Linux meterpreter payload to_handler fails with invalid opcode arguments error

zeroSteiner commented 6 years ago

Steps to reproduce

The linux/x64/meterpreter/reverse_tcp payload fails to start a handler when issued the to_handler command. The exception it throws is invalid opcode arguments (see below). The output then (incorrectly) states that a job has been started.

Reproduce with the following steps

Start msfconsole
use payload/linux/x64/meterpreter/reverse_tcp
set LHOST x.x.x.x
to_handler

Expected behavior

The to_handler command should start a handler for the specified payload.

Current behavior

metasploit-framework (S:0 J:1) payload(python/meterpreter/reverse_tcp) > use payload/linux/x64/meterpreter/reverse_tcp
metasploit-framework (S:0 J:1) payload(linux/x64/meterpreter/reverse_tcp) > show options 

Module options (payload/linux/x64/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port

metasploit-framework (S:0 J:1) payload(linux/x64/meterpreter/reverse_tcp) > set LHOST 192.168.254.130 
LHOST => 192.168.254.130
metasploit-framework (S:0 J:1) payload(linux/x64/meterpreter/reverse_tcp) > to_handler 

[-] [2018.04.14-17:59:58] Exploit failed: invalid opcode arguments "push", allowed : [[:reg], [:modrm], [:i], [:i8], [:seg3A]] near "push" at "\"<unk>\"" line 17
[*] Payload Handler Started as Job 
metasploit-framework (S:0 J:1) payload(linux/x64/meterpreter/reverse_tcp) >

System stuff

Metasploit version

Commit 47a324815d57d11989d2bbf5d0704e3bb096f3cb.

I installed Metasploit with:

[ ] Kali package via apt
[ ] Omnibus installer (nightly)
[ ] Commercial/Community installer (from http://www.rapid7.com/products/metasploit/download.jsp)
[X] Source install (Ruby version 2.5.1)

OS

Fedora 27 x64

bcoles commented 6 years ago

I've encountered a similar issue with Linux x64 Meterpreter.

Selecting Linux x64 Meterpreter payload and running the module will work the first time. Running the module a second time, without changing anything, will raise invalid opcode arguments "push".

timwr commented 6 years ago

Total guess but I wonder if one of the arguments to push end up as nil: e.g https://github.com/rapid7/metasploit-framework/blob/47a324815d57d11989d2bbf5d0704e3bb096f3cb/lib/msf/core/payload/linux/x64/reverse_tcp.rb#L108 I can dig deeper tomorrow (on mobile).

wvu commented 6 years ago

I ran into this a few days ago. Not necessarily with to_handler, but I can confirm this error is coming up.

timwr commented 6 years ago

I had quick play with this and retry_count is indeed nil. If it's just this payload we could just duct tape fix it (set it to 0 if nil), but I'm not sure why it's not being set yet.

wvu commented 6 years ago

Anyone wanna git bisect this? Seems like a regression from recent-ish payload work.

wvu commented 6 years ago

This is biting me right now while testing #9876.

busterb commented 6 years ago

I'll bisect (tired after walking all day on the beach :)

busterb commented 6 years ago

Yep definitely an issue since db2e3f2ddd2c7db9dcd8ba533427ee4aa1a03ee3 . I should have caught that 8 months ago. @bwatters-r7 / @jmartin-r7 could you make sure this is in the payload test matrix?

busterb commented 6 years ago

Thanks all.

rapid7 / metasploit-framework