Closed PhilipWerlau closed 7 years ago
Have had similar :o
Observed the same behavior. Could it be caused by robots hitting the handler and somehow breaking it ?
@valerianrossigneux Are you ok with tracking this issue here, instead of the new issue you created? in #7513
cc @OJ @bperry-r7 - since you guys are working pretty deep on Met* right now. Any ideas?
@mubix yes sorry poor bug creation hygiene on my side, let's track it here as it is more comprehensive.
I've created a simple script to track when it fails without having too much crazy happen on the handler side (I like my logs clean). It's pretty jenky but it gets the job done. I'm curious how long it is before it breaks. See if we can get a consensus going "mean time to failure"
#!/usr/bin/env ruby
require 'net/smtp'
def issue_alert
thetimeitfailed = Time.now
message = <<MESSAGE_END
From: HANDLERCHECKIN <root@metasploithandler>
To: Rob Fuller <mubix@hak5.org>
Subject: Handler Checkin
The handler failed at #{thetimeitfailed}
MESSAGE_END
Net::SMTP.start('localhost') do |smtp|
smtp.send_message message, 'root@metasploithandler',
'mubix@hak5.org'
end
puts "[-] Handler failed at #{thetimeitfailed}"
end
def do_test
result = %x[timeout 3 openssl s_client -showcerts -connect MyHandlerIPAddressHere:443 2>&1]
if result =~ /MetasploitCertificateOutputRegexHere/
print "[*] Handler still active - #{Time.now}\r"
$stdout.flush
return true
else
issue_alert
return false
end
end
test = true
puts "[*] Beginning Test..."
loop do
test = do_test
break if test == false
select(nil,nil,nil,5)
end
I'm grabbing PCAPs while I wait for the handlers to fail. I have one clean PCAP already (small amount of packets) - I'm waiting for the handler to fail again to do some kind of comparison one what might be causing it
I've seen this a bit in the field as well. Thanks for the repro script @mubix, I'm still hoping to get to this soon.
Any lead on the pcap-of-death @mubix ?
I believe we fixed this with https://github.com/rapid7/rex-socket/pull/1 . There could be even better fixes by handling the accept processing in a thread or not blocking in the first place. If anyone can reproduce with the latest release, would love to hear about it.
Hi, I'm on Kali Linux, how do I get this update ? Can I get it through apt-get ?
We haven't tagged 4.13.1 yet, which is the next release that will have this fix.
You'd need to be running the git version or nightly builds.
thanks, what is the ETA for that ?
Every Friday at noon CST. Are you able to hit the issue reliably in your environment?
Yes it's quite consistent, after 3-4 days usually I cannot connect anymore and I have to restart the listener.
@busterb thanks for looking into this, I will post if I run into it again
How do you install 4.13.2 on Kali ? Should I add some apt resources ? Mine says: metasploit-framework is already the newest version (4.13.0-0kali1)
You have to download or clone directly from the git repo
Setup
Using Armitage
Resource script
To summarize, I have 3 reverse HTTPS listeners listening on the same LHOST and LPORT but different LURI. I have a custom made module called "dropper" which is just a simple web server and a SOCKS4a server running. Meterpreter is installed on the victim machine via USB Rubber Ducky which uses powershell to download the primary payload from the dropper module. The payload contains the meterpreter shellcode and a modified version of the Powersploit shellcode injector, which proceeds to inject the shellcode into explorer.exe.
Steps to reproduce
Unknown. Everything functions properly for an undetermined period of time. Active connections are made to the listeners and I am able to interact with them as expected. Randomly the listeners will stop accepting connections. Occasionally I will see one last session attempt to connect only to be closed for being invalid. Metasploit will show no indication that anything is wrong. The jobs list still show them as running, as does the threads list. The web server also still works, serving the payload as expected.
I've tried to replicate the problem, but have had no luck. The last time it happened after ~3 hours of uptime and handling 4 sessions. The time before that it happened after 5 days of uptime and handling over 40 sessions. I also noticed netstat showed a lot of the no longer active sessions still had established connections.
Error Log Snippets
Info
Metasploit version: 4.12.12-dev
OS: Linux k 4.5.0-kali1-amd64 #1 SMP Debian 4.5.5.-1kali1 (2016-06-06) x86_64 GNU/Linux