Fix trailing backslash in shell registry operations#21004

Open
EclipseAditya wants to merge 1 commit into rapid7:master from EclipseAditya:fix/20899-registry-trailing-backslash

Conversation

@EclipseAditya

registry_enumkeys and other shell-based registry functions silently fail when the key path ends with a trailing backslash (\). This is because normalize_key preserves the trailing backslash, which then gets interpolated into a cmd.exe command like:

cmd.exe /c reg query "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\"

The \" at the end is interpreted by cmd.exe as an escaped double-quote, producing a malformed command. Meterpreter sessions are unaffected because they use the Windows API directly, which tolerates trailing backslashes.

This caused exploit/windows/persistence/registry (and similar modules) to incorrectly report "System does not have powershell" on shell sessions while working correctly on meterpreter sessions.

The fix:

  • Strip trailing backslash in normalize_key via .chomp("\\") — this protects all 10+ shell registry functions at the normalization layer
  • Remove trailing backslashes from all affected module callers (defense in depth)
  • Add RSpec tests for normalize_key and split_key

Fixes #20899

Verification

  • Start msfconsole
  • Obtain a shell session on a Windows target (e.g., windows/x64/shell/reverse_tcp)
  • use exploit/windows/persistence/registry
  • set SESSION <shell_session_id>
  • check
  • Verify the output is "The target is vulnerable. Registry writable" (not "System does not have powershell")
  • Obtain a meterpreter session on the same target
  • set SESSION <meterpreter_session_id>
  • check
  • Verify the output is still "The target is vulnerable. Registry writable" (no regression)
  • Run bundle exec rspec spec/lib/msf/core/post/windows/registry_spec.rb
  • Verify all 19 examples pass, 0 failures


Labels

rn-fix release notes fix

Projects

Status: Todo

Development

Successfully merging this pull request may close these issues.

registry_enumkeys inconsistent behavior between meterpreter and shell
