Home page logo

metasploit logo Metasploit mailing list archives

exploitation through SSH tunnel
From: Balint Varga-Perke <vpbalint () gmail com>
Date: Mon, 18 Apr 2011 22:17:43 +0200

Dear List,

I've spent hours debugging this, hope this info will save some time for others:

I'm putting together a demo where I exploit an old Veritas BackupExec bug via MSF (windows/backupexec/remote_agent). The BackupExec service port listens on TCP/10000 on the target machine. I tunnel this port using plink through SSH from an intermediate machine to the attacker box. The exploit works like charm on the clear channel, but it fails as I test it through the tunnel. Check runs properly, authentication request is sent but I get no connect back.

My final solution was to add an additional ndmp_recv() between handler and disconnect. This solves the problem. I think that the SSH tunnel maybe buffers the stagers first response, that's why the reverse connect fails. Recv seems to trigger a buffer flush. My modification doesn't affect the normal use of the module (don't know if it worth a patch?).

This is of course not a bug in the module or in the framework (if my assumption is correct), but I suggest to take this possibility into account while developing modules.



  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]