Switchboard routing gets out of sync with Meterpreter and can't be flushed

[asoto-r7]

Steps to reproduce

(EDIT: Targeting a Win10 x64 SP1 fully patched VM with a meterpreter/x64/bind_tcp payload)

Immediately after my Meterpreter payload uploaded, I set up a route. Although I got an error, the route existed in msfconsole's routing table, but it couldn't be deleted:

msf5 > handler -H 192.168.1.11 -P 4444 -p windows/x64/meterpreter/bind_tcp
[*] Payload handler running as background job 2.
msf5 > 
[*] Started bind TCP handler against 192.168.1.11:4444
[*] Meterpreter session 2 opened (192.168.1.101:37409 -> 192.168.1.11:4444) at 2018-07-06 13:22:42 -0500

msf5 > route add 192.168.0.118 2
[-] Invalid :session, expected Session object got Msf::Sessions::Meterpreter_x64_Win

So I re-ran the command:

msf5 > route add 192.168.0.118 2
[*] Route already exists
msf5 > route print

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.0.118      0.0.0.0            Session 2

[*] There are currently no IPv6 routes defined.

But now I can't delete the route:

msf5 > route delete 192.168.0.118 2
[... snip -- generic route help message  ...]
msf5 > route flush
[-] Invalid :session, expected Session object got Msf::Sessions::Meterpreter_x64_Win

Expected behavior

We should wait until the payload is fully ready or, at a minimum, not update the local routing table to keep them in sync.

msf5 > handler -H 192.168.1.11 -P 4444 -p windows/x64/meterpreter/bind_tcp
[*] Payload handler running as background job 0.
msf5 > 
[*] Started bind TCP handler against 192.168.1.11:4444
[*] Sending stage (206403 bytes) to 192.168.1.11
[*] Meterpreter session 1 opened (192.168.1.101:45829 -> 192.168.1.11:4444) at 2018-07-06 13:27:30 -0500

[ wait three minutes -- just to be really, really sure ]

msf5 > route add 192.168.0.118 1
[*] Route added
msf5 > route print

IPv4 Active Routing Table
=========================

   Subnet             Netmask            Gateway
   ------             -------            -------
   192.168.0.118      0.0.0.0            Session 1

[*] There are currently no IPv6 routes defined.

Current behavior

In addition to the above error, ~/.msf4/logs/framework.log shows:

[07/06/2018 13:22:47] [e(0)] core: Invalid :session, expected Session object got Msf::Sessions::Meterpreter_x64_Win

/home/administrator/git/r7/metasploit-framework/lib/msf/core/db_manager/route.rb:10:in `report_session_route'
/home/administrator/git/r7/metasploit-framework/lib/metasploit/framework/data_service/proxy/core.rb:106:in `method_missing'
/home/administrator/git/r7/metasploit-framework/lib/msf/core/framework.rb:494:in `on_session_route'
/home/administrator/git/r7/metasploit-framework/lib/msf/core/event_dispatcher.rb:183:in `block in method_missing'
/home/administrator/git/r7/metasploit-framework/lib/msf/core/event_dispatcher.rb:181:in `each'
/home/administrator/git/r7/metasploit-framework/lib/msf/core/event_dispatcher.rb:181:in `method_missing'
/home/administrator/git/r7/metasploit-framework/lib/msf/core/session.rb:426:in `<<'
/var/lib/gems/2.5.0/gems/rex-socket-0.1.14/lib/rex/socket/switch_board.rb:80:in `add_route'
/home/administrator/git/r7/metasploit-framework/lib/msf/ui/console/command_dispatcher/core.rb:909:in `cmd_route'
/home/administrator/git/r7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:546:in `run_command'
/home/administrator/git/r7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:508:in `block in run_single'
/home/administrator/git/r7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:502:in `each'
/home/administrator/git/r7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:502:in `run_single'
/home/administrator/git/r7/metasploit-framework/lib/rex/ui/text/shell.rb:208:in `run'
/home/administrator/git/r7/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/home/administrator/git/r7/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:49:in `<main>'
[07/06/2018 13:22:48] [w(0)] core: Exception caught in bind handler: NoMethodError undefined method `socket' for nil:NilClass
[07/06/2018 13:22:48] [w(0)] core: Exception caught in bind handler: NoMethodError undefined method `socket' for nil:NilClass
[ last line repeats about 15 times ]

[07/06/2018 13:23:29] [e(0)] core: Invalid :session, expected Session object got Msf::Sessions::Meterpreter_x64_Win

/home/administrator/git/r7/metasploit-framework/lib/msf/core/db_manager/route.rb:28:in `report_session_route_remove'
/home/administrator/git/r7/metasploit-framework/lib/metasploit/framework/data_service/proxy/core.rb:106:in `method_missing'
/home/administrator/git/r7/metasploit-framework/lib/msf/core/framework.rb:500:in `on_session_route_remove'
/home/administrator/git/r7/metasploit-framework/lib/msf/core/event_dispatcher.rb:183:in `block in method_missing'
/home/administrator/git/r7/metasploit-framework/lib/msf/core/event_dispatcher.rb:181:in `each'
/home/administrator/git/r7/metasploit-framework/lib/msf/core/event_dispatcher.rb:181:in `method_missing'
/home/administrator/git/r7/metasploit-framework/lib/msf/core/session.rb:431:in `delete'
/var/lib/gems/2.5.0/gems/rex-socket-0.1.14/lib/rex/socket/switch_board.rb:200:in `block in flush_routes'
/var/lib/gems/2.5.0/gems/rex-socket-0.1.14/lib/rex/socket/switch_board.rb:198:in `each'
/var/lib/gems/2.5.0/gems/rex-socket-0.1.14/lib/rex/socket/switch_board.rb:198:in `flush_routes'
/var/lib/gems/2.5.0/gems/rex-socket-0.1.14/lib/rex/socket/switch_board.rb:101:in `flush_routes'
/home/administrator/git/r7/metasploit-framework/lib/msf/ui/console/command_dispatcher/core.rb:931:in `cmd_route'
/home/administrator/git/r7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:546:in `run_command'
/home/administrator/git/r7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:508:in `block in run_single'
/home/administrator/git/r7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:502:in `each'
/home/administrator/git/r7/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:502:in `run_single'
/home/administrator/git/r7/metasploit-framework/lib/rex/ui/text/shell.rb:208:in `run'
/home/administrator/git/r7/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/home/administrator/git/r7/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:49:in `<main>'
[07/06/2018 13:24:32] [w(0)] core: No connection received before the handler completed
[07/06/2018 13:25:56] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (2)
[07/06/2018 13:25:56] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (2)

[ last line repeats about 20 times ] 

System stuff

Metasploit version

Fully up-to-date with rapid7/metasploit-framework:master

Framework: 5.0.0-dev-ef78d70a00
Console  : 5.0.0-dev-ef78d70a00

I installed Metasploit with:

• Kali package via apt
• Omnibus installer (nightly)
• Commercial/Community installer (from http://www.rapid7.com/products/metasploit/download.jsp)
• Source install (please specify ruby version): ruby 2.5.1p57 (2018-03-29 revision 63029)

OS

What OS are you running Metasploit on? Parrot Linux 4.1 (fully patched)

[github-actions]

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

[adfoster-r7]

@mubix recently ran into this in the msf slack channel, so looks like this is still an issue. Not sure on replication steps, but we should at least reduce the raise exception here to a warning:

metasploit-framework/lib/msf/core/db_manager/route.rb

Lines 15 to 17 in bb782a7

	unless s.respond_to?(:routes)
	raise ArgumentError.new("Invalid :session, expected Session object got #{session.class}")
	end

Otherwise, from what I gathered of mubix's description - it breaks your workflow entirely when the exception is raised