconnect
@@ -113,7 +113,7 @@ def retrieve
       res = sock.get_once || ''
       passwd = res.match(/\r\n\s(.+?)\n/)
       return passwd ? passwd[1] : ''
-    rescue ::EOFError, ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse, EOFError
+    rescue ::EOFError, ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, ::EOFError
       print_error("#{rhost}:#{jport} - Error getting password from #{rhost}")
       return
     ensure
@@ -150,7 +150,7 @@ def remove
     begin
       connect(true, 'RPORT' => jport)
       sock.put(remove_print_job)
-    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse
+    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout
       print_error("#{rhost}:#{jport} - Error removing print job from #{rhost}")
     ensure
       disconnect

modules/auxiliary/scanner/rservices/rexec_login.rb

@@ -151,7 +151,7 @@ def listen_on_port(stderr_port)
     begin
       sd = Rex::Socket.create_tcp_server('LocalPort' => stderr_port)
 
-    rescue Rex::AddressInUse
+    rescue Rex::BindFailed
       # Ignore and try again
 
     end

modules/auxiliary/scanner/rservices/rsh_login.rb

@@ -201,7 +201,7 @@ def listen_on_privileged_port
       begin
         sd = Rex::Socket.create_tcp_server('LocalPort' => lport)
 
-      rescue Rex::AddressInUse
+      rescue Rex::BindFailed
         # Ignore and try again
 
       end