fs.file.expand_path does not expand paths and environment variables on Linux Meterpreter #14357
Comments
Yeah, some non-Windows meterpreter implementations do not actually expand the path. You can see here:
Updating each of those would be ideal vs. shelling out, which would involve creating a new process and thus increase the forensic footprint, but would not be a trivial task given all the places updates would need to be made.
For the record, it seems like this issue may also be related: #14144
Also see rapid7/metasploit-payloads#269 for a little bit of historical context on this.
No, that looks different because in that case Meterpreter is not a part of the equation. That's a lot easier to address locally using Ruby's standard

They're related in the sense that Metasploit does not consistently expand path arguments either locally or via meterpreter.
We should consider locking down whatever behaviour we want with tests (maybe in https://github.com/rapid7/metasploit-framework/blob/master/test/modules/post/test/get_env.rb) and then ensure they pass on all meterpreters.
I had a look at implementing this on mettle, but the API (wordexp: https://man7.org/linux/man-pages/man3/wordexp.3.html) actually ends up just invoking sh to do the expansion: http://git.musl-libc.org/cgit/musl/tree/src/misc/wordexp.c#n111 Therefore it might actually be better to do the expansion on the framework side (for non-Windows environments), using some kind of pattern matching and get_env to expand the variables. We already do it this way in Java: https://github.com/rapid7/metasploit-payloads/pull/345/files
The expand_path call, as defined at metasploit-framework/lib/msf/core/post/file.rb line 123 in 54b893a (client.fs.file.expand_path), does not appropriately expand paths on Linux, particularly for the ~ character, but also for environment variables such as $HOME.
Steps to reproduce
How'd you do it?
irb to get an interactive IRB shell when the meterpreter> prompt appears. It should state that you are in the client object. fs.file.expand_path("~"). See below for a demonstration:
Were you following a specific guide/tutorial or reading documentation?
This was discovered whilst trying to test out #13954
Expected behavior
The ~ character should expand into the path for the user's home directory on the system we are targeting and the user we are running as.
Current behavior
The path is not expanded and the ~ character stays as is.
Metasploit version
v6.0.15-dev-17fb85c670 with Ruby 2.7.2
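As an added example, not code from Metasploit or from anyone in this thread: a minimal framework-side expander of the kind the mettle comment above suggests, covering the reproduction case (a bare "~") as well as $VAR and ${VAR} references. It resolves everything through a get_env-style lookup rather than wordexp, so nothing is executed on the target and no extra process shows up in forensics. The TARGET_ENV hash and the get_env function are constructed stand-ins for the Meterpreter environment round trip, and the names expand_env, expand_tilde and expand_path here are this example's own, not Metasploit API.

```ruby
# Added example (not Metasploit's own code): framework-side expansion of
# "~" and environment variables for a non-Windows target, using only a
# get_env-style lookup so that no process is spawned on the target.
#
# TARGET_ENV and get_env are constructed stand-ins for the Meterpreter
# get_env round trip so that the example runs offline.
TARGET_ENV = {
  'HOME'   => '/home/alice',
  'USER'   => 'alice',
  'TMPDIR' => '/tmp',
}.freeze

def get_env(name)
  TARGET_ENV[name]
end

# Expand $VAR and ${VAR}. Unknown variables expand to the empty string,
# which matches what sh would do for an unset variable.
def expand_env(path, lookup: method(:get_env))
  path.gsub(/\$\{([A-Za-z_][A-Za-z0-9_]*)\}|\$([A-Za-z_][A-Za-z0-9_]*)/) do
    name = Regexp.last_match(1) || Regexp.last_match(2)
    lookup.call(name).to_s
  end
end

# Expand a leading "~" (bare, or "~/rest") to the target's HOME.
# "~otheruser" would need the target's passwd database, so it is left
# untouched rather than guessed.
def expand_tilde(path, lookup: method(:get_env))
  return path unless path == '~' || path.start_with?('~/')

  home = lookup.call('HOME')
  return path if home.nil? || home.empty?

  path == '~' ? home : home.chomp('/') + path[1..-1]
end

# Tilde first, then variables, so "$HOME" inside a path is not mistaken
# for a tilde form and a "~" that came out of a variable is not expanded.
def expand_path(path, lookup: method(:get_env))
  expand_env(expand_tilde(path, lookup: lookup), lookup: lookup)
end

if __FILE__ == $PROGRAM_NAME
  ['~', '~/.ssh/id_rsa', '$HOME/.bashrc', '${TMPDIR}/x',
   '/var/log/$USER.log', '$NOPE/x', '~bob/file'].each do |p|
    puts "#{p.ljust(20)} => #{expand_path(p)}"
  end
end
```

The lookup is injected so a module can pass the session's real get_env while a test passes a fixed hash, which is the kind of locked-down behaviour the get_env test module comment above asks for.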