sniffer extension fails to load for Mettle on armv5l-linux-musleabi

[sfewer-r7]

Overview

I am writing an exploit against an embedded Linux ARM device. I can successfully get a Meterpreter session, via the fetch payload cmd/linux/http/armle/meterpreter_reverse_tcp. When I try to use the sniffer extension, the extension fails to load unexpectedly, as shown below:

meterpreter > sysinfo 
Computer     : REDACTED
OS           :  REDACTED
Architecture : armv5tejl
BuildTuple   : armv5l-linux-musleabi
Meterpreter  : armle/linux
meterpreter > use sniffer 
Loading extension sniffer...
[-] Failed to load extension: The "sniffer" extension is not supported by this Meterpreter type (armle/linux)
[-] The "sniffer" extension is supported by the following Meterpreter payloads:
[-]   - windows/x64/meterpreter*
[-]   - windows/meterpreter*
[-]   - apple_ios/aarch64/meterpreter*
[-]   - linux/aarch64/meterpreter*
[-]   - apple_ios/armle/meterpreter*
[-]   - linux/armbe/meterpreter*
[-]   - linux/armle/meterpreter*
[-]   - linux/x86/meterpreter*
[-]   - linux/mips64/meterpreter*
[-]   - linux/mipsle/meterpreter*
[-]   - linux/mipsbe/meterpreter*
[-]   - linux/ppc64le/meterpreter*
[-]   - linux/ppce500v2/meterpreter*
[-]   - linux/ppc/meterpreter*
[-]   - linux/zarch/meterpreter*
[-]   - osx/x64/meterpreter*
[-]   - linux/x64/meterpreter*
meterpreter >

As the payload is a Mettle based Meterpreter for the armv5l-linux-musleabi build tuple, I inspected the folder where I expect both the mettle bin and the sniffer bin to be located and the sniffer extension is present as expected.

sfewer@sfewer-ubuntu-vm:/usr/share/rvm/gems/ruby-3.1.5@metasploit-framework/gems/metasploit_payloads-mettle-1.0.26/build/armv5l-linux-musleabi/bin$ ls -al
total 3028
drwxrwsr-x 2 sfewer rvm    4096 Jun 12 12:24 .
drwxrwsr-x 3 sfewer rvm    4096 Jun 12 12:24 ..
-rwxr-xr-x 1 sfewer rvm 1059664 Jun 12 12:24 mettle
-rw-r--r-- 1 sfewer rvm  935360 Jun 12 12:24 mettle.bin
-rwxr-xr-x 1 sfewer rvm  555048 Jun 12 12:24 sniffer
-rw-r--r-- 1 sfewer rvm  535572 Jun 12 12:24 sniffer.bin

It seems like this should work, but the framework fails to resolve and load the extension. (perhaps using a fetch payload adapter affects the extension resolution logic)

Metasploit version

msf6 > version
Framework: 6.4.11-dev-4b5078b8f2
Console  : 6.4.11-dev-4b5078b8f2

[sfewer-r7]

In case it's useful, the call stack from framework.log is as follows:

[07/04/2024 17:15:25] [e(0)] core: MetasploitPayloads::Mettle::NotFoundError armv5l-linux-musleabi/sniffer. not found
Call stack:
/usr/share/rvm/gems/ruby-3.1.5@metasploit-framework/gems/metasploit_payloads-mettle-1.0.26/lib/metasploit_payloads/mettle.rb:209:in `load_extension'
/home/sfewer/git/metasploit-framework/lib/rex/post/meterpreter/client_core.rb:358:in `use'
/home/sfewer/git/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:1204:in `block in cmd_load'
/home/sfewer/git/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:1174:in `each'
/home/sfewer/git/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:1174:in `cmd_load'
/home/sfewer/git/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:1274:in `cmd_use'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:582:in `run_command'
/home/sfewer/git/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:102:in `run_command'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:531:in `block in run_single'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `each'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `run_single'
/home/sfewer/git/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:64:in `block in interact'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell.rb:160:in `block in run'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell.rb:309:in `block in with_history_manager_context'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell/history_manager.rb:33:in `with_context'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell.rb:306:in `with_history_manager_context'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell.rb:133:in `run'
/home/sfewer/git/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:62:in `interact'
/home/sfewer/git/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:574:in `_interact'
/home/sfewer/git/metasploit-framework/lib/rex/ui/interactive.rb:53:in `interact'
/home/sfewer/git/metasploit-framework/lib/msf/ui/console/command_dispatcher/core.rb:1749:in `cmd_sessions'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:582:in `run_command'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:531:in `block in run_single'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `each'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `run_single'
/home/sfewer/git/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:198:in `cmd_exploit'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:582:in `run_command'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:531:in `block in run_single'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `each'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `run_single'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell.rb:165:in `block in run'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell.rb:309:in `block in with_history_manager_context'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell/history_manager.rb:33:in `with_context'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell.rb:306:in `with_history_manager_context'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell.rb:133:in `run'
/home/sfewer/git/metasploit-framework/lib/metasploit/framework/command/console.rb:54:in `start'
/home/sfewer/git/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
msfconsole:23:in `<main>'
[07/04/2024 17:15:25] [e(0)] meterpreter: Failed to load extension: The "sniffer" extension is not supported by this Meterpreter type (armle/linux)
[07/04/2024 17:15:25] [d(0)] meterpreter: Call stack:
/home/sfewer/git/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:1204:in `block in cmd_load'
/home/sfewer/git/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:1174:in `each'
/home/sfewer/git/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:1174:in `cmd_load'
/home/sfewer/git/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:1274:in `cmd_use'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:582:in `run_command'
/home/sfewer/git/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:102:in `run_command'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:531:in `block in run_single'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `each'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `run_single'
/home/sfewer/git/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:64:in `block in interact'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell.rb:160:in `block in run'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell.rb:309:in `block in with_history_manager_context'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell/history_manager.rb:33:in `with_context'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell.rb:306:in `with_history_manager_context'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell.rb:133:in `run'
/home/sfewer/git/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:62:in `interact'
/home/sfewer/git/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:574:in `_interact'
/home/sfewer/git/metasploit-framework/lib/rex/ui/interactive.rb:53:in `interact'
/home/sfewer/git/metasploit-framework/lib/msf/ui/console/command_dispatcher/core.rb:1749:in `cmd_sessions'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:582:in `run_command'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:531:in `block in run_single'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `each'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `run_single'
/home/sfewer/git/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:198:in `cmd_exploit'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:582:in `run_command'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:531:in `block in run_single'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `each'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:525:in `run_single'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell.rb:165:in `block in run'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell.rb:309:in `block in with_history_manager_context'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell/history_manager.rb:33:in `with_context'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell.rb:306:in `with_history_manager_context'
/home/sfewer/git/metasploit-framework/lib/rex/ui/text/shell.rb:133:in `run'
/home/sfewer/git/metasploit-framework/lib/metasploit/framework/command/console.rb:54:in `start'
/home/sfewer/git/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'