Fixes issues with encrypted payloads by moving session bootstrap logic #15600
This seems sane to me at first glance, but @smcintyre-r7 will definitely be more aware of the nuances than me 🕵️
Thanks for fixing this @agalway-r7! I left a few minor comments for you to review. I will start testing now and let you know if I run into issues. Thanks!
Thanks for updating this @agalway-r7! I tested the four encrypted payloads and verified a valid session was created with and without

Example output
- Reverse encrypted shell (x64 - staged)
- Reverse encrypted shell (x64 - single)
- Reverse encrypted shell (x86 - staged)
- Reverse encrypted shell (x86 - single)
- Non-encrypted reverse shell (x64 - staged)
Release Notes
This fixes an issue with encrypted payloads during session setup. The logic that gathers session info is now located in the bootstrap method, which ensures that this functionality is always carried out before any commands are sent.
Fixes #15145
The encrypted payloads make use of a ChaCha cipher that, in this current implementation, depends on a read/write cycle, i.e. msfconsole writes, then it reads a response. Performing two writes or reads in a row will break the cipher during session setup.
By moving the logic that gathers session info for the `command_shell`'s initial communication with msfconsole from the `process_autorun` method to the `bootstrap` method, we ensure that this functionality is always carried out before any commands are sent to a victim. This is better functionality for `command_shell`s in general.

This change also ensures that an encrypted shell will update its cipher with a new key and nonce before calling the inherited `command_shell` `bootstrap` method as `super`, to read the initial communication from the victim correctly and auto-verify the session accurately if the datastore variable is set.

These changes also have the added benefit of populating the info field of a session. This means the information field is now populated for encrypted and regular shells when running the `sessions` command (it's cut off after 77 chars IIRC):

This above functionality is a freebie.
The changes made to lines 800-806, however, are a new addition. They mean that the banner will be displayed every time a session is interacted with IF it was captured correctly:
![image](https://user-images.githubusercontent.com/54621924/132337387-9fd12ed4-812e-4df7-b251-eda274522ca2.png)
Have also added a warning to encrypted payloads that will warn the user that the DB is not available, and that the required mingw install is not present:
![image](https://user-images.githubusercontent.com/54621924/132889184-0f192f02-05e7-413c-a2af-6ef4976cec8e.png)
Tested with the following payloads, each with `AutoVerifySession` set to true and false on Windows 7:

Verification
List the steps needed to make sure this thing works
- `msfconsole`
- `to_handler` with `AutoVerifySession` set to true
- `jobs -K`
- `to_handler` with `AutoVerifySession` set to false

Thanks to @space-r7 for the assists!
TODO:
- `to_handler` do not inform users that a session has been created
- `multi/handler` doesn't work with any of the above shells when using a `generic` payload
- `nonce` and `key` values and they don't handle them atm
- `sessions -u` with an encrypted session
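The read/write cycle dependency described in this PR, as an added illustration that is not code from the Metasploit project: a toy counter-based keystream cipher (SHA-256 over key, nonce and block counter) stands in for ChaCha, both endpoints share one cipher instance for both directions, and the handler either respects the bootstrap order (rekey, then one session-info exchange, then commands, each a full write/read cycle) or issues two writes in a row. The class and method names, the `rekey:` message format and the command strings are all constructed for this example and are not the framework's API.

```ruby
require 'digest'

# Toy counter-based keystream cipher standing in for ChaCha (constructed for this
# example, not the framework's implementation). One object holds key, nonce and a
# block counter, and the counter advances on every call in either direction, so
# both endpoints must consume keystream in exactly the same order.
class SharedStreamCipher
  attr_reader :counter

  def initialize(key, nonce)
    rekey(key, nonce)
  end

  # A fresh key/nonce resets the counter; both ends must do this at the same
  # point in the exchange or every later message decrypts to garbage.
  def rekey(key, nonce)
    @key = key
    @nonce = nonce
    @counter = 0
  end

  # XOR data with 32-byte keystream blocks; the same call encrypts and decrypts.
  def crypt(data)
    out = []
    data.bytes.each_slice(32) do |chunk|
      block = Digest::SHA256.digest("#{@key}|#{@nonce}|#{@counter}").bytes
      @counter += 1
      chunk.each_with_index { |b, i| out << (b ^ block[i]) }
    end
    out.pack('C*')
  end
end

# Shell endpoint: strictly read one command, then write one reply, on a single
# shared cipher. A constructed 'rekey:' command switches keys before replying.
class PayloadSide
  def initialize(key, nonce)
    @cipher = SharedStreamCipher.new(key, nonce)
  end

  def handle(wire_cmd)
    cmd = @cipher.crypt(wire_cmd)
    if cmd.start_with?('rekey:')
      _, key, nonce = cmd.split(':', 3)
      @cipher.rekey(key, nonce)
      return @cipher.crypt('rekeyed')
    end
    @cipher.crypt("ran:#{cmd}")
  end
end

# Handler endpoint: every write must be followed by a read of the reply.
class HandlerSide
  def initialize(key, nonce)
    @cipher = SharedStreamCipher.new(key, nonce)
  end

  def write(cmd)
    @cipher.crypt(cmd)
  end

  def read(wire)
    @cipher.crypt(wire)
  end

  # Send the new key/nonce under the old cipher, then switch before the reply.
  def rekey_exchange(key, nonce)
    wire = @cipher.crypt("rekey:#{key}:#{nonce}")
    @cipher.rekey(key, nonce)
    wire
  end
end

INITIAL_KEY = 'initial-key'.freeze
INITIAL_NONCE = 'initial-nonce'.freeze

# Correct order: rekey, then the session-info exchange, then further commands,
# each one a complete write/read cycle. Returns every decrypted reply.
def bootstrap_then_commands(commands)
  handler = HandlerSide.new(INITIAL_KEY, INITIAL_NONCE)
  payload = PayloadSide.new(INITIAL_KEY, INITIAL_NONCE)
  ack = handler.read(payload.handle(handler.rekey_exchange('session-key', 'session-nonce')))
  raise 'rekey out of sync' unless ack == 'rekeyed'
  ['session-info', *commands].map do |cmd|
    handler.read(payload.handle(handler.write(cmd)))
  end
end

# Broken order: two writes before a read. The handler reads the first reply one
# keystream block too late and the payload decrypts the second command one block
# too late, so neither reply matches what was sent.
def two_writes_in_a_row
  handler = HandlerSide.new(INITIAL_KEY, INITIAL_NONCE)
  payload = PayloadSide.new(INITIAL_KEY, INITIAL_NONCE)
  w1 = handler.write('first')
  w2 = handler.write('second')
  [handler.read(payload.handle(w1)), handler.read(payload.handle(w2))]
end

if __FILE__ == $PROGRAM_NAME
  p bootstrap_then_commands(['echo hello', 'pwd'])
  p two_writes_in_a_row
end
```

The toy exaggerates nothing about the real cipher's structure: any stream cipher whose keystream position is shared between send and receive has the same property, which is why moving the session-info read into `bootstrap` (before autorun commands) is a correctness fix rather than a cosmetic one.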