rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

sessions -C execute fails with a nil:NilClass #15147

Open theguly opened 3 years ago

theguly commented 3 years ago

running the meterpreter execute command using sessions -C mostly doesn't work:

[*] Running 'execute -Hif cmd -a "/c dir"' on meterpreter session 2 (192.168.1.2)
Process 1836 created.
Channel 20 created.
[-] Error running command execute: NoMethodError undefined method `fd' for nil:NilClass

on linux:

[*] Running 'execute -Hif /bin/ls' on meterpreter session 1 (192.168.1.3)
Process 19061 created.
Channel 7 created.
[-] Error running command execute: NoMethodError undefined method `fd' for nil:NilClass

running the same command in an interactive session (eg: sessions -i 1 or sessions -i 2) using execute -Hif _command_ does always (based on my tests) work.

running the same command through msfrpc, while msfconsole is interacting with that session, works:

  1. spin up msfrpc api inside msfconsole (msfconsole> load msfrpc foo bar)
  2. create a session with a meterpreter payload of choice
  3. connect to msfrpc and run the execute command using rpc.call(), see it fails
  4. confirm using sessions -iq X -C command inside msfconsole that it fails
  5. interact with session in msfconsole: sessions -i X
  6. run again the execute command using rpc.call() and see it works

Steps to reproduce

  1. get a session with your payload of choice (I tested php/meterpreter/reverse_tcp as session 1 and windows/meterpreter/reverse_tcp as session 2)
  2. put the session in background
  3. execute meterpreter command using on linux: sessions -iq 1 -C 'execute -Hif /bin/ls' or on windows: session -iq 2 -C 'execute -Hif cmd -a "/c dir"'
  4. interact with the two sessions and run the command:
  5. session -i 1
  6. execute -Hif /bin/ls
  7. background
  8. session -i 2
  9. execute -Hif cmd -a "/c dir"

Expected behavior

I expect that execute will run in both ways

Current behavior

using execute while interacting with a session works as expected, having it run using session -C breaks

Metasploit version

6.0.42-dev

theguly commented 3 years ago

re-reading this, I see that it is not very well explained because the main description and steps to reproduce are not aligned (mostly steps 5 and 6 of the main description with 4 and following of the steps to reproduce).

to experience the same behaviour, expose msfrpc from a msfconsole (I'm using the old one, msg, but it shouldn't matter here) and run a command like session -iq X -C "command" using an rpc call, see it breaks with those NoMethodErrors

if you interact with that session on msfconsole and run the given rpc call again, the command doesn't break anymore

timwr commented 3 years ago

I suspect this is a won't fix, if you want to run session commands via msfrpc you can use session.meterpreter_write

theguly commented 3 years ago

I suspect this is a won't fix, if you want to run session commands via msfrpc you can use session.meterpreter_write

I knew it wasn't clear enough :)

let's say that the exploit is run using msfrpc (using pymetasploit3), therefore the agent is run within the same method. msfconsole exposes rpc, and receives the session.

running sessions -iq 1 -C 'execute -Hif /bin/ls' gives back that NoMethodError

I'm using an rc to automate the setup of msfrpc, this is the full output of msfconsole:

resource (msfrc)> load msgrpc ServerHost=0.0.0.0 Pass=AkDASJO4jp ServerPort=55553 SSL=True
[*] MSGRPC Service:  0.0.0.0:55553  (SSL)
[*] MSGRPC Username: msf
[*] MSGRPC Password: AkDASJO4jp
[*] Successfully loaded plugin: msgrpc
[*] Starting persistent handler(s)...

msf6 > [*] Meterpreter session 1 opened (192.168.1.1:4443 -> 192.168.1.2:45958) at 2021-05-11 07:43:04 -0400

msf6 >
msf6 > sessions

Active sessions
===============

  Id  Name  Type                   Information               Connection
  --  ----  ----                   -----------               ----------
  1         meterpreter php/linux  www-data (33) @ centos8  192.168.1.1:4443 -> 192.168.1.2:45958 (192.168.1.2)

msf6 > sessions -iq 1 -C 'execute -Hif /bin/ls'
[*] Running 'execute -Hif /bin/ls' on meterpreter session 1 (192.168.1.2)
Process 12187 created.
Channel 0 created.
[-] Error running command execute: NoMethodError undefined method `closed?' for nil:NilClass
msf6 >

github-actions[bot] commented 3 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

theguly commented 3 years ago

do you think i can help with further test?

adfoster-r7 commented 3 years ago

Confirmed:

Opened a reverse shell against a kali vm then ran the command:

sessions -iq 1 -C 'execute -Hif /bin/ls'

Full stack trace:

[06/10/2021 21:12:59] [e(0)] meterpreter: Error running command execute: NoMethodError undefined method `fd' for nil:NilClass
[06/10/2021 21:12:59] [d(0)] meterpreter: Call stack:
/Users/user/Documents/code/metasploit-framework/lib/rex/ui/interactive.rb:186:in `_local_fd'
/Users/user/Documents/code/metasploit-framework/lib/rex/ui/interactive.rb:204:in `interact_stream'
/Users/user/Documents/code/metasploit-framework/lib/rex/post/meterpreter/ui/console/interactive_channel.rb:25:in `_interact'
/Users/user/Documents/code/metasploit-framework/lib/rex/ui/interactive.rb:51:in `interact'
/Users/user/Documents/code/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:86:in `interact_with_channel'
/Users/user/Documents/code/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/sys.rb:253:in `cmd_execute'
/Users/user/Documents/code/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:542:in `run_command'
/Users/user/Documents/code/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:103:in `run_command'
/Users/user/Documents/code/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:491:in `block in run_single'
/Users/user/Documents/code/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:485:in `each'
/Users/user/Documents/code/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:485:in `run_single'
/Users/user/Documents/code/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:380:in `run_cmd'
/Users/user/Documents/code/metasploit-framework/lib/msf/ui/console/command_dispatcher/core.rb:1491:in `block (2 levels) in cmd_sessions'
/Users/user/Documents/code/metasploit-framework/lib/msf/ui/console/command_dispatcher/core.rb:1477:in `each'
/Users/user/Documents/code/metasploit-framework/lib/msf/ui/console/command_dispatcher/core.rb:1477:in `block in cmd_sessions'
/Users/user/Documents/code/metasploit-framework/lib/msf/ui/console/command_dispatcher/core.rb:1476:in `each'
/Users/user/Documents/code/metasploit-framework/lib/msf/ui/console/command_dispatcher/core.rb:1476:in `cmd_sessions'
/Users/user/Documents/code/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:542:in `run_command'
/Users/user/Documents/code/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:491:in `block in run_single'
/Users/user/Documents/code/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:485:in `each'
/Users/user/Documents/code/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:485:in `run_single'
/Users/user/Documents/code/metasploit-framework/lib/rex/ui/text/shell.rb:157:in `run'
/Users/user/Documents/code/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/Users/user/Documents/code/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/Users/user/Documents/code/metasploit-framework/msfconsole:23:in `<top (required)>'
/Users/user/.rvm/rubies/ruby-2.7.2/lib/ruby/2.7.0/bundler/cli/exec.rb:63:in `load'
/Users/user/.rvm/rubies/ruby-2.7.2/lib/ruby/2.7.0/bundler/cli/exec.rb:63:in `kernel_load'
/Users/user/.rvm/rubies/ruby-2.7.2/lib/ruby/2.7.0/bundler/cli/exec.rb:28:in `run'
/Users/user/.rvm/rubies/ruby-2.7.2/lib/ruby/2.7.0/bundler/cli.rb:476:in `exec'
/Users/user/.rvm/rubies/ruby-2.7.2/lib/ruby/2.7.0/bundler/vendor/thor/lib/thor/command.rb:27:in `run'
/Users/user/.rvm/rubies/ruby-2.7.2/lib/ruby/2.7.0/bundler/vendor/thor/lib/thor/invocation.rb:127:in `invoke_command'
/Users/user/.rvm/rubies/ruby-2.7.2/lib/ruby/2.7.0/bundler/vendor/thor/lib/thor.rb:399:in `dispatch'
/Users/user/.rvm/rubies/ruby-2.7.2/lib/ruby/2.7.0/bundler/cli.rb:30:in `dispatch'
/Users/user/.rvm/rubies/ruby-2.7.2/lib/ruby/2.7.0/bundler/vendor/thor/lib/thor/base.rb:476:in `start'
/Users/user/.rvm/rubies/ruby-2.7.2/lib/ruby/2.7.0/bundler/cli.rb:24:in `start'
/Users/user/.rvm/rubies/ruby-2.7.2/lib/ruby/gems/2.7.0/gems/bundler-2.1.4/libexec/bundle:46:in `block in <top (required)>'
/Users/user/.rvm/rubies/ruby-2.7.2/lib/ruby/2.7.0/bundler/friendly_errors.rb:123:in `with_friendly_errors'
/Users/user/.rvm/rubies/ruby-2.7.2/lib/ruby/gems/2.7.0/gems/bundler-2.1.4/libexec/bundle:34:in `<top (required)>'
/Users/user/.rvm/rubies/ruby-2.7.2/bin/bundle:23:in `load'
/Users/user/.rvm/rubies/ruby-2.7.2/bin/bundle:23:in `<main>'
/Users/user/.rvm/gems/ruby-2.7.2@metasploit-framework/bin/ruby_executable_hooks:22:in `eval'
/Users/user/.rvm/gems/ruby-2.7.2@metasploit-framework/bin/ruby_executable_hooks:22:in `<main>'

Although running the same command in meterpreter fails for me too:

meterpreter > execute -Hif /bin/ls
Process 33 created.
Channel 3 created.
favicon.ico
index.php
robots.txt
router.php
static

[-] core_channel_write: Operation failed: 9

@theguly Just out of interest, what's the use case for what you're trying to do? 👀
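As an added illustration of what the stack trace above shows (this is constructed example code, not Metasploit's own `Rex::Ui::Interactive`, and nobody in this thread posted it): the channel-pumping loop behind `execute -i` reaches for the attached console's local descriptor before doing anything else, and when the command is issued through `sessions -C` or an RPC call there is no console, so that object is nil. The class and method names below are assumptions chosen to mirror the trace, and `fileno` stands in for the `fd` call in the real code. The guarded variant treats "no console attached" as a legitimate state: it still drains the remote output (which an RPC caller could be handed back) and closes the channel instead of crashing mid-interaction.

```ruby
require 'stringio'

# Constructed stand-in for a Meterpreter channel: remote process output
# arrives as lines, and anything written towards the process is recorded.
class FakeChannel
  attr_reader :written

  def initialize(output_lines)
    @output = output_lines.dup
    @written = []
    @closed = false
  end

  # Next line of remote output, or nil once the process has finished.
  def read
    @output.shift
  end

  def write(data)
    @written << data
  end

  def close
    @closed = true
  end

  def closed?
    @closed
  end
end

# Shape loosely modelled on Rex::Ui::Interactive (hypothetical names):
# user_input/user_output are the attached console's streams and are nil
# when the command runs without a console (sessions -C, RPC).
class InteractiveBase
  attr_reader :channel, :user_input, :user_output

  def initialize(channel, user_input: nil, user_output: nil)
    @channel = channel
    @user_input = user_input
    @user_output = user_output
  end

  # Copies remote output into the sink (if any) until the channel runs dry,
  # then closes the channel so the remote process is not left dangling.
  def drain_to(sink)
    lines = []
    while (line = channel.read)
      sink << line if sink
      lines << line
    end
    channel.close
    lines
  end
end

# Naive version: assumes a console is always attached. The first thing it
# does is touch the local descriptor, which is the `fd' for nil in the trace.
class NaiveInteractive < InteractiveBase
  def interact
    user_input.fileno # NoMethodError when user_input is nil
    drain_to(user_output)
  end
end

# Hardened version: no console is a normal state, not a bug. Output is still
# collected and the channel is still closed; only the terminal multiplexing
# is skipped because there is no terminal to multiplex.
class GuardedInteractive < InteractiveBase
  def interact
    return drain_to(nil) if user_input.nil? || user_output.nil?

    user_input.fileno
    drain_to(user_output)
  end
end

# Runs one execute -i style interaction and reports what happened.
# attached: true simulates sessions -i, false simulates sessions -C / RPC.
def run_channel_interaction(klass, attached:)
  # Constructed sample output, modelled on the ls listing in the thread.
  channel = FakeChannel.new(%w[favicon.ico index.php robots.txt])
  console_in  = attached ? StringIO.new('') : nil
  console_out = attached ? [] : nil
  lines = klass.new(channel, user_input: console_in, user_output: console_out).interact
  { status: :ok, output: lines, channel_closed: channel.closed? }
rescue NoMethodError => e
  { status: :error, error: e.message, channel_closed: channel&.closed? }
end

if __FILE__ == $PROGRAM_NAME
  p run_channel_interaction(NaiveInteractive,   attached: false)
  p run_channel_interaction(GuardedInteractive, attached: false)
  p run_channel_interaction(GuardedInteractive, attached: true)
end
```

Note that in the naive case the channel is never closed, which matches what a user sees in practice: the remote process was created (the "Process N created. / Channel N created." lines are printed before the crash) and is then abandoned.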

theguly commented 3 years ago

@theguly Just out of interest, what's the use case for what you're trying to do? 👀

@adfoster-r7 I'm using msgrpc to automate some boring^Wrepetitive taskflow from an external tool to metasploit modules, and it is handy to also have the possibility to interact with created sessions using msfconsole (as far as I know, it's not possible to connect msfconsole to a msgrpcd, and I'm using load msgrpc inside msfconsole)

theguly commented 3 years ago

sorry for the ping, just to avoid github-actions bot intrusion :)