Rework session_compatible? check in post mixin, excluding ARCH_CMD modules #10972

Merged
merged 4 commits into from Nov 19, 2018

@wvu-r7
Contributor

wvu-r7 commented Nov 16, 2018

ARCH_CMD modules can work on a variety of platforms and archs.

msf5 exploit(unix/local/exim_perl_startup) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                Connection
  --  ----  ----                   -----------                                ----------
  1         meterpreter x64/linux  uid=0, gid=0, euid=0, egid=0 @ 172.18.0.2  [redacted]:4444 -> [redacted]:55596 (127.0.0.1)

msf5 exploit(unix/local/exim_perl_startup) > check

[!] SESSION may not be compatible with this module.
[*]  The target is not exploitable.
msf5 exploit(unix/local/exim_perl_startup) >

session_compatible? is a lie.

#7736, #7737, #10127, #10971

Limit session_compatible? check to post modules
Local exploits may define a different payload platform or arch.

@wvu-r7 wvu-r7 requested a review from bcoles Nov 16, 2018

@bcoles

Contributor

bcoles commented Nov 16, 2018

session_compatible? is a lie, but I don't see how this PR solves that.

Or rather, this PR makes SessionTypes redundant in local exploits. SessionTypes are not redundant in this context. There are local exploits which will work only on command shell sessions for example.

# grep -rn SessionTypes modules/exploits/**/local | grep shell | fgrep -v meterp
modules/exploits/freebsd/local/mmap.rb:31:        'SessionTypes'  => [ 'shell' ],
modules/exploits/freebsd/local/watchguard_fix_corrupt_mail.rb:34:      'SessionTypes'   => ['shell'],
modules/exploits/linux/local/hp_smhstart.rb:32:        'SessionTypes'  => [ 'shell' ],
modules/exploits/linux/local/kloxo_lxsuexec.rb:35:      'SessionTypes'  => [ 'shell' ],
modules/exploits/osx/local/rootpipe.rb:43:      'SessionTypes'   => ['shell'],
modules/exploits/osx/local/setuid_tunnelblick.rb:41:        'SessionTypes'   => [ 'shell' ],
modules/exploits/osx/local/setuid_viscosity.rb:41:        'SessionTypes'   => [ 'shell' ],
modules/exploits/osx/local/dyld_print_to_file_root.rb:38:      'SessionTypes'   => ['shell'],
modules/exploits/osx/local/tpwn.rb:35:      'SessionTypes'   => ['shell'],
modules/exploits/osx/local/rootpipe_entitlements.rb:35:      'SessionTypes'   => ['shell'],
modules/exploits/windows/local/powershell_cmd_upgrade.rb:31:        'SessionTypes'  => [ 'shell' ],
@wvu-r7

Contributor

wvu-r7 commented Nov 16, 2018

Short-sighted mistake at this hour. I don't want to lose out on SessionTypes. I'll try to address some of the concerns we had in #7736. session_compatible? needs work here.

@wvu-r7 wvu-r7 closed this Nov 16, 2018

@wvu-r7 wvu-r7 reopened this Nov 16, 2018

@wvu-r7 wvu-r7 changed the title from Limit session_compatible? check to post modules to Exclude ARCH_CMD modules from session_compatible? check Nov 16, 2018

Exclude ARCH_CMD modules, not local exploits
We don't want to lose SessionTypes. Brain fart.

@wvu-r7 wvu-r7 force-pushed the wvu-r7:bug/post branch from 6fa78a4 to a58a916 Nov 16, 2018

@wvu-r7 wvu-r7 added the delayed label Nov 16, 2018

wvu-r7 added some commits Nov 16, 2018

@wvu-r7 wvu-r7 removed the delayed label Nov 16, 2018

@wvu-r7 wvu-r7 changed the title from Exclude ARCH_CMD modules from session_compatible? check to Rework session_compatible? check in post mixin, excluding ARCH_CMD modules Nov 16, 2018

@busterb

Contributor

busterb commented Nov 19, 2018

The new logic makes sense to me, assuming self.platform.supports? is not a lie.
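The decision order this thread converges on (always enforce SessionTypes, but skip the platform/arch comparison for ARCH_CMD modules) can be modelled in a few lines. The following is an added illustration, not Metasploit's own implementation: modules are plain hashes, sessions are a Struct, and the `legacy_session_compatible?` helper only exists to show the false warning from the PR description.

```ruby
# Added example, not Metasploit's code: a minimal model of the reworked
# session_compatible? check. Assumptions: a module is a Hash with
# 'SessionTypes', 'Platform' and 'Arch' keys; a session is a Struct with
# type, platform and arch. Real Metasploit uses richer objects, but the
# decision order is what this PR is about.
ARCH_CMD = 'cmd'

Session = Struct.new(:type, :platform, :arch)

# Session type is always enforced: local exploits that need an
# interactive command shell (see the SessionTypes grep above) keep working.
def session_type_ok?(mod, session)
  types = Array(mod['SessionTypes'])
  types.empty? || types.include?(session.type)
end

# ARCH_CMD modules run a command through whatever the session offers,
# so the session's own platform/arch say nothing about compatibility.
def arch_cmd?(mod)
  Array(mod['Arch']).include?(ARCH_CMD)
end

def platform_arch_ok?(mod, session)
  platforms = Array(mod['Platform'])
  archs     = Array(mod['Arch'])
  (platforms.empty? || platforms.include?(session.platform)) &&
    (archs.empty? || archs.include?(session.arch))
end

# Pre-rework behaviour, modelled for contrast: platform/arch are compared
# for every module, so a 'unix' ARCH_CMD module is flagged against an
# x64/linux session even though it would run fine.
def legacy_session_compatible?(mod, session)
  session_type_ok?(mod, session) && platform_arch_ok?(mod, session)
end

# Reworked check: SessionTypes first, then bail out early for ARCH_CMD.
def session_compatible?(mod, session)
  return false unless session_type_ok?(mod, session)
  return true if arch_cmd?(mod)          # the fix: no platform/arch check here
  platform_arch_ok?(mod, session)
end

# Constructed sample data: an exim-style ARCH_CMD local exploit, a
# shell-only local exploit, and the x64/linux meterpreter session above.
EXIM_LIKE  = { 'Platform' => ['unix'], 'Arch' => [ARCH_CMD],
               'SessionTypes' => ['shell', 'meterpreter'] }
SHELL_ONLY = { 'Platform' => ['linux'], 'Arch' => ['x86', 'x64'],
               'SessionTypes' => ['shell'] }
METERPRETER_X64 = Session.new('meterpreter', 'linux', 'x64')
```

Running `session_compatible?(EXIM_LIKE, METERPRETER_X64)` returns true where the legacy model returns false, while `SHELL_ONLY` is still rejected for a meterpreter session.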

@wvu-r7 wvu-r7 force-pushed the wvu-r7:bug/post branch from a66fc89 to 4726c58 Nov 19, 2018

@bcook-r7 bcook-r7 merged commit 4726c58 into rapid7:master Nov 19, 2018

2 of 3 checks passed

Metasploit Automation - Sanity Test Execution Failed to pass tests.
Metasploit Automation - Test Execution Successfully completed all tests.
continuous-integration/travis-ci/pr The Travis CI build passed

bcook-r7 pushed a commit that referenced this pull request Nov 19, 2018

msjenkins-r7 added a commit that referenced this pull request Nov 19, 2018

@busterb

Contributor

busterb commented Nov 19, 2018

Release Notes

This improves session / module compatibility checking to have fewer false warnings about session incompatibility.

@wvu-r7 wvu-r7 deleted the wvu-r7:bug/post branch Nov 19, 2018

@gdavidson-r7 gdavidson-r7 added the rn-fix label Dec 5, 2018
