RFC: Pipe Wielding Shellisms

[sempervictus]

Metasploit has been around longer than a lot of, if not most Linux userspace environments in play today. Our Framework libraries rely on some assumptions in shell and mettle sessions which may not be true everywhere, such as stripped-down containerized targets for our exploits (and subsequent session context). The Post libs are designed to abstract the magic of interacting with the environment for the users, and in that spirit, i'd like to suggest a refactoring effort which would replace invocations to "binaries we assume to be present" with shell magic reading from proc and sys fs'. For example, /bin/cat might not exist in some environments, and cat /proc/cpuinfo is actually equivalent to while read l;do printf "$l\n";done</proc/cpuinfo which is "pathless" as it doesn't call any binaries to do its dirty work.
This is absolutely not glamorous, its busy work for greybeards, or a good chance for those who dont know how this stuff works to learn and solidify the skills by implementing. We're going to need this more and more as process isolation becomes more "hardcore" (@ SVIT we use raw namespacing, firejail, and other dirty tricks, including runing actual jails in hardned bsd which look like Linux userspace with a minimum attack surface, everyone else is going in similar directions).
Off the bat, i'd say this warrants a look from @busterb+team, @hdm, @egypt, @kernelsmith, @zeroSteiner, @OJ, and @bcoles (reap whats sown and all 😈 ) if those folks are able and willing.

[hdm]

shell magic is the kicker here; differences between bash, dash, and busybox limit what we can do there.

[sempervictus]

Good point sir, i figure if we start making replacement approaches to bin invocation, we will have to test against those and probably ksh to see what can and can't stick across 'em.

[bcoles]

#9854 - Related, regarding the use of cat

[bcoles]

#10119

[bcoles]

In addition to the problems outlined above, such as cat missing from the system, the current implementation of is_root? is not chroot/namespace safe.

The current code pattern for local exploits is to fail_with BadConfig if the session already has root privileges, based on the assumption that there's no reason to proceed, and proceeding may be detrimental to system stability or stealth.

However, a session within a user namespace may have root privileges, yet we may want to proceed with exploitation to break out of the namespace. This hasn't been a problem... yet... as none of the existing local exploits can be used to break out of a container [todo: fact check this].

One alternative solution is to check whether /etc/shadow is readable. This approach is also flawed, as some embedded devices, or ancient *nix systems, do not have a /etc/shadow file, instead storing the hashes in /etc/passwd. Additionally, poorly configured systems may have a readable /etc/shadow file.

As a stop-gap measure, until a reasonable solution is found, in any instances where a module can be used to break out of a namespace, rather than fail_with BadConfig, 'already root' if is_root?, the module should instead print_warning 'already root' if is_root?.

Edit: I've updated many of the Linux local modules to allow the operator to bypass the is_root? check using ForceExploit in #10949. This was kind of off topic for this issue, but documenting it here anyway.

[bcoles]

#10119 has now been merged which is a good start in this direction. It introduces the functionality described in the OP by falling back to shellisms when system commands are not available. For example, reading from files:

    # Result on systems without cat command
    session.shell_command_token("while read line; do echo $line; done <#{file_name}")