Skip to content

Commit 5a185c0

Browse files
committed
Resolve test failures for c2 branch
1 parent 069b108 commit 5a185c0

14 files changed

Lines changed: 115 additions & 31 deletions

File tree

.github/workflows/command_shell_acceptance.yml

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -27,7 +27,7 @@ on:
2727
metasploitPayloadsCommit:
2828
description: 'metasploit-payloads branch you want to test'
2929
required: true
30-
default: 'master'
30+
default: '6.5'
3131
mettleCommit:
3232
description: 'mettle branch you want to test'
3333
required: true

.github/workflows/meterpreter_acceptance.yml

Lines changed: 7 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -27,11 +27,11 @@ on:
2727
metasploit_payloads_commit:
2828
description: 'metasploit-payloads branch you want to test'
2929
required: true
30-
default: 'master'
30+
default: '6.5'
3131
mettle_commit:
3232
description: 'mettle branch you want to test'
3333
required: true
34-
default: 'master'
34+
default: '6.5'
3535
push:
3636
branches-ignore:
3737
- gh-pages
@@ -61,7 +61,8 @@ jobs:
6161
build:
6262
uses: ./.github/workflows/shared_meterpreter_acceptance.yml
6363
with:
64-
metasploit_payloads_commit: ${{ github.event.inputs.metasploit_payloads_commit }}
65-
mettle_commit: ${{ github.event.inputs.mettle_commit }}
66-
build_metasploit_payloads: ${{ contains(github.event.pull_request.labels.*.name, 'payload-testing-branch') }}
67-
build_mettle: ${{ contains(github.event.pull_request.labels.*.name, 'payload-testing-mettle-branch') }}
64+
metasploit_payloads_repo: adfoster-r7/metasploit-payloads
65+
metasploit_payloads_commit: update-php-meterpreter-errors
66+
mettle_commit: ${{ github.event.inputs.mettle_commit || '6.5' }}
67+
build_metasploit_payloads: true
68+
build_mettle: true

.github/workflows/shared_meterpreter_acceptance.yml

Lines changed: 11 additions & 6 deletions
Original file line numberDiff line numberDiff line change
@@ -13,6 +13,11 @@ on:
1313
default: ''
1414
required: false
1515
type: string
16+
metasploit_payloads_repo:
17+
description: "metasploit-payloads repository to build with (e.g. a fork: myuser/metasploit-payloads)"
18+
default: 'rapid7/metasploit-payloads'
19+
required: false
20+
type: string
1621
mettle_commit:
1722
description: "mettle commit to build with"
1823
default: ''
@@ -30,19 +35,19 @@ on:
3035
type: boolean
3136

3237
jobs:
33-
# Compile the Meterpreter payloads via docker if required, we can't always do this on the
34-
# host environment (i.e. for macos). So it instead gets compiled first on a linux
35-
# host, then the artifacts are copied back to the host later
38+
# Compile Java Meterpreter and prepare PHP/Python payloads via docker if required, we can't
39+
# always do this on the host environment (i.e. for macos). So it instead gets compiled first
40+
# on a linux host, then the artifacts are copied back to the host later
3641
meterpreter_compilation:
37-
name: Compile Meterpreter
42+
name: Build Meterpreter Gem (optional)
3843
runs-on: ubuntu-latest
3944
if: ${{ inputs.build_metasploit_payloads }}
4045

4146
steps:
4247
- name: Checkout metasploit-payloads
4348
uses: actions/checkout@v4
4449
with:
45-
repository: rapid7/metasploit-payloads
50+
repository: ${{ inputs.metasploit_payloads_repo }}
4651
path: metasploit-payloads
4752
ref: ${{ inputs.metasploit_payloads_commit }}
4853

@@ -265,7 +270,7 @@ jobs:
265270
if: ${{ inputs.build_metasploit_payloads && matrix.meterpreter.name != 'mettle' }}
266271
uses: actions/checkout@v4
267272
with:
268-
repository: rapid7/metasploit-payloads
273+
repository: ${{ inputs.metasploit_payloads_repo }}
269274
path: metasploit-payloads
270275
ref: ${{ inputs.metasploit_payloads_commit }}
271276

lib/msf/base/sessions/mettle_config.rb

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -135,7 +135,7 @@ def generate_config(opts = {})
135135
# Mettle reserves a fixed 8 KB slot in the binary for the config
136136
# block. Catch the overflow here with a useful message instead of
137137
# letting the gem's `to_binary` raise a generic "config block too
138-
# large" baked-in EXTENSIONS= is the usual culprit.
138+
# large" -- baked-in EXTENSIONS= is the usual culprit.
139139
if opts[:config_block].length > MetasploitPayloads::Mettle::CONFIG_BLOCK_MAX
140140
raise ArgumentError, "Mettle config block (#{opts[:config_block].length} bytes) exceeds the #{MetasploitPayloads::Mettle::CONFIG_BLOCK_MAX}-byte embedded slot. " \
141141
"Drop EXTENSIONS= and `load <ext>` once the session is up."

lib/msf/core/handler/reverse_http.rb

Lines changed: 5 additions & 5 deletions
Original file line numberDiff line numberDiff line change
@@ -287,14 +287,14 @@ def setup_handler
287287
#
288288
# * query parameter (profile: `parameter "name";`)
289289
# * request header (profile: `header "name";`)
290-
# * trailing path seg (default no placement directive)
290+
# * trailing path seg (default -- no placement directive)
291291
#
292292
# For the path case, the URI looks like `<base>/<id>`, where `<base>`
293293
# is the profile's per-verb `set uri` if defined, otherwise `LURI`
294294
# (each is registered as a separate mount point in `all_uris`).
295295
# Taking the last `/`-separated segment skips the base regardless of
296296
# which one was used. Profile authors should not put `/` in
297-
# prepend/append directives that would split the id across segments
297+
# prepend/append directives -- that would split the id across segments
298298
# and defeat this scheme.
299299
#
300300
# If the profile applied `prepend` / `append` / `base64` / `base64url`
@@ -325,7 +325,7 @@ def find_resource_id(cli, request)
325325

326326
# Reverse the prepend/append + base64 transforms the profile applied
327327
# to the id on the payload side. If a declared wrapper is missing from
328-
# the candidate, leave the candidate alone this is not a payload
328+
# the candidate, leave the candidate alone -- this is not a payload
329329
# request, and `process_uri_resource` will return nil for it.
330330
def unwrap_profile_uuid(candidate, placement)
331331
prefix = placement.prepend.map{|d| d.args[0]}.join('')
@@ -357,8 +357,8 @@ def add_response_headers(req, resp)
357357

358358
# Return the live meterpreter session whose passive dispatcher is
359359
# registered for this bare conn_id, or nil if none matches. Used so
360-
# MC2 traffic which Rex routes to on_request because the profile
361-
# URI prefix outranks the session's /<conn_id> mount can still be
360+
# MC2 traffic -- which Rex routes to on_request because the profile
361+
# URI prefix outranks the session's /<conn_id> mount -- can still be
362362
# delivered to the right session instead of triggering a fresh
363363
# "orphaned attach" on every poll.
364364
def session_for_conn_id(bare_conn_id)

lib/msf/core/payload/java/meterpreter_loader.rb

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -18,7 +18,7 @@ module Payload::Java::MeterpreterLoader
1818
include Msf::Sessions::MeterpreterOptions::Java
1919

2020
# Resource path the stageless StagelessMain bootstrap reads. Deliberately
21-
# innocuous no meterpreter/metasploit markers in the name.
21+
# innocuous -- no meterpreter/metasploit markers in the name.
2222
STAGELESS_CONFIG_RESOURCE = 'META-INF/data'.freeze
2323
STAGELESS_MAIN_CLASS = 'com.metasploit.meterpreter.StagelessMain'.freeze
2424

@@ -44,7 +44,7 @@ def stage_payload(opts={})
4444
#
4545
# When opts[:stageless] is set, returns a self-contained jar with the
4646
# TLV config embedded as a resource and Main-Class pinned to
47-
# StagelessMain ready to run under `java -jar`.
47+
# StagelessMain -- ready to run under `java -jar`.
4848
#
4949
def stage_meterpreter(opts={})
5050
met = MetasploitPayloads.read('meterpreter', 'meterpreter.jar')

lib/msf/core/payload/macho.rb

Lines changed: 7 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -5,6 +5,7 @@
55
class Msf::Payload::MachO
66

77
def initialize(data)
8+
@raw_data = data.dup
89
@macho = MachO::MachOFile.new_from_bin(data)
910
end
1011

@@ -59,7 +60,12 @@ def to_dylib(name)
5960
# See: https://developer.apple.com/forums/thread/702351
6061
# See: https://github.com/apple-oss-distributions/Security/blob/e4ea024c9bbd3bfda30ec6df270bfb4c7438d1a9/SecurityTool/sharedTool/codesign.c#L323
6162
def sign
62-
raw_data = @macho.serialize
63+
# Use the original binary data rather than @macho.serialize. On Linux,
64+
# ruby-macho's serialize can reorder or drop sections for newer macOS
65+
# load commands (LC_DYLD_CHAINED_FIXUPS, LC_DYLD_EXPORTS_TRIE), which
66+
# causes the LC_CODE_SIGNATURE.dataoff to point to the wrong location
67+
# in the reconstructed output.
68+
raw_data = @raw_data.dup
6369
code_signature_index = @macho[:LC_CODE_SIGNATURE][0].dataoff
6470
code_signature = raw_data[code_signature_index..]
6571
s_magic, s_length, s_count, code_indexes = code_signature.unpack("N3a*")

lib/msf/core/payload/malleable_c2.rb

Lines changed: 2 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -115,7 +115,7 @@ def tokenize(text)
115115
# blank line
116116
next
117117
elsif scanner.scan(/#[^\n]*/)
118-
# comment anchorless so it matches indented comments too
118+
# comment -- anchorless so it matches indented comments too
119119
# (the prior `\s+` rule has already eaten any leading
120120
# whitespace by the time we get here)
121121
next
@@ -450,7 +450,7 @@ def parse(file)
450450
profile.sets << parse_set
451451
elsif block_ahead?
452452
# Any `name { ... }` is a block. We keep the ones we understand
453-
# (http-get/http-post/etc.) and harmlessly retain the rest
453+
# (http-get/http-post/etc.) and harmlessly retain the rest --
454454
# unsupported CS blocks like dns-beacon/process-inject/post-ex
455455
# are parsed for structure and simply ignored by to_tlv.
456456
profile.sections << parse_section

lib/rex/proto/http/request.rb

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -219,7 +219,7 @@ def to_s
219219

220220
#
221221
# Returns a hijacked version of the body that shoves the request's query string in as a
222-
# replacement in cases where there is no body. YOLO! ¯\_(ツ)_/¯
222+
# replacement in cases where there is no body. YOLO! (shrug)
223223
#
224224
def body
225225
str = super || ''

lib/rex/proto/http/server.rb

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -294,7 +294,7 @@ def dispatch_request(cli, request)
294294
p = resources[request.resource]
295295
# This branch is reached when resource_id is nil (e.g. fetch-payload
296296
# adapters have no find_resource_id), so the matched resource is the
297-
# request resource itself not resource_id, which would nil-deref.
297+
# request resource itself -- not resource_id, which would nil-deref.
298298
len = request.resource.length
299299
root = request.resource
300300
else

0 commit comments

Comments
 (0)