Resolve PR #31 conflict

Conflicts: .gitignore
2025-03-30 22:19:17 +02:00 · 2013-10-16 09:39:47 -05:00 · 2013-10-16 09:39:47 -05:00 · 1fc10a8664
commit 1fc10a8664
parent 4b0a6a5102 864917b32d
2 changed files with 16 additions and 12 deletions
--- a/c/meterpreter/source/extensions/priv/server/elevate/kitrap0d.c
+++ b/c/meterpreter/source/extensions/priv/server/elevate/kitrap0d.c
@ -192,7 +192,7 @@ BOOL kitrap0d_spawn_ntvdm( char * cpProgram, HANDLE * hProcess )
 /*
 * Find a suitable exe to host the exploit in.
 */
-BOOL elevate_via_exploit_getpath( char cpOutput[MAX_PATH], DWORD dwOutputLength )
+BOOL elevate_via_exploit_getpath( char *cpOutput, DWORD dwOutputSize )
 {
 	DWORD dwResult         = ERROR_SUCCESS;
 	char cWinDir[MAX_PATH] = {0};
@ -213,17 +213,19 @@ BOOL elevate_via_exploit_getpath( char cpOutput[MAX_PATH], DWORD dwOutputLength
 			if( !cpFileName )
 				break;

-			if( cWinDir[ strlen(cWinDir) - 1 ] == '\\' )
-				_snprintf_s( cpOutput, sizeof(cpOutput), dwOutputLength, "%s%s", cWinDir, cpFileName );
-			else
-				_snprintf_s( cpOutput, sizeof(cpOutput), dwOutputLength, "%s\\%s", cWinDir, cpFileName );
+			if ( _snprintf_s( cpOutput, dwOutputSize, dwOutputSize - 1, "%s%s%s", cWinDir,
+				 cWinDir[ strlen(cWinDir) - 1 ] == '\\' ? "" : "\\", cpFileName ) == -1 )
+			{
+				dprintf( "[KITRAP0D] elevate_via_exploit_getpath. Path truncation: %s", cpOutput );
+				break;
+			}

 			dprintf( "[KITRAP0D] elevate_via_exploit_getpath. Trying: %s", cpOutput );

 			if( GetFileAttributes( cpOutput ) != INVALID_FILE_ATTRIBUTES )
 				return TRUE;

-			memset( cpOutput, 0, dwOutputLength );
+			memset( cpOutput, 0, dwOutputSize );

 			dwIndex++;
 		}
@ -266,7 +268,7 @@ DWORD elevate_via_exploit_kitrap0d( Remote * remote, Packet * packet )
 			BREAK_WITH_ERROR( "[KITRAP0D] elevate_via_exploit_kitrap0d. invalid arguments", ERROR_BAD_ARGUMENTS );

 		// 1. first get a file path to a suitable exe...
-		if( !elevate_via_exploit_getpath( (char *)&cVdmPath, MAX_PATH ) )
+		if( !elevate_via_exploit_getpath( cVdmPath, MAX_PATH ) )
 			BREAK_WITH_ERROR( "[KITRAP0D] elevate_via_exploit_kitrap0d. elevate_via_exploit_getpath failed", ERROR_FILE_NOT_FOUND );

 		// 2. Scan kernel image for the required code sequence, and find the base address...
--- a/c/meterpreter/source/extensions/stdapi/server/net/config/interface.c
+++ b/c/meterpreter/source/extensions/stdapi/server/net/config/interface.c
@ -182,10 +182,11 @@ DWORD get_interfaces_windows(Remote *remote, Packet *response) {
 			entries[tlv_cnt].buffer        = (PUCHAR)&mtu_bigendian;
 			tlv_cnt++;

-			if (pCurr->Length > 68) {
-				// Then this is a Longhorn struct version and it contains the
-				// FirstPrefix member, save it for later in case we don't have
-				// an OnLinkPrefixLength
+			// According to http://msdn.microsoft.com/en-us/library/windows/desktop/aa366058(v=vs.85).aspx
+			// the PIP_ADAPTER_PREFIX doesn't exist prior to XP SP1. We check for this via the `Length`
+			// value, which is 72 in XP without an SP, but 144 in later versions.
+			if (pCurr->Length > 72) {
+				// Save the first prefix for later in case we don't have an OnLinkPrefixLength
 				pPrefix = pCurr->FirstPrefix;
 			}

@ -210,7 +211,8 @@ DWORD get_interfaces_windows(Remote *remote, Packet *response) {
 					// will be populated
 					prefixes[prefixes_cnt] = htonl(pAddr->OnLinkPrefixLength);
 				}
-				if (pPrefix && 0 == prefixes[prefixes_cnt]) {
+
+				if (pPrefix && 0 == prefixes[prefixes_cnt] ) {
 					// Otherwise, we have to walk the FirstPrefix linked list
 					prefixes[prefixes_cnt] = htonl(pPrefix->PrefixLength);
 					pPrefix = pPrefix->Next;