Fix Metasploit 6 pivoting issue

2025-01-02 11:36:22 +01:00 · 2020-09-24 14:23:56 +01:00 · 2020-09-24 14:23:56 +01:00 · 985ccbd3af
commit 985ccbd3af
parent 62f78c0f23
2 changed files with 13 additions and 12 deletions
--- a/c/meterpreter/source/common/common_command_ids.h
+++ b/c/meterpreter/source/common/common_command_ids.h
@ -55,6 +55,7 @@
 #define COMMAND_ID_CORE_TRANSPORT_SETCERTHASH 31
 #define COMMAND_ID_CORE_TRANSPORT_SET_TIMEOUTS 32
 #define COMMAND_ID_CORE_TRANSPORT_SLEEP 33
+#define COMMAND_ID_CORE_PIVOT_SESSION_NEW 34
 #define COMMAND_ID_STDAPI_FS_CHDIR 1001
 #define COMMAND_ID_STDAPI_FS_CHMOD 1002
 #define COMMAND_ID_STDAPI_FS_DELETE_DIR 1003
--- a/c/meterpreter/source/metsrv/server_pivot_named_pipe.c
+++ b/c/meterpreter/source/metsrv/server_pivot_named_pipe.c
@ -163,18 +163,18 @@ static DWORD read_pipe_to_packet(NamedPipeContext* ctx, LPBYTE source, DWORD sou
 					dprintf("[PIPE] Request ID found and matches expected value");
 					// we have a response to our session guid request
 					DWORD sessionGuidLen = 0;
-					LPBYTE sessionGuid = packet_get_tlv_value_raw(packet, TLV_TYPE_SESSION_GUID, 0);
-#ifdef DEBUGTRACE
-					PUCHAR h = (PUCHAR)&sessionGuid[0];
-					dprintf("[PIPE] Returned session guid: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X",
-						h[0], h[1], h[2], h[3], h[4], h[5], h[6], h[7], h[8], h[9], h[10], h[11], h[12], h[13], h[14], h[15]);
-					h = (PUCHAR)&ctx->pivot_session_guid;
-					dprintf("[PIPE]    Pivot session guid: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X",
-						h[0], h[1], h[2], h[3], h[4], h[5], h[6], h[7], h[8], h[9], h[10], h[11], h[12], h[13], h[14], h[15]);
-					dprintf("[PIPE] Session pivot session guid size: %u", sizeof(ctx->pivot_session_guid));
-#endif
-					if (sessionGuid != NULL && memcmp(&ctx->pivot_session_guid, sessionGuid, sizeof(ctx->pivot_session_guid)) != 0)
+					LPBYTE sessionGuid = packet_get_tlv_value_raw(packet, TLV_TYPE_SESSION_GUID, &sessionGuidLen);
+					if (sessionGuid != NULL && sessionGuidLen == sizeof(ctx->pivot_session_guid) && memcmp(&ctx->pivot_session_guid, sessionGuid, sizeof(ctx->pivot_session_guid)) != 0)
 					{
+#ifdef DEBUGTRACE
+						PUCHAR h = (PUCHAR)&sessionGuid[0];
+						dprintf("[PIPE] Returned session guid: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X",
+							h[0], h[1], h[2], h[3], h[4], h[5], h[6], h[7], h[8], h[9], h[10], h[11], h[12], h[13], h[14], h[15]);
+						h = (PUCHAR)&ctx->pivot_session_guid;
+						dprintf("[PIPE]    Pivot session guid: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X",
+							h[0], h[1], h[2], h[3], h[4], h[5], h[6], h[7], h[8], h[9], h[10], h[11], h[12], h[13], h[14], h[15]);
+						dprintf("[PIPE] Session pivot session guid size: %u", sizeof(ctx->pivot_session_guid));
+#endif
 						dprintf("[PIPE] Session guid returned, looks like the session is a reconnect");
 						memcpy(&ctx->pivot_session_guid, sessionGuid, sizeof(ctx->pivot_session_guid));

@ -212,7 +212,7 @@ static DWORD read_pipe_to_packet(NamedPipeContext* ctx, LPBYTE source, DWORD sou

 					// with the session now established, we need to inform metasploit of the new connection
 					dprintf("[PIPE] Informing MSF of the new named pipe pivot");
-					Packet* notification = packet_create(PACKET_TLV_TYPE_REQUEST, COMMAND_ID_CORE_PIVOT_SESSION_DIED);
+					Packet* notification = packet_create(PACKET_TLV_TYPE_REQUEST, COMMAND_ID_CORE_PIVOT_SESSION_NEW);
 					packet_add_tlv_raw(notification, TLV_TYPE_SESSION_GUID, (LPVOID)&ctx->pivot_session_guid, sizeof(ctx->pivot_session_guid));
 					packet_add_tlv_raw(notification, TLV_TYPE_PIVOT_ID, (LPVOID)&ctx->pivot_id, sizeof(ctx->pivot_id));
 					packet_transmit(ctx->remote, notification, NULL);