Bug #817
Using AIX payloads, /bin/csh will not exit when using the "exit" command
| Status: | New | Start: | 02/08/2010 | |
|---|---|---|---|---|
| Priority: | Low | Due date: | ||
| Assigned to: | Ramon Valle | % Done: | 0% |
|
| Category: | payloads | |||
| Target version: | Metasploit 3.5 | |||
| Resolution: |
Description
The "exit" command does nothing! This might be due to the close() syscalls failing (as shown below).
bash-2.04# truss -p 17518
sigprocmask(0, 0x2FF22C60, 0x2FF22C68) = 0
close(0) Err#9 EBADF
kfcntl(19, F_DUPFD, 0x00000000) = 0
close(1) Err#9 EBADF
kfcntl(17, 14, 0x00000001) = 1
close(2) Err#9 EBADF
kfcntl(18, 14, 0x00000002) = 2
sys_parm(0x00000000, 0x0000000E, 0x20004150, 0x20003F70, 0x00000000, 0x60000000, 0x60007FDD, 0x00000000) = 0x00000000
lseek(16, 0, 2) Err#29 ESPIPE
close(0) = 0
close(1) = 0
close(2) = 0
sigprocmask(0, 0x2FF22C60, 0x2FF22C68) = 0
sigprocmask(2, 0x2FF22C60, 0x2FF22C68) = 0
Suspicions point to dup'n of sockets..
History
Updated by Joshua J. Drake 7 months ago
- Subject changed from AIX bind/reverse payloads won't exit to Using AIX payloads, /bin/csh will not exit when using the "exit" command
Clarified description
Updated by HD Moore 7 months ago
- Assigned to changed from HD Moore to Ramon Valle
- Target version set to 18
Ramon, could you take a look?
Updated by Ramon Valle 7 months ago
Joshua Drake wrote:
The "exit" command does nothing! This might be due to the close() syscalls failing (as shown below).
bash-2.04# truss -p 17518 sigprocmask(0, 0x2FF22C60, 0x2FF22C68) = 0 close(0) Err#9 EBADF kfcntl(19, F_DUPFD, 0x00000000) = 0 close(1) Err#9 EBADF kfcntl(17, 14, 0x00000001) = 1 close(2) Err#9 EBADF kfcntl(18, 14, 0x00000002) = 2 sys_parm(0x00000000, 0x0000000E, 0x20004150, 0x20003F70, 0x00000000, 0x60000000, 0x60007FDD, 0x00000000) = 0x00000000 lseek(16, 0, 2) Err#29 ESPIPE close(0) = 0 close(1) = 0 close(2) = 0 sigprocmask(0, 0x2FF22C60, 0x2FF22C68) = 0 sigprocmask(2, 0x2FF22C60, 0x2FF22C68) = 0
Suspicions point to dup'n of sockets..
Which AIX version this happens?
Updated by Juan Sacco 6 months ago
Ramon Valle wrote:
Joshua Drake wrote:
The "exit" command does nothing! This might be due to the close() syscalls failing (as shown below).
bash-2.04# truss -p 17518 sigprocmask(0, 0x2FF22C60, 0x2FF22C68) = 0 close(0) Err#9 EBADF kfcntl(19, F_DUPFD, 0x00000000) = 0 close(1) Err#9 EBADF kfcntl(17, 14, 0x00000001) = 1 close(2) Err#9 EBADF kfcntl(18, 14, 0x00000002) = 2 sys_parm(0x00000000, 0x0000000E, 0x20004150, 0x20003F70, 0x00000000, 0x60000000, 0x60007FDD, 0x00000000) = 0x00000000 lseek(16, 0, 2) Err#29 ESPIPE close(0) = 0 close(1) = 0 close(2) = 0 sigprocmask(0, 0x2FF22C60, 0x2FF22C68) = 0 sigprocmask(2, 0x2FF22C60, 0x2FF22C68) = 0
Suspicions point to dup'n of sockets..
Which AIX version this happens?
There are different syscall numbers in various AIX editions. In local exploit, you can use oslevel -r to determine the AIX version, and then write in the corresponding syscall number.
Juan Sacco
Updated by Joshua J. Drake 6 months ago
Juan,
That's all handled in the payloads themselves. This problem isn't related to that I don't think... Seems like some compatibility problem between the way the pipe between the socket and the shell happens and the way csh tries to clean itself up..
Updated by Ramon Valle 6 months ago
I'm investigating this bug and will return with results as soon as possible.
Updated by James Lee about 1 month ago
- Target version changed from Metasploit 3.4.1 to Metasploit 3.5