
Check global LHOST before generating it from RHOSTS #17157

Merged: 1 commit merged into rapid7:master from k0pak4:respect-global-lhost on Oct 18, 2022

Conversation


@k0pak4 k0pak4 commented Oct 17, 2022

Fixes #17107

This change fixes Issue 17107 by checking the global value of LHOST before generating it from RHOSTS.

Verification

  • Start msfconsole
  • setg LHOST 127.0.0.1
  • setg RHOSTS 192.168.1.124 (or other host on different interface)
  • use exploit/windows/http/netgear_nms_rce (any exploit module works)
  • options
  • See global LHOST is respected 🥲

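The precedence this PR is about, modelled as an added Ruby example (not Metasploit's own code): an LHOST set in the module wins, then a global (setg) LHOST, and only when neither is set is LHOST derived from the interface that routes to RHOSTS. The framework does the real derivation from the host's routing table; here `route_source_for` and the `ROUTES` table are hypothetical stand-ins so the example runs offline, and the datastores are plain hashes. `lhost_before_fix` reproduces the "Before" behaviour described in this PR (global LHOST ignored); `lhost_after_fix` applies the check the PR adds.

```ruby
# Added example, not Metasploit code. Models how a default LHOST is chosen
# before and after checking the global datastore, using plain hashes for the
# module-level and global datastores.

# Constructed routing table (hypothetical): destination prefix => local source
# address that would be used to reach it.
ROUTES = {
  '192.168.1.' => '192.168.1.10',
  '10.0.0.'    => '10.0.0.5',
}.freeze

# Treat nil and blank strings as "not set", so `setg LHOST ''` does not win.
def option_set?(value)
  !(value.nil? || value.to_s.strip.empty?)
end

# Hypothetical stand-in for a routing lookup: returns the local address that
# routes to the first RHOSTS entry, or nil if no route is known.
def route_source_for(rhosts)
  return nil unless option_set?(rhosts)
  first = rhosts.to_s.split(/[\s,]+/).first
  ROUTES.each { |prefix, src| return src if first.start_with?(prefix) }
  nil
end

# Pre-fix behaviour: RHOSTS is read from the module or global datastore, but
# LHOST is only honoured when set on the module itself, so a global LHOST is
# silently replaced by the route-derived address.
def lhost_before_fix(module_ds, global_ds)
  return module_ds['LHOST'] if option_set?(module_ds['LHOST'])
  rhosts = option_set?(module_ds['RHOSTS']) ? module_ds['RHOSTS'] : global_ds['RHOSTS']
  route_source_for(rhosts)
end

# Post-fix behaviour: the global LHOST is checked before falling back to the
# RHOSTS-derived address.
def lhost_after_fix(module_ds, global_ds)
  return module_ds['LHOST'] if option_set?(module_ds['LHOST'])
  return global_ds['LHOST'] if option_set?(global_ds['LHOST'])
  rhosts = option_set?(module_ds['RHOSTS']) ? module_ds['RHOSTS'] : global_ds['RHOSTS']
  route_source_for(rhosts)
end

if __FILE__ == $PROGRAM_NAME
  # Mirrors the verification steps: setg LHOST 127.0.0.1, setg RHOSTS 192.168.1.124,
  # then load a module with nothing set locally.
  global_ds = { 'LHOST' => '127.0.0.1', 'RHOSTS' => '192.168.1.124' }
  module_ds = {}
  puts "before fix: LHOST => #{lhost_before_fix(module_ds, global_ds)}"
  puts "after fix:  LHOST => #{lhost_after_fix(module_ds, global_ds)}"
end
```

A module-level `set LHOST` still overrides the global value in both versions, and with no LHOST anywhere the route-derived address is returned as before; the only behavioural difference is the second check in `lhost_after_fix`.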

@gwillcox-r7 gwillcox-r7 self-assigned this Oct 18, 2022
@gwillcox-r7

Before:

 ~/git/metasploit-framework │ master ?13  ./msfconsole                                                                                      ✔ │ 4s │ 3.0.2 Ruby 
                                                  
IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|\`.""'.
  II     6.     .P  :  .' / | \ `.  :
  II     'T;. .;P'  '.'  /  |  \  `.'
  II      'T; ;P'    `. /   |   \ .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt


       =[ metasploit v6.2.23-dev-d3486013f8               ]
+ -- --=[ 2257 exploits - 1187 auxiliary - 402 post       ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: When in a module, use back to go 
back to the top level prompt
Metasploit Documentation: https://docs.metasploit.com/

msf6 > setg LHOST 127.0.0.1
LHOST => 127.0.0.1
msf6 > setg RHOSTS 192.168.1.124
RHOSTS => 192.168.1.124
msf6 > use exploit/windows/http/netgear_nms_rce 
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/netgear_nms_rce) > show options

Module options (exploit/windows/http/netgear_nms_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.124    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Application path
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.19.63.43     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   NETGEAR ProSafe Network Management System 300 / Windows


msf6 exploit(windows/http/netgear_nms_rce) > 

After:

 ~/git/metasploit-framework │ land-pr17157:pr/17157 ?13  ./msfconsole                                                                  PIPE х │ 9s │ 3.0.2 Ruby 
                                                  

Unable to handle kernel NULL pointer dereference at virtual address 0xd34db33f
EFLAGS: 00010046
eax: 00000001 ebx: f77c8c00 ecx: 00000000 edx: f77f0001
esi: 803bf014 edi: 8023c755 ebp: 80237f84 esp: 80237f60
ds: 0018   es: 0018  ss: 0018
Process Swapper (Pid: 0, process nr: 0, stackpage=80377000)


Stack: 90909090990909090990909090
       90909090990909090990909090
       90909090.90909090.90909090
       90909090.90909090.90909090
       90909090.90909090.09090900
       90909090.90909090.09090900
       ..........................
       cccccccccccccccccccccccccc
       cccccccccccccccccccccccccc
       ccccccccc.................
       cccccccccccccccccccccccccc
       cccccccccccccccccccccccccc
       .................ccccccccc
       cccccccccccccccccccccccccc
       cccccccccccccccccccccccccc
       ..........................
       ffffffffffffffffffffffffff
       ffffffff..................
       ffffffffffffffffffffffffff
       ffffffff..................
       ffffffff..................
       ffffffff..................


Code: 00 00 00 00 M3 T4 SP L0 1T FR 4M 3W OR K! V3 R5 I0 N5 00 00 00 00
Aiee, Killing Interrupt handler
Kernel panic: Attempted to kill the idle task!
In swapper task - not syncing


       =[ metasploit v6.2.23-dev-aab064779c               ]
+ -- --=[ 2257 exploits - 1187 auxiliary - 402 post       ]
+ -- --=[ 951 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Open an interactive Ruby terminal with 
irb
Metasploit Documentation: https://docs.metasploit.com/

msf6 > setg LHOST 127.0.0.1
LHOST => 127.0.0.1
msf6 > setg RHOSTS 192.168.1.124
RHOSTS => 192.168.1.124
msf6 > use exploit/windows/http/netgear_nms_rce
[*] No payload configured, defaulting to windows/meterpreter/reverse_tcp
msf6 exploit(windows/http/netgear_nms_rce) > show options

Module options (exploit/windows/http/netgear_nms_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     192.168.1.124    yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
   RPORT      8080             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /                yes       Application path
   VHOST                       no        HTTP server virtual host


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     127.0.0.1        yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   NETGEAR ProSafe Network Management System 300 / Windows


msf6 exploit(windows/http/netgear_nms_rce) > 

@gwillcox-r7

Thanks for this PR @k0pak4 I'll get this landed now, appreciate you fixing this 👍

@gwillcox-r7 gwillcox-r7 merged commit 781ee00 into rapid7:master Oct 18, 2022
@gwillcox-r7 gwillcox-r7 added bug rn-fix release notes fix labels Oct 18, 2022
@k0pak4

k0pak4 commented Oct 18, 2022

Happy to help. Thanks @gwillcox-r7 for the quick review!

@k0pak4 k0pak4 deleted the respect-global-lhost branch October 18, 2022 15:54
@gwillcox-r7

Release Notes

Setting the global LHOST option for all modules will now be properly respected when loading a module, whereas before only the globally set RHOST option would be respected.

Successfully merging this pull request may close these issues.

setg doesn't change default LHOST