Closed Te-k closed 7 years ago
After discussing on IRC, removing the tags from the meterpreter payload and adding them to all exploits seems to be the right way. What do you think, msf gurus? Do you see any impact on removing these tags from php meterpreter? Is it used somewhere outside the webapp exploits?
Pardon me for not being privy to the IRC chat, and hence I might end up revisiting things already discussed.
Does it not make more sense to have the payload handle all cases itself? We do have the means to make the payloads work correctly in each environment it happens to run in, and that means that the calling exploits shouldn't have to care about it at all unless there's an exploit-specific quirk to cater for.
If you remove the tags from the payloads, what happens when you use msfvenom to generate raw PHP payloads? Is the intent in that case for the user to manually add the tags themselves?
I still think the better way is to fix the payload itself, rather than having to fix individual exploits, adjust msfvenom, and confuse people with new payload types.
Please take a look at this small changeset, which just adds the tag + escape code to the PHP payload. I think this is all that's going to be needed.
Indeed @OJ, your solution fixes the problem (tested with the exploit mentioned in the bug). Up to you to choose the best fix :)
Issue resolved by https://github.com/rapid7/metasploit-framework/pull/7469
Steps to reproduce
How'd you do it?
Expected behavior
The PHP tags should be added automatically to the payload by exploits that need them (like the WordPress upload exploits).
Current behavior
Apparently there is inconsistent handling of PHP tags between payloads and exploits:
While in modules/exploits/unix/webapp/wp_wysija_newsletters_upload.rb payload.encoded is used directly:
Manually adding the PHP tags to all upload exploits would fix this problem, as the meterpreter uses the comment trick to avoid problems if the tag is added twice, but it would be better to have an option when getting the payload to add it (or not). Any idea on how to do this properly?
System stuff
Metasploit version
Installed from source: 718f36f1af66959353adff5c2e76488a9ebe551f (Land #6955, DarkComet C2 Arbitrary File Download)
OS
Tested on a recently updated Linux Mint, Ruby 2.3.0
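The "comment trick" the reporter mentions, and the "tag + escape code" OJ proposes adding to the payload, both rely on the same property: a prefix of the form `/*<?php /**/` is harmless whether the payload lands in a bare .php file (PHP starts in inline-HTML mode) or gets dropped into code that is already in PHP mode (the exploit prepended `<?php` itself). The Ruby below is an added example, not code from the thread, from Metasploit or from PR 7469. `wrap_php`, `php_model` and `executes_cleanly?` are hypothetical names; `php_model` is a deliberately small model of PHP's scanner (open/close tags and `/* */` comments only; it does not handle strings, `//` or `#` comments) used to show what PHP would execute and what it would echo as text.

```ruby
# Added example (not Metasploit code). Demonstrates why a PHP payload that
# carries its own "/*<?php /**/" prefix survives both of the situations the
# thread discusses: the exploit writes it into a raw .php file, or the exploit
# has already prepended "<?php" and the tag ends up present twice.
#
# Outside PHP mode: "/*" is echoed as literal text, "<?php" enters PHP mode,
#                   "/**/" is an empty comment.
# Inside PHP mode:  "/*<?php /**/" is a single comment, so the stray tag is
#                   simply ignored.
PHP_PREFIX = "/*<?php /**/".freeze

# Prepend the prefix once; the trick itself also tolerates a second copy, but
# there is no reason to emit one.
def wrap_php(body)
  body.start_with?(PHP_PREFIX) ? body : "#{PHP_PREFIX} #{body}"
end

# Minimal model of PHP's scanner: tracks inline-HTML vs PHP mode, skips /* */
# comments, and returns the code PHP would parse plus the text it would echo.
# Simplification: no string literals, no "//" or "#" comments.
def php_model(src, start_mode = :html)
  mode = start_mode
  code = +""
  html = +""
  i = 0
  while i < src.length
    if mode == :html
      if src[i, 5] == "<?php"
        mode = :php
        i += 5
      else
        html << src[i]
        i += 1
      end
    elsif src[i, 2] == "/*"
      j = src.index("*/", i + 2)
      raise "unterminated comment at #{i}" unless j
      i = j + 2
    elsif src[i, 2] == "?>"
      mode = :html
      i += 2
    else
      code << src[i]
      i += 1
    end
  end
  { code: code.strip, html: html.strip }
end

# True when no "<?php" leaked into the code that PHP would try to parse.
# An open tag inside PHP mode is a parse error, which is exactly what happens
# when a plain "<?php" prefix is added twice.
def executes_cleanly?(src, start_mode = :html)
  !php_model(src, start_mode)[:code].include?("<?php")
end

if __FILE__ == $0
  payload = "echo 'hello';" # constructed stand-in for a real payload body
  [
    wrap_php(payload),                   # raw .php file, starts in HTML mode
    "<?php " + wrap_php(payload),        # exploit already added the open tag
    PHP_PREFIX + " " + wrap_php(payload),# prefix present twice, still fine
    "<?php <?php " + payload             # naive tag added twice: parse error
  ].each do |src|
    r = php_model(src)
    puts "#{src.inspect}\n  runs: #{r[:code].inspect}  echoes: #{r[:html].inspect}  clean: #{executes_cleanly?(src)}"
  end
end
```

Note the one visible cost of the trick: when the file starts in inline-HTML mode, the leading `/*` is echoed to the HTTP response before PHP mode begins. For a reverse shell that output is irrelevant, but it is why the prefix is not a silent no-op in the raw-file case.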