rapid7 / metasploit-payloads

Unified repository for different Metasploit Framework payloads

Meterpreter crashes with repeated connections in `portfwd` #280

Open asoto-r7 opened 6 years ago

asoto-r7 commented 6 years ago

In my testing, as little as 5 repeated connections, spaced apart by 5 seconds, caused x64 Meterpreter to crash.

It's possible this is related to some Meterpreter issues with portfwd, but I have no evidence to support/contradict that theory yet.

Steps to reproduce

  1. Drop a windows/x64/meterpreter/bind_tcp payload, in my case on a Windows 10 x64 target (fully patched).

  2. In msfconsole, run handler -p windows/x64/meterpreter/bind_tcp -H TARGET_IP_ADDRESS -P 4444

  3. Setup a forwarded port, in my case to rapid7.com: sessions -C 'portfwd add -r 52.85.208.191 -p 80 -l 8000'

  4. In a new terminal, set netcat to slowly simmer: i=1; while true; do echo -n "ATTEMPT $i: "; nc -zn 127.0.0.1 8000; sleep 5; let i=$i+1; echo; done

  5. Wait for Meterpreter session 1 closed. Reason: Died.

Note: Ignore the tracebacks, they're part of the above, cited Meterpreter issue:

Potentially unrelated tracebacks:

```
/Users/asoto/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:323:in `pack': no implicit conversion of nil into Integer (TypeError)
# terminated with exception (report_on_exception is true):
Traceback (most recent call last):
    17: from /Users/asoto/git/r7/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'
    16: from /Users/asoto/git/r7/metasploit-framework/lib/rex/thread_factory.rb:22:in `block in spawn'
    15: from /Users/asoto/.rbenv/versions/2.5.1/lib/ruby/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/socket_abstraction.rb:121:in `block in monitor_rsock'
    14: from /Users/asoto/.rbenv/versions/2.5.1/lib/ruby/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/socket_abstraction.rb:121:in `loop'
    13: from /Users/asoto/.rbenv/versions/2.5.1/lib/ruby/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/socket_abstraction.rb:188:in `block (2 levels) in monitor_rsock'
    12: from /Users/asoto/git/r7/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb:90:in `close_write'
    11: from /Users/asoto/git/r7/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb:106:in `shutdown'
    10: from /Users/asoto/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:172:in `send_request'
     9: from /Users/asoto/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:200:in `send_packet_wait_response'
     8: from /Users/asoto/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:133:in `send_packet'
     7: from /Users/asoto/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:823:in `to_r'
     6: from /Users/asoto/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:823:in `call'
     5: from /Users/asoto/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:595:in `to_r'
     4: from /Users/asoto/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:453:in `each'
     3: from /Users/asoto/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:453:in `each'
     2: from /Users/asoto/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:596:in `block in to_r'
     1: from /Users/asoto/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:323:in `to_r'
/Users/asoto/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:323:in `pack': no implicit conversion of nil into Integer (TypeError)
# terminated with exception (report_on_exception is true):
Traceback (most recent call last):
    7: from /Users/asoto/git/r7/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'
    6: from /Users/asoto/git/r7/metasploit-framework/lib/rex/thread_factory.rb:22:in `block in spawn'
    5: from /Users/asoto/.rbenv/versions/2.5.1/lib/ruby/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/socket_abstraction.rb:121:in `block in monitor_rsock'
    4: from /Users/asoto/.rbenv/versions/2.5.1/lib/ruby/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/socket_abstraction.rb:121:in `loop'
    3: from /Users/asoto/.rbenv/versions/2.5.1/lib/ruby/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/socket_abstraction.rb:188:in `block (2 levels) in monitor_rsock'
    2: from /Users/asoto/git/r7/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb:90:in `close_write'
    1: from /Users/asoto/git/r7/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb:106:in `shutdown'
```
asoto-r7 commented 6 years ago

I recreated this in a fresh environment and it's still happening. I also get a traceback in msfconsole which conveniently duplicates #10160, so we'll ignore that.

Also, I get a traceback after Meterpreter dies, which may be an after-effect and not anything actually helpful. But just in case:

```
msf5 exploit(windows/license/sentinel_lm7_udp) > [*] 192.168.1.11 - Meterpreter session 3 closed.  Reason: Died
Interrupt: use the 'exit' command to quit
msf5 exploit(windows/license/sentinel_lm7_udp) > #<Thread:0x00007f7ed0729498@/home/administrator/git/r7/metasploit-framework/lib/msf/core/thread_manager.rb:93 run> terminated with exception (report_on_exception is true):
Traceback (most recent call last):
    7: from /home/administrator/git/r7/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'
    6: from /home/administrator/git/r7/metasploit-framework/lib/rex/thread_factory.rb:22:in `block in spawn'
    5: from /var/lib/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/socket_abstraction.rb:121:in `block in monitor_rsock'
    4: from /var/lib/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/socket_abstraction.rb:121:in `loop'
    3: from /var/lib/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/socket_abstraction.rb:188:in `block (2 levels) in monitor_rsock'
    2: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb:90:in `close_write'
    1: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb:106:in `shutdown'
/home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:177:in `send_request': Operation timed out. (Rex::TimeoutError)
```
asoto-r7 commented 6 years ago

TL;DR: This is still an issue.

  1. Run on attacker VM:

```
msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=ATTACKER_IP_ADDRESS -f exe -o bind_tcp_192.168.199.134_4444.exe
msfconsole -qx "handler -p windows/x64/meterpreter/bind_tcp -H TARGET_IP_ADDRESS -P 4444; background; sessions -C 'portfwd add -r 216.146.43.71 -p 80 -l 8000'"
```

  2. Launch the bind_tcp payload on a Win10 x64 box.

  3. On another terminal on the attacker box:

```
while true; do curl 127.0.0.1:8000; sleep 1; done
```

  4. Observe the above traceback.


ADDENDUM: In addition to the above traceback (which just kills the remote Meterpreter process and reports a timeout), we have another exception if the address we're trying to connect to doesn't respond:

```
#<Thread:0x00007f1b980b16b0@/home/administrator/git/r7/metasploit-framework/lib/msf/core/thread_manager.rb:93 run> terminated with exception (report_on_exception is true):
Traceback (most recent call last):
    17: from /home/administrator/git/r7/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'
    16: from /home/administrator/git/r7/metasploit-framework/lib/rex/thread_factory.rb:22:in `block in spawn'
    15: from /var/lib/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/socket_abstraction.rb:121:in `block in monitor_rsock'
    14: from /var/lib/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/socket_abstraction.rb:121:in `loop'
    13: from /var/lib/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/socket_abstraction.rb:188:in `block (2 levels) in monitor_rsock'
    12: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb:90:in `close_write'
    11: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb:106:in `shutdown'
    10: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:172:in `send_request'
     9: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:200:in `send_packet_wait_response'
     8: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:133:in `send_packet'
     7: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:823:in `to_r'
     6: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:823:in `call'
     5: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:595:in `to_r'
     4: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:453:in `each'
     3: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:453:in `each'
     2: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:596:in `block in to_r'
     1: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:323:in `to_r'
/home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:323:in `pack': no implicit conversion of nil into Integer (TypeError)
```
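The tracebacks in this thread (the first comment and the addendum above) all end in `Array#pack` raising `TypeError: no implicit conversion of nil into Integer` while a TLV request for a channel shutdown is being serialised. The following Ruby is an added illustration and is not code from metasploit-framework or metasploit-payloads: a minimal TLV-style encoder in the spirit of the Meterpreter packet format, showing how a nil field reaches `pack` and produces exactly that error class, beside a guarded variant that fails early with a descriptive message. The TLV type numbers, the method name string and the scenario of a channel id that is already nil when the request is built are assumptions for the example; the thread does not establish why the value is nil in the real bug.

```ruby
# Added illustration, not metasploit-framework code: a toy TLV encoder
# demonstrating how a nil value turns into the TypeError raised from
# Array#pack in the tracebacks above, and how a guard surfaces it earlier.

TLV_TYPE_METHOD     = 1    # hypothetical type number for this example
TLV_TYPE_CHANNEL_ID = 50   # hypothetical type number for this example

# Unguarded encoder: 4-byte length, 4-byte type, then the value.
# Strings are NUL-terminated; anything else is assumed to be an Integer
# and handed straight to pack('N'). With value == nil that is
# [nil].pack('N'), which raises TypeError from inside pack, the same
# shape of failure as packet.rb:323 in the tracebacks.
def encode_tlv_unguarded(type, value)
  raw = value.is_a?(String) ? value + "\x00" : [value].pack('N')
  [raw.bytesize + 8, type].pack('NN') + raw
end

# Guarded encoder: reject nil and other non-encodable values up front
# with an error that names the offending TLV type.
def encode_tlv(type, value)
  raw =
    case value
    when Integer then [value].pack('N')
    when String  then value + "\x00"
    when nil     then raise ArgumentError, "TLV type #{type}: value is nil (channel already torn down?)"
    else              raise ArgumentError, "TLV type #{type}: cannot encode #{value.class}"
    end
  [raw.bytesize + 8, type].pack('NN') + raw
end

# Build a shutdown-style request for a channel with the given encoder.
# channel_id may be nil if the channel was closed and its id cleared
# before the request was built (an assumed scenario, not one this issue
# confirms). The method name is illustrative.
def build_shutdown_request(channel_id, encoder = method(:encode_tlv))
  encoder.call(TLV_TYPE_METHOD, 'stdapi_net_socket_tcp_shutdown') +
    encoder.call(TLV_TYPE_CHANNEL_ID, channel_id)
end

# Return the exception class raised while building the request, or nil
# when encoding succeeds, so the two encoders can be compared directly.
def failure_class(channel_id, encoder)
  build_shutdown_request(channel_id, encoder)
  nil
rescue StandardError => e
  e.class
end

if __FILE__ == $PROGRAM_NAME
  puts build_shutdown_request(7).unpack1('H*')
  p failure_class(nil, method(:encode_tlv_unguarded))  # TypeError, raised from pack
  p failure_class(nil, method(:encode_tlv))            # ArgumentError, raised by the guard
end
```

Run it as a plain Ruby script; no Metasploit installation is needed. The point of the comparison is diagnostic: a `TypeError` from deep inside `pack` tells you only that something was nil, whereas a check at the encoder boundary tells you which field, which is the information missing from the tracebacks in this issue.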