Fix multiple occurrences of bad pack/unpack specifiers #3484
Ruby treats endianness in pack operators in the opposite way of Python. For example, using `pack('<I')` actually ignores the endianness specifier. These need to be `'I<'` or better yet, `'V'`. The endian specifier must occur after the pack specifier, and multiple instances in meterpreter and exe generation were broken in their usage. The summary:

- Instead of `I`/`L` or `I<` use `V`
- Instead of `I`/`L` or `I>` use `N`
- For `Q`, you need to always use `Q<` (LE) or `Q>` (BE)
- For `c`/`s`/`l`/`i` and other lowercase variants, you probably don't need or want a *signed* value, so stick with `vV`, `nN` and `cC`.

Note that there are some cases of host-endian left; these are intentional because they operate on host-local memory or services. When in doubt, please use:

```
ri pack
```
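The byte-level difference between the fixed-endian directives recommended above and the host-endian ones (`I`, `L`, `Q`) is easiest to see by encoding a known value with each. The following is an added illustration, not code from the pull request or from Metasploit; the helper names (`u32_le`, `host_little_endian?`, `hex`, etc.) are my own:

```ruby
# Added example: fixed-endian vs host-endian pack directives in Ruby.
# None of these helpers exist in Metasploit; they are illustration only.

# Fixed-endian encoders: the bytes are the same on every CPU.
def u16_le(n) [n].pack('v')  end   # 16-bit little-endian
def u16_be(n) [n].pack('n')  end   # 16-bit big-endian
def u32_le(n) [n].pack('V')  end   # same bytes as pack('I<') / pack('L<')
def u32_be(n) [n].pack('N')  end   # same bytes as pack('I>') / pack('L>')
def u64_le(n) [n].pack('Q<') end   # 64-bit has no V/N shorthand: modifier is required
def u64_be(n) [n].pack('Q>') end

# Host-endian encoders: what the buggy call sites effectively produced.
# They only match the little-endian forms above on a little-endian host,
# which is why the bug went unnoticed on x86 but breaks big-endian targets.
def u32_host(n) [n].pack('I') end
def u64_host(n) [n].pack('Q') end   # the "native Q" noted for Railgun

# True when this Ruby is running on a little-endian CPU.
def host_little_endian?
  u32_host(1) == u32_le(1)
end

# Hex dump of a binary string, for readable comparison.
def hex(bytes) bytes.unpack1('H*') end

# Round-trip check: decoding with the matching fixed-endian directive
# must give the original value regardless of host byte order.
def roundtrip_u32_le?(n)
  u32_le(n).unpack1('V') == n
end

if __FILE__ == $0
  v = 0xDEADBEEF
  puts "V  (LE)   : #{hex(u32_le(v))}"    # efbeadde
  puts "N  (BE)   : #{hex(u32_be(v))}"    # deadbeef
  puts "I  (host) : #{hex(u32_host(v))}"  # depends on the CPU this runs on
  puts "Q< (LE)   : #{hex(u64_le(0x0102030405060708))}"
  puts "Q> (BE)   : #{hex(u64_be(0x0102030405060708))}"
  puts "host is little-endian: #{host_little_endian?}"
end
```

Running this on an x86 box prints identical bytes for `V` and `I`, which is exactly why `pack('<I')`, which fell back to host order, looked correct there; the `N`/`Q>` lines show the bytes a big-endian consumer would expect, and the only way to get them on every host is the fixed-endian directive.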
Interesting test failure:
The extra space between LSB/MSB and "executable" is what is causing this test failure. The "corrupted section header size" output appears in the output of master as well. I will double check that master generates the same binaries and then fix the spec instead.
Master does indeed fail with the same spec error. It looks like a change to file(1) output. Correcting the spec but also spot checking the generated binaries in case the corrupted section header size problem is valid.
More proof that master was going to fail this spec and there are no changes to the resulting payloads:
Maybe a note in hacking/contributing/wiki. Wasn't really aware of the issue
@hmoore-r7 The corrupt header size warning is an artifact of how we build ELF files. The binaries should still work and produce sessions.
Also, I really hate those file(1) specs, but we don't have any other reasonable means of ensuring that the generated output isn't completely insane.
Have noticed Railgun uses Native Q:
@hmoore-r7 do you have the regex for this to put into msftidy?
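The thread asks for a lint regex but none is posted. The following is an added sketch of what such a check could look like; it is not the msftidy rule and not part of the pull request, and the regex, the `misplaced_endian?` / `scan_source` helpers and the sample source lines are my own constructions. The idea is simply that in a Ruby pack format a `<` or `>` is only valid directly after a directive letter, so one appearing at the start of the format or after a non-letter is the bug this PR fixed:

```ruby
# Added example: a lint for endian modifiers written before the directive
# ('<I', '>L') instead of after it ('I<', 'L>'). Not the real msftidy check.

# A '<' or '>' that is not immediately preceded by a directive letter is
# in the wrong place (Ruby wants e.g. 'I<', 'Q>', never '<I' or 'I2<').
BAD_ENDIAN_RE = /(?:\A|[^A-Za-z])[<>]/

def misplaced_endian?(fmt)
  !!(fmt =~ BAD_ENDIAN_RE)
end

# Finds pack/unpack/unpack1 calls whose literal format string has a
# misplaced endian modifier. Returns [[line_number, format], ...].
# Only handles single-line calls with a plain quoted literal; that is
# enough for the call sites this PR touched.
def scan_source(src)
  call_re = /\b(?:un)?pack1?\(\s*(['"])([^'"]*)\1/
  src.each_line.with_index(1).flat_map do |line, no|
    line.scan(call_re).filter_map { |_quote, fmt| [no, fmt] if misplaced_endian?(fmt) }
  end
end

# Constructed sample input: two buggy call sites among correct ones.
SAMPLE_SRC = <<~'RUBY'
  hdr  = [size].pack('<I')        # bug: modifier before the directive
  ok   = [size].pack('V')
  ok2  = [addr].pack('Q<')
  bad2 = data.unpack('>L')        # bug: same mistake on unpack
  ok3  = data.unpack1('N')
RUBY

if __FILE__ == $0
  scan_source(SAMPLE_SRC).each do |no, fmt|
    puts "line #{no}: endian modifier before directive in #{fmt.inspect}"
  end
end
```

On the sample it reports lines 1 and 4 only; `'Q<'` and the `V`/`N` forms pass, as do counted forms such as `'I<2'` whose modifier still follows its letter.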
These prevent Metasploit from working properly on big-endian architectures and a number of these have crept in over the years.