Land #88, Fix Python <-> Meterp bindings (xor key issue + TLV issue in getsystem)

c/meterpreter/source/extensions/python/Lib/meterpreter/core.py

@@ -212,7 +212,8 @@ def invoke_meterpreter(method, is_local, tlv = ""):
   header = struct.pack('>I', PACKET_TYPE_REQUEST)
   header += tlv_pack(TLV_TYPE_METHOD, method)
   header += tlv_pack(TLV_TYPE_REQUEST_ID, 0)
-  req = struct.pack('>I', len(header) + len(tlv) + 4) + header + tlv
+  # add a leading 4-byte "zero" for the xor-key
+  req = struct.pack('>I>I', 0, len(header) + len(tlv) + 4) + header + tlv
 
   return getattr(meterpreter_bindings, binding)(is_local, req)
 

c/meterpreter/source/extensions/python/Lib/meterpreter/elevate.py

@@ -6,7 +6,7 @@ from meterpreter.tlv import *
 # We only support technique 1 (as it's the only one that doesn't require DLLs)
 def getsystem():
   tlv = tlv_pack(TLV_TYPE_ELEVATE_TECHNIQUE, 1)
-  tlv = tlv_pack(TLV_TYPE_ELEVATE_SERVICE_NAME, rnd_string(5))
+  tlv += tlv_pack(TLV_TYPE_ELEVATE_SERVICE_NAME, rnd_string(5))
   resp = invoke_meterpreter('priv_elevate_getsystem', True, tlv)
   if resp == None:
     return False
@@ -26,7 +26,6 @@ def steal_token(pid):
   if resp == None:
     return False
 
-  print packet_get_tlv(resp, TLV_TYPE_RESULT)['value']
   return packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] == 0
 
 def drop_token():
@@ -34,6 +33,5 @@ def drop_token():
   if resp == None:
     return False
 
-  print packet_get_tlv(resp, TLV_TYPE_RESULT)['value']
   return packet_get_tlv(resp, TLV_TYPE_RESULT)['value'] == 0