Better Handling For Incompatible Meterpreter Extensions and Commands #14617
Conversation
def self.get_extension_id(name) | ||
k = self.get_extension_klass(name) | ||
begin | ||
k = self.get_extension_klass(name) | ||
rescue RuntimeError | ||
return nil | ||
end | ||
|
||
k.extension_id | ||
end | ||
|
||
def self.get_extension_name(id) | ||
self.get_extension_names.each do |name| | ||
self.get_extension_names.find do |name| | ||
begin | ||
klass = self.get_extension_klass(name) | ||
rescue RuntimeError | ||
next | ||
end | ||
return name if klass.extension_id == id | ||
|
||
klass.extension_id == id |
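Review bot: In `get_extension_id`, `rescue RuntimeError` maps every `RuntimeError` raised by `get_extension_klass` to `nil`, not only the unknown-name case described in the review comment, so a genuine failure while resolving an otherwise valid extension class is reported as if the extension did not exist; the `rescue RuntimeError` / `next` pair in `get_extension_name` has the same effect for each name it iterates. Consider checking the name against `get_extension_names` before calling `get_extension_klass`, or having `get_extension_klass` raise a dedicated subclass that these two methods rescue, and document the new `nil` return in both methods' comments, since callers that previously relied on the exception (or on the list `get_extension_name` used to return) now need to handle `nil`.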
These changes here update these two methods to both return `nil` when the ID or name is unknown. Previously `id` would raise a `RuntimeError` and `name` would return a list. This allows them to be used to easily query whether or not the ID and name are valid, which I was doing while experimenting with some ways to suggest extensions. The `get_extension_module` and `get_extension_klass` methods both still raise `RuntimeError` when the name is invalid.
@msjenkins-r7 test this please.
I'm pretty sure that the sanity tests are failing because the required Windows Meterpreter binaries have not been included since the Windows side of things hasn't been merged yet.
@zeroSteiner, you are correct, the failure looks to be that old payloads are not compatible with this code. That suggests this is a breaking change for Windows Meterpreter at this time. The code either needs to be able to account for both payloads or we should increment the version to represent that existing payloads will fail.
As a workaround, I can put all the platform fingerprinting code back in and leverage that when the
Commit b4005de should fix that by clearing the command requirements when the platform is Windows.
PR to incorporate the changes needed to test this is now up at #14665. Once this is landed the
PR should be ready to be tested now, just needs to rebase with upstream to pull in the metasploit-payloads 2.0.28 gem.
c6e1530 to cf24492
Alright so some quick tests:
Quick test with Java which shows that it now recognizes that we don't support
Gah looks like
Also I don't know if this helps but r.e. above this is what I get on the compromised user's console:
On the plus side it seems most of the usual commands are now being marked as not supported by Python:
Quick confirmation that Java is working as expected minus the same potential case of
Edit: I did however see some oddities with
Gah also seeing some other errors here as well:
Also seem to have encountered a bug when trying to tab complete
Know you mentioned you couldn't replicate this Spencer, so here are my tests again from tonight showing I was still able to replicate this issue:
Edit: Moving the previous contents of this comment as this issue seems to be specific to Java Meterpreter and is not related to this PR's changes.
cf24492 to 6a19e39
Filtering via command IDs would be a backwards incompatible change, so skip it on Windows until the payloads gem has had a major version bump.
Defining the commands in the cmds hash is necessary for them to be filtered and then reported to the user as incompatible when applicable. This moves their special compatibility checks into the actual command handler.
6a19e39 to 7c51dd0
Rebased to include the recent Gem bump update, should now be ready for testing.
Python and Java seem to be working fine: Windows 10 x64 with Python and Java Payloads
Also the Windows x64 payload is working well: Windows 10 x64 with x64 payload
Also working with x86 on a Windows 10 x64 system: Windows 10 x64 with x86 payload
Output from PHP tests looks good as well: Looks like we are also not showing commands which aren't supported by a given implementation, as can be seen below where the
Overall this looks good to land, will merge this in now, nice work @zeroSteiner!
Release Notes
Updated the core Meterpreter and console libraries to better handle cases where a given implementation of Meterpreter may not support a certain command. Now, instead of each version of Meterpreter trying to handle invalid commands, which previously led to errors, a check is made to verify that the command is one the Meterpreter supports, with an error message provided if not. Additionally, the output from running the
This requires rapid7/metasploit-payloads#451 to be landed first and the gem to be bumped.
This makes a number of changes to offer better handling for Meterpreter extensions and commands that are incompatible with a particular session. This for example will handle when the user attempts to `migrate` using a Python Meterpreter, or load the `kiwi` extension on the PHP Meterpreter. Currently in both of these cases, the user will get an error basically implying that Metasploit has no idea what that command or extension is. This could easily confuse someone less familiar with Metasploit who may not realize that `migrate` isn't supported on all Meterpreters, or that not all Meterpreters have the same extensions. With these changes in place, the user will get a more descriptive error message stating that the command[1] or extension is incompatible with the current session type (which is printed in the output to make our jobs easier when troubleshooting issues opened by users).
One of the major changes made to facilitate this is to enumerate the command IDs that are supported by the Meterpreter core, since not all of them support all of the same core commands. With this in place, Metasploit is able to rely on Meterpreter informing it of which core commands it can handle and use that information to filter commands. This is a much better solution than the platform fingerprinting that is in place now. It is also how commands for extensions like `stdapi` are currently filtered. There's a good amount of code that was refactored in this PR to rely on the enumerated core commands instead of fingerprinting the platform, which isn't super consistent.
This PR also updates the `post/test/meterpreter` module to incorporate a new test that ensures that the core command IDs can be enumerated as the extension ones can be.
[1] For a Meterpreter command to be reported as incompatible, the extension that provides it must have been loaded. For example, if a user attempts to run `creds_all` without loading `kiwi`, they'll still get an error that the command is unknown.
Testing
- `msfconsole` and run `loadpath test/modules` to load the test modules
- `exploit/windows/smb/psexec` and set the options to target a Windows system
- `AutoRunScript` option to automatically run `post/test/meterpreter`
- (`migrate`, `ssl_verify`, etc.) (extensions: `python`, `kiwi`, `powershell`, etc.)
- `help` output and are not suggested for tab completion
Demo
In this example, the Python Meterpreter is used, which lacks support for the `migrate` command and does not have the `kiwi` extension.
Fixes #14610
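As an added illustration of the dispatch model the description sketches, here is a small Ruby sketch of a console dispatcher that decides whether a command is supported, incompatible with the session type, or unknown from the command IDs the session enumerated rather than from a platform fingerprint, and that only adds an extension's commands once that extension is loaded (so an unloaded extension's command stays "unknown", per the footnote). This is example code written for this page, not code from metasploit-framework or from the PR; `FakeSession`, `Dispatcher`, the command names, the numeric IDs and the message wording are all hypothetical.

```ruby
require 'set'

# Stand-in for a live Meterpreter session (constructed fixture, not Metasploit
# data). core_command_ids is what the implementation would report when asked
# to enumerate the core commands it supports; `extensions` maps each extension
# this implementation ships to the command IDs it supports for it.
class FakeSession
  attr_reader :session_type, :core_command_ids, :extensions

  def initialize(session_type, core_command_ids, extensions)
    @session_type = session_type
    @core_command_ids = core_command_ids
    @extensions = extensions
  end

  # Mirrors the session answering "which command IDs do you support?" for the
  # core (no argument) or for one of its extensions.
  def enumerate_command_ids(extension = nil)
    extension ? @extensions.fetch(extension, []) : @core_command_ids
  end

  def supports_extension?(name)
    @extensions.key?(name)
  end
end

# Toy console dispatcher. Every command it knows lives in @cmds with a numeric
# ID; whether the current session can run it is decided from the IDs the
# session enumerated, never from the session's platform string.
class Dispatcher
  # Hypothetical core command IDs.
  CORE_COMMANDS = { 'help' => 1, 'migrate' => 2, 'load' => 3 }.freeze

  # Hypothetical extension commands. They are merged into @cmds only when the
  # extension is loaded, so an unloaded extension's command is "unknown".
  EXTENSION_COMMANDS = {
    'kiwi'   => { 'creds_all' => 1001 },
    'python' => { 'python_execute' => 1101 },
  }.freeze

  def initialize(session)
    @session = session
    @cmds = CORE_COMMANDS.dup
    @supported_ids = Set.new(session.enumerate_command_ids)
    @loaded = []
  end

  # Returns the message the console would print.
  def load_extension(name)
    return "Unknown extension: #{name}" unless EXTENSION_COMMANDS.key?(name)
    unless @session.supports_extension?(name)
      return "The \"#{name}\" extension is not supported by this Meterpreter type (#{@session.session_type})"
    end
    return "The \"#{name}\" extension has already been loaded" if @loaded.include?(name)

    @loaded << name
    @cmds.merge!(EXTENSION_COMMANDS[name])
    # Ask the session which of this extension's commands it actually supports.
    @supported_ids.merge(@session.enumerate_command_ids(name))
    "Successfully loaded extension #{name}"
  end

  # :supported, :incompatible (known command whose ID the session did not
  # enumerate) or :unknown (not present in @cmds at all).
  def classify(name)
    id = @cmds[name]
    return :unknown if id.nil?
    @supported_ids.include?(id) ? :supported : :incompatible
  end

  def run(name)
    case classify(name)
    when :unknown
      "Unknown command: #{name}"
    when :incompatible
      "The \"#{name}\" command is not supported by this Meterpreter type (#{@session.session_type})"
    else
      "[#{name} executed]"
    end
  end

  # Only commands this session can run are offered for completion / help.
  def tab_complete(prefix)
    @cmds.keys.select { |n| n.start_with?(prefix) && classify(n) == :supported }.sort
  end
end

if $PROGRAM_NAME == __FILE__
  python = FakeSession.new('python/python', [1, 3], { 'python' => [1101] })
  console = Dispatcher.new(python)
  puts console.run('migrate')         # incompatible: ID 2 not enumerated
  puts console.load_extension('kiwi') # extension not supported by this type
  puts console.run('creds_all')       # unknown: kiwi was never loaded
end
```

The session type appears in every "not supported" message, matching the PR's point that printing it makes user-reported issues easier to triage; the same `classify` result drives both the error path and tab completion, so the two cannot drift apart.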