Java meterpreter local portfwd hangs after few seconds #733

@mikey-boy

Framework Version: 6.4.34-dev
msfpc Version: 1.4.5-0kali3
Java Version: jdk8u181-b13-jre


Portfwd in a java meterpreter session works for a few seconds, then ultimately hangs. Deleting and re-adding the forwarding rule does not seem to resolve the issue.

Channel 1 is created after I actually use the local portfwd:

msf6 exploit(multi/handler) > exploit

[*] Started bind TCP handler against 87.206.90.102:4444
[*] Sending stage (58037 bytes) to 87.206.90.102
[*] Meterpreter session 4 opened (192.168.0.102:45363 -> 87.206.90.102:4444) at 2024-11-11 15:41:32 -0500

meterpreter > channel -l
No active channels.
meterpreter > portfwd add -l 8000 -r 172.16.0.10 -p 80
[*] Forward TCP relay created: (local) :8000 -> (remote) 172.16.0.10:80
meterpreter > channel -l
No active channels.
meterpreter > channel -l

    Id  Class  Type
    --  -----  ----
    1   1      stdapi_net_tcp_client

Eventually the following error appears on the java bind shell payload:

admin@www:~$ /opt/jdk8u181-b13-jre/bin/java -jar msf.jar
java.lang.IllegalArgumentException: Channel 1 does not exist.
        at com.metasploit.meterpreter.Meterpreter.getChannel(Unknown Source)
        at com.metasploit.meterpreter.stdapi.stdapi_net_socket_tcp_shutdown.execute(Unknown Source)
        at com.metasploit.meterpreter.CommandManager.executeCommand(Unknown Source)
        at com.metasploit.meterpreter.TcpTransport.dispatch(Unknown Source)
        at com.metasploit.meterpreter.Meterpreter.startExecuting(Unknown Source)
        at com.metasploit.meterpreter.Meterpreter.<init>(Unknown Source)
        at com.metasploit.meterpreter.Meterpreter.<init>(Unknown Source)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance0(Native Method)
        at sun.reflect.NativeConstructorAccessorImpl.newInstance(NativeConstructorAccessorImpl.java:62)
        at sun.reflect.DelegatingConstructorAccessorImpl.newInstance(DelegatingConstructorAccessorImpl.java:45)
        at java.lang.reflect.Constructor.newInstance(Constructor.java:423)
        at javapayload.stage.Meterpreter.start(Unknown Source)
        at sun.reflect.NativeMethodAccessorImpl.invoke0(Native Method)
        at sun.reflect.NativeMethodAccessorImpl.invoke(NativeMethodAccessorImpl.java:62)
        at sun.reflect.DelegatingMethodAccessorImpl.invoke(DelegatingMethodAccessorImpl.java:43)
        at java.lang.reflect.Method.invoke(Method.java:498)
        at metasploit.Payload.bootstrap(Unknown Source)
        at metasploit.Payload.main(Unknown Source)

The channel remains open even after flushing portfwd rules:

meterpreter > portfwd list

Active Port Forwards
====================

   Index  Local         Remote          Direction
   -----  -----         ------          ---------
   1      0.0.0.0:8000  172.16.0.10:80  Forward

1 total active port forwards.

meterpreter > portfwd flush
[*] Successfully stopped TCP relay on 0.0.0.0:8000
[*] Successfully flushed 1 rules
meterpreter > channel -l

    Id  Class  Type
    --  -----  ----
    1   1      stdapi_net_tcp_client
