Fix rapid7#4119 - SMB lost search ID (sid) in find_first method

wchen-r7 · wchen-r7 · commit 719db5d2b101 · 2014-11-11T12:35:07.000-06:00
This will fix issue rapid7#4119. A bug in the find_first method in rex SMB. When the SMB client requests a TRANS2_FIND_FIRST2 for retriving information about what items a directory has, the server returns a response that contains an SID - a search identifier for the transaction. If the SMB client wants more data, it must send a TRANS2_FIND_NEXT2 request with the same SID. And then the server will continue sending more until it runs out. The root cause of this bug is that after the TRANS2_FIND_FIRST2 request is sent, our SMB's find_first method forgets the SID at the end of the loop (out of scope).
diff --git a/lib/rex/proto/smb/client.rb b/lib/rex/proto/smb/client.rb
@@ -1872,6 +1872,7 @@ def queryfs_fs_attribute
 
   # Enumerates a specific path on the mounted tree
   def find_first(path)
+    sid = nil
     files = { }
     parm = [
       26,  # Search for ALL files
