Open WangYihang opened 6 years ago
It just reads the initial output from the buffer. With bash -i, that gets you a shell prompt. Something like uname -a might be more appropriate, but then we're getting into the territory of automatically writing and reading commands before interaction.
And no, I don't think it'd crash. It's very doable. You could probably hammer out a prototype in a few minutes.
wvu@kharak:~/metasploit-framework:master$ git diff
diff --git a/lib/msf/base/sessions/command_shell.rb b/lib/msf/base/sessions/command_shell.rb
index fcb8e1b7af..e96221284b 100644
--- a/lib/msf/base/sessions/command_shell.rb
+++ b/lib/msf/base/sessions/command_shell.rb
@@ -233,7 +233,8 @@ class CommandShell
initial_output.strip!
# Set the inital output to .info
- self.info = initial_output
+ #self.info = initial_output
+ self.info = run_cmd('uname -a')
end
end
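Review bot: the added `self.info = run_cmd('uname -a')` executes a command on the target unconditionally at session setup, before the operator has chosen to interact; as this thread itself argues, that should be opt-in (an autorun script or a datastore option that defaults off) rather than hard-wired into `CommandShell`. It is also Unix-specific: on a Windows command shell `info` would end up holding an error string instead of the stripped `initial_output`, so either check the platform or fall back to `initial_output` when the command yields nothing useful. Finally, drop the commented-out `#self.info = initial_output` rather than leaving dead code, and fix the comment above it ("inital" should be "initial").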
wvu@kharak:~/metasploit-framework:master$
Agree with the notion of improving this output. That's probably best done as an optional autorun script. We don't want to hard code predictable behaviors immediately upon attaining session - the HIDS stalkers might take an interest.
@sempervictus: Precisely why I hesitated about this! Automatically running predefined commands before you interact with the session is another way of saying "do some things before you're necessarily ready," IMHO. It should at least be an option to disable.
@wvu: I've become predictable, damn. ;-) The autorun stuff is effectively such a logical barrier to default execution; it's opt-in by the user, so detection is on them for it. I have similar concerns about how libsigar and metsrv do things, but without function hooking or some other runtime introspection, the blue team folks won't catch that as easily (and we should bail early when observed anyway).
Perhaps we should just clean the output of dodgy looking characters?
Any dodgy characters we're seeing are probably ANSI escape sequences. Reminds me of cleaning script(1) typescripts. :/
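One way to do that cleaning, as an added example rather than Metasploit's own code (the strip_ansi and clean_session_info names, the escape-sequence patterns and the sample prompt string are all constructed here): strip the OSC/CSI/ESC sequences and stray control bytes that an interactive prompt emits, then keep the first non-empty line for the info field. Filtering these out also keeps the target's output from driving the operator's own terminal.

```ruby
# Added example (not Metasploit's own code): clean a shell session's initial
# output of ANSI/VT100 escape sequences and stray control characters before
# it is used as the session's info field.

# Escape-sequence families, applied in order so the multi-byte forms are
# removed before the two-byte fallback sees their ESC prefix.
OSC_SEQ     = /\e\][^\x07\e]*(?:\x07|\e\\)/             # ESC ] ... BEL | ESC \
CSI_SEQ     = /\e\[[\x30-\x3f]*[\x20-\x2f]*[\x40-\x7e]/ # ESC [ params inter final
CHARSET_SEQ = /\e[()*+][\x20-\x7e]/                     # ESC ( B and friends
ESC_2BYTE   = /\e[\x30-\x5f]/                           # ESC = , ESC > , ESC M ...
CTRL_CHARS  = /[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]/        # all but TAB, LF, CR

# Remove escape sequences and non-printing bytes, keeping the visible text.
# scrub first so invalid UTF-8 from the target cannot make gsub raise.
def strip_ansi(text)
  cleaned = text.to_s.scrub('?')
  [OSC_SEQ, CSI_SEQ, CHARSET_SEQ, ESC_2BYTE, CTRL_CHARS].each do |re|
    cleaned = cleaned.gsub(re, '')
  end
  cleaned
end

# Build the one-line string the sessions listing shows: normalise line
# endings, skip blank lines, take the first real line, cap its length.
def clean_session_info(raw_output, max_len = 80)
  lines = strip_ansi(raw_output).gsub(/\r\n?/, "\n").split("\n").map(&:strip)
  first = lines.find { |l| !l.empty? } || ''
  first.length > max_len ? first[0, max_len - 3] + '...' : first
end

# Constructed sample of what "bash -i" typically pushes into the buffer on
# connect: a mode-set CSI, a title-setting OSC and a coloured PS1 prompt.
SAMPLE_OUTPUT = "\e[?1034h\e]0;user@host: ~\a\e[01;32muser@host\e[00m:" \
                "\e[01;34m~\e[00m$ \r\n".freeze

if __FILE__ == $0
  puts clean_session_info(SAMPLE_OUTPUT) # => user@host:~$
end
```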
@sempervictus Yeah, you are right: HIDS may be interested in this, and it may get our attack detected. I did not think about this problem before; thank you for the revelation. I think it can be made a user-optional parameter; maybe that's a better way.
@timwr @wvu-r7 I didn't test the reverse shell on Windows (or any other system), so I am not sure what the information field looks like there. If we decide to clean (parse) the output, maybe we should treat each OS differently...
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Steps to reproduce
The information field will sometimes be wrong when executing the sessions command (the victim used an interactive shell, e.g. bash -i). Should we gather some information from the target system (execute these commands first, once we get a reverse shell session), like:
Linux:
cat /etc/issue | base64
Windows:
ver
Then we can parse the output of these commands... I am not sure whether it will work... maybe it will lead to some unexpected crash?
Expected behavior
Current behavior
System stuff
Metasploit version
I installed Metasploit with:
ruby 2.5.1p57 (2018-03-29 revision 63029) [x86_64-linux-gnu]
OS