From 5c959187ea5f461e3e85387cd785b18717fc09a3 Mon Sep 17 00:00:00 2001 From: OJ Date: Wed, 6 May 2020 09:17:44 +1000 Subject: [PATCH 1/7] Support pub key in DER instead of PEM Easy change on the Windows side, we just needed to remove the code that converts PEM to DER and off we go. --- c/meterpreter/source/common/common_core.h | 3 +- .../source/metsrv/packet_encryption.c | 31 +++++-------------- 2 files changed, 9 insertions(+), 25 deletions(-) diff --git a/c/meterpreter/source/common/common_core.h b/c/meterpreter/source/common/common_core.h index 921f5605..30ce8606 100644 --- a/c/meterpreter/source/common/common_core.h +++ b/c/meterpreter/source/common/common_core.h @@ -166,10 +166,11 @@ typedef enum TLV_TYPE_SESSION_GUID = TLV_VALUE(TLV_META_TYPE_RAW, 462), ///! Represents a Session GUID. // Packet encryption - TLV_TYPE_RSA_PUB_KEY = TLV_VALUE(TLV_META_TYPE_STRING, 550), ///! Represents PEM-formatter RSA public key + TLV_TYPE_RSA_PUB_KEY = TLV_VALUE(TLV_META_TYPE_RAW, 550), ///! Represents DER-encoded RSA public key TLV_TYPE_SYM_KEY_TYPE = TLV_VALUE(TLV_META_TYPE_UINT, 551), ///! Represents the type of symmetric key TLV_TYPE_SYM_KEY = TLV_VALUE(TLV_META_TYPE_RAW, 552), ///! Represents the symmetric key TLV_TYPE_ENC_SYM_KEY = TLV_VALUE(TLV_META_TYPE_RAW, 553), ///! Represents and RSA-encrypted symmetric key + TLV_TYPE_RSA_PUB_KEY_LEN = TLV_VALUE(TLV_META_TYPE_UINT, 554), ///! Represents the length of the DER-encoded RSA public key // Pivots TLV_TYPE_PIVOT_ID = TLV_VALUE(TLV_META_TYPE_RAW, 650), ///! Represents the id of the pivot listener diff --git a/c/meterpreter/source/metsrv/packet_encryption.c b/c/meterpreter/source/metsrv/packet_encryption.c index 4ee9a2d8..8a1c0cc4 100644 --- a/c/meterpreter/source/metsrv/packet_encryption.c +++ b/c/meterpreter/source/metsrv/packet_encryption.c 
@@ -322,10 +322,10 @@ DWORD encrypt_packet(Remote* remote, Packet* packet, LPBYTE* buffer, LPDWORD buf return result; } -DWORD public_key_encrypt(CHAR* publicKeyPem, unsigned char* data, DWORD dataLength, unsigned char** encryptedData, DWORD* encryptedDataLength) +DWORD public_key_encrypt(BYTE* publicKeyDer, UINT publicKeyDerLen, BYTE* data, DWORD dataLength, BYTE** encryptedData, DWORD* encryptedDataLength) { DWORD result = ERROR_SUCCESS; - LPBYTE pubKeyBin = NULL; + //LPBYTE pubKeyBin = NULL; CERT_PUBLIC_KEY_INFO* pubKeyInfo = NULL; HCRYPTPROV rsaProv = 0; HCRYPTKEY pubCryptKey = 0; @@ -333,32 +333,14 @@ DWORD public_key_encrypt(CHAR* publicKeyPem, unsigned char* data, DWORD dataLeng do { - if (publicKeyPem == NULL) + if (publicKeyDer == NULL || publicKeyDerLen == 0) { result = ERROR_BAD_ARGUMENTS; break; } - DWORD binaryRequiredSize = 0; - CryptStringToBinaryA(publicKeyPem, 0, CRYPT_STRING_BASE64HEADER, NULL, &binaryRequiredSize, NULL, NULL); - dprintf("[ENC] Required size for the binary key is: %u (%x)", binaryRequiredSize, binaryRequiredSize); - - pubKeyBin = (LPBYTE)malloc(binaryRequiredSize); - if (pubKeyBin == NULL) - { - result = ERROR_OUTOFMEMORY; - break; - } - - if (!CryptStringToBinaryA(publicKeyPem, 0, CRYPT_STRING_BASE64HEADER, pubKeyBin, &binaryRequiredSize, NULL, NULL)) - { - result = GetLastError(); - dprintf("[ENC] Failed to convert the given base64 encoded key into bytes: %u (%x)", result, result); - break; - } - DWORD keyRequiredSize = 0; - if (!CryptDecodeObjectEx(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, pubKeyBin, binaryRequiredSize, CRYPT_ENCODE_ALLOC_FLAG, 0, &pubKeyInfo, &keyRequiredSize)) + if (!CryptDecodeObjectEx(X509_ASN_ENCODING, X509_PUBLIC_KEY_INFO, publicKeyDer, publicKeyDerLen, CRYPT_ENCODE_ALLOC_FLAG, 0, &pubKeyInfo, &keyRequiredSize)) { result = GetLastError(); dprintf("[ENC] Failed to decode: %u (%x)", result, result); 
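Review bot: The commented-out `//LPBYTE pubKeyBin = NULL;` left in place of the removed declaration should be deleted rather than kept as a comment, since the PEM-to-DER conversion that used it is gone from this function. If the cleanup path after the `do { } while` still frees `pubKeyBin`, that reference no longer compiles and has to go as well; that part of `public_key_encrypt` is outside the hunk. The new parameters also deserve a header comment describing the expected input, e.g. `// publicKeyDer/publicKeyDerLen: DER-encoded SubjectPublicKeyInfo (X509_PUBLIC_KEY_INFO) taken from the request TLV; decoded below with CryptDecodeObjectEx.`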
@@ -544,10 +526,11 @@ DWORD request_negotiate_aes_key(Remote* remote, Packet* packet) } // now we need to encrypt this key data using the public key given - CHAR* pubKeyPem = packet_get_tlv_value_string(packet, TLV_TYPE_RSA_PUB_KEY); + BYTE* pubKeyDer = packet_get_tlv_value_raw(packet, TLV_TYPE_RSA_PUB_KEY); + UINT pubKeyDerLen = packet_get_tlv_value_uint(packet, TLV_TYPE_RSA_PUB_KEY_LEN); unsigned char* cipherText = NULL; DWORD cipherTextLength = 0; - DWORD pubEncryptResult = public_key_encrypt(pubKeyPem, remote->enc_ctx->key_data.key, remote->enc_ctx->key_data.length, &cipherText, &cipherTextLength); + DWORD pubEncryptResult = public_key_encrypt(pubKeyDer, pubKeyDerLen, remote->enc_ctx->key_data.key, remote->enc_ctx->key_data.length, &cipherText, &cipherTextLength); packet_add_tlv_uint(response, TLV_TYPE_SYM_KEY_TYPE, ENC_FLAG_AES256); if (pubEncryptResult == ERROR_SUCCESS && cipherText != NULL) From 53dc79f384e2f1fe26c7c8f92717009c08082160 Mon Sep 17 00:00:00 2001 From: OJ Date: Wed, 6 May 2020 09:32:35 +1000 Subject: [PATCH 2/7] Update PHP to use DER instead of PEM for RSA --- php/meterpreter/meterpreter.php | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) diff --git a/php/meterpreter/meterpreter.php b/php/meterpreter/meterpreter.php index 139b3484..03c54b96 100755 --- a/php/meterpreter/meterpreter.php +++ b/php/meterpreter/meterpreter.php 
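Review bot: `pubKeyDerLen` is taken from a separate sender-supplied UINT TLV (`TLV_TYPE_RSA_PUB_KEY_LEN`) instead of from the length of the RAW TLV that actually holds the key, so the two can disagree, and a value larger than the raw TLV makes `CryptDecodeObjectEx` in `public_key_encrypt` read past the buffer it was handed. The TLV header already carries the length of a RAW value; derive `pubKeyDerLen` from it (or have `packet_get_tlv_value_raw` return it) and drop the extra length TLV. `request_negotiate_aes_key` begins and ends outside the hunk.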
@@ -187,10 +187,11 @@ define("TLV_TYPE_UUID", TLV_META_TYPE_RAW | 461); define("TLV_TYPE_SESSION_GUID", TLV_META_TYPE_RAW | 462); # Packet encryption -define("TLV_TYPE_RSA_PUB_KEY", TLV_META_TYPE_STRING | 550); +define("TLV_TYPE_RSA_PUB_KEY", TLV_META_TYPE_RAW | 550); define("TLV_TYPE_SYM_KEY_TYPE", TLV_META_TYPE_UINT | 551); define("TLV_TYPE_SYM_KEY", TLV_META_TYPE_RAW | 552); define("TLV_TYPE_ENC_SYM_KEY", TLV_META_TYPE_RAW | 553); +define("TLV_TYPE_RSA_PUB_KEY_LEN", TLV_META_TYPE_UINT | 554); # --------------------------------------------------------------- # --- THIS CONTENT WAS GENERATED BY A TOOL @ 2020-05-01 05:33:39 UTC @@ -552,6 +553,12 @@ function get_hdd_label() { return ""; } +function der_to_pem($der_data) { + $pem = chunk_split(base64_encode($der_data), 64, "\n"); + $pem = "-----BEGIN PUBLIC KEY-----\n".$pem."-----END PUBLIC KEY-----\n"; + return $pem; +} + if (!function_exists('core_negotiate_tlv_encryption')) { register_command('core_negotiate_tlv_encryption', COMMAND_ID_CORE_NEGOTIATE_TLV_ENCRYPTION); function core_negotiate_tlv_encryption($req, &$pkt) { @@ -564,7 +571,7 @@ if (!function_exists('core_negotiate_tlv_encryption')) { my_print("Encryption via public key is supported"); $pub_key_tlv = packet_get_tlv($req, TLV_TYPE_RSA_PUB_KEY); if ($pub_key_tlv != null) { - $key = openssl_pkey_get_public($pub_key_tlv['value']); + $key = openssl_pkey_get_public(der_to_pem($pub_key_tlv['value'])); $enc = ''; openssl_public_encrypt($GLOBALS['AES_KEY'], $enc, $key, OPENSSL_PKCS1_PADDING); packet_add_tlv($pkt, create_tlv(TLV_TYPE_ENC_SYM_KEY, $enc)); From 5fc2117325dd98061877e9ecd7d675a03cbb2742 Mon Sep 17 00:00:00 2001 
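Review bot: `der_to_pem` is added without a doc comment; a one-liner stating its contract would help the next reader, e.g. `/** Wrap a DER-encoded public key in PEM armour so openssl_pkey_get_public() accepts it. */`. Note that `chunk_split(..., 64, "\n")` already terminates the last line, so the footer concatenation is correct as written and does not need another newline.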
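Review bot: The return of `openssl_pkey_get_public()` on the changed line is never checked, so a malformed or unparseable key yields `false`, `openssl_public_encrypt` then fails and leaves `$enc` empty, and an empty `TLV_TYPE_ENC_SYM_KEY` is still added to the response. Guard both calls before adding the TLV, e.g. `if ($key !== false && openssl_public_encrypt($GLOBALS['AES_KEY'], $enc, $key, OPENSSL_PKCS1_PADDING)) {` around the `packet_add_tlv` line, and otherwise take the same path the function takes when no key TLV is present. `core_negotiate_tlv_encryption` continues outside the hunk.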
From: OJ Date: Wed, 6 May 2020 10:44:19 +1000 Subject: [PATCH 3/7] Adjust the tlv raw function and remove some unnecessary headers --- c/meterpreter/source/common/common_core.h | 4 ---- c/meterpreter/source/common/common_metapi.h | 2 +- c/meterpreter/source/extensions/extapi/extapi.h | 1 - .../source/extensions/extapi/pageantjacker.c | 3 +-- .../source/extensions/peinjector/peinjector_bridge.c | 4 ++-- .../source/extensions/powershell/powershell.h | 3 +-- .../extensions/powershell/powershell_bridge.cpp | 4 ++-- .../source/extensions/python/python_commands.c | 5 +++-- c/meterpreter/source/metsrv/base_dispatch.c | 12 +++++++----- c/meterpreter/source/metsrv/core.c | 6 ++++-- c/meterpreter/source/metsrv/core.h | 2 +- c/meterpreter/source/metsrv/packet_encryption.c | 4 ++-- c/meterpreter/source/metsrv/remote_dispatch.c | 6 ++++-- c/meterpreter/source/metsrv/server_pivot.c | 5 +++-- .../source/metsrv/server_pivot_named_pipe.c | 11 ++++++----- php/meterpreter/meterpreter.php | 1 - 16 files changed, 37 insertions(+), 36 deletions(-) diff --git a/c/meterpreter/source/common/common_core.h b/c/meterpreter/source/common/common_core.h index 30ce8606..9022648c 100644 --- a/c/meterpreter/source/common/common_core.h +++ b/c/meterpreter/source/common/common_core.h 
@@ -135,14 +135,12 @@ typedef enum TLV_TYPE_LIBRARY_PATH = TLV_VALUE(TLV_META_TYPE_STRING, 400), ///! Represents a path to the library to be loaded (string). TLV_TYPE_TARGET_PATH = TLV_VALUE(TLV_META_TYPE_STRING, 401), ///! Represents a target path (string). TLV_TYPE_MIGRATE_PID = TLV_VALUE(TLV_META_TYPE_UINT, 402), ///! Represents a process identifier of the migration target (unsigned integer). - TLV_TYPE_MIGRATE_PAYLOAD_LEN = TLV_VALUE(TLV_META_TYPE_UINT, 403), ///! Represents a migration payload size/length in bytes (unsigned integer). TLV_TYPE_MIGRATE_PAYLOAD = TLV_VALUE(TLV_META_TYPE_STRING, 404), ///! Represents a migration payload (string). TLV_TYPE_MIGRATE_ARCH = TLV_VALUE(TLV_META_TYPE_UINT, 405), ///! Represents a migration target architecture. TLV_TYPE_MIGRATE_TECHNIQUE = TLV_VALUE(TLV_META_TYPE_UINT, 406), ///! Represents a migration technique (unsigned int). TLV_TYPE_MIGRATE_BASE_ADDR = TLV_VALUE(TLV_META_TYPE_UINT, 407), ///! Represents a migration payload base address (unsigned int). TLV_TYPE_MIGRATE_ENTRY_POINT = TLV_VALUE(TLV_META_TYPE_UINT, 408), ///! Represents a migration payload entry point (unsigned int). TLV_TYPE_MIGRATE_SOCKET_PATH = TLV_VALUE(TLV_META_TYPE_STRING, 409), ///! Represents a unix domain socket path, used to migrate on linux (string) - TLV_TYPE_MIGRATE_STUB_LEN = TLV_VALUE(TLV_META_TYPE_UINT, 410), ///! Represents a migration stub length (uint). TLV_TYPE_MIGRATE_STUB = TLV_VALUE(TLV_META_TYPE_STRING, 411), ///! Represents a migration stub (string). // Transport switching 
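Review bot: `TLV_TYPE_MIGRATE_PAYLOAD_LEN` is removed from the enum here while `remote_request_core_migrate` in base_dispatch.c still reads it with `packet_get_tlv_value_uint` (that reader is only removed in patch 4 of this series), so this commit does not build on its own. Either keep the constant until its reader is gone or move the base_dispatch.c change into this commit; `TLV_TYPE_MIGRATE_STUB_LEN` is fine because its reader is removed in the same commit. `TLV_TYPE_MIGRATE_PAYLOAD` and `TLV_TYPE_MIGRATE_STUB` also remain `TLV_META_TYPE_STRING` although their lengths are now meant to come from the raw-value accessor; binary payloads belong in `TLV_META_TYPE_RAW`.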
@@ -170,12 +168,10 @@ typedef enum TLV_TYPE_SYM_KEY_TYPE = TLV_VALUE(TLV_META_TYPE_UINT, 551), ///! Represents the type of symmetric key TLV_TYPE_SYM_KEY = TLV_VALUE(TLV_META_TYPE_RAW, 552), ///! Represents the symmetric key TLV_TYPE_ENC_SYM_KEY = TLV_VALUE(TLV_META_TYPE_RAW, 553), ///! Represents and RSA-encrypted symmetric key - TLV_TYPE_RSA_PUB_KEY_LEN = TLV_VALUE(TLV_META_TYPE_UINT, 554), ///! Represents the length of the DER-encoded RSA public key // Pivots TLV_TYPE_PIVOT_ID = TLV_VALUE(TLV_META_TYPE_RAW, 650), ///! Represents the id of the pivot listener TLV_TYPE_PIVOT_STAGE_DATA = TLV_VALUE(TLV_META_TYPE_RAW, 651), ///! Represents the data to be staged on new connections. - TLV_TYPE_PIVOT_STAGE_DATA_SIZE = TLV_VALUE(TLV_META_TYPE_UINT, 652), ///! Represents the size of the data to be staged on new connections. TLV_TYPE_PIVOT_NAMED_PIPE_NAME = TLV_VALUE(TLV_META_TYPE_STRING, 653), ///! Represents named pipe name. TLV_TYPE_EXTENSIONS = TLV_VALUE(TLV_META_TYPE_COMPLEX, 20000), ///! Represents an extension value. diff --git a/c/meterpreter/source/common/common_metapi.h b/c/meterpreter/source/common/common_metapi.h index ed7cd694..98653818 100644 --- a/c/meterpreter/source/common/common_metapi.h +++ b/c/meterpreter/source/common/common_metapi.h @@ -92,7 +92,7 @@ typedef struct _SchedulerApi typedef struct _PacketApi { BOOL(*get_tlv_value_bool)(Packet* packet, TlvType type); - BYTE*(*get_tlv_value_raw)(Packet* packet, TlvType type); + BYTE*(*get_tlv_value_raw)(Packet* packet, TlvType type, UINT* length); DWORD(*add_completion_handler)(LPCSTR requestId, PacketRequestCompletion* completion); DWORD(*add_exception)(Packet* packet, DWORD code, PCHAR fmt, ...); DWORD(*add_group)(Packet* packet, TlvType type, Packet* groupPacket); diff --git a/c/meterpreter/source/extensions/extapi/extapi.h b/c/meterpreter/source/extensions/extapi/extapi.h index 4ec8d478..bef34e89 100644 --- a/c/meterpreter/source/extensions/extapi/extapi.h 
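Review bot: The `get_tlv_value_raw` function pointer takes `UINT* length` here, while core.h and core.c in the same commit declare `packet_get_tlv_value_raw` with `DWORD* length`; `unsigned int*` and `unsigned long*` are distinct pointer types, so wiring the function into the API table and calling it with `DWORD` locals produces incompatible-pointer diagnostics, and in powershell_bridge.cpp (a C++ translation unit passing `&binarySize`, a `DWORD*`) a hard error. Pick one type for the length parameter across the header, the implementation and the callers, `BYTE*(*get_tlv_value_raw)(Packet* packet, TlvType type, DWORD* length);`, and declare the receiving locals with it. The peinjector, python, base_dispatch, remote_dispatch and server_pivot hunks in this commit declare `UINT` locals that would then need the same change.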
+++ b/c/meterpreter/source/extensions/extapi/extapi.h @@ -81,7 +81,6 @@ #define TLV_TYPE_EXT_PAGEANT_STATUS MAKE_CUSTOM_TLV(TLV_META_TYPE_BOOL, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 85) #define TLV_TYPE_EXT_PAGEANT_ERRORMESSAGE MAKE_CUSTOM_TLV(TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 86) #define TLV_TYPE_EXT_PAGEANT_RETURNEDBLOB MAKE_CUSTOM_TLV(TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 87) -#define TLV_TYPE_EXT_PAGEANT_SIZE_IN MAKE_CUSTOM_TLV(TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 88) #define TLV_TYPE_EXT_PAGEANT_BLOB_IN MAKE_CUSTOM_TLV(TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 89) #define TLV_TYPE_EXT_WMI_DOMAIN MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_EXTAPI, TLV_EXTENSIONS + 90) diff --git a/c/meterpreter/source/extensions/extapi/pageantjacker.c b/c/meterpreter/source/extensions/extapi/pageantjacker.c index 8bd86fa5..c2b53037 100644 --- a/c/meterpreter/source/extensions/extapi/pageantjacker.c +++ b/c/meterpreter/source/extensions/extapi/pageantjacker.c @@ -180,8 +180,7 @@ DWORD request_pageant_send_query(Remote *remote, Packet *packet) PAGEANTQUERYRESULTS results = { 0 }; // Retrieve from metasploit - rawDataSizeIn = met_api->packet.get_tlv_value_uint(packet, TLV_TYPE_EXT_PAGEANT_SIZE_IN); - rawDataIn = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_EXT_PAGEANT_BLOB_IN); + rawDataIn = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_EXT_PAGEANT_BLOB_IN, &rawDataSizeIn); dprintf("[PJ(request_pageant_send_query)] Size in: %d. Data is at 0x%p", rawDataSizeIn, rawDataIn); diff --git a/c/meterpreter/source/extensions/peinjector/peinjector_bridge.c b/c/meterpreter/source/extensions/peinjector/peinjector_bridge.c index 2e2d1014..7fb8380e 100755 --- a/c/meterpreter/source/extensions/peinjector/peinjector_bridge.c +++ b/c/meterpreter/source/extensions/peinjector/peinjector_bridge.c 
@@ -51,8 +51,8 @@ DWORD request_peinjector_inject_shellcode(Remote *remote, Packet *packet) if (response) { - BYTE* shellcode = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_PEINJECTOR_SHELLCODE); - UINT size = met_api->packet.get_tlv_value_uint(packet, TLV_TYPE_PEINJECTOR_SHELLCODE_SIZE); + UINT size = 0; + BYTE* shellcode = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_PEINJECTOR_SHELLCODE, &size); BOOL is_x64 = met_api->packet.get_tlv_value_bool(packet, TLV_TYPE_PEINJECTOR_SHELLCODE_ISX64); char* target_executable_path = met_api->packet.get_tlv_value_string(packet, TLV_TYPE_PEINJECTOR_TARGET_EXECUTABLE); diff --git a/c/meterpreter/source/extensions/powershell/powershell.h b/c/meterpreter/source/extensions/powershell/powershell.h index 1ce2b925..708bd751 100755 --- a/c/meterpreter/source/extensions/powershell/powershell.h +++ b/c/meterpreter/source/extensions/powershell/powershell.h @@ -11,7 +11,6 @@ #define TLV_TYPE_POWERSHELL_SESSIONID MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_PSH, TLV_EXTENSIONS + 1) #define TLV_TYPE_POWERSHELL_CODE MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_PSH, TLV_EXTENSIONS + 2) #define TLV_TYPE_POWERSHELL_RESULT MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_PSH, TLV_EXTENSIONS + 3) -#define TLV_TYPE_POWERSHELL_ASSEMBLY_SIZE MAKE_CUSTOM_TLV(TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_PSH, TLV_EXTENSIONS + 4) #define TLV_TYPE_POWERSHELL_ASSEMBLY MAKE_CUSTOM_TLV(TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_PSH, TLV_EXTENSIONS + 5) -#endif \ No newline at end of file +#endif diff --git a/c/meterpreter/source/extensions/powershell/powershell_bridge.cpp b/c/meterpreter/source/extensions/powershell/powershell_bridge.cpp index e57d965e..942a5239 100755 --- a/c/meterpreter/source/extensions/powershell/powershell_bridge.cpp +++ b/c/meterpreter/source/extensions/powershell/powershell_bridge.cpp 
@@ -821,10 +821,10 @@ DWORD request_powershell_assembly_load(Remote *remote, Packet *packet) if (response) { - BYTE* binary = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_POWERSHELL_ASSEMBLY); + DWORD binarySize = 0; + BYTE* binary = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_POWERSHELL_ASSEMBLY, &binarySize); if (binary != NULL) { - DWORD binarySize = met_api->packet.get_tlv_value_uint(packet, TLV_TYPE_POWERSHELL_ASSEMBLY_SIZE); dwResult = load_assembly(binary, binarySize); } else diff --git a/c/meterpreter/source/extensions/python/python_commands.c b/c/meterpreter/source/extensions/python/python_commands.c index 95062fce..6fb8b3a5 100755 --- a/c/meterpreter/source/extensions/python/python_commands.c +++ b/c/meterpreter/source/extensions/python/python_commands.c @@ -484,7 +484,8 @@ DWORD request_python_execute(Remote* remote, Packet* packet) { DWORD dwResult = ERROR_SUCCESS; Packet* response = met_api->packet.create_response(packet); - LPBYTE pythonCode = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_EXTENSION_PYTHON_CODE); + UINT codeSize = 0; + LPBYTE pythonCode = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_EXTENSION_PYTHON_CODE, &codeSize); PyObject* mainModule = PyImport_AddModule("__main__"); PyObject* mainDict = PyModule_GetDict(mainModule); @@ -506,4 +507,4 @@ DWORD request_python_execute(Remote* remote, Packet* packet) } return dwResult; -} \ No newline at end of file +} diff --git a/c/meterpreter/source/metsrv/base_dispatch.c b/c/meterpreter/source/metsrv/base_dispatch.c index 7cea4398..b79a4bb0 100644 --- a/c/meterpreter/source/metsrv/base_dispatch.c +++ b/c/meterpreter/source/metsrv/base_dispatch.c 
@@ -86,7 +86,8 @@ DWORD create_transport_from_request(Remote* remote, Packet* packet, Transport** wchar_t* proxy = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_HOST); wchar_t* proxyUser = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_USER); wchar_t* proxyPass = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_PASS); - PBYTE certHash = packet_get_tlv_value_raw(packet, TLV_TYPE_TRANS_CERT_HASH); + UINT certHashLen = 0; + PBYTE certHash = packet_get_tlv_value_raw(packet, TLV_TYPE_TRANS_CERT_HASH, &certHashLen); wchar_t* headers = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_HEADERS); size_t configSize = sizeof(MetsrvTransportHttp); @@ -400,7 +401,8 @@ DWORD remote_request_core_transport_setcerthash(Remote* remote, Packet* packet) break; } - unsigned char* certHash = packet_get_tlv_value_raw(packet, TLV_TYPE_TRANS_CERT_HASH); + UINT certHashLen = 0; + unsigned char* certHash = packet_get_tlv_value_raw(packet, TLV_TYPE_TRANS_CERT_HASH, &certHashLen); HttpTransportContext* ctx = (HttpTransportContext*)remote->transport->ctx; // Support adding a new cert hash if one doesn't exist @@ -547,11 +549,11 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul lpPayloadBuffer = packet_get_tlv_value_string(packet, TLV_TYPE_MIGRATE_PAYLOAD); // Get handles to the updated UUIDs if they're there - lpUuid = packet_get_tlv_value_raw(packet, TLV_TYPE_UUID); + UINT uuidLen = 0; + lpUuid = packet_get_tlv_value_raw(packet, TLV_TYPE_UUID, &uuidLen); // Get the migrate stub information - dwMigrateStubLength = packet_get_tlv_value_uint(packet, TLV_TYPE_MIGRATE_STUB_LEN); - lpMigrateStub = packet_get_tlv_value_raw(packet, TLV_TYPE_MIGRATE_STUB); + lpMigrateStub = packet_get_tlv_value_raw(packet, TLV_TYPE_MIGRATE_STUB, dwMigrateStubLength); dprintf("[MIGRATE] Attempting to migrate. ProcessID=%d, Arch=%s, PayloadLength=%d", dwProcessID, (dwDestinationArch == 2 ? "x64" : "x86"), dwPayloadLength); 
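Review bot: The `packet_get_tlv_value_raw(packet, TLV_TYPE_MIGRATE_STUB, dwMigrateStubLength)` line passes the length variable by value instead of by address, so the callee's `*length = ...` writes through whatever integer `dwMigrateStubLength` happens to hold and the stub length is never stored; it should read `lpMigrateStub = packet_get_tlv_value_raw(packet, TLV_TYPE_MIGRATE_STUB, &dwMigrateStubLength);`. In the two hunks above, `certHashLen` and `uuidLen` are received and then unused; they are exactly what is needed to check the TLV against the size of the destination the hash and UUID are later copied into (that code is outside the hunk). `remote_request_core_migrate` starts and ends outside the hunk.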
diff --git a/c/meterpreter/source/metsrv/core.c b/c/meterpreter/source/metsrv/core.c index feeb3e61..7d576129 100644 --- a/c/meterpreter/source/metsrv/core.c +++ b/c/meterpreter/source/metsrv/core.c @@ -844,9 +844,10 @@ UINT packet_get_tlv_value_uint(Packet *packet, TlvType type) * @brief Get the raw value of a TLV. * @param packet Pointer to the packet to get the TLV from. * @param type Type of TLV to get (optional). + * @param length Variable that will receive the length of the raw data. * @return The value found in the TLV. */ -BYTE * packet_get_tlv_value_raw(Packet * packet, TlvType type) +BYTE * packet_get_tlv_value_raw(Packet * packet, TlvType type, DWORD* length) { Tlv tlv; @@ -855,6 +856,7 @@ BYTE * packet_get_tlv_value_raw(Packet * packet, TlvType type) return NULL; } + *length = tlv->header.length; return tlv.buffer; } @@ -1325,4 +1327,4 @@ DWORD packet_transmit(Remote* remote, Packet* packet, PacketRequestCompletion* c packet_destroy(packet); return res; -} \ No newline at end of file +} diff --git a/c/meterpreter/source/metsrv/core.h b/c/meterpreter/source/metsrv/core.h index bd804102..2eac02fc 100644 --- a/c/meterpreter/source/metsrv/core.h +++ b/c/meterpreter/source/metsrv/core.h @@ -41,7 +41,7 @@ DWORD packet_enum_tlv(Packet *packet, DWORD index, TlvType type, Tlv *tlv); PCHAR packet_get_tlv_value_string(Packet *packet, TlvType type); wchar_t* packet_get_tlv_value_wstring(Packet* packet, TlvType type); UINT packet_get_tlv_value_uint(Packet *packet, TlvType type); -BYTE * packet_get_tlv_value_raw( Packet * packet, TlvType type ); +BYTE * packet_get_tlv_value_raw(Packet * packet, TlvType type, DWORD* length) QWORD packet_get_tlv_value_qword(Packet *packet, TlvType type); BOOL packet_get_tlv_value_bool(Packet *packet, TlvType type); diff --git a/c/meterpreter/source/metsrv/packet_encryption.c b/c/meterpreter/source/metsrv/packet_encryption.c index 8a1c0cc4..f5f38755 100644 --- a/c/meterpreter/source/metsrv/packet_encryption.c 
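Review bot: `*length = tlv->header.length;` dereferences `length` unconditionally, while the named-pipe caller in server_pivot_named_pipe.c passes a literal `0`, which makes that call a NULL write; either guard it with `if (length != NULL) { *length = tlv.header.length; }` or extend the new `@param length` line with "must not be NULL" and fix that caller. Note also that `tlv` is declared as `Tlv tlv;` a few lines above, so `tlv->header.length` does not compile; `tlv.header.length` matches the `tlv.buffer` on the returning line. The same unconditional write is kept in patch 4 of this series.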
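Review bot: The new prototype `BYTE * packet_get_tlv_value_raw(Packet * packet, TlvType type, DWORD* length)` in core.h is missing its terminating semicolon, so the following `QWORD packet_get_tlv_value_qword(...)` line is parsed as part of the same declaration and the header no longer compiles. Restore it: `BYTE * packet_get_tlv_value_raw(Packet * packet, TlvType type, DWORD* length);`. The parameter type also differs from the `UINT*` used for the same function in common_metapi.h in this commit.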
+++ b/c/meterpreter/source/metsrv/packet_encryption.c @@ -526,8 +526,8 @@ DWORD request_negotiate_aes_key(Remote* remote, Packet* packet) } // now we need to encrypt this key data using the public key given - BYTE* pubKeyDer = packet_get_tlv_value_raw(packet, TLV_TYPE_RSA_PUB_KEY); - UINT pubKeyDerLen = packet_get_tlv_value_uint(packet, TLV_TYPE_RSA_PUB_KEY_LEN); + UINT pubKeyDerLen = 0; + BYTE* pubKeyDer = packet_get_tlv_value_raw_len(packet, TLV_TYPE_RSA_PUB_KEY, &pubKeyDerLen); unsigned char* cipherText = NULL; DWORD cipherTextLength = 0; DWORD pubEncryptResult = public_key_encrypt(pubKeyDer, pubKeyDerLen, remote->enc_ctx->key_data.key, remote->enc_ctx->key_data.length, &cipherText, &cipherTextLength); diff --git a/c/meterpreter/source/metsrv/remote_dispatch.c b/c/meterpreter/source/metsrv/remote_dispatch.c index 2999b667..93056a01 100644 --- a/c/meterpreter/source/metsrv/remote_dispatch.c +++ b/c/meterpreter/source/metsrv/remote_dispatch.c @@ -407,7 +407,8 @@ DWORD request_core_loadlib(Remote *remote, Packet *packet) DWORD request_core_set_uuid(Remote* remote, Packet* packet) { Packet* response = packet_create_response(packet); - PBYTE newUuid = packet_get_tlv_value_raw(packet, TLV_TYPE_UUID); + UINT newUuidLen = 0; + PBYTE newUuid = packet_get_tlv_value_raw(packet, TLV_TYPE_UUID, &newUuidLen); if (newUuid != NULL) { @@ -448,7 +449,8 @@ DWORD request_core_get_session_guid(Remote* remote, Packet* packet) DWORD request_core_set_session_guid(Remote* remote, Packet* packet) { DWORD result = ERROR_SUCCESS; - LPBYTE sessionGuid = packet_get_tlv_value_raw(packet, TLV_TYPE_SESSION_GUID); + UINT sessionGuidLen = 0; + LPBYTE sessionGuid = packet_get_tlv_value_raw(packet, TLV_TYPE_SESSION_GUID, &sessionGuidLen); if (sessionGuid != NULL) { diff --git a/c/meterpreter/source/metsrv/server_pivot.c b/c/meterpreter/source/metsrv/server_pivot.c index d2e49c58..de35ce97 100644 --- a/c/meterpreter/source/metsrv/server_pivot.c +++ b/c/meterpreter/source/metsrv/server_pivot.c 
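Review bot: `packet_get_tlv_value_raw_len` is called on the changed line but no such function is declared anywhere in this commit; core.h declares `packet_get_tlv_value_raw(Packet*, TlvType, DWORD*)`, so this is an implicit declaration and a link failure. Use `BYTE* pubKeyDer = packet_get_tlv_value_raw(packet, TLV_TYPE_RSA_PUB_KEY, &pubKeyDerLen);` and declare `pubKeyDerLen` as `DWORD` to match the prototype. `request_negotiate_aes_key` starts and ends outside the hunk.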
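Review bot: `newUuidLen` and `sessionGuidLen` are fetched in both remote_dispatch.c hunks but then unused, so the existing `!= NULL` checks on the following line remain the only validation before the value is consumed. Since the length is now available, tighten each guard to also require the expected size, e.g. `if (newUuid != NULL && newUuidLen == sizeof(<uuid field>))`, where the destination field is outside the hunk and the exact expression is to be confirmed against it. The same applies to `pivotIdLen` in the server_pivot.c hunk of this commit. Both request handlers continue outside the hunk.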
@@ -25,7 +25,8 @@ DWORD request_core_pivot_add(Remote* remote, Packet* packet) DWORD request_core_pivot_remove(Remote* remote, Packet* packet) { DWORD result = ERROR_NOT_FOUND; - LPBYTE pivotId = packet_get_tlv_value_raw(packet, TLV_TYPE_PIVOT_ID); + UINT pivotIdLen = 0; + LPBYTE pivotId = packet_get_tlv_value_raw(packet, TLV_TYPE_PIVOT_ID, &pivotIdLen); if (pivotId != NULL) { @@ -45,4 +46,4 @@ DWORD request_core_pivot_remove(Remote* remote, Packet* packet) packet_transmit_empty_response(remote, packet, result); return result; -} \ No newline at end of file +} diff --git a/c/meterpreter/source/metsrv/server_pivot_named_pipe.c b/c/meterpreter/source/metsrv/server_pivot_named_pipe.c index 4cdfd653..616f760a 100644 --- a/c/meterpreter/source/metsrv/server_pivot_named_pipe.c +++ b/c/meterpreter/source/metsrv/server_pivot_named_pipe.c @@ -162,7 +162,8 @@ static DWORD read_pipe_to_packet(NamedPipeContext* ctx, LPBYTE source, DWORD sou { dprintf("[PIPE] Request ID found and matches expected value"); // we have a response to our session guid request - LPBYTE sessionGuid = packet_get_tlv_value_raw(packet, TLV_TYPE_SESSION_GUID); + UINT sessionGuidLen = 0; + LPBYTE sessionGuid = packet_get_tlv_value_raw(packet, TLV_TYPE_SESSION_GUID, 0); #ifdef DEBUGTRACE PUCHAR h = (PUCHAR)&sessionGuid[0]; dprintf("[PIPE] Returned session guid: %02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X%02X", 
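Review bot: `packet_get_tlv_value_raw(packet, TLV_TYPE_SESSION_GUID, 0)` passes a null length pointer even though the line above declares `UINT sessionGuidLen = 0;` for exactly that purpose; with core.c writing `*length` unconditionally, every session-guid response dereferences NULL. Change it to `LPBYTE sessionGuid = packet_get_tlv_value_raw(packet, TLV_TYPE_SESSION_GUID, &sessionGuidLen);`. The `#ifdef DEBUGTRACE` block that follows appears to format 16 bytes from `sessionGuid` without a NULL or length check, which `sessionGuidLen` could now provide; `read_pipe_to_packet` continues outside the hunk.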
@@ -754,14 +755,14 @@ DWORD request_core_pivot_add_named_pipe(Remote* remote, Packet* packet) namedPipeServer = "."; } - LPBYTE pivotId = packet_get_tlv_value_raw(packet, TLV_TYPE_PIVOT_ID); + UINT pivotIdLen = 0; + LPBYTE pivotId = packet_get_tlv_value_raw(packet, TLV_TYPE_PIVOT_ID, &pivotIdLen); if (pivotId != NULL) { memcpy(&ctx->pivot_id, pivotId, sizeof(ctx->pivot_id)); } - LPVOID stageData = packet_get_tlv_value_raw(packet, TLV_TYPE_PIVOT_STAGE_DATA); - ctx->stage_data_size = packet_get_tlv_value_uint(packet, TLV_TYPE_PIVOT_STAGE_DATA_SIZE); + LPVOID stageData = packet_get_tlv_value_raw(packet, TLV_TYPE_PIVOT_STAGE_DATA, &ctx->stage_data_size); if (stageData && ctx->stage_data_size > 0) { @@ -832,4 +833,4 @@ DWORD request_core_pivot_add_named_pipe(Remote* remote, Packet* packet) } while (0); return dwResult; -} \ No newline at end of file +} diff --git a/php/meterpreter/meterpreter.php b/php/meterpreter/meterpreter.php index 03c54b96..65f2bbcf 100755 --- a/php/meterpreter/meterpreter.php +++ b/php/meterpreter/meterpreter.php @@ -191,7 +191,6 @@ define("TLV_TYPE_RSA_PUB_KEY", TLV_META_TYPE_RAW | 550); define("TLV_TYPE_SYM_KEY_TYPE", TLV_META_TYPE_UINT | 551); define("TLV_TYPE_SYM_KEY", TLV_META_TYPE_RAW | 552); define("TLV_TYPE_ENC_SYM_KEY", TLV_META_TYPE_RAW | 553); -define("TLV_TYPE_RSA_PUB_KEY_LEN", TLV_META_TYPE_UINT | 554); # --------------------------------------------------------------- # --- THIS CONTENT WAS GENERATED BY A TOOL @ 2020-05-01 05:33:39 UTC From 30f232a7fddc84540b9ee8eeade73bc05892c192 Mon Sep 17 00:00:00 2001 
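Review bot: `pivotIdLen` is now available, but the `memcpy(&ctx->pivot_id, pivotId, sizeof(ctx->pivot_id))` just below still copies `sizeof(ctx->pivot_id)` bytes guarded only by `pivotId != NULL`, so a TLV shorter than the field is over-read. Extend the guard: `if (pivotId != NULL && pivotIdLen >= sizeof(ctx->pivot_id))`. The stage-data line reads the length straight into `ctx->stage_data_size`, which is fine provided that field has the accessor's length type (`UINT*` in this commit's metapi header, `DWORD*` in core.h), which the hunk does not show. `request_core_pivot_add_named_pipe` starts outside the hunk.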
From: OJ Date: Wed, 6 May 2020 11:12:24 +1000 Subject: [PATCH 4/7] Adjust TLV types and fix up code to deal with new raw api --- c/meterpreter/source/common/common_core.h | 4 ++-- c/meterpreter/source/common/common_metapi.h | 2 +- .../extensions/peinjector/peinjector_bridge.c | 2 +- .../source/extensions/python/python_commands.c | 2 +- c/meterpreter/source/metsrv/base_dispatch.c | 16 +++++++--------- c/meterpreter/source/metsrv/core.c | 2 +- c/meterpreter/source/metsrv/core.h | 2 +- c/meterpreter/source/metsrv/packet_encryption.c | 4 ++-- c/meterpreter/source/metsrv/remote_dispatch.c | 4 ++-- c/meterpreter/source/metsrv/server_pivot.c | 2 +- .../source/metsrv/server_pivot_named_pipe.c | 2 +- 11 files changed, 20 insertions(+), 22 deletions(-) diff --git a/c/meterpreter/source/common/common_core.h b/c/meterpreter/source/common/common_core.h index 9022648c..ff5e48da 100644 --- a/c/meterpreter/source/common/common_core.h +++ b/c/meterpreter/source/common/common_core.h 
@@ -135,13 +135,13 @@ typedef enum TLV_TYPE_LIBRARY_PATH = TLV_VALUE(TLV_META_TYPE_STRING, 400), ///! Represents a path to the library to be loaded (string). TLV_TYPE_TARGET_PATH = TLV_VALUE(TLV_META_TYPE_STRING, 401), ///! Represents a target path (string). TLV_TYPE_MIGRATE_PID = TLV_VALUE(TLV_META_TYPE_UINT, 402), ///! Represents a process identifier of the migration target (unsigned integer). - TLV_TYPE_MIGRATE_PAYLOAD = TLV_VALUE(TLV_META_TYPE_STRING, 404), ///! Represents a migration payload (string). + TLV_TYPE_MIGRATE_PAYLOAD = TLV_VALUE(TLV_META_TYPE_RAW, 404), ///! Represents a migration payload (raw). TLV_TYPE_MIGRATE_ARCH = TLV_VALUE(TLV_META_TYPE_UINT, 405), ///! Represents a migration target architecture. TLV_TYPE_MIGRATE_TECHNIQUE = TLV_VALUE(TLV_META_TYPE_UINT, 406), ///! Represents a migration technique (unsigned int). TLV_TYPE_MIGRATE_BASE_ADDR = TLV_VALUE(TLV_META_TYPE_UINT, 407), ///! Represents a migration payload base address (unsigned int). TLV_TYPE_MIGRATE_ENTRY_POINT = TLV_VALUE(TLV_META_TYPE_UINT, 408), ///! Represents a migration payload entry point (unsigned int). TLV_TYPE_MIGRATE_SOCKET_PATH = TLV_VALUE(TLV_META_TYPE_STRING, 409), ///! Represents a unix domain socket path, used to migrate on linux (string) - TLV_TYPE_MIGRATE_STUB = TLV_VALUE(TLV_META_TYPE_STRING, 411), ///! Represents a migration stub (string). + TLV_TYPE_MIGRATE_STUB = TLV_VALUE(TLV_META_TYPE_RAW, 411), ///! Represents a migration stub (raw). // Transport switching TLV_TYPE_TRANS_TYPE = TLV_VALUE(TLV_META_TYPE_UINT, 430), ///! Represents the type of transport to switch to. diff --git a/c/meterpreter/source/common/common_metapi.h b/c/meterpreter/source/common/common_metapi.h index 98653818..5921957d 100644 --- a/c/meterpreter/source/common/common_metapi.h +++ b/c/meterpreter/source/common/common_metapi.h 
@@ -92,7 +92,7 @@ typedef struct _SchedulerApi typedef struct _PacketApi { BOOL(*get_tlv_value_bool)(Packet* packet, TlvType type); - BYTE*(*get_tlv_value_raw)(Packet* packet, TlvType type, UINT* length); + BYTE*(*get_tlv_value_raw)(Packet* packet, TlvType type, DWORD* length); DWORD(*add_completion_handler)(LPCSTR requestId, PacketRequestCompletion* completion); DWORD(*add_exception)(Packet* packet, DWORD code, PCHAR fmt, ...); DWORD(*add_group)(Packet* packet, TlvType type, Packet* groupPacket); diff --git a/c/meterpreter/source/extensions/peinjector/peinjector_bridge.c b/c/meterpreter/source/extensions/peinjector/peinjector_bridge.c index 7fb8380e..1eff42c9 100755 --- a/c/meterpreter/source/extensions/peinjector/peinjector_bridge.c +++ b/c/meterpreter/source/extensions/peinjector/peinjector_bridge.c @@ -51,7 +51,7 @@ DWORD request_peinjector_inject_shellcode(Remote *remote, Packet *packet) if (response) { - UINT size = 0; + DWORD size = 0; BYTE* shellcode = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_PEINJECTOR_SHELLCODE, &size); BOOL is_x64 = met_api->packet.get_tlv_value_bool(packet, TLV_TYPE_PEINJECTOR_SHELLCODE_ISX64); diff --git a/c/meterpreter/source/extensions/python/python_commands.c b/c/meterpreter/source/extensions/python/python_commands.c index 6fb8b3a5..9e11658e 100755 --- a/c/meterpreter/source/extensions/python/python_commands.c +++ b/c/meterpreter/source/extensions/python/python_commands.c @@ -484,7 +484,7 @@ DWORD request_python_execute(Remote* remote, Packet* packet) { DWORD dwResult = ERROR_SUCCESS; Packet* response = met_api->packet.create_response(packet); - UINT codeSize = 0; + DWORD codeSize = 0; LPBYTE pythonCode = met_api->packet.get_tlv_value_raw(packet, TLV_TYPE_EXTENSION_PYTHON_CODE, &codeSize); PyObject* mainModule = PyImport_AddModule("__main__"); diff --git a/c/meterpreter/source/metsrv/base_dispatch.c b/c/meterpreter/source/metsrv/base_dispatch.c index b79a4bb0..24c6e241 100644 
--- a/c/meterpreter/source/metsrv/base_dispatch.c +++ b/c/meterpreter/source/metsrv/base_dispatch.c @@ -86,7 +86,7 @@ DWORD create_transport_from_request(Remote* remote, Packet* packet, Transport** wchar_t* proxy = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_HOST); wchar_t* proxyUser = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_USER); wchar_t* proxyPass = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_PROXY_PASS); - UINT certHashLen = 0; + DWORD certHashLen = 0; PBYTE certHash = packet_get_tlv_value_raw(packet, TLV_TYPE_TRANS_CERT_HASH, &certHashLen); wchar_t* headers = packet_get_tlv_value_wstring(packet, TLV_TYPE_TRANS_HEADERS); @@ -401,7 +401,7 @@ DWORD remote_request_core_transport_setcerthash(Remote* remote, Packet* packet) break; } - UINT certHashLen = 0; + DWORD certHashLen = 0; unsigned char* certHash = packet_get_tlv_value_raw(packet, TLV_TYPE_TRANS_CERT_HASH, &certHashLen); HttpTransportContext* ctx = (HttpTransportContext*)remote->transport->ctx; 
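Review bot: `certHashLen` is declared and filled in both hunks but never read afterwards, so the length the accessor now provides is not used to validate the hash before it is stored in the transport context (that code follows outside the hunk). Where `certHash` is copied, require the length to equal the destination size, e.g. `if (certHash != NULL && certHashLen == sizeof(<cert hash field>))`, with the exact field to be confirmed from `HttpTransportContext`. Without such a check the new locals are only noise.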
@@ -542,20 +542,18 @@ BOOL remote_request_core_migrate(Remote * remote, Packet * packet, DWORD* pResul
 // Get the target process architecture to inject into
 dwDestinationArch = packet_get_tlv_value_uint(packet, TLV_TYPE_MIGRATE_ARCH);
- // Get the length of the payload buffer
- dwPayloadLength = packet_get_tlv_value_uint(packet, TLV_TYPE_MIGRATE_PAYLOAD_LEN);
- // Receive the actual migration payload buffer
- lpPayloadBuffer = packet_get_tlv_value_string(packet, TLV_TYPE_MIGRATE_PAYLOAD);
+ lpPayloadBuffer = packet_get_tlv_value_raw(packet, TLV_TYPE_MIGRATE_PAYLOAD, &dwPayloadLength);
 // Get handles to the updated UUIDs if they're there
- UINT uuidLen = 0;
+ DWORD uuidLen = 0;
 lpUuid = packet_get_tlv_value_raw(packet, TLV_TYPE_UUID, &uuidLen);
 // Get the migrate stub information
- lpMigrateStub = packet_get_tlv_value_raw(packet, TLV_TYPE_MIGRATE_STUB, dwMigrateStubLength);
+ lpMigrateStub = packet_get_tlv_value_raw(packet, TLV_TYPE_MIGRATE_STUB, &dwMigrateStubLength);
- dprintf("[MIGRATE] Attempting to migrate. ProcessID=%d, Arch=%s, PayloadLength=%d", dwProcessID, (dwDestinationArch == 2 ? "x64" : "x86"), dwPayloadLength);
+ dprintf("[MIGRATE] Attempting to migrate. ProcessID=%d, Arch=%s", dwProcessID, dwDestinationArch == 2 ? "x64" : "x86");
+ dprintf("[MIGRATE] Attempting to migrate. PayloadLength=%d StubLength=%d", dwPayloadLength, dwMigrateStubLength);
 // If we can, get SeDebugPrivilege...
 if (OpenProcessToken(GetCurrentProcess(), TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY, &hToken))
diff --git a/c/meterpreter/source/metsrv/core.c b/c/meterpreter/source/metsrv/core.c
index 7d576129..9cd7d858 100644
--- a/c/meterpreter/source/metsrv/core.c
+++ b/c/meterpreter/source/metsrv/core.c
@@ -856,7 +856,7 @@ BYTE * packet_get_tlv_value_raw(Packet * packet, TlvType type, DWORD* length)
 return NULL;
 }
- *length = tlv->header.length;
+ *length = tlv.header.length;
 return tlv.buffer;
 }
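Review bot: After the two `packet_get_tlv_value_raw` calls nothing in the hunk rejects a missing or empty payload or stub, and the core.c hunk below shows the getter returning NULL without writing through `length`, so on a malformed request `lpPayloadBuffer`/`lpMigrateStub` are NULL while `dwPayloadLength`/`dwMigrateStubLength` keep whatever they held before. I would fail fast right after the stub fetch, ahead of the dprintf calls: `if (lpPayloadBuffer == NULL || dwPayloadLength == 0 || lpMigrateStub == NULL || dwMigrateStubLength == 0) { /* report ERROR_BAD_ARGUMENTS through the function's error path */ }` — the error path and the initial values of the two lengths are outside the hunk, so wire it to whatever the function already uses. Minor: both dprintf calls print DWORDs with `%d`; `%u` is the matching specifier. remote_request_core_migrate continues well beyond this hunk.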
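Review bot: `*length = tlv.header.length;` writes through the out-parameter unconditionally, and a caller in this same series (read_pipe_to_packet in server_pivot_named_pipe.c) passes `0` for it, so the first session-GUID reply over the pipe dereferences NULL once the TLV is found. Either guard the write, `if (length != NULL) { *length = tlv.header.length; }`, or document that `length` is mandatory and fix that caller; the guard is cheaper and keeps the helper safe for future callers. Note also that the NULL-return branch above leaves `*length` untouched, which is worth a one-line comment so callers know to initialise it. The start of packet_get_tlv_value_raw, including the lookup that fills `tlv`, is outside the hunk.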
diff --git a/c/meterpreter/source/metsrv/core.h b/c/meterpreter/source/metsrv/core.h
index 2eac02fc..ba231b03 100644
--- a/c/meterpreter/source/metsrv/core.h
+++ b/c/meterpreter/source/metsrv/core.h
@@ -41,7 +41,7 @@ DWORD packet_enum_tlv(Packet *packet, DWORD index, TlvType type, Tlv *tlv);
 PCHAR packet_get_tlv_value_string(Packet *packet, TlvType type);
 wchar_t* packet_get_tlv_value_wstring(Packet* packet, TlvType type);
 UINT packet_get_tlv_value_uint(Packet *packet, TlvType type);
-BYTE * packet_get_tlv_value_raw(Packet * packet, TlvType type, DWORD* length)
+BYTE* packet_get_tlv_value_raw(Packet* packet, TlvType type, DWORD* length);
 QWORD packet_get_tlv_value_qword(Packet *packet, TlvType type);
 BOOL packet_get_tlv_value_bool(Packet *packet, TlvType type);
diff --git a/c/meterpreter/source/metsrv/packet_encryption.c b/c/meterpreter/source/metsrv/packet_encryption.c
index f5f38755..10b1b21c 100644
--- a/c/meterpreter/source/metsrv/packet_encryption.c
+++ b/c/meterpreter/source/metsrv/packet_encryption.c
@@ -526,8 +526,8 @@ DWORD request_negotiate_aes_key(Remote* remote, Packet* packet)
 }
 // now we need to encrypt this key data using the public key given
- UINT pubKeyDerLen = 0;
- BYTE* pubKeyDer = packet_get_tlv_value_raw_len(packet, TLV_TYPE_RSA_PUB_KEY, &pubKeyDerLen);
+ DWORD pubKeyDerLen = 0;
+ BYTE* pubKeyDer = packet_get_tlv_value_raw(packet, TLV_TYPE_RSA_PUB_KEY, &pubKeyDerLen);
 unsigned char* cipherText = NULL;
 DWORD cipherTextLength = 0;
 DWORD pubEncryptResult = public_key_encrypt(pubKeyDer, pubKeyDerLen, remote->enc_ctx->key_data.key, remote->enc_ctx->key_data.length, &cipherText, &cipherTextLength);
diff --git a/c/meterpreter/source/metsrv/remote_dispatch.c b/c/meterpreter/source/metsrv/remote_dispatch.c
index 93056a01..9500de1a 100644
--- a/c/meterpreter/source/metsrv/remote_dispatch.c
+++ b/c/meterpreter/source/metsrv/remote_dispatch.c
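Review bot: The public key in `pubKeyDer` is whatever the peer placed in this request; nothing in the hunk binds it to the transport or to a previously seen key, so the AES key in `remote->enc_ctx->key_data` is wrapped for any key the requester supplies. That is presumably the intended model (confidentiality delegated to the transport), but it deserves a comment where the key is fetched, e.g. `// Peer-supplied, unpinned DER public key: confidentiality of the AES key rests on the transport, not on this call.`. The comment should also record that a missing TLV yields `pubKeyDer == NULL` with `pubKeyDerLen == 0` and that public_key_encrypt is relied on to reject that pair, since this caller passes it through unchecked. The rest of request_negotiate_aes_key, including how `pubEncryptResult` is handled, is outside the hunk.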
@@ -407,7 +407,7 @@ DWORD request_core_loadlib(Remote *remote, Packet *packet)
 DWORD request_core_set_uuid(Remote* remote, Packet* packet)
 {
 Packet* response = packet_create_response(packet);
- UINT newUuidLen = 0;
+ DWORD newUuidLen = 0;
 PBYTE newUuid = packet_get_tlv_value_raw(packet, TLV_TYPE_UUID, &newUuidLen);
 if (newUuid != NULL)
@@ -449,7 +449,7 @@ DWORD request_core_get_session_guid(Remote* remote, Packet* packet)
 DWORD request_core_set_session_guid(Remote* remote, Packet* packet)
 {
 DWORD result = ERROR_SUCCESS;
- UINT sessionGuidLen = 0;
+ DWORD sessionGuidLen = 0;
 LPBYTE sessionGuid = packet_get_tlv_value_raw(packet, TLV_TYPE_SESSION_GUID, &sessionGuidLen);
 if (sessionGuid != NULL)
diff --git a/c/meterpreter/source/metsrv/server_pivot.c b/c/meterpreter/source/metsrv/server_pivot.c
index de35ce97..e084559a 100644
--- a/c/meterpreter/source/metsrv/server_pivot.c
+++ b/c/meterpreter/source/metsrv/server_pivot.c
@@ -25,7 +25,7 @@ DWORD request_core_pivot_add(Remote* remote, Packet* packet)
 DWORD request_core_pivot_remove(Remote* remote, Packet* packet)
 {
 DWORD result = ERROR_NOT_FOUND;
- UINT pivotIdLen = 0;
+ DWORD pivotIdLen = 0;
 LPBYTE pivotId = packet_get_tlv_value_raw(packet, TLV_TYPE_PIVOT_ID, &pivotIdLen);
 if (pivotId != NULL)
diff --git a/c/meterpreter/source/metsrv/server_pivot_named_pipe.c b/c/meterpreter/source/metsrv/server_pivot_named_pipe.c
index 616f760a..ab54c470 100644
--- a/c/meterpreter/source/metsrv/server_pivot_named_pipe.c
+++ b/c/meterpreter/source/metsrv/server_pivot_named_pipe.c
@@ -162,7 +162,7 @@ static DWORD read_pipe_to_packet(NamedPipeContext* ctx, LPBYTE source, DWORD sou
 {
 dprintf("[PIPE] Request ID found and matches expected value");
 // we have a response to our session guid request
- UINT sessionGuidLen = 0;
+ DWORD sessionGuidLen = 0;
 LPBYTE sessionGuid = packet_get_tlv_value_raw(packet, TLV_TYPE_SESSION_GUID, 0);
 #ifdef DEBUGTRACE
 PUCHAR h = (PUCHAR)&sessionGuid[0];
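Review bot: `newUuidLen` is now filled in by the getter, but the only guard visible in request_core_set_uuid is `if (newUuid != NULL)`; if the body (outside the hunk) copies the bytes into the session's fixed-size UUID storage, an over- or under-sized TLV goes unnoticed. Tighten the guard to also require the wire length to match the stored UUID's size, e.g. `if (newUuid != NULL && newUuidLen == <stored UUID size>)`, and apply the same to `sessionGuidLen` in request_core_set_session_guid in the next hunk, which has the identical shape. Both function bodies continue past their hunks.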
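Review bot: `sessionGuidLen` is declared and retyped but the call on the next line still passes `0` as the length pointer, and packet_get_tlv_value_raw in this series writes `*length` unconditionally once the TLV is found, so a session-GUID reply over the pipe dereferences NULL. Change the call to `LPBYTE sessionGuid = packet_get_tlv_value_raw(packet, TLV_TYPE_SESSION_GUID, &sessionGuidLen);` and, since the DEBUGTRACE block below indexes `sessionGuid[0]` directly, check both that the pointer is non-NULL and that the length matches the GUID size before using it. read_pipe_to_packet continues outside the hunk.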
From 6419fa9e40e423f535f91a97611bb3f18027e214 Mon Sep 17 00:00:00 2001 From: OJ Date: Wed, 6 May 2020 11:30:15 +1000 Subject: [PATCH 5/7] Fix buffer meta type values, typos and function calls --- .../extensions/stdapi/server/railgun/railgun.c | 8 +++++++- .../extensions/stdapi/server/sys/process/ps.c | 8 ++++---- .../extensions/stdapi/server/sys/process/ps.h | 4 ++-- .../source/extensions/stdapi/server/ui/desktop.c | 15 ++++++--------- c/meterpreter/source/extensions/stdapi/stdapi.h | 6 ++---- 5 files changed, 21 insertions(+), 20 deletions(-)
diff --git a/c/meterpreter/source/extensions/stdapi/server/railgun/railgun.c b/c/meterpreter/source/extensions/stdapi/server/railgun/railgun.c
index 51f9a8c9..879c9c7c 100755
--- a/c/meterpreter/source/extensions/stdapi/server/railgun/railgun.c
+++ b/c/meterpreter/source/extensions/stdapi/server/railgun/railgun.c
@@ -687,14 +687,20 @@ DWORD request_railgun_memwrite( Remote * pRemote, Packet * pPacket )
 if( !lpAddress ) BREAK_WITH_ERROR( "[RAILGUN] request_railgun_memwrite: !lpAddress", ERROR_INVALID_PARAMETER );
- pData = met_api->packet.get_tlv_value_raw( pPacket, TLV_TYPE_RAILGUN_MEM_DATA );
+ DWORD pDataLen = 0;
+ pData = met_api->packet.get_tlv_value_raw( pPacket, TLV_TYPE_RAILGUN_MEM_DATA, &pDataLen );
 if( !pData ) BREAK_WITH_ERROR( "[RAILGUN] request_railgun_memwrite: !pData", ERROR_INVALID_PARAMETER );
+ // The length of the buffer specified may not match the required read size, so we still
+ // need to have the length specified.
 dwLength = met_api->packet.get_tlv_value_uint( pPacket, TLV_TYPE_RAILGUN_MEM_LENGTH );
 if( !dwLength ) BREAK_WITH_ERROR( "[RAILGUN] request_railgun_memwrite: !dwLength", ERROR_INVALID_PARAMETER );
+ // Let's not be silly and try to read more than the buffer allows?
+ dwLength = min(dwLength, pDataLen);
 __try { memcpy( lpAddress, pData, dwLength );
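Review bot: The new `dwLength = min(dwLength, pDataLen);` silently shortens the write when TLV_TYPE_RAILGUN_MEM_LENGTH exceeds the data actually sent, and nothing in the hunk reports the reduced count back, so as far as this code shows the controller will believe the full `dwLength` bytes landed at `lpAddress`. A length/data mismatch is a malformed request rather than something to repair quietly; I would reject it in the existing style: `if( dwLength > pDataLen ) BREAK_WITH_ERROR( "[RAILGUN] request_railgun_memwrite: dwLength > pDataLen", ERROR_INVALID_PARAMETER );`. The two added comments also say "read" where this path writes into the target address, which is worth correcting. The response handling and the __except side of the __try are outside the hunk.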
diff --git a/c/meterpreter/source/extensions/stdapi/server/sys/process/ps.c b/c/meterpreter/source/extensions/stdapi/server/sys/process/ps.c
index e4cd5f72..107e8bc9 100644
--- a/c/meterpreter/source/extensions/stdapi/server/sys/process/ps.c
+++ b/c/meterpreter/source/extensions/stdapi/server/sys/process/ps.c
@@ -40,7 +40,7 @@ DWORD ps_inject( DWORD dwPid, DLL_BUFFER * pDllBuffer, char * cpCommandLine )
 DWORD dwPidArch = PROCESS_ARCH_UNKNOWN;
 DWORD dwDllArch = PROCESS_ARCH_UNKNOWN;
 LPVOID lpDllBuffer = NULL;
- DWORD dwDllLenght = 0;
+ DWORD dwDllLength = 0;
 do
 {
@@ -52,12 +52,12 @@ DWORD ps_inject( DWORD dwPid, DLL_BUFFER * pDllBuffer, char * cpCommandLine )
 if( dwPidArch == PROCESS_ARCH_X86 )
 {
 lpDllBuffer = pDllBuffer->lpPE32DllBuffer;
- dwDllLenght = pDllBuffer->dwPE32DllLenght;
+ dwDllLength = pDllBuffer->dwPE32DllLength;
 }
 else if( dwPidArch == PROCESS_ARCH_X64 )
 {
 lpDllBuffer = pDllBuffer->lpPE64DllBuffer;
- dwDllLenght = pDllBuffer->dwPE64DllLenght;
+ dwDllLength = pDllBuffer->dwPE64DllLength;
 }
 else
 {
@@ -71,7 +71,7 @@ DWORD ps_inject( DWORD dwPid, DLL_BUFFER * pDllBuffer, char * cpCommandLine )
 if( dwDllArch != dwPidArch ) BREAK_WITH_ERROR( "[PS] ps_inject_dll. pid/dll architecture mixup", ERROR_BAD_ENVIRONMENT );
- dwResult = met_api->inject.dll( dwPid, lpDllBuffer, dwDllLenght, cpCommandLine );
+ dwResult = met_api->inject.dll( dwPid, lpDllBuffer, dwDllLength, cpCommandLine );
 } while( 0 );
diff --git a/c/meterpreter/source/extensions/stdapi/server/sys/process/ps.h b/c/meterpreter/source/extensions/stdapi/server/sys/process/ps.h
index 4002db76..9aebcb52 100755
--- a/c/meterpreter/source/extensions/stdapi/server/sys/process/ps.h
+++ b/c/meterpreter/source/extensions/stdapi/server/sys/process/ps.h
@@ -30,9 +30,9 @@ typedef DWORD(WINAPI * GETMODULEBASENAMEW)(HANDLE hProcess, HMODULE hModule, LPW
 typedef struct _DLL_BUFFER
 {
 LPVOID lpPE32DllBuffer;
- DWORD dwPE32DllLenght;
+ DWORD dwPE32DllLength;
 LPVOID lpPE64DllBuffer;
- DWORD dwPE64DllLenght;
+ DWORD dwPE64DllLength;
 } DLL_BUFFER;
 typedef struct _PROCESS_BASIC_INFORMATION
diff --git a/c/meterpreter/source/extensions/stdapi/server/ui/desktop.c b/c/meterpreter/source/extensions/stdapi/server/ui/desktop.c
index ad0827ff..083b0972 100644
--- a/c/meterpreter/source/extensions/stdapi/server/ui/desktop.c
+++ b/c/meterpreter/source/extensions/stdapi/server/ui/desktop.c
@@ -403,7 +403,7 @@ DWORD request_ui_desktop_screenshot(Remote * remote, Packet * request)
 Packet * response = NULL;
 THREAD * pPipeThread = NULL;
 LPVOID lpDllBuffer = NULL;
- DLL_BUFFER DllBuffer = { 0 };
+ DLL_BUFFER dllBuffer = { 0 };
 char cNamedPipe[MAX_PATH] = { 0 };
 char cCommandLine[MAX_PATH] = { 0 };
 int quality = 0;
@@ -429,13 +429,10 @@ DWORD request_ui_desktop_screenshot(Remote * remote, Packet * request)
 // get the x86 and x64 screenshot dll's. we are not obliged to send both but we reduce the number of processes
 // we can inject into (wow64 and x64) if we only send one type on an x64 system. If we are on an x86 system
 // we dont need to send the x64 screenshot dll as there will be no x64 processes to inject it into.
- DllBuffer.dwPE32DllLenght = met_api->packet.get_tlv_value_uint(request, TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_LENGTH);
- DllBuffer.lpPE32DllBuffer = met_api->packet.get_tlv_value_string(request, TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER);
+ dllBuffer.lpPE32DllBuffer = met_api->packet.get_tlv_value_raw(request, TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER, &dllBuffer.dwPE32DllLength);
+ dllBuffer.lpPE64DllBuffer = met_api->packet.get_tlv_value_raw(request, TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER, &dllBuffer.dwPE64DllLength);
- DllBuffer.dwPE64DllLenght = met_api->packet.get_tlv_value_uint(request, TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH);
- DllBuffer.lpPE64DllBuffer = met_api->packet.get_tlv_value_string(request, TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER);
-
- if (!DllBuffer.lpPE32DllBuffer && !DllBuffer.lpPE64DllBuffer)
+ if (!dllBuffer.lpPE32DllBuffer && !dllBuffer.lpPE64DllBuffer)
 {
 BREAK_WITH_ERROR("[UI] desktop_screenshot. Invalid dll arguments, at least 1 dll must be supplied", ERROR_BAD_ARGUMENTS);
 }
@@ -474,7 +471,7 @@ DWORD request_ui_desktop_screenshot(Remote * remote, Packet * request)
 if (dwCurrentSessionId != dwActiveSessionId)
 {
 dprintf("[UI] desktop_screenshot. Injecting into active session %d...\n", dwActiveSessionId);
- if (session_inject(dwActiveSessionId, &DllBuffer, cCommandLine) != ERROR_SUCCESS)
+ if (session_inject(dwActiveSessionId, &dllBuffer, cCommandLine) != ERROR_SUCCESS)
 {
 BREAK_WITH_ERROR("[UI] desktop_screenshot. session_inject failed", ERROR_ACCESS_DENIED);
 }
@@ -482,7 +479,7 @@ DWORD request_ui_desktop_screenshot(Remote * remote, Packet * request)
 else
 {
 dprintf("[UI] desktop_screenshot. Allready in the active session %d.\n", dwActiveSessionId);
- if (ps_inject(GetCurrentProcessId(), &DllBuffer, cCommandLine) != ERROR_SUCCESS)
+ if (ps_inject(GetCurrentProcessId(), &dllBuffer, cCommandLine) != ERROR_SUCCESS)
 {
 BREAK_WITH_ERROR("[UI] desktop_screenshot. ps_inject current process failed", ERROR_ACCESS_DENIED);
 }
diff --git a/c/meterpreter/source/extensions/stdapi/stdapi.h b/c/meterpreter/source/extensions/stdapi/stdapi.h
index 16ffbfd3..7ebab981 100755
--- a/c/meterpreter/source/extensions/stdapi/stdapi.h
+++ b/c/meterpreter/source/extensions/stdapi/stdapi.h
@@ -181,10 +181,8 @@
 #define TLV_TYPE_DESKTOP_STATION MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3006 )
 #define TLV_TYPE_DESKTOP_NAME MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3007 )
 #define TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 3008 )
-#define TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_LENGTH MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 3009 )
-#define TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3010 )
-#define TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH MAKE_CUSTOM_TLV( TLV_META_TYPE_UINT, TLV_TYPE_EXTENSION_STDAPI, 3011 )
-#define TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3012 )
+#define TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER MAKE_CUSTOM_TLV( TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_STDAPI, 3010 )
+#define TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER MAKE_CUSTOM_TLV( TLV_META_TYPE_RAW, TLV_TYPE_EXTENSION_STDAPI, 3012 )
 #define TLV_TYPE_KEYSCAN_TRACK_ACTIVE_WINDOW MAKE_CUSTOM_TLV( TLV_META_TYPE_BOOL, TLV_TYPE_EXTENSION_STDAPI, 3013 )
 #define TLV_TYPE_KEYS_SEND MAKE_CUSTOM_TLV( TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 3014 )
From 50048d02ca0dd9744ff573b8c392655a0d032474 Mon Sep 17 00:00:00 2001 From: OJ Date: Wed, 6 May 2020 11:32:50 +1000 Subject: [PATCH 6/7] Fix up TLV types and remove ones that don't exist --- .../main/java/com/metasploit/meterpreter/TLVType.java | 10 ++++------ .../meterpreter/command/NotYetImplementedCommand.java | 2 -- java/pom.xml | 4 ++-- 3 files changed, 6 insertions(+), 10 deletions(-)
diff --git a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/TLVType.java b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/TLVType.java
index fdcdb94d..060e3629 100644
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/TLVType.java
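Review bot: Switching 3010 and 3012 from TLV_META_TYPE_STRING to TLV_META_TYPE_RAW changes the full TLV type value, so a controller still emitting the STRING-typed buffers will simply not be found by this agent (desktop_screenshot then fails with "Invalid dll arguments"), and the deleted 3009/3011 numbers are now free to be reused with unrelated meaning. Please leave a reservation comment in place of the removed lines, e.g. `// 3009 and 3011 were TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_LENGTH / PE64DLL_LENGTH; retired, do not reuse.`, and state in the commit message that every side emitting these TLVs must move in lockstep. The Java constants are changed in the following patch, which suggests this is a coordinated protocol change, but the header itself gives no hint of that.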
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/TLVType.java
@@ -204,12 +204,10 @@ public interface TLVType {
 public static final int TLV_TYPE_POWER_REASON = TLVPacket.TLV_META_TYPE_UINT | 4101;
 // Screenshot
- public static final int TLV_TYPE_DESKTOP_SCREENSHOT = TLVPacket.TLV_META_TYPE_RAW | 3002;
- public static final int TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY = TLVPacket.TLV_META_TYPE_UINT | 3008;
- public static final int TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_LENGTH = TLVPacket.TLV_META_TYPE_UINT | 3009;
- public static final int TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER = TLVPacket.TLV_META_TYPE_STRING | 3010;
- public static final int TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH = TLVPacket.TLV_META_TYPE_UINT | 3011;
- public static final int TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER = TLVPacket.TLV_META_TYPE_STRING | 3012;
+ public static final int TLV_TYPE_DESKTOP_SCREENSHOT = TLVPacket.TLV_META_TYPE_RAW | 3002;
+ public static final int TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY = TLVPacket.TLV_META_TYPE_UINT | 3008;
+ public static final int TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER = TLVPacket.TLV_META_TYPE_RAW | 3010;
+ public static final int TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER = TLVPacket.TLV_META_TYPE_RAW | 3012;
 int TLV_TYPE_EXTENSION_EXTAPI = 0;
 int TLV_EXTENSIONS = 20000;
diff --git a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/command/NotYetImplementedCommand.java b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/command/NotYetImplementedCommand.java
index d7388023..c0a0d30e 100644
--- a/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/command/NotYetImplementedCommand.java
+++ b/java/meterpreter/meterpreter/src/main/java/com/metasploit/meterpreter/command/NotYetImplementedCommand.java
@@ -149,9 +149,7 @@ public class NotYetImplementedCommand implements Command {
 typeNames.put(new Integer(TLVType.TLV_TYPE_POWER_REASON), "TLV_TYPE_POWER_REASON");
 typeNames.put(new Integer(TLVType.TLV_TYPE_DESKTOP_SCREENSHOT), "TLV_TYPE_DESKTOP_SCREENSHOT");
 typeNames.put(new Integer(TLVType.TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY), "TLV_TYPE_DESKTOP_SCREENSHOT_QUALITY");
- typeNames.put(new Integer(TLVType.TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_LENGTH), "TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_LENGTH");
 typeNames.put(new Integer(TLVType.TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER), "TLV_TYPE_DESKTOP_SCREENSHOT_PE32DLL_BUFFER");
- typeNames.put(new Integer(TLVType.TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH), "TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_LENGTH");
 typeNames.put(new Integer(TLVType.TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER), "TLV_TYPE_DESKTOP_SCREENSHOT_PE64DLL_BUFFER");
 }
diff --git a/java/pom.xml b/java/pom.xml
index d5bbf1bb..6bddafe3 100644
--- a/java/pom.xml
+++ b/java/pom.xml
@@ -26,8 +26,8 @@
 maven-compiler-plugin 3.0
- 1.5
- 1.5
+ 1.6
+ 1.6
 true none
From aacaf43ace21712d2f329348d4abe6660e44cbbf Mon Sep 17 00:00:00 2001 From: OJ Date: Mon, 15 Jun 2020 17:13:03 +1000 Subject: [PATCH 7/7] Revert mistaken modification to pom.xml --- java/pom.xml | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/java/pom.xml b/java/pom.xml
index 6bddafe3..d5bbf1bb 100644
--- a/java/pom.xml
+++ b/java/pom.xml
@@ -26,8 +26,8 @@
 maven-compiler-plugin 3.0
- 1.6
- 1.6
+ 1.5
+ 1.5
 true none