Metasploit mailing list archives
Re: exploitation through SSH tunnel
From: HD Moore <hdm () metasploit com>
Date: Mon, 18 Apr 2011 15:58:44 -0500
On 4/18/2011 3:17 PM, Balint Varga-Perke wrote:
My final solution was to add an additional ndmp_recv() between handler and disconnect. This solves the problem. I think that the SSH tunnel maybe buffers the stager's first response; that's why the reverse connect fails. Recv seems to trigger a buffer flush. My modification doesn't affect the normal use of the module (don't know if it's worth a patch?). This is of course not a bug in the module or in the framework (if my assumption is correct), but I suggest taking this possibility into account while developing modules.
Hello,

Thanks for investigating and sharing - I have updated the code (r12359) in two ways that might help and would appreciate it if you could test.

The first change was to modify how ndmp_recv() itself worked. Previously, this function would try to read a blob from the server, unpack the length header, then see if it got the whole thing. Since the ndmp_recv() method was only called once, there was a strong chance of the header being received but the rest of the data still pending, especially when going through another proxy. We intentionally disable NAGLE on our own sockets, but this goes out the window when going through a TCP proxy like SOCKS. The new code first tries to retrieve the four byte length header, then does a second receive to get the remaining data. This should prevent the first ndmp_recv() from leaving data on the socket for a typical NDMP "banner".

The correct solution is actually to do: while not ndmp_recv; end (loop until it reads the full reply), but I don't want to check this without more testing.

The second change was to add a ndmp_recv after the ndmp_send and before the handler. This should NOT be necessary with the previous change, but since I don't have a test environment and this shouldn't hurt anything, I added it anyways for now.

If you first try the module as-is, then remove the last ndmp_recv, then change the first ndmp_recv to that loop (with a timeout or max count), it would be appreciated.

Thanks!

-HD
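The read strategies discussed in this thread, as an added illustration that is not the framework's ndmp_recv() and not code posted by either participant. It contrasts a single-read ndmp_recv() (header and body expected in one segment) with the header-first, read-until-complete loop bounded by a maximum read count. The fake ChunkedSocket (standing in for a Rex socket behind a SOCKS or SSH proxy), the read_exact helper, the sample banner bytes and all function names are constructed here; the four-byte header is treated as an XDR record mark (top bit = last fragment, low 31 bits = length), which is how NDMP frames its messages on TCP.

```ruby
# Added example: reading a length-prefixed NDMP reply when a SOCKS/SSH tunnel
# splits or merges TCP segments. Illustration code only, not the framework's
# ndmp_recv; ChunkedSocket, read_exact and the sample banner are constructed.

# Fake socket that hands data back in the segment boundaries we choose, so the
# proxy behaviour can be reproduced without a live NDMP server.
class ChunkedSocket
  def initialize(chunks)
    @chunks = chunks.map(&:b)
  end

  # Like a get_once(maxlen): return at most maxlen bytes from whatever the
  # next segment holds (possibly less than asked), nil once nothing is left.
  def get_once(maxlen)
    return nil if @chunks.empty?
    chunk = @chunks.shift
    if chunk.bytesize > maxlen
      @chunks.unshift(chunk.byteslice(maxlen..-1))
      chunk = chunk.byteslice(0, maxlen)
    end
    chunk
  end

  # True if unread bytes are still sitting on the socket.
  def pending?
    !@chunks.empty?
  end
end

# NDMP frames messages with an XDR record mark: 4 bytes big-endian, top bit
# set on the last fragment, low 31 bits = payload length.
def build_record(body)
  [0x80000000 | body.bytesize].pack('N') + body.b
end

def record_len(hdr)
  hdr.unpack1('N') & 0x7fffffff
end

# The single-read pattern the mail describes: one read, unpack the header, and
# succeed only if that read happened to carry the whole record.
def ndmp_recv_once(sock, maxlen = 65_535)
  blob = sock.get_once(maxlen)
  return nil if blob.nil? || blob.bytesize < 4
  len  = record_len(blob.byteslice(0, 4))
  body = blob.byteslice(4, len) || ''.b
  body.bytesize == len ? body : nil
end

# Read exactly `want` bytes, bounded by max_reads so a stalled peer cannot
# hang the module forever (the "loop with a max count" from the mail).
def read_exact(sock, want, max_reads)
  buf = ''.b
  max_reads.times do
    return buf if buf.bytesize >= want
    chunk = sock.get_once(want - buf.bytesize)
    return nil if chunk.nil?
    buf << chunk
  end
  buf.bytesize >= want ? buf : nil
end

# Header first, then the body, each read until complete: never leaves part of
# the reply on the socket and never swallows bytes of the following record.
def ndmp_recv_full(sock, max_reads: 16)
  hdr = read_exact(sock, 4, max_reads)
  return nil if hdr.nil?
  read_exact(sock, record_len(hdr), max_reads)
end

# Constructed sample payload standing in for the server's first notify
# message (not a capture): 0x502 is NDMP_NOTIFY_CONNECTION_STATUS, rest filler.
SAMPLE_BODY   = ([0x502, 1, 0].pack('N3') + ("\x00" * 16)).b
SAMPLE_RECORD = build_record(SAMPLE_BODY)

# Three delivery patterns a proxy can produce for the same bytes.
def fragmented_socket   # header alone, body in two pieces
  ChunkedSocket.new([SAMPLE_RECORD.byteslice(0, 4),
                     SAMPLE_RECORD.byteslice(4, 10),
                     SAMPLE_RECORD.byteslice(14..-1)])
end

def coalesced_socket    # two replies merged into one segment
  ChunkedSocket.new([SAMPLE_RECORD + SAMPLE_RECORD])
end

def trickle_socket      # one byte per read
  ChunkedSocket.new(SAMPLE_RECORD.bytes.map(&:chr))
end

if __FILE__ == $PROGRAM_NAME
  s = fragmented_socket
  p [ndmp_recv_once(s), s.pending?]               # [nil, true]: body left behind
  s = fragmented_socket
  p [ndmp_recv_full(s) == SAMPLE_BODY, s.pending?] # [true, false]
end
```

Run against the fragmented socket, the single-read version consumes only the header and leaves the body unread, which is exactly the state in which a reverse-connect stager then has to compete with stale bytes; against the coalesced socket it returns the first body but silently discards the second record. The header-first loop handles both, and returns nil rather than hanging when the trickle socket exceeds the read budget.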
Current thread:
- exploitation through SSH tunnel Balint Varga-Perke (Apr 18)
- Re: exploitation through SSH tunnel HD Moore (Apr 18)