Remove core_uuid and add core_set_uuid

2024-11-26 17:41:08 +01:00 · 2016-10-29 12:42:36 +10:00 · 2016-10-29 12:42:36 +10:00 · 70812fd1ce
commit 70812fd1ce
parent ed1e912e6b
10 changed files with 56 additions and 44 deletions
--- a/c/meterpreter/source/server/posix/remote_dispatch.c
+++ b/c/meterpreter/source/server/posix/remote_dispatch.c
@ -153,17 +153,19 @@ DWORD request_core_machine_id(Remote* remote, Packet* packet)

 	return ERROR_SUCCESS;
 }
-
-DWORD request_core_uuid(Remote* remote, Packet* packet) {
-	DWORD res = ERROR_SUCCESS;
-	Packet* response = packet_create_response(packet);
-
-	if (response) {
-		packet_add_tlv_raw(response, TLV_TYPE_UUID, remote->orig_config->session.uuid, UUID_SIZE);
-
-		packet_transmit_response(ERROR_SUCCESS, remote, response);
-	}
-
-	return res;
-}
-
+
+DWORD request_core_set_uuid(Remote* remote, Packet* packet)
+{
+	Packet* response = packet_create_response(packet);
+	PBYTE newUuid = packet_get_tlv_value_raw(packet, TLV_TYPE_UUID);
+
+	if (newUuid != NULL) {
+		memcpy(remote->orig_config->session.uuid, newUuid, UUID_SIZE);
+	}
+
+	if (response) {
+		packet_transmit_response(ERROR_SUCCESS, remote, response);
+	}
+
+	return ERROR_SUCCESS;
+}
--- a/c/meterpreter/source/server/remote_dispatch_common.c
+++ b/c/meterpreter/source/server/remote_dispatch_common.c
@ -9,7 +9,7 @@ PLIST gExtensionList = NULL;

 DWORD request_core_enumextcmd(Remote* remote, Packet* packet);
 DWORD request_core_machine_id(Remote* remote, Packet* packet);
-DWORD request_core_uuid(Remote* remote, Packet* packet);
+DWORD request_core_set_uuid(Remote* remote, Packet* packet);
 #ifdef _WIN32
 BOOL request_core_patch_url(Remote* remote, Packet* packet, DWORD* result);
 #endif
@ -20,7 +20,7 @@ Command customCommands[] =
 	COMMAND_REQ("core_loadlib", request_core_loadlib),
 	COMMAND_REQ("core_enumextcmd", request_core_enumextcmd),
 	COMMAND_REQ("core_machine_id", request_core_machine_id),
-	COMMAND_REQ("core_uuid", request_core_uuid),
+	COMMAND_REQ("core_set_uuid", request_core_set_uuid),
 #ifdef _WIN32
 	COMMAND_INLINE_REP("core_patch_url", request_core_patch_url),
 #endif
--- a/c/meterpreter/source/server/win/remote_dispatch.c
+++ b/c/meterpreter/source/server/win/remote_dispatch.c
@ -239,28 +239,22 @@ DWORD request_core_loadlib(Remote *pRemote, Packet *pPacket)
 	return res;
 }

-DWORD request_core_uuid(Remote* remote, Packet* packet)
+DWORD request_core_set_uuid(Remote* remote, Packet* packet)
 {
-	DWORD res = ERROR_SUCCESS;
 	Packet* response = packet_create_response(packet);
+	PBYTE newUuid = packet_get_tlv_value_raw(packet, TLV_TYPE_UUID);
+
+	if (newUuid != NULL)
+	{
+		memcpy(remote->orig_config->session.uuid, newUuid, UUID_SIZE);
+	}

 	if (response)
 	{
-#ifdef DEBUGTRACE
-		LPBYTE uuid = remote->orig_config->session.uuid;
-		dprintf("[request_core_uuid] returning: %02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x%02x",
-			uuid[0], uuid[1], uuid[2], uuid[3],
-			uuid[4], uuid[5], uuid[6], uuid[7],
-			uuid[8], uuid[9], uuid[10], uuid[11],
-			uuid[12], uuid[13], uuid[14], uuid[15]
-			);
-#endif
-		// This is always added to every packet, so we don't need to add it here.
-
 		packet_transmit_response(ERROR_SUCCESS, remote, response);
 	}

-	return res;
+	return ERROR_SUCCESS;
 }

 DWORD request_core_machine_id(Remote* pRemote, Packet* pPacket)
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/Meterpreter.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/Meterpreter.java
@ -90,6 +90,10 @@ public class Meterpreter {
        return this.uuid;
    }

+    public void setUUID(byte[] newUuid) {
+        this.uuid = newUuid;
+    }
+
    public long getExpiry() {
        return (this.sessionExpiry - System.currentTimeMillis()) / Transport.MS;
    }
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/TLVType.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/TLVType.java
@ -121,6 +121,7 @@ public interface TLVType {
    public static final int TLV_TYPE_COMPUTER_NAME = TLVPacket.TLV_META_TYPE_STRING | 1040;
    public static final int TLV_TYPE_OS_NAME       = TLVPacket.TLV_META_TYPE_STRING | 1041;
    public static final int TLV_TYPE_USER_NAME     = TLVPacket.TLV_META_TYPE_STRING | 1042;
+    public static final int TLV_TYPE_ARCHITECTURE  = TLVPacket.TLV_META_TYPE_STRING | 1043;

    public static final int TLV_TYPE_ENV_VARIABLE = TLVPacket.TLV_META_TYPE_STRING | 1100;
    public static final int TLV_TYPE_ENV_VALUE    = TLVPacket.TLV_META_TYPE_STRING | 1101;
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/core/Loader.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/core/Loader.java
@ -19,7 +19,7 @@ public class Loader implements ExtensionLoader {
        mgr.registerCommand("core_channel_write", core_channel_write.class);
        mgr.registerCommand("core_enumextcmd", core_enumextcmd.class);
        mgr.registerCommand("core_loadlib", core_loadlib.class);
-        mgr.registerCommand("core_uuid", core_uuid.class);
+        mgr.registerCommand("core_set_uuid", core_set_uuid.class);
        mgr.registerCommand("core_machine_id", core_machine_id.class);
        mgr.registerCommand("core_patch_url", core_patch_url.class);
        mgr.registerCommand("core_shutdown", core_shutdown.class);
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/core/core_set_uuid.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/core/core_set_uuid.java
@ -8,10 +8,12 @@ import com.metasploit.meterpreter.command.Command;

 import java.io.IOException;

-public class core_uuid implements Command {
+public class core_set_uuid implements Command {
    public int execute(Meterpreter meterpreter, TLVPacket request, TLVPacket response) throws Exception {
-        // UUID is added to every packet, so we don't need it here.
+        byte[] newUuid = request.getRawValue(TLVType.TLV_TYPE_UUID, null);
+        if (newUuid != null) {
+            meterpreter.setUUID(newUuid);
+        }
        return ERROR_SUCCESS;
    }
 }
-
--- a/java/meterpreter/stdapi/src/main/java/com/metasploit/meterpreter/stdapi/stdapi_sys_config_sysinfo.java
+++ b/java/meterpreter/stdapi/src/main/java/com/metasploit/meterpreter/stdapi/stdapi_sys_config_sysinfo.java
@ -13,4 +13,4 @@ public class stdapi_sys_config_sysinfo implements Command {
        response.add(TLVType.TLV_TYPE_OS_NAME, System.getProperty("os.name") + " " + System.getProperty("os.version") + " (" + System.getProperty("os.arch") + ")");
        return ERROR_SUCCESS;
    }
-}
+}
--- a/php/meterpreter/meterpreter.php
+++ b/php/meterpreter/meterpreter.php
@ -32,7 +32,7 @@ if (!isset($GLOBALS['readers'])) {

 # global list of extension commands
 if (!isset($GLOBALS['commands'])) {
-    $GLOBALS['commands'] = array("core_loadlib", "core_machine_id", "core_uuid");
+    $GLOBALS['commands'] = array("core_loadlib", "core_machine_id", "core_set_uuid");
 }

 function register_command($c) {
@ -442,9 +442,13 @@ function core_enumextcmd($req, &$pkt) {
  return ERROR_SUCCESS;
 }

-function core_uuid($req, &$pkt) {
-    my_print("doing core_uuid");
-    # this is always added, so we don't need to add it ourselves
+function core_set_uuid($req, &$pkt) {
+    my_print("doing core_set_uuid");
+    $new_uuid = packet_get_tlv($req, TLV_TYPE_UUID);
+    if ($new_uuid != null) {
+      $GLOBALS['UUID'] = $new_uuid['value'];
+      my_print("New UUID is {$GLOBALS['UUID']}");
+    }
    return ERROR_SUCCESS;
 }

@ -674,7 +678,7 @@ function handle_dead_resource_channel($resource) {
        packet_add_tlv($pkt, create_tlv(TLV_TYPE_METHOD, 'core_channel_close'));
        packet_add_tlv($pkt, create_tlv(TLV_TYPE_REQUEST_ID, generate_req_id()));
        packet_add_tlv($pkt, create_tlv(TLV_TYPE_CHANNEL_ID, $cid));
-        packet_add_tlv($pkt, create_tlv(TLV_TYPE_UUID, PAYLOAD_UUID));
+        packet_add_tlv($pkt, create_tlv(TLV_TYPE_UUID, $GLOBALS['UUID']));

        # Add the length to the beginning of the packet
        $pkt = pack("N", strlen($pkt) + 4) . $pkt;
@ -699,7 +703,7 @@ function handle_resource_read_channel($resource, $data) {
    packet_add_tlv($pkt, create_tlv(TLV_TYPE_CHANNEL_DATA, $data));
    packet_add_tlv($pkt, create_tlv(TLV_TYPE_LENGTH, strlen($data)));
    packet_add_tlv($pkt, create_tlv(TLV_TYPE_REQUEST_ID, generate_req_id()));
-    packet_add_tlv($pkt, create_tlv(TLV_TYPE_UUID, PAYLOAD_UUID));
+    packet_add_tlv($pkt, create_tlv(TLV_TYPE_UUID, $GLOBALS['UUID']));

    # Add the length to the beginning of the packet
    $pkt = pack("N", strlen($pkt) + 4) . $pkt;
@ -725,7 +729,7 @@ function create_response($xor, $req) {
    }

    packet_add_tlv($pkt, create_tlv(TLV_TYPE_RESULT, $result));
-    packet_add_tlv($pkt, create_tlv(TLV_TYPE_UUID, PAYLOAD_UUID));
+    packet_add_tlv($pkt, create_tlv(TLV_TYPE_UUID, $GLOBALS['UUID']));

    # Add the length to the beginning of the packet
    $pkt = pack("N", strlen($pkt) + 4) . $pkt;
@ -1222,6 +1226,9 @@ error_reporting(0);
@ignore_user_abort(1);
@ini_set('max_execution_time',0);

+# Add the payload UUID to globals, and use that from now on so that we can
+# update it as required.
+$GLOBALS['UUID'] = PAYLOAD_UUID;

 # If we don't have a socket we're standalone, setup the connection here.
 # Otherwise, this is a staged payload, don't bother connecting
--- a/python/meterpreter/meterpreter.py
+++ b/python/meterpreter/meterpreter.py
@ -851,8 +851,10 @@ class PythonMeterpreter(object):
 		pkt  = struct.pack('>I', len(pkt) + 4) + pkt
 		self.send_packet(pkt)

-	def _core_uuid(self, request, response):
-		# UUID is now always included, so we don't need to add it here.
+	def _core_set_uuid(self, request, response):
+		new_uuid = packet_get_tlv(request, TLV_TYPE_UUID)
+		if new_uuid:
+			PAYLOAD_UUID = binascii.b2a_hex(new_uuid['value'])
 		return ERROR_SUCCESS, response

 	def _core_enumextcmd(self, request, response):