Multiple local exploit suggester enhancements #16413
Conversation
Updates fit the desired functionality. I noted some ideas on approach that are optional and may reduce the need to impact the core post_mixin.rb code.
Was that pihole commit supposed to be in here? Just checking
@@ -37,15 +46,18 @@ def all_platforms | |||
|
|||
def is_module_arch?(mod) | |||
mod_arch = mod.target.arch || mod.arch | |||
mod_arch.include? session.arch | |||
mod_arch.include? session.native_arch | |||
end |
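Review bot: `mod_arch = mod.target.arch || mod.arch` raises NoMethodError when `mod.target` is nil (a module whose target has not been selected yet, which the PR description names as the case that previously produced false "incompatible" verdicts), so guard it, e.g. `mod_arch = mod.target&.arch || mod.arch`; a one-line comment stating why `session.native_arch` is compared rather than `session.arch` would also help, since the Python/Java Meterpreter reasoning only lives in the review discussion.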
Fixes module suggestions for Python/Java meterpreters
@@ -60,8 +72,36 @@ def is_module_platform?(mod) | |||
return false | |||
end | |||
|
|||
def is_session_type_compat?(mod) | |||
mod.session_compatible? session.sid |
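Review bot: `is_session_type_compat?` delegates wholesale to `mod.session_compatible? session.sid`, the post-mixin check the comment below says this module no longer relies on, and the method name promises a narrower session-type comparison than that call performs; if this line is what remains after the change, either narrow the body to comparing the module's session types against the session's type, or rename the method and document what is actually validated here.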
Note we no longer call the post mixin implementation of session_compatible? as the functionality isn't quite right for our use case. It doesn't handle native_arch, or the concept of targets correctly - which this module now does.
This module has also broken in unintended ways when folk change the post_mixin implementation, which we want to avoid. We'll have to circle back and re-evaluate the post_mixin logic individually with these requirements in mind.
result = { | ||
has_check: true, | ||
is_module_platform: (@validate_platform ? is_module_platform?(mod) : true), | ||
is_module_arch: (@validate_arch ? is_module_arch?(mod) : true), |
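Review bot: when `@validate_arch` or `@validate_platform` is switched off, `is_module_arch:` / `is_module_platform:` are recorded as `true`, so the valid/invalid tables cannot distinguish a module that passed the check from one whose check was skipped; consider recording `nil` (or an explicit "skipped" marker) for a disabled check so the verbose output stays honest, and, as the comment below notes, the keys describe the session rather than the module (`is_session_arch`, `is_session_platform`).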
not a blocker: This should probably be is_session_arch / is_session_platform
I like that the incompatible table makes it very easy to identify that our session compatibility checks are still a bit too weak. For instance with a windows powershell session:
The exploit suggester won't run modules which only specify a sessiontype of
Not a massive deal since 99.9% of our Windows LPEs are Meterpreter only
Release Notes
Updates the
This PR requires rapid7/metasploit-payloads#570 to ensure Python Meterpreter compatibility.
This PR also moves the `get_drives` function to `windows.rb`, which prevents issues such as #15949 where many modules were not checked as they were reported as `incompatible` due to missing Railgun.
This PR also adds in advanced options that allow the user to specify if different parameters should be validated, e.g. `ValidateArch`, `ValidatePlatform`, and `ValidateMeterpreterCommands`.
It also adds in `valid` and `invalid` tables that store the modules which were and weren't tried against the current session. This is color-coded by default and can be configured or disabled to improve visual clarity. It also adds a real-time counter of how many exploits are being tried, to show the user that the module is doing something.
It uses the `native_arch` functionality rather than `arch` as that was found to be more reliable. Python's `arch` was being reported as `Python`, which no modules considered viable.
We no longer rely on the `session_incompatibility_reasons` from the `post_mixin.rb`, as we have realised that wasn't covering all bases. For example, it wasn't setting the module target at all, meaning some exploits could be marked as unwanted as the target architecture/platform could be mismatched. Instead, the setting of targets and validation of modules is done in the exploit suggester itself, and the solution implemented is more robust.
Tested against Kali, using Mettle, Java and Python Meterpreter.
Verification
msfconsole -q
use payload/linux/x64/meterpreter/reverse_tcp
set lhost {lhost}
generate -f elf -o mettle.elf
(We use Mettle here as it has no Railgun support.)
chmod +x mettle.elf
./mettle.elf on a Kali machine and get a session
use post/multi/recon/local_exploit_suggester
run session=-1 validatearch=true validateplatform=true validatemeterpretercommands=true
`valid`,
run session=-1 verbose=true
Before
After
Without validation checks
With validation checks
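As an added example (not code from this PR or from Metasploit itself), a stand-alone Ruby model of the compatibility decision the description sets out: pick a target first, compare `native_arch` rather than `arch`, treat a switched-off validate option as passed, and sort modules into valid and invalid tables with the reason for each rejection. `Session`, `Target`, `Mod`, `SuggesterModel` and the sample modules are names constructed for this illustration, standing in for Msf::Session and Msf::Module.

```ruby
# Added illustration, not the Metasploit code: plain structs stand in for
# Msf::Session / Msf::Module so the check runs stand-alone.
Session = Struct.new(:type, :arch, :native_arch, :platform, keyword_init: true)
Target  = Struct.new(:arch, :platform, keyword_init: true)
Mod     = Struct.new(:name, :arch, :platform, :targets, :session_types, keyword_init: true)

class SuggesterModel
  def initialize(session, validate_arch: true, validate_platform: true)
    @session = session
    @validate_arch = validate_arch
    @validate_platform = validate_platform
  end
  # Compare native_arch, not arch: a Python Meterpreter reports arch "python"
  # but native_arch "x64", which is what LPE modules list. A target's own
  # arch/platform list wins over the module-wide one; nil target means no target.
  def arch_ok?(mod, target)
    (target&.arch || mod.arch).include?(@session.native_arch)
  end
  def platform_ok?(mod, target)
    (target&.platform || mod.platform).include?(@session.platform)
  end
  # Select a target before comparing (unset targets gave false "incompatible"
  # verdicts); a disabled check counts as passed, like ValidateArch/ValidatePlatform.
  def reasons_for(mod)
    target = mod.targets.find { |t| arch_ok?(mod, t) && platform_ok?(mod, t) }
    reasons = []
    reasons << 'session type' unless mod.session_types.include?(@session.type)
    reasons << 'arch' if @validate_arch && !arch_ok?(mod, target)
    reasons << 'platform' if @validate_platform && !platform_ok?(mod, target)
    reasons
  end
  # The two tables the PR prints: { valid: [names], invalid: { name => reasons } }.
  def classify(mods)
    mods.each_with_object({ valid: [], invalid: {} }) do |mod, out|
      r = reasons_for(mod)
      if r.empty? then out[:valid] << mod.name else out[:invalid][mod.name] = r end
    end
  end
end

# Constructed sample: a Python Meterpreter on x64 Linux and three hypothetical modules.
PY_SESSION = Session.new(type: 'meterpreter', arch: 'python', native_arch: 'x64', platform: 'linux')
SAMPLE_MODS = [
  Mod.new(name: 'linux_lpe', arch: %w[x86 x64], platform: ['linux'], session_types: %w[meterpreter shell],
          targets: [Target.new(arch: ['x86']), Target.new(arch: ['x64'])]),
  Mod.new(name: 'win_lpe', arch: ['x64'], platform: ['windows'], targets: [], session_types: ['meterpreter']),
  Mod.new(name: 'shell_only', arch: ['x64'], platform: ['linux'], targets: [], session_types: ['shell'])
]
def demo(validate_arch: true, validate_platform: true)
  SuggesterModel.new(PY_SESSION, validate_arch: validate_arch, validate_platform: validate_platform).classify(SAMPLE_MODS)
end
```

Note that `linux_lpe` would be rejected if the model compared `PY_SESSION.arch` ("python") instead of `native_arch`, which is the failure the PR description reports.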