View Issue Details

Jump to NotesJump to History
IDProjectCategoryView StatusDate SubmittedLast Update
0002220Kali LinuxKali Package Bugpublic2015-04-10 20:512020-12-01 10:48
Reporteryennefer1173 Assigned Todookie  
PrioritynormalSeveritycrashReproducibilityalways
Status resolvedResolutionfixed 
Product Version1.1.0 
Summary0002220: Metasploit Browser Exploit Method not working in the Social Engineer Toolkit.
Description

When I try to use Metasploit Browser Exploit Method in setoolkit, setoolkit crashes with the following error:
"Could not find rake-10.4.2 in any of the sources
Run bundle install to install missing gems."
So I ran bundle install in /usr/share/metasploit-framework/, but some gems required ruby 2. But Kali has only 1.9 in its repository.

Steps To Reproduce

On fully updated Kali Linux:
setoolkit >> 1) Social-Engineering Attacks >> 2) Website Attack Vectors >> 2) Metasploit Browser Exploit Method >> ...

Additional Information

I did the following to fix the issue:
I ran bundle install in /usr/share/metasploit-framework/, but some gems required ruby 2. Kali has only 1.9, so I had to update it. Here is what I did:

  1. apt-get -y install build-essential zlib1g zlib1g-dev libxml2 libxml2-dev libxslt-dev locate libreadline6-dev libcurl4-openssl-dev git-core libssl-dev libyaml-dev openssl autoconf libtool ncurses-dev bison curl wget xsel postgresql postgresql-contrib libpq-dev libapr1 libaprutil1 libsvn1 libpcap-dev libsqlite3-dev
  2. curl -sSL https://rvm.io/mpapis.asc | gpg --import -
  3. curl -L https://get.rvm.io | bash -s stable --autolibs=enabled --ruby=2.1.5
  4. source /usr/local/rvm/scripts/rvm
  5. ruby -v # See that it's 2.1.5
  6. cd /usr/share/metasploit-framework/
  7. gem install bundler
  8. in the terminal choose Edit > Profile Preferences > Title and Command > check "Run command as a login shell" in order to use ruby 2.1.5 in every terminal
  9. (BUNDLEJOBS=$(expr $(cat /proc/cpuinfo | grep vendor_id | wc -l) - 1) && bundle config --global jobs $BUNDLEJOBS)
  10. bundle install

Run setoolkit only from the terminal, if you want to use the Metasploit Browser Exploit Method. Otherwise, you can run it from the Kali menu. This method does not replace the ruby installed in Kali, which still remains 1.9. It will be a good thing if the developers release an update with a fix.

Activities

muts

muts

2015-04-11 06:05

reporter   ~0003217

Last edited: 2015-04-11 06:47

This is NOT the recommended fix as you have irreparably broken your kali install. The bug is in SET - which uses absolute paths for MSF tools, which is not the way they should be called with the new MSF package.
yennefer1173

yennefer1173

2015-04-11 06:28

reporter   ~0003218

muts, This does not break Kali because you still have your old Ruby installed. My solution only points the console to the newer ruby, without breaking any packages. If one wishes to revert to ruby 1.9, it is enough to remove the thick on "Run command as a login shell" and everything is back to normal. If you wish you can set ruby 2.1.5 to work only on the current terminal with the command "source /usr/local/rvm/scripts/rvm".
muts

muts

2015-04-11 06:31

reporter   ~0003219

Last edited: 2015-04-12 19:13

It actually does break your Kali install, as you are adding files to the filesystem which are not managed by Debian apt. This means that in future updates, when packaged files conflict with manually installed gems, things will blow up.

In these kind of cases, it is vital to understand the underlying issue - which in this case is the fact that MSF uses its own ruby2 interpreter in order to run - including some stand alone MSF tools. The solution in this case - was Rapid7 developers creating a ruby2 wrapper which could be called from the path (/usr/bin/(msfwhatever), as opposed to the absolute path of the files (/usr/share/metasploit-framework/whatever).

The proper fix, therefore, is not by messing around with your required MSF gems (which are already pre-installed), but by fixing the absolute paths used in SET.
yennefer1173

yennefer1173

2015-04-11 06:43

reporter   ~0003220

This issue was also reported to trustedsec https://github.com/trustedsec/social-engineer-toolkit/issues/117 . They say that it is going to be fixed in SET 6.3. So I guess the best thing is to wait for the update :).
relik

relik

2015-04-11 13:18

reporter   ~0003221

Greetings all - as muts stated its due to ruby2 being a requirement to launch Metasploit - SET uses ruby <path> to call this and Kali uses Ruby1.9 which causes the bundle mismatch. I removed the call from ruby directly and if /usr/bin/msfwahtever is identified it launches directly from the launches as a workaround for Metasploit.

It's released in version 6.3 as of yesterday.
dookie

dookie

2015-04-13 12:24

reporter   ~0003224

Resolved and upgraded in set_6.3.0-0kali0. It will be in the repos soon.

Thanks for the report.

Issue History

Date Modified Username Field Change
2015-04-10 20:51 yennefer1173 New Issue
2015-04-11 06:05 muts Note Added: 0003217
2015-04-11 06:28 yennefer1173 Note Added: 0003218
2015-04-11 06:31 muts Note Added: 0003219
2015-04-11 06:35 muts Note Edited: 0003219
2015-04-11 06:35 muts Note Edited: 0003219
2015-04-11 06:36 muts Note Edited: 0003219
2015-04-11 06:37 muts Note Edited: 0003219
2015-04-11 06:37 muts Note Edited: 0003219
2015-04-11 06:39 muts Note Edited: 0003219
2015-04-11 06:43 yennefer1173 Note Added: 0003220
2015-04-11 06:47 muts Note Edited: 0003217
2015-04-11 07:56 muts Note Edited: 0003219
2015-04-11 13:18 relik Note Added: 0003221
2015-04-12 19:13 muts Note Edited: 0003219
2015-04-12 19:13 muts Note Edited: 0003219
2015-04-13 12:24 dookie Note Added: 0003224
2015-04-13 12:24 dookie Status new => resolved
2015-04-13 12:24 dookie Fixed in Version => 1.1.1
2015-04-13 12:24 dookie Resolution open => fixed
2015-04-13 12:24 dookie Assigned To => dookie
2020-12-01 10:48 g0tmi1k Priority high => normal