msfconsole ignores EICAR canary until long after it's useful #14415

Closed
bcoles opened this issue Nov 21, 2020 · 1 comment · Fixed by #14475
Labels: bug, confirmed (Issues confirmed by a committer)

Comments

@bcoles
Contributor

bcoles commented Nov 21, 2020

A bunch of users have reported issues with a missing .dex file causing Metasploit msfconsole to fail to start. Instead msfconsole dies with a long backtrace.

Here's one example issue I can be bothered to track down (there are many):

This issue is due to anti-virus eating the .dex file. In theory, corruption of Metasploit files by anti-virus was meant to have been detected by the is_eicar_corrupted? canary.

```ruby
def self.is_eicar_corrupted?
  path = ::File.expand_path(::File.join(
    ::File.dirname(__FILE__), "..", "..", "..", "data", "eicar.com")
  )
  return true unless ::File.exist?(path)
  ret = false
  if ::File.exist?(path)
    begin
      data = ::File.read(path)
      unless Digest::SHA1.hexdigest(data) == "3395856ce81f2b7382dee72602f798b642f14140"
        ret = true
      end
    rescue ::Exception
      ret = true
    end
  end
  ret
end
```

(Also, this is_eicar_corrupted? method is poorly written. It checks if the file exists twice.)

The problem is that this method is called here:

```ruby
EICARCorrupted = ::Msf::Util::EXE.is_eicar_corrupted?
```

But the canary warning is ignored. This proves to be fatal.

A few lines later module_manager is loaded. The crash due to missing .dex file occurs somewhere in here while iterating through module paths.

```ruby
require 'msf/core/module_manager'
```

Some time later, cmd_banner gets called to display the banner, version and help tips. Only then does msfconsole bother to check if the canary is happy.

```ruby
if ::Msf::Framework::EICARCorrupted
  avdwarn = []
  avdwarn << "Warning: This copy of the Metasploit Framework has been corrupted by an installed anti-virus program."
  avdwarn << " We recommend that you disable your anti-virus or exclude your Metasploit installation path,"
  avdwarn << " then restore the removed files from quarantine or reinstall the framework. For more info: "
  avdwarn << " https://community.rapid7.com/docs/DOC-1273"
  avdwarn << ""
end
```

This sequence of events needs to be reworked.
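The ordering problem described in the report, shown as an added standalone example (not Metasploit's code and not part of the original issue): a single-check canary function, and a startup sequence that consults it before walking the module tree, so a quarantined file produces the anti-virus warning rather than only a backtrace. The file names, the stand-in canary bytes and the `startup`/`demo` helpers are constructed for this example.

```ruby
require 'digest'
require 'tmpdir'
require 'fileutils'

# Hypothetical canary check: one File.exist? test; a missing file,
# a digest mismatch, or a read error all count as corruption.
def eicar_corrupted?(path, expected_sha1)
  return true unless File.exist?(path)
  Digest::SHA1.hexdigest(File.binread(path)) != expected_sha1
rescue SystemCallError, IOError
  true
end

# Hypothetical startup sequence: the canary is checked *before* modules
# are loaded, so the warning is emitted ahead of any crash caused by a
# file that anti-virus removed. Returns the messages emitted, in order.
def startup(data_dir, expected_sha1, module_loader)
  log = []
  if eicar_corrupted?(File.join(data_dir, 'eicar.com'), expected_sha1)
    log << 'Warning: This copy of the Metasploit Framework has been corrupted by an installed anti-virus program.'
  end
  begin
    module_loader.call
    log << 'modules loaded'
  rescue Errno::ENOENT => e
    log << "module load failed: #{e.message}"
  end
  log
end

# Constructed sample canary (deliberately not the real EICAR string) and its digest.
CANARY_BYTES = "constructed-canary-placeholder\n".freeze
CANARY_SHA1 = Digest::SHA1.hexdigest(CANARY_BYTES)

# Runs startup twice: once with an intact canary, once after simulating
# anti-virus quarantining both the canary and a .dex file a module needs.
def demo
  Dir.mktmpdir do |dir|
    data = File.join(dir, 'data')
    FileUtils.mkdir_p(data)
    File.binwrite(File.join(data, 'eicar.com'), CANARY_BYTES)
    intact = startup(data, CANARY_SHA1, -> { true })
    File.delete(File.join(data, 'eicar.com'))
    quarantined = startup(data, CANARY_SHA1,
                          -> { File.binread(File.join(data, 'payload.dex')) })
    [intact, quarantined]
  end
end
```

In the quarantined run the warning is the first message and the load failure the second, which is the order a user needs to make sense of the backtrace.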

@bcoles bcoles added the bug label Nov 21, 2020
@dwelch-r7 dwelch-r7 added the confirmed Issues confirmed by a committer label Nov 25, 2020
@adfoster-r7 adfoster-r7 self-assigned this Nov 30, 2020
@dwelch-r7 dwelch-r7 assigned dwelch-r7 and unassigned adfoster-r7 Dec 4, 2020
@dwelch-r7
Contributor

I believe the main problem here has been unintentionally fixed by landing the zeitwerk PR #14202
But I'm still going to address the rest of the issues here


3 participants