rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Bugs associated with rservices modules - rsh_login/rlogin_login/rexec_login #17076

Closed cgranleese-r7 closed 1 year ago

cgranleese-r7 commented 2 years ago

These issues were found when implementing fixes for the rservices modules sessions. See #17073 for more context.

The following issues were spotted with rsh_login, rlogin_login, rexec_login:

Each issue will be broken down in subsections below.

Can't open multiple sessions

Example: [image]

Due to this change in rex-socket.

Original metasploit framework PR.

The bind method returns successfully when binding to port 1022, but will later fail in the connect method with a ::Errno::EADDRNOTAVAIL/::Errno::EADDRINUSE error - which is incorrectly treated as a destination/connection error.

Rexec module does not authenticate correctly

Example: [image]

The issue seems to be that "\x01" is being passed when it expects "\x00". Code being referred to: [image]

Steps to reproduce

See above examples.

Were you following a specific guide/tutorial or reading documentation?

Following docs for each corresponding module found at documentation/modules/auxiliary/scanner/rservices.

Expected behavior

Multiple sessions should be able to be opened. Rexec should authenticate properly.

Current behavior

Only one session can be open at a time or it crashes. Rexec doesn't authenticate properly.

Metasploit version

Framework: 6.2.20-dev-730746f873
Console  : 6.2.20-dev-730746f873

Module/Datastore

An error occurred when trying to build this section:

```
Failed to extract Datastore: NoMethodError - undefined method `empty?' for #"true", "loglevel"=>"3"}>
Call stack:
/Users/cgranleese/Documents/code/metasploit-framework/lib/msf/ui/debug.rb:349:in `add_hash_to_ini_group'
/Users/cgranleese/Documents/code/metasploit-framework/lib/msf/ui/debug.rb:125:in `datastore'
/Users/cgranleese/Documents/code/metasploit-framework/lib/msf/ui/debug.rb:102:in `all'
/Users/cgranleese/Documents/code/metasploit-framework/lib/msf/ui/console/command_dispatcher/core.rb:347:in `cmd_debug'
/Users/cgranleese/Documents/code/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:581:in `run_command'
/Users/cgranleese/Documents/code/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:530:in `block in run_single'
/Users/cgranleese/Documents/code/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `each'
/Users/cgranleese/Documents/code/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `run_single'
/Users/cgranleese/Documents/code/metasploit-framework/lib/rex/ui/text/shell.rb:162:in `run'
/Users/cgranleese/Documents/code/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/Users/cgranleese/Documents/code/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:23:in `'
```

Database Configuration

The database contains the following information:

```
Session Type: Connected to msf. Connection type: postgresql.
```

| ID | Hosts | Vulnerabilities | Notes | Services |
|-:|-:|-:|-:|-:|
| 1 **(Current)** | 7 | 4 | 19 | 6 |
| **Total (1)** | **7** | **4** | **19** | **6** |

History

The following commands were ran during the session and before this issue occurred:

```
2000 run
2001 set loglevel 3
2002 debug
```

Framework Errors

The following framework errors occurred before the issue occurred:


Web Service Errors

The following web service errors occurred before the issue occurred:

```
msf-ws.log does not exist.
```

Framework Logs

The following framework logs were recorded before the issue occurred:


Web Service Logs

The following web service logs were recorded before the issue occurred:

```
msf-ws.log does not exist.
```

Version/Install

The versions and install method of your Metasploit setup:

```
Framework: 6.2.20-dev-730746f873
Ruby: ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-darwin21]
OpenSSL: OpenSSL 1.1.1q 5 Jul 2022
Install Root: /Users/cgranleese/Documents/code/metasploit-framework
Session Type: Connected to msf. Connection type: postgresql.
Install Method: Git Clone
```

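
The two defects described in the report, as an added Ruby illustration that is not code from the issue or from the Metasploit rservices modules: a local-port error (`EADDRINUSE`/`EADDRNOTAVAIL` on the privileged source port, such as 1022) is separated from a genuine destination error and handled by moving to the next free privileged port, and the rexecd reply byte is interpreted with `"\x00"` meaning success and `"\x01"` meaning rejection. The privileged port range 512..1023 is assumed from the rsh/rlogin protocol, the reply convention from rexecd(8), and the `connect` callable and sample replies are constructed for the example.

```ruby
# rexecd reply convention (BSD rexecd(8)): a single 0x00 byte means the
# request was accepted; a 0x01 byte is followed by an error message
# terminated by a newline. Both replies below are constructed samples.
REXEC_OK     = "\x00".b
REXEC_DENIED = "\x01Login incorrect.\n".b

# Interpret the first byte of an rexecd reply; treating 0x01 as success is
# the authentication bug the report describes.
def parse_rexec_reply(reply)
  case reply.getbyte(0)
  when 0x00 then { status: :success, message: nil }
  when 0x01 then { status: :failed, message: reply[1..].chomp }
  else           { status: :protocol_error, message: "unexpected first byte #{reply.getbyte(0).inspect}" }
  end
end

# rsh/rlogin clients must originate from a privileged port (assumed 512..1023).
# With one session already open the same local port is taken, and the
# resulting error is a local-port problem, not a destination failure.
LOCAL_PORT_ERRORS  = [Errno::EADDRINUSE, Errno::EADDRNOTAVAIL].freeze
DESTINATION_ERRORS = [Errno::ECONNREFUSED, Errno::EHOSTUNREACH, Errno::ETIMEDOUT].freeze

def classify_socket_error(err)
  return :local_port_unavailable if LOCAL_PORT_ERRORS.any? { |k| err.is_a?(k) }
  return :destination_unreachable if DESTINATION_ERRORS.any? { |k| err.is_a?(k) }
  :other
end

# Walk privileged ports from +first+ down to +last+, calling the hypothetical
# +connect+ callable with each candidate source port. Only local-port errors
# cause a retry; destination errors propagate to the caller unchanged.
def connect_from_privileged_port(connect, first: 1023, last: 512)
  first.downto(last) do |port|
    begin
      return [port, connect.call(port)]
    rescue *LOCAL_PORT_ERRORS
      next # this source port belongs to another session; try the next one
    end
  end
  raise Errno::EADDRNOTAVAIL, 'no free privileged source port'
end
```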
github-actions[bot] commented 2 years ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] commented 1 year ago

Thanks for your contribution to Metasploit Framework! We've looked at this issue, and unfortunately we do not currently have the bandwidth to prioritize this issue.

We've labeled this as attic and closed it for now. If you believe this issue has been closed in error, or that it should be prioritized, please comment with additional information.