Differentiate failed binds from connects, closes rapid7#4169

This change adds two new Rex exceptions and changes the local comm to raise the right one depending on the circumstances. The problem with the existing model is
that failed binds and failed connections both raised the same exception. This change is backwards compatible with modules that rescue Rex::AddressInUse in additi
on to Rex::ConnectionError. There were two corner cases that rescued Rex::AddressInUse specifically:

1. The 'r'-services mixin and modules caught the old exception when handling bind errors. These have been updated to use BindFailed
2. The meterpreter client had a catch for the old exception when the socket reports a bad destination (usually a network connection dropped). This has been updat
ed to use InvalidDestination as that was the intention prior to this change.

Since AddressInUse was part of ConnectionError, modules and mixins which caught both in the same rescue have been updated to just catch ConnectionError.

Author: HD Moore

lib/metasploit/framework/login_scanner/ftp.rb

@@ -41,7 +41,7 @@ def attempt_login(credential)
 
           begin
             success = connect_login(credential.public, credential.private)
-          rescue ::EOFError, Errno::ECONNRESET,  Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
+          rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
             result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
             success = false
           end

lib/metasploit/framework/login_scanner/telnet.rb

@@ -92,7 +92,7 @@ def attempt_login(credential)
               end
 
             end
-          rescue ::EOFError, Errno::ECONNRESET,  Rex::AddressInUse, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
+          rescue ::EOFError, Errno::ECONNRESET, Rex::ConnectionError, Rex::ConnectionTimeout, ::Timeout::Error
             result_options[:status] = Metasploit::Model::Login::Status::UNABLE_TO_CONNECT
           end
 

lib/msf/core/auxiliary/rservices.rb

@@ -35,7 +35,7 @@ def connect_from_privileged_port(start_port = 1023)
       begin
         sd = connect(true, { 'CPORT' => cport })
 
-      rescue Rex::AddressInUse
+      rescue Rex::BindFailed
         # Ignore and try again
         #vprint_error("Unable to connect: #{$!}")
 

lib/msf/core/auxiliary/scanner.rb

@@ -57,6 +57,7 @@ def run
 
   threads_max = datastore['THREADS'].to_i
   @tl = []
+  @scan_errors = []
 
   #
   # Sanity check threading given different conditions
@@ -87,17 +88,22 @@ def run
   begin
 
   if (self.respond_to?('run_range'))
-    # No automated progress reporting for run_range
+    # No automated progress reporting or error handling for run_range
     return run_range(datastore['RHOSTS'])
   end
 
   if (self.respond_to?('run_host'))
 
-    @tl = []
-
     loop do
+      # Stop scanning if we hit a fatal error
+      break if @scan_errors.length > 0
+
       # Spawn threads for each host
       while (@tl.length < threads_max)
+
+        # Stop scanning if we hit a fatal error
+        break if @scan_errors.length > 0
+
         ip = ar.next_ip
         break if not ip
 
@@ -108,6 +114,10 @@ def run
 
           begin
             nmod.run_host(targ)
+          rescue ::Rex::BindFailed
+            if datastore['CHOST']
+              @scan_errors << "The source IP (CHOST) value of #{datastore['CHOST']} was not usable"
+            end
           rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error, ::EOFError
           rescue ::Interrupt,::NoMethodError, ::RuntimeError, ::ArgumentError, ::NameError
             raise $!
@@ -120,6 +130,9 @@ def run
         end
       end
 
+      # Stop scanning if we hit a fatal error
+      break if @scan_errors.length > 0
+
       # Exit once we run out of hosts
       if(@tl.length == 0)
         break
@@ -139,6 +152,7 @@ def run
       scanner_show_progress() if @show_progress
     end
 
+    scanner_report_fatal_errors
     return
   end
 
@@ -153,10 +167,12 @@ def run
 
     ar = Rex::Socket::RangeWalker.new(datastore['RHOSTS'])
 
-    @tl = []
-
     while(true)
       nohosts = false
+
+      # Stop scanning if we hit a fatal error
+      break if @scan_errors.length > 0
+
       while (@tl.length < threads_max)
 
         batch = []
@@ -178,6 +194,10 @@ def run
             mybatch = bat.dup
             begin
               nmod.run_batch(mybatch)
+          rescue ::Rex::BindFailed
+            if datastore['CHOST']
+              @scan_errors << "The source IP (CHOST) value of #{datastore['CHOST']} was not usable"
+            end
             rescue ::Rex::ConnectionError, ::Rex::ConnectionProxyError, ::Errno::ECONNRESET, ::Errno::EINTR, ::Rex::TimeoutError, ::Timeout::Error
             rescue ::Interrupt,::NoMethodError, ::RuntimeError, ::ArgumentError, ::NameError
               raise $!
@@ -197,6 +217,9 @@ def run
         end
       end
 
+      # Stop scanning if we hit a fatal error
+      break if @scan_errors.length > 0
+
       # Exit if there are no more pending threads
       if (@tl.length == 0)
         break
@@ -218,6 +241,7 @@ def run
       scanner_show_progress() if @show_progress
     end
 
+    scanner_report_fatal_errors
     return
   end
 
@@ -240,6 +264,20 @@ def seppuko!
   end
 end
 
+def scanner_report_fatal_errors
+  return unless @scan_errors && @scan_errors.length > 0
+  return unless @tl
+
+  # First kill any running threads
+  @tl.each {|t| t.kill if t.alive? }
+
+  # Show the unique errors triggered by the scan
+  @scan_errors.uniq.each do |emsg|
+    print_error("Fatal: #{emsg}")
+  end
+  print_status("Scan terminated due to one or more fatal errors")
+end
+
 def scanner_progress
   return 0 unless @range_done and @range_count
   pct = (@range_done / @range_count.to_f) * 100

lib/rex/exceptions.rb

@@ -213,25 +213,57 @@ def to_s
   end
 end
 
+###
+#
+# This connection error is raised when an attempt is made to connect
+# to a broadcast or network address.
+#
+###
+class InvalidDestination < ConnectionError
+  include SocketError
+  include HostCommunicationError
+
+  def to_s
+    "The destination is invalid: #{addr_to_s}."
+  end
+end
 
 ###
 #
 # This exception is raised when an attempt to use an address or port that is
-# already in use occurs, such as binding to a host on a given port that is
-# already in use.  Note that Windows raises this in some cases when attempting
-# to connect to addresses that it can't handle, e.g. "0.0.0.0".  Thus, this is
-# a ConnectionError.
+# already in use or onot available occurs. such as binding to a host on a
+# given port that is already in use, or when a bind address is specified that
+# is not available to the host.
 #
 ###
+class BindFailed < ::ArgumentError
+  include SocketError
+  include HostCommunicationError
+
+  def to_s
+    "The address is already in use or unavailable: #{addr_to_s}."
+  end
+end
+
+##
+#
+# This exception is listed for backwards compatibility. We had been
+# using AddressInUse as the exception for both bind errors and connection
+# errors triggered by connection attempts to broadcast and network addresses.
+# The two classes above have split this into their respective sources, but
+# callers may still expect the old behavior.
+#
+##
 class AddressInUse < ConnectionError
   include SocketError
   include HostCommunicationError
 
   def to_s
-    "The address is already in use #{addr_to_s}."
+    "The address is already in use or unavailable: #{addr_to_s}."
   end
 end
 
+
 ###
 #
 # This exception is raised when an unsupported internet protocol is specified.

lib/rex/post/meterpreter/ui/console.rb

@@ -106,7 +106,7 @@ def run_command(dispatcher, method, arguments)
       log_error("Operation timed out.")
     rescue RequestError => info
       log_error(info.to_s)
-    rescue Rex::AddressInUse => e
+    rescue Rex::InvalidDestination => e
       log_error(e.message)
     rescue ::Errno::EPIPE, ::OpenSSL::SSL::SSLError, ::IOError
       self.client.kill

lib/rex/socket/comm/local.rb

@@ -195,7 +195,7 @@ def self.create_by_type(param, type, proto = 0)
 
       rescue ::Errno::EADDRNOTAVAIL,::Errno::EADDRINUSE
         sock.close
-        raise Rex::AddressInUse.new(param.localhost, param.localport), caller
+        raise Rex::BindFailed.new(param.localhost, param.localport), caller
       end
     end
 
@@ -295,7 +295,7 @@ def self.create_by_type(param, type, proto = 0)
 
         rescue ::Errno::EADDRNOTAVAIL,::Errno::EADDRINUSE
           sock.close
-          raise Rex::AddressInUse.new(ip, port), caller
+          raise Rex::InvalidDestination.new(ip, port), caller
 
         rescue Errno::ETIMEDOUT
           sock.close

modules/auxiliary/gather/xerox_pwd_extract.rb

@@ -96,7 +96,7 @@ def write
     begin
       connect(true, 'RPORT' => jport)
       sock.put(create_print_job)
-    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse
+    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout
       print_error("#{rhost}:#{jport} - Error connecting to #{rhost}")
     ensure
       disconnect
@@ -113,7 +113,7 @@ def retrieve
       res = sock.get_once || ''
       passwd = res.match(/\r\n\s(.+?)\n/)
       return passwd ? passwd[1] : ''
-    rescue ::EOFError, ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse, EOFError
+    rescue ::EOFError, ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, ::EOFError
       print_error("#{rhost}:#{jport} - Error getting password from #{rhost}")
       return
     ensure
@@ -150,7 +150,7 @@ def remove
     begin
       connect(true, 'RPORT' => jport)
       sock.put(remove_print_job)
-    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout, Rex::AddressInUse
+    rescue ::Timeout::Error, Rex::ConnectionError, Rex::ConnectionRefused, Rex::HostUnreachable, Rex::ConnectionTimeout
       print_error("#{rhost}:#{jport} - Error removing print job from #{rhost}")
     ensure
       disconnect

modules/auxiliary/scanner/rservices/rexec_login.rb

@@ -151,7 +151,7 @@ def listen_on_port(stderr_port)
     begin
       sd = Rex::Socket.create_tcp_server('LocalPort' => stderr_port)
 
-    rescue Rex::AddressInUse
+    rescue Rex::BindFailed
       # Ignore and try again
 
     end

modules/auxiliary/scanner/rservices/rsh_login.rb

@@ -201,7 +201,7 @@ def listen_on_privileged_port
       begin
         sd = Rex::Socket.create_tcp_server('LocalPort' => lport)
 
-      rescue Rex::AddressInUse
+      rescue Rex::BindFailed
         # Ignore and try again
 
       end