Bug 276006

Summary:

security/metasploit: msfconsole fails to start on fresh install

Product:

Ports & Packages

Reporter:

unitrunker <unitrunker>

Component:

Individual Port(s)

Assignee:

Antoine Brodin <antoine>

Status:

Closed FIXED

Severity:

Affects Some People

CC:

antoine, tanawts

Priority:

---

Flags:

linimon: maintainer-feedback? (tanawts)

Version:

Latest

Hardware:

Any

OS:

Any

Attachments:

Description	Flags
security/metasploit: Adding patch files for Metasploit framework gemspec	none
security/metasploit: Update for Metasploit to version 6.3.50 and updates to all metasploit specific rubygems	none

Description unitrunker 2023-12-29 23:56:07 UTC

On 14.0-RELEASE with no ruby or metasploit installed ...

# pkg install metasploit

and, after successful installation ...

# msfconsole

/usr/local/lib/ruby/gems/3.1/gems/bundler-2.4.20/lib/bundler/resolver.rb:116:in `rescue in solve_versions': Could not find compatible versions (Bundler::SolveFailure)

Because every version of metasploit-framework depends on octokit ~> 4.0
  and octokit ~> 4.0 could not be found in locally installed gems,
  metasploit-framework cannot be used.
So, because Gemfile depends on metasploit-framework >= 0,
  version solving has failed.
        from /usr/local/lib/ruby/gems/3.1/gems/bundler-2.4.20/lib/bundler/resolver.rb:79:in `solve_versions'
        from /usr/local/lib/ruby/gems/3.1/gems/bundler-2.4.20/lib/bundler/resolver.rb:32:in `start'
        from /usr/local/lib/ruby/gems/3.1/gems/bundler-2.4.20/lib/bundler/definition.rb:570:in `start_resolution'
        from /usr/local/lib/ruby/gems/3.1/gems/bundler-2.4.20/lib/bundler/definition.rb:301:in `resolve'
        from /usr/local/lib/ruby/gems/3.1/gems/bundler-2.4.20/lib/bundler/definition.rb:523:in `materialize'
        from /usr/local/lib/ruby/gems/3.1/gems/bundler-2.4.20/lib/bundler/definition.rb:200:in `specs'
        from /usr/local/lib/ruby/gems/3.1/gems/bundler-2.4.20/lib/bundler/definition.rb:266:in `specs_for'

The 'octokit' error message is nonsense. 

# gem list | grep 'octo'
octokit (8.0.0, 7.2.0)

I don't know ruby well enough to chase this any further.

Comment 1 Mark Linimon freebsd_committer

2023-12-30 07:42:05 UTC

^Triage: fix Summary and assign.

Comment 2 tanawts 2024-01-03 18:12:19 UTC

Duplicate bug of 262289 - security/metasploit: Can not launch metasploit

Same documentation fix is still appliable and needs to be checked-in.

This port requires the addition of seperate gems to include the win32api.
As an unprivileged non-root user, please run "bundle install" from the /usr/local/share/metasploit directory
cd /usr/local/share/metasploit && bundle install

Comment 3 tanawts 2024-01-04 14:34:36 UTC

After further investigation, the fix will likely require more than just a doc update.  The reason that the bundle install command referenced works because it is installing  newer versions of the rubygem dependencies than are referenced by the Metasploit port.

I am attempting to update all of the referenced deps on my dev system to determine if that resolves the issue.

Some of those dependent ports will likely need to be upgraded as well and if so, I will submit port update patches for each as needed.

Thank you for your patience

P.S. if you need a workaround in the meantime and wish to run msfconsole as a non-priv user, there are some steps required:


As the non-priv user, you will need to set your Ruby GEM_HOME Path to your home dir:
export GEM_HOME="$(ruby -e 'puts Gem.user_dir')"
export PATH="$GEM_HOME/bin:$PATH"

Then, run "bundle install" from the /usr/local/share/metasploit directory:
cd /usr/local/share/metasploit && bundle install

Comment 4 tanawts 2024-01-05 04:47:00 UTC

Created attachment 247455 [details]
security/metasploit: Adding patch files for Metasploit framework gemspec

[Patch 1/2] Adding patch files for Metasploit framework gemspec

Comment 5 tanawts 2024-01-05 04:52:28 UTC

Created attachment 247456 [details]
security/metasploit: Update for Metasploit to version 6.3.50 and updates to  all metasploit specific rubygems

Updates to Metasploit and all metasploit specific ruby gems

        modified:   security/metasploit
        modified:   security/rubygem-metasploit-aggregator
        modified:   security/rubygem-metasploit-concern
        modified:   security/rubygem-metasploit-credential
        modified:   security/rubygem-metasploit-model
        modified:   security/rubygem-metasploit-payloads
        modified:   security/rubygem-metasploit_data_models
        modified:   security/rubygem-metasploit_payloads-mettle
        modified:   security/rubygem-nexpose
        modified:   security/rubygem-recog
        modified:   security/rubygem-rex-arch
        modified:   security/rubygem-rex-bin_tools
        modified:   security/rubygem-rex-core
        modified:   security/rubygem-rex-encoder
        modified:   security/rubygem-rex-exploitation
        modified:   security/rubygem-rex-java
        modified:   security/rubygem-rex-mime
        modified:   security/rubygem-rex-nop
        modified:   security/rubygem-rex-ole
        modified:   security/rubygem-rex-powershell
        modified:   security/rubygem-rex-random_identifier
        modified:   security/rubygem-rex-registry
        modified:   security/rubygem-rex-rop_builder
        modified:   security/rubygem-rex-socket
        modified:   security/rubygem-rex-sslscan
        modified:   security/rubygem-rex-struct2
        modified:   security/rubygem-rex-text
        modified:   security/rubygem-rex-zip

Comment 6 tanawts 2024-01-05 04:54:31 UTC

Permission requested from antoine@FreeBSD.org to take over port maintainer for the related specific Metasploit rubygem ports as these will most likely update in conjunction with Metasploit itself.

Comment 7 Antoine Brodin freebsd_committer

2024-01-05 07:46:44 UTC

(In reply to tanawts from comment #6)
I think it should be the reverse,  in the past years I handled most of the updates.

Comment 8 commit-hook freebsd_committer

2024-01-05 10:06:17 UTC

A commit in branch main references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=71bb03491b119a3181a4158f39c8305dafbd58c0

commit 71bb03491b119a3181a4158f39c8305dafbd58c0
Author:     Antoine Brodin <antoine@FreeBSD.org>
AuthorDate: 2024-01-05 10:04:30 +0000
Commit:     Antoine Brodin <antoine@FreeBSD.org>
CommitDate: 2024-01-05 10:05:25 +0000

    security/metasploit: fix runtime

    PR:             276006
    MFH:            2024Q1

 security/metasploit/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comment 9 commit-hook freebsd_committer

2024-01-05 10:13:20 UTC

A commit in branch 2024Q1 references this bug:

URL: https://cgit.FreeBSD.org/ports/commit/?id=b18c1349d4e4784b92291da5e864fc3a36599bf4

commit b18c1349d4e4784b92291da5e864fc3a36599bf4
Author:     Antoine Brodin <antoine@FreeBSD.org>
AuthorDate: 2024-01-05 10:04:30 +0000
Commit:     Antoine Brodin <antoine@FreeBSD.org>
CommitDate: 2024-01-05 10:12:04 +0000

    security/metasploit: fix runtime

    PR:             276006
    MFH:            2024Q1
    (cherry picked from commit 71bb03491b119a3181a4158f39c8305dafbd58c0)

 security/metasploit/Makefile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

Comment 10 tanawts 2024-02-04 21:33:25 UTC

I believe this ticket is now remediate by the affiliated code check in that was committed.

I don't seem to have the permissions to mark ticket status to closed/resolved