Open smashery opened 4 weeks ago
So we actually have a set of integration tests now that run through the meterpreter test suite on multiple different host environments, i.e. windows/ubuntu/osx, so potentially we could update these tests:
And it should automatically run through all of the meterpreters on different runtimes - which would give more confidence that things will work beyond just the unit tests that have been added
This creates a new API, create_process, which allows the creation of processes from an array of args, rather than from a command-line string that needs to go through a subshell. This places the escaping logic in one place, and lets module developers create more robust code.

Verification

You'll need to pull in mettle, as well as the various metasploit-payloads (php, py, c, java):

https://github.com/rapid7/metasploit-payloads/pull/701
https://github.com/rapid7/mettle/pull/258

Test for each of the following (the Tests list below). For each of the above:

- create_process passes parameters exactly as provided. You can run it directly in irb by setting a session, then using create_process(cmd, args: [...]). I created a test program to do this - just ask ChatGPT to write you a program that will show you what args were passed to it, each on a new line.
- cmd_exec still works as it did before (including buggy calls).
- cmd_exec, and then create_process, on PHP < 7.4 (not supported).

You can observe process launches (to check for the presence/absence of subshells) using:

```shell
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_exec*{ printf("pid: %d, comm: %s, args: ", pid, comm); join(args->argv); }'
```
Tests
- Windows, new Metasploit, old Meterp
- Windows, new Metasploit, new Meterp
- Linux, new Metasploit, old Meterp
- Linux, new Metasploit, new Meterp
- Java, new Metasploit, old Meterp
- Java, new Metasploit, new Meterp
- Python, new Metasploit, old Meterp
- Python, new Metasploit, new Meterp
- PHP, new Metasploit, old Meterp
- PHP, new Metasploit, new Meterp
- PHP < 7.4, new Metasploit, new Meterp
- Windows, Command shell
- Linux, Command shell
- PowerShell
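What the verification steps in the description are checking, as an added example that is not part of this PR or of the framework's own code: a local Ruby stand-in shows why a single command line re-parsed by /bin/sh behaves differently from an argv array handed straight to execve(). The helper names argv_seen_via_shell and argv_seen_direct are hypothetical and only emulate the cmd_exec-style and create_process-style paths; the "show me my args" child program is replaced by ruby -e 'puts ARGV', and the hostile arguments are constructed sample input.

```ruby
require 'open3'
require 'rbconfig'
require 'shellwords'

# Child that prints its argv one per line, so we see exactly what it received.
# Using the running interpreter keeps the example self-contained (constructed
# stand-in for the test program mentioned in the PR description).
RUBY = RbConfig.ruby
ARGV_PRINTER = ['-e', 'puts ARGV'].freeze

# Arguments a module might receive from user-controlled options. Each one
# carries a shell metacharacter (constructed sample input).
HOSTILE_ARGS = ['plain', 'has space', '$(echo injected)', 'a;echo b'].freeze

# Old-style path (hypothetical local emulation of cmd_exec): one command line
# goes to /bin/sh -c, so the shell performs word splitting, command
# substitution and ';' separation before anything is executed.
def argv_seen_via_shell(cmdline)
  out, status = Open3.capture2('/bin/sh', '-c', cmdline)
  raise "child failed: #{status}" unless status.success?
  out.split("\n")
end

# New-style path (hypothetical local emulation of create_process(cmd, args:)):
# program and args go straight to execve(), no shell in between, so every
# element arrives verbatim. Under the bpftrace one-liner this shows a single
# exec of ruby, whereas the shell path shows an exec of sh followed by ruby.
def argv_seen_direct(cmd, args: [])
  out, status = Open3.capture2(cmd, *args)
  raise "child failed: #{status}" unless status.success?
  out.split("\n")
end

# Naive string building: join with spaces and hope. This is the "buggy call"
# pattern that a subshell silently rewrites.
def naive_cmdline(args)
  "#{Shellwords.join([RUBY] + ARGV_PRINTER)} #{args.join(' ')}"
end

# Correct POSIX escaping done in one place. This survives /bin/sh, but the
# escaping rules are shell-specific (cmd.exe and PowerShell differ), which is
# the reason an argv array is the more robust interface.
def escaped_cmdline(args)
  Shellwords.join([RUBY] + ARGV_PRINTER + args)
end

# Runs all three paths on the same hostile input and returns what the child saw.
def compare_paths(args = HOSTILE_ARGS)
  {
    naive:   argv_seen_via_shell(naive_cmdline(args)),
    escaped: argv_seen_via_shell(escaped_cmdline(args)),
    direct:  argv_seen_direct(RUBY, args: ARGV_PRINTER + args)
  }
end

if __FILE__ == $PROGRAM_NAME
  compare_paths.each { |path, argv| puts "#{path}: #{argv.inspect}" }
end
```

The naive path loses the quoting entirely: "has space" splits in two, $(echo injected) is expanded before the child starts, and a;echo b runs a second command. Both the escaped and the direct path deliver the four strings unchanged, but only the direct path does so without depending on the target's shell syntax, which is what the bpftrace check above makes visible.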