Metasploit mailing list archives

exploitation through SSH tunnel


From: Balint Varga-Perke <vpbalint () gmail com>
Date: Mon, 18 Apr 2011 22:17:43 +0200

Dear List,

I've spent hours debugging this, hope this info will save some time for others:

I'm putting together a demo where I exploit an old Veritas BackupExec bug via MSF (windows/backupexec/remote_agent). The BackupExec service port listens on TCP/10000 on the target machine. I tunnel this port using plink through SSH from an intermediate machine to the attacker box. The exploit works like a charm on the clear channel, but it fails as I test it through the tunnel. Check runs properly, the authentication request is sent, but I get no connect back.

My final solution was to add an additional ndmp_recv() between handler and disconnect. This solves the problem. I think that the SSH tunnel maybe buffers the stager's first response, that's why the reverse connect fails. Recv seems to trigger a buffer flush. My modification doesn't affect the normal use of the module (don't know if it's worth a patch?).

This is of course not a bug in the module or in the framework (if my assumption is correct), but I suggest taking this possibility into account while developing modules.

Regards,

Balint
_______________________________________________
https://mail.metasploit.com/mailman/listinfo/framework