mirror of
https://github.com/rapid7/metasploit-payloads
synced 2024-11-26 17:41:08 +01:00
Add support for listing of loaded drivers
This commit is contained in:
OJ
parent
e371e1cf48
commit
2b9aac9c45
1
c/meterpreter/source/extensions/stdapi/server/stdapi.c
Normal file → Executable file
1
c/meterpreter/source/extensions/stdapi/server/stdapi.c
Normal file → Executable file
@ -115,6 +115,7 @@ Command customCommands[] =
|
||||
COMMAND_REQ("stdapi_sys_config_getprivs", request_sys_config_getprivs),
|
||||
COMMAND_REQ("stdapi_sys_config_getenv", request_sys_config_getenv),
|
||||
#ifdef _WIN32
|
||||
COMMAND_REQ("stdapi_sys_config_driver_list", request_sys_config_driver_list),
|
||||
COMMAND_REQ("stdapi_sys_config_steal_token", request_sys_config_steal_token),
|
||||
COMMAND_REQ("stdapi_sys_config_drop_token", request_sys_config_drop_token),
|
||||
COMMAND_REQ("stdapi_sys_config_getsid", request_sys_config_getsid),
|
||||
|
||||
86
c/meterpreter/source/extensions/stdapi/server/sys/config/config.c
Normal file → Executable file
86
c/meterpreter/source/extensions/stdapi/server/sys/config/config.c
Normal file → Executable file
@ -3,6 +3,7 @@
|
||||
#ifdef _WIN32
|
||||
#include <Sddl.h>
|
||||
#include <Lm.h>
|
||||
#include <psapi.h>
|
||||
|
||||
typedef NTSTATUS(WINAPI *PRtlGetVersion)(LPOSVERSIONINFOEXW);
|
||||
|
||||
@ -783,3 +784,88 @@ DWORD request_sys_config_rev2self(Remote *remote, Packet *packet)
|
||||
|
||||
return dwResult;
|
||||
}
|
||||
|
||||
/*!
|
||||
* @brief Handle the driver list function call.
|
||||
*/
|
||||
DWORD request_sys_config_driver_list(Remote *remote, Packet *packet)
|
||||
{
|
||||
Packet* response = packet_create_response(packet);
|
||||
DWORD result = ERROR_SUCCESS;
|
||||
|
||||
#ifdef _WIN32
|
||||
LPVOID ignored = NULL;
|
||||
DWORD sizeNeeded = 0;
|
||||
|
||||
// start by getting the size required to store the driver list
|
||||
EnumDeviceDrivers(&ignored, sizeof(ignored), &sizeNeeded);
|
||||
|
||||
if (sizeNeeded > 0)
|
||||
{
|
||||
dprintf("[CONFIG] Size required for driver list: %u 0x%x", sizeNeeded, sizeNeeded);
|
||||
|
||||
LPVOID* driverList = (LPVOID*)malloc(sizeNeeded);
|
||||
if (driverList)
|
||||
{
|
||||
if (EnumDeviceDrivers(driverList, sizeNeeded, &sizeNeeded))
|
||||
{
|
||||
CHAR baseName[MAX_PATH];
|
||||
CHAR fileName[MAX_PATH];
|
||||
DWORD driverCount = sizeNeeded / sizeof(LPVOID);
|
||||
dprintf("[CONFIG] Total driver handles: %u", driverCount);
|
||||
|
||||
for (DWORD i = 0; i < driverCount; ++i)
|
||||
{
|
||||
BOOL valid = TRUE;
|
||||
|
||||
if (!GetDeviceDriverBaseNameA(driverList[i], baseName, MAX_PATH))
|
||||
{
|
||||
dprintf("[CONFIG] %d Driver base name read failed: %u 0x%x", i, GetLastError(), GetLastError());
|
||||
// null terminate the string at the start, indicating that it's invalid
|
||||
baseName[0] = '\x00';
|
||||
}
|
||||
else
|
||||
{
|
||||
dprintf("[CONFIG] %d Driver basename: %s", i, baseName);
|
||||
}
|
||||
|
||||
if (!GetDeviceDriverFileNameA(driverList[i], fileName, MAX_PATH))
|
||||
{
|
||||
dprintf("[CONFIG] %d Driver file name read failed: %u 0x%x", i, GetLastError(), GetLastError());
|
||||
|
||||
// null terminate the string at the start, indicating that it's invalid
|
||||
fileName[0] = '\x00';
|
||||
|
||||
// we'll mark the entry as invalid if both calls failed.
|
||||
valid = baseName[0] != '\x00';
|
||||
}
|
||||
else
|
||||
{
|
||||
dprintf("[CONFIG] %d Driver filename: %s", i, fileName);
|
||||
}
|
||||
|
||||
if (valid)
|
||||
{
|
||||
Packet* entry = packet_create_group();
|
||||
packet_add_tlv_string(entry, TLV_TYPE_DRIVER_BASENAME, baseName);
|
||||
packet_add_tlv_string(entry, TLV_TYPE_DRIVER_FILENAME, fileName);
|
||||
packet_add_group(response, TLV_TYPE_DRIVER_ENTRY, entry);
|
||||
}
|
||||
}
|
||||
}
|
||||
|
||||
free(driverList);
|
||||
}
|
||||
else
|
||||
{
|
||||
result = ERROR_OUTOFMEMORY;
|
||||
}
|
||||
}
|
||||
#else
|
||||
result = ERROR_NOT_SUPPORTED;
|
||||
#endif
|
||||
|
||||
packet_transmit_response(result, remote, response);
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
2
c/meterpreter/source/extensions/stdapi/server/sys/config/config.h
Normal file → Executable file
2
c/meterpreter/source/extensions/stdapi/server/sys/config/config.h
Normal file → Executable file
@ -9,4 +9,6 @@ DWORD request_sys_config_rev2self(Remote *remote, Packet *packet);
|
||||
DWORD request_sys_config_getprivs(Remote *remote, Packet *packet);
|
||||
DWORD request_sys_config_steal_token(Remote *remote, Packet *packet);
|
||||
DWORD request_sys_config_drop_token(Remote *remote, Packet *packet);
|
||||
DWORD request_sys_config_driver_list(Remote *remote, Packet *packet);
|
||||
|
||||
#endif
|
||||
|
||||
0
c/meterpreter/source/extensions/stdapi/server/sys/sys.h
Normal file → Executable file
0
c/meterpreter/source/extensions/stdapi/server/sys/sys.h
Normal file → Executable file
5
c/meterpreter/source/extensions/stdapi/stdapi.h
Normal file → Executable file
5
c/meterpreter/source/extensions/stdapi/stdapi.h
Normal file → Executable file
@ -69,6 +69,11 @@
|
||||
#define TLV_TYPE_PARENT_PID MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 2307 )
|
||||
#define TLV_TYPE_PROCESS_SESSION MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 2308 )
|
||||
|
||||
// Driver enum stuff
|
||||
#define TLV_TYPE_DRIVER_ENTRY MAKE_CUSTOM_TLV( TLV_META_TYPE_GROUP, TLV_TYPE_EXTENSION_STDAPI, 2320 )
|
||||
#define TLV_TYPE_DRIVER_BASENAME MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 2321 )
|
||||
#define TLV_TYPE_DRIVER_FILENAME MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 2322 )
|
||||
|
||||
#define TLV_TYPE_IMAGE_FILE MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 2400 )
|
||||
#define TLV_TYPE_IMAGE_FILE_PATH MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 2401 )
|
||||
#define TLV_TYPE_PROCEDURE_NAME MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 2402 )
|
||||
|
||||
@ -115,7 +115,7 @@
|
||||
<Culture>0x0409</Culture>
|
||||
</ResourceCompile>
|
||||
<Link>
|
||||
<AdditionalDependencies>winmm.lib;backcompat.lib;iphlpapi.lib;shlwapi.lib;ws2_32.lib;odbc32.lib;odbccp32.lib;metsrv.lib;jpeg.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalDependencies>psapi.lib;winmm.lib;backcompat.lib;iphlpapi.lib;shlwapi.lib;ws2_32.lib;odbc32.lib;odbccp32.lib;metsrv.lib;jpeg.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||
<AdditionalLibraryDirectories>..\backcompat\$(Configuration);..\metsrv\$(Configuration)\$(Platform);..\..\deps\openssl\lib\win;..\..\source\jpeg-8\lib\win\x86;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
<DelayLoadDLLs>metsrv.dll;%(DelayLoadDLLs)</DelayLoadDLLs>
|
||||
@ -177,7 +177,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
|
||||
<Culture>0x0409</Culture>
|
||||
</ResourceCompile>
|
||||
<Link>
|
||||
<AdditionalDependencies>winmm.lib;backcompat.lib;iphlpapi.lib;shlwapi.lib;ws2_32.lib;odbc32.lib;odbccp32.lib;metsrv.lib;jpeg.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalDependencies>psapi.lib;winmm.lib;backcompat.lib;iphlpapi.lib;shlwapi.lib;ws2_32.lib;odbc32.lib;odbccp32.lib;metsrv.lib;jpeg.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||
<AdditionalLibraryDirectories>..\backcompat\$(Configuration);..\metsrv\$(Configuration)\$(Platform);..\..\deps\openssl\lib\win;..\..\source\jpeg-8\lib\win\x86;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
<DelayLoadDLLs>metsrv.dll;%(DelayLoadDLLs)</DelayLoadDLLs>
|
||||
@ -238,7 +238,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
|
||||
<Culture>0x0409</Culture>
|
||||
</ResourceCompile>
|
||||
<Link>
|
||||
<AdditionalDependencies>winmm.lib;iphlpapi.lib;shlwapi.lib;ws2_32.lib;odbc32.lib;odbccp32.lib;metsrv.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalDependencies>psapi.lib;winmm.lib;iphlpapi.lib;shlwapi.lib;ws2_32.lib;odbc32.lib;odbccp32.lib;metsrv.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||
<AdditionalLibraryDirectories>..\..\source\jpeg-8\lib\win\x64;..\metsrv\$(Configuration)\$(Platform);..\..\deps\openssl\lib\win\x64;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
<DelayLoadDLLs>metsrv.dll;%(DelayLoadDLLs)</DelayLoadDLLs>
|
||||
@ -299,7 +299,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
|
||||
<Culture>0x0409</Culture>
|
||||
</ResourceCompile>
|
||||
<Link>
|
||||
<AdditionalDependencies>winmm.lib;iphlpapi.lib;shlwapi.lib;ws2_32.lib;odbc32.lib;odbccp32.lib;metsrv.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<AdditionalDependencies>psapi.lib;winmm.lib;iphlpapi.lib;shlwapi.lib;ws2_32.lib;odbc32.lib;odbccp32.lib;metsrv.lib;ssleay32.lib;libeay32.lib;%(AdditionalDependencies)</AdditionalDependencies>
|
||||
<SuppressStartupBanner>true</SuppressStartupBanner>
|
||||
<AdditionalLibraryDirectories>..\..\source\jpeg-8\lib\win\x64;..\metsrv\$(Configuration)\$(Platform);..\..\deps\openssl\lib\win\x64;%(AdditionalLibraryDirectories)</AdditionalLibraryDirectories>
|
||||
<DelayLoadDLLs>metsrv.dll;%(DelayLoadDLLs)</DelayLoadDLLs>
|
||||
|
||||
Loading…
Reference in New Issue
Block a user