Expand environment variables on Linux #15862
Just a note for testers, we should determine what this will do when an environment variable can't be expanded because it doesn't exist in the target environment. We'll need to check if it'll be left in the resulting string or removed altogether.
lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb
Overall not bad though I did have a few concerns and some suggestions.
lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb
Co-authored-by: Grant Willcox <63261883+gwillcox-r7@users.noreply.github.com>
Seems to be working fine, the errors were mostly cause for some reason the Meterpreter on Linux isn't picking up about 90% of my environment variables. First I thought this might be cause I'm not using bash, but even that has environment variables that aren't showing up here.
Oh and to be clear I'm not landing this yet as the issue that is still open needs to be resolved first but once that is fixed this should be good to go and land.
Oh and Windows is still working (forgot to test earlier):
One potential oddity found though:
@gwillcox-r7 - Yeah, a bunch of the commands didn't use the
Thanks @smashery, appreciate your hard work on this! I'll check this more in depth tomorrow morning as soon as I can 👍
All tests completed successfully. We are cleared for landing 👍
Release Notes
Updates have been made to Linux Meterpreter libraries to support expanding environment variables in several different commands. This should provide users with a smoother experience when using environment variables in commands such as
This PR resolves #14357. The `expand_path` function previously only worked on Windows; with this, it also works on Unix.

The approach I took was the one suggested by @timwr in the issue discussion: to do pattern-matching in the Framework itself, and then just request environment variables from Meterp, and slot them in.

The advantage of this approach is that the pattern-matching would have needed to be implemented somewhere for Mettle, since the built-in function to do it in Mettle's libc (musl) just launches `sh`, which isn't great from a forensics point of view. Doing it in Ruby rather than C lets us reduce code and leverage existing work in each of the other Meterps.

Implementing this parsing manually means there are some rarer use cases that I haven't covered compared to a regular implementation of wordexp, such as escaping dollar signs (e.g. an actual folder called `$home`), or resolving home directories of other users (e.g. `~root => /root`); happy to discuss if it's felt these cases are important. (Now that I'm looking at it, I can't figure out a way to do the equivalent in Windows, i.e. `cd`ing into a directory that is actually called `%TEMP%`).

Interestingly, I'd initially thought Python's `os.path.expandvars` would be an easy win for the Python meterpreter, but even that doesn't do dollar-escaping of backslashes or quotes... in short, if we wanted a completely consistent implementation, it seems like we'd need to manually implement parts of it for each of the meterp implementations anyway, so doing the pattern matching in one spot seemed much simpler overall.

Verification
msfconsole
irb
fs.file.expand_path('~')
fs.file.expand_path('$HOME')
cd, mkdir, rmdir, rm, mv, cp, chmod, ls, search, cat, checksum, download, upload, edit
%TEMP%) still behaves
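
The approach the PR description outlines (match variable references on the Framework side, fetch the values from the session, slot them in), together with the testers' question about variables that do not exist on the target, as an added Ruby example. It is not the code from this PR: `VAR_PATTERN`, `SAMPLE_ENV`, `leading_tilde?`, `referenced_vars`, `expand_unix_path` and the `on_missing` option are hypothetical names, and the environment hash is constructed sample data standing in for the remote lookup.

```ruby
# Added illustration, not the code from this PR. All names are hypothetical.

# Matches ${NAME} (group 1) or $NAME (group 2).
VAR_PATTERN = /\$(?:\{([A-Za-z_][A-Za-z0-9_]*)\}|([A-Za-z_][A-Za-z0-9_]*))/

# Constructed sample of what the remote environment lookup might return.
SAMPLE_ENV = { 'HOME' => '/home/msf', 'TMPDIR' => '/tmp' }.freeze

# Only a bare "~" or a leading "~/" is treated as the current user's home.
def leading_tilde?(path)
  path == '~' || path.start_with?('~/')
end

# Names the path refers to, so they can be requested in one batch.
def referenced_vars(path)
  names = path.scan(VAR_PATTERN).map { |braced, bare| braced || bare }
  names << 'HOME' if leading_tilde?(path)
  names.uniq
end

# env: Hash of name => value fetched from the target.
# on_missing: :keep leaves the "$NAME" token in place; :empty removes it,
# which is what sh does for an unset variable.
def expand_unix_path(path, env, on_missing: :keep)
  expanded = path.gsub(VAR_PATTERN) do |token|
    name = Regexp.last_match(1) || Regexp.last_match(2)
    env.fetch(name) { on_missing == :keep ? token : '' }
  end
  # Tilde is decided on the original path and applied last, so a substituted
  # value is never rescanned for "~" or "$".
  if leading_tilde?(path) && env.key?('HOME')
    expanded = env['HOME'] + expanded[1..-1]
  end
  expanded
end
```

Like the manual parsing described above, this does not honour an escaped dollar sign and leaves `~root` untouched, so those inputs show the limits the description lists.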