1
mirror of https://github.com/rapid7/metasploit-payloads synced 2025-03-12 12:14:29 +01:00

388 lines
12 KiB
C
Raw Normal View History

#include "precomp.h"
2012-03-06 15:34:09 -07:00
#ifdef _WIN32
#include <iptypes.h>
#include <ws2ipdef.h>
2012-03-06 15:34:09 -07:00
#endif
#ifdef _WIN32
DWORD get_interfaces_windows_mib(Remote *remote, Packet *response)
{
DWORD result = ERROR_SUCCESS;
DWORD tlv_cnt;
Tlv entries[6];
PMIB_IPADDRTABLE table = NULL;
DWORD tableSize = sizeof(MIB_IPADDRROW) * 33;
DWORD index;
DWORD mtu_bigendian;
DWORD interface_index_bigendian;
MIB_IFROW iface;
do
{
// Allocate memory for reading addresses into
if (!(table = (PMIB_IPADDRTABLE)malloc(tableSize)))
{
result = ERROR_NOT_ENOUGH_MEMORY;
break;
}
// Get the IP address table
if (GetIpAddrTable(table, &tableSize, TRUE) != NO_ERROR)
{
result = GetLastError();
break;
}
// Enumerate the entries
for (index = 0; index < table->dwNumEntries; index++)
{
tlv_cnt = 0;
interface_index_bigendian = htonl(table->table[index].dwIndex);
entries[tlv_cnt].header.length = sizeof(DWORD);
entries[tlv_cnt].header.type = TLV_TYPE_INTERFACE_INDEX;
entries[tlv_cnt].buffer = (PUCHAR)&interface_index_bigendian;
tlv_cnt++;
entries[tlv_cnt].header.length = sizeof(DWORD);
entries[tlv_cnt].header.type = TLV_TYPE_IP;
entries[tlv_cnt].buffer = (PUCHAR)&table->table[index].dwAddr;
tlv_cnt++;
entries[tlv_cnt].header.length = sizeof(DWORD);
entries[tlv_cnt].header.type = TLV_TYPE_NETMASK;
entries[tlv_cnt].buffer = (PUCHAR)&table->table[index].dwMask;
tlv_cnt++;
iface.dwIndex = table->table[index].dwIndex;
// If interface information can get gotten, use it.
if (GetIfEntry(&iface) == NO_ERROR)
{
entries[tlv_cnt].header.length = iface.dwPhysAddrLen;
entries[tlv_cnt].header.type = TLV_TYPE_MAC_ADDR;
entries[tlv_cnt].buffer = (PUCHAR)iface.bPhysAddr;
tlv_cnt++;
mtu_bigendian = htonl(iface.dwMtu);
entries[tlv_cnt].header.length = sizeof(DWORD);
entries[tlv_cnt].header.type = TLV_TYPE_INTERFACE_MTU;
entries[tlv_cnt].buffer = (PUCHAR)&mtu_bigendian;
tlv_cnt++;
if (iface.bDescr)
{
entries[tlv_cnt].header.length = iface.dwDescrLen + 1;
entries[tlv_cnt].header.type = TLV_TYPE_MAC_NAME;
entries[tlv_cnt].buffer = (PUCHAR)iface.bDescr;
tlv_cnt++;
}
}
// Add the interface group
packet_add_tlv_group(response, TLV_TYPE_NETWORK_INTERFACE,
entries, tlv_cnt);
}
} while (0);
if (table)
free(table);
return result;
}
DWORD get_interfaces_windows(Remote *remote, Packet *response) {
DWORD result = ERROR_SUCCESS;
DWORD tlv_cnt;
// Most of the time we'll need:
// index, name (description), MAC addr, mtu, flags, IP addr, netmask, maybe scope id
// In some cases, the interface will have multiple addresses, so we'll realloc
// this when necessary, but this will cover the common case.
DWORD allocd_entries = 20;
Tlv *entries = (Tlv *)malloc(sizeof(Tlv) * 20);
int prefixes[30];
int prefixes_cnt = 0;
DWORD mtu_bigendian;
DWORD interface_index_bigendian;
ULONG flags = GAA_FLAG_INCLUDE_PREFIX
| GAA_FLAG_SKIP_DNS_SERVER
| GAA_FLAG_SKIP_MULTICAST
| GAA_FLAG_SKIP_ANYCAST;
LPSOCKADDR sockaddr;
ULONG family = AF_UNSPEC;
IP_ADAPTER_ADDRESSES *pAdapters = NULL;
IP_ADAPTER_ADDRESSES *pCurr = NULL;
ULONG outBufLen = 0;
DWORD (WINAPI *gaa)(DWORD, DWORD, void *, void *, void *);
// Use the newer version so we're guaranteed to have a large enough struct.
// Unfortunately, using these probably means it won't compile on older
// versions of Visual Studio. =(
IP_ADAPTER_UNICAST_ADDRESS_LH *pAddr = NULL;
IP_ADAPTER_UNICAST_ADDRESS_LH *pPref = NULL;
// IP_ADAPTER_PREFIX is only defined if NTDDI_VERSION > NTDDI_WINXP
// Since we request older versions of things, we have to be explicit
// when using newer structs.
IP_ADAPTER_PREFIX_XP *pPrefix = NULL;
do
{
gaa = (DWORD (WINAPI *)(DWORD,DWORD,void*,void*,void*))GetProcAddress(
GetModuleHandle("iphlpapi"), "GetAdaptersAddresses"
);
if (!gaa) {
result = get_interfaces_windows_mib(remote, response);
break;
}
gaa(family, flags, NULL, pAdapters, &outBufLen);
if (!(pAdapters = (IP_ADAPTER_ADDRESSES *)malloc(outBufLen)))
{
result = ERROR_NOT_ENOUGH_MEMORY;
break;
}
if (gaa(family, flags, NULL, pAdapters, &outBufLen))
{
result = GetLastError();
break;
}
// Enumerate the entries
for (pCurr = pAdapters; pCurr; pCurr = pCurr->Next)
{
tlv_cnt = 0;
interface_index_bigendian = htonl(pCurr->IfIndex);
entries[tlv_cnt].header.length = sizeof(DWORD);
entries[tlv_cnt].header.type = TLV_TYPE_INTERFACE_INDEX;
entries[tlv_cnt].buffer = (PUCHAR)&interface_index_bigendian;
tlv_cnt++;
entries[tlv_cnt].header.length = pCurr->PhysicalAddressLength;
entries[tlv_cnt].header.type = TLV_TYPE_MAC_ADDR;
entries[tlv_cnt].buffer = (PUCHAR)pCurr->PhysicalAddress;
tlv_cnt++;
entries[tlv_cnt].header.length = wcslen(pCurr->Description)*2 + 1;
entries[tlv_cnt].header.type = TLV_TYPE_MAC_NAME;
entries[tlv_cnt].buffer = (PUCHAR)pCurr->Description;
tlv_cnt++;
mtu_bigendian = htonl(pCurr->Mtu);
entries[tlv_cnt].header.length = sizeof(DWORD);
entries[tlv_cnt].header.type = TLV_TYPE_INTERFACE_MTU;
entries[tlv_cnt].buffer = (PUCHAR)&mtu_bigendian;
tlv_cnt++;
if (pCurr->Length > 68) {
// Then this is a Longhorn struct version and it contains the
// FirstPrefix member, save it for later in case we don't have
// an OnLinkPrefixLength
pPrefix = pCurr->FirstPrefix;
}
for (pAddr = (void*)pCurr->FirstUnicastAddress; pAddr; pAddr = (void*)pAddr->Next)
{
sockaddr = pAddr->Address.lpSockaddr;
if (AF_INET != sockaddr->sa_family && AF_INET6 != sockaddr->sa_family) {
// Skip interfaces that aren't IP
continue;
}
// This loop can add up to three Tlv's - one for address, one
// for scope_id, one for netmask. Go ahead and allocate enough
// room for all of them.
if (allocd_entries < tlv_cnt+3) {
entries = realloc(entries, sizeof(Tlv) * (tlv_cnt+3));
allocd_entries += 3;
}
if (pAddr->Length > 44) {
// Then this is Vista+ and the OnLinkPrefixLength member
// will be populated
prefixes[prefixes_cnt] = htonl(pAddr->OnLinkPrefixLength);
}
if (pPrefix && 0 == prefixes[prefixes_cnt]) {
// Otherwise, we have to walk the FirstPrefix linked list
prefixes[prefixes_cnt] = htonl(pPrefix->PrefixLength);
pPrefix = pPrefix->Next;
} else {
// This is XP SP0 and as far as I can tell, we have no way
// of determining the netmask short of bailing on
// this method and falling back to MIB, which doesn't
// return IPv6 addresses. Older versions (e.g. NT4, 2k)
// don't have GetAdapterAddresses, so they will have fallen
// through earlier to the MIB implementation.
free(entries);
free(pAdapters);
return get_interfaces_windows_mib(remote, response);
}
if (prefixes[prefixes_cnt]) {
entries[tlv_cnt].header.length = 4;
entries[tlv_cnt].header.type = TLV_TYPE_IP_PREFIX;
entries[tlv_cnt].buffer = (PUCHAR)&prefixes[prefixes_cnt];
tlv_cnt++;
prefixes_cnt++;
}
if (sockaddr->sa_family == AF_INET) {
entries[tlv_cnt].header.length = 4;
entries[tlv_cnt].header.type = TLV_TYPE_IP;
entries[tlv_cnt].buffer = (PUCHAR)&(((struct sockaddr_in *)sockaddr)->sin_addr);
tlv_cnt++;
} else {
entries[tlv_cnt].header.length = 16;
entries[tlv_cnt].header.type = TLV_TYPE_IP;
entries[tlv_cnt].buffer = (PUCHAR)&(((struct sockaddr_in6 *)sockaddr)->sin6_addr);
tlv_cnt++;
entries[tlv_cnt].header.length = sizeof(DWORD);
entries[tlv_cnt].header.type = TLV_TYPE_IP6_SCOPE;
entries[tlv_cnt].buffer = (PUCHAR)&(((struct sockaddr_in6 *)sockaddr)->sin6_scope_id);
tlv_cnt++;
}
}
// Add the interface group
packet_add_tlv_group(response, TLV_TYPE_NETWORK_INTERFACE,
entries, tlv_cnt);
}
} while (0);
if (entries)
free(entries);
if (pAdapters)
free(pAdapters);
return result;
}
#else /* _WIN32 */
int get_interfaces_linux(Remote *remote, Packet *response) {
struct ifaces_list *ifaces = NULL;
2012-02-02 00:11:52 -07:00
int i;
2012-03-11 22:08:44 -06:00
int result;
uint32_t interface_index_bigendian, mtu_bigendian;
DWORD allocd_entries = 10;
Tlv *entries = (Tlv *)malloc(sizeof(Tlv) * 10);
2012-02-02 00:11:52 -07:00
dprintf("Grabbing interfaces");
2012-03-11 22:08:44 -06:00
result = netlink_get_interfaces(&ifaces);
dprintf("Got 'em");
2012-02-02 00:11:52 -07:00
2012-03-11 22:08:44 -06:00
if (!result) {
for (i = 0; i < ifaces->entries; i++) {
int tlv_cnt = 0;
int j = 0;
dprintf("Building TLV for iface %d", i);
entries[tlv_cnt].header.length = strlen(ifaces->ifaces[i].name)+1;
entries[tlv_cnt].header.type = TLV_TYPE_MAC_NAME;
entries[tlv_cnt].buffer = (PUCHAR)ifaces->ifaces[i].name;
tlv_cnt++;
entries[tlv_cnt].header.length = 6;
entries[tlv_cnt].header.type = TLV_TYPE_MAC_ADDR;
entries[tlv_cnt].buffer = (PUCHAR)ifaces->ifaces[i].hwaddr;
tlv_cnt++;
mtu_bigendian = htonl(ifaces->ifaces[i].mtu);
entries[tlv_cnt].header.length = sizeof(uint32_t);
entries[tlv_cnt].header.type = TLV_TYPE_INTERFACE_MTU;
entries[tlv_cnt].buffer = (PUCHAR)&mtu_bigendian;
tlv_cnt++;
entries[tlv_cnt].header.length = strlen(ifaces->ifaces[i].flags)+1;
entries[tlv_cnt].header.type = TLV_TYPE_INTERFACE_FLAGS;
entries[tlv_cnt].buffer = (PUCHAR)ifaces->ifaces[i].flags;
tlv_cnt++;
interface_index_bigendian = htonl(ifaces->ifaces[i].index);
entries[tlv_cnt].header.length = sizeof(uint32_t);
entries[tlv_cnt].header.type = TLV_TYPE_INTERFACE_INDEX;
entries[tlv_cnt].buffer = (PUCHAR)&interface_index_bigendian;
tlv_cnt++;
for (j = 0; j < ifaces->ifaces[i].addr_count; j++) {
Squashed commit of the following: commit 6a3ad1d887df9d277e4878de94f8700ed8e404f9 Author: James Lee <egypt@metasploit.com> Date: Wed May 9 16:22:49 2012 -0600 Add register_command calls for md5 and sha1 commit dbd52c5a1edfe1818a580d4d46aac0a9ca038e9c Author: James Lee <egypt@metasploit.com> Date: Wed May 9 16:22:09 2012 -0600 Read the file instead of downloading it commit 55b84ad8e2a8532b3f8520ccb1162169b8e9c056 Author: James Lee <egypt@metasploit.com> Date: Wed May 9 15:27:11 2012 -0600 Re-compile linux meterp to support the loadlib api commit d112e84e490aa30aa9533fb0bdb33a9713ce01a5 Author: James Lee <egypt@metasploit.com> Date: Wed May 9 14:50:25 2012 -0600 Re-compile java meterp to support the loadlib api commit c137187b346b708487245a849b95343223e4e7b0 Author: James Lee <egypt@metasploit.com> Date: Wed May 9 14:44:10 2012 -0600 Don't try to get interfaces if this session doesn't implement it commit 88bba1e6c360c5725c4174623f56bcb6d8b54228 Author: James Lee <egypt@metasploit.com> Date: Wed May 9 14:38:17 2012 -0600 Remove debugging load commit 02954cbf93e2a13da967780cb703103b3f83ecf4 Merge: d9ef256 88b35a3 Author: James Lee <egypt@metasploit.com> Date: Wed May 9 12:06:53 2012 -0600 Merge branch 'rapid7' into feature/4905 Conflicts: data/meterpreter/ext_server_stdapi.php modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb commit d9ef2569b88ae8bce67f13316f6eff76311fd846 Author: James Lee <egypt@metasploit.com> Date: Wed May 2 18:06:06 2012 -0600 PHP doesn't support rev2self commit bf13ea0ff25541da07b8c099218e5ad7ea6ae8ba Author: James Lee <egypt@metasploit.com> Date: Tue May 1 18:21:59 2012 -0600 Add php support for returning new extension commands commit 7e35f2d671d3797fc3fab12e54015387f44b0b33 Author: James Lee <egypt@metasploit.com> Date: Tue May 1 16:03:26 2012 -0600 Reset CVE-2012-0507 back to master Purges commits unrelated to this branch. commit 86a77b3cd017e1e3a3f23d9fba3b9ed173761f80 Author: James Lee <egypt@metasploit.com> Date: Tue May 1 15:59:35 2012 -0600 Revert "Make building the jar for cve-2012-0507 a bit easier" This reverts commit 27ef76522ad10436ec785728445ed2cc0657f85f. Conflicts: external/source/exploits/CVE-2012-0507/Makefile external/source/exploits/CVE-2012-0507/src/msf/x/PayloadX.java commit 8c259fb779f736be16fe972215ddff1dd32fd0f3 Merge: fe2c273 1c03c2b Author: James Lee <egypt@metasploit.com> Date: Tue May 1 15:35:44 2012 -0600 Merge branch 'rapid7' into feature/4905 Conflicts: data/meterpreter/ext_server_stdapi.jar data/meterpreter/meterpreter.jar external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/Meterpreter.java modules/auxiliary/server/browser_autopwn.rb commit fe2c273a6d840c67040d6c9e337f908204337e18 Merge: 8caff47 4e955e5 Author: James Lee <egypt@metasploit.com> Date: Fri Apr 6 10:19:53 2012 -0600 Merge branch 'rapid7' into feature/4905 commit 8caff47d97469f1a5459c04461fd1098487ea514 Author: James Lee <egypt@metasploit.com> Date: Thu Apr 5 17:51:18 2012 -0600 Fix requires to find the test library commit 51c33574cee3c47f0b2900c388d3d1213dd0a90d Author: James Lee <egypt@metasploit.com> Date: Thu Apr 5 17:48:35 2012 -0600 Fix a load order problem with solaris post mods commit 81b658362e5e6bdd215d18b53d14429d163aff72 Merge: adad2cf 6ef4257 Author: James Lee <egypt@metasploit.com> Date: Thu Apr 5 15:43:19 2012 -0600 Merge branch 'master' into feature/4905 commit 6ef42579471c6fde4bba71d0d4ce2c6c3e836180 Merge: 70ab8c0 5852455 Author: James Lee <egypt@metasploit.com> Date: Thu Apr 5 15:16:56 2012 -0600 Merge branch 'rapid7' Conflicts: lib/rex/exploitation/javascriptosdetect.rb commit adad2cf04c501c2a787e5475b62abd31871c06a0 Author: James Lee <egypt@metasploit.com> Date: Thu Mar 29 20:20:21 2012 -0600 Deal with null data/jar Not sure why "" turns into null sometimes, but it was breaking shells; this fixes it. commit 4f8a437b490e2b2774f9efd23b4891eaf007cf16 Author: James Lee <egypt@metasploit.com> Date: Thu Mar 29 18:10:59 2012 -0600 Prev commit moved these to src/a commit 27ef76522ad10436ec785728445ed2cc0657f85f Author: James Lee <egypt@metasploit.com> Date: Thu Mar 29 18:08:32 2012 -0600 Make building the jar for cve-2012-0507 a bit easier Mostly stolen from cve-2008-5353 commit db3dbad0a5ff20b05758be073c3502138ff095c2 Author: James Lee <egypt@metasploit.com> Date: Thu Mar 29 14:52:23 2012 -0600 Fix incorrect option name commit 776976af31795bdf1b405e208a2d4b78a6b6c2cf Author: James Lee <egypt@metasploit.com> Date: Wed Mar 28 15:36:20 2012 -0600 Add bap support to java_rhino commit a611ab16e06bd324d6616d0bd69f2c09d671bca0 Author: James Lee <egypt@metasploit.com> Date: Wed Mar 28 15:35:16 2012 -0600 Put next_exploit on the window object so it's always in scope Solves some issues with Chrome not running more than one exploit commit 5114d35de7c2f234ac7fe4288b344d4f2bb9731f Author: James Lee <egypt@metasploit.com> Date: Tue Mar 27 14:31:53 2012 -0600 Pull common stuff up out of the body commit 748309465a029593e2fe2fd445149745367513f4 Author: James Lee <egypt@metasploit.com> Date: Tue Mar 27 11:04:03 2012 -0600 Fix indentation level commit 954d485e3b8ffea9a7451bd495c1956a098e0eda Author: James Lee <egypt@metasploit.com> Date: Tue Mar 27 11:02:42 2012 -0600 Abstract out copy-pasted methods Need to do the same thing for OSX, but it's a different implementation. commit cba8d7c911fb184f6358948022fd4a0e010878d0 Author: James Lee <egypt@metasploit.com> Date: Fri Mar 23 18:04:50 2012 -0600 Linux doesn't implement (drop|steal)_token commit 1cfda3a7b045c08ecfae1ad688e0124e76bd0c8f Author: James Lee <egypt@metasploit.com> Date: Fri Mar 23 17:57:37 2012 -0600 Add availability checks for net, sys, ui, and webcam commit 4bdf39a8bf4b5aab293fc47cb8282d0346db0811 Author: James Lee <egypt@metasploit.com> Date: Fri Mar 23 16:45:59 2012 -0600 add requirement checking for fs and core commands commit 42e35971c9f7348b57293b2b94a42dd0260ac7e4 Author: James Lee <egypt@metasploit.com> Date: Wed Mar 21 17:20:59 2012 -0600 Add a to_octal method that converts e.g. "A" to \0101 commit c3b9415a0a9e2b55b1effbaf2396e11f88301aaa Author: James Lee <egypt@metasploit.com> Date: Wed Mar 21 17:20:07 2012 -0600 Don't use "echo -n" It's not portable commit b0f3ceccfaedbeaf67fbbe76f1a0a9aec7b44548 Author: James Lee <egypt@metasploit.com> Date: Tue Mar 20 17:01:10 2012 -0600 Return a list of new commands after core_loadlib, java version Thanks mihi for the patch and the awesome responsiveness! commit d65303e1b6458bd4b95138dc0d61e5354c4e8d3a Author: James Lee <egypt@metasploit.com> Date: Tue Mar 20 13:21:06 2012 -0600 Make sure we have a response before doing stuff with it commit 721001ead474a17d1a16de543f78b548879f5e7e Author: James Lee <egypt@metasploit.com> Date: Mon Mar 19 21:25:31 2012 -0600 Add missing rmdir and mkdir protocol commands to PHP Now passes all the stdapi tests that it can [*] Session type is meterpreter and platform is php/php [+] should return a user id [+] should return a sysinfo Hash [-] FAILED: should return network interfaces [-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_interfaces: Operation failed: 1 [-] FAILED: should have an interface that matches session_host [-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_interfaces: Operation failed: 1 [-] FAILED: should return network routes [-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_routes: Operation failed: 1 [+] should return the proper directory separator [+] should return the current working directory [+] should list files in the current directory [+] should stat a directory [+] should create and remove a dir [+] should change directories [+] should create and remove files [+] should upload a file [-] Passed: 10; Failed: 3 commit 024e99167a025f4678a707e1ee809a1524007d4d Author: James Lee <egypt@metasploit.com> Date: Mon Mar 19 15:26:00 2012 -0600 Use a proper TLV type instead of a generic one commit 1836d915cbe0bfd2f536a667e74d8d6a6ccee72a Author: James Lee <egypt@metasploit.com> Date: Mon Mar 19 15:24:25 2012 -0600 Fix a counting error that caused segfaults (Linux) commit 1e419d3fc392e435ae0af703561ce10bd5a45eb0 Author: James Lee <egypt@metasploit.com> Date: Mon Mar 19 15:06:02 2012 -0600 Return a list of new commands after core_loadlib Gets Windows back in sync with Linux commit 3d3959f720de68e2f36ebfabe8196e01f98fe904 Author: James Lee <egypt@metasploit.com> Date: Mon Mar 19 14:50:55 2012 -0600 Refactor extensionList -> extension_commands It's not the same as extension_list. commit a7acb638af803732fc5f3975e0c0632f427e0deb Author: sinn3r <msfsinn3r@gmail.com> Date: Sun Mar 18 00:07:27 2012 -0500 Massive whitespace cleanup commit ef8b9fd5cea7db43860a5b88d7397ba84393ecd5 Author: sinn3r <msfsinn3r@gmail.com> Date: Sat Mar 17 16:00:20 2012 -0500 Add back enum_protections with some new changes commit d778eec36953bb9bf4985e967ad2c119a1acd79b Author: ohdae <bindshell@live.com> Date: Sat Mar 17 13:28:31 2012 -0400 Added fix for enum_protections commit 64611819d43bf13ab2d68f4353513c39e5a64fe0 Author: sinn3r <msfsinn3r@gmail.com> Date: Sat Mar 17 03:14:26 2012 -0500 A bunch of fixes commit bb1a0205d73e75a61a8fbf5ff6440dd09f9780f9 Author: sinn3r <msfsinn3r@gmail.com> Date: Sat Mar 17 00:28:05 2012 -0500 The comments in get_chatlogs need an update commit 666477e42a734f3120dcc4282b01b5ab5819384a Author: sinn3r <msfsinn3r@gmail.com> Date: Sat Mar 17 00:25:41 2012 -0500 Correct license format commit 3c8eecbcd7b952abaca0b1ce14dca41e1d4cabb7 Author: sinn3r <msfsinn3r@gmail.com> Date: Sat Mar 17 00:22:03 2012 -0500 Add enum_adium.rb post module commit d290cf4fef1309df9a1af748e7c6c259a6788576 Author: ohdae <bindshell@live.com> Date: Fri Mar 16 16:54:36 2012 -0300 Changed store_note to store_loot. Fixed local/remote file retrieval commit ccb830b594ea0f0a8ce7c29b24f2f137ecfd5c4c Author: James Lee <egypt@metasploit.com> Date: Fri Mar 16 11:29:07 2012 -0600 Fall back to MIB method if we can't get netmasks Misses IPv6 addresses, but at least doesn't break everything. [Fixes #6525] commit a9a30232dd5fcc0854c10b4d58df8511a23f3091 Author: sinn3r <msfsinn3r@gmail.com> Date: Fri Mar 16 11:49:31 2012 -0500 This module is not ready, yanked. commit 6bb34f7fd0785d31902f1edc938a6b05b91a1495 Author: Gregory Man <man.gregory@gmail.com> Date: Fri Mar 16 18:09:08 2012 +0200 sockso_traversal 1.8 compatibility fix commit e76965ce565a8ae634dc0d3c743542f1a6d977d7 Author: ohdae <bindshell@live.com> Date: Fri Mar 16 09:17:35 2012 -0400 fix commit 61ce7b587de54363f7071bc19df5a29eb29e9aa7 Author: ohdae <bindshell@live.com> Date: Fri Mar 16 09:14:48 2012 -0400 saves each config to loot instead of notes commit f4713974fa82d8b13017cb0817b5fd36696194d9 Author: James Lee <egypt@metasploit.com> Date: Fri Mar 16 03:46:10 2012 -0600 Check for a 0 prefix length If the OnLinkPrefixLength is 0, something is wrong, try the value in the prefix linked list. Appears to fix v4 addresses on XP but not 2k3. [See #6525] commit cde7fcc012e04880f2faa28226a1fc5834a2e3d5 Author: James Lee <egypt@metasploit.com> Date: Fri Mar 16 01:46:41 2012 -0600 Return network prefixes when available Solves #6525 on Vista+. Win2k still works using the old MIB method (which doesn't support ipv6). Win2k3 and XP are still busted for unknown reasons. commit 98bd9a7bd09149f524ebbe1501ec916bf99b078d Author: ohdae <bindshell@live.com> Date: Thu Mar 15 22:59:42 2012 -0400 Enumerate important and interesting configuration files commit 9336df2ac28ee2df10a0e66e7006df3d23493492 Author: David Maloney <David_Maloney@rapid7.com> Date: Thu Mar 15 19:06:48 2012 -0500 More Virtualisation SSL fixes commit f24c378281ee6c85f687d4823f09ef5848812daf Author: David Maloney <David_Maloney@rapid7.com> Date: Thu Mar 15 18:15:29 2012 -0500 Default SSL to true for esx_fingerprint module commit d6e14c42120df0fd16b79709ac5723d0e2818810 Author: sinn3r <msfsinn3r@gmail.com> Date: Thu Mar 15 15:56:24 2012 -0500 Fix typo commit b24dcfe43e625740ec8a1465f33be02f7ec40162 Author: sinn3r <msfsinn3r@gmail.com> Date: Thu Mar 15 15:55:54 2012 -0500 Add sockso dir traversal commit 033052c1e075fcf43e9c17e5ee4a5006247cb375 Author: James Lee <egypt@metasploit.com> Date: Thu Mar 15 14:31:25 2012 -0600 Fix syntax error in 1.8, thanks Jun Koi for the patch commit 4529efaeaa22e52c9c7c1528c68efb60af8af729 Author: sinn3r <msfsinn3r@gmail.com> Date: Thu Mar 15 14:27:40 2012 -0500 enum_protections is now find_apps commit 49e823802bd8f2cb1940545e74db04f3788352d1 Author: sinn3r <msfsinn3r@gmail.com> Date: Thu Mar 15 14:22:23 2012 -0500 File rename, as well as design and cosmetic changes commit ccf6b011145cf9db444f7e2d3fb3ec61738e88cb Author: ohdae <bindshell@live.com> Date: Thu Mar 15 15:29:52 2012 -0300 added report_note, removed store_loot function, cleaned up info/author commit 27d571932e51afbac0c0fcd95c52f038786a9a28 Author: ohdae <bindshell@live.com> Date: Thu Mar 15 12:18:29 2012 -0300 fixed output newline issue commit 5a828e35d1629dc68825fe7d9322d1316888f8d7 Author: ohdae <bindshell@live.com> Date: Thu Mar 15 01:05:35 2012 -0300 fixed save line commit 805c2ee9871c076a8c0ac62b028a7942af70b6a5 Author: ohdae <bindshell@live.com> Date: Thu Mar 15 01:02:07 2012 -0300 removed unneeded comments commit 5861e1512f2949c0d7848d9ebed8241277462085 Author: ohdae <bindshell@live.com> Date: Thu Mar 15 01:00:55 2012 -0300 fixed output issue commit 593a3648111f1db1f56a410250539261c2a7cd9f Author: ohdae <bindshell@live.com> Date: Wed Mar 14 18:26:53 2012 -0300 removed unneeded dependency commit 05053e6e74b0ac99bbd4005c40ecc3b1196fd13f Author: ohdae <bindshell@live.com> Date: Wed Mar 14 13:30:16 2012 -0400 locates installed 3rd part av, fws, etc commit 5bf512d0e9d2b412c4107228db178a7078111443 Author: sinn3r <msfsinn3r@gmail.com> Date: Wed Mar 14 16:50:54 2012 -0500 Add OSVDB-79863 NetDecision Directory Traversal commit 18715d0367f4ef01b5998d732043cbe224e1787e Author: James Lee <egypt@metasploit.com> Date: Wed Mar 14 23:03:01 2012 -0600 Store the retrieved commands on the session commit b752cb8b31fd8dcd221fb6caa483f6202bf5a4fd Author: James Lee <egypt@metasploit.com> Date: Wed Mar 14 22:45:16 2012 -0600 Retrieve the list of new commands The client side doesn't do anything with them yet commit 69ce8ef42d4089a0b26644bd4d6bebf57c4cfd50 Author: James Lee <egypt@metasploit.com> Date: Wed Mar 14 22:41:16 2012 -0600 Return a list of the new commands in response to core_loadlib Linux commit 354c754aa4cce63ffebb4567f3bbfd621ffef46c Author: James Lee <egypt@metasploit.com> Date: Wed Mar 14 15:13:45 2012 -0600 Whitespace at EOL commit 4afcb4cb9da1921ede29b03b149433cc65d680da Author: James Lee <egypt@metasploit.com> Date: Wed Mar 14 14:30:09 2012 -0600 Create instance methods that return extensions Before this change, meterpreter sessions would not #respond_to? their extensions despite having a pseudo-accessor for them: ``` >> client.respond_to? :sys => false >> client.sys => #<Rex::Post::Meterpreter::ObjectAliases:0x0000000e263488 @aliases={"config"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Config:0x0000000e268dc8 @client=#<Session:meterpreter 192.168.99.1:55882 (192.168.99.1) "uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000 @ wpad">>, "process"=>#<Class:0x0000000e268d20>, "registry"=>#<Class:0x0000000e266da0>, "eventlog"=>#<Class:0x0000000e2654e8>, "power"=>#<Class:0x0000000e263c30>}> ``` After: ``` >> client.respond_to? :sys => true ``` commit 70ab8c018f67d15929b6f41322540837ab7b37c5 Merge: a8a3938 5f2bace Author: James Lee <egypt@metasploit.com> Date: Tue Apr 3 11:46:25 2012 -0600 Merge branch 'master' into bap-refactor Conflicts: external/source/exploits/CVE-2012-0507/Help.java external/source/exploits/CVE-2012-0507/Makefile external/source/exploits/CVE-2012-0507/msf/x/Help.java external/source/exploits/CVE-2012-0507/src/a/Exploit.java external/source/exploits/CVE-2012-0507/src/a/Help.java commit a8a393891588a8b5c18e3c2173f1cd9c2480b2d0 Author: James Lee <egypt@metasploit.com> Date: Thu Mar 29 20:20:21 2012 -0600 Deal with null data/jar Not sure why "" turns into null sometimes, but it was breaking shells; this fixes it. commit 5e5eb39d3ccb62a9fc006be8241cfb97723caa06 Author: James Lee <egypt@metasploit.com> Date: Thu Mar 29 18:10:59 2012 -0600 Prev commit moved these to src/a commit 5074eadbea426fc4f83d6d165a01e640ef42b4de Author: James Lee <egypt@metasploit.com> Date: Thu Mar 29 18:08:32 2012 -0600 Make building the jar for cve-2012-0507 a bit easier Mostly stolen from cve-2008-5353 commit bdb3fbe7fd19aa76b4069edca5a78c53fec668c0 Author: James Lee <egypt@metasploit.com> Date: Thu Mar 29 14:52:23 2012 -0600 Fix incorrect option name commit 78824ef60084510d3befe0ded6eed314d55eeb12 Author: James Lee <egypt@metasploit.com> Date: Thu Mar 29 13:24:33 2012 -0600 Add the detected browser version to the DOM Doing it this way lets modules grab the info a bit more easily. commit 9813ccb8d6b14e0e728b8a13bacf59dd31b9c4b9 Merge: 0faa3f6 b5fc8e4 Author: James Lee <egypt@metasploit.com> Date: Thu Mar 29 13:19:05 2012 -0600 Merge branch 'master' into bap-refactor commit 0faa3f65240c3a2b3ab0e72f4aeb2e9f50ed54ee Author: James Lee <egypt@metasploit.com> Date: Wed Mar 28 15:36:20 2012 -0600 Add bap support to java_rhino commit 66ca27f994e3b11c9c8adae85642820768158860 Author: James Lee <egypt@metasploit.com> Date: Wed Mar 28 15:35:16 2012 -0600 Put next_exploit on the window object so it's always in scope Solves some issues with Chrome not running more than one exploit commit 7fc2ca1a0690c7a973307772aed42ab3514e1761 Merge: 325d306 e48c47e Author: James Lee <egypt@metasploit.com> Date: Wed Mar 28 15:10:54 2012 -0600 Merge branch 'master' into bap-refactor commit 325d3060599bc79674e93dd5f55a4e60061e9bdb Author: James Lee <egypt@metasploit.com> Date: Tue Mar 27 14:31:53 2012 -0600 Pull common stuff up out of the body commit 4f2b3260bf7f14f4d763625792adb0c3cfd1ed7c Author: James Lee <egypt@metasploit.com> Date: Tue Mar 27 11:04:03 2012 -0600 Fix indentation level commit 9b905c53b4d46beb86da8168a1c2c5b2da340f6d Author: James Lee <egypt@metasploit.com> Date: Tue Mar 27 11:02:42 2012 -0600 Abstract out copy-pasted methods Need to do the same thing for OSX, but it's a different implementation.
2012-05-15 17:00:02 -06:00
if (allocd_entries < tlv_cnt+2) {
entries = realloc(entries, sizeof(Tlv) * (tlv_cnt+2));
allocd_entries += 2;
}
if (ifaces->ifaces[i].addr_list[j].family == AF_INET) {
dprintf("ip addr for %s", ifaces->ifaces[i].name);
entries[tlv_cnt].header.length = sizeof(__u32);
entries[tlv_cnt].header.type = TLV_TYPE_IP;
entries[tlv_cnt].buffer = (PUCHAR)&ifaces->ifaces[i].addr_list[j].ip.addr;
tlv_cnt++;
//dprintf("netmask for %s", ifaces->ifaces[i].name);
entries[tlv_cnt].header.length = sizeof(__u32);
entries[tlv_cnt].header.type = TLV_TYPE_NETMASK;
entries[tlv_cnt].buffer = (PUCHAR)&ifaces->ifaces[i].addr_list[j].nm.netmask;
tlv_cnt++;
} else {
dprintf("-- ip six addr for %s", ifaces->ifaces[i].name);
entries[tlv_cnt].header.length = sizeof(__u128);
entries[tlv_cnt].header.type = TLV_TYPE_IP;
entries[tlv_cnt].buffer = (PUCHAR)&ifaces->ifaces[i].addr_list[j].ip.addr6;
tlv_cnt++;
//dprintf("netmask6 for %s", ifaces->ifaces[i].name);
entries[tlv_cnt].header.length = sizeof(__u128);
entries[tlv_cnt].header.type = TLV_TYPE_NETMASK;
entries[tlv_cnt].buffer = (PUCHAR)&ifaces->ifaces[i].addr_list[j].nm.netmask6;
tlv_cnt++;
}
}
dprintf("Adding TLV to group");
packet_add_tlv_group(response, TLV_TYPE_NETWORK_INTERFACE, entries, tlv_cnt);
dprintf("done Adding TLV to group");
}
}
2012-02-02 00:11:52 -07:00
if (ifaces)
free(ifaces);
if (entries)
free(entries);
2012-03-11 22:08:44 -06:00
return result;
}
#endif
/*
* Returns zero or more local interfaces to the requestor
*/
DWORD request_net_config_get_interfaces(Remote *remote, Packet *packet)
{
Packet *response = packet_create_response(packet);
DWORD result = ERROR_SUCCESS;
#ifdef _WIN32
result = get_interfaces_windows(remote, response);
#else
result = get_interfaces_linux(remote, response);
#endif
// Transmit the response if valid
packet_transmit_response(result, remote, response);
return result;
}