Description
Command tokenisation is failing on bash command shells.
I'm pretty sure this wasn't always the case.
I've run into this issue using bash shells on Linux (modern bash, using a reverse bash shell) and Solaris (old bash ~2013, using bash shell from `ssh_login`) this week.
Command output returned from `cmd_exec` is malformed.
Output from `sessions` is also malformed (see session 21).
```
msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) > sessions

Active sessions
===============

  Id  Name  Type                   Information                                                         Connection
  --  ----  ----                   -----------                                                         ----------
  11        meterpreter x64/linux  uid=1000, gid=1000, euid=1000, egid=1000 @ localhost.localdomain  172.16.redacted
  12        meterpreter x64/linux  uid=0, gid=0, euid=0, egid=0 @ localhost.localdomain              172.16.redacted
  13        meterpreter x64/linux  uid=1000, gid=1000, euid=1000, egid=1000 @ 172.16.191.211         172.16.redacted
  16        meterpreter x64/linux  uid=0, gid=0, euid=0, egid=0 @ 172.16.191.211                     172.16.redacted
  17        shell cmd/unix                                                                            172.16.redacted
  18        meterpreter x64/linux  uid=0, gid=0, euid=0, egid=0 @ localhost.localdomain              172.16.redacted
  19        meterpreter x64/linux  uid=0, gid=0, euid=0, egid=0 @ localhost.localdomain              172.16.redacted
  21        shell cmd/unix         msf5 exploit(linux/local/ptrace_traceme_pkexec_helper) >
```
Edit: This is the third time this issue has been encountered. It was fixed upon initial discovery a year or two ago, then reintroduced, then fixed, and now present again.
Clearly the test cases related to `cmd_exec` are inadequate. The code responsible for introducing this issue likely needs some code comments documenting the reason for using the current code pattern, and warning against modification.