[Mac] Tab Auto Complete Crashes Metasploit #4240

Closed
ghost opened this issue Nov 20, 2014 · 11 comments
@ghost

ghost commented Nov 20, 2014

OS: OSX 10.10
Ruby: ruby 1.9.3-p550
Metasploit: metasploit v4.10.1-dev [core:4.10.1.pre.dev api:1.0.0]

Description:
Tab autocomplete on any file name at the end of the directory path crashes msfconsole / meterpreter / whatever is being used at the time.

Example:
Let's say I want to set a PASS_FILE to be the value of '/Users/peleus/Bench/unix_passwords.txt'
The following occurs at each point of the file entry.

'set PASS_FILE /User[tab]' -> OK
'set PASS_FILE /Users/[tab]' -> OK
'set PASS_FILE /Users/peleus/Ben[tab]' -> OK
'set PASS_FILE /Users/peleus/Bench/u[tab]' -> Crash
'set PASS_FILE /Users/peleus/Bench/unix_passwords.txt[tab]' -> Crash

This occurs not only with modules (auxiliary / exploits, etc.) but also within open meterpreter sessions (say, designating a file to upload).

**Error Log (Note: File does exist) :**
set PASS_FILE /Users/peleus/Bench/u/Users/peleus/.rvm/gems/ruby-1.9.3-p550@global/gems/rb-readline-0.5.1/lib/rbreadline.rb:8438:in `lstat': No such file or directory - /usr/local/share/metasploit-framework/set PASS_FILE /Users/peleus/Bench/unix_passwords.txt (Errno::ENOENT)
    from /Users/peleus/.rvm/gems/ruby-1.9.3-p550@global/gems/rb-readline-0.5.1/lib/rbreadline.rb:8438:in `append_to_match'
    from /Users/peleus/.rvm/gems/ruby-1.9.3-p550@global/gems/rb-readline-0.5.1/lib/rbreadline.rb:6812:in `rl_complete_internal'
    from /Users/peleus/.rvm/gems/ruby-1.9.3-p550@global/gems/rb-readline-0.5.1/lib/rbreadline.rb:6851:in `rl_complete'
    from /Users/peleus/.rvm/gems/ruby-1.9.3-p550@global/gems/rb-readline-0.5.1/lib/rbreadline.rb:4322:in `_rl_dispatch_subseq'
    from /Users/peleus/.rvm/gems/ruby-1.9.3-p550@global/gems/rb-readline-0.5.1/lib/rbreadline.rb:4311:in `_rl_dispatch'
    from /Users/peleus/.rvm/gems/ruby-1.9.3-p550@global/gems/rb-readline-0.5.1/lib/rbreadline.rb:4727:in `readline_internal_charloop'
    from /Users/peleus/.rvm/gems/ruby-1.9.3-p550@global/gems/rb-readline-0.5.1/lib/rbreadline.rb:4801:in `readline_internal'
    from /Users/peleus/.rvm/gems/ruby-1.9.3-p550@global/gems/rb-readline-0.5.1/lib/rbreadline.rb:4823:in `readline'
    from /Users/peleus/.rvm/gems/ruby-1.9.3-p550@global/gems/rb-readline-0.5.1/lib/readline.rb:45:in `readline'
    from /usr/local/share/metasploit-framework/lib/rex/ui/text/input/readline.rb:86:in `pgets'
    from /usr/local/share/metasploit-framework/lib/rex/ui/text/shell.rb:184:in `run'
    from /usr/local/share/metasploit-framework/lib/metasploit/framework/command/console.rb:30:in `start'
    from /usr/local/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
    from /usr/local/share/metasploit-framework/msfconsole:48:in `<top (required)>'
    from /Users/peleus/.rvm/gems/ruby-1.9.3-p550@metasploit-framework/bin/msfconsole:23:in `load'
    from /Users/peleus/.rvm/gems/ruby-1.9.3-p550@metasploit-framework/bin/msfconsole:23:in `<main>'
    from /Users/peleus/.rvm/gems/ruby-1.9.3-p550@metasploit-framework/bin/ruby_executable_hooks:15:in `eval'
    from /Users/peleus/.rvm/gems/ruby-1.9.3-p550@metasploit-framework/bin/ruby_executable_hooks:15:in `<main>'
@jagar

jagar commented Nov 20, 2014

I have also experienced the same issue. This also occurs when using the db_import functionality. My stacktrace displays the same line numbers and files as posted above.

OS: Ubuntu 14.04.1 LTS
Ruby: ruby 1.9.3p484
Metasploit: metasploit v4.10.1-dev [core:4.10.1.pre.dev api:1.0.0]

I was able to reliably reproduce this issue. It appears that tab completing directory names works just fine, but when the tab completion will result in a unique file name, it crashes.

PoC:

msf> ls
[*] exec: ls

testdir
test.xml
test.xml2
msf> ls testdir

[*] exec: ls testdir

test.xml
test.xml2
msf> db_import /tmp/test<TAB>
test.xml   test.xml2  testdir
msf> db_import /tmp/testdir/test.xml<TAB>
test.xml   test.xml2
msf> db_import /tmp/test.<TAB>
test.xml   test.xml2
msf> db_import /tmp/test.xml2<TAB>    // Crashes msfconsole with same stacktrace
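
A minimal model of the failure in the trace above, added here as an illustration (it is not rb-readline's code and not the upstream patch): after a unique match, completion calls `lstat` to choose a suffix, and when the path it stats is built from the whole input line, the unhandled `Errno::ENOENT` ends the shell. The function names and the directory layout are constructed for this example, and the model does not reproduce rb-readline's exact conditions.

```ruby
require 'tmpdir'
require 'fileutils'

# Suffix appended after a unique completion: '/' for a directory, ' ' otherwise.
# Fragile variant (hypothetical): stats the whole input line resolved against
# the working directory, the same path shape that appears in the reported trace.
def suffix_fragile(line, _word)
  File.lstat(File.expand_path(line)).directory? ? '/' : ' '
end

# Hardened variant (hypothetical): stats only the completed word and treats a
# missing or unreadable path as "not a directory" instead of raising.
def suffix_hardened(_line, word)
  File.lstat(File.expand_path(word)).directory? ? '/' : ' '
rescue SystemCallError
  ' '
end

# Runs both variants over a constructed layout modelled on the PoC
# (a directory "testdir" and a file "test.xml2") and returns the outcomes.
def demo
  Dir.mktmpdir do |tmp|
    FileUtils.mkdir(File.join(tmp, 'testdir'))
    FileUtils.touch(File.join(tmp, 'test.xml2'))
    file_word = File.join(tmp, 'test.xml2')
    dir_word  = File.join(tmp, 'testdir')
    gone_word = File.join(tmp, 'nope')

    results = {
      hardened_file:    suffix_hardened("db_import #{file_word}", file_word),
      hardened_dir:     suffix_hardened("db_import #{dir_word}", dir_word),
      hardened_missing: suffix_hardened("db_import #{gone_word}", gone_word)
    }
    # In an interactive shell nothing rescues this, so the process exits.
    results[:fragile] = begin
      suffix_fragile("db_import #{file_word}", file_word)
    rescue Errno::ENOENT => e
      e.class
    end
    results
  end
end

p demo if __FILE__ == $PROGRAM_NAME
```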

@kernelsmith
Contributor

Workaround is to start msfconsole with the -L switch. Ruby readline has problems.

-Josh


@hdm
Contributor

hdm commented Nov 20, 2014

Looks like this is actually a bug in the upstream rb-readline library: https://github.com/luislavena/rb-readline

@hdm
Contributor

hdm commented Nov 20, 2014

This is a duplicate of #4128. Closing this ticket and tracking there.

@hdm hdm closed this as completed Nov 20, 2014
@OJ
Contributor

OJ commented Nov 21, 2014

FWIW: @PeleusGitHub this was a great bug report. 👍

@todb-r7

todb-r7 commented Nov 24, 2014

The short story, @PeleusGitHub, is to use Metasploit as ./msfconsole -L until we figure out what's going on with ConnorAtherton/rb-readline#111. Also, yes, great bug report, wonderful repro steps.

ConnorAtherton pushed a commit to ConnorAtherton/rb-readline that referenced this issue Dec 31, 2014
@hdm
Contributor

hdm commented Dec 31, 2014

This is now patched in upstream rb-readline.

@hdm
Contributor

hdm commented Dec 31, 2014

For Metasploit to get this patch, rb-readline needs to release a new gem.

@tikums

tikums commented Apr 5, 2015

I can reproduce this on Kali Linux 1.1.0 (3.18.0-kali1-686-pae).

Ruby: ruby 1.9.3p194 (2012-04-20 revision 35410) [i486-linux]
Metasploit Framework Version: 4.11.0-2015013101

Description:
While performing 'db_import', tab autocomplete on any file name at the end of the directory path crashes msfconsole.

Example/PoC:
While trying to import XML results of an external nmap scan

msf > db_import /tmp/test.xml2<TAB>    // Crashes msfconsole with stacktrace:
/opt/metasploit/apps/pro/vendor/bundle/ruby/1.9.1/gems/rb-readline-0.5.2/lib/rbreadline.rb:8438:in `lstat': No such file or directory - /root/db_import /root/winxp (Errno::ENOENT)
    from /opt/metasploit/apps/pro/vendor/bundle/ruby/1.9.1/gems/rb-readline-0.5.2/lib/rbreadline.rb:8438:in `append_to_match'
    from /opt/metasploit/apps/pro/vendor/bundle/ruby/1.9.1/gems/rb-readline-0.5.2/lib/rbreadline.rb:6812:in `rl_complete_internal'
    from /opt/metasploit/apps/pro/vendor/bundle/ruby/1.9.1/gems/rb-readline-0.5.2/lib/rbreadline.rb:6851:in `rl_complete'
    from /opt/metasploit/apps/pro/vendor/bundle/ruby/1.9.1/gems/rb-readline-0.5.2/lib/rbreadline.rb:4322:in `_rl_dispatch_subseq'
    from /opt/metasploit/apps/pro/vendor/bundle/ruby/1.9.1/gems/rb-readline-0.5.2/lib/rbreadline.rb:4311:in `_rl_dispatch'
    from /opt/metasploit/apps/pro/vendor/bundle/ruby/1.9.1/gems/rb-readline-0.5.2/lib/rbreadline.rb:4727:in `readline_internal_charloop'
    from /opt/metasploit/apps/pro/vendor/bundle/ruby/1.9.1/gems/rb-readline-0.5.2/lib/rbreadline.rb:4801:in `readline_internal'
    from /opt/metasploit/apps/pro/vendor/bundle/ruby/1.9.1/gems/rb-readline-0.5.2/lib/rbreadline.rb:4823:in `readline'
    from /usr/share/metasploit-framework/lib/rex/ui/text/input/readline.rb:132:in `readline_with_output'
    from /usr/share/metasploit-framework/lib/rex/ui/text/input/readline.rb:86:in `pgets'
    from /usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:184:in `run'
    from /usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:38:in `start'
    from /usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
    from /opt/metasploit/apps/pro/msf3/msfconsole:48:in `<main>'
root@kali:~#

@hdm
Contributor

hdm commented Apr 5, 2015

This is patched in master. Is your Kali up to date? That looks like a January update version.

@tikums

tikums commented Apr 5, 2015

Thanks, @hmoore-r7

I've updated to master and confirm that I can no longer reproduce it.
