一、问题呈现
(kali㉿kali)-[~]$ msfconsole /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:14:in `generate_key!': pkeys are immutable on OpenSSL 3.0 (OpenSSL::PKey::PKeyError) from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:14:in `<class:EcdsaSha2Nistp256>' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:10:in `<class:ServerHostKeyAlgorithm>' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:9:in `<class:Transport>' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:8:in `<module:HrrRbSsh>' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:7:in `<top (required)>' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm.rb:19:in `<top (required)>' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport.rb:16:in `<top (required)>' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh.rb:15:in `<top (required)>' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require' from /usr/share/metasploit-framework/lib/rex/proto/ssh/hrr_rb_ssh.rb:3:in `<top (required)>' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require' from /usr/share/metasploit-framework/lib/rex/proto/ssh/connection.rb:2:in `<top (required)>' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require' from /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/zeitwerk-2.6.0/lib/zeitwerk/kernel.rb:35:in `require' from /usr/share/metasploit-framework/lib/msf/core/handler/reverse_ssh.rb:146:in `default_version_string' from /usr/share/metasploit-framework/lib/msf/core/handler/reverse_ssh.rb:40:in `initialize' from /usr/share/metasploit-framework/lib/msf/base/sessions/command_shell_options.rb:16:in `initialize' from /usr/share/metasploit-framework/modules/payloads/singles/cmd/unix/reverse_ssh.rb:16:in `initialize' from /usr/share/metasploit-framework/lib/msf/core/payload_set.rb:95:in `new' from /usr/share/metasploit-framework/lib/msf/core/payload_set.rb:95:in `block (2 levels) in recalculate' from /usr/share/metasploit-framework/lib/msf/core/payload_set.rb:93:in `each_pair' from /usr/share/metasploit-framework/lib/msf/core/payload_set.rb:93:in `block in recalculate' from /usr/share/metasploit-framework/lib/msf/core/payload_set.rb:73:in `each_pair' from /usr/share/metasploit-framework/lib/msf/core/payload_set.rb:73:in `recalculate' from /usr/share/metasploit-framework/lib/msf/core/modules/loader/base.rb:258:in `block in load_modules' from /usr/share/metasploit-framework/lib/msf/core/modules/loader/base.rb:255:in `each' from /usr/share/metasploit-framework/lib/msf/core/modules/loader/base.rb:255:in `load_modules' from /usr/share/metasploit-framework/lib/msf/core/module_manager/loading.rb:170:in `block in load_modules' from /usr/share/metasploit-framework/lib/msf/core/module_manager/loading.rb:168:in `each' from /usr/share/metasploit-framework/lib/msf/core/module_manager/loading.rb:168:in `load_modules' from /usr/share/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:41:in `block in add_module_path' from /usr/share/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:40:in `each' from /usr/share/metasploit-framework/lib/msf/core/module_manager/module_paths.rb:40:in `add_module_path' from /usr/share/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:51:in `block in init_module_paths' from /usr/share/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:50:in `each' from /usr/share/metasploit-framework/lib/msf/base/simple/framework/module_paths.rb:50:in `init_module_paths' from /usr/share/metasploit-framework/lib/msf/ui/console/driver.rb:160:in `initialize' from /usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:60:in `new' from /usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:60:in `driver' from /usr/share/metasploit-framework/lib/metasploit/framework/command/console.rb:48:in `start' from /usr/share/metasploit-framework/lib/metasploit/framework/command/base.rb:82:in `start' from /usr/bin/msfconsole:23:in `<main>'
二、解决办法
Ubuntu (除了 Kali 之外的任何东西)
安装最新的Metasploit框架版本,该版本与较旧的opensl版本捆绑在一起:https://docs.metasploit.com/docs/using-metasploit/getting-started/nightly-installers.html
Kali
将此修补程序本地应用于/usr/share/metasploit-framework/lib/msf/core/handler/reverse_ssh.rb
diff --git a/lib/msf/core/handler/reverse_ssh.rb b/lib/msf/core/handler/reverse_ssh.rb index 9917ad4460..cf2b1bc472 100644 --- a/lib/msf/core/handler/reverse_ssh.rb +++ b/lib/msf/core/handler/reverse_ssh.rb @@ -145,8 +145,12 @@ module Msf def default_version_string require 'rex/proto/ssh/connection' Rex::Proto::Ssh::Connection.default_options['local_version'] + rescue OpenSSL::OpenSSLError => e + print_error("ReverseSSH handler did not load with OpenSSL version #{OpenSSL::VERSION}") + elog(e) + 'SSH-2.0-OpenSSH_5.3p1' rescue LoadError => e print_error("This handler requires PTY access not available on all platforms.") elog(e) 'SSH-2.0-OpenSSH_5.3p1' end
将表粗部分添加到对应reverse_ssh.rb中,可正常使用metasploit,效果如下
(kali㉿kali)-[/usr/…/lib/msf/core/handler] $ msfconsole /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:11: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::NAME /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:11: warning: previous definition of NAME was here /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:12: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::PREFERENCE /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:12: warning: previous definition of PREFERENCE was here /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:13: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::IDENTIFIER /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:13: warning: previous definition of IDENTIFIER was here /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:11: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::NAME /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:11: warning: previous definition of NAME was here /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:12: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::PREFERENCE /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:12: warning: previous definition of PREFERENCE was here /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:13: warning: already initialized constant HrrRbSsh::Transport::ServerHostKeyAlgorithm::EcdsaSha2Nistp256::IDENTIFIER /usr/share/metasploit-framework/vendor/bundle/ruby/3.0.0/gems/hrr_rb_ssh-0.4.2/lib/hrr_rb_ssh/transport/server_host_key_algorithm/ecdsa_sha2_nistp256.rb:13: warning: previous definition of IDENTIFIER was here `:oDFo:` ./ymM0dayMmy/. -+dHJ5aGFyZGVyIQ==+- `:sm~~Destroy.No.Data~~s:` -+h2~~Maintain.No.Persistence~~h+- `:odNo2~~Above.All.Else.Do.No.Harm~~Ndo:` ./etc/shadow.0days-Data'%20OR%201=1--.No.0MN8'/. -++SecKCoin++e.AMd` `.-://///+hbove.913.ElsMNh+- -~/.ssh/id_rsa.Des- `htN01UserWroteMe!- :dopeAW.No<nano>o :is:TЯiKC.sudo-.A: :we're.all.alike'` The.PFYroy.No.D7: :PLACEDRINKHERE!: yxp_cmdshell.Ab0: :msf>exploit -j. :Ns.BOB&ALICEes7: :---srwxrwx:-.` `MS146.52.No.Per: :<script>.Ac816/ sENbove3101.404: :NT_AUTHORITY.Do `T:/shSYSTEM-.N: :09.14.2011.raid /STFU|wall.No.Pr: :hevnsntSurb025N. dNVRGOING2GIVUUP: :#OUTHOUSE- -s: /corykennedyData: :$nmap -oS SSo.6178306Ence: :Awsm.da: /shMTl#beats3o.No.: :Ring0: `dDestRoyREXKC3ta/M: :23d: sSETEC.ASTRONOMYist: /- /yo- .ence.N:(){ :|: & };: `:Shall.We.Play.A.Game?tron/ ```-ooy.if1ghtf0r+ehUser5` ..th3.H1V3.U2VjRFNN.jMh+.` `MjM~~WE.ARE.se~~MMjMs +~KANSAS.CITY's~-` J~HAKCERS~./.` .esc:wq!:` +++ATH` ` =[ metasploit v6.2.6-dev ] + -- --=[ 2227 exploits - 1175 auxiliary - 398 post ] + -- --=[ 867 payloads - 45 encoders - 11 nops ] + -- --=[ 9 evasion ] Metasploit tip: You can pivot connections over sessions started with the ssh_login modules msf6 >