Adjust TLV types and fix up code to deal with new raw api

2024-11-26 17:41:08 +01:00 · 2020-05-06 11:12:24 +10:00 · 2020-05-06 11:12:24 +10:00 · 30f232a7fd
commit 30f232a7fd
parent 5fc2117325
11 changed files with 20 additions and 22 deletions
--- a/c/meterpreter/source/common/common_core.h
+++ b/c/meterpreter/source/common/common_core.h
@ -135,13 +135,13 @@ typedef enum
 	TLV_TYPE_LIBRARY_PATH        = TLV_VALUE(TLV_META_TYPE_STRING,    400),   ///! Represents a path to the library to be loaded (string).
 	TLV_TYPE_TARGET_PATH         = TLV_VALUE(TLV_META_TYPE_STRING,    401),   ///! Represents a target path (string).
 	TLV_TYPE_MIGRATE_PID         = TLV_VALUE(TLV_META_TYPE_UINT,      402),   ///! Represents a process identifier of the migration target (unsigned integer).
-	TLV_TYPE_MIGRATE_PAYLOAD     = TLV_VALUE(TLV_META_TYPE_STRING,    404),   ///! Represents a migration payload (string).
+	TLV_TYPE_MIGRATE_PAYLOAD     = TLV_VALUE(TLV_META_TYPE_RAW,       404),   ///! Represents a migration payload (raw).
 	TLV_TYPE_MIGRATE_ARCH        = TLV_VALUE(TLV_META_TYPE_UINT,      405),   ///! Represents a migration target architecture.
 	TLV_TYPE_MIGRATE_TECHNIQUE   = TLV_VALUE(TLV_META_TYPE_UINT,      406),   ///! Represents a migration technique (unsigned int).
 	TLV_TYPE_MIGRATE_BASE_ADDR   = TLV_VALUE(TLV_META_TYPE_UINT,      407),   ///! Represents a migration payload base address (unsigned int).
 	TLV_TYPE_MIGRATE_ENTRY_POINT = TLV_VALUE(TLV_META_TYPE_UINT,      408),   ///! Represents a migration payload entry point (unsigned int).
 	TLV_TYPE_MIGRATE_SOCKET_PATH = TLV_VALUE(TLV_META_TYPE_STRING,    409),   ///! Represents a unix domain socket path, used to migrate on linux (string)
-	TLV_TYPE_MIGRATE_STUB        = TLV_VALUE(TLV_META_TYPE_STRING,    411),   ///! Represents a migration stub (string).
+	TLV_TYPE_MIGRATE_STUB        = TLV_VALUE(TLV_META_TYPE_RAW,       411),   ///! Represents a migration stub (raw).

 	// Transport switching
 	TLV_TYPE_TRANS_TYPE          = TLV_VALUE(TLV_META_TYPE_UINT,      430),   ///! Represents the type of transport to switch to.
--- a/c/meterpreter/source/common/common_metapi.h
+++ b/c/meterpreter/source/common/common_metapi.h
@ -92,7 +92,7 @@ typedef struct _SchedulerApi
 typedef struct _PacketApi
 {
 	BOOL(*get_tlv_value_bool)(Packet* packet, TlvType type);
-	BYTE*(*get_tlv_value_raw)(Packet* packet, TlvType type, UINT* length);
+	BYTE*(*get_tlv_value_raw)(Packet* packet, TlvType type, DWORD* length);
 	DWORD(*add_completion_handler)(LPCSTR requestId, PacketRequestCompletion* completion);
 	DWORD(*add_exception)(Packet* packet, DWORD code, PCHAR fmt, ...);
 	DWORD(*add_group)(Packet* packet, TlvType type, Packet* groupPacket);
--- a/c/meterpreter/source/extensions/peinjector/peinjector_bridge.c
+++ b/c/meterpreter/source/extensions/peinjector/peinjector_bridge.c
@ -51,7 +51,7 @@ DWORD request_peinjector_inject_shellcode(Remote *remote, Packet *packet)

 	if (response)
 	{
-		UINT size = 0;
+		DWORD size = 0;
 		BYTE* shellcode = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_PEINJECTOR_SHELLCODE, &size);
 		BOOL is_x64 = met_api->packet.get_tlv_value_bool(packet, TLV_TYPE_PEINJECTOR_SHELLCODE_ISX64);

--- a/c/meterpreter/source/extensions/python/python_commands.c
+++ b/c/meterpreter/source/extensions/python/python_commands.c
@ -484,7 +484,7 @@ DWORD request_python_execute(Remote* remote, Packet* packet)
 {
 	DWORD dwResult = ERROR_SUCCESS;
 	Packet* response = met_api->packet.create_response(packet);
-	UINT codeSize = 0;
+	DWORD codeSize = 0;
 	LPBYTE pythonCode = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_EXTENSION_PYTHON_CODE, &codeSize);

 	PyObject* mainModule = PyImport_AddModule("__main__");
--- a/c/meterpreter/source/metsrv/base_dispatch.c
+++ b/c/meterpreter/source/metsrv/base_dispatch.c
@ -86,7 +86,7 @@ DWORD create_transport_from_request(Remote* remote, Packet* packet, Transport**
 			wchar_t* proxy = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_HOST);
 			wchar_t* proxyUser = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_USER);
 			wchar_t* proxyPass = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_PASS);
-			UINT certHashLen = 0;
+			DWORD certHashLen = 0;
 			PBYTE certHash = packet_get_tlv_value_raw(packet, TLV_TYPE_TRANS_CERT_HASH, &certHashLen);
 			wchar_t* headers = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_HEADERS);

@ -401,7 +401,7 @@ DWORD remote_request_core_transport_setcerthash(Remote* remote, Packet* packet)
 			break;
 		}

-		UINT certHashLen = 0;
+		DWORD certHashLen = 0;
 		unsigned char* certHash = packet_get_tlv_value_raw(packet, TLV_TYPE_TRANS_CERT_HASH, &certHashLen);
 		HttpTransportContext* ctx = (HttpTransportContext*)remote->transport->ctx;

@ -542,20 +542,18 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
 		// Get the target process architecture to inject into
 		dwDestinationArch = packet_get_tlv_value_uint(packet, TLV_TYPE_MIGRATE_ARCH);

-		// Get the length of the payload buffer
-		dwPayloadLength = packet_get_tlv_value_uint(packet, TLV_TYPE_MIGRATE_PAYLOAD_LEN);
-
 		// Receive the actual migration payload buffer
-		lpPayloadBuffer = packet_get_tlv_value_string(packet, TLV_TYPE_MIGRATE_PAYLOAD);
+		lpPayloadBuffer = packet_get_tlv_value_raw(packet, TLV_TYPE_MIGRATE_PAYLOAD, &dwPayloadLength);

 		// Get handles to the updated UUIDs if they're there
-		UINT uuidLen = 0;
+		DWORD uuidLen = 0;
 		lpUuid = packet_get_tlv_value_raw(packet, TLV_TYPE_UUID, &uuidLen);

 		// Get the migrate stub information
-		lpMigrateStub = packet_get_tlv_value_raw(packet, TLV_TYPE_MIGRATE_STUB, dwMigrateStubLength);
+		lpMigrateStub = packet_get_tlv_value_raw(packet, TLV_TYPE_MIGRATE_STUB, &dwMigrateStubLength);

-		dprintf("[MIGRATE] Attempting to migrate. ProcessID=%d, Arch=%s, PayloadLength=%d", dwProcessID, (dwDestinationArch == 2 ? "x64" : "x86"), dwPayloadLength);
+		dprintf("[MIGRATE] Attempting to migrate. ProcessID=%d, Arch=%s", dwProcessID, dwDestinationArch == 2 ? "x64" : "x86");
+		dprintf("[MIGRATE] Attempting to migrate. PayloadLength=%d StubLength=%d", dwPayloadLength, dwMigrateStubLength);

 		// If we can, get SeDebugPrivilege...
 		if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
--- a/c/meterpreter/source/metsrv/core.c
+++ b/c/meterpreter/source/metsrv/core.c
@ -856,7 +856,7 @@ BYTE * packet_get_tlv_value_raw(Packet * packet, TlvType type, DWORD* length)
 		return NULL;
 	}

-	*length = tlv->header.length;
+	*length = tlv.header.length;
 	return tlv.buffer;
 }

--- a/c/meterpreter/source/metsrv/core.h
+++ b/c/meterpreter/source/metsrv/core.h
@ -41,7 +41,7 @@ DWORD packet_enum_tlv(Packet *packet, DWORD index, TlvType type, Tlv *tlv);
 PCHAR packet_get_tlv_value_string(Packet *packet, TlvType type);
 wchar_t* packet_get_tlv_value_wstring(Packet* packet, TlvType type);
 UINT packet_get_tlv_value_uint(Packet *packet, TlvType type);
-BYTE * packet_get_tlv_value_raw(Packet * packet, TlvType type, DWORD* length)
+BYTE* packet_get_tlv_value_raw(Packet* packet, TlvType type, DWORD* length);
 QWORD packet_get_tlv_value_qword(Packet *packet, TlvType type);
 BOOL packet_get_tlv_value_bool(Packet *packet, TlvType type);

--- a/c/meterpreter/source/metsrv/packet_encryption.c
+++ b/c/meterpreter/source/metsrv/packet_encryption.c
@ -526,8 +526,8 @@ DWORD request_negotiate_aes_key(Remote* remote, Packet* packet)
 		}

 		// now we need to encrypt this key data using the public key given
-		UINT pubKeyDerLen = 0;
-		BYTE* pubKeyDer = packet_get_tlv_value_raw_len(packet, TLV_TYPE_RSA_PUB_KEY, &pubKeyDerLen);
+		DWORD pubKeyDerLen = 0;
+		BYTE* pubKeyDer = packet_get_tlv_value_raw(packet, TLV_TYPE_RSA_PUB_KEY, &pubKeyDerLen);
 		unsigned char* cipherText = NULL;
 		DWORD cipherTextLength = 0;
 		DWORD pubEncryptResult = public_key_encrypt(pubKeyDer, pubKeyDerLen, remote->enc_ctx->key_data.key, remote->enc_ctx->key_data.length, &cipherText, &cipherTextLength);
--- a/c/meterpreter/source/metsrv/remote_dispatch.c
+++ b/c/meterpreter/source/metsrv/remote_dispatch.c
@ -407,7 +407,7 @@ DWORD request_core_loadlib(Remote *remote, Packet *packet)
 DWORD request_core_set_uuid(Remote* remote, Packet* packet)
 {
 	Packet* response = packet_create_response(packet);
-  UINT newUuidLen = 0;
+	DWORD newUuidLen = 0;
 	PBYTE newUuid = packet_get_tlv_value_raw(packet, TLV_TYPE_UUID, &newUuidLen);

 	if (newUuid != NULL)
@ -449,7 +449,7 @@ DWORD request_core_get_session_guid(Remote* remote, Packet* packet)
 DWORD request_core_set_session_guid(Remote* remote, Packet* packet)
 {
 	DWORD result = ERROR_SUCCESS;
-	UINT sessionGuidLen = 0;
+	DWORD sessionGuidLen = 0;
 	LPBYTE sessionGuid = packet_get_tlv_value_raw(packet, TLV_TYPE_SESSION_GUID, &sessionGuidLen);

 	if (sessionGuid != NULL)
--- a/c/meterpreter/source/metsrv/server_pivot.c
+++ b/c/meterpreter/source/metsrv/server_pivot.c
@ -25,7 +25,7 @@ DWORD request_core_pivot_add(Remote* remote, Packet* packet)
 DWORD request_core_pivot_remove(Remote* remote, Packet* packet)
 {
 	DWORD result = ERROR_NOT_FOUND;
-	UINT pivotIdLen = 0;
+	DWORD pivotIdLen = 0;
 	LPBYTE pivotId = packet_get_tlv_value_raw(packet, TLV_TYPE_PIVOT_ID, &pivotIdLen);

 	if (pivotId != NULL)
--- a/c/meterpreter/source/metsrv/server_pivot_named_pipe.c
+++ b/c/meterpreter/source/metsrv/server_pivot_named_pipe.c
@ -162,7 +162,7 @@ static DWORD read_pipe_to_packet(NamedPipeContext* ctx, LPBYTE source, DWORD sou
 				{
 					dprintf("[PIPE] Request ID found and matches expected value");
 					// we have a response to our session guid request
-					UINT sessionGuidLen = 0;
+					DWORD sessionGuidLen = 0;
 					LPBYTE sessionGuid = packet_get_tlv_value_raw(packet, TLV_TYPE_SESSION_GUID, 0);
 #ifdef DEBUGTRACE
 					PUCHAR h = (PUCHAR)&sessionGuid[0];