rapid7 / metasploit-payloads

Unified repository for different Metasploit Framework payloads

Fix an issue with filesystem enumeration #718

Closed zeroSteiner closed 1 month ago

zeroSteiner commented 1 month ago

This intends to fix rapid7/metasploit-framework#19496.

File.list can return an array with null members. In this case File.listFiles will fail entirely. This updates the uses to use File.list and to check for and skip null members when they occur. It's important to note that both instances, with and without wildcards, required separate fixes. The wildcard versions dispatch to stdapi_fs_search while a simple ls without wildcards is handled by stdapi_ls_search; both needed to be updated.

Old and Broken

msf6 payload(java/meterpreter/bind_tcp) > sessions -i -1
[*] Starting interaction with 18...

meterpreter > cd /
meterpreter > ls
[-] stdapi_fs_ls: Operation failed: 1
meterpreter > ls *
[-] stdapi_fs_ls: Operation failed: 1
meterpreter > ls in*
[-] stdapi_fs_ls: Operation failed: 1
meterpreter > 

New and Fixed

meterpreter > cd /
meterpreter > ls
Listing: /
==========

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
100444/r--r--r--  0        fil   2024-05-13 09:00:39 -0400  s!
100444/r--r--r--  0        fil   2023-09-11 09:16:08 -0400  
100444/r--r--r--  0        fil   2024-06-17 02:04:22 -0400  #VJ3G
100444/r--r--r--  0        fil   2023-11-13 08:09:14 -0500  $^
100444/r--r--r--  0        fil   2022-07-17 15:46:05 -0400  *#E
100444/r--r--r--  0        fil   2022-08-22 09:18:56 -0400  ,
100445/r--r--r-x  0        fil   2020-08-19 21:47:59 -0400  .Wc*
100444/r--r--r--  0        fil   2024-05-27 06:53:22 -0400  3h5~
100444/r--r--r--  0        fil   2013-10-29 17:46:28 -0400  6Rp9b3sssspLLL
100444/r--r--r--  0        fil   2024-08-04 14:51:19 -0400  7h
100444/r--r--r--  0        fil   2024-08-11 13:14:37 -0400  7{D
100444/r--r--r--  0        fil   2021-11-15 09:17:42 -0500  8
100444/r--r--r--  0        fil   2022-10-09 22:25:17 -0400  :K
100444/r--r--r--  0        fil   2024-08-18 11:38:50 -0400  KKKKKK
100444/r--r--r--  0        fil   2020-07-08 20:26:12 -0400  MB]D_e~*Q
100444/r--r--r--  0        fil   2021-11-08 11:12:31 -0500  Oq
100444/r--r--r--  0        fil   2021-07-13 14:57:16 -0400  QV:
100444/r--r--r--  0        fil   2022-02-07 03:48:56 -0500  YPzI1C*
100444/r--r--r--  0        fil   2021-05-12 05:24:01 -0400  a
100444/r--r--r--  0        fil   2021-11-15 09:17:42 -0500  ad
100444/r--r--r--  0        fil   2021-11-15 09:17:42 -0500  adpDup
040444/r--r--r--  4096     dir   2012-05-13 23:35:33 -0400  bin
040444/r--r--r--  1024     dir   2013-10-04 22:19:08 -0400  boot
100444/r--r--r--  0        fil   2024-05-20 08:29:30 -0400  c*pZ
040444/r--r--r--  4096     dir   2010-03-16 18:55:51 -0400  cdrom
040444/r--r--r--  13740    dir   2024-10-07 13:18:44 -0400  dev
040444/r--r--r--  4096     dir   2024-10-07 13:18:48 -0400  etc
100444/r--r--r--  0        fil   2024-08-25 10:01:23 -0400  f
100444/r--r--r--  0        fil   2013-11-13 16:43:54 -0500  h]6
040444/r--r--r--  4096     dir   2010-04-16 02:16:02 -0400  home
040444/r--r--r--  4096     dir   2010-03-16 18:57:40 -0400  initrd
100444/r--r--r--  7965652  fil   2013-10-04 22:15:31 -0400  initrd.img
040444/r--r--r--  4096     dir   2012-05-13 23:35:22 -0400  lib
040000/---------  16384    dir   2010-03-16 18:55:15 -0400  lost+found
040444/r--r--r--  4096     dir   2010-03-16 18:55:52 -0400  media
040444/r--r--r--  4096     dir   2010-04-28 16:16:56 -0400  mnt
100000/---------  41150    fil   2024-10-07 13:18:49 -0400  nohup.out
040444/r--r--r--  4096     dir   2010-03-16 18:57:39 -0400  opt
100444/r--r--r--  0        fil   2013-10-18 16:39:46 -0400  pUL{Z}PcpoU?6
040444/r--r--r--  0        dir   2024-10-07 13:21:36 -0400  proc
100444/r--r--r--  0        fil   2013-11-02 15:03:51 -0400  q_6
040444/r--r--r--  4096     dir   2024-10-07 13:18:49 -0400  root
040444/r--r--r--  4096     dir   2013-10-04 21:49:24 -0400  sbin
040444/r--r--r--  4096     dir   2010-03-16 18:57:38 -0400  srv
040444/r--r--r--  0        dir   2024-10-07 13:21:37 -0400  sys
040666/rw-rw-rw-  12288    dir   2024-10-07 13:27:05 -0400  tmp
040444/r--r--r--  4096     dir   2010-04-28 00:06:37 -0400  usr
100444/r--r--r--  0        fil   2022-12-12 05:39:21 -0500  v
040444/r--r--r--  4096     dir   2012-05-20 17:30:19 -0400  var
100444/r--r--r--  1987288  fil   2008-04-10 12:55:41 -0400  vmlinuz
100444/r--r--r--  0        fil   2022-05-09 07:35:54 -0400  z

meterpreter > ls *
Listing: *
==========

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
100444/r--r--r--  0        fil   2024-05-13 09:00:39 -0400  s!
100444/r--r--r--  0        fil   2023-09-11 09:16:08 -0400  
100444/r--r--r--  0        fil   2024-06-17 02:04:22 -0400  #VJ3G
100444/r--r--r--  0        fil   2023-11-13 08:09:14 -0500  $^
100444/r--r--r--  0        fil   2022-07-17 15:46:05 -0400  *#E
100444/r--r--r--  0        fil   2022-08-22 09:18:56 -0400  ,
100445/r--r--r-x  0        fil   2020-08-19 21:47:59 -0400  .Wc*
100444/r--r--r--  0        fil   2024-05-27 06:53:22 -0400  3h5~
100444/r--r--r--  0        fil   2013-10-29 17:46:28 -0400  6Rp9b3sssspLLL
100444/r--r--r--  0        fil   2024-08-04 14:51:19 -0400  7h
100444/r--r--r--  0        fil   2024-08-11 13:14:37 -0400  7{D
100444/r--r--r--  0        fil   2021-11-15 09:17:42 -0500  8
100444/r--r--r--  0        fil   2022-10-09 22:25:17 -0400  :K
100444/r--r--r--  0        fil   2024-08-18 11:38:50 -0400  KKKKKK
100444/r--r--r--  0        fil   2020-07-08 20:26:12 -0400  MB]D_e~*Q
100444/r--r--r--  0        fil   2021-11-08 11:12:31 -0500  Oq
100444/r--r--r--  0        fil   2021-07-13 14:57:16 -0400  QV:
100444/r--r--r--  0        fil   2022-02-07 03:48:56 -0500  YPzI1C*
100444/r--r--r--  0        fil   2021-05-12 05:24:01 -0400  a
100444/r--r--r--  0        fil   2021-11-15 09:17:42 -0500  ad
100444/r--r--r--  0        fil   2021-11-15 09:17:42 -0500  adpDup
040444/r--r--r--  4096     dir   2012-05-13 23:35:33 -0400  bin
040444/r--r--r--  1024     dir   2013-10-04 22:19:08 -0400  boot
100444/r--r--r--  0        fil   2024-05-20 08:29:30 -0400  c*pZ
040444/r--r--r--  4096     dir   2010-03-16 18:55:51 -0400  cdrom
040444/r--r--r--  13740    dir   2024-10-07 13:18:44 -0400  dev
040444/r--r--r--  4096     dir   2024-10-07 13:18:48 -0400  etc
100444/r--r--r--  0        fil   2024-08-25 10:01:23 -0400  f
100444/r--r--r--  0        fil   2013-11-13 16:43:54 -0500  h]6
040444/r--r--r--  4096     dir   2010-04-16 02:16:02 -0400  home
040444/r--r--r--  4096     dir   2010-03-16 18:57:40 -0400  initrd
100444/r--r--r--  7965652  fil   2013-10-04 22:15:31 -0400  initrd.img
040444/r--r--r--  4096     dir   2012-05-13 23:35:22 -0400  lib
040000/---------  16384    dir   2010-03-16 18:55:15 -0400  lost+found
040444/r--r--r--  4096     dir   2010-03-16 18:55:52 -0400  media
040444/r--r--r--  4096     dir   2010-04-28 16:16:56 -0400  mnt
100000/---------  41150    fil   2024-10-07 13:18:49 -0400  nohup.out
040444/r--r--r--  4096     dir   2010-03-16 18:57:39 -0400  opt
100444/r--r--r--  0        fil   2013-10-18 16:39:46 -0400  pUL{Z}PcpoU?6
040444/r--r--r--  0        dir   2024-10-07 13:21:36 -0400  proc
100444/r--r--r--  0        fil   2013-11-02 15:03:51 -0400  q_6
040444/r--r--r--  4096     dir   2024-10-07 13:18:49 -0400  root
040444/r--r--r--  4096     dir   2013-10-04 21:49:24 -0400  sbin
040444/r--r--r--  4096     dir   2010-03-16 18:57:38 -0400  srv
040444/r--r--r--  0        dir   2024-10-07 13:21:37 -0400  sys
040666/rw-rw-rw-  12288    dir   2024-10-07 13:27:05 -0400  tmp
040444/r--r--r--  4096     dir   2010-04-28 00:06:37 -0400  usr
100444/r--r--r--  0        fil   2022-12-12 05:39:21 -0500  v
040444/r--r--r--  4096     dir   2012-05-20 17:30:19 -0400  var
100444/r--r--r--  1987288  fil   2008-04-10 12:55:41 -0400  vmlinuz
100444/r--r--r--  0        fil   2022-05-09 07:35:54 -0400  z

meterpreter > ls in*
Listing: in*
============

Mode              Size     Type  Last modified              Name
----              ----     ----  -------------              ----
040444/r--r--r--  4096     dir   2010-03-16 18:57:40 -0400  initrd
100444/r--r--r--  7965652  fil   2013-10-04 22:15:31 -0400  initrd.img

meterpreter >
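
The null-tolerant enumeration described in the comment above, as an added illustration in Java (not code from metasploit-payloads): `File.list()` is used instead of `File.listFiles()`, a null array and null members are both skipped rather than aborting the listing, and the wildcard path is handled by a hypothetical `globToPattern` helper so that both the plain and wildcard cases are covered in one place.

```java
import java.io.File;
import java.util.ArrayList;
import java.util.List;
import java.util.regex.Pattern;

// Added illustration, not metasploit-payloads code: enumerate a directory
// with File.list() and tolerate both a null result and null members, the
// condition the PR reports as making File.listFiles() fail entirely.
public class NullTolerantListing {

    // Turn a shell-style wildcard (only '*' and '?') into an anchored regex.
    static Pattern globToPattern(String glob) {
        StringBuilder sb = new StringBuilder("^");
        for (char c : glob.toCharArray()) {
            switch (c) {
                case '*': sb.append(".*"); break;
                case '?': sb.append('.'); break;
                default:  sb.append(Pattern.quote(String.valueOf(c)));
            }
        }
        return Pattern.compile(sb.append('$').toString());
    }

    // List entries of dir matching glob (null glob matches everything).
    // A null member is skipped instead of failing the whole listing.
    static List<File> list(File dir, String glob) {
        List<File> result = new ArrayList<>();
        String[] names = dir.list();          // null if not a directory or on I/O error
        if (names == null) {
            return result;
        }
        Pattern p = (glob == null) ? null : globToPattern(glob);
        for (String name : names) {
            if (name == null) {               // the case this PR works around
                continue;
            }
            if (p == null || p.matcher(name).matches()) {
                result.add(new File(dir, name));
            }
        }
        return result;
    }

    public static void main(String[] args) {
        File root = new File(args.length > 0 ? args[0] : ".");
        String glob = args.length > 1 ? args[1] : null;
        for (File f : list(root, glob)) {
            System.out.println((f.isDirectory() ? "dir  " : "fil  ") + f.getName());
        }
    }
}
```

Run with a directory and an optional pattern, e.g. `java NullTolerantListing / 'in*'`, to mirror the `ls` and `ls in*` cases shown above.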

adfoster-r7 commented 1 month ago

I believe this PR causes acceptance tests to fail:

https://github.com/rapid7/metasploit-framework/pull/19543

  1) Meterpreter java staged java/meterpreter/reverse_tcp windows post/test/search windows/java meterpreter successfully opens a session for the "java/meterpreter/reverse_tcp" payload and passes the "post/test/search" tests

For visibility to @dledda-r7 - as I'm not sure you've seen these modules or not, but there's some docs on how to run the post module tests against sessions locally over here: https://docs.metasploit.com/docs/development/quality/loading-test-modules.html

Just a second question - was it possible to recreate the crash against a fresh env locally too? If so, is it possible to extend our session tests to include this scenario to ensure the other meterpreters also work as expected? 🤞

zeroSteiner commented 1 month ago

I wasn't able to reproduce the issue locally. I can, however, now reproduce the post/test/search failures with the changes that I introduced, so I'll look at getting those fixed.