
Implement "set PAYLOAD" by index #12126

Merged
merged 3 commits into rapid7:master from wvu-r7:feature/payloads Jul 31, 2019

Conversation

@wvu-r7
Contributor

commented Jul 24, 2019

Addresses https://twitter.com/drezdenkodex/status/1154094332514721793 and fixes #11529, I hope!

msf5 > use modcopy

Matching Modules
================

   #  Name                                   Disclosure Date  Rank       Check  Description
   -  ----                                   ---------------  ----       -----  -----------
   0  exploit/unix/ftp/proftpd_modcopy_exec  2015-04-22       excellent  Yes    ProFTPD 1.3.5 Mod_Copy Command Execution


[*] Using exploit/unix/ftp/proftpd_modcopy_exec
msf5 exploit(unix/ftp/proftpd_modcopy_exec) > show payloads

Compatible Payloads
===================

   #  Name                         Disclosure Date  Rank    Check  Description
   -  ----                         ---------------  ----    -----  -----------
   0  cmd/unix/bind_awk                             normal  No     Unix Command Shell, Bind TCP (via AWK)
   1  cmd/unix/bind_perl                            normal  No     Unix Command Shell, Bind TCP (via Perl)
   2  cmd/unix/bind_perl_ipv6                       normal  No     Unix Command Shell, Bind TCP (via perl) IPv6
   3  cmd/unix/generic                              normal  No     Unix Command, Generic Command Execution
   4  cmd/unix/reverse_awk                          normal  No     Unix Command Shell, Reverse TCP (via AWK)
   5  cmd/unix/reverse_perl                         normal  No     Unix Command Shell, Reverse TCP (via Perl)
   6  cmd/unix/reverse_perl_ssl                     normal  No     Unix Command Shell, Reverse TCP SSL (via perl)
   7  cmd/unix/reverse_python                       normal  No     Unix Command Shell, Reverse TCP (via Python)
   8  cmd/unix/reverse_python_ssl                   normal  No     Unix Command Shell, Reverse TCP SSL (via python)

msf5 exploit(unix/ftp/proftpd_modcopy_exec) > set payload 0
payload => cmd/unix/bind_awk
msf5 exploit(unix/ftp/proftpd_modcopy_exec) > options

Module options (exploit/unix/ftp/proftpd_modcopy_exec):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target address range or CIDR identifier
   RPORT      80               yes       HTTP port (TCP)
   RPORT_FTP  21               yes       FTP port
   SITEPATH   /var/www         yes       Absolute writable website path
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Base path to the website
   TMPPATH    /tmp             yes       Absolute writable path
   VHOST                       no        HTTP server virtual host


Payload options (cmd/unix/bind_awk):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LPORT  4444             yes       The listen port
   RHOST                   no        The target address


Exploit target:

   Id  Name
   --  ----
   0   ProFTPD 1.3.5


msf5 exploit(unix/ftp/proftpd_modcopy_exec) >

#11652, #11724, #11819, #11880, #12023
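As an added example (not the PR's own code, which lives in the console command dispatcher), this is the lookup that `set payload 0` performs in miniature: the value is resolved either as a module name or as an index into the list that `show payloads` printed, after a platform/arch filter of the kind wvu-r7 raises later in the thread has narrowed the candidates. The payload list and its platform/arch tags are constructed, and `resolve_payload` and `compatible_with` are hypothetical helpers, not Metasploit API.

```ruby
# Added example, not Metasploit's own code: resolve the value given to
# "set payload" as a module name or as an index into the list that
# "show payloads" printed, after narrowing candidates by platform/arch.

# Constructed sample of the list shown in the PR description. The
# platform/arch tags are assumed for illustration, and the last entry is
# added only to give the compatibility filter something to reject.
COMPATIBLE_PAYLOADS = [
  { name: 'cmd/unix/bind_awk',           platform: 'unix',  arch: 'cmd' },
  { name: 'cmd/unix/bind_perl',          platform: 'unix',  arch: 'cmd' },
  { name: 'cmd/unix/bind_perl_ipv6',     platform: 'unix',  arch: 'cmd' },
  { name: 'cmd/unix/generic',            platform: 'unix',  arch: 'cmd' },
  { name: 'linux/x86/shell_reverse_tcp', platform: 'linux', arch: 'x86' }
].freeze

# Returns the payload name selected by +val+, or nil if it does not resolve.
# +val+ is the raw string typed after "set payload": a full module name, or
# a decimal index into +list+ in the order "show payloads" displayed it.
def resolve_payload(val, list)
  val = val.to_s.strip
  if val.match?(/\A\d+\z/)
    entry = list[Integer(val, 10)]  # Array#[] yields nil past the end
    return entry && entry[:name]
  end
  entry = list.find { |p| p[:name] == val }
  entry && entry[:name]
end

# Keeps only payloads whose platform and arch match the active module's
# target, so a selected name or index cannot land on a payload the
# target cannot run.
def compatible_with(list, platform:, arch:)
  list.select { |p| p[:platform] == platform && p[:arch] == arch }
end

if __FILE__ == $PROGRAM_NAME
  unix = compatible_with(COMPATIBLE_PAYLOADS, platform: 'unix', arch: 'cmd')
  puts resolve_payload('0', unix)          # cmd/unix/bind_awk
  puts resolve_payload('4', unix).inspect  # nil: index 4 exists only unfiltered
end
```

Because the index is positional, its meaning depends on the list it is resolved against: index 4 exists in the unfiltered list but not in the filtered one, which is why the filter must run before the lookup rather than after it.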

@wvu-r7 wvu-r7 force-pushed the wvu-r7:feature/payloads branch from 3acb901 to 40b040b Jul 25, 2019

@wvu-r7 wvu-r7 changed the title from "[WIP] Implement "set PAYLOAD" by index" to "Implement "set PAYLOAD" by index" Jul 25, 2019

@wvu-r7 wvu-r7 removed the delayed label Jul 25, 2019

@wvu-r7 wvu-r7 marked this pull request as ready for review Jul 25, 2019

@jmartin-r7 jmartin-r7 added the msf5 label Jul 25, 2019

@jmartin-r7

Contributor

commented Jul 25, 2019

Labeled as msf5 due to interactions with evasion. This can be backported manually after it lands.

@wvu-r7

Contributor Author

commented Jul 25, 2019

Ah, that's fair. I noticed some missing evasion checks and added them. I assume anything even referencing an MSF5 feature needs to be labeled as such?

lib/msf/ui/console/command_dispatcher/common.rb (Outdated)
#
# TODO: Move this out of the console driver!
#
def handle_payload(val)
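Review bot: the TODO above handle_payload names neither a tracking issue nor a destination, and since this PR deliberately moves the method out of on_variable_set while leaving it in the console driver, the comment will go stale quickly. Suggest linking the follow-up refactor discussed here (taking active_module and framework as parameters) in the TODO text, e.g. `# TODO: Move this out of the console driver (see follow-up refactor discussed in #12126)!`.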

@jmartin-r7

jmartin-r7 Jul 25, 2019

Contributor

I like this refactor! 👍

If this also took active_module and maybe even framework as parameters it becomes easier to move somewhere else. Although since it creates side-effects on these params it might need more thought.

@wvu-r7

wvu-r7 Jul 25, 2019

Author Contributor

Yeah, not sure about this one yet, since I simply moved it out of on_variable_set like the others. I don't like how the console driver is doing all these things, but that's another refactor for the future.

@wvu-r7

wvu-r7 Jul 25, 2019

Author Contributor

It should also be noted that is_payload_compatible? is not the same as checking compatible_payloads, so things like platform and arch aren't matched on.

So, it has been and still is possible to set a Linux payload on ms17_010_eternalblue, for instance. Not a fan of this behavior, so maybe we can leverage compatible_payloads here after #11768.

I'd rather do it in a separate PR.

elsif active_module && (active_module.exploit? || active_module.evasion?)
return false unless active_module.is_payload_compatible?(val)
elsif active_module
active_module.datastore.clear_non_user_defined
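Review bot: `return false unless active_module.is_payload_compatible?(val)` rejects the payload silently, so a user who typed `set payload 0` and was refused gets no message explaining why the datastore did not change. Suggest printing an error naming the payload and the active module before returning false. The `elsif active_module` branch that follows reaches `clear_non_user_defined` for every other module type, which the thread identifies as the origin of #11529, so a one-line comment on why that branch is still correct here would help.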

@wvu-r7

wvu-r7 Jul 25, 2019

Author Contributor

#11529 happened here.

def import_target_defaults
return unless target && target.default_options

datastore.import_options_from_hash(target.default_options, true, 'self')
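Review bot: the positional arguments `true, 'self'` to import_options_from_hash are opaque at the call site, and the thread says the `'self'` value is what fixes #11529, so a short comment stating what that third argument marks would spare the next reader a trip into the datastore implementation. Suggest documenting it on the line above the call.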

@wvu-r7

wvu-r7 Jul 25, 2019

Author Contributor

#11529 should be fixed with self.

Update method name for indexing from a list
Module-specific code was moved back into modules.rb and core.rb.

@jmartin-r7 jmartin-r7 merged commit da18850 into rapid7:master Jul 31, 2019

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

jmartin-r7 added a commit that referenced this pull request Jul 31, 2019

@jmartin-r7

Contributor

commented Jul 31, 2019

Release Notes

You can now set a payload using the index reported by show payloads.

@wvu-r7 wvu-r7 deleted the wvu-r7:feature/payloads branch Jul 31, 2019

jmartin-r7 added a commit that referenced this pull request Jul 31, 2019
