Fix getsockname usage in the SOCKS5 server #12927

Merged: 1 commit into rapid7:master, Feb 12, 2020

Conversation

zeroSteiner commented Feb 12, 2020

This PR fixes the usage of getsockname / getlocalname for the SOCKS5 server when used with Rex Sockets backed by a meterpreter channel.

The underlying issue was that getlocalname was not returning appropriate information for reporting back to the SOCKS client. The hostname or IP address portion was two IP addresses joined by a dash and the port was a string instead of an integer. This fixes the issue by parsing the remote IP address out and keeping the port as an integer.

This fixes issue #11513. It should be noted that while this does allow the socks5 client to function in my testing, the information reported back in the acknowledgement of the connect command is technically inaccurate. It should, from my understanding, reflect the local bind information on the host through which metasploit is pivoting. This information is currently not exposed through meterpreter and exposing it would require adding getsockname to each of the meterpreter implementations or returning the local host and local port in the response when opening a TCP client connection.

Verification

List the steps needed to make sure this thing works

  • Start msfconsole
  • Start the SOCKS5 server module
  • Use a curl command and the --socks5 flag to validate that the SOCKS5 server is working
  • Open a session and add a route through it
  • Repeat the curl command to ensure that the SOCKS5 server is still working, this time with the session

Appendix

This script can be used to set things up for testing pretty easily. Just update the LHOST value on L9 and open a session while it's sleeping.

use auxiliary/server/socks4a
set SRVPORT 4000
run
use auxiliary/server/socks5
set SRVPORT 5000
run

use payload/python/meterpreter/reverse_tcp
set LHOST 192.168.159.128
to_handler
sleep 12

route add 0.0.0.0 0.0.0.0 -1
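The reply framing the description above is about, as an added example in Ruby that is not code from this pull request or from Metasploit/Rex: it takes a constructed [family, host, port] triple of the shape the PR reports (two IPv4 addresses joined by a dash, port as a String), normalises it to a single IP and an Integer port, and packs the SOCKS5 CONNECT acknowledgement (RFC 1928 section 6: VER, REP, RSV, ATYP, BND.ADDR, BND.PORT). Which of the two dashed addresses is the remote one, and the helper names `normalise_localname`, `socks5_connect_reply` and `parse_socks5_reply`, are assumptions of the example, not something the page states.

```ruby
require 'ipaddr'

# Constructed sample, shaped like the localname the PR description reports for a
# Rex socket backed by a meterpreter channel: the host field carries two IPv4
# addresses joined by a dash and the port is a String rather than an Integer.
SAMPLE_LOCALNAME = ['AF_INET', '192.168.159.128-10.10.1.5', '4444'].freeze

# Reduce a [family, host, port] triple to [ip_string, port_integer].
# Assumption of this example: when the host field is "a-b", the remote address
# is the last element. Raises ArgumentError on anything that is not a usable
# IP literal or 16-bit port.
def normalise_localname(_family, host, port)
  ip = host.to_s.split('-').last.to_s.strip
  begin
    IPAddr.new(ip)                       # validates both IPv4 and IPv6 literals
  rescue IPAddr::InvalidAddressError
    raise ArgumentError, "not an IP address: #{ip.inspect}"
  end
  port_int = port.is_a?(Integer) ? port : Integer(port.to_s.strip, 10)
  raise ArgumentError, "port out of range: #{port_int}" unless (0..65_535).cover?(port_int)
  [ip, port_int]
end

# SOCKS5 reply to a CONNECT request (RFC 1928, section 6):
#   VER(0x05) REP RSV(0x00) ATYP BND.ADDR BND.PORT
# ATYP 0x01 = IPv4 (4 bytes), 0x04 = IPv6 (16 bytes); BND.PORT is big-endian.
# The port must already be an Integer: ['4444'].pack('n') raises TypeError,
# which is the class of failure the PR description reports for a String port.
def socks5_connect_reply(host, port, rep = 0x00)
  addr = IPAddr.new(host)
  atyp = addr.ipv4? ? 0x01 : 0x04
  [0x05, rep, 0x00, atyp].pack('C4') + addr.hton + [port].pack('n')
end

# Decode a reply so a client-side check (or a test) can see what it was told.
def parse_socks5_reply(bytes)
  ver, rep, _rsv, atyp = bytes.unpack('C4')
  addr_len = { 0x01 => 4, 0x04 => 16 }.fetch(atyp) { raise ArgumentError, "unsupported ATYP #{atyp}" }
  addr = IPAddr.new_ntoh(bytes.byteslice(4, addr_len)).to_s
  port = bytes.byteslice(4 + addr_len, 2).unpack1('n')
  { ver: ver, rep: rep, atyp: atyp, addr: addr, port: port }
end

if $PROGRAM_NAME == __FILE__
  host, port = normalise_localname(*SAMPLE_LOCALNAME)
  reply = socks5_connect_reply(host, port)
  puts "reply: #{reply.unpack1('H*')}"
  p parse_socks5_reply(reply)
end
```

Handing the un-normalised String port straight to `pack('n')` raises TypeError, so the normalisation step is what lets the reply be built at all. As the description notes, the address a client should see in BND.ADDR is the bind address on the host Metasploit is pivoting through, which meterpreter does not expose; this example only shows that the reply is well-formed, not that the address in it is the correct one.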
dwelch-r7 added a commit that referenced this pull request on Feb 12, 2020.
dwelch-r7 merged commit d829f2a into rapid7:master on Feb 12, 2020.

3 checks passed:
  • Metasploit Automation - Sanity Test Execution: Successfully completed all tests.
  • Metasploit Automation - Test Execution: Successfully completed all tests.
  • continuous-integration/travis-ci/pr: The Travis CI build passed.
dwelch-r7 commented Feb 12, 2020

Release notes

Fixes the usage of getsockname / getlocalname for the SOCKS5 server resolving issue #11513
