As mentioned by @alexmurray in this post, Metasploit Framework requires execstack support for some of its binaries. I’m requesting to add an override for Metasploit so that it can pass “Automated Review” in the future. Thanks.
Pinging… It’s been 12 days.
Mettle is an important part of Metasploit.
Can you please outline the full paths of the files which require an execstack override?
opt/metasploit-framework/embedded/lib/ruby/gems/[0-9].*/gems/metasploit_payloads-mettle-*/build/mips-linux-muslsf/bin/mettle
opt/metasploit-framework/embedded/lib/ruby/gems/[0-9].*/gems/metasploit_payloads-mettle-*/build/mips-linux-muslsf/bin/sniffer
opt/metasploit-framework/embedded/lib/ruby/gems/[0-9].*/gems/metasploit_payloads-mettle-*/build/mipsel-linux-muslsf/bin/mettle
opt/metasploit-framework/embedded/lib/ruby/gems/[0-9].*/gems/metasploit_payloads-mettle-*/build/mipsel-linux-muslsf/bin/sniffer
@phoenix - the overrides mechanism requires complete paths, not regex / globs - can you please provide the exact path names?
opt/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/metasploit_payloads-mettle-1.0.20/build/mips-linux-muslsf/bin/mettle
opt/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/metasploit_payloads-mettle-1.0.20/build/mips-linux-muslsf/bin/sniffer
opt/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/metasploit_payloads-mettle-1.0.20/build/mipsel-linux-muslsf/bin/mettle
opt/metasploit-framework/embedded/lib/ruby/gems/3.0.0/gems/metasploit_payloads-mettle-1.0.20/build/mipsel-linux-muslsf/bin/sniffer
The numbers may change with future updates.
Btw, globs are used for execstack override in the same link you provided me earlier.
Yes, sorry you are right, I completely missed that - we’ll likely either add this via regex (@pfsmorigo has a draft MR already https://code.launchpad.net/~pfsmorigo/review-tools/+git/review-tools/+merge/433530)
The MP was merged today; as soon as it is deployed in the store this should start working.
Thanks @alexmurray @emitorino. Deployed to store. (:
Hi, guys. I updated Metasploit Framework to core24 and the store is rejecting the builds with a warning about execstack support. The builds are currently pending for manual review. Can you take a look into this?
Also, I was thinking that as Metasploit Framework has become a very popular snap worldwide (160 countries), is it possible that the ownership can be transferred to Canonical? Thanks.
@phoenix can you please outline the specific change that you need for the execstack override? What paths are required?
Regarding transferring to Canonical, this needs to be an internal request from a Canonical employee - so unless there is someone at Canonical who has a good reason to suggest this snap be maintained by Canonical then this is highly unlikely to occur. Note, there are many popular snaps, maintained by Canonical employees even which are not under the Canonical publisher account in the store since there is not a good business reason for them to be.
The path is:
opt/metasploit-framework/embedded/framework/data/exploits/redis/exp/exp.so
The full warning as shown in my dashboard is:
Found files with executable stack. This adds PROT_EXEC to mmap(2) during mediation which may cause security denials. Either adjust your program to not require an executable stack, strip it with 'execstack --clear-execstack ...' or remove the affected file from your snap. Affected files: opt/metasploit-framework/embedded/framework/data/exploits/redis/exp/exp.so functional-snap-v2_execstack
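An executable-stack request is recorded in the ELF `PT_GNU_STACK` program header. As an added example (not part of this thread and not review-tools' own check), the Python code below reads that header so a publisher can see which files unpacked from a snap carry the executable bit; `stack_status` and `sample_elf32_be` are hypothetical names, and the sample image is constructed.

```python
import struct

PT_GNU_STACK = 0x6474E551  # program header type carrying the stack permissions
PF_X = 0x1                 # "executable" bit in p_flags

def stack_status(data: bytes) -> str:
    """Classify an ELF image as 'exec', 'noexec', 'no-marker' or 'not-elf'."""
    if len(data) < 52 or data[:4] != b"\x7fELF" or data[4] not in (1, 2):
        return "not-elf"
    is64 = data[4] == 2                    # EI_CLASS: 1 = ELF32, 2 = ELF64
    if is64 and len(data) < 64:
        return "not-elf"
    end = "<" if data[5] == 1 else ">"     # EI_DATA: 1 = little, 2 = big endian
    if is64:
        (e_phoff,) = struct.unpack_from(end + "Q", data, 0x20)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x36)
    else:
        (e_phoff,) = struct.unpack_from(end + "I", data, 0x1C)
        e_phentsize, e_phnum = struct.unpack_from(end + "HH", data, 0x2A)
    flags_off = 4 if is64 else 24          # p_flags moves between Elf64/Elf32_Phdr
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if off + flags_off + 4 > len(data):
            break                          # truncated program header table
        (p_type,) = struct.unpack_from(end + "I", data, off)
        if p_type == PT_GNU_STACK:
            (p_flags,) = struct.unpack_from(end + "I", data, off + flags_off)
            return "exec" if p_flags & PF_X else "noexec"
    # No marker: the loader falls back to an architecture-specific default.
    return "no-marker"

def sample_elf32_be(stack_flags=None) -> bytes:
    """Constructed sample: big-endian ELF32 header, optionally one PT_GNU_STACK entry."""
    phnum = 0 if stack_flags is None else 1
    image = b"\x7fELF" + bytes([1, 2, 1]) + bytes(9)
    image += struct.pack(">HHIIIIIHHHHHH", 3, 8, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)
    if stack_flags is not None:
        image += struct.pack(">8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    return image

if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:              # e.g. files unpacked from a snap
        with open(path, "rb") as fh:
            print(f"{stack_status(fh.read())}\t{path}")
```

Run it with file paths as arguments to get one status per file; only `exec` means the file explicitly asks for an executable stack.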
@alexmurray ping. This snap is already live.
+1 from me for execstack override for metasploit-framework for the path opt/metasploit-framework/embedded/framework/data/exploits/redis/exp/exp.so. Can other @reviewers please vote and action this?
+1 also from me for execstack override for the path opt/metasploit-framework/embedded/framework/data/exploits/redis/exp/exp.so. MR was created: Merge into master : add-metasploit-execstack-override : lp:~jslarraz/review-tools : Git : Code : review-tools
+1 also from my side as well for execstack override for the path opt/metasploit-framework/embedded/framework/data/exploits/redis/exp/exp.so
thanks
Thanks @alexmurray, @jslarraz, @0xnishit for adding the execstack override. But my dashboard still has pending builds as previous builds are pending for manual review. Can anyone kindly take a look into it?
Also, is there any shortcut through which I can join the Snapcraft team at Canonical? Thanks.
The path has been added to review-tools but a new release including this change needs to be created and deployed to the store. Thus, it will still take a few days until it becomes effective.