
Add Pingback Payloads #12129

Merged
merged 80 commits into from Jul 30, 2019

Conversation

@busterb (Member) commented Jul 26, 2019

Re-PR from #11903

A few of the Metasploit elves have been working in private on a new set of payloads that demonstrate risk without creating it. This is the public introduction to something we call pingback payloads.

What is a Pingback Payload?

Pingback payloads are designed to provide a limited-functionality payload to verify an exploit has worked. It does not provide a shell of any kind. A pingback payload creates a "random" UUID value (separate from the payload UUID) that is written to the Metasploit database along with other data. When executed on target, the payload sends back that UUID to verify that the exploit worked, but nothing else. When Framework receives that UUID, we verify the target is vulnerable to the exploit without loading an interactive shell.

This prevents traditional [W/M]ITM attacks or someone sniffing the traffic for information, as the UUID itself means nothing to a listener, and without further execution, the session itself is not particularly valuable to an attacker.

Still Left:

  • Some of the binary payloads duplicate code that does not need duplication, so we need to de-duplicate some of that assembly.
  • We need to make sure our changes to the database do not interfere with existing payloads, and here, as a master branch, is the place to do it.
    - The cmd payloads are apparently less portable than we would like, so we need to update those (thanks, @wvu-r7!)

Testing:

  • Verify windows/x64/pingback_reverse_tcp
    - Verify that PingbackRetries function works
    - Verify that PingbackSleep function works
  • Verify windows/pingback_reverse_tcp
    - Verify that PingbackRetries function works
    - Verify that PingbackSleep function works
  • Verify linux/x64/pingback_reverse_tcp
    - Verify that PingbackRetries function works
    - Verify that PingbackSleep function works
  • Verify python/pingback_reverse_tcp
  • Verify ruby/pingback_reverse_tcp
  • Verify windows/x64/pingback_bind_tcp
  • Verify windows/pingback_bind_tcp
  • Verify linux/x64/pingback_bind_tcp
  • Test with local, remote and no databases

For testing, be sure to check no database, remote database, and local database. You can see what you are connected to using `db_status` and toggle with `db_disconnect`:
msf5 exploit(windows/smb/psexec) > db_status
[*] Connected to remote_data_service: (https://localhost:5443). Connection type: http. Connection name: local-https-data-service.
msf5 exploit(windows/smb/psexec) > db_disconnect
Successfully disconnected from the data service: remote_data_service: (https://localhost:5443).
msf5 exploit(windows/smb/psexec) > db_status
[*] Connected to msf. Connection type: postgresql.
msf5 exploit(windows/smb/psexec) > db_disconnect
Successfully disconnected from the data service: local_db_service.
msf5 exploit(windows/smb/psexec) > db_status
[*] postgresql selected, no connection
msf5 exploit(windows/smb/psexec) > 

This payload should not work with any exploit that includes a file dropper or that requires post-exploit cleanup.
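To make the flow in the description concrete, here is an added example (not Metasploit code) of a minimal pingback exchange over loopback: the handler registers a random 16-byte pingback UUID before the exploit fires (standing in for the database row), the payload connects back and sends only those bytes, and the handler marks the matching record verified. A second connection carrying a UUID the handler never issued shows why sniffed or guessed bytes prove nothing. The class and function names, the retries/sleep parameters and the target string are this example's own, not Framework API.

```python
"""Added example, not Metasploit code: a minimal pingback exchange over
loopback. PingbackHandler, run_pingback_payload and the retries/sleep
parameters are this example's own names; the target string is constructed."""
import binascii
import os
import socket
import threading
import time


class PingbackHandler:
    """Listener side: holds pending UUIDs and verifies incoming ones."""

    UUID_LEN = 16

    def __init__(self):
        self.pending = {}    # uuid bytes -> record (stand-in for the msf db row)
        self.verified = {}
        self.unknown = []
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(5)
        self.port = self.sock.getsockname()[1]

    def register(self, target):
        """Issue the pingback UUID for one exploit attempt and record it."""
        uuid_raw = os.urandom(self.UUID_LEN)
        self.pending[uuid_raw] = {"target": target}
        return uuid_raw

    def serve_one(self, timeout=5.0):
        """Accept one connection, read exactly one UUID and classify it.
        Returns the lowercase hex string for a known UUID, None otherwise."""
        self.sock.settimeout(timeout)
        conn, _ = self.sock.accept()
        with conn:
            conn.settimeout(timeout)
            data = b""
            while len(data) < self.UUID_LEN:
                chunk = conn.recv(self.UUID_LEN - len(data))
                if not chunk:
                    break
                data += chunk
        if data in self.pending:
            self.verified[data] = self.pending.pop(data)
            return binascii.hexlify(data).decode("ascii")
        self.unknown.append(data)   # never issued: proves nothing, only logged
        return None


def run_pingback_payload(host, port, uuid_raw, retries=3, sleep=0.2):
    """Payload side, what a pingback_reverse_tcp does: connect, send the
    UUID, exit. retries/sleep play the role of PingbackRetries and
    PingbackSleep: bounded reconnect attempts with a pause between them.
    Returns the attempt number that succeeded, or None."""
    for attempt in range(1, retries + 1):
        try:
            with socket.create_connection((host, port), timeout=2.0) as s:
                s.sendall(uuid_raw)
            return attempt
        except OSError:
            time.sleep(sleep)
    return None


def demo():
    """One genuine pingback, then a forged UUID from a guessing attacker."""
    handler = PingbackHandler()
    results = {}

    def serve(key):
        results[key] = handler.serve_one()

    try:
        uuid_raw = handler.register("10.0.0.5 (constructed target)")
        t = threading.Thread(target=serve, args=("genuine",))
        t.start()
        attempts = run_pingback_payload("127.0.0.1", handler.port, uuid_raw)
        t.join()
        t = threading.Thread(target=serve, args=("forged",))
        t.start()
        run_pingback_payload("127.0.0.1", handler.port, os.urandom(16))
        t.join()
    finally:
        handler.sock.close()
    return {"attempts": attempts, "genuine": results["genuine"],
            "forged": results["forged"], "verified": len(handler.verified),
            "pending": len(handler.pending),
            "expected_hex": binascii.hexlify(uuid_raw).decode("ascii")}
```

Calling `demo()` returns the genuine pingback's hex UUID (matching what was registered), `None` for the forged one, and shows the pending record consumed exactly once. The handler never sends anything back, so there is no second stage for a listener on the wire to capture.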

asoto-r7 and others added some commits Mar 19, 2019

Use nonvolatile register for the counter
Change option name to match convention
Remove extra stuff that was part of the staged attempt at pingback.
It is no longer required because pingback is now a single.
First swing at x86 windows reverse_tcp pingback
Still issues with the looping and counters.
Remove workspace reqs from remote db payloads
The requirements had already been removed from local payloads in
865f214
Review comments on lib/msf/base/sessions/pingback.rb (outdated, resolved):

end

def cleanup
if rstream
if uuid_raw
self.uuid_string = uuid_raw.each_byte.map { |b| "%02x" % b.to_i() }.join
print_status("Incoming UUID = #{uuid_string}")
if framework.db.active
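Review bot: `b.to_i()` in `self.uuid_string = uuid_raw.each_byte.map { |b| "%02x" % b.to_i() }.join` is redundant, since `String#each_byte` already yields Integers; `uuid_raw.unpack('H*').first` produces the same lowercase hex string in one call. The `if uuid_raw` / `if framework.db.active` nesting could also return early on a missing UUID so the database write does not sit two levels deep, which is what the reviewer suggests below.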
@bcoles (Contributor) commented Jul 27, 2019
Could return early.

Resolved review threads (outdated) on modules/payloads/singles/python/pingback_bind_tcp.rb, modules/payloads/singles/ruby/pingback_bind_tcp.rb and modules/payloads/singles/ruby/pingback_reverse_tcp.rb.
@acammack-r7 (Contributor) left a comment:
Looks like the Ruby payloads grew a bit. I don't mind using the multi-line self-concatenating string literals for them since the finished payload need not have any newlines in it (unlike the Python ones).

Formatting like this is fine for strings that don't need newlines:

return "....."  \
  "......" \
  "......."

EDITED TO ADD: After thinking about it, trading the semicolons for newlines isn't too bad, but the payloads still picked up some extra spaces inside their expressions.

Resolved review threads (outdated) on modules/payloads/singles/ruby/pingback_bind_tcp.rb and modules/payloads/singles/ruby/pingback_reverse_tcp.rb.
@bwatters-r7 (Contributor) commented Jul 30, 2019

I think I hit the necessary changes. I think this should be in great shape to land. Please let me know if anyone sees any blockers.

@acammack-r7 (Contributor) commented Jul 30, 2019

These Python payloads don't send the UUID when run with Python 3. This decoding style requires bytes and at any rate non-text encoders like hex and base64 are only supported with codecs.decode or their specific modules.

@bwatters-r7 (Contributor) commented Jul 30, 2019

@acammack-r7 any argument to returning to the UUID embedded as a string again in the python payloads?

@acammack-r7 (Contributor) commented Jul 30, 2019

As in using the \xHH escape format? I think using the binascii module might end up being smaller and AFAICT is the most compatible across versions.

acammack-r7 added some commits Jul 30, 2019

Use binascii for Python pingback UUID encoding
This gives us compatibility for Python 3.x and 1.x
@acammack-r7 (Contributor) commented Jul 30, 2019

Turns out binascii + base64 was a few characters shorter than hex-encoding the whole string. Also found a few unnecessary characters in the Ruby payloads and unified the quotes.
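The Python 2/3 encoding problem raised in the review, and the fix that landed, as an added example (not the payload source or any Metasploit code): `str.decode('hex')` only works on Python 2, `codecs.decode` is the 3.x route for non-text codecs, and `binascii` behaves the same on both. The sample UUID is constructed, and the one-line snippet templates in `payload_snippets` are illustrative of the size comparison only, not the real payload text.

```python
"""Added example, not Metasploit code: embedding a 16-byte pingback UUID in
a Python payload so the decode works on both Python 2 and Python 3.
SAMPLE_UUID is constructed; the snippet templates are illustrative only."""
import base64
import binascii
import codecs

SAMPLE_UUID = bytes(bytearray(range(0xA0, 0xB0)))   # constructed 16-byte UUID


def hex_literal(raw):
    """Text-safe rendering for embedding in payload source (32 chars)."""
    return binascii.hexlify(raw).decode("ascii")


def b64_literal(raw):
    """Base64 rendering (24 chars for 16 bytes, padding included)."""
    return base64.b64encode(raw).decode("ascii")


def legacy_hex_decode(literal):
    """The style the review flagged: str.decode('hex'). Works on Python 2;
    on Python 3 str has no .decode (AttributeError) and bytes.decode('hex')
    is rejected as a non-text encoding (LookupError). Failures are returned
    as a string instead of raised so the two behaviours can be compared."""
    try:
        return literal.decode("hex")
    except (AttributeError, LookupError) as exc:
        return "failed: " + type(exc).__name__


def codecs_hex_decode(literal):
    """The codecs.decode route the review mentions; works on 3.x."""
    return codecs.decode(literal, "hex")


def portable_hex_decode(literal):
    """binascii works identically on 2.x and 3.x (str or ASCII bytes input)."""
    return binascii.unhexlify(literal)


def portable_b64_decode(literal):
    """The variant the PR settled on: binascii plus base64 text."""
    return binascii.a2b_base64(literal)


def payload_snippets(raw):
    """Render both one-line embeddings and measure them. The base64 form
    comes out shorter, which is the trade-off the thread describes."""
    hex_src = "import binascii;s.send(binascii.unhexlify('%s'))" % hex_literal(raw)
    b64_src = "import binascii;s.send(binascii.a2b_base64('%s'))" % b64_literal(raw)
    return {"hex": hex_src, "b64": b64_src,
            "hex_len": len(hex_src), "b64_len": len(b64_src)}
```

Run under Python 3, `legacy_hex_decode` reports a failure for both `str` and `bytes` input while the `binascii` and `codecs` variants return the original bytes; under Python 2 all three succeed. The base64 form saves eight characters of literal against a one-character-longer function name, hence the net saving noted above.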

@bwatters-r7 (Contributor) commented Jul 30, 2019

It appears the sanity tests pulled IPv6 addresses and died....
IP ADDRESS FOR Sanity_Win2016x64 = fe80::fd51:2373:3fda:f2f5
@jmartin, is this using the latest gepetto release?

@bwatters-r7 merged commit 517d32b into rapid7:master Jul 30, 2019

2 of 3 checks passed:
  • Metasploit Automation - Sanity Test Execution: Failed to pass tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed.

bwatters-r7 added a commit that referenced this pull request Jul 30, 2019

Land #12129, Add Pingback Payloads
Merge branch 'land-12129' into upstream-master
@busterb (Member, Author) commented Jul 30, 2019

Release Notes

This adds a new payload type designed only to report that code execution was possible on the target, instead of creating a controllable remote shell itself. This is useful for verifying susceptibility to exploitation, in addition to opening the possibility for discreet one-way communication with the remote target rather than creating more obvious networking fingerprints via the payload as evidence of exploitation.
