rapid7 / metasploit-payloads

Unified repository for different Metasploit Framework payloads

Extensions: incognito: incognito_list_tokens memory leak #584

Closed bcoles closed 2 years ago

bcoles commented 2 years ago

There's a leak somewhere in client.incognito.incognito_list_tokens and each invocation uses more memory than the last. This quickly becomes apparent after 10 executions as whatever is being leaked increases more than double with each execution.

To reproduce, run the following in a local exploit module context or post module context multiple times:

  def exploit
    client.core.use('incognito')               # load the incognito extension into the session
    client.incognito.incognito_list_tokens(0)  # 0 = tokens ordered by user
    client.incognito.incognito_list_tokens(1)  # 1 = tokens ordered by group
  end

# or run this once:

  def exploit
    client.core.use('incognito')
    20.times do                                # repeated calls make the growth obvious
      client.incognito.incognito_list_tokens(0)
      client.incognito.incognito_list_tokens(1)
    end
  end

On a Windows Server 2008 SP1 (x64) system with 1 CPU core and 1GB RAM, running the above 13 times will use 500MB+ of memory, eventually rendering the session mostly inoperable.


[*] Sending stage (200774 bytes) to 192.168.200.218
[*] Meterpreter session 20 opened (192.168.200.130:1337 -> 192.168.200.218:56622) at 2022-08-27 22:56:14 -0400

msf6 exploit(windows/local/test) > set session 20
session => 20
msf6 exploit(windows/local/test) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/test) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/test) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/test) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/test) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/test) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/test) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/test) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/test) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/test) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/test) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/test) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/test) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/test) > sessions -i 20
[*] Starting interaction with 20...

meterpreter > getuid
Server username: CORP\user
meterpreter > 
Background session 20? [y/N]  
msf6 exploit(windows/local/test) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] Exploit completed, but no session was created.
msf6 exploit(windows/local/test) > sessions -i 20
[*] Starting interaction with 20...

meterpreter > getuid
Server username: CORP\user
meterpreter > 
Background session 20? [y/N]  

msf6 exploit(windows/local/test) > 
msf6 exploit(windows/local/test) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
^C[-] Exploit failed [user-interrupt]: Interrupt 
[-] run: Interrupted
msf6 exploit(windows/local/test) > sessions -i 20
[*] Starting interaction with 20...

meterpreter > getuid
^C[-] Error running command getuid: Interrupt 
meterpreter > sysinfo 
^C[-] Error running command sysinfo: Interrupt 
meterpreter > pwd
C:\Users\user\Desktop
meterpreter > ls
Listing: C:\Users\user\Desktop
==============================

Mode              Size   Type  Last modified              Name
----              ----   ----  -------------              ----
100666/rw-rw-rw-  282    fil   2022-07-21 06:31:40 -0400  desktop.ini
100777/rwxrwxrwx  7168   fil   2022-07-21 21:51:19 -0400  reverse.shell.x64.1338.exe
100777/rwxrwxrwx  73802  fil   2022-07-21 06:43:36 -0400  reverse.shell.x86.1338.exe
100777/rwxrwxrwx  7168   fil   2022-07-21 06:44:11 -0400  reverse.x64.1337.exe
100777/rwxrwxrwx  73802  fil   2022-07-21 06:44:00 -0400  reverse.x86.1337.exe

meterpreter > getuid
[-] Error running command getuid: Rex::TimeoutError Operation timed out.
meterpreter > 
bcoles commented 2 years ago

This issue can also be reproduced by running list_tokens from within a Meterpreter session, although memory usage increases gradually rather than doubling.

meterpreter > load incognito
Loading extension incognito...Success.
meterpreter > list_tokens -g
[...]
meterpreter > list_tokens -g
[...]
meterpreter > list_tokens -g
[...]
meterpreter > list_tokens -g
[...]
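A small measurement harness for confirming, and later regression-testing, a per-call leak like the one in both comments above; it is added here as an example and is not code from metasploit-payloads or from the reporter. The `read_rss` and `invoke` procs are hypothetical hooks the caller supplies (in a module context, `invoke` would wrap the `incognito_list_tokens` call and `read_rss` a memory reading for the session process), and the simulation at the bottom is constructed input. `monotonic_leak?` captures the gradual growth seen from the Meterpreter prompt, `superlinear?` the doubling seen from a module context.

```ruby
# Example harness (not metasploit-payloads code) for quantifying a per-call leak.
# `read_rss` and `invoke` are hypothetical procs supplied by the caller.
class LeakProbe
  attr_reader :samples

  def initialize(read_rss:, invoke:)
    @read_rss = read_rss   # -> Integer: bytes currently used by the target process
    @invoke   = invoke     # -> the operation suspected of leaking
    @samples  = []
  end

  # Run the operation `iterations` times, sampling memory after every call.
  def run(iterations)
    @samples = [@read_rss.call]
    iterations.times do
      @invoke.call
      @samples << @read_rss.call
    end
    self
  end

  # Bytes gained by each individual call.
  def deltas
    @samples.each_cons(2).map { |before, after| after - before }
  end

  # Every call grew memory and none released it: the gradual growth seen when
  # list_tokens is run repeatedly from a Meterpreter prompt.
  def monotonic_leak?
    !deltas.empty? && deltas.all?(&:positive?)
  end

  # Ratio of each call's cost to the previous call's cost.
  def growth_ratios
    deltas.each_cons(2).map { |a, b| a.zero? ? Float::INFINITY : b.to_f / a }
  end

  # Each call costs at least `factor` times the one before it: the doubling
  # reported for incognito_list_tokens from a module context.
  def superlinear?(factor = 2.0)
    monotonic_leak? && growth_ratios.all? { |r| r >= factor }
  end
end

# Constructed stand-in for a session whose per-call cost doubles every time.
def simulate_doubling_leak(iterations)
  rss  = 50 * 1024 * 1024   # pretend 50 MB baseline
  cost = 1024 * 1024        # first call leaks 1 MB, then 2 MB, 4 MB, ...
  LeakProbe.new(read_rss: -> { rss }, invoke: -> { rss += cost; cost *= 2 }).run(iterations)
end
```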