Fixes de-registering datastore options validation by cgranleese-r7 · Pull Request #21529 · rapid7/metasploit-framework

cgranleese-r7 · 2026-06-03T13:34:53Z

This PR addresses #21319.

The goal here was to address:

When a module deregisters an option, the validation process should ensure that it is not present when the module runs. It datastore['DEREGISTERED_OPTION'] should probably be nil but at the very least it should be #blank?.
Allowing the caller to pass datastore options that the module explicitly deregistered can break the module authors assumption of how library methods will behave.

This comment calls out some example modules that replicates the issue (thanks for writing those up @zeroSteiner, they were super helpful).

Before

After

Shell to Meterpreter

Tested this locally and still works with the new changes:

msf payload(python/shell_reverse_tcp) > sessions

Active sessions
===============

  Id  Name  Type                 Information  Connection
  --  ----  ----                 -----------  ----------
  1         shell python/python               xxx.xxx.xxx.xxx:4444 -> xxx.xxx.xxx.xxx:57164 (xxx.xxx.xxx.xxx)

msf payload(python/shell_reverse_tcp) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: python. This module works with: Linux, OSX, Unix, Solaris, BSD, Windows.
[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on xxx.xxx.xxx.xxx:4433
[*] Sending stage (23408 bytes) to xxx.xxx.xxx.xxx
[*] Meterpreter session 2 opened (xxx.xxx.xxx.xxx:4433 -> xxx.xxx.xxx.xxx:57176) at 2026-06-08 10:15:06 +0100

msf payload(python/shell_reverse_tcp) >
msf payload(python/shell_reverse_tcp) > sessions

Active sessions
===============

  Id  Name  Type                      Information  Connection
  --  ----  ----                      -----------  ----------
  1         shell python/python                    xxx.xxx.xxx.xxx:4444 -> xxx.xxx.xxx.xxx:57164 (xxx.xxx.xxx.xxx)
  2         meterpreter python/linux  kali @ kali  xxx.xxx.xxx.xxx:4433 -> xxx.xxx.xxx.xxx:57176 (xxx.xxx.xxx.xxx)

msf payload(python/shell_reverse_tcp) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > ls
Listing: /home/kali/Desktop
===========================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100755/rwxr-xr-x  416   fil   2026-06-08 10:13:44 +0100  python_payload.py

meterpreter > pwd
/home/kali/Desktop
meterpreter >

Shell to Meterpreter with override options

msf post(multi/manage/shell_to_meterpreter) > run session=-1 payload_override=python/meterpreter/reverse_tcp platform_override=python lhost=xxx.xxx.xxx.xxx
[!] SESSION may not be compatible with this module:
[!]  * incompatible session platform: python. This module works with: Linux, OSX, Unix, Solaris, BSD, Windows.
[*] Upgrading session ID: -1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on xxx.xxx.xxx.xxx:4433
[*] Sending stage (23408 bytes) to xxx.xxx.xxx.xxx
[*] Meterpreter session 2 opened (xxx.xxx.xxx.xxx:4433 -> xxx.xxx.xxx.xxx:51960) at 2026-06-15 10:44:16 +0100
[*] Post module execution completed
msf post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type                      Information  Connection
  --  ----  ----                      -----------  ----------
  1         shell python/python                    xxx.xxx.xxx.xxx:4444 -> xxx.xxx.xxx.xxx:51918 (xxx.xxx.xxx.xxx)
  2         meterpreter python/linux  kali @ kali  xxx.xxx.xxx.xxx:4433 -> xxx.xxx.xxx.xxx:51960 (xxx.xxx.xxx.xxx)

msf payload(python/shell_reverse_tcp) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > ls
Listing: /home/kali/Desktop
===========================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100755/rwxr-xr-x  416   fil   2026-06-08 10:13:44 +0100  python_payload.py

meterpreter > pwd
/home/kali/Desktop
meterpreter > exit

Notes

Specs were added so we if the implementation is changed in the future we will know if options start leaking back in. I also added a spec to cover the shell to Meterpreter workflows.

TODO LIST

Run Pros test suite and fix any issues

Verification

Manually test the shell to Meterpreter workflows
Pro test suite goes green
Test modules work as expected
Code changes are sane

jenkins-eks-metasploit · 2026-06-03T13:37:53Z

Additional test pipeline started ⌛
Note: build results only accessible to maintainers.

jenkins-eks-metasploit · 2026-06-03T14:00:14Z

Pipeline results available

Slice summary:

No test slices found.

Note: build results only accessible to maintainers.

jenkins-eks-metasploit · 2026-06-05T10:08:39Z

Additional test pipeline started ⌛
Note: build results only accessible to maintainers.

Copilot

Pull request overview

This PR addresses metasploit-framework issue #21319 by preventing options that a module has explicitly deregistered from being written into or read back out of a module’s datastore, and adds RSpec coverage to guard against regressions in common workflows (including shell-to-meterpreter handler/payload datastore sharing).

Changes:

Add tracking of deregistered option keys inside Msf::ModuleDataStore and filter reads/writes for those keys.
Ensure deregistration state is copied alongside datastore state (copy_state) and cleared when a key is re-registered (import_options).
Add a new spec suite covering direct assignment, _import_extra_options, framework datastore fallback reads, re-registering previously-deregistered options, and share_datastore shell-to-meterpreter patterns.

Impact Analysis:

Blast radius: high — Msf::ModuleDataStore is core infrastructure used broadly across module execution and inter-module workflows.
Data and contract effects: changes datastore semantics for deregistered keys (they should no longer be observable); interactions with datastore merging/sharing/copying are particularly sensitive.
Rollback and test focus: focus on module invocation from other modules, handler/payload datastore workflows, and any code paths that merge/copy datastores (e.g., console handler flows); rollback should be straightforward (single core file + specs) but correctness should be validated via the full test suite and targeted manual runs mentioned in the PR description.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
`lib/msf/core/module_data_store.rb`	Adds deregistered-key tracking and filtering hooks to prevent deregistered options from being set or resolved (including via framework datastore fallback).
`spec/lib/msf/core/module_data_store_filter_spec.rb`	Adds regression specs for deregistered option filtering across assignment/import/fallback/copy/share and re-registering scenarios.

jenkins-eks-metasploit · 2026-06-05T11:46:57Z

Pipeline results available

Slice summary:

Test slice 1 - 🔴
Test slice 3 - 🔴
Test slice 4 - 🔴

Note: build results only accessible to maintainers.

Copilot

Pull request overview

Copilot reviewed 2 out of 2 changed files in this pull request and generated 2 comments.

jenkins-eks-metasploit · 2026-06-05T12:48:51Z

Additional test pipeline started ⌛
Note: build results only accessible to maintainers.

jenkins-eks-metasploit · 2026-06-05T15:58:19Z

Pipeline results available

Slice summary:

Test slice 1 - 🔴
Test slice 2 - 🟢
Test slice 4 - 🔴

Note: build results only accessible to maintainers.

jenkins-eks-metasploit · 2026-06-08T08:38:50Z

Additional test pipeline started ⌛
Note: build results only accessible to maintainers.

jenkins-eks-metasploit · 2026-06-08T11:48:33Z

Pipeline results available

Slice summary:

Test slice 1 - 🔴
Test slice 2 - 🟢
Test slice 4 - 🔴

Note: build results only accessible to maintainers.

jenkins-eks-metasploit · 2026-06-08T16:16:11Z

Additional test pipeline started ⌛
Note: build results only accessible to maintainers.

jenkins-eks-metasploit · 2026-06-08T19:35:18Z

Pipeline results available

Slice summary:

Test slice 1 - 🔴
Test slice 2 - 🟢
Test slice 4 - 🔴

Note: build results only accessible to maintainers.

cgranleese-r7 · 2026-06-09T13:47:59Z

Potentially revert this once this is merged: #17911

jenkins-eks-metasploit · 2026-06-16T09:51:17Z

Additional test pipeline started ⌛
Note: build results only accessible to maintainers.

jenkins-eks-metasploit · 2026-06-16T13:01:17Z

Pipeline results available

Slice summary:

Test slice 1 - 🟢
Test slice 2 - 🟢
Test slice 4 - 🟢

Note: build results only accessible to maintainers.

cgranleese-r7 added the rn-fix release notes fix label Jun 3, 2026

smcintyre-r7 added this to Metasploit Kanban Jun 3, 2026

github-project-automation Bot moved this to Todo in Metasploit Kanban Jun 3, 2026

cgranleese-r7 added the additional-testing-required label Jun 3, 2026

cgranleese-r7 force-pushed the improve-deregistered-datastore-options-validation branch from 7b85389 to 4dab3fc Compare June 5, 2026 09:49

cgranleese-r7 requested a review from Copilot June 5, 2026 10:03

Copilot started reviewing on behalf of cgranleese-r7 June 5, 2026 10:03 View session

Copilot AI reviewed Jun 5, 2026

View reviewed changes

Comment thread lib/msf/core/module_data_store.rb

Comment thread lib/msf/core/module_data_store.rb Outdated

Comment thread lib/msf/core/module_data_store.rb Outdated

Comment thread spec/lib/msf/core/module_data_store_filter_spec.rb Outdated

cgranleese-r7 force-pushed the improve-deregistered-datastore-options-validation branch from 4dab3fc to dfb1ebb Compare June 5, 2026 12:17

cgranleese-r7 requested a review from Copilot June 5, 2026 12:17

Copilot started reviewing on behalf of cgranleese-r7 June 5, 2026 12:18 View session

Copilot AI reviewed Jun 5, 2026

View reviewed changes

Comment thread lib/msf/core/module_data_store.rb

Comment thread lib/msf/core/module_data_store.rb

cgranleese-r7 force-pushed the improve-deregistered-datastore-options-validation branch from dfb1ebb to 184334b Compare June 5, 2026 12:24

Improves deregistering datastore options validation

96b43d5

cgranleese-r7 force-pushed the improve-deregistered-datastore-options-validation branch from 184334b to 96b43d5 Compare June 5, 2026 12:28

cgranleese-r7 added 3 commits June 11, 2026 09:47

Adds keyword args

6bb0b51

New approach

89ef698

Reverts lib/msf/core/exploit/remote/smtp_deliver.rb

008e8ac

Conversation

cgranleese-r7 commented Jun 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Before

After

Shell to Meterpreter

Shell to Meterpreter with override options

Notes

TODO LIST

Verification

Uh oh!

jenkins-eks-metasploit Bot commented Jun 3, 2026

Uh oh!

jenkins-eks-metasploit Bot commented Jun 3, 2026

Uh oh!

jenkins-eks-metasploit Bot commented Jun 5, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Reviewed changes

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

jenkins-eks-metasploit Bot commented Jun 5, 2026

Uh oh!

Copilot AI left a comment

Choose a reason for hiding this comment

Pull request overview

Uh oh!

Uh oh!

Uh oh!

jenkins-eks-metasploit Bot commented Jun 5, 2026

Uh oh!

jenkins-eks-metasploit Bot commented Jun 5, 2026

Uh oh!

jenkins-eks-metasploit Bot commented Jun 8, 2026

Uh oh!

jenkins-eks-metasploit Bot commented Jun 8, 2026

Uh oh!

jenkins-eks-metasploit Bot commented Jun 8, 2026

Uh oh!

jenkins-eks-metasploit Bot commented Jun 8, 2026

Uh oh!

cgranleese-r7 commented Jun 9, 2026

Uh oh!

jenkins-eks-metasploit Bot commented Jun 16, 2026

Uh oh!

jenkins-eks-metasploit Bot commented Jun 16, 2026

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

4 participants

cgranleese-r7 commented Jun 3, 2026 •

edited

Loading