Skip to content
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension


Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
21 changes: 12 additions & 9 deletions .github/workflows/command_shell_acceptance.yml
Original file line number Diff line number Diff line change
Expand Up @@ -109,19 +109,22 @@ jobs:
tools: none

- name: Install system dependencies (Windows)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was silently broken when pointing towards the custom 6.5 branches

shell: cmd
shell: pwsh
if: runner.os == 'Windows'
run: |
REM pcap dependencies
powershell -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip', 'C:\Windows\Temp\WpdPack_4_1_2.zip')"
$ErrorActionPreference = 'Stop'
# pcap dependencies
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri 'https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip' -OutFile 'C:\Windows\Temp\WpdPack_4_1_2.zip' -SkipCertificateCheck
$expected = 'ea799cf2f26e4afb1892938070fd2b1ca37ce5cf75fec4349247df12b784edbd'
$actual = (Get-FileHash 'C:\Windows\Temp\WpdPack_4_1_2.zip' -Algorithm SHA256).Hash.ToLower()
if ($actual -ne $expected) { throw "WpdPack_4_1_2.zip SHA256 mismatch: expected $expected, got $actual" }

choco install 7zip.installServerCertificateValidationCallback
7z x "C:\Windows\Temp\WpdPack_4_1_2.zip" -o"C:\"

dir C:\\
choco install 7zip -y --no-progress
if ($LASTEXITCODE -ne 0) { throw "choco install 7zip failed with exit code $LASTEXITCODE" }

dir %WINDIR%
type %WINDIR%\\system32\\drivers\\etc\\hosts
7z x "C:\Windows\Temp\WpdPack_4_1_2.zip" -o"C:\"
if ($LASTEXITCODE -ne 0) { throw "7z extraction failed with exit code $LASTEXITCODE" }

# The job checkout structure is:
# .
Expand Down
29 changes: 16 additions & 13 deletions .github/workflows/shared_meterpreter_acceptance.yml
Original file line number Diff line number Diff line change
Expand Up @@ -30,11 +30,11 @@ on:
type: boolean

jobs:
# Compile the Meterpreter payloads via docker if required, we can't always do this on the
# host environment (i.e. for macos). So it instead gets compiled first on a linux
# host, then the artifacts are copied back to the host later
# Compile Java Meterpreter and prepare PHP/Python payloads via docker if required, we can't
# always do this on the host environment (i.e. for macos). So it instead gets compiled first
# on a linux host, then the artifacts are copied back to the host later
meterpreter_compilation:
name: Compile Meterpreter
name: Build Meterpreter Gem (optional)
runs-on: ubuntu-latest
if: ${{ inputs.build_metasploit_payloads }}

Expand Down Expand Up @@ -141,19 +141,22 @@ jobs:
java-version: ${{ matrix.meterpreter.runtime_version }}

- name: Install system dependencies (Windows)
shell: cmd
shell: pwsh
if: runner.os == 'Windows'
run: |

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was silently broken when pointing towards the custom 6.5 branches

REM pcap dependencies
powershell -Command "[System.Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} ; [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; (New-Object System.Net.WebClient).DownloadFile('https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip', 'C:\Windows\Temp\WpdPack_4_1_2.zip')"
$ErrorActionPreference = 'Stop'
# pcap dependencies
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Invoke-WebRequest -Uri 'https://www.winpcap.org/install/bin/WpdPack_4_1_2.zip' -OutFile 'C:\Windows\Temp\WpdPack_4_1_2.zip' -SkipCertificateCheck
$expected = 'ea799cf2f26e4afb1892938070fd2b1ca37ce5cf75fec4349247df12b784edbd'
$actual = (Get-FileHash 'C:\Windows\Temp\WpdPack_4_1_2.zip' -Algorithm SHA256).Hash.ToLower()
if ($actual -ne $expected) { throw "WpdPack_4_1_2.zip SHA256 mismatch: expected $expected, got $actual" }

choco install 7zip.installServerCertificateValidationCallback
7z x "C:\Windows\Temp\WpdPack_4_1_2.zip" -o"C:\"
choco install 7zip -y --no-progress
if ($LASTEXITCODE -ne 0) { throw "choco install 7zip failed with exit code $LASTEXITCODE" }

dir C:\\

dir %WINDIR%
type %WINDIR%\\system32\\drivers\\etc\\hosts
7z x "C:\Windows\Temp\WpdPack_4_1_2.zip" -o"C:\"
if ($LASTEXITCODE -ne 0) { throw "7z extraction failed with exit code $LASTEXITCODE" }

# The job checkout structure is:
# .
Expand Down
8 changes: 4 additions & 4 deletions Gemfile.lock
Original file line number Diff line number Diff line change
Expand Up @@ -61,9 +61,9 @@ PATH
metasploit-concern
metasploit-credential (>= 6.0.21)
metasploit-model
metasploit-payloads (= 2.0.245)
metasploit-payloads (= 2.0.246.pre.7)

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Looks like windows 2022 has been failing since pre5, but passed on pre4 - will merge this in, and resolve/debug that separately

metasploit_data_models (>= 6.0.15)
metasploit_payloads-mettle (= 1.0.46)
metasploit_payloads-mettle (= 1.0.48.pre.3)
mqtt
msgpack (~> 1.6.0)
mutex_m
Expand Down Expand Up @@ -369,7 +369,7 @@ GEM
drb
mutex_m
railties (>= 7.0, < 8.1)
metasploit-payloads (2.0.245)
metasploit-payloads (2.0.246.pre.7)
metasploit_data_models (6.0.18)
activerecord (>= 7.0, < 8.1)
activesupport (>= 7.0, < 8.1)
Expand All @@ -383,7 +383,7 @@ GEM
railties (>= 7.0, < 8.1)
recog
webrick
metasploit_payloads-mettle (1.0.46)
metasploit_payloads-mettle (1.0.48.pre.3)
method_source (1.1.0)
mime-types (3.7.0)
logger
Expand Down
2 changes: 1 addition & 1 deletion lib/msf/base/sessions/mettle_config.rb
Original file line number Diff line number Diff line change
Expand Up @@ -135,7 +135,7 @@ def generate_config(opts = {})
# Mettle reserves a fixed 8 KB slot in the binary for the config
# block. Catch the overflow here with a useful message instead of
# letting the gem's `to_binary` raise a generic "config block too
# large" baked-in EXTENSIONS= is the usual culprit.
# large" -- baked-in EXTENSIONS= is the usual culprit.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Getting rid of non-ascii chars which aren't allowed in modules

if opts[:config_block].length > MetasploitPayloads::Mettle::CONFIG_BLOCK_MAX
raise ArgumentError, "Mettle config block (#{opts[:config_block].length} bytes) exceeds the #{MetasploitPayloads::Mettle::CONFIG_BLOCK_MAX}-byte embedded slot. " \
"Drop EXTENSIONS= and `load <ext>` once the session is up."
Expand Down
10 changes: 5 additions & 5 deletions lib/msf/core/handler/reverse_http.rb
Original file line number Diff line number Diff line change
Expand Up @@ -287,14 +287,14 @@ def setup_handler
#
# * query parameter (profile: `parameter "name";`)
# * request header (profile: `header "name";`)
# * trailing path seg (default no placement directive)
# * trailing path seg (default -- no placement directive)
#
# For the path case, the URI looks like `<base>/<id>`, where `<base>`
# is the profile's per-verb `set uri` if defined, otherwise `LURI`
# (each is registered as a separate mount point in `all_uris`).
# Taking the last `/`-separated segment skips the base regardless of
# which one was used. Profile authors should not put `/` in
# prepend/append directives that would split the id across segments
# prepend/append directives -- that would split the id across segments
# and defeat this scheme.
#
# If the profile applied `prepend` / `append` / `base64` / `base64url`
Expand Down Expand Up @@ -325,7 +325,7 @@ def find_resource_id(cli, request)

# Reverse the prepend/append + base64 transforms the profile applied
# to the id on the payload side. If a declared wrapper is missing from
# the candidate, leave the candidate alone this is not a payload
# the candidate, leave the candidate alone -- this is not a payload
# request, and `process_uri_resource` will return nil for it.
def unwrap_profile_uuid(candidate, placement)
prefix = placement.prepend.map{|d| d.args[0]}.join('')
Expand Down Expand Up @@ -357,8 +357,8 @@ def add_response_headers(req, resp)

# Return the live meterpreter session whose passive dispatcher is
# registered for this bare conn_id, or nil if none matches. Used so
# MC2 traffic which Rex routes to on_request because the profile
# URI prefix outranks the session's /<conn_id> mount can still be
# MC2 traffic -- which Rex routes to on_request because the profile
# URI prefix outranks the session's /<conn_id> mount -- can still be
# delivered to the right session instead of triggering a fresh
# "orphaned attach" on every poll.
def session_for_conn_id(bare_conn_id)
Expand Down
4 changes: 2 additions & 2 deletions lib/msf/core/payload/java/meterpreter_loader.rb
Original file line number Diff line number Diff line change
Expand Up @@ -18,7 +18,7 @@ module Payload::Java::MeterpreterLoader
include Msf::Sessions::MeterpreterOptions::Java

# Resource path the stageless StagelessMain bootstrap reads. Deliberately
# innocuous no meterpreter/metasploit markers in the name.
# innocuous -- no meterpreter/metasploit markers in the name.
STAGELESS_CONFIG_RESOURCE = 'META-INF/data'.freeze
STAGELESS_MAIN_CLASS = 'com.metasploit.meterpreter.StagelessMain'.freeze

Expand All @@ -44,7 +44,7 @@ def stage_payload(opts={})
#
# When opts[:stageless] is set, returns a self-contained jar with the
# TLV config embedded as a resource and Main-Class pinned to
# StagelessMain ready to run under `java -jar`.
# StagelessMain -- ready to run under `java -jar`.
#
def stage_meterpreter(opts={})
met = MetasploitPayloads.read('meterpreter', 'meterpreter.jar')
Expand Down
4 changes: 2 additions & 2 deletions lib/msf/core/payload/malleable_c2.rb
Original file line number Diff line number Diff line change
Expand Up @@ -115,7 +115,7 @@ def tokenize(text)
# blank line
next
elsif scanner.scan(/#[^\n]*/)
# comment anchorless so it matches indented comments too
# comment -- anchorless so it matches indented comments too
# (the prior `\s+` rule has already eaten any leading
# whitespace by the time we get here)
next
Expand Down Expand Up @@ -450,7 +450,7 @@ def parse(file)
profile.sets << parse_set
elsif block_ahead?
# Any `name { ... }` is a block. We keep the ones we understand
# (http-get/http-post/etc.) and harmlessly retain the rest
# (http-get/http-post/etc.) and harmlessly retain the rest --
# unsupported CS blocks like dns-beacon/process-inject/post-ex
# are parsed for structure and simply ignored by to_tlv.
profile.sections << parse_section
Expand Down
2 changes: 1 addition & 1 deletion lib/rex/proto/http/request.rb
Original file line number Diff line number Diff line change
Expand Up @@ -219,7 +219,7 @@ def to_s

#
# Returns a hijacked version of the body that shoves the request's query string in as a
# replacement in cases where there is no body. YOLO! ¯\_(ツ)_/¯
# replacement in cases where there is no body. YOLO! (shrug)
#
def body
str = super || ''
Expand Down
2 changes: 1 addition & 1 deletion lib/rex/proto/http/server.rb
Original file line number Diff line number Diff line change
Expand Up @@ -294,7 +294,7 @@ def dispatch_request(cli, request)
p = resources[request.resource]
# This branch is reached when resource_id is nil (e.g. fetch-payload
# adapters have no find_resource_id), so the matched resource is the
# request resource itself not resource_id, which would nil-deref.
# request resource itself -- not resource_id, which would nil-deref.
len = request.resource.length
root = request.resource
else
Expand Down
4 changes: 2 additions & 2 deletions metasploit-framework.gemspec
Original file line number Diff line number Diff line change
Expand Up @@ -74,9 +74,9 @@ Gem::Specification.new do |spec|
# are needed when there's no database
spec.add_runtime_dependency 'metasploit-model'
# Needed for Meterpreter
spec.add_runtime_dependency 'metasploit-payloads', '2.0.245'
spec.add_runtime_dependency 'metasploit-payloads', '2.0.246.pre.7'
# Needed for the next-generation POSIX Meterpreter
spec.add_runtime_dependency 'metasploit_payloads-mettle', '1.0.46'
spec.add_runtime_dependency 'metasploit_payloads-mettle', '1.0.48.pre.3'
# Needed by msfgui and other rpc components
# Locked until build env can handle newer version. See: https://github.com/msgpack/msgpack-ruby/issues/334
spec.add_runtime_dependency 'msgpack', '~> 1.6.0'
Expand Down
2 changes: 1 addition & 1 deletion modules/payloads/singles/php/meterpreter_reverse_http.rb
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ module MetasploitModule
include Msf::Payload::Php::ReverseHttp
include Msf::Payload::TransportConfig
include Msf::Payload::UUID::Options
include Msf::Sessions::MeterpreterOptions
include Msf::Sessions::MeterpreterOptions::Php

def initialize(info = {})
super(
Expand Down
2 changes: 1 addition & 1 deletion modules/payloads/singles/php/meterpreter_reverse_https.rb
Original file line number Diff line number Diff line change
Expand Up @@ -10,7 +10,7 @@ module MetasploitModule
include Msf::Payload::Php::ReverseHttp
include Msf::Payload::TransportConfig
include Msf::Payload::UUID::Options
include Msf::Sessions::MeterpreterOptions
include Msf::Sessions::MeterpreterOptions::Php

def initialize(info = {})
super(
Expand Down
74 changes: 74 additions & 0 deletions spec/modules/payloads_spec.rb
Original file line number Diff line number Diff line change
Expand Up @@ -1712,6 +1712,42 @@
reference_name: 'java/shell_reverse_tcp'
end

context 'java/meterpreter_bind_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'singles/java/meterpreter_bind_tcp'
],
modules_pathname: modules_pathname,
reference_name: 'java/meterpreter_bind_tcp'
end

context 'java/meterpreter_reverse_http' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'singles/java/meterpreter_reverse_http'
],
modules_pathname: modules_pathname,
reference_name: 'java/meterpreter_reverse_http'
end

context 'java/meterpreter_reverse_https' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'singles/java/meterpreter_reverse_https'
],
modules_pathname: modules_pathname,
reference_name: 'java/meterpreter_reverse_https'
end

context 'java/meterpreter_reverse_tcp' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'singles/java/meterpreter_reverse_tcp'
],
modules_pathname: modules_pathname,
reference_name: 'java/meterpreter_reverse_tcp'
end

context 'linux/aarch64/chmod' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
Expand Down Expand Up @@ -2987,6 +3023,44 @@
reference_name: 'php/meterpreter_reverse_tcp'
end

context 'php/meterpreter_reverse_http' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'singles/php/meterpreter_reverse_http'
],
modules_pathname: modules_pathname,
reference_name: 'php/meterpreter_reverse_http'
end

context 'php/meterpreter_reverse_https' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'singles/php/meterpreter_reverse_https'
],
modules_pathname: modules_pathname,
reference_name: 'php/meterpreter_reverse_https'
end

context 'php/meterpreter/reverse_http' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/php/reverse_http',
'stages/php/meterpreter'
],
modules_pathname: modules_pathname,
reference_name: 'php/meterpreter/reverse_http'
end

context 'php/meterpreter/reverse_https' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
'stagers/php/reverse_https',
'stages/php/meterpreter'
],
modules_pathname: modules_pathname,
reference_name: 'php/meterpreter/reverse_https'
end

context 'php/reverse_php' do
it_should_behave_like 'payload cached size is consistent',
ancestor_reference_names: [
Expand Down
4 changes: 1 addition & 3 deletions spec/support/acceptance/session/php.rb
Original file line number Diff line number Diff line change
Expand Up @@ -144,9 +144,7 @@ module Acceptance::Session::Php
known_failures: []
},
osx: {
known_failures: [
"[-] FAILED: should return a list of processes"
]
known_failures: []

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

},
windows: {
known_failures: []
Expand Down
Loading
Loading