This creates a new API, create_process, which allows the creation of processes from an array of args, rather than from a commandline string that needs to go through a subshell. This places the escaping logic in one place, and lets module developers create more robust code.

Verification
You'll need to pull in mettle, as well as the various metasploit-payloads (php, py, c, java)
rapid7/metasploit-payloads#701
rapid7/mettle#258
Test for each of the following:
For each of the above:
create_process passes parameters exactly as provided. You can run it directly in irb by setting a session, then using create_process(cmd, args:[...]). I created a test program to do this - just ask ChatGPT to write you a program that will show you what args were passed to it, each on a new line.
cmd_exec still works as it did before (including buggy calls)
cmd_exec, and then using create_process on PHP < 7.4 (not supported)

You can observe process launches (to check for the presence/absence of subshells) using:
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_exec*{ printf("pid: %d, comm: %s, args: ", pid, comm); join(args->argv); }'
Tests
Windows, new Metasploit, old Meterp
Windows, new Metasploit, new Meterp
Linux, new Metasploit, old Meterp
Linux, new Metasploit, new Meterp
Java, new Metasploit, old Meterp
Java, new Metasploit, new Meterp
Python, new Metasploit, old Meterp
Python, new Metasploit, new Meterp
PHP, new Metasploit, old Meterp
PHP, new Metasploit, new Meterp
PHP < 7.4, new Metasploit, new Meterp
Windows, Command shell
Linux, Command shell
PowerShell
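The difference the checklist above is probing (a command-line string that a subshell re-parses, versus an argv array handed straight to the spawn call) can be reproduced on the local host without a session. The following is an added example, not code from the PR, from mettle or from Metasploit: run_via_shell_string and run_via_argv are illustrative names, not Metasploit APIs, and the "test program that shows what args were passed" is stood in for by the local ruby interpreter running a tiny script written to a temp file (assumptions: a POSIX host with /bin/sh, and RbConfig.ruby pointing at a runnable ruby, which holds wherever this file itself runs).

```ruby
require 'open3'
require 'rbconfig'
require 'shellwords'
require 'tempfile'

# Stand-in for the arg-dumping test program from the PR description: a
# throwaway script that prints each argv element on its own line.
# (Constructed here; kept referenced by a constant so the temp file survives.)
DUMPER_SCRIPT = Tempfile.new(['argv_dumper', '.rb']).tap do |f|
  f.write("puts ARGV\n")
  f.flush
end

# Program plus fixed leading args: [ruby, /tmp/argv_dumper....rb]
ARGV_DUMPER = [RbConfig.ruby, DUMPER_SCRIPT.path]

# The pre-create_process pattern: the module builds a single command line and
# the target shell re-parses it. Only the program path is escaped; the caller
# concatenates the user-supplied args with spaces, which is the kind of
# "buggy call" the PR keeps working for compatibility. Every shell
# metacharacter inside the args is interpreted by /bin/sh.
def run_via_shell_string(args)
  cmdline = (ARGV_DUMPER.map { |s| Shellwords.escape(s) } + args).join(' ')
  out, _status = Open3.capture2('/bin/sh', '-c', cmdline)
  out.lines.map(&:chomp)
end

# The create_process pattern: program and argv travel as an array to an
# execve-style spawn, so no shell ever sees them. Open3.capture2 with more
# than one positional string does exactly that on the local host.
def run_via_argv(args)
  out, _status = Open3.capture2(*ARGV_DUMPER, *args)
  out.lines.map(&:chomp)
end

# Constructed sample arguments: embedded whitespace, a command separator and a
# variable reference, i.e. the things a subshell would split, run or expand.
SAMPLE_ARGS = ['a b', 'c;echo injected', '$HOME'].freeze

if __FILE__ == $PROGRAM_NAME
  puts "via shell string: #{run_via_shell_string(SAMPLE_ARGS).inspect}"
  puts "via argv array:   #{run_via_argv(SAMPLE_ARGS).inspect}"
end
```

Run it alongside the bpftrace one-liner from the description: the shell-string path shows an extra sh -c exec before the dumper, and its output is split into a, b, c followed by a line produced by the injected echo, while the argv path shows a single exec and returns the three arguments byte-for-byte.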