rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Not able to find a proper encoder with Fetch Payloads #18572

Closed cdelafuente-r7 closed 10 months ago

cdelafuente-r7 commented 1 year ago

This issue came out while working on this PR. This comment gives more details.

When some BadChars are set, Framework tries to find a suitable encoder according to the platform and the architecture. With a fetch payload, it fails:

[-] Exploit failed: cmd/linux/http/x64/meterpreter/reverse_tcp: All encoders failed to encode.

When setting the payload to a standard command payload (e.g. cmd/unix/reverse_bash), it works.

I found out the payload platforms are all set to linux platforms:

From: /Users/cdelafuente/dev/src/metasploit-framework/lib/msf/core/encoded_payload.rb:567 Msf::EncodedPayload#compatible_encoders:

    562: def compatible_encoders
    563:   arch = reqs['Arch'] || pinst.arch
    564:   platform = reqs['Platform'] || pinst.platform
    565:   require 'pry';binding.pry
    566:
 => 567:   encoders = []
    568:
    569:   framework.encoders.each_module_ranked(
    570:     'Arch' => arch, 'Platform' => platform) { |name, mod|
    571:     encoders << [ name, mod ]
    572:   }
    573:
    574:   encoders
    575: end

[1] pry(#<Msf::EncodedPayload>)> pinst.platform
=> #<Msf::Module::PlatformList:0x00007fbf69abf1f0 @platforms=[Msf::Module::Platform::Linux, Msf::Module::Platform::Linux]>
[2] pry(#<Msf::EncodedPayload>)> pinst.arch
=> ["cmd"]

So, no encoder is found with both a cmd architecture and a linux platform:

[1] pry(#<Msf::EncodedPayload>)> encoders
=> [["generic/none", Msf::Modules::Encoder__Generic__None::MetasploitModule], ["generic/eicar", Msf::Modules::Encoder__Generic__Eicar::MetasploitModule]]

While with a command payload, the unix platform is correctly set:

[1] pry(#<Msf::EncodedPayload>)> pinst.platform
=> #<Msf::Module::PlatformList:0x00007fbf68dd6ce0 @platforms=[Msf::Module::Platform::Unix]>

Steps to reproduce

  1. Use an exploit that supports Fetch Payloads (e.g. linux/http/vinchin_backup_recovery_cmd_inject)
  2. Make sure some BadChars are specified in the info hash (e.g. 'Payload' => { 'BadChars' => "\"'<>&" })
  3. Do: set payload cmd/linux/http/x64/meterpreter/reverse_tcp
  4. Set the required options
  5. Do: exploit

Try again with a command payload cmd/unix/reverse_bash. It should work now.

Expected behavior

The exploit should execute without encoding errors.

Current behavior

It fails with this error:

[-] Exploit failed: cmd/linux/http/x64/meterpreter/reverse_tcp: All encoders failed to encode.

smcintyre-r7 commented 1 year ago

Easiest way to fix this might be to check if you can add linux as a platform to the existing encoders where unix is already listed.
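The following is an added, stand-alone model of the arch/platform matching described in the report and of the fix suggested in the comment above. It is not code from Metasploit or from either commenter: the encoder catalogue is constructed, `cmd/example_sh` is a hypothetical encoder name standing in for one that declares Arch `cmd` and only the `unix` platform, and treating an empty arch or platform list as "compatible with anything" is an assumption of this model. The payload descriptions are taken from the pry output in the report (fetch payload: arch `["cmd"]`, platforms `[Linux, Linux]`; command payload: platform `[Unix]`).

```ruby
# Added example (not Metasploit's own code): a simplified model of picking
# encoders compatible with a payload by architecture and platform.
Encoder = Struct.new(:name, :arch, :platform)

# Constructed catalogue. An empty arch/platform list is treated as "any",
# which is how the two generic encoders are modelled here (assumption).
# 'cmd/example_sh' is a hypothetical name for an encoder declaring Arch 'cmd'
# and only the 'unix' platform.
ENCODERS = [
  Encoder.new('generic/none',   [],      []),
  Encoder.new('generic/eicar',  [],      []),
  Encoder.new('cmd/example_sh', ['cmd'], ['unix']),
].freeze

# Names of encoders whose declared arch and platform lists each intersect the
# payload's lists (or are empty, meaning "any").
def compatible_encoders(encoders, arch:, platform:)
  encoders.select do |enc|
    arch_ok     = enc.arch.empty?     || (enc.arch & arch).any?
    platform_ok = enc.platform.empty? || (enc.platform & platform).any?
    arch_ok && platform_ok
  end.map(&:name)
end

# The suggested fix, modelled: add 'linux' to every encoder that already lists
# 'unix'. Returns a new catalogue and leaves the input untouched.
def add_linux_where_unix(encoders)
  encoders.map do |enc|
    if enc.platform.include?('unix') && !enc.platform.include?('linux')
      Encoder.new(enc.name, enc.arch, enc.platform + ['linux'])
    else
      enc
    end
  end
end

# Payload shapes as reported in the issue's pry session.
FETCH_PAYLOAD   = { arch: ['cmd'], platform: ['linux', 'linux'] }.freeze
COMMAND_PAYLOAD = { arch: ['cmd'], platform: ['unix'] }.freeze

if __FILE__ == $PROGRAM_NAME
  puts "fetch payload, unpatched:   #{compatible_encoders(ENCODERS, **FETCH_PAYLOAD)}"
  puts "command payload, unpatched: #{compatible_encoders(ENCODERS, **COMMAND_PAYLOAD)}"
  puts "fetch payload, patched:     #{compatible_encoders(add_linux_where_unix(ENCODERS), **FETCH_PAYLOAD)}"
end
```

Under this model the fetch payload (arch `cmd`, platforms `linux`) only matches the two generic encoders, which is the symptom the report shows, while the command payload (platform `unix`) also matches the `cmd` encoder; once `linux` is added alongside `unix` on that encoder, the fetch payload finds it too.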

github-actions[bot] commented 11 months ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.