
Support session -1 for ListenerComm options #16096

Merged (2 commits), Jan 25, 2022

Conversation

@zeroSteiner (Contributor) commented Jan 24, 2022

This updates the implementation for the ReverseListenerComm and ListenerComm datastore options to support the -1 session like the SESSION datastore option does. This allows the user to refer to the most recently created session without having to either remember what it was or change it when a new session is created.

Verification

  • Start msfconsole
  • Open a Meterpreter session
  • Test the ReverseListenerComm datastore option
    • Use a reverse-something payload module like payload/python/meterpreter/reverse_tcp
    • Set the ReverseListenerComm option to -1
    • Run to_handler and see that the port from the LPORT option is now bound and listening on the remote host (use netstat in meterpreter or from the console)
  • Test the ListenerComm datastore option
    • Use a socket server module that uses the option like auxiliary/server/capture/http
    • Set the ListenerComm option to -1
    • Run the module and see that the port from the SRVPORT option is now bound and listening on the remote host (use netstat in meterpreter or from the console)
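
As an added illustration (not code from this PR or from Metasploit itself), the Ruby below models the option resolution the description above relies on: a ListenerComm-style value is either "local", an explicit session id, or -1 for the most recently created session, and the "via the meterpreter on session N" suffix the handler prints is derived from whichever session was picked. FakeSession, FakeSessionRegistry, the supports_comm flag and the error messages are assumptions made for this example; the real framework.sessions object and session classes are not used.

```ruby
# Added illustration, not Metasploit code: models how a ListenerComm /
# ReverseListenerComm value is resolved to a session, including the -1
# sentinel ("the most recently created session that is still open").
# FakeSession, FakeSessionRegistry and the supports_comm flag are
# assumptions made for this example; the real framework.sessions object
# and session classes are not used here.

# Stand-in for a session record (assumption).
FakeSession = Struct.new(:sid, :type, :supports_comm) do
  # Mirrors the wording the handler prints: "via the meterpreter on session 1".
  def to_s
    "the #{type} on session #{sid}"
  end
end

# Stand-in for framework.sessions (assumption): ids are handed out in
# creation order, so the highest live id is the most recent session.
class FakeSessionRegistry
  def initialize
    @sessions = {}
    @next_id = 0
  end

  def add(type, supports_comm: true)
    @next_id += 1
    @sessions[@next_id] = FakeSession.new(@next_id, type, supports_comm)
  end

  def remove(sid)
    @sessions.delete(sid)
  end

  def ids
    @sessions.keys.sort
  end

  # Look a session up by id. -1 resolves to the newest open session, so a
  # handler configured once keeps following new sessions as they arrive.
  # Returns nil when nothing matches (unknown id, or -1 with no sessions).
  def get(sid)
    sid = Integer(sid)
    sid = (ids.max || 0) if sid == -1
    @sessions[sid]
  end
end

# Turn the raw option value (nil, "", "local", "3", "-1", 3, ...) into either
# :local (bind in the framework process) or a comm-capable session, and fail
# with an actionable message instead of silently falling back to a local bind.
def resolve_listener_comm(registry, value)
  text = value.to_s.strip
  return :local if text.empty? || text.casecmp?('local')

  sid = Integer(text, exception: false)
  raise ArgumentError, "ListenerComm must be 'local' or a session id, got #{value.inspect}" if sid.nil?

  session = registry.get(sid)
  if session.nil?
    reason = sid == -1 ? 'no sessions are open' : "session #{sid} is not open"
    raise ArgumentError, "ListenerComm=#{sid}: #{reason}"
  end
  unless session.supports_comm
    raise ArgumentError, "ListenerComm=#{session.sid}: #{session} cannot create sockets"
  end
  session
end

# Suffix the handler appends to its "Started ... listener on host:port" line.
def via_string(comm)
  comm == :local ? '' : " via #{comm}"
end

if __FILE__ == $PROGRAM_NAME
  registry = FakeSessionRegistry.new
  registry.add('meterpreter')
  registry.add('meterpreter')
  comm = resolve_listener_comm(registry, '-1')
  puts "Started reverse TCP handler on 0.0.0.0:9999#{via_string(comm)}"
end
```

Two edge cases are worth noticing in this model: -1 with no open session raises instead of quietly binding in the framework process, which is the failure a user would otherwise only discover by running netstat on the wrong host; and a session that cannot create sockets is rejected by id, so the error names the session that was actually selected rather than the literal -1 the user typed.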

@@ -200,6 +200,8 @@ def create(cid, ssh_channel, peer_host, peer_port)
}
end

attr_reader :client
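Review bot: the new `attr_reader :client` at the end of this hunk has no comment saying what `client` refers to or why it is now exposed on the class whose `create(cid, ssh_channel, peer_host, peer_port)` appears in the hunk header; since the author's note below says it exists so the missing "via ... session" string can be built for reverse listeners started from an SSH session, a one-line doc comment above it (for example `# @return [Object] the session that owns this comm, used to build the "via" message` with the type filled in as appropriate, the type here being an assumption) would keep it from reading as an unrelated accessor.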
@zeroSteiner (Contributor, Author) commented on the line above:

This fixes the missing via string when starting a reverse listener from an SSH session.

@gwillcox-r7 (Contributor) commented:

RevListenerComm
msf6 payload(python/meterpreter/reverse_tcp) > show options

Module options (payload/python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  9999             yes       The listen port

msf6 payload(python/meterpreter/reverse_tcp) > set LHOST 172.25.210.181
LHOST => 172.25.210.181
msf6 payload(python/meterpreter/reverse_tcp) > set ReverseListenerCom -1
ReverseListenerCom => -1
msf6 payload(python/meterpreter/reverse_tcp) > jobs

Jobs
====

  Id  Name                    Payload                           Payload opts
  --  ----                    -------                           ------------
  1   Exploit: multi/handler  windows/x64/meterpreter/bind_tcp

msf6 payload(python/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 2
msf6 payload(python/meterpreter/reverse_tcp) > 
[*] Started reverse TCP handler on 172.25.210.181:9999 via the meterpreter on session 1

msf6 payload(python/meterpreter/reverse_tcp) > jobs

Jobs
====

  Id  Name                    Payload                           Payload opts
  --  ----                    -------                           ------------
  1   Exploit: multi/handler  windows/x64/meterpreter/bind_tcp
  2   Exploit: multi/handler  python/meterpreter/reverse_tcp    tcp://172.25.210.181:9999 via the meterpreter on session 1

msf6 payload(python/meterpreter/reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > netstat -h
meterpreter > netstat 

Connection list
===============

    Proto  Local address                    Remote address        State        User  Inode  PID/Program name
    -----  -------------                    --------------        -----        ----  -----  ----------------
    tcp    0.0.0.0:135                      0.0.0.0:*             LISTEN       0     0      408/svchost.exe
    tcp    0.0.0.0:445                      0.0.0.0:*             LISTEN       0     0      4/System
    tcp    0.0.0.0:5040                     0.0.0.0:*             LISTEN       0     0      5448/svchost.exe
    tcp    0.0.0.0:7680                     0.0.0.0:*             LISTEN       0     0      5532/svchost.exe
    tcp    0.0.0.0:9999                     0.0.0.0:*             LISTEN       0     0      10036/bind_tcp_x64_4444.exe
    tcp    0.0.0.0:49664                    0.0.0.0:*             LISTEN       0     0      804/lsass.exe
    tcp    0.0.0.0:49665                    0.0.0.0:*             LISTEN       0     0      640/wininit.exe
    tcp    0.0.0.0:49666                    0.0.0.0:*             LISTEN       0     0      1264/svchost.exe
    tcp    0.0.0.0:49667                    0.0.0.0:*             LISTEN       0     0      1632/svchost.exe
    tcp    0.0.0.0:49668                    0.0.0.0:*             LISTEN       0     0      2196/svchost.exe
    tcp    0.0.0.0:49669                    0.0.0.0:*             LISTEN       0     0      3004/spoolsv.exe
    tcp    0.0.0.0:49670                    0.0.0.0:*             LISTEN       0     0      784/services.exe
    tcp    172.25.210.69:139                0.0.0.0:*             LISTEN       0     0      4/System
    tcp    172.25.210.69:4444               172.25.210.181:40767  ESTABLISHED  0     0      10036/bind_tcp_x64_4444.exe
    tcp    172.25.210.69:49701              40.83.247.108:443     ESTABLISHED  0     0      3256/svchost.exe
    tcp    172.25.210.69:49814              40.83.247.108:443     ESTABLISHED  0     0      3256/svchost.exe
    tcp    172.25.210.69:49957              40.125.120.53:443     TIME_WAIT    0     0      0/[System Process]
    tcp    172.25.210.69:49963              209.197.3.8:80        TIME_WAIT    0     0      0/[System Process]
    tcp    172.25.210.69:49966              20.54.24.69:443       ESTABLISHED  0     0      5532/svchost.exe
    tcp    172.25.210.69:49968              52.182.143.208:443    ESTABLISHED  0     0      10644/msedgewebview2.exe
    tcp    172.25.210.69:49969              52.182.143.208:443    ESTABLISHED  0     0      10644/msedgewebview2.exe
    tcp6   :::135                           :::*                  LISTEN       0     0      408/svchost.exe
    tcp6   :::445                           :::*                  LISTEN       0     0      4/System
    tcp6   :::7680                          :::*                  LISTEN       0     0      5532/svchost.exe
    tcp6   :::9999                          :::*                  LISTEN       0     0      10036/bind_tcp_x64_4444.exe
    tcp6   :::49664                         :::*                  LISTEN       0     0      804/lsass.exe
    tcp6   :::49665                         :::*                  LISTEN       0     0      640/wininit.exe
    tcp6   :::49666                         :::*                  LISTEN       0     0      1264/svchost.exe
    tcp6   :::49667                         :::*                  LISTEN       0     0      1632/svchost.exe
    tcp6   :::49668                         :::*                  LISTEN       0     0      2196/svchost.exe
    tcp6   :::49669                         :::*                  LISTEN       0     0      3004/spoolsv.exe
    tcp6   :::49670                         :::*                  LISTEN       0     0      784/services.exe
    udp    0.0.0.0:5050                     0.0.0.0:*                          0     0      5448/svchost.exe
    udp    0.0.0.0:5353                     0.0.0.0:*                          0     0      9832/msedge.exe
    udp    0.0.0.0:5353                     0.0.0.0:*                          0     0      9832/msedge.exe
    udp    0.0.0.0:5353                     0.0.0.0:*                          0     0      2008/svchost.exe
    udp    0.0.0.0:5355                     0.0.0.0:*                          0     0      2008/svchost.exe
    udp    0.0.0.0:65019                    0.0.0.0:*                          0     0      2008/svchost.exe
    udp    127.0.0.1:1900                   0.0.0.0:*                          0     0      3856/svchost.exe
    udp    127.0.0.1:61959                  0.0.0.0:*                          0     0      3104/svchost.exe
    udp    127.0.0.1:64410                  0.0.0.0:*                          0     0      3856/svchost.exe
    udp    172.25.210.69:137                0.0.0.0:*                          0     0      4/System
    udp    172.25.210.69:138                0.0.0.0:*                          0     0      4/System
    udp    172.25.210.69:1900               0.0.0.0:*                          0     0      3856/svchost.exe
    udp    172.25.210.69:64409              0.0.0.0:*                          0     0      3856/svchost.exe
    udp6   :::5353                          :::*                               0     0      9832/msedge.exe
    udp6   :::5353                          :::*                               0     0      2008/svchost.exe
    udp6   :::5355                          :::*                               0     0      2008/svchost.exe
    udp6   :::65019                         :::*                               0     0      2008/svchost.exe
    udp6   ::1:1900                         :::*                               0     0      3856/svchost.exe
    udp6   ::1:64408                        :::*                               0     0      3856/svchost.exe
    udp6   fe80::50bc:6e8c:df16:10dd:1900   :::*                               0     0      3856/svchost.exe
    udp6   fe80::50bc:6e8c:df16:10dd:64407  :::*                               0     0      3856/svchost.exe

meterpreter > 
ListenerComm
msf6 payload(python/meterpreter/reverse_tcp) > use auxiliary/server/capture/http
msf6 auxiliary(server/capture/http) > set ListenerComm -1
ListenerComm => -1
msf6 auxiliary(server/capture/http) > show options

Module options (auxiliary/server/capture/http):

   Name          Current Setting                                                                Required  Description
   ----          ---------------                                                                --------  -----------
   AUTOPWN_HOST                                                                                 no        The IP address of the browser_autopwn service
   AUTOPWN_PORT                                                                                 no        The SRVPORT port of the browser_autopwn service
   AUTOPWN_URI                                                                                  no        The URIPATH of the browser_autopwn service
   FORMSDIR      /home/gwillcox/git/metasploit-framework/data/exploits/capture/http/forms       no        The directory containing form snippets (example.com.txt)
   SITELIST      /home/gwillcox/git/metasploit-framework/data/exploits/capture/http/sites.txt   no        The list of URLs that should be used for cookie capture
   SRVHOST       0.0.0.0                                                                        yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT       80                                                                             yes       The local port to listen on.
   SSL           false                                                                          no        Negotiate SSL for incoming connections
   SSLCert                                                                                      no        Path to a custom SSL certificate (default is randomly generated)
   TEMPLATE      /home/gwillcox/git/metasploit-framework/data/exploits/capture/http/index.html  no        The HTML template to serve in responses


Auxiliary action:

   Name     Description
   ----     -----------
   Capture  Run capture web server


msf6 auxiliary(server/capture/http) > set SRVPORT 8909
SRVPORT => 8909
msf6 auxiliary(server/capture/http) > run
[*] Auxiliary module running as background job 3.
msf6 auxiliary(server/capture/http) > 
[*] Started service listener on 0.0.0.0:8909 via the meterpreter on session 1
[*] Server started.

msf6 auxiliary(server/capture/http) > jobs

Jobs
====

  Id  Name                            Payload                           Payload opts
  --  ----                            -------                           ------------
  1   Exploit: multi/handler          windows/x64/meterpreter/bind_tcp
  3   Auxiliary: server/capture/http

msf6 auxiliary(server/capture/http) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > netstat -a

Connection list
===============

    Proto  Local address                    Remote address        State        User  Inode  PID/Program name
    -----  -------------                    --------------        -----        ----  -----  ----------------
    tcp    0.0.0.0:135                      0.0.0.0:*             LISTEN       0     0      408/svchost.exe
    tcp    0.0.0.0:445                      0.0.0.0:*             LISTEN       0     0      4/System
    tcp    0.0.0.0:5040                     0.0.0.0:*             LISTEN       0     0      5448/svchost.exe
    tcp    0.0.0.0:7680                     0.0.0.0:*             LISTEN       0     0      5532/svchost.exe
    tcp    0.0.0.0:8909                     0.0.0.0:*             LISTEN       0     0      10036/bind_tcp_x64_4444.exe
    tcp    0.0.0.0:49664                    0.0.0.0:*             LISTEN       0     0      804/lsass.exe
    tcp    0.0.0.0:49665                    0.0.0.0:*             LISTEN       0     0      640/wininit.exe
    tcp    0.0.0.0:49666                    0.0.0.0:*             LISTEN       0     0      1264/svchost.exe
    tcp    0.0.0.0:49667                    0.0.0.0:*             LISTEN       0     0      1632/svchost.exe
    tcp    0.0.0.0:49668                    0.0.0.0:*             LISTEN       0     0      2196/svchost.exe
    tcp    0.0.0.0:49669                    0.0.0.0:*             LISTEN       0     0      3004/spoolsv.exe
    tcp    0.0.0.0:49670                    0.0.0.0:*             LISTEN       0     0      784/services.exe
    tcp    172.25.210.69:139                0.0.0.0:*             LISTEN       0     0      4/System
    tcp    172.25.210.69:4444               172.25.210.181:40767  ESTABLISHED  0     0      10036/bind_tcp_x64_4444.exe
    tcp    172.25.210.69:49701              40.83.247.108:443     ESTABLISHED  0     0      3256/svchost.exe
    tcp    172.25.210.69:49814              40.83.247.108:443     ESTABLISHED  0     0      3256/svchost.exe
    tcp    172.25.210.69:49985              40.81.47.231:443      TIME_WAIT    0     0      0/[System Process]
    tcp    172.25.210.69:49991              52.238.248.1:443      TIME_WAIT    0     0      0/[System Process]
    tcp    172.25.210.69:49992              168.62.242.76:443     ESTABLISHED  0     0      7136/explorer.exe
    tcp    172.25.210.69:49993              13.69.239.73:443      TIME_WAIT    0     0      0/[System Process]
    tcp    172.25.210.69:49994              40.125.122.151:443    TIME_WAIT    0     0      0/[System Process]
    tcp    172.25.210.69:49995              13.69.239.73:443      TIME_WAIT    0     0      0/[System Process]
    tcp    172.25.210.69:49996              13.69.239.73:443      TIME_WAIT    0     0      0/[System Process]
    tcp6   :::135                           :::*                  LISTEN       0     0      408/svchost.exe
    tcp6   :::445                           :::*                  LISTEN       0     0      4/System
    tcp6   :::7680                          :::*                  LISTEN       0     0      5532/svchost.exe
    tcp6   :::8909                          :::*                  LISTEN       0     0      10036/bind_tcp_x64_4444.exe
    tcp6   :::49664                         :::*                  LISTEN       0     0      804/lsass.exe
    tcp6   :::49665                         :::*                  LISTEN       0     0      640/wininit.exe
    tcp6   :::49666                         :::*                  LISTEN       0     0      1264/svchost.exe
    tcp6   :::49667                         :::*                  LISTEN       0     0      1632/svchost.exe
    tcp6   :::49668                         :::*                  LISTEN       0     0      2196/svchost.exe
    tcp6   :::49669                         :::*                  LISTEN       0     0      3004/spoolsv.exe
    tcp6   :::49670                         :::*                  LISTEN       0     0      784/services.exe
    udp    0.0.0.0:5050                     0.0.0.0:*                          0     0      5448/svchost.exe
    udp    0.0.0.0:5353                     0.0.0.0:*                          0     0      9832/msedge.exe
    udp    0.0.0.0:5353                     0.0.0.0:*                          0     0      9832/msedge.exe
    udp    0.0.0.0:5353                     0.0.0.0:*                          0     0      2008/svchost.exe
    udp    0.0.0.0:5355                     0.0.0.0:*                          0     0      2008/svchost.exe
    udp    0.0.0.0:57142                    0.0.0.0:*                          0     0      2008/svchost.exe
    udp    0.0.0.0:65019                    0.0.0.0:*                          0     0      2008/svchost.exe
    udp    127.0.0.1:1900                   0.0.0.0:*                          0     0      3856/svchost.exe
    udp    127.0.0.1:61959                  0.0.0.0:*                          0     0      3104/svchost.exe
    udp    127.0.0.1:64410                  0.0.0.0:*                          0     0      3856/svchost.exe
    udp    172.25.210.69:137                0.0.0.0:*                          0     0      4/System
    udp    172.25.210.69:138                0.0.0.0:*                          0     0      4/System
    udp    172.25.210.69:1900               0.0.0.0:*                          0     0      3856/svchost.exe
    udp    172.25.210.69:64409              0.0.0.0:*                          0     0      3856/svchost.exe
    udp6   :::5353                          :::*                               0     0      9832/msedge.exe
    udp6   :::5353                          :::*                               0     0      2008/svchost.exe
    udp6   :::5355                          :::*                               0     0      2008/svchost.exe
    udp6   :::57142                         :::*                               0     0      2008/svchost.exe
    udp6   :::65019                         :::*                               0     0      2008/svchost.exe
    udp6   ::1:1900                         :::*                               0     0      3856/svchost.exe
    udp6   ::1:64408                        :::*                               0     0      3856/svchost.exe
    udp6   fe80::50bc:6e8c:df16:10dd:1900   :::*                               0     0      3856/svchost.exe
    udp6   fe80::50bc:6e8c:df16:10dd:64407  :::*                               0     0      3856/svchost.exe

meterpreter > 

LGTM, will land this now.

@gwillcox-r7 gwillcox-r7 merged commit 780c8d3 into rapid7:master Jan 25, 2022
@gwillcox-r7 gwillcox-r7 added the rn-enhancement release notes enhancement label Jan 25, 2022
@gwillcox-r7 (Contributor) commented:

Release Notes

The implementation of the ReverseListenerComm and ListenerComm datastore options has now been updated to support specifying -1 to refer to the most recently created session, without having to either remember what it was or change it when a new session is created.

3 participants