Skip to content

post/windows/manage/rpcapd_start: run_rpcapd(cmdline) method does not run rpcapd with cmdline #20158

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
bcoles opened this issue May 9, 2025 · 0 comments
Open

post/windows/manage/rpcapd_start: run_rpcapd(cmdline) method does not run rpcapd with cmdline #20158

bcoles opened this issue May 9, 2025 · 0 comments
Labels
bug

Comments

@bcoles
Copy link
Contributor

bcoles commented May 9, 2025

The post/windows/manage/rpcapd_start module describes p and prog parameters to be used in the run_rpcapd method.

metasploit-framework/modules/post/windows/manage/rpcapd_start.rb

Lines 63 to 87 in b5129fe

prog = get_env('ProgramFiles') << '\\winpcap\\rpcapd.exe'
if start_type != START_TYPE_AUTO
print_status("Setting rpcapd as 'auto' service")
service_change_startup('rpcapd', START_TYPE_AUTO)
end
if datastore['ACTIVE']
if datastore['RHOST'].nil?
print_error('RHOST is not set ')
return
end
p = prog << " -d -a #{datastore['RHOST']},#{datastore['PORT']} -v "
print_status("Installing rpcap in ACTIVE mode (remote port: #{datastore['PORT']})")
else
fw_enable(prog)
print_status("Installing rpcap in PASSIVE mode (local port: #{datastore['PORT']}) ")
p = prog << " -d -p #{datastore['PORT']} "
end
if datastore['NULLAUTH']
p << '-n'
end
run_rpcapd(p)
end

The program file path prog is used to add a firewall rule. The p value is unused, then passed to the run_rpcapd method as cmdline, where it is used only in a print message:

metasploit-framework/modules/post/windows/manage/rpcapd_start.rb

Lines 89 to 98 in b5129fe

def run_rpcapd(cmdline)
service_name = 'rpcapd'
if service_restart(service_name)
print_good("Rpcapd started successfully: #{cmdline}")
else
print_error('There was an error restarting rpcapd.exe.')
end
rescue StandardError => e
print_error("The following error was encountered: #{e.class} #{e}")
end

Perhaps the intention was for users to manually run the command printed to terminal? The module does not do it. Despite claiming that it is installing pcap in passive or active mode, no action is taken:

metasploit-framework/modules/post/windows/manage/rpcapd_start.rb

Lines 74 to 80 in b5129fe

p = prog << " -d -a #{datastore['RHOST']},#{datastore['PORT']} -v "
print_status("Installing rpcap in ACTIVE mode (remote port: #{datastore['PORT']})")
else
fw_enable(prog)
print_status("Installing rpcap in PASSIVE mode (local port: #{datastore['PORT']}) ")
p = prog << " -d -p #{datastore['PORT']} "
end

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug
Projects
Metasploit Kanban
Status: No status
Milestone
No milestone
Development

No branches or pull requests
1 participant
@bcoles