warn when lhost set to 127.0.0.1 #8041
Conversation
|
thanks @bermannoah . I think we may want to move this validation somewhere else. It seems odd to have this in the middle of the command dispatcher, since you can set LHOST from various places. |
| ip = args[1] | ||
|
|
||
| if (name.upcase == "LHOST" && ip == "127.0.0.1") | ||
| print_error("You may experience errors with this choice of address for LHOST.") |
There was a problem hiding this comment.
Wherever we decide to put this check, if print_warning is available, please use that instead. Thanks.
There was a problem hiding this comment.
@wvu-r7: made the change -- thanks!
|
@busterb: is there any place in particular you'd recommend moving it? I tried to find a more widely available place to put it and this seemed the most... succinct? |
|
hi @bermannoah , I would suggest instead putting the warning inside of lib/msf/core/handler/reverse.rb inside of setup_handler right after it successfully sets up a listening socket, so it warns when it actually starts listening, rather than assignment from the UI. That will also allow it to warn from other contexts as well. That also puts the warning where the actual networking code lives. You could also check for 127.0.0.0/8 or ::1 instead of just the single IPv4 loopback address. |
|
Might need to go in |
|
I think you're right @rwhitcroft. |
|
I think adding the test here is appropriate so you catch all of the loopback IPs: https://github.com/rapid7/metasploit-framework/pull/8063/files#r104604972 I also think I see the root cause for session instability in the original bug report. If you're port forwarding over a tunnel, you probably want to set ReverseListenerBindAddress to 127.0.0.1, but leave LHOST (which gets embedded into your payload) as an externally routable IP. Otherwise, your staged payload will likely be connecting to the wrong address, unless you're a developer testing payloads. So, the message might say 'You are attempting to listen on a loopback address by setting LHOST to #{address}, did you mean to set ReverseListenerBindAddress instead?' . |
|
I have a solution to this but I don't know how to pull @bermannoah 's fork as a remote, and send him a pull request on his topic branch. |
|
@itsmeroy2012 you can pull down my repo and push to the |
|
I have done the work on my repo. @busterb told me to make suggestions on here rather than hijacking with an alternate PR and I'm new to github so I'm unable to pull down your repo and push to the 'lhost-setting-warning' branch. Could you guide me through it? |
|
@itsmeroy2012 yup! Here's a high level overview, let me know if it doesn't match your system setup. Basically: 1 - 2 - cd into the repo directory 3 - just in case, run 4 - 5 - you'll need to go into the 6 - make the changes you have in mind. make sure they work etc etc 7 - do all the usual Let me know if that works for you or if you run into any troubles! |
|
When I run 'git checkout lhost-setting-warning && git pull origin lhost-setting-warning ' there is a fatal error. Will this be a problem later?
|
|
And then there is this. I think I don't have the rights to write into the repository. |
|
@itsmeroy2012 oh shoot, I'm sorry. It looks like your branch is up to date so you won't need to run git pull. For the future though it looks like you're leaving out Let me know if you have any more questions! Good luck! :) |
|
Everything ran successfully until this error popped out while executing the command "git push origin lhost-setting-warning" remote: Permission to bermannoah/metasploit-framework.git denied to itsmeroy2012. |
|
@itsmeroy2012 i'll add you as a contributor, one sec |
|
root@kali:~/bermannoah/metasploit-framework# git remote -v |
|
@itsmeroy2012 awesome -- added you as a contributor to my repo. try again? |
|
Do I need to repeat the steps again? Because the same error pops out , the one I mentioned above. |
|
@itsmeroy2012 did you accept the contributor invite? |
|
Thanks a lot for your precious time. I think it is done. |
| @@ -55,6 +55,17 @@ def bind_port | |||
| (port > 0) ? port : datastore['LPORT'].to_i | |||
| end | |||
|
|
|||
| # Checking if LHOST is a loopback address | |||
| def is_loopback_address(address) | |||
There was a problem hiding this comment.
This method needs to be named is_loopback_address?. Fixing myself.
There was a problem hiding this comment.
And for the record, this code is @busterb's: #8063 (comment).
| @@ -82,12 +93,16 @@ def setup_handler | |||
| 'MsfPayload' => self, | |||
| 'MsfExploit' => assoc_exploit | |||
| }) | |||
|
|
|||
| if is_loopback_address(ip) | |||
| print_warning ("You are attempting to listen on a loopback address by setting LHOST to #{ip}, did you mean to set ReverseListenerBindAddress instead?") | |||
There was a problem hiding this comment.
Extraneous whitespace and comma splice. Fixing.
This does not work. |
|
Yeah, that's exactly the opposite of what this was intended to alert on. |
|
When we give the command: - 'set reverselistenerbindaddress 127.0.0.1' , the 'ip' variable in the file lib/msf/core/handler/reverse.rb changes in the following code:- if is_loopback_address(ip) Why is this happening and does the same variable stores both the lhost and the reverselistenerbindaddress? |
|
@itsmeroy2012: It's looping through each bind address. Look at the code just above that. |
|
You're talking about this part right? @wvu-r7 bind_addresses.each do |ip| |
|
@itsmeroy2012: Correct. |
|
What's the complexity of this issue now? Is it still under 'newbie-friendly' ? @wvu-r7 |
|
This seems to solve the problem specified above. But there's one flaw, the user has to specify a value for LPORT else the callback_host stores the value '172.16.176.36' for some reason. Should I push the change? @wvu-r7 bind_addresses.each do |ip| |
|
Please see af3cd18 for edification. |
|
What was the fix?? @wvu-r7 |
|
Read the commit!! |
Release NotesA warning now displays when the use of loopback addresses may be unintentional and lead to undesired/unexpected behavior. |
|
hey, i am stuck with this problem.. someone help me in solving this problem.......plzzzz |
|
@Alex942: What problem? Don't comment on old tickets for support. Go to IRC. |
|
@wvu-r7 my metasploit showing error when i am setting my lhost to 127.0.0.1......i am unable to fix this |
|
Not an error. It works fine, just not suggested. |
|
@wvu-r7 can you please explain me step by step how to fix it.......... |
|
@Alex942 You're not listening. This is not an error, so there's nothing to fix. You are telling Metasploit you want to listen on the local address (127.0.0.1) which means no clients will be able to connect to you. Metasploit thinks that's weird, so it shows you this warning. Please stop posting in this thread. Also, some suggested reading for you: https://en.wikipedia.org/wiki/Localhost |
|
@rwhitcroft i just want my metasploit to start a meterpreter session when i choose 127.0.0.1 as local host. That all.............i know you all are pro of this area and you know many times more than me thats why i am asking............... |
|
@Alex942: You have provided close to zero details about your problem. How can we help? This isn't even the right place still. Please ask on IRC. I don't want to lock this thread. If you want to catch a shell on localhost, your payload needs to connect back to that address. Basically, |
See issue #7188. This pull request adds an alert if you set LHOST to a loopback address (e.g. 127.0.01). Please let me know if there is any additional behavior desired or if I ought to change the warning message. I set the alert to a
print_warningas requested.Verification
The steps needed to make sure this thing works:
./msfconsoleuse exploit/multi/handlerset payload android/meterpreter/reverse_tcpset lhost 127.0.0.1set lport 4444exploitlhostto127.0.0.1but it will print a warning: "You are attempting to listen on a loopback address by setting LHOST to 127.0.0.1, did you mean to set ReverseListenerBindAddress instead?"set lhost 0.0.0.0exportlhostto that address with no warnings. (Unless you use a different address that produces a warning.)rake specto test that all tests still pass.Console Output