rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

rpc.call('module.info', 'exploit', 'linux/misc/saltstack_salt_unauth_rce') error #13943

Closed sachinly closed 3 years ago

sachinly commented 4 years ago

Steps to reproduce

How'd you do it?

Using the msfrpc client to get module info, I have some errors.

>> rpc.call('module.info', 'exploit', 'linux/misc/saltstack_salt_unauth_rce')
Traceback (most recent call last):
        8: from /usr/bin/msfrpc:92:in `<main>'
        7: from /usr/share/metasploit-framework/lib/rex/ui/text/irb_shell.rb:52:in `run'
        6: from /usr/share/metasploit-framework/lib/rex/ui/text/irb_shell.rb:52:in `catch'
        5: from /usr/share/metasploit-framework/lib/rex/ui/text/irb_shell.rb:53:in `block in run'
        4: from (irb):8:in `<main>'
        3: from (irb):9:in `rescue in <main>'
        2: from /usr/share/metasploit-framework/lib/msf/core/rpc/v10/client.rb:105:in `call'
        1: from /usr/share/metasploit-framework/lib/msf/core/rpc/v10/client.rb:163:in `send_rpc_request'
RuntimeError (nil)

adfoster-r7 commented 4 years ago

Looks like there's a serialisation error with message pack:

# metasploit-framework/gems/msgpack-1.3.3/lib/msgpack/core_ext.rb:4 MessagePack::CoreExt#to_msgpack:

     1: module MessagePack
     2:   module CoreExt
     3:     def to_msgpack(packer_or_io = nil)
     4:       if packer_or_io
     5:         if packer_or_io.is_a?(MessagePack::Packer)
     6:           to_msgpack_with_packer packer_or_io
     7:         else
     8:           MessagePack.pack(self, packer_or_io)
     9:         end
    10:       else
 => 11:         MessagePack.pack(self)
    12:       end
    13:     end
    14:   end
    15: end

The rpc service is throwing the following error behind the scenes:

> MessagePack.pack(self) 
NoMethodError: undefined method `to_msgpack' for /.*/:Regexp
from /Users/adfoster/.rvm/gems/ruby-2.6.6@metasploit-framework/gems/msgpack-1.3.3/lib/msgpack.rb:46:in `write'

I believe it's the module option that the saltstack module uses, which contains a regex object:

"MINIONS"=> {
    "type"=>"regexp",
    "required"=>true,
    "advanced"=>false,
    "desc"=>"PCRE regex of minions to target",
    "default"=> /.*/
}

Interestingly JSON.pretty_generate(self) serializes regex as:

"MINIONS": {
    "type": "regexp",
    "required": true,
    "advanced": false,
    "desc": "PCRE regex of minions to target",
    "default": "(?-mix:.*)"
}

adfoster-r7 commented 4 years ago

The client doesn't get given the error either. When the service fails, the process function raises a NoMethodError - and the current exception handler only catches Msf::RPC::Exception. Therefore the client gets sent back nil as a response:

     88: def on_request_uri(cli, req)
     89:   res = Rex::Proto::Http::Response.new()
     90:   res["Content-Type"] = "binary/message-pack"
     91: 
     92:   begin
     93:     require 'pry'; binding.pry
 =>  94:     res.body = process(req).to_msgpack
     95:   rescue Msf::RPC::Exception => e
     96:     require 'pry'; binding.pry
     97:     elog('RPC Exception', error: e)
     98:     res.body = process_exception(e).to_msgpack
     99:     res.code = e.code
    100:   end
    101:   cli.send_response(res)
    102: end

[1] pry(#<Msf::RPC::Service>)> process(req).to_msgpack
NoMethodError: undefined method `to_msgpack' for /.*/:Regexp
from /Users/adfoster/.rvm/gems/ruby-2.6.6@metasploit-framework/gems/msgpack-1.3.3/lib/msgpack.rb:46:in `write'

space-r7 commented 3 years ago

Fixed in #15686
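
The two failure modes discussed in this thread (a Regexp option default that the serialiser cannot encode, and a handler whose narrow rescue leaves the client with nil) can be reproduced and guarded against with the standard library alone. This is an added example, not code from the thread, from Metasploit, or from the fix in #15686; `msgpack_safe`, `safe_rpc_result` and `SAMPLE_OPTIONS` are hypothetical names, and the sample hash is constructed from the option quoted above.

```ruby
# Added example (not Metasploit code). All method names here are hypothetical.

# Recursively convert a value into types every MessagePack encoder handles
# (nil, booleans, integers, floats, strings, arrays, string-keyed hashes).
# Anything else, such as a Regexp option default, becomes its #to_s form and
# its location is recorded in `converted` so the lossy step can be logged.
def msgpack_safe(value, path = 'result', converted = [])
  case value
  when nil, true, false, Integer, Float, String
    value
  when Symbol
    value.to_s
  when Hash
    value.each_with_object({}) do |(key, val), out|
      out[key.to_s] = msgpack_safe(val, "#{path}.#{key}", converted)
    end
  when Array
    value.each_with_index.map { |val, i| msgpack_safe(val, "#{path}[#{i}]", converted) }
  else
    converted << "#{path} (#{value.class})"
    value.to_s
  end
end

# Run a handler block and always return a hash the client can decode.
# Rescuing StandardError (not one application exception class) means an
# unexpected NoMethodError still produces an error body instead of nil.
def safe_rpc_result
  converted = []
  body = msgpack_safe(yield, 'result', converted)
  { 'error' => false, 'result' => body, 'converted' => converted }
rescue StandardError => e
  { 'error' => true, 'error_class' => e.class.name, 'error_message' => e.message }
end

# Constructed sample: the option hash quoted in the issue.
SAMPLE_OPTIONS = {
  'MINIONS' => {
    'type' => 'regexp', 'required' => true, 'advanced' => false,
    'desc' => 'PCRE regex of minions to target', 'default' => /.*/
  }
}.freeze

if __FILE__ == $PROGRAM_NAME
  p safe_rpc_result { { 'options' => SAMPLE_OPTIONS } }
  p safe_rpc_result { nil.fetch(:x) } # simulated handler bug
end
```

The Regexp comes back as the same `"(?-mix:.*)"` string that `JSON.pretty_generate` produced above, so a client has to rebuild the pattern itself if it needs one.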