
Fix stageless URI redirect parsing

This commit fixes the case where we incorrectly assume that the URIs
used in the transport don't make use of the LURI setting in MSF.

The bug was that the code iterated through the URI string in reverse,
looking for a slash and then using that as the point to patch the new
URI over the existing. This meant that with the LURI parameter used, the
actual LURI field was missed, and the patch would result in the LURI
value appearing again.

The fix instead iterates from the start of the string and stops at the
third slash. This means that the LURI field is patched over as well as
the UUID section.

Fixes #197
OJ 2017-05-03 10:36:53 +10:00
parent d74ca91e81
commit 7c65e621a1
No known key found for this signature in database
GPG Key ID: D5DC61FB93260597


@ -865,12 +865,33 @@ static DWORD server_dispatch_http(Remote* remote, THREAD* dispatchThread)
// we also need to patch the new URI into the original transport URL, not just the currently
// active URI for comms. If we don't, then migration behaves badly.
// Start by locating the start of the URI in the current URL, by finding the third slash
wchar_t* csr = transport->url + wcslen(transport->url) - 2;
while (*csr != L'/')
// The URL looks like this: http(s)://<domain-or-ip>:port/lurivalue/UUIDJUNK/
// Start by locating the start of the URI in the current URL, by finding the third slash,
// as this value includes the LURI
wchar_t* csr = transport->url;
for (int i = 0; i < 3; ++i)
{
--csr;
// We need to move to the next character first in case
// we are currently pointing at the previously found /
// we know we're safe skipping the first character in the whole
// URL because that'll be part of the scheme (ie. 'h' in http)
++csr;
while (*csr != L'\0' && *csr != L'/')
{
++csr;
}
dprintf("[DISPATCH] %d csr: %p -> %S", i, csr, csr);
// this shouldn't happen!
if (*csr == L'\0')
{
break;
}
}
// the pointer that we have will be
dprintf("[DISPATCH] Pointer is at: %p -> %S", csr, csr);
// patch in the new URI