rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

shell_to_meterpreter crashes through pivot network #5191

Closed nixawk closed 8 years ago

nixawk commented 9 years ago

[Lab env]

Attacker: 192.168.1.108 [Linux x64]
Victim01: 192.168.1.104 / 10.10.10.109 [Microsoft Windows 7 Home Premium SP1]
Victim02: 10.10.10.108 [Windows 2008 x64 Standard]


Now, we've got a meterpreter session from Victim01 (192.168.1.104), and reached Victim02 (10.10.10.108) through Victim01 (pivoting) like this:

msf post(shell_to_meterpreter) > sessions -l

Active sessions
===============

  Id  Type                   Information                                                                       Connection
  --  ----                   -----------                                                                       ----------
  6   meterpreter x86/win32  SECLAB\nfs @ SECLAB                                                               192.168.1.108:9999 -> 192.168.1.104:1426 (192.168.1.104)
  10  meterpreter x86/win32  SECLAB\nfs @ SECLAB                                                               192.168.1.108:10000 -> 192.168.1.104:1985 (192.168.1.104)
  12  meterpreter x86/win32  SECLAB\nfs @ SECLAB                                                               192.168.1.108:4443 -> 192.168.1.104:2247 (192.168.1.104)
  13  shell windows          Microsoft Windows [Version 6.0.6001] Copyright (c) 2006 Microsoft Corporation...  Local Pipe -> Remote Pipe (10.10.10.108)

After reading shell_to_meterpreter (or sessions -u SESSION_ID), we can upgrade the command shell to a meterpreter session.

msf post(shell_to_meterpreter) > sessions -u 13
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [13]

[*] Upgrading session: 13
[-] Post failed: Rex::ArgumentParseError The argument could not be parsed correctly.
[-] Call stack:
[-]   /home/notfound/sectools/metasploit-framework/lib/msf/core/data_store.rb:98:in `each'
[-]   /home/notfound/sectools/metasploit-framework/lib/msf/core/data_store.rb:98:in `import_options_from_s'
[-]   /home/notfound/sectools/metasploit-framework/lib/msf/base/simple/module.rb:25:in `_import_extra_options'
[-]   /home/notfound/sectools/metasploit-framework/lib/msf/base/simple/payload.rb:49:in `generate_simple'
[-]   /home/notfound/sectools/metasploit-framework/lib/msf/base/simple/payload.rb:138:in `generate_simple'
[-]   /home/notfound/sectools/metasploit-framework/modules/post/multi/manage/shell_to_meterpreter.rb:284:in `generate_payload'
[-]   /home/notfound/sectools/metasploit-framework/modules/post/multi/manage/shell_to_meterpreter.rb:95:in `run'

BINGO! shell_to_meterpreter crashes.

wchen-r7 commented 8 years ago

Let me see if I can reproduce this first...

wchen-r7 commented 8 years ago

Able to reproduce the backtrace:

[*] Upgrading session ID: 2
[-] Post failed: Rex::ArgumentParseError The argument could not be parsed correctly.
[-] Call stack:
[-]   /Users/wchen/rapid7/msf/lib/msf/core/data_store.rb:103:in `each'
[-]   /Users/wchen/rapid7/msf/lib/msf/core/data_store.rb:103:in `import_options_from_s'
[-]   /Users/wchen/rapid7/msf/lib/msf/base/simple/module.rb:25:in `_import_extra_options'
[-]   /Users/wchen/rapid7/msf/lib/msf/base/simple/payload.rb:49:in `generate_simple'
[-]   /Users/wchen/rapid7/msf/lib/msf/base/simple/payload.rb:138:in `generate_simple'
[-]   /Users/wchen/rapid7/msf/modules/post/multi/manage/shell_to_meterpreter.rb:344:in `generate_payload'
[-]   /Users/wchen/rapid7/msf/modules/post/multi/manage/shell_to_meterpreter.rb:123:in `run'

wchen-r7 commented 8 years ago

@join-us Good news and bad news. I'll give you the bad news first: There is no great solution to this problem. The good news is: it's easy to work around this problem. You just need to manually set the LHOST option, and in this case it should be your Victim01. However, this work-around only works for the post module.

Note that sessions -u is the same functionality as the post module, but since you cannot pass LHOST to the sessions command, you basically can't use it in a pivot. I have filed this problem as #6830.

There is no great solution because, first off, the shell_to_meterpreter post module only uses a reverse meterpreter - it requires an LHOST. The problem here is that when you use windows/shell/bind_tcp in a pivot, that LHOST literally says "Local Pipe", and not an actual IP, so you hit Rex::ArgumentParseError. If you use a windows/shell_reverse_tcp, it will give you an IP range, which isn't something you want for LHOST either.

There is also no way to inspect Victim02's session object and find Victim01's IP address, so this makes this problem difficult to solve.

My fix will just check LHOST and inform the user about the manual usage.
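The check wchen-r7 describes, as an added stand-alone example (this is not the post module's code and uses no Metasploit APIs): derive a candidate LHOST from a session's "Connection" column, reject the "Local Pipe" text of a pivoted bind session and any address range, and tell the user to set LHOST to the pivot host by hand. The connection-string format is assumed from the sessions -l output in this issue; the IP-range sample and the session table are constructed for the example.

```ruby
require 'ipaddr'

# Constructed session table, modelled on the "Connection" column above.
SESSIONS = {
  6  => '192.168.1.108:9999 -> 192.168.1.104:1426 (192.168.1.104)', # direct
  13 => 'Local Pipe -> Remote Pipe (10.10.10.108)',                 # pivoted
}.freeze

# Local endpoint of a direct session's connection string, or nil for a
# pivoted session. Assumed format: "LADDR:LPORT -> RADDR:RPORT (RADDR)",
# IPv4 only (an IPv6 literal would need bracket handling).
def local_endpoint(connection)
  m = connection.match(/\A(\S+):(\d+) -> \S+:\d+/)
  m ? m[1] : nil
end

# Classify a candidate LHOST: :ok for a single IP address, :range for CIDR
# notation (IPAddr would happily parse a network, so test for it first),
# :invalid for text such as "Local Pipe" that is not an address at all.
def classify_lhost(value)
  return :invalid if value.nil? || value.strip.empty?
  return :range if value.include?('/')
  IPAddr.new(value)
  :ok
rescue ArgumentError # IPAddr::InvalidAddressError is a subclass
  :invalid
end

# Decide whether a reverse payload can be generated for this session.
# Returns [lhost, nil] when usable, or [nil, message] with the manual step.
def resolve_lhost(connection, user_lhost = nil)
  candidate = user_lhost || local_endpoint(connection)
  case classify_lhost(candidate)
  when :ok
    [candidate, nil]
  when :range
    [nil, "LHOST #{candidate.inspect} is an address range; set LHOST to the pivot host's IP."]
  else
    [nil, "No usable LHOST for connection #{connection.inspect}; set LHOST to the pivot host's IP."]
  end
end

if __FILE__ == $PROGRAM_NAME
  SESSIONS.each do |id, conn|
    lhost, msg = resolve_lhost(conn)
    puts "session #{id}: #{lhost ? "LHOST=#{lhost}" : msg}"
  end
  # The workaround from the issue: supply Victim01's address explicitly.
  lhost, = resolve_lhost(SESSIONS[13], '192.168.1.104')
  puts "session 13 with manual LHOST: #{lhost}"
end
```

In msfconsole the manual step is the one wchen-r7 gives: `use post/multi/manage/shell_to_meterpreter`, `set SESSION 13`, `set LHOST 192.168.1.104`, then `run`, with the pivot host's IP rather than the attacker's.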