
Fix payloads not being encoded in exploits when BadChars contains whitespace #14002

Merged
merged 1 commit into from
Aug 15, 2020

@wvu wvu commented Aug 15, 2020

msfvenom is not affected by this regression due to its separate pre-flight checks.

wvu@kharak:~/rapid7/metasploit-framework:master$ ./msfvenom -p cmd/unix/generic -b " " CMD="uname -a"
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
Found 5 compatible encoders
Attempting to encode payload with 1 iterations of cmd/echo
cmd/echo succeeded with size 61 (iteration=0)
cmd/echo chosen with final size 61
Payload size: 61 bytes
/bin/echo${IFS}-ne${IFS}'\x75\x6e\x61\x6d\x65\x20\x2d\x61'|sh
wvu@kharak:~/rapid7/metasploit-framework:master$

Verification

See #13415. Test with whitespace.

Testing

msf6 exploit(multi/misc/ibm_tm1_unauth_rce) > git diff
[*] exec: git diff

diff --git a/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb b/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb
index ba475e14d9..5a1fa69989 100644
--- a/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb
+++ b/modules/exploits/multi/misc/ibm_tm1_unauth_rce.rb
@@ -76,8 +76,8 @@ class MetasploitModule < Msf::Exploit::Remote
               'Arch'      => [ARCH_CMD],
               'Payload'   =>
               {
-                # only one bad char in Linux, baby! (that we know of...)
-                'BadChars'  => "\x27",
+                # lol
+                'BadChars'  => "\x20",
               }
             }
           ],
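Review bot: the replacement comment `# lol` on the `'BadChars'` line drops the only documentation that line had; even for a local reproduction it is worth keeping a note that `"\x20"` is the space character and that the change exists only to exercise the whitespace-only BadChars path, so nobody mistakes it for a real change to the module's bad-character set.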
@@ -390,6 +390,8 @@ class MetasploitModule < Msf::Exploit::Remote
   end

   def exploit
+    return p payload.encoded
+
     # first let's check if SRVHOST is valid
     if datastore['SRVHOST'] == "0.0.0.0"
       fail_with(Failure::Unknown, "Please enter a valid IP address for SRVHOST")
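Review bot: `return p payload.encoded` as the first statement of `exploit` short-circuits the whole method, so the SRVHOST validation and everything after it never run. That is fine as a throwaway way to print the encoded payload while reproducing the bug, but it must not be committed with the module; a `print_status(payload.encoded)` without the early `return` would show the same string while leaving the exploit flow intact.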
msf6 exploit(multi/misc/ibm_tm1_unauth_rce) >

master

msf6 exploit(multi/misc/ibm_tm1_unauth_rce) > rerun
[*] Reloading module...

[+] uname -a
"uname -a"
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/ibm_tm1_unauth_rce) >

Patch

msf6 exploit(multi/misc/ibm_tm1_unauth_rce) > rerun
[*] Reloading module...

[+] uname -a
"/bin/echo${IFS}-ne${IFS}'\\x75\\x6e\\x61\\x6d\\x65\\x20\\x2d\\x61'|sh"
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/ibm_tm1_unauth_rce) >

Fixes #13415. Needed in #14000.

@wvu wvu requested a review from acammack-r7 August 15, 2020 01:17
@pbarry-r7 pbarry-r7 self-assigned this Aug 15, 2020
@wvu wvu marked this pull request as draft August 15, 2020 01:35
@wvu wvu changed the title Fix encoding when BadChars contains whitespace Fix payload encoding in exploits when BadChars contains whitespace Aug 15, 2020
@pbarry-r7 pbarry-r7 removed their assignment Aug 15, 2020
@wvu wvu changed the title Fix payload encoding in exploits when BadChars contains whitespace Fix payloads not being encoded in exploits when BadChars contains whitespace Aug 15, 2020
@wvu wvu marked this pull request as ready for review August 15, 2020 01:52
@pbarry-r7 pbarry-r7 self-assigned this Aug 15, 2020
@acammack-r7 acammack-r7 left a comment

Not sure how I blanked out about whitespace-only badchar sets. LGTM 👍

@pbarry-r7 pbarry-r7 left a comment

Code LGTM, tests well:

Original:

msf6 exploit(multi/misc/ibm_tm1_unauth_rce) > set target 3
target => 3
msf6 exploit(multi/misc/ibm_tm1_unauth_rce) > set cmd uname -a
cmd => uname -a
msf6 exploit(multi/misc/ibm_tm1_unauth_rce) > run
"uname -a"

New+improved:

msf6 exploit(multi/misc/ibm_tm1_unauth_rce) > set target 3
target => 3
msf6 exploit(multi/misc/ibm_tm1_unauth_rce) > set cmd uname -a
cmd => uname -a
msf6 exploit(multi/misc/ibm_tm1_unauth_rce) > run
"/bin/echo${IFS}-ne${IFS}'\\x75\\x6e\\x61\\x6d\\x65\\x20\\x2d\\x61'|sh"

@pbarry-r7 pbarry-r7 merged commit db38cce into rapid7:master Aug 15, 2020

wvu commented Aug 15, 2020

Just to prove that encoding is still smart:

msf6 exploit(multi/misc/ibm_tm1_unauth_rce) > rerun
[*] Reloading module...

[+] id
"id"
[*] Exploit completed, but no session was created.
msf6 exploit(multi/misc/ibm_tm1_unauth_rce) >

It won't encode unconditionally, so #13415 still holds.
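The two behaviours shown in this thread (a whitespace-only BadChars set being ignored before the fix, and `id` still going out unencoded after it) both come down to how the bad-character set is tested before encoding. The Ruby below is an added example, not Metasploit's own code: `whitespace_blank?`, `bad_bytes_in`, `encode_needed_naive?` and `encode_needed?` are hypothetical helpers, the `RAW`/`ENCODED` samples are the strings printed above, and ActiveSupport's `String#blank?` is modelled locally rather than required.

```ruby
# Added example (not Metasploit's code): why a whitespace-only BadChars set
# must not be treated as "no bad characters".
#
# ActiveSupport's String#blank? returns true for strings made only of
# whitespace, so a guard along the lines of "skip encoding if BadChars is
# blank" silently does nothing when BadChars is " " (0x20). The helpers
# below contrast that guard with a byte-wise check.

# Simplified stand-in for ActiveSupport's String#blank? (assumption: we avoid
# the dependency; the real method also treats nil and "" as blank).
def whitespace_blank?(str)
  str.nil? || str.strip.empty?
end

# Bad bytes present in the payload, computed on raw bytes, never on a
# trimmed string, so 0x20 counts like any other byte.
def bad_bytes_in(payload, badchars)
  payload.bytes & badchars.bytes
end

# Naive guard (the regression): encoding is skipped when BadChars "looks
# blank", which is true for a set consisting only of whitespace.
def encode_needed_naive?(payload, badchars)
  !whitespace_blank?(badchars)
end

# Corrected guard: encode whenever the payload actually contains a byte from
# the BadChars set; an empty set or a clean payload still needs no encoding,
# which is the "encoding is still smart" property from the last comment.
def encode_needed?(payload, badchars)
  return false if badchars.nil? || badchars.empty?
  !bad_bytes_in(payload, badchars).empty?
end

# Samples taken from the PR output above (labelled constants, not live data).
RAW      = "uname -a"
ENCODED  = %q{/bin/echo${IFS}-ne${IFS}'\x75\x6e\x61\x6d\x65\x20\x2d\x61'|sh}
BADCHARS = "\x20"

if __FILE__ == $0
  puts "naive guard encodes 'uname -a'?     #{encode_needed_naive?(RAW, BADCHARS)}"
  puts "byte-wise guard encodes 'uname -a'? #{encode_needed?(RAW, BADCHARS)}"
  puts "byte-wise guard encodes 'id'?       #{encode_needed?('id', BADCHARS)}"
  puts "cmd/echo output free of bad bytes?  #{bad_bytes_in(ENCODED, BADCHARS).empty?}"
end
```

Running the script prints `false`, `true`, `false`, `true` in that order: the naive guard reproduces the regression, the byte-wise guard encodes `uname -a` but leaves `id` alone, and the cmd/echo output shown in the PR contains no 0x20 byte.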

@wvu wvu deleted the bug/badchars branch August 15, 2020 02:23

wvu commented Aug 17, 2020

Release Notes

Fixed a regression in payload encoding where whitespace bad characters were not being encoded away.

@adfoster-r7 adfoster-r7 added the rn-fix release notes fix label Aug 24, 2020