mirror of
https://github.com/rapid7/metasploit-payloads
synced 2025-03-24 18:16:24 +01:00
Tod Beardsley
commit
6a446637b5
c/meterpreter/source
extensions
incognito
stdapi/server
server/win
@ -50,7 +50,7 @@ DWORD request_incognito_snarf_hashes(Remote *remote, Packet *packet)
|
|||||||
for (i=0;i<num_tokens;i++)
|
for (i=0;i<num_tokens;i++)
|
||||||
if (token_list[i].token)
|
if (token_list[i].token)
|
||||||
{
|
{
|
||||||
get_domain_from_token(token_list[i].token, domain_name);
|
get_domain_from_token(token_list[i].token, domain_name, BUF_SIZE);
|
||||||
// If token is not "useless" local account connect to sniffer
|
// If token is not "useless" local account connect to sniffer
|
||||||
if (_stricmp(domain_name, "NT AUTHORITY"))
|
if (_stricmp(domain_name, "NT AUTHORITY"))
|
||||||
{
|
{
|
||||||
|
|||||||
@ -204,7 +204,7 @@ void process_user_token(HANDLE token, unique_user_token *uniq_tokens, DWORD *num
|
|||||||
// If token user has not been seen yet then create new entry
|
// If token user has not been seen yet then create new entry
|
||||||
if (!user_exists)
|
if (!user_exists)
|
||||||
{
|
{
|
||||||
strcpy(uniq_tokens[*num_tokens].username, full_name);
|
strcpy_s(uniq_tokens[*num_tokens].username, MAX_USERNAME, full_name);
|
||||||
uniq_tokens[*num_tokens].token_num = 1;
|
uniq_tokens[*num_tokens].token_num = 1;
|
||||||
uniq_tokens[*num_tokens].delegation_available = FALSE;
|
uniq_tokens[*num_tokens].delegation_available = FALSE;
|
||||||
uniq_tokens[*num_tokens].impersonation_available = FALSE;
|
uniq_tokens[*num_tokens].impersonation_available = FALSE;
|
||||||
|
|||||||
@ -8,9 +8,11 @@ typedef struct
|
|||||||
HANDLE token;
|
HANDLE token;
|
||||||
} SavedToken;
|
} SavedToken;
|
||||||
|
|
||||||
|
#define MAX_USERNAME 256
|
||||||
|
|
||||||
typedef struct
|
typedef struct
|
||||||
{
|
{
|
||||||
char username[256];
|
char username[MAX_USERNAME];
|
||||||
int token_num;
|
int token_num;
|
||||||
BOOL delegation_available;
|
BOOL delegation_available;
|
||||||
BOOL impersonation_available;
|
BOOL impersonation_available;
|
||||||
|
|||||||
@ -11,7 +11,7 @@
|
|||||||
#include <wchar.h>
|
#include <wchar.h>
|
||||||
#include "incognito.h"
|
#include "incognito.h"
|
||||||
|
|
||||||
BOOL get_domain_from_token(HANDLE token, char *domain_to_return)
|
BOOL get_domain_from_token(HANDLE token, char *domainBuffer, DWORD domainBufferSize)
|
||||||
{
|
{
|
||||||
LPVOID TokenUserInfo[BUF_SIZE];
|
LPVOID TokenUserInfo[BUF_SIZE];
|
||||||
char username[BUF_SIZE] = "", domainname[BUF_SIZE] = "";
|
char username[BUF_SIZE] = "", domainname[BUF_SIZE] = "";
|
||||||
@ -21,7 +21,7 @@ BOOL get_domain_from_token(HANDLE token, char *domain_to_return)
|
|||||||
return FALSE;
|
return FALSE;
|
||||||
LookupAccountSidA(NULL, ((TOKEN_USER*)TokenUserInfo)->User.Sid, username, &user_length, domainname, &domain_length, (PSID_NAME_USE)&sid_type);
|
LookupAccountSidA(NULL, ((TOKEN_USER*)TokenUserInfo)->User.Sid, username, &user_length, domainname, &domain_length, (PSID_NAME_USE)&sid_type);
|
||||||
|
|
||||||
strcpy(domain_to_return, domainname);
|
strcpy_s(domainBuffer, domainBufferSize, domainname);
|
||||||
|
|
||||||
return TRUE;
|
return TRUE;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -8,6 +8,6 @@ BOOL is_local_system();
|
|||||||
|
|
||||||
BOOL get_domain_username_from_token(HANDLE token, char *full_name_to_return);
|
BOOL get_domain_username_from_token(HANDLE token, char *full_name_to_return);
|
||||||
BOOL get_domain_groups_from_token(HANDLE token, char **group_name_array[], DWORD *num_groups);
|
BOOL get_domain_groups_from_token(HANDLE token, char **group_name_array[], DWORD *num_groups);
|
||||||
BOOL get_domain_from_token(HANDLE token, char *domain_to_return);
|
BOOL get_domain_from_token(HANDLE token, char *domainBuffer, DWORD domainBufferSize);
|
||||||
|
|
||||||
#endif
|
#endif
|
||||||
@ -35,8 +35,9 @@ LPSTR fs_expand_path(LPCSTR regular)
|
|||||||
return expandedFilePath;
|
return expandedFilePath;
|
||||||
#else /* Hack to make it work with existing code under *nix */
|
#else /* Hack to make it work with existing code under *nix */
|
||||||
char *expandedFilePath;
|
char *expandedFilePath;
|
||||||
expandedFilePath = malloc(strlen(regular)+1);
|
DWORD expandedFilePathSize = strlen(regular)+1;
|
||||||
strcpy(expandedFilePath, regular);
|
expandedFilePath = malloc(expandedFilePathSize);
|
||||||
|
strncpy(expandedFilePath, regular, expandedFilePathSize - 1);
|
||||||
return expandedFilePath;
|
return expandedFilePath;
|
||||||
#endif
|
#endif
|
||||||
}
|
}
|
||||||
|
|||||||
@ -261,13 +261,13 @@ DWORD windows_get_tcp_table(struct connection_table **table_connection)
|
|||||||
state = currentv4->dwState;
|
state = currentv4->dwState;
|
||||||
if ((state <= 0) || (state > 12))
|
if ((state <= 0) || (state > 12))
|
||||||
state = 13; // points to UNKNOWN in the state array
|
state = 13; // points to UNKNOWN in the state array
|
||||||
strncpy(current_connection->state, tcp_connection_states[state], sizeof(current_connection->state));
|
strncpy((char*)current_connection->state, tcp_connection_states[state], sizeof(current_connection->state) - 1);
|
||||||
strncpy(current_connection->protocol, "tcp", sizeof(current_connection->protocol));
|
strncpy((char*)current_connection->protocol, "tcp", sizeof(current_connection->protocol) - 1);
|
||||||
|
|
||||||
// force program_name to "-" and try to get real name through GetOwnerModuleFromXXXEntry
|
// force program_name to "-" and try to get real name through GetOwnerModuleFromXXXEntry
|
||||||
strncpy(current_connection->program_name, "-", sizeof(current_connection->program_name));
|
strncpy((char*)current_connection->program_name, "-", sizeof(current_connection->program_name) - 1);
|
||||||
|
|
||||||
set_process_name(currentv4->dwOwningPid, current_connection->program_name, sizeof(current_connection->program_name));
|
set_process_name(currentv4->dwOwningPid, (char*)current_connection->program_name, sizeof(current_connection->program_name) - 1);
|
||||||
|
|
||||||
(*table_connection)->entries++;
|
(*table_connection)->entries++;
|
||||||
}
|
}
|
||||||
@ -307,13 +307,13 @@ DWORD windows_get_tcp_table(struct connection_table **table_connection)
|
|||||||
state = currentv6->dwState;
|
state = currentv6->dwState;
|
||||||
if ((state <= 0) || (state > 12))
|
if ((state <= 0) || (state > 12))
|
||||||
state = 13; // points to UNKNOWN in the state array
|
state = 13; // points to UNKNOWN in the state array
|
||||||
strncpy(current_connection->state, tcp_connection_states[state], sizeof(current_connection->state));
|
strncpy((char*)current_connection->state, tcp_connection_states[state], sizeof(current_connection->state) - 1);
|
||||||
strncpy(current_connection->protocol, "tcp6", sizeof(current_connection->protocol));
|
strncpy((char*)current_connection->protocol, "tcp6", sizeof(current_connection->protocol) - 1);
|
||||||
|
|
||||||
// force program_name to "-" and try to get real name through GetOwnerModuleFromXXXEntry
|
// force program_name to "-" and try to get real name through GetOwnerModuleFromXXXEntry
|
||||||
strncpy(current_connection->program_name, "-", sizeof(current_connection->program_name));
|
strncpy((char*)current_connection->program_name, "-", sizeof(current_connection->program_name) - 1);
|
||||||
|
|
||||||
set_process_name(currentv6->dwOwningPid, current_connection->program_name, sizeof(current_connection->program_name));
|
set_process_name(currentv6->dwOwningPid, (char*)current_connection->program_name, sizeof(current_connection->program_name));
|
||||||
|
|
||||||
(*table_connection)->entries++;
|
(*table_connection)->entries++;
|
||||||
}
|
}
|
||||||
@ -373,11 +373,11 @@ DWORD windows_get_udp_table_win2000_down(struct connection_table **table_connect
|
|||||||
current_connection->remote_port = 0;
|
current_connection->remote_port = 0;
|
||||||
|
|
||||||
// force state to ""
|
// force state to ""
|
||||||
strncpy(current_connection->state, "", sizeof(current_connection->state));
|
strncpy((char*)current_connection->state, "", sizeof(current_connection->state) - 1);
|
||||||
strncpy(current_connection->protocol, "udp", sizeof(current_connection->protocol));
|
strncpy((char*)current_connection->protocol, "udp", sizeof(current_connection->protocol) - 1);
|
||||||
|
|
||||||
// force program_name to "-"
|
// force program_name to "-"
|
||||||
strncpy(current_connection->program_name, "-", sizeof(current_connection->program_name));
|
strncpy((char*)current_connection->program_name, "-", sizeof(current_connection->program_name) - 1);
|
||||||
|
|
||||||
(*table_connection)->entries++;
|
(*table_connection)->entries++;
|
||||||
}
|
}
|
||||||
@ -435,13 +435,13 @@ DWORD windows_get_udp_table(struct connection_table **table_connection)
|
|||||||
current_connection->local_port = ntohs((u_short)(currentv4->dwLocalPort & 0x0000ffff));
|
current_connection->local_port = ntohs((u_short)(currentv4->dwLocalPort & 0x0000ffff));
|
||||||
current_connection->remote_port = 0;
|
current_connection->remote_port = 0;
|
||||||
|
|
||||||
strncpy(current_connection->state, "", sizeof(current_connection->state));
|
strncpy((char*)current_connection->state, "", sizeof(current_connection->state) - 1);
|
||||||
strncpy(current_connection->protocol, "udp", sizeof(current_connection->protocol));
|
strncpy((char*)current_connection->protocol, "udp", sizeof(current_connection->protocol) - 1);
|
||||||
|
|
||||||
// force program_name to "-" and try to get real name through GetOwnerModuleFromXXXEntry
|
// force program_name to "-" and try to get real name through GetOwnerModuleFromXXXEntry
|
||||||
strncpy(current_connection->program_name, "-", sizeof(current_connection->program_name));
|
strncpy((char*)current_connection->program_name, "-", sizeof(current_connection->program_name) - 1);
|
||||||
|
|
||||||
set_process_name(currentv4->dwOwningPid, current_connection->program_name, sizeof(current_connection->program_name));
|
set_process_name(currentv4->dwOwningPid, (char*)current_connection->program_name, sizeof(current_connection->program_name));
|
||||||
|
|
||||||
(*table_connection)->entries++;
|
(*table_connection)->entries++;
|
||||||
}
|
}
|
||||||
@ -474,13 +474,13 @@ DWORD windows_get_udp_table(struct connection_table **table_connection)
|
|||||||
current_connection->local_port = ntohs((u_short)(currentv6->dwLocalPort & 0x0000ffff));
|
current_connection->local_port = ntohs((u_short)(currentv6->dwLocalPort & 0x0000ffff));
|
||||||
current_connection->remote_port = 0;
|
current_connection->remote_port = 0;
|
||||||
|
|
||||||
strncpy(current_connection->state, "", sizeof(current_connection->state));
|
strncpy((char*)current_connection->state, "", sizeof(current_connection->state) - 1);
|
||||||
strncpy(current_connection->protocol, "udp6", sizeof(current_connection->protocol));
|
strncpy((char*)current_connection->protocol, "udp6", sizeof(current_connection->protocol) - 1);
|
||||||
|
|
||||||
// force program_name to "-" and try to get real name through GetOwnerModuleFromXXXEntry
|
// force program_name to "-" and try to get real name through GetOwnerModuleFromXXXEntry
|
||||||
strncpy(current_connection->program_name, "-", sizeof(current_connection->program_name));
|
strncpy((char*)current_connection->program_name, "-", sizeof(current_connection->program_name) - 1);
|
||||||
|
|
||||||
set_process_name(currentv6->dwOwningPid, current_connection->program_name, sizeof(current_connection->program_name));
|
set_process_name(currentv6->dwOwningPid, (char*)current_connection->program_name, sizeof(current_connection->program_name));
|
||||||
|
|
||||||
(*table_connection)->entries++;
|
(*table_connection)->entries++;
|
||||||
}
|
}
|
||||||
@ -656,15 +656,15 @@ DWORD linux_parse_proc_net_file(char * filename, struct connection_table ** tabl
|
|||||||
current_connection->uid = uid;
|
current_connection->uid = uid;
|
||||||
current_connection->inode = inode;
|
current_connection->inode = inode;
|
||||||
// protocol such as tcp/tcp6/udp/udp6
|
// protocol such as tcp/tcp6/udp/udp6
|
||||||
strncpy(current_connection->protocol, protocol, sizeof(current_connection->protocol));
|
strncpy((char*)current_connection->protocol, protocol, sizeof(current_connection->protocol) - 1);
|
||||||
if ((state < 0) && (state > 11))
|
if ((state < 0) && (state > 11))
|
||||||
state = 12; // points to UNKNOWN in the table
|
state = 12; // points to UNKNOWN in the table
|
||||||
|
|
||||||
// state, number to string : 0x0A --> LISTEN
|
// state, number to string : 0x0A --> LISTEN
|
||||||
strncpy(current_connection->state, connection_states[state], sizeof(current_connection->state));
|
strncpy((char*)current_connection->state, connection_states[state], sizeof(current_connection->state) - 1);
|
||||||
|
|
||||||
// initialize every program_name to "-", will be changed if we find the good info in /proc
|
// initialize every program_name to "-", will be changed if we find the good info in /proc
|
||||||
strncpy(current_connection->program_name, "-", sizeof(current_connection->program_name));
|
strncpy((char*)current_connection->program_name, "-", sizeof(current_connection->program_name) - 1);
|
||||||
|
|
||||||
(*table_connection)->entries++;
|
(*table_connection)->entries++;
|
||||||
}
|
}
|
||||||
|
|||||||
@ -199,7 +199,7 @@ DWORD request_sys_process_image_get_images(Remote *remote, Packet *packet)
|
|||||||
Packet *response = packet_create_response(packet);
|
Packet *response = packet_create_response(packet);
|
||||||
HMODULE *modules = NULL;
|
HMODULE *modules = NULL;
|
||||||
BOOLEAN valid = FALSE;
|
BOOLEAN valid = FALSE;
|
||||||
HANDLE psapi = NULL;
|
HMODULE psapi = NULL;
|
||||||
HANDLE handle;
|
HANDLE handle;
|
||||||
DWORD result = ERROR_SUCCESS;
|
DWORD result = ERROR_SUCCESS;
|
||||||
DWORD needed = 0, actual, tries = 0;
|
DWORD needed = 0, actual, tries = 0;
|
||||||
@ -351,6 +351,7 @@ DWORD remote_load_library(HANDLE process, LPCSTR image, HMODULE *base)
|
|||||||
LoadLibraryContext *context = NULL;
|
LoadLibraryContext *context = NULL;
|
||||||
DWORD result = ERROR_SUCCESS;
|
DWORD result = ERROR_SUCCESS;
|
||||||
DWORD contextSize = 0;
|
DWORD contextSize = 0;
|
||||||
|
DWORD imagePathSize = 0;
|
||||||
BYTE loadLibraryStub[] =
|
BYTE loadLibraryStub[] =
|
||||||
"\x8b\x54\x24\x04" // see load_library_stub
|
"\x8b\x54\x24\x04" // see load_library_stub
|
||||||
"\x8d\x5a\x04"
|
"\x8d\x5a\x04"
|
||||||
@ -361,7 +362,8 @@ DWORD remote_load_library(HANDLE process, LPCSTR image, HMODULE *base)
|
|||||||
do
|
do
|
||||||
{
|
{
|
||||||
// Calculate the size of the context we'll be passing
|
// Calculate the size of the context we'll be passing
|
||||||
contextSize = (DWORD)strlen(image) + 1 + sizeof(LoadLibraryContext);
|
imagePathSize = (DWORD)strlen(image) + 1;
|
||||||
|
contextSize = imagePathSize + sizeof(LoadLibraryContext);
|
||||||
|
|
||||||
if (!(context = (LoadLibraryContext *)malloc(contextSize)))
|
if (!(context = (LoadLibraryContext *)malloc(contextSize)))
|
||||||
{
|
{
|
||||||
@ -373,7 +375,7 @@ DWORD remote_load_library(HANDLE process, LPCSTR image, HMODULE *base)
|
|||||||
context->loadLibraryAddress = (PVOID)GetProcAddress(
|
context->loadLibraryAddress = (PVOID)GetProcAddress(
|
||||||
GetModuleHandle("kernel32"), "LoadLibraryA");
|
GetModuleHandle("kernel32"), "LoadLibraryA");
|
||||||
|
|
||||||
strcpy(context->imagePath, image);
|
strcpy_s(context->imagePath, imagePathSize, image);
|
||||||
|
|
||||||
// Execute the LoadLibraryA stub
|
// Execute the LoadLibraryA stub
|
||||||
result = execute_code_stub_in_process(process, (PVOID)loadLibraryStub,
|
result = execute_code_stub_in_process(process, (PVOID)loadLibraryStub,
|
||||||
@ -398,6 +400,7 @@ DWORD remote_get_proc_address(HANDLE process, HMODULE module,
|
|||||||
GetProcAddressContext *context = NULL;
|
GetProcAddressContext *context = NULL;
|
||||||
DWORD result = ERROR_SUCCESS;
|
DWORD result = ERROR_SUCCESS;
|
||||||
DWORD contextSize = 0;
|
DWORD contextSize = 0;
|
||||||
|
DWORD symbolSize = 0;
|
||||||
BYTE getProcAddressStub[] =
|
BYTE getProcAddressStub[] =
|
||||||
"\x8b\x54\x24\x04" // see unload_library_stub
|
"\x8b\x54\x24\x04" // see unload_library_stub
|
||||||
"\x8b\x5a\x04"
|
"\x8b\x5a\x04"
|
||||||
@ -410,7 +413,8 @@ DWORD remote_get_proc_address(HANDLE process, HMODULE module,
|
|||||||
do
|
do
|
||||||
{
|
{
|
||||||
// Calculate the size of the context we'll be passing
|
// Calculate the size of the context we'll be passing
|
||||||
contextSize = strlen(symbol) + 1 + sizeof(GetProcAddressContext);
|
symbolSize = (DWORD)strlen(symbol) + 1;
|
||||||
|
contextSize = symbolSize + sizeof(GetProcAddressContext);
|
||||||
|
|
||||||
if (!(context = (GetProcAddressContext *)malloc(contextSize)))
|
if (!(context = (GetProcAddressContext *)malloc(contextSize)))
|
||||||
{
|
{
|
||||||
@ -423,7 +427,7 @@ DWORD remote_get_proc_address(HANDLE process, HMODULE module,
|
|||||||
GetModuleHandle("kernel32"), "GetProcAddress");
|
GetModuleHandle("kernel32"), "GetProcAddress");
|
||||||
context->module = module;
|
context->module = module;
|
||||||
|
|
||||||
strcpy(context->symbol, symbol);
|
strcpy_s(context->symbol, symbolSize, symbol);
|
||||||
|
|
||||||
// Execute the LoadLibraryA stub
|
// Execute the LoadLibraryA stub
|
||||||
result = execute_code_stub_in_process(process, (PVOID)getProcAddressStub,
|
result = execute_code_stub_in_process(process, (PVOID)getProcAddressStub,
|
||||||
|
|||||||
@ -308,7 +308,7 @@ BOOL ps_getpath( DWORD pid, char * cpExePath, DWORD dwExePathSize, char * cpExeN
|
|||||||
{
|
{
|
||||||
name = strrchr( cpExePath, '\\' );
|
name = strrchr( cpExePath, '\\' );
|
||||||
if( name )
|
if( name )
|
||||||
strncpy( cpExeName, name+1, dwExeNameSize );
|
strncpy( cpExeName, name+1, dwExeNameSize - 1 );
|
||||||
}
|
}
|
||||||
success = TRUE;
|
success = TRUE;
|
||||||
}
|
}
|
||||||
@ -639,6 +639,9 @@ void parse_status(char * buffer, struct info_process * info) {
|
|||||||
strncpy(info->name, str+strlen(NAME), sizeof(info->name)-1);
|
strncpy(info->name, str+strlen(NAME), sizeof(info->name)-1);
|
||||||
|
|
||||||
if ( strncmp(str, STATE, strlen(STATE)) == 0 ) {
|
if ( strncmp(str, STATE, strlen(STATE)) == 0 ) {
|
||||||
|
// TODO: rather than use strncpy for 1 char, why can't
|
||||||
|
// we just write the one char given the state is already zeroed?
|
||||||
|
// info->state[0] = str[strlen(STATE)];
|
||||||
strncpy(info->state, str+strlen(STATE), 1); // want only 1 char
|
strncpy(info->state, str+strlen(STATE), 1); // want only 1 char
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|||||||
@ -562,7 +562,7 @@ HMODULE libloader_load_library(LPCSTR name, PUCHAR buffer, DWORD bufferLength)
|
|||||||
do
|
do
|
||||||
{
|
{
|
||||||
// The name of the library to load it as
|
// The name of the library to load it as
|
||||||
strncpy(ctx->libname, shortName, sizeof(ctx->libname));
|
strncpy(ctx->libname, shortName, sizeof(ctx->libname) - 1);
|
||||||
ctx->liblen = (int)strlen(ctx->libname) + 1;
|
ctx->liblen = (int)strlen(ctx->libname) + 1;
|
||||||
|
|
||||||
// The address of the raw buffer
|
// The address of the raw buffer
|
||||||
|
|||||||
Loading…
x
Reference in New Issue
Block a user