2013-10-04 14:41:00 +10:00
|
|
|
/*!
|
|
|
|
|
* @file base.c
|
|
|
|
|
* @brief Definitions that apply to almost any Meterpreter component.
|
|
|
|
|
*/
|
2012-11-19 16:46:07 -06:00
|
|
|
#include "common.h"
|
|
|
|
|
|
|
|
|
|
// Local remote request implementors
|
2015-04-28 20:20:40 +10:00
|
|
|
extern DWORD remote_request_core_console_write(Remote *remote, Packet *packet);
|
2012-11-19 16:46:07 -06:00
|
|
|
|
2015-04-28 20:20:40 +10:00
|
|
|
extern DWORD remote_request_core_channel_open(Remote *remote, Packet *packet);
|
|
|
|
|
extern DWORD remote_request_core_channel_write(Remote *remote, Packet *packet);
|
|
|
|
|
extern DWORD remote_request_core_channel_read(Remote *remote, Packet *packet);
|
|
|
|
|
extern DWORD remote_request_core_channel_close(Remote *remote, Packet *packet);
|
|
|
|
|
extern DWORD remote_request_core_channel_seek(Remote *remote, Packet *packet);
|
|
|
|
|
extern DWORD remote_request_core_channel_eof(Remote *remote, Packet *packet);
|
|
|
|
|
extern DWORD remote_request_core_channel_tell(Remote *remote, Packet *packet);
|
|
|
|
|
extern DWORD remote_request_core_channel_interact(Remote *remote, Packet *packet);
|
2012-11-19 16:46:07 -06:00
|
|
|
|
2013-11-06 15:30:11 -06:00
|
|
|
extern BOOL remote_request_core_shutdown(Remote *remote, Packet *packet, DWORD* pResult);
|
2012-11-19 16:46:07 -06:00
|
|
|
|
2015-05-04 11:18:48 +10:00
|
|
|
extern DWORD remote_request_core_transport_set_timeouts(Remote * remote, Packet * packet);
|
2015-04-13 10:07:15 +10:00
|
|
|
|
2015-04-06 12:53:57 +10:00
|
|
|
extern DWORD remote_request_core_transport_getcerthash(Remote* remote, Packet* packet);
|
|
|
|
|
extern DWORD remote_request_core_transport_setcerthash(Remote* remote, Packet* packet);
|
|
|
|
|
|
2015-05-13 10:10:16 +10:00
|
|
|
extern BOOL remote_request_core_transport_sleep(Remote* remote, Packet* packet, DWORD* result);
|
2015-05-04 11:18:48 +10:00
|
|
|
extern DWORD remote_request_core_transport_list(Remote* remote, Packet* packet);
|
2015-05-13 10:10:16 +10:00
|
|
|
extern BOOL remote_request_core_transport_change(Remote* remote, Packet* packet, DWORD* result);
|
2015-04-28 20:20:40 +10:00
|
|
|
extern BOOL remote_request_core_transport_next(Remote* remote, Packet* packet, DWORD* result);
|
|
|
|
|
extern BOOL remote_request_core_transport_prev(Remote* remote, Packet* packet, DWORD* result);
|
|
|
|
|
extern DWORD remote_request_core_transport_add(Remote* remote, Packet* packet);
|
2015-06-16 11:37:09 +10:00
|
|
|
extern DWORD remote_request_core_transport_remove(Remote* remote, Packet* packet);
|
2015-04-28 20:20:40 +10:00
|
|
|
|
|
|
|
|
extern BOOL remote_request_core_migrate(Remote *remote, Packet *packet, DWORD* pResult);
|
2012-11-19 16:46:07 -06:00
|
|
|
|
2017-06-20 17:50:58 +10:00
|
|
|
extern DWORD request_negotiate_aes_key(Remote* remote, Packet* packet);
|
|
|
|
|
|
2012-11-19 16:46:07 -06:00
|
|
|
// Local remote response implementors
|
2015-04-28 20:20:40 +10:00
|
|
|
extern DWORD remote_response_core_console_write(Remote *remote, Packet *packet);
|
2012-11-19 16:46:07 -06:00
|
|
|
|
2015-04-28 20:20:40 +10:00
|
|
|
extern DWORD remote_response_core_channel_open(Remote *remote, Packet *packet);
|
|
|
|
|
extern DWORD remote_response_core_channel_close(Remote *remote, Packet *packet);
|
2012-11-19 16:46:07 -06:00
|
|
|
|
2015-04-28 20:20:40 +10:00
|
|
|
DWORD remote_request_core_console_write(Remote *remote, Packet *packet)
|
2012-11-19 16:46:07 -06:00
|
|
|
{
|
|
|
|
|
return ERROR_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
2015-04-28 20:20:40 +10:00
|
|
|
DWORD remote_response_core_console_write(Remote *remote, Packet *packet)
|
2012-11-19 16:46:07 -06:00
|
|
|
{
|
|
|
|
|
return ERROR_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
2015-04-28 20:20:40 +10:00
|
|
|
BOOL command_is_inline(Command *command, Packet *packet);
|
|
|
|
|
Command* command_locate(Packet *packet);
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
DWORD command_validate_arguments(Command *command, Packet *packet);
|
2015-04-28 20:20:40 +10:00
|
|
|
DWORD THREADCALL command_process_thread(THREAD * thread);
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
|
2012-11-19 16:46:07 -06:00
|
|
|
|
2013-09-26 08:05:05 +10:00
|
|
|
/*!
|
|
|
|
|
* @brief Base RPC dispatch table.
|
2012-11-19 16:46:07 -06:00
|
|
|
*/
|
2013-11-21 13:28:31 +10:00
|
|
|
Command baseCommands[] =
|
2012-11-19 16:46:07 -06:00
|
|
|
{
|
|
|
|
|
// Console commands
|
2015-03-09 18:25:55 +10:00
|
|
|
{ "core_console_write",
|
2015-04-28 20:20:40 +10:00
|
|
|
{ remote_request_core_console_write, NULL, { TLV_META_TYPE_STRING }, 1 | ARGUMENT_FLAG_REPEAT },
|
|
|
|
|
{ remote_response_core_console_write, NULL, EMPTY_TLV },
|
2012-11-19 16:46:07 -06:00
|
|
|
},
|
|
|
|
|
|
|
|
|
|
// Native Channel commands
|
2013-10-18 06:30:31 +10:00
|
|
|
// this overloads the "core_channel_open" in the base command list
|
2015-03-09 18:25:55 +10:00
|
|
|
COMMAND_REQ_REP("core_channel_open", remote_request_core_channel_open, remote_response_core_channel_open),
|
|
|
|
|
COMMAND_REQ("core_channel_write", remote_request_core_channel_write),
|
|
|
|
|
COMMAND_REQ_REP("core_channel_close", remote_request_core_channel_close, remote_response_core_channel_close),
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
|
2012-11-19 16:46:07 -06:00
|
|
|
// Buffered/Pool channel commands
|
2015-03-09 18:25:55 +10:00
|
|
|
COMMAND_REQ("core_channel_read", remote_request_core_channel_read),
|
2012-11-19 16:46:07 -06:00
|
|
|
// Pool channel commands
|
2015-03-09 18:25:55 +10:00
|
|
|
COMMAND_REQ("core_channel_seek", remote_request_core_channel_seek),
|
|
|
|
|
COMMAND_REQ("core_channel_eof", remote_request_core_channel_eof),
|
|
|
|
|
COMMAND_REQ("core_channel_tell", remote_request_core_channel_tell),
|
2012-11-19 16:46:07 -06:00
|
|
|
// Soon to be deprecated
|
2015-03-09 18:25:55 +10:00
|
|
|
COMMAND_REQ("core_channel_interact", remote_request_core_channel_interact),
|
2017-06-20 17:50:58 +10:00
|
|
|
// Packet Encryption
|
2017-07-03 16:51:57 +10:00
|
|
|
COMMAND_REQ("core_negotiate_tlv_encryption", request_negotiate_aes_key),
|
2015-04-13 10:07:15 +10:00
|
|
|
// timeouts
|
2015-05-04 11:18:48 +10:00
|
|
|
COMMAND_REQ("core_transport_set_timeouts", remote_request_core_transport_set_timeouts),
|
2016-10-02 06:23:58 -05:00
|
|
|
|
2015-04-06 12:53:57 +10:00
|
|
|
COMMAND_REQ("core_transport_getcerthash", remote_request_core_transport_getcerthash),
|
|
|
|
|
COMMAND_REQ("core_transport_setcerthash", remote_request_core_transport_setcerthash),
|
2016-10-02 06:23:58 -05:00
|
|
|
|
2015-05-04 11:18:48 +10:00
|
|
|
COMMAND_REQ("core_transport_list", remote_request_core_transport_list),
|
2015-05-13 10:10:16 +10:00
|
|
|
COMMAND_INLINE_REQ("core_transport_sleep", remote_request_core_transport_sleep),
|
2015-04-28 20:20:40 +10:00
|
|
|
COMMAND_INLINE_REQ("core_transport_change", remote_request_core_transport_change),
|
|
|
|
|
COMMAND_INLINE_REQ("core_transport_next", remote_request_core_transport_next),
|
|
|
|
|
COMMAND_INLINE_REQ("core_transport_prev", remote_request_core_transport_prev),
|
|
|
|
|
COMMAND_REQ("core_transport_add", remote_request_core_transport_add),
|
2015-06-16 11:37:09 +10:00
|
|
|
COMMAND_REQ("core_transport_remove", remote_request_core_transport_remove),
|
2012-11-19 16:46:07 -06:00
|
|
|
// Migration
|
2015-03-09 18:25:55 +10:00
|
|
|
COMMAND_INLINE_REQ("core_migrate", remote_request_core_migrate),
|
2012-11-19 16:46:07 -06:00
|
|
|
// Shutdown
|
2015-03-09 18:25:55 +10:00
|
|
|
COMMAND_INLINE_REQ("core_shutdown", remote_request_core_shutdown),
|
2012-11-19 16:46:07 -06:00
|
|
|
// Terminator
|
2013-09-26 08:05:05 +10:00
|
|
|
COMMAND_TERMINATOR
|
2012-11-19 16:46:07 -06:00
|
|
|
};
|
|
|
|
|
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
/*!
|
|
|
|
|
* @brief Dynamically registered command extensions.
|
|
|
|
|
* @details A linked list of commands registered on the fly by reflectively-loaded extensions.
|
|
|
|
|
*/
|
2015-03-09 18:25:55 +10:00
|
|
|
Command* extensionCommands = NULL;
|
2012-11-19 16:46:07 -06:00
|
|
|
|
2013-09-26 08:05:05 +10:00
|
|
|
/*!
|
|
|
|
|
* @brief Register a full list of commands with meterpreter.
|
|
|
|
|
* @param commands The array of commands that are to be registered for the module/extension.
|
|
|
|
|
*/
|
2013-10-04 18:03:35 +10:00
|
|
|
void command_register_all(Command commands[])
|
2013-09-26 08:05:05 +10:00
|
|
|
{
|
|
|
|
|
DWORD index;
|
|
|
|
|
|
|
|
|
|
for (index = 0; commands[index].method; index++)
|
2013-11-21 13:28:31 +10:00
|
|
|
{
|
|
|
|
|
command_register(&commands[index]);
|
|
|
|
|
}
|
2015-03-09 23:39:06 +10:00
|
|
|
|
|
|
|
|
#ifdef DEBUGTRACE
|
|
|
|
|
Command* command;
|
|
|
|
|
|
|
|
|
|
dprintf("[COMMAND LIST] Listing current extension commands");
|
|
|
|
|
for (command = extensionCommands; command; command = command->next)
|
|
|
|
|
{
|
|
|
|
|
dprintf("[COMMAND LIST] Found: %s", command->method);
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2013-09-26 08:05:05 +10:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*!
|
|
|
|
|
* @brief Dynamically register a custom command handler
|
|
|
|
|
* @param command Pointer to the command that should be registered.
|
|
|
|
|
* @return `ERROR_SUCCESS` when command registers successfully, otherwise returns the error.
|
2012-11-19 16:46:07 -06:00
|
|
|
*/
|
|
|
|
|
DWORD command_register(Command *command)
|
|
|
|
|
{
|
|
|
|
|
Command *newCommand;
|
|
|
|
|
|
|
|
|
|
dprintf("Registering a new command (%s)...", command->method);
|
|
|
|
|
if (!(newCommand = (Command *)malloc(sizeof(Command))))
|
2015-03-09 23:39:06 +10:00
|
|
|
{
|
2012-11-19 16:46:07 -06:00
|
|
|
return ERROR_NOT_ENOUGH_MEMORY;
|
2015-03-09 23:39:06 +10:00
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
|
|
|
|
|
dprintf("Allocated memory...");
|
|
|
|
|
memcpy(newCommand, command, sizeof(Command));
|
|
|
|
|
|
|
|
|
|
dprintf("Setting new command...");
|
2013-11-21 13:28:31 +10:00
|
|
|
if (extensionCommands)
|
|
|
|
|
{
|
|
|
|
|
extensionCommands->prev = newCommand;
|
|
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
|
2013-11-21 13:28:31 +10:00
|
|
|
dprintf("Fixing next/prev... %p", newCommand);
|
|
|
|
|
newCommand->next = extensionCommands;
|
|
|
|
|
newCommand->prev = NULL;
|
|
|
|
|
extensionCommands = newCommand;
|
2012-11-19 16:46:07 -06:00
|
|
|
|
|
|
|
|
dprintf("Done...");
|
|
|
|
|
return ERROR_SUCCESS;
|
|
|
|
|
}
|
|
|
|
|
|
2013-09-26 08:05:05 +10:00
|
|
|
/*!
|
|
|
|
|
* @brief Deregister a full list of commands from meterpreter.
|
|
|
|
|
* @param commands The array of commands that are to be deregistered from the module/extension.
|
|
|
|
|
*/
|
2013-10-04 18:03:35 +10:00
|
|
|
void command_deregister_all(Command commands[])
|
2013-09-26 08:05:05 +10:00
|
|
|
{
|
|
|
|
|
DWORD index;
|
|
|
|
|
|
|
|
|
|
for (index = 0; commands[index].method; index++)
|
2013-11-21 13:28:31 +10:00
|
|
|
{
|
2013-10-04 18:03:35 +10:00
|
|
|
command_deregister(&commands[index]);
|
2013-11-21 13:28:31 +10:00
|
|
|
}
|
2013-09-26 08:05:05 +10:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*!
|
|
|
|
|
* @brief Dynamically deregister a custom command handler
|
|
|
|
|
* @param command Pointer to the command that should be deregistered.
|
|
|
|
|
* @return `ERROR_SUCCESS` when command deregisters successfully, otherwise returns the error.
|
2012-11-19 16:46:07 -06:00
|
|
|
*/
|
|
|
|
|
DWORD command_deregister(Command *command)
|
|
|
|
|
{
|
|
|
|
|
Command *current, *prev;
|
|
|
|
|
DWORD res = ERROR_NOT_FOUND;
|
2013-09-26 08:05:05 +10:00
|
|
|
|
2012-11-19 16:46:07 -06:00
|
|
|
// Search the extension list for the command
|
2013-11-21 13:28:31 +10:00
|
|
|
for (current = extensionCommands, prev = NULL;
|
2013-09-26 08:05:05 +10:00
|
|
|
current;
|
|
|
|
|
prev = current, current = current->next)
|
2012-11-19 16:46:07 -06:00
|
|
|
{
|
|
|
|
|
if (strcmp(command->method, current->method))
|
|
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
if (prev)
|
2013-11-21 13:28:31 +10:00
|
|
|
{
|
2012-11-19 16:46:07 -06:00
|
|
|
prev->next = current->next;
|
2013-11-21 13:28:31 +10:00
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
else
|
2013-11-21 13:28:31 +10:00
|
|
|
{
|
|
|
|
|
extensionCommands = current->next;
|
|
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
|
|
|
|
|
if (current->next)
|
2013-11-21 13:28:31 +10:00
|
|
|
{
|
2012-11-19 16:46:07 -06:00
|
|
|
current->next->prev = prev;
|
2013-11-21 13:28:31 +10:00
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
|
|
|
|
|
// Deallocate it
|
|
|
|
|
free(current);
|
2013-09-26 08:05:05 +10:00
|
|
|
|
2012-11-19 16:46:07 -06:00
|
|
|
res = ERROR_SUCCESS;
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return res;
|
|
|
|
|
}
|
|
|
|
|
|
2013-11-26 06:56:34 +10:00
|
|
|
/*! @brief A list of all command threads currenlty executing. */
|
2012-11-19 16:46:07 -06:00
|
|
|
LIST * commandThreadList = NULL;
|
|
|
|
|
|
2013-10-04 14:41:00 +10:00
|
|
|
/*!
|
|
|
|
|
* @brief Block untill all running command threads have finished.
|
|
|
|
|
*/
|
2013-11-21 13:28:31 +10:00
|
|
|
VOID command_join_threads(VOID)
|
2012-11-19 16:46:07 -06:00
|
|
|
{
|
2013-11-21 13:28:31 +10:00
|
|
|
while (list_count(commandThreadList) > 0)
|
2012-11-19 16:46:07 -06:00
|
|
|
{
|
2013-11-21 13:28:31 +10:00
|
|
|
THREAD * thread = (THREAD *)list_get(commandThreadList, 0);
|
|
|
|
|
if (thread)
|
|
|
|
|
{
|
|
|
|
|
thread_join(thread);
|
|
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2013-10-04 14:41:00 +10:00
|
|
|
/*!
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
* @brief Process a command directly on the current thread.
|
2013-11-21 13:28:31 +10:00
|
|
|
* @param baseCommand Pointer to the \c Command in the base command list to be executed.
|
|
|
|
|
* @param extensionCommand Pointer to the \c Command in the extension command list to be executed.
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
* @param remote Pointer to the \c Remote endpoint for this command.
|
|
|
|
|
* @param packet Pointer to the \c Packet containing the command detail.
|
|
|
|
|
* @returns Boolean value indicating if the server should continue processing.
|
|
|
|
|
* @retval TRUE The server can and should continue processing.
|
|
|
|
|
* @retval FALSE The server should stop processing and shut down.
|
|
|
|
|
* @sa command_handle
|
|
|
|
|
* @sa command_process_thread
|
2013-11-21 13:28:31 +10:00
|
|
|
* @remarks The \c baseCommand is always executed first, but if there is an \c extensionCommand
|
|
|
|
|
* then the result of the \c baseCommand processing is ignored and the result of
|
|
|
|
|
* \c extensionCommand is returned instead.
|
2013-10-04 14:41:00 +10:00
|
|
|
*/
|
2013-11-21 13:28:31 +10:00
|
|
|
BOOL command_process_inline(Command *baseCommand, Command *extensionCommand, Remote *remote, Packet *packet)
|
2012-11-19 16:46:07 -06:00
|
|
|
{
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
DWORD result;
|
|
|
|
|
BOOL serverContinue = TRUE;
|
|
|
|
|
Tlv requestIdTlv;
|
|
|
|
|
PCHAR requestId;
|
|
|
|
|
PacketTlvType packetTlvType;
|
2013-11-21 13:28:31 +10:00
|
|
|
Command *commands[2] = { baseCommand, extensionCommand };
|
|
|
|
|
Command *command = NULL;
|
|
|
|
|
DWORD dwIndex;
|
2013-11-22 12:12:48 +10:00
|
|
|
LPCSTR lpMethod = NULL;
|
2012-11-19 16:46:07 -06:00
|
|
|
|
|
|
|
|
__try
|
|
|
|
|
{
|
|
|
|
|
do
|
|
|
|
|
{
|
2013-11-21 13:28:31 +10:00
|
|
|
for (dwIndex = 0; dwIndex < 2; ++dwIndex)
|
|
|
|
|
{
|
|
|
|
|
command = commands[dwIndex];
|
|
|
|
|
|
|
|
|
|
if (command == NULL)
|
|
|
|
|
{
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
2013-11-22 12:12:48 +10:00
|
|
|
lpMethod = command->method;
|
|
|
|
|
dprintf("[COMMAND] Executing command %s", lpMethod);
|
2013-11-21 13:28:31 +10:00
|
|
|
|
|
|
|
|
// Impersonate the thread token if needed (only on Windows)
|
2015-04-06 12:53:57 +10:00
|
|
|
if (remote->server_token != remote->thread_token)
|
2013-11-21 13:28:31 +10:00
|
|
|
{
|
2015-04-06 12:53:57 +10:00
|
|
|
if (!ImpersonateLoggedOnUser(remote->thread_token))
|
2013-11-21 13:28:31 +10:00
|
|
|
{
|
2013-11-22 12:12:48 +10:00
|
|
|
dprintf("[COMMAND] Failed to impersonate thread token (%s) (%u)", lpMethod, GetLastError());
|
2013-11-21 13:28:31 +10:00
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
}
|
2013-09-26 08:05:05 +10:00
|
|
|
|
2015-01-12 13:00:52 -06:00
|
|
|
// Validate the arguments, if requested. Always make sure argument
|
2013-11-21 13:28:31 +10:00
|
|
|
// lengths are sane.
|
|
|
|
|
if (command_validate_arguments(command, packet) != ERROR_SUCCESS)
|
|
|
|
|
{
|
2015-12-02 13:30:22 +10:00
|
|
|
dprintf("[COMMAND] Command arguments failed to validate");
|
2013-11-21 13:28:31 +10:00
|
|
|
continue;
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
}
|
2013-11-21 13:28:31 +10:00
|
|
|
|
|
|
|
|
packetTlvType = packet_get_type(packet);
|
2017-07-03 16:51:57 +10:00
|
|
|
dprintf("[DISPATCH] Packet type for %s is %u", lpMethod, packetTlvType);
|
2013-11-21 13:28:31 +10:00
|
|
|
switch (packetTlvType)
|
|
|
|
|
{
|
|
|
|
|
case PACKET_TLV_TYPE_REQUEST:
|
|
|
|
|
case PACKET_TLV_TYPE_PLAIN_REQUEST:
|
|
|
|
|
if (command->request.inline_handler) {
|
2013-11-22 12:12:48 +10:00
|
|
|
dprintf("[DISPATCH] executing inline request handler %s", lpMethod);
|
|
|
|
|
serverContinue = command->request.inline_handler(remote, packet, &result) && serverContinue;
|
2015-04-28 17:39:55 +10:00
|
|
|
dprintf("[DISPATCH] executed %s, continue %s", lpMethod, serverContinue ? "yes" : "no");
|
2013-11-21 13:28:31 +10:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2013-11-22 12:12:48 +10:00
|
|
|
dprintf("[DISPATCH] executing request handler %s", lpMethod);
|
2013-11-21 13:28:31 +10:00
|
|
|
result = command->request.handler(remote, packet);
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case PACKET_TLV_TYPE_RESPONSE:
|
|
|
|
|
case PACKET_TLV_TYPE_PLAIN_RESPONSE:
|
|
|
|
|
if (command->response.inline_handler)
|
|
|
|
|
{
|
2013-11-22 12:12:48 +10:00
|
|
|
dprintf("[DISPATCH] executing inline response handler %s", lpMethod);
|
|
|
|
|
serverContinue = command->response.inline_handler(remote, packet, &result) && serverContinue;
|
2013-11-21 13:28:31 +10:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
2013-11-22 12:12:48 +10:00
|
|
|
dprintf("[DISPATCH] executing response handler %s", lpMethod);
|
2013-11-21 13:28:31 +10:00
|
|
|
result = command->response.handler(remote, packet);
|
|
|
|
|
}
|
|
|
|
|
break;
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
}
|
|
|
|
|
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
dprintf("[COMMAND] Calling completion handlers...");
|
2013-09-26 08:05:05 +10:00
|
|
|
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
// Get the request identifier if the packet has one.
|
2013-11-21 13:28:31 +10:00
|
|
|
if (packet_get_tlv_string(packet, TLV_TYPE_REQUEST_ID, &requestIdTlv) == ERROR_SUCCESS)
|
|
|
|
|
{
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
requestId = (PCHAR)requestIdTlv.buffer;
|
2013-11-21 13:28:31 +10:00
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
|
|
|
|
|
// Finally, call completion routines for the provided identifier
|
2013-11-21 13:28:31 +10:00
|
|
|
if (((packetTlvType == PACKET_TLV_TYPE_RESPONSE) || (packetTlvType == PACKET_TLV_TYPE_PLAIN_RESPONSE)) && requestId)
|
|
|
|
|
{
|
|
|
|
|
packet_call_completion_handlers(remote, packet, requestId);
|
|
|
|
|
}
|
2013-11-22 12:12:48 +10:00
|
|
|
|
2017-08-09 13:03:12 +10:00
|
|
|
dprintf("[COMMAND] Completion handlers finished for %s.", lpMethod);
|
2013-11-21 13:28:31 +10:00
|
|
|
} while (0);
|
2012-11-19 16:46:07 -06:00
|
|
|
}
|
2013-11-21 13:28:31 +10:00
|
|
|
__except (EXCEPTION_EXECUTE_HANDLER)
|
2012-11-19 16:46:07 -06:00
|
|
|
{
|
2013-11-22 12:12:48 +10:00
|
|
|
dprintf("[COMMAND] Exception hit in command %s", lpMethod);
|
2012-11-19 16:46:07 -06:00
|
|
|
}
|
|
|
|
|
|
2015-10-15 19:04:23 +10:00
|
|
|
if (!packet->local)
|
|
|
|
|
{
|
2017-08-09 13:03:12 +10:00
|
|
|
dprintf("[COMMAND] Packet is not local, destroying");
|
2015-10-15 19:04:23 +10:00
|
|
|
packet_destroy(packet);
|
2017-08-09 13:03:12 +10:00
|
|
|
dprintf("[COMMAND] Packet destroyed");
|
2015-10-15 19:04:23 +10:00
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
|
2017-08-09 13:03:12 +10:00
|
|
|
dprintf("[COMMAND] Command processing finishing. Returning: %s", (serverContinue ? "TRUE" : "FALSE"));
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
return serverContinue;
|
2012-11-19 16:46:07 -06:00
|
|
|
}
|
|
|
|
|
|
2013-11-21 13:28:31 +10:00
|
|
|
/*!
|
|
|
|
|
* @brief Attempt to locate a command in the base command list.
|
|
|
|
|
* @param method String that identifies the command.
|
|
|
|
|
* @returns Pointer to the command entry in the base command list.
|
|
|
|
|
* @retval NULL Indicates that no command was found for the given method.
|
|
|
|
|
* @retval NON-NULL Pointer to the command that can be executed.
|
|
|
|
|
*/
|
|
|
|
|
Command* command_locate_base(const char* method)
|
|
|
|
|
{
|
|
|
|
|
DWORD index;
|
|
|
|
|
|
|
|
|
|
dprintf("[COMMAND EXEC] Attempting to locate base command %s", method);
|
|
|
|
|
for (index = 0; baseCommands[index].method; ++index)
|
|
|
|
|
{
|
|
|
|
|
if (strcmp(baseCommands[index].method, method) == 0)
|
|
|
|
|
{
|
|
|
|
|
return &baseCommands[index];
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dprintf("[COMMAND EXEC] Couldn't find base command %s", method);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*!
|
|
|
|
|
* @brief Attempt to locate a command in the extensions command list.
|
|
|
|
|
* @param method String that identifies the command.
|
|
|
|
|
* @returns Pointer to the command entry in the extensions command list.
|
|
|
|
|
* @retval NULL Indicates that no command was found for the given method.
|
|
|
|
|
* @retval NON-NULL Pointer to the command that can be executed.
|
|
|
|
|
*/
|
|
|
|
|
Command* command_locate_extension(const char* method)
|
|
|
|
|
{
|
|
|
|
|
Command* command;
|
|
|
|
|
|
|
|
|
|
dprintf("[COMMAND EXEC] Attempting to locate extension command %s (%p)", method, extensionCommands);
|
|
|
|
|
for (command = extensionCommands; command; command = command->next)
|
|
|
|
|
{
|
|
|
|
|
if (strcmp(command->method, method) == 0)
|
|
|
|
|
{
|
|
|
|
|
return command;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
dprintf("[COMMAND EXEC] Couldn't find extension command %s", method);
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
/*!
|
|
|
|
|
* @brief Handle an incoming command.
|
|
|
|
|
* @param remote Pointer to the \c Remote instance associated with this command.
|
|
|
|
|
* @param packet Pointer to the \c Packet containing the command data.
|
|
|
|
|
* @retval TRUE The server can and should continue processing.
|
|
|
|
|
* @retval FALSE The server should stop processing and shut down.
|
|
|
|
|
* @remark This function was incorporate to help support two things in meterpreter:
|
|
|
|
|
* -# A way of allowing a command to be processed directly on the main server
|
|
|
|
|
* thread and not on another thread (which in some cases can cause problems).
|
|
|
|
|
* -# A cleaner way of shutting down the server so that container processes
|
|
|
|
|
* can shutdown cleanly themselves, where appropriate.
|
|
|
|
|
*
|
|
|
|
|
* This function will look at the command definition and determine if it should
|
|
|
|
|
* be executed inline or on a new command thread.
|
|
|
|
|
* @sa command_process_inline
|
|
|
|
|
* @sa command_process_thread
|
2012-11-19 16:46:07 -06:00
|
|
|
*/
|
2013-11-21 13:28:31 +10:00
|
|
|
BOOL command_handle(Remote *remote, Packet *packet)
|
2012-11-19 16:46:07 -06:00
|
|
|
{
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
BOOL result = TRUE;
|
|
|
|
|
THREAD* cpt = NULL;
|
2013-11-21 13:28:31 +10:00
|
|
|
Command* baseCommand = NULL;
|
|
|
|
|
Command* extensionCommand = NULL;
|
|
|
|
|
Command** commands = NULL;
|
2013-11-13 13:50:23 +10:00
|
|
|
Packet* response = NULL;
|
2013-11-21 13:28:31 +10:00
|
|
|
PCHAR lpMethod = NULL;
|
|
|
|
|
Tlv methodTlv;
|
2012-11-19 16:46:07 -06:00
|
|
|
|
|
|
|
|
do
|
|
|
|
|
{
|
2013-11-21 13:28:31 +10:00
|
|
|
if (packet_get_tlv_string(packet, TLV_TYPE_METHOD, &methodTlv) != ERROR_SUCCESS)
|
|
|
|
|
{
|
|
|
|
|
dprintf("[COMMAND] Unable to extract method from packet.");
|
|
|
|
|
break;
|
|
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
|
2013-11-21 13:28:31 +10:00
|
|
|
lpMethod = (PCHAR)methodTlv.buffer;
|
|
|
|
|
|
|
|
|
|
baseCommand = command_locate_base(lpMethod);
|
|
|
|
|
extensionCommand = command_locate_extension(lpMethod);
|
|
|
|
|
|
2018-08-09 21:51:53 +10:00
|
|
|
if (baseCommand == NULL && extensionCommand == NULL)
|
|
|
|
|
{
|
2013-11-21 13:28:31 +10:00
|
|
|
dprintf("[DISPATCH] Command not found: %s", lpMethod);
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
// We have no matching command for this packet, so it won't get handled. We
|
2013-11-13 13:50:23 +10:00
|
|
|
// need to send an empty response and clean up here before exiting out.
|
2013-11-21 13:28:31 +10:00
|
|
|
response = packet_create_response(packet);
|
2016-03-23 22:21:54 +10:00
|
|
|
if (packet->local)
|
|
|
|
|
{
|
|
|
|
|
packet_add_tlv_uint(response, TLV_TYPE_RESULT, ERROR_NOT_SUPPORTED);
|
|
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
packet_transmit_response(ERROR_NOT_SUPPORTED, remote, response);
|
|
|
|
|
packet_destroy(packet);
|
|
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
break;
|
|
|
|
|
}
|
2013-11-21 13:28:31 +10:00
|
|
|
|
|
|
|
|
// if either command is registered as inline, run them inline
|
|
|
|
|
if ((baseCommand && command_is_inline(baseCommand, packet))
|
2015-10-15 19:04:23 +10:00
|
|
|
|| (extensionCommand && command_is_inline(extensionCommand, packet))
|
|
|
|
|
|| packet->local)
|
2013-11-21 13:28:31 +10:00
|
|
|
{
|
|
|
|
|
dprintf("[DISPATCH] Executing inline: %s", lpMethod);
|
|
|
|
|
result = command_process_inline(baseCommand, extensionCommand, remote, packet);
|
2017-08-09 13:03:12 +10:00
|
|
|
dprintf("[DISPATCH] Executed inline: result %u (%x)", result, result);
|
2013-11-21 13:28:31 +10:00
|
|
|
}
|
|
|
|
|
else
|
|
|
|
|
{
|
|
|
|
|
dprintf("[DISPATCH] Executing in thread: %s", lpMethod);
|
|
|
|
|
|
|
|
|
|
commands = (Command**)malloc(sizeof(Command*) * 2);
|
|
|
|
|
*commands = baseCommand;
|
|
|
|
|
*(commands + 1) = extensionCommand;
|
|
|
|
|
|
|
|
|
|
cpt = thread_create(command_process_thread, remote, packet, commands);
|
|
|
|
|
if (cpt)
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
{
|
2013-11-21 13:28:31 +10:00
|
|
|
dprintf("[DISPATCH] created command_process_thread 0x%08X, handle=0x%08X", cpt, cpt->handle);
|
|
|
|
|
thread_run(cpt);
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
}
|
2013-11-21 13:28:31 +10:00
|
|
|
} while (0);
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
|
|
|
|
|
return result;
|
|
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
/*!
|
|
|
|
|
* @brief Process a single command in a seperate thread of execution.
|
|
|
|
|
* @param thread Pointer to the thread to execute.
|
|
|
|
|
* @return Result of thread execution (not the result of the command).
|
|
|
|
|
* @sa command_handle
|
2013-11-21 13:28:31 +10:00
|
|
|
* @sa command_process_inline
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
*/
|
2013-11-21 13:28:31 +10:00
|
|
|
DWORD THREADCALL command_process_thread(THREAD * thread)
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
{
|
2013-11-21 13:28:31 +10:00
|
|
|
Command** commands = NULL;
|
|
|
|
|
Remote * remote = NULL;
|
|
|
|
|
Packet * packet = NULL;
|
|
|
|
|
|
|
|
|
|
dprintf("[COMMAND] executing in thread %p", thread);
|
2012-11-19 16:46:07 -06:00
|
|
|
|
2013-11-21 13:28:31 +10:00
|
|
|
if (thread == NULL)
|
|
|
|
|
{
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
return ERROR_INVALID_HANDLE;
|
2013-11-21 13:28:31 +10:00
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
remote = (Remote *)thread->parameter1;
|
2013-11-21 13:28:31 +10:00
|
|
|
if (remote == NULL)
|
|
|
|
|
{
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
return ERROR_INVALID_HANDLE;
|
2013-11-21 13:28:31 +10:00
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
packet = (Packet *)thread->parameter2;
|
2013-11-21 13:28:31 +10:00
|
|
|
if (packet == NULL)
|
|
|
|
|
{
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
return ERROR_INVALID_DATA;
|
2013-11-21 13:28:31 +10:00
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
|
2013-11-21 13:28:31 +10:00
|
|
|
commands = (Command**)thread->parameter3;
|
|
|
|
|
if (commands == NULL)
|
|
|
|
|
{
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
return ERROR_INVALID_DATA;
|
2013-11-21 13:28:31 +10:00
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
|
2013-11-21 13:28:31 +10:00
|
|
|
if (commandThreadList == NULL)
|
2012-11-19 16:46:07 -06:00
|
|
|
{
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
commandThreadList = list_create();
|
2013-11-21 13:28:31 +10:00
|
|
|
if (commandThreadList == NULL)
|
|
|
|
|
{
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
return ERROR_INVALID_HANDLE;
|
2013-11-21 13:28:31 +10:00
|
|
|
}
|
2012-11-19 16:46:07 -06:00
|
|
|
}
|
|
|
|
|
|
2013-11-21 13:28:31 +10:00
|
|
|
list_add(commandThreadList, thread);
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
|
2013-11-21 13:28:31 +10:00
|
|
|
// invoke processing inline, passing in both commands
|
|
|
|
|
dprintf("[COMMAND] About to execute inline -> Commands: %p Command1: %p Command2: %p", commands, *commands, *(commands + 1));
|
|
|
|
|
command_process_inline(*commands, *(commands + 1), remote, packet);
|
|
|
|
|
dprintf("[COMMAND] Executed inline -> Commands: %p Command1: %p Command2: %p", commands, *commands, *(commands + 1));
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
|
2013-11-21 13:28:31 +10:00
|
|
|
if (list_remove(commandThreadList, thread))
|
|
|
|
|
{
|
|
|
|
|
thread_destroy(thread);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
// free things up now that the command stuff has been finished
|
|
|
|
|
dprintf("[COMMAND] Cleaning up commands");
|
|
|
|
|
free(commands);
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
|
|
|
|
|
return ERROR_SUCCESS;
|
2012-11-19 16:46:07 -06:00
|
|
|
}
|
|
|
|
|
|
2013-10-04 14:41:00 +10:00
|
|
|
/*!
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
* @brief Determine if a given command/packet combination should be invoked inline.
|
|
|
|
|
* @param command Pointer to the \c Command being invoked.
|
|
|
|
|
* @param packet Pointer to the \c Packet being received/sent.
|
|
|
|
|
* @returns Boolean indication of whether the command should be executed inline.
|
|
|
|
|
* @retval TRUE The command should be executed inline on the current thread.
|
|
|
|
|
* @retval FALSE The command should be executed on a new thread.
|
2012-11-19 16:46:07 -06:00
|
|
|
*/
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
BOOL command_is_inline( Command *command, Packet *packet )
|
2012-11-19 16:46:07 -06:00
|
|
|
{
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
switch (packet_get_type( packet ))
|
2012-11-19 16:46:07 -06:00
|
|
|
{
|
2013-09-26 08:05:05 +10:00
|
|
|
case PACKET_TLV_TYPE_REQUEST:
|
|
|
|
|
case PACKET_TLV_TYPE_PLAIN_REQUEST:
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
if (command->request.inline_handler)
|
|
|
|
|
return TRUE;
|
2013-09-26 08:05:05 +10:00
|
|
|
case PACKET_TLV_TYPE_RESPONSE:
|
|
|
|
|
case PACKET_TLV_TYPE_PLAIN_RESPONSE:
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
if (command->response.inline_handler)
|
|
|
|
|
return TRUE;
|
2012-11-19 16:46:07 -06:00
|
|
|
}
|
|
|
|
|
|
Command refactor for clean shutdown + inline calls
This work contains a bunch of changes around command dispatching. The
goals for this bit of work were to:
* Provide the ability for commands to be executed on the same thread as
the server rather than always creating new threads and executing them on
those threads.
* Have the means for _special_ commands, such as `exit` and `migrate` to
shut down the server cleanly without having to rely on signalling across
threads or by doing brutal thread termination via shared global handles.
This should not only fix the dirty shutdown problem on Windows which
leaves tasks dangling (or based on the prior attempt at fixing, crashing
stuff as well), it should also help clean up the shutdown process in
POSIX.
These changes hit a very important part of Meterpreter and so should be
reviewed with intense scrutnity. I expect this PR to garner a log of
critique and most likely a number of changes before being included in the
main line.
The `PacketDispatcher` was modified to include a new function pointer
called an `inline_handler`. This new member indicates that there's a
handler which should be invoked inline. While this sits alongside the
existing `handler`, they are actually mutually exclusive. If an
`inline_handler` is specified then the `handler` is ignored and it is
assumed that the command is intended to be handled inline. The signature
of the inline handler is different to the standard handler, and this is
why a new function pointer was added rather than a simple flag. Addition of
this parameter meant that the basic command structure changed, and that
obviously affects all of the extensions and their respective commands.
This changeset therefore updates each of those command declarations so
that they use the new macros that hide this detail.
Other things to be mindful of:
* This version of the code reads the command's `method` prior to invoking
any other function, and after that the command itself is passed around to
the threaded or non-threaded routes for invocation. An extra thread
parameter was included as as result, and an overload for the
`thread_create` function was added which supported this new parameter.
This was named `thread_create3` because
`thread_create_with_another_paramter` sounded a bit crap.
* The migration code, which originally had a `thread_kill` and an event
wait once the new meterpreter session had been created, has been modified
to not do any waiting at all. Instead it finishes execution as fast as
possible and returns control to the server which should respond by
shutting down in a clean way.
* Originally the code always attempted to call a command handler in the
base command list and then, if found, would also call an "overload" in
the extension commands list. From the investigation that I did, it
appears that the overloaded methods did nothing in the base (they'd
early out during invocation). As a result, the new way of doing things
acts like a 'true' overload in that the extension commands are searched
first, and if one is found this is the command that is executed. Any
base commands with the same method name will not get executed. In the
case where there is no extension command found, the base command list is
then queried. If a command is found that command is instead invoked.
* The POSIX version still compiles cleanly, but I've never been able to
build a version that runs on my machines. I'm not sure if there's a
trick to getting POSIX builds to run, and if there is I don't know it.
Whoever scrutinises this build should make sure that the POSIX version
that they build can still run and (hopefully) exit cleanly.
I've added lots of documentation, but there's always room for improvement.
Hopefully this will fix the `*_tcp` side of Redmine 8438.
Bring on the feedback!
2013-10-17 12:34:55 +10:00
|
|
|
return FALSE;
|
|
|
|
|
}
|
|
|
|
|
|
2013-10-04 14:41:00 +10:00
|
|
|
/*!
|
|
|
|
|
* @brief Validate command arguments
|
|
|
|
|
* @return Indication of whether the commands are valid or not.
|
|
|
|
|
* @retval ERROR_SUCCESS All arguments are valid.
|
|
|
|
|
* @retval ERROR_INVALID_PARAMETER An invalid parameter exists.
|
|
|
|
|
*/
|
2012-11-19 16:46:07 -06:00
|
|
|
DWORD command_validate_arguments(Command *command, Packet *packet)
|
|
|
|
|
{
|
|
|
|
|
PacketDispatcher *dispatcher = NULL;
|
|
|
|
|
PacketTlvType type = packet_get_type(packet);
|
2015-01-12 13:00:52 -06:00
|
|
|
DWORD res = ERROR_SUCCESS,
|
2012-11-19 16:46:07 -06:00
|
|
|
packetIndex, commandIndex;
|
|
|
|
|
Tlv current;
|
|
|
|
|
|
|
|
|
|
// Select the dispatcher table
|
|
|
|
|
if ((type == PACKET_TLV_TYPE_RESPONSE) ||
|
2013-09-26 08:05:05 +10:00
|
|
|
(type == PACKET_TLV_TYPE_PLAIN_RESPONSE))
|
2012-11-19 16:46:07 -06:00
|
|
|
dispatcher = &command->response;
|
|
|
|
|
else
|
|
|
|
|
dispatcher = &command->request;
|
|
|
|
|
|
|
|
|
|
// Enumerate the arguments, validating the meta types of each
|
|
|
|
|
for (commandIndex = 0, packetIndex = 0;
|
2013-10-04 18:03:35 +10:00
|
|
|
((packet_enum_tlv(packet, packetIndex, TLV_TYPE_ANY, ¤t) == ERROR_SUCCESS)
|
|
|
|
|
&& (res == ERROR_SUCCESS));
|
|
|
|
|
commandIndex++, packetIndex++)
|
2012-11-19 16:46:07 -06:00
|
|
|
{
|
|
|
|
|
TlvMetaType tlvMetaType;
|
|
|
|
|
|
|
|
|
|
// Check to see if we've reached the end of the command arguments
|
|
|
|
|
if ((dispatcher->numArgumentTypes) &&
|
2013-09-26 08:05:05 +10:00
|
|
|
(commandIndex == (dispatcher->numArgumentTypes & ARGUMENT_FLAG_MASK)))
|
2012-11-19 16:46:07 -06:00
|
|
|
{
|
|
|
|
|
// If the repeat flag is set, reset the index
|
|
|
|
|
if (commandIndex & ARGUMENT_FLAG_REPEAT)
|
|
|
|
|
commandIndex = 0;
|
|
|
|
|
else
|
|
|
|
|
break;
|
|
|
|
|
}
|
2013-09-26 08:05:05 +10:00
|
|
|
|
2012-11-19 16:46:07 -06:00
|
|
|
// Make sure the argument is at least one of the meta types
|
|
|
|
|
tlvMetaType = packet_get_tlv_meta(packet, ¤t);
|
|
|
|
|
|
|
|
|
|
// Validate argument meta types
|
|
|
|
|
switch (tlvMetaType)
|
|
|
|
|
{
|
2013-09-26 08:05:05 +10:00
|
|
|
case TLV_META_TYPE_STRING:
|
2013-10-15 16:14:39 +10:00
|
|
|
if (packet_is_tlv_null_terminated(¤t) != ERROR_SUCCESS)
|
2015-12-02 13:30:22 +10:00
|
|
|
{
|
|
|
|
|
dprintf("[COMMAND] string is not null terminated");
|
2013-09-26 08:05:05 +10:00
|
|
|
res = ERROR_INVALID_PARAMETER;
|
2015-12-02 13:30:22 +10:00
|
|
|
}
|
2013-09-26 08:05:05 +10:00
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
2012-11-19 16:46:07 -06:00
|
|
|
}
|
2013-09-26 08:05:05 +10:00
|
|
|
|
2015-01-12 13:00:52 -06:00
|
|
|
if ((res != ERROR_SUCCESS) &&
|
2013-09-26 08:05:05 +10:00
|
|
|
(commandIndex < dispatcher->numArgumentTypes))
|
2012-11-19 16:46:07 -06:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return res;
|
|
|
|
|
}
|