Add module 'Shell to Meterpreter Upgrade' #3401
Conversation
|
This module includes the functionality of 'powershell_cmd_upgrade.rb' as well. CC: @Meatballs1 |
| current_lport = j.ctx[0].datastore["LPORT"] | ||
| if lhost == current_lhost and lport == current_lport.to_i | ||
| print_error("Job #{current_id} is listening on IP #{current_lhost} and port #{current_lport}") | ||
| conflict = true |
There was a problem hiding this comment.
yeah, if you don't care to track the number of conflicts you should either break here, or as @timwr said, just return true. I think idiomatic ruby would say use the break because it's harder to debug a method that has returns all over the place. I personally think that's lame however, but that's what the smarter-than-me people say...
Fixes based on response from @timwr and @kernelsmith. Retested with Ubuntu and Metasploitable 2 to validate proper payload. Also tested for port conflict detection after the change. Returning false on line 243 simplifies the if logic on line 251/252.
|
|
||
| class Metasploit3 < Msf::Post | ||
| include Exploit::Powershell | ||
| include Post::Windows::Powershell |
There was a problem hiding this comment.
urg, this is pulling in Powershell options:
Module options (post/multi/manage/shell_to_meterpreter):
Name Current Setting Required Description
---- --------------- -------- -----------
HANDLER true yes Start an Exploit Multi Handler to receive the connection
LHOST no IP of host that will receive the connection from the payload.
LPORT 4433 no Port for Payload to connect to.
PERSIST false yes Run the payload in a loop
PSH_OLD_METHOD false yes Use powershell 1.0
RUN_WOW64 false yes Execute powershell in 32bit compatibility mode, payloads need native arch
SESSION yes The session to run this module on.
Not a blocker but a bit confusing if your upgrading a linux shell
There was a problem hiding this comment.
I have hidden these options now, the fault values are currently fine in my testing.
|
sorry for the delay! this is working great on linux and windows 7. Seems to pop up cmd.exe on windows 7 though which is not ideal. |
|
Also it seems like it leaves the handler running if the upgrade fails |
|
@timwr Thanks for the feedback, I should have a chance to address and retest this weekend. |
leaving aborted = nil was causing unexpected behavior when the upload failed. Explicitly setting aborted = false by default corrects this issue.
|
@timwr I was unable to reproduce the popup on Windows 7 Home Premium 64 bit. I tried with both the PowerShell and non-PowerShell (VBS) stagers. I tried with credentials for the currently logged in user as well as another user. Can you provide any additional information about the environment that you produced this in? I was able to address the problem with the handler staying running after failed uploads. I reproduced the problem by disabling the PowerShell payload and enabling real time scanning with AV. This resulted in the module using the VBS cmdstager which AV picked up when it finished writing to disk. |
|
@timwr Is your Win 7 install test box in a domain or stand alone? Which version of PowerShell, if any, is installed? Was UAC extra high or low? Thanks |
|
@TomSellers at the moment the payload types are hard-coded - can you please make it accessible to the user via the usual PAYLOAD (and respective LHOST or RHOST) variable? Thank you. |
|
Sorry @TomSellers will hopefully find some time for this tomorrow! If I remember correctly it was a standalone windows 7 box with a windows/x64/shell/reverse_tcp exe payload. Will get back to you about the UAC and powershell version. |
|
Thanks @timwr FYI, things just got a bit crazy here so I won't be able to touch this now for 2 weeks so please don't rush. |
|
| end | ||
|
|
||
| if session_list.count > 1 | ||
| print_status("Sleeping for up 5 seconds to allow the previous handler to finish..") |
There was a problem hiding this comment.
I think you mean "Sleeping 5 seconds"
|
@timwr Thanks to your info on your testing method have reproduced the dialog box that you noticed. It is an artifact of running module against a shell opened by an interactive user. The root cause is that the function cmd_psh_payload in powershell.rb uses %COMSPEC% /B to hide the dialog box, but /B doesn't appear to be a valid switch for CMD.exe any longer. On March 2 @Meatballs1 [1] added 'start /min' to the command line output by cmd_psh_payload which changed the visual artifacts to just a quick icon flash on the taskbar. In my testing even this icon flash was hidden when adding the '/B' parameter to start. For some reason @Meatballs1 changes have not made it to Kali yet and so I modified its cmd_psh_payload to add 'start /B /min' to line 153 after /C for testing. Reference: |
| case platform | ||
| when 'win' | ||
| if have_powershell? | ||
| cmd_exec(cmd_psh_payload(payload_data)) |
There was a problem hiding this comment.
The cmd_psh_payload command will need updating to send the architecture with
cmd_psh_payload(payload.encoded, payload_instance.arch.first)
This update makes the module compatible with Meatballs' march PowerShell changes mentioned earlier (lines 112/113). It also includes changes recommended by Timwr and about 2/3 of the issues mentioned by Rubocop. I didn't make some of the Rubocop changes based on HD's comments in IRC that it was still being tuned to meet the project's requirements.
|
@timwr @Meatballs1 I think i have all of the items pointed out by you two. There is still a flash on the Windows taskbar that I will address with a separate pull request. This code will only work if the framework install contain's Meatballs' powershell updates mentioned in my previous comment. These were not in my Kali install. After the changes, I retested the session upgrades via 'session -u 8-14' against Windows 7, Windows 2008 R2, Solaris, BSD, Linux, and the Metasploitable install. Thanks again to everyone who has taken time to test and provide feedback so far. |
|
@timwr @Meatballs1 @todb-r7 Is there anything I can do to make this a better candidate for landing? |
|
@jlee-r7 you want down on this? Traditionally, and since @timwr is gonna be AFK for a bit, this would seem up your alley. At least take a look since you've worked on a lot of the related functionality such as the common file api etc. Once you've reviewed, and if you haven't landed, I'll take a shot at it |
|
I'm gonna assign this to @jlee-r7 and egypt if you don't land it, just assign to me |
|
@jlee-r7 here's a better reference for "you want down on this?" https://www.youtube.com/watch?v=dijVbM9DpxU |
|
I'm on a beach in Miami :) I'm happy to believe @timwr https://github.com/timwr's testing, and IOW, bump to @timwr https://github.com/timwr. — |
|
P.s apologies @TomSellers, awesome pr. This would be a great addition to
|
|
Processing!! |
|
Working great on:
|
Merge branch 'landing-3401' into upstream-master
|
sweeeeet, thanks timwr On Oct 22, 2014, at 2:54 PM, timwr notifications@github.com wrote:
|
The intent of this module is to add additional functionality to the 'spawn_meterpreter' script by @jduck
Goals:
The first pass at this was in PR #3302 which just added functionality to the script. Due to some limitations and inconsistencies it was suggested that a module would be a better fit.
NOTE: This PR depends on landing PR #3390 'Improve reliability of have_powershell'
Methods of use:
Upgrade a single session, auto detect platform and LHOST
Upgrade multiple sessions, auto detect platforms and LHOST, use distinct mutli/handler for each. The example below upgrades sessions 1,3,5,6,7,8.
It also operates like a standard post module that provides the ability to set LHOST and LPORT. The option 'SESSION' indicates the target session, is required, and only accepts 1 value
The following is a list of the current code's results. Each includes the starting point test exploit and shell type and then indicates the resulting meterpreter and whether or not the stage was written to disk.
Linux - Metasploitable 2
exploit: exploit/unix/misc/distcc_exec
shell: unix
meterpreter: meterpreter x86/linux
Disk write: yes, due to Bourne stager
exploit: exploit/multi/misc/java_rmi_server
shell type: java via java/shell/bind_tcp
meterpreter: meterpreter x86/linux
Disk write: yes, due to Bourne stager
Linux - Raspbian ARM6
exploit: auxiliary/scanner/ssh/ssh_login
shell type: linux
meterpreter: meterpreter python/python
Disk write: no
Linux - Ubuntu x86_64
exploit: auxiliary/scanner/ssh/ssh_login
shell type: linux
meterpreter: meterpreter x86/linux
Disk write: yes, due to Bourne stager
Windows Server 2008 R2 / 2012 R2
exploit: exploit/windows/smb/psexec
shell type: windows via windows/shell/reverse_tcp
meterpreter: meterpreter x86/win32
Disk write: No, used PowerShell to inject shellcode
Windows XP SP3
exploit: exploit/windows/smb/psexec
shell type: windows via windows/shell/reverse_tcp
meterpreter: meterpreter x86/win32
Disk write: yes
FreeBSD 10.0 (PC-BSD)
exploit: auxiliary/scanner/ssh/ssh_login
shell type: bsd
meterpreter: meterpreter python/python
Disk write: No
Solaris 11.1 (5.11) x86
exploit: auxiliary/scanner/ssh/ssh_login
shell type: solaris
meterpreter: meterpreter python/python
Disk write: No
Future work:
The function 'build_sessions_array' added to command_dispatcher/core.rb could be used with the sessions -k command to allow selective killing of multiple sessions. Additionally, the function could be expanded to provide session selection based on attributes. An example would be 'sessions -u shell:linux'