When something fails, the target is given a hardcoded 404 message
generated by the framework. But the user (attacker) now can configure
this. When the Custom404 option is set, the mixin will actually
redirect (302) to that URL.
There are several scenarios that can trigger a 404 by BES (custom or
default):
* When the browser doesn't allow javascript
* When the browser directly visits the exploit URL, which is forbidden.
If this actually happens, it probably means the attacker gave the
wrong URL.
* The attacker doesn't allow the browser auto-recovery to retry the
URL.
* If some browser requirements aren't met.
* The browser attempts to go to access a resource not set up by the
mixin.
Sometimes we forget the set command is context specific. For example,
if run from a module's context, it will set the value in the module's
datastore.
Fix#4641
Modify rename_file to fit the pattern of the other file methods.
Otherwise, calling this yields a backtrace in the logs and it fails.
Steps to verify:
rc script:
```
loadpath test/modules
use exploit/multi/handler
set lhost 172.28.128.1
set lport 8081
set payload windows/meterpreter/reverse_http
run -j
sleep 5
resource test/scripts/test-sessions.rc
Before:
```
[-] FAILED: should move files
[-] Exception: TypeError : true is not a symbol
log file:
[01/27/2015 13:17:23] [d(0)] core: Call stack:
/home/bcook/projects/metasploit-framework/lib/msf/core/post/file.rb:357:in
`rename_file'
/home/bcook/projects/metasploit-framework/test/modules/post/test/file.rb:115:in
`block in test_file'
/home/bcook/projects/metasploit-framework/test/lib/module_test.rb:26:in
`call'
/home/bcook/projects/metasploit-framework/test/lib/module_test.rb:26:in
`it'
...
```
After, passing sessions instead:
```
post/test/file
SESSION => 1
Setup: changing working directory to %TEMP%
[*] Running against session 1
[*] Session type is meterpreter and platform is x86/win32
[+] should test for file existence
[+] should test for directory existence
[+] should create text files
[+] should read the text we just wrote
[+] should append text files
[+] should delete text files
[+] should move files
[+] should write binary data
[+] should read the binary data we just wrote
[+] should delete binary files
[+] should append binary data
[*] Passed: 11; Failed: 0
```
- Use separate names for files and directories to avoid cascading
failures if one test fails and leaves a file or directory behind.
- Use %TEMP% rather than %TMP - the former is defined on all Windows
versions, whereas the later is not defined on Windows 2012, causing
the test to fail.
- Don't assume 'HACKING' is in the current working directory, which
breaks remote test harnesses. Instead, send the source code to the
current __FILE__ as the test file to upload, since that works from
any directory or remotely.
sinn3r
James Lee
Brent Cook
Samuel Huckins
jvazquez-r7
Brent Cook
William Vu
Tod Beardsley
Jonathan Claudius