Metasploit mailing list archives
exploitation through SSH tunnel
From: Balint Varga-Perke <vpbalint () gmail com>
Date: Mon, 18 Apr 2011 22:17:43 +0200
Dear List,

I've spent hours debugging this; hope this info will save some time for others:
I'm putting together a demo where I exploit an old Veritas BackupExec bug via MSF (windows/backupexec/remote_agent). The BackupExec service port listens on TCP/10000 on the target machine. I tunnel this port using plink through SSH from an intermediate machine to the attacker box. The exploit works like a charm on the clear channel, but it fails when I test it through the tunnel. Check runs properly and the authentication request is sent, but I get no connect back.
My final solution was to add an additional ndmp_recv() between handler and disconnect. This solves the problem. I think the SSH tunnel maybe buffers the stager's first response; that's why the reverse connect fails. Recv seems to trigger a buffer flush. My modification doesn't affect the normal use of the module (don't know if it's worth a patch?).
This is of course not a bug in the module or in the framework (if my assumption is correct), but I suggest taking this possibility into account while developing modules.
Regards,
Balint
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
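The sequence the post describes, as an added example that is not part of the original message, the Metasploit module or the framework: a small Ruby model in which a "tunnel" relay holds client bytes for a short time before forwarding them and, like a forwarded channel that is torn down when the local socket closes, drops whatever is still buffered if the client hangs up first. Everything in it is constructed for this page: the fake target service (standing in for the BackupExec agent on TCP/10000), the relay, its hold time (TUNNEL_DELAY) and its drop-on-close behaviour are assumptions used to reproduce the symptom, not a description of how plink or sshd actually buffer. The two client functions mirror the module's flow before and after the poster's fix; the extra gets call plays the role of the added ndmp_recv().

```ruby
require "socket"

# Constructed model for this page (not Metasploit code, not the poster's code).
HOST = "127.0.0.1"
TUNNEL_DELAY = 0.2 # seconds the relay holds client data; assumed for the model

# Fake target service: records every request line it fully receives on the
# `received` queue and answers "OK\n". Returns the port it listens on.
def start_target(received)
  srv = TCPServer.new(HOST, 0)
  Thread.new do
    loop do
      Thread.new(srv.accept) do |sock|
        req = sock.gets               # nil if the relay closed without sending
        if req
          received << req.chomp
          sock.write("OK\n") rescue nil
        end
        sock.close
      end
    end
  end
  srv.addr[1]
end

# Relay that models the tunnel: buffers client->target bytes for TUNNEL_DELAY,
# then forwards them and relays one reply line back. If the client closed
# before the delay expired, the buffered request is dropped (assumed
# tear-down-on-close behaviour). Returns the relay's listening port.
def start_relay(target_port)
  srv = TCPServer.new(HOST, 0)
  Thread.new do
    loop do
      Thread.new(srv.accept) do |client|
        upstream = TCPSocket.new(HOST, target_port)
        pending = +""
        client_closed = false
        reader = Thread.new do
          while (chunk = (client.readpartial(4096) rescue nil))
            pending << chunk
          end
          client_closed = true        # EOF: local side hung up
        end
        sleep TUNNEL_DELAY
        if client_closed
          upstream.close              # channel torn down, `pending` is lost
          client.close
        else
          upstream.write(pending)     # flush the held request to the target
          reply = upstream.gets
          (client.write(reply) rescue nil) if reply
          reader.join
          upstream.close
          client.close
        end
      end
    end
  end
  srv.addr[1]
end

# Flow from the post before the fix: send the request, then disconnect at once.
def exploit_then_disconnect(relay_port)
  s = TCPSocket.new(HOST, relay_port)
  s.write("AUTH\n")                   # stands in for the authentication request
  s.close                             # handler; disconnect
  nil
end

# Flow after the fix: one read between handler and disconnect, so the socket
# stays open until the service has actually answered.
def exploit_recv_then_disconnect(relay_port)
  s = TCPSocket.new(HOST, relay_port)
  s.write("AUTH\n")
  reply = s.gets                      # the extra ndmp_recv()
  s.close
  reply
end

# Runs both flows against one target/relay pair and reports what got through.
def run_demo
  received = Queue.new
  relay_port = start_relay(start_target(received))

  exploit_then_disconnect(relay_port)
  sleep TUNNEL_DELAY * 2              # give the relay time to decide
  lost = received.empty?

  reply = exploit_recv_then_disconnect(relay_port)
  delivered = (received.pop(true) rescue nil)
  { lost_without_recv: lost,
    delivered_with_recv: delivered == "AUTH",
    reply: reply && reply.chomp }
end

puts run_demo.inspect if __FILE__ == $0
```

Running it prints a hash showing the request is lost when the client disconnects straight after sending and delivered when it first waits for the reply. The general point the model illustrates is that a disconnect immediately after the last send only guarantees delivery to the nearest hop; a read that blocks until the service answers is the cheapest way to know the request actually arrived.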
Current thread:
- exploitation through SSH tunnel Balint Varga-Perke (Apr 18)
- Re: exploitation through SSH tunnel HD Moore (Apr 18)