Metasploit-framework: "getuid" appears to be broken on Linux Meterpreter

Created on 6 Aug 2020  路  5Comments  路  Source: rapid7/metasploit-framework

Steps to reproduce

How'd you do it?

  1. Use multi/handler and set the payload to linux/x64/meterpreter/bind_tcp
  2. Configure multi/handler options
  3. Launch multi/handler and get a shell on a Ubuntu 20.04 x64 VM.
  4. Run getuid within the Meterpreter shell
  5. See something similar to the following:
msf5 exploit(multi/handler) > exploit

[*] Started bind TCP handler against 172.27.129.4:56965
[*] Sending stage (3012516 bytes) to 172.27.129.4
[*] Meterpreter session 2 opened (0.0.0.0:0 -> 172.27.129.4:56965) at 2020-08-05 18:44:20 -0500

meterpreter > getuid
Server username: no-user @ gwillcox-Virtual-Machine (uid=0, gid=0, euid=0, egid=0)
meterpreter >

Expected behavior

Edit: Originally I said the GUIDs and UIDs were not showing up properly. This is incorrect. In reality only the username is showing up incorrectly.

Considering in this case the shell was running as root as can be seen below, I would expect the server to return the user as being root, not no-user.

meterpreter > shell
Process 30421 created.
Channel 1 created.
whoami
root
exit
meterpreter >

Current behavior

We instead get the current user as no-user instead of the name of the actual user who we have gotten the shell as.

System stuff

Metasploit version

5.0.102-dev-29050882a7

I installed Metasploit with:

  • [ ] Source install (ruby 2.6.6p146 (2020-03-31 revision 67876) [x86_64-linux])

OS

What OS are you running Metasploit on?

WSLv1 running Ubuntu 20.04 LTS

bug meterpreter
Source
picture gwillcox-r7

Most helpful comment

fyi this was fixed by https://github.com/rapid7/mettle/pull/198 (and https://github.com/rapid7/mettle/pull/200) but the gem in framework has not been updated yet.

picture timwr on 6 Aug 2020
👍2

All 5 comments

Isn't root UID 0 on Ubuntu 20.04, or is it something else now? What is the output of id -u from the shell command?

busterb picture busterb on 6 Aug 2020

@busterb it was showing it as well when it wasn't running as a root user which I think is the real issue here. For interest I reran this on the latest updates (not the original older version of Metasploit I had earlier) and these were my results:

msf5 exploit(multi/handler) > set RHOST 172.27.129.4
RHOST => 172.27.129.4
msf5 exploit(multi/handler) > set LPORT 6688
LPORT => 6688
msf5 exploit(multi/handler) > exploit

[*] Started bind TCP handler against 172.27.129.4:6688
[*] Sending stage (3012516 bytes) to 172.27.129.4
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 172.27.129.4:6688) at 2020-08-06 00:07:30 -0500

meterpreter > getuid
Server username: no-user @ gwillcox-Virtual-Machine (uid=1000, gid=1000, euid=1000, egid=1000)
meterpreter > shell
Process 40092 created.
Channel 1 created.
id -u
1000
id
uid=1000(gwillcox) gid=1000(gwillcox) groups=1000(gwillcox),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),120(lpadmin),131(lxd),132(sambashare)
whoami
gwillcox
exit
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.27.129.4 - Meterpreter session 1 closed.  Reason: User exit
msf5 exploit(multi/handler) > version
Framework: 5.0.102-dev-29050882a7
Console  : 5.0.102-dev-29050882a7
msf5 exploit(multi/handler) >

So yes you are right the IDs are showing up correctly, that was my bad. The issue here is rather that the username doesn't show up correctly. Let me fix up my issue's description to fix this.

gwillcox-r7 picture gwillcox-r7 on 6 Aug 2020

fyi this was fixed by https://github.com/rapid7/mettle/pull/198 (and https://github.com/rapid7/mettle/pull/200) but the gem in framework has not been updated yet.

timwr picture timwr on 6 Aug 2020
👍2

Cool, so likely came with the payloads updates that merged with MSF6 a little while ago. Thanks @timwr

busterb picture busterb on 6 Aug 2020

Confirmed this is fixed with recent updates that were merged in with MSF6. Thanks @timwr for pointing this out!

msf6 > use multi/handler
s[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > set payload linux/x64/meterpreter/bind_tcp
payload => linux/x64/meterpreter/bind_tcp
msf6 exploit(multi/handler) > set LPORT 6688
LPORT => 6688
msf6 exploit(multi/handler) > set RHOST 172.28.174.6
RHOST => 172.28.174.6
msf6 exploit(multi/handler) > exploit

[*] Started bind TCP handler against 172.28.174.6:6688
[*] Sending stage (3008420 bytes) to 172.28.174.6
[*] Meterpreter session 1 opened (0.0.0.0:0 -> 172.28.174.6:6688) at 2020-08-06 14:10:49 -0500

meterpreter > getuid
Server username: gwillcox @ gwillcox-Virtual-Machine (uid=1000, gid=1000, euid=1000, egid=1000)
meterpreter >
gwillcox-r7 picture gwillcox-r7 on 6 Aug 2020
Was this page helpful?
0 / 5 - 0 ratings

Related issues

Acidical picture Acidical  路  3Comments
miholtz picture miholtz  路  3Comments
wvu-r7 picture wvu-r7  路  3Comments
handsomebeast picture handsomebeast  路  3Comments
notdodo picture notdodo  路  3Comments