mirror of
https://github.com/rapid7/metasploit-payloads
synced 2024-12-21 05:35:54 +01:00
commit some fixes from philip, see #2418
git-svn-id: file:///home/svn/framework3/trunk@10272 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
parent
600afb35e5
commit
466153da06
@ -294,11 +294,11 @@ scheduler_run(THREAD *thread)
|
||||
|
||||
LIST_REMOVE(current, link);
|
||||
close(current->waitable);
|
||||
channel_close((Channel *)current->context, remote, NULL, 0, NULL);
|
||||
free(current);
|
||||
|
||||
nentries--;
|
||||
|
||||
// how do we notify remote that we have closed fd?
|
||||
// it just hangs atm :~(
|
||||
}
|
||||
}
|
||||
}
|
||||
|
@ -17,6 +17,9 @@
|
||||
#include <sys/select.h>
|
||||
#include <sys/endian.h>
|
||||
#include <netinet/in.h>
|
||||
#include <arpa/inet.h>
|
||||
#include <sys/socket.h>
|
||||
#include <unistd.h>
|
||||
|
||||
// only do debugging on unix side of things for now.
|
||||
#define DEBUGTRACE
|
||||
|
@ -10,6 +10,10 @@ typedef BOOL (STDMETHODCALLTYPE FAR * LPFNCREATEENVIRONMENTBLOCK)( LPVOID *lpEn
|
||||
typedef BOOL (STDMETHODCALLTYPE FAR * LPFNDESTROYENVIRONMENTBLOCK) ( LPVOID lpEnvironment );
|
||||
typedef BOOL (WINAPI * LPCREATEPROCESSWITHTOKENW)( HANDLE, DWORD, LPCWSTR, LPWSTR, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION );
|
||||
|
||||
#else
|
||||
|
||||
#include "linux-in-mem-exe.h"
|
||||
|
||||
#endif
|
||||
|
||||
/*
|
||||
@ -21,8 +25,8 @@ typedef BOOL (WINAPI * LPCREATEPROCESSWITHTOKENW)( HANDLE, DWORD, LPCWSTR, LPWST
|
||||
DWORD request_sys_process_attach(Remote *remote, Packet *packet)
|
||||
{
|
||||
Packet *response = packet_create_response(packet);
|
||||
HANDLE handle = NULL;
|
||||
#ifdef _WIN32
|
||||
HANDLE handle = NULL;
|
||||
DWORD result = ERROR_SUCCESS;
|
||||
DWORD pid;
|
||||
|
||||
@ -67,21 +71,22 @@ DWORD request_sys_process_close(Remote *remote, Packet *packet)
|
||||
{
|
||||
Packet *response = packet_create_response(packet);
|
||||
HANDLE handle;
|
||||
#ifdef _WIN32
|
||||
DWORD result = ERROR_SUCCESS;
|
||||
|
||||
handle = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_HANDLE);
|
||||
|
||||
|
||||
if (handle)
|
||||
{
|
||||
#ifdef _WIN32
|
||||
if (handle != GetCurrentProcess())
|
||||
CloseHandle(handle);
|
||||
#else
|
||||
// XXX ... not entirely sure this ports across.
|
||||
#endif
|
||||
}
|
||||
else
|
||||
result = ERROR_INVALID_PARAMETER;
|
||||
#else
|
||||
DWORD result = ERROR_NOT_SUPPORTED;
|
||||
#endif
|
||||
|
||||
// Send the response packet to the requestor
|
||||
packet_transmit_response(result, remote, response);
|
||||
|
||||
@ -155,6 +160,8 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
|
||||
{
|
||||
Packet *response = packet_create_response(packet);
|
||||
DWORD result = ERROR_SUCCESS;
|
||||
Tlv inMemoryData;
|
||||
BOOL doInMemory = FALSE;
|
||||
#ifdef _WIN32
|
||||
PROCESS_INFORMATION pi;
|
||||
STARTUPINFO si;
|
||||
@ -162,8 +169,6 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
|
||||
PCHAR path, arguments, commandLine = NULL;
|
||||
DWORD flags = 0, createFlags = 0;
|
||||
BOOL inherit = FALSE;
|
||||
Tlv inMemoryData;
|
||||
BOOL doInMemory = FALSE;
|
||||
HANDLE token, pToken;
|
||||
char * cpDesktop = NULL;
|
||||
DWORD session = 0;
|
||||
@ -546,7 +551,7 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
|
||||
if( cpDesktop )
|
||||
free( cpDesktop );
|
||||
#else
|
||||
PCHAR path, arguments, commandLine = NULL;
|
||||
PCHAR path, arguments;;
|
||||
DWORD flags;
|
||||
char *argv[64], *p;
|
||||
int in[2] = { -1, -1 }, out[2] = {-1, -1}; // file descriptors
|
||||
@ -556,6 +561,8 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
|
||||
pid_t pid;
|
||||
int have_pty = -1;
|
||||
|
||||
int hidden = (flags & PROCESS_EXECUTE_FLAG_HIDDEN);
|
||||
|
||||
dprintf( "[PROCESS] request_sys_process_execute" );
|
||||
|
||||
do {
|
||||
@ -566,6 +573,11 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
|
||||
|
||||
dprintf("path: %s, arguments: %s\n", path ? path : "(null)", arguments ? arguments : "(null)");
|
||||
|
||||
if (packet_get_tlv(packet, TLV_TYPE_VALUE_DATA, &inMemoryData) == ERROR_SUCCESS)
|
||||
{
|
||||
doInMemory = TRUE;
|
||||
}
|
||||
|
||||
// how to handle a single string argument line? we don't have a lexer/parser to
|
||||
// correctly handle stuff like quotes, etc. could dumbly parse on white space to
|
||||
// build arguments for execve. revert to /bin/sh -c style execution?
|
||||
@ -663,6 +675,12 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
|
||||
}
|
||||
}
|
||||
|
||||
/*
|
||||
* We can create "hidden" processes via clone() instead of fork()
|
||||
* clone(child_stack, flags = CLONE_THREAD) should do the trick. Probably worth while as well.
|
||||
* memory / fd's etc won't be shared. linux specific syscall though.
|
||||
*/
|
||||
|
||||
pid = fork();
|
||||
switch(pid) {
|
||||
|
||||
@ -672,7 +690,8 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
|
||||
break;
|
||||
|
||||
case 0:
|
||||
if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED) {
|
||||
if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED)
|
||||
{
|
||||
if(have_pty)
|
||||
{
|
||||
dup2(slave, 0);
|
||||
@ -690,9 +709,16 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
|
||||
}
|
||||
for(i = 3; i < 1024; i++) close(i);
|
||||
|
||||
execve(path, argv, environ);
|
||||
exit(EXIT_FAILURE);
|
||||
if(doInMemory)
|
||||
{
|
||||
perform_in_mem_exe(argv, environ, inMemoryData.buffer);
|
||||
} else {
|
||||
execve(path, argv, environ);
|
||||
}
|
||||
|
||||
dprintf("[%s] failed to execute program, exit(EXIT_FAILURE) time", __FUNCTION__);
|
||||
|
||||
exit(EXIT_FAILURE);
|
||||
default:
|
||||
dprintf("child pid is %d\n", pid);
|
||||
if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED) {
|
||||
@ -826,7 +852,7 @@ DWORD request_sys_process_getpid(Remote *remote, Packet *packet)
|
||||
#ifdef _WIN32
|
||||
packet_add_tlv_uint(response, TLV_TYPE_PID, GetCurrentProcessId());
|
||||
#else
|
||||
packet_add_tlv_uint(response, TLV_TYPE_PID, gettid());
|
||||
packet_add_tlv_uint(response, TLV_TYPE_PID, getpid());
|
||||
#endif
|
||||
|
||||
packet_transmit_response(ERROR_SUCCESS, remote, response);
|
||||
|
@ -33,7 +33,10 @@ libsupport.h: ../../bionic/compiled/libsupport.so
|
||||
libmetsrv_main.h: ../../bionic/compiled/libmetsrv_main.so
|
||||
../../../tools/so2h.pl ../../bionic/compiled/libmetsrv_main.so libmetsrv_main
|
||||
|
||||
metsrv_rtld.o: libc.h libm.h libcrypto.h libssl.h libmetsrv_main.h libsupport.h
|
||||
libpcap.h: ../../bionic/compiled/libpcap.so
|
||||
../../../tools/so2h.pl ../../bionic/compiled/libpcap.so libpcap
|
||||
|
||||
metsrv_rtld.o: libc.h libm.h libcrypto.h libssl.h libmetsrv_main.h libsupport.h libpcap.h
|
||||
|
||||
rtldtest: rtldtest.c msflinker
|
||||
gcc -o rtldtest rtldtest.c -DEP=`objdump -f msflinker | grep start | awk '{ print $$3 }'`
|
||||
|
@ -27,6 +27,7 @@
|
||||
#include "libssl.h"
|
||||
#include "libsupport.h"
|
||||
#include "libmetsrv_main.h"
|
||||
#include "libpcap.h"
|
||||
|
||||
struct libs {
|
||||
char *name;
|
||||
@ -42,6 +43,7 @@ static struct libs libs[] = {
|
||||
{ "libssl.so.0.9.8", libssl, libssl_length, NULL },
|
||||
{ "libsupport.so", libsupport, libsupport_length, NULL },
|
||||
{ "libmetsrv_main.so", libmetsrv_main, libmetsrv_main_length, NULL },
|
||||
{ "libpcap.so.1", libpcap, libpcap_length, NULL },
|
||||
};
|
||||
|
||||
#define LIBC_IDX 0
|
||||
|
@ -547,12 +547,6 @@ _do_lookup(soinfo *si, const char *name, unsigned *base)
|
||||
}
|
||||
}
|
||||
|
||||
if(! strncmp(name, "dl", 2)) {
|
||||
s = _elf_lookup(&libdl_info, elf_hash, name);
|
||||
if((s != NULL) && (s->st_shndx != SHN_UNDEF))
|
||||
goto done;
|
||||
}
|
||||
|
||||
#if ALLOW_SYMBOLS_FROM_MAIN
|
||||
/* If we are resolving relocations while dlopen()ing a library, it's OK for
|
||||
* the library to resolve a symbol that's defined in the executable itself,
|
||||
|
@ -27,7 +27,7 @@ endif
|
||||
objects = server/general.o server/stdapi.o server/fs/dir.o server/fs/file.o \
|
||||
server/fs/fs_util.o \
|
||||
server/net/socket/tcp.o server/net/socket/tcp_server.o server/net/socket/udp.o \
|
||||
server/sys/config/config.o server/sys/process/process.o
|
||||
server/sys/config/config.o server/sys/process/process.o server/sys/process/linux-in-mem-exe.o
|
||||
#server/net/config/interface.o \
|
||||
#server/net/config/route.o \
|
||||
|
||||
|
Loading…
Reference in New Issue
Block a user