12/19/2015
Fingerprinting Meterpreter HTTP/S
Listeners DoS PoC
A couple
findings that will demonstrate an ability to identify and DoS (setup fake
malformed meterpreter stages between listener and attacker) meterpreter
https (and possibly http) listeners.
TL;DR
summary:
1. By issuing GET requests
to certain files dished out by the handler/listener and checking their
contents for a “core_patch_url” string, fingerprinting of
Reverse Handlers is possible.
2. By issuing malformed
or prematurely terminated GET requests to files dished out by the handler/listener,
the listener can be tricked into opening a Meterpreter session and forced
into a state where it stops accepting sessions. (Handler DoS)
First, the port you
set the listeners up on are accessible via a URL, by design:
There exist a number
of files, which can be requested via the listener URL, which, depending
on the file being requested, can cause the handler to behave in a number
of unexpected ways. The contents (and types) of files we can “GET”
can be used to confirm the existence of a listener running on a machine,
or launch a DoS attack against the listener by issuing “fake”
Meterpreter stage sessions via a specific URL request to the handler.
For instance, launch
a handler with a meterpreter reverse https payload:
use exploit/multi/handler
set ExitOnSession false
set LHOST 666.666.666.666
set LPORT 65535
set PAYLOAD windows/meterpreter/reverse_https
exploit -j
Once that’s running,
request a “chpwd.htm” file from the listener:
$ wget -qO- --no-check-certificate https://666.666.666.666/chpwd.htm
?����core_patch_url?��?/LUDZ6djujGbWvte_gMomnQm 7EQVgW7RJfg3xpGoDUgRe_SdhLJBud68viiiDN1UsrniHZsjxLn
9qYOo4YJIIU6K5ZnhNsuoGoPuWqKpQQVtxU6L4EQg8ka9cZ4aJ-/
We can see in the output
of the contents of the “chpwd.htm” file, the string “core_patch_url”
followed by a randomly generated string. The “core_patch_url”
will be our fingerprint.
On the listener side,
the log we see (when requesting chpwd.htm) is:
73.x.x.x:47054 (UUID: 2d40d9e9d8ee8c66/x86=1/windows=1/2015-12-19T05:50:27Z)
Redirecting stageless connection from /chpwd.htm with UA 'Wget/1.16 (linux-gnu)'
Alternatively, we can
request a file “blank.php”. This file appears to actually
be the stager generated by the listener:
$ wget --no-check-certificate https://666.666.666.666/blank.php
$ file blank.php: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
The downloaded “blank.php”
file i’m guessing is the stager DLL generated by the handler, but
for reasons unknown, is being given a .php extension.
On the listener side,
the log we see (when requesting blank.php) is:
[*] 73.x.x.x:10458 (UUID: 376988d5161359f3/x86=1/windows=1/2015-12-19T04:44:20Z)
Staging Python payload ...
[*] Meterpreter session 57 opened (666.666.666.666:65535 -> 73.x.x.x:10458)
at 2015-12-19 04:44:20 +0000
Requesting the “blank.php”
file appears to trigger a python stage and actually opens up a meterpreter
session. (Although invalid and is soon terminated):
[-] Meterpreter session 57 is not valid and
will be closed.
The meterpreter output
from above confirms we can initialize “fake” malformed sessions
(or prematurely terminated sessions). Essentially DoS’ing the handler,
causing a timeout condition between any “true” payloads and
the handler/listener.
Aside from the “chpwd.htm”
core_patch_url file and the “blank.php” binary file, we can
find the following, are also accessible:
PoC's:
Meterpreter Listener
DoS script: meterpreter_dos.py
Meterpreter Listener
Detector script: meterpreter_fingerprint.py
Mitigation:
By default, the listeners
are configured to allow connections from any “payload” UUID.
Setting “IgnoreUnknownPayloads true” in your resource script
for the listener, or on the msfconsole command line should mitigate this,
however, the payload and listener will need to be configured in “Paranoid
Mode”.
More info here: https://github.com/rapid7/metasploit-framework/wiki/Meterpreter-Paranoid-Mode
OR, a quick iptables
allow inbound from shell IP to listener port:
iptables -I INPUT -p tcp -m tcp -s 0.0.0.0/0
–dport $LISTENER_PORT -j DROP
iptables -I INPUT -p tcp -m tcp -s $SHELL_IP –dport $LISTENER_PORT
-j ACCEPT
iptables -L
|
