Post V2013, Land #43, getproxy

See also #46

c/meterpreter/source/common/compat_types.h

@@ -174,9 +174,11 @@ typedef	char		BYTE;
 typedef	uint32_t	ULONG;
 typedef	uint32_t *	PULONG;
 typedef	const char	CSTR;
+typedef	const wchar_t	CWSTR;
 typedef	unsigned char	UCHAR;
 typedef UCHAR *		PUCHAR;
 typedef	CSTR *		LPCSTR;
+typedef	CWSTR *		LPCWSTR;
 typedef	char *		LPSTR;
 typedef	long		DWORD;
 typedef	DWORD *		LPDWORD;

c/meterpreter/source/common/core.c

@@ -319,6 +319,34 @@ DWORD packet_add_tlv_string( Packet *packet, TlvType type, LPCSTR str )
 	return packet_add_tlv_raw(packet, type, (PUCHAR)str, (DWORD)strlen(str) + 1);
 }
 
+/*!
+ * @brief Add a wide-string value TLV to a packet, including the \c NULL terminator.
+ * @param packet Pointer to the packet to add the value to.
+ * @param type TLV type for the value.
+ * @param str Pointer to the wide-string value to add to the packet.
+ * @return Indication of success or failure.
+ * @retval ERROR_SUCCESS The operation completed successfully.
+ * @retval ERROR_NOT_ENOUGH_MEMORY Insufficient memory available.
+ */
+DWORD packet_add_tlv_wstring(Packet *packet, TlvType type, LPCWSTR str)
+{
+	DWORD dwResult;
+	size_t charCount = wcslen(str);
+	LPSTR lpStr = (LPSTR)malloc(charCount + 1);
+
+	if (lpStr) {
+		wcstombs(lpStr, str, charCount);
+		lpStr[charCount] = 0;
+		dwResult = packet_add_tlv_raw(packet, type, (PUCHAR)lpStr, charCount + 1);
+		free(lpStr);
+	}
+	else {
+		dwResult = ERROR_NOT_ENOUGH_MEMORY;
+	}
+
+	return dwResult;
+}
+
 /*!
  * @brief Add a unsigned integer value TLV to a packet.
  * @param packet Pointer to the packet to add the value to.

c/meterpreter/source/common/core.h

@@ -210,6 +210,7 @@ LINKAGE Packet *packet_duplicate(Packet *packet);
 LINKAGE VOID packet_destroy(Packet *packet);
 
 LINKAGE DWORD packet_add_tlv_string(Packet *packet, TlvType type, LPCSTR str);
+LINKAGE DWORD packet_add_tlv_wstring(Packet *packet, TlvType type, LPCWSTR str);
 LINKAGE DWORD packet_add_tlv_uint(Packet *packet, TlvType type, UINT val);
 LINKAGE DWORD packet_add_tlv_qword(Packet *packet, TlvType type, QWORD val );
 LINKAGE DWORD packet_add_tlv_bool(Packet *packet, TlvType type, BOOL val);

c/meterpreter/source/extensions/stdapi/server/net/config/proxy_config.c

@@ -0,0 +1,86 @@
+#include "precomp.h"
+
+#ifdef _WIN32
+typedef struct
+{
+    BOOL    fAutoDetect;
+    LPWSTR  lpszAutoConfigUrl;
+    LPWSTR  lpszProxy;
+    LPWSTR  lpszProxyBypass;
+} WINHTTP_CURRENT_USER_IE_PROXY_CONFIG;
+
+typedef BOOL (WINAPI * PWINHTTPGETIEPROXYCONFIGFORCURRENTUSER)(
+	WINHTTP_CURRENT_USER_IE_PROXY_CONFIG *pProxyConfig
+);
+#endif
+
+/*!
+ * @brief Get the current Internet Explorer proxy configuration.
+ * @param remote Pointer to the \c Remote instance making the call.
+ * @param packet Pointer to the \c Request packet.
+ * @return Indication of success or failure.
+ * @remark This function will only get the proxy configuration that is
+ *         available through IE. This also happens to be the same as that
+ *         which Chrome uses, so you get that for free. But other browsers
+ *         such as Firefox, Safari, Opera, etc. which have their own
+ *         settings are not supported by this function.
+ */
+DWORD request_net_config_get_proxy_config(Remote *remote, Packet *packet)
+{
+	DWORD dwResult = ERROR_NOT_SUPPORTED;
+	Packet *response = packet_create_response(packet);
+
+#ifdef _WIN32
+	HMODULE hWinHttp = NULL;
+	PWINHTTPGETIEPROXYCONFIGFORCURRENTUSER pProxyFun = NULL;
+	WINHTTP_CURRENT_USER_IE_PROXY_CONFIG proxyConfig;
+
+	do
+	{
+		if ((hWinHttp = LoadLibraryA("Winhttp.dll")) == NULL) {
+			dprintf("[PROXY] Unable to load Winhttp.dll");
+			break;
+		}
+
+		if ((pProxyFun = (PWINHTTPGETIEPROXYCONFIGFORCURRENTUSER)GetProcAddress(hWinHttp, "WinHttpGetIEProxyConfigForCurrentUser")) == NULL) {
+			dprintf("[PROXY] Unable to find WinHttpGetIEProxyConfigForCurrentUser in Winhttp.dll");
+			break;
+		}
+
+		if (!pProxyFun(&proxyConfig)) {
+			BREAK_ON_ERROR("[PROXY] Failed to extract proxy configuration");
+			break;
+		}
+
+		packet_add_tlv_bool(response, TLV_TYPE_PROXY_CFG_AUTODETECT, proxyConfig.fAutoDetect);
+
+		if (proxyConfig.lpszAutoConfigUrl) {
+			packet_add_tlv_wstring(response, TLV_TYPE_PROXY_CFG_AUTOCONFIGURL, proxyConfig.lpszAutoConfigUrl);
+			GlobalFree((HGLOBAL)proxyConfig.lpszAutoConfigUrl);
+		}
+
+		if (proxyConfig.lpszProxy) {
+			packet_add_tlv_wstring(response, TLV_TYPE_PROXY_CFG_PROXY, proxyConfig.lpszProxy);
+			GlobalFree((HGLOBAL)proxyConfig.lpszProxy);
+		}
+
+		if (proxyConfig.lpszProxyBypass) {
+			packet_add_tlv_wstring(response, TLV_TYPE_PROXY_CFG_PROXYBYPASS, proxyConfig.lpszProxyBypass);
+			GlobalFree((HGLOBAL)proxyConfig.lpszProxyBypass);
+		}
+
+		dwResult = ERROR_SUCCESS;
+
+	} while(0);
+
+	if (hWinHttp != NULL) {
+		FreeLibrary(hWinHttp);
+	}
+#else
+	// no support for this on "nix"
+#endif
+
+	packet_transmit_response(dwResult, remote, response);
+
+	return dwResult;
+}

c/meterpreter/source/extensions/stdapi/server/net/net.h

@@ -59,6 +59,8 @@ DWORD request_net_config_get_arp_table(Remote *remote, Packet *packet);
 
 DWORD request_net_config_get_netstat(Remote *remote, Packet *packet);
 
+DWORD request_net_config_get_proxy_config(Remote *remote, Packet *packet);
+
 // Socket
 DWORD request_net_socket_tcp_shutdown(Remote *remote, Packet *packet);
 

c/meterpreter/source/extensions/stdapi/server/stdapi.c

@@ -338,6 +338,10 @@ Command customCommands[] =
 	},
 
 #ifdef WIN32
+	{ "stdapi_net_config_get_proxy",
+	  { request_net_config_get_proxy_config,			  { 0 }, 0 },
+	  { EMPTY_DISPATCH_HANDLER                                     },
+	},
 	// Resolve
 	{ "stdapi_net_resolve_host",
 	  { request_resolve_host,							  { 0 }, 0 },

c/meterpreter/source/extensions/stdapi/stdapi.h

@@ -419,6 +419,11 @@
                 TLV_META_TYPE_UINT,      \
                 TLV_TYPE_EXTENSION_STDAPI, \
                 1444)
+// Proxy configuration
+#define TLV_TYPE_PROXY_CFG_AUTODETECT     MAKE_CUSTOM_TLV(TLV_META_TYPE_BOOL,   TLV_TYPE_EXTENSION_STDAPI, 1445)
+#define TLV_TYPE_PROXY_CFG_AUTOCONFIGURL  MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 1446)
+#define TLV_TYPE_PROXY_CFG_PROXY          MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 1447)
+#define TLV_TYPE_PROXY_CFG_PROXYBYPASS    MAKE_CUSTOM_TLV(TLV_META_TYPE_STRING, TLV_TYPE_EXTENSION_STDAPI, 1448)
 
 	// Socket
 #define TLV_TYPE_PEER_HOST             \

c/meterpreter/workspace/ext_server_stdapi/ext_server_stdapi.vcxproj

@@ -602,6 +602,7 @@ copy /y "$(TargetDir)$(TargetFileName)" "$(ProjectDir)..\..\output\$(PlatformSho
     <ClCompile Include="..\..\source\extensions\stdapi\server\general.c" />
     <ClCompile Include="..\..\source\extensions\stdapi\server\net\config\arp.c" />
     <ClCompile Include="..\..\source\extensions\stdapi\server\net\config\netstat.c" />
+    <ClCompile Include="..\..\source\extensions\stdapi\server\net\config\proxy_config.c" />
     <ClCompile Include="..\..\source\extensions\stdapi\server\net\resolve.c" />
     <ClCompile Include="..\..\source\extensions\stdapi\server\stdapi.c">
       <PreCompiledHeader>Create</PreCompiledHeader>