How'd you do it?
Everything is set up correctly. When I try it on my girlfriend's phone (S4) with Lollipop then everything works fine. It's because my phone (S6 Edge) runs on Nougat I think. It could also be an app that blocks the connection, like my antivirus. But I disabled everything. And also, before updating to Nougat (so on Marshmallow) everything worked with my phone too.
The handler should handle the incoming connection and create a meterpreter session
What happens instead?
The Meterpreter dies. After some seconds it also gives me an error that the session has been closed because the payload was not valid.
Framework & Console are version: 4.14.1-dev
What OS are you running Metasploit on?
Linux Ubuntu, installed tools with katoolin (I somehow managed it without breaking my system, yay)
Strange, is this reverse_tcp or reverse_http? Can you reproduce with both?
It was reverse_tcp. I will try HTTP, hopefully this will work. I will try it as soon as possible :)
I can confirm this. So confused :/
Is it a stager incompatibility? I've never looked closely at how these work, but I wonder if it's something to do with aarch64.
I can reproduce on armv7 and aarch64. The socket is being killed (not sure why yet) before the first command completes, but after staging has completed.
For some reason reverting this: https://github.com/rapid7/metasploit-framework/pull/7993/files fixes it ¯\_(ツ)_/¯
Hmm, that seems to have been the same commit that made port forwarding with Windows meterpreter over reverse_tcp show packets out of order. This is weird.
I'm still baffled by this. Why Android 7.0 only?
@pbarry-r7 any ideas?
Oof, not off the top of my head, @timwr. :/ I tried to keep that commit simple/focused on just changing the packet-timeout logic to account for arriving, individual frames as proof that the connection is still valid and working. But there could always be a bug, I'll review the code today.
Theory: we don't actually process packets strictly in the order in which they are received. Also, apparently the handler might not always be associated with a packet right away, in which case they get requeued for a second go-round:
+ #
+ # Also, don't bother saving incomplete packets if we have no handler.
+ if (!pkt.in_progress and ::Time.now.to_i - pkt.packet.created_at.to_i < PACKET_TIMEOUT)
incomplete << pkt
end
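Review bot: the age test `::Time.now.to_i - pkt.packet.created_at.to_i < PACKET_TIMEOUT` truncates both timestamps to whole seconds, so the measured age can be off by up to a second in either direction and a packet can be kept or dropped one tick early or late; comparing `::Time.now - pkt.packet.created_at` (Float seconds) against `PACKET_TIMEOUT` gives the intended age. The new comment also says incomplete packets are not saved when there is no handler, but the quoted condition checks only `in_progress` and the age; if the handler check lives in the surrounding code, the comment reads better next to that test.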
I think the change above modifies timing by creating some new objects to manage queued packets, which causes an already fragile system to fall down a bit more.
Good point, I do recall the recent discussion w.r.t. packet ordering. I'm very open to discussion on approaches to fix (e.g. sequence each packet by number, dispatch packets 'up' by order of first-arrived-frame instead of first-completely received, other ideas...) :)
Hey! Sorry for not answering for the past days. I will be online more often at the weekend again.
@Kitt3120 don't worry about it, thanks for reporting.
I'm still confused as to why this only affects Nougat (and only Android).
Also (stupid question perhaps) shouldn't TCP ensure the packets arrive in the correct order?
I think that's one thing TCP should do. Hopefully it does. I will test the bind_tcp later.
Y'all are right about TCP, @timwr and @Kitt3120. My expectation is that TCP is "doing the right thing" for us w.r.t. managing missing and out-of-order frames when they happen on the connection between Meterpreter and MSF. I believe the issue is (and @bcook-r7 can correct me if I'm off here) above the transport layer, that MSF's code for receiving packets has an opportunity to "dispatch" completely-received TLV packets in a mis-ordered fashion to the registered consumers. And that my recent changes may have exacerbated that "chance of out-of-order" condition.
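To make the distinction in the two comments above concrete (TCP delivers the byte stream in order, but a receiver that reassembles multi-frame packets can still hand completed packets to its consumers in a different order), here is a small added model of a framed-packet receive queue. It is illustration code written for this thread, not Meterpreter or Metasploit code: `PendingPacket`, `ReceiveQueue`, the `seq` counter, the `strict_order` switch and the `PACKET_TIMEOUT` value are all assumed. It shows first-completed dispatch (the fragile case) beside first-arrived dispatch (the sequencing approach suggested above), and the timeout purge of a packet that never completes.

```ruby
# Toy model of packet reassembly over an in-order byte stream. Added example,
# not project code; all names and the timeout value are assumptions.
PACKET_TIMEOUT = 600.0 # seconds, assumed value

# A packet that arrives as several frames. `seq` records the order in which
# the packet's first frame was seen, which is what TCP actually guarantees.
class PendingPacket
  attr_reader :seq, :created_at, :frames

  def initialize(seq, frames_needed, now)
    @seq = seq
    @frames_needed = frames_needed
    @frames = []
    @created_at = now
  end

  def add_frame(frame) = @frames << frame
  def complete? = @frames.length >= @frames_needed
  def in_progress? = !complete?
  def payload = @frames.join
end

class ReceiveQueue
  attr_reader :dispatched

  # strict_order: true  -> release packets in first-frame-arrival order
  #               false -> release whatever is complete (first-completed order)
  def initialize(strict_order: true)
    @strict_order = strict_order
    @pending = {}     # seq => PendingPacket
    @next_seq = 0
    @expected = 0     # next seq to release when strict ordering is on
    @dispatched = []
  end

  # First frame of a new packet: allocate a sequence number from arrival order.
  def start_packet(frames_needed, now)
    pkt = PendingPacket.new(@next_seq, frames_needed, now)
    @pending[pkt.seq] = pkt
    @next_seq += 1
    pkt.seq
  end

  def add_frame(seq, frame, now)
    return unless (pkt = @pending[seq])
    pkt.add_frame(frame)
    flush(now)
  end

  # Periodic housekeeping with no new frame (e.g. a timer tick).
  def tick(now) = flush(now)

  # Drop partial packets older than PACKET_TIMEOUT, measured in Float seconds
  # rather than truncated whole seconds.
  def expire(now)
    @pending.delete_if { |_, p| p.in_progress? && (now - p.created_at) >= PACKET_TIMEOUT }
  end

  private

  def flush(now)
    expire(now)
    if @strict_order
      # Release only while the oldest-started packet is complete; a seq that is
      # missing from @pending was expired, so skip over it.
      while @expected < @next_seq
        pkt = @pending[@expected]
        if pkt.nil?
          @expected += 1
        elsif pkt.complete?
          @dispatched << pkt.payload
          @pending.delete(@expected)
          @expected += 1
        else
          break
        end
      end
    else
      # First-completed dispatch: a short packet overtakes a longer one.
      @pending.select { |_, p| p.complete? }.each do |seq, p|
        @dispatched << p.payload
        @pending.delete(seq)
      end
    end
  end
end

# Constructed scenario: packet A (2 frames) starts first, packet B (1 frame)
# starts second but completes first.
def run_scenario(strict_order)
  q = ReceiveQueue.new(strict_order: strict_order)
  a = q.start_packet(2, 0.0)
  q.add_frame(a, "A1", 0.1)
  b = q.start_packet(1, 0.2)
  q.add_frame(b, "B1", 0.3)   # B completes while A is still in progress
  q.add_frame(a, "A2", 0.4)   # A completes
  q.dispatched
end

# Constructed scenario: A never completes, so B is held until A times out.
def run_timeout_scenario
  q = ReceiveQueue.new(strict_order: true)
  a = q.start_packet(2, 0.0)
  q.add_frame(a, "A1", 0.1)
  b = q.start_packet(1, 0.2)
  q.add_frame(b, "B1", 0.3)
  held = q.dispatched.dup           # nothing released yet
  q.tick(PACKET_TIMEOUT + 1.0)      # A expires, B is released
  [held, q.dispatched]
end

if __FILE__ == $PROGRAM_NAME
  p run_scenario(false)      # first-completed order
  p run_scenario(true)       # arrival order
  p run_timeout_scenario
end
```

The two `run_scenario` calls produce the same payloads in different orders, which is the "dispatch completely-received packets in a mis-ordered fashion" case described above; sequencing by first-frame arrival removes the reordering at the cost of holding later packets behind an incomplete one, which is why the timeout purge matters.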
Same here on Android 7.1.1: the Meterpreter shell died just after it was created.
I reverted the bits in #8250. Seems that how packets are queued on the network affects whether this triggers or not.
Issue closed, and how the fck can I comment?
Security Patched in Android 7.0
@Sameer, but my mobile is aarch64 and Android 7.0 and Meterpreter works fine with my device... I guess getting Meterpreter depends on the architecture!
Why is Meterpreter not working with Android Nougat, Android 7.0 - Linux 3.18.35+ (aarch64)?
Please help me with this.
Any other Android runs fine,
but Android 7 & 8 do not work (only the help command and sysinfo).