Implement transport removal

c/meterpreter/source/common/arch/win/i386/base_dispatch.c

@@ -293,6 +293,54 @@ BOOL remote_request_core_transport_prev(Remote* remote, Packet* packet, DWORD* r
 	return *result == ERROR_SUCCESS ? FALSE : TRUE;
 }
 
+DWORD remote_request_core_transport_remove(Remote* remote, Packet* packet)
+{
+	DWORD result = ERROR_SUCCESS;
+
+	// make sure we are not trying to remove the last transport
+	if (remote->transport == remote->transport->prev_transport)
+	{
+		dprintf("[DISPATCH] Refusing to delete the last transport");
+		result = ERROR_INVALID_FUNCTION;
+	}
+	else
+	{
+		Transport* found = NULL;
+		Transport* transport = remote->transport;
+		wchar_t* transportUrl = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_URL);
+
+		do
+		{
+			if (wcscmp(transportUrl, transport->url) == 0)
+			{
+				found = transport;
+				break;
+			}
+
+			transport = transport->next_transport;
+		} while (transport != remote->transport);
+
+		if (found == NULL || found == remote->transport)
+		{
+			dprintf("[DISPATCH] Transport not found, or attempting to remove current");
+			// if we don't have a valid transport, or they're trying to remove the
+			// existing one, then bomb out (that might come later)
+			result = ERROR_INVALID_PARAMETER;
+		}
+		else
+		{
+			remote->trans_remove(remote, found);
+			dprintf("[DISPATCH] Transport removed");
+		}
+
+		SAFE_FREE(transportUrl);
+	}
+
+	packet_transmit_empty_response(remote, packet, result);
+	dprintf("[DISPATCH] Response sent.");
+	return result;
+}
+
 DWORD remote_request_core_transport_add(Remote* remote, Packet* packet)
 {
 	Transport* transport = NULL;

c/meterpreter/source/common/base.c

@@ -35,6 +35,7 @@ extern BOOL remote_request_core_transport_change(Remote* remote, Packet* packet,
 extern BOOL remote_request_core_transport_next(Remote* remote, Packet* packet, DWORD* result);
 extern BOOL remote_request_core_transport_prev(Remote* remote, Packet* packet, DWORD* result);
 extern DWORD remote_request_core_transport_add(Remote* remote, Packet* packet);
+extern DWORD remote_request_core_transport_remove(Remote* remote, Packet* packet);
 
 extern BOOL remote_request_core_migrate(Remote *remote, Packet *packet, DWORD* pResult);
 
@@ -99,6 +100,7 @@ Command baseCommands[] =
 	COMMAND_INLINE_REQ("core_transport_next", remote_request_core_transport_next),
 	COMMAND_INLINE_REQ("core_transport_prev", remote_request_core_transport_prev),
 	COMMAND_REQ("core_transport_add", remote_request_core_transport_add),
+	COMMAND_REQ("core_transport_remove", remote_request_core_transport_remove),
 	// Migration
 	COMMAND_INLINE_REQ("core_migrate", remote_request_core_migrate),
 	// Shutdown

c/meterpreter/source/common/remote.h

@@ -33,6 +33,7 @@ typedef BOOL(*PTransportInit)(Transport* transport);
 typedef BOOL(*PTransportDeinit)(Transport* transport);
 typedef void(*PTransportDestroy)(Transport* transport);
 typedef Transport*(*PTransportCreate)(Remote* remote, MetsrvTransportCommon* config, LPDWORD size);
+typedef void(*PTransportRemove)(Remote* remote, Transport* oldTransport);
 typedef void(*PConfigCreate)(Remote* remote, MetsrvConfig** config, LPDWORD size);
 
 typedef BOOL(*PServerDispatch)(Remote* remote, THREAD* dispatchThread);
@@ -135,6 +136,7 @@ typedef struct _Remote
 #endif
 
 	PTransportCreate trans_create;        ///! Helper to create transports from configuration.
+	PTransportRemove trans_remove;        ///! Helper to remove transports from the current session.
 
 	int sess_expiry_time;                 ///! Number of seconds that the session runs for.
 	int sess_expiry_end;                  ///! Unix timestamp for when the server should shut down.

c/meterpreter/source/server/server_setup_win.c

@@ -158,7 +158,7 @@ static void append_transport(Transport** list, Transport* newTransport)
 static void remove_transport(Remote* remote, Transport* oldTransport)
 {
 	// if we point to ourself, then we're the last one
-	if (remote->transport->next_transport == oldTransport)
+	if (remote->transport->next_transport == remote->transport)
 	{
 		remote->transport = NULL;
 	}
@@ -347,6 +347,8 @@ DWORD server_setup(MetsrvConfig* config)
 
 			// Set up the transport creation function pointer
 			remote->trans_create = create_transport;
+			// Set up the transport removal function pointer
+			remote->trans_remove = remove_transport;
 			// and the config creation pointer
 			remote->config_create = config_create;