Open aconite33 opened 4 years ago
After working this problem with a co worker (@kerrymilan), figured out what the issue was. Since the encoding switch is turned on, it defaults to the x86/shikata_ga_nai, which breaks the x64 staging payload.
Setting the state encoding, for example:
set StageEncoder x64/xor
Will accept the x64 payload, however it will then break the x86. What is odd though, if you use a .exe format, then it will work for x64 .exe payloads (using the default x86/shikata_ga_nai). However, using the x32 .exe format and setting the encoder to x64/xor this will break the x86 .exe call back.
Definitely seems the root of the problem is that StageEncoder defaults to x86/shikata_ga_nai without first checking the architecture. (More or less shooting myself in the foot)
1) Looking at the call back, I can see the error on the wire is a SSL Error 2) Using x64.exe with the x86/shikata_ga_nai encoder works (Note, I was originally doing this with -f psh-cmd, but even setting the encoder to x64/xor it will still fail) 3) Using x32.exe with the x64/xor encoder does not work
Oh interesting! So this is an issue with the multi-listener only? That makes way more sense to me :)
Yeah, it was a really weird corner case. @kerrymilan was the one who pointed out the encoders. He fixed it up in the PR, which was pretty sweet because I thought you wouldn't be able to determine the arch before you get a full shell, apparently not.
Yeah for HTTP/S you can, because the UUID contains a platform/arch identifier 👍
Oh interesting! So this is an issue with the multi-listener only? That makes way more sense to me :)
I think the main issue is that StageEncoders don't check for arch compatibility. You can achieve the same failure by running set StageEncoder=x64/xor
alongside windows/meterpreter/reverse_https
, so it's not just an issue with the multi-listener.
You'd have to deliberately set those options in the case of windows/meterpreter
, though, while the defaults set in multi/meterpreter
can cause issues.
You can achieve the same failure by running set StageEncoder=x64/xor alongside windows/meterpreter/reverse_https, so it's not just an issue with the multi-listener.
Right that one throws me a bit. I thought we had stuff in place to make sure that staged encoders couldn't be selected if the arch didn't match. TIL!
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
I don't believe this issue has been fixed yet. I haven't reviewed this in awhile, but I don't believe this has been fixed.
Hi!
This issue has been left open with no activity for a while now.
We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Hi again!
It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.
As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.
Steps to reproduce
Generate x64 payload for Windows Powershell:
Execute in a window cmd and validate that a call back executes, but a full shell does not connect back. Looking at wireshark during connection, you can see a TLS alert 21, and then a reset of the connection.
Expected behavior
A full connection back using an x64 psh-cmd payload.
Current behavior
Connects back, but fails to complete a full connection.
System stuff
Metasploit version
I installed Metasploit with:
(I can replicate this on Kali linux as well)
OS
Running on Ubuntu18.04.4 LTS