Fix rapid7#4866, msfvenom not properly handling platform & arch

wchen-r7 · wchen-r7 · commit 56793d11c89e · 2015-04-09T16:01:11.000-05:00
This fixes rapid7#4866, an issue with msfvenom not properly handling special cases with generic payloads. So the story behind this fix is that we have these two problems: Problem 1: The current payload selection design relies on the payload module in order to set the platform and arch. Almost all MSF payloads contain a default platform and arch, however, the bind and reverse generic payloads don't. Problem 2: By default, Msf::Payload::Generic also explicitly sets the PLATFORM and ARCH datastore options to nil. So there is no way the payload generator can figure out what platform and arch to use. As a result of these problems, msfvenom will actually end up getting a Msf::Module::Platform as the default platform, which doesn't actually represent any valid platform we can use (such as Msf::Module::Platform::Windows). And the first item of ARCH_ALL for the arch. In addition, msfvenom has these two arguments that the user can use: --platform and --arch. In most cases, these arguments are used more like checks than actually setting anything. Because remember: Framework's payload selector retreives the platform & arch from the module (trusted), not the user input (untrusted). But from the user's perspective it's impossible to know this. After experimenting different ways to fix this, I came up with this patch. It feels sort of more like a hack than a real fix, but as far as I can tell, this is the best you can get unless you want to redesign generic payload selection.
diff --git a/lib/msf/core/payload_generator.rb b/lib/msf/core/payload_generator.rb
@@ -144,8 +144,10 @@ def choose_arch(mod)
       if arch.blank?
         @arch = mod.arch.first
         cli_print "No Arch selected, selecting Arch: #{arch} from the payload"
+        datastore['ARCH'] = arch if mod.kind_of?(Msf::Payload::Generic)
         return mod.arch.first
       elsif mod.arch.include? arch
+        datastore['ARCH'] = arch if mod.kind_of?(Msf::Payload::Generic)
         return arch
       else
         return nil
@@ -157,14 +159,28 @@ def choose_arch(mod)
     # @param mod [Msf::Payload] The module class to choose a platform for
     # @return [Msf::Module::PlatformList] The selected platform list
     def choose_platform(mod)
+      # By default, platform_list will at least return Msf::Module::Platform
+      # if there is absolutely no pre-configured platform info at all
       chosen_platform = platform_list
+
       if chosen_platform.platforms.empty?
         chosen_platform = mod.platform
         cli_print "No platform was selected, choosing #{chosen_platform.platforms.first} from the payload"
         @platform = mod.platform.platforms.first.to_s.split("::").last
       elsif (chosen_platform & mod.platform).empty?
         chosen_platform = Msf::Module::PlatformList.new
       end
+
+      begin
+        platform_object = Msf::Module::Platform.find_platform(platform)
+      rescue ArgumentError
+        platform_object = nil
+      end
+
+      if mod.kind_of?(Msf::Payload::Generic) && mod.send(:module_info)['Platform'].empty? && platform_object
+        datastore['PLATFORM'] = platform
+      end
+
       chosen_platform
     end
 
