
Use the proper bytes type when building search response TLVs #445

Merged (1 commit) on Nov 6, 2020

Conversation

@zeroSteiner (Contributor) commented Oct 27, 2020

The Python meterpreter needs to explicitly specify bytes() when building TLV response groups. This is already the case when enumerating processes and network interfaces; however, the filesystem search functionality does not do this. The result is that on Python 3.x versions the search command is broken, due to the inability to append bytes and string types.

Before the patch:

meterpreter > search -f *.pdf
[-] 1013: Operation failed: Python exception: TypeError

After the patch:

meterpreter > search -f *.pdf
Found 3 results...
    ./data/exploits/CVE-2018-9948/template.pdf (3115 bytes)
    ./data/exploits/CVE-2010-1240/template.pdf (618 bytes)
    ./documentation/developers_guide.pdf (458889 bytes)

Testing

I used a test harness and PyEnv to test all supported versions of Python (2.5-2.7 & 3.1-3.8).

  • Load msfconsole and use payload/python/meterpreter/reverse_tcp
  • Set the LHOST option as appropriate and generate the payload using generate -f raw -o /path/to/meterpreter.py
  • Start the handler with to_handler
  • From the working directory of the metasploit-framework, run the payload stage in Python 3.x to get a session
    • The working directory is just so the results are deterministic
  • From the meterpreter > prompt run search -f *.pdf and see results instead of a Python exception
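The failure described above comes down to one concatenation: the Python meterpreter's TLV packer appends a NULL terminator (bytes) to whatever value it is handed, and on Python 3 a str path makes that `bytes + str`, which raises TypeError. The following is an added example written for this page, not the meterpreter's own source: a minimal packer of the same shape, a search-result group builder with a pre-patch mode (str passed straight through) and a post-patch mode (explicit encode to bytes), and a decoder to confirm the fixed response round-trips. The TLV type constants are modelled on the stdapi numbering but are assumptions here; the packing logic is what the example demonstrates.

```python
import struct

NULL_BYTE = b'\x00'

# Meta-type bits and stdapi type IDs used below. The numbering is modelled on
# the Metasploit stdapi extension but the exact values are assumptions for
# this example; the packing logic is what matters.
TLV_META_TYPE_STRING = 1 << 16
TLV_META_TYPE_UINT = 1 << 17
TLV_META_TYPE_GROUP = 1 << 18

TLV_TYPE_FILE_PATH = TLV_META_TYPE_STRING | 1002
TLV_TYPE_FILE_NAME = TLV_META_TYPE_STRING | 1001
TLV_TYPE_FILE_SIZE = TLV_META_TYPE_UINT | 1004
TLV_TYPE_SEARCH_RESULTS = TLV_META_TYPE_GROUP | 1233


def tlv_pack(tlv_type, value):
    """Pack one TLV as big-endian (total length, type) followed by the value.

    Mirrors the shape of the meterpreter packer: a string TLV is the raw value
    plus a NULL terminator, with no conversion applied. On Python 3 the value
    must therefore already be bytes, otherwise 'str + bytes' raises TypeError
    (on Python 2 str is bytes, which is why the bug only shows on 3.x).
    """
    if tlv_type & TLV_META_TYPE_STRING:
        data = value + NULL_BYTE
    elif tlv_type & TLV_META_TYPE_UINT:
        data = struct.pack('>I', value)
    elif tlv_type & TLV_META_TYPE_GROUP:
        data = value  # value is already-packed child TLVs
    else:
        raise ValueError('unsupported TLV type %#x' % tlv_type)
    return struct.pack('>II', 8 + len(data), tlv_type) + data


def tlv_unpack(buf):
    """Yield (type, raw_value) for each TLV in buf; group values stay packed."""
    off = 0
    while off < len(buf):
        length, tlv_type = struct.unpack_from('>II', buf, off)
        yield tlv_type, buf[off + 8:off + length]
        off += length


def search_result_group(path, name, size, as_bytes):
    """Build one TLV_TYPE_SEARCH_RESULTS group for a matched file.

    as_bytes=False reproduces the pre-patch behaviour (str handed straight to
    the packer); as_bytes=True is the fix: encode explicitly before packing.
    """
    if as_bytes:
        path = path.encode('utf-8')
        name = name.encode('utf-8')
    group = tlv_pack(TLV_TYPE_FILE_PATH, path)
    group += tlv_pack(TLV_TYPE_FILE_NAME, name)
    group += tlv_pack(TLV_TYPE_FILE_SIZE, size)
    return tlv_pack(TLV_TYPE_SEARCH_RESULTS, group)


def build_search_response(results, as_bytes):
    """Pack every (path, name, size) hit; return (response_bytes, error_name)."""
    try:
        response = b''.join(search_result_group(p, n, s, as_bytes) for p, n, s in results)
    except TypeError as exc:
        # This is the failure the handler reports as "Python exception: TypeError".
        return None, type(exc).__name__
    return response, None


def decode_search_response(response):
    """Walk the packed groups back into (path, name, size) tuples."""
    hits = []
    for tlv_type, group in tlv_unpack(response):
        if tlv_type != TLV_TYPE_SEARCH_RESULTS:
            raise ValueError('unexpected top-level TLV %#x' % tlv_type)
        fields = dict(tlv_unpack(group))
        hits.append((
            fields[TLV_TYPE_FILE_PATH][:-1].decode('utf-8'),  # drop NULL terminator
            fields[TLV_TYPE_FILE_NAME][:-1].decode('utf-8'),
            struct.unpack('>I', fields[TLV_TYPE_FILE_SIZE])[0],
        ))
    return hits


# Constructed sample hits, shaped like the PR's "after the patch" output.
SAMPLE_HITS = [
    ('./data/exploits', 'template.pdf', 3115),
    ('./documentation', 'developers_guide.pdf', 458889),
]

if __name__ == '__main__':
    print('pre-patch :', build_search_response(SAMPLE_HITS, as_bytes=False)[1])
    packed, _ = build_search_response(SAMPLE_HITS, as_bytes=True)
    print('post-patch:', decode_search_response(packed))
```

Run under Python 3 the pre-patch mode fails with TypeError while the post-patch mode produces a response the decoder reads back intact; under Python 2 both modes succeed, which is exactly why the breakage went unnoticed until the search code was exercised on 3.x. The check worth carrying forward is the one the PR applies: every value handed to the packer for a string TLV is converted with bytes() or encode() at the call site, not left to the packer to guess.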

@gwillcox-r7 (Contributor) commented

Confirmed it's working fine:

msf6 > use payload/python/meterpreter/reverse_tcp
msf6 payload(python/meterpreter/reverse_tcp) > generate -f raw -o test.py
[-] Payload generation failed: One or more options failed to validate: LHOST.
msf6 payload(python/meterpreter/reverse_tcp) > set LHOST 127.0.0.1
LHOST => 127.0.0.1
msf6 payload(python/meterpreter/reverse_tcp) > generate -f raw -o test.py
[*] Writing 493 bytes to test.py...
msf6 payload(python/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 0
msf6 payload(python/meterpreter/reverse_tcp) > 
[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444 
[*] Sending stage (39324 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:55916) at 2020-11-05 17:18:35 -0600
[*] Sending stage (39328 bytes) to 127.0.0.1
WARNING: Local file /home/gwillcox/.msf4/payloads/meterpreter/ext_server_stdapi.py is being used
WARNING: Local files may be incompatible with the Metasploit Framework
[*] Meterpreter session 2 opened (127.0.0.1:4444 -> 127.0.0.1:55918) at 2020-11-05 17:18:35 -0600
[*] Sending stage (39328 bytes) to 127.0.0.1
[*] Meterpreter session 3 opened (127.0.0.1:4444 -> 127.0.0.1:55920) at 2020-11-05 17:18:35 -0600
[*] Sending stage (39324 bytes) to 127.0.0.1
[*] Meterpreter session 4 opened (127.0.0.1:4444 -> 127.0.0.1:55922) at 2020-11-05 17:18:36 -0600
[*] Sending stage (39324 bytes) to 127.0.0.1
[*] Meterpreter session 5 opened (127.0.0.1:4444 -> 127.0.0.1:55924) at 2020-11-05 17:18:36 -0600
[*] Sending stage (39328 bytes) to 127.0.0.1
[*] Meterpreter session 6 opened (127.0.0.1:4444 -> 127.0.0.1:55926) at 2020-11-05 17:18:37 -0600
[*] Sending stage (39328 bytes) to 127.0.0.1
[*] Meterpreter session 7 opened (127.0.0.1:4444 -> 127.0.0.1:55928) at 2020-11-05 17:18:37 -0600

msf6 payload(python/meterpreter/reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > search -f *.pdf
Found 1 result...
    ./c/meterpreter/source/extensions/stdapi/server/railgun/railgun_manual.pdf (77383 bytes)
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 127.0.0.1 - Meterpreter session 1 closed.  Reason: User exit
msf6 payload(python/meterpreter/reverse_tcp) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > search -f *.pdf
Found 1 result...
    ./c/meterpreter/source/extensions/stdapi/server/railgun/railgun_manual.pdf (77383 bytes)
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 127.0.0.1 - Meterpreter session 2 closed.  Reason: User exit
msf6 payload(python/meterpreter/reverse_tcp) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > search -f *.pdf
Found 1 result...
    ./c/meterpreter/source/extensions/stdapi/server/railgun/railgun_manual.pdf (77383 bytes)
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 127.0.0.1 - Meterpreter session 3 closed.  Reason: User exit
msf6 payload(python/meterpreter/reverse_tcp) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > search -f *.pdf
Found 1 result...
    ./c/meterpreter/source/extensions/stdapi/server/railgun/railgun_manual.pdf (77383 bytes)
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 127.0.0.1 - Meterpreter session 4 closed.  Reason: User exit
msf6 payload(python/meterpreter/reverse_tcp) > sessions -i 5
[*] Starting interaction with 5...

meterpreter > search -f *.pdf
Found 1 result...
    ./c/meterpreter/source/extensions/stdapi/server/railgun/railgun_manual.pdf (77383 bytes)
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 127.0.0.1 - Meterpreter session 5 closed.  Reason: User exit
msf6 payload(python/meterpreter/reverse_tcp) > sessions -i 6
[*] Starting interaction with 6...

meterpreter > search -f *.pdf
Found 1 result...
    ./c/meterpreter/source/extensions/stdapi/server/railgun/railgun_manual.pdf (77383 bytes)
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 127.0.0.1 - Meterpreter session 6 closed.  Reason: User exit
msf6 payload(python/meterpreter/reverse_tcp) > sessions -i 7
[*] Starting interaction with 7...

meterpreter > search -f *.pdf
Found 1 result...
    ./c/meterpreter/source/extensions/stdapi/server/railgun/railgun_manual.pdf (77383 bytes)
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 127.0.0.1 - Meterpreter session 7 closed.  Reason: User exit
msf6 payload(python/meterpreter/reverse_tcp) > 

Results from harness:

~/git/metasploit-payloads (land-pr445:pr/445) $ ./harness test.py
[*] [2.5.0  ] Running...
[+] [2.5.0  ] Status: SUCCESSFUL
[*] [2.6.6  ] Running...
[+] [2.6.6  ] Status: SUCCESSFUL
[*] [2.7.18 ] Running...
[+] [2.7.18 ] Status: SUCCESSFUL
[*] [2.7.8  ] Running...
[+] [2.7.8  ] Status: SUCCESSFUL
[*] [3.1.0  ] Running...
[+] [3.1.0  ] Status: SUCCESSFUL
[*] [3.2.0  ] Running...
[+] [3.2.0  ] Status: SUCCESSFUL
[*] [3.9.0  ] Running...
[+] [3.9.0  ] Status: SUCCESSFUL

Harness contents were copied from rapid7/metasploit-framework#14325 (review)

Finally results before the changes were applied:

msf6 > use payload/python/meterpreter/reverse_tcp
msf6 payload(python/meterpreter/reverse_tcp) > set LHOST 127.0.0.1
LHOST => 127.0.0.1
msf6 payload(python/meterpreter/reverse_tcp) > to_handler
[*] Payload Handler Started as Job 0
msf6 payload(python/meterpreter/reverse_tcp) > 
[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444 
[*] Sending stage (39328 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:55946) at 2020-11-05 17:24:05 -0600
[*] Sending stage (39324 bytes) to 127.0.0.1
[*] Meterpreter session 2 opened (127.0.0.1:4444 -> 127.0.0.1:55948) at 2020-11-05 17:24:05 -0600
[*] Sending stage (39328 bytes) to 127.0.0.1
[*] Meterpreter session 3 opened (127.0.0.1:4444 -> 127.0.0.1:55950) at 2020-11-05 17:24:06 -0600
[*] Sending stage (39328 bytes) to 127.0.0.1
[*] Meterpreter session 4 opened (127.0.0.1:4444 -> 127.0.0.1:55952) at 2020-11-05 17:24:06 -0600
[*] Sending stage (39328 bytes) to 127.0.0.1
[*] Meterpreter session 5 opened (127.0.0.1:4444 -> 127.0.0.1:55954) at 2020-11-05 17:24:06 -0600
[*] Sending stage (39324 bytes) to 127.0.0.1
[*] Meterpreter session 6 opened (127.0.0.1:4444 -> 127.0.0.1:55956) at 2020-11-05 17:24:07 -0600
[*] Sending stage (39324 bytes) to 127.0.0.1
[*] Meterpreter session 7 opened (127.0.0.1:4444 -> 127.0.0.1:55958) at 2020-11-05 17:24:07 -0600

msf6 payload(python/meterpreter/reverse_tcp) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > search -f *.pdf
[-] Unknown command: search.
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 127.0.0.1 - Meterpreter session 1 closed.  Reason: User exit
msf6 payload(python/meterpreter/reverse_tcp) > 
[*] Sending stage (39328 bytes) to 127.0.0.1
[*] Meterpreter session 8 opened (127.0.0.1:4444 -> 127.0.0.1:55962) at 2020-11-05 17:24:48 -0600

msf6 payload(python/meterpreter/reverse_tcp) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > search -f *.pdf
Found 1 result...
    ./c/meterpreter/source/extensions/stdapi/server/railgun/railgun_manual.pdf (77383 bytes)
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 127.0.0.1 - Meterpreter session 2 closed.  Reason: User exit
msf6 payload(python/meterpreter/reverse_tcp) > sessions -i 3
[*] Starting interaction with 3...

meterpreter > search -f *.pdf
Found 1 result...
    ./c/meterpreter/source/extensions/stdapi/server/railgun/railgun_manual.pdf (77383 bytes)
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 127.0.0.1 - Meterpreter session 3 closed.  Reason: User exit
msf6 payload(python/meterpreter/reverse_tcp) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > search -f *.pdf
Found 1 result...
    ./c/meterpreter/source/extensions/stdapi/server/railgun/railgun_manual.pdf (77383 bytes)
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 127.0.0.1 - Meterpreter session 4 closed.  Reason: User exit
msf6 payload(python/meterpreter/reverse_tcp) > sessions -i 5
[*] Starting interaction with 5...

meterpreter > search -f *.pdf
[-] 1013: Operation failed: Python exception: TypeError
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 127.0.0.1 - Meterpreter session 5 closed.  Reason: User exit
msf6 payload(python/meterpreter/reverse_tcp) > sessions -i 6
[*] Starting interaction with 6...

meterpreter > search -f *.pdf
[-] 1013: Operation failed: Python exception: TypeError
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 127.0.0.1 - Meterpreter session 6 closed.  Reason: User exit
msf6 payload(python/meterpreter/reverse_tcp) > sessions -i 7
[*] Starting interaction with 7...

meterpreter > search -f *.pdf
[-] 1013: Operation failed: Python exception: TypeError
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 127.0.0.1 - Meterpreter session 7 closed.  Reason: User exit
msf6 payload(python/meterpreter/reverse_tcp) > sessions -i 8
[*] Starting interaction with 8...

meterpreter > search -f *.pdf
Found 1 result...
    ./c/meterpreter/source/extensions/stdapi/server/railgun/railgun_manual.pdf (77383 bytes)
meterpreter > exit
[*] Shutting down Meterpreter...

[*] 127.0.0.1 - Meterpreter session 8 closed.  Reason: User exit
msf6 payload(python/meterpreter/reverse_tcp) > 

2 participants