commit
6a446637b5
@ -50,7 +50,7 @@ DWORD request_incognito_snarf_hashes(Remote *remote, Packet *packet)
|
||||
for (i=0;i<num_tokens;i++)
|
||||
if (token_list[i].token)
|
||||
{
|
||||
get_domain_from_token(token_list[i].token, domain_name);
|
||||
get_domain_from_token(token_list[i].token, domain_name, BUF_SIZE);
|
||||
// If token is not "useless" local account connect to sniffer
|
||||
if (_stricmp(domain_name, "NT AUTHORITY"))
|
||||
{
|
||||
|
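Review bot: The new size argument `BUF_SIZE` handed to get_domain_from_token repeats a constant instead of being derived from `domain_name`, whose declaration lies outside the hunk, so the bound can drift from the buffer it describes. If domain_name is a local array, `get_domain_from_token(token_list[i].token, domain_name, sizeof(domain_name));` ties the two together; if it is a pointer or sized by some other constant, that constant should be the one passed here. The enclosing loop in request_incognito_snarf_hashes starts and ends outside the hunk.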
@ -204,7 +204,7 @@ void process_user_token(HANDLE token, unique_user_token *uniq_tokens, DWORD *num
|
||||
// If token user has not been seen yet then create new entry
|
||||
if (!user_exists)
|
||||
{
|
||||
strcpy(uniq_tokens[*num_tokens].username, full_name);
|
||||
strcpy_s(uniq_tokens[*num_tokens].username, MAX_USERNAME, full_name);
|
||||
uniq_tokens[*num_tokens].token_num = 1;
|
||||
uniq_tokens[*num_tokens].delegation_available = FALSE;
|
||||
uniq_tokens[*num_tokens].impersonation_available = FALSE;
|
||||
|
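Review bot: The result of the new `strcpy_s` on the username line is unchecked, and on the MSVC CRT a `full_name` that does not fit in MAX_USERNAME bytes does not truncate — it invokes the invalid-parameter handler, which by default terminates the process, so an over-long name now becomes a crash in the host process rather than a reported error. If truncation is acceptable, `strncpy_s(uniq_tokens[*num_tokens].username, sizeof uniq_tokens[*num_tokens].username, full_name, _TRUNCATE);` avoids that and also stops repeating MAX_USERNAME next to the field it describes. The same unchecked `strcpy_s` is introduced in get_domain_from_token, which goes on to return TRUE whatever the copy did; there `if (strcpy_s(domainBuffer, domainBufferSize, domainname) != 0) return FALSE;` would surface the failure. Nothing in this hunk bounds `*num_tokens` against the capacity of uniq_tokens either, though that check may live in the part of process_user_token outside the hunk.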
@ -8,9 +8,11 @@ typedef struct
|
||||
HANDLE token;
|
||||
} SavedToken;
|
||||
|
||||
#define MAX_USERNAME 256
|
||||
|
||||
typedef struct
|
||||
{
|
||||
char username[256];
|
||||
char username[MAX_USERNAME];
|
||||
int token_num;
|
||||
BOOL delegation_available;
|
||||
BOOL impersonation_available;
|
||||
|
@ -11,7 +11,7 @@
|
||||
#include <wchar.h>
|
||||
#include "incognito.h"
|
||||
|
||||
BOOL get_domain_from_token(HANDLE token, char *domain_to_return)
|
||||
BOOL get_domain_from_token(HANDLE token, char *domainBuffer, DWORD domainBufferSize)
|
||||
{
|
||||
LPVOID TokenUserInfo[BUF_SIZE];
|
||||
char username[BUF_SIZE] = "", domainname[BUF_SIZE] = "";
|
||||
@ -21,7 +21,7 @@ BOOL get_domain_from_token(HANDLE token, char *domain_to_return)
|
||||
return FALSE;
|
||||
LookupAccountSidA(NULL, ((TOKEN_USER*)TokenUserInfo)->User.Sid, username, &user_length, domainname, &domain_length, (PSID_NAME_USE)&sid_type);
|
||||
|
||||
strcpy(domain_to_return, domainname);
|
||||
strcpy_s(domainBuffer, domainBufferSize, domainname);
|
||||
|
||||
return TRUE;
|
||||
}
|
||||
|
@ -8,6 +8,6 @@ BOOL is_local_system();
|
||||
|
||||
BOOL get_domain_username_from_token(HANDLE token, char *full_name_to_return);
|
||||
BOOL get_domain_groups_from_token(HANDLE token, char **group_name_array[], DWORD *num_groups);
|
||||
BOOL get_domain_from_token(HANDLE token, char *domain_to_return);
|
||||
BOOL get_domain_from_token(HANDLE token, char *domainBuffer, DWORD domainBufferSize);
|
||||
|
||||
#endif
|
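Review bot: The prototype two lines above the changed one, `BOOL get_domain_username_from_token(HANDLE token, char *full_name_to_return);`, keeps the unsized-output-buffer interface that this commit removes from get_domain_from_token, and by its name it is presumably where process_user_token's `full_name` comes from. Applying the same change — `BOOL get_domain_username_from_token(HANDLE token, char *fullNameBuffer, DWORD fullNameBufferSize);` — would let its callers bound that copy as well; the implementation is not in this diff, so I cannot tell whether it still writes through strcpy.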
@ -35,8 +35,9 @@ LPSTR fs_expand_path(LPCSTR regular)
|
||||
return expandedFilePath;
|
||||
#else /* Hack to make it work with existing code under *nix */
|
||||
char *expandedFilePath;
|
||||
expandedFilePath = malloc(strlen(regular)+1);
|
||||
strcpy(expandedFilePath, regular);
|
||||
DWORD expandedFilePathSize = strlen(regular)+1;
|
||||
expandedFilePath = malloc(expandedFilePathSize);
|
||||
strncpy(expandedFilePath, regular, expandedFilePathSize - 1);
|
||||
return expandedFilePath;
|
||||
#endif
|
||||
}
|
||||
|
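Review bot: The new strncpy in the *nix branch of fs_expand_path leaves the result unterminated: `expandedFilePathSize - 1` equals `strlen(regular)`, so strncpy copies exactly that many bytes and never writes the NUL, and the last byte of the malloc'd block stays uninitialised — the strcpy it replaces was correct here because the buffer is sized from the same string. Since the length is already known, `memcpy(expandedFilePath, regular, expandedFilePathSize);` copies the terminator too (or `strdup(regular)` replaces all three lines); malloc's result is still unchecked before the copy. The same `sizeof(...) - 1` strncpy pattern is introduced in the windows_get_tcp_table and windows_get_udp_table hunks, in ps_getpath and in libloader_load_library, where termination holds only if the destination was already zero-filled, which those hunks do not show. fs_expand_path begins outside the hunk.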
@ -261,13 +261,13 @@ DWORD windows_get_tcp_table(struct connection_table **table_connection)
|
||||
state = currentv4->dwState;
|
||||
if ((state <= 0) || (state > 12))
|
||||
state = 13; // points to UNKNOWN in the state array
|
||||
strncpy(current_connection->state, tcp_connection_states[state], sizeof(current_connection->state));
|
||||
strncpy(current_connection->protocol, "tcp", sizeof(current_connection->protocol));
|
||||
strncpy((char*)current_connection->state, tcp_connection_states[state], sizeof(current_connection->state) - 1);
|
||||
strncpy((char*)current_connection->protocol, "tcp", sizeof(current_connection->protocol) - 1);
|
||||
|
||||
// force program_name to "-" and try to get real name through GetOwnerModuleFromXXXEntry
|
||||
strncpy(current_connection->program_name, "-", sizeof(current_connection->program_name));
|
||||
strncpy((char*)current_connection->program_name, "-", sizeof(current_connection->program_name) - 1);
|
||||
|
||||
set_process_name(currentv4->dwOwningPid, current_connection->program_name, sizeof(current_connection->program_name));
|
||||
set_process_name(currentv4->dwOwningPid, (char*)current_connection->program_name, sizeof(current_connection->program_name) - 1);
|
||||
|
||||
(*table_connection)->entries++;
|
||||
}
|
||||
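Review bot: The size passed to set_process_name is inconsistent across the otherwise parallel hunks: this IPv4 loop now passes `sizeof(current_connection->program_name) - 1`, while the IPv6 loop and both windows_get_udp_table loops keep passing `sizeof(current_connection->program_name)`. Which is right depends on whether set_process_name treats its last argument as the total buffer size or as a character count, which the diff does not show; settle on one reading and use it at all four call sites, ideally with a one-line comment at the first stating the convention. The body of windows_get_tcp_table continues outside the hunk.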
@ -307,13 +307,13 @@ DWORD windows_get_tcp_table(struct connection_table **table_connection)
|
||||
state = currentv6->dwState;
|
||||
if ((state <= 0) || (state > 12))
|
||||
state = 13; // points to UNKNOWN in the state array
|
||||
strncpy(current_connection->state, tcp_connection_states[state], sizeof(current_connection->state));
|
||||
strncpy(current_connection->protocol, "tcp6", sizeof(current_connection->protocol));
|
||||
strncpy((char*)current_connection->state, tcp_connection_states[state], sizeof(current_connection->state) - 1);
|
||||
strncpy((char*)current_connection->protocol, "tcp6", sizeof(current_connection->protocol) - 1);
|
||||
|
||||
// force program_name to "-" and try to get real name through GetOwnerModuleFromXXXEntry
|
||||
strncpy(current_connection->program_name, "-", sizeof(current_connection->program_name));
|
||||
strncpy((char*)current_connection->program_name, "-", sizeof(current_connection->program_name) - 1);
|
||||
|
||||
set_process_name(currentv6->dwOwningPid, current_connection->program_name, sizeof(current_connection->program_name));
|
||||
set_process_name(currentv6->dwOwningPid, (char*)current_connection->program_name, sizeof(current_connection->program_name));
|
||||
|
||||
(*table_connection)->entries++;
|
||||
}
|
||||
@ -373,11 +373,11 @@ DWORD windows_get_udp_table_win2000_down(struct connection_table **table_connect
|
||||
current_connection->remote_port = 0;
|
||||
|
||||
// force state to ""
|
||||
strncpy(current_connection->state, "", sizeof(current_connection->state));
|
||||
strncpy(current_connection->protocol, "udp", sizeof(current_connection->protocol));
|
||||
strncpy((char*)current_connection->state, "", sizeof(current_connection->state) - 1);
|
||||
strncpy((char*)current_connection->protocol, "udp", sizeof(current_connection->protocol) - 1);
|
||||
|
||||
// force program_name to "-"
|
||||
strncpy(current_connection->program_name, "-", sizeof(current_connection->program_name));
|
||||
strncpy((char*)current_connection->program_name, "-", sizeof(current_connection->program_name) - 1);
|
||||
|
||||
(*table_connection)->entries++;
|
||||
}
|
||||
@ -435,13 +435,13 @@ DWORD windows_get_udp_table(struct connection_table **table_connection)
|
||||
current_connection->local_port = ntohs((u_short)(currentv4->dwLocalPort & 0x0000ffff));
|
||||
current_connection->remote_port = 0;
|
||||
|
||||
strncpy(current_connection->state, "", sizeof(current_connection->state));
|
||||
strncpy(current_connection->protocol, "udp", sizeof(current_connection->protocol));
|
||||
strncpy((char*)current_connection->state, "", sizeof(current_connection->state) - 1);
|
||||
strncpy((char*)current_connection->protocol, "udp", sizeof(current_connection->protocol) - 1);
|
||||
|
||||
// force program_name to "-" and try to get real name through GetOwnerModuleFromXXXEntry
|
||||
strncpy(current_connection->program_name, "-", sizeof(current_connection->program_name));
|
||||
strncpy((char*)current_connection->program_name, "-", sizeof(current_connection->program_name) - 1);
|
||||
|
||||
set_process_name(currentv4->dwOwningPid, current_connection->program_name, sizeof(current_connection->program_name));
|
||||
set_process_name(currentv4->dwOwningPid, (char*)current_connection->program_name, sizeof(current_connection->program_name));
|
||||
|
||||
(*table_connection)->entries++;
|
||||
}
|
||||
@ -474,13 +474,13 @@ DWORD windows_get_udp_table(struct connection_table **table_connection)
|
||||
current_connection->local_port = ntohs((u_short)(currentv6->dwLocalPort & 0x0000ffff));
|
||||
current_connection->remote_port = 0;
|
||||
|
||||
strncpy(current_connection->state, "", sizeof(current_connection->state));
|
||||
strncpy(current_connection->protocol, "udp6", sizeof(current_connection->protocol));
|
||||
strncpy((char*)current_connection->state, "", sizeof(current_connection->state) - 1);
|
||||
strncpy((char*)current_connection->protocol, "udp6", sizeof(current_connection->protocol) - 1);
|
||||
|
||||
// force program_name to "-" and try to get real name through GetOwnerModuleFromXXXEntry
|
||||
strncpy(current_connection->program_name, "-", sizeof(current_connection->program_name));
|
||||
strncpy((char*)current_connection->program_name, "-", sizeof(current_connection->program_name) - 1);
|
||||
|
||||
set_process_name(currentv6->dwOwningPid, current_connection->program_name, sizeof(current_connection->program_name));
|
||||
set_process_name(currentv6->dwOwningPid, (char*)current_connection->program_name, sizeof(current_connection->program_name));
|
||||
|
||||
(*table_connection)->entries++;
|
||||
}
|
||||
@ -656,15 +656,15 @@ DWORD linux_parse_proc_net_file(char * filename, struct connection_table ** tabl
|
||||
current_connection->uid = uid;
|
||||
current_connection->inode = inode;
|
||||
// protocol such as tcp/tcp6/udp/udp6
|
||||
strncpy(current_connection->protocol, protocol, sizeof(current_connection->protocol));
|
||||
strncpy((char*)current_connection->protocol, protocol, sizeof(current_connection->protocol) - 1);
|
||||
if ((state < 0) && (state > 11))
|
||||
state = 12; // points to UNKNOWN in the table
|
||||
|
||||
// state, number to string : 0x0A --> LISTEN
|
||||
strncpy(current_connection->state, connection_states[state], sizeof(current_connection->state));
|
||||
strncpy((char*)current_connection->state, connection_states[state], sizeof(current_connection->state) - 1);
|
||||
|
||||
// initialize every program_name to "-", will be changed if we find the good info in /proc
|
||||
strncpy(current_connection->program_name, "-", sizeof(current_connection->program_name));
|
||||
strncpy((char*)current_connection->program_name, "-", sizeof(current_connection->program_name) - 1);
|
||||
|
||||
(*table_connection)->entries++;
|
||||
}
|
||||
|
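Review bot: The new strncpy from `connection_states[state]` is reached with an unvalidated index, because the guard two lines above it, `if ((state < 0) && (state > 11))`, can never be true — no value is both negative and greater than 11. It should read `if ((state < 0) || (state > 11))` so that out-of-range values parsed from the /proc file are mapped to the UNKNOWN entry instead of indexing past the table. The body of linux_parse_proc_net_file begins outside the hunk.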
@ -199,7 +199,7 @@ DWORD request_sys_process_image_get_images(Remote *remote, Packet *packet)
|
||||
Packet *response = packet_create_response(packet);
|
||||
HMODULE *modules = NULL;
|
||||
BOOLEAN valid = FALSE;
|
||||
HANDLE psapi = NULL;
|
||||
HMODULE psapi = NULL;
|
||||
HANDLE handle;
|
||||
DWORD result = ERROR_SUCCESS;
|
||||
DWORD needed = 0, actual, tries = 0;
|
||||
@ -351,6 +351,7 @@ DWORD remote_load_library(HANDLE process, LPCSTR image, HMODULE *base)
|
||||
LoadLibraryContext *context = NULL;
|
||||
DWORD result = ERROR_SUCCESS;
|
||||
DWORD contextSize = 0;
|
||||
DWORD imagePathSize = 0;
|
||||
BYTE loadLibraryStub[] =
|
||||
"\x8b\x54\x24\x04" // see load_library_stub
|
||||
"\x8d\x5a\x04"
|
||||
@ -361,7 +362,8 @@ DWORD remote_load_library(HANDLE process, LPCSTR image, HMODULE *base)
|
||||
do
|
||||
{
|
||||
// Calculate the size of the context we'll be passing
|
||||
contextSize = (DWORD)strlen(image) + 1 + sizeof(LoadLibraryContext);
|
||||
imagePathSize = (DWORD)strlen(image) + 1;
|
||||
contextSize = imagePathSize + sizeof(LoadLibraryContext);
|
||||
|
||||
if (!(context = (LoadLibraryContext *)malloc(contextSize)))
|
||||
{
|
||||
@ -373,7 +375,7 @@ DWORD remote_load_library(HANDLE process, LPCSTR image, HMODULE *base)
|
||||
context->loadLibraryAddress = (PVOID)GetProcAddress(
|
||||
GetModuleHandle("kernel32"), "LoadLibraryA");
|
||||
|
||||
strcpy(context->imagePath, image);
|
||||
strcpy_s(context->imagePath, imagePathSize, image);
|
||||
|
||||
// Execute the LoadLibraryA stub
|
||||
result = execute_code_stub_in_process(process, (PVOID)loadLibraryStub,
|
||||
@ -398,6 +400,7 @@ DWORD remote_get_proc_address(HANDLE process, HMODULE module,
|
||||
GetProcAddressContext *context = NULL;
|
||||
DWORD result = ERROR_SUCCESS;
|
||||
DWORD contextSize = 0;
|
||||
DWORD symbolSize = 0;
|
||||
BYTE getProcAddressStub[] =
|
||||
"\x8b\x54\x24\x04" // see unload_library_stub
|
||||
"\x8b\x5a\x04"
|
||||
@ -410,7 +413,8 @@ DWORD remote_get_proc_address(HANDLE process, HMODULE module,
|
||||
do
|
||||
{
|
||||
// Calculate the size of the context we'll be passing
|
||||
contextSize = strlen(symbol) + 1 + sizeof(GetProcAddressContext);
|
||||
symbolSize = (DWORD)strlen(symbol) + 1;
|
||||
contextSize = symbolSize + sizeof(GetProcAddressContext);
|
||||
|
||||
if (!(context = (GetProcAddressContext *)malloc(contextSize)))
|
||||
{
|
||||
@ -423,7 +427,7 @@ DWORD remote_get_proc_address(HANDLE process, HMODULE module,
|
||||
GetModuleHandle("kernel32"), "GetProcAddress");
|
||||
context->module = module;
|
||||
|
||||
strcpy(context->symbol, symbol);
|
||||
strcpy_s(context->symbol, symbolSize, symbol);
|
||||
|
||||
// Execute the LoadLibraryA stub
|
||||
result = execute_code_stub_in_process(process, (PVOID)getProcAddressStub,
|
||||
|
@ -308,7 +308,7 @@ BOOL ps_getpath( DWORD pid, char * cpExePath, DWORD dwExePathSize, char * cpExeN
|
||||
{
|
||||
name = strrchr( cpExePath, '\\' );
|
||||
if( name )
|
||||
strncpy( cpExeName, name+1, dwExeNameSize );
|
||||
strncpy( cpExeName, name+1, dwExeNameSize - 1 );
|
||||
}
|
||||
success = TRUE;
|
||||
}
|
||||
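Review bot: `dwExeNameSize - 1` underflows when dwExeNameSize is 0 — DWORD is unsigned, so strncpy would be handed a count of about 4 GiB — and when the name is at least dwExeNameSize-1 characters long the copy is left without a terminator. Guarding the size and terminating explicitly covers both: `if (dwExeNameSize) { strncpy(cpExeName, name + 1, dwExeNameSize - 1); cpExeName[dwExeNameSize - 1] = '\0'; }`. ps_getpath begins and ends outside the hunk.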
@ -639,6 +639,9 @@ void parse_status(char * buffer, struct info_process * info) {
|
||||
strncpy(info->name, str+strlen(NAME), sizeof(info->name)-1);
|
||||
|
||||
if ( strncmp(str, STATE, strlen(STATE)) == 0 ) {
|
||||
// TODO: rather than use strncpy for 1 char, why can't
|
||||
// we just write the one char given the state is already zeroed?
|
||||
// info->state[0] = str[strlen(STATE)];
|
||||
strncpy(info->state, str+strlen(STATE), 1); // want only 1 char
|
||||
}
|
||||
|
||||
|
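Review bot: The added comment leaves commented-out code, `// info->state[0] = str[strlen(STATE)];`, beside a TODO asking whether it could replace the strncpy; the answer hinges on `info` being zero-filled before parse_status runs, which nothing in the hunk shows. Either confirm that and make the one-character assignment, or drop the commented-out line and keep only the question — as written, the strncpy with a count of 1 copies a single byte and depends on the rest of `state` already holding a terminator just as much as the assignment would. parse_status begins outside the hunk.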
@ -562,7 +562,7 @@ HMODULE libloader_load_library(LPCSTR name, PUCHAR buffer, DWORD bufferLength)
|
||||
do
|
||||
{
|
||||
// The name of the library to load it as
|
||||
strncpy(ctx->libname, shortName, sizeof(ctx->libname));
|
||||
strncpy(ctx->libname, shortName, sizeof(ctx->libname) - 1);
|
||||
ctx->liblen = (int)strlen(ctx->libname) + 1;
|
||||
|
||||
// The address of the raw buffer
|
||||
|
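Review bot: The line after the new strncpy, `ctx->liblen = (int)strlen(ctx->libname) + 1;`, relies on `ctx->libname` being NUL-terminated, but the `sizeof(ctx->libname) - 1` count only leaves room for the terminator — it does not write one when shortName fills the field, and whether ctx was zero-filled is outside the hunk. Adding `ctx->libname[sizeof(ctx->libname) - 1] = '\0';` between the two lines makes the strlen safe regardless of how ctx was allocated. The do-block of libloader_load_library continues outside the hunk.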