rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Argument parse issue when running post modules on meterpreter shell #16578

Closed henshin closed 1 year ago

henshin commented 2 years ago

Steps to reproduce

On a meterpreter shell, do:

meterpreter > run post/windows/manage/execute_dotnet_assembly DOTNET_EXE=/tmp/Seatbelt.exe ARGUMENTS="-group=system"

Were you following a specific guide/tutorial or reading documentation?

No

Expected behavior

Metasploit should execute the post module execute_dotnet_assembly by executing Seatbelt.exe with the arguments -group=system

Current behavior

Metasploit executes Seatbelt.exe with the argument -group, which makes Seatbelt return the error ERROR: Error running command "-group". There seems to be a problem in the parser which cuts everything after the = (equal) sign in the ARGUMENTS parameter. This only happens when running the Post module directly on the Meterpreter shell.

Metasploit version

6.1.42-dev

Additional Information

This issue does not happen if we use the post exploitation module manually. For example, this works fine:

msf6 exploit(multi/handler) > use post/windows/manage/execute_dotnet_assembly
msf6 post(windows/manage/execute_dotnet_assembly) > set DOTNET_EXE /tmp/Seatbelt.exe
DOTNET_EXE => /tmp/Seatbelt.exe
msf6 post(windows/manage/execute_dotnet_assembly) > set ARGUMENTS -group=user
ARGUMENTS => -group=user
msf6 post(windows/manage/execute_dotnet_assembly) > set SESSION 1
SESSION => 1
msf6 post(windows/manage/execute_dotnet_assembly) > run

adfoster-r7 commented 2 years ago

Thanks for raising an issue. I believe I fixed this in the past for the scenario you mention in the additional info section: https://github.com/rapid7/metasploit-framework/pull/15253

I believe a similar fix would work, or fixing the underlying import from str, which just does a naive string split:

https://github.com/rapid7/metasploit-framework/blob/3d87d77b8ac28916c88b933bc79857b0a2903d41/lib/msf/core/data_store.rb#L93-L132
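The failure mode discussed above, as an added Ruby example that is not Metasploit's own code: `naive_parse` splits every token on each `=` the way the report describes, while `parse_key_values` tokenises with shell quoting rules and splits only on the first `=`; both function names and the sample option string are constructed for illustration.

```ruby
require 'shellwords'

# Constructed sample, shaped like the command in the report:
# the ARGUMENTS value itself contains an '=' and is quoted.
SAMPLE_OPTS = 'DOTNET_EXE=/tmp/Seatbelt.exe ARGUMENTS="-group=system"'

# Naive parser reproducing the bug: every '=' in a token is treated as
# the NAME/VALUE separator, so only the text before the second '=' survives
# ("-group" instead of "-group=system"). Quotes are simply stripped.
def naive_parse(str)
  str.split(' ').each_with_object({}) do |pair, opts|
    name, value = pair.split('=')
    opts[name] = value.to_s.delete('"')
  end
end

# Hardened parser: Shellwords honours quoting (so a quoted value may
# contain spaces) and String#partition splits on the FIRST '=' only,
# leaving any further '=' characters inside the value intact.
def parse_key_values(str)
  Shellwords.split(str).each_with_object({}) do |token, opts|
    name, sep, value = token.partition('=')
    if name.empty? || sep.empty?
      raise ArgumentError, "expected NAME=VALUE, got #{token.inspect}"
    end
    opts[name] = value
  end
end

if __FILE__ == $PROGRAM_NAME
  p naive_parse(SAMPLE_OPTS)      # ARGUMENTS is truncated to "-group"
  p parse_key_values(SAMPLE_OPTS) # ARGUMENTS is "-group=system"
end
```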

henshin commented 2 years ago

Yeah, I tried to locate where the parsing code was but couldn't find it. But looking at the code you mentioned on data_store.rb makes it clear that the simple split('=') is definitely the issue here.

github-actions[bot] commented 2 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

hamax97 commented 1 year ago

I can reproduce the issue using a meterpreter linux reverse shell. I'm working on a fix for this. @adfoster-r7 can you please assign this to me?

gwillcox-r7 commented 1 year ago

Resolved with https://github.com/rapid7/metasploit-framework/pull/17444