Fix symlink test bug when running python meterpreter on windows #18112

@adfoster-r7 adfoster-r7 commented Jun 14, 2023

Fix symlink test bug when running python Meterpreter on windows with the test/file module, available after running loadpath test/modules

Verification

Verify that test/file works on a windows python Meterpreter session

Before - test failure:

msf6 > use python/meterpreter/reverse_tcp
msf6 payload(python/meterpreter/reverse_tcp) > generate -f raw -o shell.py lhost=127.0.0.1
[*] Writing 428 bytes to shell.py...
msf6 payload(python/meterpreter/reverse_tcp) > to_handler
...
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:50555) at 2023-06-14 12:17:22 -0700
...
msf6 payload(python/meterpreter/reverse_tcp) > loadpath test/modules
Loaded 39 modules:
    14 auxiliary modules
    13 exploit modules
    12 post modules
...
msf6 post(test/file) > run session=-1

[!] SESSION may not be compatible with this module:
[!]  * missing Meterpreter features: stdapi_fs_chmod
[*] Running against session -1
[*] Session type is meterpreter and platform is windows
[+] should test for directory existence
[+] should create directories
[+] should list the directory we just made
[+] should recursively delete the directory we just made
[-] FAILED: should delete a symbolic link target
[-] Exception: Rex::Post::Meterpreter::RequestError: stdapi_sys_process_execute: Operation failed: Python exception: FileNotFoundError
[-] FAILED: should not recurse into symbolic link directories
[-] Exception: Rex::Post::Meterpreter::RequestError: stdapi_sys_process_execute: Operation failed: Python exception: FileNotFoundError
[+] should write binary data
[+] should read the binary data we just wrote
[+] should delete binary files
[+] should append binary data
[+] should test for file existence
[+] should create text files
[+] should read the text we just wrote
[+] should append text files
[+] should delete text files
[+] should move files
[-] Passed: 14; Failed: 2; Skipped: 0
[*] Post module execution completed

After - all green:

[*] Running against session -1
[*] Session type is meterpreter and platform is windows
[+] should test for directory existence
[+] should create directories
[+] should list the directory we just made
[+] should recursively delete the directory we just made
[+] should delete a symbolic link target
[+] should not recurse into symbolic link directories
[+] should write binary data
[+] should read the binary data we just wrote
[+] should delete binary files
[+] should append binary data
[+] should test for file existence
[+] should create text files
[+] should read the text we just wrote
[+] should append text files
[+] should delete text files
[+] should move files
[*] Passed: 16; Failed: 0; Skipped: 0
[*] Post module execution completed

@adfoster-r7 adfoster-r7 added rn-enhancement release notes enhancement rn-fix release notes fix and removed rn-enhancement release notes enhancement labels Jun 14, 2023
@jheysel-r7 jheysel-r7 self-assigned this Jun 14, 2023
@adfoster-r7 adfoster-r7 force-pushed the fix-symlink-test-bug-when-running-python-meterpreter-on-windows branch from 8749dfa to 2a66987 Compare June 14, 2023 19:12
@@ -292,7 +292,7 @@ def cleanup

def make_symlink(target, symlink)
if session.platform == 'windows'
cmd_exec("cmd.exe /c mklink #{directory?(target) ? '/D ' : ''}#{symlink} #{target}")
cmd_exec("cmd.exe", "/c mklink #{directory?(target) ? '/D ' : ''}#{symlink} #{target}")
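Review bot: in the replacement call `cmd_exec("cmd.exe", "/c mklink ...")`, `#{symlink}` and `#{target}` are still interpolated into the argument string unquoted, so a path containing a space would be split into extra `mklink` arguments; consider wrapping both in double quotes. A one-line comment above the call explaining why the program name and its arguments are passed separately would also keep a later cleanup from collapsing them back into a single string.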
Contributor Author

Before this change - we can see in procmon that it's attempting to find the file cmd.exe /c mklink ... etc on the user's filepath


Afterwards it will just attempt to call cmd.exe


Long term - I think we'll either want to holistically fix this edge case in the python meterpreter / or update modules to send program name and arguments separately / add a rubocop rule to catch this edge case
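A sketch of the lint idea raised in the comment above, as an added example (not the project's code and not a real RuboCop cop): a regex heuristic that flags `cmd_exec` calls packing a program name and its arguments into one string literal. The names `scan_cmd_exec`, `report` and `Finding` are hypothetical, and the third sample line is constructed.

```ruby
# Added example: heuristic scan, not a real RuboCop cop and not project code.
# Flags cmd_exec calls whose only argument is a string literal that packs a
# program name together with its arguments.

# Captures: quote character, literal body, and the character after the literal.
SINGLE_LITERAL_CALL = /\bcmd_exec\s*\(\s*(["'])((?:\\.|(?!\1).)*)\1\s*([,)])/

Finding = Struct.new(:line_no, :program, :rest)

# Returns one Finding per suspicious call in the given Ruby source text.
def scan_cmd_exec(source)
  findings = []
  source.each_line.with_index(1) do |line, line_no|
    next if line.lstrip.start_with?('#') # ignore commented-out code
    line.scan(SINGLE_LITERAL_CALL) do |_quote, literal, follower|
      next if follower == ',' # arguments are already passed separately
      program, rest = literal.strip.split(/\s+/, 2)
      next if rest.nil? # bare program name, nothing to split out
      findings << Finding.new(line_no, program, rest)
    end
  end
  findings
end

# Turns findings into one human-readable message per flagged line.
def report(findings)
  findings.map do |f|
    "line #{f.line_no}: pass #{f.program.inspect} and its arguments as separate cmd_exec parameters"
  end
end

# Lines 1 and 2 are the two cmd_exec calls shown in this PR's hunk;
# line 3 is a constructed call with no arguments.
SAMPLE = <<~'RUBY'
  cmd_exec("cmd.exe /c mklink #{directory?(target) ? '/D ' : ''}#{symlink} #{target}")
  cmd_exec("cmd.exe", "/c mklink #{directory?(target) ? '/D ' : ''}#{symlink} #{target}")
  cmd_exec("hostname")
RUBY

puts report(scan_cmd_exec(SAMPLE))
```

The scan reads one line at a time and does not parse Ruby, so a call split across lines or a literal containing an escaped or interpolated quote needs a real parser.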

@jheysel-r7
Contributor

Before:

msf6 post(test/file) > run session=-1

[!] SESSION may not be compatible with this module:
[!]  * missing Meterpreter features: stdapi_fs_chmod
[*] Running against session -1
[*] Session type is meterpreter and platform is windows
[+] should test for directory existence
[+] should create directories
[+] should list the directory we just made
[+] should recursively delete the directory we just made
[-] FAILED: should delete a symbolic link target
[-] Exception: Rex::Post::Meterpreter::RequestError: stdapi_sys_process_execute: Operation failed: Python exception: FileNotFoundError
[-] FAILED: should not recurse into symbolic link directories
[-] Exception: Rex::Post::Meterpreter::RequestError: stdapi_sys_process_execute: Operation failed: Python exception: FileNotFoundError
[+] should write binary data
[+] should read the binary data we just wrote
[+] should delete binary files
[+] should append binary data
[+] should test for file existence
[+] should create text files
[+] should read the text we just wrote
[+] should append text files
[+] should delete text files
[+] should move files
[-] Passed: 14; Failed: 2; Skipped: 0
[*] Post module execution completed

After:

msf6 > use python/meterpreter/reverse_tcp
msf6 payload(python/meterpreter/reverse_tcp) > generate -f raw -o shell.py lhost=192.168.123.1
[*] Writing 436 bytes to shell.py...
msf6 payload(python/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 0

[*] Started reverse TCP handler on 192.168.123.1:4444
msf6 payload(python/meterpreter/reverse_tcp) > [*] Sending stage (24772 bytes) to 192.168.123.1
[*] Meterpreter session 1 opened (192.168.123.1:4444 -> 192.168.123.1:64622) at 2023-06-14 15:57:01 -0400

msf6 payload(python/meterpreter/reverse_tcp) > loadpath test/modules
Loaded 39 modules:
    14 auxiliary modules
    13 exploit modules
    12 post modules
msf6 payload(python/meterpreter/reverse_tcp) > use test/file
msf6 post(test/file) > run session=-1

[!] SESSION may not be compatible with this module:
[!]  * missing Meterpreter features: stdapi_fs_chmod
[*] Running against session -1
[*] Session type is meterpreter and platform is windows
[+] should write binary data
[+] should read the binary data we just wrote
[+] should delete binary files
[+] should append binary data
[+] should test for file existence
[+] should create text files
[+] should read the text we just wrote
[+] should append text files
[+] should delete text files
[+] should move files
[+] should test for directory existence
[+] should create directories
[+] should list the directory we just made
[+] should recursively delete the directory we just made
[-] failed to create the symbolic link
[+] should delete a symbolic link target
[+] should not recurse into symbolic link directories
[*] Passed: 16; Failed: 0; Skipped: 0
[*] Post module execution completed
msf6 post(test/file) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-8ATHH6O
OS              : Windows 10 (Build 19042)
Architecture    : x64
System Language : en_US
Meterpreter     : python/windows
meterpreter >

Hey @adfoster-r7, any idea why I'd be seeing the following failure after deploying the changes in this PR??

[-] failed to create the symbolic link

@adfoster-r7
Contributor Author

adfoster-r7 commented Jun 14, 2023

[-] failed to create the symbolic link

If you don't have write access in the current directory that can happen; I have a separate PR to fix that - #18109 - running the payload from an admin cmd prompt might resolve the issue

Python 2 is also broken on windows, it needs python 3 - rapid7/metasploit-payloads#657

Beyond that, I'm not sure what else it would be - would have to put in a breakpoint or run with verbose=true to see if anything else sticks out as being the problem

@jheysel-r7
Contributor

Thanks Alan - running from an Admin cmd prompt fixed the issue. I appreciate all the suggestions 🙇

msf6 post(test/file) > run session=-1

[!] SESSION may not be compatible with this module:
[!]  * missing Meterpreter features: stdapi_fs_chmod
[*] Running against session -1
[*] Session type is meterpreter and platform is windows
[+] should test for directory existence
[+] should create directories
[+] should list the directory we just made
[+] should recursively delete the directory we just made
[+] should delete a symbolic link target
[+] should not recurse into symbolic link directories
[+] should write binary data
[+] should read the binary data we just wrote
[+] should delete binary files
[+] should append binary data
[+] should test for file existence
[+] should create text files
[+] should read the text we just wrote
[+] should append text files
[+] should delete text files
[+] should move files
[*] Passed: 16; Failed: 0; Skipped: 0

@jheysel-r7 jheysel-r7 merged commit 2632d33 into rapid7:master Jun 14, 2023
29 of 30 checks passed
@jheysel-r7
Contributor

Release Notes

This PR fixes a symlink test bug when running python meterpreter on windows
