Bind_Named_pipe does not work

Open zerobytes999 opened this issue 3 years ago • 0 comments

Steps to reproduce

How'd you do it?

Test 1:

  1. Generate exe Bind named pipe payload (windows/x64/meterpreter/bind_named_pipe)
  2. Run bind named pipe on a windows machine
  3. Configure multi/handler with windows/x64/meterpreter/bind_named_pipe
  4. run exploit

Test 2:

  1. Generate exe Bind named pipe payload (windows/x64/meterpreter_bind_named_pipe)
  2. Run bind named pipe on a windows machine
  3. Configure multi/handler with windows/x64/meterpreter_bind_named_pipe
  4. run exploit

Were you following a specific guide/tutorial or reading documentation?

There is no documentation for bind_named_pipe in general

Expected behavior

get meterpreter session and can load modules

Current behavior

Test 1:

  - Payload runs without problems on the Windows machine
  - Running exploit with TLV logging on, I only see a request for (core_negotiate_tlv_encryption) but with no response
  - Ran the test multiple times, always the same behavior; below is the TLV log I get stuck at

SEND: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=16 command=core_negotiate_tlv_encryption>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="22148575175428230520166485036093">
  #<Rex::Post::Meterpreter::Tlv type=RSA_PUB_KEY     meta=RAW        value="0\x82\x01\"0\r\x06\t*\x86H\x86\xF7\r\x01\x01\x01\ ...">
]>

Test 2:

  - Payload runs without problems on the Windows machine
  - Running exploit with TLV logging on, it gets to core_loadlib and stops with no session
  - Disabled AutoLoadStdapi
  - Ran exploit again, I got a session and can run the secure command to verify the session is working
  - Ran load stdapi or any other module and I get stuck at core_loadlib
  - Ran the test multiple times, always the same behavior; below is the TLV log I get stuck at

SEND: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=10 command=core_enumextcmd>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="36555357872638636382676477113501">
  #<Rex::Post::Meterpreter::Tlv type=UINT            meta=INT        value=1000>
  #<Rex::Post::Meterpreter::Tlv type=LENGTH          meta=INT        value=1000>
]>

RECV: #<Rex::Post::Meterpreter::Packet type=Response        tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=10 command=core_enumextcmd>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="36555357872638636382676477113501">
  #<Rex::Post::Meterpreter::Tlv type=RESULT          meta=INT        value=0>
  #<Rex::Post::Meterpreter::Tlv type=UUID            meta=RAW        value="6r,\x962\xCE\xEB&\x925\x937\xF0\xE9\xC7\x8C">
]>

SEND: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
  #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=12 command=core_loadlib>
  #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="67468516191056964389079927962509">
  #<Rex::Post::Meterpreter::Tlv type=DATA            meta=RAW        value="\xE8\x00\x00\x00\x00YI\x89\xC8H\x81\xC1#\v\x00\x0 ...">
  #<Rex::Post::Meterpreter::Tlv type=LIBRARY_PATH    meta=STRING     value="ext461798.x64.dll">
  #<Rex::Post::Meterpreter::Tlv type=FLAGS           meta=INT        value=2>
  #<Rex::Post::Meterpreter::Tlv type=TARGET_PATH     meta=STRING     value="/tmp/ext461798.x64.dll">
]>

Metasploit version

Latest versions from the branch:

  - Framework: 6.2.2-dev-24a0e7622d
  - Console: 6.2.2-dev-24a0e7622d

zerobytes999, Jul 24 '22 17:07
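
One way to triage TLV logs like the ones in this issue, added here as an example that is not part of the original report or of Metasploit's code: pair each SEND with a RECV by REQUEST_ID and list the requests that never got a response. The sample log is constructed in the same layout with shortened request ids, and `parse_tlv_log` and `unanswered_requests` are hypothetical helper names.

```ruby
# Constructed sample in the layout of the TLV log quoted in the issue.
SAMPLE_LOG = <<~'LOG'
  SEND: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
    #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=10 command=core_enumextcmd>
    #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="1111">
  ]>

  RECV: #<Rex::Post::Meterpreter::Packet type=Response        tlvs=[
    #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=10 command=core_enumextcmd>
    #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="1111">
    #<Rex::Post::Meterpreter::Tlv type=RESULT          meta=INT        value=0>
  ]>

  SEND: #<Rex::Post::Meterpreter::Packet type=Request         tlvs=[
    #<Rex::Post::Meterpreter::Tlv type=COMMAND_ID      meta=INT        value=12 command=core_loadlib>
    #<Rex::Post::Meterpreter::Tlv type=REQUEST_ID      meta=STRING     value="2222">
  ]>
LOG

# One logged packet: direction (SEND/RECV), command name, request id, result code.
Packet = Struct.new(:direction, :command, :request_id, :result)

# Walk the log line by line; a SEND:/RECV: header starts a new packet and
# the TLV lines that follow fill in its fields.
def parse_tlv_log(text)
  packets = []
  text.each_line do |line|
    case line
    when /^\s*(SEND|RECV): #<Rex::Post::Meterpreter::Packet/
      packets << Packet.new($1)
    when /Tlv type=COMMAND_ID\s.*\bcommand=(\w+)>/
      packets.last&.command = $1
    when /Tlv type=REQUEST_ID\s.*\bvalue="([^"]+)"/
      packets.last&.request_id = $1
    when /Tlv type=RESULT\s.*\bvalue=(\d+)>/
      packets.last&.result = $1.to_i
    end
  end
  packets
end

# Requests whose REQUEST_ID never appears in any RECV packet.
def unanswered_requests(packets)
  answered = packets.select { |pkt| pkt.direction == 'RECV' }.map(&:request_id)
  packets.select { |pkt| pkt.direction == 'SEND' && !answered.include?(pkt.request_id) }
end

unanswered_requests(parse_tlv_log(SAMPLE_LOG)).each do |pkt|
  puts "no response to #{pkt.command} (request #{pkt.request_id})"
end
```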