msfconsole: fixing the OpenSSL::PKey::PKeyError error

Posted by L1119 on 2022-08-17

1. The problem

(kali㉿kali)-[~]$ msfconsole                
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:14:in `generate_key!': pkeys are immutable on OpenSSL 3.0 (OpenSSL::PKey::PKeyError)
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:14:in `<class:EcdsaSha2Nistp256>'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:10:in `<class:ServerHostKeyAlgorithm>'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:9:in `<class:Transport>'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:8:in `<module:HrrRbSsh>'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:7:in `<top (required)>'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm.rb:19:in `<top (required)>'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport.rb:16:in `<top (required)>'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh.rb:15:in `<top (required)>'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require'
        from /usr/share/metasploit-framework/lib/rex/proto/ssh/hrr_rb_ssh.rb:3:in `<top (required)>'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require'
        from /usr/share/metasploit-framework/lib/rex/proto/ssh/connection.rb:2:in `<top (required)>'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require'
        from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require'
        from /usr/share/metasploit-framework/lib/msf/core/handler/reverse_ssh.rb:146:in `default_version_string'
        from /usr/share/metasploit-framework/lib/msf/core/handler/reverse_ssh.rb:40:in `initialize'
        from /usr/share/metasploit-framework/lib/msf/base/sessions/command_shell_options.rb:16:in `initialize'
        from /usr/share/metasploit-framework/modules/payloads/singles/cmd/unix/reverse_ssh.rb:16:in `initialize'
        from /usr/share/metasploit-framework/lib/msf/core/payload_set.rb:95:in `new'
        from /usr/share/metasploit-framework/lib/msf/core/payload_set.rb:95:in `block (2 levels) in recalculate'
        from /usr/share/metasploit-framework/lib/msf/core/payload_set.rb:93:in `each_pair'
        from /usr/share/metasploit-framework/lib/msf/core/payload_set.rb:93:in `block in recalculate'
        from /usr/share/metasploit-framework/lib/msf/core/payload_set.rb:73:in `each_pair'
        from /usr/share/metasploit-framework/lib/msf/core/payload_set.rb:73:in `recalculate'
        from /usr/share/metasploit-framework/lib/msf/core/modules/loader/base.rb:258:in `block in load_modules'
        from /usr/share/metasploit-framework/lib/msf/core/modules/loader/base.rb:255:in `each'
        from /usr/share/metasploit-framework/lib/msf/core/modules/loader/base.rb:255:in `load_modules'
        from /usr/share/metasploit-framework/lib/msf/core/module_manager/loading.rb:170:in `block in load_modules'
        from /usr/share/metasploit-framework/lib/msf/core/module_manager/loading.rb:168:in `each'
        from /usr/share/metasploit-framework/lib/msf/core/module_manager/loading.rb:168:in `load_modules'
        from /usr/share/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:41:in `block in add_module_path'
        from /usr/share/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:40:in `each'
        from /usr/share/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:40:in `add_module_path'
        from /usr/share/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:51:in `block in init_module_paths'
        from /usr/share/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:50:in `each'
        from /usr/share/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:50:in `init_module_paths'
        from /usr/share/metasploit-framework/lib/msf/ui/console/driver.rb:160:in `initialize'
        from /usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:60:in `new'
        from /usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:60:in `driver'
        from /usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start'
        from /usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start'
        from /usr/bin/msfconsole:23:in `<main>'
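
The trace above ends in `generate_key!` with "pkeys are immutable on OpenSSL 3.0". The following Ruby sketch is an added example, not code from hrr_rb_ssh or Metasploit. It shows the in-place key generation that OpenSSL 3.0 rejects next to `OpenSSL::PKey::EC.generate`, which works on both old and new OpenSSL. The helper names are hypothetical.

```ruby
require 'openssl'

# Added illustration; helper names are hypothetical, not hrr_rb_ssh's API.
CURVE = 'prime256v1' # NIST P-256, the curve used by ecdsa-sha2-nistp256

# True when this Ruby's openssl extension was built against OpenSSL 3.0+,
# where existing pkey objects can no longer be modified.
def openssl3?
  OpenSSL::OPENSSL_VERSION_NUMBER >= 0x30000000
end

# Returns [key, how]. Tries the legacy pattern first (create an empty EC
# object, then fill it in place). On OpenSSL 3.0 that raises PKeyError,
# so fall back to the constructor that returns an already-populated key.
def new_p256_host_key
  key = OpenSSL::PKey::EC.new(CURVE)
  key.generate_key! # raises "pkeys are immutable on OpenSSL 3.0"
  [key, :generate_key_bang]
rescue OpenSSL::PKey::PKeyError
  [OpenSSL::PKey::EC.generate(CURVE), :ec_generate]
end

# Confirms the key can do what a host key needs: sign and verify.
def usable_for_signing?(key)
  digest = OpenSSL::Digest.new('SHA256')
  data = 'constructed sample data'
  signature = key.sign(digest, data)
  key.verify(digest, signature, data)
end

if $PROGRAM_NAME == __FILE__
  key, how = new_p256_host_key
  puts "OpenSSL library: #{OpenSSL::OPENSSL_LIBRARY_VERSION}"
  puts "OpenSSL 3.0 or later: #{openssl3?}"
  puts "key created via: #{how}"
  puts "signs and verifies: #{usable_for_signing?(key)}"
end
```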

2. The solution

Ubuntu (anything other than Kali)

Kali

Apply this patch locally to /usr/share/metasploit-framework/lib/msf/core/handler/reverse_ssh.rb:

diff --git a/lib/msf/core/handler/reverse_ssh.rb b/lib/msf/core/handler/reverse_ssh.rb
index 9917ad4460..cf2b1bc472 100644
--- a/lib/msf/core/handler/reverse_ssh.rb
+++ b/lib/msf/core/handler/reverse_ssh.rb
@@ -145,8 +145,12 @@ module Msf
       def default_version_string         
           require 'rex/proto/ssh/connection'
         Rex::Proto::Ssh::Connection.default_options['local_version']
+          rescue OpenSSL::OpenSSLError => e
+        print_error("ReverseSSH handler did not load with OpenSSL version #{OpenSSL::VERSION}")
+        elog(e)
+        'SSH-2.0-OpenSSH_5.3p1'
       rescue LoadError => e        
       print_error("This handler requires PTY access not available on all platforms.")
         elog(e)
         'SSH-2.0-OpenSSH_5.3p1'
       end
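
Review bot: in `default_version_string`, the new `rescue OpenSSL::OpenSSLError => e` branch only suppresses the failure: it logs, returns the hard-coded 'SSH-2.0-OpenSSH_5.3p1' and carries on, even though its own message says the ReverseSSH handler "did not load", so the underlying OpenSSL error is hidden rather than fixed. Consider marking the handler as unavailable in this branch, or fixing the failing call in the SSH library instead. The branch also repeats the `elog(e)` and fallback string of the `LoadError` branch, so a shared fallback would keep the two from drifting apart. Finally, the hunk shows no `require 'openssl'` ahead of the `rescue OpenSSL::OpenSSLError` clause, which needs the `OpenSSL` constant to be defined at the moment an exception is matched.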

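Add the bolded part (the lines marked with `+`) to the corresponding reverse_ssh.rb and Metasploit can be used normally again. The result looks like this: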

(kali㉿kali)-[/usr/…/lib/msf/core/handler]
$ msfconsole 
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:11: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::NAME
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:11: warning: previous definition of NAME was here
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:12: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::PREFERENCE
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:12: warning: previous definition of PREFERENCE was here
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:13: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::IDENTIFIER
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:13: warning: previous definition of IDENTIFIER was here
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:11: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::NAME
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:11: warning: previous definition of NAME was here
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:12: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::PREFERENCE
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:12: warning: previous definition of PREFERENCE was here
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:13: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::IDENTIFIER
/usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:13: warning: previous definition of IDENTIFIER was here
                                                  
                                              `:oDFo:`                            
                                           ./ymM0dayMmy/.                                                           
                                        -+dHJ5aGFyZGVyIQ==+-                                                        
                                    `:sm~~Destroy.No.Data~~s:`                                                     
                                 -+h2~~Maintain.No.Persistence~~h+-                                                 
                             `:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:`                                              
                          ./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/.                                          
                       -++SecKCoin++e.AMd`       `.-://///+hbove.913.ElsMNh+-                                       
                      -~/.ssh/id_rsa.Des-                  `htN01UserWroteMe!-                                      
                      :dopeAW.No<nano>o                     :is:TЯiKC.sudo-.A:                                      
                      :we're.all.alike'`                     The.PFYroy.No.D7:                                      
                      :PLACEDRINKHERE!:                      yxp_cmdshell.Ab0:                                      
                      :msf>exploit -j.                       :Ns.BOB&ALICEes7:                                      
                      :---srwxrwx:-.`                        `MS146.52.No.Per:                                      
                      :<script>.Ac816/                        sENbove3101.404:                                      
                      :NT_AUTHORITY.Do                        `T:/shSYSTEM-.N:                                      
                      :09.14.2011.raid                       /STFU|wall.No.Pr:                                      
                      :hevnsntSurb025N.                      dNVRGOING2GIVUUP:                                      
                      :#OUTHOUSE-  -s:                       /corykennedyData:                                      
                      :$nmap -oS                              SSo.6178306Ence:                                      
                      :Awsm.da:                            /shMTl#beats3o.No.:                                      
                      :Ring0:                             `dDestRoyREXKC3ta/M:                                      
                      :23d:                               sSETEC.ASTRONOMYist:                                      
                       /-                        /yo-    .ence.N:(){ :|: & };:                                      
                                                 `:Shall.We.Play.A.Game?tron/                                       
                                                 ```-ooy.if1ghtf0r+ehUser5`                                         
                                               ..th3.H1V3.U2VjRFNN.jMh+.`                                           
                                              `MjM~~WE.ARE.se~~MMjMs                                                
                                               +~KANSAS.CITY's~-`                                                   
                                                J~HAKCERS~./.`                                                      
                                                .esc:wq!:`                                                          
                                                 +++ATH`                                                            
                                                  `                                                                 
                                                                                                                    

       =[ metasploit v6.2.6-dev                           ]
+ -- --=[ 2227 exploits - 1175 auxiliary - 398 post       ]
+ -- --=[ 867 payloads - 45 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: You can pivot connections over sessions 
started with the ssh_login modules

msf6 >

