Don't use length for freeing. #18076

Merged
merged 1 commit into from Jun 9, 2023

Conversation

@smashery smashery commented Jun 8, 2023

This is the associated PR to rapid7/metasploit-payloads#656.

The call can never succeed with anything other than 0, so we shouldn't provide users the freedom to do the wrong thing.

Created as a draft for now until the new version of metasploit-payloads is built and ready to be referenced.

MSDN says this will never succeed - should always be zero.
@adfoster-r7 adfoster-r7 added breaking change Features that are great, but will cause breaking changes and should be deployed on a large release. and removed breaking change Features that are great, but will cause breaking changes and should be deployed on a large release. labels Jun 8, 2023
adfoster-r7 commented Jun 8, 2023

Removing the breaking change label, since it looks like the get_tlv_value_uint will return 0 if msfconsole didn't send it to older meterpreters - https://github.com/rapid7/metasploit-payloads/blob/cbf451bcde93fbe3fce9b793f2004d98392d929a/c/meterpreter/source/metsrv/core.c#L870
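The compatibility argument above (a uint TLV the client no longer sends is read as 0 by an older server, and 0 is exactly the size value that MEM_RELEASE requires) modelled in Ruby as an added example. This is not the project's code: the TLV type ids, the packet layout and the server-side size check are simplified assumptions for illustration, not Meterpreter's real wire format or implementation.

```ruby
require 'stringio'

# Hypothetical TLV type ids for this example (not Meterpreter's real values).
TLV_BASE_ADDRESS = 0x01 # qword: address of the region to release
TLV_LENGTH       = 0x02 # uint:  the parameter this PR stops sending

# Encode one TLV as: 4-byte total length (header + value), 4-byte type, value.
# Integers are big-endian; width selects a 4-byte uint or an 8-byte qword.
def encode_tlv(type, value, width)
  bytes = width == 8 ? [value].pack('Q>') : [value].pack('N')
  [8 + bytes.bytesize, type].pack('NN') + bytes
end

# Decode a packet into { type => raw value bytes }, rejecting truncated input.
def decode_packet(packet)
  tlvs = {}
  io = StringIO.new(packet)
  until io.eof?
    header = io.read(8)
    raise 'truncated TLV header' if header.nil? || header.bytesize < 8
    len, type = header.unpack('NN')
    raise 'bad TLV length' if len < 8
    value = io.read(len - 8)
    raise 'truncated TLV value' if value.nil? || value.bytesize < len - 8
    tlvs[type] = value
  end
  tlvs
end

# Models the server behaviour cited in the thread: a missing uint TLV reads as 0.
def tlv_uint(tlvs, type)
  raw = tlvs[type]
  raw ? raw.unpack1('N') : 0
end

def tlv_qword(tlvs, type)
  raw = tlvs[type]
  raw ? raw.unpack1('Q>') : 0
end

# Old client: sent the base address plus a caller-supplied length.
def old_client_free_request(base, length)
  encode_tlv(TLV_BASE_ADDRESS, base, 8) + encode_tlv(TLV_LENGTH, length, 4)
end

# New client (this PR): sends only the base address.
def new_client_free_request(base)
  encode_tlv(TLV_BASE_ADDRESS, base, 8)
end

# Simplified model of the server side: VirtualFreeEx documents that dwSize
# must be 0 with MEM_RELEASE, so any other size is rejected before the call.
def server_handle_free(packet)
  tlvs = decode_packet(packet)
  base = tlv_qword(tlvs, TLV_BASE_ADDRESS)
  size = tlv_uint(tlvs, TLV_LENGTH)
  unless size.zero?
    return { ok: false, reason: 'MEM_RELEASE requires dwSize == 0', base: base, size: size }
  end
  { ok: true, base: base, size: size }
end

if __FILE__ == $PROGRAM_NAME
  base = 1176489164800 # the address returned by allocate(0x1000) in the transcript below
  p server_handle_free(old_client_free_request(base, 0x1000)) # rejected: size != 0
  p server_handle_free(new_client_free_request(base))         # accepted: missing TLV reads as 0
end
```

Running the block shows why the label was dropped: a new client that omits the length TLV produces the same request an old client produced when it passed 0, so an unchanged server handles it without any change of behaviour, while a non-zero length (the option the old API let callers choose) is the only case that ever failed.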

@smcintyre-r7 smcintyre-r7 merged commit 296a7af into rapid7:master Jun 9, 2023
31 checks passed
@smcintyre-r7 smcintyre-r7 self-assigned this Jun 9, 2023
@smcintyre-r7

I was able to reproduce the original issue and validate that the proposed changes fix it.

Before

msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445 as user 'smcintyre'...
[*] 192.168.159.10:445 - Selecting PowerShell target
[*] 192.168.159.10:445 - Executing the payload...
[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
[*] Sending stage (200774 bytes) to 192.168.159.10
[*] Meterpreter session 6 opened (192.168.159.128:4444 -> 192.168.159.10:58317) at 2023-06-09 10:09:08 -0400

meterpreter > pry
[*] Starting Pry shell...
[*] You are in the "client" (session) object

[1] pry(#<Msf::Sessions::Meterpreter_x64_Win>)> proc = sys.process.open(sys.process.getpid)
=> #<#<Class:0x00007ffbacacbfc0>:0x00007ffbacaa2350
 @aliases=
  {"image"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Image:0x00007ffbacaa21e8 @process=#<#<Class:0x00007ffbacacbfc0>:0x00007ffbacaa2350 ...>>,
   "io"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::IO:0x00007ffbacaa2198 @process=#<#<Class:0x00007ffbacacbfc0>:0x00007ffbacaa2350 ...>>,
   "memory"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Memory:0x00007ffbacaa2148 @process=#<#<Class:0x00007ffbacacbfc0>:0x00007ffbacaa2350 ...>>,
   "thread"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Thread:0x00007ffbacaa20f8 @process=#<#<Class:0x00007ffbacacbfc0>:0x00007ffbacaa2350 ...>>},
 @channel=nil,
 @client=#<Session:meterpreter 192.168.159.10:58317 (192.168.159.10) "NT AUTHORITY\SYSTEM @ DC">,
 @handle=2496,
 @pid=4392>
[2] pry(#<Msf::Sessions::Meterpreter_x64_Win>)> mem = proc.memory.allocate(0x1000)
=> 1176489164800
[3] pry(#<Msf::Sessions::Meterpreter_x64_Win>)> proc.memory.free(mem)

[*] 192.168.159.10 - Meterpreter session 6 closed.  Reason: Died

After

msf6 exploit(windows/smb/psexec) > run

[*] Started reverse TCP handler on 192.168.159.128:4444 
[*] 192.168.159.10:445 - Connecting to the server...
[*] 192.168.159.10:445 - Authenticating to 192.168.159.10:445 as user 'smcintyre'...
[*] 192.168.159.10:445 - Selecting PowerShell target
[*] 192.168.159.10:445 - Executing the payload...
[+] 192.168.159.10:445 - Service start timed out, OK if running a command or non-service executable...
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/metsrv.x64.dll is being used
[*] Sending stage (222278 bytes) to 192.168.159.10
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/ext_server_stdapi.x64.dll is being used
WARNING: Local file /home/smcintyre/.msf4/payloads/meterpreter/ext_server_priv.x64.dll is being used
[*] Meterpreter session 5 opened (192.168.159.128:4444 -> 192.168.159.10:58314) at 2023-06-09 10:08:05 -0400

meterpreter > pry
[*] Starting Pry shell...
[*] You are in the "client" (session) object

[1] pry(#<Msf::Sessions::Meterpreter_x64_Win>)> proc = sys.process.open(sys.process.getpid)
=> #<#<Class:0x00007ffbadc14ef8>:0x00007ffbac759ce8
 @aliases=
  {"image"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Image:0x00007ffbac759b80 @process=#<#<Class:0x00007ffbadc14ef8>:0x00007ffbac759ce8 ...>>,
   "io"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::IO:0x00007ffbac759b30 @process=#<#<Class:0x00007ffbadc14ef8>:0x00007ffbac759ce8 ...>>,
   "memory"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Memory:0x00007ffbac759ae0 @process=#<#<Class:0x00007ffbadc14ef8>:0x00007ffbac759ce8 ...>>,
   "thread"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::ProcessSubsystem::Thread:0x00007ffbac759a90 @process=#<#<Class:0x00007ffbadc14ef8>:0x00007ffbac759ce8 ...>>},
 @channel=nil,
 @client=#<Session:meterpreter 192.168.159.10:58314 (192.168.159.10) "NT AUTHORITY\SYSTEM @ DC">,
 @handle=2464,
 @pid=5796>
[2] pry(#<Msf::Sessions::Meterpreter_x64_Win>)> mem = proc.memory.allocate(0x1000)
=> 2890272800768
[3] pry(#<Msf::Sessions::Meterpreter_x64_Win>)> proc.memory.free(mem)
=> true
[4] pry(#<Msf::Sessions::Meterpreter_x64_Win>)> exit
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > sysinfo
Computer        : DC
OS              : Windows 2016+ (10.0 Build 17763).
Architecture    : x64
System Language : en_US
Domain          : MSFLAB
Logged On Users : 7
Meterpreter     : x64/windows
meterpreter > 

@smcintyre-r7

Release Notes

This fixes a bug in the Windows Meterpreter's memory free API.

@adfoster-r7 adfoster-r7 added the rn-fix release notes fix label Jun 16, 2023
Labels
bug rn-fix release notes fix