Closed sfewer-r7 closed 2 months ago
I started looking into this and I think it's related to a larger problem of core_loadlib returning before the extension has been fully initialized, which doesn't seem great. Because of how stdlib is a special case that's always built in, this only affects the sniffer extension as far as I know. It seems to me like we should update core_loadlib to not return a status value until the extension's main method has been called, which is where the commands are registered. This would ensure that if the main method failed for some reason, a successful result is not returned to Metasploit.
Another report of this over here: https://github.com/rapid7/metasploit-framework/issues/19320 :+1:
I am experimenting with the sniffer extension on an embedded ARM based Linux device. I can load the extension (Thanks to #261), but the sniffer commands fail, for example:
On the framework side in Rex::Post::Meterpreter::PacketDispatcher#send_packet_wait_response we have this:

An exception ("The command is not supported by this Meterpreter type") is thrown if the request packet's method ID is not present in the array of known commands, via commands.include?(packet.method)
I looked at the PHP Meterpreter (here) and Java Meterpreter (here), and their loadlib implementations both return a series of TLV_TYPE_UINT values in the response packet from a loadlib request. I cannot see where this happens for Mettle based extensions. It seems like it does not happen. The result is that no new command IDs are added framework side after the extension is loaded, so you cannot then issue any extension commands successfully.

On the framework side, in Rex::Post::Meterpreter::ClientCore#use we have the below, which loads the extension and then registers the commands returned by load_library:

In the case of loading a Mettle extension, no command IDs are returned from the call to load_library.

This was only observed with the sniffer extension. The stdapi is not loaded in the same way as other extensions, so its command IDs are retrieved via a call to Rex::Post::Meterpreter::ClientCore#get_loaded_extension_commands, which correctly returns the expected results. Perhaps, rather than modifying the C side of loadlib, the Ruby side, during load_library, can leverage get_loaded_extension_commands, as this function issues a COMMAND_ID_CORE_ENUMEXTCMD request which I think Mettle supports.
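To make the failure mode described in this issue concrete, here is an added example (not Mettle or metasploit-framework code) that models the framework side: command IDs are harvested from TLV_TYPE_UINT entries in a loadlib response, and a request is only allowed through when its method ID is in the known list. It assumes the Meterpreter TLV wire layout (4-byte big-endian length including the 8-byte header, 4-byte big-endian type, then the value), TLV_TYPE_UINT = 0x2000B, and uses constructed placeholder command IDs for the sniffer extension.

```ruby
# Assumed Meterpreter TLV constants (TLV_TYPE_UINT = TLV_META_TYPE_UINT | 11).
TLV_META_TYPE_UINT = 1 << 17
TLV_TYPE_UINT      = TLV_META_TYPE_UINT | 11

# Encode 32-bit command IDs as TLV_TYPE_UINT entries, the shape the PHP and
# Java loadlib handlers return and that the issue reports Mettle omits.
def encode_uint_tlvs(ids)
  ids.map { |id| [12, TLV_TYPE_UINT, id].pack('NNN') }.join
end

# Walk a raw TLV payload and collect every TLV_TYPE_UINT value as a command ID.
# Any other TLV type (e.g. the result code) is skipped; bad lengths are rejected.
def command_ids_from_response(payload)
  ids = []
  off = 0
  while off + 8 <= payload.bytesize
    len, type = payload.byteslice(off, 8).unpack('NN')
    raise 'malformed TLV length' if len < 8 || off + len > payload.bytesize
    ids << payload.byteslice(off + 8, 4).unpack1('N') if type == TLV_TYPE_UINT && len == 12
    off += len
  end
  ids
end

# Mirrors the dispatcher check: commands.include?(packet.method).
def command_supported?(known, method_id)
  known.include?(method_id)
end

# Register an extension the way the issue proposes: use the IDs from the
# loadlib response, and if it carried none, fall back to the IDs returned by
# an enumerate-extension-commands (ENUMEXTCMD) response.
def register_extension(known, loadlib_resp, enumextcmd_resp = nil)
  ids = command_ids_from_response(loadlib_resp)
  ids = command_ids_from_response(enumextcmd_resp) if ids.empty? && enumextcmd_resp
  known | ids
end

# Constructed placeholder IDs standing in for the sniffer extension's commands.
SNIFFER_IDS = [0x0300_0001, 0x0300_0002].freeze

if __FILE__ == $PROGRAM_NAME
  core = [1]                                   # pretend core command ID already known
  no_fallback = register_extension(core, '')   # empty loadlib response, as reported
  puts command_supported?(no_fallback, SNIFFER_IDS[0])   # false: "not supported"
  fallback = register_extension(core, '', encode_uint_tlvs(SNIFFER_IDS))
  puts command_supported?(fallback, SNIFFER_IDS[0])      # true after ENUMEXTCMD fallback
end
```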