Add find_writable_directories to Msf::Post::File #21232
bcoles wants to merge 1 commit into rapid7:master from
Conversation
Broken tests are not my fault.
But you wrote the tests that are failing? 😕
I am not a spec expert, but it passes if I add some method stubs: |
Lulled into a false sense of security by always-broken tests.
The tests passed locally without the database when run directly, although now break locally since the
Pull request overview
Adds a new helper on Msf::Post::File to enumerate writable directories on Unix targets (intended for selecting staging paths during post-exploitation), plus RSpec coverage for the new behavior.
Changes:
- Add `Msf::Post::File#find_writable_directories` which runs `find` and parses absolute-path results.
- Add specs covering Windows rejection, output filtering, timeout passthrough, max_depth warnings, and user/group options.
- Update the spec file to load `spec_helper`.
Reviewed changes
Copilot reviewed 2 out of 2 changed files in this pull request and generated 5 comments.
| File | Description |
|---|---|
| lib/msf/core/post/file.rb | Introduces find_writable_directories and its command construction / parsing / error handling. |
| spec/lib/msf/core/post/file_spec.rb | Adds unit tests validating the new helper's behavior and command string expectations. |
| # Find writable directories under +path+ on a Unix system. | ||
| # | ||
| # When neither +user+ nor +group+ is specified, uses find's +-writable+ flag | ||
| # which checks effective access for the current user. When +user+ and/or |
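Review bot: the description of `-writable` as checking "effective access for the current user" is accurate for that branch, since GNU find's `-writable` uses access(2) and therefore honours write permission granted through primary and supplementary group membership; the variant described in the commit message as filtering by user/group with `-perm` checks is the one that would miss group-derived access, so the doc comment should state which branch carries that limitation. It would also help to note that `-writable` is a GNU extension not available in FreeBSD or macOS find, which matters given the BSD/macOS fallback path the commit message describes.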
which checks effective access for the current user.
I think this is a bit misleading.
I noticed that this will result in false negatives if the user has permissions to a directory via their group membership. That is, if user metasploit is part of the wheel group and the wheel group has write permission on a folder, this won't catch it.
All we want is a writable folder so we can stop hardcoding /tmp everywhere.
# grep -rn "/tmp" modules/exploits/**/local/ modules/post/ | wc -l
239
I've removed all the user and group arguments. This was only a nice-to-have feature - not something I care enough about to maintain and rarely likely to be useful.
Add a method to discover writable directories on Unix targets using the `find` command. This is useful in post-exploitation scenarios where a module needs to locate a writable staging path.

Parameters:
- path: base directory to search (default: /)
- max_depth: find -maxdepth limit (default: 2)
- timeout: maximum seconds for cmd_exec to wait (default: 15)

Raises on Windows sessions. Returns an array of absolute paths, or nil on failure. Non-absolute lines (e.g. find error messages) are filtered from the output.
Add a method to discover writable directories on Unix targets using the `find` command. This is useful in post-exploitation scenarios where a module needs to locate a writable staging path.

Parameters:
- user/group: filter by owner and/or group with -perm checks

The method uses a three-tier strategy to prevent a long-running find from tying up the session's shell channel:
1. GNU coreutils `timeout` - wraps the find command directly
2. `perl` alarm() - fallback for BSD, macOS, and Solaris targets
3. When neither is available, max_depth is capped at 1 and a warning is emitted to alert the operator

The remote timeout deadline is set 5 seconds shorter than the cmd_exec deadline so the server-side kill fires first and partial results are still collected.

Raises on Windows sessions. Returns an array of absolute paths, or nil on failure. Non-absolute lines (e.g. find error messages) are filtered from the output.
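The three-tier timeout strategy and the absolute-path filtering described in the commit message, as an added stand-alone example; this is not the PR's code nor part of Metasploit. It assumes a caller-supplied `run` callable in place of `cmd_exec`, boolean `has_timeout` / `has_perl` flags in place of whatever probe the real helper uses to detect those binaries, and a constructed `find` listing as sample output. The exact `perl -e 'alarm shift; exec @ARGV'` wrapper is also an assumption about how the fallback could be built.

```ruby
require 'shellwords'

module WritableDirFinder
  module_function

  # Constructed sample of what `find` might print on a target, including an
  # error line that must be dropped. Not captured from a real session.
  SAMPLE_OUTPUT = <<~OUT
    /tmp
    /var/tmp
    find: '/root': Permission denied
    /dev/shm
    /tmp
  OUT

  # Build the remote command plus any operator warnings.
  # has_timeout / has_perl stand in for a probe such as command_exists?
  # (assumed, not shown). Returns [command_string, warnings_array].
  def build_command(path: '/', max_depth: 2, timeout: 15, has_timeout: false, has_perl: false)
    warnings = []
    # Remote deadline is 5s shorter than the cmd_exec deadline so the
    # server-side kill fires first and the partial listing is still read back.
    remote_deadline = [timeout.to_i - 5, 1].max

    if !has_timeout && !has_perl && max_depth > 1
      warnings << "no 'timeout' or 'perl' on target; capping max_depth at 1"
      max_depth = 1
    end

    find = "find #{path.shellescape} -maxdepth #{max_depth.to_i} -type d -writable 2>/dev/null"

    cmd = if has_timeout
            "timeout #{remote_deadline} #{find}"
          elsif has_perl
            # alarm(2) survives execve, so SIGALRM terminates find at the deadline.
            # The shell applies the 2>/dev/null redirect before exec, so it is
            # not passed to find as an argument.
            "perl -e 'alarm shift; exec @ARGV' #{remote_deadline} #{find}"
          else
            find
          end
    [cmd, warnings]
  end

  # Keep only absolute paths; find's own error messages and blank lines are
  # dropped, and duplicates collapsed. Returns nil when nothing usable remains.
  def parse_output(output)
    return nil if output.nil?

    dirs = output.each_line.map(&:strip).select { |l| l.start_with?('/') }.uniq
    dirs.empty? ? nil : dirs
  end

  # run: a callable standing in for cmd_exec(cmd, nil, timeout).
  # Returns an array of directories, or nil on failure.
  def find_writable_directories(run:, **opts)
    cmd, warnings = build_command(**opts)
    warnings.each { |w| warn w }
    parse_output(run.call(cmd, opts.fetch(:timeout, 15)))
  rescue StandardError
    nil
  end
end

if $PROGRAM_NAME == __FILE__
  # Fake session: echoes the command it would run and returns the sample listing.
  fake_session = ->(cmd, _timeout) { puts "would run: #{cmd}"; WritableDirFinder::SAMPLE_OUTPUT }
  p WritableDirFinder.find_writable_directories(run: fake_session, has_timeout: true)
end
```

The callable boundary is the point: the command builder and the parser can be unit-tested without a session, which is the same separation the PR's specs rely on (asserting on the command string and on filtered output).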