Metasploit mailing list archives

Passive/aggressive modules that are neither


From: Joshua TAYLOR <joshuaaaron () gmail com>
Date: Thu, 1 Sep 2011 15:32:45 -0400

Hi all
I've noticed that some modules end up with a module_info['Stance']
that is neither Msf::Exploit::Stance::Aggressive nor
Msf::Exploit::Stance::Passive, but rather an array containing both.
For instance,

exploit/multi/http/jboss_maindeployer specifies

'Stance'      => Msf::Exploit::Stance::Aggressive,

in its initialization, but (as I understand it, though I haven't
tracked it all down precisely, I think it's because
merge_check_key, called from merge_info, coerces the non-array value
to an array and adds the incoming value) because it includes both
exploits with passive and aggressive stances, it ends up such that

module_info['Stance'] == ["aggressive", "passive"].

This has two significant effects:

1) module_info['Stance'] isn't always one of
Msf::Exploit::Stance::{Passive, Aggressive}, and
2) methods that assume that module_info['Stance'] is one of those
values have unexpected results. For instance, while the module is,
in some sense, passive and aggressive, both Exploit.aggressive? and
Exploit.passive? are false, because they're defined as

        def aggressive?
                (stance == Stance::Aggressive)
        end

        def passive?
                (stance == Stance::Passive)
        end

It appears that there are seven such modules that have stances of
["aggressive", "passive"], and two that have stances of ["passive"] (I
haven't looked as closely at the latter, but I suspect it's the same
sort of issue). Is this something that's expected and OK, or a
surprise?  (That a module might be both passive and aggressive seems
like it could be OK, but then I'd expect both passive? and aggressive?
to be true.)

-- 
Joshua Taylor, http://www.cs.rpi.edu/~tayloj/
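As an added illustration (not code from the post or from the Metasploit framework), the following Ruby reproduces the array-coercion behaviour the post describes and shows why the exact-comparison predicates fail on it. The merge_check_key stand-in is a hypothetical reconstruction of the behaviour the poster infers, not the framework's implementation; the stance constants and the module/mixin stance values are constructed sample data. The strict predicates mirror the aggressive?/passive? definitions quoted above; the lenient variants are one possible array-tolerant alternative, and nonscalar_stances is an audit helper for finding affected entries in a name => stance map.

```ruby
# Hypothetical reconstruction of the stance-merging behaviour described in
# the post. NOT Metasploit's code: merge_check_key below is an assumption
# about what the framework does, written to reproduce the observed result.
module Stance
  Aggressive = "aggressive"
  Passive    = "passive"
end

# Assumed merge rule: if `key` is already present, coerce the existing value
# to an array, append the incoming value and deduplicate; otherwise store the
# incoming value unchanged. Under this rule a single stance merged with an
# identical stance still becomes a one-element array (the ["passive"] case).
def merge_check_key(info, key, value)
  if info.key?(key)
    current = info[key].is_a?(Array) ? info[key] : [info[key]]
    info[key] = (current + [value]).uniq
  else
    info[key] = value
  end
  info
end

# Simulate a module that declares `own_stance` in its own initialize and
# then merges info from mixins carrying `mixin_stances`.
def merged_stance(own_stance, mixin_stances)
  info = {}
  merge_check_key(info, 'Stance', own_stance)
  mixin_stances.each { |s| merge_check_key(info, 'Stance', s) }
  info['Stance']
end

# Exact-comparison predicates, as quoted in the post: an array value
# satisfies neither, so a "both" module reports as neither.
def strict_aggressive?(stance)
  stance == Stance::Aggressive
end

def strict_passive?(stance)
  stance == Stance::Passive
end

# Array-tolerant variants (a suggested direction, not a framework change):
# treat the stance as a set of values and ask whether it includes one.
def lenient_aggressive?(stance)
  Array(stance).include?(Stance::Aggressive)
end

def lenient_passive?(stance)
  Array(stance).include?(Stance::Passive)
end

# Audit helper: given a name => stance map, return the names whose stance is
# not exactly one of the two recognised scalar values.
def nonscalar_stances(modules)
  modules.reject { |_, st| st == Stance::Aggressive || st == Stance::Passive }.keys
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample: an aggressive module with one aggressive and one
  # passive mixin, matching the jboss_maindeployer observation in the post.
  st = merged_stance(Stance::Aggressive, [Stance::Aggressive, Stance::Passive])
  p st                        # ["aggressive", "passive"]
  p strict_aggressive?(st)    # false
  p strict_passive?(st)       # false
  p lenient_aggressive?(st)   # true
  p lenient_passive?(st)      # true
end
```

Running the script prints the merged array followed by false, false, true, true: the strict checks reject the array outright, while the lenient ones report the module as both passive and aggressive, which is the behaviour the post says one would expect if a dual stance is legitimate.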