See PR rapid7#981.Only real change is to retry on ENOBUF

Author: HD Moore

modules/auxiliary/scanner/scada/digi_addp_reboot.rb

@@ -41,8 +41,6 @@ def initialize
 		], self.class)
 	end
 
-
-	# Define our batch size
 	def run_batch_size
 		datastore['BATCHSIZE'].to_i
 	end
@@ -51,7 +49,6 @@ def rport
 		datastore['RPORT'].to_i
 	end
 
-	# Fingerprint a single host
 	def run_batch(batch)
 
 		print_status("Finding ADDP nodes within #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
@@ -68,16 +65,23 @@ def run_batch(batch)
 
 			batch.each do |ip|
 				begin
-
 					# Try all currently-known magic probe values
 					Rex::Proto::ADDP.request_config_all.each do |pkt|
-						udp_sock.sendto(pkt, ip, rport, 0)
+						begin
+							udp_sock.sendto(pkt, ip, rport, 0)
+						rescue ::Errno::ENOBUFS
+							print_status("Socket buffers are full, waiting for them to flush...")
+							while (r = udp_sock.recvfrom(65535, 0.1) and r[1])
+								parse_reply(r)
+							end
+							select(nil, nil, nil, 0.25)
+							retry
+						end					
 					end
 
 				rescue ::Interrupt
 					raise $!
-				rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
-					nil
+				rescue ::Rex::ConnectionError
 				end
 
 				if (idx % 30 == 0)
@@ -103,7 +107,18 @@ def run_batch(batch)
 				info = Rex::Proto::ADDP.reply_to_string(res)
 				print_status("#{ip}:#{rport} Sending reboot request to device with MAC #{res[:mac]}...")
 				pkt = Rex::Proto::ADDP.request_reboot(res[:magic], res[:mac], datastore['ADDP_PASSWORD'])
-				udp_sock.sendto(pkt, ip, rport, 0)
+				
+				begin
+					udp_sock.sendto(pkt, ip, rport, 0)
+				rescue ::Errno::ENOBUFS
+					print_status("Socket buffers are full, waiting for them to flush...")
+					while (r = udp_sock.recvfrom(65535, 0.1) and r[1])
+						parse_reply(r)
+					end
+					select(nil, nil, nil, 0.25)
+					retry
+				end
+							
 				while (r = udp_sock.recvfrom(65535, 0.1) and r[1])
 					parse_reply(r)
 				end
@@ -115,12 +130,6 @@ def run_batch(batch)
 
 		rescue ::Interrupt
 			raise $!
-		rescue ::Errno::ENOBUFS
-			print_status("Socket buffers are full, waiting for them to flush...")
-			while (r = udp_sock.recvfrom(65535, 0.1) and r[1])
-				parse_reply(r)
-			end
-			select(nil, nil, nil, 0.25)
 		rescue ::Exception => e
 			print_error("Unknown error: #{e.class} #{e} #{e.backtrace}")
 		end

modules/auxiliary/scanner/scada/digi_addp_version.rb

@@ -40,8 +40,6 @@ def initialize
 		], self.class)
 	end
 
-
-	# Define our batch size
 	def run_batch_size
 		datastore['BATCHSIZE'].to_i
 	end
@@ -50,7 +48,6 @@ def rport
 		datastore['RPORT'].to_i
 	end
 
-	# Fingerprint a single host
 	def run_batch(batch)
 
 		print_status("Sending Digi ADDP probes to #{batch[0]}->#{batch[-1]} (#{batch.length} hosts)")
@@ -70,13 +67,21 @@ def run_batch(batch)
 
 					# Try all currently-known magic probe values
 					Rex::Proto::ADDP.request_config_all.each do |pkt|
-						udp_sock.sendto(pkt, ip, rport, 0)
+						begin
+							udp_sock.sendto(pkt, ip, rport, 0)
+						rescue ::Errno::ENOBUFS
+							print_status("Socket buffers are full, waiting for them to flush...")
+							while (r = udp_sock.recvfrom(65535, 0.1) and r[1])
+								parse_reply(r)
+							end
+							select(nil, nil, nil, 0.25)
+							retry
+						end					
 					end
 
 				rescue ::Interrupt
 					raise $!
-				rescue ::Rex::HostUnreachable, ::Rex::ConnectionTimeout, ::Rex::ConnectionRefused
-					nil
+				rescue ::Rex::ConnectionError
 				end
 
 				if (idx % 30 == 0)
@@ -94,12 +99,6 @@ def run_batch(batch)
 
 		rescue ::Interrupt
 			raise $!
-		rescue ::Errno::ENOBUFS
-			print_status("Socket buffers are full, waiting for them to flush...")
-			while (r = udp_sock.recvfrom(65535, 0.1) and r[1])
-				parse_reply(r)
-			end
-			select(nil, nil, nil, 0.25)
 		rescue ::Exception => e
 			print_error("Unknown error: #{e.class} #{e} #{e.backtrace}")
 		end