
Default module values for DisablePayloadHandler are inconsistent #12741

Closed
bcoles opened this issue Dec 17, 2019 · 2 comments · Fixed by #12832

Comments

bcoles (Contributor) commented Dec 17, 2019

Use of DisablePayloadHandler appears to be alarmingly inconsistent in the framework.

Sometimes a Boolean, sometimes a quoted lower case string, and the mov_ss exploit uses a capitalized string just to be different.

DisablePayloadHandler should always be Boolean.

```
irb(main):001:0> 'false' == true
=> false
irb(main):002:0> 'true' == true
=> false
irb(main):003:0> 
```

At worst, the current implementation may not work as expected for some modules, depending on type casting performed outside of the module.

```
# grep -rn DisablePayloadHandler lib/
lib/msf/ui/console/command_dispatcher/common.rb:122:        print("   **DisablePayloadHandler: True   (RHOST and RPORT settings will be ignored!)**\n\n") if mod.datastore['DisablePayloadHandler'].to_s == 'true'
lib/msf/ui/console/command_dispatcher/exploit.rb:234:      unless mod.datastore["DisablePayloadHandler"]
lib/msf/util/document_generator/normalizer.rb:312:          mod.options['DisablePayloadHandler']              # Must allow this option
lib/msf/core/exploit.rb:398:        OptBool.new('DisablePayloadHandler', [ false, "Disable the handler code for the selected payload", false ])
lib/msf/core/exploit.rb:1336:    !datastore['DisablePayloadHandler']
lib/msf/core/exploit/exe.rb:44:    datastore['DisablePayloadHandler'] = true
lib/msf/core/exploit/browser_autopwn2.rb:141:      xploit.datastore['DisablePayloadHandler'] = true
lib/msf/core/exploit/fileformat.rb:24:        OptBool.new('DisablePayloadHandler', [ false, "Disable the handler code for the selected payload", true ])
lib/msf/core/exploit/smb/client/psexec.rb:259:    if datastore['PSH::persist'] and not datastore['DisablePayloadHandler']
lib/msf/core/exploit/smb/client/psexec.rb:260:      print_warning("You probably want to DisablePayloadHandler and use exploit/multi/handler with the PSH::persist option")
```
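
As an added illustration (not code from the issue or from Metasploit), the following Ruby reproduces the two framework checks quoted in the grep output above as plain functions and shows which of the observed default spellings they disagree on; `normalize_bool` is an assumed stand-in for a strict Boolean coercion, not the framework's own `OptBool`.

```ruby
# Added example, not Metasploit code. Reproduces the two checks the issue
# quotes from the framework as plain Ruby so their disagreement is visible:
#   exploit.rb:234 -> `unless mod.datastore["DisablePayloadHandler"]`
#   common.rb:122  -> `... .to_s == 'true'`

# Mirrors `unless datastore['DisablePayloadHandler']`. Ruby treats only
# nil and false as falsy, so the *string* 'false' reads as "disabled".
def handler_disabled_by_truthiness?(value)
  value ? true : false
end

# Mirrors `.to_s == 'true'`: exact, case-sensitive string comparison, so
# 'False' (the mov_ss spelling) never matches.
def handler_disabled_by_string_compare?(value)
  value.to_s == 'true'
end

# Constructed sample of the default spellings the issue lists.
SAMPLE_DEFAULTS = {
  'boolean_false'     => false,
  'boolean_true'      => true,
  'quoted_false'      => 'false',
  'quoted_true'       => 'true',
  'capitalized_false' => 'False'
}.freeze

# For each sample, what each check concludes and whether they agree.
def check_agreement(samples = SAMPLE_DEFAULTS)
  samples.each_with_object({}) do |(name, value), acc|
    a = handler_disabled_by_truthiness?(value)
    b = handler_disabled_by_string_compare?(value)
    acc[name] = { truthiness: a, string_compare: b, consistent: a == b }
  end
end

# Assumed stand-in for a strict Boolean coercion (not the framework's
# OptBool): accepts real Booleans and the quoted spellings seen in the
# module list, and rejects anything else instead of guessing.
def normalize_bool(value)
  return value if value == true || value == false
  return false if value.nil?
  case value.to_s.strip.downcase
  when 'true'  then true
  when 'false' then false
  else raise ArgumentError, "not a Boolean: #{value.inspect}"
  end
end
```

Running `check_agreement` shows the two checks agree on `true`, `false` and `'true'`, but disagree on `'false'` and `'False'`, which is exactly the silent divergence the issue describes.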
wvu-r7 (Contributor) commented Dec 17, 2019

Indeed. Unfixed as of #10989.

bcoles (Contributor, Author) commented Dec 24, 2019

> Indeed. Unfixed as of #10989.

Yeah I noticed that cheeky little `if mod.datastore['DisablePayloadHandler'].to_s == 'true'` and wondered if that had been the case.

I vote for ignoring the underlying issue, and redefining the DisablePayloadHandler option in all modules to use a Boolean value.

This should be all affected modules:

```
modules/exploits/windows/local/mov_ss.rb:59:          'DisablePayloadHandler' => 'False'
modules/exploits/windows/local/ms16_016_webdav.rb:37:          'DisablePayloadHandler' => 'false'
modules/exploits/multi/http/vbulletin_widgetconfig_rce.rb:42:            'DisablePayloadHandler' => 'false'
modules/exploits/windows/fileformat/altap_salamander_pdb.rb:34:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/vuplayer_m3u.rb:29:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/safenet_softremote_groupname.rb:32:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/xenorate_xpl_bof.rb:35:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/adobe_flatedecode_predictor02.rb:38:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/moxa_mediadbplayback.rb:30:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/ms10_004_textbytesatom.rb:43:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/adobe_flashplayer_newfunction.rb:48:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/xradio_xrl_sehbof.rb:35:          'DisablePayloadHandler' => 'true'
modules/exploits/windows/fileformat/adobe_media_newplayer.rb:38:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/sascam_get.rb:32:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/msworks_wkspictureinterface.rb:31:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/feeddemon_opml.rb:42:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/cyberlink_lpp_bof.rb:35:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/adobe_flashplayer_button.rb:50:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/mplayer_sami_bof.rb:37:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/ca_cab.rb:31:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/adobe_jbig2decode.rb:38:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/ms10_038_excel_obj_bof.rb:42:          'DisablePayloadHandler' => 'true'
modules/exploits/windows/fileformat/varicad_dwb.rb:42:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/netop.rb:32:          'DisablePayloadHandler' => 'true'
modules/exploits/windows/fileformat/fdm_torrent.rb:39:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/mymp3player_m3u.rb:33:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/adobe_illustrator_v14_eps.rb:33:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/visio_dxf_bof.rb:41:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/openoffice_ole.rb:43:          'DisablePayloadHandler' => 'true'
modules/exploits/windows/fileformat/apple_quicktime_pnsize.rb:35:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/adobe_collectemailinfo.rb:31:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/ms11_021_xlb_bof.rb:43:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/activepdf_webgrabber.rb:31:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/adobe_reader_u3d.rb:46:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/aol_phobos_bof.rb:59:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/audio_wkstn_pls.rb:32:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/ccmplayer_m3u_bof.rb:33:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/proshow_cellimage_bof.rb:31:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/ursoft_w32dasm.rb:33:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/adobe_libtiff.rb:41:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/acdsee_fotoslate_string.rb:37:          'DisablePayloadHandler' => 'true'
modules/exploits/windows/fileformat/adobe_utilprintf.rb:31:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/adobe_geticon.rb:40:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/mini_stream_pls_bof.rb:36:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/millenium_mp3_pls.rb:33:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/adobe_u3d_meshdecl.rb:37:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/a_pdf_wav_to_mp3.rb:36:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/acdsee_xpm.rb:32:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/ms_visual_basic_vbp.rb:31:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/shadow_stream_recorder_bof.rb:36:          'DisablePayloadHandler' => 'true'
modules/exploits/windows/fileformat/ms09_067_excel_featheader.rb:48:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/dupscout_xml.rb:31:          'DisablePayloadHandler' => 'true'
modules/exploits/windows/fileformat/vuplayer_cue.rb:29:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/wm_downloader_m3u.rb:33:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/syncbreeze_xml.rb:32:          'DisablePayloadHandler' => 'true'
modules/exploits/windows/fileformat/djvu_imageurl.rb:31:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/adobe_cooltype_sing.rb:39:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/emc_appextender_keyworks.rb:30:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/cytel_studio_cy3.rb:35:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/fatplayer_wav.rb:35:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/fileformat/somplplayer_m3u.rb:33:          'DisablePayloadHandler' => 'true',
modules/exploits/windows/local/persistence.rb:42:          'DisablePayloadHandler' => 'true'
modules/exploits/windows/local/persistence_image_exec_options.rb:46:          'DisablePayloadHandler' => 'true'
modules/exploits/windows/local/registry_persistence.rb:40:          'DisablePayloadHandler' => 'true'
modules/exploits/windows/local/wmi_persistence.rb:46:          'DisablePayloadHandler' => 'true'
modules/exploits/windows/mysql/mysql_start_up.rb:30:          'DisablePayloadHandler' =>  'true'
modules/exploits/linux/local/apt_package_manager_persistence.rb:37:      'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => 'true' },
modules/exploits/linux/local/autostart_persistence.rb:31:      'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => 'true' },
modules/exploits/linux/local/rc_local_persistence.rb:31:      'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => 'true' },
modules/exploits/linux/local/bash_profile_persistence.rb:32:        'DefaultOptions' => { 'WfsDelay' => 0, 'DisablePayloadHandler' => 'true' },
modules/exploits/linux/local/yum_package_manager_persistence.rb:39:                            'WfsDelay' => 0, 'DisablePayloadHandler' => 'true',
modules/exploits/multi/http/vbulletin_widgetconfig_rce.rb:51:            'DisablePayloadHandler' => 'true'
modules/exploits/multi/http/vbulletin_widgetconfig_rce.rb:60:            'DisablePayloadHandler' => 'true'
```

Most make use of a single space either side of the hash rocket `=>`, so can easily be resolved with `sed`.
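
The rewrite proposed above, as an added example (not from the issue or from Metasploit): done in Ruby rather than `sed` so that the two-space spelling (`mysql_start_up`) and the capitalised `'False'` (`mov_ss`) are covered by one pattern, while any other value is left untouched for manual review. `SAMPLE_MODULE` is constructed text, not a real module.

```ruby
# Added example, not from the issue or the framework: the quoted-default
# rewrite the comment proposes, covering the one-space, two-space and
# capitalised spellings seen in the grep output and leaving anything
# unexpected alone so it surfaces in review.
DEFAULT_RE = /('DisablePayloadHandler'\s*=>\s*)'(true|false)'/i

# Turns a quoted 'true'/'false'/'False' default into a bare Boolean
# literal, preserving whatever spacing the module used around `=>`.
def normalize_line(line)
  line.sub(DEFAULT_RE) { "#{$1}#{$2.downcase}" }
end

# Rewrites a whole module source; returns [new_source, lines_changed].
def normalize_source(src)
  changed = 0
  out = src.each_line.map do |line|
    fixed = normalize_line(line)
    changed += 1 if fixed != line
    fixed
  end
  [out.join, changed]
end

# Constructed sample text mirroring the spellings in the grep output
# (not a real module; it only exists to exercise the rewrite).
SAMPLE_MODULE = <<~SRC
  'DefaultOptions' => {
      'DisablePayloadHandler' => 'False',
      'DisablePayloadHandler' =>  'true',
      'WfsDelay' => 0, 'DisablePayloadHandler' => 'true' },
      'DisablePayloadHandler' => true,
      'EXITFUNC' => 'thread'
  }
SRC
```

Only the three quoted defaults are rewritten; the line that is already a bare `true` and the unrelated `'EXITFUNC'` string are left exactly as they were.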
