Closed nixawk closed 8 years ago
Let me see if I can reproduce this first...
Able to reproduce the backtrace:
[*] Upgrading session ID: 2
[-] Post failed: Rex::ArgumentParseError The argument could not be parsed correctly.
[-] Call stack:
[-] /Users/wchen/rapid7/msf/lib/msf/core/data_store.rb:103:in `each'
[-] /Users/wchen/rapid7/msf/lib/msf/core/data_store.rb:103:in `import_options_from_s'
[-] /Users/wchen/rapid7/msf/lib/msf/base/simple/module.rb:25:in `_import_extra_options'
[-] /Users/wchen/rapid7/msf/lib/msf/base/simple/payload.rb:49:in `generate_simple'
[-] /Users/wchen/rapid7/msf/lib/msf/base/simple/payload.rb:138:in `generate_simple'
[-] /Users/wchen/rapid7/msf/modules/post/multi/manage/shell_to_meterpreter.rb:344:in `generate_payload'
[-] /Users/wchen/rapid7/msf/modules/post/multi/manage/shell_to_meterpreter.rb:123:in `run'
@join-us Good news and bad news. I'll give you the bad news first: There is no great solution to this problem. The good news is: it's easy to work around this problem. You just need to manually set the LHOST option, and in this case it should be your Victim01. However, this work-around only works for the post module.
Note that sessions -u is also the same functionality as the post module, but since you cannot pass LHOST to the sessions command, you basically can't use it in a pivot. I have filed this problem as #6830.
There is no great solution because first off, the shell_to_meterpreter post module only uses a reverse meterpreter - it requires a LHOST. The problem here is that when you use windows/shell/bind_tcp in a pivot, that LHOST literally says "Local Pipe", and not an actual IP, so you hit Rex::ArgumentParseError. If you use a windows/shell_reverse_tcp, it will give you an IP range, which isn't something you want for LHOST either.
There is also no way to inspect Victim02's session object and find Victim01's IP address, so this makes this problem difficult to solve.
My fix will be just checking LHOST and inform the user about the manual usage.
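The pre-check described in the comment above, as an added stand-alone Ruby example; it is not the post module's code, not Metasploit's own option validation, and the function names and the sample values it is fed are assumptions. It classifies the LHOST value a pivoted session hands to the payload generator (the literal "Local Pipe" from a bind_tcp session, an address range from a reverse_tcp session, or a usable address) and prefers a manually set LHOST when one is given, so the module can tell the user to set LHOST instead of crashing in the datastore parser.

```ruby
require 'ipaddr'

# Classify a candidate LHOST value before it reaches the payload generator.
# Returns [:ok, host] for a single usable address, or [:reject, reason]
# with a message the module can print to the user.
# (Example code; the function and messages are assumptions, not the module's.)
def check_lhost(value)
  s = value.to_s.strip
  return [:reject, 'LHOST is empty; set LHOST manually to the pivot host'] if s.empty?

  # A reverse_tcp session pivoted over a route reports an address range
  # (first-last or CIDR); a listener needs exactly one address.
  if s.match?(/\A\d+\.\d+\.\d+\.\d+-\d+\.\d+\.\d+\.\d+\z/) || s.include?('/')
    return [:reject, "LHOST '#{s}' is a range, not a single address; set LHOST manually to the pivot host"]
  end

  begin
    ip = IPAddr.new(s)
  rescue ArgumentError
    # A bind_tcp session pivoted over a route reports the literal string
    # "Local Pipe" instead of an address, which is what the parser chokes on.
    return [:reject, "LHOST '#{s}' is not an IP address (pivoted bind sessions report 'Local Pipe'); set LHOST manually to the pivot host"]
  end

  [:ok, ip.to_s]
end

# Pick the LHOST to use: a value the user set explicitly wins, otherwise
# fall back to what the session reports and validate that.
def resolve_lhost(session_reported, user_set = nil)
  return check_lhost(user_set) unless user_set.to_s.strip.empty?
  check_lhost(session_reported)
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample inputs mirroring the three cases from the thread.
  samples = {
    'bind_tcp pivot'         => ['Local Pipe', nil],
    'reverse_tcp pivot'      => ['10.10.10.0-10.10.10.255', nil],
    'manual LHOST workaround' => ['Local Pipe', '10.10.10.109']
  }
  samples.each do |label, (reported, manual)|
    status, detail = resolve_lhost(reported, manual)
    puts "#{label}: #{status} -> #{detail}"
  end
end
```

In the lab from this thread the manual value would be Victim01's inside address, 10.10.10.109, since that is the interface Victim02 can reach back to.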
[Lab env]
Attacker: 192.168.1.108 [Linux x64]
Victim01: 192.168.1.104 / 10.10.10.109 [Microsoft Windows 7 Home Premium SP1]
Victim02: 10.10.10.108 [Windows 2008 x64 standard ]
Now we've got a meterpreter session from Victim01 (192.168.1.104), and reached Victim02 (10.10.10.108) through Victim01 (pivoting) like this:
After reading shell_to_meterpreter or (sessions -u SESSION_ID), we can get the command shell to a meterpreter session.
BINGO! shell_to_meterpreter crashes.