exploitation through SSH tunnel
From: Balint Varga-Perke <vpbalint () gmail com>
Date: Mon, 18 Apr 2011 22:17:43 +0200
I've spent hours debugging this, hope this info will save some time for
I'm putting together a demo where I exploit an old Veritas BackupExec
bug via MSF (windows/backupexec/remote_agent). The BackupExec service
port listens on TCP/10000 on the target machine. I tunnel this port
using plink through SSH from an intermediate machine to the attacker
box. The exploit works like a charm on the clear channel, but it fails when
I test it through the tunnel. The check runs properly and the authentication
request is sent, but I get no connect back.
My final solution was to add an additional ndmp_recv() between handler
and disconnect. This solves the problem. I think that the SSH tunnel
maybe buffers the stager's first response, and that's why the reverse connect
fails. Recv seems to trigger a buffer flush. My modification doesn't
affect the normal use of the module (don't know if it's worth a patch?).
This is of course not a bug in the module or in the framework (if my
assumption is correct), but I suggest taking this possibility into
account while developing modules.