mailing list archives
Re: exploitation through SSH tunnel
From: HD Moore <hdm () metasploit com>
Date: Mon, 18 Apr 2011 15:58:44 -0500
On 4/18/2011 3:17 PM, Balint Varga-Perke wrote:
My final solution was to add an additional ndmp_recv() between handler
and disconnect. This solves the problem. I think that the SSH tunnel
maybe buffers the stagers first response, that's why the reverse connect
fails. Recv seems to trigger a buffer flush. My modification doesn't
affect the normal use of the module (don't know if it worth a patch?).
This is of course not a bug in the module or in the framework (if my
assumption is correct), but I suggest to take this possibility into
account while developing modules.
Thanks for investigating and sharing - I have updated the code (r12359)
in two ways that might help and would appreciate it if you could test.
The first change was to modify how ndmp_recv() itself worked.
Previously, this function would try to read a blob from the server,
unpack the length header, then see if it got the whole thing. Since the
ndmp_recv() method was only called once, there was a strong chance of
the header being received but the rest of the data still pending,
especially when going through another proxy. We intentionally disable
NAGLE on our own sockets, but this goes out the window when going
through a TCP proxy like SOCKS. The new code first tries to retrieve the
four byte length header, then does a second receive to get the remaining
data. This should prevent the first ndmp_recv() from leaving data on the
socket for a typical NDMP "banner". The correct solution is actually to
do: while not ndmp_recv; end (loop until it reads the full reply), but I
don't want to check this without more testing.
The second change was to add a ndmp_recv after the ndmp_send and before
the handler. This should NOT be necessary with the previous change, but
since I don't have a test environment and this shouldn't hurt anything,
I added it anyways for now.
If you first try the module as-is, then remove the last ndmp_recv, then
change the first ndmp_recv to that loop (with a timeout or max count),
it would be appreciated. Thanks!