
Add executable path for command payloads #17255

Conversation

JustAnda7
Contributor

Fixes #17204 and makes changes as per PR #17232.

This PR adds a PATH executable as an advanced option to the cmd payloads.

This change has been observed in metasploit v6.2.25-dev-ff508d14af
on Linux kali 5.18 (x86_64) with kernel version 5.18.0-kali5-amd64

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • use exploit/windows/smb/ms08_067_netapi or any other exploit
  • set payload <a payload that is modified>
  • run show advanced
  • Verify the new path options available

Screenshot_1

@JustAnda7
Contributor Author

@jmartin-r7 Thank you for pointing out my mistakes.

@JustAnda7
Contributor Author

Please check if any changes are required

@JustAnda7 JustAnda7 force-pushed the feature/master/#17204_exec_path_for_cmd_payloads branch 2 times, most recently from b7f628b to aa156d7 Compare November 14, 2022 15:40
@gwillcox-r7 gwillcox-r7 self-assigned this Nov 16, 2022
Review comments (resolved) on:

  • modules/payloads/singles/cmd/unix/reverse_jjs.rb
  • modules/payloads/singles/cmd/unix/reverse_ksh.rb
  • modules/payloads/singles/cmd/unix/reverse_openssl.rb
  • modules/payloads/singles/cmd/unix/reverse_socat_udp.rb
  • modules/payloads/singles/cmd/unix/reverse_ssh.rb
  • modules/payloads/singles/cmd/unix/reverse_zsh.rb
@JustAnda7 JustAnda7 force-pushed the feature/master/#17204_exec_path_for_cmd_payloads branch 2 times, most recently from 11deb1b to 079d3b4 Compare November 22, 2022 15:47
@JustAnda7 JustAnda7 requested review from bcoles and gwillcox-r7 and removed request for gwillcox-r7 and bcoles December 4, 2022 09:34
Review comments (resolved) on:

  • modules/payloads/singles/cmd/unix/reverse_bash_udp.rb
  • modules/payloads/singles/cmd/unix/bind_jjs.rb
  • modules/payloads/singles/cmd/unix/reverse_ncat_ssl.rb
  • modules/payloads/singles/cmd/unix/reverse_openssl.rb
  • modules/payloads/singles/cmd/windows/jjs_reverse_tcp.rb
@gwillcox-r7
Contributor

Alright changes look good @JustAnda7 thanks for your patience on this! I'll get this landed shortly 👍

@gwillcox-r7
Contributor

Changes seem to be working:

msf6 exploit(windows/http/manageengine_adselfservice_plus_cve_2022_28810) > use exploit/unix/http/pfsense_group_member_exec 
[*] Using configured payload cmd/unix/reverse_openssl
msf6 exploit(unix/http/pfsense_group_member_exec) > show options

Module options (exploit/unix/http/pfsense_group_member_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  pfsense          no        Password to login with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT     443              yes       The target port (TCP)
   SSL       true             no        Negotiate SSL/TLS for outgoing connections
   USERNAME  admin            yes       User to login with
   VHOST                      no        HTTP server virtual host


Payload options (cmd/unix/reverse_openssl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

msf6 exploit(unix/http/pfsense_group_member_exec) > set PAYLOAD cmd/unix/reverse_perl
PAYLOAD => cmd/unix/reverse_perl
msf6 exploit(unix/http/pfsense_group_member_exec) > show options

Module options (exploit/unix/http/pfsense_group_member_exec):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD  pfsense          no        Password to login with
   Proxies                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT     443              yes       The target port (TCP)
   SSL       true             no        Negotiate SSL/TLS for outgoing connections
   USERNAME  admin            yes       User to login with
   VHOST                      no        HTTP server virtual host


Payload options (cmd/unix/reverse_perl):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Target



View the full module info with the info, or info -d command.

msf6 exploit(unix/http/pfsense_group_member_exec) > show advanced

Module advanced options (exploit/unix/http/pfsense_group_member_exec):

   Name                     Current Setting                              Required  Description
   ----                     ---------------                              --------  -----------
   ContextInformationFile                                                no        The information file that contains context information
   DOMAIN                   WORKSTATION                                  yes       The domain to use for Windows authentication
   DigestAuthIIS            true                                         no        Conform to IIS, should work for most servers. Only set to false for non-IIS se
                                                                                   rvers
   DisablePayloadHandler    false                                        no        Disable the handler code for the selected payload
   EnableContextEncoding    false                                        no        Use transient context when encoding payloads
   FingerprintCheck         true                                         no        Conduct a pre-exploit fingerprint verification
   HttpClientTimeout                                                     no        HTTP connection and receive timeout
   HttpPassword                                                          no        The HTTP password to specify for authentication
   HttpRawHeaders                                                        no        Path to ERB-templatized raw headers to append to existing headers
   HttpTrace                false                                        no        Show the raw HTTP requests and responses
   HttpTraceColors          red/blu                                      no        HTTP request and response colors for HttpTrace (unset to disable)
   HttpTraceHeadersOnly     false                                        no        Show HTTP headers only in HttpTrace
   HttpUsername                                                          no        The HTTP username to specify for authentication
   SSLServerNameIndication                                               no        SSL/TLS Server Name Indication (SNI)
   SSLVersion               Auto                                         yes       Specify the version of SSL/TLS to be used (Auto, TLS and SSL23 are auto-negoti
                                                                                   ate) (Accepted: Auto, TLS, SSL23, SSL3, TLS1, TLS1.1, TLS1.2)
   UserAgent                Mozilla/5.0 (Windows NT 10.0; Win64; x64) A  no        The User-Agent header to use for all requests
                            ppleWebKit/537.36 (KHTML, like Gecko) Chrom
                            e/98.0.4758.81 Safari/537.36
   VERBOSE                  false                                        no        Enable detailed status messages
   WORKSPACE                                                             no        Specify the workspace for this module
   WfsDelay                 2                                            no        Additional delay in seconds to wait for a session


Payload advanced options (cmd/unix/reverse_perl):

   Name                        Current Setting  Required  Description
   ----                        ---------------  --------  -----------
   AutoRunScript                                no        A script to run automatically on session creation.
   AutoVerifySession           true             yes       Automatically verify and drop invalid sessions
   CommandShellCleanupCommand                   no        A command to run before the session is closed
   CreateSession               true             no        Create a new session for every successful login
   InitialAutoRunScript                         no        An initial script to run on session creation (before AutoRunScript)
   PerlPath                    perl             yes       The path to the Perl executable
   ReverseAllowProxy           false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to L
                                                          HOST
   ReverseListenerBindAddress                   no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                      no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                          no        The specific communication channel to use for this listener
   ReverseListenerThreaded     false            yes       Handle every connection in a new thread (experimental)
   StagerRetryCount            10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait             5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                     false            no        Enable detailed status messages
   WORKSPACE                                    no        Specify the workspace for this module


View the full module info with the info, or info -d command.

msf6 exploit(unix/http/pfsense_group_member_exec) > 

@gwillcox-r7 gwillcox-r7 force-pushed the feature/master/#17204_exec_path_for_cmd_payloads branch from 18d4caf to 293a203 Compare December 8, 2022 18:19
@gwillcox-r7
Contributor

Squashed commit history down to make it neater, once tests pass will be landed.

@JustAnda7
Contributor Author

Thank you for helping me land this contribution and for pointing out my mistakes.

@gwillcox-r7 gwillcox-r7 merged commit 70b9b94 into rapid7:master Dec 8, 2022
@gwillcox-r7 gwillcox-r7 added the rn-enhancement release notes enhancement label Dec 8, 2022
@gwillcox-r7
Contributor

Release Notes

The command payloads have been updated to allow specifying the file system path for several of their commands within datastore options. This should allow users to specify these commands' locations should they not be contained within the searchable PATH.
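The mechanism the release note describes, as an added illustration written for this page and not code from the PR or from Metasploit itself: a self-contained Ruby model of a cmd payload that registers a `PerlPath` advanced option whose default is the bare command name, so the command keeps resolving through PATH unless the operator overrides it. The option name, default and description are taken from the `show advanced` output above; the `Opt` struct, the `PathAwareCmdPayload` class and the benign `print 1` script are constructed stand-ins for the framework's `OptString` and datastore. The example also shell-escapes the configured path, a check the page does not mention, so a path containing spaces or quotes cannot break the generated command line.

```ruby
require 'shellwords'

# Constructed stand-in for a Metasploit datastore option: name plus the
# [required, description, default] triple that OptString.new accepts.
Opt = Struct.new(:name, :required, :desc, :default)

def opt_string(name, spec)
  required, desc, default = spec
  Opt.new(name, required, desc, default)
end

# Model of a cmd payload that registers one advanced *Path option.  The
# default is the bare executable name, so an unset option behaves exactly
# like the pre-PR payloads (lookup via PATH); setting it substitutes an
# explicit location for hosts where the binary is not on the search path.
class PathAwareCmdPayload
  attr_reader :datastore, :advanced_options

  def initialize(exe_option, default_cmd, desc)
    @advanced_options = [opt_string(exe_option, [true, desc, default_cmd])]
    @datastore = {} # hypothetical datastore; a plain Hash here
  end

  # Resolve an option: datastore value if set, otherwise the registered default.
  # A required option that resolves to nothing is an error rather than a
  # silently empty command.
  def option_value(name)
    opt = @advanced_options.find { |o| o.name == name }
    raise KeyError, "unknown option #{name}" unless opt

    value = @datastore.fetch(name, opt.default)
    if opt.required && (value.nil? || value.to_s.strip.empty?)
      raise ArgumentError, "#{name} is required"
    end
    value
  end

  # Build the command line.  Both the executable path and the script are
  # shell-escaped so an operator-supplied path with spaces cannot split the
  # command or inject extra words into it.
  def command_string(script)
    exe = option_value(@advanced_options.first.name)
    "#{Shellwords.escape(exe)} -e #{Shellwords.escape(script)}"
  end
end

# Constructed perl payload using the PerlPath option shown in `show advanced`.
def perl_payload
  PathAwareCmdPayload.new('PerlPath', 'perl', 'The path to the Perl executable')
end

BENIGN_SCRIPT = 'print 1'.freeze # constructed placeholder script

# Command with PerlPath left at its default (resolved via PATH).
def default_command
  perl_payload.command_string(BENIGN_SCRIPT)
end

# Command with PerlPath overridden to an explicit location.
def overridden_command(path)
  payload = perl_payload
  payload.datastore['PerlPath'] = path
  payload.command_string(BENIGN_SCRIPT)
end

if __FILE__ == $PROGRAM_NAME
  puts default_command
  puts overridden_command('/opt/tools/perl')
  puts overridden_command('/opt/my tools/perl')
end
```

Running the file prints the three generated command lines; the third shows the escaped space in the path. Setting `PerlPath` to an empty string raises `ArgumentError`, mirroring the option being marked required in the `show advanced` table.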

@gwillcox-r7 gwillcox-r7 changed the title Feature/master/#17204-Add-executable-path-for-cmd-payloads Add executable path for command payloads Dec 8, 2022
@JustAnda7 JustAnda7 deleted the feature/master/#17204_exec_path_for_cmd_payloads branch May 19, 2023 13:39
Successfully merging this pull request may close these issues: Add executable _PATH options for all cmd payloads