Metasploit-framework: Metasploit Payload Options Set Command isn't present in MSF5 for Generate

Created on 14 Aug 2019 · 5 Comments · Source: rapid7/metasploit-framework

Steps to reproduce

How'd you do it?

  1. This is a question about where the set command (-s) is that was found in msf4 as per the Offensive Security guide. https://www.offensive-security.com/metasploit-unleashed/generating-payloads/

It allows one to set a custom value for the payload options. Example command follows

  1. Currently, there's no way to set a custom value for a payload's options. We use the following option as an example.
msf > use payload/windows/shell_bind_tcp
.
.
.
msf5 payload(windows/shell_bind_tcp) > show options

Module options (payload/windows/shell_bind_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  seh              yes       Exit technique (Accepted: '', seh, thread, process, none)
   LPORT     1234             yes       The listen port
   RHOST                      no        The target address
  1. As you can see, there's no existing command -o for generate setting the options as found in the Offensive Security guide. The current -o in msf5 specifies a file output path you want to save your payload to.
Usage: generate [options]

Generates a payload.

OPTIONS:

    -E        Force encoding
    -O <opt>  Deprecated: alias for the '-o' option
    -P <opt>  Total desired payload size, auto-produce approproate NOPsled length
    -S <opt>  The new section name to use when generating (large) Windows binaries
    -b <opt>  The list of characters to avoid example: '\x00\xff'
    -e <opt>  The encoder to use
    -f <opt>  Output format: bash,c,csharp,dw,dword,hex,java,js_be,js_le,num,perl,pl,powershell,ps1,py,python,raw,rb,ruby,sh,vbapplication,vbscript,asp,aspx,aspx-exe,axis2,dll,elf,elf-so,exe,exe-only,exe-service,exe-small,hta-psh,jar,jsp,loop-vbs,macho,msi,msi-nouac,osx-app,psh,psh-cmd,psh-net,psh-reflection,vba,vba-exe,vba-psh,vbs,war
    -h        Show this message
    -i <opt>  The number of times to encode the payload
    -k        Preserve the template behavior and inject the payload as a new thread
    -n <opt>  Prepend a nopsled of [length] size on to the payload
    -o <opt>  The output file name (otherwise stdout)
    -p <opt>  The platform of the payload
    -s <opt>  NOP sled length.
    -x <opt>  Specify a custom executable file to use as a template
  1. I can manually set the options for generate one by one as follows:
msf5 payload(windows/shell_bind_tcp) > set EXITFUNC seh
EXITFUNC => seh
  1. What I want to do instead is do something like set the key value whenever I generate:
msf5 payload(windows/shell_bind_tcp) > generate -o LPORT=1234,EXITFUNC=seh

Currently, -o seems to map to file output, so not sure what's the current command for setting the options for each payload.

Expected behavior

What should happen?

I should be able to find the relevant documentation for the replacement to the -o command in generate for setting options key value for the payload.

Current behavior

What happens instead?

No documented command for setting options key value for the payload upon generating the payload in msf5.

System stuff

Metasploit version

Get this with the version command in msfconsole (or git log -1 --pretty=oneline for a source install).

Framework: 5.0.41-dev-dbe856297acd2517fd601dbac34e46889d174870
Console : 5.0.41-dev-dbe856297acd2517fd601dbac34e46889d174870

I installed Metasploit with:

  • [ ] Kali package via apt
  • [ ] Omnibus installer (nightly)
  • [*] Commercial/Community installer (from http://www.rapid7.com/products/metasploit/download.jsp)
  • [ ] Source install (please specify ruby version)

OS

What OS are you running Metasploit on?

Latest macOS Mojave version 10.14

bug confirmed msfconsole

All 5 comments

Hi @YazzyYaz, we changed this a little while back when making the generate command behave more like msfvenom (#8999). You do not need to use a flag to set datastore options with generate anymore, something like:

msf5 payload(windows/shell_bind_tcp) > generate LPORT=1234 EXITFUNC=seh

should do what you want. With the code in front of me, though, I can see that there are a few issues with how it tries to handle backwards compatibility with -o, so I'll leave this open (cc @busterb).

Example stack trace when using -o for options:

msf5 payload(linux/x64/meterpreter_reverse_tcp) > generate -o LHOST=localhost
The -o parameter of 'generate' is now preferred to indicate the output file, like with msfvenom[-] Error while running command generate: undefined local variable or method `key' for #<Msf::Ui::Console::CommandDispatcher::Payload:0x00007fcbe95e2218>
Did you mean?  keep

Call stack:
/Users/acammack/rapid7/metasploit-framework/lib/msf/ui/console/command_dispatcher/payload.rb:118:in `block in cmd_generate'
/Users/acammack/rapid7/metasploit-framework/lib/rex/parser/arguments.rb:58:in `block (3 levels) in parse'
/Users/acammack/rapid7/metasploit-framework/lib/rex/parser/arguments.rb:48:in `each_pair'
/Users/acammack/rapid7/metasploit-framework/lib/rex/parser/arguments.rb:48:in `block (2 levels) in parse'
/Users/acammack/rapid7/metasploit-framework/lib/rex/parser/arguments.rb:47:in `each'
/Users/acammack/rapid7/metasploit-framework/lib/rex/parser/arguments.rb:47:in `block in parse'
/Users/acammack/rapid7/metasploit-framework/lib/rex/parser/arguments.rb:40:in `each'
/Users/acammack/rapid7/metasploit-framework/lib/rex/parser/arguments.rb:40:in `each_with_index'
/Users/acammack/rapid7/metasploit-framework/lib/rex/parser/arguments.rb:40:in `parse'
/Users/acammack/rapid7/metasploit-framework/lib/msf/ui/console/command_dispatcher/payload.rb:99:in `cmd_generate'
/Users/acammack/rapid7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
/Users/acammack/rapid7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
/Users/acammack/rapid7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
/Users/acammack/rapid7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
/Users/acammack/rapid7/metasploit-framework/lib/rex/ui/text/shell.rb:151:in `run'
/Users/acammack/rapid7/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/Users/acammack/rapid7/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:49:in `<main>'
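
The parsing behaviour described in the comment above, sketched as an added example (not Metasploit's code, and not part of the original thread): bare KEY=VALUE arguments go to the datastore, `-o` names the output file, and the legacy `-o KEY=VAL,KEY=VAL` form is still accepted with a warning. The function name `parse_generate_args` and its return shape are hypothetical.

```ruby
# Added illustration only. parse_generate_args and the returned hash layout
# are hypothetical; they do not mirror Metasploit's internal API.
def parse_generate_args(args)
  result = { datastore: {}, output: nil, warnings: [] }
  rest = args.dup

  until rest.empty?
    arg = rest.shift

    if arg == '-o'
      val = rest.shift
      raise ArgumentError, '-o requires a value' if val.nil?

      if val.include?('=')
        # Legacy msf4 form: -o KEY=VAL,KEY=VAL. Each pair is split here so
        # that key and value are both defined before they are used, which is
        # the kind of slip the "undefined local variable `key'" trace shows.
        # Caveat: an output file name containing '=' lands in this branch.
        result[:warnings] << '-o now names the output file; pass KEY=VALUE directly'
        val.split(',').each do |pair|
          key, value = pair.split('=', 2)
          raise ArgumentError, "malformed option: #{pair}" if key.to_s.empty? || value.nil?
          result[:datastore][key] = value
        end
      else
        result[:output] = val
      end
    elsif arg.include?('=') && !arg.start_with?('-')
      # New form: generate LPORT=1234 EXITFUNC=seh
      key, value = arg.split('=', 2)
      raise ArgumentError, "malformed option: #{arg}" if key.empty?
      result[:datastore][key] = value
    else
      raise ArgumentError, "unrecognised argument: #{arg}"
    end
  end

  result
end
```
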

Ruh roh. Should have reviewed #8999 closer. Related to #12195. cc @busterb

@acammack-r7 thanks for the tip, generate LPORT=1234 EXITFUNC=seh is the kind of command I'm looking for here. Glad to contribute an issue ticket and continue testing metasploit!

@YazzyYaz: generate -o is fixed in the above PR, but please use the new syntax! Thanks!

Thanks, will do 👍
