rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

setg doesn't change default LHOST #17107

Closed Crypto-Cat closed 1 year ago

Crypto-Cat commented 1 year ago

Steps to reproduce

How'd you do it?

  1. setg LHOST 10.10.10.10
  2. Select exploit, e.g. EternalRomance
  3. options

This section should also tell us any relevant information about the environment; for example, if an exploit that used to work is failing, tell us the victim operating system and service versions.

Were you following a specific guide/tutorial or reading documentation?

Following the setg instructions here: https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/

Expected behavior

Global variables should be set to the value provided, e.g. LHOST=10.10.10.10

Current behavior

Variables are set at their default values, e.g. LHOST=eth0-IP

Metasploit version

6.2.13-dev

Additional Information

Parrot OS 5.1 (Electro Ara) - tried multiple VMs (personal and HackTheBox PwnBox, both Parrot)

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

```
[framework/core]
LogLevel=3
LHOST=10.10.10.10
LPORT=1337

[framework/ui/console]
ActiveModule=exploit/windows/smb/ms17_010_eternalblue

[windows/smb/ms17_010_eternalblue]
CheckModule=auxiliary/scanner/smb/smb_ms17_010
EXITFUNC=thread
WfsDelay=5
WORKSPACE=
VERBOSE=false
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RHOSTS=
RPORT=445
SSL=false
SSLServerNameIndication=
SSLVersion=Auto
SSLVerifyMode=PEER
SSLCipher=
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
TCP::max_send_size=0
TCP::send_delay=0
SMBUser=
SMBPass=
SMBDomain=
VERIFY_TARGET=true
VERIFY_ARCH=true
ProcessName=spoolsv.exe
GroomAllocations=12
MaxExploitAttempts=3
GroomDelta=5
PAYLOAD=windows/x64/meterpreter/reverse_tcp
LHOST=192.168.177.195
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
PrependMigrate=false
PrependMigrateProc=
AutoLoadStdapi=true
AutoVerifySessionTimeout=30
InitialAutoRunScript=
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
MeterpreterDebugBuild=false
MeterpreterDebugLogging=
```

Database Configuration

The database contains the following information:

```
Session Type: postgresql selected, no connection
```

History

The following commands were run during the session and before this issue occurred:

```
0  set LogLevel 3
1  setg LHOST 10.10.10.10
2  search eternal
3  use 0
4  options
5  setg LHOST 10.10.10.10
6  options
7  setg LPORT 1337
8  options
9  search eternal
10 use 0
11 options
12 debug
```

Framework Errors

The following framework errors occurred before the issue occurred:

```
[10/04/2022 12:21:32] [e(0)] core: Failed to connect to the database: No database YAML file
[10/04/2022 12:21:33] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[10/04/2022 12:21:34] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[10/04/2022 12:21:35] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[10/04/2022 12:21:36] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
```

Web Service Errors

The following web service errors occurred before the issue occurred:

```
msf-ws.log does not exist.
```

Framework Logs

The following framework logs were recorded before the issue occurred:


Web Service Logs

The following web service logs were recorded before the issue occurred:

```
msf-ws.log does not exist.
```

Version/Install

The versions and install method of your Metasploit setup:

```
Framework: 6.2.13-dev
Ruby: ruby 2.7.4p191 (2021-07-07 revision a21a3b7d23) [x86_64-linux-gnu]
OpenSSL: OpenSSL 1.1.1k 25 Mar 2021
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
```

adfoster-r7 commented 1 year ago

From the debug output it looks like you've set the global rhosts value to 10.10.10.10, but you've also set the module's local datastore value to 192.168.177.195.

The module will only fall back to using the global setg datastore value if the module's local datastore hasn't been set.

Solution: Either run set rhosts 10.10.10.10 to update the local module datastore to a new rhost value, or run unset rhosts to remove the unexpected module datastore value, letting the module fall back to using the global datastore value.

Crypto-Cat commented 1 year ago

OK, so I just need to initially do setg lhost 10.10.10.10 and set lhost 10.10.10.10. Seems to work, thanks!

edit: Actually that doesn't work; still have to run unset LHOST every time I select a new exploit in order for it to use the global variable, which isn't particularly useful (just as quick to set LHOST each time) 😕

adfoster-r7 commented 1 year ago

If you initially do setg lhost 10.10.10.10 you should never need to call set lhost manually for each module.

I'll keep this open for a few more cycles until I confirm if there's an issue here :+1:

Crypto-Cat commented 1 year ago

Here's another example:

  1. msfconsole
  2. setg lhost 10.10.15.116
  3. select eternalblue exploit, has wrong LHOST
  4. unset lhost
  5. now it has the correct LHOST
  6. use a different exploit (doublepulsar), LHOST is still correct
  7. use a different exploit (backdoor/energizer_duo_payload), LHOST is back to default 192.168.x.x address, have to unset lhost to get back to the 10.10.x.x address
  8. use a different exploit (windows/smb/ms06_040_netapi) and it's back to 192.168.x.x address, need to unset lhost to correct it

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

```
[framework/core]
LogLevel=3
lhost=10.10.15.116

[framework/ui/console]
ActiveModule=exploit/windows/backdoor/energizer_duo_payload

[windows/backdoor/energizer_duo_payload]
WORKSPACE=
VERBOSE=false
WfsDelay=2
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RHOSTS=
RPORT=7777
SSL=false
SSLServerNameIndication=
SSLVersion=Auto
SSLVerifyMode=PEER
SSLCipher=
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
TCP::max_send_size=0
TCP::send_delay=0
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
PAYLOAD=windows/meterpreter/reverse_tcp
LHOST=192.168.177.195
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
PrependMigrate=false
PrependMigrateProc=
EXITFUNC=process
PayloadBindPort=
AutoLoadStdapi=true
AutoVerifySessionTimeout=30
InitialAutoRunScript=
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
MeterpreterDebugBuild=false
MeterpreterDebugLogging=
```

Database Configuration

The database contains the following information:

```
Session Type: postgresql selected, no connection
```

History

The following commands were run during the session and before this issue occurred:

```
32 set LogLevel 3
33 setg lhost 10.10.15.116
34 search eternal
35 use 0
36 options
37 unset LHOST
38 options
39 search pulsar
40 use 3
41 options
42 use exploit/windows/backdoor/energizer_duo_payload
43 options
44 debug
```

Framework Errors

The following framework errors occurred before the issue occurred:

```
[10/04/2022 12:21:32] [e(0)] core: Failed to connect to the database: No database YAML file
[10/04/2022 12:21:33] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[10/04/2022 12:21:34] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[10/04/2022 12:21:35] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[10/04/2022 12:21:36] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[10/04/2022 13:47:21] [e(0)] core: Failed to connect to the database: No database YAML file
[10/04/2022 13:47:22] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[10/04/2022 13:47:23] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[10/04/2022 13:47:24] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[10/04/2022 13:47:25] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
```

Web Service Errors

The following web service errors occurred before the issue occurred:

```
msf-ws.log does not exist.
```

Framework Logs

The following framework logs were recorded before the issue occurred:


Web Service Logs

The following web service logs were recorded before the issue occurred:

```
msf-ws.log does not exist.
```

Version/Install

The versions and install method of your Metasploit setup:

```
Framework: 6.2.13-dev
Ruby: ruby 2.7.4p191 (2021-07-07 revision a21a3b7d23) [x86_64-linux-gnu]
OpenSSL: OpenSSL 1.1.1k 25 Mar 2021
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
```

adfoster-r7 commented 1 year ago

Ah, so it looks like the logic for choosing the default payload for an exploit attempts to set the best LHOST based on the configured RHOST:

https://github.com/rapid7/metasploit-framework/blob/87fa4868ccf68edb36b1c5e3f4835f9712f569ae/lib/msf/ui/console/command_dispatcher/exploit.rb#L271-L282

The above logic completely ignores any existing globally set option for LHOST, and instead chooses the best routable IP for the set RHOST, or whatever IP it takes to route to 50.50.50.50.

I think most folk globally run setg rhost ..., and let lhost resolve itself automagically - so I've never run into this issue before either
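To make the precedence described in this thread concrete, here is an added example (not Metasploit's own code) that models the two rules at play: a module's local datastore shadows the global `setg` value until it is `unset`, and the LHOST chosen at module-selection time is derived from the route to RHOSTS (or to 50.50.50.50 when RHOSTS is unset) rather than from a global LHOST. The routing table, the `Datastore` class and `source_address` are constructed stand-ins; the `prefer_global:` switch is an assumption showing what the reporter expected, not a fix that exists in the framework.

```ruby
require 'ipaddr'

# Model of the msfconsole datastore lookup order: the module's local datastore
# wins, and only when a key is absent locally does the framework fall back to
# the global (setg) value. Constructed for this example, not framework code.
class Datastore
  attr_reader :global, :local

  def initialize(global = {}, local = {})
    @global = global.transform_keys(&:upcase)
    @local  = local.transform_keys(&:upcase)
  end

  # `set KEY VALUE` writes the module-local datastore.
  def set(key, value)
    @local[key.upcase] = value
  end

  # `setg KEY VALUE` writes the global datastore.
  def setg(key, value)
    @global[key.upcase] = value
  end

  # `unset KEY` removes only the local value, re-exposing the global one.
  def unset(key)
    @local.delete(key.upcase)
  end

  # Effective value as `options` would show it: local first, then global.
  def [](key)
    k = key.upcase
    @local.key?(k) ? @local[k] : @global[k]
  end
end

# Constructed routing table standing in for the OS routes. Each entry is
# [destination network, address of the interface that reaches it]: a VPN tun0
# on 10.10.0.0/16, a LAN adapter on 192.168.177.0/24, and a default route
# that also leaves via the LAN adapter.
ROUTES = [
  ['10.10.0.0/16',     '10.9.1.147'],
  ['192.168.177.0/24', '192.168.177.195'],
  ['0.0.0.0/0',        '192.168.177.195'],
].map { |net, src| [IPAddr.new(net), src] }

# Longest-prefix match: the source address the host would use to reach `dst`.
# Stand-in for Rex::Socket.source_address (assumption: the real call consults
# the kernel routing table; this one consults ROUTES).
def source_address(dst, routes = ROUTES)
  ip = IPAddr.new(dst)
  best = routes.select { |net, _| net.include?(ip) }
              .max_by { |net, _| net.prefix }
  best && best[1]
end

# LHOST picked once, when a module is selected. With prefer_global: false this
# mirrors the behaviour reported in the issue: a global LHOST is ignored and the
# address comes from the route to RHOSTS, or to the 50.50.50.50 probe when
# RHOSTS is unset. Because this runs at selection time, a `set rhosts` issued
# afterwards does not re-run it; a `setg rhosts` is already visible to the next
# module selected. prefer_global: true is the hypothetical "honour setg lhost"
# behaviour the reporter expected.
def default_lhost(ds, prefer_global: false, routes: ROUTES)
  return ds.local['LHOST'] if ds.local['LHOST']
  return ds.global['LHOST'] if prefer_global && ds.global['LHOST']
  probe = ds['RHOSTS'] || '50.50.50.50'
  source_address(probe, routes)
end
```

With only `setg lhost 10.10.10.10` the model yields 192.168.177.195 (the default route), and with `setg rhosts 10.10.10.100` it yields 10.9.1.147 via tun0, matching the two `options` outputs in this thread.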

Crypto-Cat commented 1 year ago

Hmmmm OK, that would be an equally good solution for me tbh but doesn't seem to be how it's working atm. When I set RHOST to 10.10.15.12, my LHOST still stays as 192.168.x.x, even though there is a tun0 adapter on the 10.10.15.x network 🤔

adfoster-r7 commented 1 year ago

I just ran through this when on a VPN with a tun0 adapter with a 10.10.0.0/16 network.

Running setg rhosts 10.10.10.100:

```
msf6 > setg rhosts 10.10.10.100
rhosts => 10.10.10.100
```

Verifying:

```
msf6 > setg

Global
======

  Name      Value
  ----      -----
  loglevel  3
  rhosts    10.10.10.100
```

Using a module I've not previously used to see lhost and rhost correctly set:

```
msf6 exploit(windows/http/netgear_nms_rce) > options

Module options (exploit/windows/http/netgear_nms_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.10.100     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Application path
   VHOST                       no        HTTP server virtual host

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.9.1.147       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   NETGEAR ProSafe Network Management System 300 / Windows
```

And I can verify the logic that it used to pick the default lhost from within msfconsole:

```
msf6 exploit(windows/http/netgear_nms_rce) > irb -e "puts active_module.datastore['RHOSTS']"
10.10.10.100
msf6 exploit(windows/http/netgear_nms_rce) > irb -e "puts Rex::Socket.source_address('10.10.10.100')"
10.9.1.147
```

adfoster-r7 commented 1 year ago

You can also set options inline which is handy for jumping around modules too, since you can use ctrl+r to search the history for your last run command, or use the up arrow a few times to get the previously run command:

```
run rhost=x.x.x.x lhost=x.x.x.x
```

That aside, I'll keep this issue open as it looks like a bug that should be fixed in the future :+1:

Crypto-Cat commented 1 year ago

Ah, the mistake I made was using set rhosts 10.10.x.x and expecting the LHOST to automatically switch to tun0.

I guess I need to do setg rhosts 10.10.x.x in order to ensure auto-selection of the correct adapter.

It would be good to have the setg lhost work when dealing with multiple RHOSTS but for my purposes (HTB), using setg rhosts will suffice.

Thanks 💜