
Support rhosts in auxiliary module #11176

Merged (4 commits), Feb 20, 2019

Conversation

@Green-m (Contributor) commented Dec 25, 2018

Currently, the rhosts option is not usable in auxiliary modules except scanners; it throws an error like SocketError getaddrinfo.

In exploit modules, the same error occurs when rhosts is set to 8.8.8.8/32.

Fix #10693
Related: #9246

Steps to reproduce

Auxiliary module

msf5 auxiliary(scanner/http/apache_activemq_source_disclosure) > use admin/http/joomla_registration_privesc
msf5 auxiliary(admin/http/joomla_registration_privesc) > options

Module options (auxiliary/admin/http/joomla_registration_privesc):

   Name       Current Setting        Required  Description
   ----       ---------------        --------  -----------
   EMAIL      example@youremail.com  yes       Email to receive the activation code for the account
   PASSWORD   expl0it3r              yes       Password for the username
   Proxies                           no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.181.0.122/24        yes       The target address range or CIDR identifier
   RPORT      80                     yes       The target port (TCP)
   SSL        false                  no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                      yes       The relative URI of the Joomla instance
   USERNAME   expl0it3r              yes       Username that will be created
   VHOST                             no        HTTP server virtual host

msf5 auxiliary(admin/http/joomla_registration_privesc) > set verbose true
verbose => true
msf5 auxiliary(admin/http/joomla_registration_privesc) > run

[-] Auxiliary failed: SocketError getaddrinfo: nodename nor servname provided, or not known
[-] Call stack:
[-]   /Users/green/.rvm/gems/ruby-2.5.3@metasploit-framework/gems/rex-socket-0.1.15/lib/rex/socket.rb:189:in `gethostbyname'
[-]   /Users/green/.rvm/gems/ruby-2.5.3@metasploit-framework/gems/rex-socket-0.1.15/lib/rex/socket.rb:189:in `getaddresses'
[-]   /Users/green/.rvm/gems/ruby-2.5.3@metasploit-framework/gems/rex-socket-0.1.15/lib/rex/socket.rb:173:in `getaddress'
[-]   /Users/green/.rvm/gems/ruby-2.5.3@metasploit-framework/gems/rex-socket-0.1.15/lib/rex/socket.rb:263:in `resolv_nbo'
[-]   /Users/green/.rvm/gems/ruby-2.5.3@metasploit-framework/gems/rex-socket-0.1.15/lib/rex/socket.rb:277:in `resolv_nbo_i'
[-]   /Users/green/.rvm/gems/ruby-2.5.3@metasploit-framework/gems/rex-socket-0.1.15/lib/rex/socket/switch_board.rb:233:in `best_comm'
[-]   /Users/green/.rvm/gems/ruby-2.5.3@metasploit-framework/gems/rex-socket-0.1.15/lib/rex/socket/switch_board.rb:127:in `best_comm'
[-]   /Users/green/.rvm/gems/ruby-2.5.3@metasploit-framework/gems/rex-socket-0.1.15/lib/rex/socket/parameters.rb:195:in `initialize'
[-]   /Users/green/.rvm/gems/ruby-2.5.3@metasploit-framework/gems/rex-socket-0.1.15/lib/rex/socket/parameters.rb:38:in `new'
[-]   /Users/green/.rvm/gems/ruby-2.5.3@metasploit-framework/gems/rex-socket-0.1.15/lib/rex/socket/parameters.rb:38:in `from_hash'
[-]   /Users/green/.rvm/gems/ruby-2.5.3@metasploit-framework/gems/rex-socket-0.1.15/lib/rex/socket/tcp.rb:28:in `create'
[-]   /Users/green/msfdev/metasploit-framework/lib/rex/proto/http/client.rb:177:in `connect'
[-]   /Users/green/msfdev/metasploit-framework/lib/rex/proto/http/client.rb:244:in `send_request'
[-]   /Users/green/msfdev/metasploit-framework/lib/rex/proto/http/client.rb:229:in `_send_recv'
[-]   /Users/green/msfdev/metasploit-framework/lib/rex/proto/http/client.rb:210:in `send_recv'
[-]   /Users/green/msfdev/metasploit-framework/lib/msf/core/exploit/http/client.rb:367:in `send_request_cgi'
[-]   /Users/green/msfdev/metasploit-framework/modules/auxiliary/admin/http/joomla_registration_privesc.rb:45:in `check'
[-]   /Users/green/msfdev/metasploit-framework/modules/auxiliary/admin/http/joomla_registration_privesc.rb:79:in `run'
[*] Auxiliary module execution completed

Exploit module

msf5 exploit(linux/http/apache_couchdb_cmd_exec) > set lhost 10.103.0.30
lhost => 10.103.0.30
msf5 exploit(linux/http/apache_couchdb_cmd_exec) > set rhosts 8.8.8.8/32
rhosts => 8.8.8.8/32
msf5 exploit(linux/http/apache_couchdb_cmd_exec) > run

[*] Started reverse TCP handler on 10.103.0.30:4444
[-] Exploit failed: SocketError getaddrinfo: nodename nor servname provided, or not known
[*] Exploit completed, but no session was created.
msf5 exploit(linux/http/apache_couchdb_cmd_exec) >

After fix

Auxiliary module

msf5 auxiliary(gather/drupal_openid_xxe) > use auxiliary/gather/drupal_openid_xxe

msf5 auxiliary(gather/drupal_openid_xxe) > run

[*] Using URL: http://0.0.0.0:8080/w7fTsjuxSFJ
[*] Local IP: http://10.103.0.30:8080/w7fTsjuxSFJ
[*] Server started.
[*] Server stopped.
[*] Using URL: http://0.0.0.0:8080/rqQ0HJoQ6muwk9
[*] Local IP: http://10.103.0.30:8080/rqQ0HJoQ6muwk9
[*] Server started.
[*] Server stopped.
[*] Auxiliary module execution completed

Exploit module

msf5 exploit(linux/http/apache_couchdb_cmd_exec) > set lhost 10.103.0.30
lhost => 10.103.0.30
msf5 exploit(linux/http/apache_couchdb_cmd_exec) > run

[*] Started reverse TCP handler on 10.103.0.30:4444
[-] Exploit aborted due to failure: unknown: Something went horribly wrong and we couldn't continue to exploit.
[*] Exploit completed, but no session was created.

@jmartin-tech (Contributor) commented

The sanity test failures here are genuine. This PR breaks exploit/multi/handler at this time.

From the sanity test:

[-] ***
[-] * WARNING: No database support: No database YAML file
[-] ***
[*] Processing /home/msfuser/rapid7/test_artifacts/test_rc/windows-meterpreter_reverse_tcp-192x168x16x182-30004.rc for ERB directives.
resource (/home/msfuser/rapid7/test_artifacts/test_rc/windows-meterpreter_reverse_tcp-192x168x16x182-30004.rc)> use exploit/multi/handler
resource (/home/msfuser/rapid7/test_artifacts/test_rc/windows-meterpreter_reverse_tcp-192x168x16x182-30004.rc)> set payload windows/meterpreter_reverse_tcp
payload => windows/meterpreter_reverse_tcp
resource (/home/msfuser/rapid7/test_artifacts/test_rc/windows-meterpreter_reverse_tcp-192x168x16x182-30004.rc)> set LHOST 192.168.15.31
LHOST => 192.168.15.31
resource (/home/msfuser/rapid7/test_artifacts/test_rc/windows-meterpreter_reverse_tcp-192x168x16x182-30004.rc)> set LPORT 30004
LPORT => 30004
resource (/home/msfuser/rapid7/test_artifacts/test_rc/windows-meterpreter_reverse_tcp-192x168x16x182-30004.rc)> show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter_reverse_tcp):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   EXITFUNC    process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   EXTENSIONS                   no        Comma-separate list of extensions to load
   EXTINIT                      no        Initialization strings for extensions
   LHOST       192.168.15.31    yes       The listen address (an interface may be specified)
   LPORT       30004            yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


[*] resource (/home/msfuser/rapid7/test_artifacts/test_rc/windows-meterpreter_reverse_tcp-192x168x16x182-30004.rc)> Ruby Code (13 bytes)
resource (/home/msfuser/rapid7/test_artifacts/test_rc/windows-meterpreter_reverse_tcp-192x168x16x182-30004.rc)> run -z
[-] Error while running command run: undefined method `refname' for nil:NilClass

Call stack:
/home/msfuser/rapid7/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:59:in `rescue in exploit_single'
/home/msfuser/rapid7/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:54:in `exploit_single'
/home/msfuser/rapid7/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:203:in `cmd_exploit'
/home/msfuser/rapid7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:502:in `run_command'
/home/msfuser/rapid7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:453:in `block in run_single'
/home/msfuser/rapid7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:447:in `each'
/home/msfuser/rapid7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:447:in `run_single'
/home/msfuser/rapid7/metasploit-framework/lib/rex/ui/text/resource.rb:70:in `load_resource'
/home/msfuser/rapid7/metasploit-framework/lib/msf/ui/console/driver.rb:183:in `block in initialize'
/home/msfuser/rapid7/metasploit-framework/lib/msf/ui/console/driver.rb:182:in `each'
/home/msfuser/rapid7/metasploit-framework/lib/msf/ui/console/driver.rb:182:in `initialize'
/home/msfuser/rapid7/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `new'
/home/msfuser/rapid7/metasploit-framework/lib/metasploit/framework/command/console.rb:62:in `driver'
/home/msfuser/rapid7/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/home/msfuser/rapid7/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:49:in `<main>'
[*] resource (/home/msfuser/rapid7/test_artifacts/test_rc/windows-meterpreter_reverse_tcp-192x168x16x182-30004.rc)> Ruby Code (82 bytes)

From a local test on macOS as well:

msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set LHOST en0
LHOST => en0
msf5 exploit(multi/handler) > run
[-] Error while running command run: undefined method `refname' for nil:NilClass

Call stack:
/Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:59:in `rescue in exploit_single'
/Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:54:in `exploit_single'
/Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:203:in `cmd_exploit'
/Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:502:in `run_command'
/Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:453:in `block in run_single'
/Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:447:in `each'
/Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:447:in `run_single'
/Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/lib/rex/ui/text/shell.rb:151:in `run'
/Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/Users/jmartin/rapid7/src/r7-source/metasploit/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:49:in `<main>'
msf5 exploit(multi/handler) > exit

@Green-m (Contributor, Author) commented Dec 27, 2018

@jmartin-r7 Thanks, fixed that.

@Green-m (Contributor, Author) commented Jan 11, 2019

I think this is a serious issue; could someone at R7 pick this up? It also occurs in the latest msf5 release.

@busterb busterb self-assigned this Feb 13, 2019
@busterb busterb added the msf5 label Feb 13, 2019
@busterb (Member) commented Feb 13, 2019

Thanks for the ping @Green-m, taking a look.

@busterb (Member) commented Feb 13, 2019

Aside from the inability to hit 'Ctrl^C' to cancel the module run, this worked as advertised. Do you want me to land it as-is, or would you like to look at what we need to do to allow canceling a module run across a subnet from the console?

@Green-m (Contributor, Author) commented Feb 14, 2019

@busterb Thanks for picking this up! I have updated the code so the module run can be canceled with 'Ctrl^C'.

@Green-m (Contributor, Author) commented Feb 14, 2019

The Sanity Test failed again; I have no clue about it. :(

@jmartin-tech (Contributor) commented

@msjenkins-r7 test this please.

@Green-m, the sanity test looks like one of the 4 sessions did not connect; re-testing now.

@busterb (Member) commented Feb 20, 2019

Thanks, looking good.

@busterb busterb merged commit d3745e9 into rapid7:master Feb 20, 2019
@busterb (Member) commented Feb 20, 2019

Release Notes

This adds RHOSTS multiple-host targeting support to all auxiliary modules. It also corrects a bug targeting a single host from an exploit module using the syntax IP/32.
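
The expansion step that both the PR description and these release notes are about, as an added illustration that is not Metasploit's own code (the framework's real implementation lives in Rex): a hypothetical RhostsExpander that turns an RHOSTS spec into a host list before any socket is opened, so that "8.8.8.8/32" yields one address instead of being handed to the resolver as a hostname, and that lets a Ctrl-C stop a multi-host walk cleanly as discussed above.

```ruby
require 'ipaddr'

# Constructed example, not Metasploit's own code: expand an RHOSTS-style spec
# into individual hosts before any socket is opened. The failures in this
# thread came from handing the raw spec (e.g. "8.8.8.8/32") to the resolver,
# which treats it as a hostname and raises SocketError getaddrinfo.
module RhostsExpander
  CIDR  = %r{\A\d{1,3}(?:\.\d{1,3}){3}/\d{1,2}\z}
  RANGE = /\A(\d{1,3}(?:\.\d{1,3}){3})-(\d{1,3}(?:\.\d{1,3}){3})\z/

  # Whitespace-separated entries; each is a CIDR block, a dashed range, a
  # single address or a hostname. Returns the de-duplicated host list.
  def self.expand(spec)
    spec.split.flat_map { |entry| expand_entry(entry) }.uniq
  end

  def self.expand_entry(entry)
    case entry
    when CIDR
      # "8.8.8.8/32" expands to exactly one host instead of being resolved
      IPAddr.new(entry).to_range.map(&:to_s)
    when RANGE
      lo = IPAddr.new(Regexp.last_match(1))
      hi = IPAddr.new(Regexp.last_match(2))
      raise ArgumentError, "inverted range: #{entry}" if lo > hi
      (lo..hi).map(&:to_s)
    else
      [entry] # single address or hostname: the socket layer resolves it
    end
  end

  # Run the block once per host. Ctrl-C (Interrupt) ends the walk cleanly
  # and returns the hosts completed so far, rather than aborting mid-subnet.
  def self.each_host(spec)
    done = []
    expand(spec).each do |host|
      yield host
      done << host
    end
    done
  rescue Interrupt
    done
  end
end

if __FILE__ == $PROGRAM_NAME
  p RhostsExpander.expand('8.8.8.8/32')            # ["8.8.8.8"]
  p RhostsExpander.expand('10.181.0.122/24').size  # 256
end
```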

@Green-m Green-m deleted the issue/socket_error branch February 20, 2019 03:06
busterb added a commit to busterb/metasploit-framework that referenced this pull request Feb 25, 2019
This fixes a couple of bugs in rapid7#11176:

 - RHOSTS is not always used in Aux modules, don't enforce it unless it's used.
 - Be sure to pass the action to the run stub, since it's not a standard option.
Successfully merging this pull request may close these issues.

Auxiliary failed: SocketError getaddrinfo: nodename nor servname provided, or not known