Fix missing return in HTTP CmdStagers #18030

Merged 1 commit on May 30, 2023

@wvu (Contributor) commented May 26, 2023

Fetch payloads are cooler, but this was missed in #13426. (Edit: Because I'm a big dummy.)

FWIW, the client doesn't actually receive the payload. You can test with curl -A or wget -U and a CmdStager exploit.

Fetch payloads are cooler, but this was missed in rapid7#13426.
@@ -42,7 +42,7 @@ def on_request_uri(cli, request)

unless user_agent =~ agent_regex
print_status("Sending 404 to #{client}")
send_not_found(cli)
return send_not_found(cli)
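
Review bot: The early exit in the "unless user_agent =~ agent_regex" branch has no regression test shown alongside it, and the description says the missing return went unnoticed since #13426. A spec that drives on_request_uri with a non-matching User-Agent and asserts that the 404 is sent and nothing after this branch runs would keep it from silently regressing. On style, "return send_not_found(cli)" ties the handler's return value to whatever send_not_found returns; if nothing consumes that value, calling send_not_found(cli) and then a bare return on the next line states the intent more plainly.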
Contributor Author

It's on the same line because why not. Similar return value.

@wvu (Contributor Author) commented May 26, 2023

Should we deprecate this whole feature?

@sempervictus (Contributor)

Don't think we should deprecate: there's a slew of weird targets with strange constraints out there - so long as the code maintenance burden isn't overly cumbersome, my take is to keep legacy mechanisms available for academic reasons if nothing else.

@gwillcox-r7 (Contributor)

Simple change be simple. Nice job fixing this! 👍

@gwillcox-r7 gwillcox-r7 self-assigned this May 30, 2023
@gwillcox-r7 gwillcox-r7 added bug rn-fix release notes fix labels May 30, 2023
@gwillcox-r7 gwillcox-r7 merged commit 3d63d0b into rapid7:master May 30, 2023
30 checks passed
@gwillcox-r7 (Contributor) commented May 30, 2023

Release Notes

A missing return statement was added into lib/msf/core/exploit/cmd_stager/http.rb to fix a Ruby syntax error when attempting to handle a 404 not found case.

@wvu wvu deleted the patch-1 branch May 30, 2023 19:00
Labels
bug library rn-fix release notes fix