Defer loading rex/metasm/octokit/etc dependencies

Gemfile.lock

@@ -331,7 +331,7 @@ GEM
       mutex_m
       railties (~> 7.0)
       zeitwerk
-    metasploit-credential (6.0.21)
+    metasploit-credential (6.0.23)
       bigdecimal
       csv
       drb
@@ -353,17 +353,17 @@ GEM
       mutex_m
       railties (~> 7.0)
     metasploit-payloads (2.0.245)
-    metasploit_data_models (6.0.15)
-      activerecord (~> 7.0)
-      activesupport (~> 7.0)
+    metasploit_data_models (6.0.18)
+      activerecord (>= 7.0, < 8.1)
+      activesupport (>= 7.0, < 8.1)
       arel-helpers
       bigdecimal
       drb
       metasploit-concern
-      metasploit-model (~> 5.0.4)
+      metasploit-model (>= 5.0.4)
       mutex_m
       pg
-      railties (~> 7.0)
+      railties (>= 7.0, < 8.1)
       recog
       webrick
     metasploit_payloads-mettle (1.0.46)
@@ -498,7 +498,7 @@ GEM
       rex-struct2
       rex-text
     rex-core (0.1.36)
-    rex-encoder (0.1.8)
+    rex-encoder (0.1.10)
       metasm
       rex-arch
       rex-text
@@ -531,7 +531,7 @@ GEM
       metasm
       rex-core
       rex-text
-    rex-socket (0.1.64)
+    rex-socket (0.1.65)
       dnsruby
       rex-core
     rex-sslscan (0.1.13)

db/schema.rb

@@ -10,7 +10,7 @@
 #
 # It's strongly recommended that you check this file into your version control system.
 
-ActiveRecord::Schema[7.2].define(version: 2026_01_30_124052) do
+ActiveRecord::Schema[7.2].define(version: 2026_04_11_000000) do
   # These are extensions that must be enabled in order to support this database
   enable_extension "plpgsql"
 
@@ -665,6 +665,8 @@
     t.integer "session_id"
     t.integer "loot_id"
     t.text "fail_detail"
+    t.string "check_code"
+    t.text "check_detail"
   end
 
   create_table "vuln_details", id: :serial, force: :cascade do |t|

lib/metasploit/framework.rb

@@ -6,16 +6,10 @@
 #
 
 require 'active_support'
-require 'bcrypt'
 require 'json'
 require 'msgpack'
 require 'metasploit/credential'
 require 'nokogiri'
-# railties has not autorequire defined
-# rkelly-remix is a fork of rkelly, so it's autorequire is 'rkelly' and not 'rkelly-remix'
-require 'rkelly'
-require 'robots'
-require 'zip'
 require 'msf'
 #
 # Project

lib/msf/core/db_manager/user.rb

@@ -1,4 +1,3 @@
-require 'bcrypt'
 require 'securerandom'
 
 module Msf::DBManager::User

lib/msf/core/exe/segment_appender.rb

@@ -2,8 +2,6 @@
 module Msf
 module Exe
 
-  require 'metasm'
-
   class SegmentAppender < SegmentInjector
 
     def payload_stub(prefix)

lib/msf/core/exe/segment_injector.rb

@@ -2,8 +2,6 @@
 module Msf
 module Exe
 
-  require 'metasm'
-
   class SegmentInjector
 
     attr_accessor :payload

lib/msf/core/exploit/remote/smb/client.rb

@@ -1,6 +1,5 @@
 # -*- coding: binary -*-
 require 'rex/encoder/ndr'
-require 'recog'
 
 module Msf
   module Exploit::Remote::SMB

lib/msf/core/payload.rb

@@ -1,5 +1,4 @@
 # -*- coding: binary -*-
-require 'metasm'
 
 module Msf
 

lib/msf/util/document_generator/pull_request_finder.rb

@@ -1,4 +1,3 @@
-require 'octokit'
 require 'nokogiri'
 require 'net/http'
 
@@ -39,6 +38,8 @@ def initialize
             raise PullRequestFinder::Exception, 'GITHUB_OAUTH_TOKEN environment variable not set.'
           end
 
+          require 'octokit'
+
           self.owner            = 'rapid7'
           self.repository       = "#{owner}/metasploit-framework"
           self.branch           = 'master'

lib/msf/util/exe/common.rb

@@ -6,7 +6,6 @@ module Msf::Util::EXE::Common
   require 'rex/random_identifier'
   require 'rex/zip'
   require 'rex/powershell'
-  require 'metasm'
   require 'digest/sha1'
 
   def self.included(base)

lib/msf_autoload.rb

@@ -344,11 +344,16 @@ def finalize_loader(loader)
 end
 
 # global autoload of common gems
+autoload :BCrypt, 'bcrypt'
+autoload :Dnsruby, 'dnsruby'
 autoload :Faker, 'faker'
 autoload :BinData, 'bindata'
+autoload :Metasm, 'metasm'
+autoload :Recog, 'recog'
 autoload :RubySMB, 'ruby_smb'
 autoload :MetasploitPayloads, 'metasploit-payloads'
 autoload :PacketFu, 'packetfu'
+autoload :Zip, 'zip'
 autoload :DidYouMean, 'did_you_mean'
 
 require 'rexml/document'

lib/rex.rb

@@ -3,6 +3,26 @@
 module Rex
   Root = File.join(File.expand_path(File.dirname(__FILE__)), 'rex')
   LogSource = "rex"
+
+  # library for creating Powershell scripts for exploitation purposes
+  autoload :Powershell, 'rex/powershell'
+  # Library for working with OLE
+  autoload :OLE, 'rex/ole'
+  # Library for creating and/or parsing MIME messages
+  autoload :MIME, 'rex/mime'
+  # Exploit Helper Library
+  autoload :Exploitation, 'rex/exploitation'
+  # Binary parsing tools (PE, ELF, Mach-O)
+  autoload :BinTools, 'rex/bin_tools'
+  autoload :PeParsey, 'rex/peparsey'
+  autoload :PeScan, 'rex/pescan'
+  autoload :ElfParsey, 'rex/elfparsey'
+  autoload :ElfScan, 'rex/elfscan'
+  autoload :MachParsey, 'rex/machparsey'
+  autoload :MachScan, 'rex/machscan'
+  autoload :ImageSource, 'rex/image_source'
+  # SSLScan
+  autoload :SSLScan, 'rex/sslscan/scanner'
 end
 
 #
@@ -13,8 +33,6 @@ module Rex
 require 'rex/text'
 # Library for Generating Randomized strings valid as Identifiers such as variable names
 require 'rex/random_identifier'
-# library for creating Powershell scripts for exploitation purposes
-require 'rex/powershell'
 # Library for processing and creating Zip compatible archives
 require 'rex/zip'
 # Library for parsing offline Windows Registry files
@@ -23,16 +41,10 @@ module Rex
 require 'rex/java'
 # Library for creating C-style Structs
 require 'rex/struct2'
-# Library for working with OLE
-require 'rex/ole'
-# Library for creating and/or parsing MIME messages
-require 'rex/mime'
 # Library for polymorphic encoders
 require 'rex/encoder'
 # Architecture subsystem
 require 'rex/arch'
-# Exploit Helper Library
-require 'rex/exploitation'
 
 # Generic classes
 require 'rex/file'
@@ -57,10 +69,6 @@ module Rex
 # Compatibility
 require 'rex/compat'
 
-# SSLScan
-require 'rex/sslscan/scanner'
-require 'rex/sslscan/result'
-
 # Versions
 require 'rex/version'
 

lib/rex/proto/dns/packet.rb

@@ -2,7 +2,6 @@
 
 require 'net/dns'
 require 'resolv'
-require 'dnsruby'
 
 module Rex
 module Proto

lib/rex/proto/dns/resolver.rb

@@ -1,7 +1,6 @@
 # -*- coding: binary -*-
 
 require 'net/dns/resolver'
-require 'dnsruby'
 
 module Rex
 module Proto

lib/rex/proto/dns/static_hostnames.rb

@@ -13,6 +13,11 @@ module DNS
   class StaticHostnames
     extend Forwardable
 
+    # DNS record type constants (matching Dnsruby::Types::A and Dnsruby::Types::AAAA)
+    # Defined locally to avoid loading dnsruby during boot
+    TYPE_A    = 1
+    TYPE_AAAA = 28
+
     def_delegators :@hostnames, :each, :each_with_index, :length, :empty?, :sort_by
 
     # @param [Hash<String, IPAddr>] hostnames The hostnames to IP address mappings to initialize with.
@@ -57,7 +62,7 @@ def parse_hosts_file
     # @param [Integer] type The family of address to return represented as a DNS type (either A or AAAA).
     # @return Returns the IP address if it was found, otherwise nil.
     # @rtype [IPAddr, nil]
-    def get1(hostname, type = Dnsruby::Types::A)
+    def get1(hostname, type = TYPE_A)
       get(hostname, type).first
     end
 
@@ -67,7 +72,7 @@ def get1(hostname, type = Dnsruby::Types::A)
     # @param [Integer] type The family of address to return represented as a DNS type (either A or AAAA).
     # @return Returns an array of IP addresses.
     # @rtype [Array<IPAddr>]
-    def get(hostname, type = Dnsruby::Types::A)
+    def get(hostname, type = TYPE_A)
       hostname = hostname.downcase
       @hostnames.fetch(hostname, {}).fetch(type, []).dup
     end
@@ -89,9 +94,9 @@ def add(hostname, ip_address)
       hostname = hostname.downcase.delete_suffix('.')
       this_host = @hostnames.fetch(hostname, {})
       if ip_address.family == ::Socket::AF_INET
-        type = Dnsruby::Types::A
+        type = TYPE_A
       else
-        type = Dnsruby::Types::AAAA
+        type = TYPE_AAAA
       end
       this_type = this_host.fetch(type, [])
       this_type << ip_address unless this_type.include?(ip_address)
@@ -108,9 +113,9 @@ def add(hostname, ip_address)
     def delete(hostname, ip_address)
       ip_address = IPAddr.new(ip_address) if ip_address.is_a?(String) && Rex::Socket.is_ip_addr?(ip_address)
       if ip_address.family == ::Socket::AF_INET
-        type = Dnsruby::Types::A
+        type = TYPE_A
       else
-        type = Dnsruby::Types::AAAA
+        type = TYPE_AAAA
       end
 
       hostname = hostname.downcase

lib/rex/proto/http/response.rb

@@ -3,7 +3,6 @@
 require 'uri'
 
 require 'nokogiri'
-require 'rkelly'
 
 module Rex
 module Proto
@@ -121,7 +120,7 @@ def gzip_decode!
   end
 
   def gzip_decode
-    gz = Zlib::GzipReader.new(StringIO.new(self.body.to_s))    
+    gz = Zlib::GzipReader.new(StringIO.new(self.body.to_s))
 
     gz.read
   end
@@ -158,6 +157,8 @@ def get_html_meta_elements
   # @see https://github.com/tenderlove/rkelly
   # @return [Array<RKelly::Nodes::SourceElementsNode>]
   def get_html_scripts
+    require 'rkelly'
+
     n = get_html_document
     rkelly = RKelly::Parser.new
     n.search('//script').map { |s| rkelly.parse(s.text) }

modules/payloads/stagers/netware/reverse_tcp.rb

@@ -3,8 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-require 'metasm'
-
 module MetasploitModule
   CachedSize = 281
 

modules/payloads/stages/netware/shell.rb

@@ -3,8 +3,6 @@
 # Current source: https://github.com/rapid7/metasploit-framework
 ##
 
-require 'metasm'
-
 module MetasploitModule
   include Msf::Sessions::CommandShellOptions
 

spec/lib/rex/proto/dns/static_hostnames_spec.rb

@@ -3,6 +3,18 @@
 require 'spec_helper'
 
 RSpec.describe Rex::Proto::DNS::StaticHostnames do
+  describe '::TYPE_A' do
+    it 'matches Dnsruby::Types::A' do
+      expect(described_class::TYPE_A).to eq Dnsruby::Types::A
+    end
+  end
+
+  describe '::TYPE_AAAA' do
+    it 'matches Dnsruby::Types::AAAA' do
+      expect(described_class::TYPE_AAAA).to eq Dnsruby::Types::AAAA
+    end
+  end
+
   describe '#parse_hosts_file' do
     context 'when parsing a file' do
       let(:subject) { described_class.new }