rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Exception on receiving http request in mswhale_checkforupdates #7520

Closed (ptresearch closed 7 years ago)

ptresearch commented 8 years ago

Steps to reproduce

  1. use exploit/windows/browser/mswhale_checkforupdates
  2. set URIPATH /msf
  3. run
  4. make an HTTP GET request from a remote PC to msf: http://x.x.x.x:8080/msf
  5. see an unhandled exception on line 98: NoMethodError: undefined method `opts' for #

Some other modules also seem to be affected:

  exploit/windows/browser/baofeng_storm_onbeforevideodownload
  exploit/windows/browser/symantec_altirisdeployment_runcmd
  exploit/windows/browser/ibmegath_getxmlvalue

Metasploit version

msf > version
Framework: 4.12.40-dev
Console  : 4.12.40-dev

OS version

Ubuntu 15.10 (GNU/Linux 4.2.0-35-generic x86_64)

wvu commented 8 years ago

https://zuts.wordpress.com/tag/there-be-whales-here/

bcook-r7 commented 7 years ago

I went back a couple of years, and still couldn't find when this exploit last worked. Got to the point where installing ruby 1.8 was required :P.

I hate to sound like a jerk, but perhaps that's grounds for removing the module.

wvu commented 7 years ago

I wondered if this bug was related to #2545, but I wasn't able to go back far enough to test. :/

wvu commented 7 years ago

#2545 is almost certainly the cause of this. Looks like some of these modules were never updated.

wvu commented 7 years ago

Looks like that PR changed the behavior of js_heap_spray to return ObfuscateJS#obfuscate (an obfuscated JS string) instead of the ObfuscateJS instance itself, which has the opts accessor.

wvu commented 7 years ago

Seems like something @wchen-r7 would know about or be able to fix. I'm going to back off this, since I have too many tickets still.

wchen-r7 commented 7 years ago

Ok, I will take a look :-) Thanks!

wvu commented 7 years ago

Thank you, @wchen-r7!

wchen-r7 commented 7 years ago

I have submitted a fix here: https://github.com/rapid7/rex-exploitation/pull/2

There are about 19 modules that use the heap_spray method. All of them treat the return value as Rex::Exploitation::ObfuscateJS, so this patch should address it properly.
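
The return-type mismatch described in the two comments above (wvu's diagnosis that js_heap_spray started returning the obfuscated String instead of the ObfuscateJS instance, and wchen-r7's note that the affected modules all treat the return value as Rex::Exploitation::ObfuscateJS), as an added, self-contained illustration. This is not Rex or Metasploit code and not the contents of rex-exploitation PR 2: FakeObfuscateJS is a hypothetical stand-in that models only the two members the thread mentions (#opts and #obfuscate), the heap_spray_before / heap_spray_after helpers are hypothetical versions of js_heap_spray, and the spray JavaScript and option hash are constructed sample input.

```ruby
# Added illustration of the js_heap_spray return-type bug from this issue.
# Nothing here is Rex or Metasploit code: FakeObfuscateJS is a hypothetical
# stand-in for Rex::Exploitation::ObfuscateJS modelling only #opts and
# #obfuscate, and the heap_spray_* helpers are hypothetical js_heap_spray
# variants. Sample JavaScript and options below are constructed.

class FakeObfuscateJS
  attr_accessor :opts

  def initialize(code, opts = {})
    @code = code
    @opts = opts
  end

  # Like the real #obfuscate, hands back the obfuscated JavaScript as a
  # String. The toy transform just renames the identifiers listed under
  # opts[:Symbols][:Variables] so the caller's other page fragments must
  # read @opts to learn the new names.
  def obfuscate(extra = {})
    @opts = @opts.merge(extra)
    out = @code.dup
    vars = @opts.fetch(:Symbols, {}).fetch(:Variables, [])
    vars.each_with_index do |name, i|
      out = out.gsub(/\b#{Regexp.escape(name)}\b/, "_v#{i}")
    end
    out
  end
end

# Constructed spray snippet standing in for the real heap-spray JavaScript.
SPRAY_JS = "var spray = new Array(); for (var i = 0; i < 200; i++) " \
           "{ spray[i] = nops + shellcode; }"

# Constructed options of the shape a browser module would pass.
DEFAULT_OPTS = { Symbols: { Variables: %w[spray nops shellcode] } }

# Contract the browser modules were written against: the ObfuscateJS
# instance comes back, so the caller can still read its opts afterwards.
def heap_spray_before(opts = {})
  js = FakeObfuscateJS.new(SPRAY_JS, opts)
  js.obfuscate
  js
end

# Behaviour the thread attributes to #2545: the String returned by
# #obfuscate is passed straight through, so #opts no longer exists on it.
def heap_spray_after(opts = {})
  FakeObfuscateJS.new(SPRAY_JS, opts).obfuscate
end

# What an un-updated module does with the result inside its request handler.
def module_symbols(spray)
  spray.opts[:Symbols][:Variables]
end

# Returns the name of the missing method (the NoMethodError from the
# report), or nil if the call succeeded.
def reproduce_failure
  module_symbols(heap_spray_after(DEFAULT_OPTS))
  nil
rescue NoMethodError => e
  e.name
end

# Same module code against the original contract: works, and the renamed
# identifiers are recoverable from the instance.
def works_before
  module_symbols(heap_spray_before(DEFAULT_OPTS))
end

if __FILE__ == $PROGRAM_NAME
  puts "after #2545-style change: undefined method #{reproduce_failure.inspect}"
  puts "before: module sees symbols #{works_before.inspect}"
  puts "obfuscated JS: #{heap_spray_after(DEFAULT_OPTS)}"
end
```

The point for module authors is that a helper returning a String is a different contract from one returning the ObfuscateJS instance, and every caller that reads `.opts` is only exercised on a live request, which is why the error surfaces at the HTTP handler rather than at module load.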

wvu commented 7 years ago

Thanks again, @wchen-r7. :)