
Upload freeze

Open nbeguier opened this issue 6 years ago • 7 comments

I've got an upload freeze for both Debian & CentOS. I use Docker for testing, but also a real remote server. I guess it's an issue from my client, but I cannot debug it easily.

Create a server (172.18.0.2):

$ docker run -it --rm debian /bin/bash
apt-get update
apt-get install netcat -y
nc.traditional -lvvp 7777 -e /bin/bash

On my client:

$ ls
ffm.py
$ nc 172.18.0.2 7777 !bypass
$ !upload
Usage: !upload [local file] [remote destination]
Received 1 argument(s), expected 3.
$ !upload test.py test.py
Usage: !upload [local file] [remote destination]
test.py not found!
$ !upload ffm.py test.py
<FREEZE>

Jun 20 '18 15:06 nbeguier

I've just tried using a docker CentOS image and the command worked fine. One thing you can try is to use the !dbg command after you've logged into the machine. It will show you the currently expected command prompt, which in your example should be "$ ". If it's not, then the next command is likely to freeze.

Also, what OS are you using locally?

Jun 21 '18 06:06 JusticeRage

Locally, I'm using Debian unstable (buster/sid). The command !dbg shows me my prompt ...

Jun 21 '18 12:06 nbeguier

I'll try setting up a Debian unstable VM to try it out. One last thing you can try is to launch ffm.py with the --debug-input and/or --debug-output options to try and see if there is a problem with the data sent/received.

Jun 21 '18 13:06 JusticeRage

This is kind of the same result. I have no output or input when I launch the !upload command.

$ ./ffm.py --debug-output --debug-input

███████╗███████╗███╗   ███╗   ██████╗ ██╗   ██╗
██╔════╝██╔════╝████╗ ████║   ██╔══██╗╚██╗ ██╔╝
█████╗  █████╗  ██╔████╔██║   ██████╔╝ ╚████╔╝ 
██╔══╝  ██╔══╝  ██║╚██╔╝██║   ██╔═══╝   ╚██╔╝  
██║     ██║     ██║ ╚═╝ ██║██╗██║        ██║   
╚═╝     ╚═╝     ╚═╝     ╚═╝╚═╝╚═╝        ╚═╝   

FFM enabled. Type !list to see available commands and exit to quit.
1B 5D 30 3B 6E 62 65 67 75 69 65 72 40 70 61 72 2D 50 46 30 54 31 35 59 4B 3A 20 7E 2F 77 6F 72 6B 73 70 61 63 65 2F 73 65 63 75 72 69 74 79 2F 46 46 4D 07 1B 5B 30 31 3B 33 32 6D 6E 62 65 67 75 69 65 72 40 70 61 72 2D 50 46 30 54 31 35 59 4B 1B 5B 30 30 6D 3A 5B 6D 61 73 74 65 72 5D 1B 5B 30 31 3B 33 34 6D 7E 2F 77 6F 72 6B 73 70 61 63 65 2F 73 65 63 75 72 69 74 79 2F 46 46 4D 1B 5B 30 30 6D 24 20 
$ 0D 
1B 5D 30 3B 6E 62 65 67 75 69 65 72 40 70 61 72 2D 50 46 30 54 31 35 59 4B 3A 20 7E 2F 77 6F 72 6B 73 70 61 63 65 2F 73 65 63 75 72 69 74 79 2F 46 46 4D 07 1B 5B 30 31 3B 33 32 6D 6E 62 65 67 75 69 65 72 40 70 61 72 2D 50 46 30 54 31 35 59 4B 1B 5B 30 30 6D 3A 5B 6D 61 73 74 65 72 5D 1B 5B 30 31 3B 33 34 6D 7E 2F 77 6F 72 6B 73 70 61 63 65 2F 73 65 63 75 72 69 74 79 2F 46 46 4D 1B 5B 30 30 6D 24 20 
$ 0D 
1B 5D 30 3B 6E 62 65 67 75 69 65 72 40 70 61 72 2D 50 46 30 54 31 35 59 4B 3A 20 7E 2F 77 6F 72 6B 73 70 61 63 65 2F 73 65 63 75 72 69 74 79 2F 46 46 4D 07 1B 5B 30 31 3B 33 32 6D 6E 62 65 67 75 69 65 72 40 70 61 72 2D 50 46 30 54 31 35 59 4B 1B 5B 30 30 6D 3A 5B 6D 61 73 74 65 72 5D 1B 5B 30 31 3B 33 34 6D 7E 2F 77 6F 72 6B 73 70 61 63 65 2F 73 65 63 75 72 69 74 79 2F 46 46 4D 1B 5B 30 30 6D 24 20 
$ 6E n63 c20  31 137 732 22E .31 138 82E .30 02E .32 220  37 737 737 737 720  21 !62 b79 y70 p61 a73 s73 s0D 
1B 5D 30 3B 6E 62 65 67 75 69 65 72 40 70 61 72 2D 50 46 30 54 31 35 59 4B 3A 20 7E 2F 77 6F 72 6B 73 70 61 63 65 2F 73 65 63 75 72 69 74 79 2F 46 46 4D 07 1B 5B 30 31 3B 33 32 6D 6E 62 65 67 75 69 65 72 40 70 61 72 2D 50 46 30 54 31 35 59 4B 1B 5B 30 30 6D 3A 5B 6D 61 73 74 65 72 5D 1B 5B 30 31 3B 33 34 6D 7E 2F 77 6F 72 6B 73 70 61 63 65 2F 73 65 63 75 72 69 74 79 2F 46 46 4D 1B 5B 30 30 6D 24 20 
$ nc 172.18.0.2 7777 !bypass0D 
0D 
0D 
0D 
0D 
21 !75 u70 p6C l6F o61 a64 d0D 
Usage: !upload [local file] [remote destination]
Received 1 argument(s), expected 3.
$ 0D 
0D 
0D 
0D 
21 !75 u70 p6C l6F o61 a64 d20  66 f66 f6D m2E .70 p79 y20  74 t65 e73 s74 t2E .70 p79 y0D 
<FREEZE>

Jun 25 '18 08:06 nbeguier
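
Added example, not part of the thread or of FFM's own code: a small decoder for hex dumps laid out like the long output lines in the post above (space-separated hex bytes, an assumption taken from that output), which separates terminal escape sequences from the text a terminal actually displays. The sample prompt and the names `parse_dump` and `split_prompt` are constructed for illustration.

```python
import re

# Constructed sample (not taken from the thread): a coloured prompt with an
# xterm title sequence, laid out as space-separated hex like the dump above.
RAW = (b"\x1b]0;user@host: ~/work\x07\x1b[01;32muser@host\x1b[00m:"
       b"\x1b[01;34m~/work\x1b[00m$ ")
SAMPLE_DUMP = " ".join(f"{b:02X}" for b in RAW) + " "

# OSC: ESC ] ... ended by BEL or ESC \.  CSI: ESC [ params, final byte.
TOKEN = re.compile(
    rb"(?P<osc>\x1b\][^\x07\x1b]*(?:\x07|\x1b\\))"
    rb"|(?P<csi>\x1b\[[0-?]*[ -/]*[@-~])"
)


def parse_dump(dump: str) -> bytes:
    """Turn 'AA BB CC ' into bytes; reject tokens that are not hex pairs."""
    out = bytearray()
    for tok in dump.split():
        if not re.fullmatch(r"[0-9A-Fa-f]{2}", tok):
            raise ValueError(f"not a hex byte: {tok!r}")
        out.append(int(tok, 16))
    return bytes(out)


def split_prompt(data: bytes):
    """Return ([(kind, bytes), ...], visible_text) for a raw prompt."""
    segments, pos = [], 0
    for m in TOKEN.finditer(data):
        if m.start() > pos:
            segments.append(("text", data[pos:m.start()]))
        segments.append((m.lastgroup, m.group()))
        pos = m.end()
    if pos < len(data):
        segments.append(("text", data[pos:]))
    visible = b"".join(chunk for kind, chunk in segments if kind == "text")
    return segments, visible.decode("utf-8", "replace")


if __name__ == "__main__":
    raw = parse_dump(SAMPLE_DUMP)
    segs, visible = split_prompt(raw)
    for kind, chunk in segs:
        print(f"{kind:4} {chunk!r}")
    print("displayed prompt:", repr(visible))
    print("raw prompt bytes equal '$ ':", raw == b"$ ")
```

The displayed prompt ends in "$ ", but the bytes the shell emits for it also carry a title sequence and colour codes, so anything that waits on the prompt as a byte string sees more than the terminal shows.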

Well I'm stumped. What terminal are you using? I'm running terminator, could that be it? I find it very unusual that your command prompt is a simple dollar sign with a standard Debian distribution. Let's try displaying exactly what command is passed to the shell on your machine. Can you add this line:

write_str("echo \"%s\" |base64 -d |gunzip >> %s" % (b64.decode("ascii"), self.destination), LogLevel.ERROR)

...between lines 70 and 71 of upload_file.py? Also try running the same command manually, without the harness and see what happens.

Jun 25 '18 21:06 JusticeRage

FWIW, the same thing occurs with the !py command in some cases (if the python script takes a few seconds to run it seems - for example, your nojail.py script with no arguments (so it detects IP from SSH env vars)).

Jul 19 '18 07:07 0x27

The last commits have solved several harness freeze causes. Let me know if it improves the situation for any of you!

Jul 22 '18 19:07 JusticeRage