
Meterpreter - portfwd combined with http scanner module hangs #539

Open
AlanFoster opened this issue Feb 19, 2022 · 7 comments


AlanFoster commented Feb 19, 2022

Run an http server on the host:

python3 -m http.server --directory ./

Open msfconsole:

use payload/python/meterpreter_reverse_tcp
generate -o shell.py -f raw lhost=127.0.0.1 PythonMeterpreterDebug=true MeterpreterTryToFork=false
to_handler

Run the payload in a separate tab:

python3 shell.py

Add a route for the newly opened session:

route add 172.16.83.1 255.255.255.0 -1

Run the scanner/http/title module:

use auxiliary/scanner/http/title
run http://172.16.83.1:8000

Current behavior:

msf6 payload(python/meterpreter_reverse_tcp) > [*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:60296 ) at 2022-02-19 01:09:39 +0000
route add 172.16.83.1 255.255.255.0 -1
[*] Route added
msf6 payload(python/meterpreter_reverse_tcp) > use auxiliary/scanner/http/title
msf6 auxiliary(scanner/http/title) > run http://172.16.83.1:8000

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Expected behavior:

msf6 auxiliary(scanner/http/title) > run http://172.16.83.1:8000

[+] [172.16.83.1:8000] [C:200] [R:] [S:SimpleHTTP/0.6 Python/3.9.10] Directory listing for /
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

However, if we turn on the packet logging support, either manually within the packet_dispatcher or after rapid7/metasploit-framework#16135 lands, we can see Meterpreter indefinitely writing back to msfconsole:

msf6 auxiliary(scanner/http/title) > run http://172.16.83.1:8000
SEND: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_REQUEST session=brokentlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=4 command=core_channel_open>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="05710070912043229142334751606882">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_TYPE    meta=STRING     value="stdapi_net_tcp_client">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_CLASS   meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=FLAGS           meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=PEER_HOST       meta=STRING     value="172.16.83.1">
  #<Rex::Post::Meterpreter::Tlv type=PEER_PORT       meta=INT        value=8000>
  #<Rex::Post::Meterpreter::Tlv type=LOCAL_HOST      meta=STRING     value="0.0.0.0">
  #<Rex::Post::Meterpreter::Tlv type=LOCAL_PORT      meta=INT        value=0>
  #<Rex::Post::Meterpreter::Tlv type=CONNECT_RETRIES meta=INT        value=0>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_RESPONSE session=00000000000000000000000000000000tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=4 command=core_channel_open>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\xE2\x9B\xA3\xE5V\xAB\xC9U\x12O\a[p_+\a">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=LOCAL_HOST      meta=STRING     value="172.16.83.1">
  #<Rex::Post::Meterpreter::Tlv type=LOCAL_PORT      meta=INT        value=60239>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="05710070912043229142334751606882">
  #<Rex::Post::Meterpreter::Tlv type=RESULT          meta=INT        value=0>
]>

SEND: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_REQUEST session=brokentlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="57805927998792939922754736722457">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_DATA    meta=RAW        value="GET / HTTP/1.1\r\nHost: 172.16.83.1:8000\r\nUser- ...">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=175>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_RESPONSE session=00000000000000000000000000000000tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\xE2\x9B\xA3\xE5V\xAB\xC9U\x12O\a[p_+\a">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=175>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="57805927998792939922754736722457">
  #<Rex::Post::Meterpreter::Tlv type=RESULT          meta=INT        value=0>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_REQUEST session=00000000000000000000000000000000tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\xE2\x9B\xA3\xE5V\xAB\xC9U\x12O\a[p_+\a">
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="mwtwesnhvbcqqhuhinrxemqttmqdxemh">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=1>
]>

SEND: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_REQUEST session=brokentlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="00000040907641824206821064750466">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=1>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_REQUEST session=00000000000000000000000000000000tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\xE2\x9B\xA3\xE5V\xAB\xC9U\x12O\a[p_+\a">
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="dnwrfvbgfcywieeiduemqlwyogdforih">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_DATA    meta=RAW        value="HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6 Python/ ...">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=452>
]>

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/title) >  <----------------------------- End of module here, unexpected responses here:
RECV: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_RESPONSE session=00000000000000000000000000000000tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\xE2\x9B\xA3\xE5V\xAB\xC9U\x12O\a[p_+\a">
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="00000040907641824206821064750466">
  #<Rex::Post::Meterpreter::Tlv type=RESULT          meta=INT        value=0>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_REQUEST session=00000000000000000000000000000000tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\xE2\x9B\xA3\xE5V\xAB\xC9U\x12O\a[p_+\a">
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="dnwrfvbgfcywieeiduemqlwyogdforih">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_DATA    meta=RAW        value="HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6 Python/ ...">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=452>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_REQUEST session=00000000000000000000000000000000tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\xE2\x9B\xA3\xE5V\xAB\xC9U\x12O\a[p_+\a">
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="dnwrfvbgfcywieeiduemqlwyogdforih">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_DATA    meta=RAW        value="HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6 Python/ ...">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=452>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_REQUEST session=00000000000000000000000000000000tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\xE2\x9B\xA3\xE5V\xAB\xC9U\x12O\a[p_+\a">
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="dnwrfvbgfcywieeiduemqlwyogdforih">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_DATA    meta=RAW        value="HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6 Python/ ...">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=452>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_REQUEST session=00000000000000000000000000000000tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\xE2\x9B\xA3\xE5V\xAB\xC9U\x12O\a[p_+\a">
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="dnwrfvbgfcywieeiduemqlwyogdforih">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_DATA    meta=RAW        value="HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6 Python/ ...">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=452>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_REQUEST session=00000000000000000000000000000000tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\xE2\x9B\xA3\xE5V\xAB\xC9U\x12O\a[p_+\a">
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="dnwrfvbgfcywieeiduemqlwyogdforih">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_DATA    meta=RAW        value="HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6 Python/ ...">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=452>
]>

The RECV packets are received indefinitely; I haven't looked into this behavior further.
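The trace above shows the agent sending core_channel_close for channel 1 before the core_channel_write that carries the HTTP response. The following is an added example, not code from this issue or from Metasploit, that models the framework-side channel bookkeeping just far enough to show why that ordering loses the response: a write for a channel that has already been closed has nowhere to go, so the scanner reads nothing and never finds a title. ChannelTable, Packet, agent_eof_packets and title_from are invented names for this illustration, not Rex::Post::Meterpreter APIs, and the HTTP response string is a constructed sample shaped like the SimpleHTTP reply in the trace.

```ruby
# Added example (not code from the issue or from Metasploit): a small model of
# the framework-side channel table, used to show why the agent's ordering of
# core_channel_close and core_channel_write decides whether the scanner ever
# sees the HTTP response. ChannelTable, Packet and agent_eof_packets are
# invented names for this illustration, not Rex::Post::Meterpreter APIs.

# Only the packet fields from the trace that matter for ordering.
Packet = Struct.new(:command, :channel_id, :data, keyword_init: true)

# Framework side: bytes arriving on a channel are buffered until the module
# reads them; a write for a channel that was already closed has nowhere to go.
class ChannelTable
  attr_reader :dropped

  def initialize
    @open = {}     # channel_id => bytes not yet read by the module
    @closed = {}   # channel_id => final buffer, kept so a late reader still sees it
    @dropped = []  # writes that arrived after the close and were discarded
  end

  def open(channel_id)
    @open[channel_id] = +""
  end

  def handle(packet)
    case packet.command
    when :core_channel_write
      buf = @open[packet.channel_id]
      if buf
        buf << packet.data
      else
        @dropped << packet   # channel already gone: data is silently lost
      end
    when :core_channel_close
      @closed[packet.channel_id] = @open.delete(packet.channel_id) || +""
    else
      raise ArgumentError, "unhandled command #{packet.command}"
    end
  end

  # What the module gets when it reads the channel, open or closed.
  def data_for(channel_id)
    @open[channel_id] || @closed[channel_id] || +""
  end
end

# Agent side: the proxied TCP socket hit EOF while `pending` response bytes were
# still unread. close_first: true reproduces the ordering in the Python trace
# (close request first, write afterwards); false is the write-then-close order
# the expected output requires.
def agent_eof_packets(channel_id, pending, close_first:)
  write = Packet.new(command: :core_channel_write, channel_id: channel_id, data: pending)
  close = Packet.new(command: :core_channel_close, channel_id: channel_id)
  close_first ? [close, write] : [write, close]
end

# Constructed sample response, shaped like the SimpleHTTP reply in the trace.
HTTP_RESPONSE = "HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6 Python/3.9.10\r\n" \
                "Content-type: text/html\r\n\r\n" \
                "<html><head><title>Directory listing for /</title></head></html>"

# Pull the <title> out of whatever the module managed to read, the way a title
# scanner would; nil when the body never arrived.
def title_from(response)
  response[%r{<title>(.*?)</title>}im, 1]
end

def simulate(close_first:)
  table = ChannelTable.new
  table.open(1)
  agent_eof_packets(1, HTTP_RESPONSE, close_first: close_first).each { |p| table.handle(p) }
  { title: title_from(table.data_for(1)), dropped: table.dropped.size }
end

if __FILE__ == $PROGRAM_NAME
  p simulate(close_first: true)   # close before write: title is nil, one write dropped
  p simulate(close_first: false)  # write before close: title recovered, nothing dropped
end
```

Running the file prints the two outcomes side by side; the only difference between them is the order of the two packets the agent emits at socket EOF.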

AlanFoster (Author) commented:

PHP Meterpreter hangs indefinitely

msf6 auxiliary(scanner/http/title) > run http://172.16.83.1:8000

SEND: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_REQUEST session=brokentlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=4 command=core_channel_open>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="14215605748848928763444781793261">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_TYPE    meta=STRING     value="stdapi_net_tcp_client">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_CLASS   meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=FLAGS           meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=PEER_HOST       meta=STRING     value="172.16.83.1">
  #<Rex::Post::Meterpreter::Tlv type=PEER_PORT       meta=INT        value=8000>
  #<Rex::Post::Meterpreter::Tlv type=LOCAL_HOST      meta=STRING     value="0.0.0.0">
  #<Rex::Post::Meterpreter::Tlv type=LOCAL_PORT      meta=INT        value=0>
  #<Rex::Post::Meterpreter::Tlv type=CONNECT_RETRIES meta=INT        value=0>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_RESPONSE session=00000000000000000000000000000000tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=4 command=core_channel_open>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="14215605748848928763444781793261">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=0>
  #<Rex::Post::Meterpreter::Tlv type=RESULT          meta=INT        value=0>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x98\b\xE0I\xC5\x85\x87\xAB\xF4\xC3\xFD\xCC\x96\x ...">
]>

SEND: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_REQUEST session=brokentlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="89114505427813768067462086075199">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=0>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_DATA    meta=RAW        value="GET / HTTP/1.1\r\nHost: 172.16.83.1:8000\r\nUser- ...">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=175>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_RESPONSE session=00000000000000000000000000000000tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="89114505427813768067462086075199">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=175>
  #<Rex::Post::Meterpreter::Tlv type=RESULT          meta=INT        value=0>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x98\b\xE0I\xC5\x85\x87\xAB\xF4\xC3\xFD\xCC\x96\x ...">
]>

RECV: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_REQUEST session=00000000000000000000000000000000tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=0>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_DATA    meta=RAW        value="HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6 Python/ ...">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=452>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="nhoyljfnuxzeawkffdezjykqcoqviwqj">
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x98\b\xE0I\xC5\x85\x87\xAB\xF4\xC3\xFD\xCC\x96\x ...">
]>

RECV: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_REQUEST session=00000000000000000000000000000000tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="xuvkpxxyjlfdiwtqckfjjwpjpxiphret">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=0>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x98\b\xE0I\xC5\x85\x87\xAB\xF4\xC3\xFD\xCC\x96\x ...">
]>

SEND: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_REQUEST session=brokentlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1026 command=stdapi_net_socket_tcp_shutdown>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="14659866992571727989219287165823">
  #<Rex::Post::Meterpreter::Tlv type=SHUTDOWN_HOW    meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=0>
]>

AlanFoster (Author) commented:

Windows meterpreter scans the title correctly:

msf6 payload(windows/x64/meterpreter_reverse_tcp) > use auxiliary/scanner/http/title
msf6 auxiliary(scanner/http/title) > run http://172.16.83.1:8000

SEND: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=4 command=core_channel_open>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="57717958602243161342901866856435">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-TYPE    meta=STRING     value="stdapi_net_tcp_client">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-CLASS   meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=FLAGS           meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=unknown-67036   meta=STRING     value="172.16.83.1">
  #<Rex::Post::Meterpreter::Tlv type=unknown-132573  meta=INT        value=8000>
  #<Rex::Post::Meterpreter::Tlv type=unknown-67038   meta=STRING     value="0.0.0.0">
  #<Rex::Post::Meterpreter::Tlv type=unknown-132575  meta=INT        value=0>
  #<Rex::Post::Meterpreter::Tlv type=unknown-132576  meta=INT        value=0>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Response        tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=4 command=core_channel_open>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="57717958602243161342901866856435">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=unknown-67038   meta=STRING     value="172.16.83.3">
  #<Rex::Post::Meterpreter::Tlv type=unknown-132575  meta=INT        value=49804>
  #<Rex::Post::Meterpreter::Tlv type=RESULT          meta=INT        value=0>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x99\v \x8F\e\x8Fs\x10+}*\x7FIm`\x92">
]>

SEND: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="41676103023365491594302860824088">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-DATA    meta=RAW        value="GET / HTTP/1.1\r\nHost: 172.16.83.1:8000\r\nUser- ...">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=184>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Response        tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="41676103023365491594302860824088">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=184>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=RESULT          meta=INT        value=0>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x99\v \x8F\e\x8Fs\x10+}*\x7FIm`\x92">
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-DATA    meta=RAW        value="HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6 Python/ ...">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="JLEwx;+?o9bH`\"|6r%BoXCQ\\+e@+i^z">
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x99\v \x8F\e\x8Fs\x10+}*\x7FIm`\x92">
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-DATA    meta=RAW        value="<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN ...">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="o&j69B>5b\"[($V'j)MN0ll\\r;#<'Y';">
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x99\v \x8F\e\x8Fs\x10+}*\x7FIm`\x92">
]>

SEND: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=1026 command=stdapi_net_socket_tcp_shutdown>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="15143222584893693853103313778630">
  #<Rex::Post::Meterpreter::Tlv type=unknown-132602  meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Response        tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=1026 command=stdapi_net_socket_tcp_shutdown>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="15143222584893693853103313778630">
  #<Rex::Post::Meterpreter::Tlv type=RESULT          meta=INT        value=6>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x99\v \x8F\e\x8Fs\x10+}*\x7FIm`\x92">
]>

SEND: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="09258193764073534270440120000425">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
]>

[+] [172.16.83.1:8000] [C:200] [R:] [S:SimpleHTTP/0.6 Python/3.9.10] Directory listing for /
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/title) >

It then proceeds to write channel closed forever:

[+] [172.16.83.1:8000] [C:200] [R:] [S:SimpleHTTP/0.6 Python/3.9.10] Directory listing for /
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/title) > 
RECV: #<Rex::Post::Meterpreter::Packet type=Response        tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="09258193764073534270440120000425">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=RESULT          meta=INT        value=0>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x99\v \x8F\e\x8Fs\x10+}*\x7FIm`\x92">
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="}8%X9=]rPgn<5;S{oM4s9*}Lv-M/x|H">
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x99\v \x8F\e\x8Fs\x10+}*\x7FIm`\x92">
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="}8%X9=]rPgn<5;S{oM4s9*}Lv-M/x|H">
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x99\v \x8F\e\x8Fs\x10+}*\x7FIm`\x92">
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="}8%X9=]rPgn<5;S{oM4s9*}Lv-M/x|H">
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x99\v \x8F\e\x8Fs\x10+}*\x7FIm`\x92">
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="}8%X9=]rPgn<5;S{oM4s9*}Lv-M/x|H">
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x99\v \x8F\e\x8Fs\x10+}*\x7FIm`\x92">
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="}8%X9=]rPgn<5;S{oM4s9*}Lv-M/x|H">
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x99\v \x8F\e\x8Fs\x10+}*\x7FIm`\x92">
]>

AlanFoster (Author) commented:

Mettle OSX hangs indefinitely, similar to PHP Meterpreter:

msf6 payload(osx/x64/meterpreter_reverse_tcp) > use auxiliary/scanner/http/title
msf6 auxiliary(scanner/http/title) > run http://172.16.83.1:8000

SEND: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=4 command=core_channel_open>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="36918669190317404025703265289214">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-TYPE    meta=STRING     value="stdapi_net_tcp_client">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-CLASS   meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=FLAGS           meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=unknown-67036   meta=STRING     value="172.16.83.1">
  #<Rex::Post::Meterpreter::Tlv type=unknown-132573  meta=INT        value=8000>
  #<Rex::Post::Meterpreter::Tlv type=unknown-67038   meta=STRING     value="0.0.0.0">
  #<Rex::Post::Meterpreter::Tlv type=unknown-132575  meta=INT        value=0>
  #<Rex::Post::Meterpreter::Tlv type=unknown-132576  meta=INT        value=0>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Response        tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\xC8\x87o\x98\x16\x11\xE3ig\x1An\x18\x05\n(\xF7">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=4 command=core_channel_open>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="36918669190317404025703265289214">
  #<Rex::Post::Meterpreter::Tlv type=RESULT          meta=INT        value=0>
  #<Rex::Post::Meterpreter::Tlv type=unknown-67038   meta=STRING     value="172.16.83.1">
  #<Rex::Post::Meterpreter::Tlv type=unknown-132575  meta=INT        value=60567>
]>

SEND: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="88026509932553797226028090225822">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-DATA    meta=RAW        value="GET / HTTP/1.1\r\nHost: 172.16.83.1:8000\r\nUser- ...">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=184>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Response        tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\xC8\x87o\x98\x16\x11\xE3ig\x1An\x18\x05\n(\xF7">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="88026509932553797226028090225822">
  #<Rex::Post::Meterpreter::Tlv type=RESULT          meta=INT        value=0>
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=184>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\xC8\x87o\x98\x16\x11\xE3ig\x1An\x18\x05\n(\xF7">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="channel-req-1">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-DATA    meta=RAW        value="HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6 Python/ ...">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=155>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\xC8\x87o\x98\x16\x11\xE3ig\x1An\x18\x05\n(\xF7">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="channel-req-1">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-DATA    meta=RAW        value="<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01//EN ...">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=297>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\xC8\x87o\x98\x16\x11\xE3ig\x1An\x18\x05\n(\xF7">
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="channel-req-1">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
]>

SEND: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=1026 command=stdapi_net_socket_tcp_shutdown>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="66444014756502103463341603379956">
  #<Rex::Post::Meterpreter::Tlv type=unknown-132602  meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
]>

sjanusz-r7 (Contributor) commented May 3, 2022

After some sync-up with Alan above, we concluded that this issue can be separated out into the following parts:

Python Meterpreter Issue

We do not get the HTTP title as expected; Python's ordering of the channel close and the write of the HTTP response happen out of order:

SEND: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_REQUEST session=brokentlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="00000040907641824206821064750466">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=1>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=PACKET_TYPE_REQUEST session=00000000000000000000000000000000tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=8 command=core_channel_write>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\xE2\x9B\xA3\xE5V\xAB\xC9U\x12O\a[p_+\a">
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="dnwrfvbgfcywieeiduemqlwyogdforih">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL_DATA    meta=RAW        value="HTTP/1.0 200 OK\r\nServer: SimpleHTTP/0.6 Python/ ...">
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=452>
]>

This results in the data not being available in time for msfconsole:

msf6 payload(python/meterpreter_reverse_tcp) > [*] Meterpreter session 1 opened (127.0.0.1:4444 -> 127.0.0.1:60296 ) at 2022-02-19 01:09:39 +0000
route add 172.16.83.1 255.255.255.0 -1
[*] Route added
msf6 payload(python/meterpreter_reverse_tcp) > use auxiliary/scanner/http/title
msf6 auxiliary(scanner/http/title) > run http://172.16.83.1:8000

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Solution: We would need to swap the data write and the data close to have the expected HTTP response appear. This is the approach taken by the PHP and Mettle Meterpreters - which have a different issue.

PHP and Mettle Meterpreter

There is a deadlock for these Meterpreters between the packet handler, closing the channel and socket, and waiting for the channel_close reply from our Meterpreter session.

The deadlock occurs when msfconsole receives a channel close request from Meterpreter: msfconsole tries to initiate a tcp shutdown request back to Meterpreter. Waiting for the tcp shutdown request hangs indefinitely, as the channel close request is blocking the main dispatch thread - so the incoming tcp shutdown response isn't handled.

Thread dump for the blocked msfconsole:

Dispatcher thread

/Users/sjanusz/.rvm/gems/ruby-3.0.2@metasploit-framework/gems/rex-core-0.1.28/lib/rex/io/socket_abstraction.rb:121:in `join'
/Users/sjanusz/.rvm/gems/ruby-3.0.2@metasploit-framework/gems/rex-core-0.1.28/lib/rex/io/socket_abstraction.rb:121:in `close'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/channel/socket_abstraction.rb:61:in `close'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/meterpreter/channels/socket_abstraction.rb:83:in `dio_close_handler'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/meterpreter/channel.rb:357:in `dio_handler'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/meterpreter/channel.rb:81:in `request_handler'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:645:in `block in dispatch_inbound_packet'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:637:in `each'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:637:in `dispatch_inbound_packet'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:433:in `block (2 levels) in monitor_socket'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:430:in `each'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:430:in `block in monitor_socket'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/thread_factory.rb:22:in `block in spawn'
/Users/sjanusz/Rapid7/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'
/Users/sjanusz/.rvm/gems/ruby-3.0.2@metasploit-framework/gems/logging-2.3.0/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'

HTTP Parser

/Users/sjanusz/.rvm/gems/ruby-3.0.2@metasploit-framework/gems/rex-core-0.1.28/lib/rex/io/socket_abstraction.rb:57:in `join'
/Users/sjanusz/.rvm/gems/ruby-3.0.2@metasploit-framework/gems/rex-core-0.1.28/lib/rex/io/socket_abstraction.rb:57:in `cleanup_abstraction'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/channel/socket_abstraction.rb:62:in `close'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/proto/http/client.rb:196:in `close'
/Users/sjanusz/Rapid7/metasploit-framework/lib/msf/core/exploit/remote/http_client.rb:326:in `disconnect'
/Users/sjanusz/Rapid7/metasploit-framework/lib/msf/core/exploit/remote/http_client.rb:390:in `send_request_raw'
/Users/sjanusz/Rapid7/metasploit-framework/lib/msf/core/exploit/remote/http_client.rb:430:in `send_request_cgi'
/Users/sjanusz/Rapid7/metasploit-framework/modules/auxiliary/scanner/http/title.rb:43:in `run_host'
/Users/sjanusz/Rapid7/metasploit-framework/lib/msf/core/auxiliary/scanner.rb:135:in `block (2 levels) in run'
/Users/sjanusz/Rapid7/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'
/Users/sjanusz/.rvm/gems/ruby-3.0.2@metasploit-framework/gems/logging-2.3.0/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'

TCP Client Channel thread

Thread TID-g04
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/meterpreter/packet_response_waiter.rb:104:in `sleep'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/meterpreter/packet_response_waiter.rb:104:in `wait'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/meterpreter/packet_response_waiter.rb:104:in `block in wait'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/meterpreter/packet_response_waiter.rb:98:in `synchronize'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/meterpreter/packet_response_waiter.rb:98:in `wait'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:248:in `send_packet_wait_response'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/meterpreter/packet_dispatcher.rb:185:in `send_request'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb:116:in `shutdown'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/post/meterpreter/extensions/stdapi/net/socket_subsystem/tcp_client_channel.rb:97:in `close_write'
/Users/sjanusz/.rvm/gems/ruby-3.0.2@metasploit-framework/gems/rex-core-0.1.28/lib/rex/io/socket_abstraction.rb:206:in `block (2 levels) in monitor_rsock'
/Users/sjanusz/.rvm/gems/ruby-3.0.2@metasploit-framework/gems/rex-core-0.1.28/lib/rex/io/socket_abstraction.rb:138:in `loop'
/Users/sjanusz/.rvm/gems/ruby-3.0.2@metasploit-framework/gems/rex-core-0.1.28/lib/rex/io/socket_abstraction.rb:138:in `block in monitor_rsock'
/Users/sjanusz/Rapid7/metasploit-framework/lib/rex/thread_factory.rb:22:in `block in spawn'
/Users/sjanusz/Rapid7/metasploit-framework/lib/msf/core/thread_manager.rb:105:in `block in spawn'
/Users/sjanusz/.rvm/gems/ruby-3.0.2@metasploit-framework/gems/logging-2.3.0/lib/logging/diagnostic_context.rb:474:in `block in create_with_logging_context'

Windows Meterpreter

The Windows Meterpreter does not close the channel before msfconsole initiates the tcp shutdown request. However, the shutdown channel handler is never registered - and so the packet is logged to the screen in a loop. This isn't a big issue; everything continues to work as expected - it just burns CPU cycles and produces verbose logging:

[+] [172.16.83.1:8000] [C:200] [R:] [S:SimpleHTTP/0.6 Python/3.9.10] Directory listing for /
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf6 auxiliary(scanner/http/title) > 
RECV: #<Rex::Post::Meterpreter::Packet type=Response        tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="09258193764073534270440120000425">
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=RESULT          meta=INT        value=0>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x99\v \x8F\e\x8Fs\x10+}*\x7FIm`\x92">
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND-ID      meta=INT        value=1 command=core_channel_close>
  #<Rex::Post::Meterpreter::Tlv type=CHANNEL-ID      meta=INT        value=1>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST-ID      meta=STRING     value="}8%X9=]rPgn<5;S{oM4s9*}Lv-M/x|H">
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="\x99\v \x8F\e\x8Fs\x10+}*\x7FIm`\x92">
]>

... ad infinitum - duplicate packets 'received' ...

The logging happens in a continuous loop, as the packet isn't handled correctly, so it loops until it is handled. The logging just makes it seem like multiple packets are received from Meterpreter:

https://github.com/rapid7/metasploit-framework/blob/1d2a9fa523300f0832baaace4da9840d9f217c16/lib/rex/post/meterpreter/packet_dispatcher.rb#L579-L582


This functionality has been broken on non-Windows Meterpreters for at least 2 years, from at least Metasploit 5.0.101.
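
The dispatcher deadlock described under "PHP and Mettle Meterpreter" above, reduced to a toy model as an added example (this is not Metasploit code; ToyDispatcher, close_result and the packet hashes are hypothetical stand-ins): the close handler sends its own request and waits for a reply that only the dispatch thread it is blocking could deliver, so it times out, whereas running the handler off the dispatch thread lets the reply through.

```ruby
# Hypothetical stand-in for packet_dispatcher: one thread drains the inbox,
# routes responses to waiting senders and runs inbound request handlers.
class ToyDispatcher
  attr_accessor :handler      # proc invoked for each inbound request packet
  def initialize(inline_handlers:)
    @inbox = Queue.new        # packets arriving from the "remote" side
    @waiters = {}             # request_id => Queue that receives the reply
    @lock = Mutex.new
    @inline = inline_handlers # true: run handlers on the dispatch thread
    Thread.new { loop { dispatch(@inbox.pop) } }
  end

  def inject(packet)
    @inbox << packet
  end

  # Like send_packet_wait_response: the "remote" answers at once, but the
  # reply still has to travel through the dispatch thread to reach us.
  def send_request_wait(req_id, timeout: 0.5)
    q = Queue.new
    @lock.synchronize { @waiters[req_id] = q }
    inject({ type: :response, req_id: req_id })
    deadline = Process.clock_gettime(Process::CLOCK_MONOTONIC) + timeout
    while q.empty?
      return :timeout if Process.clock_gettime(Process::CLOCK_MONOTONIC) > deadline
      sleep 0.01
    end
    :ok
  ensure
    @lock.synchronize { @waiters.delete(req_id) }
  end

  def dispatch(pkt)
    if pkt[:type] == :response
      q = @lock.synchronize { @waiters[pkt[:req_id]] }
      q << pkt if q
    elsif @inline
      handler.call(pkt)                 # blocks the only dispatch thread
    else
      Thread.new { handler.call(pkt) }  # dispatch thread stays free
    end
  end
end

# A core_channel_close handler that, like tcp_client_channel#shutdown, sends
# its own request and waits for the reply on whichever thread runs it.
def close_result(inline_handlers)
  d = ToyDispatcher.new(inline_handlers: inline_handlers)
  done = Queue.new
  d.handler = ->(_pkt) { done << d.send_request_wait('shutdown-1') }
  d.inject({ type: :request, command: 'core_channel_close' })
  done.pop # :timeout when handlers run inline (the deadlock), :ok otherwise
end
```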

@gwillcox-r7
Contributor

@AlanFoster Is this fixed with #570? Or does that only fix the Python side of this?

@adfoster-r7
Contributor

adfoster-r7 commented Jun 6, 2022

That PR fixed one of the issues described. The latest information is:

  • Deadlock still occurs for the http scanner module
  • The infinite console logging is less of an issue than originally thought; it's just a by-product of logging the same unhandled Meterpreter packets multiple times until they expire - rather than being a Meterpreter bug with sending multiple network requests.

@gwillcox-r7
Copy link
Contributor

@AlanFoster Is this perhaps related to the errors I'm still encountering testing rapid7/metasploit-framework#16583 and the scanner module, re: your first point?

@adfoster-r7 adfoster-r7 changed the title Python Meterpreter - stdapi_net_tcp_client channel indefinitely writes to msfconsole Meterpreter - portfwd combined with http scanner module hangs Nov 23, 2022