Add option for running cmd_execute in a subshell #15540

Merged
merged 1 commit into from
Aug 16, 2021

Conversation

dwelch-r7 (Contributor)

This PR adds the option to cmd_execute to have the command run in a subshell by meterpreter.

I've also updated the default switches for running a PTY to run in a subshell, since it's currently required (except by the Python meterpreter).

As a side effect of this, running shell -t from a native Linux meterpreter (mettle) now works.

Verification steps

  • Get a native linux (mettle) meterpreter shell
  • Run shell -t
  • It should drop you into a PTY (i.e. sudo should work)

@smcintyre-r7 (Contributor)

Are there scenarios we can think of where users wouldn't want to run this command in a subshell?

@timwr (Contributor)

timwr commented Aug 11, 2021

Looks good, I can confirm this fixes sudo within meterpreter > shell -t on macOS and Ubuntu.

Before fix:

*** macOS:
meterpreter > shell -t
[*] env TERM=xterm HISTFILE= /usr/bin/script -q /dev/null /bin/bash
Process 620 created.
Channel 2 created.
sudo id
[-] core_channel_write: Operation failed: 9

*** Ubuntu:
meterpreter > shell -t
[*] env TERM=xterm HISTFILE= /usr/bin/script -qc /bin/bash /dev/null
Process 1498 created.
Channel 2 created.
meterpreter >

After fix:

*** macOS:
meterpreter > shell -t
[*] env TERM=xterm HISTFILE= /usr/bin/script -q /dev/null /bin/bash
Process 647 created.
Channel 2 created.

The default interactive shell is now zsh.
To update your account to use zsh, please run `chsh -s /bin/zsh`.
For more details, please visit https://support.apple.com/kb/HT208050.
bash-3.2$ sudo id
sudo id
Password:hunter2

uid=0(root) gid=0(wheel) groups=0(wheel),1(daemon),2(kmem),3(sys),4(tty),5(operator),8(procview),9(procmod),12(everyone),20(staff),29(certusers),61(localaccounts),80(admin),33(_appstore),98(_lpadmin),100(_lpoperator),204(_developer),250(_analyticsusers),395(com.apple.access_ftp),398(com.apple.access_screensharing),399(com.apple.access_ssh),400(com.apple.access_remote_ae),701(com.apple.sharepoint.group.1)
*** Ubuntu:
meterpreter > shell -t
[*] env TERM=xterm HISTFILE= /usr/bin/script -qc /bin/bash /dev/null
Process 1932 created.
Channel 2 created.
user@user-vm:~$ sudo id
sudo id
[sudo] password for user: hunter2

uid=0(root) gid=0(root) groups=0(root)
user@user-vm:~$

@dwelch-r7 (Contributor, Author)

Are there scenarios we can think of where users wouldn't want to run this command in a subshell?

I believe this particular command is one that doesn't work outside of a subshell

@timwr (Contributor)

timwr commented Aug 11, 2021

I think users nearly always intend a command to be run in a subshell; however, I can think of a few cases where they wouldn't want cmd_execute to default to a subshell:

  • They are intending to execute a single file without arguments, e.g. execute just ps instead of /bin/sh -c 'ps'
  • The arguments have lots of characters that would require shell escaping (e.g. &, ;)?
  • The platform has no shell (e.g. iOS has no /bin/sh etc.).

I wonder if it makes sense to add a new option for a command that would be run under a subshell, e.g.:
execute echo test
or
execute -C 'echo test'
The -f file -a args part of cmd_execute can be confusing.
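To make the three cases above concrete, here is an added illustration (not the PR's code or Metasploit's own API) of how the argv handed to exec differs between a direct execute and a subshell execute, why arguments then need escaping, and what happens on a platform with no shell. The SHELL_FOR table and the function names are assumptions for the example.

```ruby
require 'shellwords'

# Assumed shell path per platform; platforms absent here have no shell
# (the iOS case from the discussion).
SHELL_FOR = { 'linux' => '/bin/sh', 'osx' => '/bin/sh' }.freeze

# Characters a POSIX shell interprets. Passed as direct argv entries they
# are literal; inside `sh -c` they change the command's meaning.
SHELL_METACHARS = /[|&;<>()$`\\"'*?\[\]#~ \t\n]/

# Build the argv that would be exec'd for `execute -f FILE -a ARGS`.
#   subshell: false -> execve(file, args) as given, no shell involved
#   subshell: true  -> sh -c "<file> <args...>", with each word escaped so
#                      the shell sees exactly the words the direct form would
def build_argv(file, args, subshell: false, platform: 'linux')
  return [file, *args] unless subshell

  shell = SHELL_FOR[platform]
  raise ArgumentError, "platform #{platform} has no shell" unless shell

  [shell, '-c', Shellwords.shelljoin([file, *args])]
end

# Return the args that would silently change meaning if a subshell were
# the default and the caller had not escaped them.
def needs_escaping(args)
  args.select { |a| a.match?(SHELL_METACHARS) }
end
```

Running `build_argv('ps', [])` gives a bare exec of ps, while the subshell form of `echo a;b` becomes `/bin/sh -c 'echo a\;b'`, so the semicolon stays literal only because it was escaped.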

@smcintyre-r7 (Contributor)

@timwr thanks, those scenarios make sense.

I wonder if it makes sense to add a new option for a command that would be run under a subshell

Instead of a new command, what if we updated the shell command to take the same relevant arguments as execute but run the command within a subshell. I think that might be a little more intuitive.

@dwelch-r7 (Contributor, Author)

@msjenkins-r7 test this please

@jmartin-tech (Contributor)

@msjenkins-r7 test this please.

@dwelch-r7 (Contributor, Author)

I wonder if it makes sense to add a new option for a command that would be run under a subshell

Instead of a new command, what if we updated the shell command to take the same relevant arguments as execute but run the command within a subshell. I think that might be a little more intuitive.

@smcintyre-r7 sorry, but I'm not really sure I understand what the ask is here, since the shell command sometimes needs to be in a subshell (like the majority of the time when creating a PTY), but, for example, when using the Python meterpreter it needs to not be in a subshell so we can get sudo to work.

@timwr (Contributor)

timwr commented Aug 16, 2021

I'm happy to land this as-is and make further changes in a new pull request.

@timwr timwr merged commit f33bd8b into rapid7:master Aug 16, 2021
@jmartin-tech (Contributor)

Release Notes

This adds an option to cmd_execute to have the command run in a subshell by meterpreter.

@jmartin-tech jmartin-tech added the rn-enhancement release notes enhancement label Aug 20, 2021