Fix get_processes for some shell sessions #15328
Conversation
Note the testing steps are somewhat wrong. After you get a session you have to type

Tests look good, first part is when the fix is applied, showing the output is returned properly. Other part is the output from

Release Notes
The
This fixes instances where `#shell_read_until_token` would fail to return any output because the random token is included in the output. Since the token is random, this is very unlikely to happen with one exception and that is listing out processes. When the `ps aux` command is run, such as by the `get_processes` method, the command that executed it, including the random token as an argument, will be included in the response. This effectively breaks `get_processes` for shell commands where the `ps aux` command behaves this way.

From my testing, it looks like the native Linux shell payloads are not affected by this, presumably because their environment variables are different. This can be verified by running `session.shell_command_token('env')` and comparing it to other sessions. The `python/shell_reverse_tcp` payload does appear to be affected by this issue however.

The proposed solution here is to leverage the fact that when the ending token is echoed, it will be directly preceded by a newline which is omitted when the token itself is returned in the output as part of the `ps aux` command.

Verification
List the steps needed to make sure this thing works:

- `msfconsole`
- `python/shell_reverse_tcp` payload (`exploit/multi/sshexec` module works nicely for this, or just generate a payload and run it, that works too)
- `pry` and run `sessions[#].shell_command_token('ps aux')`, see output

Issue Example
Notice how both sessions are on the same host, but the `env` lines are different.
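The failure mode and the newline-anchored fix described in the PR description above, as an added illustration in Ruby (this is not Metasploit's own `shell_read_until_token`; the helper names, the token value and the `ps aux` sample output are constructed for the example):

```ruby
# Added illustration, not the project's code. A token-delimited shell reader
# sends "cmd; echo <token>" and reads until the token appears. When cmd is
# `ps aux`, the listing contains the shell running that command line, so the
# token shows up mid-line before the real terminator is echoed.

# Naive reader: stops at the first occurrence of the token anywhere.
def read_until_token_naive(buffer, token)
  idx = buffer.index(token)
  return nil unless idx
  buffer[0...idx]
end

# Fixed reader: the echoed terminator sits at the start of its own line, so
# require the token to be preceded by a newline (or to begin the buffer).
# A token appearing mid-line as a `ps aux` argument no longer terminates.
def read_until_token_fixed(buffer, token)
  pattern = /(?:\A|\n)#{Regexp.escape(token)}/
  m = pattern.match(buffer)
  return nil unless m
  # Keep everything before the newline that belongs to the terminator.
  buffer[0...m.begin(0)]
end

# Constructed sample: a `ps aux` listing that includes the shell executing
# "ps aux; echo <token>", followed by the terminator echoed on its own line.
TOKEN = 'Qy3kLwp9'.freeze
SAMPLE_PS_OUTPUT = [
  'USER PID %CPU COMMAND',
  'root   1  0.0 /sbin/init',
  "user 1337  0.0 /bin/sh -c ps aux; echo #{TOKEN}",
  'user 1340  0.0 ps aux',
  TOKEN,
].join("\n")

if $PROGRAM_NAME == __FILE__
  puts "naive: #{read_until_token_naive(SAMPLE_PS_OUTPUT, TOKEN).inspect}"
  puts "fixed: #{read_until_token_fixed(SAMPLE_PS_OUTPUT, TOKEN).inspect}"
end
```

The naive reader returns a listing truncated at the mid-line token and drops the remaining process lines; the fixed reader returns the complete four-line listing, which is what `get_processes` needs to parse.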