dirtyfilthy / metassh

ssh session type for metasploit

Concurrent meterpreter session breaks metassh and framework #6

Closed. sempervictus closed this 12 years ago.

sempervictus commented 12 years ago

Seeing the following behavior: establish an ssh session with a host, enter shell, get a normal metassh shell within the metassh session. Establish a reverse tcp meterpreter session, go back to metassh, enter 'shell' and it hangs. This also stops execution of 'pwd' from the metassh session, port forwarding, etc.

Stack trace when running shell with a meterpreter session in the framework:

metaSSH > shell
Channel 2 created.

^C
Terminate channel 2? [y/N]
[-] Error running command shell: Interrupt
/opt/metasploit4/msf4/lib/rex/ui/text/input/readline.rb:58:in `sysread'
/opt/metasploit4/msf4/lib/rex/ui/text/input/readline.rb:58:in `sysread'
/opt/metasploit4/msf4/lib/rex/ui/interactive.rb:288:in `prompt'
/opt/metasploit4/msf4/lib/rex/ui/interactive.rb:296:in `prompt_yesno'
/opt/metasploit4/msf4/plugins/meta_ssh/lib/rex/post/meta_ssh/ui/console/interactive_channel.rb:35:in `_interrupt'
/opt/metasploit4/msf4/lib/rex/ui/interactive.rb:54:in `rescue in interact'
/opt/metasploit4/msf4/lib/rex/ui/interactive.rb:47:in `interact'
/opt/metasploit4/msf4/plugins/meta_ssh/lib/rex/post/meta_ssh/ui/console.rb:82:in `interact_with_channel'
/opt/metasploit4/msf4/plugins/meta_ssh/lib/rex/post/meta_ssh/ui/console/command_dispatcher/stdapi/sys.rb:100:in `cmd_execute'
/opt/metasploit4/msf4/plugins/meta_ssh/lib/rex/post/meta_ssh/ui/console/command_dispatcher/stdapi/sys.rb:110:in `cmd_shell'
/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:380:in `run_command'
/opt/metasploit4/msf4/plugins/meta_ssh/lib/rex/post/meta_ssh/ui/console.rb:99:in `run_command'
/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:342:in `block in run_single'
/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:336:in `each'
/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:336:in `run_single'
/opt/metasploit4/msf4/plugins/meta_ssh/lib/rex/post/meta_ssh/ui/console.rb:63:in `block in interact'
/opt/metasploit4/msf4/lib/rex/ui/text/shell.rb:189:in `call'
/opt/metasploit4/msf4/lib/rex/ui/text/shell.rb:189:in `run'
/opt/metasploit4/msf4/plugins/meta_ssh/lib/rex/post/meta_ssh/ui/console.rb:61:in `interact'
/opt/metasploit4/msf4/plugins/meta_ssh/lib/msf/base/sessions/meta_ssh.rb:270:in `_interact'
/opt/metasploit4/msf4/lib/rex/ui/interactive.rb:48:in `interact'
/opt/metasploit4/msf4/lib/msf/ui/console/command_dispatcher/core.rb:1565:in `cmd_sessions'
/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:380:in `run_command'
/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:342:in `block in run_single'
/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:336:in `each'
/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:336:in `run_single'
/opt/metasploit4/msf4/lib/rex/ui/text/shell.rb:199:in `run'
/usr/local/sbin/msfconsole:134:in `'

Framework will also fail to close the channels/threads. I remember seeing a trace which stated that Thread.kill was called, which doesn't exist. Will investigate further, but is anyone else seeing this behavior?

sempervictus commented 12 years ago

Got the kill issue: if I leave a channel open (shell hangs, I ctrl-z it to the background) and kill the metassh session, I get this:

Session manipulation failed: undefined method `kill' for #<Rex::Post::Thread:0x0000000ec29c38>
["/opt/metasploit4/msf4/plugins/meta_ssh/lib/rex/post/meta_ssh/client.rb:82:in `cleanup_ssh'",
 "/opt/metasploit4/msf4/plugins/meta_ssh/lib/msf/base/sessions/meta_ssh.rb:149:in `cleanup'",
 "/opt/metasploit4/msf4/lib/msf/core/session_manager.rb:267:in `deregister'",
 "/opt/metasploit4/msf4/lib/msf/core/session/interactive.rb:139:in `_interact_complete'",
 "/opt/metasploit4/msf4/lib/rex/ui/interactive.rb:71:in `interact'",
 "/opt/metasploit4/msf4/lib/msf/ui/console/command_dispatcher/core.rb:1567:in `cmd_sessions'",
 "/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:380:in `run_command'",
 "/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:342:in `block in run_single'",
 "/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:336:in `each'",
 "/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:336:in `run_single'",
 "/opt/metasploit4/msf4/lib/rex/ui/text/shell.rb:199:in `run'",
 "/usr/local/sbin/msfconsole:134:in `'"]

These may be separate issues, which I'm just seeing in series as I try to use metassh alongside a meterpreter session. The meterpreter session can originate from the same address/host or another one; same result. Works great prior to the meterpreter session being hooked.

sempervictus commented 12 years ago

b2d42d7 appears to fix the Thread.kill issue. However, a metassh session established after a meterpreter session, or a meterpreter session created while a metassh session exists, still causes the metassh session to break (no shell, no execution, no port forwarding, etc).

sempervictus commented 12 years ago

Seems that Thread.new in channel.rb is causing the issue:

[+] Running multi/ssh/loginpassword against 192.168.10.73
[*] metaSSH session 3 opened (127.0.0.1 -> 192.168.10.73:22) at 2012-02-15 16:42:36 -0500
[*] Hooked session 3 / 192.168.10.73:22 (2012-02-15)16:42 (S:2 J:3)
msf auxiliary(dns_srv) > sessions -i 3
[*] Starting interaction with 3...

metaSSH > pwd
/home/sempervictus
metaSSH > shell
[-] Error running command shell: ArgumentError wrong number of arguments(2 for 0)
/opt/metasploit4/msf4/plugins/meta_ssh/lib/rex/post/meta_ssh/channel.rb:42:in `initialize'
/opt/metasploit4/msf4/plugins/meta_ssh/lib/rex/post/meta_ssh/channel.rb:42:in `new'
/opt/metasploit4/msf4/plugins/meta_ssh/lib/rex/post/meta_ssh/channel.rb:42:in `initialize'
/opt/metasploit4/msf4/plugins/meta_ssh/lib/rex/post/meta_ssh/ui/console/command_dispatcher/stdapi/sys.rb:92:in `new'
/opt/metasploit4/msf4/plugins/meta_ssh/lib/rex/post/meta_ssh/ui/console/command_dispatcher/stdapi/sys.rb:92:in `cmd_execute'
/opt/metasploit4/msf4/plugins/meta_ssh/lib/rex/post/meta_ssh/ui/console/command_dispatcher/stdapi/sys.rb:110:in `cmd_shell'
/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:380:in `run_command'
/opt/metasploit4/msf4/plugins/meta_ssh/lib/rex/post/meta_ssh/ui/console.rb:99:in `run_command'
/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:342:in `block in run_single'
/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:336:in `each'
/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:336:in `run_single'
/opt/metasploit4/msf4/plugins/meta_ssh/lib/rex/post/meta_ssh/ui/console.rb:63:in `block in interact'
/opt/metasploit4/msf4/lib/rex/ui/text/shell.rb:189:in `call'
/opt/metasploit4/msf4/lib/rex/ui/text/shell.rb:189:in `run'
/opt/metasploit4/msf4/plugins/meta_ssh/lib/rex/post/meta_ssh/ui/console.rb:61:in `interact'
/opt/metasploit4/msf4/plugins/meta_ssh/lib/msf/base/sessions/meta_ssh.rb:270:in `_interact'
/opt/metasploit4/msf4/lib/rex/ui/interactive.rb:48:in `interact'
/opt/metasploit4/msf4/lib/msf/ui/console/command_dispatcher/core.rb:1567:in `cmd_sessions'
/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:380:in `run_command'
/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:342:in `block in run_single'
/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:336:in `each'
/opt/metasploit4/msf4/lib/rex/ui/text/dispatcher_shell.rb:336:in `run_single'
/opt/metasploit4/msf4/lib/rex/ui/text/shell.rb:199:in `run'
/opt/metasploit4/msf4/msfconsole:134:in `'

To reproduce: start MSF, start a meterpreter session, then load meta_ssh, start a session, try to open a shell. Wrong thread type?
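Added illustration of the mechanism the two errors above point at (this is not code from metassh, the pull request, or Metasploit). Ruby resolves a bare constant such as `Thread` lexically through the enclosing modules before falling back to `Object`, so code nested under `Rex::Post::...` will pick up a `Rex::Post::Thread` constant as soon as some other component has loaded one; that class does not take `Thread.new`'s arguments (hence "wrong number of arguments (2 for 0)") and has no `kill`. The `Rex::Post::Thread` stub and the `Channel` class below are constructed stand-ins that mimic the shapes in the traces; writing `::Thread.new` pins the reference to the core class.

```ruby
# Constructed stand-in for a post-exploitation Thread wrapper that another
# session type loads into the Rex::Post namespace. Its constructor takes no
# arguments and it has no #kill, matching the two errors in the traces.
module Rex
  module Post
    class Thread
      def initialize
        @handle = nil
      end
    end
  end
end

# Constructed stand-in for a channel class living under Rex::Post::MetaSSH.
module Rex
  module Post
    module MetaSSH
      class Channel
        # Bare constant. Lexical lookup walks Channel -> MetaSSH -> Rex::Post,
        # finds Rex::Post::Thread there, and never reaches ::Thread.
        def self.spawn_bare(a, b)
          Thread.new(a, b) { |x, y| x + y }
        end

        # Leading :: forces resolution from the top level, i.e. core Thread.
        def self.spawn_core(a, b)
          ::Thread.new(a, b) { |x, y| x + y }
        end
      end
    end
  end
end

# Exercise both paths and report what each one produced.
def probe
  results = {}
  begin
    Rex::Post::MetaSSH::Channel.spawn_bare(1, 2)
    results[:bare] = :ok
  rescue ArgumentError => e
    # Same failure mode as the page's trace: the wrong Thread got 2 args.
    results[:bare] = e.message
  end

  t = Rex::Post::MetaSSH::Channel.spawn_core(1, 2)
  results[:core_class] = t.class          # ::Thread
  results[:core_value] = t.value          # block result, joined
  results[:core_kill]  = t.respond_to?(:kill)
  results[:bare_kill]  = Rex::Post::Thread.new.respond_to?(:kill)
  results
end

if __FILE__ == $0
  probe.each { |k, v| puts "#{k}: #{v.inspect}" }
end
```

The same shadowing applies to any other core constant referenced by a bare name from inside a deeply nested module (`Channel`, `Socket`, `File`) whenever a sibling namespace defines one with that name, so the cleanup path's `kill` call fails for the same reason the constructor does.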

sempervictus commented 12 years ago

Fixed in pull request 7