Metasploit mailing list archives

PAYLOAD: adduser.rb - Checks on the PASS parameter


From: chris.riley at c22.cc (ChrisJohnRiley)
Date: Fri, 11 Sep 2009 17:43:19 +0200

Right now I'm testing using msfconsole (with a modified version of ms08_067_netapi) and msfpayload.

I'll take a look at raising an ArgumentError and see how it affects things.

As you said on Twitter though, looks like a hook method to enable custom validators might be the best method in the long run. Question is though, is this the only case where custom validation has come up as a requirement, and can you envisage it coming up in the future? Useful yes, but worth the additional work?

--
Chris

-----Original Message-----
From: framework-bounces at spool.metasploit.com [mailto:framework-bounces at spool.metasploit.com] On Behalf Of HD Moore
Sent: 11 September 2009 17:21
To: framework at spool.metasploit.com
Subject: Re: [framework] PAYLOAD: adduser.rb - Checks on the PASS parameter

On Fri, 2009-09-11 at 02:05 +0200, ChrisJohnRiley wrote:

I'm trying to implement a few checks in a custom version of the adduser.rb payload (length and password complexity rules on the PASS parameter). Although the checks are functioning (see DEBUG messages), I can't seem to get the payload to exit out cleanly and cancel the exploit (Msf::OptionValidateError ???).


What interface are you testing with? Raising an ArgumentError from the
generate function works fine for msfconsole (it stops the exploit). If
you are using this with a client-side exploit where payload generation
is delayed, this wouldn't show up until a client accessed the exploit
service.

msf exploit(handler) > exploit 

[-] Exploit failed: Password for the adduser payload must be 14
characters or less

Besides the constraints on the basic option types, there is no other way
to place a check on the raw option value before launching the exploit
right now. If this becomes an issue, we can add an
option_validator(oname) method to each module, which can provide a
true/false return based on its own rules.


-HD


_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
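
The `option_validator(oname)` hook proposed in the thread, as an added stand-alone Ruby sketch that is not part of the original messages and is not Metasploit Framework code. `ToyModule`, `ToyAddUser`, `OptionError`, `launch`, `invalid_options` and the complexity rule are assumptions for illustration; the 14-character limit comes from the console output quoted above.

```ruby
# Stand-alone sketch: hypothetical classes, not the Metasploit Framework API.
class OptionError < StandardError; end

class ToyModule
  attr_reader :datastore

  def initialize(opts = {})
    @datastore = opts
  end

  # Hook from the thread: true/false for the raw value of option `oname`.
  # The default accepts everything, so modules without rules are unaffected.
  def option_validator(_oname)
    true
  end

  # Names of all options whose raw value the module's own hook rejects.
  def invalid_options
    datastore.keys.reject { |oname| option_validator(oname) }
  end

  # Validate before any generation step, so a bad value stops the run
  # up front even where generation would otherwise be delayed.
  def launch
    bad = invalid_options
    raise OptionError, "Options failed to validate: #{bad.join(', ')}" unless bad.empty?
    generate
  end

  def generate
    :generated
  end
end

class ToyAddUser < ToyModule
  MAX_PASS = 14 # limit taken from the quoted console output

  def option_validator(oname)
    return true unless oname == 'PASS'
    pass = datastore['PASS'].to_s
    # Constructed complexity rule: at least three of four character classes.
    classes = [/[a-z]/, /[A-Z]/, /\d/, /[^A-Za-z0-9]/].count { |re| pass =~ re }
    !pass.empty? && pass.length <= MAX_PASS && classes >= 3
  end
end
```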


