mirror of https://github.com/rapid7/metasploit-payloads synced 2025-01-02 11:36:22 +01:00

Land #397, Change from PEM to DER for crypt TLV negotiation

This commit is contained in:
Spencer McIntyre 2020-06-18 13:54:31 -04:00
commit c8312f9c73
No known key found for this signature in database
GPG Key ID: 58101BA0D0D9C987
23 changed files with 81 additions and 94 deletions


@ -135,15 +135,13 @@ typedef enum
TLV_TYPE_LIBRARY_PATH = TLV_VALUE(TLV_META_TYPE_STRING, 400), ///! Represents a path to the library to be loaded (string).
TLV_TYPE_TARGET_PATH = TLV_VALUE(TLV_META_TYPE_STRING, 401), ///! Represents a target path (string).
TLV_TYPE_MIGRATE_PID = TLV_VALUE(TLV_META_TYPE_UINT, 402), ///! Represents a process identifier of the migration target (unsigned integer).
TLV_TYPE_MIGRATE_PAYLOAD_LEN = TLV_VALUE(TLV_META_TYPE_UINT, 403), ///! Represents a migration payload size/length in bytes (unsigned integer).
TLV_TYPE_MIGRATE_PAYLOAD = TLV_VALUE(TLV_META_TYPE_STRING, 404), ///! Represents a migration payload (string).
TLV_TYPE_MIGRATE_PAYLOAD = TLV_VALUE(TLV_META_TYPE_RAW, 404), ///! Represents a migration payload (raw).
TLV_TYPE_MIGRATE_ARCH = TLV_VALUE(TLV_META_TYPE_UINT, 405), ///! Represents a migration target architecture.
TLV_TYPE_MIGRATE_TECHNIQUE = TLV_VALUE(TLV_META_TYPE_UINT, 406), ///! Represents a migration technique (unsigned int).
TLV_TYPE_MIGRATE_BASE_ADDR = TLV_VALUE(TLV_META_TYPE_UINT, 407), ///! Represents a migration payload base address (unsigned int).
TLV_TYPE_MIGRATE_ENTRY_POINT = TLV_VALUE(TLV_META_TYPE_UINT, 408), ///! Represents a migration payload entry point (unsigned int).
TLV_TYPE_MIGRATE_SOCKET_PATH = TLV_VALUE(TLV_META_TYPE_STRING, 409), ///! Represents a unix domain socket path, used to migrate on linux (string)
TLV_TYPE_MIGRATE_STUB_LEN = TLV_VALUE(TLV_META_TYPE_UINT, 410), ///! Represents a migration stub length (uint).
TLV_TYPE_MIGRATE_STUB = TLV_VALUE(TLV_META_TYPE_STRING, 411), ///! Represents a migration stub (string).
TLV_TYPE_MIGRATE_STUB = TLV_VALUE(TLV_META_TYPE_RAW, 411), ///! Represents a migration stub (raw).
// Transport switching
TLV_TYPE_TRANS_TYPE = TLV_VALUE(TLV_META_TYPE_UINT, 430), ///! Represents the type of transport to switch to.
@ -166,7 +164,7 @@ typedef enum
TLV_TYPE_SESSION_GUID = TLV_VALUE(TLV_META_TYPE_RAW, 462), ///! Represents a Session GUID.
// Packet encryption
TLV_TYPE_RSA_PUB_KEY = TLV_VALUE(TLV_META_TYPE_STRING, 550), ///! Represents PEM-formatter RSA public key
TLV_TYPE_RSA_PUB_KEY = TLV_VALUE(TLV_META_TYPE_RAW, 550), ///! Represents DER-encoded RSA public key
TLV_TYPE_SYM_KEY_TYPE = TLV_VALUE(TLV_META_TYPE_UINT, 551), ///! Represents the type of symmetric key
TLV_TYPE_SYM_KEY = TLV_VALUE(TLV_META_TYPE_RAW, 552), ///! Represents the symmetric key
TLV_TYPE_ENC_SYM_KEY = TLV_VALUE(TLV_META_TYPE_RAW, 553), ///! Represents and RSA-encrypted symmetric key
@ -174,7 +172,6 @@ typedef enum
// Pivots
TLV_TYPE_PIVOT_ID = TLV_VALUE(TLV_META_TYPE_RAW, 650), ///! Represents the id of the pivot listener
TLV_TYPE_PIVOT_STAGE_DATA = TLV_VALUE(TLV_META_TYPE_RAW, 651), ///! Represents the data to be staged on new connections.
TLV_TYPE_PIVOT_STAGE_DATA_SIZE = TLV_VALUE(TLV_META_TYPE_UINT, 652), ///! Represents the size of the data to be staged on new connections.
TLV_TYPE_PIVOT_NAMED_PIPE_NAME = TLV_VALUE(TLV_META_TYPE_STRING, 653), ///! Represents named pipe name.
TLV_TYPE_EXTENSIONS = TLV_VALUE(TLV_META_TYPE_COMPLEX, 20000), ///! Represents an extension value.
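Review bot: The new comment on TLV_TYPE_RSA_PUB_KEY says only "DER-encoded RSA public key", which leaves the expected ASN.1 structure unstated; the consumer in this commit decodes the value as X509_PUBLIC_KEY_INFO and the PHP side wraps it in a "BEGIN PUBLIC KEY" PEM header, so the blob is a SubjectPublicKeyInfo. Suggest `///! Represents a DER-encoded SubjectPublicKeyInfo (X.509) RSA public key`. Changing the meta type of 550 from STRING to RAW also changes the on-wire TLV type value, so a peer that still sends the PEM string will no longer be matched by this enum; the commit message could state which sender-side change this pairs with. The enum continues outside the hunk.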


@ -92,7 +92,7 @@ typedef struct _SchedulerApi
typedef struct _PacketApi
{
BOOL(*get_tlv_value_bool)(Packet* packet, TlvType type);
BYTE*(*get_tlv_value_raw)(Packet* packet, TlvType type);
BYTE*(*get_tlv_value_raw)(Packet* packet, TlvType type, DWORD* length);
DWORD(*add_completion_handler)(LPCSTR requestId, PacketRequestCompletion* completion);
DWORD(*add_exception)(Packet* packet, DWORD code, PCHAR fmt, ...);
DWORD(*add_group)(Packet* packet, TlvType type, Packet* groupPacket);
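Review bot: The `get_tlv_value_raw` slot changes from a two- to a three-argument function pointer inside the shared `_PacketApi` table, which is a binary-incompatible change for any extension built against the old layout: such an extension would still call through the slot with two arguments, and the callee would then write through a `length` pointer that was never supplied. If the API table carries a version that extensions check (not visible in this hunk), it should be bumped with this change; otherwise the break deserves a sentence in the commit message. The struct continues outside the hunk.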


@ -81,7 +81,6 @@
#define TLV_TYPE_EXT_PAGEANT_STATUS MAKE_CUSTOM_TLV(TLV_META_TYPE_BOOL, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 85)
#define TLV_TYPE_EXT_PAGEANT_ERRORMESSAGE MAKE_CUSTOM_TLV(TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 86)
#define TLV_TYPE_EXT_PAGEANT_RETURNEDBLOB MAKE_CUSTOM_TLV(TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 87)
#define TLV_TYPE_EXT_PAGEANT_SIZE_IN MAKE_CUSTOM_TLV(TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 88)
#define TLV_TYPE_EXT_PAGEANT_BLOB_IN MAKE_CUSTOM_TLV(TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 89)
#define TLV_TYPE_EXT_WMI_DOMAIN MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 90)


@ -180,8 +180,7 @@ DWORD request_pageant_send_query(Remote *remote, Packet *packet)
PAGEANTQUERYRESULTS results = { 0 };
// Retrieve from metasploit
rawDataSizeIn = met_api->packet.get_tlv_value_uint(packet, TLV_TYPE_EXT_PAGEANT_SIZE_IN);
rawDataIn = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_EXT_PAGEANT_BLOB_IN);
rawDataIn = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_EXT_PAGEANT_BLOB_IN, &rawDataSizeIn);
dprintf("[PJ(request_pageant_send_query)] Size in: %d. Data is at 0x%p", rawDataSizeIn, rawDataIn);
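Review bot: `rawDataSizeIn` is now written only when the TLV is present; on the NULL-return path of `get_tlv_value_raw` the out-parameter is left untouched (per the packet.c hunk in this commit), so whatever `rawDataSizeIn` held before the call survives into the dprintf and the code that follows. Its declaration is outside the hunk; make sure it is initialised to 0 there, and reject `rawDataIn == NULL` before the size is relied upon. The `%d` used for a DWORD in the dprintf would be `%u`.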


@ -51,8 +51,8 @@ DWORD request_peinjector_inject_shellcode(Remote *remote, Packet *packet)
if (response)
{
BYTE* shellcode = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_PEINJECTOR_SHELLCODE);
UINT size = met_api->packet.get_tlv_value_uint(packet, TLV_TYPE_PEINJECTOR_SHELLCODE_SIZE);
DWORD size = 0;
BYTE* shellcode = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_PEINJECTOR_SHELLCODE, &size);
BOOL is_x64 = met_api->packet.get_tlv_value_bool(packet, TLV_TYPE_PEINJECTOR_SHELLCODE_ISX64);
char* target_executable_path = met_api->packet.get_tlv_value_string(packet, TLV_TYPE_PEINJECTOR_TARGET_EXECUTABLE);


@ -11,7 +11,6 @@
#define TLV_TYPE_POWERSHELL_SESSIONID MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_PSH, TLV_EXTENSIONS + 1)
#define TLV_TYPE_POWERSHELL_CODE MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_PSH, TLV_EXTENSIONS + 2)
#define TLV_TYPE_POWERSHELL_RESULT MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_PSH, TLV_EXTENSIONS + 3)
#define TLV_TYPE_POWERSHELL_ASSEMBLY_SIZE MAKE_CUSTOM_TLV(TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_PSH, TLV_EXTENSIONS + 4)
#define TLV_TYPE_POWERSHELL_ASSEMBLY MAKE_CUSTOM_TLV(TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_PSH, TLV_EXTENSIONS + 5)
#endif
#endif


@ -821,10 +821,10 @@ DWORD request_powershell_assembly_load(Remote *remote, Packet *packet)
if (response)
{
BYTE* binary = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_POWERSHELL_ASSEMBLY);
DWORD binarySize = 0;
BYTE* binary = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_POWERSHELL_ASSEMBLY, &binarySize);
if (binary != NULL)
{
DWORD binarySize = met_api->packet.get_tlv_value_uint(packet, TLV_TYPE_POWERSHELL_ASSEMBLY_SIZE);
dwResult = load_assembly(binary, binarySize);
}
else


@ -484,7 +484,8 @@ DWORD request_python_execute(Remote* remote, Packet* packet)
{
DWORD dwResult = ERROR_SUCCESS;
Packet* response = met_api->packet.create_response(packet);
LPBYTE pythonCode = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_EXTENSION_PYTHON_CODE);
DWORD codeSize = 0;
LPBYTE pythonCode = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_EXTENSION_PYTHON_CODE, &codeSize);
PyObject* mainModule = PyImport_AddModule("__main__");
PyObject* mainDict = PyModule_GetDict(mainModule);
@ -506,4 +507,4 @@ DWORD request_python_execute(Remote* remote, Packet* packet)
}
return dwResult;
}
}


@ -687,14 +687,20 @@ DWORD request_railgun_memwrite( Remote * pRemote, Packet * pPacket )
if( !lpAddress )
BREAK_WITH_ERROR( "[RAILGUN] request_railgun_memwrite: !lpAddress", ERROR_INVALID_PARAMETER );
pData = met_api->packet.get_tlv_value_raw( pPacket, TLV_TYPE_RAILGUN_MEM_DATA );
DWORD pDataLen = 0;
pData = met_api->packet.get_tlv_value_raw( pPacket, TLV_TYPE_RAILGUN_MEM_DATA, &pDataLen );
if( !pData )
BREAK_WITH_ERROR( "[RAILGUN] request_railgun_memwrite: !pData", ERROR_INVALID_PARAMETER );
// The length of the buffer specified may not match the required read size, so we still
// need to have the length specified.
dwLength = met_api->packet.get_tlv_value_uint( pPacket, TLV_TYPE_RAILGUN_MEM_LENGTH );
if( !dwLength )
BREAK_WITH_ERROR( "[RAILGUN] request_railgun_memwrite: !dwLength", ERROR_INVALID_PARAMETER );
// Let's not be silly and try to read more than the buffer allows?
dwLength = min(dwLength, pDataLen);
__try
{
memcpy( lpAddress, pData, dwLength );
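Review bot: The comment `// Let's not be silly and try to read more than the buffer allows?` describes a read, but the operation it guards is the `memcpy( lpAddress, pData, dwLength )` that writes into target memory; suggest `// Never copy more than the TLV buffer actually holds.` Because `min(dwLength, pDataLen)` can clamp dwLength to 0 when the RAW TLV is empty, the earlier `if( !dwLength )` rejection no longer protects the copy; move that check after the clamp so an empty buffer takes the error path rather than a zero-length memcpy. `pDataLen` is also declared mid-block after executable statements, unlike the other locals of request_railgun_memwrite, whose declarations are outside the hunk.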


@ -40,7 +40,7 @@ DWORD ps_inject( DWORD dwPid, DLL_BUFFER * pDllBuffer, char * cpCommandLine )
DWORD dwPidArch = PROCESS_ARCH_UNKNOWN;
DWORD dwDllArch = PROCESS_ARCH_UNKNOWN;
LPVOID lpDllBuffer = NULL;
DWORD dwDllLenght = 0;
DWORD dwDllLength = 0;
do
{
@ -52,12 +52,12 @@ DWORD ps_inject( DWORD dwPid, DLL_BUFFER * pDllBuffer, char * cpCommandLine )
if( dwPidArch == PROCESS_ARCH_X86 )
{
lpDllBuffer = pDllBuffer->lpPE32DllBuffer;
dwDllLenght = pDllBuffer->dwPE32DllLenght;
dwDllLength = pDllBuffer->dwPE32DllLength;
}
else if( dwPidArch == PROCESS_ARCH_X64 )
{
lpDllBuffer = pDllBuffer->lpPE64DllBuffer;
dwDllLenght = pDllBuffer->dwPE64DllLenght;
dwDllLength = pDllBuffer->dwPE64DllLength;
}
else
{
@ -71,7 +71,7 @@ DWORD ps_inject( DWORD dwPid, DLL_BUFFER * pDllBuffer, char * cpCommandLine )
if( dwDllArch != dwPidArch )
BREAK_WITH_ERROR( "[PS] ps_inject_dll. pid/dll architecture mixup", ERROR_BAD_ENVIRONMENT );
dwResult = met_api->inject.dll( dwPid, lpDllBuffer, dwDllLenght, cpCommandLine );
dwResult = met_api->inject.dll( dwPid, lpDllBuffer, dwDllLength, cpCommandLine );
} while( 0 );


@ -30,9 +30,9 @@ typedef DWORD(WINAPI * GETMODULEBASENAMEW)(HANDLE hProcess, HMODULE hModule, LPW
typedef struct _DLL_BUFFER
{
LPVOID lpPE32DllBuffer;
DWORD dwPE32DllLenght;
DWORD dwPE32DllLength;
LPVOID lpPE64DllBuffer;
DWORD dwPE64DllLenght;
DWORD dwPE64DllLength;
} DLL_BUFFER;
typedef struct _PROCESS_BASIC_INFORMATION


@ -403,7 +403,7 @@ DWORD request_ui_desktop_screenshot(Remote * remote, Packet * request)
Packet * response = NULL;
THREAD * pPipeThread = NULL;
LPVOID lpDllBuffer = NULL;
DLL_BUFFER DllBuffer = { 0 };
DLL_BUFFER dllBuffer = { 0 };
char cNamedPipe[MAX_PATH] = { 0 };
char cCommandLine[MAX_PATH] = { 0 };
int quality = 0;
@ -429,13 +429,10 @@ DWORD request_ui_desktop_screenshot(Remote * remote, Packet * request)
// get the x86 and x64 screenshot dll's. we are not obliged to send both but we reduce the number of processes
// we can inject into (wow64 and x64) if we only send one type on an x64 system. If we are on an x86 system
// we dont need to send the x64 screenshot dll as there will be no x64 processes to inject it into.
DllBuffer.dwPE32DllLenght = met_api->packet.get_tlv_value_uint(request, TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_LENGTH);
DllBuffer.lpPE32DllBuffer = met_api->packet.get_tlv_value_string(request, TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER);
dllBuffer.lpPE32DllBuffer = met_api->packet.get_tlv_value_raw(request, TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER, &dllBuffer.dwPE32DllLength);
dllBuffer.lpPE64DllBuffer = met_api->packet.get_tlv_value_raw(request, TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER, &dllBuffer.dwPE64DllLength);
DllBuffer.dwPE64DllLenght = met_api->packet.get_tlv_value_uint(request, TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH);
DllBuffer.lpPE64DllBuffer = met_api->packet.get_tlv_value_string(request, TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER);
if (!DllBuffer.lpPE32DllBuffer && !DllBuffer.lpPE64DllBuffer)
if (!dllBuffer.lpPE32DllBuffer && !dllBuffer.lpPE64DllBuffer)
{
BREAK_WITH_ERROR("[UI] desktop_screenshot. Invalid dll arguments, at least 1 dll must be supplied", ERROR_BAD_ARGUMENTS);
}
@ -474,7 +471,7 @@ DWORD request_ui_desktop_screenshot(Remote * remote, Packet * request)
if (dwCurrentSessionId != dwActiveSessionId)
{
dprintf("[UI] desktop_screenshot. Injecting into active session %d...\n", dwActiveSessionId);
if (session_inject(dwActiveSessionId, &DllBuffer, cCommandLine) != ERROR_SUCCESS)
if (session_inject(dwActiveSessionId, &dllBuffer, cCommandLine) != ERROR_SUCCESS)
{
BREAK_WITH_ERROR("[UI] desktop_screenshot. session_inject failed", ERROR_ACCESS_DENIED);
}
@ -482,7 +479,7 @@ DWORD request_ui_desktop_screenshot(Remote * remote, Packet * request)
else
{
dprintf("[UI] desktop_screenshot. Allready in the active session %d.\n", dwActiveSessionId);
if (ps_inject(GetCurrentProcessId(), &DllBuffer, cCommandLine) != ERROR_SUCCESS)
if (ps_inject(GetCurrentProcessId(), &dllBuffer, cCommandLine) != ERROR_SUCCESS)
{
BREAK_WITH_ERROR("[UI] desktop_screenshot. ps_inject current process failed", ERROR_ACCESS_DENIED);
}


@ -181,10 +181,8 @@
#define TLV_TYPE_DESKTOP_STATION MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3006 )
#define TLV_TYPE_DESKTOP_NAME MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3007 )
#define TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 3008 )
#define TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_LENGTH MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 3009 )
#define TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3010 )
#define TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 3011 )
#define TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3012 )
#define TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER MAKE_CUSTOM_TLV( TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_STDAPI, 3010 )
#define TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER MAKE_CUSTOM_TLV( TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_STDAPI, 3012 )
#define TLV_TYPE_KEYSCAN_TRACK_ACTIVE_WINDOW MAKE_CUSTOM_TLV( TLV_META_TYPE_BOOL, TLV_TYPE_EXTENSION_STDAPI, 3013 )
#define TLV_TYPE_KEYS_SEND MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3014 )


@ -86,7 +86,8 @@ DWORD create_transport_from_request(Remote* remote, Packet* packet, Transport**
wchar_t* proxy = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_HOST);
wchar_t* proxyUser = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_USER);
wchar_t* proxyPass = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_PASS);
PBYTE certHash = packet_get_tlv_value_raw(packet, TLV_TYPE_TRANS_CERT_HASH);
DWORD certHashLen = 0;
PBYTE certHash = packet_get_tlv_value_raw(packet, TLV_TYPE_TRANS_CERT_HASH, &certHashLen);
wchar_t* headers = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_HEADERS);
size_t configSize = sizeof(MetsrvTransportHttp);
@ -400,7 +401,8 @@ DWORD remote_request_core_transport_setcerthash(Remote* remote, Packet* packet)
break;
}
unsigned char* certHash = packet_get_tlv_value_raw(packet, TLV_TYPE_TRANS_CERT_HASH);
DWORD certHashLen = 0;
unsigned char* certHash = packet_get_tlv_value_raw(packet, TLV_TYPE_TRANS_CERT_HASH, &certHashLen);
HttpTransportContext* ctx = (HttpTransportContext*)remote->transport->ctx;
// Support adding a new cert hash if one doesn't exist
@ -540,20 +542,18 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
// Get the target process architecture to inject into
dwDestinationArch = packet_get_tlv_value_uint(packet, TLV_TYPE_MIGRATE_ARCH);
// Get the length of the payload buffer
dwPayloadLength = packet_get_tlv_value_uint(packet, TLV_TYPE_MIGRATE_PAYLOAD_LEN);
// Receive the actual migration payload buffer
lpPayloadBuffer = packet_get_tlv_value_string(packet, TLV_TYPE_MIGRATE_PAYLOAD);
lpPayloadBuffer = packet_get_tlv_value_raw(packet, TLV_TYPE_MIGRATE_PAYLOAD, &dwPayloadLength);
// Get handles to the updated UUIDs if they're there
lpUuid = packet_get_tlv_value_raw(packet, TLV_TYPE_UUID);
DWORD uuidLen = 0;
lpUuid = packet_get_tlv_value_raw(packet, TLV_TYPE_UUID, &uuidLen);
// Get the migrate stub information
dwMigrateStubLength = packet_get_tlv_value_uint(packet, TLV_TYPE_MIGRATE_STUB_LEN);
lpMigrateStub = packet_get_tlv_value_raw(packet, TLV_TYPE_MIGRATE_STUB);
lpMigrateStub = packet_get_tlv_value_raw(packet, TLV_TYPE_MIGRATE_STUB, &dwMigrateStubLength);
dprintf("[MIGRATE] Attempting to migrate. ProcessID=%d, Arch=%s, PayloadLength=%d", dwProcessID, (dwDestinationArch == 2 ? "x64" : "x86"), dwPayloadLength);
dprintf("[MIGRATE] Attempting to migrate. ProcessID=%d, Arch=%s", dwProcessID, dwDestinationArch == 2 ? "x64" : "x86");
dprintf("[MIGRATE] Attempting to migrate. PayloadLength=%d StubLength=%d", dwPayloadLength, dwMigrateStubLength);
// If we can, get SeDebugPrivilege...
if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
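Review bot: `certHashLen`, `uuidLen` and `dwMigrateStubLength` are now read from the TLV, but nothing in these hunks compares them with the size the consumer expects before the buffer is used, so a peer-supplied value shorter than a fixed-size destination would be over-read when copied. At the copy sites (outside the hunks, in create_transport_from_request and remote_request_core_transport_setcerthash here, and likewise request_core_set_uuid / request_core_set_session_guid and request_core_pivot_remove in their own files) add a check of the form `if (certHash == NULL || certHashLen < sizeof(<destination field>)) { result = ERROR_BAD_ARGUMENTS; break; }`, with the placeholder replaced by the actual destination. The two new dprintf lines format DWORD values with `%d`; `%u` matches the type.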


@ -844,9 +844,10 @@ UINT packet_get_tlv_value_uint(Packet *packet, TlvType type)
* @brief Get the raw value of a TLV.
* @param packet Pointer to the packet to get the TLV from.
* @param type Type of TLV to get (optional).
* @param length Variable that will receive the length of the raw data.
* @return The value found in the TLV.
*/
BYTE * packet_get_tlv_value_raw(Packet * packet, TlvType type)
BYTE * packet_get_tlv_value_raw(Packet * packet, TlvType type, DWORD* length)
{
Tlv tlv;
@ -855,6 +856,7 @@ BYTE * packet_get_tlv_value_raw(Packet * packet, TlvType type)
return NULL;
}
*length = tlv.header.length;
return tlv.buffer;
}
@ -1325,4 +1327,4 @@ DWORD packet_transmit(Remote* remote, Packet* packet, PacketRequestCompletion* c
packet_destroy(packet);
return res;
}
}
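Review bot: `*length = tlv.header.length;` dereferences the new out-parameter unconditionally, and one caller added in this commit (read_pipe_to_packet in the named-pipe pivot file) passes `0` for it, so every successful lookup there writes through a null pointer. Make the parameter optional, `if (length != NULL) { *length = tlv.header.length; }`, and on the failure path before `return NULL;` add `if (length != NULL) { *length = 0; }` so a caller cannot consume a stale length alongside a NULL buffer. Update the Doxygen line to `@param length Optional; receives the length of the raw data, or 0 when the TLV is not found.` and mirror that contract on the prototype in packet.h. The middle of packet_get_tlv_value_raw is outside the hunk.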


@ -41,7 +41,7 @@ DWORD packet_enum_tlv(Packet *packet, DWORD index, TlvType type, Tlv *tlv);
PCHAR packet_get_tlv_value_string(Packet *packet, TlvType type);
wchar_t* packet_get_tlv_value_wstring(Packet* packet, TlvType type);
UINT packet_get_tlv_value_uint(Packet *packet, TlvType type);
BYTE * packet_get_tlv_value_raw( Packet * packet, TlvType type );
BYTE* packet_get_tlv_value_raw(Packet* packet, TlvType type, DWORD* length);
QWORD packet_get_tlv_value_qword(Packet *packet, TlvType type);
BOOL packet_get_tlv_value_bool(Packet *packet, TlvType type);


@ -322,10 +322,10 @@ DWORD encrypt_packet(Remote* remote, Packet* packet, LPBYTE* buffer, LPDWORD buf
return result;
}
DWORD public_key_encrypt(CHAR* publicKeyPem, unsigned char* data, DWORD dataLength, unsigned char** encryptedData, DWORD* encryptedDataLength)
DWORD public_key_encrypt(BYTE* publicKeyDer, UINT publicKeyDerLen, BYTE* data, DWORD dataLength, BYTE** encryptedData, DWORD* encryptedDataLength)
{
DWORD result = ERROR_SUCCESS;
LPBYTE pubKeyBin = NULL;
//LPBYTE pubKeyBin = NULL;
CERT_PUBLIC_KEY_INFO* pubKeyInfo = NULL;
HCRYPTPROV rsaProv = 0;
HCRYPTKEY pubCryptKey = 0;
@ -333,32 +333,14 @@ DWORD public_key_encrypt(CHAR* publicKeyPem, unsigned char* data, DWORD dataLeng
do
{
if (publicKeyPem == NULL)
if (publicKeyDer == NULL || publicKeyDerLen == 0)
{
result = ERROR_BAD_ARGUMENTS;
break;
}
DWORD binaryRequiredSize = 0;
CryptStringToBinaryA(publicKeyPem, 0, CRYPT_STRING_BASE64HEADER, NULL, &binaryRequiredSize, NULL, NULL);
dprintf("[ENC] Required size for the binary key is: %u (%x)", binaryRequiredSize, binaryRequiredSize);
pubKeyBin = (LPBYTE)malloc(binaryRequiredSize);
if (pubKeyBin == NULL)
{
result = ERROR_OUTOFMEMORY;
break;
}
if (!CryptStringToBinaryA(publicKeyPem, 0, CRYPT_STRING_BASE64HEADER, pubKeyBin, &binaryRequiredSize, NULL, NULL))
{
result = GetLastError();
dprintf("[ENC] Failed to convert the given base64 encoded key into bytes: %u (%x)", result, result);
break;
}
DWORD keyRequiredSize = 0;
if (!CryptDecodeObjectEx(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, pubKeyBin, binaryRequiredSize, CRYPT_ENCODE_ALLOC_FLAG, 0, &pubKeyInfo, &keyRequiredSize))
if (!CryptDecodeObjectEx(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, publicKeyDer, publicKeyDerLen, CRYPT_ENCODE_ALLOC_FLAG, 0, &pubKeyInfo, &keyRequiredSize))
{
result = GetLastError();
dprintf("[ENC] Failed to decode: %u (%x)", result, result);
@ -544,10 +526,11 @@ DWORD request_negotiate_aes_key(Remote* remote, Packet* packet)
}
// now we need to encrypt this key data using the public key given
CHAR* pubKeyPem = packet_get_tlv_value_string(packet, TLV_TYPE_RSA_PUB_KEY);
DWORD pubKeyDerLen = 0;
BYTE* pubKeyDer = packet_get_tlv_value_raw(packet, TLV_TYPE_RSA_PUB_KEY, &pubKeyDerLen);
unsigned char* cipherText = NULL;
DWORD cipherTextLength = 0;
DWORD pubEncryptResult = public_key_encrypt(pubKeyPem, remote->enc_ctx->key_data.key, remote->enc_ctx->key_data.length, &cipherText, &cipherTextLength);
DWORD pubEncryptResult = public_key_encrypt(pubKeyDer, pubKeyDerLen, remote->enc_ctx->key_data.key, remote->enc_ctx->key_data.length, &cipherText, &cipherTextLength);
packet_add_tlv_uint(response, TLV_TYPE_SYM_KEY_TYPE, ENC_FLAG_AES256);
if (pubEncryptResult == ERROR_SUCCESS && cipherText != NULL)
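Review bot: `//LPBYTE pubKeyBin = NULL;` is commented out rather than removed; delete the line, and confirm that no cleanup of pubKeyBin survives further down public_key_encrypt (outside the hunk). The signature takes `UINT publicKeyDerLen` while the only caller passes a DWORD and CryptDecodeObjectEx receives it as one; using `DWORD` throughout avoids the mixed integer types. Passing the TLV length straight to CryptDecodeObjectEx is an improvement over the removed PEM path, since the decoder is now bounded by the actual buffer size rather than by a string terminator.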


@ -407,7 +407,8 @@ DWORD request_core_loadlib(Remote *remote, Packet *packet)
DWORD request_core_set_uuid(Remote* remote, Packet* packet)
{
Packet* response = packet_create_response(packet);
PBYTE newUuid = packet_get_tlv_value_raw(packet, TLV_TYPE_UUID);
DWORD newUuidLen = 0;
PBYTE newUuid = packet_get_tlv_value_raw(packet, TLV_TYPE_UUID, &newUuidLen);
if (newUuid != NULL)
{
@ -448,7 +449,8 @@ DWORD request_core_get_session_guid(Remote* remote, Packet* packet)
DWORD request_core_set_session_guid(Remote* remote, Packet* packet)
{
DWORD result = ERROR_SUCCESS;
LPBYTE sessionGuid = packet_get_tlv_value_raw(packet, TLV_TYPE_SESSION_GUID);
DWORD sessionGuidLen = 0;
LPBYTE sessionGuid = packet_get_tlv_value_raw(packet, TLV_TYPE_SESSION_GUID, &sessionGuidLen);
if (sessionGuid != NULL)
{


@ -25,7 +25,8 @@ DWORD request_core_pivot_add(Remote* remote, Packet* packet)
DWORD request_core_pivot_remove(Remote* remote, Packet* packet)
{
DWORD result = ERROR_NOT_FOUND;
LPBYTE pivotId = packet_get_tlv_value_raw(packet, TLV_TYPE_PIVOT_ID);
DWORD pivotIdLen = 0;
LPBYTE pivotId = packet_get_tlv_value_raw(packet, TLV_TYPE_PIVOT_ID, &pivotIdLen);
if (pivotId != NULL)
{
@ -45,4 +46,4 @@ DWORD request_core_pivot_remove(Remote* remote, Packet* packet)
packet_transmit_empty_response(remote, packet, result);
return result;
}
}


@ -162,7 +162,8 @@ static DWORD read_pipe_to_packet(NamedPipeContext* ctx, LPBYTE source, DWORD sou
{
dprintf("[PIPE] Request ID found and matches expected value");
// we have a response to our session guid request
LPBYTE sessionGuid = packet_get_tlv_value_raw(packet, TLV_TYPE_SESSION_GUID);
DWORD sessionGuidLen = 0;
LPBYTE sessionGuid = packet_get_tlv_value_raw(packet, TLV_TYPE_SESSION_GUID, 0);
#ifdef DEBUGTRACE
PUCHAR h = (PUCHAR)&sessionGuid[0];
dprintf("[PIPE] Returned session guid: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X",
@ -754,14 +755,14 @@ DWORD request_core_pivot_add_named_pipe(Remote* remote, Packet* packet)
namedPipeServer = ".";
}
LPBYTE pivotId = packet_get_tlv_value_raw(packet, TLV_TYPE_PIVOT_ID);
UINT pivotIdLen = 0;
LPBYTE pivotId = packet_get_tlv_value_raw(packet, TLV_TYPE_PIVOT_ID, &pivotIdLen);
if (pivotId != NULL)
{
memcpy(&ctx->pivot_id, pivotId, sizeof(ctx->pivot_id));
}
LPVOID stageData = packet_get_tlv_value_raw(packet, TLV_TYPE_PIVOT_STAGE_DATA);
ctx->stage_data_size = packet_get_tlv_value_uint(packet, TLV_TYPE_PIVOT_STAGE_DATA_SIZE);
LPVOID stageData = packet_get_tlv_value_raw(packet, TLV_TYPE_PIVOT_STAGE_DATA, &ctx->stage_data_size);
if (stageData && ctx->stage_data_size > 0)
{
@ -832,4 +833,4 @@ DWORD request_core_pivot_add_named_pipe(Remote* remote, Packet* packet)
} while (0);
return dwResult;
}
}
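Review bot: `memcpy(&ctx->pivot_id, pivotId, sizeof(ctx->pivot_id));` copies a fixed size out of the TLV buffer even though `pivotIdLen` is now available, so a shorter pivot id from the peer is over-read; guard it with `if (pivotId != NULL && pivotIdLen >= sizeof(ctx->pivot_id))`. `pivotIdLen` is declared `UINT` while the out-parameter is `DWORD*`; declare it `DWORD` as the other call sites in this commit do. In the read_pipe_to_packet hunk, `sessionGuidLen` is declared but the call passes `0` instead of `&sessionGuidLen`, which with the packet.c implementation in this commit is a write through a null pointer. Both functions continue outside their hunks.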


@ -204,12 +204,10 @@ public interface TLVType {
public static final int TLV_TYPE_POWER_REASON = TLVPacket.TLV_META_TYPE_UINT | 4101;
// Screenshot
public static final int TLV_TYPE_DESKTOP_SCREENSHOT = TLVPacket.TLV_META_TYPE_RAW | 3002;
public static final int TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY = TLVPacket.TLV_META_TYPE_UINT | 3008;
public static final int TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_LENGTH = TLVPacket.TLV_META_TYPE_UINT | 3009;
public static final int TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER = TLVPacket.TLV_META_TYPE_STRING | 3010;
public static final int TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH = TLVPacket.TLV_META_TYPE_UINT | 3011;
public static final int TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER = TLVPacket.TLV_META_TYPE_STRING | 3012;
public static final int TLV_TYPE_DESKTOP_SCREENSHOT = TLVPacket.TLV_META_TYPE_RAW | 3002;
public static final int TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY = TLVPacket.TLV_META_TYPE_UINT | 3008;
public static final int TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER = TLVPacket.TLV_META_TYPE_RAW | 3010;
public static final int TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER = TLVPacket.TLV_META_TYPE_RAW | 3012;
int TLV_TYPE_EXTENSION_EXTAPI = 0;
int TLV_EXTENSIONS = 20000;


@ -149,9 +149,7 @@ public class NotYetImplementedCommand implements Command {
typeNames.put(new Integer(TLVType.TLV_TYPE_POWER_REASON), "TLV_TYPE_POWER_REASON");
typeNames.put(new Integer(TLVType.TLV_TYPE_DESKTOP_SCREENSHOT), "TLV_TYPE_DESKTOP_SCREENSHOT");
typeNames.put(new Integer(TLVType.TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY), "TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY");
typeNames.put(new Integer(TLVType.TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_LENGTH), "TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_LENGTH");
typeNames.put(new Integer(TLVType.TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER), "TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER");
typeNames.put(new Integer(TLVType.TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH), "TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH");
typeNames.put(new Integer(TLVType.TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER), "TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER");
}


@ -187,7 +187,7 @@ define("TLV_TYPE_UUID", TLV_META_TYPE_RAW | 461);
define("TLV_TYPE_SESSION_GUID", TLV_META_TYPE_RAW | 462);
# Packet encryption
define("TLV_TYPE_RSA_PUB_KEY", TLV_META_TYPE_STRING | 550);
define("TLV_TYPE_RSA_PUB_KEY", TLV_META_TYPE_RAW | 550);
define("TLV_TYPE_SYM_KEY_TYPE", TLV_META_TYPE_UINT | 551);
define("TLV_TYPE_SYM_KEY", TLV_META_TYPE_RAW | 552);
define("TLV_TYPE_ENC_SYM_KEY", TLV_META_TYPE_RAW | 553);
@ -552,6 +552,12 @@ function get_hdd_label() {
return "";
}
function der_to_pem($der_data) {
$pem = chunk_split(base64_encode($der_data), 64, "\n");
$pem = "-----BEGIN PUBLIC KEY-----\n".$pem."-----END PUBLIC KEY-----\n";
return $pem;
}
if (!function_exists('core_negotiate_tlv_encryption')) {
register_command('core_negotiate_tlv_encryption', COMMAND_ID_CORE_NEGOTIATE_TLV_ENCRYPTION);
function core_negotiate_tlv_encryption($req, &$pkt) {
@ -564,7 +570,7 @@ if (!function_exists('core_negotiate_tlv_encryption')) {
my_print("Encryption via public key is supported");
$pub_key_tlv = packet_get_tlv($req, TLV_TYPE_RSA_PUB_KEY);
if ($pub_key_tlv != null) {
$key = openssl_pkey_get_public($pub_key_tlv['value']);
$key = openssl_pkey_get_public(der_to_pem($pub_key_tlv['value']));
$enc = '';
openssl_public_encrypt($GLOBALS['AES_KEY'], $enc, $key, OPENSSL_PKCS1_PADDING);
packet_add_tlv($pkt, create_tlv(TLV_TYPE_ENC_SYM_KEY, $enc));
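Review bot: `der_to_pem` is declared unconditionally while the neighbouring handlers are wrapped in `if (!function_exists(...))`; if this script can be evaluated more than once in the same interpreter, as those guards suggest, the second evaluation fails with a redeclaration error. Wrap it the same way, `if (!function_exists('der_to_pem')) { function der_to_pem($der_data) { ... } }`. `openssl_pkey_get_public` returns false when the DER cannot be parsed, and `$key` is handed to `openssl_public_encrypt` unchecked, so the still-empty `$enc` would be sent as the encrypted key; test `$key === false` and skip adding the TLV in that case. A one-line comment on the helper, such as `// Wrap a DER SubjectPublicKeyInfo in the PEM armour openssl_pkey_get_public expects.`, would document the format it assumes.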