Add find_writable_directories to Msf::Post::File #21232
Open
bcoles wants to merge 1 commit into rapid7:master from
Add a method to discover writable directories on Unix targets using the `find` command. This is useful in post-exploitation scenarios where a module needs to locate a writable staging path.

Parameters:
- path: base directory to search (default: /)
- max_depth: find -maxdepth limit (default: 2)
- timeout: seconds before killing the remote process (default: 15)
- user/group: filter by owner and/or group with -perm checks

The method uses a three-tier strategy to prevent a long-running find from tying up the session's shell channel:
1. GNU coreutils `timeout` - wraps the find command directly
2. `perl` alarm() - fallback for BSD, macOS, and Solaris targets
3. When neither is available, max_depth is capped at 1 and a warning is emitted to alert the operator

The remote timeout deadline is set 5 seconds shorter than the cmd_exec deadline so the server-side kill fires first and partial results are still collected.

Raises on Windows sessions. Returns an array of absolute paths, or nil on failure. Non-absolute lines (e.g. find error messages) are filtered from the output.
Contributor
Author
Broken tests are not my fault.
jvoisin
reviewed
Apr 4, 2026
| if timeout > 0 | ||
| if command_exists?('timeout') | ||
| # GNU coreutils timeout - common on Linux | ||
| cmd = "timeout #{timeout} #{find_cmd}" |
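Review bot: on the `cmd = "timeout #{timeout} #{find_cmd}"` line, `timeout` is interpolated into the remote shell command without being coerced to an integer, and the `if timeout > 0` guard above it raises on nil instead of rejecting the value cleanly. Consider `timeout = Integer(timeout)` before the guard so that only a whole number of seconds can reach the command line. Separately, `command_exists?('timeout')` only establishes that a binary named timeout is present, not that it accepts the `SECS PROG` argument order this line relies on.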
Contributor
Busybox' timeout is using `timeout [-t SECS] [-s SIG] PROG ARGS` :/
Contributor
Author
Rather than over-complicate it by trying to figure out which version of timeout is available, it may simply be better to strip out all the timeout/perl handling, pass the timeout argument to cmd_exec and print a warning if the depth is > 2.
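The three-tier wrapper selection from the pull request description, with the `timeout -t SECS` form quoted in the review as a caller-selected option, written out as an added example; it is not the PR's code or Metasploit's API. The names `build_find_plan`, `absolute_paths`, `available` and `timeout_style` are hypothetical, and the `-perm -0002` expression is an assumed stand-in for the PR's own permission checks.

```ruby
require 'shellwords'

# Hypothetical helper names; this is not Metasploit's API.
CMD_EXEC_MARGIN = 5 # local deadline exceeds the remote one by this many seconds

# Returns the command line, the local deadline and an optional warning.
# `available` lists tools assumed to have been probed on the target already.
# `timeout_style` is :coreutils (timeout SECS PROG) or :busybox_t
# (timeout -t SECS PROG, the form quoted in the review comment).
def build_find_plan(path: '/', max_depth: 2, timeout: 15, available: [], timeout_style: :coreutils)
  secs  = Integer(timeout) # rejects nil and non-numeric strings
  depth = Integer(max_depth)
  raise ArgumentError, 'path must be absolute' unless path.start_with?('/')

  warning = nil
  wrapper = []
  if secs > 0
    if available.include?('timeout')
      wrapper = timeout_style == :busybox_t ? ['timeout', '-t', secs.to_s] : ['timeout', secs.to_s]
    elsif available.include?('perl')
      # alarm() survives exec, so SIGALRM ends find after `secs` seconds
      wrapper = ['perl', '-e', 'alarm shift; exec @ARGV', secs.to_s]
    else
      depth = [depth, 1].min
      warning = 'no remote timeout available; max_depth capped at 1'
    end
  end

  # Assumption: world-writable directories only (-perm -0002); the PR's
  # user/group filters are not reproduced here.
  find = ['find', path, '-maxdepth', depth.to_s, '-type', 'd', '-perm', '-0002']
  { cmd: Shellwords.join(wrapper + find),
    local_deadline: secs > 0 ? secs + CMD_EXEC_MARGIN : nil,
    warning: warning }
end

# Keep only absolute paths; find's error messages do not start with "/".
def absolute_paths(output)
  output.each_line.map(&:strip).select { |l| l.start_with?('/') }.uniq
end
```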