Metasploit mailing list archives
PAYLOAD: adduser.rb - Checks on the PASS parameter
From: hdm at metasploit.com (HD Moore)
Date: Fri, 11 Sep 2009 10:21:01 -0500
On Fri, 2009-09-11 at 02:05 +0200, ChrisJohnRiley wrote:
I?m trying to implement a few checks in a custom version of the adduser.rb payload (length and password complexity rules on the PASS parameter). Although I?ve the checks are functioning (see DEBUG messages), I can?t seem to get the payload to exit out cleanly and cancel the exploit (Msf::OptionValidateError ???).
What interface are you testing with? Raising an ArgumentError from the generate function works fine for msfconsole (it stops the exploit). If you are using this with a client-side exploit where payload generation is delayed, this wouldn't show up until a client accessed the exploit service. msf exploit(handler) > exploit [-] Exploit failed: Password for the adduser payload must be 14 characters or less Besides the constraints on the basic option types, there is no other way to place a check on the raw option value before launching the exploit right now. If this becomes an issue, we can add an option_validator(oname) method to each module, which can provide a true/false return based on its own rules. -HD
Current thread:
- PAYLOAD: adduser.rb - Checks on the PASS parameter ChrisJohnRiley (Sep 10)
- PAYLOAD: adduser.rb - Checks on the PASS parameter HD Moore (Sep 11)
- PAYLOAD: adduser.rb - Checks on the PASS parameter ChrisJohnRiley (Sep 11)
- PAYLOAD: adduser.rb - Checks on the PASS parameter HD Moore (Sep 11)