Metasploit-framework: Msf::NoEncodersSucceededError in 'MS08-067 Microsoft Server Service Relative Path Stack Corruption'

Created on 16 Sep 2020 · 3 Comments · Source: rapid7/metasploit-framework

I've found that MS08-067 Microsoft Server Service Relative Path Stack Corruption is failing with Msf::NoEncodersSucceededError windows/meterpreter/reverse_tcp: All encoders failed to encode when using windows/meterpreter/reverse_tcp.

Steps to reproduce

  1. Install Metasploit Framework 6.0.6 (I could reproduce it in Windows and Linux)
  2. Start the msfconsole
  3. Execute the following commands:
    ```
    use windows/smb/ms08_067_netapi
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST 127.0.0.1
    set RHOST 127.0.0.1
    run
    ```

    • NOTE: I don't use a victim/target because it isn't needed to reproduce the issue. I attacked the loopback IP address because I was using Ubuntu without samba (so 127.0.0.1:445 wasn't bound). Maybe this isn't a good idea when the issue is fixed and you do have an SMB server running on 0.0.0.0:445 (because you are in Windows or you are using samba).

Expected behavior

The exploit should fail when trying to connect to 127.0.0.1:445 to commit the attack:

[!] You are binding to a loopback address by setting LHOST to 127.0.0.1. Did you want ReverseListenerBindAddress?
[*] Started reverse TCP handler on 127.0.0.1:4444
[-] 127.0.0.1:445 - Exploit failed [unreachable]: Rex::ConnectionRefused The connection was refused by the remote host (127.0.0.1:445).
[*] Exploit completed, but no session was created

Current behavior

The exploit fails while trying to encode the payload:

[-] 127.0.0.1:445 - Exploit failed: windows/meterpreter/reverse_tcp: All encoders failed to encode.
[*] Exploit completed, but no session was created.

Metasploit version

1ce860a3715802998701e9538afe22feb6f1c29a (HEAD -> master, origin/master, origin/HEAD) Land #14138, nexus_repo_manager_el_injection fix

Additional Information

Module/Datastore

The following global/module datastore, and database setup was configured before the issue occurred:


[framework/core]
loglevel=3

[framework/ui/console]
ActiveModule=exploit/windows/smb/ms08_067_netapi

[windows/smb/ms08_067_netapi]
EXITFUNC=thread
WORKSPACE=
VERBOSE=false
WfsDelay=0
EnableContextEncoding=false
ContextInformationFile=
DisablePayloadHandler=false
RHOSTS=127.0.0.1
RPORT=445
SSL=false
SSLVersion=Auto
SSLVerifyMode=PEER
SSLCipher=
Proxies=
CPORT=
CHOST=
ConnectTimeout=10
TCP::max_send_size=0
TCP::send_delay=0
DCERPC::max_frag_size=4096
DCERPC::fake_bind_multi=true
DCERPC::fake_bind_multi_prepend=0
DCERPC::fake_bind_multi_append=0
DCERPC::smb_pipeio=rw
DCERPC::ReadTimeout=10
NTLM::UseNTLMv2=true
NTLM::UseNTLM2_session=true
NTLM::SendLM=true
NTLM::UseLMKey=false
NTLM::SendNTLM=true
NTLM::SendSPN=true
SMB::pipe_evasion=false
SMB::pipe_write_min_size=1
SMB::pipe_write_max_size=1024
SMB::pipe_read_min_size=1
SMB::pipe_read_max_size=1024
SMB::pad_data_level=0
SMB::pad_file_level=0
SMB::obscure_trans_pipe_level=0
SMBDirect=true
SMBUser=
SMBPass=
SMBDomain=.
SMBName=*SMBSERVER
SMB::VerifySignature=false
SMB::ChunkSize=500
SMB::Native_OS=Windows 2000 2195
SMB::Native_LM=Windows 2000 5.0
SMB::AlwaysEncrypt=true
SMBPIPE=BROWSER
PAYLOAD=windows/meterpreter/reverse_tcp
LHOST=127.0.0.1

History

The following commands were run during the session and before this issue occurred:


0      set loglevel 3
1      use windows/smb/ms08_067_netapi
2      set PAYLOAD windows/meterpreter/reverse_tcp
3      set LHOST 127.0.0.1
4      set RHOST 127.0.0.1
5      run
6      debug

Errors

The following errors occurred before the issue occurred:


[09/16/2020 04:47:38] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[09/16/2020 04:47:38] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[09/16/2020 04:47:38] [e(0)] core: Unexpected output running /home/fferrari/metasploit-framework/modules/auxiliary/gather/office365userenum.py:
/usr/bin/env: ‘python’
[09/16/2020 04:47:38] [e(0)] core: Unexpected output running /home/fferrari/metasploit-framework/modules/auxiliary/gather/office365userenum.py:
: No such file or directory

[09/16/2020 04:47:38] [e(0)] core: Unable to load module /home/fferrari/metasploit-framework/modules/auxiliary/gather/office365userenum.py, unknown module type
[09/16/2020 04:47:56] [e(0)] core: Dependency for windows/x64/encrypted_shell_reverse_tcp is not supported
[09/16/2020 04:47:56] [e(0)] core: Dependency for windows/encrypted_shell_reverse_tcp is not supported
[09/16/2020 04:47:56] [e(0)] core: Dependency for windows/encrypted_reverse_tcp is not supported
[09/16/2020 04:47:56] [e(0)] core: Dependency for windows/x64/encrypted_reverse_tcp is not supported
[09/16/2020 04:48:40] [e(0)] core: Exploit failed (windows/smb/ms08_067_netapi) - Msf::NoEncodersSucceededError windows/meterpreter/reverse_tcp: All encoders failed to encode.
Call stack:
/home/fferrari/metasploit-framework/lib/msf/core/encoded_payload.rb:91:in `generate'
/home/fferrari/metasploit-framework/lib/msf/core/encoded_payload.rb:25:in `create'
/home/fferrari/metasploit-framework/lib/msf/core/exploit.rb:638:in `generate_single_payload'
/home/fferrari/metasploit-framework/lib/msf/core/exploit.rb:528:in `generate_payload'
/home/fferrari/metasploit-framework/lib/msf/core/exploit_driver.rb:160:in `run'
/home/fferrari/metasploit-framework/lib/msf/base/simple/exploit.rb:140:in `exploit_simple'
/home/fferrari/metasploit-framework/lib/msf/base/simple/exploit.rb:164:in `exploit_simple'
/home/fferrari/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:55:in `exploit_single'
/home/fferrari/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:201:in `cmd_exploit'
/home/fferrari/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
/home/fferrari/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
/home/fferrari/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
/home/fferrari/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
/home/fferrari/metasploit-framework/lib/rex/ui/text/shell.rb:158:in `run'
/home/fferrari/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/home/fferrari/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:23:in `<main>'

Logs

The following logs were recorded before the issue occurred:


[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: iteration 1: Encoded payload version is too large (842 bytes) with encoder x86/alpha_upper
[09/16/2020 04:48:40] [d(1)] core: Module x86/alpha_mixed is compatible with windows/smb/ms08_067_netapi
[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: iteration 1: Encoded payload version is too large (836 bytes) with encoder x86/alpha_mixed
[09/16/2020 04:48:40] [d(1)] core: Module x86/unicode_upper is compatible with windows/smb/ms08_067_netapi
[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: Encoder x86/unicode_upper is manual ranked and was not defined as a preferred encoder.
[09/16/2020 04:48:40] [d(1)] core: Module x86/unicode_mixed is compatible with windows/smb/ms08_067_netapi
[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: Encoder x86/unicode_mixed is manual ranked and was not defined as a preferred encoder.
[09/16/2020 04:48:40] [d(1)] core: Module x86/single_static_bit is compatible with windows/smb/ms08_067_netapi
[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: Encoder x86/single_static_bit is manual ranked and was not defined as a preferred encoder.
[09/16/2020 04:48:40] [d(1)] core: Module x86/service is compatible with windows/smb/ms08_067_netapi
[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: Encoder x86/service is manual ranked and was not defined as a preferred encoder.
[09/16/2020 04:48:40] [d(1)] core: Module x86/opt_sub is compatible with windows/smb/ms08_067_netapi
[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: Encoder x86/opt_sub is manual ranked and was not defined as a preferred encoder.
[09/16/2020 04:48:40] [d(1)] core: Module x86/context_time is compatible with windows/smb/ms08_067_netapi
[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: Encoder x86/context_time is manual ranked and was not defined as a preferred encoder.
[09/16/2020 04:48:40] [d(1)] core: Module x86/context_stat is compatible with windows/smb/ms08_067_netapi
[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: Encoder x86/context_stat is manual ranked and was not defined as a preferred encoder.
[09/16/2020 04:48:40] [d(1)] core: Module x86/context_cpuid is compatible with windows/smb/ms08_067_netapi
[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: Encoder x86/context_cpuid is manual ranked and was not defined as a preferred encoder.
[09/16/2020 04:48:40] [d(1)] core: Module x86/bmp_polyglot is compatible with windows/smb/ms08_067_netapi
[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: Encoder x86/bmp_polyglot is manual ranked and was not defined as a preferred encoder.
[09/16/2020 04:48:40] [d(1)] core: Module x86/bloxor is compatible with windows/smb/ms08_067_netapi
[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: Encoder x86/bloxor is manual ranked and was not defined as a preferred encoder.
[09/16/2020 04:48:40] [d(1)] core: Module x86/avoid_utf8_tolower is compatible with windows/smb/ms08_067_netapi
[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: Encoder x86/avoid_utf8_tolower is manual ranked and was not defined as a preferred encoder.
[09/16/2020 04:48:40] [d(1)] core: Module x86/avoid_underscore_tolower is compatible with windows/smb/ms08_067_netapi
[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: Encoder x86/avoid_underscore_tolower is manual ranked and was not defined as a preferred encoder.
[09/16/2020 04:48:40] [d(1)] core: Module x86/add_sub is compatible with windows/smb/ms08_067_netapi
[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: Encoder x86/add_sub is manual ranked and was not defined as a preferred encoder.
[09/16/2020 04:48:40] [d(1)] core: Module generic/eicar is compatible with windows/smb/ms08_067_netapi
[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: Encoder generic/eicar is manual ranked and was not defined as a preferred encoder.
[09/16/2020 04:48:40] [e(0)] core: Exploit failed (windows/smb/ms08_067_netapi) - Msf::NoEncodersSucceededError windows/meterpreter/reverse_tcp: All encoders failed to encode.
Call stack:
/home/fferrari/metasploit-framework/lib/msf/core/encoded_payload.rb:91:in `generate'
/home/fferrari/metasploit-framework/lib/msf/core/encoded_payload.rb:25:in `create'
/home/fferrari/metasploit-framework/lib/msf/core/exploit.rb:638:in `generate_single_payload'
/home/fferrari/metasploit-framework/lib/msf/core/exploit.rb:528:in `generate_payload'
/home/fferrari/metasploit-framework/lib/msf/core/exploit_driver.rb:160:in `run'
/home/fferrari/metasploit-framework/lib/msf/base/simple/exploit.rb:140:in `exploit_simple'
/home/fferrari/metasploit-framework/lib/msf/base/simple/exploit.rb:164:in `exploit_simple'
/home/fferrari/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:55:in `exploit_single'
/home/fferrari/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:201:in `cmd_exploit'
/home/fferrari/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:523:in `run_command'
/home/fferrari/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:474:in `block in run_single'
/home/fferrari/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `each'
/home/fferrari/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:468:in `run_single'
/home/fferrari/metasploit-framework/lib/rex/ui/text/shell.rb:158:in `run'
/home/fferrari/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
/home/fferrari/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
./msfconsole:23:in `<main>'

Version/Install

The versions and install method of your Metasploit setup:


Framework: 6.0.7-dev-1ce860a371
Ruby: ruby 2.6.6p146 (2020-03-31 revision 67876) [x86_64-linux]
Install Root: /home/fferrari/metasploit-framework
Session Type: postgresql selected, no connection
Install Method: Git Clone

Searching for the commit which introduced the error

I wanted to learn how to automate git bisect to find the commit which introduced the error, motivated by the fact that I knew that the exploit was working in metasploit-framework-5.0.27. I came up with the following documented steps, which might be useful for future reference and/or serve as the git bisect guide for metasploit-framework. It found 6f153688ffe0b7ba8eae893b8d10c265bb351aab as the first bad commit, but I don't know if this result makes any sense given my lack of knowledge in both the Ruby language and the metasploit-framework codebase.

Step by step git bisect for this issue (done in Ubuntu Server 20.04.1 LTS)

  1. Install the dependencies and Ruby Version Manager (RVM)
    ```bash
    sudo apt-add-repository -y ppa:rael-gc/rvm && sudo apt update
    sudo apt install -y git autoconf build-essential libpcap-dev libpq-dev zlib1g-dev libsqlite3-dev rvm
    ```
  2. Reboot the machine (required by RVM):
    ```bash
    sudo reboot
    ```
  3. Create the msfconsole automated steps file, ~/steps_to_reproduce.rc:
    ```
    set loglevel 3
    use windows/smb/ms08_067_netapi
    set PAYLOAD windows/meterpreter/reverse_tcp
    set LHOST 127.0.0.1
    set RHOST 127.0.0.1
    run
    exit
    ```
  4. Create the git bisect automated script file, ~/automated_bisect.sh:

    ```bash
    #!/usr/bin/env bash

    # Install and use the Ruby version the checked-out commit asks for
    version=$(cat .ruby-version)
    source "/etc/profile.d/rvm.sh"
    rvm install "$version" >/dev/null 2>&1
    rvm use "$version" >/dev/null 2>&1

    # Install gems/dependencies
    gem install bundler >/dev/null 2>&1
    bundle install >/dev/null 2>&1

    # Run the Metasploit Framework console with the steps to reproduce the issue
    ./msfconsole -r ~/steps_to_reproduce.rc >~/last_msfconsole_output.txt 2>&1

    # Analyze the results
    if grep -qF 'All encoders failed to encode' ~/last_msfconsole_output.txt; then
        ret=1 # bad commit (the issue is present, the payload couldn't be encoded)
    elif grep -qF 'The connection was refused by the remote host' ~/last_msfconsole_output.txt; then
        ret=0 # good commit (no service bound to 127.0.0.1:445, but the payload was successfully encoded)
    else
        # Probably another unexpected or unrelated thing failed, inform this as loud as possible
        echo -e "\e[31m##################################################################################\e[0m"
        echo -e "\e[31m######################### This bisect is no longer valid #########################\e[0m"
        echo -e "\e[31m##################################################################################\e[0m"
        ret=125 # exit code 125 makes "git bisect run" skip this commit instead of marking it bad
    fi
    exit $ret
    ```
    
  5. Clone the metasploit-framework repository:
    ```bash
    git clone https://github.com/rapid7/metasploit-framework.git && cd metasploit-framework
    ```
  6. Search for the first commit where the error is found:
    ```bash
    git bisect start HEAD 5.0.27 --
    chmod +x ~/automated_bisect.sh
    git bisect run ~/automated_bisect.sh
    ```
  7. Cleanup (optional)
    ```bash
    git bisect reset
    git clean -f
    rm -f ~/automated_bisect.sh ~/steps_to_reproduce.rc ~/last_msfconsole_output.txt
    ```

All 3 comments

It's definitely possible that the commit you found is related to the bug. I'm guessing though that the Block API changes I made are not actually breaking in the sense that they're failing to process but rather the slightly larger size is pushing it over the threshold of compatibility for that particular module. I arrived at that conclusion based on the size complaints within the logs, and the lack of any locations in the stack trace related to files I changed.

I'll have to look into this in more depth but I'd wager the payload-size increase is what broke it.

On a side note, thank you very much for the extensive work you put into this bug report. It's one of the best I've seen.

Thanks! I just tried to follow the template and to fill the bug report in the way I would like it to be filled if I were to fix it.

Alright, I've been able to reproduce this error and confirmed that you're right: the commit you called out is the first in which it's broken. The issue does appear to be with the size of the generated payload; the Block API changes did increase the size just slightly. By default the ms08_067_netapi exploit is using the x86/jmp_call_additive encoder. Now, from what I can tell, what is happening is that the payload is being generated and then encoded to just over the size threshold by about 8 bytes.

The good news is that I noticed reverse_tcp is optionally adding the exit function and a reliability stub to repeat the connection that should be omitted rather than added at the cost of exploitation (a session which lacks reconnection is better than the exploit failing and no session at all). This calculation is not accounting for the increased size of any of the encoders which seems like an issue because what it's adding is then making the payload incompatible.

I should be able to get a fix for this in the next few days.
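As an added illustration (not code from the report, the comments, or metasploit-framework itself), the following Python script parses msfconsole log lines of the kind quoted in the Logs section above and reports why each encoder was rejected, which is the triage the maintainer describes: size overshoot versus manual rank. The module's Space limit is not stated anywhere in the report, so `space` is a parameter and the value used below is an assumption.

```python
import re
from collections import OrderedDict

# Constructed excerpt modelled on the msfconsole log lines quoted in the report.
SAMPLE_LOG = """\
[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: iteration 1: Encoded payload version is too large (842 bytes) with encoder x86/alpha_upper
[09/16/2020 04:48:40] [d(1)] core: Module x86/alpha_mixed is compatible with windows/smb/ms08_067_netapi
[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: iteration 1: Encoded payload version is too large (836 bytes) with encoder x86/alpha_mixed
[09/16/2020 04:48:40] [d(1)] core: Module x86/unicode_upper is compatible with windows/smb/ms08_067_netapi
[09/16/2020 04:48:40] [w(1)] core: windows/meterpreter/reverse_tcp: Encoder x86/unicode_upper is manual ranked and was not defined as a preferred encoder.
[09/16/2020 04:48:40] [e(0)] core: Exploit failed (windows/smb/ms08_067_netapi) - Msf::NoEncodersSucceededError windows/meterpreter/reverse_tcp: All encoders failed to encode.
"""

# Two rejection reasons visible in the framework's encoder loop: the encoded
# payload exceeded the module's space, or the encoder is manual-ranked and
# therefore skipped unless explicitly chosen.
TOO_LARGE = re.compile(r"too large \((\d+) bytes\) with encoder (\S+)")
MANUAL_RANK = re.compile(r"Encoder (\S+) is manual ranked")


def triage_encoders(log_text):
    """Map each encoder the framework tried to (reason, encoded_size).

    reason is "too_large" (size is the encoded payload length in bytes) or
    "manual_rank" (size is None). Order of first appearance is preserved.
    """
    results = OrderedDict()
    for line in log_text.splitlines():
        m = TOO_LARGE.search(line)
        if m:
            results[m.group(2)] = ("too_large", int(m.group(1)))
            continue
        m = MANUAL_RANK.search(line)
        if m:
            results[m.group(1)] = ("manual_rank", None)
    return results


def smallest_overshoot(results, space):
    """Return (encoder, bytes_over_space) for the encoder that missed by the least.

    space is the module's payload Space limit in bytes (assumed, not taken
    from the report). Returns None if no encoder failed on size.
    """
    misses = [(enc, size - space)
              for enc, (reason, size) in results.items() if reason == "too_large"]
    if not misses:
        return None
    return min(misses, key=lambda pair: pair[1])


if __name__ == "__main__":
    summary = triage_encoders(SAMPLE_LOG)
    for encoder, (reason, size) in summary.items():
        print(f"{encoder}: {reason}" + (f" ({size} bytes)" if size else ""))
    print("tightest size miss at an assumed Space of 800:", smallest_overshoot(summary, 800))
```

Run against a full `loglevel 3` framework.log, a single `too_large` entry only a few bytes over Space confirms the maintainer's diagnosis, while an all-`manual_rank` summary points at encoder selection instead.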
