Ensure metasploit rpc service is warmed and healthy up before accepting requests #15022


@adfoster-r7 adfoster-r7 commented Apr 9, 2021

Before

The metasploit service boots up, and defers creating a framework object until the first request to the running RPC service is received. This then triggers database connections, migrations, etc, which can raise errors:

After

The Sinatra application is first warmed up and verified to have booted successfully before attempting to bind the RPC service on the host and allow connections.

Verification

Run the application and ensure it works:

bundle exec thin --rackup msf-json-rpc.ru --address 0.0.0.0 --port 8081 --environment production --tag msf-json-rpc start

With Puma:

bundle exec puma msf-json-rpc.ru --port 8081 --environment production --tag msf-json-rpc start

Now break something within the RPC service; the easiest solution is modifying anywhere in framework to raise an unexpected exception. I divided by zero in the core/framework.rb initialize method, for instance:

bundle exec thin --rackup msf-json-rpc.ru --address 0.0.0.0 --port 8081 --environment production --tag msf-json-rpc start

[-] There was an error executing the RPC: divided by 0.
    Call Stack:
...
msf-json-rpc.ru:52:in `block (2 levels) in <main>': Metasploit JSON RPC did not successfully start up. Unexpected response returned: {"jsonrpc":"2.0","error":{"code":-32603,"message":"Internal JSON-RPC error: divided by 0"},"id":null} (RuntimeError)

Ensure that curl requests still work:

curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'Content-Type: application/json' \
  --data '{
        "jsonrpc": "2.0",
        "method": "db.workspaces",
        "id": 1,
        "params": []
}'

Curling the health check:

curl --request POST \
  --url http://localhost:8081/api/v1/json-rpc \
  --header 'Content-Type: application/json' \
  --data '{
        "jsonrpc": "2.0",
        "method": "health.check",
        "id": 1,
        "params": []
}'

Verifying RPC client

Run the server:

bundle exec ruby ./msfrpcd -P foo -f

[*] MSGRPC starting on 0.0.0.0:55553 (SSL):Msg...
[*] MSGRPC ready at 2021-04-14 23:28:04 +0100.

Connect with the client and confirm that the new method works as expected:

bundle exec ruby ./msfrpc -P foo -a 127.0.0.1
rpc.call('health.check')[*] The 'rpc' object holds the RPC client interface
[*] Use rpc.call('group.command') to make RPC calls

>> rpc.call('health.check')
=> {"status"=>"UP"}

@adfoster-r7 adfoster-r7 changed the title Ensure meatsploit rpc service is warmed and healthy up before accepting requests Ensure metasploit rpc service is warmed and healthy up before accepting requests Apr 9, 2021
@cgranleese-r7 cgranleese-r7 self-assigned this Apr 14, 2021
@adfoster-r7 adfoster-r7 force-pushed the ensure-metasploit-rpc-service-is-warmed-up branch 10 times, most recently from bc835a0 to 12f2ffe Compare April 16, 2021 00:38
@adfoster-r7 adfoster-r7 force-pushed the ensure-metasploit-rpc-service-is-warmed-up branch from 12f2ffe to c92ee4a Compare April 16, 2021 00:45
@adfoster-r7 adfoster-r7 force-pushed the ensure-metasploit-rpc-service-is-warmed-up branch from c92ee4a to 7fe97cf Compare April 16, 2021 00:59
@adfoster-r7

@msjenkins-r7 retest this please

@cgranleese-r7

Before

image

After

Ran the application and everything works as expected:

image

Ran with Puma:

image

Breaking something within the rpc service:

image

Ensure that curl requests still work:

image

Curling the health check:

image

Run the server:

image

Connect with the client and confirm that the new method works as expected:

image

All looks good to me 👍

@cgranleese-r7 cgranleese-r7 merged commit 1745bda into rapid7:master Apr 16, 2021
@cgranleese-r7 cgranleese-r7 added the rn-fix release notes fix label Apr 16, 2021

cgranleese-r7 commented Apr 16, 2021

Release Notes

Fixed errors which could occur on the first call to the Metasploit JSON RPC service. Now we ensure that the Metasploit JSON RPC service is warmed up and healthy before accepting requests.
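
An added example (not code from this pull request or from Metasploit) of the warm-up pattern the description explains: one `health.check` JSON-RPC request is sent through a Rack-style app in-process, and startup is refused unless the reply reports UP. `build_app`, `warm_up!`, the framework factory lambdas and the JSON-RPC result shape are assumptions made for illustration.

```ruby
require 'json'
require 'stringio'

# Hypothetical stand-in for the real application: a Rack-style callable whose
# expensive setup (the lazily built "framework") only runs on the first request.
def build_app(framework_factory)
  framework = nil
  lambda do |env|
    request = JSON.parse(env['rack.input'].read)
    begin
      framework ||= framework_factory.call
      body = { jsonrpc: '2.0', result: { status: 'UP' }, id: request['id'] }
    rescue StandardError => e
      body = { jsonrpc: '2.0', id: nil,
               error: { code: -32603, message: "Internal JSON-RPC error: #{e.message}" } }
    end
    [200, { 'Content-Type' => 'application/json' }, [JSON.generate(body)]]
  end
end

# Send one health.check through the app in-process, before any socket is bound.
# Raises unless the app reports UP, so a broken service never starts listening.
def warm_up!(app)
  payload = JSON.generate(jsonrpc: '2.0', method: 'health.check', id: 1, params: [])
  env = { 'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/api/v1/json-rpc',
          'CONTENT_TYPE' => 'application/json', 'rack.input' => StringIO.new(payload) }
  status, _headers, chunks = app.call(env)
  raw = +''
  chunks.each { |chunk| raw << chunk }
  parsed = begin
    JSON.parse(raw)
  rescue JSON::ParserError
    nil
  end
  healthy = status == 200 && parsed.is_a?(Hash) && parsed.dig('result', 'status') == 'UP'
  raise "JSON RPC did not successfully start up. Unexpected response returned: #{raw}" unless healthy
  true
end

if __FILE__ == $PROGRAM_NAME
  puts warm_up!(build_app(-> { :framework })) # healthy app passes the check
  begin
    warm_up!(build_app(-> { 1 / 0 }))         # constructed failure: divide by zero
  rescue RuntimeError => e
    warn e.message
  end
end
```

In a rackup file the call to `warm_up!` would sit before `run`, so the server process exits with the error instead of binding the port.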
