Metasploit-framework: Aux and post modules should have actions instead of targets

Created on 24 Jul 2019 · 6 Comments · Source: rapid7/metasploit-framework

Targets are supported by exploit and evasion modules.

wvu@kharak:/rapid7/metasploit-framework:master$ git grep -l 'Targets.*=>' modules/{auxiliary,post}
modules/auxiliary/admin/http/pfadmin_set_protected_alias.rb
modules/auxiliary/admin/http/scadabr_credential_dump.rb
modules/auxiliary/admin/http/telpho10_credential_dump.rb
modules/auxiliary/admin/http/typo3_news_module_sqli.rb
modules/auxiliary/admin/mssql/mssql_findandsampledata.rb
modules/auxiliary/admin/mssql/mssql_idf.rb
modules/auxiliary/admin/mssql/mssql_ntlm_stealer_sqli.rb
modules/auxiliary/gather/ie_sandbox_findfiles.rb
modules/auxiliary/gather/ms14_052_xmldom.rb
modules/auxiliary/gather/safari_file_url_navigation.rb
modules/auxiliary/scanner/http/iis_shortname_scanner.rb
modules/auxiliary/scanner/http/wp_arbitrary_file_deletion.rb
modules/auxiliary/scanner/ssh/apache_karaf_command_execution.rb
modules/post/linux/dos/xen_420_dos.rb
modules/post/linux/manage/sshkey_persistence.rb
modules/post/multi/escalate/metasploit_pcaplog.rb
modules/post/osx/gather/apfs_encrypted_volume_passwd.rb
modules/post/windows/escalate/unmarshal_cmd_exec.rb
modules/post/windows/manage/powershell/build_net_code.rb
wvu@kharak:/rapid7/metasploit-framework:master$

Update - @busterb
Any existing targets on aux and post modules are currently ignored by Metasploit framework. Someone should look at the ones that got added and decide:

  • Do these look like 'Actions', and we can convert the Target to an Action?
  • Or are these accidentally added because of copy-paste, and we can simply delete them from the module?

I think almost all are in the second category. Also note that, if a module only does one thing, there's not usually much functional benefit to adding an 'Action' at all, unless it's somehow unclear to the user what the module will actually do. For instance, if a module is literally called 'spoof/cisco/cdp', it probably doesn't matter if you add an action called 'Spoof', since it's pretty clear from the name that's what its purpose in life is.

bug module newbie-friendly

All 6 comments

So long as nobody is mixing in exploit code depending on target into their aux module (strictly inline processing in the module itself), this shouldn't be too rough to undo, and would be a significant cleanup of a very user-visible sharp edge.

It should be an easy update. I've marked it newbie-friendly in case someone new wants to take it on. I know at least one person interested.

@wvu-r7 I think I can take this one! I'm not sure I understand what the bug is right now, but I'll investigate that. I'll come back to you if I have any questions (or results)!

Sounds good!

And nice bike. :-)

I think there's a secondary thing at play here, too..... I am going to guess that some people assigned Target as a way to only run a POST module on a supported system. We should check to see that if a Target is mentioned in the Hash, we may want to add a check to verify that the system the POST module is running on matches that OS.

So maybe the first step is to divide this into three groups:

  • Modules that don't need Target defined.
  • Modules that change behavior on Target Value and need to be migrated to an Action Value.
  • Modules that thought Target was somehow verified, so we need to add verification code.
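
One way to do the three-way split proposed in the last comment, as an added example that is not part of the issue thread or the Metasploit code base: a Ruby heuristic that sorts module source into "delete Targets", "migrate to an Action" and "add a platform check". The regexes, group names and sample fragments are assumptions made for illustration; anything it flags still needs a human read.

```ruby
# Added example: heuristic triage of aux/post modules that declare 'Targets'.
# Regexes, group names and SAMPLES are assumptions, not framework code.
TARGETS_KEY = /['"]Targets['"]\s*=>/
# Reads of the selected target, e.g. target.name or target['Arch'] (not target_uri).
TARGET_USE = /\btarget(?:\.\w+|\[|_index\b)/
# A target name that looks like an OS suggests the author expected a platform check.
OS_NAME = /['"][^'"]*(?:Windows|Linux|OS ?X|macOS|Unix|BSD|Solaris)[^'"]*['"]/i

# Return the text of the 'Targets' array by balancing brackets, or nil if absent.
def targets_block(source)
  start = source =~ TARGETS_KEY
  first = start && source.index('[', start)
  return nil unless first
  depth = 0
  (first...source.length).each do |i|
    depth += 1 if source[i] == '['
    depth -= 1 if source[i] == ']'
    return source[first..i] if depth.zero?
  end
  nil
end

def triage(source)
  block = targets_block(source)
  return :no_targets unless block
  # Drop comment lines so a commented-out reference does not count as use.
  code = source.lines.reject { |l| l.strip.start_with?('#') }.join
  return :migrate_to_action if code =~ TARGET_USE
  return :add_platform_check if block =~ OS_NAME
  :delete_targets
end

# Constructed module fragments, one per outcome.
SAMPLES = {
  'copy_paste.rb' => "'Targets' => [ [ 'Automatic', {} ] ],\n'DefaultTarget' => 0\n" \
                     "def run; print_status(target_uri.path); end\n",
  'two_modes.rb' => "'Targets' => [ [ 'MySQL', {} ], [ 'PostgreSQL', {} ] ]\n" \
                    "def run; run_query(target.name == 'MySQL' ? :mysql : :pg); end\n",
  'os_only.rb' => "'Targets' => [ [ 'Linux x86', {} ], [ 'Linux x64', {} ] ]\n" \
                  "def run; write_file(path, data); end\n",
  'clean.rb' => "'Actions' => [ [ 'Dump', { 'Description' => 'Dump creds' } ] ]\n"
}.freeze

def triage_all(sources)
  sources.transform_values { |src| triage(src) }
end

triage_all(SAMPLES).each { |file, group| puts "#{group.to_s.ljust(20)} #{file}" }
```

To run it over a checkout, feed `triage` the contents of each file listed by the `git grep` at the top of the issue.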
