Spike Windows version checks in exploit targets and payloads

Author: sjanusz-r7

lib/msf/base/serializer/readable_text.rb

@@ -492,13 +492,20 @@ def self.dump_evasion_module(mod, indent = '')
   def self.dump_payload_module(mod, indent = '')
     # General
     output  = "\n"
-    output << "       Name: #{mod.name}\n"
-    output << "     Module: #{mod.fullname}\n"
-    output << "   Platform: #{mod.platform_to_s}\n"
-    output << "       Arch: #{mod.arch_to_s}\n"
-    output << "Needs Admin: " + (mod.privileged? ? "Yes" : "No") + "\n"
-    output << " Total size: #{mod.size}\n"
-    output << "       Rank: #{mod.rank_to_s.capitalize}\n"
+    output << "             Name: #{mod.name}\n"
+    output << "           Module: #{mod.fullname}\n"
+    output << "         Platform: #{mod.platform_to_s}\n"
+    output << "             Arch: #{mod.arch_to_s}\n"
+    output << "      Needs Admin: " + (mod.privileged? ? "Yes" : "No") + "\n"
+    output << "       Total size: #{mod.size}\n"
+    output << "             Rank: #{mod.rank_to_s.capitalize}\n"
+
+    required_versions = mod.instance_variable_get(:@module_info)['MinimumVersions']
+    if required_versions && required_versions.any?
+      output << "Required Versions:\n"
+      # No access to a friendly version name here
+      required_versions.map { |k, v| output << "  #{k}: #{v}\n" }
+    end
     output << "\n"
 
     # Authors

lib/msf/core/module.rb

@@ -58,6 +58,7 @@ class Module
     include Msf::Module::Ranking
     include Msf::Module::Type
     include Msf::Module::UI
+    include Msf::Module::VersionCompatibility
     include Msf::Module::UUID
     include Msf::Module::SideEffects
     include Msf::Module::Stability

lib/msf/core/module/version_compatibility.rb

@@ -0,0 +1,131 @@
+# -*- coding: binary -*-
+
+require 'rex/version'
+
+#
+# Provides version compatibility checks between exploit targets and payloads.
+#
+module Msf::Module::VersionCompatibility
+  # Check version compatibility between a payload and the current exploit target.
+  #
+  # @param payload_instance [Msf::Payload] An payload module instance.
+  # @return [Array<String>] An array of warning strings. Empty if there were no warnings and payload is compatible.
+  def version_compatibility_warnings(payload_instance)
+    warnings = []
+
+    target_versions = current_target_runtime_versions
+    return warnings unless target_versions.is_a?(Hash) && !target_versions.empty?
+
+    payload_mins = payload_minimum_versions(payload_instance)
+    return warnings unless payload_mins.is_a?(Hash) && !payload_mins.empty?
+
+    payload_mins.each do |runtime, min_version|
+      next unless target_versions.key?(runtime)
+
+      target_ver = to_version(target_versions[runtime])
+      required_ver = to_version(min_version)
+
+      if target_ver < required_ver
+        required_name = human_readable_version_string(runtime, required_ver)
+        target_name = human_readable_version_string(runtime, target_ver)
+        warnings << "Payload requires #{runtime} >= #{required_name}, but the minimum potentially provided by the target is #{target_name}"
+      end
+    end
+
+    warnings
+  end
+
+  private
+
+  # Normalize a value to Rex::Version
+  #
+  # @param value [String, Rex::Version] The version to normalize.
+  # @return [Rex::Version]
+  def to_version(value)
+    value.is_a?(Rex::Version) ? value : Rex::Version.new(value.to_s)
+  end
+
+  # Look up a human-readable name for a version number.
+  # Falls back to the raw version string if no mapping is found.
+  #
+  # @param runtime [String] The runtime key (e.g., 'Windows', 'Python').
+  # @param version [Rex::Version] The version to look up.
+  # @return [String] A human-readable string like "Windows XP Service Pack 2 (5.1.2600.2)"
+  def human_readable_version_string(runtime, version)
+    case runtime
+    when 'Windows'
+      name = windows_version_name(version)
+      return "#{name} (#{version})" if name
+    end
+
+    version.to_s
+  end
+
+  # Look up a Windows version's human-readable name from the WindowsVersion mappings.
+  #
+  # @param version [Rex::Version] The version to look up.
+  # @return [String, nil] The friendly name, or nil if not found.
+  def windows_version_name(version)
+    [
+      { klass: Msf::WindowsVersion::WorkstationSpecificVersions, mapping: Msf::WindowsVersion::WorkstationNameMapping },
+      { klass: Msf::WindowsVersion::ServerSpecificVersions, mapping: Msf::WindowsVersion::ServerNameMapping }
+    ].each do |h|
+      h[:klass].constants.each do |const|
+        return h[:mapping][const] if h[:klass].const_get(const) == version
+      end
+    end
+
+    nil
+  end
+
+  # Retrieve RuntimeVersions from the currently selected target.
+  # If the current target does not declare RuntimeVersions but other targets do,
+  # returns the lowest (most conservative) version across all targets that declare them.
+  # This handles the "Automatic" target case where the exploit may end up running
+  # against the lowest-versioned target at runtime.
+  #
+  # @return [Hash, nil] The RuntimeVersions hash from the active target, or nil.
+  def current_target_runtime_versions
+    return nil unless respond_to?(:target) && target
+
+    # If the selected target explicitly declares RuntimeVersions, use those directly
+    target_versions = target.opts['RuntimeVersions']
+    if target_versions.is_a?(Hash) && !target_versions.empty?
+      return target_versions
+    end
+
+    # Only compute the lowest common denominator for targets that are explicitly
+    # automatic (i.e., have no RuntimeVersions and are flagged as auto or named "Automatic").
+    # This avoids incorrectly triggering the fallback for non-auto targets that simply
+    # haven't been annotated with RuntimeVersions yet.
+    is_auto_target = target.opts['auto'] || target.name =~ /Automatic/i
+    return nil unless is_auto_target
+
+    # For automatic targets, compute the lowest version across all other targets
+    # that declare RuntimeVersions. This represents the worst-case scenario at runtime.
+    return nil unless respond_to?(:targets) && targets.is_a?(Array)
+
+    lowest_versions = {}
+    targets.each do |t|
+      rt = t.opts['RuntimeVersions']
+      next unless rt.is_a?(Hash)
+
+      rt.each do |runtime, version|
+        ver = to_version(version)
+        if lowest_versions[runtime].nil? || ver < lowest_versions[runtime]
+          lowest_versions[runtime] = ver
+        end
+      end
+    end
+
+    lowest_versions.empty? ? nil : lowest_versions
+  end
+
+  # Retrieve MinimumVersions from a payload instance.
+  #
+  # @param payload_instance [Msf::Payload] The payload to inspect.
+  # @return [Hash, nil] The MinimumVersions hash with OS names as the keys, or nil.
+  def payload_minimum_versions(payload_instance)
+    payload_instance.instance_variable_get(:@module_info)&.dig('MinimumVersions')
+  end
+end

lib/msf/core/payload.rb

@@ -530,6 +530,13 @@ def self.choose_payload(mod)
 
       next unless payload
 
+      # Skip payloads that don't meet the target's version requirements
+      payload_instance = mod.framework.payloads.create(payload)
+      if payload_instance
+        warnings = mod.version_compatibility_warnings(payload_instance)
+        next unless warnings.empty?
+      end
+
       return configure_payload.call(payload)
     end
 

lib/msf/core/payload/python/meterpreter_loader.rb

@@ -1,5 +1,6 @@
 # -*- coding: binary -*-
 
+require 'msf/core/payload/python/meterpreter_version'
 
 module Msf
 
@@ -25,7 +26,8 @@ def initialize(info = {})
       'Author'        => [ 'Spencer McIntyre' ],
       'Platform'      => 'python',
       'Arch'          => ARCH_PYTHON,
-      'Stager'        => {'Payload' => ""}
+      'Stager'        => {'Payload' => ""},
+      'MinimumVersions' => { 'Python' => Msf::Payload::Python::MeterpreterVersion::MINIMUM_VERSION }
     ))
 
     register_advanced_options(

lib/msf/core/payload/python/meterpreter_version.rb

@@ -0,0 +1,10 @@
+# -*- coding: binary -*-
+
+module Msf
+
+module Payload::Python::MeterpreterVersion
+  # The minimum version of Python that is able to run Meterpreter payloads. Versions below this are not supported.
+  MINIMUM_VERSION = '2.5'
+end
+
+end

lib/msf/core/payload/windows.rb

@@ -10,6 +10,7 @@
 ###
 module Msf::Payload::Windows
 
+  require 'msf/core/payload/windows/meterpreter_version'
 
   # Provides the #prepends method
   # XXX: For some unfathomable reason, the order of requires here is

lib/msf/core/payload/windows/meterpreter_loader.rb

@@ -1,6 +1,5 @@
 # -*- coding: binary -*-
 
-
 module Msf
 
 ###
@@ -26,7 +25,8 @@ def initialize(info = {})
       'Platform'      => 'win',
       'Arch'          => ARCH_X86,
       'PayloadCompat' => { 'Convention' => 'sockedi handleedi -https', },
-      'Stage'         => { 'Payload'   => "" }
+      'Stage'         => { 'Payload'   => "" },
+      'MinimumVersions' => { 'Windows' => Msf::Payload::Windows::MeterpreterVersion::MINIMUM_VERSION }
       ))
   end
 

lib/msf/core/payload/windows/meterpreter_version.rb

@@ -0,0 +1,10 @@
+# -*- coding: binary -*-
+
+module Msf
+
+module Payload::Windows::MeterpreterVersion
+  # The minimum version of Windows that is able to run Meterpreter payloads. Versions below this are not supported.
+  MINIMUM_VERSION = Msf::WindowsVersion::XP_SP2
+end
+
+end

lib/msf/core/payload/windows/x64/meterpreter_loader_x64.rb

@@ -1,6 +1,5 @@
 # -*- coding: binary -*-
 
-
 module Msf
 
 ###
@@ -27,7 +26,8 @@ def initialize(info = {})
       'Platform'      => 'win',
       'Arch'          => ARCH_X64,
       'PayloadCompat' => { 'Convention' => 'sockrdi handlerdi -https' },
-      'Stage'         => { 'Payload'   => "" }
+      'Stage'         => { 'Payload'   => "" },
+      'MinimumVersions' => { 'Windows' => Msf::Payload::Windows::MeterpreterVersion::MINIMUM_VERSION }
       ))
   end