setg doesn't change default LHOST #17107

Closed
Crypto-Cat opened this issue Oct 4, 2022 · 9 comments · Fixed by #17157
Labels
bug confirmed Issues confirmed by a committer

Comments

@Crypto-Cat

Steps to reproduce

How'd you do it?

  1. setg LHOST 10.10.10.10
  2. Select exploit, e.g. EternalRomance
  3. options

This section should also tell us any relevant information about the
environment; for example, if an exploit that used to work is failing,
tell us the victim operating system and service versions.

Were you following a specific guide/tutorial or reading documentation?

Following the setg instructions here: https://www.offensive-security.com/metasploit-unleashed/msfconsole-commands/

Expected behavior

Global variables should be set to the value provided, e.g. LHOST=10.10.10.10

Current behavior

Variables are set at their default values, e.g. LHOST=eth0-IP

Metasploit version

6.2.13-dev

Additional Information

Parrot OS 5.1 (Electro Ara) - tried multiple VMs (personal and HackTheBox PwnBox, both Parrot)

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

[framework/core]
LogLevel=3
LHOST=10.10.10.10
LPORT=1337

[framework/ui/console]
ActiveModule=exploit/windows/smb/ms17_010_eternalblue

[windows/smb/ms17_010_eternalblue]
CheckModule=auxiliary/scanner/smb/smb_ms17_010
EXITFUNC=thread
WfsDelay=5
WORKSPACE=
VERBOSE=false
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RHOSTS=
RPORT=445
SSL=false
SSLServerNameIndication=
SSLVersion=Auto
SSLVerifyMode=PEER
SSLCipher=
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
TCP::max_send_size=0
TCP::send_delay=0
SMBUser=
SMBPass=
SMBDomain=
VERIFY_TARGET=true
VERIFY_ARCH=true
ProcessName=spoolsv.exe
GroomAllocations=12
MaxExploitAttempts=3
GroomDelta=5
PAYLOAD=windows/x64/meterpreter/reverse_tcp
LHOST=192.168.177.195
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
PrependMigrate=false
PrependMigrateProc=
AutoLoadStdapi=true
AutoVerifySessionTimeout=30
InitialAutoRunScript=
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
MeterpreterDebugBuild=false
MeterpreterDebugLogging=

Database Configuration

The database contains the following information:

Session Type: postgresql selected, no connection

History

The following commands were ran during the session and before this issue occurred:

0      set LogLevel 3
1      setg LHOST 10.10.10.10
2      search eternal
3      use 0
4      options
5      setg LHOST 10.10.10.10
6      options
7      setg LPORT 1337
8      options
9      search eternal
10     use 0
11     options
12     debug

Framework Errors

The following framework errors occurred before the issue occurred:

[10/04/2022 12:21:32] [e(0)] core: Failed to connect to the database: No database YAML file
[10/04/2022 12:21:33] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[10/04/2022 12:21:34] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[10/04/2022 12:21:35] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[10/04/2022 12:21:36] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported

Web Service Errors

The following web service errors occurred before the issue occurred:

msf-ws.log does not exist.

Framework Logs

The following framework logs were recorded before the issue occurred:

[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/bind_tcp_rc4 with windows/smb/ms17_010_eternalblue]: tunnel to bind
[10/04/2022 12:24:02] [d(1)] core: Module windows/x64/vncinject/bind_tcp_rc4 is compatible with windows/smb/ms17_010_eternalblue
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/bind_tcp_uuid with windows/smb/ms17_010_eternalblue]: reverse to bind
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/bind_tcp_uuid with windows/smb/ms17_010_eternalblue]: bind to bind
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/bind_tcp_uuid with windows/smb/ms17_010_eternalblue]: noconn to bind
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/bind_tcp_uuid with windows/smb/ms17_010_eternalblue]: none to bind
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/bind_tcp_uuid with windows/smb/ms17_010_eternalblue]: tunnel to bind
[10/04/2022 12:24:02] [d(1)] core: Module windows/x64/vncinject/bind_tcp_uuid is compatible with windows/smb/ms17_010_eternalblue
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/smb/ms17_010_eternalblue]: reverse to tunnel
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/smb/ms17_010_eternalblue]: bind to tunnel
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/smb/ms17_010_eternalblue]: noconn to tunnel
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/smb/ms17_010_eternalblue]: none to tunnel
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_http with windows/smb/ms17_010_eternalblue]: tunnel to tunnel
[10/04/2022 12:24:02] [d(1)] core: Module windows/x64/vncinject/reverse_http is compatible with windows/smb/ms17_010_eternalblue
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/smb/ms17_010_eternalblue]: reverse to tunnel
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/smb/ms17_010_eternalblue]: bind to tunnel
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/smb/ms17_010_eternalblue]: noconn to tunnel
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/smb/ms17_010_eternalblue]: none to tunnel
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_https with windows/smb/ms17_010_eternalblue]: tunnel to tunnel
[10/04/2022 12:24:02] [d(1)] core: Module windows/x64/vncinject/reverse_https is compatible with windows/smb/ms17_010_eternalblue
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/smb/ms17_010_eternalblue]: reverse to reverse
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/smb/ms17_010_eternalblue]: bind to reverse
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/smb/ms17_010_eternalblue]: noconn to reverse
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/smb/ms17_010_eternalblue]: none to reverse
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp with windows/smb/ms17_010_eternalblue]: tunnel to reverse
[10/04/2022 12:24:02] [d(1)] core: Module windows/x64/vncinject/reverse_tcp is compatible with windows/smb/ms17_010_eternalblue
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/smb/ms17_010_eternalblue]: reverse to reverse
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/smb/ms17_010_eternalblue]: bind to reverse
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/smb/ms17_010_eternalblue]: noconn to reverse
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/smb/ms17_010_eternalblue]: none to reverse
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_rc4 with windows/smb/ms17_010_eternalblue]: tunnel to reverse
[10/04/2022 12:24:02] [d(1)] core: Module windows/x64/vncinject/reverse_tcp_rc4 is compatible with windows/smb/ms17_010_eternalblue
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/smb/ms17_010_eternalblue]: reverse to reverse
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/smb/ms17_010_eternalblue]: bind to reverse
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/smb/ms17_010_eternalblue]: noconn to reverse
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/smb/ms17_010_eternalblue]: none to reverse
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_tcp_uuid with windows/smb/ms17_010_eternalblue]: tunnel to reverse
[10/04/2022 12:24:02] [d(1)] core: Module windows/x64/vncinject/reverse_tcp_uuid is compatible with windows/smb/ms17_010_eternalblue
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/smb/ms17_010_eternalblue]: reverse to tunnel
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/smb/ms17_010_eternalblue]: bind to tunnel
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/smb/ms17_010_eternalblue]: noconn to tunnel
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/smb/ms17_010_eternalblue]: none to tunnel
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttp with windows/smb/ms17_010_eternalblue]: tunnel to tunnel
[10/04/2022 12:24:02] [d(1)] core: Module windows/x64/vncinject/reverse_winhttp is compatible with windows/smb/ms17_010_eternalblue
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/smb/ms17_010_eternalblue]: reverse to tunnel
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/smb/ms17_010_eternalblue]: bind to tunnel
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/smb/ms17_010_eternalblue]: noconn to tunnel
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/smb/ms17_010_eternalblue]: none to tunnel
[10/04/2022 12:24:02] [d(3)] core: Checking compat [windows/x64/vncinject/reverse_winhttps with windows/smb/ms17_010_eternalblue]: tunnel to tunnel
[10/04/2022 12:24:02] [d(1)] core: Module windows/x64/vncinject/reverse_winhttps is compatible with windows/smb/ms17_010_eternalblue

Web Service Logs

The following web service logs were recorded before the issue occurred:

msf-ws.log does not exist.

Version/Install

The versions and install method of your Metasploit setup:

Framework: 6.2.13-dev
Ruby: ruby 2.7.4p191 (2021-07-07 revision a21a3b7d23) [x86_64-linux-gnu]
OpenSSL: OpenSSL 1.1.1k  25 Mar 2021
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify
@Crypto-Cat Crypto-Cat added the bug label Oct 4, 2022
@adfoster-r7
Contributor

From the debug output it looks like you've set the global rhosts value to 10.10.10.10, but you've also set the module's local datastore value to 192.168.177.195.

The module will only fallback to using the global setg datastore value if the module's local datastore hasn't been set

Solution: Either run set rhosts 10.10.10.10 to update the local module datastore to a new rhost value, or run unset rhosts to remove the unexpected module datastore value - letting the module fall back to using the global datastore value

@Crypto-Cat
Author

Crypto-Cat commented Oct 4, 2022

OK, so I just need to initially do setg lhost 10.10.10.10 and set lhost 10.10.10.10. Seems to work, thanks!

edit: Actually that doesn't work; still have to run unset LHOST every time I select a new exploit in order for it to use the global variable, which isn't particularly useful (just as quick to set LHOST each time) 😕

@adfoster-r7
Contributor

If you initially do setg lhost 10.10.10.10 you should never need to call set lhost manually for each module.

I'll keep this open for a few more cycles until I confirm if there's an issue here 👍

@adfoster-r7 adfoster-r7 reopened this Oct 4, 2022
@Crypto-Cat
Author

Here's another example:

  1. msfconsole
  2. setg lhost 10.10.15.116
  3. select eternalblue exploit, has wrong LHOST
  4. unset lhost
  5. now it has the correct LHOST
  6. use a different exploit (doublepulsar), LHOST is still correct
  7. use a different exploit (backdoor/energizer_duo_payload), LHOST is back to default 192.168.x.x address, have to unset lhost to get back to the 10.10.x.x address
  8. use a different exploit (windows/smb/ms06_040_netapi) and it's back to 192.168.x.x address, need to unset lhost to correct it

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:

[framework/core]
LogLevel=3
lhost=10.10.15.116

[framework/ui/console]
ActiveModule=exploit/windows/backdoor/energizer_duo_payload

[windows/backdoor/energizer_duo_payload]
WORKSPACE=
VERBOSE=false
WfsDelay=2
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RHOSTS=
RPORT=7777
SSL=false
SSLServerNameIndication=
SSLVersion=Auto
SSLVerifyMode=PEER
SSLCipher=
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
TCP::max_send_size=0
TCP::send_delay=0
EXE::EICAR=false
EXE::Custom=
EXE::Path=
EXE::Template=
EXE::Inject=false
EXE::OldMethod=false
EXE::FallBack=false
MSI::EICAR=false
MSI::Custom=
MSI::Path=
MSI::Template=
MSI::UAC=false
PAYLOAD=windows/meterpreter/reverse_tcp
LHOST=192.168.177.195
LPORT=4444
ReverseListenerBindPort=
ReverseAllowProxy=false
ReverseListenerComm=
ReverseListenerBindAddress=
ReverseListenerThreaded=false
StagerRetryCount=10
StagerRetryWait=5
PingbackRetries=0
PingbackSleep=30
PayloadUUIDSeed=
PayloadUUIDRaw=
PayloadUUIDName=
PayloadUUIDTracking=false
EnableStageEncoding=false
StageEncoder=
StageEncoderSaveRegisters=
StageEncodingFallback=true
PrependMigrate=false
PrependMigrateProc=
EXITFUNC=process
PayloadBindPort=
AutoLoadStdapi=true
AutoVerifySessionTimeout=30
InitialAutoRunScript=
AutoRunScript=
AutoSystemInfo=true
EnableUnicodeEncoding=false
HandlerSSLCert=
SessionRetryTotal=3600
SessionRetryWait=10
SessionExpirationTimeout=604800
SessionCommunicationTimeout=300
PayloadProcessCommandLine=
AutoUnhookProcess=false
MeterpreterDebugBuild=false
MeterpreterDebugLogging=

Database Configuration

The database contains the following information:

Session Type: postgresql selected, no connection

History

The following commands were ran during the session and before this issue occurred:

32     set LogLevel 3
33     setg lhost 10.10.15.116
34     search eternal
35     use 0
36     options
37     unset LHOST
38     options
39     search pulsar
40     use 3
41     options
42     use exploit/windows/backdoor/energizer_duo_payload
43     options
44     debug

Framework Errors

The following framework errors occurred before the issue occurred:

[10/04/2022 12:21:32] [e(0)] core: Failed to connect to the database: No database YAML file
[10/04/2022 12:21:33] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[10/04/2022 12:21:34] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[10/04/2022 12:21:35] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[10/04/2022 12:21:36] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[10/04/2022 13:47:21] [e(0)] core: Failed to connect to the database: No database YAML file
[10/04/2022 13:47:22] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[10/04/2022 13:47:23] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[10/04/2022 13:47:24] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[10/04/2022 13:47:25] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported

Web Service Errors

The following web service errors occurred before the issue occurred:

msf-ws.log does not exist.

Framework Logs

The following framework logs were recorded before the issue occurred:

[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_nonx_tcp with windows/backdoor/energizer_duo_payload]: tunnel to reverse
[10/04/2022 13:49:06] [d(1)] core: Module windows/vncinject/reverse_nonx_tcp is compatible with windows/backdoor/energizer_duo_payload
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_ord_tcp with windows/backdoor/energizer_duo_payload]: reverse to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_ord_tcp with windows/backdoor/energizer_duo_payload]: bind to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_ord_tcp with windows/backdoor/energizer_duo_payload]: noconn to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_ord_tcp with windows/backdoor/energizer_duo_payload]: none to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_ord_tcp with windows/backdoor/energizer_duo_payload]: tunnel to reverse
[10/04/2022 13:49:06] [d(1)] core: Module windows/vncinject/reverse_ord_tcp is compatible with windows/backdoor/energizer_duo_payload
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp with windows/backdoor/energizer_duo_payload]: reverse to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp with windows/backdoor/energizer_duo_payload]: bind to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp with windows/backdoor/energizer_duo_payload]: noconn to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp with windows/backdoor/energizer_duo_payload]: none to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp with windows/backdoor/energizer_duo_payload]: tunnel to reverse
[10/04/2022 13:49:06] [d(1)] core: Module windows/vncinject/reverse_tcp is compatible with windows/backdoor/energizer_duo_payload
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_allports with windows/backdoor/energizer_duo_payload]: reverse to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_allports with windows/backdoor/energizer_duo_payload]: bind to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_allports with windows/backdoor/energizer_duo_payload]: noconn to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_allports with windows/backdoor/energizer_duo_payload]: none to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_allports with windows/backdoor/energizer_duo_payload]: tunnel to reverse
[10/04/2022 13:49:06] [d(1)] core: Module windows/vncinject/reverse_tcp_allports is compatible with windows/backdoor/energizer_duo_payload
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_dns with windows/backdoor/energizer_duo_payload]: reverse to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_dns with windows/backdoor/energizer_duo_payload]: bind to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_dns with windows/backdoor/energizer_duo_payload]: noconn to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_dns with windows/backdoor/energizer_duo_payload]: none to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_dns with windows/backdoor/energizer_duo_payload]: tunnel to reverse
[10/04/2022 13:49:06] [d(1)] core: Module windows/vncinject/reverse_tcp_dns is compatible with windows/backdoor/energizer_duo_payload
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_rc4 with windows/backdoor/energizer_duo_payload]: reverse to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_rc4 with windows/backdoor/energizer_duo_payload]: bind to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_rc4 with windows/backdoor/energizer_duo_payload]: noconn to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_rc4 with windows/backdoor/energizer_duo_payload]: none to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_rc4 with windows/backdoor/energizer_duo_payload]: tunnel to reverse
[10/04/2022 13:49:06] [d(1)] core: Module windows/vncinject/reverse_tcp_rc4 is compatible with windows/backdoor/energizer_duo_payload
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_rc4_dns with windows/backdoor/energizer_duo_payload]: reverse to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_rc4_dns with windows/backdoor/energizer_duo_payload]: bind to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_rc4_dns with windows/backdoor/energizer_duo_payload]: noconn to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_rc4_dns with windows/backdoor/energizer_duo_payload]: none to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_rc4_dns with windows/backdoor/energizer_duo_payload]: tunnel to reverse
[10/04/2022 13:49:06] [d(1)] core: Module windows/vncinject/reverse_tcp_rc4_dns is compatible with windows/backdoor/energizer_duo_payload
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_uuid with windows/backdoor/energizer_duo_payload]: reverse to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_uuid with windows/backdoor/energizer_duo_payload]: bind to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_uuid with windows/backdoor/energizer_duo_payload]: noconn to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_uuid with windows/backdoor/energizer_duo_payload]: none to reverse
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_tcp_uuid with windows/backdoor/energizer_duo_payload]: tunnel to reverse
[10/04/2022 13:49:06] [d(1)] core: Module windows/vncinject/reverse_tcp_uuid is compatible with windows/backdoor/energizer_duo_payload
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_winhttp with windows/backdoor/energizer_duo_payload]: reverse to tunnel
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_winhttp with windows/backdoor/energizer_duo_payload]: bind to tunnel
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_winhttp with windows/backdoor/energizer_duo_payload]: noconn to tunnel
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_winhttp with windows/backdoor/energizer_duo_payload]: none to tunnel
[10/04/2022 13:49:06] [d(3)] core: Checking compat [windows/vncinject/reverse_winhttp with windows/backdoor/energizer_duo_payload]: tunnel to tunnel
[10/04/2022 13:49:06] [d(1)] core: Module windows/vncinject/reverse_winhttp is compatible with windows/backdoor/energizer_duo_payload

Web Service Logs

The following web service logs were recorded before the issue occurred:

msf-ws.log does not exist.

Version/Install

The versions and install method of your Metasploit setup:

Framework: 6.2.13-dev
Ruby: ruby 2.7.4p191 (2021-07-07 revision a21a3b7d23) [x86_64-linux-gnu]
OpenSSL: OpenSSL 1.1.1k  25 Mar 2021
Install Root: /usr/share/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Other - Please specify

@adfoster-r7
Contributor

Ah, so it looks like the logic for choosing the default payload for an exploit attempts to set the best LHOST based on the configured RHOST:

```ruby
# Select a reasonable default payload and minimally configure it
# TODO: Move this somewhere better or make it more dynamic?
# @param [Msf::Module] mod
def self.choose_payload(mod)
  compatible_payloads = mod.compatible_payloads(
    excluded_platforms: ['Multi'] # We don't want to select a multi payload
  ).map(&:first)
  # XXX: Determine LHOST based on RHOST or an arbitrary internet address
  lhost = Rex::Socket.source_address(mod.datastore['RHOST'] || '50.50.50.50')
  configure_payload = lambda do |payload|
```

The above logic completely ignores any existing globally set option for LHOST, and instead chooses the best routable IP for the set RHOST, or whatever ip it takes to route to 50.50.50.50

I think most folk globally run setg rhost ..., and let lhost resolve itself automagically - so I've never run into this issue before either
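To make the two behaviours discussed in this thread concrete (the module-local-over-global datastore lookup explained earlier, and the routing-derived LHOST default in choose_payload quoted above), here is an added Ruby example. It is not metasploit-framework code and not the fix that landed in #17157: the routing table, the toy Datastore class and both choose_payload_* functions are constructed for illustration, and source_address is a stand-in for Rex::Socket.source_address with made-up interface addresses.

```ruby
require 'ipaddr'

# Constructed routing table standing in for Rex::Socket.source_address:
# destination prefix => local interface address the kernel would pick.
# The addresses are made up for this example.
ROUTES = {
  '10.10.0.0/16'     => '10.10.15.116',    # tun0 (VPN)
  '192.168.177.0/24' => '192.168.177.195'  # eth0 (LAN)
}.freeze
DEFAULT_ROUTE_SOURCE = '192.168.177.195'   # what 50.50.50.50 resolves to via eth0

def source_address(dest)
  ip = IPAddr.new(dest)
  ROUTES.each do |prefix, src|
    return src if IPAddr.new(prefix).include?(ip)
  end
  DEFAULT_ROUTE_SOURCE
end

# Toy datastore (not Msf::DataStore) with the lookup order described in the
# thread: a module-local value shadows the global one; the global value applies
# only while no local value exists.
class Datastore
  def initialize(globals = {})
    @globals = globals.transform_keys(&:upcase)
    @local = {}
  end

  def set(key, value)
    @local[key.upcase] = value
  end

  def unset(key)
    @local.delete(key.upcase)
  end

  def [](key)
    k = key.upcase
    @local.key?(k) ? @local[k] : @globals[k]
  end
end

# Behaviour quoted in the issue: derive LHOST from routing alone and write it
# into the module-local datastore, which then shadows any `setg LHOST`.
def choose_payload_buggy(ds)
  ds.set('LHOST', source_address(ds['RHOST'] || '50.50.50.50'))
  ds['LHOST']
end

# Hypothetical corrected variant (an assumption, not the merged fix): only fill
# in a routing-derived default when LHOST is configured nowhere.
def choose_payload_fixed(ds)
  ds.set('LHOST', source_address(ds['RHOST'] || '50.50.50.50')) unless ds['LHOST']
  ds['LHOST']
end

if __FILE__ == $PROGRAM_NAME
  ds = Datastore.new('LHOST' => '10.10.10.10')
  puts "buggy:       #{choose_payload_buggy(ds)}"   # global LHOST ignored
  ds.unset('LHOST')
  puts "after unset: #{ds['LHOST']}"               # global LHOST visible again
  puts "fixed:       #{choose_payload_fixed(Datastore.new('LHOST' => '10.10.10.10'))}"
  puts "no LHOST, RHOST on VPN: #{choose_payload_fixed(Datastore.new('RHOST' => '10.10.10.100'))}"
end
```

The buggy path reproduces the reporter's experience exactly: the global value is still there, but the module-local LHOST written at payload selection hides it until `unset LHOST`. The corrected variant keeps the useful routing heuristic for the case where nothing has been configured, which is the `setg rhosts` workflow described later in the thread.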

@adfoster-r7 adfoster-r7 added the confirmed Issues confirmed by a committer label Oct 4, 2022
@Crypto-Cat
Author

Hmmmm OK, that would be an equally good solution for me tbh but doesn't seem to be how it's working atm. When I set RHOST to 10.10.15.12, my LHOST still stays as 192.168.x.x, even though there is a tun0 adapter on the 10.10.15.x network 🤔

@adfoster-r7
Contributor

I just ran through this when on a vpn with a tun0 adapter with a 10.10.0.0/16 network

Running setg rhosts 10.10.10.100:

```
msf6 > setg rhosts 10.10.10.100
rhosts => 10.10.10.100
```

Verifying:

```
msf6 > setg

Global
======

  Name      Value
  ----      -----
  loglevel  3
  rhosts    10.10.10.100
```

Using a module I've not previously used to see lhost and rhost correctly set:

```
msf6 exploit(windows/http/netgear_nms_rce) > options

Module options (exploit/windows/http/netgear_nms_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     10.10.10.100     yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Application path
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.9.1.147       yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   NETGEAR ProSafe Network Management System 300 / Windows
```

And I can verify the logic that it chose to pick the default lhost from within msfconsole:

```
msf6 exploit(windows/http/netgear_nms_rce) > irb -e "puts active_module.datastore['RHOSTS']"
10.10.10.100
msf6 exploit(windows/http/netgear_nms_rce) > irb -e "puts Rex::Socket.source_address('10.10.10.100')"
10.9.1.147
```

@adfoster-r7
Contributor

You can also set options inline which is handy for jumping around modules too, since you can use ctrl+r to search the history for your last run command, or use the up arrow a few times to get the previously run command:

run rhost=x.x.x.x lhost=x.x.x.x

That aside, I'll keep this issue open as it looks like a bug that should be fixed in the future 👍

@Crypto-Cat
Author

Ah, the mistake I made was using set rhosts 10.10.x.x and expecting the LHOST to automatically switch to tun0.

I guess I need to do setg rhosts 10.10.x.x in order to ensure auto-selection of the correct adapter.

It would be good to have the setg lhost work when dealing with multiple RHOSTS but for my purposes (HTB), using setg rhosts will suffice.

Thanks 💜

This issue was closed.