Instantiate payload modules so parameter validation occurs

Calling .new on payload modules does not perform parameter validation, leading to a number cached sizes based on invalid parameters. Most notably, normalization does not occur either, which makes all OptBool params default to true.
rapid7 · Aug 14, 2015 · 6b1e911 · 6b1e911
1 parent 80f4150
commit 6b1e911
Show file tree

Hide file tree

Showing 86 changed files with 146 additions and 94 deletions.
diff --git a/lib/msf/util/payload_cached_size.rb b/lib/msf/util/payload_cached_size.rb
@@ -14,6 +14,27 @@ module Util
 
 class PayloadCachedSize
 
+  @opts = {
+    'Format'      => 'raw',
+    'Options'     => {
+      'CPORT' => 4444,
+      'LPORT' => 4444,
+      'LHOST' => '255.255.255.255',
+      'KHOST' => '255.255.255.255',
+      'AHOST' => '255.255.255.255',
+      'CMD' => '/bin/sh',
+      'URL' => 'http://a.com',
+      'PATH' => '/',
+      'BUNDLE' => 'data/isight.bundle',
+      'DLL' => 'external/source/byakugan/bin/XPSP2/detoured.dll',
+      'RC4PASSWORD' => 'Metasploit',
+      'DNSZONE' => 'corelan.eu',
+      'PEXEC' => '/bin/sh'
+    },
+    'Encoder'     => nil,
+    'DisableNops' => true
+  }
+
   # Insert a new CachedSize value into the text of a payload module
   #
   # @param data [String] The source code of a payload module
@@ -60,7 +81,7 @@ def self.update_module_cached_size(mod)
   # @return [Fixnum]
   def self.compute_cached_size(mod)
     return ":dynamic" if is_dynamic?(mod)
-    return mod.new.size
+    return mod.generate_simple(@opts).size
   end
 
   # Determines whether a payload generates a static sized output
@@ -69,18 +90,19 @@ def self.compute_cached_size(mod)
   # @param generation_count [Fixnum] The number of iterations to use to
   #   verify that the size is static.
   # @return [Fixnum]
-  def self.is_dynamic?(mod,generation_count=5)
-    [*(1..generation_count)].map{|x| mod.new.size}.uniq.length != 1
+  def self.is_dynamic?(mod, generation_count=5)
+    [*(1..generation_count)].map{|x|
+      mod.generate_simple(@opts).size}.uniq.length != 1
   end
 
   # Determines whether a payload's CachedSize is up to date
   #
   # @param mod [Msf::Payload] The class of the payload module to update
   # @return [Boolean]
   def self.is_cached_size_accurate?(mod)
-    return true if mod.dynamic_size?
+    return true if mod.dynamic_size? && is_dynamic?(mod)
     return false if mod.cached_size.nil?
-    mod.cached_size == mod.new.size
+    mod.cached_size == mod.generate_simple(@opts).size
   end
 
 end

diff --git a/modules/payloads/singles/bsd/x64/exec.rb b/modules/payloads/singles/bsd/x64/exec.rb
@@ -17,7 +17,7 @@
 ###
 module Metasploit3
 
-  CachedSize = 23
+  CachedSize = 31
 
   include Msf::Payload::Single
   include Msf::Payload::Bsd

diff --git a/modules/payloads/singles/bsd/x64/shell_bind_tcp.rb b/modules/payloads/singles/bsd/x64/shell_bind_tcp.rb
@@ -40,7 +40,7 @@ def initialize(info = {})
 
   # build the shellcode payload dynamically based on the user-provided CMD
   def generate
-    cmd  = (datastore['CMD'] || '') << "\x00"
+    cmd  = (datastore['CMD'] || '') + "\x00"
     port = [datastore['LPORT'].to_i].pack('n')
     call = "\xe8" + [cmd.length].pack('V')
     payload =

diff --git a/modules/payloads/singles/bsd/x64/shell_reverse_tcp.rb b/modules/payloads/singles/bsd/x64/shell_reverse_tcp.rb
@@ -49,7 +49,7 @@ def generate
       raise ArgumentError, "LHOST must be in IPv4 format."
     end
 
-    cmd  = (datastore['CMD'] || '') << "\x00"
+    cmd  = (datastore['CMD'] || '') + "\x00"
     port = [datastore['LPORT'].to_i].pack('n')
     ipaddr = [lhost.split('.').inject(0) {|t,v| (t << 8 ) + v.to_i}].pack("N")
 

diff --git a/modules/payloads/singles/bsd/x86/exec.rb b/modules/payloads/singles/bsd/x86/exec.rb
@@ -17,7 +17,7 @@
 ###
 module Metasploit3
 
-  CachedSize = 16
+  CachedSize = 24
 
   include Msf::Payload::Single
   include Msf::Payload::Bsd

diff --git a/modules/payloads/singles/cmd/unix/generic.rb b/modules/payloads/singles/cmd/unix/generic.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 0
+  CachedSize = 8
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/unix/reverse.rb b/modules/payloads/singles/cmd/unix/reverse.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 100
+  CachedSize = 130
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/unix/reverse_awk.rb b/modules/payloads/singles/cmd/unix/reverse_awk.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 95
+  CachedSize = 110
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/unix/reverse_lua.rb b/modules/payloads/singles/cmd/unix/reverse_lua.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 209
+  CachedSize = 224
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb b/modules/payloads/singles/cmd/unix/reverse_netcat_gaping.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 20
+  CachedSize = 35
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/unix/reverse_nodejs.rb b/modules/payloads/singles/cmd/unix/reverse_nodejs.rb
@@ -11,7 +11,7 @@
 
 module Metasploit3
 
-  CachedSize = 1911
+  CachedSize = 1971
 
   include Msf::Payload::Single
   include Msf::Payload::NodeJS

diff --git a/modules/payloads/singles/cmd/unix/reverse_openssl.rb b/modules/payloads/singles/cmd/unix/reverse_openssl.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 152
+  CachedSize = 182
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/unix/reverse_perl.rb b/modules/payloads/singles/cmd/unix/reverse_perl.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 219
+  CachedSize = 234
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_perl_ssl.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 129
+  CachedSize = 144
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_php_ssl.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 117
+  CachedSize = 132
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_python_ssl.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 567
+  CachedSize = 587
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/unix/reverse_ruby.rb b/modules/payloads/singles/cmd/unix/reverse_ruby.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 118
+  CachedSize = 133
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb b/modules/payloads/singles/cmd/unix/reverse_ruby_ssl.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 170
+  CachedSize = 185
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb b/modules/payloads/singles/cmd/unix/reverse_ssl_double_telnet.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 106
+  CachedSize = 136
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/unix/reverse_zsh.rb b/modules/payloads/singles/cmd/unix/reverse_zsh.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 95
+  CachedSize = 110
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/windows/adduser.rb b/modules/payloads/singles/cmd/windows/adduser.rb
@@ -9,7 +9,7 @@
 
 module Metasploit3
 
-  CachedSize = 258
+  CachedSize = 97
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/windows/generic.rb b/modules/payloads/singles/cmd/windows/generic.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 0
+  CachedSize = 8
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb b/modules/payloads/singles/cmd/windows/powershell_bind_tcp.rb
@@ -11,7 +11,7 @@
 
 module Metasploit3
 
-  CachedSize = 1510
+  CachedSize = 1518
 
   include Msf::Payload::Single
   include Rex::Powershell::Command

diff --git a/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb b/modules/payloads/singles/cmd/windows/powershell_reverse_tcp.rb
@@ -11,7 +11,7 @@
 
 module Metasploit3
 
-  CachedSize = 1518
+  CachedSize = 1526
 
   include Msf::Payload::Single
   include Rex::Powershell::Command

diff --git a/modules/payloads/singles/cmd/windows/reverse_lua.rb b/modules/payloads/singles/cmd/windows/reverse_lua.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 209
+  CachedSize = 224
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/windows/reverse_perl.rb b/modules/payloads/singles/cmd/windows/reverse_perl.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 133
+  CachedSize = 148
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/windows/reverse_powershell.rb b/modules/payloads/singles/cmd/windows/reverse_powershell.rb
@@ -11,7 +11,7 @@
 
 module Metasploit3
 
-  CachedSize = 1189
+  CachedSize = 1204
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/cmd/windows/reverse_ruby.rb b/modules/payloads/singles/cmd/windows/reverse_ruby.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 111
+  CachedSize = 126
 
   include Msf::Payload::Single
   include Msf::Sessions::CommandShellOptions

diff --git a/modules/payloads/singles/firefox/exec.rb b/modules/payloads/singles/firefox/exec.rb
@@ -7,7 +7,7 @@
 
 module Metasploit3
 
-  CachedSize = :dynamic
+  CachedSize = 1019
 
   include Msf::Payload::Single
   include Msf::Payload::Firefox

diff --git a/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb b/modules/payloads/singles/java/jsp_shell_reverse_tcp.rb
@@ -11,7 +11,7 @@
 
 module Metasploit3
 
-  CachedSize = 0
+  CachedSize = 1501
 
   include Msf::Payload::Single
   include Msf::Payload::JSP

diff --git a/modules/payloads/singles/java/shell_reverse_tcp.rb b/modules/payloads/singles/java/shell_reverse_tcp.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 7748
+  CachedSize = 7761
 
   include Msf::Payload::Single
   include Msf::Payload::Java

diff --git a/modules/payloads/singles/linux/armle/exec.rb b/modules/payloads/singles/linux/armle/exec.rb
@@ -15,7 +15,7 @@
 ###
 module Metasploit3
 
-  CachedSize = 22
+  CachedSize = 29
 
   include Msf::Payload::Single
   include Msf::Payload::Linux

diff --git a/modules/payloads/singles/linux/mipsbe/exec.rb b/modules/payloads/singles/linux/mipsbe/exec.rb
@@ -7,7 +7,7 @@
 
 module Metasploit3
 
-  CachedSize = 48
+  CachedSize = 52
 
   include Msf::Payload::Single
   include Msf::Payload::Linux

diff --git a/modules/payloads/singles/linux/mipsbe/shell_reverse_tcp.rb b/modules/payloads/singles/linux/mipsbe/shell_reverse_tcp.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 0
+  CachedSize = 184
 
   include Msf::Payload::Single
   include Msf::Payload::Linux

diff --git a/modules/payloads/singles/linux/mipsle/exec.rb b/modules/payloads/singles/linux/mipsle/exec.rb
@@ -7,7 +7,7 @@
 
 module Metasploit3
 
-  CachedSize = 48
+  CachedSize = 52
 
   include Msf::Payload::Single
   include Msf::Payload::Linux

diff --git a/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb b/modules/payloads/singles/linux/mipsle/shell_reverse_tcp.rb
@@ -10,7 +10,7 @@
 
 module Metasploit3
 
-  CachedSize = 0
+  CachedSize = 184
 
   include Msf::Payload::Single
   include Msf::Payload::Linux

diff --git a/modules/payloads/singles/linux/x64/exec.rb b/modules/payloads/singles/linux/x64/exec.rb
@@ -8,7 +8,7 @@
 
 module Metasploit3
 
-  CachedSize = 40
+  CachedSize = 47
 
   include Msf::Payload::Single
   include Msf::Payload::Linux
@@ -29,7 +29,7 @@ def initialize(info = {})
   end
 
   def generate_stage(opts={})
-    cmd = (datastore['CMD'] || '') << "\x00"
+    cmd = (datastore['CMD'] || '') + "\x00"
     call = "\xe8" + [cmd.length].pack('V')
     payload =
       "\x6a\x3b"                     + # pushq  $0x3b