New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Prepend python path #10951

Merged
merged 3 commits into from Nov 12, 2018

Conversation

Projects
None yet
6 participants
@jrobles-r7
Contributor

jrobles-r7 commented Nov 12, 2018

Prepend metasploit python module path.
Fixes #10933

Verification

  • Patch in a $stderr.puts self.env after the change
  • PYTHONPATH=/tmp/path:$PYTHONPATH ./msfconsole -q
  • use exploit/windows/smb/ms17_010_eternalblue_win8
  • Verify module path is prepended to PYTHONPATH
@acammack-r7

This comment has been minimized.

Contributor

acammack-r7 commented Nov 12, 2018

Thanks for picking this up @jrobles-r7! Having an extra path separator at the end of the PYTHONPATH won't cause any issues, so you you can remove the special case. Also looks like the golang bridge is also susceptible to the same sort of path mixup.

@jrobles-r7

This comment has been minimized.

Contributor

jrobles-r7 commented Nov 12, 2018

The file separator at the end seems to include the current path in the PYTHONPATH as well.
/home/msfdev/git/metasploit-framework in the following example.

$ PYTHONPATH='/tmp/blah': python -c "import sys; print(sys.path)"
['', '/tmp/blah', '/home/msfdev/git/metasploit-framework', '/usr/lib/python2.7', '/usr/lib/python2.7/plat-x86_64-linux-gnu', '/usr/lib/python2.7/lib-tk', '/usr/lib/python2.7/lib-old', '/usr/lib/python2.7/lib-dynload', '/home/msfdev/.local/lib/python2.7/site-packages', '/usr/local/lib/python2.7/dist-packages', '/usr/lib/python2.7/dist-packages', '/usr/lib/python2.7/dist-packages/gtk-2.0']
[ruby-2.5.1@metasploit-framework]
msfdev@simulator:~/git/metasploit-framework
$ PYTHONPATH='/tmp/blah' python -c "import sys; print(sys.path)"
['', '/tmp/blah', '/usr/lib/python2.7', '/usr/lib/python2.7/plat-x86_64-linux-gnu', '/usr/lib/python2.7/lib-tk', '/usr/lib/python2.7/lib-old', '/usr/lib/python2.7/lib-dynload', '/home/msfdev/.local/lib/python2.7/site-packages', '/usr/local/lib/python2.7/dist-packages', '/usr/lib/python2.7/dist-packages', '/usr/lib/python2.7/dist-packages/gtk-2.0']
[ruby-2.5.1@metasploit-framework]
@jrobles-r7

This comment has been minimized.

Contributor

jrobles-r7 commented Nov 12, 2018

Although the current path should be included anyways so it shouldn't matter

@acammack-r7

This comment has been minimized.

Contributor

acammack-r7 commented Nov 12, 2018

The current directory is always searched, even if it is not explicitly part of the PYTHONPATH. Try:

cd lib/msf/core/modules/external/python
PYTHONPATH='' python -c 'import metasploit'
cd /tmp
PYTHONPATH='' python -c 'import metasploit'

Only the second one should error.

Edit: ninja'd

@jrobles-r7

This comment has been minimized.

Contributor

jrobles-r7 commented Nov 12, 2018

^True. @acammack-r7 I updated the Go path portion as well

@jrobles-r7

This comment has been minimized.

Contributor

jrobles-r7 commented Nov 12, 2018

I removed the conditional as well

@busterb

This comment has been minimized.

Contributor

busterb commented Nov 12, 2018

Ah, thanks!

@busterb busterb self-assigned this Nov 12, 2018

@bcook-r7 bcook-r7 merged commit 1b44fd0 into rapid7:master Nov 12, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution Successfully completed all tests.
Details
Metasploit Automation - Test Execution Successfully completed all tests.
Details
continuous-integration/travis-ci/pr The Travis CI build passed
Details

bcook-r7 pushed a commit that referenced this pull request Nov 12, 2018

@jrobles-r7 jrobles-r7 deleted the jrobles-r7:ext-paths branch Nov 13, 2018

@jmartin-r7 jmartin-r7 added the msf5 label Nov 13, 2018

@jmartin-r7

This comment has been minimized.

Contributor

jmartin-r7 commented Nov 13, 2018

This change interacts with Go support that is currently msf5 only.

@acammack-r7

This comment has been minimized.

Contributor

acammack-r7 commented Nov 13, 2018

I think that was a mistake. I see nothing in that PR that needed to be msf5. At least we need the Python change in 4.x.

@jmartin-r7

This comment has been minimized.

Contributor

jmartin-r7 commented Nov 14, 2018

I believe for GoLang support it was a lets bake this a bit on "msf5" tag. We can create a compatible PR directly to 4.x or manual cherry-pick here. Otherwise we need to bring in the GoLang PRs to be able to merge this clean on 4.x

@busterb

This comment has been minimized.

Contributor

busterb commented Nov 14, 2018

Release Notes

This fixes an issue with Python and Go support where internal Metasploit libraries could be overridden by external system libraries.

@busterb

This comment has been minimized.

Contributor

busterb commented Nov 14, 2018

I'm fine with unmasking golang support for msf4 too.

@jmartin-r7 jmartin-r7 removed the msf5 label Nov 14, 2018

msjenkins-r7 added a commit that referenced this pull request Nov 14, 2018

@gdavidson-r7 gdavidson-r7 added the rn-fix label Nov 16, 2018

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment