mirror of
https://github.com/rapid7/metasploit-payloads
synced 2024-11-26 17:41:08 +01:00
Update lanattacks to not use delay loading of metsrv
This commit is contained in:
parent
f7b50df020
commit
8565f9967e
@ -2,17 +2,16 @@
|
||||
* This module implements LAN attacks, like pxesploit and DHCP attacks
|
||||
*/
|
||||
#define _CRT_SECURE_NO_DEPRECATE 1
|
||||
#include "../../common/common.h"
|
||||
#include "../../DelayLoadMetSrv/DelayLoadMetSrv.h"
|
||||
// include the Reflectiveloader() function, we end up linking back to the metsrv.dll's Init function
|
||||
// but this doesnt matter as we wont ever call DLL_METASPLOIT_ATTACH as that is only used by the
|
||||
// second stage reflective dll inject payload and not the metsrv itself when it loads extensions.
|
||||
#include "common.h"
|
||||
#include "common_metapi.h"
|
||||
|
||||
// Required so that use of the API works.
|
||||
MetApi* met_api = NULL;
|
||||
|
||||
#include "../../ReflectiveDLLInjection/dll/src/ReflectiveLoader.c"
|
||||
#include <windows.h>
|
||||
#include "lanattacks.h"
|
||||
|
||||
// this sets the delay load hook function, see DelayLoadMetSrv.h
|
||||
EnableDelayLoadMetSrv();
|
||||
|
||||
void* dhcpserver = NULL; //global DHCP server pointer
|
||||
void* tftpserver = NULL; //global TFTP server pointer
|
||||
@ -20,11 +19,11 @@ void* tftpserver = NULL; //global TFTP server pointer
|
||||
//Launches the DHCP server
|
||||
DWORD request_lanattacks_start_dhcp(Remote *remote, Packet *packet)
|
||||
{
|
||||
Packet *response = packet_create_response(packet);
|
||||
Packet *response = met_api->packet.create_response(packet);
|
||||
|
||||
int res = startDHCPServer(dhcpserver);
|
||||
|
||||
packet_transmit_response(res, remote, response);
|
||||
met_api->packet.transmit_response(res, remote, response);
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
@ -32,12 +31,12 @@ DWORD request_lanattacks_start_dhcp(Remote *remote, Packet *packet)
|
||||
//Reset the DHCP server
|
||||
DWORD request_lanattacks_reset_dhcp(Remote *remote, Packet *packet)
|
||||
{
|
||||
Packet *response = packet_create_response(packet);
|
||||
Packet *response = met_api->packet.create_response(packet);
|
||||
|
||||
destroyDHCPServer(dhcpserver);
|
||||
dhcpserver = createDHCPServer();
|
||||
|
||||
packet_transmit_response(ERROR_SUCCESS, remote, response);
|
||||
met_api->packet.transmit_response(ERROR_SUCCESS, remote, response);
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
@ -48,35 +47,35 @@ DWORD request_lanattacks_set_dhcp_option(Remote *remote, Packet *packet)
|
||||
DWORD retval = ERROR_SUCCESS;
|
||||
char* name = NULL;
|
||||
unsigned int namelen = 0;
|
||||
Packet *response = packet_create_response(packet);
|
||||
Packet *response = met_api->packet.create_response(packet);
|
||||
|
||||
do
|
||||
{
|
||||
//Get option value
|
||||
Tlv tlv;
|
||||
if ((retval = packet_get_tlv(packet, TLV_TYPE_LANATTACKS_OPTION, &tlv)) != ERROR_SUCCESS)
|
||||
if ((retval = met_api->packet.get_tlv(packet, TLV_TYPE_LANATTACKS_OPTION, &tlv)) != ERROR_SUCCESS)
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
//Get option name
|
||||
name = packet_get_tlv_value_string(packet, TLV_TYPE_LANATTACKS_OPTION_NAME);
|
||||
name = met_api->packet.get_tlv_value_string(packet, TLV_TYPE_LANATTACKS_OPTION_NAME);
|
||||
namelen = (unsigned int)strlen(name);
|
||||
setDHCPOption(dhcpserver, name, namelen, (char*)tlv.buffer, tlv.header.length);
|
||||
} while (0);
|
||||
|
||||
packet_transmit_response(retval, remote, response);
|
||||
met_api->packet.transmit_response(retval, remote, response);
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
||||
//Turns off the DHCP server
|
||||
DWORD request_lanattacks_stop_dhcp(Remote *remote, Packet *packet)
|
||||
{
|
||||
Packet *response = packet_create_response(packet);
|
||||
Packet *response = met_api->packet.create_response(packet);
|
||||
|
||||
int res = stopDHCPServer(dhcpserver);
|
||||
|
||||
packet_transmit_response(res, remote, response);
|
||||
met_api->packet.transmit_response(res, remote, response);
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
@ -84,13 +83,13 @@ DWORD request_lanattacks_stop_dhcp(Remote *remote, Packet *packet)
|
||||
//Gets and resets the DHCP log
|
||||
DWORD request_lanattacks_dhcp_log(Remote *remote, Packet *packet)
|
||||
{
|
||||
Packet *response = packet_create_response(packet);
|
||||
Packet *response = met_api->packet.create_response(packet);
|
||||
|
||||
unsigned long loglen;
|
||||
unsigned char * log = getDHCPLog(dhcpserver, &loglen);
|
||||
|
||||
packet_add_tlv_raw(response, TLV_TYPE_LANATTACKS_RAW, log, loglen);
|
||||
packet_transmit_response(ERROR_SUCCESS, remote, response);
|
||||
met_api->packet.add_tlv_raw(response, TLV_TYPE_LANATTACKS_RAW, log, loglen);
|
||||
met_api->packet.transmit_response(ERROR_SUCCESS, remote, response);
|
||||
free(log);
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
@ -99,11 +98,11 @@ DWORD request_lanattacks_dhcp_log(Remote *remote, Packet *packet)
|
||||
//Launches the TFTP server
|
||||
DWORD request_lanattacks_start_tftp(Remote *remote, Packet *packet)
|
||||
{
|
||||
Packet *response = packet_create_response(packet);
|
||||
Packet *response = met_api->packet.create_response(packet);
|
||||
|
||||
int res = startTFTPServer(tftpserver);
|
||||
|
||||
packet_transmit_response(res, remote, response);
|
||||
met_api->packet.transmit_response(res, remote, response);
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
@ -111,12 +110,12 @@ DWORD request_lanattacks_start_tftp(Remote *remote, Packet *packet)
|
||||
//Reset the TFTP server
|
||||
DWORD request_lanattacks_reset_tftp(Remote *remote, Packet *packet)
|
||||
{
|
||||
Packet *response = packet_create_response(packet);
|
||||
Packet *response = met_api->packet.create_response(packet);
|
||||
|
||||
destroyTFTPServer(tftpserver);
|
||||
tftpserver = createTFTPServer();
|
||||
|
||||
packet_transmit_response(ERROR_SUCCESS, remote, response);
|
||||
met_api->packet.transmit_response(ERROR_SUCCESS, remote, response);
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
@ -127,34 +126,34 @@ DWORD request_lanattacks_add_tftp_file(Remote *remote, Packet *packet)
|
||||
DWORD retval = ERROR_SUCCESS;
|
||||
char* name = NULL;
|
||||
unsigned int namelen = 0;
|
||||
Packet *response = packet_create_response(packet);
|
||||
Packet *response = met_api->packet.create_response(packet);
|
||||
|
||||
do{
|
||||
Tlv tlv;
|
||||
//Get file contents
|
||||
if ((retval = packet_get_tlv(packet, TLV_TYPE_LANATTACKS_RAW, &tlv)) != ERROR_SUCCESS)
|
||||
if ((retval = met_api->packet.get_tlv(packet, TLV_TYPE_LANATTACKS_RAW, &tlv)) != ERROR_SUCCESS)
|
||||
{
|
||||
break;
|
||||
}
|
||||
|
||||
//Get file name
|
||||
name = packet_get_tlv_value_string(packet, TLV_TYPE_LANATTACKS_OPTION_NAME);
|
||||
name = met_api->packet.get_tlv_value_string(packet, TLV_TYPE_LANATTACKS_OPTION_NAME);
|
||||
namelen = (unsigned int)strlen(name);
|
||||
addTFTPFile(tftpserver, name, namelen, (char*)tlv.buffer, tlv.header.length);
|
||||
} while (0);
|
||||
|
||||
packet_transmit_response(retval, remote, response);
|
||||
met_api->packet.transmit_response(retval, remote, response);
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
||||
//Turns off the TFTP server
|
||||
DWORD request_lanattacks_stop_tftp(Remote *remote, Packet *packet)
|
||||
{
|
||||
Packet *response = packet_create_response(packet);
|
||||
Packet *response = met_api->packet.create_response(packet);
|
||||
|
||||
int res = stopTFTPServer(tftpserver);
|
||||
|
||||
packet_transmit_response(res, remote, response);
|
||||
met_api->packet.transmit_response(res, remote, response);
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
@ -175,14 +174,15 @@ Command customCommands[] =
|
||||
|
||||
/*!
|
||||
* @brief Initialize the server extension.
|
||||
* @param api Pointer to the Meterpreter API structure.
|
||||
* @param remote Pointer to the remote instance.
|
||||
* @return Indication of success or failure.
|
||||
*/
|
||||
DWORD __declspec(dllexport) InitServerExtension(Remote *remote)
|
||||
DWORD __declspec(dllexport) InitServerExtension(MetApi* api, Remote* remote)
|
||||
{
|
||||
hMetSrv = remote->met_srv;
|
||||
met_api = api;
|
||||
|
||||
command_register_all(customCommands);
|
||||
met_api->command.register_all(customCommands);
|
||||
|
||||
dhcpserver = createDHCPServer();
|
||||
tftpserver = createTFTPServer();
|
||||
@ -208,7 +208,7 @@ DWORD __declspec(dllexport) DeinitServerExtension(Remote *remote)
|
||||
destroyDHCPServer(dhcpserver);
|
||||
dhcpserver = NULL;
|
||||
|
||||
command_deregister_all(customCommands);
|
||||
met_api->command.deregister_all(customCommands);
|
||||
|
||||
return ERROR_SUCCESS;
|
||||
}
|
||||
|
@ -84,7 +84,7 @@
|
||||
<Optimization>MinSpace</Optimization>
|
||||
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||
<IntrinsicFunctions>false</IntrinsicFunctions>
|
||||
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\lanattacks;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\lanattacks;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<StringPooling>true</StringPooling>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
@ -127,7 +127,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
|
||||
<Optimization>MinSpace</Optimization>
|
||||
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||
<IntrinsicFunctions>false</IntrinsicFunctions>
|
||||
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\lanattacks;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\lanattacks;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<StringPooling>true</StringPooling>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
@ -173,7 +173,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
|
||||
<Optimization>MinSpace</Optimization>
|
||||
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||
<IntrinsicFunctions>false</IntrinsicFunctions>
|
||||
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\lanattacks;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\lanattacks;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<StringPooling>true</StringPooling>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
@ -223,7 +223,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\"</Command>
|
||||
<Optimization>MinSpace</Optimization>
|
||||
<InlineFunctionExpansion>OnlyExplicitInline</InlineFunctionExpansion>
|
||||
<IntrinsicFunctions>false</IntrinsicFunctions>
|
||||
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\lanattacks;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<AdditionalIncludeDirectories>..\..\source\ReflectiveDLLInjection\common;..\..\source\extensions\lanattacks;..\..\source\common;%(AdditionalIncludeDirectories)</AdditionalIncludeDirectories>
|
||||
<PreprocessorDefinitions>WIN32;NDEBUG;_WINDOWS;_USRDLL;%(PreprocessorDefinitions)</PreprocessorDefinitions>
|
||||
<StringPooling>true</StringPooling>
|
||||
<RuntimeLibrary>MultiThreaded</RuntimeLibrary>
|
||||
|
Loading…
Reference in New Issue
Block a user