Lubricy / armitage

Automatically exported from code.google.com/p/armitage

Certain Cortana Scripts fail when launched via java, works fine from inside Armitage #172

Open GoogleCodeExporter opened 9 years ago

GoogleCodeExporter commented 9 years ago
What steps will reproduce the problem?
1. Create script:

on ready {
        $console = console();
        cmd($console, "use multi/handler");
        cmd_set($console, %(ReverseListenerThreaded => "True", PAYLOAD => "windows/meterpreter/reverse_tcp", LHOST => "0.0.0.0", LPORT => "443", ExitOnSession => "false", EnableStageEncoding => "true", StageEncoder => "x86/shikata_ga_nai"));
        elog("restarts the listener");
        cmd($console, "jobs -K");
        cmd($console, "run -j -z");
        cmd_stop($console);
        quit();
}

2. Log into teamserver, load script from inside Armitage
3. Observe that the script works.
4. Kill the listener job created by the script, and create another one on any port.
5. Create the login file (local.prop), so that Cortana bots can log in
6. Launch the Cortana bot using java -jar <cortana jar> <login file> <script file>
7. Observe that the Bot successfully logs in, and performs the "elog" claiming to have restarted the listener. However, check the job settings using "jobs -v" and observe that the job from step 4 was not killed, and that the new listener (if it was created) is on a totally random port instead of the 443 port specified by the script.

What is the expected output? What do you see instead?
The expected output is that the Cortana java bot executes the script exactly like when it is launched from inside Armitage. Bad output is detailed in step 7.

What version of Metasploit are you using (type: svn info)? On which operating system?
Kali with all dist-upgrades and msfupdates

Which database are you using?
postgresql (default kali)

Please provide any additional information below.

I've tried modifying the script in several ways, and java still fails. For example, I tried using the handler() function with all the settings specified within it, and also tried setting each setting using separate cmd() commands.

I wrote another script that elogs the uid of any new meterpreter session, and it works fine on both the Armitage and java methods. Source below:

on session_sync {
   m_cmd($1, "getuid");
}

on meterpreter_getuid {
   elog("$3");
}

Original issue reported on code.google.com by XtAk...@gmail.com on 3 Oct 2014 at 11:48