New process launch API #19108
So we actually have a set of integration tests now that run through the meterpreter test suite on multiple different host environments, i.e. windows/ubuntu/osx, so potentially we could update these tests: and it should automatically run through all of the meterpreters on different runtimes, which would give more confidence that things will work beyond just the unit tests that have been added.
# @option Subshell [Boolean] Execute process in a subshell | ||
# @option Pty [Boolean] Execute process in a pty (if available) | ||
# @option ParentId [Integer] Spoof the parent PID (if possible) | ||
# @option InMemory [Boolean,String] Execute from memory (`path` is treated as a local file to upload, and the actual path passed |
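Review bot: the qualifiers on `Pty` ("if available") and `ParentId` ("if possible") leave the failure mode undocumented: from these `@option` lines a caller cannot tell whether an unsupported session raises, returns an error, or silently launches without the pty / under the real parent PID. A silently dropped `ParentId` changes what the launched process looks like on the host, so the comment should say which it is, e.g. `# @option ParentId [Integer] Spoof the parent PID; ignored without error where the session cannot do it` (or that it raises). The `InMemory` line is also cut off mid-sentence as shown ("and the actual path passed"), so the reader cannot tell which path the launched process actually receives; please complete it.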
It seems strange that `InMemory` could be both a String and a Boolean; this could lead to some confusion. Does it need to be a String?
Definitely agree that it's strange. For clarity, I didn't change the expected types - I'm just commenting the existing (admittedly confusing) behaviour.
This creates a new API, `create_process`, which allows the creation of processes from an array of args, rather than from a commandline string that needs to go through a subshell. This places the escaping logic in one place, and lets module developers create more robust code.

Verification
You'll need to pull in mettle, as well as the various metasploit-payloads (php, py, c, java):

- rapid7/metasploit-payloads#701
- rapid7/mettle#258

Test for each of the following:

For each of the above:

- `create_process` passes parameters exactly as provided. You can run it directly in irb by setting a session, then using `create_process(cmd, args: [...])`. I created a test program to do this - just ask ChatGPT to write you a program that will show you what args were passed to it, each on a new line.
- `cmd_exec` still works as it did before (including buggy calls)
- `cmd_exec`, and then using `create_process`, on PHP < 7.4 (not supported)

You can observe process launches (to check for the presence/absence of subshells) using:

```
sudo bpftrace -e 'tracepoint:syscalls:sys_enter_exec*{ printf("pid: %d, comm: %s, args: ", pid, comm); join(args->argv); }'
```
Tests

- Windows, new Metasploit, old Meterp
- Windows, new Metasploit, new Meterp
- Linux, new Metasploit, old Meterp
- Linux, new Metasploit, new Meterp
- Java, new Metasploit, old Meterp
- Java, new Metasploit, new Meterp
- Python, new Metasploit, old Meterp
- Python, new Metasploit, new Meterp
- PHP, new Metasploit, old Meterp
- PHP, new Metasploit, new Meterp
- PHP < 7.4, new Metasploit, new Meterp
- Windows, Command shell
- Linux, Command shell
- PowerShell
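As an added example (not code from this PR or from metasploit-framework), the Ruby script below shows the difference the description is about: the same arguments delivered as an argv array versus through a subshell command line. The "print each argument on its own line" helper the author mentions is replaced by the Ruby interpreter itself running `puts ARGV`, and `Shellwords` stands in for the centralised escaping; both are assumptions of this example, not Meterpreter's own implementation, and the shell path assumes a POSIX `/bin/sh`.

```ruby
require 'open3'
require 'rbconfig'
require 'shellwords'

module ProcessLaunchDemo
  # Constructed stand-in for the "print each argument on its own line" helper
  # the PR description mentions: the Ruby interpreter running a one-line script.
  # The trailing '--' ends Ruby's own option parsing so that values starting
  # with '-' are delivered to ARGV instead of being read as interpreter flags.
  PRINTER = [RbConfig.ruby, '-e', 'puts ARGV', '--'].freeze

  # argv form (what create_process(cmd, args: [...]) models): each element is
  # handed to execve() unchanged, no shell is involved, so no escaping is needed.
  def self.launch_argv(args)
    out, _status = Open3.capture2(*PRINTER, *args)
    out.lines.map(&:chomp)
  end

  # command-line string with naive concatenation (the cmd_exec style the PR
  # moves away from): /bin/sh re-tokenises the string, so an argument containing
  # a space becomes two arguments and $VARS, globs and ';' are interpreted.
  def self.launch_shell_naive(args)
    cmdline = "#{RbConfig.ruby} -e 'puts ARGV' -- #{args.join(' ')}"
    out, _status = Open3.capture2(cmdline)
    out.lines.map(&:chomp)
  end

  # command-line string with escaping done once, centrally, via Shellwords.
  # Correct for POSIX sh only; Windows command lines follow different quoting
  # rules, which is one reason an argv-based API is the more robust primitive.
  def self.launch_shell_escaped(args)
    cmdline = Shellwords.join(PRINTER + args)
    out, _status = Open3.capture2(cmdline)
    out.lines.map(&:chomp)
  end

  # true when every argument survived the round trip to the child verbatim
  def self.preserved?(launcher, args)
    public_send(launcher, args) == args
  end
end

if $PROGRAM_NAME == __FILE__
  sample = ['a b', '$HOME'] # constructed: a space and a shell variable reference
  puts "argv:          #{ProcessLaunchDemo.launch_argv(sample).inspect}"
  puts "shell naive:   #{ProcessLaunchDemo.launch_shell_naive(sample).inspect}"
  puts "shell escaped: #{ProcessLaunchDemo.launch_shell_escaped(sample).inspect}"
end
```

Run it with `ruby process_launch_demo.rb`: the argv and escaped forms return `["a b", "$HOME"]`, while the naive form returns `"a"` and `"b"` as separate arguments and whatever `$HOME` expands to. Pairing a run with the bpftrace one-liner above also makes the presence of the `/bin/sh -c` hop visible for the two string-based launchers and its absence for the argv one.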