Bug #817

Using AIX payloads, /bin/csh will not exit when using the "exit" command

Added by Joshua J. Drake over 2 years ago. Updated over 1 year ago.

Status: Closed
Start date: 02/08/2010
Priority: Low
Due date:
Assignee: Ramon de C Valle
% Done: 0%
Category: payloads
Target version: Metasploit 3.5.0
Resolution: invalid
Release Note:

Description

The "exit" command does nothing! This might be due to the close() syscalls failing (as shown below).

bash-2.04# truss -p 17518
sigprocmask(0, 0x2FF22C60, 0x2FF22C68) = 0
close(0) Err#9 EBADF
kfcntl(19, F_DUPFD, 0x00000000) = 0
close(1) Err#9 EBADF
kfcntl(17, 14, 0x00000001) = 1
close(2) Err#9 EBADF
kfcntl(18, 14, 0x00000002) = 2
sys_parm(0x00000000, 0x0000000E, 0x20004150, 0x20003F70, 0x00000000, 0x60000000, 0x60007FDD, 0x00000000) = 0x00000000
lseek(16, 0, 2) Err#29 ESPIPE
close(0) = 0
close(1) = 0
close(2) = 0
sigprocmask(0, 0x2FF22C60, 0x2FF22C68) = 0
sigprocmask(2, 0x2FF22C60, 0x2FF22C68) = 0

Suspicions point to dup'ing of sockets.
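
As an added example (not code from this tracker, from the Metasploit AIX payloads, or from any of the participants): the descriptor plumbing a bind/reverse shell payload performs before exec'ing the shell, reproduced in C so that the "exit does nothing" symptom can be checked outside AIX. A socketpair() stands in for the payload's network socket and /bin/sh stands in for /bin/csh (both substitutions, and the 5-second timeout, are assumptions of the example). The child dup2()s the socket onto fds 0, 1 and 2 and exec's the shell, exactly as a payload does; the parent types commands into the other end and treats EOF as "the shell closed its descriptors and exited" and silence past the timeout as "the shell is still holding the socket open", which is the behaviour this ticket reports.

```c
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <poll.h>
#include <signal.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <unistd.h>

/* What came back from driving a shell over the socket. */
struct shell_run {
    char output[4096]; /* everything the shell wrote to fds 1 and 2 */
    int  exited;       /* 1 if the shell terminated on its own */
    int  exit_status;  /* its exit status when exited == 1, else -1 */
};

/* Spawn `shell` with fds 0, 1 and 2 dup2()'d from one end of a socketpair
 * (stand-in for the payload's network socket), feed `input` through the
 * other end and read until the shell closes its side.  If nothing arrives
 * for `timeout_ms` the shell is taken to be stuck and is killed.
 * Returns 0, or -1 on a setup error. */
int run_shell_over_socket(const char *shell, const char *input,
                          int timeout_ms, struct shell_run *out)
{
    int sv[2];
    memset(out, 0, sizeof *out);
    out->exit_status = -1;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0)
        return -1;

    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* Child: the same plumbing a bind/reverse shell payload does. */
        close(sv[0]);
        for (int fd = 0; fd < 3; fd++)
            if (dup2(sv[1], fd) < 0)
                _exit(127);
        if (sv[1] > 2)
            close(sv[1]);
        execl(shell, shell, (char *)NULL);
        _exit(127);
    }

    /* Parent: drop the child's end so that EOF means "the shell closed 0/1/2". */
    close(sv[1]);
    for (size_t off = 0, len = strlen(input); off < len;) {
        ssize_t w = write(sv[0], input + off, len - off);
        if (w < 0) { if (errno == EINTR) continue; break; }
        off += (size_t)w;
    }

    size_t used = 0;
    for (;;) {
        struct pollfd pfd = { .fd = sv[0], .events = POLLIN, .revents = 0 };
        int r = poll(&pfd, 1, timeout_ms);
        if (r < 0 && errno == EINTR)
            continue;
        if (r <= 0 || used >= sizeof out->output - 1) {
            /* Silence with the socket still open: "exit" did not end the shell. */
            kill(pid, SIGKILL);
            break;
        }
        ssize_t n = read(sv[0], out->output + used, sizeof out->output - 1 - used);
        if (n <= 0)
            break; /* EOF: the shell closed its descriptors and went away */
        used += (size_t)n;
    }
    out->output[used] = '\0';
    close(sv[0]);

    int status;
    while (waitpid(pid, &status, 0) < 0 && errno == EINTR)
        ;
    if (WIFEXITED(status)) {
        out->exited = 1;
        out->exit_status = WEXITSTATUS(status);
    }
    return 0;
}

/* Exit status of `shell` after being fed `input`, or -1 if it never exited. */
int shell_exit_status(const char *shell, const char *input)
{
    struct shell_run r;
    if (run_shell_over_socket(shell, input, 5000, &r) < 0)
        return -1;
    return r.exited ? r.exit_status : -1;
}

/* 1 if the shell's combined stdout/stderr equals `expected`, else 0. */
int shell_output_is(const char *shell, const char *input, const char *expected)
{
    struct shell_run r;
    if (run_shell_over_socket(shell, input, 5000, &r) < 0)
        return 0;
    return strcmp(r.output, expected) == 0;
}

int main(void)
{
    /* Constructed input: what an operator would type into the payload shell. */
    struct shell_run r;
    if (run_shell_over_socket("/bin/sh", "echo ok\nexit 3\n", 5000, &r) < 0) {
        perror("run_shell_over_socket");
        return 1;
    }
    printf("output: %sexited: %d, status: %d\n", r.output, r.exited, r.exit_status);
    return 0;
}
```

Point `shell` at /bin/csh on a host that has it and feed it "exit\n": a return of -1 from shell_exit_status means the shell kept the socket open past the timeout and had to be killed, which is the ticket's symptom; a return of 0 means exit closed the descriptors as expected.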

History

#1 Updated by Joshua J. Drake over 2 years ago

  • Subject changed from AIX bind/reverse payloads won't exit to Using AIX payloads, /bin/csh will not exit when using the "exit" command

Clarified description

#2 Updated by HD Moore over 2 years ago

  • Assignee changed from HD Moore to Ramon de C Valle
  • Target version set to 18

Ramon, could you take a look?

#3 Updated by Ramon de C Valle over 2 years ago

Joshua Drake wrote:
> The "exit" command does nothing! This might be due to the close() syscalls failing (as shown below).
>
> bash-2.04# truss -p 17518
> sigprocmask(0, 0x2FF22C60, 0x2FF22C68) = 0
> close(0) Err#9 EBADF
> kfcntl(19, F_DUPFD, 0x00000000) = 0
> close(1) Err#9 EBADF
> kfcntl(17, 14, 0x00000001) = 1
> close(2) Err#9 EBADF
> kfcntl(18, 14, 0x00000002) = 2
> sys_parm(0x00000000, 0x0000000E, 0x20004150, 0x20003F70, 0x00000000, 0x60000000, 0x60007FDD, 0x00000000) = 0x00000000
> lseek(16, 0, 2) Err#29 ESPIPE
> close(0) = 0
> close(1) = 0
> close(2) = 0
> sigprocmask(0, 0x2FF22C60, 0x2FF22C68) = 0
> sigprocmask(2, 0x2FF22C60, 0x2FF22C68) = 0
>
> Suspicions point to dup'ing of sockets.

Which AIX version does this happen on?

#4 Updated by HD Moore over 2 years ago

This was 5.1 iirc

#5 Updated by HD Moore about 2 years ago

  • Target version changed from 18 to Metasploit 3.4.0

#6 Updated by Juan Sacco about 2 years ago

Ramon Valle wrote:
> Joshua Drake wrote:
> > The "exit" command does nothing! This might be due to the close() syscalls failing (as shown below).
> >
> > bash-2.04# truss -p 17518
> > sigprocmask(0, 0x2FF22C60, 0x2FF22C68) = 0
> > close(0) Err#9 EBADF
> > kfcntl(19, F_DUPFD, 0x00000000) = 0
> > close(1) Err#9 EBADF
> > kfcntl(17, 14, 0x00000001) = 1
> > close(2) Err#9 EBADF
> > kfcntl(18, 14, 0x00000002) = 2
> > sys_parm(0x00000000, 0x0000000E, 0x20004150, 0x20003F70, 0x00000000, 0x60000000, 0x60007FDD, 0x00000000) = 0x00000000
> > lseek(16, 0, 2) Err#29 ESPIPE
> > close(0) = 0
> > close(1) = 0
> > close(2) = 0
> > sigprocmask(0, 0x2FF22C60, 0x2FF22C68) = 0
> > sigprocmask(2, 0x2FF22C60, 0x2FF22C68) = 0
> >
> > Suspicions point to dup'ing of sockets.
>
> Which AIX version does this happen on?

There are different syscall numbers in various AIX editions. In a local exploit, you can use oslevel -r to determine the AIX version and then write in the corresponding syscall number.

Juan Sacco

#7 Updated by Joshua J. Drake about 2 years ago

Juan,

That's all handled in the payloads themselves. I don't think this problem is related to that... It seems like some compatibility problem between the way the pipe between the socket and the shell is set up and the way csh tries to clean itself up.

#8 Updated by Ramon de C Valle about 2 years ago

I'm investigating this bug and will return with results as soon as possible.

#9 Updated by James Lee about 2 years ago

  • Target version changed from Metasploit 3.4.0 to Metasploit 3.4.1

#10 Updated by James Lee almost 2 years ago

  • Target version changed from Metasploit 3.4.1 to Metasploit 3.5.0

#11 Updated by Ramon de C Valle over 1 year ago

  • Status changed from New to Closed
  • Resolution set to invalid

I was not able to reproduce this bug.
