Metasploit-framework: Fully-interactive shell from within meterpreter session?

Created on 9 Nov 2020 · 5Comments · Source: rapid7/metasploit-framework

Fully-interactive shell from within meterpreter session?

Description

It would be awesome to be able to obtain a "fully-interactive" shell from within a meterpreter session. By "fully-interactive", I mean having the ability to use arrow keys to navigate, use of CTRL commands, and things like that. It is possible to obtain such a shell using "stty" from a standard linux shell, but it does not appear to be possible from within meterpreter.

Here are the steps to obtain a fully-interactive shell using stty from a standard shell
Screen Shot 2020-11-08 at 7 15 39 PM
https://blog.ropnop.com/upgrading-simple-shells-to-fully-interactive-ttys/

If you try to do this from within meterpreter, the CTRL+Z command will land you at a meterpreter prompt, so there is no way to run stty to get the fully-interactive shell.

I was actually considering building this feature myself as a contribution to the framework, but I wanted to check if there have been any prior attempts by Rapid7 developers, and to make sure that this is even theoretically possible. Has this type of thing been attempted before? If so, was it abandoned because it is not possible?

Mockup:

I was imaging it would work something like this (open to suggestions of course):

meterpreter> full_shell -h
    -s : SHELL env variable (default: /bin/bash)
    -t : TERM env variable (default: xterm-256color)
    -r : ROWS number of rows (default: auto)
    -c : COLS number of cols (default: auto)
meterpreter> full_shell -r 38 -c 116
user@host:~$

suggestion-feature

Source

grese

Most helpful comment

@bcoles, @wvu-r7 - I'm willing to take a crack at building this if you can't think of any reason why it would be technically impossible.

It sure would be cool in the post-exploitation phase to have a fully-functioning terminal with all the normal bells and whistles provided by modern shells :)

grese on 10 Nov 2020

👍2

All 5 comments

10389

bcoles on 9 Nov 2020

👍1

10389

@bcoles - Correct me if I'm wrong, but I don't think that's exactly the same thing because arrow keys don't work with the pty shell, so it's technically not "fully interactive". I've used the pty shell and it is cool, but the piece that's missing from #10389 is _stty_, which makes it possible to use things like arrow keys. With stty support, I think you could even do things like use nano, vi, and tmux if they're available on the host.

There is some good information in that thread though. This would be kind of an extension of that feature.

grese on 9 Nov 2020

@bcoles, @wvu-r7 - I'm willing to take a crack at building this if you can't think of any reason why it would be technically impossible.

It sure would be cool in the post-exploitation phase to have a fully-functioning terminal with all the normal bells and whistles provided by modern shells :)

grese on 10 Nov 2020

👍2

We'd definitely be interested in a contribution like this. There a reason why you wouldn't want to just upgrade the existing shell command though? I suspect this would need a substantial amount of work on the Meterpreter side of things. I'd suggest you start with one implementation such as mettle or Python to pilot the idea and go from there.

There are already some TTY-related oddities within the Meterpreter shell. IIRC for example, sudo doesn't always work the way you would expect it to.

smcintyre-r7 on 10 Nov 2020

@smcintyre-r7

There a reason why you wouldn't want to just upgrade the existing shell command though?

I was thinking that it might involve a significant amount of refactoring, so I was considering doing it as a separate command just to avoid breaking any existing functionality. However, it would be really nice to have it as an option in the existing shell command, so I'll try that first.