
throw exception on actual payload size violation, not formatted output size #11821

Merged
merged 2 commits into from May 9, 2019

Conversation

@busterb
Contributor

commented May 7, 2019

If you generate a size-constrained formatted payload with msfvenom, you can get confusing errors like so:

$ ./msfvenom -s 57 -p linux/x86/shell_bind_tcp_random_port -f elf -o test.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 57 bytes
Error: The payload exceeds the specified space

Here I said I wanted a 57-byte payload, the payload was 57 bytes, and it still failed. What we're looking at is the formatted output, which isn't actually related to payload size. For a more extreme example, look at the 'C' format, which definitely is unrelated.

This changes the failure mode to look at the encoded payload binary rather than the formatted output before throwing a size exception.

$ ./msfvenom -s 57 -p linux/x86/shell_bind_tcp_random_port -f elf -o test.elf
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 57 bytes
Final size of elf file: 141 bytes
Saved as: test.elf

Verification

List the steps needed to make sure this thing works

  • Generate payloads with constrained size above with msfvenom, using a format other than 'raw'
  • Verify that the payload is generated, and actually fails only if the payload is bigger than specified, not the formatted output.
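The size-check change the description explains, as an added Ruby illustration that is not msfvenom's code or this PR's diff: the two formatters, the 84-byte stand-in header, the `PayloadSpaceError` class and the 57-byte filler payload are constructed assumptions, chosen so the numbers line up with the run shown above.

```ruby
# Added illustration of the bug this PR describes; not msfvenom's code.
# The formatters, the stand-in ELF header and the error class are constructed.
class PayloadSpaceError < StandardError; end

# 'C' style output: a hex-escaped string literal, far longer than the bytes it carries.
def format_c(raw)
  body = raw.bytes.map { |b| format('\\x%02x', b) }.join
  "unsigned char buf[] =\n\"#{body}\";\n"
end

# Stand-in for a container format such as 'elf': an 84-byte constructed
# header (not a real ELF header) prepended to the raw bytes.
def format_elf(raw)
  "\x7fELF".b + ("\x00".b * 80) + raw
end

FORMATTERS = {
  'raw' => ->(raw) { raw },
  'c'   => method(:format_c),
  'elf' => method(:format_elf)
}.freeze

# Old behaviour: the -s check was applied to the formatted output, so any
# format other than 'raw' inflated the measured size and tripped the check.
def generate_old(raw, fmt, space)
  out = FORMATTERS.fetch(fmt).call(raw)
  raise PayloadSpaceError, 'The payload exceeds the specified space' if space && out.bytesize > space
  out
end

# Fixed behaviour: check the raw (encoded) payload, which is what -s
# constrains, and only then format it; the formatted size is reported separately.
def generate_new(raw, fmt, space)
  raise PayloadSpaceError, 'The payload exceeds the specified space' if space && raw.bytesize > space
  FORMATTERS.fetch(fmt).call(raw)
end

# true when the chosen check (:old or :new) rejects the payload
def fails_size_check?(raw, fmt, space, mode)
  mode == :old ? generate_old(raw, fmt, space) : generate_new(raw, fmt, space)
  false
rescue PayloadSpaceError
  true
end

if __FILE__ == $PROGRAM_NAME
  payload = "\x90".b * 57 # constructed 57-byte stand-in for the payload
  puts "elf at -s 57: old check rejects=#{fails_size_check?(payload, 'elf', 57, :old)}, " \
       "new check rejects=#{fails_size_check?(payload, 'elf', 57, :new)}"
  puts "Final size of elf file: #{generate_new(payload, 'elf', 57).bytesize} bytes"
end
```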
@busterb

Contributor Author

commented May 7, 2019

With the original behavior, I found that almost no dynamic-size generating payload was actually possible to generate in its 'small' version without using the 'raw' format.

make encoded payloads a little less special-case
Just operate on the raw_payload buffer so we always have the same thing to look
at at the end of generation.

@busterb busterb requested a review from asoto-r7 May 8, 2019

@asoto-r7

Contributor

commented May 9, 2019

I agree the old output was confusing. 👍

@asoto-r7 asoto-r7 merged commit 745645d into rapid7:master May 9, 2019

2 of 3 checks passed

  • Metasploit Automation - Sanity Test Execution: Build triggered for merge commit.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed

asoto-r7 added a commit that referenced this pull request May 9, 2019

msjenkins-r7 added a commit that referenced this pull request May 9, 2019
